@cat-factory/server 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/dist/agents/CompositeAgentExecutor.d.ts +39 -0
- package/dist/agents/CompositeAgentExecutor.d.ts.map +1 -0
- package/dist/agents/CompositeAgentExecutor.js +169 -0
- package/dist/agents/CompositeAgentExecutor.js.map +1 -0
- package/dist/agents/ContainerAgentExecutor.d.ts +235 -0
- package/dist/agents/ContainerAgentExecutor.d.ts.map +1 -0
- package/dist/agents/ContainerAgentExecutor.js +825 -0
- package/dist/agents/ContainerAgentExecutor.js.map +1 -0
- package/dist/agents/ContainerRepoBootstrapper.d.ts +78 -0
- package/dist/agents/ContainerRepoBootstrapper.d.ts.map +1 -0
- package/dist/agents/ContainerRepoBootstrapper.js +279 -0
- package/dist/agents/ContainerRepoBootstrapper.js.map +1 -0
- package/dist/agents/ModelRouter.d.ts +69 -0
- package/dist/agents/ModelRouter.d.ts.map +1 -0
- package/dist/agents/ModelRouter.js +84 -0
- package/dist/agents/ModelRouter.js.map +1 -0
- package/dist/agents/RunnerJobClient.d.ts +41 -0
- package/dist/agents/RunnerJobClient.d.ts.map +1 -0
- package/dist/agents/RunnerJobClient.js +43 -0
- package/dist/agents/RunnerJobClient.js.map +1 -0
- package/dist/agents/modelProviderResolver.d.ts +33 -0
- package/dist/agents/modelProviderResolver.d.ts.map +1 -0
- package/dist/agents/modelProviderResolver.js +48 -0
- package/dist/agents/modelProviderResolver.js.map +1 -0
- package/dist/agents/providerCapabilities.d.ts +22 -0
- package/dist/agents/providerCapabilities.d.ts.map +1 -0
- package/dist/agents/providerCapabilities.js +43 -0
- package/dist/agents/providerCapabilities.js.map +1 -0
- package/dist/agents/resolveRepoTarget.d.ts +33 -0
- package/dist/agents/resolveRepoTarget.d.ts.map +1 -0
- package/dist/agents/resolveRepoTarget.js +81 -0
- package/dist/agents/resolveRepoTarget.js.map +1 -0
- package/dist/app.d.ts +12 -0
- package/dist/app.d.ts.map +1 -0
- package/dist/app.js +102 -0
- package/dist/app.js.map +1 -0
- package/dist/auth/GitHubOAuth.d.ts +39 -0
- package/dist/auth/GitHubOAuth.d.ts.map +1 -0
- package/dist/auth/GitHubOAuth.js +90 -0
- package/dist/auth/GitHubOAuth.js.map +1 -0
- package/dist/auth/GoogleOAuth.d.ts +35 -0
- package/dist/auth/GoogleOAuth.d.ts.map +1 -0
- package/dist/auth/GoogleOAuth.js +66 -0
- package/dist/auth/GoogleOAuth.js.map +1 -0
- package/dist/auth/middleware.d.ts +15 -0
- package/dist/auth/middleware.d.ts.map +1 -0
- package/dist/auth/middleware.js +63 -0
- package/dist/auth/middleware.js.map +1 -0
- package/dist/auth/signing.d.ts +50 -0
- package/dist/auth/signing.d.ts.map +1 -0
- package/dist/auth/signing.js +96 -0
- package/dist/auth/signing.js.map +1 -0
- package/dist/auth/wsTicket.d.ts +34 -0
- package/dist/auth/wsTicket.d.ts.map +1 -0
- package/dist/auth/wsTicket.js +50 -0
- package/dist/auth/wsTicket.js.map +1 -0
- package/dist/config/types.d.ts +294 -0
- package/dist/config/types.d.ts.map +1 -0
- package/dist/config/types.js +2 -0
- package/dist/config/types.js.map +1 -0
- package/dist/config/url-safety.d.ts +8 -0
- package/dist/config/url-safety.d.ts.map +1 -0
- package/dist/config/url-safety.js +11 -0
- package/dist/config/url-safety.js.map +1 -0
- package/dist/containers/ContainerSessionService.d.ts +67 -0
- package/dist/containers/ContainerSessionService.d.ts.map +1 -0
- package/dist/containers/ContainerSessionService.js +44 -0
- package/dist/containers/ContainerSessionService.js.map +1 -0
- package/dist/crypto/WebCryptoPasswordHasher.d.ts +9 -0
- package/dist/crypto/WebCryptoPasswordHasher.d.ts.map +1 -0
- package/dist/crypto/WebCryptoPasswordHasher.js +67 -0
- package/dist/crypto/WebCryptoPasswordHasher.js.map +1 -0
- package/dist/crypto/WebCryptoPersonalSecretCipher.d.ts +6 -0
- package/dist/crypto/WebCryptoPersonalSecretCipher.d.ts.map +1 -0
- package/dist/crypto/WebCryptoPersonalSecretCipher.js +57 -0
- package/dist/crypto/WebCryptoPersonalSecretCipher.js.map +1 -0
- package/dist/crypto/WebCryptoSecretCipher.d.ts +23 -0
- package/dist/crypto/WebCryptoSecretCipher.d.ts.map +1 -0
- package/dist/crypto/WebCryptoSecretCipher.js +60 -0
- package/dist/crypto/WebCryptoSecretCipher.js.map +1 -0
- package/dist/crypto/encoding.d.ts +14 -0
- package/dist/crypto/encoding.d.ts.map +1 -0
- package/dist/crypto/encoding.js +58 -0
- package/dist/crypto/encoding.js.map +1 -0
- package/dist/events/FanOutEventPublisher.d.ts +32 -0
- package/dist/events/FanOutEventPublisher.d.ts.map +1 -0
- package/dist/events/FanOutEventPublisher.js +76 -0
- package/dist/events/FanOutEventPublisher.js.map +1 -0
- package/dist/events/InAppNotificationChannel.d.ts +20 -0
- package/dist/events/InAppNotificationChannel.d.ts.map +1 -0
- package/dist/events/InAppNotificationChannel.js +23 -0
- package/dist/events/InAppNotificationChannel.js.map +1 -0
- package/dist/github/FetchGitHubClient.d.ts +72 -0
- package/dist/github/FetchGitHubClient.d.ts.map +1 -0
- package/dist/github/FetchGitHubClient.js +485 -0
- package/dist/github/FetchGitHubClient.js.map +1 -0
- package/dist/github/FetchGitHubProvisioningClient.d.ts +13 -0
- package/dist/github/FetchGitHubProvisioningClient.d.ts.map +1 -0
- package/dist/github/FetchGitHubProvisioningClient.js +59 -0
- package/dist/github/FetchGitHubProvisioningClient.js.map +1 -0
- package/dist/github/GitHubAppAuth.d.ts +30 -0
- package/dist/github/GitHubAppAuth.d.ts.map +1 -0
- package/dist/github/GitHubAppAuth.js +95 -0
- package/dist/github/GitHubAppAuth.js.map +1 -0
- package/dist/github/GitHubAppRegistry.d.ts +57 -0
- package/dist/github/GitHubAppRegistry.d.ts.map +1 -0
- package/dist/github/GitHubAppRegistry.js +51 -0
- package/dist/github/GitHubAppRegistry.js.map +1 -0
- package/dist/github/GitHubCiStatusProvider.d.ts +21 -0
- package/dist/github/GitHubCiStatusProvider.d.ts.map +1 -0
- package/dist/github/GitHubCiStatusProvider.js +39 -0
- package/dist/github/GitHubCiStatusProvider.js.map +1 -0
- package/dist/github/GitHubMergeabilityProvider.d.ts +26 -0
- package/dist/github/GitHubMergeabilityProvider.d.ts.map +1 -0
- package/dist/github/GitHubMergeabilityProvider.js +38 -0
- package/dist/github/GitHubMergeabilityProvider.js.map +1 -0
- package/dist/github/GitHubPullRequestMerger.d.ts +23 -0
- package/dist/github/GitHubPullRequestMerger.d.ts.map +1 -0
- package/dist/github/GitHubPullRequestMerger.js +38 -0
- package/dist/github/GitHubPullRequestMerger.js.map +1 -0
- package/dist/github/WebCryptoWebhookVerifier.d.ts +9 -0
- package/dist/github/WebCryptoWebhookVerifier.d.ts.map +1 -0
- package/dist/github/WebCryptoWebhookVerifier.js +40 -0
- package/dist/github/WebCryptoWebhookVerifier.js.map +1 -0
- package/dist/github/ensureWorkBranch.d.ts +26 -0
- package/dist/github/ensureWorkBranch.d.ts.map +1 -0
- package/dist/github/ensureWorkBranch.js +97 -0
- package/dist/github/ensureWorkBranch.js.map +1 -0
- package/dist/github/state.d.ts +19 -0
- package/dist/github/state.d.ts.map +1 -0
- package/dist/github/state.js +55 -0
- package/dist/github/state.js.map +1 -0
- package/dist/http/authGate.d.ts +21 -0
- package/dist/http/authGate.d.ts.map +1 -0
- package/dist/http/authGate.js +77 -0
- package/dist/http/authGate.js.map +1 -0
- package/dist/http/cors.d.ts +13 -0
- package/dist/http/cors.d.ts.map +1 -0
- package/dist/http/cors.js +30 -0
- package/dist/http/cors.js.map +1 -0
- package/dist/http/env.d.ts +68 -0
- package/dist/http/env.d.ts.map +1 -0
- package/dist/http/env.js +2 -0
- package/dist/http/env.js.map +1 -0
- package/dist/http/errorHandler.d.ts +4 -0
- package/dist/http/errorHandler.d.ts.map +1 -0
- package/dist/http/errorHandler.js +33 -0
- package/dist/http/errorHandler.js.map +1 -0
- package/dist/http/params.d.ts +8 -0
- package/dist/http/params.d.ts.map +1 -0
- package/dist/http/params.js +13 -0
- package/dist/http/params.js.map +1 -0
- package/dist/http/validation.d.ts +12 -0
- package/dist/http/validation.d.ts.map +1 -0
- package/dist/http/validation.js +21 -0
- package/dist/http/validation.js.map +1 -0
- package/dist/index.d.ts +46 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +63 -0
- package/dist/index.js.map +1 -0
- package/dist/modules/accounts/AccountController.d.ts +10 -0
- package/dist/modules/accounts/AccountController.d.ts.map +1 -0
- package/dist/modules/accounts/AccountController.js +197 -0
- package/dist/modules/accounts/AccountController.js.map +1 -0
- package/dist/modules/agentRuns/AgentRunController.d.ts +10 -0
- package/dist/modules/agentRuns/AgentRunController.d.ts.map +1 -0
- package/dist/modules/agentRuns/AgentRunController.js +65 -0
- package/dist/modules/agentRuns/AgentRunController.js.map +1 -0
- package/dist/modules/auth/AuthController.d.ts +12 -0
- package/dist/modules/auth/AuthController.d.ts.map +1 -0
- package/dist/modules/auth/AuthController.js +457 -0
- package/dist/modules/auth/AuthController.js.map +1 -0
- package/dist/modules/board/BoardController.d.ts +8 -0
- package/dist/modules/board/BoardController.d.ts.map +1 -0
- package/dist/modules/board/BoardController.js +89 -0
- package/dist/modules/board/BoardController.js.map +1 -0
- package/dist/modules/boardScan/BoardScanController.d.ts +10 -0
- package/dist/modules/boardScan/BoardScanController.d.ts.map +1 -0
- package/dist/modules/boardScan/BoardScanController.js +53 -0
- package/dist/modules/boardScan/BoardScanController.js.map +1 -0
- package/dist/modules/bootstrap/BootstrapController.d.ts +10 -0
- package/dist/modules/bootstrap/BootstrapController.d.ts.map +1 -0
- package/dist/modules/bootstrap/BootstrapController.js +75 -0
- package/dist/modules/bootstrap/BootstrapController.js.map +1 -0
- package/dist/modules/clarity/ClarityReviewController.d.ts +11 -0
- package/dist/modules/clarity/ClarityReviewController.d.ts.map +1 -0
- package/dist/modules/clarity/ClarityReviewController.js +97 -0
- package/dist/modules/clarity/ClarityReviewController.js.map +1 -0
- package/dist/modules/consensus/ConsensusController.d.ts +12 -0
- package/dist/modules/consensus/ConsensusController.d.ts.map +1 -0
- package/dist/modules/consensus/ConsensusController.js +23 -0
- package/dist/modules/consensus/ConsensusController.js.map +1 -0
- package/dist/modules/documents/DocumentSourceController.d.ts +10 -0
- package/dist/modules/documents/DocumentSourceController.d.ts.map +1 -0
- package/dist/modules/documents/DocumentSourceController.js +116 -0
- package/dist/modules/documents/DocumentSourceController.js.map +1 -0
- package/dist/modules/environments/EnvironmentController.d.ts +10 -0
- package/dist/modules/environments/EnvironmentController.d.ts.map +1 -0
- package/dist/modules/environments/EnvironmentController.js +95 -0
- package/dist/modules/environments/EnvironmentController.js.map +1 -0
- package/dist/modules/events/EventsController.d.ts +26 -0
- package/dist/modules/events/EventsController.d.ts.map +1 -0
- package/dist/modules/events/EventsController.js +56 -0
- package/dist/modules/events/EventsController.js.map +1 -0
- package/dist/modules/execution/ExecutionController.d.ts +10 -0
- package/dist/modules/execution/ExecutionController.d.ts.map +1 -0
- package/dist/modules/execution/ExecutionController.js +156 -0
- package/dist/modules/execution/ExecutionController.js.map +1 -0
- package/dist/modules/fragmentLibrary/FragmentLibraryController.d.ts +14 -0
- package/dist/modules/fragmentLibrary/FragmentLibraryController.d.ts.map +1 -0
- package/dist/modules/fragmentLibrary/FragmentLibraryController.js +128 -0
- package/dist/modules/fragmentLibrary/FragmentLibraryController.js.map +1 -0
- package/dist/modules/github/GitHubController.d.ts +12 -0
- package/dist/modules/github/GitHubController.d.ts.map +1 -0
- package/dist/modules/github/GitHubController.js +234 -0
- package/dist/modules/github/GitHubController.js.map +1 -0
- package/dist/modules/github/GitHubWebhookController.d.ts +13 -0
- package/dist/modules/github/GitHubWebhookController.d.ts.map +1 -0
- package/dist/modules/github/GitHubWebhookController.js +74 -0
- package/dist/modules/github/GitHubWebhookController.js.map +1 -0
- package/dist/modules/llmProxy/LlmProxyController.d.ts +18 -0
- package/dist/modules/llmProxy/LlmProxyController.d.ts.map +1 -0
- package/dist/modules/llmProxy/LlmProxyController.js +567 -0
- package/dist/modules/llmProxy/LlmProxyController.js.map +1 -0
- package/dist/modules/localModels/LocalModelEndpointController.d.ts +4 -0
- package/dist/modules/localModels/LocalModelEndpointController.d.ts.map +1 -0
- package/dist/modules/localModels/LocalModelEndpointController.js +58 -0
- package/dist/modules/localModels/LocalModelEndpointController.js.map +1 -0
- package/dist/modules/merge/MergePresetController.d.ts +9 -0
- package/dist/modules/merge/MergePresetController.d.ts.map +1 -0
- package/dist/modules/merge/MergePresetController.js +46 -0
- package/dist/modules/merge/MergePresetController.js.map +1 -0
- package/dist/modules/modelDefaults/ModelDefaultsController.d.ts +9 -0
- package/dist/modules/modelDefaults/ModelDefaultsController.d.ts.map +1 -0
- package/dist/modules/modelDefaults/ModelDefaultsController.js +32 -0
- package/dist/modules/modelDefaults/ModelDefaultsController.js.map +1 -0
- package/dist/modules/models/ModelController.d.ts +11 -0
- package/dist/modules/models/ModelController.d.ts.map +1 -0
- package/dist/modules/models/ModelController.js +38 -0
- package/dist/modules/models/ModelController.js.map +1 -0
- package/dist/modules/notifications/NotificationController.d.ts +13 -0
- package/dist/modules/notifications/NotificationController.d.ts.map +1 -0
- package/dist/modules/notifications/NotificationController.js +67 -0
- package/dist/modules/notifications/NotificationController.js.map +1 -0
- package/dist/modules/pipelines/PipelineController.d.ts +5 -0
- package/dist/modules/pipelines/PipelineController.d.ts.map +1 -0
- package/dist/modules/pipelines/PipelineController.js +46 -0
- package/dist/modules/pipelines/PipelineController.js.map +1 -0
- package/dist/modules/promptFragments/PromptFragmentController.d.ts +11 -0
- package/dist/modules/promptFragments/PromptFragmentController.d.ts.map +1 -0
- package/dist/modules/promptFragments/PromptFragmentController.js +18 -0
- package/dist/modules/promptFragments/PromptFragmentController.js.map +1 -0
- package/dist/modules/providers/ApiKeyController.d.ts +13 -0
- package/dist/modules/providers/ApiKeyController.d.ts.map +1 -0
- package/dist/modules/providers/ApiKeyController.js +98 -0
- package/dist/modules/providers/ApiKeyController.js.map +1 -0
- package/dist/modules/providers/PersonalSubscriptionController.d.ts +4 -0
- package/dist/modules/providers/PersonalSubscriptionController.d.ts.map +1 -0
- package/dist/modules/providers/PersonalSubscriptionController.js +48 -0
- package/dist/modules/providers/PersonalSubscriptionController.js.map +1 -0
- package/dist/modules/providers/VendorCredentialController.d.ts +4 -0
- package/dist/modules/providers/VendorCredentialController.d.ts.map +1 -0
- package/dist/modules/providers/VendorCredentialController.js +55 -0
- package/dist/modules/providers/VendorCredentialController.js.map +1 -0
- package/dist/modules/providers/personalCredentialGate.d.ts +34 -0
- package/dist/modules/providers/personalCredentialGate.d.ts.map +1 -0
- package/dist/modules/providers/personalCredentialGate.js +106 -0
- package/dist/modules/providers/personalCredentialGate.js.map +1 -0
- package/dist/modules/recurring/RecurringPipelineController.d.ts +8 -0
- package/dist/modules/recurring/RecurringPipelineController.d.ts.map +1 -0
- package/dist/modules/recurring/RecurringPipelineController.js +58 -0
- package/dist/modules/recurring/RecurringPipelineController.js.map +1 -0
- package/dist/modules/recurring/TrackerSettingsController.d.ts +8 -0
- package/dist/modules/recurring/TrackerSettingsController.d.ts.map +1 -0
- package/dist/modules/recurring/TrackerSettingsController.js +30 -0
- package/dist/modules/recurring/TrackerSettingsController.js.map +1 -0
- package/dist/modules/releaseHealth/ReleaseHealthController.d.ts +9 -0
- package/dist/modules/releaseHealth/ReleaseHealthController.d.ts.map +1 -0
- package/dist/modules/releaseHealth/ReleaseHealthController.js +58 -0
- package/dist/modules/releaseHealth/ReleaseHealthController.js.map +1 -0
- package/dist/modules/requirements/RequirementReviewController.d.ts +12 -0
- package/dist/modules/requirements/RequirementReviewController.d.ts.map +1 -0
- package/dist/modules/requirements/RequirementReviewController.js +107 -0
- package/dist/modules/requirements/RequirementReviewController.js.map +1 -0
- package/dist/modules/runners/RunnerPoolController.d.ts +10 -0
- package/dist/modules/runners/RunnerPoolController.d.ts.map +1 -0
- package/dist/modules/runners/RunnerPoolController.js +52 -0
- package/dist/modules/runners/RunnerPoolController.js.map +1 -0
- package/dist/modules/serviceFragmentDefaults/ServiceFragmentDefaultsController.d.ts +9 -0
- package/dist/modules/serviceFragmentDefaults/ServiceFragmentDefaultsController.d.ts.map +1 -0
- package/dist/modules/serviceFragmentDefaults/ServiceFragmentDefaultsController.js +32 -0
- package/dist/modules/serviceFragmentDefaults/ServiceFragmentDefaultsController.js.map +1 -0
- package/dist/modules/services/ServiceMountController.d.ts +11 -0
- package/dist/modules/services/ServiceMountController.d.ts.map +1 -0
- package/dist/modules/services/ServiceMountController.js +64 -0
- package/dist/modules/services/ServiceMountController.js.map +1 -0
- package/dist/modules/settings/WorkspaceSettingsController.d.ts +9 -0
- package/dist/modules/settings/WorkspaceSettingsController.d.ts.map +1 -0
- package/dist/modules/settings/WorkspaceSettingsController.js +32 -0
- package/dist/modules/settings/WorkspaceSettingsController.js.map +1 -0
- package/dist/modules/slack/SlackController.d.ts +17 -0
- package/dist/modules/slack/SlackController.d.ts.map +1 -0
- package/dist/modules/slack/SlackController.js +135 -0
- package/dist/modules/slack/SlackController.js.map +1 -0
- package/dist/modules/tasks/TaskSourceController.d.ts +9 -0
- package/dist/modules/tasks/TaskSourceController.d.ts.map +1 -0
- package/dist/modules/tasks/TaskSourceController.js +103 -0
- package/dist/modules/tasks/TaskSourceController.js.map +1 -0
- package/dist/modules/webSearch/WebSearchProxyController.d.ts +4 -0
- package/dist/modules/webSearch/WebSearchProxyController.d.ts.map +1 -0
- package/dist/modules/webSearch/WebSearchProxyController.js +78 -0
- package/dist/modules/webSearch/WebSearchProxyController.js.map +1 -0
- package/dist/modules/webSearch/upstreams.d.ts +50 -0
- package/dist/modules/webSearch/upstreams.d.ts.map +1 -0
- package/dist/modules/webSearch/upstreams.js +107 -0
- package/dist/modules/webSearch/upstreams.js.map +1 -0
- package/dist/modules/workspaces/WorkspaceController.d.ts +5 -0
- package/dist/modules/workspaces/WorkspaceController.d.ts.map +1 -0
- package/dist/modules/workspaces/WorkspaceController.js +167 -0
- package/dist/modules/workspaces/WorkspaceController.js.map +1 -0
- package/dist/observability/logger.d.ts +9 -0
- package/dist/observability/logger.d.ts.map +1 -0
- package/dist/observability/logger.js +39 -0
- package/dist/observability/logger.js.map +1 -0
- package/dist/persistence/mappers.d.ts +101 -0
- package/dist/persistence/mappers.d.ts.map +1 -0
- package/dist/persistence/mappers.js +260 -0
- package/dist/persistence/mappers.js.map +1 -0
- package/dist/runtime/escalateNotifications.d.ts +12 -0
- package/dist/runtime/escalateNotifications.d.ts.map +1 -0
- package/dist/runtime/escalateNotifications.js +25 -0
- package/dist/runtime/escalateNotifications.js.map +1 -0
- package/dist/runtime/gateways.d.ts +159 -0
- package/dist/runtime/gateways.d.ts.map +1 -0
- package/dist/runtime/gateways.js +2 -0
- package/dist/runtime/gateways.js.map +1 -0
- package/package.json +44 -0
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
// Ensure a per-task WORK BRANCH exists on the remote before any agent in a pipeline
|
|
2
|
+
// touches the repo. Every container agent for a task operates on one shared branch
|
|
3
|
+
// (`cat-factory/<blockId>`): the writers (spec-writer, coder, …) commit to it and the
|
|
4
|
+
// read-only design agents (architect, analysis) clone it so they read what the earlier
|
|
5
|
+
// writers already committed (e.g. the spec-writer's in-repo `spec/`).
|
|
6
|
+
//
|
|
7
|
+
// Two intents share this one helper:
|
|
8
|
+
// - WRITERS create the branch up front (a purely mechanical step — every writer
|
|
9
|
+
// eventually needs the branch — so we do it programmatically rather than relying on
|
|
10
|
+
// whichever agent writes first).
|
|
11
|
+
// - READ-ONLY agents only PROBE for it: they never write, so when the branch does not
|
|
12
|
+
// yet exist there is nothing on it to read and they must fall back to base. Probing
|
|
13
|
+
// (rather than creating) keeps a code-less pipeline from littering the repo with an
|
|
14
|
+
// empty `cat-factory/<blockId>` ref that no PR ever uses.
|
|
15
|
+
//
|
|
16
|
+
// Implemented as plain GitHub REST calls using the installation token the facade already
|
|
17
|
+
// mints. It deliberately does NOT go through the `GitHubClient` port: the port exposes no
|
|
18
|
+
// single-ref read (only paged `listBranches`, which can't reliably surface an arbitrary
|
|
19
|
+
// ref), whereas `GET /git/ref/heads/<branch>` resolves a ref in one call. It probes the
|
|
20
|
+
// work branch FIRST, so an already-present branch is reported ready in a single call
|
|
21
|
+
// regardless of whether the base ref can be resolved, and `create` never issues a
|
|
22
|
+
// redundant write. Idempotent: a create that races another and answers 422 "already
|
|
23
|
+
// exists" is treated as success — we never reset or move an existing branch. Best-effort:
|
|
24
|
+
// every failure path returns `false` (so callers fall back) but logs a warning first, so
|
|
25
|
+
// a silent degradation back to the base branch is observable in telemetry rather than
|
|
26
|
+
// invisible.
|
|
27
|
+
import { logger } from '../observability/logger.js';
|
|
28
|
+
const GITHUB_HEADERS = (token) => ({
|
|
29
|
+
authorization: `Bearer ${token}`,
|
|
30
|
+
accept: 'application/vnd.github+json',
|
|
31
|
+
'user-agent': 'cat-factory-server',
|
|
32
|
+
'x-github-api-version': '2022-11-28',
|
|
33
|
+
});
|
|
34
|
+
/**
|
|
35
|
+
* Encode a branch name for use in a `/git/ref/heads/<branch>` path. A branch can contain
|
|
36
|
+
* slashes (`feature/x`), which are real path separators in the ref API, so encode each
|
|
37
|
+
* segment individually rather than the whole name (which would turn `/` into `%2F` and
|
|
38
|
+
* break the lookup).
|
|
39
|
+
*/
|
|
40
|
+
function encodeBranchPath(branch) {
|
|
41
|
+
return branch.split('/').map(encodeURIComponent).join('/');
|
|
42
|
+
}
|
|
43
|
+
/**
|
|
44
|
+
* Ensure `branch` is present on the remote. Writers (`create !== false`) create it from
|
|
45
|
+
* `baseBranch`'s tip when absent; read-only callers (`create: false`) only report whether
|
|
46
|
+
* it already exists. Returns whether the work branch is present afterwards.
|
|
47
|
+
*/
|
|
48
|
+
export async function ensureWorkBranchViaRest(input) {
|
|
49
|
+
const apiBase = (input.apiBase ?? 'https://api.github.com').replace(/\/+$/, '');
|
|
50
|
+
const repoPath = `${apiBase}/repos/${input.owner}/${input.name}`;
|
|
51
|
+
const create = input.create !== false;
|
|
52
|
+
try {
|
|
53
|
+
// Probe the work branch first: if it already exists (an earlier step/run created it),
|
|
54
|
+
// it is ready in a single call — independent of whether the base ref resolves.
|
|
55
|
+
const probeRes = await fetch(`${repoPath}/git/ref/heads/${encodeBranchPath(input.branch)}`, {
|
|
56
|
+
headers: GITHUB_HEADERS(input.token),
|
|
57
|
+
});
|
|
58
|
+
if (probeRes.ok)
|
|
59
|
+
return true;
|
|
60
|
+
if (probeRes.status !== 404) {
|
|
61
|
+
logger.warn({ branch: input.branch, status: probeRes.status }, 'ensureWorkBranch: unexpected status probing work branch');
|
|
62
|
+
}
|
|
63
|
+
// Not present. Read-only callers stop here (a missing branch ⇒ use base); only writers
|
|
64
|
+
// create it.
|
|
65
|
+
if (!create)
|
|
66
|
+
return false;
|
|
67
|
+
// Resolve the base branch tip the work branch should fork from.
|
|
68
|
+
const baseRes = await fetch(`${repoPath}/git/ref/heads/${encodeBranchPath(input.baseBranch)}`, {
|
|
69
|
+
headers: GITHUB_HEADERS(input.token),
|
|
70
|
+
});
|
|
71
|
+
if (!baseRes.ok) {
|
|
72
|
+
logger.warn({ baseBranch: input.baseBranch, status: baseRes.status }, 'ensureWorkBranch: could not resolve base branch tip');
|
|
73
|
+
return false;
|
|
74
|
+
}
|
|
75
|
+
const baseJson = (await baseRes.json().catch(() => null));
|
|
76
|
+
const sha = baseJson?.object?.sha;
|
|
77
|
+
if (!sha) {
|
|
78
|
+
logger.warn({ baseBranch: input.baseBranch }, 'ensureWorkBranch: base ref had no sha');
|
|
79
|
+
return false;
|
|
80
|
+
}
|
|
81
|
+
const createRes = await fetch(`${repoPath}/git/refs`, {
|
|
82
|
+
method: 'POST',
|
|
83
|
+
headers: { ...GITHUB_HEADERS(input.token), 'content-type': 'application/json' },
|
|
84
|
+
body: JSON.stringify({ ref: `refs/heads/${input.branch}`, sha }),
|
|
85
|
+
});
|
|
86
|
+
// 201 created, or 422 "Reference already exists" (a race) — both mean it is present.
|
|
87
|
+
if (createRes.ok || createRes.status === 422)
|
|
88
|
+
return true;
|
|
89
|
+
logger.warn({ branch: input.branch, status: createRes.status }, 'ensureWorkBranch: failed to create work branch');
|
|
90
|
+
return false;
|
|
91
|
+
}
|
|
92
|
+
catch (err) {
|
|
93
|
+
logger.warn({ branch: input.branch, err }, 'ensureWorkBranch: request failed');
|
|
94
|
+
return false;
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
//# sourceMappingURL=ensureWorkBranch.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ensureWorkBranch.js","sourceRoot":"","sources":["../../src/github/ensureWorkBranch.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,mFAAmF;AACnF,sFAAsF;AACtF,uFAAuF;AACvF,sEAAsE;AACtE,EAAE;AACF,qCAAqC;AACrC,kFAAkF;AAClF,wFAAwF;AACxF,qCAAqC;AACrC,wFAAwF;AACxF,wFAAwF;AACxF,wFAAwF;AACxF,8DAA8D;AAC9D,EAAE;AACF,yFAAyF;AACzF,0FAA0F;AAC1F,wFAAwF;AACxF,wFAAwF;AACxF,qFAAqF;AACrF,kFAAkF;AAClF,oFAAoF;AACpF,0FAA0F;AAC1F,yFAAyF;AACzF,sFAAsF;AACtF,aAAa;AAEb,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AAsBnD,MAAM,cAAc,GAAG,CAAC,KAAa,EAAE,EAAE,CAAC,CAAC;IACzC,aAAa,EAAE,UAAU,KAAK,EAAE;IAChC,MAAM,EAAE,6BAA6B;IACrC,YAAY,EAAE,oBAAoB;IAClC,sBAAsB,EAAE,YAAY;CACrC,CAAC,CAAA;AAEF;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC5D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,KAA4B;IACxE,MAAM,OAAO,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,wBAAwB,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAC/E,MAAM,QAAQ,GAAG,GAAG,OAAO,UAAU,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAA;IAChE,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,KAAK,KAAK,CAAA;IACrC,IAAI,CAAC;QACH,sFAAsF;QACtF,+EAA+E;QAC/E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,kBAAkB,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE;YAC1F,OAAO,EAAE,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC;SACrC,CAAC,CAAA;QACF,IAAI,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAC5B,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,EACjD,yDAAyD,CAC1D,CAAA;QACH,CAAC;QAED,uFAAuF;QACvF,aAAa;QACb,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAA;QAEzB,gEAAgE;QAChE,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,kBAAkB,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,EAAE;YAC7F,OAAO,EAAE,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC;SACrC,CAAC,CAAA;QACF,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,CAAC,IAAI,CACT,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EACxD,qDAAqD,CACtD,CAAA;YACD,OAAO,KAAK,CAAA;QACd,CAAC;QACD,MAAM,QAAQ,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAEhD,CAAA;QACR,MAAM,GAAG,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,CAAA;QACjC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,EAAE,uCAAuC,CAAC,CAAA;YACtF,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,WAAW,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,cAAc,KAAK,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC;SACjE,CAAC,CAAA;QACF,qFAAqF;QACrF,IAAI,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAA;QACzD,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,EAClD,gDAAgD,CACjD,CAAA;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAA;QAC9E,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/** Claims carried through the install round-trip. */
|
|
2
|
+
export interface InstallState {
|
|
3
|
+
workspaceId: string;
|
|
4
|
+
/** Internal user id that initiated the install (null when auth is disabled). */
|
|
5
|
+
userId: string | null;
|
|
6
|
+
/** Absolute expiry, epoch ms. */
|
|
7
|
+
exp: number;
|
|
8
|
+
}
|
|
9
|
+
export declare class StateSigner {
|
|
10
|
+
private readonly secret;
|
|
11
|
+
private keyPromise?;
|
|
12
|
+
constructor(secret: string);
|
|
13
|
+
sign(state: InstallState): Promise<string>;
|
|
14
|
+
/** Return the claims if `state` carries a valid, unexpired signature, else null. */
|
|
15
|
+
verify(state: string | null): Promise<InstallState | null>;
|
|
16
|
+
private mac;
|
|
17
|
+
private importKey;
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=state.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../../src/github/state.ts"],"names":[],"mappings":"AAWA,qDAAqD;AACrD,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAA;IACnB,gFAAgF;IAChF,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,qBAAa,WAAW;IAGV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAFnC,OAAO,CAAC,UAAU,CAAC,CAAoB;IAEvC,YAA6B,MAAM,EAAE,MAAM,EAAI;IAEzC,IAAI,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/C;IAED,oFAAoF;IAC9E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAwB/D;YAEa,GAAG;IAKjB,OAAO,CAAC,SAAS;CAYlB"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
import { base64url, base64urlToBytes, timingSafeEqual } from '../crypto/encoding.js';
|
|
2
|
+
export class StateSigner {
|
|
3
|
+
secret;
|
|
4
|
+
keyPromise;
|
|
5
|
+
constructor(secret) {
|
|
6
|
+
this.secret = secret;
|
|
7
|
+
}
|
|
8
|
+
async sign(state) {
|
|
9
|
+
const body = base64url(JSON.stringify(state));
|
|
10
|
+
return `${body}.${base64url(await this.mac(body))}`;
|
|
11
|
+
}
|
|
12
|
+
/** Return the claims if `state` carries a valid, unexpired signature, else null. */
|
|
13
|
+
async verify(state) {
|
|
14
|
+
if (!state)
|
|
15
|
+
return null;
|
|
16
|
+
const dot = state.indexOf('.');
|
|
17
|
+
if (dot <= 0 || dot === state.length - 1)
|
|
18
|
+
return null;
|
|
19
|
+
const body = state.slice(0, dot);
|
|
20
|
+
// A malformed base64url signature must fail closed, not throw out of `atob`.
|
|
21
|
+
let provided;
|
|
22
|
+
try {
|
|
23
|
+
provided = base64urlToBytes(state.slice(dot + 1));
|
|
24
|
+
}
|
|
25
|
+
catch {
|
|
26
|
+
return null;
|
|
27
|
+
}
|
|
28
|
+
const expected = new Uint8Array(await this.mac(body));
|
|
29
|
+
if (!timingSafeEqual(provided, expected))
|
|
30
|
+
return null;
|
|
31
|
+
let payload;
|
|
32
|
+
try {
|
|
33
|
+
payload = JSON.parse(new TextDecoder().decode(base64urlToBytes(body)));
|
|
34
|
+
}
|
|
35
|
+
catch {
|
|
36
|
+
return null;
|
|
37
|
+
}
|
|
38
|
+
if (typeof payload.exp !== 'number' || payload.exp < Date.now())
|
|
39
|
+
return null;
|
|
40
|
+
if (typeof payload.workspaceId !== 'string' || payload.workspaceId === '')
|
|
41
|
+
return null;
|
|
42
|
+
return payload;
|
|
43
|
+
}
|
|
44
|
+
async mac(input) {
|
|
45
|
+
const key = await this.importKey();
|
|
46
|
+
return crypto.subtle.sign('HMAC', key, new TextEncoder().encode(input));
|
|
47
|
+
}
|
|
48
|
+
importKey() {
|
|
49
|
+
if (!this.keyPromise) {
|
|
50
|
+
this.keyPromise = crypto.subtle.importKey('raw', new TextEncoder().encode(this.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
|
|
51
|
+
}
|
|
52
|
+
return this.keyPromise;
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
//# sourceMappingURL=state.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"state.js","sourceRoot":"","sources":["../../src/github/state.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAoBpF,MAAM,OAAO,WAAW;IAGO,MAAM;IAF3B,UAAU,CAAqB;IAEvC,YAA6B,MAAc;sBAAd,MAAM;IAAW,CAAC;IAE/C,KAAK,CAAC,IAAI,CAAC,KAAmB;QAC5B,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAA;QAC7C,OAAO,GAAG,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAA;IACrD,CAAC;IAED,oFAAoF;IACpF,KAAK,CAAC,MAAM,CAAC,KAAoB;QAC/B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC9B,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QACrD,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;QAChC,6EAA6E;QAC7E,IAAI,QAAoB,CAAA;QACxB,IAAI,CAAC;YACH,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAA;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;QACrD,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAA;QAErD,IAAI,OAAqB,CAAA;QACzB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAiB,CAAA;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAA;QAC5E,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,IAAI,OAAO,CAAC,WAAW,KAAK,EAAE;YAAE,OAAO,IAAI,CAAA;QACtF,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,KAAK,CAAC,GAAG,CAAC,KAAa;QAC7B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAA;QAClC,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;IACzE,CAAC;IAEO,SAAS;QACf,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EACrC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;QACH,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;CACF"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import type { Hono } from 'hono';
|
|
2
|
+
import type { AppEnv } from './env.js';
|
|
3
|
+
/**
|
|
4
|
+
* Mount the default-deny session gate and the per-workspace authorization check.
|
|
5
|
+
*
|
|
6
|
+
* 1. Default-deny: every route requires a valid session EXCEPT {@link PUBLIC_PREFIXES}
|
|
7
|
+
* and the exact WS event-stream upgrade (a browser can't set `Authorization` on a
|
|
8
|
+
* WS handshake, so it authenticates via `?ticket=` inside its handler). The gate
|
|
9
|
+
* fails closed (503) when auth is unconfigured unless `AUTH_DEV_OPEN` is set, so
|
|
10
|
+
* production is always authenticated and any new route is protected by default.
|
|
11
|
+
* 2. Per-workspace authz: binds the signed-in user to the `:workspaceId` they address
|
|
12
|
+
* so one user cannot read or mutate a board outside the accounts they belong to. A
|
|
13
|
+
* board in an account the user doesn't belong to is reported as 404 (not 403) so
|
|
14
|
+
* existence isn't leaked. Runs only when a user is set (no-op for dev-open / the
|
|
15
|
+
* self-authenticating WS upgrade) and skips `/workspaces` (list/create, no `:id`).
|
|
16
|
+
*
|
|
17
|
+
* Call this AFTER the middleware that sets `container` on the context and BEFORE
|
|
18
|
+
* `registerCoreControllers`.
|
|
19
|
+
*/
|
|
20
|
+
export declare function mountAuthGate<E extends AppEnv>(app: Hono<E>): void;
|
|
21
|
+
//# sourceMappingURL=authGate.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authGate.d.ts","sourceRoot":"","sources":["../../src/http/authGate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AAuBtC;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAsClE"}
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
import { requireAuth } from '../auth/middleware.js';
|
|
2
|
+
// The runtime-neutral authentication + authorization gate, shared by every facade.
|
|
3
|
+
// Each facade builds its own app (CORS, the per-request container, runtime-specific
|
|
4
|
+
// controllers) and calls `mountAuthGate(app)` BEFORE `registerCoreControllers(app)` —
|
|
5
|
+
// so the security-critical default-deny + per-workspace ownership checks have ONE
|
|
6
|
+
// implementation and cannot drift between the Cloudflare Worker and the Node service.
|
|
7
|
+
// The gate reads the container the facade stashed on the context, so it works
|
|
8
|
+
// identically regardless of how that container was assembled.
|
|
9
|
+
// Routes that bypass the session gate: either public by necessity or carrying their
|
|
10
|
+
// own authentication.
|
|
11
|
+
// /health — liveness probe (no data).
|
|
12
|
+
// /auth — the login flow itself; can't require a session to obtain one.
|
|
13
|
+
// /v1 — container LLM proxy; authenticated by a model-locked session token
|
|
14
|
+
// (ContainerSessionService), not the workspace session.
|
|
15
|
+
// /github — GitHub webhooks + setup callback; verified by HMAC signature.
|
|
16
|
+
// /slack — Slack OAuth callback; the `state` is HMAC-signed + short-lived.
|
|
17
|
+
const PUBLIC_PREFIXES = ['/health', '/auth', '/v1', '/github', '/slack'];
|
|
18
|
+
/** The exact WebSocket-upgrade shape that self-authenticates via `?ticket=`. */
|
|
19
|
+
const WS_EVENTS_PATH = /^\/workspaces\/[^/]+\/events$/;
|
|
20
|
+
/**
|
|
21
|
+
* Mount the default-deny session gate and the per-workspace authorization check.
|
|
22
|
+
*
|
|
23
|
+
* 1. Default-deny: every route requires a valid session EXCEPT {@link PUBLIC_PREFIXES}
|
|
24
|
+
* and the exact WS event-stream upgrade (a browser can't set `Authorization` on a
|
|
25
|
+
* WS handshake, so it authenticates via `?ticket=` inside its handler). The gate
|
|
26
|
+
* fails closed (503) when auth is unconfigured unless `AUTH_DEV_OPEN` is set, so
|
|
27
|
+
* production is always authenticated and any new route is protected by default.
|
|
28
|
+
* 2. Per-workspace authz: binds the signed-in user to the `:workspaceId` they address
|
|
29
|
+
* so one user cannot read or mutate a board outside the accounts they belong to. A
|
|
30
|
+
* board in an account the user doesn't belong to is reported as 404 (not 403) so
|
|
31
|
+
* existence isn't leaked. Runs only when a user is set (no-op for dev-open / the
|
|
32
|
+
* self-authenticating WS upgrade) and skips `/workspaces` (list/create, no `:id`).
|
|
33
|
+
*
|
|
34
|
+
* Call this AFTER the middleware that sets `container` on the context and BEFORE
|
|
35
|
+
* `registerCoreControllers`.
|
|
36
|
+
*/
|
|
37
|
+
export function mountAuthGate(app) {
|
|
38
|
+
const gate = requireAuth();
|
|
39
|
+
app.use('*', (c, next) => {
|
|
40
|
+
if (c.req.method === 'OPTIONS')
|
|
41
|
+
return next();
|
|
42
|
+
const path = c.req.path;
|
|
43
|
+
if (c.req.method === 'GET' &&
|
|
44
|
+
c.req.header('Upgrade')?.toLowerCase() === 'websocket' &&
|
|
45
|
+
WS_EVENTS_PATH.test(path)) {
|
|
46
|
+
return next();
|
|
47
|
+
}
|
|
48
|
+
if (PUBLIC_PREFIXES.some((p) => path === p || path.startsWith(`${p}/`)))
|
|
49
|
+
return next();
|
|
50
|
+
return gate(c, next);
|
|
51
|
+
});
|
|
52
|
+
app.use('*', async (c, next) => {
|
|
53
|
+
if (c.req.method === 'OPTIONS')
|
|
54
|
+
return next();
|
|
55
|
+
const user = c.get('user');
|
|
56
|
+
if (!user)
|
|
57
|
+
return next();
|
|
58
|
+
const match = /^\/workspaces\/([^/]+)(?:\/.*)?$/.exec(c.req.path);
|
|
59
|
+
if (!match)
|
|
60
|
+
return next();
|
|
61
|
+
const workspaceId = decodeURIComponent(match[1]);
|
|
62
|
+
const container = c.get('container');
|
|
63
|
+
const accountId = await container.workspaceService.accountOf(workspaceId);
|
|
64
|
+
if (accountId === undefined)
|
|
65
|
+
return next(); // missing board → let the handler 404 normally
|
|
66
|
+
const notFound = () => c.json({ error: { code: 'not_found', message: 'Workspace not found' } }, 404);
|
|
67
|
+
if (accountId === null) {
|
|
68
|
+
// Legacy/unscoped board: only the user who personally owns it may access it.
|
|
69
|
+
const owner = await container.workspaceService.ownerOf(workspaceId);
|
|
70
|
+
return owner === user.id ? next() : notFound();
|
|
71
|
+
}
|
|
72
|
+
if (await container.accountService.isMember(accountId, user.id))
|
|
73
|
+
return next();
|
|
74
|
+
return notFound();
|
|
75
|
+
});
|
|
76
|
+
}
|
|
77
|
+
//# sourceMappingURL=authGate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authGate.js","sourceRoot":"","sources":["../../src/http/authGate.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAGnD,mFAAmF;AACnF,oFAAoF;AACpF,sFAAsF;AACtF,kFAAkF;AAClF,sFAAsF;AACtF,8EAA8E;AAC9E,8DAA8D;AAE9D,oFAAoF;AACpF,sBAAsB;AACtB,0CAA0C;AAC1C,8EAA8E;AAC9E,mFAAmF;AACnF,sEAAsE;AACtE,8EAA8E;AAC9E,gFAAgF;AAChF,MAAM,eAAe,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAA;AAExE,gFAAgF;AAChF,MAAM,cAAc,GAAG,+BAA+B,CAAA;AAEtD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,aAAa,CAAmB,GAAY;IAC1D,MAAM,IAAI,GAAG,WAAW,EAAK,CAAA;IAC7B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,EAAE,CAAA;QAC7C,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;QACvB,IACE,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK;YACtB,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,KAAK,WAAW;YACtD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EACzB,CAAC;YACD,OAAO,IAAI,EAAE,CAAA;QACf,CAAC;QACD,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAAE,OAAO,IAAI,EAAE,CAAA;QACtF,OAAO,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAA;IACtB,CAAC,CAAC,CAAA;IAEF,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7B,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,EAAE,CAAA;QAC7C,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC1B,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,EAAE,CAAA;QACxB,MAAM,KAAK,GAAG,kCAAkC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACjE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,EAAE,CAAA;QACzB,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;QACpC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAA;QACzE,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,IAAI,EAAE,CAAA,CAAC,+CAA+C;QAE1F,MAAM,QAAQ,GAAG,GAAG,EAAE,CACpB,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,qBAAqB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QAE/E,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,6EAA6E;YAC7E,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;YACnE,OAAO,KAAK,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;QAChD,CAAC;QACD,IAAI,MAAM,SAAS,CAAC,cAAc,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,EAAE,CAAA;QAC9E,OAAO,QAAQ,EAAE,CAAA;IACnB,CAAC,CAAC,CAAA;AACJ,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
/** Parse a comma-separated allowed-origins string into trimmed entries. */
|
|
2
|
+
export declare function parseAllowedOrigins(configured: string | undefined): string[];
|
|
3
|
+
/**
|
|
4
|
+
* Resolve the value for `Access-Control-Allow-Origin` for one request, given the
|
|
5
|
+
* request's `Origin` and the configured allowlist. Returns the origin to echo
|
|
6
|
+
* back (so it works without credentials), or `null` to omit the header.
|
|
7
|
+
*
|
|
8
|
+
* - No allowlist configured, or it contains `*` → allow any origin (echo it).
|
|
9
|
+
* - Otherwise → echo the origin only when it's explicitly listed.
|
|
10
|
+
* - No request Origin (non-browser caller) → `null`; CORS doesn't apply.
|
|
11
|
+
*/
|
|
12
|
+
export declare function resolveCorsOrigin(requestOrigin: string | undefined | null, configured: string | undefined): string | null;
|
|
13
|
+
//# sourceMappingURL=cors.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/http/cors.ts"],"names":[],"mappings":"AAMA,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,EAAE,CAK5E;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,aAAa,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACxC,UAAU,EAAE,MAAM,GAAG,SAAS,GAC7B,MAAM,GAAG,IAAI,CAKf"}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
// CORS origin policy. The set of allowed browser Origins is configuration, not
|
|
2
|
+
// code: this is a self-hosted system, so each provisioning org declares its own
|
|
3
|
+
// frontend origin(s) (comma-separated). A lone `*` — or no value at all — allows
|
|
4
|
+
// any origin, which is safe here because every route is bearer-gated and fails
|
|
5
|
+
// closed; pinning origins is defense-in-depth.
|
|
6
|
+
/** Parse a comma-separated allowed-origins string into trimmed entries. */
|
|
7
|
+
export function parseAllowedOrigins(configured) {
|
|
8
|
+
return (configured ?? '')
|
|
9
|
+
.split(',')
|
|
10
|
+
.map((origin) => origin.trim())
|
|
11
|
+
.filter(Boolean);
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Resolve the value for `Access-Control-Allow-Origin` for one request, given the
|
|
15
|
+
* request's `Origin` and the configured allowlist. Returns the origin to echo
|
|
16
|
+
* back (so it works without credentials), or `null` to omit the header.
|
|
17
|
+
*
|
|
18
|
+
* - No allowlist configured, or it contains `*` → allow any origin (echo it).
|
|
19
|
+
* - Otherwise → echo the origin only when it's explicitly listed.
|
|
20
|
+
* - No request Origin (non-browser caller) → `null`; CORS doesn't apply.
|
|
21
|
+
*/
|
|
22
|
+
export function resolveCorsOrigin(requestOrigin, configured) {
|
|
23
|
+
if (!requestOrigin)
|
|
24
|
+
return null;
|
|
25
|
+
const allowed = parseAllowedOrigins(configured);
|
|
26
|
+
if (allowed.length === 0 || allowed.includes('*'))
|
|
27
|
+
return requestOrigin;
|
|
28
|
+
return allowed.includes(requestOrigin) ? requestOrigin : null;
|
|
29
|
+
}
|
|
30
|
+
//# sourceMappingURL=cors.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/http/cors.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,gFAAgF;AAChF,iFAAiF;AACjF,+EAA+E;AAC/E,+CAA+C;AAE/C,2EAA2E;AAC3E,MAAM,UAAU,mBAAmB,CAAC,UAA8B;IAChE,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;SAC9B,MAAM,CAAC,OAAO,CAAC,CAAA;AACpB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAC/B,aAAwC,EACxC,UAA8B;IAE9B,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAA;IAC/B,MAAM,OAAO,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAA;IAC/C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,aAAa,CAAA;IACvE,OAAO,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAA;AAC/D,CAAC"}
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
import type { AgentRunRepository, ConsensusSessionRepository } from '@cat-factory/kernel';
|
|
2
|
+
import type { ApiKeyService, LocalModelEndpointService, PersonalSubscriptionService, ProviderSubscriptionService } from '@cat-factory/integrations';
|
|
3
|
+
import type { Core } from '@cat-factory/orchestration';
|
|
4
|
+
import type { SessionPayload } from '../auth/signing.js';
|
|
5
|
+
import type { AppConfig } from '../config/types.js';
|
|
6
|
+
import type { RuntimeGateways } from '../runtime/gateways.js';
|
|
7
|
+
export interface ServerContainer extends Core {
|
|
8
|
+
config: AppConfig;
|
|
9
|
+
/** Kind-spanning view over agent_runs (retry dispatch + the cron sweeper). */
|
|
10
|
+
agentRunRepository: AgentRunRepository;
|
|
11
|
+
/**
|
|
12
|
+
* Consensus session transcripts (the optional `@cat-factory/consensus` mechanism's
|
|
13
|
+
* observability surface). Present only when the facade wired the repository; the
|
|
14
|
+
* consensus read endpoint 404s when absent.
|
|
15
|
+
*/
|
|
16
|
+
consensusSessionRepository?: ConsensusSessionRepository;
|
|
17
|
+
/** Per-facade runtime seams (real-time delivery, …) the shared controllers use. */
|
|
18
|
+
gateways: RuntimeGateways;
|
|
19
|
+
/**
|
|
20
|
+
* The workspace subscription-token pool (Claude Code / Codex credentials).
|
|
21
|
+
* Present only when the facade wired the provider-subscription repository.
|
|
22
|
+
*/
|
|
23
|
+
subscriptions?: ProviderSubscriptionService;
|
|
24
|
+
/**
|
|
25
|
+
* The per-user individual-usage subscription store (Claude). Present only when the
|
|
26
|
+
* facade wired the personal-subscription repositories (needs ENCRYPTION_KEY). Drives
|
|
27
|
+
* the personal-credential controller + the run activation the executor leases.
|
|
28
|
+
*/
|
|
29
|
+
personalSubscriptions?: PersonalSubscriptionService;
|
|
30
|
+
/**
|
|
31
|
+
* The direct-provider API-key pool (OpenAI/Anthropic/Qwen/DeepSeek/Moonshot),
|
|
32
|
+
* scoped account/workspace/user. Present only when the facade wired the
|
|
33
|
+
* provider-api-key repository (needs ENCRYPTION_KEY). Drives the API-key
|
|
34
|
+
* controller, the per-scope model-provider resolver, and the LLM proxy's key lease.
|
|
35
|
+
*/
|
|
36
|
+
apiKeys?: ApiKeyService;
|
|
37
|
+
/**
|
|
38
|
+
* Whether the opt-in Cloudflare Workers AI provider lib is registered for this
|
|
39
|
+
* deployment (binding on the Worker, REST account/token on Node). When false, the
|
|
40
|
+
* `workers-ai` provider is unavailable and `cloudflare`-flavour catalog models are
|
|
41
|
+
* not selectable.
|
|
42
|
+
*/
|
|
43
|
+
cloudflareModelsEnabled?: boolean;
|
|
44
|
+
/**
|
|
45
|
+
* The deployment's direct-provider base-URL resolver (env override → built-in default,
|
|
46
|
+
* or null when none — e.g. an unconfigured operator-hosted LiteLLM gateway). The model
|
|
47
|
+
* catalog uses it to gate selectability: an OpenAI-compatible provider is only
|
|
48
|
+
* selectable once its base URL resolves, mirroring what the dispatch path requires.
|
|
49
|
+
*/
|
|
50
|
+
baseUrlFor?: (provider: string) => string | null | undefined;
|
|
51
|
+
/**
|
|
52
|
+
* The per-USER locally-run model endpoints store (Ollama / LM Studio / llama.cpp /
|
|
53
|
+
* vLLM / custom OpenAI-compatible runners). Present only when the facade wired the
|
|
54
|
+
* local-model repository (needs ENCRYPTION_KEY). Drives the local-runner controller,
|
|
55
|
+
* the per-user model catalog, and the LLM proxy's base-URL/key resolution for a
|
|
56
|
+
* locally-run model — resolved by the run initiator.
|
|
57
|
+
*/
|
|
58
|
+
localModelEndpoints?: LocalModelEndpointService;
|
|
59
|
+
}
|
|
60
|
+
/** Hono generics shared by the cross-runtime controllers (Variables only — no Bindings). */
|
|
61
|
+
export type AppEnv = {
|
|
62
|
+
Variables: {
|
|
63
|
+
container: ServerContainer;
|
|
64
|
+
/** The authenticated user, set by `requireAuth` when auth is enabled. */
|
|
65
|
+
user?: SessionPayload;
|
|
66
|
+
};
|
|
67
|
+
};
|
|
68
|
+
//# sourceMappingURL=env.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/http/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAA;AACzF,OAAO,KAAK,EACV,aAAa,EACb,yBAAyB,EACzB,2BAA2B,EAC3B,2BAA2B,EAC5B,MAAM,2BAA2B,CAAA;AAClC,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,4BAA4B,CAAA;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AACnD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAQ7D,MAAM,WAAW,eAAgB,SAAQ,IAAI;IAC3C,MAAM,EAAE,SAAS,CAAA;IACjB,8EAA8E;IAC9E,kBAAkB,EAAE,kBAAkB,CAAA;IACtC;;;;OAIG;IACH,0BAA0B,CAAC,EAAE,0BAA0B,CAAA;IACvD,mFAAmF;IACnF,QAAQ,EAAE,eAAe,CAAA;IACzB;;;OAGG;IACH,aAAa,CAAC,EAAE,2BAA2B,CAAA;IAC3C;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,2BAA2B,CAAA;IACnD;;;;;OAKG;IACH,OAAO,CAAC,EAAE,aAAa,CAAA;IACvB;;;;;OAKG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAA;IACjC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;IAC5D;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,yBAAyB,CAAA;CAChD;AAED,4FAA4F;AAC5F,MAAM,MAAM,MAAM,GAAG;IACnB,SAAS,EAAE;QACT,SAAS,EAAE,eAAe,CAAA;QAC1B,yEAAyE;QACzE,IAAI,CAAC,EAAE,cAAc,CAAA;KACtB,CAAA;CACF,CAAA"}
|
package/dist/http/env.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/http/env.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"errorHandler.d.ts","sourceRoot":"","sources":["../../src/http/errorHandler.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAanC,oEAAoE;AACpE,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,QAAQ,CA2BhE"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
import { DomainError } from '@cat-factory/kernel';
|
|
2
|
+
import { logger } from '../observability/logger.js';
|
|
3
|
+
const STATUS_BY_CODE = {
|
|
4
|
+
not_found: 404,
|
|
5
|
+
validation: 422,
|
|
6
|
+
conflict: 409,
|
|
7
|
+
// Precondition Required: a user-scoped personal credential (password/subscription)
|
|
8
|
+
// must be supplied before the action can proceed (individual-usage restricted mode).
|
|
9
|
+
credential_required: 428,
|
|
10
|
+
};
|
|
11
|
+
/** Maps domain errors to HTTP responses; anything else is a 500. */
|
|
12
|
+
export function handleError(error, c) {
|
|
13
|
+
if (error instanceof DomainError) {
|
|
14
|
+
return c.json({
|
|
15
|
+
error: {
|
|
16
|
+
code: error.code,
|
|
17
|
+
message: error.message,
|
|
18
|
+
...(error.details ? { details: error.details } : {}),
|
|
19
|
+
},
|
|
20
|
+
}, STATUS_BY_CODE[error.code]);
|
|
21
|
+
}
|
|
22
|
+
// Unexpected fault: log it with request context so it's traceable, but never
|
|
23
|
+
// leak internals to the client.
|
|
24
|
+
logger.error({
|
|
25
|
+
err: error instanceof Error
|
|
26
|
+
? { message: error.message, stack: error.stack }
|
|
27
|
+
: { message: String(error) },
|
|
28
|
+
method: c.req.method,
|
|
29
|
+
path: new URL(c.req.url).pathname,
|
|
30
|
+
}, 'unhandled request error');
|
|
31
|
+
return c.json({ error: { code: 'internal', message: 'Internal server error' } }, 500);
|
|
32
|
+
}
|
|
33
|
+
//# sourceMappingURL=errorHandler.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"errorHandler.js","sourceRoot":"","sources":["../../src/http/errorHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AAGjD,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AAEnD,MAAM,cAAc,GAAsD;IACxE,SAAS,EAAE,GAAG;IACd,UAAU,EAAE,GAAG;IACf,QAAQ,EAAE,GAAG;IACb,mFAAmF;IACnF,qFAAqF;IACrF,mBAAmB,EAAE,GAAG;CACzB,CAAA;AAED,oEAAoE;AACpE,MAAM,UAAU,WAAW,CAAC,KAAc,EAAE,CAAU;IACpD,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;QACjC,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE;gBACL,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACrD;SACF,EACD,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAC3B,CAAA;IACH,CAAC;IACD,6EAA6E;IAC7E,gCAAgC;IAChC,MAAM,CAAC,KAAK,CACV;QACE,GAAG,EACD,KAAK,YAAY,KAAK;YACpB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE;YAChD,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE;QAChC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM;QACpB,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;KAClC,EACD,yBAAyB,CAC1B,CAAA;IACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,uBAAuB,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;AACvF,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import type { Context } from 'hono';
|
|
2
|
+
/**
|
|
3
|
+
* Read a required path parameter. Controllers are mounted under a param prefix
|
|
4
|
+
* (`/workspaces/:workspaceId`), so Hono types the lookup as possibly undefined;
|
|
5
|
+
* a missing value would be a routing bug, surfaced here as a clear error.
|
|
6
|
+
*/
|
|
7
|
+
export declare function param(c: Context, name: string): string;
|
|
8
|
+
//# sourceMappingURL=params.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"params.d.ts","sourceRoot":"","sources":["../../src/http/params.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAEnC;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAItD"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import { ValidationError } from '@cat-factory/kernel';
|
|
2
|
+
/**
|
|
3
|
+
* Read a required path parameter. Controllers are mounted under a param prefix
|
|
4
|
+
* (`/workspaces/:workspaceId`), so Hono types the lookup as possibly undefined;
|
|
5
|
+
* a missing value would be a routing bug, surfaced here as a clear error.
|
|
6
|
+
*/
|
|
7
|
+
export function param(c, name) {
|
|
8
|
+
const value = c.req.param(name);
|
|
9
|
+
if (value === undefined)
|
|
10
|
+
throw new ValidationError(`Missing path parameter: ${name}`);
|
|
11
|
+
return value;
|
|
12
|
+
}
|
|
13
|
+
//# sourceMappingURL=params.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"params.js","sourceRoot":"","sources":["../../src/http/params.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAGrD;;;;GAIG;AACH,MAAM,UAAU,KAAK,CAAC,CAAU,EAAE,IAAY;IAC5C,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC/B,IAAI,KAAK,KAAK,SAAS;QAAE,MAAM,IAAI,eAAe,CAAC,2BAA2B,IAAI,EAAE,CAAC,CAAA;IACrF,OAAO,KAAK,CAAA;AACd,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { GenericSchema } from 'valibot';
|
|
2
|
+
export declare function jsonBody<T extends GenericSchema>(schema: T): import("hono").MiddlewareHandler<import("hono").Env, string, {
|
|
3
|
+
in: (undefined extends import("valibot").InferInput<T> ? true : false) extends true ? {
|
|
4
|
+
json?: (import("valibot").InferInput<T> extends infer T_1 ? T_1 extends import("valibot").InferInput<T> ? T_1 extends any ? T_1 : { [K2 in keyof T_1]?: any; } : never : never) | undefined;
|
|
5
|
+
} : {
|
|
6
|
+
json: import("valibot").InferInput<T> extends infer T_2 ? T_2 extends import("valibot").InferInput<T> ? T_2 extends any ? T_2 : { [K2 in keyof T_2]: any; } : never : never;
|
|
7
|
+
};
|
|
8
|
+
out: {
|
|
9
|
+
json: import("valibot").InferOutput<T>;
|
|
10
|
+
};
|
|
11
|
+
}>;
|
|
12
|
+
//# sourceMappingURL=validation.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/http/validation.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAK5C,wBAAgB,QAAQ,CAAC,CAAC,SAAS,aAAa,EAAE,MAAM,EAAE,CAAC;;;;;;;;;GAkB1D"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { vValidator } from '@hono/valibot-validator';
|
|
2
|
+
// Thin wrapper around @hono/valibot-validator that yields a consistent error
|
|
3
|
+
// envelope (matching the domain error handler) when a request body fails the
|
|
4
|
+
// contract, instead of the library default.
|
|
5
|
+
export function jsonBody(schema) {
|
|
6
|
+
return vValidator('json', schema, (result, c) => {
|
|
7
|
+
if (!result.success) {
|
|
8
|
+
return c.json({
|
|
9
|
+
error: {
|
|
10
|
+
code: 'validation',
|
|
11
|
+
message: 'Request body failed validation',
|
|
12
|
+
issues: result.issues.map((issue) => ({
|
|
13
|
+
path: issue.path?.map((p) => p.key).join('.'),
|
|
14
|
+
message: issue.message,
|
|
15
|
+
})),
|
|
16
|
+
},
|
|
17
|
+
}, 400);
|
|
18
|
+
}
|
|
19
|
+
});
|
|
20
|
+
}
|
|
21
|
+
//# sourceMappingURL=validation.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/http/validation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAGpD,6EAA6E;AAC7E,6EAA6E;AAC7E,4CAA4C;AAC5C,MAAM,UAAU,QAAQ,CAA0B,MAAS;IACzD,OAAO,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QAC9C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,KAAK,EAAE;oBACL,IAAI,EAAE,YAAY;oBAClB,OAAO,EAAE,gCAAgC;oBACzC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;wBACpC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;wBAC7C,OAAO,EAAE,KAAK,CAAC,OAAO;qBACvB,CAAC,CAAC;iBACJ;aACF,EACD,GAAG,CACJ,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
export { logger, type Logger } from './observability/logger.js';
|
|
2
|
+
export { type AppEnv, type ServerContainer } from './http/env.js';
|
|
3
|
+
export { type GitHubBackfillScheduler, type GitHubWebhookIngest, type LlmInProcessRequest, type LlmTokenUsage, type LlmUpstream, type LlmUpstreamEndpoint, type RealtimeGateway, type RuntimeGateways, type WebSearchResponse, type WebSearchResult, type WebSearchUpstream, } from './runtime/gateways.js';
|
|
4
|
+
export { BraveWebSearchUpstream, SearxngWebSearchUpstream, createWebSearchUpstreamFromEnv, DEFAULT_WEB_SEARCH_COUNT, } from './modules/webSearch/upstreams.js';
|
|
5
|
+
export { escalateStaleNotifications } from './runtime/escalateNotifications.js';
|
|
6
|
+
export { StateSigner, type InstallState } from './github/state.js';
|
|
7
|
+
export { GitHubOAuth, type GitHubOAuthDependencies, type GitHubIdentity, } from './auth/GitHubOAuth.js';
|
|
8
|
+
export { GoogleOAuth, type GoogleOAuthDependencies, type GoogleIdentity, } from './auth/GoogleOAuth.js';
|
|
9
|
+
export { WebCryptoPasswordHasher } from './crypto/WebCryptoPasswordHasher.js';
|
|
10
|
+
export { authController, pickPostLoginRedirect } from './modules/auth/AuthController.js';
|
|
11
|
+
export { llmProxyController } from './modules/llmProxy/LlmProxyController.js';
|
|
12
|
+
export { ContainerSessionService, DEFAULT_SESSION_TTL_MS, type ContainerSession, type MintInput, } from './containers/ContainerSessionService.js';
|
|
13
|
+
export { CompositeAgentExecutor } from './agents/CompositeAgentExecutor.js';
|
|
14
|
+
export { ContainerAgentExecutor, type ContainerAgentExecutorDependencies, type RepoTarget, type ResolveRepoTarget, type MintInstallationToken, type EnsureWorkBranch, } from './agents/ContainerAgentExecutor.js';
|
|
15
|
+
export { ensureWorkBranchViaRest, type EnsureWorkBranchInput } from './github/ensureWorkBranch.js';
|
|
16
|
+
export { RunnerJobClient, type ResolveRunnerTransport } from './agents/RunnerJobClient.js';
|
|
17
|
+
export { createScopedModelProviderResolver, type ScopedModelProviderOptions, } from './agents/modelProviderResolver.js';
|
|
18
|
+
export { resolveWorkspaceCapabilities, type CapabilityServices, } from './agents/providerCapabilities.js';
|
|
19
|
+
export { ContainerRepoBootstrapper, type ContainerRepoBootstrapperDependencies, } from './agents/ContainerRepoBootstrapper.js';
|
|
20
|
+
export { buildResolveRepoTarget, type ResolveRepoTargetDependencies, } from './agents/resolveRepoTarget.js';
|
|
21
|
+
export { bearerToken, requireAuth, verifySession } from './auth/middleware.js';
|
|
22
|
+
export { registerCoreControllers } from './app.js';
|
|
23
|
+
export { FanOutEventPublisher, type FanOutEventPublisherDependencies, } from './events/FanOutEventPublisher.js';
|
|
24
|
+
export { InAppNotificationChannel } from './events/InAppNotificationChannel.js';
|
|
25
|
+
export { mountAuthGate } from './http/authGate.js';
|
|
26
|
+
export { param } from './http/params.js';
|
|
27
|
+
export { jsonBody } from './http/validation.js';
|
|
28
|
+
export { handleError } from './http/errorHandler.js';
|
|
29
|
+
export { parseAllowedOrigins, resolveCorsOrigin } from './http/cors.js';
|
|
30
|
+
export { base64url, base64urlToBytes, pkcs8PemToDer, timingSafeEqual } from './crypto/encoding.js';
|
|
31
|
+
export { WebCryptoSecretCipher, type WebCryptoSecretCipherOptions, } from './crypto/WebCryptoSecretCipher.js';
|
|
32
|
+
export { WebCryptoPersonalSecretCipher } from './crypto/WebCryptoPersonalSecretCipher.js';
|
|
33
|
+
export { GitHubAppAuth, type GitHubAppAuthDependencies } from './github/GitHubAppAuth.js';
|
|
34
|
+
export { GitHubAppRegistry, type GitHubAppRegistryDependencies, type RegisteredApp, type AppTokenSource, } from './github/GitHubAppRegistry.js';
|
|
35
|
+
export { FetchGitHubClient, GitHubApiError, type FetchGitHubClientDependencies, } from './github/FetchGitHubClient.js';
|
|
36
|
+
export { FetchGitHubProvisioningClient, type FetchGitHubProvisioningClientDependencies, } from './github/FetchGitHubProvisioningClient.js';
|
|
37
|
+
export { WebCryptoWebhookVerifier } from './github/WebCryptoWebhookVerifier.js';
|
|
38
|
+
export { GitHubCiStatusProvider, type GitHubCiStatusProviderDependencies, } from './github/GitHubCiStatusProvider.js';
|
|
39
|
+
export { GitHubMergeabilityProvider, classifyMergeability, type GitHubMergeabilityProviderDependencies, } from './github/GitHubMergeabilityProvider.js';
|
|
40
|
+
export { GitHubPullRequestMerger, type GitHubPullRequestMergerDependencies, } from './github/GitHubPullRequestMerger.js';
|
|
41
|
+
export { HmacSigner, TOKEN_AUDIENCE, type SessionPayload, type SessionUser, type TokenAudience, } from './auth/signing.js';
|
|
42
|
+
export { WS_TICKET_TTL_MS, authorizeWsUpgrade, mintWsTicket, type WsTicket, type WsUpgradeAuth, } from './auth/wsTicket.js';
|
|
43
|
+
export type { AgentsConfig, AppConfig, AuthConfig, DatadogConfig, IncidentEnrichmentConfig, DocumentsConfig, EmailConfig, EnvironmentsConfig, ExecutionConfig, FragmentLibraryConfig, GitHubConfig, GoogleOAuthConfig, LangfuseConfig, ObservabilityConfig, PrivilegedAppConfig, RetentionConfig, RunnerPoolConfig, SlackConfig, TasksConfig, } from './config/types.js';
|
|
44
|
+
export { resolveUrlSafetyPolicy } from './config/url-safety.js';
|
|
45
|
+
export * from './persistence/mappers.js';
|
|
46
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAAE,KAAK,MAAM,EAAE,MAAM,2BAA2B,CAAA;AAC/D,OAAO,EAAE,KAAK,MAAM,EAAE,KAAK,eAAe,EAAE,MAAM,eAAe,CAAA;AACjE,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,iBAAiB,GACvB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,sBAAsB,EACtB,wBAAwB,EACxB,8BAA8B,EAC9B,wBAAwB,GACzB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAA;AAC/E,OAAO,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAClE,OAAO,EACL,WAAW,EACX,KAAK,uBAAuB,EAC5B,KAAK,cAAc,GACpB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,WAAW,EACX,KAAK,uBAAuB,EAC5B,KAAK,cAAc,GACpB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAA;AAC7E,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAA;AACxF,OAAO,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAA;AAC7E,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,gBAAgB,EACrB,KAAK,SAAS,GACf,MAAM,yCAAyC,CAAA;AAIhD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAA;AAC3E,OAAO,EACL,sBAAsB,EACtB,KAAK,kCAAkC,EACvC,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,GACtB,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EAAE,uBAAuB,EAAE,KAAK,qBAAqB,EAAE,MAAM,8BAA8B,CAAA;AAClG,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,MAAM,6BAA6B,CAAA;AAC1F,OAAO,EACL,iCAAiC,EACjC,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EACL,4BAA4B,EAC5B,KAAK,kBAAkB,GACxB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EACL,yBAAyB,EACzB,KAAK,qCAAqC,GAC3C,MAAM,uCAAuC,CAAA;AAC9C,OAAO,EACL,sBAAsB,EACtB,KAAK,6BAA6B,GACnC,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAC9E,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAClD,OAAO,EACL,oBAAoB,EACpB,KAAK,gCAAgC,GACtC,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAA;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAA;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAA;AACpD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AACvE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AAIlG,OAAO,EACL,qBAAqB,EACrB,KAAK,4BAA4B,GAClC,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,6BAA6B,EAAE,MAAM,2CAA2C,CAAA;AACzF,OAAO,EAAE,aAAa,EAAE,KAAK,yBAAyB,EAAE,MAAM,2BAA2B,CAAA;AACzF,OAAO,EACL,iBAAiB,EACjB,KAAK,6BAA6B,EAClC,KAAK,aAAa,EAClB,KAAK,cAAc,GACpB,MAAM,+BAA+B,CAAA;AAKtC,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,KAAK,6BAA6B,GACnC,MAAM,+BAA+B,CAAA;AAGtC,OAAO,EACL,6BAA6B,EAC7B,KAAK,yCAAyC,GAC/C,MAAM,2CAA2C,CAAA;AAClD,OAAO,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAA;AAC/E,OAAO,EACL,sBAAsB,EACtB,KAAK,kCAAkC,GACxC,MAAM,oCAAoC,CAAA;AAC3C,OAAO,EACL,0BAA0B,EAC1B,oBAAoB,EACpB,KAAK,sCAAsC,GAC5C,MAAM,wCAAwC,CAAA;AAC/C,OAAO,EACL,uBAAuB,EACvB,KAAK,mCAAmC,GACzC,MAAM,qCAAqC,CAAA;AAC5C,OAAO,EACL,UAAU,EACV,cAAc,EACd,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,aAAa,GACnB,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,YAAY,EACZ,KAAK,QAAQ,EACb,KAAK,aAAa,GACnB,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EACV,YAAY,EACZ,SAAS,EACT,UAAU,EACV,aAAa,EACb,wBAAwB,EACxB,eAAe,EACf,WAAW,EACX,kBAAkB,EAClB,eAAe,EACf,qBAAqB,EACrB,YAAY,EACZ,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,WAAW,GACZ,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAA;AAI/D,cAAc,0BAA0B,CAAA"}
|