@desplega.ai/agent-swarm 1.113.0 → 1.114.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (204) hide show
  1. package/README.md +2 -2
  2. package/dist/{actions-q4n7cz6e.js → actions-bm8vdxys.js} +7 -8
  3. package/dist/{app-es4nzc71.js → app-bhwdxmvp.js} +5 -5
  4. package/dist/{assistant-0x8ey0vs.js → assistant-15mp2apr.js} +18 -17
  5. package/dist/{boot-reembed-69agkhv6.js → boot-reembed-awr2179r.js} +6 -6
  6. package/dist/{boot-reembed-p0ny05t8.js → boot-reembed-b9sbk87z.js} +5 -5
  7. package/dist/{boot-scrub-logs-yybrkmvr.js → boot-scrub-logs-c1zsaw9m.js} +4 -4
  8. package/dist/{claude-adapter-mma9a1yr.js → claude-adapter-2k45y7p7.js} +2 -2
  9. package/dist/{claude-managed-adapter-pv2nbqy4.js → claude-managed-adapter-kysmkz89.js} +2 -2
  10. package/dist/cli-0kgcv878.js +344 -0
  11. package/dist/cli-0pygq9r1.js +429 -0
  12. package/dist/{cli-h3k622d0.js → cli-113wmegp.js} +90 -3
  13. package/dist/{cli-7ga43spr.js → cli-1yjrbg1f.js} +1 -1
  14. package/dist/{cli-r5g6ngtn.js → cli-2t4e4ayk.js} +1 -1
  15. package/dist/{cli-y4ycrnjc.js → cli-312v3c41.js} +1 -1
  16. package/dist/{cli-ceewqajw.js → cli-46b6kc7f.js} +5 -5
  17. package/dist/cli-49j095n9.js +393 -0
  18. package/dist/{cli-hjhvekf4.js → cli-5afkmcfj.js} +10 -7
  19. package/dist/{cli-bgvskydy.js → cli-5ktc9fd4.js} +1 -1
  20. package/dist/cli-7rgh0w0k.js +262 -0
  21. package/dist/{cli-9cy6nc5m.js → cli-8fjwym53.js} +1 -1
  22. package/dist/{cli-z46pnksz.js → cli-a6tzw6vq.js} +175 -28
  23. package/dist/{cli-q21d49ac.js → cli-bw80ck94.js} +1 -1
  24. package/dist/{cli-f3qa069v.js → cli-byjcad11.js} +1 -1
  25. package/dist/{cli-4xyj9jtq.js → cli-e2xbxmhd.js} +996 -470
  26. package/dist/{cli-6wscj9z0.js → cli-e7306swv.js} +14 -14
  27. package/dist/{cli-c3frqf65.js → cli-f5pzfvwb.js} +3 -3
  28. package/dist/{cli-30bbaveh.js → cli-f9n2jg31.js} +2 -2
  29. package/dist/{cli-dcfyyh3t.js → cli-ftyf58xj.js} +2 -2
  30. package/dist/{cli-trmapn9k.js → cli-hq39e630.js} +5 -5
  31. package/dist/{cli-y6mrptcn.js → cli-hvg05qwm.js} +1 -1
  32. package/dist/cli-jkhwmmgg.js +136 -0
  33. package/dist/{cli-ncfgsqbd.js → cli-jzwtn8rm.js} +77 -18
  34. package/dist/{cli-tbw13sx8.js → cli-k6h2zkw3.js} +1 -1
  35. package/dist/{cli-qwgtacd6.js → cli-pnfyyp6h.js} +1240 -335
  36. package/dist/{cli-gtkqc144.js → cli-q1z5d5ss.js} +13 -7
  37. package/dist/{cli-bnzbn8j8.js → cli-q4e2x252.js} +3 -3
  38. package/dist/{cli-mq580e06.js → cli-r3mtrrzp.js} +16 -16
  39. package/dist/{cli-ywez6yps.js → cli-sq7f72d6.js} +1 -1
  40. package/dist/{cli-36ymmpmp.js → cli-w3nq88yc.js} +2 -2
  41. package/dist/{cli-pwc5e83c.js → cli-w4wk3kx6.js} +12 -7
  42. package/dist/{cli-anrj584m.js → cli-xz9aq0rf.js} +1 -1
  43. package/dist/{cli-hsetkkd3.js → cli-zmmp2r79.js} +22 -9
  44. package/dist/cli.js +32 -15
  45. package/dist/{codex-adapter-5cmy858w.js → codex-adapter-4z8m9mb5.js} +9 -9
  46. package/dist/{codex-session-runner-46q8mrba.js → codex-session-runner-rbct46dg.js} +9 -9
  47. package/dist/{commands-z5dbwta3.js → commands-zk4d6esf.js} +4 -4
  48. package/dist/{db-bbgahh4z.js → db-stn16jp2.js} +4 -4
  49. package/dist/{handlers-6b44317z.js → handlers-gshprvpf.js} +16 -30
  50. package/dist/{hook-sbp5fmps.js → hook-amzx9tap.js} +7 -7
  51. package/dist/{http-2xz43gz3.js → http-6g0hfzax.js} +1659 -728
  52. package/dist/{index-wz1ea15p.js → index-2dgfj9av.js} +3 -3
  53. package/dist/{index-vfedgdw6.js → index-df8fmphk.js} +43 -16
  54. package/dist/{index-0gzmqj4k.js → index-f03rnnrs.js} +13 -10
  55. package/dist/{index-5ghxn8s6.js → index-jbm7qcqk.js} +12 -9
  56. package/dist/{index-ykvs43z4.js → index-t2snazez.js} +4 -4
  57. package/dist/{index-nhat35em.js → index-ty42rxw9.js} +14 -11
  58. package/dist/{keepalive-62gfj91d.js → keepalive-pm6g2wpw.js} +7 -6
  59. package/dist/{lead-ag0akn0v.js → lead-h79fzpzw.js} +33 -29
  60. package/dist/{maintenance-xxrrzk5x.js → maintenance-433zndy1.js} +6 -6
  61. package/dist/{mistral-conversations-26yrnbf1.js → mistral-conversations-7gqnz2wt.js} +7 -7
  62. package/dist/oauth-refresh-sweep-mjsbmsk2.js +114 -0
  63. package/dist/{onboard-64zyfcbs.js → onboard-vdr9hc3f.js} +2 -2
  64. package/dist/{otel-zjd9zaxs.js → otel-g299k41b.js} +2 -2
  65. package/dist/{otel-impl-b86qseaa.js → otel-impl-yswd0fty.js} +1 -1
  66. package/dist/{pi-mono-adapter-kxjxpfgy.js → pi-mono-adapter-vbrvg1p8.js} +16 -108
  67. package/dist/{pricing-refresh-cgtkffpa.js → pricing-refresh-2kk2ap9b.js} +6 -6
  68. package/dist/rbac-roles-2wgh9b5t.js +276 -0
  69. package/dist/rbac-roles-xdc5208b.js +28 -0
  70. package/dist/{seed-pricing-1r1y1xkq.js → seed-pricing-m9h69d2t.js} +5 -5
  71. package/dist/{setup-mkcgkjf7.js → setup-eynkvafa.js} +2 -2
  72. package/dist/{worker-351sze63.js → worker-136q8dc2.js} +33 -29
  73. package/openapi.json +1320 -17
  74. package/package.json +3 -3
  75. package/src/agentmail/handlers.ts +16 -6
  76. package/src/agentmail/templates.ts +25 -5
  77. package/src/be/audit-user.ts +28 -4
  78. package/src/be/db-queries/oauth.ts +42 -0
  79. package/src/be/db.ts +61 -8
  80. package/src/be/identity.ts +79 -0
  81. package/src/be/mcp-proxy.ts +132 -0
  82. package/src/be/migrations/109_rbac_roles.sql +79 -0
  83. package/src/be/migrations/111_oauth_credential_bindings.sql +6 -0
  84. package/src/be/migrations/112_script_connections_graphql.sql +96 -0
  85. package/src/be/oauth-credential-bindings.ts +35 -0
  86. package/src/be/oauth-refresh-sweep.ts +159 -0
  87. package/src/be/rbac-audit.ts +41 -13
  88. package/src/be/rbac-roles.ts +417 -0
  89. package/src/be/script-connections.ts +456 -37
  90. package/src/be/script-credential-broker.ts +29 -3
  91. package/src/be/scripts/typecheck.ts +40 -7
  92. package/src/be/users.ts +24 -0
  93. package/src/cli.tsx +17 -0
  94. package/src/github/handlers.ts +10 -9
  95. package/src/github/templates.ts +45 -9
  96. package/src/gitlab/handlers.ts +20 -8
  97. package/src/gitlab/templates.ts +18 -6
  98. package/src/http/all-routes.ts +3 -0
  99. package/src/http/approval-requests.ts +12 -0
  100. package/src/http/config.ts +44 -10
  101. package/src/http/core.ts +30 -3
  102. package/src/http/index.ts +25 -1
  103. package/src/http/mcp-oauth.ts +2 -0
  104. package/src/http/mcp-servers.ts +6 -3
  105. package/src/http/oauth-generic.ts +105 -0
  106. package/src/http/poll.ts +13 -1
  107. package/src/http/script-connection-proxy.ts +116 -0
  108. package/src/http/script-connections.ts +1657 -0
  109. package/src/http/scripts.ts +21 -7
  110. package/src/http/tasks.ts +16 -14
  111. package/src/http/x.ts +6 -2
  112. package/src/integrations/kapso/inbound.ts +23 -6
  113. package/src/jira/sync.ts +111 -17
  114. package/src/jira/templates.ts +10 -2
  115. package/src/mcp-client/http-client.ts +194 -0
  116. package/src/oauth/app-validation.ts +16 -0
  117. package/src/oauth/ensure-token.ts +69 -14
  118. package/src/oauth/mcp-wrapper.ts +15 -0
  119. package/src/oauth/wrapper.ts +48 -20
  120. package/src/prompts/session-templates.ts +3 -3
  121. package/src/providers/pi-mono-mcp-client.ts +2 -133
  122. package/src/rbac/admission.ts +44 -0
  123. package/src/rbac/index.ts +2 -0
  124. package/src/rbac/legacy-policy.ts +3 -0
  125. package/src/rbac/permissions.ts +12 -0
  126. package/src/scheduler/scheduler.ts +9 -1
  127. package/src/scripts-runtime/api-client.ts +70 -14
  128. package/src/scripts-runtime/api-types.ts +38 -6
  129. package/src/scripts-runtime/credential-broker/default-bindings.ts +1 -0
  130. package/src/scripts-runtime/credential-broker/types.ts +8 -0
  131. package/src/scripts-runtime/ctx.ts +11 -1
  132. package/src/scripts-runtime/eval-harness.ts +5 -1
  133. package/src/scripts-runtime/executors/types.ts +2 -1
  134. package/src/scripts-runtime/loader.ts +3 -1
  135. package/src/scripts-runtime/mcp-client.ts +87 -0
  136. package/src/scripts-runtime/sdk-allowlist.ts +1 -0
  137. package/src/scripts-runtime/types/stdlib.d.ts +6 -0
  138. package/src/scripts-runtime/types/swarm-sdk.d.ts +8 -0
  139. package/src/server.ts +12 -0
  140. package/src/slack/assistant.ts +14 -6
  141. package/src/slack/enrich.ts +17 -0
  142. package/src/slack/handlers.ts +8 -22
  143. package/src/slack/thread-buffer.ts +6 -3
  144. package/src/tests/agentmail-handlers.test.ts +32 -3
  145. package/src/tests/approval-requests.test.ts +61 -0
  146. package/src/tests/audit-user.test.ts +47 -1
  147. package/src/tests/credential-broker.test.ts +5 -2
  148. package/src/tests/delete-page-tool.test.ts +197 -0
  149. package/src/tests/github-handlers.test.ts +28 -2
  150. package/src/tests/gitlab-handlers.test.ts +125 -0
  151. package/src/tests/identity.test.ts +117 -0
  152. package/src/tests/jira-sync.test.ts +99 -1
  153. package/src/tests/kapso-inbound.test.ts +7 -0
  154. package/src/tests/mcp-tools-user.test.ts +60 -6
  155. package/src/tests/oauth-credential-bindings.test.ts +490 -0
  156. package/src/tests/oauth-refresh-sweep.test.ts +160 -0
  157. package/src/tests/prompt-template-remaining.test.ts +2 -2
  158. package/src/tests/rbac-admission-e2e.test.ts +241 -0
  159. package/src/tests/rbac-admission.test.ts +433 -0
  160. package/src/tests/rbac-e2e-helpers.ts +3 -0
  161. package/src/tests/rbac-engine.test.ts +41 -0
  162. package/src/tests/rbac-roles.test.ts +326 -0
  163. package/src/tests/schedule-target-type.test.ts +50 -0
  164. package/src/tests/scheduled-tasks.test.ts +40 -0
  165. package/src/tests/script-connections-http.test.ts +1158 -0
  166. package/src/tests/script-connections-mcp.test.ts +894 -0
  167. package/src/tests/script-connections.test.ts +727 -5
  168. package/src/tests/scripts-external-api.test.ts +49 -1
  169. package/src/tests/scripts-runtime-secret-egress.test.ts +1 -0
  170. package/src/tests/scripts-runtime.test.ts +104 -0
  171. package/src/tests/slack-identity-resolution.test.ts +37 -3
  172. package/src/tests/slack-thread-buffer.test.ts +28 -0
  173. package/src/tests/tool-annotations.test.ts +1 -0
  174. package/src/tests/user-token-rest-auth.test.ts +30 -1
  175. package/src/tests/workflow-swarm-script.test.ts +44 -0
  176. package/src/tests/workflow-triggers-v2.test.ts +300 -1
  177. package/src/tools/credential-bindings/tool.ts +277 -18
  178. package/src/tools/delete-page.ts +145 -0
  179. package/src/tools/mcp-servers/mcp-server-delete.ts +7 -4
  180. package/src/tools/request-human-input.ts +2 -0
  181. package/src/tools/resolve-user.ts +77 -27
  182. package/src/tools/script-connections/tool.ts +275 -31
  183. package/src/tools/templates.ts +5 -1
  184. package/src/tools/tool-config.ts +2 -1
  185. package/src/tools/workflows/create-workflow.ts +8 -1
  186. package/src/tools/workflows/update-workflow.ts +11 -2
  187. package/src/types.ts +63 -6
  188. package/src/utils/scoped-resource.ts +25 -0
  189. package/src/workflows/executors/human-in-the-loop.ts +1 -0
  190. package/src/workflows/executors/swarm-script.ts +7 -1
  191. package/src/workflows/triggers.ts +146 -18
  192. package/templates/skills/swarm-scripts/content.md +33 -8
  193. package/dist/cli-bgef578c.js +0 -771
  194. package/dist/cli-c9mtm09b.js +0 -43
  195. package/dist/{anthropic-messages-8nc6r2dw.js → anthropic-messages-kq3pjhbp.js} +6 -6
  196. package/dist/{azure-openai-responses-6yfzw3qw.js → azure-openai-responses-gm1ejtmn.js} +7 -7
  197. package/dist/{cli-vbraamxr.js → cli-6b4wwmm8.js} +9 -9
  198. package/dist/{cli-2fc97xm5.js → cli-ggy8c7tk.js} +3 -3
  199. package/dist/{cli-2r7s8jhp.js → cli-sznberje.js} +3 -3
  200. package/dist/{google-generative-ai-vfq6ymz9.js → google-generative-ai-hyrra2jm.js} +3 -3
  201. package/dist/{google-vertex-mj5y5rfj.js → google-vertex-8bs2pzgn.js} +3 -3
  202. package/dist/{openai-codex-responses-8h6kvfv8.js → openai-codex-responses-3nkvje79.js} +4 -4
  203. package/dist/{openai-completions-x6kjnqjd.js → openai-completions-0asftkwg.js} +11 -11
  204. package/dist/{openai-responses-7jwyz3ds.js → openai-responses-pmatek45.js} +10 -10
@@ -0,0 +1,429 @@
1
+ // node_modules/oauth4webapi/build/index.js
2
+ var USER_AGENT;
3
+ if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
4
+ const NAME = "oauth4webapi";
5
+ const VERSION = "v3.8.5";
6
+ USER_AGENT = `${NAME}/${VERSION}`;
7
+ }
8
+ var ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
9
+ var ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
10
+ function CodedTypeError(message, code, cause) {
11
+ const err = new TypeError(message, { cause });
12
+ Object.assign(err, { code });
13
+ return err;
14
+ }
15
+ var allowInsecureRequests = Symbol();
16
+ var clockSkew = Symbol();
17
+ var clockTolerance = Symbol();
18
+ var customFetch = Symbol();
19
+ var modifyAssertion = Symbol();
20
+ var jweDecrypt = Symbol();
21
+ var jwksCache = Symbol();
22
+ var encoder = new TextEncoder;
23
+ var decoder = new TextDecoder;
24
+ function buf(input) {
25
+ if (typeof input === "string") {
26
+ return encoder.encode(input);
27
+ }
28
+ return decoder.decode(input);
29
+ }
30
+ var encodeBase64Url;
31
+ if (Uint8Array.prototype.toBase64) {
32
+ encodeBase64Url = (input) => {
33
+ if (input instanceof ArrayBuffer) {
34
+ input = new Uint8Array(input);
35
+ }
36
+ return input.toBase64({ alphabet: "base64url", omitPadding: true });
37
+ };
38
+ } else {
39
+ const CHUNK_SIZE = 32768;
40
+ encodeBase64Url = (input) => {
41
+ if (input instanceof ArrayBuffer) {
42
+ input = new Uint8Array(input);
43
+ }
44
+ const arr = [];
45
+ for (let i = 0;i < input.byteLength; i += CHUNK_SIZE) {
46
+ arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
47
+ }
48
+ return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
49
+ };
50
+ }
51
+ var decodeBase64Url;
52
+ if (Uint8Array.fromBase64) {
53
+ decodeBase64Url = (input) => {
54
+ try {
55
+ return Uint8Array.fromBase64(input, { alphabet: "base64url" });
56
+ } catch (cause) {
57
+ throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
58
+ }
59
+ };
60
+ } else {
61
+ decodeBase64Url = (input) => {
62
+ try {
63
+ const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
64
+ const bytes = new Uint8Array(binary.length);
65
+ for (let i = 0;i < binary.length; i++) {
66
+ bytes[i] = binary.charCodeAt(i);
67
+ }
68
+ return bytes;
69
+ } catch (cause) {
70
+ throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
71
+ }
72
+ };
73
+ }
74
+ function b64u(input) {
75
+ if (typeof input === "string") {
76
+ return decodeBase64Url(input);
77
+ }
78
+ return encodeBase64Url(input);
79
+ }
80
+
81
+ class UnsupportedOperationError extends Error {
82
+ code;
83
+ constructor(message, options) {
84
+ super(message, options);
85
+ this.name = this.constructor.name;
86
+ this.code = UNSUPPORTED_OPERATION;
87
+ Error.captureStackTrace?.(this, this.constructor);
88
+ }
89
+ }
90
+
91
+ class OperationProcessingError extends Error {
92
+ code;
93
+ constructor(message, options) {
94
+ super(message, options);
95
+ this.name = this.constructor.name;
96
+ if (options?.code) {
97
+ this.code = options?.code;
98
+ }
99
+ Error.captureStackTrace?.(this, this.constructor);
100
+ }
101
+ }
102
+ function OPE(message, code, cause) {
103
+ return new OperationProcessingError(message, { code, cause });
104
+ }
105
+ async function calculateJwkThumbprint(jwk) {
106
+ let components;
107
+ switch (jwk.kty) {
108
+ case "EC":
109
+ components = {
110
+ crv: jwk.crv,
111
+ kty: jwk.kty,
112
+ x: jwk.x,
113
+ y: jwk.y
114
+ };
115
+ break;
116
+ case "OKP":
117
+ components = {
118
+ crv: jwk.crv,
119
+ kty: jwk.kty,
120
+ x: jwk.x
121
+ };
122
+ break;
123
+ case "AKP":
124
+ components = {
125
+ alg: jwk.alg,
126
+ kty: jwk.kty,
127
+ pub: jwk.pub
128
+ };
129
+ break;
130
+ case "RSA":
131
+ components = {
132
+ e: jwk.e,
133
+ kty: jwk.kty,
134
+ n: jwk.n
135
+ };
136
+ break;
137
+ default:
138
+ throw new UnsupportedOperationError("unsupported JWK key type", { cause: jwk });
139
+ }
140
+ return b64u(await crypto.subtle.digest("SHA-256", buf(JSON.stringify(components))));
141
+ }
142
+ function assertCryptoKey(key, it) {
143
+ if (!(key instanceof CryptoKey)) {
144
+ throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);
145
+ }
146
+ }
147
+ function assertPrivateKey(key, it) {
148
+ assertCryptoKey(key, it);
149
+ if (key.type !== "private") {
150
+ throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);
151
+ }
152
+ }
153
+ function assertPublicKey(key, it) {
154
+ assertCryptoKey(key, it);
155
+ if (key.type !== "public") {
156
+ throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);
157
+ }
158
+ }
159
+ function assertString(input, it, code, cause) {
160
+ try {
161
+ if (typeof input !== "string") {
162
+ throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);
163
+ }
164
+ if (input.length === 0) {
165
+ throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
166
+ }
167
+ } catch (err) {
168
+ if (code) {
169
+ throw OPE(err.message, code, cause);
170
+ }
171
+ throw err;
172
+ }
173
+ }
174
+ function randomBytes() {
175
+ return b64u(crypto.getRandomValues(new Uint8Array(32)));
176
+ }
177
+ function generateRandomCodeVerifier() {
178
+ return randomBytes();
179
+ }
180
+ function generateRandomState() {
181
+ return randomBytes();
182
+ }
183
+ async function calculatePKCECodeChallenge(codeVerifier) {
184
+ assertString(codeVerifier, "codeVerifier");
185
+ return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
186
+ }
187
+ function psAlg(key) {
188
+ switch (key.algorithm.hash.name) {
189
+ case "SHA-256":
190
+ return "PS256";
191
+ case "SHA-384":
192
+ return "PS384";
193
+ case "SHA-512":
194
+ return "PS512";
195
+ default:
196
+ throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
197
+ cause: key
198
+ });
199
+ }
200
+ }
201
+ function rsAlg(key) {
202
+ switch (key.algorithm.hash.name) {
203
+ case "SHA-256":
204
+ return "RS256";
205
+ case "SHA-384":
206
+ return "RS384";
207
+ case "SHA-512":
208
+ return "RS512";
209
+ default:
210
+ throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
211
+ cause: key
212
+ });
213
+ }
214
+ }
215
+ function esAlg(key) {
216
+ switch (key.algorithm.namedCurve) {
217
+ case "P-256":
218
+ return "ES256";
219
+ case "P-384":
220
+ return "ES384";
221
+ case "P-521":
222
+ return "ES512";
223
+ default:
224
+ throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve", { cause: key });
225
+ }
226
+ }
227
+ function keyToJws(key) {
228
+ switch (key.algorithm.name) {
229
+ case "RSA-PSS":
230
+ return psAlg(key);
231
+ case "RSASSA-PKCS1-v1_5":
232
+ return rsAlg(key);
233
+ case "ECDSA":
234
+ return esAlg(key);
235
+ case "Ed25519":
236
+ case "ML-DSA-44":
237
+ case "ML-DSA-65":
238
+ case "ML-DSA-87":
239
+ return key.algorithm.name;
240
+ case "EdDSA":
241
+ return "Ed25519";
242
+ default:
243
+ throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
244
+ }
245
+ }
246
+ function getClockSkew(client) {
247
+ const skew = client?.[clockSkew];
248
+ return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
249
+ }
250
+ function epochTime() {
251
+ return Math.floor(Date.now() / 1000);
252
+ }
253
+ async function signJwt(header, payload, key) {
254
+ if (!key.usages.includes("sign")) {
255
+ throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE);
256
+ }
257
+ const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
258
+ const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
259
+ return `${input}.${signature}`;
260
+ }
261
+ var jwkCache;
262
+ async function getSetPublicJwkCache(key, alg) {
263
+ const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey("jwk", key);
264
+ const jwk = { kty, e, n, x, y, crv, pub };
265
+ if (kty === "AKP")
266
+ jwk.alg = alg;
267
+ jwkCache.set(key, jwk);
268
+ return jwk;
269
+ }
270
+ async function publicJwk(key, alg) {
271
+ jwkCache ||= new WeakMap;
272
+ return jwkCache.get(key) || getSetPublicJwkCache(key, alg);
273
+ }
274
+ var URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
275
+ try {
276
+ return new URL(url, base);
277
+ } catch {
278
+ return null;
279
+ }
280
+ };
281
+ class DPoPHandler {
282
+ #header;
283
+ #privateKey;
284
+ #publicKey;
285
+ #clockSkew;
286
+ #modifyAssertion;
287
+ #map;
288
+ #jkt;
289
+ constructor(client, keyPair, options) {
290
+ assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"');
291
+ assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"');
292
+ if (!keyPair.publicKey.extractable) {
293
+ throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE);
294
+ }
295
+ this.#modifyAssertion = options?.[modifyAssertion];
296
+ this.#clockSkew = getClockSkew(client);
297
+ this.#privateKey = keyPair.privateKey;
298
+ this.#publicKey = keyPair.publicKey;
299
+ branded.add(this);
300
+ }
301
+ #get(key) {
302
+ this.#map ||= new Map;
303
+ let item = this.#map.get(key);
304
+ if (item) {
305
+ this.#map.delete(key);
306
+ this.#map.set(key, item);
307
+ }
308
+ return item;
309
+ }
310
+ #set(key, val) {
311
+ this.#map ||= new Map;
312
+ this.#map.delete(key);
313
+ if (this.#map.size === 100) {
314
+ this.#map.delete(this.#map.keys().next().value);
315
+ }
316
+ this.#map.set(key, val);
317
+ }
318
+ async calculateThumbprint() {
319
+ if (!this.#jkt) {
320
+ const jwk = await crypto.subtle.exportKey("jwk", this.#publicKey);
321
+ this.#jkt ||= await calculateJwkThumbprint(jwk);
322
+ }
323
+ return this.#jkt;
324
+ }
325
+ async addProof(url, headers, htm, accessToken) {
326
+ const alg = keyToJws(this.#privateKey);
327
+ this.#header ||= {
328
+ alg,
329
+ typ: "dpop+jwt",
330
+ jwk: await publicJwk(this.#publicKey, alg)
331
+ };
332
+ const nonce = this.#get(url.origin);
333
+ const now = epochTime() + this.#clockSkew;
334
+ const payload = {
335
+ iat: now,
336
+ jti: randomBytes(),
337
+ htm,
338
+ nonce,
339
+ htu: `${url.origin}${url.pathname}`,
340
+ ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : undefined
341
+ };
342
+ this.#modifyAssertion?.(this.#header, payload);
343
+ headers.set("dpop", await signJwt(this.#header, payload, this.#privateKey));
344
+ }
345
+ cacheNonce(response, url) {
346
+ try {
347
+ const nonce = response.headers.get("dpop-nonce");
348
+ if (nonce) {
349
+ this.#set(url.origin, nonce);
350
+ }
351
+ } catch {}
352
+ }
353
+ }
354
+ var tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
355
+ var token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}";
356
+ var quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
357
+ var quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*" + quotedMatch;
358
+ var paramMatcher = "(" + tokenMatch + ")\\s*=\\s*(" + tokenMatch + ")";
359
+ var schemeRE = new RegExp("^[,\\s]*(" + tokenMatch + ")");
360
+ var quotedParamRE = new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
361
+ var unquotedParamRE = new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
362
+ var token68ParamRE = new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
363
+ var skipSubjectCheck = Symbol();
364
+ var idTokenClaims = new WeakMap;
365
+ var jwtRefs = new WeakMap;
366
+ var branded = new WeakSet;
367
+ var nopkce = Symbol();
368
+ var expectNoNonce = Symbol();
369
+ var skipAuthTimeCheck = Symbol();
370
+ var UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
371
+ function checkRsaKeyAlgorithm(key) {
372
+ const { algorithm } = key;
373
+ if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
374
+ throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {
375
+ cause: key
376
+ });
377
+ }
378
+ }
379
+ function ecdsaHashName(key) {
380
+ const { algorithm } = key;
381
+ switch (algorithm.namedCurve) {
382
+ case "P-256":
383
+ return "SHA-256";
384
+ case "P-384":
385
+ return "SHA-384";
386
+ case "P-521":
387
+ return "SHA-512";
388
+ default:
389
+ throw new UnsupportedOperationError("unsupported ECDSA namedCurve", { cause: key });
390
+ }
391
+ }
392
+ function keyToSubtle(key) {
393
+ switch (key.algorithm.name) {
394
+ case "ECDSA":
395
+ return {
396
+ name: key.algorithm.name,
397
+ hash: ecdsaHashName(key)
398
+ };
399
+ case "RSA-PSS": {
400
+ checkRsaKeyAlgorithm(key);
401
+ switch (key.algorithm.hash.name) {
402
+ case "SHA-256":
403
+ case "SHA-384":
404
+ case "SHA-512":
405
+ return {
406
+ name: key.algorithm.name,
407
+ saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
408
+ };
409
+ default:
410
+ throw new UnsupportedOperationError("unsupported RSA-PSS hash name", { cause: key });
411
+ }
412
+ }
413
+ case "RSASSA-PKCS1-v1_5":
414
+ checkRsaKeyAlgorithm(key);
415
+ return key.algorithm.name;
416
+ case "ML-DSA-44":
417
+ case "ML-DSA-65":
418
+ case "ML-DSA-87":
419
+ case "Ed25519":
420
+ return key.algorithm.name;
421
+ }
422
+ throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
423
+ }
424
+ var skipStateCheck = Symbol();
425
+ var expectNoState = Symbol();
426
+ var _nodiscoverycheck = Symbol();
427
+ var _expectedIssuer = Symbol();
428
+
429
+ export { generateRandomCodeVerifier, generateRandomState, calculatePKCECodeChallenge };
@@ -1,7 +1,10 @@
1
1
  import {
2
2
  getDb,
3
- init_db
4
- } from "./cli-ncfgsqbd.js";
3
+ getKv,
4
+ incrKv,
5
+ init_db,
6
+ upsertKv
7
+ } from "./cli-jzwtn8rm.js";
5
8
 
6
9
  // src/be/users.ts
7
10
  init_db();
@@ -51,6 +54,18 @@ function findUserByEmail(email) {
51
54
  }
52
55
  return null;
53
56
  }
57
+ function findUsersByName(name) {
58
+ const trimmed = name.trim();
59
+ if (!trimmed)
60
+ return [];
61
+ const db = getDb();
62
+ const exact = db.prepare("SELECT * FROM users WHERE LOWER(name) = LOWER(?)").all(trimmed);
63
+ if (exact.length > 0)
64
+ return exact.map(rowToUser);
65
+ const firstToken = trimmed.split(/\s+/)[0] ?? trimmed;
66
+ const prefixed = db.prepare("SELECT * FROM users WHERE LOWER(name) LIKE LOWER(?) || '%'").all(firstToken);
67
+ return prefixed.map(rowToUser);
68
+ }
54
69
  function getUserIdentities(userId) {
55
70
  return getDb().prepare("SELECT kind, externalId FROM user_external_ids WHERE userId = ? ORDER BY kind, externalId").all(userId);
56
71
  }
@@ -179,4 +194,76 @@ function fingerprintApiKey(rawKey) {
179
194
  return `op:${sha256Hex(rawKey).slice(0, 16)}`;
180
195
  }
181
196
 
182
- export { findUserById, findUserByExternalId, findUserByEmail, getUserIdentities, listUserEvents, listUserTokens, recordIdentityEvent, findOrCreateUserByEmail, linkIdentity, unlinkIdentity, mintToken, revokeToken, resolveUserByToken, fingerprintApiKey };
197
+ // src/be/identity.ts
198
+ function resolveIdentity(kind, externalId) {
199
+ const user = findUserByExternalId(kind, externalId);
200
+ if (!user) {
201
+ return { status: "unknown", kind, externalId };
202
+ }
203
+ return {
204
+ status: "resolved",
205
+ kind,
206
+ externalId,
207
+ userId: user.id,
208
+ name: user.name,
209
+ email: user.email
210
+ };
211
+ }
212
+ function resolveIdentityByEmail(email) {
213
+ const user = findUserByEmail(email);
214
+ if (!user) {
215
+ return { status: "unknown", kind: "email", externalId: email };
216
+ }
217
+ return {
218
+ status: "resolved",
219
+ kind: "email",
220
+ externalId: email,
221
+ userId: user.id,
222
+ name: user.name,
223
+ email: user.email
224
+ };
225
+ }
226
+ function renderIdentity(resolution) {
227
+ const pair = `${resolution.kind}:${resolution.externalId}`;
228
+ if (resolution.status === "resolved") {
229
+ return `${resolution.name} (${pair})`;
230
+ }
231
+ return `${pair} (unknown user)`;
232
+ }
233
+
234
+ // src/be/unmapped-identities.ts
235
+ init_db();
236
+ var TTL_MS = 30 * 24 * 60 * 60 * 1000;
237
+ function namespace(kind) {
238
+ return `integration:unmapped:${kind}`;
239
+ }
240
+ function recordUnmappedIdentity(kind, externalId, meta) {
241
+ const ns = namespace(kind);
242
+ const now = new Date().toISOString();
243
+ const expiresAt = Date.now() + TTL_MS;
244
+ const countKey = `${externalId}:count`;
245
+ const countBefore = getKv(ns, countKey);
246
+ upsertKv({
247
+ namespace: ns,
248
+ key: `${externalId}:meta`,
249
+ value: {
250
+ lastSeenAt: now,
251
+ sampleEventType: meta.sampleEventType,
252
+ sampleContext: meta.sampleContext.slice(0, 100)
253
+ },
254
+ valueType: "json",
255
+ expiresAt
256
+ });
257
+ const incremented = incrKv(ns, countKey, 1);
258
+ if (countBefore === null) {
259
+ upsertKv({
260
+ namespace: ns,
261
+ key: countKey,
262
+ value: Number(incremented.value),
263
+ valueType: "integer",
264
+ expiresAt
265
+ });
266
+ }
267
+ }
268
+
269
+ export { findUserById, findUserByExternalId, findUsersByName, getUserIdentities, listUserEvents, listUserTokens, recordIdentityEvent, findOrCreateUserByEmail, linkIdentity, unlinkIdentity, mintToken, revokeToken, resolveUserByToken, fingerprintApiKey, resolveIdentity, resolveIdentityByEmail, renderIdentity, recordUnmappedIdentity };
@@ -14,7 +14,7 @@ import {
14
14
  string,
15
15
  union,
16
16
  unknown
17
- } from "./cli-anrj584m.js";
17
+ } from "./cli-xz9aq0rf.js";
18
18
 
19
19
  // node_modules/@mistralai/mistralai/esm/lib/primitives.js
20
20
  function remap(inp, mappings) {
@@ -17,7 +17,7 @@ import {
17
17
  init_templates1 as init_templates,
18
18
  normalizeDateRequired,
19
19
  resolveTemplate
20
- } from "./cli-ncfgsqbd.js";
20
+ } from "./cli-jzwtn8rm.js";
21
21
 
22
22
  // src/be/db-queries/tracker.ts
23
23
  init_date_utils();
@@ -3,7 +3,7 @@ import {
3
3
  getAgentById,
4
4
  getInProgressTasksByContextKey,
5
5
  init_db
6
- } from "./cli-ncfgsqbd.js";
6
+ } from "./cli-jzwtn8rm.js";
7
7
 
8
8
  // src/tasks/context-key.ts
9
9
  var SEPARATOR = ":";
@@ -1,12 +1,12 @@
1
+ import {
2
+ resolveCodexPrompt
3
+ } from "./cli-r94z9p1z.js";
1
4
  import {
2
5
  summarizeSession
3
- } from "./cli-6wscj9z0.js";
6
+ } from "./cli-e7306swv.js";
4
7
  import {
5
8
  createSwarmEventHandler
6
9
  } from "./cli-07er7wrs.js";
7
- import {
8
- resolveCodexPrompt
9
- } from "./cli-r94z9p1z.js";
10
10
  import {
11
11
  readPkgVersion
12
12
  } from "./cli-d6n0thxw.js";
@@ -14,7 +14,7 @@ import {
14
14
  buildRatingsFromLlm,
15
15
  fetchRetrievalsForTask,
16
16
  postRatings
17
- } from "./cli-dcfyyh3t.js";
17
+ } from "./cli-ftyf58xj.js";
18
18
  import {
19
19
  CodexOAuthRefreshError,
20
20
  credentialsToAuthJson,