@gaodefa/daocore 2026.5.74 → 2026.5.76

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1140) hide show
  1. package/dist/abort-CB4Bin7P.js +277 -0
  2. package/dist/abort.runtime-C5imf3M6.js +2 -0
  3. package/dist/abort.runtime.js +1 -1
  4. package/dist/account-inspect-BrLOD3dL.js +173 -0
  5. package/dist/accounts-BJghihjE.js +107 -0
  6. package/dist/accounts-Cmmoz0Uc.js +119 -0
  7. package/dist/accounts-CtHQ9LlB.js +2 -0
  8. package/dist/accounts-D2XmsEdz.js +107 -0
  9. package/dist/acp/control-plane/manager.d.ts +2 -1
  10. package/dist/acp-runtime-CsJkP6Eh.js +26 -0
  11. package/dist/acp-spawn-DrF63yyT.js +1275 -0
  12. package/dist/acp-spawn-ORtTG-uw.js +2 -0
  13. package/dist/acp-stateful-target-driver-XI6lnVTT.js +89 -0
  14. package/dist/action-kill-BkWa08iK.js +33 -0
  15. package/dist/action-runtime-CW2Fkm81.js +469 -0
  16. package/dist/action-runtime-api-LQHyxfBM.js +2 -0
  17. package/dist/action-send-BSTkpsKB.js +39 -0
  18. package/dist/action-spawn-CG0owoYM.js +47 -0
  19. package/dist/actions-BQH4Vf20.js +161 -0
  20. package/dist/actions.runtime-BwFgiJFE.js +5 -0
  21. package/dist/agent-B1k62jFg.js +3 -0
  22. package/dist/agent-CooPvAB8.js +2 -0
  23. package/dist/agent-command-DQ1XgXqe.d.ts +105 -0
  24. package/dist/agent-command-Djll6bnb.js +1367 -0
  25. package/dist/agent-components.runtime-Bxmeq5SX.js +10 -0
  26. package/dist/agent-components.runtime.js +1 -1
  27. package/dist/agent-harness-Bt_1zRJ1.d.ts +146 -0
  28. package/dist/agent-harness-runtime-Bt2xTt2z.js +180 -0
  29. package/dist/agent-harness-task-runtime-C6Sx-QFy.js +140 -0
  30. package/dist/agent-runner-execution-CUB1dxz1.js +1713 -0
  31. package/dist/agent-runner-utils-LoP2ghjB.js +266 -0
  32. package/dist/agent-runner.runtime-B6FEpN97.js +3455 -0
  33. package/dist/agent-runner.runtime.js +1 -1
  34. package/dist/agent-runtime-DDBYT9PU.js +229 -0
  35. package/dist/agent-via-gateway-Cac7aWXN.js +463 -0
  36. package/dist/api-C7_eM4X7.js +2 -0
  37. package/dist/api-CTv-thVP.js +2 -0
  38. package/dist/api-CyVlHCwr.js +6 -0
  39. package/dist/api-DfnW7Cwk.js +134 -0
  40. package/dist/api-mdeTtlMU.js +3 -0
  41. package/dist/api-rzVN_ShI.js +639 -0
  42. package/dist/apply-CA6OjGyH.js +41 -0
  43. package/dist/apply-YMZKb6rV.js +54 -0
  44. package/dist/approval-handler.runtime-Bo3XBEmS.js +130 -0
  45. package/dist/assistant-D0Y0TW8p.js +291 -0
  46. package/dist/attachment-normalize-CRqY0rzf.js +225 -0
  47. package/dist/attempt-execution-BL2-MkN9.js +558 -0
  48. package/dist/attempt-execution.runtime-BbkIPww8.js +3 -0
  49. package/dist/attempt-execution.runtime.js +1 -1
  50. package/dist/attempt-execution.shared-xgnVkNxr.js +38 -0
  51. package/dist/attempt.prompt-helpers--NxxT8xy.js +475 -0
  52. package/dist/attempt.tool-run-context-EsAayWh6.js +2094 -0
  53. package/dist/binding-routing-BIf2zYbn.js +113 -0
  54. package/dist/binding-targets-CnVPlLL3.js +121 -0
  55. package/dist/bot-BUkIAmq4.js +7894 -0
  56. package/dist/bot-deps-BDpF3-2x.js +747 -0
  57. package/dist/bot-deps-Ctxazu0z.js +2 -0
  58. package/dist/bot-message-context.runtime-Ddl-CF0g.js +7 -0
  59. package/dist/bot-message-context.runtime.js +1 -1
  60. package/dist/bot-message-context.session.runtime-BOBDJGi6.js +12 -0
  61. package/dist/bot-message-context.session.runtime.js +1 -1
  62. package/dist/bot-native-commands.delivery.runtime-Cp2bC1cm.js +4 -0
  63. package/dist/bot-native-commands.delivery.runtime.js +1 -1
  64. package/dist/bot-native-commands.runtime-BxOgiBSg.js +13 -0
  65. package/dist/bot-native-commands.runtime.js +1 -1
  66. package/dist/bridge-server-BD8gdvCj.js +113 -0
  67. package/dist/browser-cli-BxOiqtw0.js +230 -0
  68. package/dist/browser-cli-CQSbU4r7.js +2 -0
  69. package/dist/browser-cli-actions-input-CACwoXjH.js +473 -0
  70. package/dist/browser-cli-actions-observe-7y44Efff.js +81 -0
  71. package/dist/browser-cli-debug--cZDNVgZ.js +137 -0
  72. package/dist/browser-cli-inspect-Bjm1LYpb.js +104 -0
  73. package/dist/browser-cli-manage-BdoQAGZ5.js +443 -0
  74. package/dist/browser-cli-resize-CiWfi52U.js +26 -0
  75. package/dist/browser-cli-shared-Cf2UTok5.js +50 -0
  76. package/dist/browser-cli-state-BzSo9Zyo.js +337 -0
  77. package/dist/browser-control-auth-goBz3LrL.js +2 -0
  78. package/dist/browser-profiles-5QyWxduY.js +2 -0
  79. package/dist/browser-runtime-DpYYMv_-.js +384 -0
  80. package/dist/build-BOWwrF6B.js +257 -0
  81. package/dist/build-info.json +3 -3
  82. package/dist/bundled/boot-md/handler.js +2 -2
  83. package/dist/bundled/session-memory/handler.js +1 -1
  84. package/dist/canvas-host/a2ui/.bundle.hash +1 -1
  85. package/dist/capability-cli-p3b5r_A5.js +1782 -0
  86. package/dist/channel-8rtqtIC-.js +238 -0
  87. package/dist/channel-B2t80bjP.js +1556 -0
  88. package/dist/channel-BFgbA2E6.js +562 -0
  89. package/dist/channel-BPZSxEkQ.js +808 -0
  90. package/dist/channel-BibcrGJ7.js +955 -0
  91. package/dist/channel-Bj3a13bG.js +1777 -0
  92. package/dist/channel-Bsd0VVMJ.js +2126 -0
  93. package/dist/channel-C4Ouz2jY.js +481 -0
  94. package/dist/channel-CXcp2i5k.js +653 -0
  95. package/dist/channel-CZNxKVdH.js +1134 -0
  96. package/dist/channel-CfI-ubEB.js +740 -0
  97. package/dist/channel-CgNA5Zih.js +1496 -0
  98. package/dist/channel-D1AKh1-N.d.ts +6 -0
  99. package/dist/channel-D5n_k9F5.js +867 -0
  100. package/dist/channel-D7vJSPUF.js +1249 -0
  101. package/dist/channel-DcV0Ld4N.js +362 -0
  102. package/dist/channel-De73mgO_.js +508 -0
  103. package/dist/channel-Dmdu9Pzb.js +376 -0
  104. package/dist/channel-actions.runtime-CihZrf0M.js +265 -0
  105. package/dist/channel-actions.runtime.js +1 -1
  106. package/dist/channel-cGJKLfJe.d.ts +427 -0
  107. package/dist/channel-core-Ng_haxOP.js +5 -0
  108. package/dist/channel-inbound-Dz8i5Map.js +80 -0
  109. package/dist/channel-lifecycle-BXdiTu_h.d.ts +126 -0
  110. package/dist/channel-pairing-qPwn6FAN.d.ts +58 -0
  111. package/dist/channel-plugin-runtime-BGwpeswU.js +998 -0
  112. package/dist/channel-runtime-5xfHeIpP.js +408 -0
  113. package/dist/channel.runtime-3cv5PIqa.js +21009 -0
  114. package/dist/channel.runtime-B48fiEqP.js +109 -0
  115. package/dist/channel.runtime-B9omb8Je.js +733 -0
  116. package/dist/channel.runtime-BTnYLrjs.js +652 -0
  117. package/dist/channel.runtime-Bw4vm2KP.js +4 -0
  118. package/dist/channel.runtime-JZVnahXY.js +254 -0
  119. package/dist/channel.runtime-OyE1NDe4.js +2528 -0
  120. package/dist/channel.runtime-Q3Chs30P.js +1008 -0
  121. package/dist/channel.runtime-cGEI9b88.js +88 -0
  122. package/dist/channel.setup-BvvO8wUo.js +1098 -0
  123. package/dist/channel.setup-Cy2rvR1u.js +10 -0
  124. package/dist/channel.setup-Xo7BBamM.js +343 -0
  125. package/dist/chat-CfSmQsWK.js +2666 -0
  126. package/dist/chrome-CB8ELr8g.js +1503 -0
  127. package/dist/cli/run-main.js +5 -5
  128. package/dist/cli-CCnAoXu8.js +1341 -0
  129. package/dist/cli-compaction-C5z02QAR.js +347 -0
  130. package/dist/cli-metadata-VfQG__-m.js +22 -0
  131. package/dist/cli-runner-C8VlXbx6.js +2 -0
  132. package/dist/cli-runner-FnNwgi9z.js +540 -0
  133. package/dist/cli-runner.runtime-3y8ztIrM.js +4 -0
  134. package/dist/cli-runner.runtime-DjJNUNqh.js +3 -0
  135. package/dist/cli-runner.runtime.js +1 -1
  136. package/dist/cli-startup-metadata.json +8 -8
  137. package/dist/client-BxaKR3NR.js +650 -0
  138. package/dist/client-adapter-CD2eYE5u.js +897 -0
  139. package/dist/client-factory-wknOz0YZ.js +9 -0
  140. package/dist/command-auth-5oWRlAgW.js +135 -0
  141. package/dist/command-handlers-DRLCoUOI.js +1609 -0
  142. package/dist/command-registry-ClgHMh-P.js +4 -0
  143. package/dist/command-registry-Crw-ALyo.js +9 -0
  144. package/dist/command-registry-core-Q8mKRnm2.js +110 -0
  145. package/dist/command-status.runtime-Bv5-S6Jh.js +90 -0
  146. package/dist/command-status.runtime.js +1 -1
  147. package/dist/commands-acp-D7wwvhSb.js +74 -0
  148. package/dist/commands-compact.runtime-Do6XoPgi.js +10 -0
  149. package/dist/commands-compact.runtime.js +1 -1
  150. package/dist/commands-handlers.runtime-CQIeiOBs.js +6154 -0
  151. package/dist/commands-handlers.runtime.js +1 -1
  152. package/dist/commands-status--6Ec-6xl.js +3 -0
  153. package/dist/commands-status-B71V5ctj.js +16 -0
  154. package/dist/commands-status.runtime--6Ec-6xl.js +3 -0
  155. package/dist/commands-status.runtime.js +1 -1
  156. package/dist/commands-subagents-control.runtime-0bdHKGkh.js +2 -0
  157. package/dist/commands-subagents-control.runtime-C699ndyM.js +3 -0
  158. package/dist/commands-subagents-control.runtime.js +1 -1
  159. package/dist/commands-system-prompt-B-_6D_8o.js +2 -0
  160. package/dist/commands-system-prompt-Cf5S370X.js +162 -0
  161. package/dist/commands.runtime-C95VhDIj.js +176 -0
  162. package/dist/commands.runtime.js +1 -1
  163. package/dist/commitments/runtime.js +1 -1
  164. package/dist/compact-BUfPJl6J.js +1141 -0
  165. package/dist/compact-WFlFbfB-.js +480 -0
  166. package/dist/compact.runtime-CQnO12gG.js +12 -0
  167. package/dist/compact.runtime.js +1 -1
  168. package/dist/completion-cli-uJRHgHYJ.js +315 -0
  169. package/dist/components-u4gL95dv.d.ts +228 -0
  170. package/dist/components.modal-glHG-y8o.d.ts +568 -0
  171. package/dist/computer-use-BqSdNbdx.js +367 -0
  172. package/dist/config-5QyWxduY.js +2 -0
  173. package/dist/config-D7UGquxF.js +373 -0
  174. package/dist/config-mutations-BcFxP9jF.js +159 -0
  175. package/dist/context-engine-host-compat-BBGC6Eb4.js +2 -0
  176. package/dist/context-engine-host-compat-Us6I7iiS.js +288 -0
  177. package/dist/context-engine-lifecycle-BRYjJ_xx.js +1274 -0
  178. package/dist/control-auth-Dz6wWtYF.js +114 -0
  179. package/dist/control-service-OTMJ16Vr.js +145 -0
  180. package/dist/control-ui/assets/agents-BFH1c5D8.js +1008 -0
  181. package/dist/control-ui/assets/channel-config-extras-DsnCLOmU.js +2 -0
  182. package/dist/control-ui/assets/channels-DSisxQja.js +367 -0
  183. package/dist/control-ui/assets/cron-DyI8r1tM.js +1013 -0
  184. package/dist/control-ui/assets/debug-DHzN1qXF.js +97 -0
  185. package/dist/control-ui/assets/index-BE880hFY.js +7378 -0
  186. package/dist/control-ui/assets/index-BimYwq-S.css +1 -0
  187. package/dist/control-ui/assets/instances-D-kXaz60.js +57 -0
  188. package/dist/control-ui/assets/logs-DoWwrXFx.js +74 -0
  189. package/dist/control-ui/assets/nodes-DYXRkdwm.js +436 -0
  190. package/dist/control-ui/assets/sessions-DBse3-4Y.js +399 -0
  191. package/dist/control-ui/assets/skills-SWnspXME.js +314 -0
  192. package/dist/control-ui/assets/skills-shared-D_taQTw1.js +11 -0
  193. package/dist/control-ui/assets/zh-CN-CDrBrfT7.js +2 -0
  194. package/dist/control-ui/index.html +2 -2
  195. package/dist/control-ui/sw.js +1 -1
  196. package/dist/conversation-binding-runtime-Qzm50Ztm.js +4 -0
  197. package/dist/conversation-runtime-B8IRh0X_.js +31 -0
  198. package/dist/core-B9JJc5bK.js +282 -0
  199. package/dist/core-api-BkLqoKIY.js +5 -0
  200. package/dist/core-api-D_qLiSVx.js +2 -0
  201. package/dist/crestodian/crestodian.js +1 -1
  202. package/dist/crestodian/rescue-message.js +1 -1
  203. package/dist/crestodian-Wce00VL9.js +55 -0
  204. package/dist/daocore-tools-BGfsn9OX.js +11727 -0
  205. package/dist/delivery-CKZNf6HN.js +1002 -0
  206. package/dist/dialogue-DMyfQ10Y.js +37 -0
  207. package/dist/dir-fetch-tool-Bodc_UiO.js +565 -0
  208. package/dist/dir-list-tool-DKdRgmE0.js +100 -0
  209. package/dist/direct-dm-gubxMBvV.js +64 -0
  210. package/dist/directive-handling.fast-lane-SIR-LK_X.js +68 -0
  211. package/dist/directive-handling.impl-CyETmsuZ.js +2 -0
  212. package/dist/directive-handling.impl-DBRFiFvk.js +818 -0
  213. package/dist/directive-handling.model-selection-DY-tmC6k.js +122 -0
  214. package/dist/directive-handling.persist.runtime-NzxgMnZ0.js +263 -0
  215. package/dist/directive-handling.persist.runtime.js +1 -1
  216. package/dist/dispatch-Cfc2X0Y6.js +1640 -0
  217. package/dist/dispatch-acp-transcript.runtime-QL350v4-.js +40 -0
  218. package/dist/dispatch-acp-transcript.runtime.js +1 -1
  219. package/dist/dispatch-acp.runtime-D3FviqFZ.js +18 -0
  220. package/dist/dispatch-acp.runtime.js +1 -1
  221. package/dist/doctor-C7gTSFfH.js +6 -0
  222. package/dist/doctor-DiHS_IQ0.js +2 -0
  223. package/dist/doctor-config-flow-B8FwXA-r.js +1741 -0
  224. package/dist/doctor-core-checks-BYeuryZ4.js +2 -0
  225. package/dist/doctor-core-checks-CnzzLGiH.js +573 -0
  226. package/dist/doctor-health-BnmOyTty.js +65 -0
  227. package/dist/doctor-health-contributions-ocQMPxjM.js +696 -0
  228. package/dist/doctor-lint-CjRi8o5u.js +94 -0
  229. package/dist/doctor-state-integrity-Dbu4NMz2.js +1231 -0
  230. package/dist/dynamic-tools-6zBBc1qr.js +486 -0
  231. package/dist/embedded-backend-BZOf3nmp.js +579 -0
  232. package/dist/embedded-gateway-stub.runtime-Bz0nKXhe.js +12 -0
  233. package/dist/embedded-gateway-stub.runtime.js +1 -1
  234. package/dist/exec-approvals-D7MoRNan.js +149 -0
  235. package/dist/extensionAPI.js +1 -1
  236. package/dist/extensions/active-memory/index.js +1 -1
  237. package/dist/extensions/admin-http-rpc/index.js +1 -1
  238. package/dist/extensions/anthropic/doctor-contract-api.d.ts +1 -1
  239. package/dist/extensions/browser/browser-bridge.js +1 -1
  240. package/dist/extensions/browser/browser-config.js +4 -4
  241. package/dist/extensions/browser/browser-control-auth.js +2 -2
  242. package/dist/extensions/browser/browser-doctor.js +2 -2
  243. package/dist/extensions/browser/browser-maintenance.js +1 -1
  244. package/dist/extensions/browser/browser-profiles.js +2 -2
  245. package/dist/extensions/browser/browser-runtime-api.js +11 -11
  246. package/dist/extensions/browser/cli-metadata.js +1 -1
  247. package/dist/extensions/browser/index.js +1 -1
  248. package/dist/extensions/browser/plugin-registration.js +1 -1
  249. package/dist/extensions/browser/register.runtime.js +4 -4
  250. package/dist/extensions/browser/runtime-api.js +13 -13
  251. package/dist/extensions/browser/test-support.d.ts +1 -1
  252. package/dist/extensions/canvas/index.js +1 -1
  253. package/dist/extensions/clickclack/api.js +2 -2
  254. package/dist/extensions/clickclack/channel-plugin-api.js +1 -1
  255. package/dist/extensions/clickclack/runtime-api.js +2 -2
  256. package/dist/extensions/device-pair/api.js +1 -1
  257. package/dist/extensions/device-pair/pair-command-approve.js +1 -1
  258. package/dist/extensions/file-transfer/index.js +4 -4
  259. package/dist/extensions/google/doctor-contract-api.d.ts +1 -1
  260. package/dist/extensions/image-generation-core/api.d.ts +1 -1
  261. package/dist/extensions/imessage/api.js +2 -2
  262. package/dist/extensions/imessage/channel-plugin-api.js +1 -1
  263. package/dist/extensions/imessage/message-tool-api.d.ts +1 -1
  264. package/dist/extensions/imessage/runtime-api.d.ts +1 -1
  265. package/dist/extensions/imessage/runtime-api.js +3 -3
  266. package/dist/extensions/irc/api.js +2 -2
  267. package/dist/extensions/irc/channel-plugin-api.js +1 -1
  268. package/dist/extensions/llm-task/index.js +1 -1
  269. package/dist/extensions/mattermost/api.js +1 -1
  270. package/dist/extensions/mattermost/channel-plugin-api.js +1 -1
  271. package/dist/extensions/mattermost/channel-plugin-runtime.js +1 -1
  272. package/dist/extensions/mattermost/policy-api.js +1 -1
  273. package/dist/extensions/mattermost/runtime-api.d.ts +7 -7
  274. package/dist/extensions/mattermost/runtime-api.js +2 -2
  275. package/dist/extensions/mattermost/slash-route-api.js +1 -1
  276. package/dist/extensions/memory-core/cli-metadata.js +1 -1
  277. package/dist/extensions/migrate-claude/apply.js +1 -1
  278. package/dist/extensions/migrate-claude/index.js +1 -1
  279. package/dist/extensions/migrate-claude/plan.js +1 -1
  280. package/dist/extensions/migrate-claude/provider.js +1 -1
  281. package/dist/extensions/migrate-claude/targets.js +1 -1
  282. package/dist/extensions/migrate-hermes/apply.js +1 -1
  283. package/dist/extensions/migrate-hermes/index.js +1 -1
  284. package/dist/extensions/migrate-hermes/model.js +1 -1
  285. package/dist/extensions/migrate-hermes/plan.js +1 -1
  286. package/dist/extensions/migrate-hermes/provider.js +1 -1
  287. package/dist/extensions/migrate-hermes/secrets.js +1 -1
  288. package/dist/extensions/migrate-hermes/targets.js +1 -1
  289. package/dist/extensions/policy/api.js +1 -1
  290. package/dist/extensions/policy/index.js +2 -2
  291. package/dist/extensions/signal/api.d.ts +1 -1
  292. package/dist/extensions/signal/api.js +6 -6
  293. package/dist/extensions/signal/channel-plugin-api.js +1 -1
  294. package/dist/extensions/signal/reaction-runtime-api.js +1 -1
  295. package/dist/extensions/signal/runtime-api.d.ts +2 -2
  296. package/dist/extensions/signal/runtime-api.js +7 -7
  297. package/dist/extensions/skill-workshop/api.js +1 -1
  298. package/dist/extensions/skill-workshop/index.js +2 -2
  299. package/dist/extensions/telegram/account-inspect-api.js +1 -1
  300. package/dist/extensions/telegram/api.d.ts +1 -1
  301. package/dist/extensions/telegram/api.js +11 -11
  302. package/dist/extensions/telegram/channel-plugin-api.js +2 -2
  303. package/dist/extensions/telegram/contract-api.js +3 -3
  304. package/dist/extensions/telegram/runtime-api.js +7 -7
  305. package/dist/extensions/telegram/security-audit-contract-api.js +1 -1
  306. package/dist/extensions/telegram/setup-plugin-api.js +1 -1
  307. package/dist/extensions/telegram/test-api.js +2 -2
  308. package/dist/extensions/video-generation-core/api.d.ts +1 -1
  309. package/dist/extensions/webhooks/api.js +1 -1
  310. package/dist/extensions/webhooks/index.js +1 -1
  311. package/dist/extensions/webhooks/runtime-api.d.ts +2 -2
  312. package/dist/extensions/xai/index.js +4 -4
  313. package/dist/extensions/xai/realtime-transcription-provider.js +1 -1
  314. package/dist/extensions/xai/speech-provider.js +1 -1
  315. package/dist/extensions/xai/test-api.js +1 -1
  316. package/dist/extensions/xai/tts.js +1 -1
  317. package/dist/extensions/xai/web-search.js +1 -1
  318. package/dist/extensions/xai/xai-oauth.js +1 -1
  319. package/dist/file-fetch-tool-UOp-kXiF.js +124 -0
  320. package/dist/file-write-tool-Bmics566.js +127 -0
  321. package/dist/format-BAPtahQp.js +1145 -0
  322. package/dist/gateway-cli-C9vWttAu.js +435 -0
  323. package/dist/gateway-method-runtime-cf2DQe_R.js +21 -0
  324. package/dist/get-reply-from-config.runtime-973T_WNQ.js +2 -0
  325. package/dist/get-reply-from-config.runtime.js +1 -1
  326. package/dist/get-reply-nFbvZyXJ.js +4689 -0
  327. package/dist/graph-users-DX3qj987.js +1419 -0
  328. package/dist/group-access-fUxE_esT.js +112 -0
  329. package/dist/group-keys-wTgDt5mh.d.ts +17 -0
  330. package/dist/handle-action.guild-admin-DzmixKDt.js +288 -0
  331. package/dist/harness-BvoaeM2G.js +61 -0
  332. package/dist/health-BNfYEJaa.js +4 -0
  333. package/dist/heartbeat-runner-DHFAz5O-.js +5 -0
  334. package/dist/heartbeat-runner.runtime-BTARhrNZ.js +4 -0
  335. package/dist/heartbeat-runner.runtime.js +1 -1
  336. package/dist/hook-runtime-BBONf8H3.d.ts +108 -0
  337. package/dist/hooks-DxGU2YA5.js +534 -0
  338. package/dist/inbound-direct-dm-runtime-CAX9fltu.js +2 -0
  339. package/dist/inbound-reply-dispatch-T13MYtrr.js +148 -0
  340. package/dist/index.d.ts +1 -1
  341. package/dist/index.js +1 -1
  342. package/dist/init-DCCh5oSO.js +59 -0
  343. package/dist/inline-buttons-DaFc4jXn.js +40 -0
  344. package/dist/internal-events-Gz1ipxmh.js +90 -0
  345. package/dist/isolated-agent-CHUsxMC-.js +1118 -0
  346. package/dist/isolated-agent-K2nfnPOc.js +2 -0
  347. package/dist/lifecycle-kyB2yqsq.js +571 -0
  348. package/dist/list.probe-BSjy8u2p.js +449 -0
  349. package/dist/list.status-command-BxIAK-G5.js +789 -0
  350. package/dist/llm-slug-generator-BMH4faWD.js +78 -0
  351. package/dist/llm-slug-generator.js +1 -1
  352. package/dist/local-dispatch.runtime-DFy7ycDP.js +9 -0
  353. package/dist/local-dispatch.runtime.js +1 -1
  354. package/dist/manager-DWN3qo90.d.ts +10 -0
  355. package/dist/manager.core-BRd2_lqA.d.ts +198 -0
  356. package/dist/manager.runtime-CPqoT9HS.js +2714 -0
  357. package/dist/manager.runtime.js +1 -1
  358. package/dist/markdown-to-line-DQuET8BD.js +811 -0
  359. package/dist/mcp-http-BTLfb7mN.js +555 -0
  360. package/dist/mcp-http-Bcx2IvUV.js +2 -0
  361. package/dist/media-understanding-provider-BXfXH9ER.js +339 -0
  362. package/dist/message-actions-O4ffm7Zz.js +145 -0
  363. package/dist/message-handler-B3NHGkvn.js +1715 -0
  364. package/dist/message-handler-Dm-49Yay.js +384 -0
  365. package/dist/message-handler.preflight-Dmy4TMmc.js +1125 -0
  366. package/dist/message-handler.process-BvIh9714.js +1484 -0
  367. package/dist/model-CiE38oM-.js +74 -0
  368. package/dist/model-selection-B4wj_z32.js +272 -0
  369. package/dist/models-DF0uMtab.js +2 -0
  370. package/dist/models-DupIeDpS.js +104 -0
  371. package/dist/models-cli-BKoIijSE.js +256 -0
  372. package/dist/monitor-BGkgqVYu.js +4377 -0
  373. package/dist/monitor-BJBnArAU.js +834 -0
  374. package/dist/monitor-C1L1aR0q.js +2788 -0
  375. package/dist/monitor-C3wAzu_q.js +2 -0
  376. package/dist/monitor-CN29zOnf.js +1370 -0
  377. package/dist/monitor-D7FhV0Qe.js +1657 -0
  378. package/dist/monitor-Dcy6FUPv.js +60 -0
  379. package/dist/monitor-Y4SvOC0z.js +715 -0
  380. package/dist/monitor-auth-B_73QHux.js +179 -0
  381. package/dist/monitor-polling.runtime-D3yoLMON.js +883 -0
  382. package/dist/monitor-polling.runtime.js +1 -1
  383. package/dist/monitor-webhook.runtime-CnchK0Ki.js +387 -0
  384. package/dist/monitor-webhook.runtime.js +1 -1
  385. package/dist/monitor.account-B0u_Xih0.js +5233 -0
  386. package/dist/monitor.runtime-9JVw9n8z.js +2 -0
  387. package/dist/monitor.runtime.js +1 -1
  388. package/dist/monitor.webhook-ixq3jhC8.js +180 -0
  389. package/dist/node-cli-sessions-C07qXjfH.js +1228 -0
  390. package/dist/openai-http-DL1i7Pdz.js +824 -0
  391. package/dist/openresponses-http-4vW7i5hM.js +1173 -0
  392. package/dist/operations-hyqHq47Z.js +805 -0
  393. package/dist/outbound-adapter-B2lF_Qp0.js +543 -0
  394. package/dist/outbound-session-route-CXbw-Zbl.js +45 -0
  395. package/dist/outbound.runtime-ROOz_EXD.js +2 -0
  396. package/dist/outbound.runtime.js +1 -1
  397. package/dist/pairing-store-Cfy_zHzi.d.ts +87 -0
  398. package/dist/pi-embedded-D23Jv1_v.js +4 -0
  399. package/dist/pi-embedded-LwXPGFfT.js +3796 -0
  400. package/dist/pi-embedded.runtime-Rk5rpqL7.js +4 -0
  401. package/dist/pi-embedded.runtime.js +1 -1
  402. package/dist/pi-tools-DqhrI9AL.js +2413 -0
  403. package/dist/plan-BCEMv5RF.js +112 -0
  404. package/dist/plan-BHwmpZjz.js +81 -0
  405. package/dist/plugin-app-cache-key-CWYPZS_p.js +46 -0
  406. package/dist/plugin-enabled-NkokTFHK.js +233 -0
  407. package/dist/plugin-oDyOB4UI.js +12396 -0
  408. package/dist/plugin-registration-CeH_6Is4.js +88 -0
  409. package/dist/plugin-sdk/.boundary-entry-shims.stamp +1 -1
  410. package/dist/plugin-sdk/acp-runtime-backend.js +1 -1
  411. package/dist/plugin-sdk/acp-runtime.js +2 -2
  412. package/dist/plugin-sdk/agent-harness-runtime.js +6 -6
  413. package/dist/plugin-sdk/agent-harness-task-runtime.js +1 -1
  414. package/dist/plugin-sdk/agent-harness.js +7 -7
  415. package/dist/plugin-sdk/agent-runtime.js +2 -2
  416. package/dist/plugin-sdk/channel-core.js +2 -2
  417. package/dist/plugin-sdk/channel-inbound.js +2 -2
  418. package/dist/plugin-sdk/channel-test-helpers.js +1 -1
  419. package/dist/plugin-sdk/command-auth.js +1 -1
  420. package/dist/plugin-sdk/command-status-runtime.js +1 -1
  421. package/dist/plugin-sdk/compat.js +1 -1
  422. package/dist/plugin-sdk/conversation-binding-runtime.js +2 -2
  423. package/dist/plugin-sdk/conversation-runtime.js +3 -3
  424. package/dist/plugin-sdk/core.js +2 -2
  425. package/dist/plugin-sdk/direct-dm.js +1 -1
  426. package/dist/plugin-sdk/gateway-method-runtime.js +1 -1
  427. package/dist/plugin-sdk/health.js +2 -2
  428. package/dist/plugin-sdk/inbound-reply-dispatch.js +1 -1
  429. package/dist/plugin-sdk/index.js +1 -1
  430. package/dist/plugin-sdk/mattermost.js +1 -1
  431. package/dist/plugin-sdk/plugin-test-contracts.js +2 -2
  432. package/dist/plugin-sdk/provider-test-contracts.js +4 -4
  433. package/dist/plugin-sdk/reply-runtime.js +4 -4
  434. package/dist/plugin-sdk/testing.js +2 -2
  435. package/dist/plugin-sdk/zalouser.js +1 -1
  436. package/dist/plugin-service-XeCZ8oFI.js +1229 -0
  437. package/dist/plugins/runtime/index.js +4 -4
  438. package/dist/policy-BsS7jXyV.js +138 -0
  439. package/dist/policy-dTLidj41.js +680 -0
  440. package/dist/postinstall-inventory.json +11611 -0
  441. package/dist/prepare.runtime-CxSRhibQ.js +732 -0
  442. package/dist/prepare.runtime.js +1 -1
  443. package/dist/preview-warnings-CYO_Ec8j.js +392 -0
  444. package/dist/probe-B38i01ob.js +2 -0
  445. package/dist/probe-BfuwJZxZ.js +47 -0
  446. package/dist/probe-DaZ-zbpf.js +2204 -0
  447. package/dist/probe-TNHaSvg4.js +682 -0
  448. package/dist/program-BHDY7txk.js +131 -0
  449. package/dist/provider-B2OEKMgz.js +8735 -0
  450. package/dist/provider-BN5zYpXy.js +152 -0
  451. package/dist/provider-C5wk4Zq2.js +32 -0
  452. package/dist/provider-C_AVioxd.js +32 -0
  453. package/dist/provider-dispatcher-D8wmCCX8.js +22 -0
  454. package/dist/provider-dispatcher.runtime.js +1 -1
  455. package/dist/provider-session.runtime-B63XBUkk.js +9 -0
  456. package/dist/provider-session.runtime.js +1 -1
  457. package/dist/provider.runtime-D1lu1iBi.js +2 -0
  458. package/dist/provider.runtime.js +1 -1
  459. package/dist/public-surface-loader-ClnvswYD.js +114 -0
  460. package/dist/pw-ai-CUvQLjDl.js +3029 -0
  461. package/dist/pw-role-snapshot-DqOQm6b-.js +333 -0
  462. package/dist/reaction-level-DdxMc_S-.js +19 -0
  463. package/dist/reaction-runtime-api-DV5ADguG.js +116 -0
  464. package/dist/realtime-transcription-provider-Jx3qVPVX.js +205 -0
  465. package/dist/register-B6JqGeZm.js +2178 -0
  466. package/dist/register.agent-pQ55YbLM.js +156 -0
  467. package/dist/register.crestodian-DG48cq1n.js +24 -0
  468. package/dist/register.maintenance-CmyTyWfW.js +83 -0
  469. package/dist/register.runtime-Dc2ah3hl.js +54 -0
  470. package/dist/register.subclis-BNslxGzE.js +3 -0
  471. package/dist/register.subclis-BltgkX8W.js +31 -0
  472. package/dist/register.subclis-core-CXo28UGO.js +273 -0
  473. package/dist/repair-sequencing-SddJfHba.js +640 -0
  474. package/dist/reply-delivery-YOUVxLhE.js +196 -0
  475. package/dist/reply-runtime-Bic05q8u.js +11 -0
  476. package/dist/reply-runtime-DUv2dRp3.d.ts +34 -0
  477. package/dist/reply.runtime-973T_WNQ.js +2 -0
  478. package/dist/reply.runtime.js +1 -1
  479. package/dist/request-De-MLnVs.js +54 -0
  480. package/dist/resolve-allowlist-0P5Zm3Ih.js +220 -0
  481. package/dist/result-fallback-classifier-CRFWJOeW.js +79 -0
  482. package/dist/route-A4sH-KRJ.js +469 -0
  483. package/dist/route-resolution-BR89k_5k.js +274 -0
  484. package/dist/routes-BbmTgfa7.js +3602 -0
  485. package/dist/routes-H_X6d_BR.js +2 -0
  486. package/dist/run-C_HJBF46.js +1162 -0
  487. package/dist/run-attempt-DVUpjMzw.js +7704 -0
  488. package/dist/run-command-CtO053FV.js +23 -0
  489. package/dist/run-command-whpq0vSs.js +2 -0
  490. package/dist/run-embedded.runtime-z8KRAA9N.js +4 -0
  491. package/dist/run-embedded.runtime.js +1 -1
  492. package/dist/run-execution-cli.runtime-DP4sTGB3.js +4 -0
  493. package/dist/run-execution-cli.runtime.js +1 -1
  494. package/dist/run-executor.runtime.js +1 -1
  495. package/dist/run-subagent-registry.runtime-Ic4qjJAZ.js +2 -0
  496. package/dist/run-subagent-registry.runtime.js +1 -1
  497. package/dist/runtime-C84q1uWh.js +438 -0
  498. package/dist/runtime-D21vC5Bd.d.ts +17 -0
  499. package/dist/runtime-DM-8CUG8.js +1287 -0
  500. package/dist/runtime-api-B92-eAFH.js +4 -0
  501. package/dist/runtime-api-BA-_f4wN.js +21 -0
  502. package/dist/runtime-api-C3x1bTUP.js +3 -0
  503. package/dist/runtime-api-C4J88HGc.js +13 -0
  504. package/dist/runtime-api-C7ToEUFX.d.ts +3151 -0
  505. package/dist/runtime-api-CBJPQTPG.js +24 -0
  506. package/dist/runtime-api-DI4rBaZp.js +17 -0
  507. package/dist/runtime-api-D_JIC4_F.js +13 -0
  508. package/dist/runtime-api.actions-CClxRuYx.d.ts +23 -0
  509. package/dist/runtime-api.actions-Crwfcz27.js +3 -0
  510. package/dist/runtime-api.monitor-DXEdIqiH.d.ts +3757 -0
  511. package/dist/runtime-api.monitor-KeGId_a2.js +6 -0
  512. package/dist/runtime-api.send-B5TgJp5s.d.ts +38 -0
  513. package/dist/runtime-api.send-DkmqVan7.js +4 -0
  514. package/dist/runtime-api.threads--LYxacx4.js +2 -0
  515. package/dist/runtime-channel-C0fX96Yx.js +2 -0
  516. package/dist/runtime-channel-CmXstmiO.js +150 -0
  517. package/dist/runtime-doctor-DVYwKwIT.d.ts +47 -0
  518. package/dist/runtime-embedded-pi.runtime-C0nckPTh.js +2 -0
  519. package/dist/runtime-embedded-pi.runtime.js +1 -1
  520. package/dist/runtime-o-9rMitP.js +6179 -0
  521. package/dist/sanitize-outbound-BDtDO_r3.js +127 -0
  522. package/dist/sdk-setup-tools-Bw1sb2J0.js +8 -0
  523. package/dist/secrets-Cexd83PL.js +113 -0
  524. package/dist/security-audit-DeMasGQi.js +122 -0
  525. package/dist/security-audit-lZXBiK8a.js +118 -0
  526. package/dist/security-audit.runtime-B73uav0c.js +2 -0
  527. package/dist/security-audit.runtime.js +1 -1
  528. package/dist/selection-BPe1-NRx.js +16157 -0
  529. package/dist/selection-DtlsSu6t.js +3 -0
  530. package/dist/send-BP8O_f3_.js +2 -0
  531. package/dist/send-D95RJNJM.d.ts +104 -0
  532. package/dist/send-DB92XENW.js +192 -0
  533. package/dist/send-DPpvAomE.js +1631 -0
  534. package/dist/send-DUSg5J3j.js +143 -0
  535. package/dist/send-DZ4YhPHH.d.ts +231 -0
  536. package/dist/send.components-Beh2GSlI.js +500 -0
  537. package/dist/send.components-vjkB2tEO.js +2 -0
  538. package/dist/send.runtime-XHNBD8mm.js +2 -0
  539. package/dist/send.runtime.js +1 -1
  540. package/dist/send.types-_f4omMzG.d.ts +159 -0
  541. package/dist/server-CAQk-GlH.js +24 -0
  542. package/dist/server-Um3iJ7EL.js +73 -0
  543. package/dist/server-close.runtime.js +1 -1
  544. package/dist/server-context-Cq6Mf_Hx.js +2 -0
  545. package/dist/server-context-CxM3niUB.js +955 -0
  546. package/dist/server-cron-BSh0DjkH.js +2989 -0
  547. package/dist/server-cron-Csg1r2SE.js +2 -0
  548. package/dist/server-methods-CBPnwVD3.js +16499 -0
  549. package/dist/server-node-events-CZCahsw3.js +596 -0
  550. package/dist/server-plugin-bootstrap-DB4Iptzd.js +70 -0
  551. package/dist/server-plugins-BVVgDSdq.d.ts +1 -0
  552. package/dist/server-plugins-BZIW7Sn8.js +432 -0
  553. package/dist/server-reload-handlers-V9f07KRC.js +714 -0
  554. package/dist/server-restart-sentinel-DSQyhuO9.js +2 -0
  555. package/dist/server-restart-sentinel-DnS4nSXg.js +747 -0
  556. package/dist/server-runtime-services-Da8S4dip.js +2 -0
  557. package/dist/server-runtime-services-hMwmCtz4.js +267 -0
  558. package/dist/server-startup-plugins-CFedlOir.js +113 -0
  559. package/dist/server-startup-post-attach-BC4ypGDV.js +716 -0
  560. package/dist/server-ws-runtime-BZdnJ8_f.js +349 -0
  561. package/dist/server.impl-JxdGpBse.js +2586 -0
  562. package/dist/service-CrRxM1s3.js +1446 -0
  563. package/dist/session-binding-B1kLTRx0.js +219 -0
  564. package/dist/session-binding-BhmP2qr8.js +2 -0
  565. package/dist/session-kill-http-hVTRFmxJ.js +121 -0
  566. package/dist/session-reset-service-NFIUAaub.js +625 -0
  567. package/dist/session-route-CAVGKfbY.js +93 -0
  568. package/dist/session-status.runtime-CAujMI0m.js +2 -0
  569. package/dist/session-status.runtime.js +1 -1
  570. package/dist/session-subagent-reactivation.runtime-CAD_WZE1.js +2 -0
  571. package/dist/session-subagent-reactivation.runtime.js +1 -1
  572. package/dist/session-tab-registry-BIhFQ2_N.js +521 -0
  573. package/dist/sessions-history-http-DTUCgSIv.js +430 -0
  574. package/dist/sessions.runtime-BhxJAIUl.js +2 -0
  575. package/dist/sessions.runtime.js +1 -1
  576. package/dist/setup-api-BaSNfjGt.js +29 -0
  577. package/dist/setup-core-Cv-UM5DV.js +174 -0
  578. package/dist/setup-surface-3iygBoSk.js +288 -0
  579. package/dist/setup-surface-BYu3PlXP.js +405 -0
  580. package/dist/setup-surface-BnCUx0xf.js +221 -0
  581. package/dist/setup-surface-DajEGPq9.js +320 -0
  582. package/dist/shared-DjUBdZw0.js +121 -0
  583. package/dist/shared-client-B364qsQs.js +2 -0
  584. package/dist/shared-client-vi4UjWgq.js +629 -0
  585. package/dist/side-question-Cfz-6Mik.js +683 -0
  586. package/dist/skill-tool-dispatch.runtime-BHi8qkm6.js +143 -0
  587. package/dist/skill-tool-dispatch.runtime.js +1 -1
  588. package/dist/slash-state-1yv6e-CZ.js +2166 -0
  589. package/dist/speech-provider-BBTLPoxz.js +184 -0
  590. package/dist/src-DQGUHoew.js +4256 -0
  591. package/dist/startup-context-CSXtIxM4.js +313 -0
  592. package/dist/status-subagents.runtime-Ce4XFNpI.js +18 -0
  593. package/dist/status-subagents.runtime.js +1 -1
  594. package/dist/status-text-B_aeJyIx.js +296 -0
  595. package/dist/sticker-cache-CyXfXSnD.js +206 -0
  596. package/dist/sticker-vision.runtime-CfEwepme.js +17 -0
  597. package/dist/sticker-vision.runtime.js +1 -1
  598. package/dist/subagent-announce-DJP9Deag.js +354 -0
  599. package/dist/subagent-announce-delivery-djkdPFWz.js +958 -0
  600. package/dist/subagent-control-C59CHxJT.js +508 -0
  601. package/dist/subagent-hooks-B7HsNzMr.js +230 -0
  602. package/dist/subagent-hooks-BPSvsSKo.js +2 -0
  603. package/dist/subagent-hooks-Bg-RSz4n.js +146 -0
  604. package/dist/subagent-hooks-BvAYM6MF.js +2 -0
  605. package/dist/subagent-hooks-DCga-z0P.js +2 -0
  606. package/dist/subagent-hooks-DpUUm-nC.js +116 -0
  607. package/dist/subagent-hooks-api-BfBPES7I.js +23 -0
  608. package/dist/subagent-hooks-api-Ct3H1JvT.js +23 -0
  609. package/dist/subagent-hooks-api-D-gcal8L.js +22 -0
  610. package/dist/subagent-orphan-recovery-TurbGwPo.js +352 -0
  611. package/dist/subagent-registry-BVVgDSdq.d.ts +1 -0
  612. package/dist/subagent-registry-Dcr5vJsh.js +3 -0
  613. package/dist/subagent-registry-almRMGiJ.js +2351 -0
  614. package/dist/subagent-registry-read-BVVgDSdq.d.ts +1 -0
  615. package/dist/subagent-registry.runtime.js +1 -1
  616. package/dist/subagent-session-cleanup-DStloUoa.js +525 -0
  617. package/dist/subagent-spawn-a5zQq79_.js +1164 -0
  618. package/dist/target-id-C0AUAPRt.js +107 -0
  619. package/dist/targets-9NQEAB_8.js +44 -0
  620. package/dist/targets-BX9hUOE0.js +19 -0
  621. package/dist/targets-uCQJMS9L.js +19 -0
  622. package/dist/task-registry-control.runtime.d.ts +1 -1
  623. package/dist/task-registry-control.runtime.js +1 -1
  624. package/dist/telegram/token.js +1 -1
  625. package/dist/test-fixtures-xgg7UsEw.d.ts +27 -0
  626. package/dist/test-support-BVVgDSdq.d.ts +1 -0
  627. package/dist/testing-CL4tSWlY.js +267 -0
  628. package/dist/thread-bindings-CuYgnJrA.js +232 -0
  629. package/dist/thread-bindings-DrLRFv9V.js +571 -0
  630. package/dist/thread-bindings-DuDBMJUH.js +8 -0
  631. package/dist/thread-bindings-DuPLUeEg.js +228 -0
  632. package/dist/thread-bindings.discord-api-CRkN3LO6.js +187 -0
  633. package/dist/thread-bindings.manager-U4vvV74R.js +2 -0
  634. package/dist/thread-bindings.manager-qvjQ7XrE.js +536 -0
  635. package/dist/thread-lifecycle-ebEJZlV8.js +1614 -0
  636. package/dist/token-BfUGddbB.js +134 -0
  637. package/dist/tool-DMbMn8SG.js +139 -0
  638. package/dist/tool-actions.runtime-3flyBx99.js +534 -0
  639. package/dist/tool-actions.runtime.js +1 -1
  640. package/dist/tool-resolution-CteuwLWG.js +149 -0
  641. package/dist/tools-effective-inventory-C3umjhj4.js +204 -0
  642. package/dist/tools-invoke-http-BPDxOpMS.js +67 -0
  643. package/dist/tools-invoke-shared-BgajIn1A.js +200 -0
  644. package/dist/tts-DWkHFEoO.js +66 -0
  645. package/dist/tui-BLuAg68O.js +2 -0
  646. package/dist/tui-backend-B_XhQILj.js +256 -0
  647. package/dist/tui-cli-C3L6mNyE.js +37 -0
  648. package/dist/tui-kx080n35.js +4709 -0
  649. package/dist/typed-cases-v8PtmO3g.d.ts +68 -0
  650. package/dist/update-cli-Ca7CiQOc.js +3664 -0
  651. package/dist/vision-tools-V-w_kZa2.js +1409 -0
  652. package/dist/web-search-LuWKS3f2.js +62 -0
  653. package/dist/web-search-provider.runtime-CmbTFxDm.js +2 -0
  654. package/dist/web-search-provider.runtime-DZXMqd4W.js +328 -0
  655. package/dist/web-search-provider.runtime.js +1 -1
  656. package/dist/webhook-targets-C9cJD_kB.d.ts +99 -0
  657. package/dist/xai-oauth-C_tPwhEw.js +479 -0
  658. package/dist/xai-user-agent-C1zI5_IU.js +32 -0
  659. package/npm-shrinkwrap.json +2 -2
  660. package/package.json +1 -1
  661. package/dist/abort-By1jCXcv.js +0 -277
  662. package/dist/abort.runtime-BUEReR-v.js +0 -2
  663. package/dist/account-inspect-DkuYTikX.js +0 -173
  664. package/dist/accounts-C19Qdo7I.js +0 -107
  665. package/dist/accounts-CjG0t0Cv.js +0 -119
  666. package/dist/accounts-CtWjp889.js +0 -2
  667. package/dist/accounts-qPTOizTg.js +0 -107
  668. package/dist/acp-runtime-CMLjiKa-.js +0 -26
  669. package/dist/acp-spawn-BGT-Px6Z.js +0 -1275
  670. package/dist/acp-spawn-CPO-hI4Y.js +0 -2
  671. package/dist/acp-stateful-target-driver-CDW_IRB4.js +0 -89
  672. package/dist/action-kill-B77KpIIQ.js +0 -33
  673. package/dist/action-runtime-EWSpHGrj.js +0 -469
  674. package/dist/action-runtime-api-bUNFqFoC.js +0 -2
  675. package/dist/action-send-DkQiw_fv.js +0 -39
  676. package/dist/action-spawn-noygtmpa.js +0 -47
  677. package/dist/actions-CPKTkTAD.js +0 -161
  678. package/dist/actions.runtime-eslFNzsP.js +0 -5
  679. package/dist/agent-CjNqqyKT.js +0 -3
  680. package/dist/agent-DaUQpTpc.js +0 -2
  681. package/dist/agent-command-COFQwKxZ.d.ts +0 -141
  682. package/dist/agent-command-DFcGb1lF.js +0 -1367
  683. package/dist/agent-components.runtime-_b4M39T5.js +0 -10
  684. package/dist/agent-harness-WlBoSv-g.d.ts +0 -146
  685. package/dist/agent-harness-runtime-C09s_5eo.js +0 -180
  686. package/dist/agent-harness-task-runtime-wnzHUZZT.js +0 -140
  687. package/dist/agent-runner-execution-Bx_X59we.js +0 -1713
  688. package/dist/agent-runner-utils-hOwJODaJ.js +0 -266
  689. package/dist/agent-runner.runtime-LeZ65RXP.js +0 -3455
  690. package/dist/agent-runtime-Cio-RAUW.js +0 -229
  691. package/dist/agent-via-gateway-C06ks7Yk.js +0 -463
  692. package/dist/api-CBKedD81.js +0 -2
  693. package/dist/api-Ct1qM1Qp.js +0 -3
  694. package/dist/api-DN_WUxmH.js +0 -639
  695. package/dist/api-D_cLf5HR.js +0 -6
  696. package/dist/api-DhpRwVRC.js +0 -134
  697. package/dist/api-HHeiUqKx.js +0 -2
  698. package/dist/apply-CBc3t-6b.js +0 -41
  699. package/dist/apply-DP2LNAI1.js +0 -54
  700. package/dist/approval-handler.runtime-D3dVfQpz.js +0 -130
  701. package/dist/assistant-CJUhCzx1.js +0 -291
  702. package/dist/attachment-normalize-B7BuPwh0.js +0 -225
  703. package/dist/attempt-execution-C_zoopZx.js +0 -558
  704. package/dist/attempt-execution.runtime-BORPE4U7.js +0 -3
  705. package/dist/attempt-execution.shared-CVs8nY8C.js +0 -38
  706. package/dist/attempt.prompt-helpers-hRgWdd1i.js +0 -475
  707. package/dist/attempt.tool-run-context-kTuNRgCl.js +0 -2094
  708. package/dist/binding-routing-DODVC3IC.js +0 -113
  709. package/dist/binding-targets-AB_RKGdU.js +0 -121
  710. package/dist/bot-CSLsTmf1.js +0 -7894
  711. package/dist/bot-deps-DynTqfAM.js +0 -2
  712. package/dist/bot-deps-W46ftf2D.js +0 -747
  713. package/dist/bot-message-context.runtime-CYqi6a9-.js +0 -7
  714. package/dist/bot-message-context.session.runtime-zGfXe8D8.js +0 -12
  715. package/dist/bot-native-commands.delivery.runtime-Cl0_uLC6.js +0 -4
  716. package/dist/bot-native-commands.runtime-yy3akJPm.js +0 -13
  717. package/dist/bridge-server-B6ImaGh0.js +0 -113
  718. package/dist/browser-cli-CPNZpueD.js +0 -230
  719. package/dist/browser-cli-CntDlufK.js +0 -2
  720. package/dist/browser-cli-actions-input-DiJDRQCl.js +0 -473
  721. package/dist/browser-cli-actions-observe-9KtuDERW.js +0 -81
  722. package/dist/browser-cli-debug-lSi6c_Ol.js +0 -137
  723. package/dist/browser-cli-inspect-B5KmooQv.js +0 -104
  724. package/dist/browser-cli-manage-ClQjPfwK.js +0 -443
  725. package/dist/browser-cli-resize-DDY2Vnxq.js +0 -26
  726. package/dist/browser-cli-shared-KEAus8qW.js +0 -50
  727. package/dist/browser-cli-state-cmFcL-Ov.js +0 -337
  728. package/dist/browser-control-auth-B9USDwU2.js +0 -2
  729. package/dist/browser-profiles-wUaKqWjT.js +0 -2
  730. package/dist/browser-runtime-BMjauwo0.js +0 -384
  731. package/dist/build-Dpe0nJg9.js +0 -257
  732. package/dist/capability-cli-APHxOZ1-.js +0 -1782
  733. package/dist/channel--E_8Ztf3.js +0 -238
  734. package/dist/channel-3EQVZa8n.js +0 -2126
  735. package/dist/channel-B78AzY4z.d.ts +0 -6
  736. package/dist/channel-BWohDmFY.js +0 -1777
  737. package/dist/channel-BfuypvUg.js +0 -562
  738. package/dist/channel-C-xJIqXb.js +0 -508
  739. package/dist/channel-C9ZiWsaI.js +0 -1496
  740. package/dist/channel-CWrkQgCl.js +0 -376
  741. package/dist/channel-CeYYSdzG.js +0 -740
  742. package/dist/channel-ClyBSyAK.js +0 -481
  743. package/dist/channel-Czs81UUj.d.ts +0 -427
  744. package/dist/channel-DG1b4zfh.js +0 -1134
  745. package/dist/channel-DW54rSJn.js +0 -1249
  746. package/dist/channel-DxjDXDxn.js +0 -867
  747. package/dist/channel-FomvCEVN.js +0 -955
  748. package/dist/channel-GKsXwHeD.js +0 -808
  749. package/dist/channel-WXdZaj61.js +0 -653
  750. package/dist/channel-actions.runtime-NGRDvF7V.js +0 -265
  751. package/dist/channel-core-DtMwDjjI.js +0 -5
  752. package/dist/channel-e8DrnKQ4.js +0 -1556
  753. package/dist/channel-inbound-DHAnp9B7.js +0 -80
  754. package/dist/channel-lifecycle-C4NrMjdz.d.ts +0 -125
  755. package/dist/channel-nELBI87_.js +0 -362
  756. package/dist/channel-pairing-ndZVB-VX.d.ts +0 -58
  757. package/dist/channel-plugin-runtime-Djo2BcWh.js +0 -998
  758. package/dist/channel-runtime-CAlo3fCO.js +0 -408
  759. package/dist/channel.runtime-B3Ul1RFH.js +0 -4
  760. package/dist/channel.runtime-B9St3ZA6.js +0 -2528
  761. package/dist/channel.runtime-BJQkhPRD.js +0 -109
  762. package/dist/channel.runtime-CK75RXGn.js +0 -652
  763. package/dist/channel.runtime-CToTSl-o.js +0 -254
  764. package/dist/channel.runtime-CmCC2X3-.js +0 -1008
  765. package/dist/channel.runtime-D9aRtIhc.js +0 -733
  766. package/dist/channel.runtime-awjkyecJ.js +0 -88
  767. package/dist/channel.runtime-j5gDw94U.js +0 -21009
  768. package/dist/channel.setup--MA2uXGh.js +0 -1098
  769. package/dist/channel.setup-CoJW0xXI.js +0 -343
  770. package/dist/channel.setup-Du2MwoWF.js +0 -10
  771. package/dist/chat-_rJvHV8g.js +0 -2666
  772. package/dist/chrome-Du8Sd8UD.js +0 -1503
  773. package/dist/cli-DmfcqkxN.js +0 -1341
  774. package/dist/cli-compaction-6W-_Qcqh.js +0 -347
  775. package/dist/cli-metadata-B4zGtsS4.js +0 -22
  776. package/dist/cli-runner-C2sL9k3L.js +0 -2
  777. package/dist/cli-runner-DppcV2AG.js +0 -540
  778. package/dist/cli-runner.runtime-CQLSyTQY.js +0 -4
  779. package/dist/cli-runner.runtime-CbEAn48-.js +0 -3
  780. package/dist/client-Dk9ROpNW.js +0 -650
  781. package/dist/client-adapter-ClI0hCmb.js +0 -897
  782. package/dist/client-factory-CaCu9BQF.js +0 -9
  783. package/dist/command-auth-6q0HyTu9.js +0 -135
  784. package/dist/command-handlers-DMAACmGz.js +0 -1609
  785. package/dist/command-registry-CfpDWtfY.js +0 -9
  786. package/dist/command-registry-Dnxqw0fv.js +0 -4
  787. package/dist/command-registry-core-D11J7oB_.js +0 -110
  788. package/dist/command-status.runtime-DrsPaVZw.js +0 -90
  789. package/dist/commands-acp-B4PDb6rs.js +0 -74
  790. package/dist/commands-compact.runtime-BmK2PNTw.js +0 -10
  791. package/dist/commands-handlers.runtime-C5hpRwAL.js +0 -6154
  792. package/dist/commands-status-CiZyKzzI.js +0 -3
  793. package/dist/commands-status-CzSWpd6s.js +0 -16
  794. package/dist/commands-status.runtime-CiZyKzzI.js +0 -3
  795. package/dist/commands-subagents-control.runtime-qc9m5MmZ.js +0 -3
  796. package/dist/commands-subagents-control.runtime-tWG0OlZd.js +0 -2
  797. package/dist/commands-system-prompt-6Q-vf5jq.js +0 -162
  798. package/dist/commands-system-prompt-FecWmCWC.js +0 -2
  799. package/dist/commands.runtime-DEt9uWfr.js +0 -176
  800. package/dist/compact-CgCjnQEP.js +0 -480
  801. package/dist/compact-D6t2ld0f.js +0 -1141
  802. package/dist/compact.runtime-CtoOHiEB.js +0 -12
  803. package/dist/completion-cli-CAHVBBDJ.js +0 -315
  804. package/dist/components-D9TlXmrM.d.ts +0 -228
  805. package/dist/components.modal-F1ooc12a.d.ts +0 -568
  806. package/dist/computer-use-CdIz1WHr.js +0 -367
  807. package/dist/config-CFxlEsAY.js +0 -373
  808. package/dist/config-mutations-6ioXU8Qg.js +0 -159
  809. package/dist/config-wUaKqWjT.js +0 -2
  810. package/dist/context-engine-host-compat-CFAOug91.js +0 -288
  811. package/dist/context-engine-host-compat-Cqe9ZyUZ.js +0 -2
  812. package/dist/context-engine-lifecycle-BjQwDRNw.js +0 -1274
  813. package/dist/control-auth-Du_jaEQB.js +0 -114
  814. package/dist/control-service-DIBBeoM_.js +0 -145
  815. package/dist/control-ui/assets/agents-BzOECW97.js +0 -1008
  816. package/dist/control-ui/assets/channel-config-extras-C-cqqjn3.js +0 -2
  817. package/dist/control-ui/assets/channels-B2c1DoAf.js +0 -367
  818. package/dist/control-ui/assets/cron-Dikdppj_.js +0 -1013
  819. package/dist/control-ui/assets/debug-BTcka11D.js +0 -97
  820. package/dist/control-ui/assets/index-BifhGgI4.js +0 -7378
  821. package/dist/control-ui/assets/index-Cc-YFhIX.css +0 -1
  822. package/dist/control-ui/assets/instances-DnlcwLSs.js +0 -57
  823. package/dist/control-ui/assets/logs-CUGJL7Ia.js +0 -74
  824. package/dist/control-ui/assets/nodes-DuwS3hRY.js +0 -436
  825. package/dist/control-ui/assets/sessions-DtiOFwOv.js +0 -399
  826. package/dist/control-ui/assets/skills-shared-Y3plxrx2.js +0 -11
  827. package/dist/control-ui/assets/skills-yR0YXQld.js +0 -314
  828. package/dist/control-ui/assets/zh-CN-pJJdaNGr.js +0 -2
  829. package/dist/conversation-binding-runtime-BnDFNjpw.js +0 -4
  830. package/dist/conversation-runtime-DXfeo_YZ.js +0 -31
  831. package/dist/core-CwGP8lnn.js +0 -282
  832. package/dist/core-api-B3hgaGPY.js +0 -5
  833. package/dist/core-api-DhVgU6Pw.js +0 -2
  834. package/dist/crestodian-BQF8KHgB.js +0 -55
  835. package/dist/daocore-tools-DwFKEwEz.js +0 -11727
  836. package/dist/delivery-LkV1NN8a.js +0 -1002
  837. package/dist/dialogue-BIB1NqtA.js +0 -37
  838. package/dist/dir-fetch-tool-DyG20xlt.js +0 -565
  839. package/dist/dir-list-tool-BntISSEL.js +0 -100
  840. package/dist/direct-dm-Dfgmj_Rk.js +0 -64
  841. package/dist/directive-handling.fast-lane-CPtDyKdP.js +0 -68
  842. package/dist/directive-handling.impl-CuhOq-BS.js +0 -2
  843. package/dist/directive-handling.impl-SAvKobjF.js +0 -818
  844. package/dist/directive-handling.model-selection-3dnu2j_t.js +0 -122
  845. package/dist/directive-handling.persist.runtime-y8pN8w-i.js +0 -263
  846. package/dist/dispatch-C_JMxM3D.js +0 -1640
  847. package/dist/dispatch-acp-transcript.runtime-BA4jA5DL.js +0 -40
  848. package/dist/dispatch-acp.runtime-BhpXHUuZ.js +0 -18
  849. package/dist/doctor-CRMnQl-o.js +0 -6
  850. package/dist/doctor-DD_iqydP.js +0 -2
  851. package/dist/doctor-config-flow-BXKaaiSk.js +0 -1741
  852. package/dist/doctor-core-checks-CSYsZXuS.js +0 -573
  853. package/dist/doctor-core-checks-xGSa7eSt.js +0 -2
  854. package/dist/doctor-health-contributions-DVLNXMsN.js +0 -696
  855. package/dist/doctor-health-wIbh8NF6.js +0 -65
  856. package/dist/doctor-lint-Hq2tNUox.js +0 -94
  857. package/dist/doctor-state-integrity-CQQ1oMeP.js +0 -1231
  858. package/dist/dynamic-tools-B3DtJJJn.js +0 -486
  859. package/dist/embedded-backend-Cz0ZebJI.js +0 -579
  860. package/dist/embedded-gateway-stub.runtime-CIk1aOal.js +0 -12
  861. package/dist/exec-approvals-DqJA2OTf.js +0 -149
  862. package/dist/file-fetch-tool-BM0auSop.js +0 -124
  863. package/dist/file-write-tool-CshXwc98.js +0 -127
  864. package/dist/format-BrPefrQt.js +0 -1145
  865. package/dist/gateway-cli-UkR6BmcI.js +0 -435
  866. package/dist/gateway-method-runtime-ucwF-DHM.js +0 -21
  867. package/dist/get-reply-BJ1QFEY8.js +0 -4689
  868. package/dist/get-reply-from-config.runtime-Rm8cMH3e.js +0 -2
  869. package/dist/graph-users-D2gOcc5D.js +0 -1419
  870. package/dist/group-access-BkQ2ldY4.js +0 -112
  871. package/dist/group-keys-z9CWcRVA.d.ts +0 -17
  872. package/dist/handle-action.guild-admin-aiua5pA-.js +0 -288
  873. package/dist/harness-BT2riWLr.js +0 -61
  874. package/dist/health-CnVZ4T6j.js +0 -4
  875. package/dist/heartbeat-runner-Cjg3EgS1.js +0 -5
  876. package/dist/heartbeat-runner.runtime-CoC3qR61.js +0 -4
  877. package/dist/hook-runtime-Cms52qXe.d.ts +0 -107
  878. package/dist/hooks-DlRvRnbJ.js +0 -534
  879. package/dist/inbound-direct-dm-runtime-BzQSanFy.js +0 -2
  880. package/dist/inbound-reply-dispatch-CDI1clh-.js +0 -148
  881. package/dist/init-pnw2iggs.js +0 -59
  882. package/dist/inline-buttons-Bh_p4ehq.js +0 -40
  883. package/dist/internal-events-u0Ov8uLt.js +0 -90
  884. package/dist/isolated-agent-By1ca-36.js +0 -2
  885. package/dist/isolated-agent-Zz-RQA7J.js +0 -1118
  886. package/dist/lifecycle-R9-dS5vo.js +0 -571
  887. package/dist/list.probe-CZLSVJOU.js +0 -449
  888. package/dist/list.status-command-BfFEfb9a.js +0 -789
  889. package/dist/llm-slug-generator-dCtCznm8.js +0 -78
  890. package/dist/local-dispatch.runtime-D9LP1xHX.js +0 -9
  891. package/dist/manager-CuzV3XAs.d.ts +0 -205
  892. package/dist/manager.runtime-6QpcwMf8.js +0 -2714
  893. package/dist/markdown-to-line-zbqRGuzM.js +0 -811
  894. package/dist/mcp-http-8c8x2bw2.js +0 -555
  895. package/dist/mcp-http-_a6CgNfk.js +0 -2
  896. package/dist/media-understanding-provider-CXP_WVXG.js +0 -339
  897. package/dist/message-actions-SByKheul.js +0 -145
  898. package/dist/message-handler-CKCY2qPA.js +0 -384
  899. package/dist/message-handler-StORmhkH.js +0 -1715
  900. package/dist/message-handler.preflight-BBcy1Vmz.js +0 -1125
  901. package/dist/message-handler.process-DC3NGb_U.js +0 -1484
  902. package/dist/model-qHmcK-wV.js +0 -74
  903. package/dist/model-selection-C_bNk70D.js +0 -272
  904. package/dist/models-0m6kj9Kh.js +0 -104
  905. package/dist/models-P3tVodj6.js +0 -2
  906. package/dist/models-cli-C_jhGL9M.js +0 -256
  907. package/dist/monitor-BK8o2fuJ.js +0 -2788
  908. package/dist/monitor-Bi5Al5Qq.js +0 -1657
  909. package/dist/monitor-CG3e3DTn.js +0 -4377
  910. package/dist/monitor-Cfa9dKXg.js +0 -1370
  911. package/dist/monitor-D3o4Su4a.js +0 -834
  912. package/dist/monitor-D5fMTlZ5.js +0 -60
  913. package/dist/monitor-DmPTU0tw.js +0 -715
  914. package/dist/monitor-DzgPE9f5.js +0 -2
  915. package/dist/monitor-auth-CVtN6J4_.js +0 -179
  916. package/dist/monitor-polling.runtime-Cg2e0kqq.js +0 -883
  917. package/dist/monitor-webhook.runtime-Dj1HmLMX.js +0 -387
  918. package/dist/monitor.account-BQImY6W4.js +0 -5233
  919. package/dist/monitor.runtime-CDK8uUpm.js +0 -2
  920. package/dist/monitor.webhook-DyEHhPJ1.js +0 -180
  921. package/dist/node-cli-sessions-Bv5PguQJ.js +0 -1228
  922. package/dist/openai-http-CIBLqlWd.js +0 -824
  923. package/dist/openresponses-http-DjoX4IHF.js +0 -1173
  924. package/dist/operations-DP1MZD9K.js +0 -805
  925. package/dist/outbound-adapter-BAwVSQlL.js +0 -543
  926. package/dist/outbound-session-route-DtqxN5uz.js +0 -45
  927. package/dist/outbound.runtime-DHPJ4ASv.js +0 -2
  928. package/dist/pairing-challenge-EwSQYSud.d.ts +0 -87
  929. package/dist/pi-embedded-BAC7pDy3.js +0 -4
  930. package/dist/pi-embedded-CNX1q8t8.js +0 -3796
  931. package/dist/pi-embedded.runtime-SbuDxtwm.js +0 -4
  932. package/dist/pi-tools-CnpfHiC0.js +0 -2413
  933. package/dist/plan-BNvONvjS.js +0 -81
  934. package/dist/plan-CADq4BFI.js +0 -112
  935. package/dist/plugin-D7gXSmDQ.js +0 -12396
  936. package/dist/plugin-app-cache-key-DrmlMiVI.js +0 -46
  937. package/dist/plugin-enabled-BoIsHSBf.js +0 -233
  938. package/dist/plugin-registration-yt9E-tcz.js +0 -88
  939. package/dist/plugin-sdk/scripts/lib/plugin-sdk-doc-metadata.d.ts +0 -107
  940. package/dist/plugin-service-BV0GV7gk.js +0 -1229
  941. package/dist/policy-D11pkH-F.js +0 -680
  942. package/dist/policy-DRVErS8F.js +0 -138
  943. package/dist/prepare.runtime-D5popyud.js +0 -732
  944. package/dist/preview-warnings-CdcHFLjy.js +0 -392
  945. package/dist/probe-BR_XxREj.js +0 -682
  946. package/dist/probe-CSkuj1Ki.js +0 -47
  947. package/dist/probe-DZHxSUyh.js +0 -2204
  948. package/dist/probe-DvUH7S2e.js +0 -2
  949. package/dist/program-Dp1JSnyB.js +0 -131
  950. package/dist/provider-4N9pa4vk.js +0 -32
  951. package/dist/provider-B6N1_oRM.js +0 -8735
  952. package/dist/provider-_W55dN19.js +0 -152
  953. package/dist/provider-dispatcher-BY0BKM51.js +0 -22
  954. package/dist/provider-session.runtime-CIMHFVsw.js +0 -9
  955. package/dist/provider-yjwJ7cEv.js +0 -32
  956. package/dist/provider.runtime-BXgHyxdL.js +0 -2
  957. package/dist/public-surface-loader-BtZpLAiq.js +0 -114
  958. package/dist/pw-ai-C8gW7XAX.js +0 -3029
  959. package/dist/pw-role-snapshot-DUCYIx3v.js +0 -333
  960. package/dist/reaction-level-D9FhYPnf.js +0 -19
  961. package/dist/reaction-runtime-api-C3r-xTtB.js +0 -116
  962. package/dist/realtime-transcription-provider-Ibc5MlDn.js +0 -205
  963. package/dist/register-C8HRj-Rv.js +0 -2178
  964. package/dist/register.agent-DRcH0h2g.js +0 -156
  965. package/dist/register.crestodian-Cc0_1XnJ.js +0 -24
  966. package/dist/register.maintenance-hDD-888W.js +0 -83
  967. package/dist/register.runtime-3KCk-rHT.js +0 -54
  968. package/dist/register.subclis-CrUZyRN9.js +0 -31
  969. package/dist/register.subclis-DGaNfEn8.js +0 -3
  970. package/dist/register.subclis-core-B5LkL2i6.js +0 -273
  971. package/dist/repair-sequencing-DSOttY24.js +0 -640
  972. package/dist/reply-delivery-CjS0vGdN.js +0 -196
  973. package/dist/reply-runtime-CEB3h2ID.js +0 -11
  974. package/dist/reply.runtime-Rm8cMH3e.js +0 -2
  975. package/dist/request-hp0T5HDv.js +0 -54
  976. package/dist/resolve-allowlist-BN__FO0F.js +0 -220
  977. package/dist/result-fallback-classifier-CfKrq2-s.js +0 -79
  978. package/dist/route-B2z32D9-.js +0 -469
  979. package/dist/route-resolution-B25jgDh8.js +0 -274
  980. package/dist/routes-CM95LS3k.js +0 -3602
  981. package/dist/routes-CUOimkJP.js +0 -2
  982. package/dist/run-CCrse9cU.js +0 -1162
  983. package/dist/run-attempt-Bp3H4oIM.js +0 -7704
  984. package/dist/run-command-9aTCc0HJ.js +0 -23
  985. package/dist/run-command-BuJ1fk8M.js +0 -2
  986. package/dist/run-embedded.runtime-CTprMJ8Z.js +0 -4
  987. package/dist/run-execution-cli.runtime-B05Oa61H.js +0 -4
  988. package/dist/run-subagent-registry.runtime-CJ0Hs8Pw.js +0 -2
  989. package/dist/runtime-C3k-ZByi.d.ts +0 -17
  990. package/dist/runtime-CKKZ8Pcs.js +0 -438
  991. package/dist/runtime-Cdi7BCo3.js +0 -6179
  992. package/dist/runtime-D3XaGRT8.js +0 -1287
  993. package/dist/runtime-api-1yqMVS2P.js +0 -17
  994. package/dist/runtime-api-B2sZsZh8.js +0 -4
  995. package/dist/runtime-api-BgQT9LMm.js +0 -21
  996. package/dist/runtime-api-CsbGUmvA.js +0 -3
  997. package/dist/runtime-api-DpTi-PJ3.js +0 -24
  998. package/dist/runtime-api-Dsp6Q8-12.d.ts +0 -3151
  999. package/dist/runtime-api-c9O4luRc.js +0 -13
  1000. package/dist/runtime-api-iiw2xe0i.js +0 -13
  1001. package/dist/runtime-api.actions-BVrajshb.js +0 -3
  1002. package/dist/runtime-api.actions-CzDO06T7.d.ts +0 -23
  1003. package/dist/runtime-api.monitor-BP7gIISf.d.ts +0 -3757
  1004. package/dist/runtime-api.monitor-BShOXy33.js +0 -6
  1005. package/dist/runtime-api.send-BTuGzQtf.js +0 -4
  1006. package/dist/runtime-api.send-C_MjuzGA.d.ts +0 -38
  1007. package/dist/runtime-api.threads-3cF-9XFp.js +0 -2
  1008. package/dist/runtime-channel-CwZHOoMT.js +0 -2
  1009. package/dist/runtime-channel-fHBJLcYG.js +0 -150
  1010. package/dist/runtime-doctor-_yVIDUi3.d.ts +0 -48
  1011. package/dist/runtime-embedded-pi.runtime-Cgc2MHEr.js +0 -2
  1012. package/dist/sanitize-outbound-DTdYOSuN.js +0 -127
  1013. package/dist/sdk-setup-tools-DsgXMSJF.js +0 -8
  1014. package/dist/secrets-xq1GA7Xo.js +0 -113
  1015. package/dist/security-audit-Du_2AwxR.js +0 -122
  1016. package/dist/security-audit-i1ehCFCk.js +0 -118
  1017. package/dist/security-audit.runtime-nBiU375z.js +0 -2
  1018. package/dist/selection-CZeNX1pE.js +0 -3
  1019. package/dist/selection-DTrJ8MmR.js +0 -16157
  1020. package/dist/send-79TPg_6c.js +0 -2
  1021. package/dist/send-91PqXvSN.js +0 -192
  1022. package/dist/send-C2reDA-B.js +0 -143
  1023. package/dist/send-CTDEXMPp.d.ts +0 -231
  1024. package/dist/send-DaFuA5cD.d.ts +0 -105
  1025. package/dist/send-JRMzkOJi.js +0 -1631
  1026. package/dist/send.components-Dv_9V1n4.js +0 -500
  1027. package/dist/send.components-MeAhqv9J.js +0 -2
  1028. package/dist/send.runtime-BXAcNcFW.js +0 -2
  1029. package/dist/send.types-DU1uiiR9.d.ts +0 -160
  1030. package/dist/server-CFMwy7OB.js +0 -24
  1031. package/dist/server-context-Dqwl703G.js +0 -955
  1032. package/dist/server-context-wK29CPaJ.js +0 -2
  1033. package/dist/server-cron-B1DKKd9L.js +0 -2
  1034. package/dist/server-cron-i1RW7vPj.js +0 -2989
  1035. package/dist/server-jF0fwwqG.js +0 -73
  1036. package/dist/server-methods-CbFofeYw.js +0 -16499
  1037. package/dist/server-node-events-DL9C2Zgb.js +0 -596
  1038. package/dist/server-plugin-bootstrap-BpLRcl2N.js +0 -70
  1039. package/dist/server-plugins-Bw4luxP4.js +0 -432
  1040. package/dist/server-reload-handlers-Du2MmNNy.js +0 -714
  1041. package/dist/server-restart-sentinel-Bi93NfH5.js +0 -747
  1042. package/dist/server-restart-sentinel-CZQ5DtCS.js +0 -2
  1043. package/dist/server-runtime-services-6xIr0oF5.js +0 -267
  1044. package/dist/server-runtime-services-Bn_-QBG_.js +0 -2
  1045. package/dist/server-startup-plugins-D67Ykogy.js +0 -113
  1046. package/dist/server-startup-post-attach-DGj_JzsI.js +0 -716
  1047. package/dist/server-ws-runtime-DY6Aw13I.js +0 -349
  1048. package/dist/server.impl-6rbQJgzF.js +0 -2586
  1049. package/dist/service-BniJ-ml1.js +0 -1446
  1050. package/dist/session-binding-BCrf6P9-.js +0 -2
  1051. package/dist/session-binding-Dv-7cruS.js +0 -219
  1052. package/dist/session-kill-http-BJFrJrtN.js +0 -121
  1053. package/dist/session-reset-service-BbWtWMwD.js +0 -625
  1054. package/dist/session-route-DU5w8Y32.js +0 -93
  1055. package/dist/session-status.runtime-BlQpbVG5.js +0 -2
  1056. package/dist/session-subagent-reactivation.runtime-5Q01Ew9-.js +0 -2
  1057. package/dist/session-tab-registry-BuYe4OOF.js +0 -521
  1058. package/dist/sessions-history-http-DSsnYvkK.js +0 -430
  1059. package/dist/sessions.runtime-BmeoWYRz.js +0 -2
  1060. package/dist/setup-api-CKNdGNsP.js +0 -29
  1061. package/dist/setup-core-DP5EwSY0.js +0 -174
  1062. package/dist/setup-surface-BYCu55nE.js +0 -288
  1063. package/dist/setup-surface-B_2igLCv.js +0 -405
  1064. package/dist/setup-surface-BcnlyFJo.js +0 -221
  1065. package/dist/setup-surface-BuTeC8Tu.js +0 -320
  1066. package/dist/shared-RXlS1jcs.js +0 -121
  1067. package/dist/shared-client-C3MyzMO-.js +0 -2
  1068. package/dist/shared-client-ChFVc6qy.js +0 -629
  1069. package/dist/side-question-C7XXJ3WJ.js +0 -683
  1070. package/dist/skill-tool-dispatch.runtime-D-KdTx1M.js +0 -143
  1071. package/dist/slash-state-Bkj8dL5a.js +0 -2166
  1072. package/dist/speech-provider-BunrBrCI.js +0 -184
  1073. package/dist/src-CEgolSf5.js +0 -4256
  1074. package/dist/startup-context-JB4BWjRi.js +0 -313
  1075. package/dist/status-subagents.runtime-Bp7aARu7.js +0 -18
  1076. package/dist/status-text-DN8S2Q1J.js +0 -296
  1077. package/dist/sticker-cache-Be-oBI7L.js +0 -206
  1078. package/dist/sticker-vision.runtime-Ba4krDPo.js +0 -17
  1079. package/dist/subagent-announce-C7j9VsZa.js +0 -354
  1080. package/dist/subagent-announce-delivery-CB4UtEg2.js +0 -958
  1081. package/dist/subagent-control-C4koBB2g.js +0 -508
  1082. package/dist/subagent-hooks-C6RmP8Ul.js +0 -2
  1083. package/dist/subagent-hooks-CrDfx1bX.js +0 -146
  1084. package/dist/subagent-hooks-Dh-10ODX.js +0 -116
  1085. package/dist/subagent-hooks-DjGGmJOs.js +0 -2
  1086. package/dist/subagent-hooks-Djrkg_r_.js +0 -230
  1087. package/dist/subagent-hooks-XiGzfcD1.js +0 -2
  1088. package/dist/subagent-hooks-api-BAuY6yAp.js +0 -23
  1089. package/dist/subagent-hooks-api-X4Wq3-bg.js +0 -22
  1090. package/dist/subagent-hooks-api-uGaYQ3ls.js +0 -23
  1091. package/dist/subagent-orphan-recovery-CiT4T6EK.js +0 -352
  1092. package/dist/subagent-registry-CJUOLPWx.js +0 -3
  1093. package/dist/subagent-registry-DkLEo8Gw.js +0 -2351
  1094. package/dist/subagent-session-cleanup-BXd7lwdo.js +0 -525
  1095. package/dist/subagent-spawn-C0nFUSkA.js +0 -1164
  1096. package/dist/target-id-C-_5ZyaM.js +0 -107
  1097. package/dist/targets-C6aOnm7M.js +0 -19
  1098. package/dist/targets-CeAvrPZY.js +0 -19
  1099. package/dist/targets-CiQWn-48.js +0 -44
  1100. package/dist/test-fixtures-HY6a4nTW.d.ts +0 -26
  1101. package/dist/testing-dGXqtqph.js +0 -267
  1102. package/dist/thread-bindings-2it1TXRk.js +0 -228
  1103. package/dist/thread-bindings-BVsdSE6x.js +0 -232
  1104. package/dist/thread-bindings-CxRt4oO6.js +0 -571
  1105. package/dist/thread-bindings-Duucj0p6.js +0 -8
  1106. package/dist/thread-bindings.discord-api-5DrSBok8.js +0 -187
  1107. package/dist/thread-bindings.manager-8Evv-rZ-.js +0 -2
  1108. package/dist/thread-bindings.manager-Dqs05Cqt.js +0 -536
  1109. package/dist/thread-lifecycle-a9ORG_Qn.js +0 -1614
  1110. package/dist/token-Cd4ZyEet.js +0 -134
  1111. package/dist/tool-X8pfYjSy.js +0 -139
  1112. package/dist/tool-actions.runtime-Be5Jzai5.js +0 -534
  1113. package/dist/tool-resolution-BsitImc6.js +0 -149
  1114. package/dist/tools-effective-inventory-BZrHm8Fz.js +0 -204
  1115. package/dist/tools-invoke-http-ShL1W_9J.js +0 -67
  1116. package/dist/tools-invoke-shared-DeHgr_VB.js +0 -200
  1117. package/dist/tts-Ayx5XgJd.js +0 -66
  1118. package/dist/tui-BMb_k0zQ.js +0 -2
  1119. package/dist/tui-Cok5WLhQ.js +0 -4709
  1120. package/dist/tui-backend-ByoQP-cW.js +0 -256
  1121. package/dist/tui-cli-CUq3hRch.js +0 -37
  1122. package/dist/typed-cases-BYRVKA1F.d.ts +0 -68
  1123. package/dist/update-cli-CEgVV8KX.js +0 -3664
  1124. package/dist/vision-tools-l3OhetFy.js +0 -1409
  1125. package/dist/web-search-cDMQBezP.js +0 -62
  1126. package/dist/web-search-provider.runtime-Ckon24db.js +0 -2
  1127. package/dist/web-search-provider.runtime-bfpMar6S.js +0 -328
  1128. package/dist/webhook-targets-DqetRJVn.d.ts +0 -99
  1129. package/dist/xai-oauth-DI_oDf1M.js +0 -479
  1130. package/dist/xai-user-agent-C3kBfnkY.js +0 -32
  1131. /package/dist/{accounts-5C9AWgJV2.d.ts → accounts-5C9AWgJV.d.ts} +0 -0
  1132. /package/dist/{acp-runtime-backend-BZ5O5ObX.js → acp-runtime-backend-BetObVpx.js} +0 -0
  1133. /package/dist/{channel-actions-CgtkgM0g.js → channel-actions-DckqlhU7.js} +0 -0
  1134. /package/dist/{command-status-runtime-CP5giZCt.js → command-status-runtime-E16rrPc3.js} +0 -0
  1135. /package/dist/{delegate-BqgaH2oz.js → delegate-BSLYNrsG.js} +0 -0
  1136. /package/dist/{dispatch-acp-BZWxbCpX.js → dispatch-acp-D4tmhg9Q.js} +0 -0
  1137. /package/dist/{heartbeat-runner-Ci-DNWRz.js → heartbeat-runner-DVT5MIY3.js} +0 -0
  1138. /package/dist/{library-Be_uMwZR.js → library-DxK3LF7B.js} +0 -0
  1139. /package/dist/{run-executor.runtime-CMc4ImJr.js → run-executor.runtime-6pORvlOZ.js} +0 -0
  1140. /package/dist/{shared-RstjPNr2.js → shared-KCy8RvKa.js} +0 -0
package/dist/message-handler-StORmhkH.js DELETED
@@ -1,1715 +0,0 @@
1
- import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString } from "./string-coerce-DyL154ka.js";
2
- import { s as resolveRuntimeServiceVersion } from "./version-QmPt05QD.js";
3
- import { t as normalizeArrayBackedTrimmedStringList } from "./string-normalization-DiPHgdft.js";
4
- import { S as runWithDiagnosticTraceContext, p as createDiagnosticTraceContext } from "./diagnostic-events-DPfGiEBK.js";
5
- import { a as isPrivateOrLoopbackAddress, c as isTrustedProxyAddress, f as resolveClientIp, h as resolveHostName, i as isLoopbackHost, n as isLocalishHost, o as isPrivateOrLoopbackHost, r as isLoopbackAddress } from "./net-DCUMtgJy.js";
6
- import { i as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, n as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN } from "./auth-rate-limit-DA3xJNFz.js";
7
- import { a as hasForwardedRequestHeaders, i as authorizeWsControlUiGatewayConnect, o as isLocalDirectRequest, r as authorizeHttpGatewayConnect, s as checkBrowserOrigin } from "./auth-zk3HFDT6.js";
8
- import { i as getRuntimeConfig } from "./io-Dlv1CClM.js";
9
- import { i as normalizeDevicePublicKeyBase64Url, s as verifyDeviceSignature, t as deriveDeviceIdFromPublicKey } from "./device-identity-BVmCQ4s6.js";
10
- import { n as GATEWAY_CLIENT_IDS, r as GATEWAY_CLIENT_MODES } from "./client-info-B56HGdh-.js";
11
- import { a as isOperatorUiClient, n as isGatewayCliClient, o as isWebchatClient, t as isBrowserOperatorUiClient } from "./message-channel-CRza_Xs_.js";
12
- import { c as GATEWAY_STARTUP_CLOSE_REASON, d as buildDeviceAuthPayload, f as buildDeviceAuthPayloadV3, l as GATEWAY_STARTUP_PENDING_CLOSE_CAUSE, s as GATEWAY_STARTUP_CLOSE_CODE, u as gatewayStartupUnavailableDetails } from "./client-yI_gYDpR.js";
13
- import { t as rawDataToString } from "./ws-C3qhmaFC.js";
14
- import { t as normalizeDeviceMetadataForAuth } from "./device-metadata-normalization-PRIe4LWk.js";
15
- import { i as buildPairingConnectErrorMessage, m as resolveDeviceAuthConnectErrorDetailCode, n as buildPairingConnectCloseReason, p as resolveAuthConnectErrorDetailCode, r as buildPairingConnectErrorDetails, t as ConnectErrorDetailCodes } from "./connect-error-details-BNpp20bs.js";
16
- import { At as validateRequestFrame, M as validateConnectParams, Ni as ErrorCodes, Pi as errorShape, t as formatValidationErrors } from "./protocol-BqIJbb8x.js";
17
- import "./version-DDqbebEG.js";
18
- import { t as ADMIN_SCOPE } from "./operator-scopes-DGvgHuOd.js";
19
- import "./method-scopes-Ce2SpYo5.js";
20
- import { n as isOperatorApprovalRuntimeToken } from "./operator-approval-runtime-token-C5pv_wEb.js";
21
- import { n as logRejectedLargePayload } from "./diagnostic-payload-BfH_Skky.js";
22
- import { a as MAX_PAYLOAD_BYTES, i as MAX_BUFFERED_BYTES, o as MAX_PREAUTH_PAYLOAD_BYTES, s as TICK_INTERVAL_MS } from "./server-constants-BGwLM6XN.js";
23
- import { a as indexPluginNodeCapabilitySurfaces, l as resolvePluginNodeCapabilityTtlMs, o as mintPluginNodeCapabilityToken, r as buildPluginNodeCapabilityScopedHostUrl, u as setClientPluginNodeCapability } from "./plugin-node-capability-D0b7yj9X.js";
24
- import { a as normalizeDeclaredNodeCommands, o as resolveNodeCommandAllowlist, s as resolveNodePairingCommandAllowlist } from "./node-command-policy-DWvpPTgH.js";
25
- import { n as logWs, t as formatForLog } from "./ws-log-CHuv7KC7.js";
26
- import { l as roleScopesAllow } from "./pairing-token-B1grnvMr.js";
27
- import { c as updatePairedNodeMetadata, n as getPairedNode, s as requestNodePairing } from "./node-pairing-B5I4lpks.js";
28
- import { i as recordRemoteNodeInfo, o as refreshRemoteNodeBins } from "./skills-remote-vuEE6sLa.js";
29
- import { a as redeemDeviceBootstrapTokenProfile, d as PAIRING_SETUP_BOOTSTRAP_PROFILE, l as verifyDeviceBootstrapToken, n as getBoundDeviceBootstrapProfile, o as restoreDeviceBootstrapToken, p as resolveBootstrapProfileScopesForRole, r as getDeviceBootstrapTokenProfile, s as revokeDeviceBootstrapToken, u as BOOTSTRAP_HANDOFF_OPERATOR_SCOPES } from "./device-bootstrap-BZT0wrl5.js";
30
- import { _ as updatePairedDeviceMetadata, a as getPairedDevice, c as listApprovedPairedDeviceRoles, l as listDevicePairing, n as approveDevicePairing, p as requestDevicePairing, r as ensureDeviceToken, s as hasEffectivePairedDeviceRole, t as approveBootstrapDevicePairing, u as listEffectivePairedDeviceRoles, v as verifyDeviceToken } from "./device-pairing-Bw7rq1YT.js";
31
- import { r as loadVoiceWakeConfig, t as formatError } from "./server-utils-Dzo1sugg.js";
32
- import { r as upsertPresence } from "./system-presence-ClNSY4UX.js";
33
- import { a as incrementPresenceVersion, n as getHealthCache, r as getHealthVersion, t as buildGatewaySnapshot } from "./health-state-Df89yKue.js";
34
- import { c as roleCanSkipDeviceIdentity, s as parseGatewayRole, t as loadVoiceWakeRoutingConfig } from "./voicewake-routing-DZDAf5fD.js";
35
- import { t as resolveSharedGatewaySessionGeneration } from "./ws-shared-generation-Bp5l7wzu.js";
36
- import { t as truncateCloseReason } from "./close-reason-f7R6T5LC.js";
37
- import os from "node:os";
38
- //#region src/gateway/node-connect-reconcile.ts
39
- function resolveApprovedReconnectCommands(params) {
40
- return normalizeDeclaredNodeCommands({
41
- declaredCommands: Array.isArray(params.pairedCommands) ? params.pairedCommands : [],
42
- allowlist: params.allowlist
43
- });
44
- }
45
- function normalizeApprovalSurfaceList(value) {
46
- return normalizeArrayBackedTrimmedStringList(value) ?? [];
47
- }
48
- function sameApprovalSurfaceSet(left, right) {
49
- const normalizedLeft = new Set(normalizeApprovalSurfaceList(left));
50
- const normalizedRight = new Set(normalizeApprovalSurfaceList(right));
51
- if (normalizedLeft.size !== normalizedRight.size) return false;
52
- for (const entry of normalizedLeft) if (!normalizedRight.has(entry)) return false;
53
- return true;
54
- }
55
- function normalizePermissionMap(value) {
56
- if (!value) return;
57
- const entries = Object.entries(value).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
58
- return entries.length > 0 ? Object.fromEntries(entries) : void 0;
59
- }
60
- function samePermissions(left, right) {
61
- const leftEntries = Object.entries(left ?? {}).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
62
- const rightEntries = Object.entries(right ?? {}).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
63
- if (leftEntries.length !== rightEntries.length) return false;
64
- return leftEntries.every(([key, value], index) => {
65
- const rightEntry = rightEntries[index];
66
- return rightEntry !== void 0 && rightEntry[0] === key && rightEntry[1] === value;
67
- });
68
- }
69
- function intersectApprovalSurfaceList(params) {
70
- const approved = new Set(normalizeApprovalSurfaceList(params.approved));
71
- return normalizeApprovalSurfaceList(params.declared).filter((entry) => approved.has(entry));
72
- }
73
- function intersectPermissionSurface(params) {
74
- const entries = [];
75
- for (const [key, declaredValue] of Object.entries(params.declared ?? {})) {
76
- const approvedValue = params.approved?.[key];
77
- if (!declaredValue) {
78
- entries.push([key, false]);
79
- continue;
80
- }
81
- if (approvedValue === true) {
82
- entries.push([key, true]);
83
- continue;
84
- }
85
- if (approvedValue === false) entries.push([key, false]);
86
- }
87
- return entries.length > 0 ? Object.fromEntries(entries) : void 0;
88
- }
89
- function buildNodePairingRequestInput(params) {
90
- return {
91
- nodeId: params.nodeId,
92
- displayName: params.connectParams.client.displayName,
93
- platform: params.connectParams.client.platform,
94
- version: params.connectParams.client.version,
95
- deviceFamily: params.connectParams.client.deviceFamily,
96
- modelIdentifier: params.connectParams.client.modelIdentifier,
97
- caps: params.caps,
98
- commands: params.commands,
99
- permissions: params.permissions,
100
- remoteIp: params.remoteIp
101
- };
102
- }
103
- async function reconcileNodePairingOnConnect(params) {
104
- const nodeId = params.connectParams.device?.id ?? params.connectParams.client.id;
105
- const policyNode = {
106
- platform: params.connectParams.client.platform,
107
- deviceFamily: params.connectParams.client.deviceFamily,
108
- caps: params.connectParams.caps,
109
- commands: params.connectParams.commands
110
- };
111
- const pairingAllowlist = resolveNodePairingCommandAllowlist(params.cfg, policyNode);
112
- const declared = normalizeDeclaredNodeCommands({
113
- declaredCommands: Array.isArray(params.connectParams.commands) ? params.connectParams.commands : [],
114
- allowlist: pairingAllowlist
115
- });
116
- const declaredCaps = normalizeApprovalSurfaceList(params.connectParams.caps);
117
- const declaredPermissions = normalizePermissionMap(params.connectParams.permissions);
118
- if (!params.pairedNode) return {
119
- nodeId,
120
- declaredCaps,
121
- effectiveCaps: [],
122
- declaredCommands: declared,
123
- effectiveCommands: [],
124
- declaredPermissions,
125
- effectivePermissions: void 0,
126
- pendingPairing: await params.requestPairing(buildNodePairingRequestInput({
127
- nodeId,
128
- connectParams: params.connectParams,
129
- caps: declaredCaps,
130
- commands: declared,
131
- permissions: declaredPermissions,
132
- remoteIp: params.reportedClientIp
133
- }))
134
- };
135
- const runtimeAllowlist = resolveNodeCommandAllowlist(params.cfg, {
136
- ...policyNode,
137
- approvedCommands: params.pairedNode.commands
138
- });
139
- const approvedCommands = resolveApprovedReconnectCommands({
140
- pairedCommands: params.pairedNode.commands,
141
- allowlist: runtimeAllowlist
142
- });
143
- const approvedCaps = normalizeApprovalSurfaceList(params.pairedNode.caps);
144
- const approvedPermissions = normalizePermissionMap(params.pairedNode.permissions);
145
- const hasCommandUpgrade = declared.some((command) => !approvedCommands.includes(command));
146
- const hasCapabilityChange = !sameApprovalSurfaceSet(params.pairedNode.caps, declaredCaps);
147
- const hasPermissionChange = !samePermissions(params.pairedNode.permissions, declaredPermissions);
148
- const effectiveApprovedDeclaredCaps = intersectApprovalSurfaceList({
149
- approved: approvedCaps,
150
- declared: declaredCaps
151
- });
152
- const effectiveApprovedDeclaredCommands = intersectApprovalSurfaceList({
153
- approved: approvedCommands,
154
- declared
155
- });
156
- const effectiveApprovedDeclaredPermissions = intersectPermissionSurface({
157
- approved: approvedPermissions,
158
- declared: declaredPermissions
159
- });
160
- if (hasCommandUpgrade || hasCapabilityChange || hasPermissionChange) return {
161
- nodeId,
162
- declaredCaps,
163
- effectiveCaps: effectiveApprovedDeclaredCaps,
164
- declaredCommands: declared,
165
- effectiveCommands: effectiveApprovedDeclaredCommands,
166
- declaredPermissions,
167
- effectivePermissions: effectiveApprovedDeclaredPermissions,
168
- pendingPairing: await params.requestPairing(buildNodePairingRequestInput({
169
- nodeId,
170
- connectParams: params.connectParams,
171
- caps: declaredCaps,
172
- commands: declared,
173
- permissions: declaredPermissions ?? (hasPermissionChange ? {} : void 0),
174
- remoteIp: params.reportedClientIp
175
- }))
176
- };
177
- return {
178
- nodeId,
179
- declaredCaps,
180
- effectiveCaps: declaredCaps,
181
- declaredCommands: declared,
182
- effectiveCommands: declared,
183
- declaredPermissions,
184
- effectivePermissions: declaredPermissions
185
- };
186
- }
187
- //#endregion
188
- //#region src/gateway/node-pairing-auto-approve.ts
189
- function resolveNodePairingClientIpSource(params) {
190
- if (!params.reportedClientIp) return "none";
191
- if (!params.hasProxyHeaders || !params.remoteIsTrustedProxy) return "direct";
192
- return params.remoteIsLoopback ? "loopback-trusted-proxy" : "trusted-proxy";
193
- }
194
- function shouldAutoApproveNodePairingFromTrustedCidrs(params) {
195
- if (params.existingPairedDevice) return false;
196
- if (params.role !== "node") return false;
197
- if (params.reason !== "not-paired") return false;
198
- if (params.scopes.length > 0) return false;
199
- if (params.hasBrowserOriginHeader || params.isControlUi || params.isWebchat) return false;
200
- if (params.reportedClientIpSource === "none" || params.reportedClientIpSource === "loopback-trusted-proxy") return false;
201
- if (!params.reportedClientIp) return false;
202
- const autoApproveCidrs = params.autoApproveCidrs?.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
203
- if (!autoApproveCidrs || autoApproveCidrs.length === 0) return false;
204
- return isTrustedProxyAddress(params.reportedClientIp, autoApproveCidrs);
205
- }
206
- //#endregion
207
- //#region src/gateway/server/ws-connection/auth-context.ts
208
- function mapDeviceTokenAuthFailureReason(params) {
209
- if (params.tokenCheckReason === "scope-mismatch" || params.tokenCheckReason === "scope_mismatch") return "scope_mismatch";
210
- if (params.candidateSource === "explicit-device-token") return "device_token_mismatch";
211
- return params.fallbackReason ?? "device_token_mismatch";
212
- }
213
- function resolveSharedConnectAuth(connectAuth) {
214
- const token = normalizeOptionalString(connectAuth?.token);
215
- const password = normalizeOptionalString(connectAuth?.password);
216
- if (!token && !password) return;
217
- return {
218
- token,
219
- password
220
- };
221
- }
222
- function resolveDeviceTokenCandidate(connectAuth) {
223
- const explicitDeviceToken = normalizeOptionalString(connectAuth?.deviceToken);
224
- if (explicitDeviceToken) return {
225
- token: explicitDeviceToken,
226
- source: "explicit-device-token"
227
- };
228
- const fallbackToken = normalizeOptionalString(connectAuth?.token);
229
- if (!fallbackToken) return {};
230
- return {
231
- token: fallbackToken,
232
- source: "shared-token-fallback"
233
- };
234
- }
235
- async function resolveConnectAuthState(params) {
236
- const sharedConnectAuth = resolveSharedConnectAuth(params.connectAuth);
237
- const sharedAuthProvided = Boolean(sharedConnectAuth);
238
- const bootstrapTokenCandidate = params.hasDeviceIdentity ? normalizeOptionalString(params.connectAuth?.bootstrapToken) : void 0;
239
- const { token: deviceTokenCandidate, source: deviceTokenCandidateSource } = params.hasDeviceIdentity ? resolveDeviceTokenCandidate(params.connectAuth) : {};
240
- let authResult = await authorizeWsControlUiGatewayConnect({
241
- auth: params.resolvedAuth,
242
- connectAuth: sharedConnectAuth,
243
- req: params.req,
244
- trustedProxies: params.trustedProxies,
245
- allowRealIpFallback: params.allowRealIpFallback,
246
- rateLimiter: sharedAuthProvided ? params.rateLimiter : void 0,
247
- clientIp: params.clientIp,
248
- rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET
249
- });
250
- const sharedAuthResult = sharedConnectAuth && await authorizeHttpGatewayConnect({
251
- auth: {
252
- ...params.resolvedAuth,
253
- allowTailscale: false
254
- },
255
- connectAuth: sharedConnectAuth,
256
- req: params.req,
257
- trustedProxies: params.trustedProxies,
258
- allowRealIpFallback: params.allowRealIpFallback,
259
- rateLimitScope: "shared-secret"
260
- });
261
- const sharedAuthOk = sharedAuthResult?.ok === true && (sharedAuthResult.method === "token" || sharedAuthResult.method === "password") || authResult.ok && authResult.method === "trusted-proxy";
262
- return {
263
- authResult,
264
- authOk: authResult.ok,
265
- authMethod: authResult.method ?? (params.resolvedAuth.mode === "password" ? "password" : "token"),
266
- sharedAuthOk,
267
- sharedAuthProvided,
268
- bootstrapTokenCandidate,
269
- deviceTokenCandidate,
270
- deviceTokenCandidateSource
271
- };
272
- }
273
- async function resolveConnectAuthDecision(params) {
274
- let authResult = params.state.authResult;
275
- let authOk = params.state.authOk;
276
- let authMethod = params.state.authMethod;
277
- const bootstrapTokenCandidate = params.state.bootstrapTokenCandidate;
278
- if (params.hasDeviceIdentity && params.deviceId && params.publicKey && bootstrapTokenCandidate) {
279
- const tokenCheck = await params.verifyBootstrapToken({
280
- deviceId: params.deviceId,
281
- publicKey: params.publicKey,
282
- token: bootstrapTokenCandidate,
283
- role: params.role,
284
- scopes: params.scopes
285
- });
286
- if (tokenCheck.ok) {
287
- authOk = true;
288
- authMethod = "bootstrap-token";
289
- } else if (!authOk) authResult = {
290
- ok: false,
291
- reason: tokenCheck.reason ?? "bootstrap_token_invalid"
292
- };
293
- }
294
- const deviceTokenCandidate = params.state.deviceTokenCandidate;
295
- if (!params.hasDeviceIdentity || !params.deviceId || authOk || !deviceTokenCandidate) return {
296
- authResult,
297
- authOk,
298
- authMethod
299
- };
300
- let deviceTokenRateLimited = false;
301
- if (params.rateLimiter) {
302
- const deviceRateCheck = params.rateLimiter.check(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
303
- if (!deviceRateCheck.allowed) {
304
- deviceTokenRateLimited = true;
305
- authResult = {
306
- ok: false,
307
- reason: "rate_limited",
308
- rateLimited: true,
309
- retryAfterMs: deviceRateCheck.retryAfterMs
310
- };
311
- }
312
- }
313
- if (!deviceTokenRateLimited) {
314
- const tokenCheck = await params.verifyDeviceToken({
315
- deviceId: params.deviceId,
316
- token: deviceTokenCandidate,
317
- role: params.role,
318
- scopes: params.scopes
319
- });
320
- if (tokenCheck.ok) {
321
- authOk = true;
322
- authMethod = "device-token";
323
- params.rateLimiter?.reset(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
324
- if (params.state.sharedAuthProvided) params.rateLimiter?.reset(params.clientIp, AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET);
325
- } else {
326
- authResult = {
327
- ok: false,
328
- reason: mapDeviceTokenAuthFailureReason({
329
- tokenCheckReason: tokenCheck.reason,
330
- candidateSource: params.state.deviceTokenCandidateSource,
331
- fallbackReason: authResult.reason
332
- })
333
- };
334
- params.rateLimiter?.recordFailure(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
335
- }
336
- }
337
- return {
338
- authResult,
339
- authOk,
340
- authMethod
341
- };
342
- }
343
- //#endregion
344
- //#region src/gateway/server/ws-connection/auth-messages.ts
345
- function formatGatewayAuthFailureMessage(params) {
346
- const { authMode, authProvided, reason, client } = params;
347
- const isCli = isGatewayCliClient(client);
348
- const isControlUi = isOperatorUiClient(client);
349
- const isWebchat = isWebchatClient(client);
350
- const tokenHint = isCli ? "set gateway.remote.token to match gateway.auth.token" : isControlUi || isWebchat ? "open the dashboard URL and paste the token in Control UI settings" : "provide gateway auth token";
351
- const passwordHint = isCli ? "set gateway.remote.password to match gateway.auth.password" : isControlUi || isWebchat ? "enter the password in Control UI settings" : "provide gateway auth password";
352
- switch (reason) {
353
- case "token_missing": return `unauthorized: gateway token missing (${tokenHint})`;
354
- case "token_mismatch": return `unauthorized: gateway token mismatch (${tokenHint})`;
355
- case "token_missing_config": return "unauthorized: gateway token not configured on gateway (set gateway.auth.token)";
356
- case "password_missing": return `unauthorized: gateway password missing (${passwordHint})`;
357
- case "password_mismatch": return `unauthorized: gateway password mismatch (${passwordHint})`;
358
- case "password_missing_config": return "unauthorized: gateway password not configured on gateway (set gateway.auth.password)";
359
- case "bootstrap_token_invalid": return "unauthorized: bootstrap token invalid or expired (scan a fresh setup code)";
360
- case "tailscale_user_missing": return "unauthorized: tailscale identity missing (use Tailscale Serve auth or gateway token/password)";
361
- case "tailscale_proxy_missing": return "unauthorized: tailscale proxy headers missing (use Tailscale Serve or gateway token/password)";
362
- case "tailscale_whois_failed": return "unauthorized: tailscale identity check failed (use Tailscale Serve auth or gateway token/password)";
363
- case "tailscale_user_mismatch": return "unauthorized: tailscale identity mismatch (use Tailscale Serve auth or gateway token/password)";
364
- case "rate_limited": return "unauthorized: too many failed authentication attempts (retry later)";
365
- case "device_token_mismatch": return "unauthorized: device token mismatch (rotate/reissue device token)";
366
- case "scope_mismatch": return "unauthorized: device token scope mismatch (re-pair or approve scope upgrade)";
367
- default: break;
368
- }
369
- if (authMode === "token" && authProvided === "none") return `unauthorized: gateway token missing (${tokenHint})`;
370
- if (authMode === "token" && authProvided === "device-token") return "unauthorized: device token rejected (pair/repair this device, or provide gateway token)";
371
- if (authProvided === "bootstrap-token") return "unauthorized: bootstrap token invalid or expired (scan a fresh setup code)";
372
- if (authMode === "password" && authProvided === "none") return `unauthorized: gateway password missing (${passwordHint})`;
373
- return "unauthorized";
374
- }
375
- //#endregion
376
- //#region src/gateway/server/ws-connection/connect-policy.ts
377
- function resolveControlUiAuthPolicy(params) {
378
- const allowInsecureAuthConfigured = params.isControlUi && params.controlUiConfig?.allowInsecureAuth === true;
379
- const dangerouslyDisableDeviceAuth = params.isControlUi && params.controlUiConfig?.dangerouslyDisableDeviceAuth === true;
380
- return {
381
- isControlUi: params.isControlUi,
382
- allowInsecureAuthConfigured,
383
- dangerouslyDisableDeviceAuth,
384
- allowBypass: dangerouslyDisableDeviceAuth,
385
- device: dangerouslyDisableDeviceAuth ? null : params.deviceRaw
386
- };
387
- }
388
- function shouldSkipControlUiPairing(policy, role, _trustedProxyAuthOk = false, authMode, authMethod) {
389
- if (policy.isControlUi && role === "operator" && authMethod === "tailscale" && policy.device) return true;
390
- if (policy.isControlUi && role === "operator" && authMode === "none") return true;
391
- return role === "operator" && policy.allowBypass;
392
- }
393
- function isTrustedProxyControlUiOperatorAuth(params) {
394
- return params.isControlUi && params.role === "operator" && params.authMode === "trusted-proxy" && params.authOk && params.authMethod === "trusted-proxy";
395
- }
396
- function shouldClearUnboundScopesForMissingDeviceIdentity(params) {
397
- return params.decision.kind !== "allow" || !params.controlUiAuthPolicy.allowBypass && !params.preserveInsecureLocalControlUiScopes && (params.authMethod === "token" || params.authMethod === "password" || params.authMethod === "trusted-proxy");
398
- }
399
- function evaluateMissingDeviceIdentity(params) {
400
- if (params.hasDeviceIdentity) return { kind: "allow" };
401
- if (params.isControlUi && params.trustedProxyAuthOk) return { kind: "allow" };
402
- if (params.isControlUi && params.controlUiAuthPolicy.allowBypass && params.role === "operator") return { kind: "allow" };
403
- if (params.localBackendSelfPairingOk && params.role === "operator") return { kind: "allow" };
404
- if (params.isControlUi && !params.controlUiAuthPolicy.allowBypass) {
405
- if (!params.controlUiAuthPolicy.allowInsecureAuthConfigured || !params.isLocalClient) return { kind: "reject-control-ui-insecure-auth" };
406
- }
407
- if (roleCanSkipDeviceIdentity(params.role, params.sharedAuthOk)) return { kind: "allow" };
408
- if (!params.authOk && params.hasSharedAuth) return { kind: "reject-unauthorized" };
409
- return { kind: "reject-device-required" };
410
- }
411
- //#endregion
412
- //#region src/gateway/server/ws-connection/handshake-auth-helpers.ts
413
- const BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP = "198.18.0.1";
414
- const BROWSER_ORIGIN_RATE_LIMIT_KEY_PREFIX = "browser-origin:";
415
- function resolveBrowserOriginRateLimitKey(requestOrigin) {
416
- const trimmedOrigin = requestOrigin?.trim();
417
- if (!trimmedOrigin) return BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP;
418
- try {
419
- return `${BROWSER_ORIGIN_RATE_LIMIT_KEY_PREFIX}${normalizeLowercaseStringOrEmpty(new URL(trimmedOrigin).origin)}`;
420
- } catch {
421
- return BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP;
422
- }
423
- }
424
- function resolveHandshakeBrowserSecurityContext(params) {
425
- const hasBrowserOriginHeader = Boolean(params.requestOrigin && params.requestOrigin.trim() !== "");
426
- return {
427
- hasBrowserOriginHeader,
428
- enforceOriginCheckForAnyClient: hasBrowserOriginHeader,
429
- rateLimitClientIp: hasBrowserOriginHeader && isLoopbackAddress(params.clientIp) ? resolveBrowserOriginRateLimitKey(params.requestOrigin) : params.clientIp,
430
- authRateLimiter: hasBrowserOriginHeader && params.browserRateLimiter ? params.browserRateLimiter : params.rateLimiter
431
- };
432
- }
433
- function shouldAllowSilentLocalPairing(params) {
434
- if (params.locality === "remote") return false;
435
- if (params.hasBrowserOriginHeader && !params.isControlUi && !params.isWebchat) return false;
436
- if (params.reason === "not-paired" || params.reason === "scope-upgrade" || params.reason === "role-upgrade") return true;
437
- if (params.reason === "metadata-upgrade" && !params.hasBrowserOriginHeader && !params.isControlUi && !params.isWebchat && (params.locality === "direct_local" && params.isNativeAppUi === true || params.locality === "cli_container_local" || params.locality === "shared_secret_loopback_local")) return true;
438
- return false;
439
- }
440
- function isCliContainerLocalEquivalent(params) {
441
- const isCliClient = params.connectParams.client.id === GATEWAY_CLIENT_IDS.CLI && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.CLI;
442
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
443
- return isCliClient && params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && !params.hasBrowserOriginHeader && isLoopbackAddress(params.remoteAddress) && isPrivateOrLoopbackHost(resolveHostName(params.requestHost));
444
- }
445
- function isSharedSecretLoopbackLocalEquivalent(params) {
446
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
447
- return params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && !params.hasBrowserOriginHeader && isLoopbackAddress(params.remoteAddress) && isPrivateOrLoopbackHost(resolveHostName(params.requestHost));
448
- }
449
- function resolveOriginHost(origin) {
450
- const trimmed = origin?.trim();
451
- if (!trimmed) return "";
452
- try {
453
- return new URL(trimmed).hostname;
454
- } catch {
455
- return "";
456
- }
457
- }
458
- function isControlUiBrowserContainerLocalEquivalent(params) {
459
- const isControlUiBrowser = params.connectParams.client.id === GATEWAY_CLIENT_IDS.CONTROL_UI && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.WEBCHAT;
460
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
461
- return isControlUiBrowser && params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && params.hasBrowserOriginHeader && isPrivateOrLoopbackAddress(params.remoteAddress) && isLoopbackHost(resolveHostName(params.requestHost)) && isLoopbackHost(resolveOriginHost(params.requestOrigin));
462
- }
463
- function resolvePairingLocality(params) {
464
- if (params.isLocalClient) return "direct_local";
465
- if (isControlUiBrowserContainerLocalEquivalent({
466
- connectParams: params.connectParams,
467
- requestHost: params.requestHost,
468
- requestOrigin: params.requestOrigin,
469
- remoteAddress: params.remoteAddress,
470
- hasProxyHeaders: params.hasProxyHeaders,
471
- hasBrowserOriginHeader: params.hasBrowserOriginHeader,
472
- sharedAuthOk: params.sharedAuthOk,
473
- authMethod: params.authMethod
474
- })) return "browser_container_local";
475
- if (isCliContainerLocalEquivalent({
476
- connectParams: params.connectParams,
477
- requestHost: params.requestHost,
478
- remoteAddress: params.remoteAddress,
479
- hasProxyHeaders: params.hasProxyHeaders,
480
- hasBrowserOriginHeader: params.hasBrowserOriginHeader,
481
- sharedAuthOk: params.sharedAuthOk,
482
- authMethod: params.authMethod
483
- })) return "cli_container_local";
484
- if (isSharedSecretLoopbackLocalEquivalent({
485
- requestHost: params.requestHost,
486
- remoteAddress: params.remoteAddress,
487
- hasProxyHeaders: params.hasProxyHeaders,
488
- hasBrowserOriginHeader: params.hasBrowserOriginHeader,
489
- sharedAuthOk: params.sharedAuthOk,
490
- authMethod: params.authMethod
491
- })) return "shared_secret_loopback_local";
492
- return "remote";
493
- }
494
- function shouldSkipLocalBackendSelfPairing(params) {
495
- if (!(params.connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND)) return false;
496
- if (!(params.locality === "direct_local" || params.locality === "shared_secret_loopback_local") || params.hasBrowserOriginHeader) return false;
497
- if (params.authMethod === "none") return true;
498
- const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
499
- const usesDeviceTokenAuth = params.authMethod === "device-token";
500
- return params.sharedAuthOk && usesSharedSecretAuth || usesDeviceTokenAuth;
501
- }
502
- function resolveSignatureToken(connectParams) {
503
- return connectParams.auth?.token ?? connectParams.auth?.deviceToken ?? connectParams.auth?.bootstrapToken ?? null;
504
- }
505
- function buildUnauthorizedHandshakeContext(params) {
506
- return {
507
- authProvided: params.authProvided,
508
- canRetryWithDeviceToken: params.canRetryWithDeviceToken,
509
- recommendedNextStep: params.recommendedNextStep
510
- };
511
- }
512
- function resolveDeviceSignaturePayloadVersion(params) {
513
- const signatureToken = resolveSignatureToken(params.connectParams);
514
- const basePayload = {
515
- deviceId: params.device.id,
516
- clientId: params.connectParams.client.id,
517
- clientMode: params.connectParams.client.mode,
518
- role: params.role,
519
- scopes: params.scopes,
520
- signedAtMs: params.signedAtMs,
521
- token: signatureToken,
522
- nonce: params.nonce
523
- };
524
- const payloadV3 = buildDeviceAuthPayloadV3({
525
- ...basePayload,
526
- platform: params.connectParams.client.platform,
527
- deviceFamily: params.connectParams.client.deviceFamily
528
- });
529
- if (verifyDeviceSignature(params.device.publicKey, payloadV3, params.device.signature)) return "v3";
530
- const payloadV2 = buildDeviceAuthPayload(basePayload);
531
- if (verifyDeviceSignature(params.device.publicKey, payloadV2, params.device.signature)) return "v2";
532
- return null;
533
- }
534
- function resolveAuthProvidedKind(connectAuth) {
535
- return connectAuth?.password ? "password" : connectAuth?.token ? "token" : connectAuth?.bootstrapToken ? "bootstrap-token" : connectAuth?.deviceToken ? "device-token" : "none";
536
- }
537
- function resolveUnauthorizedHandshakeContext(params) {
538
- const authProvided = resolveAuthProvidedKind(params.connectAuth);
539
- const canRetryWithDeviceToken = params.failedAuth.reason === "token_mismatch" && params.hasDeviceIdentity && authProvided === "token" && !params.connectAuth?.deviceToken;
540
- if (canRetryWithDeviceToken) return buildUnauthorizedHandshakeContext({
541
- authProvided,
542
- canRetryWithDeviceToken,
543
- recommendedNextStep: "retry_with_device_token"
544
- });
545
- switch (params.failedAuth.reason) {
546
- case "token_missing":
547
- case "token_missing_config":
548
- case "password_missing":
549
- case "password_missing_config": return buildUnauthorizedHandshakeContext({
550
- authProvided,
551
- canRetryWithDeviceToken,
552
- recommendedNextStep: "update_auth_configuration"
553
- });
554
- case "token_mismatch":
555
- case "password_mismatch":
556
- case "device_token_mismatch": return buildUnauthorizedHandshakeContext({
557
- authProvided,
558
- canRetryWithDeviceToken,
559
- recommendedNextStep: "update_auth_credentials"
560
- });
561
- case "scope_mismatch": return buildUnauthorizedHandshakeContext({
562
- authProvided,
563
- canRetryWithDeviceToken,
564
- recommendedNextStep: "review_auth_configuration"
565
- });
566
- case "rate_limited": return buildUnauthorizedHandshakeContext({
567
- authProvided,
568
- canRetryWithDeviceToken,
569
- recommendedNextStep: "wait_then_retry"
570
- });
571
- default: return buildUnauthorizedHandshakeContext({
572
- authProvided,
573
- canRetryWithDeviceToken,
574
- recommendedNextStep: "review_auth_configuration"
575
- });
576
- }
577
- }
578
- //#endregion
579
- //#region src/gateway/server/ws-connection/unauthorized-flood-guard.ts
580
- const DEFAULT_CLOSE_AFTER = 10;
581
- const DEFAULT_LOG_EVERY = 100;
582
- var UnauthorizedFloodGuard = class {
583
- constructor(options) {
584
- this.count = 0;
585
- this.suppressedSinceLastLog = 0;
586
- this.closeAfter = Math.max(1, Math.floor(options?.closeAfter ?? DEFAULT_CLOSE_AFTER));
587
- this.logEvery = Math.max(1, Math.floor(options?.logEvery ?? DEFAULT_LOG_EVERY));
588
- }
589
- registerUnauthorized() {
590
- this.count += 1;
591
- const shouldClose = this.count > this.closeAfter;
592
- if (!(this.count === 1 || this.count % this.logEvery === 0 || shouldClose)) {
593
- this.suppressedSinceLastLog += 1;
594
- return {
595
- shouldClose,
596
- shouldLog: false,
597
- count: this.count,
598
- suppressedSinceLastLog: 0
599
- };
600
- }
601
- const suppressedSinceLastLog = this.suppressedSinceLastLog;
602
- this.suppressedSinceLastLog = 0;
603
- return {
604
- shouldClose,
605
- shouldLog: true,
606
- count: this.count,
607
- suppressedSinceLastLog
608
- };
609
- }
610
- reset() {
611
- this.count = 0;
612
- this.suppressedSinceLastLog = 0;
613
- }
614
- };
615
- function isUnauthorizedRoleError(error) {
616
- if (!error) return false;
617
- return error.code === ErrorCodes.INVALID_REQUEST && typeof error.message === "string" && error.message.startsWith("unauthorized role:");
618
- }
619
- //#endregion
620
- //#region src/gateway/server/ws-connection/message-handler.ts
621
- const DEVICE_SIGNATURE_SKEW_MS = 120 * 1e3;
622
- function sameBootstrapProfile(left, right) {
623
- if (left.roles.length !== right.roles.length || left.scopes.length !== right.scopes.length) return false;
624
- return left.roles.every((role, index) => role === right.roles[index]) && left.scopes.every((scope, index) => scope === right.scopes[index]);
625
- }
626
- function firstHeaderValue(value) {
627
- return Array.isArray(value) ? value[0] : value;
628
- }
629
- function resolveTrustedProxyControlUiScopes(params) {
630
- const rawHeader = firstHeaderValue(params.upgradeReq.headers["x-daocore-scopes"]);
631
- if (rawHeader === void 0) return params.requestedScopes;
632
- const declaredScopes = new Set(rawHeader.split(",").map((scope) => scope.trim()).filter((scope) => scope.length > 0));
633
- if (declaredScopes.size === 0) return [];
634
- return params.requestedScopes.filter((scope) => declaredScopes.has(scope));
635
- }
636
- function resolvePinnedClientMetadata(params) {
637
- function normalizeLegacyNodeHostPlatformPin(value) {
638
- switch (value) {
639
- case "darwin":
640
- case "macos": return "macos";
641
- case "win32":
642
- case "windows": return "windows";
643
- default: return value;
644
- }
645
- }
646
- function normalizeMobileAppPlatformPin(clientId, value) {
647
- if (clientId === GATEWAY_CLIENT_IDS.IOS_APP && /^(?:ios|ipados)(?:\s|$)/.test(value)) return "ios-family";
648
- if (clientId === GATEWAY_CLIENT_IDS.ANDROID_APP && /^android(?:\s|$)/.test(value)) return "android";
649
- return value;
650
- }
651
- const claimedPlatform = normalizeDeviceMetadataForAuth(params.claimedPlatform);
652
- const claimedDeviceFamily = normalizeDeviceMetadataForAuth(params.claimedDeviceFamily);
653
- const pairedPlatform = normalizeDeviceMetadataForAuth(params.pairedPlatform);
654
- const pairedDeviceFamily = normalizeDeviceMetadataForAuth(params.pairedDeviceFamily);
655
- const hasPinnedPlatform = pairedPlatform !== "";
656
- const hasPinnedDeviceFamily = pairedDeviceFamily !== "";
657
- const isLegacyNodeHostPlatformPin = params.clientId === GATEWAY_CLIENT_IDS.NODE_HOST && params.clientMode === GATEWAY_CLIENT_MODES.NODE && hasPinnedPlatform && claimedPlatform !== "" && normalizeLegacyNodeHostPlatformPin(claimedPlatform) === normalizeLegacyNodeHostPlatformPin(pairedPlatform);
658
- const isMobileAppPlatformVersionRefresh = hasPinnedPlatform && claimedPlatform !== "" && claimedPlatform !== pairedPlatform && normalizeMobileAppPlatformPin(params.clientId, claimedPlatform) === normalizeMobileAppPlatformPin(params.clientId, pairedPlatform);
659
- const platformMismatch = hasPinnedPlatform && claimedPlatform !== pairedPlatform && !isLegacyNodeHostPlatformPin && !isMobileAppPlatformVersionRefresh;
660
- const deviceFamilyMismatch = hasPinnedDeviceFamily && claimedDeviceFamily !== pairedDeviceFamily;
661
- const pinnedPlatform = claimedPlatform === pairedPlatform ? params.pairedPlatform : isLegacyNodeHostPlatformPin ? normalizeLegacyNodeHostPlatformPin(pairedPlatform) : isMobileAppPlatformVersionRefresh ? params.claimedPlatform : void 0;
662
- return {
663
- platformMismatch,
664
- deviceFamilyMismatch,
665
- pinnedPlatform: hasPinnedPlatform ? pinnedPlatform : void 0,
666
- pinnedDeviceFamily: hasPinnedDeviceFamily ? params.pairedDeviceFamily : void 0,
667
- ...isMobileAppPlatformVersionRefresh ? { refreshPairedPlatform: params.claimedPlatform } : {}
668
- };
669
- }
670
- function attachGatewayWsMessageHandler(params) {
671
- const { socket, upgradeReq, connId, remoteAddr, remotePort, localAddr, localPort, endpoint, forwardedFor, realIp, requestHost, requestOrigin, requestUserAgent, pluginSurfaceBaseUrl, pluginNodeCapabilities = [], connectNonce, getResolvedAuth, getRequiredSharedGatewaySessionGeneration, rateLimiter, browserRateLimiter, isStartupPending, gatewayMethods, events, extraHandlers, getMethodRegistry, buildRequestContext, refreshHealthSnapshot, send, close, isClosed, clearHandshakeTimer, getClient, setClient, setHandshakeState, setCloseCause, setLastFrameMeta, originCheckMetrics, logGateway, logHealth, logWsControl } = params;
672
- const sendFrame = async (obj) => await new Promise((resolve, reject) => {
673
- socket.send(JSON.stringify(obj), (err) => {
674
- if (err) {
675
- reject(err);
676
- return;
677
- }
678
- resolve();
679
- });
680
- });
681
- const configSnapshot = getRuntimeConfig();
682
- const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
683
- const allowRealIpFallback = configSnapshot.gateway?.allowRealIpFallback === true;
684
- const clientIp = resolveClientIp({
685
- remoteAddr,
686
- forwardedFor,
687
- realIp,
688
- trustedProxies,
689
- allowRealIpFallback
690
- });
691
- const peerLabel = endpoint ?? remoteAddr ?? "n/a";
692
- const hasProxyHeaders = hasForwardedRequestHeaders(upgradeReq);
693
- const remoteIsTrustedProxy = isTrustedProxyAddress(remoteAddr, trustedProxies);
694
- const hasUntrustedProxyHeaders = hasProxyHeaders && !remoteIsTrustedProxy;
695
- const hostIsLocalish = isLocalishHost(requestHost);
696
- const isLocalClient = isLocalDirectRequest(upgradeReq, trustedProxies, allowRealIpFallback);
697
- const reportedClientIp = isLocalClient || hasUntrustedProxyHeaders ? void 0 : clientIp && !isLoopbackAddress(clientIp) ? clientIp : void 0;
698
- const reportedClientIpSource = resolveNodePairingClientIpSource({
699
- reportedClientIp,
700
- hasProxyHeaders,
701
- remoteIsTrustedProxy,
702
- remoteIsLoopback: isLoopbackAddress(remoteAddr)
703
- });
704
- if (hasUntrustedProxyHeaders) logWsControl.warn("Proxy headers detected from untrusted address. Connection will not be treated as local. Configure gateway.trustedProxies to restore local client detection behind your proxy.");
705
- if (!hostIsLocalish && isLoopbackAddress(remoteAddr) && !hasProxyHeaders) logWsControl.warn("Loopback connection with non-local Host header. Treating it as remote. If you're behind a reverse proxy, set gateway.trustedProxies and forward X-Forwarded-For/X-Real-IP.");
706
- const isWebchatConnect = (p) => isWebchatClient(p?.client);
707
- const unauthorizedFloodGuard = new UnauthorizedFloodGuard();
708
- const { hasBrowserOriginHeader, enforceOriginCheckForAnyClient, rateLimitClientIp: browserRateLimitClientIp, authRateLimiter } = resolveHandshakeBrowserSecurityContext({
709
- requestOrigin,
710
- clientIp,
711
- rateLimiter,
712
- browserRateLimiter
713
- });
714
- const handleMessage = async (data) => {
715
- if (isClosed()) return;
716
- const preauthPayloadBytes = !getClient() ? getRawDataByteLength(data) : void 0;
717
- if (preauthPayloadBytes !== void 0 && preauthPayloadBytes > 65536) {
718
- logRejectedLargePayload({
719
- surface: "gateway.ws.preauth",
720
- bytes: preauthPayloadBytes,
721
- limitBytes: MAX_PREAUTH_PAYLOAD_BYTES,
722
- reason: "preauth_frame_limit"
723
- });
724
- setHandshakeState("failed");
725
- setCloseCause("preauth-payload-too-large", {
726
- payloadBytes: preauthPayloadBytes,
727
- limitBytes: MAX_PREAUTH_PAYLOAD_BYTES
728
- });
729
- close(1009, "preauth payload too large");
730
- return;
731
- }
732
- const text = rawDataToString(data);
733
- try {
734
- const parsed = JSON.parse(text);
735
- const frameType = parsed && typeof parsed === "object" && "type" in parsed ? typeof parsed.type === "string" ? String(parsed.type) : void 0 : void 0;
736
- const frameMethod = parsed && typeof parsed === "object" && "method" in parsed ? typeof parsed.method === "string" ? String(parsed.method) : void 0 : void 0;
737
- const frameId = parsed && typeof parsed === "object" && "id" in parsed ? typeof parsed.id === "string" ? String(parsed.id) : void 0 : void 0;
738
- if (frameType || frameMethod || frameId) setLastFrameMeta({
739
- type: frameType,
740
- method: frameMethod,
741
- id: frameId
742
- });
743
- const client = getClient();
744
- if (!client) {
745
- const isRequestFrame = validateRequestFrame(parsed);
746
- if (!isRequestFrame || parsed.method !== "connect" || !validateConnectParams(parsed.params)) {
747
- const handshakeError = isRequestFrame ? parsed.method === "connect" ? `invalid connect params: ${formatValidationErrors(validateConnectParams.errors)}` : "invalid handshake: first request must be connect" : "invalid request frame";
748
- setHandshakeState("failed");
749
- setCloseCause("invalid-handshake", {
750
- frameType,
751
- frameMethod,
752
- frameId,
753
- handshakeError
754
- });
755
- if (isRequestFrame) send({
756
- type: "res",
757
- id: parsed.id,
758
- ok: false,
759
- error: errorShape(ErrorCodes.INVALID_REQUEST, handshakeError)
760
- });
761
- else logWsControl.warn(`invalid handshake conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} fwd=${formatForLog(forwardedFor ?? "n/a")} origin=${formatForLog(requestOrigin ?? "n/a")} host=${formatForLog(requestHost ?? "n/a")} ua=${formatForLog(requestUserAgent ?? "n/a")}`);
762
- const closeReason = truncateCloseReason(handshakeError || "invalid handshake");
763
- if (isRequestFrame) queueMicrotask(() => close(1008, closeReason));
764
- else close(1008, closeReason);
765
- return;
766
- }
767
- const frame = parsed;
768
- const connectParams = frame.params;
769
- const resolvedAuth = getResolvedAuth();
770
- const clientLabel = connectParams.client.displayName ?? connectParams.client.id;
771
- const clientMeta = {
772
- client: connectParams.client.id,
773
- clientDisplayName: connectParams.client.displayName,
774
- mode: connectParams.client.mode,
775
- version: connectParams.client.version,
776
- platform: connectParams.client.platform,
777
- deviceFamily: connectParams.client.deviceFamily,
778
- modelIdentifier: connectParams.client.modelIdentifier,
779
- instanceId: connectParams.client.instanceId
780
- };
781
- const markHandshakeFailure = (cause, meta) => {
782
- setHandshakeState("failed");
783
- setCloseCause(cause, {
784
- ...meta,
785
- ...clientMeta
786
- });
787
- };
788
- const sendHandshakeErrorResponse = (code, message, options) => {
789
- send({
790
- type: "res",
791
- id: frame.id,
792
- ok: false,
793
- error: errorShape(code, message, options)
794
- });
795
- };
796
- if (isStartupPending?.()) {
797
- markHandshakeFailure(GATEWAY_STARTUP_PENDING_CLOSE_CAUSE);
798
- await sendFrame({
799
- type: "res",
800
- id: frame.id,
801
- ok: false,
802
- error: errorShape(ErrorCodes.UNAVAILABLE, "gateway starting; retry shortly", {
803
- retryable: true,
804
- retryAfterMs: 500,
805
- details: gatewayStartupUnavailableDetails()
806
- })
807
- }).catch(() => {});
808
- queueMicrotask(() => close(GATEWAY_STARTUP_CLOSE_CODE, GATEWAY_STARTUP_CLOSE_REASON));
809
- return;
810
- }
811
- const { minProtocol, maxProtocol } = connectParams;
812
- const supportsCurrentProtocol = maxProtocol >= 4 && minProtocol <= 4;
813
- const supportsProbeRestartProtocol = connectParams.client.mode === GATEWAY_CLIENT_MODES.PROBE && maxProtocol >= 4 && minProtocol <= 4;
814
- if (!supportsCurrentProtocol && !supportsProbeRestartProtocol) {
815
- markHandshakeFailure("protocol-mismatch", {
816
- minProtocol,
817
- maxProtocol,
818
- expectedProtocol: 4,
819
- minimumProbeProtocol: 4
820
- });
821
- logWsControl.warn(`protocol mismatch conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} remotePort=${remotePort ?? "?"} client=${formatForLog(clientLabel)} ${connectParams.client.mode} v${formatForLog(connectParams.client.version)} min=${minProtocol} max=${maxProtocol} expected=4 probeMin=4 instance=${formatForLog(connectParams.client.instanceId ?? "n/a")}`);
822
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "protocol mismatch", { details: {
823
- code: ConnectErrorDetailCodes.PROTOCOL_MISMATCH,
824
- clientMinProtocol: minProtocol,
825
- clientMaxProtocol: maxProtocol,
826
- expectedProtocol: 4,
827
- minimumProbeProtocol: 4
828
- } });
829
- close(1002, "protocol mismatch");
830
- return;
831
- }
832
- const roleRaw = connectParams.role ?? "operator";
833
- const role = parseGatewayRole(roleRaw);
834
- if (!role) {
835
- markHandshakeFailure("invalid-role", { role: roleRaw });
836
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "invalid role");
837
- close(1008, "invalid role");
838
- return;
839
- }
840
- let scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
841
- connectParams.role = role;
842
- connectParams.scopes = scopes;
843
- const isControlUi = isOperatorUiClient(connectParams.client);
844
- const isBrowserOperatorUi = isBrowserOperatorUiClient(connectParams.client);
845
- const isWebchat = isWebchatConnect(connectParams);
846
- const isNativeAppUi = connectParams.client.mode === GATEWAY_CLIENT_MODES.UI && (connectParams.client.id === GATEWAY_CLIENT_IDS.MACOS_APP || connectParams.client.id === GATEWAY_CLIENT_IDS.IOS_APP || connectParams.client.id === GATEWAY_CLIENT_IDS.ANDROID_APP);
847
- if (enforceOriginCheckForAnyClient || isBrowserOperatorUi || isWebchat) {
848
- const hostHeaderOriginFallbackEnabled = configSnapshot.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback === true;
849
- const originCheck = checkBrowserOrigin({
850
- requestHost,
851
- origin: requestOrigin,
852
- allowedOrigins: configSnapshot.gateway?.controlUi?.allowedOrigins,
853
- allowHostHeaderOriginFallback: hostHeaderOriginFallbackEnabled,
854
- isLocalClient
855
- });
856
- if (!originCheck.ok) {
857
- const errorMessage = "origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)";
858
- markHandshakeFailure("origin-mismatch", {
859
- origin: requestOrigin ?? "n/a",
860
- host: requestHost ?? "n/a",
861
- reason: originCheck.reason
862
- });
863
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, errorMessage, { details: {
864
- code: ConnectErrorDetailCodes.CONTROL_UI_ORIGIN_NOT_ALLOWED,
865
- reason: originCheck.reason
866
- } });
867
- close(1008, truncateCloseReason(errorMessage));
868
- return;
869
- }
870
- if (originCheck.matchedBy === "host-header-fallback") {
871
- originCheckMetrics.hostHeaderFallbackAccepted += 1;
872
- logWsControl.warn(`security warning: websocket origin accepted via Host-header fallback conn=${connId} count=${originCheckMetrics.hostHeaderFallbackAccepted} host=${requestHost ?? "n/a"} origin=${requestOrigin ?? "n/a"}`);
873
- if (hostHeaderOriginFallbackEnabled) logGateway.warn("security metric: gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback accepted a websocket connect request");
874
- }
875
- }
876
- const deviceRaw = connectParams.device;
877
- let devicePublicKey = null;
878
- let deviceAuthPayloadVersion = null;
879
- const hasTokenAuth = Boolean(connectParams.auth?.token);
880
- const hasPasswordAuth = Boolean(connectParams.auth?.password);
881
- const hasSharedAuth = hasTokenAuth || hasPasswordAuth;
882
- const controlUiAuthPolicy = resolveControlUiAuthPolicy({
883
- isControlUi,
884
- controlUiConfig: configSnapshot.gateway?.controlUi,
885
- deviceRaw
886
- });
887
- const device = controlUiAuthPolicy.device;
888
- let { authResult, authOk, authMethod, sharedAuthOk, bootstrapTokenCandidate, deviceTokenCandidate, deviceTokenCandidateSource } = await resolveConnectAuthState({
889
- resolvedAuth,
890
- connectAuth: connectParams.auth,
891
- hasDeviceIdentity: Boolean(device),
892
- req: upgradeReq,
893
- trustedProxies,
894
- allowRealIpFallback,
895
- rateLimiter: authRateLimiter,
896
- clientIp: browserRateLimitClientIp
897
- });
898
- const rejectUnauthorized = (failedAuth) => {
899
- const { authProvided, canRetryWithDeviceToken, recommendedNextStep } = resolveUnauthorizedHandshakeContext({
900
- connectAuth: connectParams.auth,
901
- failedAuth,
902
- hasDeviceIdentity: Boolean(device)
903
- });
904
- markHandshakeFailure("unauthorized", {
905
- authMode: resolvedAuth.mode,
906
- authProvided,
907
- authReason: failedAuth.reason,
908
- allowTailscale: resolvedAuth.allowTailscale,
909
- peer: peerLabel,
910
- remoteAddr,
911
- remotePort,
912
- localAddr,
913
- localPort,
914
- role,
915
- scopeCount: scopes.length,
916
- hasDeviceIdentity: Boolean(device)
917
- });
918
- logWsControl.warn(`unauthorized conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} client=${formatForLog(clientLabel)} ${connectParams.client.mode} v${formatForLog(connectParams.client.version)} role=${role} scopes=${scopes.length} auth=${authProvided} device=${device ? "yes" : "no"} platform=${formatForLog(connectParams.client.platform)} instance=${formatForLog(connectParams.client.instanceId ?? "n/a")} host=${formatForLog(requestHost ?? "n/a")} origin=${formatForLog(requestOrigin ?? "n/a")} ua=${formatForLog(requestUserAgent ?? "n/a")} reason=${failedAuth.reason ?? "unknown"}`);
919
- const authMessage = formatGatewayAuthFailureMessage({
920
- authMode: resolvedAuth.mode,
921
- authProvided,
922
- reason: failedAuth.reason,
923
- client: connectParams.client
924
- });
925
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, authMessage, { details: {
926
- code: resolveAuthConnectErrorDetailCode(failedAuth.reason),
927
- authReason: failedAuth.reason,
928
- canRetryWithDeviceToken,
929
- recommendedNextStep
930
- } });
931
- close(1008, truncateCloseReason(authMessage));
932
- };
933
- const clearUnboundScopes = () => {
934
- if (scopes.length > 0) {
935
- scopes = [];
936
- connectParams.scopes = scopes;
937
- }
938
- };
939
- let pairingLocality = resolvePairingLocality({
940
- connectParams,
941
- isLocalClient,
942
- requestHost,
943
- requestOrigin,
944
- remoteAddress: remoteAddr,
945
- hasProxyHeaders,
946
- hasBrowserOriginHeader,
947
- sharedAuthOk,
948
- authMethod
949
- });
950
- let skipLocalBackendSelfPairing = shouldSkipLocalBackendSelfPairing({
951
- connectParams,
952
- locality: pairingLocality,
953
- hasBrowserOriginHeader,
954
- sharedAuthOk,
955
- authMethod
956
- });
957
- const handleMissingDeviceIdentity = () => {
958
- const trustedProxyAuthOk = isTrustedProxyControlUiOperatorAuth({
959
- isControlUi,
960
- role,
961
- authMode: resolvedAuth.mode,
962
- authOk,
963
- authMethod
964
- });
965
- const preserveInsecureLocalControlUiScopes = isControlUi && controlUiAuthPolicy.allowInsecureAuthConfigured && isLocalClient && (authMethod === "token" || authMethod === "password");
966
- const decision = evaluateMissingDeviceIdentity({
967
- hasDeviceIdentity: Boolean(device),
968
- role,
969
- isControlUi,
970
- controlUiAuthPolicy,
971
- trustedProxyAuthOk,
972
- localBackendSelfPairingOk: skipLocalBackendSelfPairing,
973
- sharedAuthOk,
974
- authOk,
975
- hasSharedAuth,
976
- isLocalClient
977
- });
978
- if (!device && !skipLocalBackendSelfPairing && shouldClearUnboundScopesForMissingDeviceIdentity({
979
- decision,
980
- controlUiAuthPolicy,
981
- preserveInsecureLocalControlUiScopes,
982
- authMethod,
983
- trustedProxyAuthOk
984
- })) clearUnboundScopes();
985
- if (decision.kind === "allow") return true;
986
- if (decision.kind === "reject-control-ui-insecure-auth") {
987
- const errorMessage = "control ui requires device identity (use HTTPS or localhost secure context)";
988
- markHandshakeFailure("control-ui-insecure-auth", { insecureAuthConfigured: controlUiAuthPolicy.allowInsecureAuthConfigured });
989
- sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, errorMessage, { details: { code: ConnectErrorDetailCodes.CONTROL_UI_DEVICE_IDENTITY_REQUIRED } });
990
- close(1008, errorMessage);
991
- return false;
992
- }
993
- if (decision.kind === "reject-unauthorized") {
994
- rejectUnauthorized(authResult);
995
- return false;
996
- }
997
- markHandshakeFailure("device-required");
998
- sendHandshakeErrorResponse(ErrorCodes.NOT_PAIRED, "device identity required", { details: { code: ConnectErrorDetailCodes.DEVICE_IDENTITY_REQUIRED } });
999
- close(1008, "device identity required");
1000
- return false;
1001
- };
1002
- if (!handleMissingDeviceIdentity()) return;
1003
- if (device) {
1004
- const rejectDeviceAuthInvalid = (reason, message) => {
1005
- setHandshakeState("failed");
1006
- setCloseCause("device-auth-invalid", {
1007
- reason,
1008
- client: connectParams.client.id,
1009
- deviceId: device.id
1010
- });
1011
- send({
1012
- type: "res",
1013
- id: frame.id,
1014
- ok: false,
1015
- error: errorShape(ErrorCodes.INVALID_REQUEST, message, { details: {
1016
- code: resolveDeviceAuthConnectErrorDetailCode(reason),
1017
- reason
1018
- } })
1019
- });
1020
- close(1008, message);
1021
- };
1022
- const derivedId = deriveDeviceIdFromPublicKey(device.publicKey);
1023
- if (!derivedId || derivedId !== device.id) {
1024
- rejectDeviceAuthInvalid("device-id-mismatch", "device identity mismatch");
1025
- return;
1026
- }
1027
- const signedAt = device.signedAt;
1028
- if (typeof signedAt !== "number" || Math.abs(Date.now() - signedAt) > DEVICE_SIGNATURE_SKEW_MS) {
1029
- rejectDeviceAuthInvalid("device-signature-stale", "device signature expired");
1030
- return;
1031
- }
1032
- const providedNonce = typeof device.nonce === "string" ? device.nonce.trim() : "";
1033
- if (!providedNonce) {
1034
- rejectDeviceAuthInvalid("device-nonce-missing", "device nonce required");
1035
- return;
1036
- }
1037
- if (providedNonce !== connectNonce) {
1038
- rejectDeviceAuthInvalid("device-nonce-mismatch", "device nonce mismatch");
1039
- return;
1040
- }
1041
- const rejectDeviceSignatureInvalid = () => rejectDeviceAuthInvalid("device-signature", "device signature invalid");
1042
- const payloadVersion = resolveDeviceSignaturePayloadVersion({
1043
- device,
1044
- connectParams,
1045
- role,
1046
- scopes,
1047
- signedAtMs: signedAt,
1048
- nonce: providedNonce
1049
- });
1050
- if (!payloadVersion) {
1051
- rejectDeviceSignatureInvalid();
1052
- return;
1053
- }
1054
- deviceAuthPayloadVersion = payloadVersion;
1055
- devicePublicKey = normalizeDevicePublicKeyBase64Url(device.publicKey);
1056
- if (!devicePublicKey) {
1057
- rejectDeviceAuthInvalid("device-public-key", "device public key invalid");
1058
- return;
1059
- }
1060
- }
1061
- ({authResult, authOk, authMethod} = await resolveConnectAuthDecision({
1062
- state: {
1063
- authResult,
1064
- authOk,
1065
- authMethod,
1066
- sharedAuthOk,
1067
- sharedAuthProvided: hasSharedAuth,
1068
- bootstrapTokenCandidate,
1069
- deviceTokenCandidate,
1070
- deviceTokenCandidateSource
1071
- },
1072
- hasDeviceIdentity: Boolean(device),
1073
- deviceId: device?.id,
1074
- publicKey: device?.publicKey,
1075
- role,
1076
- scopes,
1077
- rateLimiter: authRateLimiter,
1078
- clientIp: browserRateLimitClientIp,
1079
- verifyBootstrapToken: async ({ deviceId, publicKey, token, role, scopes }) => await verifyDeviceBootstrapToken({
1080
- deviceId,
1081
- publicKey,
1082
- token,
1083
- role,
1084
- scopes
1085
- }),
1086
- verifyDeviceToken
1087
- }));
1088
- pairingLocality = resolvePairingLocality({
1089
- connectParams,
1090
- isLocalClient,
1091
- requestHost,
1092
- requestOrigin,
1093
- remoteAddress: remoteAddr,
1094
- hasProxyHeaders,
1095
- hasBrowserOriginHeader,
1096
- sharedAuthOk,
1097
- authMethod
1098
- });
1099
- skipLocalBackendSelfPairing = shouldSkipLocalBackendSelfPairing({
1100
- connectParams,
1101
- locality: pairingLocality,
1102
- hasBrowserOriginHeader,
1103
- sharedAuthOk,
1104
- authMethod
1105
- });
1106
- if (!authOk) {
1107
- rejectUnauthorized(authResult);
1108
- return;
1109
- }
1110
- if (authMethod === "token" || authMethod === "password" || authMethod === "trusted-proxy") {
1111
- const sharedGatewaySessionGeneration = resolveSharedGatewaySessionGeneration(resolvedAuth, trustedProxies);
1112
- const requiredSharedGatewaySessionGeneration = getRequiredSharedGatewaySessionGeneration?.();
1113
- if (requiredSharedGatewaySessionGeneration !== void 0 && sharedGatewaySessionGeneration !== requiredSharedGatewaySessionGeneration) {
1114
- setCloseCause("gateway-auth-rotated", { authGenerationStale: true });
1115
- close(4001, "gateway auth changed");
1116
- return;
1117
- }
1118
- }
1119
- const issuedBootstrapProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate ? await getDeviceBootstrapTokenProfile({ token: bootstrapTokenCandidate }) : null;
1120
- let handoffBootstrapProfile = null;
1121
- const trustedProxyAuthOk = isTrustedProxyControlUiOperatorAuth({
1122
- isControlUi,
1123
- role,
1124
- authMode: resolvedAuth.mode,
1125
- authOk,
1126
- authMethod
1127
- });
1128
- if (trustedProxyAuthOk) {
1129
- scopes = resolveTrustedProxyControlUiScopes({
1130
- requestedScopes: scopes,
1131
- upgradeReq
1132
- });
1133
- connectParams.scopes = scopes;
1134
- }
1135
- const skipControlUiPairingForDevice = shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk, resolvedAuth.mode, authMethod);
1136
- let hasServerApprovedDeviceTokenBaseline = false;
1137
- if (device && devicePublicKey) {
1138
- const formatAuditList = (items) => {
1139
- if (!items || items.length === 0) return "<none>";
1140
- const out = /* @__PURE__ */ new Set();
1141
- for (const item of items) {
1142
- const trimmed = item.trim();
1143
- if (trimmed) out.add(trimmed);
1144
- }
1145
- if (out.size === 0) return "<none>";
1146
- return [...out].toSorted().join(",");
1147
- };
1148
- const logUpgradeAudit = (reason, currentRoles, currentScopes) => {
1149
- logGateway.warn(`security audit: device access upgrade requested reason=${reason} device=${device.id} ip=${reportedClientIp ?? "unknown-ip"} auth=${authMethod} roleFrom=${formatAuditList(currentRoles)} roleTo=${role} scopesFrom=${formatAuditList(currentScopes)} scopesTo=${formatAuditList(scopes)} client=${connectParams.client.id} conn=${connId}`);
1150
- };
1151
- const clientPairingMetadata = {
1152
- displayName: connectParams.client.displayName,
1153
- platform: connectParams.client.platform,
1154
- deviceFamily: connectParams.client.deviceFamily,
1155
- clientId: connectParams.client.id,
1156
- clientMode: connectParams.client.mode,
1157
- role,
1158
- scopes,
1159
- remoteIp: reportedClientIp
1160
- };
1161
- const clientAccessMetadata = {
1162
- displayName: connectParams.client.displayName,
1163
- remoteIp: reportedClientIp
1164
- };
1165
- const requirePairing = async (reason, existingPairedDevice = null) => {
1166
- const pairingStateAllowsRequestedAccess = (pairedCandidate) => {
1167
- if (!pairedCandidate || pairedCandidate.publicKey !== devicePublicKey) return false;
1168
- if (!hasEffectivePairedDeviceRole(pairedCandidate, role)) return false;
1169
- if (scopes.length === 0) return true;
1170
- const pairedScopes = Array.isArray(pairedCandidate.approvedScopes) ? pairedCandidate.approvedScopes : Array.isArray(pairedCandidate.scopes) ? pairedCandidate.scopes : [];
1171
- if (pairedScopes.length === 0) return false;
1172
- return roleScopesAllow({
1173
- role,
1174
- requestedScopes: scopes,
1175
- allowedScopes: pairedScopes
1176
- });
1177
- };
1178
- const allowSilentLocalPairing = !(existingPairedDevice && role !== "operator") && shouldAllowSilentLocalPairing({
1179
- locality: pairingLocality,
1180
- hasBrowserOriginHeader,
1181
- isControlUi,
1182
- isWebchat,
1183
- isNativeAppUi,
1184
- reason
1185
- });
1186
- const allowSilentTrustedCidrsNodePairing = shouldAutoApproveNodePairingFromTrustedCidrs({
1187
- existingPairedDevice: Boolean(existingPairedDevice),
1188
- role,
1189
- reason,
1190
- scopes,
1191
- hasBrowserOriginHeader,
1192
- isControlUi,
1193
- isWebchat,
1194
- reportedClientIpSource,
1195
- reportedClientIp,
1196
- autoApproveCidrs: configSnapshot.gateway?.nodes?.pairing?.autoApproveCidrs
1197
- });
1198
- const boundBootstrapProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate && reason === "not-paired" && role === "node" && scopes.length === 0 && !existingPairedDevice && !isControlUi && !isBrowserOperatorUi && !isWebchat && connectParams.client.mode === GATEWAY_CLIENT_MODES.NODE ? await getBoundDeviceBootstrapProfile({
1199
- token: bootstrapTokenCandidate,
1200
- deviceId: device.id,
1201
- publicKey: devicePublicKey
1202
- }) : null;
1203
- const allowSilentBootstrapPairing = boundBootstrapProfile !== null && sameBootstrapProfile(boundBootstrapProfile, PAIRING_SETUP_BOOTSTRAP_PROFILE);
1204
- const bootstrapPairingRoles = allowSilentBootstrapPairing ? Array.from(new Set([role, ...boundBootstrapProfile.roles])) : void 0;
1205
- const pairing = await requestDevicePairing({
1206
- deviceId: device.id,
1207
- publicKey: devicePublicKey,
1208
- ...clientPairingMetadata,
1209
- ...bootstrapPairingRoles ? {
1210
- roles: bootstrapPairingRoles,
1211
- scopes: [...BOOTSTRAP_HANDOFF_OPERATOR_SCOPES]
1212
- } : {},
1213
- silent: reason === "scope-upgrade" ? false : allowSilentLocalPairing || allowSilentTrustedCidrsNodePairing || allowSilentBootstrapPairing
1214
- });
1215
- const context = buildRequestContext();
1216
- let approved;
1217
- let resolvedByConcurrentApproval = false;
1218
- let recoveryRequestId = pairing.request.requestId;
1219
- const resolveLivePendingRequestId = async () => {
1220
- const pendingList = await listDevicePairing();
1221
- const exactPending = pendingList.pending.find((pending) => pending.requestId === pairing.request.requestId);
1222
- if (exactPending) return exactPending.requestId;
1223
- return pendingList.pending.find((pending) => pending.deviceId === device.id && pending.publicKey === devicePublicKey)?.requestId;
1224
- };
1225
- if (pairing.request.silent === true) {
1226
- approved = allowSilentBootstrapPairing && boundBootstrapProfile ? await approveBootstrapDevicePairing(pairing.request.requestId, boundBootstrapProfile) : await approveDevicePairing(pairing.request.requestId, { callerScopes: scopes });
1227
- if (approved?.status === "approved") {
1228
- if (allowSilentBootstrapPairing && boundBootstrapProfile) handoffBootstrapProfile = boundBootstrapProfile;
1229
- logGateway.info(`device pairing auto-approved device=${approved.device.deviceId} role=${approved.device.role ?? "unknown"}`);
1230
- context.broadcast("device.pair.resolved", {
1231
- requestId: pairing.request.requestId,
1232
- deviceId: approved.device.deviceId,
1233
- decision: "approved",
1234
- ts: Date.now()
1235
- }, { dropIfSlow: true });
1236
- } else {
1237
- resolvedByConcurrentApproval = pairingStateAllowsRequestedAccess(await getPairedDevice(device.id));
1238
- let requestStillPending = false;
1239
- if (!resolvedByConcurrentApproval) {
1240
- recoveryRequestId = await resolveLivePendingRequestId();
1241
- requestStillPending = recoveryRequestId === pairing.request.requestId;
1242
- }
1243
- if (requestStillPending) context.broadcast("device.pair.requested", pairing.request, { dropIfSlow: true });
1244
- }
1245
- } else if (pairing.created) context.broadcast("device.pair.requested", pairing.request, { dropIfSlow: true });
1246
- recoveryRequestId = await resolveLivePendingRequestId();
1247
- if (!(pairing.request.silent === true && (approved?.status === "approved" || resolvedByConcurrentApproval))) {
1248
- const exposeApprovedAccess = existingPairedDevice?.publicKey === devicePublicKey;
1249
- const approvedRoles = exposeApprovedAccess ? listApprovedPairedDeviceRoles(existingPairedDevice) : [];
1250
- const approvedScopes = exposeApprovedAccess ? Array.isArray(existingPairedDevice.approvedScopes) ? existingPairedDevice.approvedScopes : Array.isArray(existingPairedDevice.scopes) ? existingPairedDevice.scopes : [] : [];
1251
- const retryAfterBootstrapPairingApproval = authMethod === "bootstrap-token" && reason === "not-paired" && role === "node" && scopes.length === 0 && !existingPairedDevice;
1252
- const pairingErrorDetails = buildPairingConnectErrorDetails({
1253
- reason,
1254
- requestId: recoveryRequestId,
1255
- ...retryAfterBootstrapPairingApproval ? {
1256
- recommendedNextStep: "wait_then_retry",
1257
- retryable: true,
1258
- pauseReconnect: false
1259
- } : {},
1260
- deviceId: device.id,
1261
- requestedRole: role,
1262
- requestedScopes: scopes,
1263
- ...approvedRoles.length > 0 ? { approvedRoles } : {},
1264
- ...approvedScopes.length > 0 ? { approvedScopes } : {}
1265
- });
1266
- const pairingErrorMessage = buildPairingConnectErrorMessage(reason);
1267
- setHandshakeState("failed");
1268
- setCloseCause("pairing-required", {
1269
- deviceId: device.id,
1270
- ...recoveryRequestId ? { requestId: recoveryRequestId } : {},
1271
- reason
1272
- });
1273
- send({
1274
- type: "res",
1275
- id: frame.id,
1276
- ok: false,
1277
- error: errorShape(ErrorCodes.NOT_PAIRED, pairingErrorMessage, { details: pairingErrorDetails })
1278
- });
1279
- close(1008, truncateCloseReason(buildPairingConnectCloseReason({
1280
- reason,
1281
- requestId: recoveryRequestId
1282
- })));
1283
- return false;
1284
- }
1285
- return true;
1286
- };
1287
- const paired = await getPairedDevice(device.id);
1288
- if (!(paired?.publicKey === devicePublicKey)) {
1289
- if (!(skipLocalBackendSelfPairing || skipControlUiPairingForDevice)) {
1290
- if (!await requirePairing("not-paired", paired)) return;
1291
- hasServerApprovedDeviceTokenBaseline = true;
1292
- } else if (skipControlUiPairingForDevice || skipLocalBackendSelfPairing && authMethod !== "device-token") hasServerApprovedDeviceTokenBaseline = true;
1293
- } else {
1294
- hasServerApprovedDeviceTokenBaseline = true;
1295
- const claimedPlatform = connectParams.client.platform;
1296
- const pairedPlatform = paired.platform;
1297
- const claimedDeviceFamily = connectParams.client.deviceFamily;
1298
- const pairedDeviceFamily = paired.deviceFamily;
1299
- const metadataPinning = resolvePinnedClientMetadata({
1300
- clientId: connectParams.client.id,
1301
- clientMode: connectParams.client.mode,
1302
- claimedPlatform,
1303
- claimedDeviceFamily,
1304
- pairedPlatform,
1305
- pairedDeviceFamily
1306
- });
1307
- const { platformMismatch, deviceFamilyMismatch } = metadataPinning;
1308
- if (platformMismatch || deviceFamilyMismatch) {
1309
- if (!shouldAllowSilentLocalPairing({
1310
- locality: pairingLocality,
1311
- hasBrowserOriginHeader,
1312
- isControlUi,
1313
- isWebchat,
1314
- isNativeAppUi,
1315
- reason: "metadata-upgrade"
1316
- })) logGateway.warn(`security audit: device metadata upgrade requested reason=metadata-upgrade device=${device.id} ip=${reportedClientIp ?? "unknown-ip"} auth=${authMethod} payload=${deviceAuthPayloadVersion ?? "unknown"} claimedPlatform=${claimedPlatform ?? "<none>"} pinnedPlatform=${pairedPlatform ?? "<none>"} claimedDeviceFamily=${claimedDeviceFamily ?? "<none>"} pinnedDeviceFamily=${pairedDeviceFamily ?? "<none>"} client=${connectParams.client.id} conn=${connId}`);
1317
- if (!await requirePairing("metadata-upgrade", paired)) return;
1318
- } else {
1319
- if (metadataPinning.pinnedPlatform) connectParams.client.platform = metadataPinning.pinnedPlatform;
1320
- if (metadataPinning.pinnedDeviceFamily) connectParams.client.deviceFamily = metadataPinning.pinnedDeviceFamily;
1321
- }
1322
- const pairedRoles = listEffectivePairedDeviceRoles(paired);
1323
- const pairedScopes = Array.isArray(paired.approvedScopes) ? paired.approvedScopes : Array.isArray(paired.scopes) ? paired.scopes : [];
1324
- const allowedRoles = new Set(pairedRoles);
1325
- if (allowedRoles.size === 0) {
1326
- logUpgradeAudit("role-upgrade", pairedRoles, pairedScopes);
1327
- if (!await requirePairing("role-upgrade", paired)) return;
1328
- } else if (!allowedRoles.has(role)) {
1329
- logUpgradeAudit("role-upgrade", pairedRoles, pairedScopes);
1330
- if (!await requirePairing("role-upgrade", paired)) return;
1331
- }
1332
- if (scopes.length > 0) {
1333
- if (pairedScopes.length === 0) {
1334
- logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
1335
- if (!await requirePairing("scope-upgrade", paired)) return;
1336
- } else if (!roleScopesAllow({
1337
- role,
1338
- requestedScopes: scopes,
1339
- allowedScopes: pairedScopes
1340
- })) {
1341
- logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
1342
- if (!await requirePairing("scope-upgrade", paired)) return;
1343
- }
1344
- }
1345
- const retryBootstrapHandoffProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate && role === "node" && scopes.length === 0 && !isControlUi && !isBrowserOperatorUi && !isWebchat && connectParams.client.mode === GATEWAY_CLIENT_MODES.NODE && pairedRoles.includes("operator") && roleScopesAllow({
1346
- role: "operator",
1347
- requestedScopes: BOOTSTRAP_HANDOFF_OPERATOR_SCOPES,
1348
- allowedScopes: pairedScopes
1349
- }) ? await getBoundDeviceBootstrapProfile({
1350
- token: bootstrapTokenCandidate,
1351
- deviceId: device.id,
1352
- publicKey: devicePublicKey
1353
- }) : null;
1354
- if (retryBootstrapHandoffProfile && sameBootstrapProfile(retryBootstrapHandoffProfile, PAIRING_SETUP_BOOTSTRAP_PROFILE)) handoffBootstrapProfile = retryBootstrapHandoffProfile;
1355
- await updatePairedDeviceMetadata(device.id, {
1356
- ...clientAccessMetadata,
1357
- ...metadataPinning.refreshPairedPlatform ? { platform: metadataPinning.refreshPairedPlatform } : {}
1358
- });
1359
- }
1360
- }
1361
- const deviceToken = !trustedProxyAuthOk && device && hasServerApprovedDeviceTokenBaseline ? await ensureDeviceToken({
1362
- deviceId: device.id,
1363
- role,
1364
- scopes
1365
- }) : null;
1366
- const bootstrapDeviceTokens = [];
1367
- if (deviceToken) bootstrapDeviceTokens.push({
1368
- deviceToken: deviceToken.token,
1369
- role: deviceToken.role,
1370
- scopes: deviceToken.scopes,
1371
- issuedAtMs: deviceToken.rotatedAtMs ?? deviceToken.createdAtMs
1372
- });
1373
- const approvedHandoffBootstrapProfile = handoffBootstrapProfile;
1374
- if (device && approvedHandoffBootstrapProfile) for (const bootstrapRole of approvedHandoffBootstrapProfile.roles) {
1375
- if (bootstrapDeviceTokens.some((entry) => entry.role === bootstrapRole)) continue;
1376
- const bootstrapRoleScopes = bootstrapRole === "operator" ? resolveBootstrapProfileScopesForRole(bootstrapRole, approvedHandoffBootstrapProfile.scopes) : [];
1377
- const extraToken = await ensureDeviceToken({
1378
- deviceId: device.id,
1379
- role: bootstrapRole,
1380
- scopes: bootstrapRoleScopes
1381
- });
1382
- if (!extraToken) continue;
1383
- bootstrapDeviceTokens.push({
1384
- deviceToken: extraToken.token,
1385
- role: extraToken.role,
1386
- scopes: extraToken.scopes,
1387
- issuedAtMs: extraToken.rotatedAtMs ?? extraToken.createdAtMs
1388
- });
1389
- }
1390
- if (role === "node") {
1391
- const reconciliation = await reconcileNodePairingOnConnect({
1392
- cfg: getRuntimeConfig(),
1393
- connectParams,
1394
- pairedNode: await getPairedNode(connectParams.device?.id ?? connectParams.client.id),
1395
- reportedClientIp,
1396
- requestPairing: async (input) => await requestNodePairing(input)
1397
- });
1398
- if (reconciliation.pendingPairing?.created) {
1399
- const requestContext = buildRequestContext();
1400
- const resolvedAt = Date.now();
1401
- for (const superseded of reconciliation.pendingPairing.superseded ?? []) requestContext.broadcast("node.pair.resolved", {
1402
- requestId: superseded.requestId,
1403
- nodeId: superseded.nodeId,
1404
- decision: "rejected",
1405
- ts: resolvedAt
1406
- }, { dropIfSlow: true });
1407
- requestContext.broadcast("node.pair.requested", reconciliation.pendingPairing.request, { dropIfSlow: true });
1408
- }
1409
- const nodeConnectParams = connectParams;
1410
- nodeConnectParams.declaredCaps = reconciliation.declaredCaps;
1411
- nodeConnectParams.declaredCommands = reconciliation.declaredCommands;
1412
- nodeConnectParams.declaredPermissions = reconciliation.declaredPermissions;
1413
- connectParams.caps = reconciliation.effectiveCaps;
1414
- connectParams.commands = reconciliation.effectiveCommands;
1415
- connectParams.permissions = reconciliation.effectivePermissions;
1416
- }
1417
- const shouldTrackPresence = !isGatewayCliClient(connectParams.client);
1418
- const clientId = connectParams.client.id;
1419
- const instanceId = connectParams.client.instanceId;
1420
- const presenceKey = shouldTrackPresence ? device?.id ?? instanceId ?? connId : void 0;
1421
- if (isClosed()) {
1422
- setCloseCause("connect-aborted-before-register", {
1423
- ...clientMeta,
1424
- auth: authMethod
1425
- });
1426
- return;
1427
- }
1428
- const pluginSurfaceUrls = {};
1429
- const pluginNodeCapabilitySurfaces = indexPluginNodeCapabilitySurfaces(pluginNodeCapabilities);
1430
- const pendingPluginNodeCapabilities = [];
1431
- if (pluginSurfaceBaseUrl) for (const pluginCapabilitySurface of Object.values(pluginNodeCapabilitySurfaces)) {
1432
- const capability = mintPluginNodeCapabilityToken();
1433
- const expiresAtMs = Date.now() + resolvePluginNodeCapabilityTtlMs(pluginCapabilitySurface);
1434
- const scopedUrl = buildPluginNodeCapabilityScopedHostUrl(pluginSurfaceBaseUrl, capability) ?? pluginSurfaceBaseUrl;
1435
- pluginSurfaceUrls[pluginCapabilitySurface.surface] = scopedUrl;
1436
- pendingPluginNodeCapabilities.push({
1437
- surface: pluginCapabilitySurface,
1438
- capability,
1439
- expiresAtMs
1440
- });
1441
- }
1442
- const usesSharedGatewayAuth = authMethod === "token" || authMethod === "password" || authMethod === "trusted-proxy";
1443
- const sharedGatewaySessionGeneration = usesSharedGatewayAuth ? resolveSharedGatewaySessionGeneration(resolvedAuth, trustedProxies) : void 0;
1444
- const isTrustedApprovalRuntime = scopes.includes("operator.approvals") && connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT && connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND && isOperatorApprovalRuntimeToken(connectParams.auth?.approvalRuntimeToken);
1445
- clearHandshakeTimer();
1446
- const nextClient = {
1447
- socket,
1448
- connect: connectParams,
1449
- connId,
1450
- isDeviceTokenAuth: authMethod === "device-token",
1451
- usesSharedGatewayAuth,
1452
- sharedGatewaySessionGeneration,
1453
- presenceKey,
1454
- clientIp: reportedClientIp,
1455
- ...isTrustedApprovalRuntime ? { internal: { approvalRuntime: true } } : {},
1456
- ...Object.keys(pluginSurfaceUrls).length > 0 ? { pluginSurfaceUrls } : {},
1457
- ...Object.keys(pluginNodeCapabilitySurfaces).length > 0 ? { pluginNodeCapabilitySurfaces } : {}
1458
- };
1459
- for (const entry of pendingPluginNodeCapabilities) setClientPluginNodeCapability({
1460
- client: nextClient,
1461
- surface: entry.surface,
1462
- capability: entry.capability,
1463
- expiresAtMs: entry.expiresAtMs
1464
- });
1465
- setSocketMaxPayload(socket, MAX_PAYLOAD_BYTES);
1466
- if (!setClient(nextClient)) {
1467
- setCloseCause("connect-aborted-before-register", {
1468
- ...clientMeta,
1469
- auth: authMethod
1470
- });
1471
- return;
1472
- }
1473
- setHandshakeState("connected");
1474
- logWs("in", "connect", {
1475
- connId,
1476
- client: connectParams.client.id,
1477
- clientDisplayName: connectParams.client.displayName,
1478
- version: connectParams.client.version,
1479
- mode: connectParams.client.mode,
1480
- clientId,
1481
- platform: connectParams.client.platform,
1482
- auth: authMethod
1483
- });
1484
- if (isWebchatConnect(connectParams)) logWsControl.info(`webchat connected conn=${connId} remote=${remoteAddr ?? "?"} client=${clientLabel} ${connectParams.client.mode} v${connectParams.client.version}`);
1485
- if (presenceKey) {
1486
- upsertPresence(presenceKey, {
1487
- host: connectParams.client.displayName ?? connectParams.client.id ?? os.hostname(),
1488
- ip: isLocalClient ? void 0 : reportedClientIp,
1489
- version: connectParams.client.version,
1490
- platform: connectParams.client.platform,
1491
- deviceFamily: connectParams.client.deviceFamily,
1492
- modelIdentifier: connectParams.client.modelIdentifier,
1493
- mode: connectParams.client.mode,
1494
- deviceId: device?.id,
1495
- roles: [role],
1496
- scopes,
1497
- instanceId: device?.id ?? instanceId,
1498
- reason: "connect"
1499
- });
1500
- incrementPresenceVersion();
1501
- }
1502
- if (role === "node") {
1503
- const context = buildRequestContext();
1504
- const nodeSession = context.nodeRegistry.register(nextClient, { remoteIp: reportedClientIp });
1505
- const instanceIdRaw = connectParams.client.instanceId;
1506
- const instanceId = typeof instanceIdRaw === "string" ? instanceIdRaw.trim() : "";
1507
- const nodeIdsForPairing = new Set([nodeSession.nodeId]);
1508
- if (instanceId) nodeIdsForPairing.add(instanceId);
1509
- for (const nodeId of nodeIdsForPairing) updatePairedNodeMetadata(nodeId, { lastConnectedAtMs: nodeSession.connectedAtMs }).catch((err) => logGateway.warn(`failed to record last connect for ${nodeId}: ${formatForLog(err)}`));
1510
- recordRemoteNodeInfo({
1511
- nodeId: nodeSession.nodeId,
1512
- displayName: nodeSession.displayName,
1513
- platform: nodeSession.platform,
1514
- deviceFamily: nodeSession.deviceFamily,
1515
- commands: nodeSession.commands,
1516
- remoteIp: nodeSession.remoteIp
1517
- });
1518
- refreshRemoteNodeBins({
1519
- nodeId: nodeSession.nodeId,
1520
- platform: nodeSession.platform,
1521
- deviceFamily: nodeSession.deviceFamily,
1522
- commands: nodeSession.commands,
1523
- cfg: getRuntimeConfig()
1524
- }).catch((err) => logGateway.warn(`remote bin probe failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
1525
- loadVoiceWakeConfig().then((cfg) => {
1526
- context.nodeRegistry.sendEvent(nodeSession.nodeId, "voicewake.changed", { triggers: cfg.triggers });
1527
- }).catch((err) => logGateway.warn(`voicewake snapshot failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
1528
- loadVoiceWakeRoutingConfig().then((routing) => {
1529
- context.nodeRegistry.sendEvent(nodeSession.nodeId, "voicewake.routing.changed", { config: routing });
1530
- }).catch((err) => logGateway.warn(`voicewake routing snapshot failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
1531
- }
1532
- const snapshot = buildGatewaySnapshot({ includeSensitive: scopes.includes(ADMIN_SCOPE) });
1533
- const cachedHealth = getHealthCache();
1534
- if (cachedHealth) {
1535
- snapshot.health = cachedHealth;
1536
- snapshot.stateVersion.health = getHealthVersion();
1537
- }
1538
- const helloOkAuthScopes = deviceToken ? deviceToken.scopes : scopes;
1539
- const helloOk = {
1540
- type: "hello-ok",
1541
- protocol: 4,
1542
- server: {
1543
- version: resolveRuntimeServiceVersion(process.env),
1544
- connId
1545
- },
1546
- features: {
1547
- methods: gatewayMethods,
1548
- events
1549
- },
1550
- snapshot,
1551
- ...Object.keys(pluginSurfaceUrls).length > 0 ? { pluginSurfaceUrls } : {},
1552
- auth: {
1553
- role,
1554
- scopes: helloOkAuthScopes,
1555
- ...deviceToken ? {
1556
- deviceToken: deviceToken.token,
1557
- issuedAtMs: deviceToken.rotatedAtMs ?? deviceToken.createdAtMs,
1558
- ...bootstrapDeviceTokens.length > 1 ? { deviceTokens: bootstrapDeviceTokens.slice(1) } : {}
1559
- } : {}
1560
- },
1561
- policy: {
1562
- maxPayload: MAX_PAYLOAD_BYTES,
1563
- maxBufferedBytes: MAX_BUFFERED_BYTES,
1564
- tickIntervalMs: TICK_INTERVAL_MS
1565
- }
1566
- };
1567
- let revokedBootstrapTokenRecord;
1568
- if (authMethod === "bootstrap-token" && bootstrapTokenCandidate && device) try {
1569
- if (handoffBootstrapProfile || issuedBootstrapProfile) {
1570
- const redemption = await redeemDeviceBootstrapTokenProfile({
1571
- token: bootstrapTokenCandidate,
1572
- role,
1573
- scopes
1574
- });
1575
- if (handoffBootstrapProfile || redemption.fullyRedeemed) {
1576
- const revoked = await revokeDeviceBootstrapToken({ token: bootstrapTokenCandidate });
1577
- if (!revoked.removed) logGateway.warn(`bootstrap token revoke skipped after profile redemption device=${device.id}`);
1578
- else revokedBootstrapTokenRecord = revoked.record;
1579
- }
1580
- }
1581
- } catch (err) {
1582
- logGateway.warn(`bootstrap token post-connect bookkeeping failed device=${device.id}: ${formatForLog(err)}`);
1583
- }
1584
- try {
1585
- await sendFrame({
1586
- type: "res",
1587
- id: frame.id,
1588
- ok: true,
1589
- payload: helloOk
1590
- });
1591
- } catch (err) {
1592
- if (revokedBootstrapTokenRecord) try {
1593
- await restoreDeviceBootstrapToken({ record: revokedBootstrapTokenRecord });
1594
- } catch (restoreErr) {
1595
- logGateway.warn(`bootstrap token restore after hello-send failure failed device=${device?.id ?? "unknown"}: ${formatForLog(restoreErr)}`);
1596
- }
1597
- setCloseCause("hello-send-failed", { error: formatForLog(err) });
1598
- close();
1599
- return;
1600
- }
1601
- logWs("out", "hello-ok", {
1602
- connId,
1603
- methods: gatewayMethods.length,
1604
- events: events.length,
1605
- presence: snapshot.presence.length,
1606
- stateVersion: snapshot.stateVersion.presence
1607
- });
1608
- refreshHealthSnapshot({ probe: true }).catch((err) => logHealth.error(`post-connect health refresh failed: ${formatError(err)}`));
1609
- return;
1610
- }
1611
- if (!validateRequestFrame(parsed)) {
1612
- send({
1613
- type: "res",
1614
- id: parsed?.id ?? "invalid",
1615
- ok: false,
1616
- error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid request frame: ${formatValidationErrors(validateRequestFrame.errors)}`)
1617
- });
1618
- return;
1619
- }
1620
- const req = parsed;
1621
- logWs("in", "req", {
1622
- connId,
1623
- id: req.id,
1624
- method: req.method
1625
- });
1626
- if (client.usesSharedGatewayAuth) {
1627
- const requiredSharedGatewaySessionGeneration = getRequiredSharedGatewaySessionGeneration?.();
1628
- if (requiredSharedGatewaySessionGeneration !== void 0 && client.sharedGatewaySessionGeneration !== requiredSharedGatewaySessionGeneration) {
1629
- setCloseCause("gateway-auth-rotated", {
1630
- authGenerationStale: true,
1631
- method: req.method
1632
- });
1633
- close(4001, "gateway auth changed");
1634
- return;
1635
- }
1636
- }
1637
- const respond = (ok, payload, error, meta) => {
1638
- send({
1639
- type: "res",
1640
- id: req.id,
1641
- ok,
1642
- payload,
1643
- error
1644
- });
1645
- const unauthorizedRoleError = isUnauthorizedRoleError(error);
1646
- let logMeta = meta;
1647
- if (unauthorizedRoleError) {
1648
- const unauthorizedDecision = unauthorizedFloodGuard.registerUnauthorized();
1649
- if (unauthorizedDecision.suppressedSinceLastLog > 0) logMeta = {
1650
- ...logMeta,
1651
- suppressedUnauthorizedResponses: unauthorizedDecision.suppressedSinceLastLog
1652
- };
1653
- if (!unauthorizedDecision.shouldLog) return;
1654
- if (unauthorizedDecision.shouldClose) {
1655
- setCloseCause("repeated-unauthorized-requests", {
1656
- unauthorizedCount: unauthorizedDecision.count,
1657
- method: req.method
1658
- });
1659
- queueMicrotask(() => close(1008, "repeated unauthorized calls"));
1660
- }
1661
- logMeta = {
1662
- ...logMeta,
1663
- unauthorizedCount: unauthorizedDecision.count
1664
- };
1665
- } else unauthorizedFloodGuard.reset();
1666
- logWs("out", "res", {
1667
- connId,
1668
- id: req.id,
1669
- ok,
1670
- method: req.method,
1671
- errorCode: error?.code,
1672
- errorMessage: error?.message,
1673
- ...logMeta
1674
- });
1675
- };
1676
- (async () => {
1677
- const { handleGatewayRequest } = await import("./server-methods-CbFofeYw.js");
1678
- await handleGatewayRequest({
1679
- req,
1680
- respond,
1681
- client,
1682
- isWebchatConnect,
1683
- extraHandlers,
1684
- methodRegistry: getMethodRegistry?.(),
1685
- context: buildRequestContext()
1686
- });
1687
- })().catch((err) => {
1688
- logGateway.error(`request handler failed: ${formatForLog(err)}`);
1689
- respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
1690
- });
1691
- } catch (err) {
1692
- logGateway.error(`parse/handle error: ${String(err)}`);
1693
- logWs("out", "parse-error", {
1694
- connId,
1695
- error: formatForLog(err)
1696
- });
1697
- if (!getClient()) close();
1698
- }
1699
- };
1700
- socket.on("message", (data) => {
1701
- runWithDiagnosticTraceContext(createDiagnosticTraceContext(), () => handleMessage(data));
1702
- });
1703
- }
1704
- function getRawDataByteLength(data) {
1705
- if (Buffer.isBuffer(data)) return data.byteLength;
1706
- if (Array.isArray(data)) return data.reduce((total, chunk) => total + chunk.byteLength, 0);
1707
- if (data instanceof ArrayBuffer) return data.byteLength;
1708
- return Buffer.byteLength(String(data));
1709
- }
1710
- function setSocketMaxPayload(socket, maxPayload) {
1711
- const receiver = socket["_receiver"];
1712
- if (receiver) receiver["_maxPayload"] = maxPayload;
1713
- }
1714
- //#endregion
1715
- export { attachGatewayWsMessageHandler };