npm - @cloudflare/sandbox - Versions diffs - 0.7.20 → 0.8.0 - Mend

@cloudflare/sandbox 0.7.20 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/{dist-CwUZf_TJ.js → dist-CmfvOT-w.js} +290 -75
package/dist/dist-CmfvOT-w.js.map +1 -0
package/dist/index.d.ts +3 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +654 -627
package/dist/index.js.map +1 -1
package/dist/openai/index.d.ts +1 -1
package/dist/openai/index.js +1 -1
package/dist/opencode/index.d.ts +1 -1
package/dist/opencode/index.d.ts.map +1 -1
package/dist/opencode/index.js +1 -1
package/dist/{sandbox-raa8coh3.d.ts → sandbox-DDDSuWA6.d.ts} +39 -24
package/dist/sandbox-DDDSuWA6.d.ts.map +1 -0
package/package.json +2 -2
package/dist/dist-CwUZf_TJ.js.map +0 -1
package/dist/sandbox-raa8coh3.d.ts.map +0 -1

package/dist/{dist-CwUZf_TJ.js → dist-CmfvOT-w.js} RENAMED Viewed

@@ -51,42 +51,25 @@ function partitionEnvVars(envVars) {
 }
 //#endregion
-//#region ../shared/dist/git.js
+//#region ../shared/dist/logger/sanitize.js
 /**
-* Fallback repository name used when URL parsing fails
+* Log-only sanitization helpers
+*
+* These functions redact sensitive values for logging output.
+* They MUST NOT be used to mutate command strings before execution.
 */
-const FALLBACK_REPO_NAME = "repository";
 /**
-* Extract repository name from a Git URL
-*
-* Supports multiple URL formats:
-* - HTTPS: https://github.com/user/repo.git → repo
-* - HTTPS without .git: https://github.com/user/repo → repo
-* - SSH: git@github.com:user/repo.git → repo
-* - GitLab/others: https://gitlab.com/org/project.git → project
-*
-* @param repoUrl - Git repository URL (HTTPS or SSH format)
-* @returns Repository name extracted from URL, or 'repository' as fallback
+* Sensitive query parameter names to redact from URLs.
+* Anchored to query string context ([?&]) to avoid matching path segments.
+* Value matching stops at & and common URL/command delimiters.
 */
-function extractRepoName(repoUrl) {
-	try {
-		const pathParts = new URL(repoUrl).pathname.split("/");
-		const lastPart = pathParts[pathParts.length - 1];
-		if (lastPart) return lastPart.replace(/\.git$/, "");
-	} catch {}
-	if (repoUrl.includes(":") || repoUrl.includes("/")) {
-		const segments = repoUrl.split(/[:/]/).filter(Boolean);
-		const lastSegment = segments[segments.length - 1];
-		if (lastSegment) return lastSegment.replace(/\.git$/, "");
-	}
-	return FALLBACK_REPO_NAME;
-}
+const SENSITIVE_PARAMS = /([?&])(X-Amz-Credential|X-Amz-Signature|X-Amz-Security-Token|token|secret|password)=[^&\s"'`<>]*/gi;
 /**
 * Redact credentials from URLs for secure logging
 *
 * Replaces any credentials (username:password, tokens, etc.) embedded
 * in URLs with ****** to prevent sensitive data exposure in logs.
-* Works with URLs embedded in text (e.g., "Error: https://token@github.com/repo.git failed")
+* Works with URLs embedded in text.
 *
 * @param text - String that may contain URLs with credentials
 * @returns String with credentials redacted from any URLs
@@ -123,11 +106,88 @@ function redactCredentials(text) {
 	return result;
 }
 /**
+* Redact sensitive query parameters from URLs
+*
+* Strips X-Amz-Credential, X-Amz-Signature, X-Amz-Security-Token,
+* token, secret, and password query params from URLs. Returns
+* non-URL strings unchanged.
+*
+* @param input - String that may contain URLs with sensitive params
+* @returns String with sensitive params replaced by REDACTED
+*/
+function redactSensitiveParams(input) {
+	if (!input.includes("?") || !input.includes("=")) return input;
+	return input.replace(SENSITIVE_PARAMS, "$1$2=REDACTED");
+}
+/**
+* Redact sensitive data from a command string for logging
+*
+* Composes redactCredentials (URL credentials) and redactSensitiveParams
+* (presigned URL query params). For log values only — never mutate
+* command strings before execution.
+*
+* @param command - Command string to sanitize for logging
+* @returns Sanitized command string
+*/
+function redactCommand(command) {
+	return redactSensitiveParams(redactCredentials(command));
+}
+/**
+* Truncate a string for log output with a truncation indicator
+*
+* @param value - String to potentially truncate
+* @param maxLen - Maximum length before truncation (default 120)
+* @returns Object with truncated value and boolean flag
+*/
+function truncateForLog(value, maxLen = 120) {
+	if (value.length <= maxLen) return {
+		value,
+		truncated: false
+	};
+	const cutoff = Math.max(0, maxLen - 3);
+	return {
+		value: `${value.substring(0, cutoff)}...`,
+		truncated: true
+	};
+}
+//#endregion
+//#region ../shared/dist/git.js
+/**
+* Fallback repository name used when URL parsing fails
+*/
+const FALLBACK_REPO_NAME = "repository";
+/**
+* Extract repository name from a Git URL
+*
+* Supports multiple URL formats:
+* - HTTPS: https://github.com/user/repo.git → repo
+* - HTTPS without .git: https://github.com/user/repo → repo
+* - SSH: git@github.com:user/repo.git → repo
+* - GitLab/others: https://gitlab.com/org/project.git → project
+*
+* @param repoUrl - Git repository URL (HTTPS or SSH format)
+* @returns Repository name extracted from URL, or 'repository' as fallback
+*/
+function extractRepoName(repoUrl) {
+	try {
+		const pathParts = new URL(repoUrl).pathname.split("/");
+		const lastPart = pathParts[pathParts.length - 1];
+		if (lastPart) return lastPart.replace(/\.git$/, "");
+	} catch {}
+	if (repoUrl.includes(":") || repoUrl.includes("/")) {
+		const segments = repoUrl.split(/[:/]/).filter(Boolean);
+		const lastSegment = segments[segments.length - 1];
+		if (lastSegment) return lastSegment.replace(/\.git$/, "");
+	}
+	return FALLBACK_REPO_NAME;
+}
+/**
 * Sanitize data by redacting credentials from any strings
 * Recursively processes objects and arrays to ensure credentials are never leaked
 */
 function sanitizeGitData(data) {
-	if (typeof data === "string") return redactCredentials(data);
+	if (typeof data === "string") return redactCommand(data);
 	if (data === null || data === void 0) return data;
 	if (Array.isArray(data)) return data.map((item) => sanitizeGitData(item));
 	if (typeof data === "object") {
@@ -150,9 +210,9 @@ var GitLogger = class GitLogger {
 	}
 	sanitizeError(error) {
 		if (!error) return error;
-		const sanitized = new Error(redactCredentials(error.message));
+		const sanitized = new Error(redactCommand(error.message));
 		sanitized.name = error.name;
-		if (error.stack) sanitized.stack = redactCredentials(error.stack);
+		if (error.stack) sanitized.stack = redactCommand(error.stack);
 		const sanitizedRecord = sanitized;
 		const errorRecord = error;
 		for (const key of Object.keys(error)) if (key !== "message" && key !== "stack" && key !== "name") sanitizedRecord[key] = sanitizeGitData(errorRecord[key]);
@@ -283,6 +343,128 @@ var ResultImpl = class {
 	}
 };
+//#endregion
+//#region ../shared/dist/logger/canonical.js
+/** Events that are low-value at info on success */
+const DEBUG_ON_SUCCESS = new Set([
+	"session.create",
+	"session.destroy",
+	"file.read",
+	"file.write",
+	"file.delete",
+	"file.mkdir"
+]);
+function resolveLogLevel(payload, options) {
+	if (payload.outcome === "error") return "error";
+	if (options?.successLevel) return options.successLevel;
+	if (payload.origin === "internal") return "debug";
+	if (DEBUG_ON_SUCCESS.has(payload.event)) return "debug";
+	return "info";
+}
+/**
+* Sanitize an Error object by redacting sensitive data from message and stack.
+* Produces a copy so the caller's original Error is not mutated.
+*/
+function sanitizeError(error) {
+	if (!error) return void 0;
+	const sanitized = new Error(redactCommand(error.message));
+	sanitized.name = error.name;
+	sanitized.stack = error.stack ? redactCommand(error.stack) : void 0;
+	return sanitized;
+}
+/**
+* Sanitize and prepare payload fields for both message building and context emission.
+* Called once by logCanonicalEvent to avoid double-redaction.
+*/
+function sanitizePayload(payload) {
+	if (payload.command === void 0) return { commandTruncated: false };
+	const { value, truncated } = truncateForLog(redactCommand(payload.command));
+	return {
+		sanitizedCommand: value,
+		commandTruncated: truncated
+	};
+}
+/**
+* Build a human-readable canonical event message for dashboards and log viewers.
+*
+* Format: `{event} {outcome} {key_context} [— {reason}] ({durationMs}ms[, {sizeBytes}B])`
+*
+* The if/else chain for key context has implicit priority: command > path >
+* sessionId > port > repoUrl > pid. If a payload has multiple, only the
+* highest-priority one appears in the message. All fields are still present
+* as discrete queryable keys in the structured log context.
+*/
+function buildMessage(payload, sanitizedCommand) {
+	const { event } = payload;
+	if (event === "version.check") {
+		const parts$1 = ["version.check"];
+		if (payload.sdkVersion) parts$1.push(`sdk=${payload.sdkVersion}`);
+		if (payload.containerVersion) parts$1.push(`container=${payload.containerVersion}`);
+		if (payload.versionOutcome && payload.versionOutcome !== "compatible") parts$1.push(`(${payload.versionOutcome})`);
+		return parts$1.join(" ");
+	}
+	const parts = [event, payload.outcome];
+	if (sanitizedCommand !== void 0) parts.push(sanitizedCommand);
+	else if (payload.command !== void 0) {
+		const { value } = truncateForLog(redactCommand(payload.command));
+		parts.push(value);
+	} else if (payload.path !== void 0) parts.push(payload.path);
+	else if (event.includes("session") && payload.sessionId !== void 0) parts.push(payload.sessionId);
+	else if (payload.port !== void 0) parts.push(String(payload.port));
+	else if (payload.repoUrl !== void 0) {
+		let gitContext = payload.repoUrl;
+		if (payload.branch !== void 0) gitContext += ` ${payload.branch}`;
+		parts.push(gitContext);
+	} else if (payload.pid !== void 0) parts.push(String(payload.pid));
+	else if (payload.backupId !== void 0) parts.push(payload.backupId);
+	else if (payload.repoPath !== void 0) {
+		let gitContext = payload.repoPath;
+		if (payload.branch !== void 0) gitContext += ` branch=${payload.branch}`;
+		parts.push(gitContext);
+	} else if (payload.mountsProcessed !== void 0) {
+		let destroyContext = `${payload.mountsProcessed} mounts`;
+		if (payload.mountFailures) destroyContext += `, ${payload.mountFailures} failed`;
+		parts.push(destroyContext);
+	} else if (payload.mountPath !== void 0) parts.push(payload.mountPath);
+	if (payload.outcome === "error") {
+		if (payload.errorMessage !== void 0) parts.push(`\u2014 ${payload.errorMessage}`);
+		else if (payload.exitCode !== void 0) parts.push(`\u2014 exitCode=${payload.exitCode}`);
+	}
+	const durationSuffix = payload.sizeBytes !== void 0 ? `(${payload.durationMs}ms, ${payload.sizeBytes}B)` : `(${payload.durationMs}ms)`;
+	parts.push(durationSuffix);
+	return parts.join(" ");
+}
+/**
+* Log a canonical event — the single entry point for all structured operational events.
+*
+* Sanitizes command fields once, builds the message, selects log level from
+* outcome, and emits a structured log entry with the full payload as context.
+*/
+function logCanonicalEvent(logger, payload, options) {
+	const resolvedErrorMessage = payload.errorMessage ?? payload.error?.message;
+	const sanitizedErrorMessage = resolvedErrorMessage ? redactCommand(resolvedErrorMessage) : void 0;
+	const enrichedPayload = sanitizedErrorMessage !== void 0 ? {
+		...payload,
+		errorMessage: sanitizedErrorMessage
+	} : payload;
+	const { sanitizedCommand, commandTruncated } = sanitizePayload(enrichedPayload);
+	const message = buildMessage(enrichedPayload, sanitizedCommand);
+	const context = {};
+	for (const [key, value] of Object.entries(enrichedPayload)) {
+		if (key === "error") continue;
+		context[key] = value;
+	}
+	if (sanitizedCommand !== void 0) {
+		context.command = sanitizedCommand;
+		if (commandTruncated) context.commandTruncated = true;
+	}
+	const level = resolveLogLevel(enrichedPayload, options);
+	if (level === "error") logger.error(message, sanitizeError(payload.error), context);
+	else if (level === "warn") logger.warn(message, context);
+	else if (level === "debug") logger.debug(message, context);
+	else logger.info(message, context);
+}
 //#endregion
 //#region ../shared/dist/logger/types.js
 /**
@@ -324,18 +506,18 @@ const COLORS = {
 var CloudflareLogger = class CloudflareLogger {
 	baseContext;
 	minLevel;
-	pretty;
+	outputMode;
 	/**
 	* Create a new CloudflareLogger
 	*
 	* @param baseContext Base context included in all log entries
 	* @param minLevel Minimum log level to output (default: INFO)
-	* @param pretty Enable pretty printing for human-readable output (default: false)
+	* @param outputMode How log entries are formatted and emitted (default: 'structured')
 	*/
-	constructor(baseContext, minLevel = LogLevel.INFO, pretty = false) {
+	constructor(baseContext, minLevel = LogLevel.INFO, outputMode = "structured") {
 		this.baseContext = baseContext;
 		this.minLevel = minLevel;
-		this.pretty = pretty;
+		this.outputMode = outputMode;
 	}
 	/**
 	* Log debug-level message
@@ -380,7 +562,7 @@ var CloudflareLogger = class CloudflareLogger {
 		return new CloudflareLogger({
 			...this.baseContext,
 			...context
-		}, this.minLevel, this.pretty);
+		}, this.minLevel, this.outputMode);
 	}
 	/**
 	* Check if a log level should be output
@@ -394,7 +576,7 @@ var CloudflareLogger = class CloudflareLogger {
 	buildLogData(level, message, context, error) {
 		const logData = {
 			level,
-			msg: message,
+			message,
 			...this.baseContext,
 			...context,
 			timestamp: (/* @__PURE__ */ new Date()).toISOString()
@@ -407,47 +589,75 @@ var CloudflareLogger = class CloudflareLogger {
 		return logData;
 	}
 	/**
-	* Output log data to console (pretty or JSON)
+	* Output log data using the configured output mode
 	*/
 	output(consoleFn, data) {
-		if (this.pretty) this.outputPretty(consoleFn, data);
-		else this.outputJson(consoleFn, data);
+		switch (this.outputMode) {
+			case "pretty":
+				this.outputPretty(consoleFn, data);
+				break;
+			case "json-line":
+				this.outputJsonLine(consoleFn, data);
+				break;
+			case "structured":
+				this.outputStructured(consoleFn, data);
+				break;
+		}
 	}
 	/**
-	* Output as JSON (production)
+	* Output as JSON string (container stdout — parsed by Containers pipeline)
 	*/
-	outputJson(consoleFn, data) {
+	outputJsonLine(consoleFn, data) {
 		consoleFn(JSON.stringify(data));
 	}
 	/**
+	* Output as raw object (Workers/DOs — Workers Logs auto-indexes fields)
+	*/
+	outputStructured(consoleFn, data) {
+		consoleFn(data);
+	}
+	/**
 	* Output as pretty-printed, colored text (development)
 	*
-	* Format: LEVEL [component] message (trace: tr_...) {context}
-	* Example: INFO [sandbox-do] Command started (trace: tr_7f3a9b2c) {commandId: "cmd-123"}
+	* Each log event is a single consoleFn() call so it appears as one entry
+	* in the Cloudflare dashboard. Context is rendered inline as compact key=value pairs.
+	*
+	* Format: LEVEL [component] message trace=tr_... key=value key=value
 	*/
 	outputPretty(consoleFn, data) {
-		const { level, msg, timestamp, traceId, component, sandboxId, sessionId, processId, commandId, operation, duration, error, ...rest } = data;
+		const { level, message: msg, timestamp, traceId, component, sandboxId, sessionId, processId, commandId, durationMs, serviceVersion, instanceId, error, ...rest } = data;
 		const levelStr = String(level || "INFO").toUpperCase();
 		const levelColor = this.getLevelColor(levelStr);
 		const componentBadge = component ? `[${component}]` : "";
-		const traceIdShort = traceId ? String(traceId).substring(0, 12) : "";
-		let logLine = `${levelColor}${levelStr.padEnd(5)}${COLORS.reset} ${componentBadge} ${msg}`;
-		if (traceIdShort) logLine += ` ${COLORS.dim}(trace: ${traceIdShort})${COLORS.reset}`;
-		const contextFields = [];
-		if (operation) contextFields.push(`operation: ${operation}`);
-		if (commandId) contextFields.push(`commandId: ${String(commandId).substring(0, 12)}`);
-		if (sandboxId) contextFields.push(`sandboxId: ${sandboxId}`);
-		if (sessionId) contextFields.push(`sessionId: ${String(sessionId).substring(0, 12)}`);
-		if (processId) contextFields.push(`processId: ${processId}`);
-		if (duration !== void 0) contextFields.push(`duration: ${duration}ms`);
-		if (contextFields.length > 0) logLine += ` ${COLORS.dim}{${contextFields.join(", ")}}${COLORS.reset}`;
-		consoleFn(logLine);
+		let logLine = `${timestamp ? `${COLORS.dim}${new Date(timestamp).toISOString().substring(11, 23)}${COLORS.reset} ` : ""}${levelColor}${levelStr.padEnd(5)}${COLORS.reset} ${componentBadge} ${msg}`;
+		const pairs = [];
+		if (traceId) pairs.push(`trace=${String(traceId).substring(0, 12)}`);
+		if (commandId) pairs.push(`cmd=${String(commandId).substring(0, 12)}`);
+		if (sandboxId) pairs.push(`sandbox=${sandboxId}`);
+		if (sessionId) pairs.push(`session=${String(sessionId).substring(0, 12)}`);
+		if (processId) pairs.push(`proc=${processId}`);
+		if (durationMs !== void 0) pairs.push(`dur=${durationMs}ms`);
+		for (const [key, value] of Object.entries(rest)) {
+			if (value === void 0 || value === null) continue;
+			const v = typeof value === "object" ? JSON.stringify(value) : this.sanitizePrettyValue(String(value));
+			pairs.push(`${key}=${v}`);
+		}
 		if (error && typeof error === "object") {
 			const errorObj = error;
-			if (errorObj.message) consoleFn(`  ${COLORS.error}Error: ${errorObj.message}${COLORS.reset}`);
-			if (errorObj.stack) consoleFn(`  ${COLORS.dim}${errorObj.stack}${COLORS.reset}`);
+			if (errorObj.name) pairs.push(`err.name=${this.sanitizePrettyValue(errorObj.name)}`);
+			if (errorObj.message) pairs.push(`err.msg=${this.sanitizePrettyValue(errorObj.message)}`);
+			if (errorObj.stack) pairs.push(`err.stack=${this.sanitizePrettyValue(errorObj.stack)}`);
 		}
-		if (Object.keys(rest).length > 0) consoleFn(`  ${COLORS.dim}${JSON.stringify(rest, null, 2)}${COLORS.reset}`);
+		if (pairs.length > 0) logLine += ` ${COLORS.dim}${pairs.join(" ")}${COLORS.reset}`;
+		consoleFn(logLine);
+	}
+	/**
+	* Collapse newlines so a single consoleFn() call stays on one line.
+	* Cloudflare's log pipeline splits on literal newlines, which fragments
+	* stack traces and multi-line error messages into separate entries.
+	*/
+	sanitizePrettyValue(value) {
+		return value.replace(/\r/g, "\\r").replace(/\n/g, "\\n");
 	}
 	/**
 	* Get ANSI color code for log level
@@ -527,8 +737,7 @@ var TraceContext = class TraceContext {
 *
 * Provides structured, trace-aware logging with:
 * - Explicit logger passing via constructor injection
-* - Pretty printing for local development
-* - JSON output for production
+* - Three output modes: structured (Workers/DOs), json-line (container), pretty (local dev)
 * - Environment auto-detection
 * - Log level configuration
 *
@@ -542,7 +751,7 @@ var TraceContext = class TraceContext {
 * const service = new MyService(logger);
 *
 * // Create child loggers for additional context
-* const execLogger = logger.child({ operation: 'exec', commandId: 'cmd-456' });
+* const execLogger = logger.child({ commandId: 'cmd-456' });
 * execLogger.info('Operation started');
 * ```
 */
@@ -598,12 +807,14 @@ function createNoOpLogger() {
 */
 function createLogger(context) {
 	const minLevel = getLogLevelFromEnv();
-	const pretty = isPrettyPrintEnabled();
+	const outputMode = getOutputMode(context.component);
 	return new CloudflareLogger({
 		...context,
 		traceId: context.traceId || TraceContext.generate(),
-		component: context.component
-	}, minLevel, pretty);
+		component: context.component,
+		serviceVersion: context.serviceVersion || getEnvVar("SANDBOX_VERSION") || void 0,
+		instanceId: context.instanceId || getEnvVar("HOSTNAME") || getEnvVar("SANDBOX_INSTANCE_ID") || void 0
+	}, minLevel, outputMode);
 }
 /**
 * Get log level from environment variable
@@ -621,16 +832,20 @@ function getLogLevelFromEnv() {
 	}
 }
 /**
-* Check if pretty printing should be enabled
+* Determine output mode based on component and environment:
+* - SANDBOX_LOG_FORMAT=pretty → 'pretty' for all components (local wrangler dev)
+* - Container/Executor without pretty → 'json-line' (Bun stdout → Containers pipeline)
+* - Everything else without pretty → 'structured' (Workers/DOs → Workers Logs)
 *
-* Checks SANDBOX_LOG_FORMAT env var, falls back to auto-detection:
-* - Local development: pretty (colored, human-readable)
-* - Production: json (structured)
+* In local dev, setting SANDBOX_LOG_FORMAT=pretty gives readable terminal
+* output on both the DO side and container side. In production (where the
+* var isn't set), DOs emit structured objects and containers emit single-line
+* JSON — both queryable by their respective observability pipelines.
 */
-function isPrettyPrintEnabled() {
-	const format = getEnvVar("SANDBOX_LOG_FORMAT");
-	if (format) return format.toLowerCase() === "pretty";
-	return false;
+function getOutputMode(component) {
+	if (getEnvVar("SANDBOX_LOG_FORMAT")?.toLowerCase() === "pretty") return "pretty";
+	if (component === "container" || component === "executor") return "json-line";
+	return "structured";
 }
 /**
 * Get environment variable value
@@ -756,5 +971,5 @@ function generateRequestId() {
 }
 //#endregion
-export { filterEnvVars as _, isExecResult as a, parseSSEFrames as c, createNoOpLogger as d, TraceContext as f, extractRepoName as g, GitLogger as h, isWSStreamChunk as i, shellEscape as l, ResultImpl as m, isWSError as n, isProcess as o, Execution as p, isWSResponse as r, isProcessStatus as s, generateRequestId as t, createLogger as u, getEnvString as v, partitionEnvVars as y };
-//# sourceMappingURL=dist-CwUZf_TJ.js.map
+export { extractRepoName as _, isExecResult as a, partitionEnvVars as b, parseSSEFrames as c, createNoOpLogger as d, TraceContext as f, GitLogger as g, ResultImpl as h, isWSStreamChunk as i, shellEscape as l, Execution as m, isWSError as n, isProcess as o, logCanonicalEvent as p, isWSResponse as r, isProcessStatus as s, generateRequestId as t, createLogger as u, filterEnvVars as v, getEnvString as y };
+//# sourceMappingURL=dist-CmfvOT-w.js.map

package/dist/dist-CmfvOT-w.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dist-CmfvOT-w.js","names":["parts","LogLevelEnum","LogLevelEnum"],"sources":["../../shared/dist/env.js","../../shared/dist/logger/sanitize.js","../../shared/dist/git.js","../../shared/dist/interpreter-types.js","../../shared/dist/logger/canonical.js","../../shared/dist/logger/types.js","../../shared/dist/logger/logger.js","../../shared/dist/logger/trace-context.js","../../shared/dist/logger/index.js","../../shared/dist/shell-escape.js","../../shared/dist/sse.js","../../shared/dist/types.js","../../shared/dist/ws-types.js"],"sourcesContent":["/**\n * Safely extract a string value from an environment object\n *\n * @param env - Environment object with dynamic keys\n * @param key - The environment variable key to access\n * @returns The string value if present and is a string, undefined otherwise\n */\nexport function getEnvString(env, key) {\n const value = env?.[key];\n return typeof value === 'string' ? value : undefined;\n}\n/**\n * Filter environment variables object to only include string values.\n * Skips undefined, null, and non-string values.\n *\n * Use this when you only need the defined values (e.g., for per-command env\n * where undefined means \"don't override\").\n *\n * @param envVars - Object that may contain undefined values\n * @returns Clean object with only string values\n */\nexport function filterEnvVars(envVars) {\n const filtered = {};\n for (const [key, value] of Object.entries(envVars)) {\n if (value != null && typeof value === 'string') {\n filtered[key] = value;\n }\n }\n return filtered;\n}\n/**\n * Partition environment variables into values to set and keys to unset.\n *\n * - String values → toSet (will be exported)\n * - undefined/null → toUnset (will be unset)\n *\n * This enables idiomatic JS patterns where undefined means \"remove\":\n * ```typescript\n * await sandbox.setEnvVars({\n * API_KEY: 'new-key', // will be set\n * OLD_VAR: undefined, // will be unset\n * });\n * ```\n */\nexport function partitionEnvVars(envVars) {\n const toSet = {};\n const toUnset = [];\n for (const [key, value] of Object.entries(envVars)) {\n if (value != null && typeof value === 'string') {\n toSet[key] = value;\n }\n else {\n toUnset.push(key);\n }\n }\n return { toSet, toUnset };\n}\n","/**\n * Log-only sanitization helpers\n *\n * These functions redact sensitive values for logging output.\n * They MUST NOT be used to mutate command strings before execution.\n */\n/**\n * Sensitive query parameter names to redact from URLs.\n * Anchored to query string context ([?&]) to avoid matching path segments.\n * Value matching stops at & and common URL/command delimiters.\n */\nconst SENSITIVE_PARAMS = /([?&])(X-Amz-Credential|X-Amz-Signature|X-Amz-Security-Token|token|secret|password)=[^&\\s\"'`<>]*/gi;\n/**\n * Redact credentials from URLs for secure logging\n *\n * Replaces any credentials (username:password, tokens, etc.) embedded\n * in URLs with ****** to prevent sensitive data exposure in logs.\n * Works with URLs embedded in text.\n *\n * @param text - String that may contain URLs with credentials\n * @returns String with credentials redacted from any URLs\n */\nexport function redactCredentials(text) {\n // Scan for http(s):// URLs and redact any credentials found\n let result = text;\n let pos = 0;\n while (pos < result.length) {\n const httpPos = result.indexOf('http://', pos);\n const httpsPos = result.indexOf('https://', pos);\n let protocolPos = -1;\n let protocolLen = 0;\n if (httpPos === -1 && httpsPos === -1)\n break;\n if (httpPos !== -1 && (httpsPos === -1 || httpPos < httpsPos)) {\n protocolPos = httpPos;\n protocolLen = 7; // 'http://'.length\n }\n else {\n protocolPos = httpsPos;\n protocolLen = 8; // 'https://'.length\n }\n // Look for @ after the protocol\n const searchStart = protocolPos + protocolLen;\n const atPos = result.indexOf('@', searchStart);\n // Find where the URL ends (whitespace, quotes, or structural delimiters)\n let urlEnd = searchStart;\n while (urlEnd < result.length) {\n const char = result[urlEnd];\n if (/[\\s\"'`<>,;{}[\\]]/.test(char))\n break;\n urlEnd++;\n }\n if (atPos !== -1 && atPos < urlEnd) {\n result = `${result.substring(0, searchStart)}******${result.substring(atPos)}`;\n pos = searchStart + 6; // Move past '******'\n }\n else {\n pos = protocolPos + protocolLen;\n }\n }\n return result;\n}\n/**\n * Redact sensitive query parameters from URLs\n *\n * Strips X-Amz-Credential, X-Amz-Signature, X-Amz-Security-Token,\n * token, secret, and password query params from URLs. Returns\n * non-URL strings unchanged.\n *\n * @param input - String that may contain URLs with sensitive params\n * @returns String with sensitive params replaced by REDACTED\n */\nexport function redactSensitiveParams(input) {\n if (!input.includes('?') || !input.includes('='))\n return input;\n return input.replace(SENSITIVE_PARAMS, '$1$2=REDACTED');\n}\n/**\n * Redact sensitive data from a command string for logging\n *\n * Composes redactCredentials (URL credentials) and redactSensitiveParams\n * (presigned URL query params). For log values only — never mutate\n * command strings before execution.\n *\n * @param command - Command string to sanitize for logging\n * @returns Sanitized command string\n */\nexport function redactCommand(command) {\n return redactSensitiveParams(redactCredentials(command));\n}\n/**\n * Truncate a string for log output with a truncation indicator\n *\n * @param value - String to potentially truncate\n * @param maxLen - Maximum length before truncation (default 120)\n * @returns Object with truncated value and boolean flag\n */\nexport function truncateForLog(value, maxLen = 120) {\n if (value.length <= maxLen) {\n return { value, truncated: false };\n }\n const cutoff = Math.max(0, maxLen - 3);\n return { value: `${value.substring(0, cutoff)}...`, truncated: true };\n}\n","import { redactCommand } from './logger/sanitize.js';\n/**\n * Fallback repository name used when URL parsing fails\n */\nexport const FALLBACK_REPO_NAME = 'repository';\n/**\n * Extract repository name from a Git URL\n *\n * Supports multiple URL formats:\n * - HTTPS: https://github.com/user/repo.git → repo\n * - HTTPS without .git: https://github.com/user/repo → repo\n * - SSH: git@github.com:user/repo.git → repo\n * - GitLab/others: https://gitlab.com/org/project.git → project\n *\n * @param repoUrl - Git repository URL (HTTPS or SSH format)\n * @returns Repository name extracted from URL, or 'repository' as fallback\n */\nexport function extractRepoName(repoUrl) {\n // Try parsing as standard URL (https://, http://)\n try {\n const url = new URL(repoUrl);\n const pathParts = url.pathname.split('/');\n const lastPart = pathParts[pathParts.length - 1];\n if (lastPart) {\n return lastPart.replace(/\\.git$/, '');\n }\n }\n catch {\n // Not a standard URL, try SSH format\n }\n // For SSH URLs (git@github.com:user/repo.git), split by : and / to get last segment\n // Only process if the URL contains path delimiters\n if (repoUrl.includes(':') || repoUrl.includes('/')) {\n const segments = repoUrl.split(/[:/]/).filter(Boolean);\n const lastSegment = segments[segments.length - 1];\n if (lastSegment) {\n return lastSegment.replace(/\\.git$/, '');\n }\n }\n return FALLBACK_REPO_NAME;\n}\n/**\n * Sanitize data by redacting credentials from any strings\n * Recursively processes objects and arrays to ensure credentials are never leaked\n */\nexport function sanitizeGitData(data) {\n // Handle primitives\n if (typeof data === 'string') {\n return redactCommand(data);\n }\n if (data === null || data === undefined) {\n return data;\n }\n // Handle arrays\n if (Array.isArray(data)) {\n return data.map((item) => sanitizeGitData(item));\n }\n // Handle objects - recursively sanitize all fields\n if (typeof data === 'object') {\n const result = {};\n for (const [key, value] of Object.entries(data)) {\n result[key] = sanitizeGitData(value);\n }\n return result;\n }\n return data;\n}\n/**\n * Logger wrapper that automatically sanitizes git credentials\n */\nexport class GitLogger {\n baseLogger;\n constructor(baseLogger) {\n this.baseLogger = baseLogger;\n }\n sanitizeContext(context) {\n return context\n ? sanitizeGitData(context)\n : context;\n }\n sanitizeError(error) {\n if (!error)\n return error;\n // Create a new error with sanitized message and stack\n const sanitized = new Error(redactCommand(error.message));\n sanitized.name = error.name;\n if (error.stack) {\n sanitized.stack = redactCommand(error.stack);\n }\n // Preserve other enumerable properties\n const sanitizedRecord = sanitized;\n const errorRecord = error;\n for (const key of Object.keys(error)) {\n if (key !== 'message' && key !== 'stack' && key !== 'name') {\n sanitizedRecord[key] = sanitizeGitData(errorRecord[key]);\n }\n }\n return sanitized;\n }\n debug(message, context) {\n this.baseLogger.debug(message, this.sanitizeContext(context));\n }\n info(message, context) {\n this.baseLogger.info(message, this.sanitizeContext(context));\n }\n warn(message, context) {\n this.baseLogger.warn(message, this.sanitizeContext(context));\n }\n error(message, error, context) {\n this.baseLogger.error(message, this.sanitizeError(error), this.sanitizeContext(context));\n }\n child(context) {\n const sanitized = sanitizeGitData(context);\n const childLogger = this.baseLogger.child(sanitized);\n return new GitLogger(childLogger);\n }\n}\n","// Execution Result Container\nexport class Execution {\n code;\n context;\n /**\n * All results from the execution\n */\n results = [];\n /**\n * Accumulated stdout and stderr\n */\n logs = {\n stdout: [],\n stderr: []\n };\n /**\n * Execution error if any\n */\n error;\n /**\n * Execution count (for interpreter)\n */\n executionCount;\n constructor(code, context) {\n this.code = code;\n this.context = context;\n }\n /**\n * Convert to a plain object for serialization\n */\n toJSON() {\n return {\n code: this.code,\n logs: this.logs,\n error: this.error,\n executionCount: this.executionCount,\n results: this.results.map((result) => ({\n text: result.text,\n html: result.html,\n png: result.png,\n jpeg: result.jpeg,\n svg: result.svg,\n latex: result.latex,\n markdown: result.markdown,\n javascript: result.javascript,\n json: result.json,\n chart: result.chart,\n data: result.data\n }))\n };\n }\n}\n// Implementation of Result\nexport class ResultImpl {\n raw;\n constructor(raw) {\n this.raw = raw;\n }\n get text() {\n return this.raw.text || this.raw.data?.['text/plain'];\n }\n get html() {\n return this.raw.html || this.raw.data?.['text/html'];\n }\n get png() {\n return this.raw.png || this.raw.data?.['image/png'];\n }\n get jpeg() {\n return this.raw.jpeg || this.raw.data?.['image/jpeg'];\n }\n get svg() {\n return this.raw.svg || this.raw.data?.['image/svg+xml'];\n }\n get latex() {\n return this.raw.latex || this.raw.data?.['text/latex'];\n }\n get markdown() {\n return this.raw.markdown || this.raw.data?.['text/markdown'];\n }\n get javascript() {\n return this.raw.javascript || this.raw.data?.['application/javascript'];\n }\n get json() {\n return this.raw.json || this.raw.data?.['application/json'];\n }\n get chart() {\n return this.raw.chart;\n }\n get data() {\n return this.raw.data;\n }\n formats() {\n const formats = [];\n if (this.text)\n formats.push('text');\n if (this.html)\n formats.push('html');\n if (this.png)\n formats.push('png');\n if (this.jpeg)\n formats.push('jpeg');\n if (this.svg)\n formats.push('svg');\n if (this.latex)\n formats.push('latex');\n if (this.markdown)\n formats.push('markdown');\n if (this.javascript)\n formats.push('javascript');\n if (this.json)\n formats.push('json');\n if (this.chart)\n formats.push('chart');\n return formats;\n }\n}\n","import { redactCommand, truncateForLog } from './sanitize.js';\n/** Events that are low-value at info on success */\nconst DEBUG_ON_SUCCESS = new Set([\n 'session.create',\n 'session.destroy',\n 'file.read',\n 'file.write',\n 'file.delete',\n 'file.mkdir'\n]);\nexport function resolveLogLevel(payload, options) {\n if (payload.outcome === 'error')\n return 'error';\n if (options?.successLevel)\n return options.successLevel;\n if (payload.origin === 'internal')\n return 'debug';\n if (DEBUG_ON_SUCCESS.has(payload.event))\n return 'debug';\n return 'info';\n}\n/**\n * Sanitize an Error object by redacting sensitive data from message and stack.\n * Produces a copy so the caller's original Error is not mutated.\n */\nfunction sanitizeError(error) {\n if (!error)\n return undefined;\n const sanitized = new Error(redactCommand(error.message));\n sanitized.name = error.name;\n sanitized.stack = error.stack ? redactCommand(error.stack) : undefined;\n return sanitized;\n}\n/**\n * Sanitize and prepare payload fields for both message building and context emission.\n * Called once by logCanonicalEvent to avoid double-redaction.\n */\nfunction sanitizePayload(payload) {\n if (payload.command === undefined) {\n return { commandTruncated: false };\n }\n const redacted = redactCommand(payload.command);\n const { value, truncated } = truncateForLog(redacted);\n return { sanitizedCommand: value, commandTruncated: truncated };\n}\n/**\n * Build a human-readable canonical event message for dashboards and log viewers.\n *\n * Format: `{event} {outcome} {key_context} [— {reason}] ({durationMs}ms[, {sizeBytes}B])`\n *\n * The if/else chain for key context has implicit priority: command > path >\n * sessionId > port > repoUrl > pid. If a payload has multiple, only the\n * highest-priority one appears in the message. All fields are still present\n * as discrete queryable keys in the structured log context.\n */\nexport function buildMessage(payload, sanitizedCommand) {\n const { event } = payload;\n // version.check has its own format: no outcome, no duration\n if (event === 'version.check') {\n const parts = ['version.check'];\n if (payload.sdkVersion)\n parts.push(`sdk=${payload.sdkVersion}`);\n if (payload.containerVersion)\n parts.push(`container=${payload.containerVersion}`);\n if (payload.versionOutcome && payload.versionOutcome !== 'compatible') {\n parts.push(`(${payload.versionOutcome})`);\n }\n return parts.join(' ');\n }\n const parts = [event, payload.outcome];\n // Key context — highest priority field shown in message\n if (sanitizedCommand !== undefined) {\n parts.push(sanitizedCommand);\n }\n else if (payload.command !== undefined) {\n // Fallback for direct buildMessage calls without pre-sanitized command\n const redacted = redactCommand(payload.command);\n const { value } = truncateForLog(redacted);\n parts.push(value);\n }\n else if (payload.path !== undefined) {\n parts.push(payload.path);\n }\n else if (event.includes('session') && payload.sessionId !== undefined) {\n parts.push(payload.sessionId);\n }\n else if (payload.port !== undefined) {\n parts.push(String(payload.port));\n }\n else if (payload.repoUrl !== undefined) {\n let gitContext = payload.repoUrl;\n if (payload.branch !== undefined) {\n gitContext += ` ${payload.branch}`;\n }\n parts.push(gitContext);\n }\n else if (payload.pid !== undefined) {\n parts.push(String(payload.pid));\n }\n else if (payload.backupId !== undefined) {\n parts.push(payload.backupId);\n }\n else if (payload.repoPath !== undefined) {\n let gitContext = payload.repoPath;\n if (payload.branch !== undefined) {\n gitContext += ` branch=${payload.branch}`;\n }\n parts.push(gitContext);\n }\n else if (payload.mountsProcessed !== undefined) {\n let destroyContext = `${payload.mountsProcessed} mounts`;\n if (payload.mountFailures)\n destroyContext += `, ${payload.mountFailures} failed`;\n parts.push(destroyContext);\n }\n else if (payload.mountPath !== undefined) {\n parts.push(payload.mountPath);\n }\n // Error reason after em-dash\n if (payload.outcome === 'error') {\n if (payload.errorMessage !== undefined) {\n parts.push(`\\u2014 ${payload.errorMessage}`);\n }\n else if (payload.exitCode !== undefined) {\n parts.push(`\\u2014 exitCode=${payload.exitCode}`);\n }\n }\n // Duration suffix (and optional size)\n const durationSuffix = payload.sizeBytes !== undefined\n ? `(${payload.durationMs}ms, ${payload.sizeBytes}B)`\n : `(${payload.durationMs}ms)`;\n parts.push(durationSuffix);\n return parts.join(' ');\n}\n/**\n * Log a canonical event — the single entry point for all structured operational events.\n *\n * Sanitizes command fields once, builds the message, selects log level from\n * outcome, and emits a structured log entry with the full payload as context.\n */\nexport function logCanonicalEvent(logger, payload, options) {\n // Auto-derive errorMessage from error.message when not explicitly set,\n // then sanitize to prevent credential leaks (e.g., presigned URLs in error strings)\n const resolvedErrorMessage = payload.errorMessage ?? payload.error?.message;\n const sanitizedErrorMessage = resolvedErrorMessage\n ? redactCommand(resolvedErrorMessage)\n : undefined;\n const enrichedPayload = sanitizedErrorMessage !== undefined\n ? { ...payload, errorMessage: sanitizedErrorMessage }\n : payload;\n // Sanitize once, use for both message and context\n const { sanitizedCommand, commandTruncated } = sanitizePayload(enrichedPayload);\n const message = buildMessage(enrichedPayload, sanitizedCommand);\n // Build context from enriched payload, excluding the error object (passed separately)\n const context = {};\n for (const [key, value] of Object.entries(enrichedPayload)) {\n if (key === 'error')\n continue;\n context[key] = value;\n }\n // Apply sanitized command to context\n if (sanitizedCommand !== undefined) {\n context.command = sanitizedCommand;\n if (commandTruncated) {\n context.commandTruncated = true;\n }\n }\n const level = resolveLogLevel(enrichedPayload, options);\n if (level === 'error') {\n logger.error(message, sanitizeError(payload.error), context);\n }\n else if (level === 'warn') {\n logger.warn(message, context);\n }\n else if (level === 'debug') {\n logger.debug(message, context);\n }\n else {\n logger.info(message, context);\n }\n}\n","/**\n * Logger types for Cloudflare Sandbox SDK\n *\n * Provides structured, trace-aware logging across Worker, Durable Object, and Container.\n */\n/**\n * Log levels (from most to least verbose)\n */\nexport var LogLevel;\n(function (LogLevel) {\n LogLevel[LogLevel[\"DEBUG\"] = 0] = \"DEBUG\";\n LogLevel[LogLevel[\"INFO\"] = 1] = \"INFO\";\n LogLevel[LogLevel[\"WARN\"] = 2] = \"WARN\";\n LogLevel[LogLevel[\"ERROR\"] = 3] = \"ERROR\";\n})(LogLevel || (LogLevel = {}));\n","/**\n * Logger implementation\n */\nimport { LogLevel as LogLevelEnum } from './types.js';\n/**\n * ANSI color codes for terminal output\n */\nconst COLORS = {\n reset: '\\x1b[0m',\n debug: '\\x1b[36m', // Cyan\n info: '\\x1b[32m', // Green\n warn: '\\x1b[33m', // Yellow\n error: '\\x1b[31m', // Red\n dim: '\\x1b[2m' // Dim\n};\n/**\n * CloudflareLogger implements structured logging with support for\n * both JSON output (production) and pretty printing (development).\n */\nexport class CloudflareLogger {\n baseContext;\n minLevel;\n outputMode;\n /**\n * Create a new CloudflareLogger\n *\n * @param baseContext Base context included in all log entries\n * @param minLevel Minimum log level to output (default: INFO)\n * @param outputMode How log entries are formatted and emitted (default: 'structured')\n */\n constructor(baseContext, minLevel = LogLevelEnum.INFO, outputMode = 'structured') {\n this.baseContext = baseContext;\n this.minLevel = minLevel;\n this.outputMode = outputMode;\n }\n /**\n * Log debug-level message\n */\n debug(message, context) {\n if (this.shouldLog(LogLevelEnum.DEBUG)) {\n const logData = this.buildLogData('debug', message, context);\n this.output(console.log, logData);\n }\n }\n /**\n * Log info-level message\n */\n info(message, context) {\n if (this.shouldLog(LogLevelEnum.INFO)) {\n const logData = this.buildLogData('info', message, context);\n this.output(console.log, logData);\n }\n }\n /**\n * Log warning-level message\n */\n warn(message, context) {\n if (this.shouldLog(LogLevelEnum.WARN)) {\n const logData = this.buildLogData('warn', message, context);\n this.output(console.warn, logData);\n }\n }\n /**\n * Log error-level message\n */\n error(message, error, context) {\n if (this.shouldLog(LogLevelEnum.ERROR)) {\n const logData = this.buildLogData('error', message, context, error);\n this.output(console.error, logData);\n }\n }\n /**\n * Create a child logger with additional context\n */\n child(context) {\n return new CloudflareLogger({ ...this.baseContext, ...context }, this.minLevel, this.outputMode);\n }\n /**\n * Check if a log level should be output\n */\n shouldLog(level) {\n return level >= this.minLevel;\n }\n /**\n * Build log data object\n */\n buildLogData(level, message, context, error) {\n const logData = {\n level,\n message,\n ...this.baseContext,\n ...context,\n timestamp: new Date().toISOString()\n };\n // Add error details if provided\n if (error) {\n logData.error = {\n message: error.message,\n stack: error.stack,\n name: error.name\n };\n }\n return logData;\n }\n /**\n * Output log data using the configured output mode\n */\n output(consoleFn, data) {\n switch (this.outputMode) {\n case 'pretty':\n this.outputPretty(consoleFn, data);\n break;\n case 'json-line':\n this.outputJsonLine(consoleFn, data);\n break;\n case 'structured':\n this.outputStructured(consoleFn, data);\n break;\n }\n }\n /**\n * Output as JSON string (container stdout — parsed by Containers pipeline)\n */\n outputJsonLine(consoleFn, data) {\n consoleFn(JSON.stringify(data));\n }\n /**\n * Output as raw object (Workers/DOs — Workers Logs auto-indexes fields)\n */\n outputStructured(consoleFn, data) {\n consoleFn(data);\n }\n /**\n * Output as pretty-printed, colored text (development)\n *\n * Each log event is a single consoleFn() call so it appears as one entry\n * in the Cloudflare dashboard. Context is rendered inline as compact key=value pairs.\n *\n * Format: LEVEL [component] message trace=tr_... key=value key=value\n */\n outputPretty(consoleFn, data) {\n const { level, message: msg, timestamp, traceId, component, sandboxId, sessionId, processId, commandId, durationMs, serviceVersion, instanceId, error, ...rest } = data;\n const levelStr = String(level || 'INFO').toUpperCase();\n const levelColor = this.getLevelColor(levelStr);\n const componentBadge = component ? `[${component}]` : '';\n const timeStr = timestamp\n ? `${COLORS.dim}${new Date(timestamp).toISOString().substring(11, 23)}${COLORS.reset} `\n : '';\n let logLine = `${timeStr}${levelColor}${levelStr.padEnd(5)}${COLORS.reset} ${componentBadge} ${msg}`;\n // Append all context as compact key=value pairs on the same line\n const pairs = [];\n if (traceId)\n pairs.push(`trace=${String(traceId).substring(0, 12)}`);\n if (commandId)\n pairs.push(`cmd=${String(commandId).substring(0, 12)}`);\n if (sandboxId)\n pairs.push(`sandbox=${sandboxId}`);\n if (sessionId)\n pairs.push(`session=${String(sessionId).substring(0, 12)}`);\n if (processId)\n pairs.push(`proc=${processId}`);\n if (durationMs !== undefined)\n pairs.push(`dur=${durationMs}ms`);\n // Append remaining context fields inline\n for (const [key, value] of Object.entries(rest)) {\n if (value === undefined || value === null)\n continue;\n const v = typeof value === 'object'\n ? JSON.stringify(value)\n : this.sanitizePrettyValue(String(value));\n pairs.push(`${key}=${v}`);\n }\n // Append error info inline\n if (error && typeof error === 'object') {\n const errorObj = error;\n if (errorObj.name)\n pairs.push(`err.name=${this.sanitizePrettyValue(errorObj.name)}`);\n if (errorObj.message)\n pairs.push(`err.msg=${this.sanitizePrettyValue(errorObj.message)}`);\n if (errorObj.stack)\n pairs.push(`err.stack=${this.sanitizePrettyValue(errorObj.stack)}`);\n }\n if (pairs.length > 0) {\n logLine += ` ${COLORS.dim}${pairs.join(' ')}${COLORS.reset}`;\n }\n // Single consoleFn call = single log entry in the dashboard\n consoleFn(logLine);\n }\n /**\n * Collapse newlines so a single consoleFn() call stays on one line.\n * Cloudflare's log pipeline splits on literal newlines, which fragments\n * stack traces and multi-line error messages into separate entries.\n */\n sanitizePrettyValue(value) {\n return value.replace(/\\r/g, '\\\\r').replace(/\\n/g, '\\\\n');\n }\n /**\n * Get ANSI color code for log level\n */\n getLevelColor(level) {\n const levelLower = level.toLowerCase();\n switch (levelLower) {\n case 'debug':\n return COLORS.debug;\n case 'info':\n return COLORS.info;\n case 'warn':\n return COLORS.warn;\n case 'error':\n return COLORS.error;\n default:\n return COLORS.reset;\n }\n }\n}\n","/**\n * Trace context utilities for request correlation\n *\n * Trace IDs enable correlating logs across distributed components:\n * Worker → Durable Object → Container → back\n *\n * The trace ID is propagated via the X-Trace-Id HTTP header.\n */\n/**\n * Utility for managing trace context across distributed components\n */\n// biome-ignore lint/complexity/noStaticOnlyClass: Keep as class for namespace grouping and discoverability\nexport class TraceContext {\n /**\n * HTTP header name for trace ID propagation\n */\n static TRACE_HEADER = 'X-Trace-Id';\n /**\n * Generate a new trace ID\n *\n * Format: \"tr_\" + 16 random hex characters\n * Example: \"tr_7f3a9b2c4e5d6f1a\"\n *\n * @returns Newly generated trace ID\n */\n static generate() {\n // Use crypto.randomUUID() for randomness, extract 16 hex chars\n const randomHex = crypto.randomUUID().replace(/-/g, '').substring(0, 16);\n return `tr_${randomHex}`;\n }\n /**\n * Extract trace ID from HTTP request headers\n *\n * @param headers Request headers\n * @returns Trace ID if present, null otherwise\n */\n static fromHeaders(headers) {\n return headers.get(TraceContext.TRACE_HEADER);\n }\n /**\n * Create headers object with trace ID for outgoing requests\n *\n * @param traceId Trace ID to include\n * @returns Headers object with X-Trace-Id set\n */\n static toHeaders(traceId) {\n return { [TraceContext.TRACE_HEADER]: traceId };\n }\n /**\n * Get the header name used for trace ID propagation\n *\n * @returns Header name (\"X-Trace-Id\")\n */\n static getHeaderName() {\n return TraceContext.TRACE_HEADER;\n }\n}\n","/**\n * Logger module\n *\n * Provides structured, trace-aware logging with:\n * - Explicit logger passing via constructor injection\n * - Three output modes: structured (Workers/DOs), json-line (container), pretty (local dev)\n * - Environment auto-detection\n * - Log level configuration\n *\n * Usage:\n *\n * ```typescript\n * // Create a logger at entry point\n * const logger = createLogger({ component: 'sandbox-do', traceId: 'tr_abc123' });\n *\n * // Pass to classes via constructor\n * const service = new MyService(logger);\n *\n * // Create child loggers for additional context\n * const execLogger = logger.child({ commandId: 'cmd-456' });\n * execLogger.info('Operation started');\n * ```\n */\nimport { CloudflareLogger } from './logger.js';\nimport { TraceContext } from './trace-context.js';\nimport { LogLevel as LogLevelEnum } from './types.js';\nexport { buildMessage, logCanonicalEvent, resolveLogLevel } from './canonical.js';\nexport { CloudflareLogger } from './logger.js';\nexport { TraceContext } from './trace-context.js';\nexport { LogLevel as LogLevelEnum } from './types.js';\n/**\n * Create a no-op logger for testing\n *\n * Returns a logger that implements the Logger interface but does nothing.\n * Useful for tests that don't need actual logging output.\n *\n * @returns No-op logger instance\n *\n * @example\n * ```typescript\n * // In tests\n * const client = new HttpClient({\n * baseUrl: 'http://test.com',\n * logger: createNoOpLogger() // Optional - tests can enable real logging if needed\n * });\n * ```\n */\nexport function createNoOpLogger() {\n return {\n debug: () => { },\n info: () => { },\n warn: () => { },\n error: () => { },\n child: () => createNoOpLogger()\n };\n}\n/**\n * Create a new logger instance\n *\n * @param context Base context for the logger. Must include 'component'.\n * TraceId will be auto-generated if not provided.\n * @returns New logger instance\n *\n * @example\n * ```typescript\n * // In Durable Object\n * const logger = createLogger({\n * component: 'sandbox-do',\n * traceId: TraceContext.fromHeaders(request.headers) || TraceContext.generate(),\n * sandboxId: this.id\n * });\n *\n * // In Container\n * const logger = createLogger({\n * component: 'container',\n * traceId: TraceContext.fromHeaders(request.headers)!,\n * sessionId: this.id\n * });\n * ```\n */\nexport function createLogger(context) {\n const minLevel = getLogLevelFromEnv();\n const outputMode = getOutputMode(context.component);\n const baseContext = {\n ...context,\n traceId: context.traceId || TraceContext.generate(),\n component: context.component,\n serviceVersion: context.serviceVersion || getEnvVar('SANDBOX_VERSION') || undefined,\n instanceId: context.instanceId ||\n getEnvVar('HOSTNAME') ||\n getEnvVar('SANDBOX_INSTANCE_ID') ||\n undefined\n };\n return new CloudflareLogger(baseContext, minLevel, outputMode);\n}\n/**\n * Get log level from environment variable\n *\n * Checks SANDBOX_LOG_LEVEL env var, falls back to default based on environment.\n * Default: 'debug' for development, 'info' for production\n */\nfunction getLogLevelFromEnv() {\n const envLevel = getEnvVar('SANDBOX_LOG_LEVEL') || 'info';\n switch (envLevel.toLowerCase()) {\n case 'debug':\n return LogLevelEnum.DEBUG;\n case 'info':\n return LogLevelEnum.INFO;\n case 'warn':\n return LogLevelEnum.WARN;\n case 'error':\n return LogLevelEnum.ERROR;\n default:\n // Invalid level, fall back to info\n return LogLevelEnum.INFO;\n }\n}\n/**\n * Determine output mode based on component and environment:\n * - SANDBOX_LOG_FORMAT=pretty → 'pretty' for all components (local wrangler dev)\n * - Container/Executor without pretty → 'json-line' (Bun stdout → Containers pipeline)\n * - Everything else without pretty → 'structured' (Workers/DOs → Workers Logs)\n *\n * In local dev, setting SANDBOX_LOG_FORMAT=pretty gives readable terminal\n * output on both the DO side and container side. In production (where the\n * var isn't set), DOs emit structured objects and containers emit single-line\n * JSON — both queryable by their respective observability pipelines.\n */\nfunction getOutputMode(component) {\n const format = getEnvVar('SANDBOX_LOG_FORMAT');\n if (format?.toLowerCase() === 'pretty') {\n return 'pretty';\n }\n if (component === 'container' || component === 'executor') {\n return 'json-line';\n }\n return 'structured';\n}\n/**\n * Get environment variable value\n *\n * Supports both Node.js (process.env) and Bun (Bun.env)\n */\nfunction getEnvVar(name) {\n // Try process.env first (Node.js / Bun)\n if (typeof process !== 'undefined' && process.env) {\n return process.env[name];\n }\n // Try Bun.env (Bun runtime)\n if (typeof Bun !== 'undefined') {\n const bunEnv = Bun.env;\n if (bunEnv) {\n return bunEnv[name];\n }\n }\n return undefined;\n}\n","/**\n * Escapes a string for safe use in shell commands using POSIX single-quote escaping.\n * Prevents command injection by wrapping the string in single quotes and escaping\n * any single quotes within the string.\n */\nexport function shellEscape(str) {\n return `'${str.replace(/'/g, \"'\\\\''\")}'`;\n}\n","/**\n * Shared SSE parsing utilities.\n *\n * Parses SSE frames from arbitrary text chunks while preserving partial state\n * across chunk boundaries.\n */\n/**\n * Parse SSE frames from a buffer.\n *\n * Returns parsed events, remaining unparsed text, and the current partial event\n * so callers can continue parsing on the next chunk.\n */\nexport function parseSSEFrames(buffer, currentEvent = { data: [] }) {\n const events = [];\n let i = 0;\n while (i < buffer.length) {\n const newlineIndex = buffer.indexOf('\\n', i);\n if (newlineIndex === -1)\n break;\n const rawLine = buffer.substring(i, newlineIndex);\n const line = rawLine.endsWith('\\r') ? rawLine.slice(0, -1) : rawLine;\n i = newlineIndex + 1;\n if (line === '' && currentEvent.data.length > 0) {\n events.push({\n event: currentEvent.event,\n data: currentEvent.data.join('\\n')\n });\n currentEvent = { data: [] };\n continue;\n }\n if (line.startsWith('event:')) {\n const value = line.startsWith('event: ')\n ? line.substring(7)\n : line.substring(6);\n currentEvent.event = value;\n continue;\n }\n if (line.startsWith('data:')) {\n const value = line.startsWith('data: ')\n ? line.substring(6)\n : line.substring(5);\n currentEvent.data.push(value);\n }\n }\n return {\n events,\n remaining: buffer.substring(i),\n currentEvent\n };\n}\n","/**\n * Check if a process status indicates the process has terminated\n */\nexport function isTerminalStatus(status) {\n return (status === 'completed' ||\n status === 'failed' ||\n status === 'killed' ||\n status === 'error');\n}\n// Type guards for runtime validation\nexport function isExecResult(value) {\n return (value &&\n typeof value.success === 'boolean' &&\n typeof value.exitCode === 'number' &&\n typeof value.stdout === 'string' &&\n typeof value.stderr === 'string');\n}\nexport function isProcess(value) {\n return (value &&\n typeof value.id === 'string' &&\n typeof value.command === 'string' &&\n typeof value.status === 'string');\n}\nexport function isProcessStatus(value) {\n return [\n 'starting',\n 'running',\n 'completed',\n 'failed',\n 'killed',\n 'error'\n ].includes(value);\n}\n// Re-export interpreter types for convenience\nexport { Execution, ResultImpl } from './interpreter-types';\n","/**\n * WebSocket transport protocol types\n *\n * Enables multiplexing HTTP-like requests over a single WebSocket connection.\n * This reduces sub-request count when running inside Workers/Durable Objects.\n *\n * Protocol:\n * - Client sends WSRequest messages\n * - Server responds with WSResponse messages (matched by id)\n * - For streaming endpoints, server sends multiple WSStreamChunk messages\n * followed by a final WSResponse\n */\n/**\n * Type guard for WSRequest\n *\n * Note: Only validates the discriminator field (type === 'request').\n * Does not validate other required fields (id, method, path).\n * Use for routing messages; trust TypeScript for field validation.\n */\nexport function isWSRequest(msg) {\n return (typeof msg === 'object' &&\n msg !== null &&\n 'type' in msg &&\n msg.type === 'request');\n}\n/**\n * Type guard for WSResponse\n *\n * Note: Only validates the discriminator field (type === 'response').\n */\nexport function isWSResponse(msg) {\n return (typeof msg === 'object' &&\n msg !== null &&\n 'type' in msg &&\n msg.type === 'response');\n}\n/**\n * Type guard for WSStreamChunk\n *\n * Note: Only validates the discriminator field (type === 'stream').\n */\nexport function isWSStreamChunk(msg) {\n return (typeof msg === 'object' &&\n msg !== null &&\n 'type' in msg &&\n msg.type === 'stream');\n}\n/**\n * Type guard for WSError\n *\n * Note: Only validates the discriminator field (type === 'error').\n */\nexport function isWSError(msg) {\n return (typeof msg === 'object' &&\n msg !== null &&\n 'type' in msg &&\n msg.type === 'error');\n}\n/**\n * Generate a unique request ID\n */\nexport function generateRequestId() {\n return `ws_${Date.now()}_${Math.random().toString(36).substring(2, 10)}`;\n}\n"],"mappings":";;;;;;;;AAOA,SAAgB,aAAa,KAAK,KAAK;CACnC,MAAM,QAAQ,MAAM;AACpB,QAAO,OAAO,UAAU,WAAW,QAAQ;;;;;;;;;;;;AAY/C,SAAgB,cAAc,SAAS;CACnC,MAAM,WAAW,EAAE;AACnB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,QAAQ,CAC9C,KAAI,SAAS,QAAQ,OAAO,UAAU,SAClC,UAAS,OAAO;AAGxB,QAAO;;;;;;;;;;;;;;;;AAgBX,SAAgB,iBAAiB,SAAS;CACtC,MAAM,QAAQ,EAAE;CAChB,MAAM,UAAU,EAAE;AAClB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,QAAQ,CAC9C,KAAI,SAAS,QAAQ,OAAO,UAAU,SAClC,OAAM,OAAO;KAGb,SAAQ,KAAK,IAAI;AAGzB,QAAO;EAAE;EAAO;EAAS;;;;;;;;;;;;;;;;AC5C7B,MAAM,mBAAmB;;;;;;;;;;;AAWzB,SAAgB,kBAAkB,MAAM;CAEpC,IAAI,SAAS;CACb,IAAI,MAAM;AACV,QAAO,MAAM,OAAO,QAAQ;EACxB,MAAM,UAAU,OAAO,QAAQ,WAAW,IAAI;EAC9C,MAAM,WAAW,OAAO,QAAQ,YAAY,IAAI;EAChD,IAAI,cAAc;EAClB,IAAI,cAAc;AAClB,MAAI,YAAY,MAAM,aAAa,GAC/B;AACJ,MAAI,YAAY,OAAO,aAAa,MAAM,UAAU,WAAW;AAC3D,iBAAc;AACd,iBAAc;SAEb;AACD,iBAAc;AACd,iBAAc;;EAGlB,MAAM,cAAc,cAAc;EAClC,MAAM,QAAQ,OAAO,QAAQ,KAAK,YAAY;EAE9C,IAAI,SAAS;AACb,SAAO,SAAS,OAAO,QAAQ;GAC3B,MAAM,OAAO,OAAO;AACpB,OAAI,mBAAmB,KAAK,KAAK,CAC7B;AACJ;;AAEJ,MAAI,UAAU,MAAM,QAAQ,QAAQ;AAChC,YAAS,GAAG,OAAO,UAAU,GAAG,YAAY,CAAC,QAAQ,OAAO,UAAU,MAAM;AAC5E,SAAM,cAAc;QAGpB,OAAM,cAAc;;AAG5B,QAAO;;;;;;;;;;;;AAYX,SAAgB,sBAAsB,OAAO;AACzC,KAAI,CAAC,MAAM,SAAS,IAAI,IAAI,CAAC,MAAM,SAAS,IAAI,CAC5C,QAAO;AACX,QAAO,MAAM,QAAQ,kBAAkB,gBAAgB;;;;;;;;;;;;AAY3D,SAAgB,cAAc,SAAS;AACnC,QAAO,sBAAsB,kBAAkB,QAAQ,CAAC;;;;;;;;;AAS5D,SAAgB,eAAe,OAAO,SAAS,KAAK;AAChD,KAAI,MAAM,UAAU,OAChB,QAAO;EAAE;EAAO,WAAW;EAAO;CAEtC,MAAM,SAAS,KAAK,IAAI,GAAG,SAAS,EAAE;AACtC,QAAO;EAAE,OAAO,GAAG,MAAM,UAAU,GAAG,OAAO,CAAC;EAAM,WAAW;EAAM;;;;;;;;AClGzE,MAAa,qBAAqB;;;;;;;;;;;;;AAalC,SAAgB,gBAAgB,SAAS;AAErC,KAAI;EAEA,MAAM,YADM,IAAI,IAAI,QAAQ,CACN,SAAS,MAAM,IAAI;EACzC,MAAM,WAAW,UAAU,UAAU,SAAS;AAC9C,MAAI,SACA,QAAO,SAAS,QAAQ,UAAU,GAAG;SAGvC;AAKN,KAAI,QAAQ,SAAS,IAAI,IAAI,QAAQ,SAAS,IAAI,EAAE;EAChD,MAAM,WAAW,QAAQ,MAAM,OAAO,CAAC,OAAO,QAAQ;EACtD,MAAM,cAAc,SAAS,SAAS,SAAS;AAC/C,MAAI,YACA,QAAO,YAAY,QAAQ,UAAU,GAAG;;AAGhD,QAAO;;;;;;AAMX,SAAgB,gBAAgB,MAAM;AAElC,KAAI,OAAO,SAAS,SAChB,QAAO,cAAc,KAAK;AAE9B,KAAI,SAAS,QAAQ,SAAS,OAC1B,QAAO;AAGX,KAAI,MAAM,QAAQ,KAAK,CACnB,QAAO,KAAK,KAAK,SAAS,gBAAgB,KAAK,CAAC;AAGpD,KAAI,OAAO,SAAS,UAAU;EAC1B,MAAM,SAAS,EAAE;AACjB,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,CAC3C,QAAO,OAAO,gBAAgB,MAAM;AAExC,SAAO;;AAEX,QAAO;;;;;AAKX,IAAa,YAAb,MAAa,UAAU;CACnB;CACA,YAAY,YAAY;AACpB,OAAK,aAAa;;CAEtB,gBAAgB,SAAS;AACrB,SAAO,UACD,gBAAgB,QAAQ,GACxB;;CAEV,cAAc,OAAO;AACjB,MAAI,CAAC,MACD,QAAO;EAEX,MAAM,YAAY,IAAI,MAAM,cAAc,MAAM,QAAQ,CAAC;AACzD,YAAU,OAAO,MAAM;AACvB,MAAI,MAAM,MACN,WAAU,QAAQ,cAAc,MAAM,MAAM;EAGhD,MAAM,kBAAkB;EACxB,MAAM,cAAc;AACpB,OAAK,MAAM,OAAO,OAAO,KAAK,MAAM,CAChC,KAAI,QAAQ,aAAa,QAAQ,WAAW,QAAQ,OAChD,iBAAgB,OAAO,gBAAgB,YAAY,KAAK;AAGhE,SAAO;;CAEX,MAAM,SAAS,SAAS;AACpB,OAAK,WAAW,MAAM,SAAS,KAAK,gBAAgB,QAAQ,CAAC;;CAEjE,KAAK,SAAS,SAAS;AACnB,OAAK,WAAW,KAAK,SAAS,KAAK,gBAAgB,QAAQ,CAAC;;CAEhE,KAAK,SAAS,SAAS;AACnB,OAAK,WAAW,KAAK,SAAS,KAAK,gBAAgB,QAAQ,CAAC;;CAEhE,MAAM,SAAS,OAAO,SAAS;AAC3B,OAAK,WAAW,MAAM,SAAS,KAAK,cAAc,MAAM,EAAE,KAAK,gBAAgB,QAAQ,CAAC;;CAE5F,MAAM,SAAS;EACX,MAAM,YAAY,gBAAgB,QAAQ;AAE1C,SAAO,IAAI,UADS,KAAK,WAAW,MAAM,UAAU,CACnB;;;;;;ACjHzC,IAAa,YAAb,MAAuB;CACnB;CACA;;;;CAIA,UAAU,EAAE;;;;CAIZ,OAAO;EACH,QAAQ,EAAE;EACV,QAAQ,EAAE;EACb;;;;CAID;;;;CAIA;CACA,YAAY,MAAM,SAAS;AACvB,OAAK,OAAO;AACZ,OAAK,UAAU;;;;;CAKnB,SAAS;AACL,SAAO;GACH,MAAM,KAAK;GACX,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,gBAAgB,KAAK;GACrB,SAAS,KAAK,QAAQ,KAAK,YAAY;IACnC,MAAM,OAAO;IACb,MAAM,OAAO;IACb,KAAK,OAAO;IACZ,MAAM,OAAO;IACb,KAAK,OAAO;IACZ,OAAO,OAAO;IACd,UAAU,OAAO;IACjB,YAAY,OAAO;IACnB,MAAM,OAAO;IACb,OAAO,OAAO;IACd,MAAM,OAAO;IAChB,EAAE;GACN;;;AAIT,IAAa,aAAb,MAAwB;CACpB;CACA,YAAY,KAAK;AACb,OAAK,MAAM;;CAEf,IAAI,OAAO;AACP,SAAO,KAAK,IAAI,QAAQ,KAAK,IAAI,OAAO;;CAE5C,IAAI,OAAO;AACP,SAAO,KAAK,IAAI,QAAQ,KAAK,IAAI,OAAO;;CAE5C,IAAI,MAAM;AACN,SAAO,KAAK,IAAI,OAAO,KAAK,IAAI,OAAO;;CAE3C,IAAI,OAAO;AACP,SAAO,KAAK,IAAI,QAAQ,KAAK,IAAI,OAAO;;CAE5C,IAAI,MAAM;AACN,SAAO,KAAK,IAAI,OAAO,KAAK,IAAI,OAAO;;CAE3C,IAAI,QAAQ;AACR,SAAO,KAAK,IAAI,SAAS,KAAK,IAAI,OAAO;;CAE7C,IAAI,WAAW;AACX,SAAO,KAAK,IAAI,YAAY,KAAK,IAAI,OAAO;;CAEhD,IAAI,aAAa;AACb,SAAO,KAAK,IAAI,cAAc,KAAK,IAAI,OAAO;;CAElD,IAAI,OAAO;AACP,SAAO,KAAK,IAAI,QAAQ,KAAK,IAAI,OAAO;;CAE5C,IAAI,QAAQ;AACR,SAAO,KAAK,IAAI;;CAEpB,IAAI,OAAO;AACP,SAAO,KAAK,IAAI;;CAEpB,UAAU;EACN,MAAM,UAAU,EAAE;AAClB,MAAI,KAAK,KACL,SAAQ,KAAK,OAAO;AACxB,MAAI,KAAK,KACL,SAAQ,KAAK,OAAO;AACxB,MAAI,KAAK,IACL,SAAQ,KAAK,MAAM;AACvB,MAAI,KAAK,KACL,SAAQ,KAAK,OAAO;AACxB,MAAI,KAAK,IACL,SAAQ,KAAK,MAAM;AACvB,MAAI,KAAK,MACL,SAAQ,KAAK,QAAQ;AACzB,MAAI,KAAK,SACL,SAAQ,KAAK,WAAW;AAC5B,MAAI,KAAK,WACL,SAAQ,KAAK,aAAa;AAC9B,MAAI,KAAK,KACL,SAAQ,KAAK,OAAO;AACxB,MAAI,KAAK,MACL,SAAQ,KAAK,QAAQ;AACzB,SAAO;;;;;;;AC/Gf,MAAM,mBAAmB,IAAI,IAAI;CAC7B;CACA;CACA;CACA;CACA;CACA;CACH,CAAC;AACF,SAAgB,gBAAgB,SAAS,SAAS;AAC9C,KAAI,QAAQ,YAAY,QACpB,QAAO;AACX,KAAI,SAAS,aACT,QAAO,QAAQ;AACnB,KAAI,QAAQ,WAAW,WACnB,QAAO;AACX,KAAI,iBAAiB,IAAI,QAAQ,MAAM,CACnC,QAAO;AACX,QAAO;;;;;;AAMX,SAAS,cAAc,OAAO;AAC1B,KAAI,CAAC,MACD,QAAO;CACX,MAAM,YAAY,IAAI,MAAM,cAAc,MAAM,QAAQ,CAAC;AACzD,WAAU,OAAO,MAAM;AACvB,WAAU,QAAQ,MAAM,QAAQ,cAAc,MAAM,MAAM,GAAG;AAC7D,QAAO;;;;;;AAMX,SAAS,gBAAgB,SAAS;AAC9B,KAAI,QAAQ,YAAY,OACpB,QAAO,EAAE,kBAAkB,OAAO;CAGtC,MAAM,EAAE,OAAO,cAAc,eADZ,cAAc,QAAQ,QAAQ,CACM;AACrD,QAAO;EAAE,kBAAkB;EAAO,kBAAkB;EAAW;;;;;;;;;;;;AAYnE,SAAgB,aAAa,SAAS,kBAAkB;CACpD,MAAM,EAAE,UAAU;AAElB,KAAI,UAAU,iBAAiB;EAC3B,MAAMA,UAAQ,CAAC,gBAAgB;AAC/B,MAAI,QAAQ,WACR,SAAM,KAAK,OAAO,QAAQ,aAAa;AAC3C,MAAI,QAAQ,iBACR,SAAM,KAAK,aAAa,QAAQ,mBAAmB;AACvD,MAAI,QAAQ,kBAAkB,QAAQ,mBAAmB,aACrD,SAAM,KAAK,IAAI,QAAQ,eAAe,GAAG;AAE7C,SAAOA,QAAM,KAAK,IAAI;;CAE1B,MAAM,QAAQ,CAAC,OAAO,QAAQ,QAAQ;AAEtC,KAAI,qBAAqB,OACrB,OAAM,KAAK,iBAAiB;UAEvB,QAAQ,YAAY,QAAW;EAGpC,MAAM,EAAE,UAAU,eADD,cAAc,QAAQ,QAAQ,CACL;AAC1C,QAAM,KAAK,MAAM;YAEZ,QAAQ,SAAS,OACtB,OAAM,KAAK,QAAQ,KAAK;UAEnB,MAAM,SAAS,UAAU,IAAI,QAAQ,cAAc,OACxD,OAAM,KAAK,QAAQ,UAAU;UAExB,QAAQ,SAAS,OACtB,OAAM,KAAK,OAAO,QAAQ,KAAK,CAAC;UAE3B,QAAQ,YAAY,QAAW;EACpC,IAAI,aAAa,QAAQ;AACzB,MAAI,QAAQ,WAAW,OACnB,eAAc,IAAI,QAAQ;AAE9B,QAAM,KAAK,WAAW;YAEjB,QAAQ,QAAQ,OACrB,OAAM,KAAK,OAAO,QAAQ,IAAI,CAAC;UAE1B,QAAQ,aAAa,OAC1B,OAAM,KAAK,QAAQ,SAAS;UAEvB,QAAQ,aAAa,QAAW;EACrC,IAAI,aAAa,QAAQ;AACzB,MAAI,QAAQ,WAAW,OACnB,eAAc,WAAW,QAAQ;AAErC,QAAM,KAAK,WAAW;YAEjB,QAAQ,oBAAoB,QAAW;EAC5C,IAAI,iBAAiB,GAAG,QAAQ,gBAAgB;AAChD,MAAI,QAAQ,cACR,mBAAkB,KAAK,QAAQ,cAAc;AACjD,QAAM,KAAK,eAAe;YAErB,QAAQ,cAAc,OAC3B,OAAM,KAAK,QAAQ,UAAU;AAGjC,KAAI,QAAQ,YAAY,SACpB;MAAI,QAAQ,iBAAiB,OACzB,OAAM,KAAK,UAAU,QAAQ,eAAe;WAEvC,QAAQ,aAAa,OAC1B,OAAM,KAAK,mBAAmB,QAAQ,WAAW;;CAIzD,MAAM,iBAAiB,QAAQ,cAAc,SACvC,IAAI,QAAQ,WAAW,MAAM,QAAQ,UAAU,MAC/C,IAAI,QAAQ,WAAW;AAC7B,OAAM,KAAK,eAAe;AAC1B,QAAO,MAAM,KAAK,IAAI;;;;;;;;AAQ1B,SAAgB,kBAAkB,QAAQ,SAAS,SAAS;CAGxD,MAAM,uBAAuB,QAAQ,gBAAgB,QAAQ,OAAO;CACpE,MAAM,wBAAwB,uBACxB,cAAc,qBAAqB,GACnC;CACN,MAAM,kBAAkB,0BAA0B,SAC5C;EAAE,GAAG;EAAS,cAAc;EAAuB,GACnD;CAEN,MAAM,EAAE,kBAAkB,qBAAqB,gBAAgB,gBAAgB;CAC/E,MAAM,UAAU,aAAa,iBAAiB,iBAAiB;CAE/D,MAAM,UAAU,EAAE;AAClB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,gBAAgB,EAAE;AACxD,MAAI,QAAQ,QACR;AACJ,UAAQ,OAAO;;AAGnB,KAAI,qBAAqB,QAAW;AAChC,UAAQ,UAAU;AAClB,MAAI,iBACA,SAAQ,mBAAmB;;CAGnC,MAAM,QAAQ,gBAAgB,iBAAiB,QAAQ;AACvD,KAAI,UAAU,QACV,QAAO,MAAM,SAAS,cAAc,QAAQ,MAAM,EAAE,QAAQ;UAEvD,UAAU,OACf,QAAO,KAAK,SAAS,QAAQ;UAExB,UAAU,QACf,QAAO,MAAM,SAAS,QAAQ;KAG9B,QAAO,KAAK,SAAS,QAAQ;;;;;;;;;;;;;AC1KrC,IAAW;CACV,SAAU,YAAU;AACjB,YAAS,WAAS,WAAW,KAAK;AAClC,YAAS,WAAS,UAAU,KAAK;AACjC,YAAS,WAAS,UAAU,KAAK;AACjC,YAAS,WAAS,WAAW,KAAK;GACnC,aAAa,WAAW,EAAE,EAAE;;;;;;;;;;ACP/B,MAAM,SAAS;CACX,OAAO;CACP,OAAO;CACP,MAAM;CACN,MAAM;CACN,OAAO;CACP,KAAK;CACR;;;;;AAKD,IAAa,mBAAb,MAAa,iBAAiB;CAC1B;CACA;CACA;;;;;;;;CAQA,YAAY,aAAa,WAAWC,SAAa,MAAM,aAAa,cAAc;AAC9E,OAAK,cAAc;AACnB,OAAK,WAAW;AAChB,OAAK,aAAa;;;;;CAKtB,MAAM,SAAS,SAAS;AACpB,MAAI,KAAK,UAAUA,SAAa,MAAM,EAAE;GACpC,MAAM,UAAU,KAAK,aAAa,SAAS,SAAS,QAAQ;AAC5D,QAAK,OAAO,QAAQ,KAAK,QAAQ;;;;;;CAMzC,KAAK,SAAS,SAAS;AACnB,MAAI,KAAK,UAAUA,SAAa,KAAK,EAAE;GACnC,MAAM,UAAU,KAAK,aAAa,QAAQ,SAAS,QAAQ;AAC3D,QAAK,OAAO,QAAQ,KAAK,QAAQ;;;;;;CAMzC,KAAK,SAAS,SAAS;AACnB,MAAI,KAAK,UAAUA,SAAa,KAAK,EAAE;GACnC,MAAM,UAAU,KAAK,aAAa,QAAQ,SAAS,QAAQ;AAC3D,QAAK,OAAO,QAAQ,MAAM,QAAQ;;;;;;CAM1C,MAAM,SAAS,OAAO,SAAS;AAC3B,MAAI,KAAK,UAAUA,SAAa,MAAM,EAAE;GACpC,MAAM,UAAU,KAAK,aAAa,SAAS,SAAS,SAAS,MAAM;AACnE,QAAK,OAAO,QAAQ,OAAO,QAAQ;;;;;;CAM3C,MAAM,SAAS;AACX,SAAO,IAAI,iBAAiB;GAAE,GAAG,KAAK;GAAa,GAAG;GAAS,EAAE,KAAK,UAAU,KAAK,WAAW;;;;;CAKpG,UAAU,OAAO;AACb,SAAO,SAAS,KAAK;;;;;CAKzB,aAAa,OAAO,SAAS,SAAS,OAAO;EACzC,MAAM,UAAU;GACZ;GACA;GACA,GAAG,KAAK;GACR,GAAG;GACH,4BAAW,IAAI,MAAM,EAAC,aAAa;GACtC;AAED,MAAI,MACA,SAAQ,QAAQ;GACZ,SAAS,MAAM;GACf,OAAO,MAAM;GACb,MAAM,MAAM;GACf;AAEL,SAAO;;;;;CAKX,OAAO,WAAW,MAAM;AACpB,UAAQ,KAAK,YAAb;GACI,KAAK;AACD,SAAK,aAAa,WAAW,KAAK;AAClC;GACJ,KAAK;AACD,SAAK,eAAe,WAAW,KAAK;AACpC;GACJ,KAAK;AACD,SAAK,iBAAiB,WAAW,KAAK;AACtC;;;;;;CAMZ,eAAe,WAAW,MAAM;AAC5B,YAAU,KAAK,UAAU,KAAK,CAAC;;;;;CAKnC,iBAAiB,WAAW,MAAM;AAC9B,YAAU,KAAK;;;;;;;;;;CAUnB,aAAa,WAAW,MAAM;EAC1B,MAAM,EAAE,OAAO,SAAS,KAAK,WAAW,SAAS,WAAW,WAAW,WAAW,WAAW,WAAW,YAAY,gBAAgB,YAAY,OAAO,GAAG,SAAS;EACnK,MAAM,WAAW,OAAO,SAAS,OAAO,CAAC,aAAa;EACtD,MAAM,aAAa,KAAK,cAAc,SAAS;EAC/C,MAAM,iBAAiB,YAAY,IAAI,UAAU,KAAK;EAItD,IAAI,UAAU,GAHE,YACV,GAAG,OAAO,MAAM,IAAI,KAAK,UAAU,CAAC,aAAa,CAAC,UAAU,IAAI,GAAG,GAAG,OAAO,MAAM,KACnF,KACqB,aAAa,SAAS,OAAO,EAAE,GAAG,OAAO,MAAM,GAAG,eAAe,GAAG;EAE/F,MAAM,QAAQ,EAAE;AAChB,MAAI,QACA,OAAM,KAAK,SAAS,OAAO,QAAQ,CAAC,UAAU,GAAG,GAAG,GAAG;AAC3D,MAAI,UACA,OAAM,KAAK,OAAO,OAAO,UAAU,CAAC,UAAU,GAAG,GAAG,GAAG;AAC3D,MAAI,UACA,OAAM,KAAK,WAAW,YAAY;AACtC,MAAI,UACA,OAAM,KAAK,WAAW,OAAO,UAAU,CAAC,UAAU,GAAG,GAAG,GAAG;AAC/D,MAAI,UACA,OAAM,KAAK,QAAQ,YAAY;AACnC,MAAI,eAAe,OACf,OAAM,KAAK,OAAO,WAAW,IAAI;AAErC,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,EAAE;AAC7C,OAAI,UAAU,UAAa,UAAU,KACjC;GACJ,MAAM,IAAI,OAAO,UAAU,WACrB,KAAK,UAAU,MAAM,GACrB,KAAK,oBAAoB,OAAO,MAAM,CAAC;AAC7C,SAAM,KAAK,GAAG,IAAI,GAAG,IAAI;;AAG7B,MAAI,SAAS,OAAO,UAAU,UAAU;GACpC,MAAM,WAAW;AACjB,OAAI,SAAS,KACT,OAAM,KAAK,YAAY,KAAK,oBAAoB,SAAS,KAAK,GAAG;AACrE,OAAI,SAAS,QACT,OAAM,KAAK,WAAW,KAAK,oBAAoB,SAAS,QAAQ,GAAG;AACvE,OAAI,SAAS,MACT,OAAM,KAAK,aAAa,KAAK,oBAAoB,SAAS,MAAM,GAAG;;AAE3E,MAAI,MAAM,SAAS,EACf,YAAW,IAAI,OAAO,MAAM,MAAM,KAAK,IAAI,GAAG,OAAO;AAGzD,YAAU,QAAQ;;;;;;;CAOtB,oBAAoB,OAAO;AACvB,SAAO,MAAM,QAAQ,OAAO,MAAM,CAAC,QAAQ,OAAO,MAAM;;;;;CAK5D,cAAc,OAAO;AAEjB,UADmB,MAAM,aAAa,EACtC;GACI,KAAK,QACD,QAAO,OAAO;GAClB,KAAK,OACD,QAAO,OAAO;GAClB,KAAK,OACD,QAAO,OAAO;GAClB,KAAK,QACD,QAAO,OAAO;GAClB,QACI,QAAO,OAAO;;;;;;;;;;;;;;;;;;ACvM9B,IAAa,eAAb,MAAa,aAAa;;;;CAItB,OAAO,eAAe;;;;;;;;;CAStB,OAAO,WAAW;AAGd,SAAO,MADW,OAAO,YAAY,CAAC,QAAQ,MAAM,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;;;;CAS5E,OAAO,YAAY,SAAS;AACxB,SAAO,QAAQ,IAAI,aAAa,aAAa;;;;;;;;CAQjD,OAAO,UAAU,SAAS;AACtB,SAAO,GAAG,aAAa,eAAe,SAAS;;;;;;;CAOnD,OAAO,gBAAgB;AACnB,SAAO,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACP5B,SAAgB,mBAAmB;AAC/B,QAAO;EACH,aAAa;EACb,YAAY;EACZ,YAAY;EACZ,aAAa;EACb,aAAa,kBAAkB;EAClC;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BL,SAAgB,aAAa,SAAS;CAClC,MAAM,WAAW,oBAAoB;CACrC,MAAM,aAAa,cAAc,QAAQ,UAAU;AAWnD,QAAO,IAAI,iBAVS;EAChB,GAAG;EACH,SAAS,QAAQ,WAAW,aAAa,UAAU;EACnD,WAAW,QAAQ;EACnB,gBAAgB,QAAQ,kBAAkB,UAAU,kBAAkB,IAAI;EAC1E,YAAY,QAAQ,cAChB,UAAU,WAAW,IACrB,UAAU,sBAAsB,IAChC;EACP,EACwC,UAAU,WAAW;;;;;;;;AAQlE,SAAS,qBAAqB;AAE1B,UADiB,UAAU,oBAAoB,IAAI,QAClC,aAAa,EAA9B;EACI,KAAK,QACD,QAAOC,SAAa;EACxB,KAAK,OACD,QAAOA,SAAa;EACxB,KAAK,OACD,QAAOA,SAAa;EACxB,KAAK,QACD,QAAOA,SAAa;EACxB,QAEI,QAAOA,SAAa;;;;;;;;;;;;;;AAchC,SAAS,cAAc,WAAW;AAE9B,KADe,UAAU,qBAAqB,EAClC,aAAa,KAAK,SAC1B,QAAO;AAEX,KAAI,cAAc,eAAe,cAAc,WAC3C,QAAO;AAEX,QAAO;;;;;;;AAOX,SAAS,UAAU,MAAM;AAErB,KAAI,OAAO,YAAY,eAAe,QAAQ,IAC1C,QAAO,QAAQ,IAAI;AAGvB,KAAI,OAAO,QAAQ,aAAa;EAC5B,MAAM,SAAS,IAAI;AACnB,MAAI,OACA,QAAO,OAAO;;;;;;;;;;;ACnJ1B,SAAgB,YAAY,KAAK;AAC7B,QAAO,IAAI,IAAI,QAAQ,MAAM,QAAQ,CAAC;;;;;;;;;;;;;;;;;ACM1C,SAAgB,eAAe,QAAQ,eAAe,EAAE,MAAM,EAAE,EAAE,EAAE;CAChE,MAAM,SAAS,EAAE;CACjB,IAAI,IAAI;AACR,QAAO,IAAI,OAAO,QAAQ;EACtB,MAAM,eAAe,OAAO,QAAQ,MAAM,EAAE;AAC5C,MAAI,iBAAiB,GACjB;EACJ,MAAM,UAAU,OAAO,UAAU,GAAG,aAAa;EACjD,MAAM,OAAO,QAAQ,SAAS,KAAK,GAAG,QAAQ,MAAM,GAAG,GAAG,GAAG;AAC7D,MAAI,eAAe;AACnB,MAAI,SAAS,MAAM,aAAa,KAAK,SAAS,GAAG;AAC7C,UAAO,KAAK;IACR,OAAO,aAAa;IACpB,MAAM,aAAa,KAAK,KAAK,KAAK;IACrC,CAAC;AACF,kBAAe,EAAE,MAAM,EAAE,EAAE;AAC3B;;AAEJ,MAAI,KAAK,WAAW,SAAS,EAAE;AAI3B,gBAAa,QAHC,KAAK,WAAW,UAAU,GAClC,KAAK,UAAU,EAAE,GACjB,KAAK,UAAU,EAAE;AAEvB;;AAEJ,MAAI,KAAK,WAAW,QAAQ,EAAE;GAC1B,MAAM,QAAQ,KAAK,WAAW,SAAS,GACjC,KAAK,UAAU,EAAE,GACjB,KAAK,UAAU,EAAE;AACvB,gBAAa,KAAK,KAAK,MAAM;;;AAGrC,QAAO;EACH;EACA,WAAW,OAAO,UAAU,EAAE;EAC9B;EACH;;;;;ACtCL,SAAgB,aAAa,OAAO;AAChC,QAAQ,SACJ,OAAO,MAAM,YAAY,aACzB,OAAO,MAAM,aAAa,YAC1B,OAAO,MAAM,WAAW,YACxB,OAAO,MAAM,WAAW;;AAEhC,SAAgB,UAAU,OAAO;AAC7B,QAAQ,SACJ,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,YAAY,YACzB,OAAO,MAAM,WAAW;;AAEhC,SAAgB,gBAAgB,OAAO;AACnC,QAAO;EACH;EACA;EACA;EACA;EACA;EACA;EACH,CAAC,SAAS,MAAM;;;;;;;;;;ACDrB,SAAgB,aAAa,KAAK;AAC9B,QAAQ,OAAO,QAAQ,YACnB,QAAQ,QACR,UAAU,OACV,IAAI,SAAS;;;;;;;AAOrB,SAAgB,gBAAgB,KAAK;AACjC,QAAQ,OAAO,QAAQ,YACnB,QAAQ,QACR,UAAU,OACV,IAAI,SAAS;;;;;;;AAOrB,SAAgB,UAAU,KAAK;AAC3B,QAAQ,OAAO,QAAQ,YACnB,QAAQ,QACR,UAAU,OACV,IAAI,SAAS;;;;;AAKrB,SAAgB,oBAAoB;AAChC,QAAO,MAAM,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG"}