@elizaos/plugin-elizacloud 2.0.0-alpha.7 → 2.0.0-beta.1

package/dist/routes/cloud-status-routes.js.map

@@ -0,0 +1,15 @@
+{
+  "version": 3,
+  "sources": ["../src/cloud/base-url.ts", "../src/cloud/validate-url.ts", "../src/lib/config-like.ts", "../src/lib/cloud-secrets.ts", "../src/lib/cloud-connection.ts", "../src/routes/cloud-status-routes.ts"],
+  "sourcesContent": [
+    "const DEFAULT_CLOUD_SITE_URL = \"https://www.elizacloud.ai\";\n\nconst LEGACY_CLOUD_HOST_ALIASES = new Set([\n  \"elizacloud.ai\",\n  \"www.elizacloud.ai\",\n]);\n\nfunction isLoopbackHost(hostname: string): boolean {\n  const normalized = hostname.toLowerCase();\n  return (\n    normalized === \"localhost\" ||\n    normalized === \"::1\" ||\n    normalized === \"0:0:0:0:0:0:0:1\" ||\n    normalized.startsWith(\"127.\")\n  );\n}\n\nfunction trimApiPath(pathname: string): string {\n  const normalized = pathname.trim().replace(/\\/+$/, \"\");\n  if (!normalized) return \"\";\n  if (normalized === \"/api/v1\") return \"\";\n  if (normalized.endsWith(\"/api/v1\")) {\n    return normalized.slice(0, -\"/api/v1\".length);\n  }\n  return normalized;\n}\n\nexport function normalizeCloudSiteUrl(rawUrl?: string): string {\n  // Allow cloud-provisioned containers to override the base URL via env var\n  const envOverride = process.env.ELIZAOS_CLOUD_BASE_URL?.trim();\n  const candidate = envOverride || rawUrl?.trim() || DEFAULT_CLOUD_SITE_URL;\n\n  try {\n    const parsed = new URL(candidate);\n    const pathname = trimApiPath(parsed.pathname);\n    const host = parsed.hostname.toLowerCase();\n    const preserveLocalOrigin = isLoopbackHost(host);\n\n    parsed.hash = \"\";\n    parsed.search = \"\";\n    if (!preserveLocalOrigin) {\n      parsed.protocol = \"https:\";\n      parsed.port = \"\";\n    }\n    parsed.pathname = pathname;\n\n    if (LEGACY_CLOUD_HOST_ALIASES.has(host)) {\n      parsed.hostname = \"www.elizacloud.ai\";\n      parsed.pathname = \"\";\n    }\n\n    return parsed.toString().replace(/\\/{1,1024}$/, \"\");\n  } catch {\n    const safeCandidate =\n      candidate.length > 8192 ? candidate.slice(0, 8192) : candidate;\n    return safeCandidate.replace(/\\/{1,1024}$/, \"\");\n  }\n}\n\nexport function resolveCloudApiBaseUrl(rawUrl?: string): string {\n  return `${normalizeCloudSiteUrl(rawUrl)}/api/v1`;\n}\n",
+    "import dns from \"node:dns\";\nimport net from \"node:net\";\nimport { promisify } from \"node:util\";\n\nconst dnsLookupAll = promisify(dns.lookup);\n\nconst BLOCKED_IPV4_CIDRS: Array<{ base: number; mask: number }> = [\n  cidrV4(\"0.0.0.0\", 8),\n  cidrV4(\"10.0.0.0\", 8),\n  cidrV4(\"172.16.0.0\", 12),\n  cidrV4(\"192.168.0.0\", 16),\n  cidrV4(\"100.64.0.0\", 10),\n  cidrV4(\"127.0.0.0\", 8),\n  cidrV4(\"169.254.0.0\", 16),\n  cidrV4(\"192.0.0.0\", 24),\n  cidrV4(\"198.18.0.0\", 15),\n  cidrV4(\"192.0.2.0\", 24),\n  cidrV4(\"198.51.100.0\", 24),\n  cidrV4(\"203.0.113.0\", 24),\n  cidrV4(\"224.0.0.0\", 4),\n  cidrV4(\"240.0.0.0\", 4),\n];\n\nfunction normalizeHostLike(value: string): string {\n  return value\n    .trim()\n    .toLowerCase()\n    .replace(/^\\[|\\]$/g, \"\");\n}\n\nfunction decodeIpv6MappedHex(mapped: string): string | null {\n  const parts = mapped.split(\":\");\n  if (parts.length < 1 || parts.length > 2) return null;\n\n  const parsed = parts.map((part) => {\n    if (!/^[0-9a-f]{1,4}$/i.test(part)) return Number.NaN;\n    return Number.parseInt(part, 16);\n  });\n  if (parsed.some((value) => !Number.isFinite(value))) return null;\n\n  const [hi, lo] = parsed.length === 1 ? [0, parsed[0]] : parsed;\n  const octets = [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff];\n  return octets.join(\".\");\n}\n\nfunction canonicalizeIpv6(ip: string): string | null {\n  try {\n    return new URL(`http://[${ip}]/`).hostname.replace(/^\\[|\\]$/g, \"\");\n  } catch {\n    return null;\n  }\n}\n\nfunction normalizeIpForPolicy(ip: string): string {\n  const base = normalizeHostLike(ip).split(\"%\")[0];\n  if (!base) return base;\n\n  let normalized = base;\n  if (net.isIP(normalized) === 6) {\n    normalized = canonicalizeIpv6(normalized) ?? normalized;\n  }\n\n  let mapped: string | null = null;\n  if (normalized.startsWith(\"::ffff:\")) {\n    mapped = normalized.slice(\"::ffff:\".length);\n  } else if (normalized.startsWith(\"0:0:0:0:0:ffff:\")) {\n    mapped = normalized.slice(\"0:0:0:0:0:ffff:\".length);\n  }\n  if (!mapped) return normalized;\n\n  if (net.isIP(mapped) === 4) return mapped;\n  return decodeIpv6MappedHex(mapped) ?? normalized;\n}\n\nfunction cidrV4(base: string, prefix: number): { base: number; mask: number } {\n  const parsed = parseIpv4ToInt(base);\n  if (parsed === null) {\n    throw new Error(`Invalid CIDR base IPv4 address: ${base}`);\n  }\n  const shift = 32 - prefix;\n  const mask = shift === 32 ? 0 : (0xffffffff << shift) >>> 0;\n  return { base: parsed & mask, mask };\n}\n\nfunction parseIpv4ToInt(ip: string): number | null {\n  const parts = ip.split(\".\");\n  if (parts.length !== 4) return null;\n\n  let value = 0;\n  for (const part of parts) {\n    if (!/^\\d{1,3}$/.test(part)) return null;\n    const octet = Number.parseInt(part, 10);\n    if (!Number.isInteger(octet) || octet < 0 || octet > 255) return null;\n    value = (value << 8) | octet;\n  }\n\n  return value >>> 0;\n}\n\nfunction isBlockedIpv4(ip: string): boolean {\n  const asInt = parseIpv4ToInt(ip);\n  if (asInt === null) return true;\n  return BLOCKED_IPV4_CIDRS.some((cidr) => (asInt & cidr.mask) === cidr.base);\n}\n\nfunction isBlockedIpv6(ip: string): boolean {\n  const normalized = ip.toLowerCase();\n  return (\n    normalized === \"::\" ||\n    normalized === \"::1\" ||\n    /^fe[89ab][0-9a-f]:/.test(normalized) ||\n    /^f[cd][0-9a-f]{2}:/i.test(normalized) ||\n    normalized.startsWith(\"ff\")\n  );\n}\n\nfunction isBlockedIp(ip: string): boolean {\n  const normalized = normalizeIpForPolicy(ip);\n  const family = net.isIP(normalized);\n  if (family === 4) return isBlockedIpv4(normalized);\n  if (family === 6) return isBlockedIpv6(normalized);\n  return false;\n}\n\nexport async function validateCloudBaseUrl(\n  rawUrl: string,\n): Promise<string | null> {\n  let parsed: URL;\n  try {\n    parsed = new URL(rawUrl);\n  } catch {\n    return `Invalid cloud base URL: \"${rawUrl}\"`;\n  }\n\n  if (parsed.protocol !== \"https:\") {\n    return `Cloud base URL must use HTTPS, got \"${parsed.protocol}\" in \"${rawUrl}\"`;\n  }\n\n  const hostname = normalizeHostLike(parsed.hostname);\n  if (!hostname) {\n    return `Invalid cloud base URL: \"${rawUrl}\"`;\n  }\n\n  if (\n    hostname === \"localhost\" ||\n    hostname.endsWith(\".localhost\") ||\n    hostname.endsWith(\".local\")\n  ) {\n    return `Cloud base URL \"${rawUrl}\" points to a blocked local hostname.`;\n  }\n\n  // Dev-mode bypass: skip IP-range blocking but keep URL format checks above.\n  if (process.env.NODE_ENV === \"development\" || process.env.ELIZA_DEV) {\n    return null;\n  }\n\n  if (isBlockedIp(hostname)) {\n    return `Cloud base URL \"${rawUrl}\" points to a blocked address.`;\n  }\n\n  try {\n    const results = await dnsLookupAll(hostname, { all: true });\n    const addresses = Array.isArray(results) ? results : [results];\n    for (const entry of addresses) {\n      const ip =\n        typeof entry === \"string\"\n          ? entry\n          : (entry as { address: string }).address;\n      if (isBlockedIp(ip)) {\n        return (\n          `Cloud base URL \"${rawUrl}\" resolves to ${ip}, ` +\n          \"which is a blocked internal/metadata address.\"\n        );\n      }\n    }\n  } catch {\n    return `Cloud base URL \"${rawUrl}\" could not be resolved via DNS.`;\n  }\n\n  return null;\n}\n",
+    "import type {\n  DeploymentTargetConfig,\n  LinkedAccountFlagsConfig,\n  ServiceCapability,\n  ServiceRoutingConfig,\n} from \"@elizaos/core\";\n\nexport interface CloudProxyConfigLike {\n  cloud?: {\n    apiKey?: string;\n    baseUrl?: string;\n    enabled?: boolean;\n    serviceKey?: string;\n    backup?: {\n      autoBackupIntervalMs?: number;\n    };\n    bridge?: {\n      heartbeatIntervalMs?: number;\n    };\n  };\n}\n\nexport type CloudConfig = NonNullable<CloudProxyConfigLike[\"cloud\"]>;\n\nexport type ElizaConfig = Record<string, unknown> &\n  CloudProxyConfigLike & {\n    deploymentTarget?: DeploymentTargetConfig;\n    linkedAccounts?: LinkedAccountFlagsConfig;\n    serviceRouting?: ServiceRoutingConfig;\n  };\n\nexport interface AutonomousConfigLike {\n  [key: string]: unknown;\n}\n\ntype MutableElizaConfig = Partial<ElizaConfig> & {\n  cloud?: Record<string, unknown>;\n  deploymentTarget?: DeploymentTargetConfig;\n  linkedAccounts?: LinkedAccountFlagsConfig;\n  serviceRouting?: ServiceRoutingConfig;\n};\n\nfunction ensureLinkedAccounts(\n  config: MutableElizaConfig,\n): LinkedAccountFlagsConfig {\n  config.linkedAccounts ??= {};\n  return config.linkedAccounts;\n}\n\nfunction ensureServiceRouting(\n  config: MutableElizaConfig,\n): ServiceRoutingConfig {\n  config.serviceRouting ??= {};\n  return config.serviceRouting;\n}\n\nfunction persistDeploymentTarget(\n  config: MutableElizaConfig,\n  deploymentTarget: DeploymentTargetConfig | null | undefined,\n): void {\n  if (!deploymentTarget) {\n    delete config.deploymentTarget;\n    return;\n  }\n  config.deploymentTarget = { ...deploymentTarget };\n}\n\nfunction persistLinkedAccounts(\n  config: MutableElizaConfig,\n  linkedAccounts: LinkedAccountFlagsConfig | null | undefined,\n): void {\n  if (!linkedAccounts) return;\n\n  const existing = ensureLinkedAccounts(config);\n  for (const [accountId, account] of Object.entries(linkedAccounts)) {\n    if (!account || Object.keys(account).length === 0) {\n      delete existing[accountId];\n      continue;\n    }\n    existing[accountId] = {\n      ...existing[accountId],\n      ...account,\n    };\n  }\n\n  if (Object.keys(existing).length === 0) {\n    delete config.linkedAccounts;\n  }\n}\n\nfunction persistServiceRouting(\n  config: MutableElizaConfig,\n  serviceRouting: ServiceRoutingConfig | null | undefined,\n  clearRoutes: readonly ServiceCapability[] = [],\n): void {\n  const existing = ensureServiceRouting(config);\n\n  for (const capability of clearRoutes) {\n    delete existing[capability];\n  }\n\n  if (serviceRouting) {\n    for (const [capability, route] of Object.entries(serviceRouting)) {\n      const serviceKey = capability as ServiceCapability;\n      if (!route || Object.keys(route).length === 0) {\n        delete existing[serviceKey];\n        continue;\n      }\n      existing[serviceKey] = { ...route };\n    }\n  }\n\n  if (Object.keys(existing).length === 0) {\n    delete config.serviceRouting;\n  }\n}\n\nexport function applyCanonicalOnboardingConfig(\n  config: MutableElizaConfig,\n  args: {\n    deploymentTarget?: DeploymentTargetConfig | null;\n    linkedAccounts?: LinkedAccountFlagsConfig | null;\n    serviceRouting?: ServiceRoutingConfig | null;\n    clearRoutes?: readonly ServiceCapability[];\n  },\n): void {\n  if (args.deploymentTarget !== undefined) {\n    persistDeploymentTarget(config, args.deploymentTarget);\n  }\n  if (args.linkedAccounts !== undefined) {\n    persistLinkedAccounts(config, args.linkedAccounts);\n  }\n  if (args.serviceRouting !== undefined || args.clearRoutes?.length) {\n    persistServiceRouting(config, args.serviceRouting, args.clearRoutes);\n  }\n}\n\nexport function normalizeEnvValue(value: unknown): string | undefined {\n  if (typeof value !== \"string\") return undefined;\n  const trimmed = value.trim();\n  return trimmed || undefined;\n}\n\nexport function isTimeoutError(error: unknown): boolean {\n  if (!(error instanceof Error)) return false;\n  if (error.name === \"TimeoutError\" || error.name === \"AbortError\") return true;\n  const message = error.message.toLowerCase();\n  return message.includes(\"timed out\") || message.includes(\"timeout\");\n}\n",
+    "/**\n * Sealed in-process secret store for cloud credentials.\n *\n * Cloud API keys are scrubbed from process.env after login and stored\n * here so they are not visible in environment dumps, child processes,\n * or /proc/self/environ.\n *\n * This module has NO external dependencies so it can be imported by\n * any module without pulling in host-layer packages.\n */\n\nconst _cloudSecrets: Record<string, string | undefined> = Object.create(null);\n\nObject.defineProperty(_cloudSecrets, Symbol.toStringTag, {\n  value: \"CloudSecrets\",\n  enumerable: false,\n});\n\n/**\n * Read a cloud secret without exposing it in process.env.\n * Falls back to process.env for backwards compatibility with code that\n * sets the key before this module loads (e.g. docker entrypoints).\n */\nexport function getCloudSecret(\n  key: \"ELIZAOS_CLOUD_API_KEY\" | \"ELIZAOS_CLOUD_ENABLED\",\n): string | undefined {\n  return _cloudSecrets[key] ?? process.env[key];\n}\n\n/** Scrub cloud secrets from process.env and capture into the sealed store. */\nexport function scrubCloudSecretsFromEnv(): void {\n  for (const key of [\n    \"ELIZAOS_CLOUD_API_KEY\",\n    \"ELIZAOS_CLOUD_ENABLED\",\n  ] as const) {\n    if (process.env[key] !== undefined) {\n      _cloudSecrets[key] = process.env[key];\n      delete process.env[key];\n    }\n  }\n}\n\n/** Clear any sealed cloud secrets after an explicit disconnect. */\nexport function clearCloudSecrets(): void {\n  for (const key of [\n    \"ELIZAOS_CLOUD_API_KEY\",\n    \"ELIZAOS_CLOUD_ENABLED\",\n  ] as const) {\n    delete _cloudSecrets[key];\n  }\n}\n\n/** Reset the sealed secret store. Test-only. */\nexport function _resetCloudSecretsForTesting(): void {\n  for (const key of Object.keys(_cloudSecrets)) {\n    delete _cloudSecrets[key];\n  }\n}\n",
+    "import {\n  isCloudInferenceSelectedInConfig,\n  isElizaSettingsDebugEnabled,\n  migrateLegacyRuntimeConfig,\n  settingsDebugCloudSummary,\n} from \"@elizaos/core\";\nimport { resolveCloudApiBaseUrl as resolveCanonicalCloudApiBaseUrl } from \"../cloud/base-url.js\";\nimport { validateCloudBaseUrl } from \"../cloud/validate-url.js\";\nimport type { AgentRuntime } from \"@elizaos/core\";\nimport { logger } from \"@elizaos/core\";\nimport {\n  applyCanonicalOnboardingConfig,\n  type ElizaConfig,\n  normalizeEnvValue,\n} from \"./config-like\";\nimport {\n  clearCloudSecrets,\n  getCloudSecret,\n  scrubCloudSecretsFromEnv,\n} from \"./cloud-secrets\";\n\nconst DEFAULT_CLOUD_API_BASE_URL = \"https://www.elizacloud.ai/api/v1\";\nexport const CLOUD_BILLING_URL =\n  \"https://www.elizacloud.ai/dashboard/settings?tab=billing\";\n\nconst CLOUD_ENV_KEYS = [\n  \"ELIZAOS_CLOUD_API_KEY\",\n  \"ELIZAOS_CLOUD_ENABLED\",\n  \"ELIZAOS_CLOUD_BASE_URL\",\n  \"ELIZAOS_CLOUD_NANO_MODEL\",\n  \"ELIZAOS_CLOUD_MEDIUM_MODEL\",\n  \"ELIZAOS_CLOUD_SMALL_MODEL\",\n  \"ELIZAOS_CLOUD_LARGE_MODEL\",\n  \"ELIZAOS_CLOUD_MEGA_MODEL\",\n  \"ELIZAOS_CLOUD_RESPONSE_HANDLER_MODEL\",\n  \"ELIZAOS_CLOUD_SHOULD_RESPOND_MODEL\",\n  \"ELIZAOS_CLOUD_ACTION_PLANNER_MODEL\",\n  \"ELIZAOS_CLOUD_PLANNER_MODEL\",\n  \"ELIZAOS_CLOUD_USE_INFERENCE\",\n  \"ELIZAOS_CLOUD_USE_TTS\",\n  \"ELIZAOS_CLOUD_USE_MEDIA\",\n  \"ELIZAOS_CLOUD_USE_EMBEDDINGS\",\n  \"ELIZAOS_CLOUD_USE_RPC\",\n] as const;\n\nconst CLOUD_RUNTIME_SECRET_KEYS = [\n  \"ELIZAOS_CLOUD_API_KEY\",\n  \"ELIZAOS_CLOUD_ENABLED\",\n  \"ELIZAOS_CLOUD_BASE_URL\",\n  \"ELIZAOS_CLOUD_NANO_MODEL\",\n  \"ELIZAOS_CLOUD_MEDIUM_MODEL\",\n  \"ELIZAOS_CLOUD_SMALL_MODEL\",\n  \"ELIZAOS_CLOUD_LARGE_MODEL\",\n  \"ELIZAOS_CLOUD_MEGA_MODEL\",\n  \"ELIZAOS_CLOUD_RESPONSE_HANDLER_MODEL\",\n  \"ELIZAOS_CLOUD_SHOULD_RESPOND_MODEL\",\n  \"ELIZAOS_CLOUD_ACTION_PLANNER_MODEL\",\n  \"ELIZAOS_CLOUD_PLANNER_MODEL\",\n  \"ELIZA_CLOUD_AUTH_TOKEN\",\n  \"ELIZA_CLOUD_USER_ID\",\n  \"ELIZA_CLOUD_ORGANIZATION_ID\",\n] as const;\n\nconst CLOUD_RUNTIME_SETTING_KEYS = [\n  \"ELIZA_CLOUD_AUTH_TOKEN\",\n  \"ELIZA_CLOUD_USER_ID\",\n  \"ELIZA_CLOUD_ORGANIZATION_ID\",\n] as const;\n\nconst CLOUD_AUTH_CLEAR_METHODS = [\n  \"disconnect\",\n  \"logout\",\n  \"signOut\",\n  \"signout\",\n  \"clearSession\",\n  \"clearAuth\",\n  \"resetAuth\",\n  \"reset\",\n] as const;\n\ntype CloudClientLike = {\n  get?: (path: string) => Promise<unknown>;\n};\n\nexport type CloudAuthLike = {\n  authenticateWithApiKey?: (input: {\n    apiKey: string;\n    organizationId?: string;\n    userId?: string;\n  }) => unknown;\n  isAuthenticated?: () => boolean;\n  getUserId?: () => string | undefined;\n  getOrganizationId?: () => string | undefined;\n  getClient?: () => CloudClientLike | null;\n} & Partial<\n  Record<\n    (typeof CLOUD_AUTH_CLEAR_METHODS)[number],\n    (() => Promise<unknown>) | (() => unknown)\n  >\n>;\n\nexport type RuntimeCloudLike = AgentRuntime & {\n  agentId: string;\n  character: {\n    secrets?: Record<string, string | number | boolean>;\n    settings?: Record<string, unknown>;\n  };\n  updateAgent?: (\n    agentId: string,\n    update: { secrets: Record<string, string | number | boolean> },\n  ) => Promise<unknown>;\n  setSetting?: (key: string, value: string | null) => unknown;\n  getService?: (name: string) => unknown;\n};\n\ntype CloudManagerLike = {\n  disconnect?: () => Promise<void>;\n} | null;\n\nexport type CloudConnectionSnapshot = {\n  apiKey: string | undefined;\n  authConnected: boolean;\n  cloudAuth: CloudAuthLike | null;\n  connected: boolean;\n  enabled: boolean;\n  hasApiKey: boolean;\n  organizationId: string | undefined;\n  userId: string | undefined;\n};\n\ntype CloudCreditsResponse = {\n  balance: number | null;\n  connected: boolean;\n  authRejected?: boolean;\n  critical?: boolean;\n  error?: string;\n  low?: boolean;\n  topUpUrl?: string;\n};\n\n/** Thrown when the credits endpoint returns 401 — same credential path as chat completions. */\nexport class CloudCreditsAuthRejectedError extends Error {\n  override readonly name = \"CloudCreditsAuthRejectedError\";\n  constructor(message = \"Eliza Cloud API key was rejected\") {\n    super(message);\n  }\n}\n\nfunction cloudCreditsHttpErrorMessage(\n  status: number,\n  creditResponse: { error?: unknown },\n): string {\n  const err = creditResponse.error;\n  if (typeof err === \"string\" && err.trim()) {\n    return err.trim();\n  }\n  if (err && typeof err === \"object\" && \"message\" in err) {\n    const msg = (err as { message?: unknown }).message;\n    if (typeof msg === \"string\" && msg.trim()) {\n      return msg.trim();\n    }\n  }\n  return `HTTP ${status}`;\n}\n\nfunction asRuntimeCloud(runtime: AgentRuntime | null): RuntimeCloudLike | null {\n  return runtime as RuntimeCloudLike | null;\n}\n\nexport function getCloudAuth(\n  runtime: AgentRuntime | null,\n): CloudAuthLike | null {\n  const runtimeWithServices = asRuntimeCloud(runtime);\n  if (typeof runtimeWithServices?.getService !== \"function\") {\n    return null;\n  }\n\n  const service = runtimeWithServices.getService(\"CLOUD_AUTH\");\n  return service && typeof service === \"object\"\n    ? (service as CloudAuthLike)\n    : null;\n}\n\nfunction resolvePersistedCloudIdentity(runtime: AgentRuntime | null): {\n  organizationId: string | undefined;\n  userId: string | undefined;\n} {\n  const runtimeWithCloud = asRuntimeCloud(runtime);\n  return {\n    organizationId:\n      normalizeEnvValue(\n        runtimeWithCloud?.getSetting?.(\"ELIZA_CLOUD_ORGANIZATION_ID\") as\n          | string\n          | undefined,\n      ) ??\n      normalizeEnvValue(\n        runtimeWithCloud?.character?.secrets?.ELIZA_CLOUD_ORGANIZATION_ID as\n          | string\n          | undefined,\n      ),\n    userId:\n      normalizeEnvValue(\n        runtimeWithCloud?.getSetting?.(\"ELIZA_CLOUD_USER_ID\") as\n          | string\n          | undefined,\n      ) ??\n      normalizeEnvValue(\n        runtimeWithCloud?.character?.secrets?.ELIZA_CLOUD_USER_ID as\n          | string\n          | undefined,\n      ),\n  };\n}\n\nexport function resolveCloudApiBaseUrl(rawBaseUrl?: string): string {\n  return (\n    resolveCanonicalCloudApiBaseUrl(rawBaseUrl ?? DEFAULT_CLOUD_API_BASE_URL) ??\n    DEFAULT_CLOUD_API_BASE_URL\n  );\n}\n\nexport function resolveCloudApiKey(\n  config: Pick<ElizaConfig, \"cloud\"> | Record<string, unknown>,\n  runtime?: {\n    character?: { secrets?: Record<string, unknown> };\n    getSetting?: (key: string) => unknown;\n  } | null,\n): string | undefined {\n  migrateLegacyRuntimeConfig(config as Record<string, unknown>);\n  // 1. Config file (disk)\n  const configApiKey = normalizeEnvValue(\n    (config as { cloud?: { apiKey?: string } }).cloud?.apiKey,\n  );\n  if (configApiKey) return configApiKey;\n\n  if (!isCloudInferenceSelectedInConfig(config as Record<string, unknown>)) {\n    // A linked cloud account is represented by the persisted disk key above.\n    // Do not resurrect cloud from sealed/env/runtime fallbacks when the\n    // canonical connection is local, remote, or unset.\n    return undefined;\n  }\n\n  // 2. Sealed in-process secret store\n  const sealedKey = normalizeEnvValue(getCloudSecret(\"ELIZAOS_CLOUD_API_KEY\"));\n  if (sealedKey) return sealedKey;\n\n  // 3. Process environment (may not be scrubbed yet)\n  const envKey = normalizeEnvValue(process.env.ELIZAOS_CLOUD_API_KEY);\n  if (envKey) return envKey;\n\n  // 4. Runtime settings (persisted in database, survives restarts)\n  const runtimeSettingKey = normalizeEnvValue(\n    runtime?.getSetting?.(\"ELIZAOS_CLOUD_API_KEY\") as string | undefined,\n  );\n  if (runtimeSettingKey) return runtimeSettingKey;\n\n  // 5. Runtime character secrets (persisted in database, survives restarts)\n  const runtimeKey = normalizeEnvValue(\n    runtime?.character?.secrets?.ELIZAOS_CLOUD_API_KEY as string | undefined,\n  );\n  if (runtimeKey) return runtimeKey;\n\n  return undefined;\n}\n\nexport function resolveCloudConnectionSnapshot(\n  config: Partial<ElizaConfig>,\n  runtime: AgentRuntime | null,\n): CloudConnectionSnapshot {\n  migrateLegacyRuntimeConfig(config as Record<string, unknown>);\n  const _cloudRecord =\n    config.cloud && typeof config.cloud === \"object\"\n      ? (config.cloud as Record<string, unknown>)\n      : undefined;\n  const enabled = isCloudInferenceSelectedInConfig(\n    config as Record<string, unknown>,\n  );\n  const apiKey = resolveCloudApiKey(config, runtime);\n  const cloudAuth = getCloudAuth(runtime);\n  const authConnected = Boolean(cloudAuth?.isAuthenticated?.());\n  const hasApiKey = Boolean(apiKey);\n  const persistedIdentity = resolvePersistedCloudIdentity(runtime);\n  const shouldExposeIdentity = authConnected || hasApiKey;\n\n  return {\n    apiKey,\n    authConnected,\n    cloudAuth,\n    connected: authConnected || hasApiKey,\n    enabled,\n    hasApiKey,\n    organizationId: shouldExposeIdentity\n      ? (normalizeEnvValue(cloudAuth?.getOrganizationId?.()) ??\n        persistedIdentity.organizationId)\n      : undefined,\n    userId: shouldExposeIdentity\n      ? (normalizeEnvValue(cloudAuth?.getUserId?.()) ??\n        persistedIdentity.userId)\n      : undefined,\n  };\n}\n\n/**\n * Coerce an Eliza Cloud `balance` field into a number. The cloud API\n * returns `balance` as `string | number` (per the Bridge client + config\n * type definitions) — string when the upstream is using a fixed-precision\n * decimal, number when it's been arithmetic'd. Treat both as the same\n * dollar amount; reject anything else as an unexpected response.\n */\nfunction coerceCloudBalance(value: unknown): number | null {\n  if (typeof value === \"number\" && Number.isFinite(value)) {\n    return value;\n  }\n  if (typeof value === \"string\") {\n    const trimmed = value.trim();\n    if (!trimmed) return null;\n    const parsed = Number.parseFloat(trimmed);\n    return Number.isFinite(parsed) ? parsed : null;\n  }\n  return null;\n}\n\nasync function fetchCloudCreditsByApiKey(\n  baseUrl: string,\n  apiKey: string,\n): Promise<number | null> {\n  const response = await fetch(`${baseUrl}/credits/balance`, {\n    headers: {\n      Accept: \"application/json\",\n      Authorization: `Bearer ${apiKey}`,\n    },\n    redirect: \"manual\",\n    signal: AbortSignal.timeout(10_000),\n  });\n\n  if (response.status >= 300 && response.status < 400) {\n    throw new Error(\n      \"Cloud credits request was redirected; redirects are not allowed\",\n    );\n  }\n\n  const creditResponse = (await response.json().catch((err: unknown) => {\n    console.warn(\n      \"[cloud-connection] Failed to parse credit balance response JSON:\",\n      err,\n    );\n    return {};\n  })) as {\n    balance?: unknown;\n    data?: { balance?: unknown };\n    error?: unknown;\n  };\n\n  if (response.status === 401) {\n    throw new CloudCreditsAuthRejectedError(\n      cloudCreditsHttpErrorMessage(401, creditResponse),\n    );\n  }\n\n  if (!response.ok) {\n    throw new Error(\n      cloudCreditsHttpErrorMessage(response.status, creditResponse),\n    );\n  }\n\n  const balance =\n    coerceCloudBalance(creditResponse.balance) ??\n    coerceCloudBalance(creditResponse.data?.balance);\n\n  return balance;\n}\n\n/** Configurable credit thresholds. Override via env vars if defaults don't fit. */\nconst CREDIT_LOW_THRESHOLD = Number(\n  process.env.ELIZA_CREDIT_LOW_THRESHOLD ?? \"2.0\",\n);\nconst CREDIT_CRITICAL_THRESHOLD = Number(\n  process.env.ELIZA_CREDIT_CRITICAL_THRESHOLD ?? \"0.5\",\n);\n\nfunction withCreditFlags(balance: number): CloudCreditsResponse {\n  return {\n    connected: true,\n    balance,\n    low: balance < CREDIT_LOW_THRESHOLD,\n    critical: balance < CREDIT_CRITICAL_THRESHOLD,\n    topUpUrl: CLOUD_BILLING_URL,\n  };\n}\n\nexport async function fetchCloudCredits(\n  config: Partial<ElizaConfig>,\n  runtime: AgentRuntime | null,\n): Promise<CloudCreditsResponse> {\n  const snapshot = resolveCloudConnectionSnapshot(config, runtime);\n  let authenticatedFailure: string | null = null;\n  let authenticatedUnexpectedResponse = false;\n\n  if (!snapshot.connected) {\n    return { balance: null, connected: false };\n  }\n\n  const cloudClient = snapshot.cloudAuth?.getClient?.();\n  if (snapshot.authConnected && typeof cloudClient?.get === \"function\") {\n    try {\n      const creditResponse = (await cloudClient.get(\"/credits/balance\")) as {\n        balance?: unknown;\n        data?: { balance?: unknown };\n      };\n      const rawBalance =\n        coerceCloudBalance(creditResponse?.balance) ??\n        coerceCloudBalance(creditResponse?.data?.balance);\n\n      if (typeof rawBalance === \"number\") {\n        return withCreditFlags(rawBalance);\n      }\n\n      authenticatedUnexpectedResponse = true;\n      logger.debug(\n        `[cloud/credits] Unexpected authenticated response shape: ${JSON.stringify(creditResponse)}`,\n      );\n    } catch (err) {\n      const msg = err instanceof Error ? err.message : \"cloud API unreachable\";\n      authenticatedFailure = msg;\n      logger.debug(\n        `[cloud/credits] Authenticated balance fetch failed: ${msg}`,\n      );\n    }\n  }\n\n  if (!snapshot.apiKey) {\n    return {\n      balance: null,\n      connected: snapshot.connected,\n      error:\n        authenticatedFailure ??\n        (authenticatedUnexpectedResponse\n          ? \"unexpected response\"\n          : \"missing cloud api key\"),\n    };\n  }\n\n  const resolvedBaseUrl = resolveCloudApiBaseUrl(config.cloud?.baseUrl);\n  const baseUrlRejection = await validateCloudBaseUrl(resolvedBaseUrl);\n  if (baseUrlRejection) {\n    return {\n      balance: null,\n      connected: true,\n      error: baseUrlRejection,\n    };\n  }\n\n  try {\n    const balance = await fetchCloudCreditsByApiKey(\n      resolvedBaseUrl,\n      snapshot.apiKey,\n    );\n\n    if (typeof balance !== \"number\") {\n      return {\n        balance: null,\n        connected: true,\n        error: \"unexpected response\",\n      };\n    }\n\n    return withCreditFlags(balance);\n  } catch (err) {\n    if (err instanceof CloudCreditsAuthRejectedError) {\n      logger.debug(`[cloud/credits] API key rejected: ${err.message}`);\n      return {\n        balance: null,\n        connected: true,\n        authRejected: true,\n        error: err.message,\n        topUpUrl: CLOUD_BILLING_URL,\n      };\n    }\n    const msg = err instanceof Error ? err.message : \"cloud API unreachable\";\n    logger.debug(`[cloud/credits] Failed to fetch balance via API key: ${msg}`);\n    return {\n      balance: null,\n      connected: true,\n      error: msg,\n    };\n  }\n}\n\nexport async function clearCloudAuthService(\n  cloudAuth: CloudAuthLike | null,\n): Promise<void> {\n  if (!cloudAuth) {\n    return;\n  }\n\n  const seen = new Set<(...args: never[]) => unknown>();\n  for (const methodName of CLOUD_AUTH_CLEAR_METHODS) {\n    const method = cloudAuth[methodName];\n    if (typeof method !== \"function\" || seen.has(method)) {\n      continue;\n    }\n\n    seen.add(method);\n    try {\n      await method.call(cloudAuth);\n      // First successful clear method is sufficient — stop trying remaining ones.\n      break;\n    } catch (err) {\n      logger.warn(\n        `[cloud/disconnect] Failed to invoke CLOUD_AUTH.${methodName}: ${\n          err instanceof Error ? err.message : String(err)\n        }`,\n      );\n    }\n  }\n}\n\nfunction clearCloudEnv(): void {\n  for (const key of CLOUD_ENV_KEYS) {\n    delete process.env[key];\n  }\n  clearCloudSecrets();\n  scrubCloudSecretsFromEnv();\n}\n\nasync function clearRuntimeCloudState(\n  runtime: AgentRuntime | null,\n): Promise<void> {\n  const runtimeWithCloud = asRuntimeCloud(runtime);\n  if (!runtimeWithCloud) {\n    return;\n  }\n\n  const existingSecrets = runtimeWithCloud.character.secrets ?? {};\n  const nextSecrets = { ...existingSecrets };\n  for (const key of CLOUD_RUNTIME_SECRET_KEYS) {\n    delete nextSecrets[key];\n  }\n  runtimeWithCloud.character.secrets = nextSecrets;\n\n  if (\n    runtimeWithCloud.character.settings &&\n    typeof runtimeWithCloud.character.settings === \"object\"\n  ) {\n    for (const key of CLOUD_RUNTIME_SETTING_KEYS) {\n      delete runtimeWithCloud.character.settings[key];\n    }\n  }\n\n  if (typeof runtimeWithCloud.setSetting === \"function\") {\n    for (const key of CLOUD_RUNTIME_SETTING_KEYS) {\n      try {\n        runtimeWithCloud.setSetting(key, null);\n      } catch (err) {\n        logger.warn(\n          `[cloud/disconnect] Failed to clear runtime setting ${key}: ${\n            err instanceof Error ? err.message : String(err)\n          }`,\n        );\n      }\n    }\n  }\n\n  if (typeof runtimeWithCloud.updateAgent === \"function\") {\n    try {\n      await runtimeWithCloud.updateAgent(runtimeWithCloud.agentId, {\n        secrets: { ...nextSecrets },\n      });\n    } catch (err) {\n      logger.warn(\n        `[cloud/disconnect] Failed to clear cloud secrets from agent DB: ${\n          err instanceof Error ? err.message : String(err)\n        }`,\n      );\n    }\n  }\n}\n\nexport async function disconnectCloudConnection(args: {\n  cloudManager?: CloudManagerLike;\n  config: Partial<ElizaConfig>;\n  runtime: AgentRuntime | null;\n  saveConfig?: (config: Partial<ElizaConfig>) => void;\n}): Promise<void> {\n  const { cloudManager = null, config, runtime, saveConfig } = args;\n\n  if (isElizaSettingsDebugEnabled()) {\n    const c = config.cloud as Record<string, unknown> | undefined;\n    logger.debug(\n      `[eliza][settings][cloud] disconnectCloudConnection start cloud=${JSON.stringify(settingsDebugCloudSummary(c))}`,\n    );\n  }\n\n  if (typeof cloudManager?.disconnect === \"function\") {\n    try {\n      await cloudManager.disconnect();\n    } catch (err) {\n      logger.warn(\n        `[cloud/disconnect] Failed to disconnect cloud manager: ${\n          err instanceof Error ? err.message : String(err)\n        }`,\n      );\n    }\n  }\n\n  await clearCloudAuthService(getCloudAuth(runtime));\n\n  const nextCloud = { ...(config.cloud ?? {}) };\n  delete nextCloud.apiKey;\n  config.cloud = nextCloud;\n  applyCanonicalOnboardingConfig(config as ElizaConfig, {\n    deploymentTarget: { runtime: \"local\" },\n    linkedAccounts: {\n      elizacloud: {\n        status: \"unlinked\",\n        source: \"api-key\",\n      },\n    },\n    clearRoutes: [\"llmText\", \"tts\", \"media\", \"embeddings\", \"rpc\"],\n  });\n  migrateLegacyRuntimeConfig(config as Record<string, unknown>);\n\n  try {\n    saveConfig?.(config);\n    if (isElizaSettingsDebugEnabled()) {\n      const c = config.cloud as Record<string, unknown> | undefined;\n      logger.debug(\n        `[eliza][settings][cloud] disconnectCloudConnection saveConfig OK cloud=${JSON.stringify(settingsDebugCloudSummary(c))}`,\n      );\n    }\n  } catch (err) {\n    logger.warn(\n      `[cloud/disconnect] Failed to save cloud disconnect state: ${\n        err instanceof Error ? err.message : String(err)\n      }`,\n    );\n  }\n\n  clearCloudEnv();\n  await clearRuntimeCloudState(runtime);\n\n  if (isElizaSettingsDebugEnabled()) {\n    logger.debug(\n      \"[eliza][settings][cloud] disconnectCloudConnection done (env cleared + runtime cloud state cleared)\",\n    );\n  }\n}\n\nexport const disconnectUnifiedCloudConnection = disconnectCloudConnection;\n\n/** Matches `reason` from GET /api/cloud/status when connected via API key without CLOUD_AUTH. */\nconst CLOUD_STATUS_API_KEY_ONLY_REASONS: ReadonlySet<string> = new Set([\n  \"api_key_present_not_authenticated\",\n  \"api_key_present_runtime_not_started\",\n]);\n\nexport function isCloudStatusReasonApiKeyOnly(\n  reason: string | null | undefined,\n): boolean {\n  return (\n    typeof reason === \"string\" && CLOUD_STATUS_API_KEY_ONLY_REASONS.has(reason)\n  );\n}\n",
+    "import type {\n  CloudConfigLike,\n  CloudStatusRouteContext,\n} from \"./cloud-status-routes-autonomous.js\";\nimport type { ElizaConfig } from \"../lib/config-like\";\nimport { isElizaCloudServiceSelectedInConfig } from \"@elizaos/core\";\nimport {\n  CLOUD_BILLING_URL,\n  fetchCloudCredits,\n  resolveCloudConnectionSnapshot,\n} from \"../lib/cloud-connection\";\n\nexport type { CloudConfigLike, CloudStatusRouteContext };\n\nexport async function handleCloudStatusRoutes(\n  ctx: CloudStatusRouteContext,\n): Promise<boolean> {\n  const { res, method, pathname, config, runtime, json } = ctx;\n  const typedConfig = config as ElizaConfig;\n\n  if (method === \"GET\" && pathname === \"/api/cloud/status\") {\n    const snapshot = resolveCloudConnectionSnapshot(typedConfig, runtime);\n    const cloudVoiceProxyAvailable = isElizaCloudServiceSelectedInConfig(\n      typedConfig as Record<string, unknown>,\n      \"tts\",\n    );\n\n    if (snapshot.connected) {\n      json(res, {\n        connected: true,\n        enabled: snapshot.enabled,\n        cloudVoiceProxyAvailable,\n        hasApiKey: snapshot.hasApiKey,\n        userId: snapshot.userId,\n        organizationId: snapshot.organizationId,\n        topUpUrl: CLOUD_BILLING_URL,\n        reason: snapshot.authConnected\n          ? undefined\n          : runtime\n            ? \"api_key_present_not_authenticated\"\n            : \"api_key_present_runtime_not_started\",\n      });\n      return true;\n    }\n\n    if (!runtime) {\n      json(res, {\n        connected: false,\n        enabled: snapshot.enabled,\n        cloudVoiceProxyAvailable,\n        hasApiKey: snapshot.hasApiKey,\n        reason: \"runtime_not_started\",\n      });\n      return true;\n    }\n\n    json(res, {\n      connected: false,\n      enabled: snapshot.enabled,\n      cloudVoiceProxyAvailable,\n      hasApiKey: snapshot.hasApiKey,\n      reason: \"not_authenticated\",\n    });\n    return true;\n  }\n\n  if (method === \"GET\" && pathname === \"/api/cloud/credits\") {\n    json(res, await fetchCloudCredits(typedConfig, runtime));\n    return true;\n  }\n\n  return false;\n}\n"
+  ],
+  "mappings": ";;;;;;;;;;;;;;;;;;;AAOA,SAAS,cAAc,CAAC,UAA2B;AAAA,EACjD,MAAM,aAAa,SAAS,YAAY;AAAA,EACxC,OACE,eAAe,eACf,eAAe,SACf,eAAe,qBACf,WAAW,WAAW,MAAM;AAAA;AAIhC,SAAS,WAAW,CAAC,UAA0B;AAAA,EAC7C,MAAM,aAAa,SAAS,KAAK,EAAE,QAAQ,QAAQ,EAAE;AAAA,EACrD,IAAI,CAAC;AAAA,IAAY,OAAO;AAAA,EACxB,IAAI,eAAe;AAAA,IAAW,OAAO;AAAA,EACrC,IAAI,WAAW,SAAS,SAAS,GAAG;AAAA,IAClC,OAAO,WAAW,MAAM,GAAG,CAAC,UAAU,MAAM;AAAA,EAC9C;AAAA,EACA,OAAO;AAAA;AAGF,SAAS,qBAAqB,CAAC,QAAyB;AAAA,EAE7D,MAAM,cAAc,QAAQ,IAAI,wBAAwB,KAAK;AAAA,EAC7D,MAAM,YAAY,eAAe,QAAQ,KAAK,KAAK;AAAA,EAEnD,IAAI;AAAA,IACF,MAAM,SAAS,IAAI,IAAI,SAAS;AAAA,IAChC,MAAM,WAAW,YAAY,OAAO,QAAQ;AAAA,IAC5C,MAAM,OAAO,OAAO,SAAS,YAAY;AAAA,IACzC,MAAM,sBAAsB,eAAe,IAAI;AAAA,IAE/C,OAAO,OAAO;AAAA,IACd,OAAO,SAAS;AAAA,IAChB,IAAI,CAAC,qBAAqB;AAAA,MACxB,OAAO,WAAW;AAAA,MAClB,OAAO,OAAO;AAAA,IAChB;AAAA,IACA,OAAO,WAAW;AAAA,IAElB,IAAI,0BAA0B,IAAI,IAAI,GAAG;AAAA,MACvC,OAAO,WAAW;AAAA,MAClB,OAAO,WAAW;AAAA,IACpB;AAAA,IAEA,OAAO,OAAO,SAAS,EAAE,QAAQ,eAAe,EAAE;AAAA,IAClD,MAAM;AAAA,IACN,MAAM,gBACJ,UAAU,SAAS,OAAO,UAAU,MAAM,GAAG,IAAI,IAAI;AAAA,IACvD,OAAO,cAAc,QAAQ,eAAe,EAAE;AAAA;AAAA;AAI3C,SAAS,sBAAsB,CAAC,QAAyB;AAAA,EAC9D,OAAO,GAAG,sBAAsB,MAAM;AAAA;AAAA,IA5DlC,yBAAyB,6BAEzB;AAAA;AAAA,8BAA4B,IAAI,IAAI;AAAA,IACxC;AAAA,IACA;AAAA,EACF,CAAC;AAAA;;;ACLD;AACA;AACA;AAqBA,SAAS,iBAAiB,CAAC,OAAuB;AAAA,EAChD,OAAO,MACJ,KAAK,EACL,YAAY,EACZ,QAAQ,YAAY,EAAE;AAAA;AAG3B,SAAS,mBAAmB,CAAC,QAA+B;AAAA,EAC1D,MAAM,QAAQ,OAAO,MAAM,GAAG;AAAA,EAC9B,IAAI,MAAM,SAAS,KAAK,MAAM,SAAS;AAAA,IAAG,OAAO;AAAA,EAEjD,MAAM,SAAS,MAAM,IAAI,CAAC,SAAS;AAAA,IACjC,IAAI,CAAC,mBAAmB,KAAK,IAAI;AAAA,MAAG,OAAO,OAAO;AAAA,IAClD,OAAO,OAAO,SAAS,MAAM,EAAE;AAAA,GAChC;AAAA,EACD,IAAI,OAAO,KAAK,CAAC,UAAU,CAAC,OAAO,SAAS,KAAK,CAAC;AAAA,IAAG,OAAO;AAAA,EAE5D,OAAO,IAAI,MAAM,OAAO,WAAW,IAAI,CAAC,GAAG,OAAO,EAAE,IAAI;AAAA,EACxD,MAAM,SAAS,CAAC,MAAM,GAAG,KAAK,KAAM,MAAM,GAAG,KAAK,GAAI;AAAA,EACtD,OAAO,OAAO,KAAK,GAAG;AAAA;AAGxB,SAAS,gBAAgB,CAAC,IAA2B;AAAA,EACnD,IAAI;AAAA,IACF,OAAO,IAAI,IAAI,WAAW,MAAM,EAAE,SAAS,QAAQ,YAAY,EAAE;AAAA,IACjE,MAAM;AAAA,IACN,OAAO;AAAA;AAAA;AAIX,SAAS,oBAAoB,CAAC,IAAoB;AAAA,EAChD,MAAM,OAAO,kBAAkB,EAAE,EAAE,MAAM,GAAG,EAAE;AAAA,EAC9C,IAAI,CAAC;AAAA,IAAM,OAAO;AAAA,EAElB,IAAI,aAAa;AAAA,EACjB,IAAI,IAAI,KAAK,UAAU,MAAM,GAAG;AAAA,IAC9B,aAAa,iBAAiB,UAAU,KAAK;AAAA,EAC/C;AAAA,EAEA,IAAI,SAAwB;AAAA,EAC5B,IAAI,WAAW,WAAW,SAAS,GAAG;AAAA,IACpC,SAAS,WAAW,MAAM,UAAU,MAAM;AAAA,EAC5C,EAAO,SAAI,WAAW,WAAW,iBAAiB,GAAG;AAAA,IACnD,SAAS,WAAW,MAAM,kBAAkB,MAAM;AAAA,EACpD;AAAA,EACA,IAAI,CAAC;AAAA,IAAQ,OAAO;AAAA,EAEpB,IAAI,IAAI,KAAK,MAAM,MAAM;AAAA,IAAG,OAAO;AAAA,EACnC,OAAO,oBAAoB,MAAM,KAAK;AAAA;AAGxC,SAAS,MAAM,CAAC,MAAc,QAAgD;AAAA,EAC5E,MAAM,SAAS,eAAe,IAAI;AAAA,EAClC,IAAI,WAAW,MAAM;AAAA,IACnB,MAAM,IAAI,MAAM,mCAAmC,MAAM;AAAA,EAC3D;AAAA,EACA,MAAM,QAAQ,KAAK;AAAA,EACnB,MAAM,OAAO,UAAU,KAAK,IAAK,cAAc,UAAW;AAAA,EAC1D,OAAO,EAAE,MAAM,SAAS,MAAM,KAAK;AAAA;AAGrC,SAAS,cAAc,CAAC,IAA2B;AAAA,EACjD,MAAM,QAAQ,GAAG,MAAM,GAAG;AAAA,EAC1B,IAAI,MAAM,WAAW;AAAA,IAAG,OAAO;AAAA,EAE/B,IAAI,QAAQ;AAAA,EACZ,WAAW,QAAQ,OAAO;AAAA,IACxB,IAAI,CAAC,YAAY,KAAK,IAAI;AAAA,MAAG,OAAO;AAAA,IACpC,MAAM,QAAQ,OAAO,SAAS,MAAM,EAAE;AAAA,IACtC,IAAI,CAAC,OAAO,UAAU,KAAK,KAAK,QAAQ,KAAK,QAAQ;AAAA,MAAK,OAAO;AAAA,IACjE,QAAS,SAAS,IAAK;AAAA,EACzB;AAAA,EAEA,OAAO,UAAU;AAAA;AAGnB,SAAS,aAAa,CAAC,IAAqB;AAAA,EAC1C,MAAM,QAAQ,eAAe,EAAE;AAAA,EAC/B,IAAI,UAAU;AAAA,IAAM,OAAO;AAAA,EAC3B,OAAO,mBAAmB,KAAK,CAAC,UAAU,QAAQ,KAAK,UAAU,KAAK,IAAI;AAAA;AAG5E,SAAS,aAAa,CAAC,IAAqB;AAAA,EAC1C,MAAM,aAAa,GAAG,YAAY;AAAA,EAClC,OACE,eAAe,QACf,eAAe,SACf,qBAAqB,KAAK,UAAU,KACpC,sBAAsB,KAAK,UAAU,KACrC,WAAW,WAAW,IAAI;AAAA;AAI9B,SAAS,WAAW,CAAC,IAAqB;AAAA,EACxC,MAAM,aAAa,qBAAqB,EAAE;AAAA,EAC1C,MAAM,SAAS,IAAI,KAAK,UAAU;AAAA,EAClC,IAAI,WAAW;AAAA,IAAG,OAAO,cAAc,UAAU;AAAA,EACjD,IAAI,WAAW;AAAA,IAAG,OAAO,cAAc,UAAU;AAAA,EACjD,OAAO;AAAA;AAGT,eAAsB,oBAAoB,CACxC,QACwB;AAAA,EACxB,IAAI;AAAA,EACJ,IAAI;AAAA,IACF,SAAS,IAAI,IAAI,MAAM;AAAA,IACvB,MAAM;AAAA,IACN,OAAO,4BAA4B;AAAA;AAAA,EAGrC,IAAI,OAAO,aAAa,UAAU;AAAA,IAChC,OAAO,uCAAuC,OAAO,iBAAiB;AAAA,EACxE;AAAA,EAEA,MAAM,WAAW,kBAAkB,OAAO,QAAQ;AAAA,EAClD,IAAI,CAAC,UAAU;AAAA,IACb,OAAO,4BAA4B;AAAA,EACrC;AAAA,EAEA,IACE,aAAa,eACb,SAAS,SAAS,YAAY,KAC9B,SAAS,SAAS,QAAQ,GAC1B;AAAA,IACA,OAAO,mBAAmB;AAAA,EAC5B;AAAA,EAGA,IAAI,MAAiE;AAAA,IACnE,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,YAAY,QAAQ,GAAG;AAAA,IACzB,OAAO,mBAAmB;AAAA,EAC5B;AAAA,EAEA,IAAI;AAAA,IACF,MAAM,UAAU,MAAM,aAAa,UAAU,EAAE,KAAK,KAAK,CAAC;AAAA,IAC1D,MAAM,YAAY,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC,OAAO;AAAA,IAC7D,WAAW,SAAS,WAAW;AAAA,MAC7B,MAAM,KACJ,OAAO,UAAU,WACb,QACC,MAA8B;AAAA,MACrC,IAAI,YAAY,EAAE,GAAG;AAAA,QACnB,OACE,mBAAmB,uBAAuB,SAC1C;AAAA,MAEJ;AAAA,IACF;AAAA,IACA,MAAM;AAAA,IACN,OAAO,mBAAmB;AAAA;AAAA,EAG5B,OAAO;AAAA;AAAA,IA/KH,cAEA;AAAA;AAAA,EAFA,eAAe,UAAU,IAAI,MAAM;AAAA,EAEnC,qBAA4D;AAAA,IAChE,OAAO,WAAW,CAAC;AAAA,IACnB,OAAO,YAAY,CAAC;AAAA,IACpB,OAAO,cAAc,EAAE;AAAA,IACvB,OAAO,eAAe,EAAE;AAAA,IACxB,OAAO,cAAc,EAAE;AAAA,IACvB,OAAO,aAAa,CAAC;AAAA,IACrB,OAAO,eAAe,EAAE;AAAA,IACxB,OAAO,aAAa,EAAE;AAAA,IACtB,OAAO,cAAc,EAAE;AAAA,IACvB,OAAO,aAAa,EAAE;AAAA,IACtB,OAAO,gBAAgB,EAAE;AAAA,IACzB,OAAO,eAAe,EAAE;AAAA,IACxB,OAAO,aAAa,CAAC;AAAA,IACrB,OAAO,aAAa,CAAC;AAAA,EACvB;AAAA;;;ACqBA,SAAS,oBAAoB,CAC3B,QAC0B;AAAA,EAC1B,OAAO,mBAAmB,CAAC;AAAA,EAC3B,OAAO,OAAO;AAAA;AAGhB,SAAS,oBAAoB,CAC3B,QACsB;AAAA,EACtB,OAAO,mBAAmB,CAAC;AAAA,EAC3B,OAAO,OAAO;AAAA;AAGhB,SAAS,uBAAuB,CAC9B,QACA,kBACM;AAAA,EACN,IAAI,CAAC,kBAAkB;AAAA,IACrB,OAAO,OAAO;AAAA,IACd;AAAA,EACF;AAAA,EACA,OAAO,mBAAmB,KAAK,iBAAiB;AAAA;AAGlD,SAAS,qBAAqB,CAC5B,QACA,gBACM;AAAA,EACN,IAAI,CAAC;AAAA,IAAgB;AAAA,EAErB,MAAM,WAAW,qBAAqB,MAAM;AAAA,EAC5C,YAAY,WAAW,YAAY,OAAO,QAAQ,cAAc,GAAG;AAAA,IACjE,IAAI,CAAC,WAAW,OAAO,KAAK,OAAO,EAAE,WAAW,GAAG;AAAA,MACjD,OAAO,SAAS;AAAA,MAChB;AAAA,IACF;AAAA,IACA,SAAS,aAAa;AAAA,SACjB,SAAS;AAAA,SACT;AAAA,IACL;AAAA,EACF;AAAA,EAEA,IAAI,OAAO,KAAK,QAAQ,EAAE,WAAW,GAAG;AAAA,IACtC,OAAO,OAAO;AAAA,EAChB;AAAA;AAGF,SAAS,qBAAqB,CAC5B,QACA,gBACA,cAA4C,CAAC,GACvC;AAAA,EACN,MAAM,WAAW,qBAAqB,MAAM;AAAA,EAE5C,WAAW,cAAc,aAAa;AAAA,IACpC,OAAO,SAAS;AAAA,EAClB;AAAA,EAEA,IAAI,gBAAgB;AAAA,IAClB,YAAY,YAAY,UAAU,OAAO,QAAQ,cAAc,GAAG;AAAA,MAChE,MAAM,aAAa;AAAA,MACnB,IAAI,CAAC,SAAS,OAAO,KAAK,KAAK,EAAE,WAAW,GAAG;AAAA,QAC7C,OAAO,SAAS;AAAA,QAChB;AAAA,MACF;AAAA,MACA,SAAS,cAAc,KAAK,MAAM;AAAA,IACpC;AAAA,EACF;AAAA,EAEA,IAAI,OAAO,KAAK,QAAQ,EAAE,WAAW,GAAG;AAAA,IACtC,OAAO,OAAO;AAAA,EAChB;AAAA;AAGK,SAAS,8BAA8B,CAC5C,QACA,MAMM;AAAA,EACN,IAAI,KAAK,qBAAqB,WAAW;AAAA,IACvC,wBAAwB,QAAQ,KAAK,gBAAgB;AAAA,EACvD;AAAA,EACA,IAAI,KAAK,mBAAmB,WAAW;AAAA,IACrC,sBAAsB,QAAQ,KAAK,cAAc;AAAA,EACnD;AAAA,EACA,IAAI,KAAK,mBAAmB,aAAa,KAAK,aAAa,QAAQ;AAAA,IACjE,sBAAsB,QAAQ,KAAK,gBAAgB,KAAK,WAAW;AAAA,EACrE;AAAA;AAGK,SAAS,iBAAiB,CAAC,OAAoC;AAAA,EACpE,IAAI,OAAO,UAAU;AAAA,IAAU;AAAA,EAC/B,MAAM,UAAU,MAAM,KAAK;AAAA,EAC3B,OAAO,WAAW;AAAA;AAGb,SAAS,cAAc,CAAC,OAAyB;AAAA,EACtD,IAAI,EAAE,iBAAiB;AAAA,IAAQ,OAAO;AAAA,EACtC,IAAI,MAAM,SAAS,kBAAkB,MAAM,SAAS;AAAA,IAAc,OAAO;AAAA,EACzE,MAAM,UAAU,MAAM,QAAQ,YAAY;AAAA,EAC1C,OAAO,QAAQ,SAAS,WAAW,KAAK,QAAQ,SAAS,SAAS;AAAA;;;AC5H7D,SAAS,cAAc,CAC5B,KACoB;AAAA,EACpB,OAAO,cAAc,QAAQ,QAAQ,IAAI;AAAA;AAIpC,SAAS,wBAAwB,GAAS;AAAA,EAC/C,WAAW,OAAO;AAAA,IAChB;AAAA,IACA;AAAA,EACF,GAAY;AAAA,IACV,IAAI,QAAQ,IAAI,SAAS,WAAW;AAAA,MAClC,cAAc,OAAO,QAAQ,IAAI;AAAA,MACjC,OAAO,QAAQ,IAAI;AAAA,IACrB;AAAA,EACF;AAAA;AAIK,SAAS,iBAAiB,GAAS;AAAA,EACxC,WAAW,OAAO;AAAA,IAChB;AAAA,IACA;AAAA,EACF,GAAY;AAAA,IACV,OAAO,cAAc;AAAA,EACvB;AAAA;AAIK,SAAS,4BAA4B,GAAS;AAAA,EACnD,WAAW,OAAO,OAAO,KAAK,aAAa,GAAG;AAAA,IAC5C,OAAO,cAAc;AAAA,EACvB;AAAA;AAAA,IA7CI;AAAA;AAAA,kBAAoD,OAAO,OAAO,IAAI;AAAA,EAE5E,OAAO,eAAe,eAAe,OAAO,aAAa;AAAA,IACvD,OAAO;AAAA,IACP,YAAY;AAAA,EACd,CAAC;AAAA;;;AChBD;AAAA;AAAA;AAAA;AAAA;AAAA;AASA;AA2IA,SAAS,4BAA4B,CACnC,QACA,gBACQ;AAAA,EACR,MAAM,MAAM,eAAe;AAAA,EAC3B,IAAI,OAAO,QAAQ,YAAY,IAAI,KAAK,GAAG;AAAA,IACzC,OAAO,IAAI,KAAK;AAAA,EAClB;AAAA,EACA,IAAI,OAAO,OAAO,QAAQ,YAAY,aAAa,KAAK;AAAA,IACtD,MAAM,MAAO,IAA8B;AAAA,IAC3C,IAAI,OAAO,QAAQ,YAAY,IAAI,KAAK,GAAG;AAAA,MACzC,OAAO,IAAI,KAAK;AAAA,IAClB;AAAA,EACF;AAAA,EACA,OAAO,QAAQ;AAAA;AAGjB,SAAS,cAAc,CAAC,SAAuD;AAAA,EAC7E,OAAO;AAAA;AAGF,SAAS,YAAY,CAC1B,SACsB;AAAA,EACtB,MAAM,sBAAsB,eAAe,OAAO;AAAA,EAClD,IAAI,OAAO,qBAAqB,eAAe,YAAY;AAAA,IACzD,OAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,oBAAoB,WAAW,YAAY;AAAA,EAC3D,OAAO,WAAW,OAAO,YAAY,WAChC,UACD;AAAA;AAGN,SAAS,6BAA6B,CAAC,SAGrC;AAAA,EACA,MAAM,mBAAmB,eAAe,OAAO;AAAA,EAC/C,OAAO;AAAA,IACL,gBACE,kBACE,kBAAkB,aAAa,6BAA6B,CAG9D,KACA,kBACE,kBAAkB,WAAW,SAAS,2BAGxC;AAAA,IACF,QACE,kBACE,kBAAkB,aAAa,qBAAqB,CAGtD,KACA,kBACE,kBAAkB,WAAW,SAAS,mBAGxC;AAAA,EACJ;AAAA;AAGK,SAAS,uBAAsB,CAAC,YAA6B;AAAA,EAClE,OACE,uBAAgC,cAAc,0BAA0B,KACxE;AAAA;AAIG,SAAS,kBAAkB,CAChC,QACA,SAIoB;AAAA,EACpB,2BAA2B,MAAiC;AAAA,EAE5D,MAAM,eAAe,kBAClB,OAA2C,OAAO,MACrD;AAAA,EACA,IAAI;AAAA,IAAc,OAAO;AAAA,EAEzB,IAAI,CAAC,iCAAiC,MAAiC,GAAG;AAAA,IAIxE;AAAA,EACF;AAAA,EAGA,MAAM,YAAY,kBAAkB,eAAe,uBAAuB,CAAC;AAAA,EAC3E,IAAI;AAAA,IAAW,OAAO;AAAA,EAGtB,MAAM,SAAS,kBAAkB,QAAQ,IAAI,qBAAqB;AAAA,EAClE,IAAI;AAAA,IAAQ,OAAO;AAAA,EAGnB,MAAM,oBAAoB,kBACxB,SAAS,aAAa,uBAAuB,CAC/C;AAAA,EACA,IAAI;AAAA,IAAmB,OAAO;AAAA,EAG9B,MAAM,aAAa,kBACjB,SAAS,WAAW,SAAS,qBAC/B;AAAA,EACA,IAAI;AAAA,IAAY,OAAO;AAAA,EAEvB;AAAA;AAGK,SAAS,8BAA8B,CAC5C,QACA,SACyB;AAAA,EACzB,2BAA2B,MAAiC;AAAA,EAC5D,MAAM,eACJ,OAAO,SAAS,OAAO,OAAO,UAAU,WACnC,OAAO,QACR;AAAA,EACN,MAAM,UAAU,iCACd,MACF;AAAA,EACA,MAAM,SAAS,mBAAmB,QAAQ,OAAO;AAAA,EACjD,MAAM,YAAY,aAAa,OAAO;AAAA,EACtC,MAAM,gBAAgB,QAAQ,WAAW,kBAAkB,CAAC;AAAA,EAC5D,MAAM,YAAY,QAAQ,MAAM;AAAA,EAChC,MAAM,oBAAoB,8BAA8B,OAAO;AAAA,EAC/D,MAAM,uBAAuB,iBAAiB;AAAA,EAE9C,OAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW,iBAAiB;AAAA,IAC5B;AAAA,IACA;AAAA,IACA,gBAAgB,uBACX,kBAAkB,WAAW,oBAAoB,CAAC,KACnD,kBAAkB,iBAClB;AAAA,IACJ,QAAQ,uBACH,kBAAkB,WAAW,YAAY,CAAC,KAC3C,kBAAkB,SAClB;AAAA,EACN;AAAA;AAUF,SAAS,kBAAkB,CAAC,OAA+B;AAAA,EACzD,IAAI,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,GAAG;AAAA,IACvD,OAAO;AAAA,EACT;AAAA,EACA,IAAI,OAAO,UAAU,UAAU;AAAA,IAC7B,MAAM,UAAU,MAAM,KAAK;AAAA,IAC3B,IAAI,CAAC;AAAA,MAAS,OAAO;AAAA,IACrB,MAAM,SAAS,OAAO,WAAW,OAAO;AAAA,IACxC,OAAO,OAAO,SAAS,MAAM,IAAI,SAAS;AAAA,EAC5C;AAAA,EACA,OAAO;AAAA;AAGT,eAAe,yBAAyB,CACtC,SACA,QACwB;AAAA,EACxB,MAAM,WAAW,MAAM,MAAM,GAAG,2BAA2B;AAAA,IACzD,SAAS;AAAA,MACP,QAAQ;AAAA,MACR,eAAe,UAAU;AAAA,IAC3B;AAAA,IACA,UAAU;AAAA,IACV,QAAQ,YAAY,QAAQ,GAAM;AAAA,EACpC,CAAC;AAAA,EAED,IAAI,SAAS,UAAU,OAAO,SAAS,SAAS,KAAK;AAAA,IACnD,MAAM,IAAI,MACR,iEACF;AAAA,EACF;AAAA,EAEA,MAAM,iBAAkB,MAAM,SAAS,KAAK,EAAE,MAAM,CAAC,QAAiB;AAAA,IACpE,QAAQ,KACN,oEACA,GACF;AAAA,IACA,OAAO,CAAC;AAAA,GACT;AAAA,EAMD,IAAI,SAAS,WAAW,KAAK;AAAA,IAC3B,MAAM,IAAI,8BACR,6BAA6B,KAAK,cAAc,CAClD;AAAA,EACF;AAAA,EAEA,IAAI,CAAC,SAAS,IAAI;AAAA,IAChB,MAAM,IAAI,MACR,6BAA6B,SAAS,QAAQ,cAAc,CAC9D;AAAA,EACF;AAAA,EAEA,MAAM,UACJ,mBAAmB,eAAe,OAAO,KACzC,mBAAmB,eAAe,MAAM,OAAO;AAAA,EAEjD,OAAO;AAAA;AAWT,SAAS,eAAe,CAAC,SAAuC;AAAA,EAC9D,OAAO;AAAA,IACL,WAAW;AAAA,IACX;AAAA,IACA,KAAK,UAAU;AAAA,IACf,UAAU,UAAU;AAAA,IACpB,UAAU;AAAA,EACZ;AAAA;AAGF,eAAsB,iBAAiB,CACrC,QACA,SAC+B;AAAA,EAC/B,MAAM,WAAW,+BAA+B,QAAQ,OAAO;AAAA,EAC/D,IAAI,uBAAsC;AAAA,EAC1C,IAAI,kCAAkC;AAAA,EAEtC,IAAI,CAAC,SAAS,WAAW;AAAA,IACvB,OAAO,EAAE,SAAS,MAAM,WAAW,MAAM;AAAA,EAC3C;AAAA,EAEA,MAAM,cAAc,SAAS,WAAW,YAAY;AAAA,EACpD,IAAI,SAAS,iBAAiB,OAAO,aAAa,QAAQ,YAAY;AAAA,IACpE,IAAI;AAAA,MACF,MAAM,iBAAkB,MAAM,YAAY,IAAI,kBAAkB;AAAA,MAIhE,MAAM,aACJ,mBAAmB,gBAAgB,OAAO,KAC1C,mBAAmB,gBAAgB,MAAM,OAAO;AAAA,MAElD,IAAI,OAAO,eAAe,UAAU;AAAA,QAClC,OAAO,gBAAgB,UAAU;AAAA,MACnC;AAAA,MAEA,kCAAkC;AAAA,MAClC,OAAO,MACL,4DAA4D,KAAK,UAAU,cAAc,GAC3F;AAAA,MACA,OAAO,KAAK;AAAA,MACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AAAA,MACjD,uBAAuB;AAAA,MACvB,OAAO,MACL,uDAAuD,KACzD;AAAA;AAAA,EAEJ;AAAA,EAEA,IAAI,CAAC,SAAS,QAAQ;AAAA,IACpB,OAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW,SAAS;AAAA,MACpB,OACE,yBACC,kCACG,wBACA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,kBAAkB,wBAAuB,OAAO,OAAO,OAAO;AAAA,EACpE,MAAM,mBAAmB,MAAM,qBAAqB,eAAe;AAAA,EACnE,IAAI,kBAAkB;AAAA,IACpB,OAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW;AAAA,MACX,OAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,IAAI;AAAA,IACF,MAAM,UAAU,MAAM,0BACpB,iBACA,SAAS,MACX;AAAA,IAEA,IAAI,OAAO,YAAY,UAAU;AAAA,MAC/B,OAAO;AAAA,QACL,SAAS;AAAA,QACT,WAAW;AAAA,QACX,OAAO;AAAA,MACT;AAAA,IACF;AAAA,IAEA,OAAO,gBAAgB,OAAO;AAAA,IAC9B,OAAO,KAAK;AAAA,IACZ,IAAI,eAAe,+BAA+B;AAAA,MAChD,OAAO,MAAM,qCAAqC,IAAI,SAAS;AAAA,MAC/D,OAAO;AAAA,QACL,SAAS;AAAA,QACT,WAAW;AAAA,QACX,cAAc;AAAA,QACd,OAAO,IAAI;AAAA,QACX,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,IACA,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AAAA,IACjD,OAAO,MAAM,wDAAwD,KAAK;AAAA,IAC1E,OAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW;AAAA,MACX,OAAO;AAAA,IACT;AAAA;AAAA;AAIJ,eAAsB,qBAAqB,CACzC,WACe;AAAA,EACf,IAAI,CAAC,WAAW;AAAA,IACd;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,IAAI;AAAA,EACjB,WAAW,cAAc,0BAA0B;AAAA,IACjD,MAAM,SAAS,UAAU;AAAA,IACzB,IAAI,OAAO,WAAW,cAAc,KAAK,IAAI,MAAM,GAAG;AAAA,MACpD;AAAA,IACF;AAAA,IAEA,KAAK,IAAI,MAAM;AAAA,IACf,IAAI;AAAA,MACF,MAAM,OAAO,KAAK,SAAS;AAAA,MAE3B;AAAA,MACA,OAAO,KAAK;AAAA,MACZ,OAAO,KACL,kDAAkD,eAChD,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAEnD;AAAA;AAAA,EAEJ;AAAA;AAGF,SAAS,aAAa,GAAS;AAAA,EAC7B,WAAW,OAAO,gBAAgB;AAAA,IAChC,OAAO,QAAQ,IAAI;AAAA,EACrB;AAAA,EACA,kBAAkB;AAAA,EAClB,yBAAyB;AAAA;AAG3B,eAAe,sBAAsB,CACnC,SACe;AAAA,EACf,MAAM,mBAAmB,eAAe,OAAO;AAAA,EAC/C,IAAI,CAAC,kBAAkB;AAAA,IACrB;AAAA,EACF;AAAA,EAEA,MAAM,kBAAkB,iBAAiB,UAAU,WAAW,CAAC;AAAA,EAC/D,MAAM,cAAc,KAAK,gBAAgB;AAAA,EACzC,WAAW,OAAO,2BAA2B;AAAA,IAC3C,OAAO,YAAY;AAAA,EACrB;AAAA,EACA,iBAAiB,UAAU,UAAU;AAAA,EAErC,IACE,iBAAiB,UAAU,YAC3B,OAAO,iBAAiB,UAAU,aAAa,UAC/C;AAAA,IACA,WAAW,OAAO,4BAA4B;AAAA,MAC5C,OAAO,iBAAiB,UAAU,SAAS;AAAA,IAC7C;AAAA,EACF;AAAA,EAEA,IAAI,OAAO,iBAAiB,eAAe,YAAY;AAAA,IACrD,WAAW,OAAO,4BAA4B;AAAA,MAC5C,IAAI;AAAA,QACF,iBAAiB,WAAW,KAAK,IAAI;AAAA,QACrC,OAAO,KAAK;AAAA,QACZ,OAAO,KACL,sDAAsD,QACpD,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAEnD;AAAA;AAAA,IAEJ;AAAA,EACF;AAAA,EAEA,IAAI,OAAO,iBAAiB,gBAAgB,YAAY;AAAA,IACtD,IAAI;AAAA,MACF,MAAM,iBAAiB,YAAY,iBAAiB,SAAS;AAAA,QAC3D,SAAS,KAAK,YAAY;AAAA,MAC5B,CAAC;AAAA,MACD,OAAO,KAAK;AAAA,MACZ,OAAO,KACL,mEACE,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAEnD;AAAA;AAAA,EAEJ;AAAA;AAGF,eAAsB,yBAAyB,CAAC,MAK9B;AAAA,EAChB,QAAQ,eAAe,MAAM,QAAQ,SAAS,eAAe;AAAA,EAE7D,IAAI,4BAA4B,GAAG;AAAA,IACjC,MAAM,IAAI,OAAO;AAAA,IACjB,OAAO,MACL,kEAAkE,KAAK,UAAU,0BAA0B,CAAC,CAAC,GAC/G;AAAA,EACF;AAAA,EAEA,IAAI,OAAO,cAAc,eAAe,YAAY;AAAA,IAClD,IAAI;AAAA,MACF,MAAM,aAAa,WAAW;AAAA,MAC9B,OAAO,KAAK;AAAA,MACZ,OAAO,KACL,0DACE,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAEnD;AAAA;AAAA,EAEJ;AAAA,EAEA,MAAM,sBAAsB,aAAa,OAAO,CAAC;AAAA,EAEjD,MAAM,YAAY,KAAM,OAAO,SAAS,CAAC,EAAG;AAAA,EAC5C,OAAO,UAAU;AAAA,EACjB,OAAO,QAAQ;AAAA,EACf,+BAA+B,QAAuB;AAAA,IACpD,kBAAkB,EAAE,SAAS,QAAQ;AAAA,IACrC,gBAAgB;AAAA,MACd,YAAY;AAAA,QACV,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,IACA,aAAa,CAAC,WAAW,OAAO,SAAS,cAAc,KAAK;AAAA,EAC9D,CAAC;AAAA,EACD,2BAA2B,MAAiC;AAAA,EAE5D,IAAI;AAAA,IACF,aAAa,MAAM;AAAA,IACnB,IAAI,4BAA4B,GAAG;AAAA,MACjC,MAAM,IAAI,OAAO;AAAA,MACjB,OAAO,MACL,0EAA0E,KAAK,UAAU,0BAA0B,CAAC,CAAC,GACvH;AAAA,IACF;AAAA,IACA,OAAO,KAAK;AAAA,IACZ,OAAO,KACL,6DACE,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAEnD;AAAA;AAAA,EAGF,cAAc;AAAA,EACd,MAAM,uBAAuB,OAAO;AAAA,EAEpC,IAAI,4BAA4B,GAAG;AAAA,IACjC,OAAO,MACL,qGACF;AAAA,EACF;AAAA;AAWK,SAAS,6BAA6B,CAC3C,QACS;AAAA,EACT,OACE,OAAO,WAAW,YAAY,kCAAkC,IAAI,MAAM;AAAA;AAAA,IA/nBxE,6BAA6B,oCACtB,oBACX,4DAEI,gBAoBA,2BAkBA,4BAMA,0BAwEO,+BAwOP,sBAGA,2BAgRO,kCAGP;AAAA;AAAA,EAroBN;AAAA,EACA;AAAA,EAQA;AAAA,EAUM,iBAAiB;AAAA,IACrB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EAEM,4BAA4B;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EAEM,6BAA6B;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EAEM,2BAA2B;AAAA,IAC/B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EA+Da,gCAAN,MAAM,sCAAsC,MAAM;AAAA,IACrC,OAAO;AAAA,IACzB,WAAW,CAAC,UAAU,oCAAoC;AAAA,MACxD,MAAM,OAAO;AAAA;AAAA,EAEjB;AAAA,EAmOM,uBAAuB,OAC3B,QAAQ,IAAI,8BAA8B,KAC5C;AAAA,EACM,4BAA4B,OAChC,QAAQ,IAAI,mCAAmC,KACjD;AAAA,EA8Qa,mCAAmC;AAAA,EAG1C,oCAAyD,IAAI,IAAI;AAAA,IACrE;AAAA,IACA;AAAA,EACF,CAAC;AAAA;;;ACzoBD;AASA,eAAsB,uBAAuB,CAC3C,KACkB;AAAA,EAClB,QAAQ,KAAK,QAAQ,UAAU,QAAQ,SAAS,SAAS;AAAA,EACzD,MAAM,cAAc;AAAA,EAEpB,IAAI,WAAW,SAAS,aAAa,qBAAqB;AAAA,IACxD,MAAM,WAAW,+BAA+B,aAAa,OAAO;AAAA,IACpE,MAAM,2BAA2B,oCAC/B,aACA,KACF;AAAA,IAEA,IAAI,SAAS,WAAW;AAAA,MACtB,KAAK,KAAK;AAAA,QACR,WAAW;AAAA,QACX,SAAS,SAAS;AAAA,QAClB;AAAA,QACA,WAAW,SAAS;AAAA,QACpB,QAAQ,SAAS;AAAA,QACjB,gBAAgB,SAAS;AAAA,QACzB,UAAU;AAAA,QACV,QAAQ,SAAS,gBACb,YACA,UACE,sCACA;AAAA,MACR,CAAC;AAAA,MACD,OAAO;AAAA,IACT;AAAA,IAEA,IAAI,CAAC,SAAS;AAAA,MACZ,KAAK,KAAK;AAAA,QACR,WAAW;AAAA,QACX,SAAS,SAAS;AAAA,QAClB;AAAA,QACA,WAAW,SAAS;AAAA,QACpB,QAAQ;AAAA,MACV,CAAC;AAAA,MACD,OAAO;AAAA,IACT;AAAA,IAEA,KAAK,KAAK;AAAA,MACR,WAAW;AAAA,MACX,SAAS,SAAS;AAAA,MAClB;AAAA,MACA,WAAW,SAAS;AAAA,MACpB,QAAQ;AAAA,IACV,CAAC;AAAA,IACD,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,WAAW,SAAS,aAAa,sBAAsB;AAAA,IACzD,KAAK,KAAK,MAAM,kBAAkB,aAAa,OAAO,CAAC;AAAA,IACvD,OAAO;AAAA,EACT;AAAA,EAEA,OAAO;AAAA;AAAA;AAAA,EAjET;AAAA;",
+  "debugId": "AF345220F5AD290064756E2164756E21",
+  "names": []
+}

package/dist/services/cloud-auth.d.ts

@@ -1,13 +1,136 @@
 /**
- * CloudAuthService — Device-based auto-signup and session management.
+ * CloudAuthService — Eliza Cloud authentication entry points.
  *
- * On first launch, derives a hardware fingerprint and calls
- * POST /api/v1/device-auth. The cloud backend creates a user + org +
- * $5 credit + API key if new, or returns the existing session.
+ * Two distinct auth flows live here:
+ *
+ * 1. **Device auto-signup** (`authenticateWithDevice`) — convenience-only.
+ *    Derives a hardware fingerprint and exchanges it for a free-tier API key
+ *    against the cloud signup endpoint. The result is treated as opaque and
+ *    is **never** trusted as inbound auth for the local Eliza dashboard.
+ *    See `docs/security/remote-auth-hardening-plan.md` §7 for the explicit
+ *    demotion rationale.
+ *
+ * 2. **Eliza Cloud SSO** (`getSsoRedirectUrl` / `exchangeCodeForSession`) —
+ *    OAuth-style authorization-code flow against the cloud issuer. The
+ *    callback handler in `app-core` (`api/auth/cloud-sso.ts`) consumes these
+ *    methods to bind a verified cloud user to a local Identity. All error
+ *    paths fail closed: the methods throw and the caller MUST refuse the
+ *    request. There is no partial-claims fallback.
  */
-import { type IAgentRuntime, Service } from "@elizaos/core";
+import { type RuntimeEnvRecord, type IAgentRuntime, Service } from "@elizaos/core";
 import type { CloudCredentials } from "../types/cloud";
 import { CloudApiClient } from "../utils/cloud-api";
+import type { CloudBootstrapService } from "./cloud-bootstrap";
+/**
+ * Required ID-token claims for an Eliza Cloud SSO exchange.
+ *
+ * `sub` is the cloud user id (canonical identity key). `email` and `name`
+ * are surfaced for UI display and identity provisioning. Anything else the
+ * cloud issuer adds is preserved on `extra` for callers that need it but
+ * is never required for auth decisions.
+ */
+export interface CloudSsoIdTokenClaims {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    email: string;
+    email_verified?: boolean;
+    name: string;
+    picture?: string;
+    extra: Record<string, unknown>;
+}
+export interface CloudSsoSession {
+    cloudUserId: string;
+    email: string;
+    displayName: string;
+    claims: CloudSsoIdTokenClaims;
+}
+export interface SsoRedirectArgs {
+    /**
+     * Local URL the user should land on after the SSO round-trip
+     * (e.g. `/onboarding/setup`). The dashboard's callback route forwards
+     * to this once the session cookie is set; it is NOT sent to the cloud
+     * issuer.
+     */
+    returnTo?: string;
+    /**
+     * State nonce. The caller is responsible for generating this with
+     * `crypto.randomBytes(32)` and storing it server-side keyed by the
+     * issued cookie / pending exchange.
+     */
+    state: string;
+    /**
+     * Override for `ELIZA_CLOUD_CLIENT_ID`. Falls through to the env when
+     * unset; explicitly throws when neither is provided.
+     */
+    clientId?: string;
+    /** Allows tests to inject a synthetic env record. */
+    env?: RuntimeEnvRecord;
+}
+export interface ExchangeCodeArgs {
+    /** Authorization code returned on the SSO callback. */
+    code: string;
+    /** State value the cloud issuer echoed back on the callback. */
+    state: string;
+    /**
+     * State value the caller originally issued. Compared with `state` and
+     * mismatch causes a fail-closed throw before any network call is made.
+     */
+    expectedState: string;
+    /**
+     * Source for `getJwksUrl()`. The caller resolves this from the runtime
+     * service registry (`runtime.getService("CLOUD_BOOTSTRAP")`) so this
+     * file does not import from `app-core` directly.
+     */
+    bootstrap: CloudBootstrapService;
+    /** Allows tests to inject a fake fetch for the token endpoint. */
+    fetchImpl?: typeof fetch;
+    /** Allows tests to inject a synthetic env record. */
+    env?: RuntimeEnvRecord;
+    /** Optional override for the redirect URI; defaults to the local callback. */
+    redirectUri?: string;
+}
+interface ApiKeyAuthInput {
+    apiKey: string;
+    organizationId?: string;
+    userId?: string;
+}
+/**
+ * Returns the absolute URL the dashboard should redirect the user to in
+ * order to start an Eliza Cloud SSO authorization-code flow.
+ *
+ * Throws when `ELIZA_CLOUD_CLIENT_ID` is unset and no `clientId` override
+ * is provided — there is no built-in default. `ELIZA_CLOUD_ISSUER` is read
+ * via the `CloudBootstrapService`'s service-port and must already be set;
+ * if not, this method throws via the bootstrap's existing fail-closed
+ * behaviour.
+ *
+ * The `state` argument MUST be generated by the caller with a cryptographic
+ * RNG and stored server-side bound to the issued cookie. This method does
+ * NOT generate or persist state.
+ *
+ * @param bootstrap - Service-port that exposes `getExpectedIssuer()`.
+ * @param args - Required `state`, optional `clientId` / `returnTo` / `env`.
+ */
+export declare function getSsoRedirectUrl(bootstrap: CloudBootstrapService, args: SsoRedirectArgs): string;
+/**
+ * Exchange an authorization code for a verified Eliza Cloud session.
+ *
+ * Steps:
+ *   1. Compare `state === expectedState`. Mismatch throws.
+ *   2. POST to `${ELIZA_CLOUD_ISSUER}/oauth/token` with the code,
+ *      `client_id`, and `client_secret` (the latter from
+ *      `ELIZA_CLOUD_CLIENT_SECRET`).
+ *   3. Verify the returned `id_token` against the JWKS exposed by
+ *      `CloudBootstrapService.getJwksUrl()`. RS256 only.
+ *   4. Project the claims onto a `CloudSsoSession`.
+ *
+ * Any error in fetch / signature verify / claim shape throws — this method
+ * NEVER returns a partial or fallback session.
+ */
+export declare function exchangeCodeForSession(args: ExchangeCodeArgs): Promise<CloudSsoSession>;
 export declare class CloudAuthService extends Service {
     static serviceType: string;
     capabilityDescription: string;
@@ -18,7 +141,18 @@ export declare class CloudAuthService extends Service {
     stop(): Promise<void>;
     private initialize;
     private validateApiKey;
+    /**
+     * Free-tier device auto-signup. **Convenience only — not a security
+     * primitive.** The hardware fingerprint is treated as opaque material the
+     * cloud signup endpoint can use to mint a fresh API key + $5 free credit
+     * for new installs. The result is usable for outbound LLM calls; it never
+     * authorizes inbound dashboard access.
+     *
+     * See `docs/security/remote-auth-hardening-plan.md` §7.
+     */
     authenticateWithDevice(): Promise<CloudCredentials>;
+    authenticateWithApiKey(input: ApiKeyAuthInput): CloudCredentials;
+    clearAuth(): void;
     isAuthenticated(): boolean;
     getCredentials(): CloudCredentials | null;
     getApiKey(): string | undefined;
@@ -26,4 +160,5 @@ export declare class CloudAuthService extends Service {
     getUserId(): string | undefined;
     getOrganizationId(): string | undefined;
 }
+export {};
 //# sourceMappingURL=cloud-auth.d.ts.map

package/dist/services/cloud-auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloud-auth.d.ts","sourceRoot":"","sources":["../../services/cloud-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,aAAa,EAAU,OAAO,EAAE,MAAM,eAAe,CAAC;AACpE,OAAO,KAAK,EAAE,gBAAgB,EAAsC,MAAM,gBAAgB,CAAC;AAE3F,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AA4BpD,qBAAa,gBAAiB,SAAQ,OAAO;IAC3C,MAAM,CAAC,WAAW,SAAgB;IAClC,qBAAqB,SAA6D;IAElF,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,WAAW,CAAiC;gBAExC,OAAO,CAAC,EAAE,aAAa;WAKtB,KAAK,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAMtD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAIb,UAAU;YA2DV,cAAc;IActB,sBAAsB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA6BzD,eAAe,IAAI,OAAO;IAG1B,cAAc,IAAI,gBAAgB,GAAG,IAAI;IAGzC,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,SAAS,IAAI,cAAc;IAG3B,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,iBAAiB,IAAI,MAAM,GAAG,SAAS;CAGxC"}
+{"version":3,"file":"cloud-auth.d.ts","sourceRoot":"","sources":["../../src/services/cloud-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAElB,OAAO,EAGR,MAAM,eAAe,CAAC;AAEvB,OAAO,KAAK,EAAE,gBAAgB,EAAsC,MAAM,gBAAgB,CAAC;AAE3F,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AA8B/D;;;;;;;GAOG;AACH,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,qBAAqB,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC9B;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qDAAqD;IACrD,GAAG,CAAC,EAAE,gBAAgB,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,SAAS,EAAE,qBAAqB,CAAC;IACjC,kEAAkE;IAClE,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,qDAAqD;IACrD,GAAG,CAAC,EAAE,gBAAgB,CAAC;IACvB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAUD,UAAU,eAAe;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAgDD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,qBAAqB,EAAE,IAAI,EAAE,eAAe,GAAG,MAAM,CAuBjG;AAqED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,sBAAsB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAiE7F;AAID,qBAAa,gBAAiB,SAAQ,OAAO;IAC3C,MAAM,CAAC,WAAW,SAAgB;IAClC,qBAAqB,SAA+D;IAEpF,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,WAAW,CAAiC;gBAExC,OAAO,CAAC,EAAE,aAAa;WAKtB,KAAK,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IAMtD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAIb,UAAU;YA+DV,cAAc;IAY5B;;;;;;;;OAQG;IACG,sBAAsB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA6BzD,sBAAsB,CAAC,KAAK,EAAE,eAAe,GAAG,gBAAgB;IAkBhE,SAAS,IAAI,IAAI;IAKjB,eAAe,IAAI,OAAO;IAG1B,cAAc,IAAI,gBAAgB,GAAG,IAAI;IAGzC,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,SAAS,IAAI,cAAc;IAG3B,SAAS,IAAI,MAAM,GAAG,SAAS;IAG/B,iBAAiB,IAAI,MAAM,GAAG,SAAS;CAGxC"}