@geminixiang/mama 0.2.0-beta.2 → 0.2.0-beta.21

package/dist/vault.js

@@ -1,8 +1,26 @@
-import { chmodSync, closeSync, constants as fsConstants, existsSync, mkdirSync, openSync, readFileSync, renameSync, unlinkSync, writeSync, } from "fs";
-import { randomBytes } from "crypto";
-import { basename, dirname, isAbsolute, join, normalize, sep } from "path";
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, rmSync, writeFileSync, } from "fs";
+import { dirname, isAbsolute, join, normalize, sep } from "path";
+import { readTextFileIfExists } from "./file-guards.js";
+import { atomicWritePrivateFile } from "./fs-atomic.js";
+import { reportUserFacingError } from "./sentry.js";
 const PRIVATE_DIR_MODE = 0o700;
-const PRIVATE_FILE_MODE = 0o600;
+const SHARED_VAULT_DIR = "shared";
+export function normalizeSharedVaultName(name) {
+    const trimmed = name.trim();
+    if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed))
+        return undefined;
+    return trimmed;
+}
+export function sharedVaultKey(name) {
+    const normalized = normalizeSharedVaultName(name);
+    return normalized ? `${SHARED_VAULT_DIR}/${normalized}` : undefined;
+}
+function sanitizeCloudflareSandboxId(value) {
+    return (value
+        .toLowerCase()
+        .replace(/[^a-z0-9-]+/g, "-")
+        .replace(/^-+|-+$/g, "") || "unknown");
+}
 // ── parseEnvFile ───────────────────────────────────────────────────────────────
 /**
  * Parse a KEY=VALUE env file. Supports:
@@ -26,7 +44,6 @@ export function parseEnvFile(content) {
         if (!key)
             continue;
         let value = trimmed.slice(eqIndex + 1);
-        // Strip matching quotes
         if ((value.startsWith('"') && value.endsWith('"')) ||
             (value.startsWith("'") && value.endsWith("'"))) {
             value = value.slice(1, -1);
@@ -38,178 +55,86 @@ export function parseEnvFile(content) {
 // ── FileVaultManager ───────────────────────────────────────────────────────────
 export class FileVaultManager {
     constructor(stateDir) {
-        this.config = null;
         this.vaultsDir = join(stateDir, "vaults");
-        this.configPath = join(this.vaultsDir, "vault.json");
-        this.reload();
-    }
-    reload() {
-        if (!existsSync(this.configPath)) {
-            this.config = null;
-            return;
-        }
-        try {
-            const raw = readFileSync(this.configPath, "utf-8");
-            const parsed = JSON.parse(raw);
-            if (!parsed ||
-                typeof parsed !== "object" ||
-                !parsed.vaults ||
-                typeof parsed.vaults !== "object") {
-                console.error(`vault: malformed vault.json — expected { vaults: { ... } }`);
-                this.config = null;
-                return;
-            }
-            this.config = parsed;
-            this.warnUnsupportedSandboxTypes();
-        }
-        catch (err) {
-            console.error(`vault: failed to read ${this.configPath}:`, err);
-            this.config = null;
-        }
-    }
-    /** Warn for legacy or insecure vault sandbox overrides that are no longer allowed. */
-    warnUnsupportedSandboxTypes() {
-        if (!this.config)
-            return;
-        for (const [key, entry] of Object.entries(this.config.vaults)) {
-            if (entry.sandbox?.type === "host") {
-                console.error(`vault: "${key}" uses sandbox.type=host, which is blocked for credential isolation. ` +
-                    "Use sandbox.type=image or sandbox.type=firecracker.");
-            }
-            if (entry.sandbox?.type === "container" || entry.sandbox?.type === "docker") {
-                console.error(`vault: "${key}" uses sandbox.type=${entry.sandbox.type}, which is blocked for credential isolation. ` +
-                    "Use sandbox.type=image for per-user containers or sandbox.type=firecracker.");
-            }
-        }
     }
     isEnabled() {
-        return this.config !== null;
+        return existsSync(this.vaultsDir);
     }
     hasEntry(key) {
-        return !!this.config?.vaults[key];
+        return existsSync(join(this.vaultsDir, key));
+    }
+    listSharedVaults() {
+        const sharedDir = join(this.vaultsDir, SHARED_VAULT_DIR);
+        if (!existsSync(sharedDir))
+            return [];
+        return readdirSync(sharedDir, { withFileTypes: true })
+            .filter((entry) => entry.isDirectory() && normalizeSharedVaultName(entry.name) === entry.name)
+            .map((entry) => entry.name)
+            .toSorted((left, right) => left.localeCompare(right));
+    }
+    deleteSharedVault(name) {
+        const key = sharedVaultKey(name);
+        if (!key)
+            throw new Error(`vault: invalid shared login name: ${name}`);
+        const dir = join(this.vaultsDir, key);
+        const existed = existsSync(dir);
+        rmSync(dir, { recursive: true, force: true });
+        return existed;
+    }
+    copySharedVaultTo(name, targetKey) {
+        const sourceKey = sharedVaultKey(name);
+        if (!sourceKey)
+            throw new Error(`vault: invalid shared login name: ${name}`);
+        const sourceDir = join(this.vaultsDir, sourceKey);
+        if (!existsSync(sourceDir))
+            throw new Error(`vault: shared login "${name}" does not exist`);
+        const targetDir = join(this.vaultsDir, targetKey);
+        ensurePrivateDir(this.vaultsDir);
+        ensurePrivateDir(targetDir);
+        return copyVaultDir(sourceDir, targetDir);
     }
     resolve(userId) {
-        const entry = this.config?.vaults[userId];
-        if (!entry)
+        const dir = join(this.vaultsDir, userId);
+        if (!existsSync(dir))
             return undefined;
-        return this.buildResolved(userId, entry);
+        return this.buildResolved(userId);
     }
     getSandboxConfig(userId, baseConfig) {
-        const vault = this.resolve(userId);
-        if (!vault?.sandboxOverride)
-            return baseConfig;
-        const override = vault.sandboxOverride;
-        if (override.type === "image") {
-            if (baseConfig.type !== "image") {
-                throw new Error(`vault "${userId}" sets sandbox.type=image, but base sandbox is "${baseConfig.type}". ` +
-                    "Use --sandbox=image:<image> to enable per-user managed containers.");
-            }
-            const container = override.container || `mama-sandbox-${userId}`;
-            return { type: "container", container };
-        }
-        if (override.type === "firecracker") {
-            if (!override.vmId)
-                return baseConfig;
-            if (baseConfig.type !== "firecracker") {
-                throw new Error(`vault "${userId}" sets sandbox.type=firecracker, but base sandbox is "${baseConfig.type}". ` +
-                    "Use --sandbox=firecracker:<vm-id>:<host-path> so /workspace stays mapped to the real workspace.");
-            }
+        if (baseConfig.type === "cloudflare") {
             return {
-                type: "firecracker",
-                vmId: override.vmId,
-                hostPath: baseConfig.hostPath,
-                sshUser: override.sshUser,
-                sshPort: override.sshPort,
+                type: "cloudflare",
+                sandboxId: `${baseConfig.sandboxId}-${sanitizeCloudflareSandboxId(userId)}`,
             };
         }
-        if (override.type === "host") {
-            throw new Error(`vault "${userId}" uses sandbox.type=host, which is blocked for credential isolation. ` +
-                "Use sandbox.type=image or sandbox.type=firecracker.");
-        }
-        if (override.type === "container" || override.type === "docker") {
-            throw new Error(`vault "${userId}" uses sandbox.type=${override.type}, which is blocked for credential isolation. ` +
-                "Use sandbox.type=image for per-user containers or sandbox.type=firecracker.");
-        }
-        // No type override — return base config unchanged
         return baseConfig;
     }
     list() {
-        if (!this.config)
+        if (!existsSync(this.vaultsDir))
             return [];
-        const results = [];
-        for (const [key, entry] of Object.entries(this.config.vaults)) {
-            results.push(this.buildResolved(key, entry));
-        }
-        return results;
-    }
-    addEntry(key, entry) {
-        if (!this.config) {
-            this.config = { vaults: {} };
-        }
-        // Idempotent: skip if already exists
-        if (this.config.vaults[key])
-            return;
-        this.config.vaults[key] = entry;
-        this.persistConfig();
-    }
-    ensureImageSandboxEntry(key, entry) {
-        if (entry.sandbox?.type !== "image") {
-            throw new Error(`vault: ensureImageSandboxEntry requires sandbox.type=image for "${key}"`);
-        }
-        if (!this.config) {
-            this.config = { vaults: {} };
+        const keys = new Set();
+        for (const entry of readdirSync(this.vaultsDir, { withFileTypes: true })) {
+            if (entry.isDirectory())
+                keys.add(entry.name);
         }
-        const existing = this.config.vaults[key];
-        if (!existing) {
-            this.config.vaults[key] = entry;
-            this.persistConfig();
-            return;
-        }
-        let nextEntry = existing;
-        let changed = false;
-        if (!existing.platform && entry.platform) {
-            nextEntry = { ...nextEntry, platform: entry.platform };
-            changed = true;
-        }
-        const existingSandbox = existing.sandbox;
-        if (!existingSandbox?.type) {
-            nextEntry = { ...nextEntry, sandbox: entry.sandbox };
-            changed = true;
-        }
-        else if (existingSandbox.type === "image" &&
-            !existingSandbox.container &&
-            entry.sandbox.container) {
-            nextEntry = {
-                ...nextEntry,
-                sandbox: { ...existingSandbox, container: entry.sandbox.container },
-            };
-            changed = true;
-        }
-        if (!changed) {
-            return;
-        }
-        this.config.vaults[key] = nextEntry;
-        this.persistConfig();
+        return Array.from(keys, (key) => this.buildResolved(key));
     }
     upsertEnv(key, env) {
         const dir = join(this.vaultsDir, key);
         const envPath = join(dir, "env");
         ensurePrivateDir(this.vaultsDir);
         ensurePrivateDir(dir);
-        const existing = existsSync(envPath)
-            ? parseEnvFile(readFileSync(envPath, "utf-8"))
-            : {};
+        const existingContent = readTextFileIfExists(envPath);
+        const existing = existingContent ? parseEnvFile(existingContent) : {};
         const merged = { ...existing, ...env };
         const content = Object.entries(merged)
-            .sort(([left], [right]) => left.localeCompare(right))
+            .toSorted(([left], [right]) => left.localeCompare(right))
             .map(([envKey, value]) => `${envKey}=${value}`)
             .join("\n") + "\n";
         atomicWritePrivateFile(envPath, content);
     }
     upsertFile(key, relativePath, content, targetPath) {
         const normalizedPath = normalizeVaultRelativePath(relativePath);
-        const normalizedTarget = normalizeVaultTargetPath(targetPath);
-        if (!normalizedPath || (targetPath !== undefined && !normalizedTarget)) {
+        if (!normalizedPath || (targetPath !== undefined && !normalizeVaultTargetPath(targetPath))) {
             throw new Error(`vault: invalid relative secret file path for "${key}": ${relativePath}`);
         }
         const dir = join(this.vaultsDir, key);
@@ -219,147 +144,95 @@ export class FileVaultManager {
         const parentDir = dirname(filePath);
         if (parentDir !== dir)
             ensurePrivateDir(parentDir);
-        atomicWritePrivateFile(filePath, content);
-        this.ensureMountEntry(key, normalizedPath, normalizedTarget);
-    }
-    // ── private ────────────────────────────────────────────────────────────────
-    persistConfig() {
-        ensurePrivateDir(this.vaultsDir);
-        // Preserve concurrent external edits: pull in any entries that appear on
-        // disk but not in our in-memory view, so a background edit (e.g. another
-        // admin adding a user) is not silently dropped by the next upsert here.
-        // Individual field edits still follow last-writer-wins per key.
-        const onDisk = this.readConfigFromDisk();
-        if (onDisk && this.config) {
-            for (const [key, entry] of Object.entries(onDisk.vaults)) {
-                if (!(key in this.config.vaults)) {
-                    this.config.vaults[key] = entry;
-                }
-            }
+        if (existsSync(filePath)) {
+            writeFileSync(filePath, content, { mode: 0o600 });
+            chmodSync(filePath, 0o600);
         }
-        atomicWritePrivateFile(this.configPath, JSON.stringify(this.config, null, 2) + "\n");
-    }
-    readConfigFromDisk() {
-        if (!existsSync(this.configPath))
-            return null;
-        try {
-            const parsed = JSON.parse(readFileSync(this.configPath, "utf-8"));
-            if (!parsed ||
-                typeof parsed !== "object" ||
-                !parsed.vaults ||
-                typeof parsed.vaults !== "object") {
-                return null;
-            }
-            return parsed;
-        }
-        catch {
-            return null;
-        }
-    }
-    ensureMountEntry(key, relativePath, targetPath) {
-        if (!this.config?.vaults[key]) {
-            throw new Error(`vault: cannot add mount "${relativePath}" for missing entry "${key}"`);
+        else {
+            atomicWritePrivateFile(filePath, content);
         }
-        const existing = this.config.vaults[key];
-        const mounts = existing.mounts ?? [];
-        if (mounts.some((mount) => typeof mount === "string"
-            ? mount === relativePath && !targetPath
-            : mount.source === relativePath && mount.target === targetPath)) {
-            return;
-        }
-        this.config.vaults[key] = {
-            ...existing,
-            mounts: [...mounts, targetPath ? { source: relativePath, target: targetPath } : relativePath],
-        };
-        this.persistConfig();
     }
-    buildResolved(key, entry) {
+    // ── private ────────────────────────────────────────────────────────────────
+    buildResolved(key) {
         const dir = join(this.vaultsDir, key);
-        const mounts = (entry.mounts ?? [])
-            .map((mount) => this.resolveMountEntry(dir, mount))
-            .filter((mount) => mount !== undefined);
+        const mounts = inferMountsFromDir(dir);
         let env = {};
-        const envPath = join(dir, "env");
-        if (entry.envFile !== false && existsSync(envPath)) {
+        const envContent = readTextFileIfExists(join(dir, "env"));
+        if (envContent !== undefined) {
             try {
-                env = parseEnvFile(readFileSync(envPath, "utf-8"));
+                env = parseEnvFile(envContent);
             }
             catch (err) {
                 console.error(`vault: failed to parse env file for "${key}":`, err);
+                reportUserFacingError(err, {
+                    domain: "sandbox",
+                    surface: "vault_injection",
+                    operation: "parse_env",
+                    severity: "warning",
+                    context: { vaultKey: key, fatal: false },
+                });
             }
         }
         return {
             userId: key,
-            displayName: entry.displayName,
+            displayName: key,
             dir,
             mounts,
             env,
-            sandboxOverride: entry.sandbox,
         };
     }
-    resolveMountEntry(dir, mount) {
-        if (typeof mount === "string") {
-            const normalizedSource = normalizeVaultRelativePath(mount);
-            if (!normalizedSource)
-                return undefined;
-            return {
-                source: join(dir, normalizedSource),
-                target: defaultVaultTargetPath(normalizedSource),
-            };
-        }
-        if (!mount || typeof mount !== "object")
-            return undefined;
-        const normalizedSource = normalizeVaultRelativePath(mount.source);
-        if (!normalizedSource)
-            return undefined;
-        const normalizedTarget = normalizeVaultTargetPath(mount.target);
-        return {
-            source: join(dir, normalizedSource),
-            target: normalizedTarget ?? defaultVaultTargetPath(normalizedSource),
-        };
+}
+function inferMountsFromDir(dir) {
+    if (!existsSync(dir))
+        return [];
+    const mounts = [];
+    for (const entry of readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name === "env")
+            continue;
+        const source = join(dir, entry.name);
+        const target = inferredVaultTargetPath(entry.name);
+        if (!target)
+            continue;
+        mounts.push({ source, target });
     }
+    return mounts;
 }
 function ensurePrivateDir(path) {
     mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });
     chmodSync(path, PRIVATE_DIR_MODE);
 }
-/**
- * Write `content` to `targetPath` with mode 0600, even when `targetPath`
- * already exists. Uses O_CREAT|O_EXCL on a temp sibling (so the kernel
- * guarantees permissions at creation, not after a racy chmod) and then
- * rename(2) into place for atomicity. Readers never see a torn write.
- */
-function atomicWritePrivateFile(targetPath, content) {
-    const dir = dirname(targetPath);
-    const tmpPath = join(dir, `.${basename(targetPath)}.${process.pid}.${randomBytes(8).toString("hex")}.tmp`);
-    const fd = openSync(tmpPath, fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL, PRIVATE_FILE_MODE);
-    try {
-        writeSync(fd, content);
-    }
-    catch (err) {
-        try {
-            unlinkSync(tmpPath);
-        }
-        catch {
-            // ignore — original error is more informative
-        }
-        throw err;
-    }
-    finally {
-        closeSync(fd);
-    }
-    try {
-        renameSync(tmpPath, targetPath);
-    }
-    catch (err) {
-        try {
-            unlinkSync(tmpPath);
+function copyVaultDir(sourceDir, targetDir) {
+    let filesCopied = 0;
+    let envKeysCopied = 0;
+    for (const entry of readdirSync(sourceDir, { withFileTypes: true })) {
+        const sourcePath = join(sourceDir, entry.name);
+        const targetPath = join(targetDir, entry.name);
+        if (entry.name === "env" && entry.isFile()) {
+            const sourceEnv = parseEnvFile(readTextFileIfExists(sourcePath) ?? "");
+            const targetEnv = parseEnvFile(readTextFileIfExists(targetPath) ?? "");
+            const merged = { ...targetEnv, ...sourceEnv };
+            const content = Object.entries(merged)
+                .toSorted(([left], [right]) => left.localeCompare(right))
+                .map(([envKey, value]) => `${envKey}=${value}`)
+                .join("\n") + "\n";
+            atomicWritePrivateFile(targetPath, content);
+            envKeysCopied += Object.keys(sourceEnv).length;
+            continue;
         }
-        catch {
-            // ignore
+        if (entry.isDirectory()) {
+            ensurePrivateDir(targetPath);
+            const nested = copyVaultDir(sourcePath, targetPath);
+            filesCopied += nested.filesCopied;
+            envKeysCopied += nested.envKeysCopied;
+            continue;
         }
-        throw err;
+        if (!entry.isFile())
+            continue;
+        copyFileSync(sourcePath, targetPath);
+        chmodSync(targetPath, 0o600);
+        filesCopied++;
     }
+    return { filesCopied, envKeysCopied };
 }
 function normalizeVaultRelativePath(relativePath) {
     const trimmed = relativePath.trim();
@@ -372,13 +245,11 @@ function normalizeVaultRelativePath(relativePath) {
     return normalized;
 }
 function normalizeVaultTargetPath(targetPath) {
-    if (targetPath === undefined) {
+    if (targetPath === undefined)
         return undefined;
-    }
     const trimmed = targetPath.trim();
-    if (!trimmed || !trimmed.startsWith("/")) {
+    if (!trimmed || !trimmed.startsWith("/"))
         return undefined;
-    }
     const normalized = normalize(trimmed).split(sep).join("/");
     return normalized.startsWith("/") ? normalized : undefined;
 }
@@ -386,4 +257,25 @@ export function defaultVaultTargetPath(relativePath) {
     const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\/+/, "");
     return `/root/${normalized}`;
 }
+function inferredVaultTargetPath(relativePath) {
+    const normalized = normalizeVaultRelativePath(relativePath);
+    if (!normalized)
+        return undefined;
+    if (normalized === "gws.json") {
+        return "/root/.config/gws/credentials.json";
+    }
+    if (normalized === "gcloud-adc.json") {
+        return "/root/.config/gcloud/application_default_credentials.json";
+    }
+    if (normalized === ".ssh" || normalized.startsWith(".ssh/")) {
+        return "/root/.ssh";
+    }
+    if (normalized === ".kube" || normalized.startsWith(".kube/")) {
+        return "/root/.kube";
+    }
+    if (normalized === ".config/gh" || normalized.startsWith(".config/gh/")) {
+        return "/root/.config/gh";
+    }
+    return defaultVaultTargetPath(normalized);
+}
 //# sourceMappingURL=vault.js.map

package/dist/vault.js.map

@@ -1 +1 @@
-{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,SAAS,EACT,SAAS,IAAI,WAAW,EACxB,UAAU,EACV,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,UAAU,EACV,SAAS,GACV,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAG3E,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAC/B,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAiFhC,kFAAkF;AAElF;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAE7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QAEvC,wBAAwB;QACxB,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kFAAkF;AAElF,MAAM,OAAO,gBAAgB;IAK3B,YAAY,QAAgB;QAJpB,WAAM,GAAuB,IAAI,CAAC;QAKxC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM,EAAE,CAAC;IAChB,CAAC;IAED,MAAM;QACJ,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAE/B,IACE,CAAC,MAAM;gBACP,OAAO,MAAM,KAAK,QAAQ;gBAC1B,CAAC,MAAM,CAAC,MAAM;gBACd,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,EACjC,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;gBAC5E,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;gBACnB,OAAO;YACT,CAAC;YAED,IAAI,CAAC,MAAM,GAAG,MAAqB,CAAC;YACpC,IAAI,CAAC,2BAA2B,EAAE,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,yBAAyB,IAAI,CAAC,UAAU,GAAG,EAAE,GAAG,CAAC,CAAC;YAChE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,sFAAsF;IAC9E,2BAA2B;QACjC,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9D,IAAI,KAAK,CAAC,OAAO,EAAE,IAAI,KAAK,MAAM,EAAE,CAAC;gBACnC,OAAO,CAAC,KAAK,CACX,WAAW,GAAG,uEAAuE;oBACnF,qDAAqD,CACxD,CAAC;YACJ,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,EAAE,IAAI,KAAK,WAAW,IAAI,KAAK,CAAC,OAAO,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5E,OAAO,CAAC,KAAK,CACX,WAAW,GAAG,uBAAuB,KAAK,CAAC,OAAO,CAAC,IAAI,+CAA+C;oBACpG,6EAA6E,CAChF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC;IAC9B,CAAC;IAED,QAAQ,CAAC,GAAW;QAClB,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,OAAO,CAAC,MAAc;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,gBAAgB,CAAC,MAAc,EAAE,UAAyB;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,EAAE,eAAe;YAAE,OAAO,UAAU,CAAC;QAE/C,MAAM,QAAQ,GAAG,KAAK,CAAC,eAAe,CAAC;QAEvC,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC9B,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CACb,UAAU,MAAM,mDAAmD,UAAU,CAAC,IAAI,KAAK;oBACrF,oEAAoE,CACvE,CAAC;YACJ,CAAC;YACD,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,gBAAgB,MAAM,EAAE,CAAC;YACjE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;QAC1C,CAAC;QAED,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACpC,IAAI,CAAC,QAAQ,CAAC,IAAI;gBAAE,OAAO,UAAU,CAAC;YACtC,IAAI,UAAU,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,UAAU,MAAM,yDAAyD,UAAU,CAAC,IAAI,KAAK;oBAC3F,iGAAiG,CACpG,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,QAAQ,EAAE,UAAU,CAAC,QAAQ;gBAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;aAC1B,CAAC;QACJ,CAAC;QAED,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,UAAU,MAAM,uEAAuE;gBACrF,qDAAqD,CACxD,CAAC;QACJ,CAAC;QAED,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChE,MAAM,IAAI,KAAK,CACb,UAAU,MAAM,uBAAuB,QAAQ,CAAC,IAAI,+CAA+C;gBACjG,6EAA6E,CAChF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAI;QACF,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAE5B,MAAM,OAAO,GAAoB,EAAE,CAAC;QACpC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,QAAQ,CAAC,GAAW,EAAE,KAAiB;QACrC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QAC/B,CAAC;QACD,qCAAqC;QACrC,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC;YAAE,OAAO;QACpC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAChC,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED,uBAAuB,CAAC,GAAW,EAAE,KAAiB;QACpD,IAAI,KAAK,CAAC,OAAO,EAAE,IAAI,KAAK,OAAO,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,mEAAmE,GAAG,GAAG,CAAC,CAAC;QAC7F,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QAC/B,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAChC,IAAI,CAAC,aAAa,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,SAAS,GAAG,QAAQ,CAAC;QACzB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACzC,SAAS,GAAG,EAAE,GAAG,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC;YACvD,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC;QACzC,IAAI,CAAC,eAAe,EAAE,IAAI,EAAE,CAAC;YAC3B,SAAS,GAAG,EAAE,GAAG,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;YACrD,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;aAAM,IACL,eAAe,CAAC,IAAI,KAAK,OAAO;YAChC,CAAC,eAAe,CAAC,SAAS;YAC1B,KAAK,CAAC,OAAO,CAAC,SAAS,EACvB,CAAC;YACD,SAAS,GAAG;gBACV,GAAG,SAAS;gBACZ,OAAO,EAAE,EAAE,GAAG,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE;aACpE,CAAC;YACF,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QACpC,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED,SAAS,CAAC,GAAW,EAAE,GAA2B;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC;YAClC,CAAC,CAAC,YAAY,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC,CAAE,EAA6B,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC;QACvC,MAAM,OAAO,GACX,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;aACnB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;aACpD,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC;aAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QACvB,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,UAAU,CAAC,GAAW,EAAE,YAAoB,EAAE,OAAe,EAAE,UAAmB;QAChF,MAAM,cAAc,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAChE,MAAM,gBAAgB,GAAG,wBAAwB,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,KAAK,CAAC,iDAAiD,GAAG,MAAM,YAAY,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QAE3C,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,SAAS,KAAK,GAAG;YAAE,gBAAgB,CAAC,SAAS,CAAC,CAAC;QACnD,sBAAsB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,cAAc,EAAE,gBAAgB,CAAC,CAAC;IAC/D,CAAC;IAED,8EAA8E;IAEtE,aAAa;QACnB,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEjC,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,gEAAgE;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACzC,IAAI,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;oBACjC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED,sBAAsB,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACvF,CAAC;IAEO,kBAAkB;QACxB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YAClE,IACE,CAAC,MAAM;gBACP,OAAO,MAAM,KAAK,QAAQ;gBAC1B,CAAC,MAAM,CAAC,MAAM;gBACd,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,EACjC,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAqB,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,GAAW,EAAE,YAAoB,EAAE,UAAmB;QAC7E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,wBAAwB,GAAG,GAAG,CAAC,CAAC;QAC1F,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC;QACrC,IACE,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CACpB,OAAO,KAAK,KAAK,QAAQ;YACvB,CAAC,CAAC,KAAK,KAAK,YAAY,IAAI,CAAC,UAAU;YACvC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,YAAY,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,CACjE,EACD,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;YACxB,GAAG,QAAQ;YACX,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC;SAC9F,CAAC;QACF,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAEO,aAAa,CAAC,GAAW,EAAE,KAAiB;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAEtC,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;aAChC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;aAClD,MAAM,CAAC,CAAC,KAAK,EAA+B,EAAE,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC;QAEvE,IAAI,GAAG,GAA2B,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,OAAO,KAAK,KAAK,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,IAAI,CAAC;gBACH,GAAG,GAAG,YAAY,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YACrD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,wCAAwC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,GAAG;YACX,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,GAAG;YACH,MAAM;YACN,GAAG;YACH,eAAe,EAAE,KAAK,CAAC,OAAO;SAC/B,CAAC;IACJ,CAAC;IAEO,iBAAiB,CACvB,GAAW,EACX,KAA+B;QAE/B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,gBAAgB,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC;YAC3D,IAAI,CAAC,gBAAgB;gBAAE,OAAO,SAAS,CAAC;YACxC,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC;gBACnC,MAAM,EAAE,sBAAsB,CAAC,gBAAgB,CAAC;aACjD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,SAAS,CAAC;QAC1D,MAAM,gBAAgB,GAAG,0BAA0B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClE,IAAI,CAAC,gBAAgB;YAAE,OAAO,SAAS,CAAC;QACxC,MAAM,gBAAgB,GAAG,wBAAwB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAChE,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC;YACnC,MAAM,EAAE,gBAAgB,IAAI,sBAAsB,CAAC,gBAAgB,CAAC;SACrE,CAAC;IACJ,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAC7D,SAAS,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,SAAS,sBAAsB,CAAC,UAAkB,EAAE,OAAe;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,OAAO,GAAG,IAAI,CAClB,GAAG,EACH,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAChF,CAAC;IACF,MAAM,EAAE,GAAG,QAAQ,CACjB,OAAO,EACP,WAAW,CAAC,QAAQ,GAAG,WAAW,CAAC,OAAO,GAAG,WAAW,CAAC,MAAM,EAC/D,iBAAiB,CAClB,CAAC;IACF,IAAI,CAAC;QACH,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC;YACH,UAAU,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC;IACD,IAAI,CAAC;QACH,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC;YACH,UAAU,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,0BAA0B,CAAC,YAAoB;IACtD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IAEtD,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7F,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,wBAAwB,CAAC,UAAmB;IACnD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,OAAO,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,YAAoB;IACzD,MAAM,UAAU,GAAG,0BAA0B,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAChG,OAAO,SAAS,UAAU,EAAE,CAAC;AAC/B,CAAC","sourcesContent":["import {\n  chmodSync,\n  closeSync,\n  constants as fsConstants,\n  existsSync,\n  mkdirSync,\n  openSync,\n  readFileSync,\n  renameSync,\n  unlinkSync,\n  writeSync,\n} from \"fs\";\nimport { randomBytes } from \"crypto\";\nimport { basename, dirname, isAbsolute, join, normalize, sep } from \"path\";\nimport type { SandboxConfig } from \"./sandbox.js\";\n\nconst PRIVATE_DIR_MODE = 0o700;\nconst PRIVATE_FILE_MODE = 0o600;\n\n// ── Types ──────────────────────────────────────────────────────────────────────\n\n/** Shape of workspace/vaults/vault.json */\nexport interface VaultConfig {\n  vaults: Record<string, VaultEntry>;\n}\n\n/** Per-user vault mount entry in vault.json */\nexport interface VaultMountEntry {\n  source: string;\n  target?: string;\n}\n\n/** Per-user vault entry in vault.json */\nexport interface VaultEntry {\n  displayName: string;\n  platform?: \"slack\" | \"discord\" | \"telegram\";\n  /** Subdirs/files in vault dir to mount into sandbox (e.g. [\".gcloud\", \".ssh\", \".kube\"]) */\n  mounts?: Array<string | VaultMountEntry>;\n  /** Whether to load env file as environment variables (default: true if env file exists) */\n  envFile?: boolean;\n  /** Per-user sandbox config override */\n  sandbox?: {\n    type?: \"image\" | \"firecracker\" | \"host\" | \"container\" | \"docker\";\n    container?: string;\n    image?: string;\n    vmId?: string;\n    sshUser?: string;\n    sshPort?: number;\n  };\n}\n\nexport interface ResolvedVaultMount {\n  source: string;\n  target: string;\n}\n\n/** Resolved vault ready for use at runtime */\nexport interface ResolvedVault {\n  userId: string;\n  displayName: string;\n  /** Absolute path to vault directory */\n  dir: string;\n  /** Absolute mount specs */\n  mounts: ResolvedVaultMount[];\n  /** Parsed from env file */\n  env: Record<string, string>;\n  sandboxOverride?: VaultEntry[\"sandbox\"];\n}\n\nexport interface VaultManager {\n  /** Return true when vault.json contains this exact key. */\n  hasEntry(key: string): boolean;\n  /** Resolve vault for a user; returns undefined when no entry exists. */\n  resolve(userId: string): ResolvedVault | undefined;\n  /** Get sandbox config with credential injection for a user */\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;\n  /** List all configured vaults */\n  list(): ResolvedVault[];\n  /** Re-read vault.json without restart */\n  reload(): void;\n  /** Check if vault system is enabled (vault.json exists) */\n  isEnabled(): boolean;\n  /**\n   * Add a vault entry and persist to disk.\n   * No-op if the key already exists (idempotent).\n   */\n  addEntry(key: string, entry: VaultEntry): void;\n  /**\n   * Ensure a vault entry has image sandbox metadata.\n   * Creates the entry when missing and upgrades existing entries that lack sandbox.type.\n   */\n  ensureImageSandboxEntry(key: string, entry: VaultEntry): void;\n  /** Merge environment variables into vaults/<key>/env and persist them to disk. */\n  upsertEnv(key: string, env: Record<string, string>): void;\n  /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;\n}\n\n// ── parseEnvFile ───────────────────────────────────────────────────────────────\n\n/**\n * Parse a KEY=VALUE env file. Supports:\n * - Lines starting with # are comments\n * - Empty lines are skipped\n * - Values can be quoted with single or double quotes (quotes are stripped)\n * - No variable expansion\n * - The value is everything after the first `=` to end of line (no inline comments)\n */\nexport function parseEnvFile(content: string): Record<string, string> {\n  const env: Record<string, string> = {};\n  const lines = content.replace(/\\r\\n/g, \"\\n\").replace(/\\r/g, \"\\n\").split(\"\\n\");\n\n  for (const line of lines) {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) continue;\n\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (!key) continue;\n\n    let value = trimmed.slice(eqIndex + 1);\n\n    // Strip matching quotes\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    env[key] = value;\n  }\n\n  return env;\n}\n\n// ── FileVaultManager ───────────────────────────────────────────────────────────\n\nexport class FileVaultManager implements VaultManager {\n  private config: VaultConfig | null = null;\n  private readonly vaultsDir: string;\n  private readonly configPath: string;\n\n  constructor(stateDir: string) {\n    this.vaultsDir = join(stateDir, \"vaults\");\n    this.configPath = join(this.vaultsDir, \"vault.json\");\n    this.reload();\n  }\n\n  reload(): void {\n    if (!existsSync(this.configPath)) {\n      this.config = null;\n      return;\n    }\n\n    try {\n      const raw = readFileSync(this.configPath, \"utf-8\");\n      const parsed = JSON.parse(raw);\n\n      if (\n        !parsed ||\n        typeof parsed !== \"object\" ||\n        !parsed.vaults ||\n        typeof parsed.vaults !== \"object\"\n      ) {\n        console.error(`vault: malformed vault.json — expected { vaults: { ... } }`);\n        this.config = null;\n        return;\n      }\n\n      this.config = parsed as VaultConfig;\n      this.warnUnsupportedSandboxTypes();\n    } catch (err) {\n      console.error(`vault: failed to read ${this.configPath}:`, err);\n      this.config = null;\n    }\n  }\n\n  /** Warn for legacy or insecure vault sandbox overrides that are no longer allowed. */\n  private warnUnsupportedSandboxTypes(): void {\n    if (!this.config) return;\n    for (const [key, entry] of Object.entries(this.config.vaults)) {\n      if (entry.sandbox?.type === \"host\") {\n        console.error(\n          `vault: \"${key}\" uses sandbox.type=host, which is blocked for credential isolation. ` +\n            \"Use sandbox.type=image or sandbox.type=firecracker.\",\n        );\n      }\n      if (entry.sandbox?.type === \"container\" || entry.sandbox?.type === \"docker\") {\n        console.error(\n          `vault: \"${key}\" uses sandbox.type=${entry.sandbox.type}, which is blocked for credential isolation. ` +\n            \"Use sandbox.type=image for per-user containers or sandbox.type=firecracker.\",\n        );\n      }\n    }\n  }\n\n  isEnabled(): boolean {\n    return this.config !== null;\n  }\n\n  hasEntry(key: string): boolean {\n    return !!this.config?.vaults[key];\n  }\n\n  resolve(userId: string): ResolvedVault | undefined {\n    const entry = this.config?.vaults[userId];\n    if (!entry) return undefined;\n    return this.buildResolved(userId, entry);\n  }\n\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig {\n    const vault = this.resolve(userId);\n    if (!vault?.sandboxOverride) return baseConfig;\n\n    const override = vault.sandboxOverride;\n\n    if (override.type === \"image\") {\n      if (baseConfig.type !== \"image\") {\n        throw new Error(\n          `vault \"${userId}\" sets sandbox.type=image, but base sandbox is \"${baseConfig.type}\". ` +\n            \"Use --sandbox=image:<image> to enable per-user managed containers.\",\n        );\n      }\n      const container = override.container || `mama-sandbox-${userId}`;\n      return { type: \"container\", container };\n    }\n\n    if (override.type === \"firecracker\") {\n      if (!override.vmId) return baseConfig;\n      if (baseConfig.type !== \"firecracker\") {\n        throw new Error(\n          `vault \"${userId}\" sets sandbox.type=firecracker, but base sandbox is \"${baseConfig.type}\". ` +\n            \"Use --sandbox=firecracker:<vm-id>:<host-path> so /workspace stays mapped to the real workspace.\",\n        );\n      }\n      return {\n        type: \"firecracker\",\n        vmId: override.vmId,\n        hostPath: baseConfig.hostPath,\n        sshUser: override.sshUser,\n        sshPort: override.sshPort,\n      };\n    }\n\n    if (override.type === \"host\") {\n      throw new Error(\n        `vault \"${userId}\" uses sandbox.type=host, which is blocked for credential isolation. ` +\n          \"Use sandbox.type=image or sandbox.type=firecracker.\",\n      );\n    }\n\n    if (override.type === \"container\" || override.type === \"docker\") {\n      throw new Error(\n        `vault \"${userId}\" uses sandbox.type=${override.type}, which is blocked for credential isolation. ` +\n          \"Use sandbox.type=image for per-user containers or sandbox.type=firecracker.\",\n      );\n    }\n\n    // No type override — return base config unchanged\n    return baseConfig;\n  }\n\n  list(): ResolvedVault[] {\n    if (!this.config) return [];\n\n    const results: ResolvedVault[] = [];\n    for (const [key, entry] of Object.entries(this.config.vaults)) {\n      results.push(this.buildResolved(key, entry));\n    }\n    return results;\n  }\n\n  addEntry(key: string, entry: VaultEntry): void {\n    if (!this.config) {\n      this.config = { vaults: {} };\n    }\n    // Idempotent: skip if already exists\n    if (this.config.vaults[key]) return;\n    this.config.vaults[key] = entry;\n    this.persistConfig();\n  }\n\n  ensureImageSandboxEntry(key: string, entry: VaultEntry): void {\n    if (entry.sandbox?.type !== \"image\") {\n      throw new Error(`vault: ensureImageSandboxEntry requires sandbox.type=image for \"${key}\"`);\n    }\n\n    if (!this.config) {\n      this.config = { vaults: {} };\n    }\n\n    const existing = this.config.vaults[key];\n    if (!existing) {\n      this.config.vaults[key] = entry;\n      this.persistConfig();\n      return;\n    }\n\n    let nextEntry = existing;\n    let changed = false;\n\n    if (!existing.platform && entry.platform) {\n      nextEntry = { ...nextEntry, platform: entry.platform };\n      changed = true;\n    }\n\n    const existingSandbox = existing.sandbox;\n    if (!existingSandbox?.type) {\n      nextEntry = { ...nextEntry, sandbox: entry.sandbox };\n      changed = true;\n    } else if (\n      existingSandbox.type === \"image\" &&\n      !existingSandbox.container &&\n      entry.sandbox.container\n    ) {\n      nextEntry = {\n        ...nextEntry,\n        sandbox: { ...existingSandbox, container: entry.sandbox.container },\n      };\n      changed = true;\n    }\n\n    if (!changed) {\n      return;\n    }\n\n    this.config.vaults[key] = nextEntry;\n    this.persistConfig();\n  }\n\n  upsertEnv(key: string, env: Record<string, string>): void {\n    const dir = join(this.vaultsDir, key);\n    const envPath = join(dir, \"env\");\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const existing = existsSync(envPath)\n      ? parseEnvFile(readFileSync(envPath, \"utf-8\"))\n      : ({} as Record<string, string>);\n    const merged = { ...existing, ...env };\n    const content =\n      Object.entries(merged)\n        .sort(([left], [right]) => left.localeCompare(right))\n        .map(([envKey, value]) => `${envKey}=${value}`)\n        .join(\"\\n\") + \"\\n\";\n    atomicWritePrivateFile(envPath, content);\n  }\n\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void {\n    const normalizedPath = normalizeVaultRelativePath(relativePath);\n    const normalizedTarget = normalizeVaultTargetPath(targetPath);\n    if (!normalizedPath || (targetPath !== undefined && !normalizedTarget)) {\n      throw new Error(`vault: invalid relative secret file path for \"${key}\": ${relativePath}`);\n    }\n\n    const dir = join(this.vaultsDir, key);\n    const filePath = join(dir, normalizedPath);\n\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const parentDir = dirname(filePath);\n    if (parentDir !== dir) ensurePrivateDir(parentDir);\n    atomicWritePrivateFile(filePath, content);\n    this.ensureMountEntry(key, normalizedPath, normalizedTarget);\n  }\n\n  // ── private ────────────────────────────────────────────────────────────────\n\n  private persistConfig(): void {\n    ensurePrivateDir(this.vaultsDir);\n\n    // Preserve concurrent external edits: pull in any entries that appear on\n    // disk but not in our in-memory view, so a background edit (e.g. another\n    // admin adding a user) is not silently dropped by the next upsert here.\n    // Individual field edits still follow last-writer-wins per key.\n    const onDisk = this.readConfigFromDisk();\n    if (onDisk && this.config) {\n      for (const [key, entry] of Object.entries(onDisk.vaults)) {\n        if (!(key in this.config.vaults)) {\n          this.config.vaults[key] = entry;\n        }\n      }\n    }\n\n    atomicWritePrivateFile(this.configPath, JSON.stringify(this.config, null, 2) + \"\\n\");\n  }\n\n  private readConfigFromDisk(): VaultConfig | null {\n    if (!existsSync(this.configPath)) return null;\n    try {\n      const parsed = JSON.parse(readFileSync(this.configPath, \"utf-8\"));\n      if (\n        !parsed ||\n        typeof parsed !== \"object\" ||\n        !parsed.vaults ||\n        typeof parsed.vaults !== \"object\"\n      ) {\n        return null;\n      }\n      return parsed as VaultConfig;\n    } catch {\n      return null;\n    }\n  }\n\n  private ensureMountEntry(key: string, relativePath: string, targetPath?: string): void {\n    if (!this.config?.vaults[key]) {\n      throw new Error(`vault: cannot add mount \"${relativePath}\" for missing entry \"${key}\"`);\n    }\n\n    const existing = this.config.vaults[key];\n    const mounts = existing.mounts ?? [];\n    if (\n      mounts.some((mount) =>\n        typeof mount === \"string\"\n          ? mount === relativePath && !targetPath\n          : mount.source === relativePath && mount.target === targetPath,\n      )\n    ) {\n      return;\n    }\n\n    this.config.vaults[key] = {\n      ...existing,\n      mounts: [...mounts, targetPath ? { source: relativePath, target: targetPath } : relativePath],\n    };\n    this.persistConfig();\n  }\n\n  private buildResolved(key: string, entry: VaultEntry): ResolvedVault {\n    const dir = join(this.vaultsDir, key);\n\n    const mounts = (entry.mounts ?? [])\n      .map((mount) => this.resolveMountEntry(dir, mount))\n      .filter((mount): mount is ResolvedVaultMount => mount !== undefined);\n\n    let env: Record<string, string> = {};\n    const envPath = join(dir, \"env\");\n    if (entry.envFile !== false && existsSync(envPath)) {\n      try {\n        env = parseEnvFile(readFileSync(envPath, \"utf-8\"));\n      } catch (err) {\n        console.error(`vault: failed to parse env file for \"${key}\":`, err);\n      }\n    }\n\n    return {\n      userId: key,\n      displayName: entry.displayName,\n      dir,\n      mounts,\n      env,\n      sandboxOverride: entry.sandbox,\n    };\n  }\n\n  private resolveMountEntry(\n    dir: string,\n    mount: string | VaultMountEntry,\n  ): ResolvedVaultMount | undefined {\n    if (typeof mount === \"string\") {\n      const normalizedSource = normalizeVaultRelativePath(mount);\n      if (!normalizedSource) return undefined;\n      return {\n        source: join(dir, normalizedSource),\n        target: defaultVaultTargetPath(normalizedSource),\n      };\n    }\n\n    if (!mount || typeof mount !== \"object\") return undefined;\n    const normalizedSource = normalizeVaultRelativePath(mount.source);\n    if (!normalizedSource) return undefined;\n    const normalizedTarget = normalizeVaultTargetPath(mount.target);\n    return {\n      source: join(dir, normalizedSource),\n      target: normalizedTarget ?? defaultVaultTargetPath(normalizedSource),\n    };\n  }\n}\n\nfunction ensurePrivateDir(path: string): void {\n  mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });\n  chmodSync(path, PRIVATE_DIR_MODE);\n}\n\n/**\n * Write `content` to `targetPath` with mode 0600, even when `targetPath`\n * already exists. Uses O_CREAT|O_EXCL on a temp sibling (so the kernel\n * guarantees permissions at creation, not after a racy chmod) and then\n * rename(2) into place for atomicity. Readers never see a torn write.\n */\nfunction atomicWritePrivateFile(targetPath: string, content: string): void {\n  const dir = dirname(targetPath);\n  const tmpPath = join(\n    dir,\n    `.${basename(targetPath)}.${process.pid}.${randomBytes(8).toString(\"hex\")}.tmp`,\n  );\n  const fd = openSync(\n    tmpPath,\n    fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL,\n    PRIVATE_FILE_MODE,\n  );\n  try {\n    writeSync(fd, content);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore — original error is more informative\n    }\n    throw err;\n  } finally {\n    closeSync(fd);\n  }\n  try {\n    renameSync(tmpPath, targetPath);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore\n    }\n    throw err;\n  }\n}\n\nfunction normalizeVaultRelativePath(relativePath: string): string | undefined {\n  const trimmed = relativePath.trim();\n  if (!trimmed || isAbsolute(trimmed)) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  if (!normalized || normalized === \".\" || normalized === \"..\" || normalized.startsWith(\"../\")) {\n    return undefined;\n  }\n  return normalized;\n}\n\nfunction normalizeVaultTargetPath(targetPath?: string): string | undefined {\n  if (targetPath === undefined) {\n    return undefined;\n  }\n\n  const trimmed = targetPath.trim();\n  if (!trimmed || !trimmed.startsWith(\"/\")) {\n    return undefined;\n  }\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  return normalized.startsWith(\"/\") ? normalized : undefined;\n}\n\nexport function defaultVaultTargetPath(relativePath: string): string {\n  const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\\/+/, \"\");\n  return `/root/${normalized}`;\n}\n"]}
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,UAAU,EACV,SAAS,EACT,WAAW,EACX,MAAM,EACN,aAAa,GACd,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAC/B,MAAM,gBAAgB,GAAG,QAAQ,CAAC;AAElC,MAAM,UAAU,wBAAwB,CAAC,IAAY;IACnD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IACzE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,UAAU,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAClD,OAAO,UAAU,CAAC,CAAC,CAAC,GAAG,gBAAgB,IAAI,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACtE,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAa;IAChD,OAAO,CACL,KAAK;SACF,WAAW,EAAE;SACb,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,SAAS,CACxC,CAAC;AACJ,CAAC;AA+CD,kFAAkF;AAElF;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAE7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QAEvC,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kFAAkF;AAElF,MAAM,OAAO,gBAAgB;IAG3B,YAAY,QAAgB;QAC1B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,SAAS;QACP,OAAO,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;IAED,QAAQ,CAAC,GAAW;QAClB,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,gBAAgB;QACd,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;QACzD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QACtC,OAAO,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;aACnD,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC;aAC7F,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;aAC1B,QAAQ,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,iBAAiB,CAAC,IAAY;QAC5B,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,iBAAiB,CACf,IAAY,EACZ,SAAiB;QAEjB,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,EAAE,CAAC,CAAC;QAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,kBAAkB,CAAC,CAAC;QAE5F,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClD,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,SAAS,CAAC,CAAC;QAC5B,OAAO,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,CAAC,MAAc;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,SAAS,CAAC;QACvC,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,gBAAgB,CAAC,MAAc,EAAE,UAAyB;QACxD,IAAI,UAAU,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACrC,OAAO;gBACL,IAAI,EAAE,YAAY;gBAClB,SAAS,EAAE,GAAG,UAAU,CAAC,SAAS,IAAI,2BAA2B,CAAC,MAAM,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAI;QACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACzE,IAAI,KAAK,CAAC,WAAW,EAAE;gBAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,SAAS,CAAC,GAAW,EAAE,GAA2B;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,eAAe,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC;QACvC,MAAM,OAAO,GACX,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;aACnB,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;aACxD,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC;aAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QACvB,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,UAAU,CAAC,GAAW,EAAE,YAAoB,EAAE,OAAe,EAAE,UAAmB;QAChF,MAAM,cAAc,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,KAAK,CAAC,iDAAiD,GAAG,MAAM,YAAY,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QAE3C,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,SAAS,KAAK,GAAG;YAAE,gBAAgB,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,sBAAsB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,8EAA8E;IAEtE,aAAa,CAAC,GAAW;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAEvC,IAAI,GAAG,GAA2B,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAC1D,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,wCAAwC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;gBACpE,qBAAqB,CAAC,GAAG,EAAE;oBACzB,MAAM,EAAE,SAAS;oBACjB,OAAO,EAAE,iBAAiB;oBAC1B,SAAS,EAAE,WAAW;oBACtB,QAAQ,EAAE,SAAS;oBACnB,OAAO,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE;iBACzC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,GAAG;YACX,WAAW,EAAE,GAAG;YAChB,GAAG;YACH,MAAM;YACN,GAAG;SACJ,CAAC;IACJ,CAAC;CACF;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAEhC,MAAM,MAAM,GAAyB,EAAE,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9D,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;YAAE,SAAS;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAC7D,SAAS,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,YAAY,CACnB,SAAiB,EACjB,SAAiB;IAKjB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACpE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,MAAM,SAAS,GAAG,YAAY,CAAC,oBAAoB,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,SAAS,GAAG,YAAY,CAAC,oBAAoB,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,MAAM,GAAG,EAAE,GAAG,SAAS,EAAE,GAAG,SAAS,EAAE,CAAC;YAC9C,MAAM,OAAO,GACX,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;iBACnB,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;iBACxD,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC;iBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;YACvB,sBAAsB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC5C,aAAa,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;YAC/C,SAAS;QACX,CAAC;QAED,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,gBAAgB,CAAC,UAAU,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YACpD,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;YAClC,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC;YACtC,SAAS;QACX,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAC9B,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACrC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC7B,WAAW,EAAE,CAAC;IAChB,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,0BAA0B,CAAC,YAAoB;IACtD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IAEtD,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7F,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,wBAAwB,CAAC,UAAmB;IACnD,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE/C,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAE3D,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,OAAO,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,YAAoB;IACzD,MAAM,UAAU,GAAG,0BAA0B,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAChG,OAAO,SAAS,UAAU,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,uBAAuB,CAAC,YAAoB;IACnD,MAAM,UAAU,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;IAC5D,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAElC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,oCAAoC,CAAC;IAC9C,CAAC;IACD,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;QACrC,OAAO,2DAA2D,CAAC;IACrE,CAAC;IACD,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5D,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9D,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,KAAK,YAAY,IAAI,UAAU,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACxE,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAED,OAAO,sBAAsB,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC","sourcesContent":["import {\n  chmodSync,\n  copyFileSync,\n  existsSync,\n  mkdirSync,\n  readdirSync,\n  rmSync,\n  writeFileSync,\n} from \"fs\";\nimport { dirname, isAbsolute, join, normalize, sep } from \"path\";\nimport { readTextFileIfExists } from \"./file-guards.js\";\nimport type { SandboxConfig } from \"./sandbox/index.js\";\nimport { atomicWritePrivateFile } from \"./fs-atomic.js\";\nimport { reportUserFacingError } from \"./sentry.js\";\n\nconst PRIVATE_DIR_MODE = 0o700;\nconst SHARED_VAULT_DIR = \"shared\";\n\nexport function normalizeSharedVaultName(name: string): string | undefined {\n  const trimmed = name.trim();\n  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) return undefined;\n  return trimmed;\n}\n\nexport function sharedVaultKey(name: string): string | undefined {\n  const normalized = normalizeSharedVaultName(name);\n  return normalized ? `${SHARED_VAULT_DIR}/${normalized}` : undefined;\n}\n\nfunction sanitizeCloudflareSandboxId(value: string): string {\n  return (\n    value\n      .toLowerCase()\n      .replace(/[^a-z0-9-]+/g, \"-\")\n      .replace(/^-+|-+$/g, \"\") || \"unknown\"\n  );\n}\n\n// ── Types ──────────────────────────────────────────────────────────────────────\n\nexport interface ResolvedVaultMount {\n  source: string;\n  target: string;\n}\n\n/** Resolved vault ready for use at runtime */\nexport interface ResolvedVault {\n  userId: string;\n  displayName: string;\n  /** Absolute path to vault directory */\n  dir: string;\n  /** Absolute mount specs */\n  mounts: ResolvedVaultMount[];\n  /** Parsed from env file */\n  env: Record<string, string>;\n}\n\nexport interface VaultManager {\n  /** Return true when a vault directory exists for this exact key. */\n  hasEntry(key: string): boolean;\n  /** Resolve vault for a user; returns undefined when no directory exists. */\n  resolve(userId: string): ResolvedVault | undefined;\n  /** Get sandbox config with credential injection for a user */\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;\n  /** List all vaults discovered under vaults/. */\n  list(): ResolvedVault[];\n  /** Check if the vaults directory exists. */\n  isEnabled(): boolean;\n  /** Merge environment variables into vaults/<key>/env and persist them to disk. */\n  upsertEnv(key: string, env: Record<string, string>): void;\n  /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;\n  /** List named shared login profiles under vaults/shared/. */\n  listSharedVaults(): string[];\n  /** Delete a shared login profile's directory. Returns true when it existed. */\n  deleteSharedVault(name: string): boolean;\n  /** Copy a shared login profile's files into another vault directory. */\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number };\n}\n\n// ── parseEnvFile ───────────────────────────────────────────────────────────────\n\n/**\n * Parse a KEY=VALUE env file. Supports:\n * - Lines starting with # are comments\n * - Empty lines are skipped\n * - Values can be quoted with single or double quotes (quotes are stripped)\n * - No variable expansion\n * - The value is everything after the first `=` to end of line (no inline comments)\n */\nexport function parseEnvFile(content: string): Record<string, string> {\n  const env: Record<string, string> = {};\n  const lines = content.replace(/\\r\\n/g, \"\\n\").replace(/\\r/g, \"\\n\").split(\"\\n\");\n\n  for (const line of lines) {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) continue;\n\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (!key) continue;\n\n    let value = trimmed.slice(eqIndex + 1);\n\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    env[key] = value;\n  }\n\n  return env;\n}\n\n// ── FileVaultManager ───────────────────────────────────────────────────────────\n\nexport class FileVaultManager implements VaultManager {\n  private readonly vaultsDir: string;\n\n  constructor(stateDir: string) {\n    this.vaultsDir = join(stateDir, \"vaults\");\n  }\n\n  isEnabled(): boolean {\n    return existsSync(this.vaultsDir);\n  }\n\n  hasEntry(key: string): boolean {\n    return existsSync(join(this.vaultsDir, key));\n  }\n\n  listSharedVaults(): string[] {\n    const sharedDir = join(this.vaultsDir, SHARED_VAULT_DIR);\n    if (!existsSync(sharedDir)) return [];\n    return readdirSync(sharedDir, { withFileTypes: true })\n      .filter((entry) => entry.isDirectory() && normalizeSharedVaultName(entry.name) === entry.name)\n      .map((entry) => entry.name)\n      .toSorted((left, right) => left.localeCompare(right));\n  }\n\n  deleteSharedVault(name: string): boolean {\n    const key = sharedVaultKey(name);\n    if (!key) throw new Error(`vault: invalid shared login name: ${name}`);\n    const dir = join(this.vaultsDir, key);\n    const existed = existsSync(dir);\n    rmSync(dir, { recursive: true, force: true });\n    return existed;\n  }\n\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number } {\n    const sourceKey = sharedVaultKey(name);\n    if (!sourceKey) throw new Error(`vault: invalid shared login name: ${name}`);\n    const sourceDir = join(this.vaultsDir, sourceKey);\n    if (!existsSync(sourceDir)) throw new Error(`vault: shared login \"${name}\" does not exist`);\n\n    const targetDir = join(this.vaultsDir, targetKey);\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(targetDir);\n    return copyVaultDir(sourceDir, targetDir);\n  }\n\n  resolve(userId: string): ResolvedVault | undefined {\n    const dir = join(this.vaultsDir, userId);\n    if (!existsSync(dir)) return undefined;\n    return this.buildResolved(userId);\n  }\n\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig {\n    if (baseConfig.type === \"cloudflare\") {\n      return {\n        type: \"cloudflare\",\n        sandboxId: `${baseConfig.sandboxId}-${sanitizeCloudflareSandboxId(userId)}`,\n      };\n    }\n    return baseConfig;\n  }\n\n  list(): ResolvedVault[] {\n    if (!existsSync(this.vaultsDir)) return [];\n    const keys = new Set<string>();\n    for (const entry of readdirSync(this.vaultsDir, { withFileTypes: true })) {\n      if (entry.isDirectory()) keys.add(entry.name);\n    }\n    return Array.from(keys, (key) => this.buildResolved(key));\n  }\n\n  upsertEnv(key: string, env: Record<string, string>): void {\n    const dir = join(this.vaultsDir, key);\n    const envPath = join(dir, \"env\");\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const existingContent = readTextFileIfExists(envPath);\n    const existing = existingContent ? parseEnvFile(existingContent) : {};\n    const merged = { ...existing, ...env };\n    const content =\n      Object.entries(merged)\n        .toSorted(([left], [right]) => left.localeCompare(right))\n        .map(([envKey, value]) => `${envKey}=${value}`)\n        .join(\"\\n\") + \"\\n\";\n    atomicWritePrivateFile(envPath, content);\n  }\n\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void {\n    const normalizedPath = normalizeVaultRelativePath(relativePath);\n    if (!normalizedPath || (targetPath !== undefined && !normalizeVaultTargetPath(targetPath))) {\n      throw new Error(`vault: invalid relative secret file path for \"${key}\": ${relativePath}`);\n    }\n\n    const dir = join(this.vaultsDir, key);\n    const filePath = join(dir, normalizedPath);\n\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const parentDir = dirname(filePath);\n    if (parentDir !== dir) ensurePrivateDir(parentDir);\n    if (existsSync(filePath)) {\n      writeFileSync(filePath, content, { mode: 0o600 });\n      chmodSync(filePath, 0o600);\n    } else {\n      atomicWritePrivateFile(filePath, content);\n    }\n  }\n\n  // ── private ────────────────────────────────────────────────────────────────\n\n  private buildResolved(key: string): ResolvedVault {\n    const dir = join(this.vaultsDir, key);\n    const mounts = inferMountsFromDir(dir);\n\n    let env: Record<string, string> = {};\n    const envContent = readTextFileIfExists(join(dir, \"env\"));\n    if (envContent !== undefined) {\n      try {\n        env = parseEnvFile(envContent);\n      } catch (err) {\n        console.error(`vault: failed to parse env file for \"${key}\":`, err);\n        reportUserFacingError(err, {\n          domain: \"sandbox\",\n          surface: \"vault_injection\",\n          operation: \"parse_env\",\n          severity: \"warning\",\n          context: { vaultKey: key, fatal: false },\n        });\n      }\n    }\n\n    return {\n      userId: key,\n      displayName: key,\n      dir,\n      mounts,\n      env,\n    };\n  }\n}\n\nfunction inferMountsFromDir(dir: string): ResolvedVaultMount[] {\n  if (!existsSync(dir)) return [];\n\n  const mounts: ResolvedVaultMount[] = [];\n  for (const entry of readdirSync(dir, { withFileTypes: true })) {\n    if (entry.name === \"env\") continue;\n    const source = join(dir, entry.name);\n    const target = inferredVaultTargetPath(entry.name);\n    if (!target) continue;\n    mounts.push({ source, target });\n  }\n  return mounts;\n}\n\nfunction ensurePrivateDir(path: string): void {\n  mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });\n  chmodSync(path, PRIVATE_DIR_MODE);\n}\n\nfunction copyVaultDir(\n  sourceDir: string,\n  targetDir: string,\n): {\n  filesCopied: number;\n  envKeysCopied: number;\n} {\n  let filesCopied = 0;\n  let envKeysCopied = 0;\n\n  for (const entry of readdirSync(sourceDir, { withFileTypes: true })) {\n    const sourcePath = join(sourceDir, entry.name);\n    const targetPath = join(targetDir, entry.name);\n\n    if (entry.name === \"env\" && entry.isFile()) {\n      const sourceEnv = parseEnvFile(readTextFileIfExists(sourcePath) ?? \"\");\n      const targetEnv = parseEnvFile(readTextFileIfExists(targetPath) ?? \"\");\n      const merged = { ...targetEnv, ...sourceEnv };\n      const content =\n        Object.entries(merged)\n          .toSorted(([left], [right]) => left.localeCompare(right))\n          .map(([envKey, value]) => `${envKey}=${value}`)\n          .join(\"\\n\") + \"\\n\";\n      atomicWritePrivateFile(targetPath, content);\n      envKeysCopied += Object.keys(sourceEnv).length;\n      continue;\n    }\n\n    if (entry.isDirectory()) {\n      ensurePrivateDir(targetPath);\n      const nested = copyVaultDir(sourcePath, targetPath);\n      filesCopied += nested.filesCopied;\n      envKeysCopied += nested.envKeysCopied;\n      continue;\n    }\n\n    if (!entry.isFile()) continue;\n    copyFileSync(sourcePath, targetPath);\n    chmodSync(targetPath, 0o600);\n    filesCopied++;\n  }\n\n  return { filesCopied, envKeysCopied };\n}\n\nfunction normalizeVaultRelativePath(relativePath: string): string | undefined {\n  const trimmed = relativePath.trim();\n  if (!trimmed || isAbsolute(trimmed)) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  if (!normalized || normalized === \".\" || normalized === \"..\" || normalized.startsWith(\"../\")) {\n    return undefined;\n  }\n  return normalized;\n}\n\nfunction normalizeVaultTargetPath(targetPath?: string): string | undefined {\n  if (targetPath === undefined) return undefined;\n\n  const trimmed = targetPath.trim();\n  if (!trimmed || !trimmed.startsWith(\"/\")) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  return normalized.startsWith(\"/\") ? normalized : undefined;\n}\n\nexport function defaultVaultTargetPath(relativePath: string): string {\n  const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\\/+/, \"\");\n  return `/root/${normalized}`;\n}\n\nfunction inferredVaultTargetPath(relativePath: string): string | undefined {\n  const normalized = normalizeVaultRelativePath(relativePath);\n  if (!normalized) return undefined;\n\n  if (normalized === \"gws.json\") {\n    return \"/root/.config/gws/credentials.json\";\n  }\n  if (normalized === \"gcloud-adc.json\") {\n    return \"/root/.config/gcloud/application_default_credentials.json\";\n  }\n  if (normalized === \".ssh\" || normalized.startsWith(\".ssh/\")) {\n    return \"/root/.ssh\";\n  }\n  if (normalized === \".kube\" || normalized.startsWith(\".kube/\")) {\n    return \"/root/.kube\";\n  }\n  if (normalized === \".config/gh\" || normalized.startsWith(\".config/gh/\")) {\n    return \"/root/.config/gh\";\n  }\n\n  return defaultVaultTargetPath(normalized);\n}\n"]}