@elizaos/vault 2.0.0-alpha.537

package/dist/install.js

@@ -0,0 +1,163 @@
+/**
+ * Install spec — what install methods exist for each external secrets-manager
+ * backend on which OS, and how to detect whether a given package manager is
+ * present on the host.
+ *
+ * Detection-only. The actual `child_process` execution and streaming live in
+ * the consumer (app-core's `secrets-manager-installer`); this module is pure
+ * data + small async checks so it stays usable from the vault package
+ * without pulling in spawn/PTY machinery.
+ */
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const exec = promisify(execFile);
+/**
+ * Install specs for each external backend.
+ *
+ * Sources:
+ *   - 1Password CLI: `brew install --cask 1password-cli`
+ *     (https://developer.1password.com/docs/cli/get-started)
+ *   - Bitwarden CLI: `brew install bitwarden-cli` (formula, not cask) or
+ *     `npm install -g @bitwarden/cli`
+ *     (https://bitwarden.com/help/cli/)
+ *   - Proton Pass CLI: vendor CLI is in beta, no automated install path yet.
+ */
+export const BACKEND_INSTALL_SPECS = {
+    "1password": {
+        id: "1password",
+        methods: {
+            darwin: [
+                { kind: "brew", package: "1password-cli", cask: true },
+                {
+                    kind: "manual",
+                    instructions: "Download the 1Password CLI installer for macOS from the official page.",
+                    url: "https://developer.1password.com/docs/cli/get-started",
+                },
+            ],
+            linux: [
+                {
+                    kind: "manual",
+                    instructions: "Follow the official Linux install instructions (apt/dnf/zypper repo with signed packages).",
+                    url: "https://developer.1password.com/docs/cli/get-started/#linux",
+                },
+            ],
+            win32: [
+                {
+                    kind: "manual",
+                    instructions: "Install via winget or the MSI from the official 1Password CLI page.",
+                    url: "https://developer.1password.com/docs/cli/get-started/#windows",
+                },
+            ],
+        },
+    },
+    bitwarden: {
+        id: "bitwarden",
+        methods: {
+            darwin: [
+                { kind: "brew", package: "bitwarden-cli", cask: false },
+                { kind: "npm", package: "@bitwarden/cli" },
+            ],
+            linux: [{ kind: "npm", package: "@bitwarden/cli" }],
+            win32: [{ kind: "npm", package: "@bitwarden/cli" }],
+        },
+    },
+    protonpass: {
+        id: "protonpass",
+        methods: {
+            darwin: [
+                {
+                    kind: "manual",
+                    instructions: "Proton Pass CLI is in closed beta. Track Proton's roadmap or use the desktop app.",
+                    url: "https://proton.me/pass",
+                },
+            ],
+            linux: [
+                {
+                    kind: "manual",
+                    instructions: "Proton Pass CLI is in closed beta. Track Proton's roadmap or use the desktop app.",
+                    url: "https://proton.me/pass",
+                },
+            ],
+            win32: [
+                {
+                    kind: "manual",
+                    instructions: "Proton Pass CLI is in closed beta. Track Proton's roadmap or use the desktop app.",
+                    url: "https://proton.me/pass",
+                },
+            ],
+        },
+    },
+};
+/**
+ * Per-OS package-manager availability (brew/npm). Cached for the process
+ * lifetime — the result doesn't change without a host-level install/remove,
+ * and the caller can force a re-detect by importing `resetInstallerCache`.
+ */
+let _packageManagerCache = null;
+export async function detectPackageManagers() {
+    if (_packageManagerCache)
+        return _packageManagerCache;
+    const [brew, npm] = await Promise.all([
+        isCommandRunnable("brew"),
+        isCommandRunnable("npm"),
+    ]);
+    _packageManagerCache = { brew, npm };
+    return _packageManagerCache;
+}
+export function resetInstallerCache() {
+    _packageManagerCache = null;
+}
+async function isCommandRunnable(cmd) {
+    try {
+        await exec(cmd, ["--version"], { timeout: 5000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Resolve the install methods that are *runnable on this host* for a given
+ * backend. Manual methods are always returned (so the UI can show the doc
+ * link); brew/npm methods are filtered to those whose tool is present.
+ */
+export async function resolveRunnableMethods(id, platform = currentPlatform()) {
+    const spec = BACKEND_INSTALL_SPECS[id];
+    const candidates = spec.methods[platform] ?? [];
+    if (candidates.length === 0)
+        return [];
+    const tools = await detectPackageManagers();
+    return candidates.filter((m) => {
+        if (m.kind === "brew")
+            return tools.brew;
+        if (m.kind === "npm")
+            return tools.npm;
+        return true;
+    });
+}
+export function currentPlatform() {
+    const p = process.platform;
+    if (p === "darwin" || p === "linux" || p === "win32")
+        return p;
+    // Treat anything else as linux for dispatch purposes; specs only ship the
+    // three primary platforms today.
+    return "linux";
+}
+/**
+ * Build the argv for a given install method. Caller spawns directly with
+ * argv (no shell interpolation). Returns null for `manual` — those have no
+ * automated execution path.
+ */
+export function buildInstallCommand(method) {
+    if (method.kind === "brew") {
+        const args = method.cask
+            ? ["install", "--cask", method.package]
+            : ["install", method.package];
+        return { command: "brew", args };
+    }
+    if (method.kind === "npm") {
+        return { command: "npm", args: ["install", "-g", method.package] };
+    }
+    return null;
+}
+//# sourceMappingURL=install.js.map

package/dist/install.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAmCjC;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAE9B;IACF,WAAW,EAAE;QACX,EAAE,EAAE,WAAW;QACf,OAAO,EAAE;YACP,MAAM,EAAE;gBACN,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,EAAE;gBACtD;oBACE,IAAI,EAAE,QAAQ;oBACd,YAAY,EACV,wEAAwE;oBAC1E,GAAG,EAAE,sDAAsD;iBAC5D;aACF;YACD,KAAK,EAAE;gBACL;oBACE,IAAI,EAAE,QAAQ;oBACd,YAAY,EACV,4FAA4F;oBAC9F,GAAG,EAAE,6DAA6D;iBACnE;aACF;YACD,KAAK,EAAE;gBACL;oBACE,IAAI,EAAE,QAAQ;oBACd,YAAY,EACV,qEAAqE;oBACvE,GAAG,EAAE,+DAA+D;iBACrE;aACF;SACF;KACF;IACD,SAAS,EAAE;QACT,EAAE,EAAE,WAAW;QACf,OAAO,EAAE;YACP,MAAM,EAAE;gBACN,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,KAAK,EAAE;gBACvD,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE;aAC3C;YACD,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;YACnD,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;SACpD;KACF;IACD,UAAU,EAAE;QACV,EAAE,EAAE,YAAY;QAChB,OAAO,EAAE;YACP,MAAM,EAAE;gBACN;oBACE,IAAI,EAAE,QAAQ;oBACd,YAAY,EACV,mFAAmF;oBACrF,GAAG,EAAE,wBAAwB;iBAC9B;aACF;YACD,KAAK,EAAE;gBACL;oBACE,IAAI,EAAE,QAAQ;oBACd,YAAY,EACV,mFAAmF;oBACrF,GAAG,EAAE,wBAAwB;iBAC9B;aACF;YACD,KAAK,EAAE;gBACL;oBACE,IAAI,EAAE,QAAQ;oBACd,YAAY,EACV,mFAAmF;oBACrF,GAAG,EAAE,wBAAwB;iBAC9B;aACF;SACF;KACF;CACF,CAAC;AAEF;;;;GAIG;AACH,IAAI,oBAAoB,GAAsC,IAAI,CAAC;AAOnE,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,IAAI,oBAAoB;QAAE,OAAO,oBAAoB,CAAC;IACtD,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpC,iBAAiB,CAAC,MAAM,CAAC;QACzB,iBAAiB,CAAC,KAAK,CAAC;KACzB,CAAC,CAAC;IACH,oBAAoB,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;IACrC,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,oBAAoB,GAAG,IAAI,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,GAAW;IAC1C,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,EAAkC,EAClC,WAA8B,eAAe,EAAE;IAE/C,MAAM,IAAI,GAAG,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAChD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAC5C,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC7B,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM;YAAE,OAAO,KAAK,CAAC,IAAI,CAAC;QACzC,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC,GAAG,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,MAAM,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC;IAC3B,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,OAAO;QAAE,OAAO,CAAC,CAAC;IAC/D,0EAA0E;IAC1E,iCAAiC;IACjC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAqB;IAErB,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI;YACtB,CAAC,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC;YACvC,CAAC,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QAChC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/inventory.d.ts

@@ -0,0 +1,140 @@
+/**
+ * Vault inventory: a meta-layer over `Vault` that surfaces every stored
+ * key in a categorized, UI-renderable shape, and lets the user attach
+ * metadata (label, providerId, profiles, routing) to a key without
+ * changing the vault's underlying storage contract.
+ *
+ * Storage convention:
+ *   - Original keys live exactly where they always have (e.g.
+ *     `OPENROUTER_API_KEY`).
+ *   - Metadata for a key K lives at `_meta.<K>` as a JSON-encoded
+ *     non-sensitive entry.
+ *   - When profiles are enabled for K, the per-profile values live at
+ *     `<K>.profile.<profileId>`. The "active profile" pointer lives in
+ *     the meta blob.
+ *   - Routing rules across keys live at `_routing.config` as a single
+ *     JSON-encoded non-sensitive entry.
+ *
+ * The vault layer remains dumb: `vault.get(K)` still returns the value
+ * stored under K. Profile resolution is a thin wrapper exposed by the
+ * manager (see `manager.getActive`). This file owns the metadata
+ * read/write/categorize logic only.
+ *
+ * Hard rule: `_meta.*` and `_routing.*` are reserved prefixes — every
+ * inventory listing filters them out so the user never sees a meta
+ * blob masquerading as a normal vault entry.
+ */
+import type { Vault } from "./vault.js";
+export declare const META_PREFIX = "_meta.";
+export declare const ROUTING_KEY = "_routing.config";
+export declare const PROFILE_SEGMENT = "profile";
+/**
+ * High-level category of a vault entry — drives grouping in the UI.
+ *
+ * - `provider`   — model-provider API keys (OPENAI_API_KEY, etc.)
+ * - `plugin`     — non-provider plugin tokens (N8N_API_KEY, GITHUB_TOKEN, …)
+ * - `wallet`     — wallet private keys / mnemonics
+ * - `credential` — saved-login records (`creds.<domain>.<user>`)
+ * - `system`     — internal manager/preferences entries
+ * - `session`    — password-manager session tokens (`pm.<vendor>.session`)
+ */
+export type VaultEntryCategory = "provider" | "plugin" | "wallet" | "credential" | "system" | "session";
+export interface VaultEntryProfile {
+    readonly id: string;
+    readonly label: string;
+    /** Epoch ms; missing on legacy entries. */
+    readonly createdAt?: number;
+}
+/**
+ * On-disk shape of `_meta.<key>`. Only the fields the user has set
+ * are persisted — partial writes via `setEntryMeta` merge.
+ */
+export interface VaultEntryMetaRecord {
+    readonly category?: VaultEntryCategory;
+    readonly label?: string;
+    readonly providerId?: string;
+    readonly lastModified?: number;
+    readonly lastUsed?: number;
+    readonly profiles?: ReadonlyArray<VaultEntryProfile>;
+    readonly activeProfile?: string;
+}
+/**
+ * Inventory row as the UI sees it. `kind` mirrors the underlying vault
+ * entry's storage kind (secret = encrypted, value = plaintext config,
+ * reference = pointer into a password manager).
+ */
+export interface VaultEntryMeta {
+    readonly key: string;
+    readonly category: VaultEntryCategory;
+    readonly label: string;
+    readonly providerId?: string;
+    readonly hasProfiles: boolean;
+    readonly activeProfile?: string;
+    readonly profiles?: ReadonlyArray<VaultEntryProfile>;
+    readonly lastModified?: number;
+    readonly lastUsed?: number;
+    readonly kind: "secret" | "value" | "reference";
+}
+/**
+ * Heuristic categorization for keys without an explicit `_meta.*` entry.
+ * Order matters: more specific patterns run first.
+ */
+export declare function categorizeKey(key: string): VaultEntryCategory;
+/**
+ * Provider id derivation when no explicit meta is set. Returns null
+ * when the key isn't a recognized provider env var.
+ */
+export declare function inferProviderId(key: string): string | null;
+/**
+ * Read the meta record for `key`, parsing the underlying JSON. Returns
+ * null when no meta has been written. Malformed JSON is treated as
+ * "no meta" and logged at warn — we never silently coerce a corrupt
+ * blob into a valid meta to mask the underlying problem.
+ */
+export declare function readEntryMeta(vault: Vault, key: string): Promise<VaultEntryMetaRecord | null>;
+/**
+ * Merge `partial` into the existing meta for `key`. Writing partial
+ * meta is the only public way to mutate metadata — callers always
+ * read-modify-write through this helper so concurrent fields don't
+ * clobber each other.
+ *
+ * Wipe a field by setting its value to `null` in the partial.
+ */
+/**
+ * Partial-update payload accepted by `setEntryMeta`. Fields are
+ * optional; passing `null` deletes the underlying field from the
+ * stored meta blob (the only way to wipe e.g. activeProfile without
+ * round-tripping the entire record).
+ */
+export interface VaultEntryMetaUpdate {
+    readonly category?: VaultEntryCategory | null;
+    readonly label?: string | null;
+    readonly providerId?: string | null;
+    readonly lastUsed?: number | null;
+    readonly profiles?: ReadonlyArray<VaultEntryProfile> | null;
+    readonly activeProfile?: string | null;
+}
+export declare function setEntryMeta(vault: Vault, key: string, partial: VaultEntryMetaUpdate): Promise<void>;
+/**
+ * Drop the meta record for `key`. Callers are responsible for also
+ * removing the underlying value(s) and profile entries — this only
+ * touches `_meta.<key>`.
+ */
+export declare function removeEntryMeta(vault: Vault, key: string): Promise<void>;
+/**
+ * List every meaningful vault entry, grouped by category. Reserved
+ * `_meta.*` and `_routing.*` keys are filtered out, as are the
+ * `_manager.*` preferences keys.
+ *
+ * For keys with profile entries (`<K>.profile.<id>`), only the parent
+ * `<K>` is surfaced — the profile rows roll up under it.
+ */
+export declare function listVaultInventory(vault: Vault): Promise<readonly VaultEntryMeta[]>;
+/**
+ * Vault key for the storage backing one profile of a parent key.
+ *
+ * Profiles use dot separators so `vault.list("<KEY>")` matches both the
+ * parent and every profile via the existing prefix logic.
+ */
+export declare function profileStorageKey(key: string, profileId: string): string;
+//# sourceMappingURL=inventory.d.ts.map

package/dist/inventory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inventory.d.ts","sourceRoot":"","sources":["../src/inventory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAIxC,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,eAAO,MAAM,WAAW,oBAAoB,CAAC;AAC7C,eAAO,MAAM,eAAe,YAAY,CAAC;AAEzC;;;;;;;;;GASG;AACH,MAAM,MAAM,kBAAkB,GAC1B,UAAU,GACV,QAAQ,GACR,QAAQ,GACR,YAAY,GACZ,QAAQ,GACR,SAAS,CAAC;AAEd,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,2CAA2C;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,CAAC,EAAE,kBAAkB,CAAC;IACvC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACrD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,QAAQ,EAAE,kBAAkB,CAAC;IACtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACrD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,GAAG,WAAW,CAAC;CACjD;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,kBAAkB,CAoB7D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAM1D;AAwDD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,KAAK,EACZ,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAKtC;AAED;;;;;;;GAOG;AACH;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAC9C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,QAAQ,CAAC,QAAQ,CAAC,EAAE,aAAa,CAAC,iBAAiB,CAAC,GAAG,IAAI,CAAC;IAC5D,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxC;AAED,wBAAsB,YAAY,CAChC,KAAK,EAAE,KAAK,EACZ,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAkBf;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,IAAI,CAAC,CAKf;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,KAAK,GACX,OAAO,CAAC,SAAS,cAAc,EAAE,CAAC,CAiEpC;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAUxE"}

package/dist/inventory.js

@@ -0,0 +1,319 @@
+/**
+ * Vault inventory: a meta-layer over `Vault` that surfaces every stored
+ * key in a categorized, UI-renderable shape, and lets the user attach
+ * metadata (label, providerId, profiles, routing) to a key without
+ * changing the vault's underlying storage contract.
+ *
+ * Storage convention:
+ *   - Original keys live exactly where they always have (e.g.
+ *     `OPENROUTER_API_KEY`).
+ *   - Metadata for a key K lives at `_meta.<K>` as a JSON-encoded
+ *     non-sensitive entry.
+ *   - When profiles are enabled for K, the per-profile values live at
+ *     `<K>.profile.<profileId>`. The "active profile" pointer lives in
+ *     the meta blob.
+ *   - Routing rules across keys live at `_routing.config` as a single
+ *     JSON-encoded non-sensitive entry.
+ *
+ * The vault layer remains dumb: `vault.get(K)` still returns the value
+ * stored under K. Profile resolution is a thin wrapper exposed by the
+ * manager (see `manager.getActive`). This file owns the metadata
+ * read/write/categorize logic only.
+ *
+ * Hard rule: `_meta.*` and `_routing.*` are reserved prefixes — every
+ * inventory listing filters them out so the user never sees a meta
+ * blob masquerading as a normal vault entry.
+ */
+// Reserved key prefixes. Anything starting with these is internal to
+// the inventory layer and must not surface to UI listings.
+export const META_PREFIX = "_meta.";
+export const ROUTING_KEY = "_routing.config";
+export const PROFILE_SEGMENT = "profile";
+// ── Categorization ──────────────────────────────────────────────────
+/**
+ * Heuristic categorization for keys without an explicit `_meta.*` entry.
+ * Order matters: more specific patterns run first.
+ */
+export function categorizeKey(key) {
+    if (key.startsWith("creds."))
+        return "credential";
+    if (key.startsWith("pm."))
+        return "session";
+    if (key.startsWith("_manager.") || key === ROUTING_KEY)
+        return "system";
+    if (/(?:_PRIVATE_KEY|_MNEMONIC|_SEED_PHRASE)$/i.test(key) ||
+        /^(?:EVM|SOLANA|BTC|ETH|BITCOIN)_/i.test(key) ||
+        // wallet.<agent>.<chain>.privateKey  (Phase 3 unified storage)
+        key.startsWith("wallet.") ||
+        // Legacy per-agent shape: agent.<name>.wallet.<chain>
+        /(?:^|\.)wallet\./i.test(key)) {
+        return "wallet";
+    }
+    if (/_API_KEY$/.test(key)) {
+        if (PROVIDER_KEY_PATTERNS.some((rx) => rx.test(key)))
+            return "provider";
+        return "plugin";
+    }
+    if (PROVIDER_EXACT_KEYS.has(key))
+        return "provider";
+    return "plugin";
+}
+/**
+ * Provider id derivation when no explicit meta is set. Returns null
+ * when the key isn't a recognized provider env var.
+ */
+export function inferProviderId(key) {
+    const lookup = PROVIDER_KEY_TO_ID[key];
+    if (lookup)
+        return lookup;
+    const m = /^([A-Z][A-Z0-9_]*)_API_KEY$/.exec(key);
+    if (m)
+        return m[1].toLowerCase();
+    return null;
+}
+const PROVIDER_KEY_TO_ID = {
+    OPENAI_API_KEY: "openai",
+    ANTHROPIC_API_KEY: "anthropic",
+    OPENROUTER_API_KEY: "openrouter",
+    GROQ_API_KEY: "groq",
+    XAI_API_KEY: "grok",
+    DEEPSEEK_API_KEY: "deepseek",
+    MISTRAL_API_KEY: "mistral",
+    TOGETHER_API_KEY: "together",
+    GOOGLE_GENERATIVE_AI_API_KEY: "gemini",
+    GOOGLE_API_KEY: "gemini",
+    GEMINI_API_KEY: "gemini",
+};
+const PROVIDER_EXACT_KEYS = new Set(Object.keys(PROVIDER_KEY_TO_ID));
+const PROVIDER_KEY_PATTERNS = [
+    /^OPENAI_API_KEY$/,
+    /^ANTHROPIC_API_KEY$/,
+    /^OPENROUTER_API_KEY$/,
+    /^GROQ_API_KEY$/,
+    /^XAI_API_KEY$/,
+    /^DEEPSEEK_API_KEY$/,
+    /^MISTRAL_API_KEY$/,
+    /^TOGETHER_API_KEY$/,
+    /^GOOGLE_(?:GENERATIVE_AI_)?API_KEY$/,
+    /^GEMINI_API_KEY$/,
+    /^PERPLEXITY_API_KEY$/,
+];
+// ── Default labels ─────────────────────────────────────────────────
+const PROVIDER_LABELS = {
+    openai: "OpenAI",
+    anthropic: "Anthropic",
+    openrouter: "OpenRouter",
+    groq: "Groq",
+    grok: "xAI Grok",
+    deepseek: "DeepSeek",
+    mistral: "Mistral",
+    together: "Together",
+    gemini: "Gemini",
+};
+function defaultLabel(key, providerId) {
+    if (providerId && PROVIDER_LABELS[providerId])
+        return PROVIDER_LABELS[providerId];
+    return key;
+}
+// ── Public API ─────────────────────────────────────────────────────
+/**
+ * Read the meta record for `key`, parsing the underlying JSON. Returns
+ * null when no meta has been written. Malformed JSON is treated as
+ * "no meta" and logged at warn — we never silently coerce a corrupt
+ * blob into a valid meta to mask the underlying problem.
+ */
+export async function readEntryMeta(vault, key) {
+    const metaKey = `${META_PREFIX}${key}`;
+    if (!(await vault.has(metaKey)))
+        return null;
+    const raw = await vault.get(metaKey);
+    return parseMetaRecord(raw, metaKey);
+}
+export async function setEntryMeta(vault, key, partial) {
+    const metaKey = `${META_PREFIX}${key}`;
+    const existing = (await readEntryMeta(vault, key)) ?? {};
+    const merged = { ...existing };
+    for (const [k, v] of Object.entries(partial)) {
+        if (v === null) {
+            delete merged[k];
+            continue;
+        }
+        if (v === undefined)
+            continue;
+        merged[k] = v;
+    }
+    merged.lastModified = Date.now();
+    // Meta is non-sensitive but its content describes which keys exist
+    // and which profiles a user maintains — disclosure-meaningful but
+    // not credential-bearing. Stored as a plain `value` entry; the
+    // sensitive value sits in `<key>` (or `<key>.profile.<id>`).
+    await vault.set(metaKey, JSON.stringify(merged));
+}
+/**
+ * Drop the meta record for `key`. Callers are responsible for also
+ * removing the underlying value(s) and profile entries — this only
+ * touches `_meta.<key>`.
+ */
+export async function removeEntryMeta(vault, key) {
+    const metaKey = `${META_PREFIX}${key}`;
+    if (await vault.has(metaKey)) {
+        await vault.remove(metaKey);
+    }
+}
+/**
+ * List every meaningful vault entry, grouped by category. Reserved
+ * `_meta.*` and `_routing.*` keys are filtered out, as are the
+ * `_manager.*` preferences keys.
+ *
+ * For keys with profile entries (`<K>.profile.<id>`), only the parent
+ * `<K>` is surfaced — the profile rows roll up under it.
+ */
+export async function listVaultInventory(vault) {
+    const allKeys = await vault.list();
+    const profileChildren = new Set();
+    // First pass: identify keys that are themselves children of a
+    // profile-bearing parent. Pattern: <PARENT>.profile.<id>.
+    // We strip these so the inventory only ever exposes the parent.
+    for (const k of allKeys) {
+        const split = k.indexOf(`.${PROFILE_SEGMENT}.`);
+        if (split > 0)
+            profileChildren.add(k);
+    }
+    // The set of parents we want to expose:
+    //   1. Every concrete vault key that isn't a profile child or a
+    //      reserved internal key.
+    //   2. Every parent whose `_meta.<key>` exists even if the bare key
+    //      itself doesn't (the user has profiles but no legacy default
+    //      value at the bare key — common after `migrate-to-profiles`).
+    const parentKeys = new Set();
+    for (const key of allKeys) {
+        if (key.startsWith(META_PREFIX)) {
+            parentKeys.add(key.slice(META_PREFIX.length));
+            continue;
+        }
+        if (key === ROUTING_KEY)
+            continue;
+        if (key.startsWith("_manager."))
+            continue;
+        if (profileChildren.has(key))
+            continue;
+        parentKeys.add(key);
+    }
+    const out = [];
+    for (const key of parentKeys) {
+        const descriptor = await vault.describe(key);
+        const meta = await readEntryMeta(vault, key);
+        if (!descriptor && !meta)
+            continue; // nothing to surface
+        const kind = descriptor
+            ? descriptorKind(descriptor.source)
+            : "secret"; // meta-only parents are presumed to back sensitive data
+        const providerId = meta?.providerId ?? inferProviderId(key) ?? undefined;
+        const category = meta?.category ?? categorizeKey(key);
+        const label = meta?.label ?? defaultLabel(key, providerId ?? null);
+        const profiles = meta?.profiles ?? [];
+        const hasProfiles = profiles.length > 0;
+        out.push({
+            key,
+            category,
+            label,
+            ...(providerId ? { providerId } : {}),
+            hasProfiles,
+            ...(meta?.activeProfile ? { activeProfile: meta.activeProfile } : {}),
+            ...(hasProfiles ? { profiles } : {}),
+            ...(meta?.lastModified !== undefined
+                ? { lastModified: meta.lastModified }
+                : descriptor?.lastModified !== undefined
+                    ? { lastModified: descriptor.lastModified }
+                    : {}),
+            ...(meta?.lastUsed !== undefined ? { lastUsed: meta.lastUsed } : {}),
+            kind,
+        });
+    }
+    return out;
+}
+/**
+ * Vault key for the storage backing one profile of a parent key.
+ *
+ * Profiles use dot separators so `vault.list("<KEY>")` matches both the
+ * parent and every profile via the existing prefix logic.
+ */
+export function profileStorageKey(key, profileId) {
+    if (typeof profileId !== "string" || profileId.length === 0) {
+        throw new TypeError("profileStorageKey: profileId must be non-empty");
+    }
+    if (!/^[a-zA-Z0-9_-]+$/.test(profileId)) {
+        throw new TypeError(`profileStorageKey: profileId must match [a-zA-Z0-9_-]+, got ${JSON.stringify(profileId)}`);
+    }
+    return `${key}.${PROFILE_SEGMENT}.${profileId}`;
+}
+// ── Internals ───────────────────────────────────────────────────────
+function descriptorKind(source) {
+    if (source === "file")
+        return "value";
+    if (source === "keychain-encrypted")
+        return "secret";
+    return "reference";
+}
+function parseMetaRecord(raw, metaKey) {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error(`vault: meta entry ${metaKey} is not a JSON object (got ${typeof parsed})`);
+    }
+    const obj = parsed;
+    const out = {};
+    const cat = obj.category;
+    if (typeof cat === "string" && isCategory(cat)) {
+        out.category = cat;
+    }
+    if (typeof obj.label === "string" && obj.label.length > 0) {
+        out.label = obj.label;
+    }
+    if (typeof obj.providerId === "string" && obj.providerId.length > 0) {
+        out.providerId = obj.providerId;
+    }
+    if (typeof obj.lastModified === "number") {
+        out.lastModified = obj.lastModified;
+    }
+    if (typeof obj.lastUsed === "number") {
+        out.lastUsed = obj.lastUsed;
+    }
+    if (typeof obj.activeProfile === "string" && obj.activeProfile.length > 0) {
+        out.activeProfile = obj.activeProfile;
+    }
+    if (Array.isArray(obj.profiles)) {
+        const profiles = [];
+        for (const p of obj.profiles) {
+            if (!p || typeof p !== "object")
+                continue;
+            const rec = p;
+            if (typeof rec.id !== "string" || rec.id.length === 0)
+                continue;
+            const label = typeof rec.label === "string" && rec.label.length > 0
+                ? rec.label
+                : rec.id;
+            const profile = {
+                id: rec.id,
+                label,
+                ...(typeof rec.createdAt === "number"
+                    ? { createdAt: rec.createdAt }
+                    : {}),
+            };
+            profiles.push(profile);
+        }
+        if (profiles.length > 0) {
+            out.profiles =
+                profiles;
+        }
+    }
+    return out;
+}
+function isCategory(v) {
+    return (v === "provider" ||
+        v === "plugin" ||
+        v === "wallet" ||
+        v === "credential" ||
+        v === "system" ||
+        v === "session");
+}
+//# sourceMappingURL=inventory.js.map

package/dist/inventory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inventory.js","sourceRoot":"","sources":["../src/inventory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,qEAAqE;AACrE,2DAA2D;AAC3D,MAAM,CAAC,MAAM,WAAW,GAAG,QAAQ,CAAC;AACpC,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAG,SAAS,CAAC;AA2DzC,uEAAuE;AAEvE;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,YAAY,CAAC;IAClD,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5C,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,GAAG,KAAK,WAAW;QAAE,OAAO,QAAQ,CAAC;IACxE,IACE,2CAA2C,CAAC,IAAI,CAAC,GAAG,CAAC;QACrD,mCAAmC,CAAC,IAAI,CAAC,GAAG,CAAC;QAC7C,+DAA+D;QAC/D,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;QACzB,sDAAsD;QACtD,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,EAC7B,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAAE,OAAO,UAAU,CAAC;QACxE,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IACpD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,CAAC,GAAG,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC;IAClC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,kBAAkB,GAAqC;IAC3D,cAAc,EAAE,QAAQ;IACxB,iBAAiB,EAAE,WAAW;IAC9B,kBAAkB,EAAE,YAAY;IAChC,YAAY,EAAE,MAAM;IACpB,WAAW,EAAE,MAAM;IACnB,gBAAgB,EAAE,UAAU;IAC5B,eAAe,EAAE,SAAS;IAC1B,gBAAgB,EAAE,UAAU;IAC5B,4BAA4B,EAAE,QAAQ;IACtC,cAAc,EAAE,QAAQ;IACxB,cAAc,EAAE,QAAQ;CACzB,CAAC;AAEF,MAAM,mBAAmB,GAAwB,IAAI,GAAG,CACtD,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAChC,CAAC;AAEF,MAAM,qBAAqB,GAA0B;IACnD,kBAAkB;IAClB,qBAAqB;IACrB,sBAAsB;IACtB,gBAAgB;IAChB,eAAe;IACf,oBAAoB;IACpB,mBAAmB;IACnB,oBAAoB;IACpB,qCAAqC;IACrC,kBAAkB;IAClB,sBAAsB;CACvB,CAAC;AAEF,sEAAsE;AAEtE,MAAM,eAAe,GAAqC;IACxD,MAAM,EAAE,QAAQ;IAChB,SAAS,EAAE,WAAW;IACtB,UAAU,EAAE,YAAY;IACxB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,UAAU;IAChB,QAAQ,EAAE,UAAU;IACpB,OAAO,EAAE,SAAS;IAClB,QAAQ,EAAE,UAAU;IACpB,MAAM,EAAE,QAAQ;CACjB,CAAC;AAEF,SAAS,YAAY,CAAC,GAAW,EAAE,UAAyB;IAC1D,IAAI,UAAU,IAAI,eAAe,CAAC,UAAU,CAAC;QAC3C,OAAO,eAAe,CAAC,UAAU,CAAE,CAAC;IACtC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,sEAAsE;AAEtE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAY,EACZ,GAAW;IAEX,MAAM,OAAO,GAAG,GAAG,WAAW,GAAG,GAAG,EAAE,CAAC;IACvC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACrC,OAAO,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC;AAyBD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAY,EACZ,GAAW,EACX,OAA6B;IAE7B,MAAM,OAAO,GAAG,GAAG,WAAW,GAAG,GAAG,EAAE,CAAC;IACvC,MAAM,QAAQ,GAAG,CAAC,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACzD,MAAM,MAAM,GAA4B,EAAE,GAAG,QAAQ,EAAE,CAAC;IACxD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACf,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,SAAS;YAAE,SAAS;QAC9B,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,MAAM,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACjC,mEAAmE;IACnE,kEAAkE;IAClE,+DAA+D;IAC/D,6DAA6D;IAC7D,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAY,EACZ,GAAW;IAEX,MAAM,OAAO,GAAG,GAAG,WAAW,GAAG,GAAG,EAAE,CAAC;IACvC,IAAI,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,MAAM,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAY;IAEZ,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAE1C,8DAA8D;IAC9D,0DAA0D;IAC1D,gEAAgE;IAChE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,eAAe,GAAG,CAAC,CAAC;QAChD,IAAI,KAAK,GAAG,CAAC;YAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,wCAAwC;IACxC,gEAAgE;IAChE,8BAA8B;IAC9B,oEAAoE;IACpE,mEAAmE;IACnE,oEAAoE;IACpE,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9C,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QAClC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC;YAAE,SAAS;QAC1C,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACvC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC;IAED,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI;YAAE,SAAS,CAAC,qBAAqB;QAEzD,MAAM,IAAI,GAAqC,UAAU;YACvD,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC;YACnC,CAAC,CAAC,QAAQ,CAAC,CAAC,wDAAwD;QAEtE,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QACzE,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,YAAY,CAAC,GAAG,EAAE,UAAU,IAAI,IAAI,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;QACtC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAExC,GAAG,CAAC,IAAI,CAAC;YACP,GAAG;YACH,QAAQ;YACR,KAAK;YACL,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrC,WAAW;YACX,GAAG,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpC,GAAG,CAAC,IAAI,EAAE,YAAY,KAAK,SAAS;gBAClC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE;gBACrC,CAAC,CAAC,UAAU,EAAE,YAAY,KAAK,SAAS;oBACtC,CAAC,CAAC,EAAE,YAAY,EAAE,UAAU,CAAC,YAAY,EAAE;oBAC3C,CAAC,CAAC,EAAE,CAAC;YACT,GAAG,CAAC,IAAI,EAAE,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW,EAAE,SAAiB;IAC9D,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,SAAS,CACjB,+DAA+D,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC3F,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,GAAG,IAAI,eAAe,IAAI,SAAS,EAAE,CAAC;AAClD,CAAC;AAED,uEAAuE;AAEvE,SAAS,cAAc,CACrB,MAAkE;IAElE,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACtC,IAAI,MAAM,KAAK,oBAAoB;QAAE,OAAO,QAAQ,CAAC;IACrD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,eAAe,CACtB,GAAW,EACX,OAAe;IAEf,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CACb,qBAAqB,OAAO,8BAA8B,OAAO,MAAM,GAAG,CAC3E,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,MAAiC,CAAC;IAE9C,MAAM,GAAG,GAAyB,EAAE,CAAC;IACrC,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC;IACzB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,GAAwC,CAAC,QAAQ,GAAG,GAAG,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzD,GAAyB,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnE,GAA8B,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QACxC,GAAgC,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACpC,GAA4B,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IACxD,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ,IAAI,GAAG,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzE,GAAiC,CAAC,aAAa,GAAG,GAAG,CAAC,aAAa,CAAC;IACvE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAwB,EAAE,CAAC;QACzC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;gBAAE,SAAS;YAC1C,MAAM,GAAG,GAAG,CAA4B,CAAC;YACzC,IAAI,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ,IAAI,GAAG,CAAC,EAAE,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChE,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBACnD,CAAC,CAAC,GAAG,CAAC,KAAK;gBACX,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;YACb,MAAM,OAAO,GAAsB;gBACjC,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,KAAK;gBACL,GAAG,CAAC,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;oBACnC,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE;oBAC9B,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,GAAsD,CAAC,QAAQ;gBAC9D,QAAQ,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CACL,CAAC,KAAK,UAAU;QAChB,CAAC,KAAK,QAAQ;QACd,CAAC,KAAK,QAAQ;QACd,CAAC,KAAK,YAAY;QAClB,CAAC,KAAK,QAAQ;QACd,CAAC,KAAK,SAAS,CAChB,CAAC;AACJ,CAAC"}