npm - @general-input/cli - Versions diffs - 0.1.1 → 0.1.3 - Mend

@general-input/cli 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/cli.ts","../src/lib/output.ts","../src/lib/banner.ts","../src/lib/exitCodes.ts","../src/services/SessionContextService.ts","../src/services/AuthService.ts","../src/services/WorkspaceService.ts","../src/services/ExecService.ts","../package.json","../src/lib/version.ts","../src/clients/HttpClient.ts","../src/lib/scrubber.ts","../src/lib/execEnv.ts","../src/services/DiscoveryService.ts","../src/types/config.ts","../src/services/ConfigService.ts","../src/clients/AuthApiClient.ts","../src/clients/WorkspacesApiClient.ts","../src/clients/ExecApiClient.ts","../src/clients/CredentialsApiClient.ts","../src/clients/IntegrationsApiClient.ts","../src/clients/OperationsApiClient.ts","../src/clients/ApiClientFactory.ts","../src/clients/SessionStore.ts","../src/types/session.ts","../src/clients/ConfigStore.ts","../src/clients/BrowserOpener.ts","../src/clients/ChildProcessSpawner.ts","../src/lib/paths.ts","../src/dependencyInjection/clients.ts","../src/dependencyInjection/services.ts","../src/lib/cliErrors.ts","../src/commands/auth/login.ts","../src/commands/auth/logout.ts","../src/commands/auth/status.ts","../src/commands/auth/index.ts","../src/lib/printTable.ts","../src/commands/workspace/list.ts","../src/commands/workspace/switch.ts","../src/commands/workspace/current.ts","../src/commands/workspace/index.ts","../src/commands/exec/bash.ts","../src/commands/exec/index.ts","../src/commands/credential/list.ts","../src/lib/jsonField.ts","../src/commands/credential/get.ts","../src/commands/credential/connect.ts","../src/commands/credential/index.ts","../src/commands/integration/list.ts","../src/commands/integration/get.ts","../src/commands/integration/operations.ts","../src/commands/integration/operation.ts","../src/commands/integration/index.ts","../src/commands/config/get.ts","../src/commands/config/set.ts","../src/commands/config/unset.ts","../src/commands/config/path.ts","../src/commands/config/index.ts","../src/lib/skills.ts","../src/skills/geni.md","../src/commands/skills/install.ts","../src/commands/skills/uninstall.ts","../src/commands/skills/index.ts","../src/commands/doctor.ts","../src/lib/preflight.ts"],"sourcesContent":["import { Command } from 'commander'\nimport { registerAuthCommands } from './commands/auth/index.js'\nimport { registerWorkspaceCommands } from './commands/workspace/index.js'\nimport { registerExecCommands } from './commands/exec/index.js'\nimport { registerCredentialCommands } from './commands/credential/index.js'\nimport { registerIntegrationCommands } from './commands/integration/index.js'\nimport { registerConfigCommands } from './commands/config/index.js'\nimport { registerSkillsCommands } from './commands/skills/index.js'\nimport { registerDoctorCommand } from './commands/doctor.js'\nimport { requireRuntimeDeps } from './lib/preflight.js'\nimport { CLI_VERSION } from './lib/version.js'\nimport { ApiError } from './clients/HttpClient.js'\nimport { printError } from './lib/output.js'\nimport { ExitCode, exit } from './lib/exitCodes.js'\n\n/*\n The CLI entry point. Mounts every subcommand on a single Commander\n * program. Subcommand groups live in `./commands/<noun>/` and export\n * a `registerCommands(program)` function the entry calls.\n /\nconst program = new Command()\n\nprogram\n .name('geni')\n .description(\n 'The agent-facing CLI for General Input. Discover the integrations and credentials the operator has connected, then run shell commands with those credentials injected as env vars by the cloud (audit-logged, output-scrubbed).'\n )\n .version(CLI_VERSION, '-v, --version', 'Print the geni version and exit.')\n .showHelpAfterError()\n // Global flag every subcommand sees. Resolving the actual workspace\n // override lives in each command, having it here makes Commander\n // accept it before subcommand parsing.\n .option(\n '--workspace <slug>',\n 'Override the active workspace for this invocation. Without it, commands run against the workspace set by `geni workspace switch`.'\n )\n\nregisterAuthCommands(program)\nregisterWorkspaceCommands(program)\nregisterExecCommands(program)\nregisterCredentialCommands(program)\nregisterIntegrationCommands(program)\nregisterConfigCommands(program)\nregisterSkillsCommands(program)\nregisterDoctorCommand(program)\n\n// Agent-facing orientation. Shown after the auto-generated commands\n// list on `geni --help` so a fresh agent can read it once and know\n// which command to reach for next without trial-and-error.\nprogram.addHelpText(\n 'after',\n `\nTypical agent flow:\n 1. geni integration list -q \"<keyword>\" find a service\n 2. geni integration operations <service> -q \"...\" find an operation\n 3. geni integration operation <opId> read its reference (env vars, auth header, example). ALWAYS do this before writing a curl\n 4. geni credential list --service <service> find a connected credential\n 5. geni exec bash --cred <id> --reason \"...\" -- '<command>'\n\nDiscovery (steps 1-4) is read-only and free; only step 5 resolves\ncredentials and runs code, audit-logged with the reason you supplied.\n\nFirst time? geni login then geni config get to verify the API URL.\nRun any command with --help for its full reference.`\n)\n\n// Hard-require bash + curl + jq before any real command runs. Skip\n// for `doctor` (which diagnoses these very deps as part of its\n// output) and the help/version surfaces (cosmetic, no shell-out\n// happens). Install script already enforces this; the runtime check\n// catches the case where a dep got uninstalled after geni was set up.\nif (shouldRunPreflight(process.argv)) {\n requireRuntimeDeps()\n}\n\nfunction shouldRunPreflight(argv: string[]): boolean {\n // argv: [node, geni, ...rest]\n const firstArg = argv[2]\n if (!firstArg) return false\n if (firstArg === 'doctor') return false\n if (firstArg === '--help' \|\| firstArg === '-h') return false\n if (firstArg === '--version' \|\| firstArg === '-v') return false\n return true\n}\n\ntry {\n await program.parseAsync(process.argv)\n} catch (err) {\n // The server's cliVersionGate returns HTTP 426 for any CLI below the\n // configured minimum version. Catch it here so the user sees a clean\n // upgrade prompt and a dedicated exit code, instead of a generic\n // unhandled-rejection stack trace. All other errors keep their\n // existing handling path (Commander prints, or the per-command\n // try/catch produces its own output).\n if (err instanceof ApiError && err.status === 426) {\n printError(err.message)\n exit(ExitCode.UpgradeRequired)\n }\n throw err\n}\n","import chalk from 'chalk'\n\n/*\n Print a success line to stdout. Examples: \"✓ Authenticated as ...\",\n * \"✓ Active workspace: acme\". Goes to stdout because it's the command's\n * actual response (visible even when output is piped).\n /\nexport function printSuccess(message: string): void {\n process.stdout.write(`${chalk.green('✓')} ${message}\\n`)\n}\n\n/\n Print a single info line to stdout. Used for secondary info that's\n * still part of the command's response (e.g. \"Session saved to …\").\n /\nexport function printInfo(message: string): void {\n process.stdout.write(`${chalk.dim('·')} ${message}\\n`)\n}\n\n/\n Print a warning to stderr. Doesn't pollute stdout, so JSON pipes\n * stay clean.\n /\nexport function printWarning(message: string): void {\n process.stderr.write(`${chalk.yellow('!')} ${message}\\n`)\n}\n\n/\n Print an error to stderr. Used when a command fails before it even\n * begins to produce its real output.\n /\nexport function printError(message: string): void {\n process.stderr.write(`${chalk.red('✗')} ${message}\\n`)\n}\n\n/\n Pretty-print JSON to stdout. Used for `--json` flags everywhere.\n * No banner, no extra formatting; the response is the entire stdout.\n /\nexport function printJson(value: unknown): void {\n process.stdout.write(JSON.stringify(value, null, 2) + '\\n')\n}\n","import chalk from 'chalk'\nimport type { RunnerSessionFile } from '../types/session.js'\n\n/\n The status banner that prints on every command, on stderr, so the\n * operator always knows what workspace they're operating in.\n \n Suppression rules:\n * - `--json` (caller passes `json: true`) → no banner.\n * - stdout is not a TTY → no banner. An LLM piping our output to\n * `jq`, `grep`, etc., gets clean stdout; banner-on-stderr is\n * still visible to humans.\n * - `NO_GENI_BANNER=1` env var → escape hatch.\n \n Also writes the terminal-window title via OSC-0 so the workspace\n * shows in tab labels. Pure visual extra; ignored by anything that\n * isn't a terminal emulator.\n /\nexport function printBanner(args: {\n session: RunnerSessionFile \| null\n json?: boolean\n workflowId?: string\n workflowName?: string\n}): void {\n if (args.json) return\n if (process.env.NO_GENI_BANNER === '1') return\n if (!process.stdout.isTTY) return\n if (!args.session) return\n\n const ws = args.session.workspace\n const parts = [\n chalk.dim('geni'),\n chalk.dim('·'),\n chalk.dim('workspace:'),\n chalk.cyan(ws.slug),\n ]\n if (args.workflowId) {\n parts.push(\n chalk.dim('·'),\n chalk.dim('workflow:'),\n chalk.cyan(args.workflowId)\n )\n if (args.workflowName) {\n parts.push(chalk.dim(`(${args.workflowName})`))\n }\n }\n\n process.stderr.write(parts.join(' ') + '\\n')\n\n // Terminal title. Best-effort; harmless if the terminal doesn't\n // honor OSC-0.\n const titleParts = [`geni · ${ws.slug}`]\n if (args.workflowId) titleParts.push(args.workflowId)\n process.stderr.write(`\\x1b]0;${titleParts.join(' · ')}\\x07`)\n}\n","/\n Stable exit codes the CLI uses everywhere. Per-command exit-code\n * tables live in each command's docs page under\n * `apps/developer/content/docs/cli/<command>/<sub>.mdx`.\n \n Don't reuse these numbers for command-specific cases without explicit\n * documentation. Each command's reference page can extend the set with\n * its own meanings (e.g. `9` for \"validation failed\" on `workflow save`),\n * but the foundational codes below have project-wide semantics.\n /\nexport const ExitCode = {\n Ok: 0,\n GenericError: 1,\n InvalidArgs: 2,\n NotFound: 4,\n Forbidden: 5,\n ValidationFailed: 9,\n CredentialResolveFailed: 77,\n SessionMissingOrExpired: 78,\n UpgradeRequired: 79,\n Timeout: 124,\n InternalError: 125,\n} as const\n\nexport type ExitCode = (typeof ExitCode)[keyof typeof ExitCode]\n\n/\n Exit the process with the given code. Wrapper exists so test code\n * can intercept it; use this instead of `process.exit` directly.\n /\nexport function exit(code: ExitCode): never {\n process.exit(code)\n}\n","import type { ApiClientFactory, ApiClientBundle } from '../clients/index.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\nimport type { RunnerSessionFile } from '../types/session.js'\nimport { printError } from '../lib/output.js'\nimport { printBanner } from '../lib/banner.js'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\nexport interface AuthedSessionContext {\n session: RunnerSessionFile\n client: ApiClientBundle\n}\n\n/\n One-stop \"give me an authed client\" service for every command that\n * needs the runner-session token loaded and an API-client bundle\n * built against it. Composes `SessionStore` + `ApiClientFactory` so\n * commands depend on this single service rather than reaching for\n * the lower-level clients themselves.\n \n The exit-on-no-session policy lives here too: a missing local\n * session is a uniform \"run `geni login`\" message + exit 78. Commands\n * that want to handle the unauthed case differently (e.g. `geni auth\n * status --json` returning `{ authenticated: false }`) call `load()`\n * directly and branch on the null.\n /\nexport class SessionContextService {\n public constructor(\n private readonly sessionStore: SessionStore,\n private readonly apiClientFactory: ApiClientFactory\n ) {}\n\n /* Read the session file, returning `null` if no session exists. /\n public load(): Promise<RunnerSessionFile \| null> {\n return this.sessionStore.load()\n }\n\n /\n Load the session and build an authed API-client bundle. Exits\n * with code 78 + a \"run `geni login`\" hint when no session exists.\n \n Also prints the workspace banner on stderr (via `printBanner`,\n * which TTY-suppresses + has the `NO_GENI_BANNER` escape hatch),\n * so the operator always sees which workspace the command is\n * targeting before any output appears.\n /\n public async requireAuthed(): Promise<AuthedSessionContext> {\n const session = await this.sessionStore.load()\n if (!session) {\n printError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.'\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n printBanner({ session })\n return {\n session,\n client: this.apiClientFactory.build({\n server: session.server,\n token: session.token,\n }),\n }\n }\n}\n","import { hostname } from 'node:os'\nimport chalk from 'chalk'\nimport type { Cli } from '@packages/api'\nimport type { ApiClientFactory, ApiClientBundle } from '../clients/index.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\nimport type { BrowserOpener } from '../clients/BrowserOpener.js'\nimport type { ConfigService } from './ConfigService.js'\nimport type { RunnerSessionFile } from '../types/session.js'\nimport { printSuccess, printInfo, printError } from '../lib/output.js'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\nexport interface LoginArgs {\n /* Override the API base URL for this login (also persists in the session). /\n server?: string\n /* Optional workspace slug to bind the session to after the dashboard picks. /\n workspace?: string\n}\n\nexport interface StatusResult {\n authenticated: true\n user: { id: string; email: string \| null; name: string \| null }\n workspace: Cli.WorkspaceSummary\n server: string\n}\n\n/\n Owns the runner-session lifecycle: device-code login flow, server-\n * side revoke + local file delete on logout, validation hit on\n * `auth status`. Composes the clients (api-client factory, session\n * store, browser opener) rather than reaching for `fetch` or `fs`\n * itself.\n \n The login flow has user-visible status messages (Opening URL /\n * Approve in browser / Authenticated as ...) that print directly\n * here. Reasonable trade-off: keeping commands purely thin is more\n * important than service purity for CLI surfaces.\n /\nexport class AuthService {\n public constructor(\n private readonly apiClientFactory: ApiClientFactory,\n private readonly sessionStore: SessionStore,\n private readonly browserOpener: BrowserOpener,\n private readonly configService: ConfigService\n ) {}\n\n /\n Run the device-code login flow end-to-end. Mints a runner-session\n * token, saves it locally, and (when `--workspace <slug>` was\n * passed) re-binds the session to a different workspace than the\n * one the dashboard's approval picker chose.\n /\n public async login(args: LoginArgs): Promise<void> {\n const server = this.configService.resolveApiUrl(args.server)\n const client = this.apiClientFactory.build({ server, token: null })\n\n const start = await client.auth.startDeviceCode(buildClientLabel())\n printInfo(`Opening ${chalk.cyan(start.verificationUri)}`)\n printInfo('Approve in your browser to continue.')\n this.browserOpener.open(start.verificationUri)\n\n const result = await this.pollUntilResolved(client, start)\n if (result.status === 'denied') {\n printError(\n 'Login was declined in the browser. Run `geni login` again and click \"Authorize\" on the device-code page.'\n )\n exit(ExitCode.Forbidden)\n }\n if (result.status === 'expired') {\n printError(\n 'Device code expired before the browser approved it (codes live ~10 minutes). Run `geni login` to start a fresh code.'\n )\n exit(ExitCode.GenericError)\n }\n if ('tokenAlreadyConsumed' in result) {\n printError(\n 'Login approved but a parallel `geni login` already consumed the device code (race). Run `geni login` again to mint a new session.'\n )\n exit(ExitCode.GenericError)\n }\n\n await this.sessionStore.save({\n version: 1,\n server,\n token: result.sessionToken,\n user: {\n id: result.me.user.id,\n email: result.me.user.email ?? null,\n name: result.me.user.name ?? null,\n },\n workspace: {\n membershipId: result.me.workspace.membershipId,\n organizationId: result.me.workspace.organizationId,\n slug: result.me.workspace.slug,\n name: result.me.workspace.name,\n role: result.me.workspace.role,\n },\n savedAt: new Date().toISOString(),\n })\n\n if (args.workspace) {\n await this.maybeRebindWorkspace({\n server,\n requestedSlug: args.workspace,\n })\n }\n\n const final = await this.sessionStore.load()\n if (!final) {\n printError(\n 'Session was written to ~/.config/geni/runner-session.json but the file could not be re-read immediately. Check filesystem permissions on ~/.config/geni and re-run `geni login`.'\n )\n exit(ExitCode.InternalError)\n }\n printSuccess(`Authenticated as ${final.user.email ?? final.user.id}`)\n printSuccess(\n `Active workspace: ${final.workspace.slug} (${final.workspace.name})`\n )\n printInfo('Session saved to ~/.config/geni/runner-session.json')\n }\n\n /\n Revoke the runner session server-side and delete the local file.\n * The local file is removed even if the server-side revoke fails:\n * the operator running `geni logout` should never be left with a\n * token they think is gone but is still on disk.\n /\n public async logout(): Promise<void> {\n const session = await this.sessionStore.load()\n if (!session) {\n printInfo('No active session.')\n return\n }\n try {\n const client = this.apiClientFactory.build({\n server: session.server,\n token: session.token,\n })\n await client.auth.logout()\n printSuccess('Session revoked.')\n } catch (error) {\n const message = error instanceof Error ? error.message : String(error)\n printInfo(`Server revoke failed: ${message}`)\n printInfo('Removing local session anyway.')\n }\n await this.sessionStore.delete()\n printSuccess('Removed ~/.config/geni/runner-session.json')\n }\n\n /\n Verify the active session by hitting `/cli/auth/me`. Returns the\n * resolved status when the session is valid, or `null` when no\n * local session exists. Stale-session failures throw `ApiError(401)`\n * so commands can map them to exit code 78 with the same\n * \"run `geni login`\" hint as the no-session path.\n /\n public async status(): Promise<StatusResult \| null> {\n const session = await this.sessionStore.load()\n if (!session) return null\n const client = this.apiClientFactory.build({\n server: session.server,\n token: session.token,\n })\n const me = await client.auth.me()\n return {\n authenticated: true,\n user: {\n id: me.user.id,\n email: me.user.email ?? null,\n name: me.user.name ?? null,\n },\n workspace: me.workspace,\n server: session.server,\n }\n }\n\n /\n Re-bind the active session to a different workspace by slug. Used\n * by `geni login --workspace <slug>` after the dashboard's approval\n * picker chose a different workspace than the operator wanted.\n /\n private async maybeRebindWorkspace(args: {\n server: string\n requestedSlug: string\n }): Promise<void> {\n const session = await this.sessionStore.load()\n if (!session) return\n if (args.requestedSlug === session.workspace.slug) return\n\n const client = this.apiClientFactory.build({\n server: args.server,\n token: session.token,\n })\n const list = await client.workspaces.list()\n const target = list.workspaces.find((w) => w.slug === args.requestedSlug)\n if (!target) {\n const available = list.workspaces.map((w) => w.slug).join(', ') \|\| 'none'\n printError(\n `No workspace with slug \"${args.requestedSlug}\" on this account. Available: [${available}]. Re-run \\`geni login --workspace <slug>\\` with one of those.`\n )\n exit(ExitCode.NotFound)\n }\n const me = await client.workspaces.switch(target.membershipId)\n await this.persistSwitch({ session, me })\n }\n\n private async persistSwitch(args: {\n session: RunnerSessionFile\n me: Cli.MeResponse\n }): Promise<void> {\n await this.sessionStore.save({\n ...args.session,\n workspace: {\n membershipId: args.me.workspace.membershipId,\n organizationId: args.me.workspace.organizationId,\n slug: args.me.workspace.slug,\n name: args.me.workspace.name,\n role: args.me.workspace.role,\n },\n user: {\n id: args.me.user.id,\n email: args.me.user.email ?? args.session.user.email,\n name: args.me.user.name ?? args.session.user.name,\n },\n savedAt: new Date().toISOString(),\n })\n }\n\n /\n Poll the device-code endpoint until status flips to a terminal\n * value, or until the device code itself expires server-side. The\n * `pending` variant is normalized away here — callers only see\n * approved / denied / expired.\n /\n private async pollUntilResolved(\n client: ApiClientBundle,\n start: Cli.DeviceCodeStartResponse\n ): Promise<Exclude<Cli.DeviceCodePollResponse, { status: 'pending' }>> {\n const intervalMs = start.intervalSeconds 1000\n const expiresAtMs = Date.parse(start.expiresAt)\n const hardDeadline = expiresAtMs + 30_000\n while (Date.now() < hardDeadline) {\n await sleep(intervalMs)\n const status = await client.auth.pollDeviceCode(start.userCode)\n if (status.status === 'pending') continue\n return status\n }\n return { status: 'expired' }\n }\n}\n\n/*\n Human-readable client label so the operator can recognize the\n * approval request on the dashboard. The user-agent the CLI sends is\n * the source of truth; this is just a friendly one-liner.\n /\nfunction buildClientLabel(): string {\n return `geni CLI on ${hostname()}`\n}\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms))\n}\n","import type { Cli } from '@packages/api'\nimport type { SessionContextService } from './SessionContextService.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\n\n/\n Owns workspace-context operations: listing the workspaces the\n * authenticated account belongs to, switching the active one, and\n * reading the current pointer from the local session cache.\n \n Returns plain data; commands handle the table / JSON / single-value\n * output formatting. Mirrors how the server's services return DTOs\n * and routers serialize them.\n /\nexport class WorkspaceService {\n public constructor(\n private readonly sessionContext: SessionContextService,\n private readonly sessionStore: SessionStore\n ) {}\n\n /* Server-side list of every workspace the account belongs to. /\n public async list(): Promise<Cli.WorkspacesResponse> {\n const { client } = await this.sessionContext.requireAuthed()\n return client.workspaces.list()\n }\n\n /\n Switch the active workspace. Re-points the runner session\n * server-side and updates the local cached pointer so subsequent\n * commands operate against the new workspace.\n \n Returns:\n * - `{ kind: 'switched', workspace }` on success,\n * - `{ kind: 'no-change', workspace }` when the requested target\n * is already the active one (lets the command print a friendly\n * message without an unnecessary network round-trip),\n * - `{ kind: 'not-found', requestedSlug }` when the slug isn't\n * in the user's accessible workspaces. Commands map this to\n * exit code 4.\n /\n public async switch(args: { membershipId: string }): Promise<Cli.MeResponse> {\n const { client } = await this.sessionContext.requireAuthed()\n const me = await client.workspaces.switch(args.membershipId)\n await this.sessionStore.updateActiveWorkspace({\n membershipId: me.workspace.membershipId,\n organizationId: me.workspace.organizationId,\n slug: me.workspace.slug,\n name: me.workspace.name,\n role: me.workspace.role,\n })\n return me\n }\n\n /\n Read the active workspace from the local session cache (no\n * network round-trip). Returns `null` when no session is loaded;\n * the command renders the unauthenticated case.\n /\n public async current(): Promise<{\n workspace: Cli.WorkspaceSummary\n } \| null> {\n const session = await this.sessionStore.load()\n if (!session) return null\n return {\n workspace: {\n membershipId: session.workspace.membershipId,\n organizationId: session.workspace.organizationId,\n slug: session.workspace.slug,\n name: session.workspace.name,\n role: session.workspace.role,\n isActive: true,\n },\n }\n }\n}\n","import chalk from 'chalk'\nimport type { Cli } from '@packages/api'\nimport { ApiError } from '../clients/HttpClient.js'\nimport type { SessionContextService } from './SessionContextService.js'\nimport type { ChildProcessSpawner } from '../clients/ChildProcessSpawner.js'\nimport { Scrubber } from '../lib/scrubber.js'\nimport { buildSafeInheritedEnv } from '../lib/execEnv.js'\nimport { printInfo, printError } from '../lib/output.js'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\nexport interface RunBashArgs {\n /* The bash command to run, passed to `bash -lc` as a single string. /\n command: string\n /* Per-credential `(id, reason)` pairs the agent declared. /\n credentials: Cli.ExecCredentialRequest[]\n /* Working directory for the spawned process. Defaults to cwd. /\n cwd?: string\n /* Suppress geni's per-credential status lines on stderr. /\n quiet?: boolean\n}\n\n/\n Owns the `geni exec bash` flow: resolve credentials server-side\n * under audit, build a deny-by-default env with the resolved env vars,\n * register every secret with a streaming scrubber, then spawn bash via\n * the injected spawner and pipe output back through the scrubber.\n /\nexport class ExecService {\n public constructor(\n private readonly sessionContext: SessionContextService,\n private readonly spawner: ChildProcessSpawner\n ) {}\n\n public async runBash(args: RunBashArgs): Promise<number> {\n const { resolved, scrubber } = await this.resolveAndScrub(\n args.credentials,\n args.quiet\n )\n\n // Deny-by-default env: only the small allowlist of process /\n // locale / terminal vars passes through from the operator's\n // shell. Anything they exported (other tools' tokens, .envrc\n // leaks) gets dropped before we overlay our cloud-resolved creds.\n const env: NodeJS.ProcessEnv = {\n ...buildSafeInheritedEnv(),\n PLATFORM_API_KEY: resolved.platformApiKey,\n PLATFORM_BASE_URL: resolved.platformBaseUrl,\n }\n for (const cred of resolved.credentials) {\n Object.assign(env, cred.envVars)\n }\n\n try {\n return await this.spawner.run({\n command: 'bash',\n args: ['-lc', args.command],\n env,\n cwd: args.cwd,\n scrubber,\n })\n } catch (err) {\n const detail = err instanceof Error ? err.message : String(err)\n printError(\n `Could not spawn \\`bash\\` (${detail}). Verify bash is on $PATH with \\`command -v bash\\`. Credentials were already resolved (audit-logged); the subprocess never started.`\n )\n return ExitCode.InternalError\n }\n }\n\n /\n Resolve credentials, register their secrets with a streaming\n * scrubber, and print per-credential status lines unless quiet.\n * Exits the process on resolve failure (the documented exit codes\n * are a CLI-level contract — there's no useful recovery path above\n * this).\n /\n private async resolveAndScrub(\n credentials: Cli.ExecCredentialRequest[],\n quiet: boolean \| undefined\n ): Promise<{ resolved: Cli.ExecResolveResponse; scrubber: Scrubber }> {\n const { client } = await this.sessionContext.requireAuthed()\n\n let resolved: Cli.ExecResolveResponse\n try {\n resolved = await client.exec.resolve({ credentials })\n } catch (error) {\n if (error instanceof ApiError) {\n const ids = credentials.map((c) => c.id).join(', ') \|\| '(none)'\n if (error.status === 403) {\n // Server says one or more declared credentials aren't\n // accessible (doesn't exist, or membership has no read on it).\n // Server message names the offender; surface that verbatim\n // and tell the agent what to verify.\n printError(\n `Cloud refused credential resolution: ${error.message} Declared ids: [${ids}]. Verify each one with \\`geni credential list\\`.`\n )\n exit(ExitCode.CredentialResolveFailed)\n }\n if (error.status === 401) {\n printError(\n `Runner session is missing or expired: ${error.message} Run \\`geni login\\` to re-authenticate, then retry.`\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n printError(\n `Cloud failed to resolve credentials (HTTP ${error.status}): ${error.message} The subprocess did not start. Retry once before reporting.`\n )\n exit(ExitCode.InternalError)\n }\n throw error\n }\n\n // Register secret values + their common encoded forms with the\n // scrubber so `echo $TOKEN \| base64`-style obfuscation still gets\n // caught. Platform key is short-lived but sensitive — same treatment.\n const scrubber = new Scrubber()\n scrubber.registerWithEncodings({\n credentialId: 'platform',\n value: resolved.platformApiKey,\n })\n for (const cred of resolved.credentials) {\n for (const value of cred.redactionValues) {\n scrubber.registerWithEncodings({\n credentialId: cred.credentialId,\n value,\n })\n }\n }\n\n if (!quiet) this.printResolvedStatusLines(resolved)\n\n return { resolved, scrubber }\n }\n\n /\n Print one stderr status line per resolved credential plus one\n * per cred error. Stays on stderr so stdout remains clean for\n * pipe-friendly subprocess output.\n /\n private printResolvedStatusLines(resolved: Cli.ExecResolveResponse): void {\n for (const cred of resolved.credentials) {\n const envList = Object.keys(cred.envVars).sort().join(', ')\n printInfo(\n `resolved ${chalk.cyan(cred.credentialId)} (${cred.providerTitle}, ${cred.credentialTitle}) → ${envList}`\n )\n }\n for (const err of resolved.errors ?? []) {\n printError(\n `${err.credentialId} (${err.providerTitle}): ${err.message} The subprocess will run without this credential — calls that need it will 401. Re-auth ${err.providerTitle} from the dashboard.`\n )\n }\n }\n}\n","{\n \"name\": \"@general-input/cli\",\n \"version\": \"0.1.1\",\n \"type\": \"module\",\n \"description\": \"The agent-facing CLI for General Input. Authenticate, manage workflows, run bash with operator credentials injected by the cloud.\",\n \"license\": \"SEE LICENSE IN LICENSE\",\n \"homepage\": \"https://docs.generalinput.com/cli\",\n \"keywords\": [\n \"general-input\",\n \"geni\",\n \"cli\",\n \"agent\",\n \"ai\",\n \"automation\"\n ],\n \"engines\": {\n \"node\": \">=20\"\n },\n \"publishConfig\": {\n \"access\": \"public\"\n },\n \"bin\": {\n \"geni\": \"./dist/cli.js\"\n },\n \"files\": [\n \"dist\",\n \"README.md\",\n \"LICENSE\"\n ],\n \"scripts\": {\n \"dev\": \"tsup --watch\",\n \"build\": \"tsup\",\n \"clean\": \"rm -rf dist\",\n \"typecheck\": \"tsc --noEmit\",\n \"lint\": \"eslint . --fix --max-warnings 0\",\n \"format\": \"prettier --write . --ignore-path=../../.prettierignore\",\n \"test\": \"vitest run\",\n \"test:watch\": \"vitest\",\n \"prepublishOnly\": \"pnpm build\"\n },\n \"dependencies\": {\n \"@clack/prompts\": \"^0.7.0\",\n \"chalk\": \"^5.3.0\",\n \"commander\": \"^12.1.0\",\n \"tar\": \"^7.4.3\",\n \"zod\": \"^4.3.6\"\n },\n \"devDependencies\": {\n \"@packages/api\": \"workspace:\",\n \"@packages/eslint-config\": \"workspace:\",\n \"@packages/typescript-config\": \"workspace:\",\n \"@types/node\": \"^24.12.2\",\n \"@types/tar\": \"^6.1.13\",\n \"eslint\": \"^9.39.4\",\n \"tsup\": \"^8.3.5\",\n \"typescript\": \"^5.9.3\",\n \"vitest\": \"^4.1.5\"\n }\n}\n","import packageJson from '../../package.json' with { type: 'json' }\n\n/*\n Single source of truth for the CLI's version. Drives `geni --version`,\n * the User-Agent header on every API request, and any other place\n * that needs the version string.\n \n The import resolves through `resolveJsonModule: true` in the CLI's\n * tsconfig and gets inlined by tsup at build time, so the bundled\n * binary carries the version as a literal — no runtime fs read.\n \n Bumping the version means editing `apps/cli/package.json` (or running\n * `pnpm version patch` from `apps/cli/`) — the constant follows.\n /\nexport const CLI_VERSION: string = packageJson.version\n","import { CLI_VERSION } from '../lib/version.js'\n\n/\n HTTP transport for the geni CLI. Wraps `fetch` with the runner-\n * session bearer header (when a token is bound), JSON encoding, and\n * uniform error parsing into `ApiError`. Owned by the route-specific\n * clients (`AuthApiClient`, `WorkspacesApiClient`, etc.) which\n * compose this once at construction time.\n \n The client is parameterized by `(server, token)` because the CLI is\n * per-invocation: a single CLI command resolves a server + token from\n * the session file at startup, builds the bundle of API clients via\n * the factory, runs, and exits. There is no long-lived shared client.\n /\n\n/\n User-Agent header sent on every request. The server's\n * `cliVersionGate` middleware parses `geni/X.Y.Z` out of this to\n * decide whether to serve the request or return 426. The trailing\n * platform/arch/node info is informational (lands in server logs)\n * and not part of the gate contract.\n /\nconst USER_AGENT = `geni/${CLI_VERSION} (${process.platform}/${process.arch}; node/${process.versions.node})`\n\nexport class ApiError extends Error {\n public constructor(\n message: string,\n public readonly status: number,\n public readonly body: unknown\n ) {\n super(message)\n this.name = 'ApiError'\n }\n}\n\nexport interface RequestOptions {\n method?: 'GET' \| 'POST' \| 'PUT' \| 'PATCH' \| 'DELETE'\n body?: unknown\n signal?: AbortSignal\n}\n\nexport class HttpClient {\n public constructor(\n private readonly server: string,\n private readonly token: string \| null\n ) {}\n\n /\n Fetch a JSON endpoint. Caller owns the response shape via the\n * generic; the wrapper returns the parsed JSON cast to `T`. Routes\n * that need authentication MUST be reached via a client built with\n * a non-null token; the wrapper does not enforce auth itself, that's\n * the per-route client's job (each can `requireAuthed()` if needed).\n /\n public async fetch<T>(path: string, opts: RequestOptions = {}): Promise<T> {\n const url = `${this.server}${path}`\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n 'User-Agent': USER_AGENT,\n }\n if (this.token !== null) {\n headers['Authorization'] = `Bearer ${this.token}`\n }\n const response = await fetch(url, {\n method: opts.method ?? 'GET',\n headers,\n body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n signal: opts.signal,\n })\n return parseResponse<T>(response)\n }\n\n /* True when this transport carries a bound runner-session token. /\n public get isAuthed(): boolean {\n return this.token !== null\n }\n\n /\n Throw `ApiError(401)` locally when the transport has no token.\n * Per-route clients call this before authed endpoints so a missing\n * session surfaces with the same shape the server would produce for\n * a missing Authorization header, without a network round-trip.\n /\n public requireAuthed(): void {\n if (this.token !== null) return\n throw new ApiError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.',\n 401,\n null\n )\n }\n}\n\nasync function parseResponse<T>(response: Response): Promise<T> {\n const text = await response.text()\n let body: unknown = null\n if (text.length > 0) {\n try {\n body = JSON.parse(text)\n } catch {\n body = text\n }\n }\n if (!response.ok) {\n const errorField =\n body !== null && typeof body === 'object' && 'error' in body\n ? body.error\n : null\n const message =\n typeof errorField === 'string' ? errorField : response.statusText\n throw new ApiError(\n typeof message === 'string' && message.length > 0\n ? message\n : `HTTP ${response.status}`,\n response.status,\n body\n )\n }\n // Same trade-off as every TS fetch wrapper: at this point `body` is\n // runtime-`unknown`; the per-route client's typed return contract\n // is the agent's narrowing layer. Replacing this with per-endpoint\n // Zod parsing is a non-trivial follow-up.\n return body as T\n}\n","/\n Streaming output scrubber for `geni exec`.\n \n Mirrors the server-side `CredentialScrubber` (under\n * `apps/server/src/services/SandboxWorkspace`): every secret value the\n * cloud returned for an exec call gets registered, then `redact()` is\n * called on each chunk of stdout/stderr from the spawned subprocess\n * before it reaches the operator's terminal.\n \n Streaming is the wrinkle. A secret can be split across two chunks\n * (`\"...part1\"` then `\"part2...\"`), so each stream context buffers a\n * tail of length `maxSecretLen - 1` between calls. New chunk = previous\n * tail + new data; we redact the combined string and emit everything\n * except the last `maxSecretLen - 1` chars (which become the next call's\n * tail) so a secret that straddles the boundary still gets caught next\n * time. Final flush at end-of-stream emits whatever's left in the tail.\n \n Two-class model:\n \n - `Scrubber` owns the secret list (`register`, `registerWithEncodings`)\n * and is shared across both stdout and stderr pipes for a given\n * subprocess. One source of truth for \"what's a secret\".\n * - `StreamScrubber` is a per-stream view that holds the rolling\n * tail buffer. The spawner asks the `Scrubber` for one stream\n * scrubber per pipe so stdout and stderr don't fight over the\n * same tail.\n /\n\nexport interface RegisterArgs {\n credentialId: string\n value: string\n}\n\n/\n Minimum secret length we'll register. Anything shorter is too likely\n * to collide with normal output (e.g. \"ok\", \"1\", a 4-letter name) and\n * the over-redaction cure would be worse than the leak. Matches the\n * server scrubber's threshold for parity.\n /\nconst MIN_SECRET_LEN = 8\n\nexport class Scrubber {\n /* Map of secret value → redaction marker. Shared across streams. /\n private readonly redactions = new Map<string, string>()\n /* Length of the longest registered secret. Sets the tail size. /\n private maxLen = 0\n\n public register(args: RegisterArgs): void {\n const { credentialId, value } = args\n if (value.length < MIN_SECRET_LEN) return\n if (this.redactions.has(value)) return\n this.redactions.set(value, `[REDACTED:credential_${credentialId}]`)\n if (value.length > this.maxLen) this.maxLen = value.length\n }\n\n /\n Register the literal secret plus the common encoded forms a child\n * process might emit instead of the raw value: base64, base64url, hex\n * (upper + lower), URL-percent-encoded. Catches the lazy obfuscation\n * class of leak (`echo $TOKEN \| base64`, `echo $TOKEN \| xxd`,\n * `printf '%s' $TOKEN \| jq -R @uri`).\n \n Does not catch determined adversaries: anything that transforms\n * via `tr`, splits below MIN_SECRET_LEN, or exfiltrates over the\n * network is out of scope for an output scrubber. For airtight\n * isolation the plaintext must not enter the child's env at all.\n /\n public registerWithEncodings(args: RegisterArgs): void {\n this.register(args)\n for (const variant of encodingVariants(args.value)) {\n this.register({ credentialId: args.credentialId, value: variant })\n }\n }\n\n /\n Build a per-stream scrubber view. Each stream gets its own rolling\n * tail buffer; the underlying secret list is shared by reference. The\n * spawner calls this twice per child (stdout + stderr) so the two\n * pipes don't clobber each other's tail state.\n /\n public stream(): StreamScrubber {\n return new StreamScrubber(this.redactions, this.maxLen)\n }\n\n /\n Single-shot redaction for callers that have the entire string in\n * hand and don't need the streaming machinery. Useful for tests and\n * for one-off helpers (`apps/server/src/services/SandboxWorkspace`'s\n * non-streaming surfaces). Equivalent to creating a stream, redacting\n * once with `final: true`, and discarding.\n /\n public redact(text: string): string {\n return this.stream().redact(text, { final: true })\n }\n\n /* Test-only: how many secrets are registered. /\n public get size(): number {\n return this.redactions.size\n }\n}\n\n/\n One stream's worth of scrubbing state. The tail buffer holds the\n * last `maxLen - 1` chars between redact calls so a secret straddling\n * a chunk boundary still matches.\n /\nexport class StreamScrubber {\n private tail = ''\n\n public constructor(\n private readonly redactions: Map<string, string>,\n private readonly maxLen: number\n ) {}\n\n /\n Redact a chunk and return the safe-to-emit portion. The trailing\n * `maxLen - 1` chars are buffered for the next call so a secret that\n * straddles the chunk boundary still gets caught.\n \n Pass `final: true` on end-of-stream to flush the buffered tail.\n /\n public redact(chunk: string, opts: { final?: boolean } = {}): string {\n if (this.redactions.size === 0) {\n if (opts.final) {\n const out = this.tail + chunk\n this.tail = ''\n return out\n }\n return chunk\n }\n\n const combined = this.tail + chunk\n const redacted = this.replaceAll(combined)\n\n if (opts.final) {\n this.tail = ''\n return redacted\n }\n\n // Hold back enough chars to catch a secret that crosses the next\n // boundary. `maxLen - 1` is the tightest correct bound: any longer\n // and we'd hold output unnecessarily; any shorter and a secret of\n // length maxLen could split across an unbuffered boundary.\n const holdback = Math.max(0, this.maxLen - 1)\n if (redacted.length <= holdback) {\n this.tail = redacted\n return ''\n }\n const cut = redacted.length - holdback\n this.tail = redacted.slice(cut)\n return redacted.slice(0, cut)\n }\n\n /\n Replace every registered secret in `text`. Iterates longest-first\n * so a superstring secret gets redacted before any of its substrings,\n * which prevents partial overlaps from sneaking through.\n /\n private replaceAll(text: string): string {\n let result = text\n const entries = [...this.redactions.entries()].sort(\n (a, b) => b[0].length - a[0].length\n )\n for (const [value, marker] of entries) {\n if (!result.includes(value)) continue\n result = result.split(value).join(marker)\n }\n return result\n }\n}\n\n/\n Common encoded forms the child process is most likely to produce when\n * an agent tries to obfuscate a secret. Output is deduplicated by the\n * scrubber, so encodings that happen to match the literal (URL-encoding\n * a token with no special chars, base64 of an already-base64 token) are\n * harmless no-ops.\n \n The list is intentionally short. We're catching lazy obfuscation, not\n * a Turing-complete adversary; adding `value.toUpperCase()`,\n * `value.split('').reverse().join('')`, etc. would never end. The cost-\n * effective coverage is the four encodings most CLI tools and one-liner\n * shell pipelines reach for.\n /\nfunction encodingVariants(value: string): string[] {\n const buf = Buffer.from(value, 'utf8')\n return [\n buf.toString('base64'),\n buf.toString('base64url'),\n buf.toString('hex'),\n buf.toString('hex').toUpperCase(),\n encodeURIComponent(value),\n ]\n}\n","/\n Deny-by-default env passthrough for `geni exec` subprocesses.\n \n Without an allowlist, the spawned bash inherits everything in the\n * operator's shell env — anything they happened to `export` before\n * running the CLI. That includes vars from other tools (`AWS_`,\n `GITHUB_TOKEN` from a `.envrc`, secrets pulled by Infisical for the\n * dashboard, etc.). Inheriting them silently is two kinds of bad:\n \n 1. They override our cloud-resolved equivalents in unpredictable\n * ways. The operator runs `geni exec bash --cred slack_prod ...`\n * expecting the prod token, but their shell already has a stale\n * `SLACK_BOT_TOKEN` from yesterday's debugging.\n * 2. They leak data the operator didn't ask the CLI to surface.\n \n The allowlist below is the minimum useful set for a bash session to\n * function — process essentials (`PATH`, `HOME`), locale (`LANG`,\n * `LC_`, `TZ`), terminal capabilities (`TERM`, `COLORTERM`), and\n tempfile location (`TMPDIR`). Anything else gets dropped.\n \n If a real use case turns up that needs more (`SSH_AUTH_SOCK` for\n * `git push`, custom `PYTHONPATH`), add it here with a short comment.\n * Don't add to make a passing test pass — verify the value isn't a\n * source of credential leakage first.\n /\nexport const SAFE_INHERIT_ENV = [\n // Process essentials.\n 'PATH',\n 'HOME',\n 'USER',\n 'LOGNAME',\n 'SHELL',\n 'PWD',\n // Locale.\n 'LANG',\n 'LC_ALL',\n 'LC_CTYPE',\n 'TZ',\n // Terminal capabilities. Without these, color output and TUI\n // programs render garbled.\n 'TERM',\n 'COLORTERM',\n 'LINES',\n 'COLUMNS',\n // Tempfile location.\n 'TMPDIR',\n] as const\n\n/\n Build the env the child process should start with: only the allowed\n * keys from the operator's process.env, nothing else. Caller layers\n * cloud-resolved credential env vars and platform vars on top.\n /\nexport function buildSafeInheritedEnv(): NodeJS.ProcessEnv {\n const out: NodeJS.ProcessEnv = {}\n for (const key of SAFE_INHERIT_ENV) {\n const value = process.env[key]\n if (value !== undefined) out[key] = value\n }\n return out\n}\n","import type { Cli } from '@packages/api'\nimport type { SessionContextService } from './SessionContextService.js'\nimport type { ConfigService } from './ConfigService.js'\nimport type { BrowserOpener } from '../clients/BrowserOpener.js'\n\nexport type ConnectIntent =\n \| { kind: 'open-browser'; url: string }\n \| { kind: 'print-url'; url: string }\n\n/\n Owns credential + integration discovery on top of the API clients.\n * Adds CLI-flavored filtering (`--service`, `--mine`, `-q`) and the\n * ranked-search wrappers, returning plain data so commands can pick\n * table vs JSON vs single-field output.\n \n Also handles `geni credential connect`, which validates the service\n * slug against the integration catalog (server returns 404 for\n * unknown slugs) before sending the operator to the dashboard.\n /\nexport class DiscoveryService {\n public constructor(\n private readonly sessionContext: SessionContextService,\n private readonly browserOpener: BrowserOpener,\n private readonly configService: ConfigService\n ) {}\n\n // ---- credentials ----------------------------------------------------\n\n public async listCredentials(args: {\n service?: string\n mine?: boolean\n query?: string\n }): Promise<Cli.CredentialSummary[]> {\n const { client } = await this.sessionContext.requireAuthed()\n const { credentials } = await client.credentials.list()\n let result = credentials\n if (args.service) {\n result = result.filter((c) => c.service === args.service)\n }\n if (args.mine) {\n result = result.filter((c) => c.isOwnedByViewer)\n }\n if (args.query && args.query.length > 0) {\n result = rankCredentials(result, args.query)\n }\n return result\n }\n\n public async getCredential(id: string): Promise<Cli.CredentialDetail> {\n const { client } = await this.sessionContext.requireAuthed()\n return client.credentials.get(id)\n }\n\n /\n Validate the service slug against the integration catalog (404\n * surfaces the same way `integration get` does, mapped to exit 4\n * by the command), then return the dashboard connect URL the\n * operator should be sent to.\n \n Side effect: if `printUrlOnly` is false, opens the URL in the\n * operator's default browser. The CLI always prints the URL too,\n * so a silent failure to launch a browser still leaves the\n * operator with a clickable link.\n /\n public async connectCredential(args: {\n service: string\n printUrlOnly?: boolean\n }): Promise<ConnectIntent> {\n const { session, client } = await this.sessionContext.requireAuthed()\n await client.integrations.get(args.service) // throws ApiError(404) when unknown\n const url = `${this.configService.resolveDashboardUrl(session.server)}/credentials/connect?service=${encodeURIComponent(args.service)}`\n if (args.printUrlOnly) return { kind: 'print-url', url }\n this.browserOpener.open(url)\n return { kind: 'open-browser', url }\n }\n\n // ---- integrations ---------------------------------------------------\n\n public async listIntegrations(args: {\n type?: string\n query?: string\n }): Promise<Cli.IntegrationSummary[]> {\n const { client } = await this.sessionContext.requireAuthed()\n // Server-side hybrid (pgvector + lexical) search runs when\n // `query` is set; without it, the server returns the full list\n // in catalog order. `--type` is a boolean discriminator that\n // shouldn't mix into the relevance ranking, so we filter\n // client-side after the server answers.\n const { integrations } = await client.integrations.list({\n query: args.query,\n })\n return args.type\n ? integrations.filter((i) => i.credentialType === args.type)\n : integrations\n }\n\n public async getIntegration(service: string): Promise<Cli.IntegrationDetail> {\n const { client } = await this.sessionContext.requireAuthed()\n return client.integrations.get(service)\n }\n\n // ---- operations -----------------------------------------------------\n\n public async listOperations(args: {\n service: string\n query?: string\n }): Promise<Cli.IntegrationOperationSummary[]> {\n const { client } = await this.sessionContext.requireAuthed()\n const { operations } = await client.integrations.listOperations(\n args.service\n )\n if (!args.query \|\| args.query.length === 0) return operations\n return rankOperations(operations, args.query)\n }\n\n /\n Look up one operation. When `service` is provided, hits the\n * service-scoped integrations route; otherwise hits the standalone\n * `/cli/operations/:opId` route which lets the server resolve the\n * service from the id alone.\n /\n public async getOperation(args: {\n service?: string\n opId: string\n }): Promise<Cli.IntegrationOperationDetail> {\n const { client } = await this.sessionContext.requireAuthed()\n return args.service\n ? client.integrations.getOperation({\n service: args.service,\n opId: args.opId,\n })\n : client.operations.getById(args.opId)\n }\n}\n\n/\n Substring-rank credentials. Service slug weighs highest since\n * agents query by capability (\"slack\", \"stripe\") far more often\n * than by title or provider.\n /\nfunction rankCredentials(\n credentials: Cli.CredentialSummary[],\n query: string\n): Cli.CredentialSummary[] {\n const q = query.toLowerCase()\n const scored = credentials.map((c) => {\n let score = 0\n if (c.service.toLowerCase().includes(q)) score += 3\n if (c.providerTitle.toLowerCase().includes(q)) score += 2\n if (c.title.toLowerCase().includes(q)) score += 1\n return { c, score }\n })\n return scored\n .filter((s) => s.score > 0)\n .sort((a, b) => b.score - a.score)\n .map((s) => s.c)\n}\n\n/\n Substring-rank operations. Title weighs higher than description\n * because agents look up an operation by what it does (\"post\n * message\", \"list channels\"), and titles are written for that.\n /\nfunction rankOperations(\n operations: Cli.IntegrationOperationSummary[],\n query: string\n): Cli.IntegrationOperationSummary[] {\n const q = query.toLowerCase()\n const scored = operations.map((op) => {\n let score = 0\n if (op.title.toLowerCase().includes(q)) score += 2\n if (op.description.toLowerCase().includes(q)) score += 1\n return { op, score }\n })\n return scored\n .filter((s) => s.score > 0)\n .sort((a, b) => b.score - a.score)\n .map((s) => s.op)\n}\n","import { z } from 'zod'\n\n/\n Persistent CLI config. Lives at `<configDir>/config.json` and is\n * loaded synchronously on every command start (the file is tiny —\n * ~100 bytes — so the blocking read doesn't cost anything material).\n \n Distinct from the session file:\n * - `runner-session.json` is per-login, holds the auth token + the\n * server URL the token was minted against, lifetime = until logout.\n * - `config.json` is per-machine, holds defaults for fresh logins\n * (which API/dashboard URL to talk to, future settings), lifetime\n * = until the user changes it.\n \n Keys are validated by the Zod schema below; unknown keys are dropped\n * on read so a corrupt or partially-old file behaves like an empty\n * config rather than crashing the CLI.\n /\nexport const CliConfigSchema = z.object({\n version: z.literal(1),\n /\n Override for the cloud API base URL used at fresh `geni login`\n * time. Once a session exists, the URL stored on it takes\n * precedence — switching `apiUrl` after login does NOT reroute\n * existing tokens (the session knows which server minted it).\n /\n apiUrl: z.url().optional(),\n /\n Override for the dashboard base URL used by browser-opening\n * commands (`geni credential connect`). Independent of `apiUrl`\n * because in dev they live on different ports.\n /\n dashboardUrl: z.url().optional(),\n})\n\nexport type CliConfigFile = z.infer<typeof CliConfigSchema>\n\n/\n Keys the user can set via `geni config set <key> <value>`. We keep\n * the camelCase internal representation 1:1 with the file format —\n * one less translation layer to think about — and the CLI accepts\n * exactly these names.\n /\nexport const SETTABLE_CONFIG_KEYS = ['apiUrl', 'dashboardUrl'] as const\nexport type SettableConfigKey = (typeof SETTABLE_CONFIG_KEYS)[number]\n\nconst SETTABLE_CONFIG_KEY_SET: ReadonlySet<string> = new Set(\n SETTABLE_CONFIG_KEYS\n)\n\n/\n Type guard for \"is this an arbitrary string one of the settable\n * config keys?\". Lives here (not in each command) so all three\n * call-sites in `geni config get/set/unset` agree on the same\n * narrowing logic — adding a key to `SETTABLE_CONFIG_KEYS` lights up\n * every consumer at once.\n /\nexport function isSettableConfigKey(key: string): key is SettableConfigKey {\n return SETTABLE_CONFIG_KEY_SET.has(key)\n}\n","import type { ConfigStore } from '../clients/ConfigStore.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\nimport {\n CliConfigSchema,\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n type CliConfigFile,\n type SettableConfigKey,\n} from '../types/config.js'\n\n/\n Compiled-in defaults for the URL resolver chain. Both deliberately\n * reference the prod cloud + dashboard; dev/local-only is reached\n * via env var, config file, or a session minted against a localhost\n * server.\n /\nconst DEFAULT_API_URL = 'https://cloud.generalinput.com'\nconst DEFAULT_DASHBOARD_URL = 'https://web.generalinput.com'\n\n/\n Result of `ConfigService.set`. Discriminated so callers can render\n * different messages for schema-failure vs. session-conflict without\n * string-matching on `error`.\n \n `session_conflict` is specifically the case where the operator is\n * trying to change `apiUrl` while a runner-session is bound to a\n * different server. We refuse the write rather than letting the file\n * drift out of sync with what the CLI is actually doing at runtime.\n /\nexport type ConfigSetResult =\n \| { ok: true }\n \| { ok: false; reason: 'invalid'; error: string }\n \| { ok: false; reason: 'session_conflict'; sessionUrl: string }\n\n/\n Owns everything related to the persistent CLI config:\n \n - the on-disk `config.json` (via `ConfigStore`),\n * - the URL resolver chain (`apiUrl` / `dashboardUrl`),\n * - the file-values view (`fileValues`) used by `geni config get`,\n * - refusing an `apiUrl` change that would conflict with the\n * currently-bound runner-session.\n \n Other services (`AuthService`, `DiscoveryService`) inject this and\n * call `resolveApiUrl(...)` / `resolveDashboardUrl(...)` rather than\n * importing free functions, which lets tests construct an isolated\n * `ConfigService` against a temp `ConfigStore` without dragging in\n * module-level singleton state.\n /\nexport class ConfigService {\n public constructor(\n private readonly configStore: ConfigStore,\n private readonly sessionStore: SessionStore\n ) {}\n\n /\n Resolve the API URL the CLI should talk to. Precedence:\n * 1. The session's stored server (locked at `geni login` time —\n * the auth token was minted on that specific URL).\n * 2. `$GENI_API_URL` env var.\n * 3. `apiUrl` from the persistent config.\n * 4. Compiled-in default.\n \n Callers that have a session loaded should pass `sessionServer`\n * explicitly. The session lock means changing the config after\n * login does NOT retarget existing commands until logout + re-login.\n /\n public resolveApiUrl(sessionServer?: string): string {\n return (\n sessionServer ??\n process.env.GENI_API_URL ??\n this.configStore.loadSync()?.apiUrl ??\n DEFAULT_API_URL\n )\n }\n\n /\n Resolve the dashboard URL for browser-opening commands. Precedence:\n * 1. `$GENI_DASHBOARD_URL` env var.\n * 2. `dashboardUrl` from the persistent config.\n * 3. Inferred from the session's API URL when it points at\n * localhost (dev convenience: API on :4111 → dashboard on :5177).\n * 4. Compiled-in default.\n /\n public resolveDashboardUrl(sessionApiUrl?: string): string {\n if (process.env.GENI_DASHBOARD_URL) return process.env.GENI_DASHBOARD_URL\n const config = this.configStore.loadSync()\n if (config?.dashboardUrl) return config.dashboardUrl\n if (sessionApiUrl?.includes('localhost')) return 'http://localhost:5177'\n return DEFAULT_DASHBOARD_URL\n }\n\n /\n Read what's literally in the persistent config file, with no\n * resolver fallbacks layered on. This is what `set` writes and what\n * `get` should display — symmetric, predictable, no \"I set X, get\n * shows Y\" surprise from a session-locked URL trumping the file.\n \n For \"what URL is the CLI actually hitting right now?\" the answer\n * lives on the session (printed by `geni auth status`); the resolver\n * itself stays in `resolveApiUrl` / `resolveDashboardUrl`.\n /\n public fileValues(): Record<SettableConfigKey, string \| undefined> {\n const file = this.configStore.loadSync()\n return {\n apiUrl: file?.apiUrl,\n dashboardUrl: file?.dashboardUrl,\n }\n }\n\n /\n Write a config value. Validates against the schema; a malformed\n * URL fails loudly here rather than waiting for the next CLI\n * command to crash.\n \n Refuses to change `apiUrl` while a runner-session is bound to a\n * different URL: the session's server is what the CLI actually hits\n * at runtime, so silently letting the file diverge from that would\n * make `geni config set` a lie. The operator must logout (or use\n * `geni login --server <url>`) to switch servers cleanly.\n /\n public async set(args: {\n key: SettableConfigKey\n value: string\n }): Promise<ConfigSetResult> {\n const existing = this.configStore.loadSync() ?? { version: 1 as const }\n const next = { ...existing, [args.key]: args.value }\n const parsed = CliConfigSchema.safeParse(next)\n if (!parsed.success) {\n return {\n ok: false,\n reason: 'invalid',\n error: parsed.error.issues[0]?.message ?? 'failed validation',\n }\n }\n if (args.key === 'apiUrl') {\n const session = await this.sessionStore.load()\n if (session && session.server !== args.value) {\n return {\n ok: false,\n reason: 'session_conflict',\n sessionUrl: session.server,\n }\n }\n }\n await this.configStore.save(parsed.data)\n return { ok: true }\n }\n\n /\n Remove a key. When the last key is removed, the file itself is\n * deleted so `cat $(geni config path)` doesn't show an empty\n * `{ \"version\": 1 }` shell.\n \n Returns whether the key was actually present (lets the command\n * pick \"Unset apiUrl.\" vs \"apiUrl was already unset.\").\n /\n public async unset(args: {\n key: SettableConfigKey\n }): Promise<{ wasSet: boolean }> {\n const existing = this.configStore.loadSync()\n if (!existing \|\| existing[args.key] === undefined) {\n return { wasSet: false }\n }\n const next: CliConfigFile = { version: 1 }\n for (const k of SETTABLE_CONFIG_KEYS) {\n if (k === args.key) continue\n const value = existing[k]\n if (value !== undefined) next[k] = value\n }\n const hasRemainingValues = SETTABLE_CONFIG_KEYS.some(\n (k) => next[k] !== undefined\n )\n if (hasRemainingValues) {\n await this.configStore.save(next)\n } else {\n await this.configStore.delete()\n }\n return { wasSet: true }\n }\n\n /* Absolute path to the config file. /\n public get path(): string {\n return this.configStore.path\n }\n\n /* Re-export the type guard from the types module for convenience. /\n public isSettableKey(key: string): key is SettableConfigKey {\n return isSettableConfigKey(key)\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/auth/` routes:\n POST /cli/auth/device-code\n * POST /cli/auth/device-code/:code/poll\n * GET /cli/auth/me (runner-session authed)\n * POST /cli/auth/logout (runner-session authed)\n \n The device-code routes work without a runner-session token (it's\n * being minted by the flow). `me` and `logout` require one; the\n * transport's `requireAuthed()` throws locally before the request\n * leaves the process when the transport has no token.\n /\nexport class AuthApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async startDeviceCode(\n clientLabel: string\n ): Promise<Cli.DeviceCodeStartResponse> {\n return this.http.fetch('/cli/auth/device-code', {\n method: 'POST',\n body: { clientLabel },\n })\n }\n\n public async pollDeviceCode(\n userCode: string\n ): Promise<Cli.DeviceCodePollResponse> {\n return this.http.fetch(\n `/cli/auth/device-code/${encodeURIComponent(userCode)}/poll`,\n { method: 'POST' }\n )\n }\n\n public async me(): Promise<Cli.MeResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/auth/me')\n }\n\n public async logout(): Promise<void> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/auth/logout', { method: 'POST' })\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/workspaces/` routes:\n GET /cli/workspaces (runner-session authed)\n * POST /cli/workspaces/switch (runner-session authed)\n \n Both routes need a runner-session token; the transport's\n * `requireAuthed()` rejects calls when the transport has no token,\n * mirroring the server's 401 without a network round-trip.\n /\nexport class WorkspacesApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async list(): Promise<Cli.WorkspacesResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/workspaces')\n }\n\n public async switch(membershipId: string): Promise<Cli.MeResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/workspaces/switch', {\n method: 'POST',\n body: { membershipId },\n })\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/exec/` routes:\n POST /cli/exec/resolve (runner-session authed)\n \n Resolves the declared credentials for an exec call. Returns the env\n * vars + scrubber values the CLI applies to the spawned subprocess,\n * plus a fresh PLATFORM_API_KEY / PLATFORM_BASE_URL pair always.\n /\nexport class ExecApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async resolve(\n body: Cli.ExecResolveRequest\n ): Promise<Cli.ExecResolveResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/exec/resolve', {\n method: 'POST',\n body,\n })\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/credentials/` routes:\n GET /cli/credentials (runner-session authed)\n * GET /cli/credentials/:id (runner-session authed)\n \n Discovery-only surface: returns credential metadata + the env var\n * names that get set when each credential is declared on\n * `geni exec bash`. No plaintext secret values; those resolve\n * server-side at exec time.\n /\nexport class CredentialsApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async list(): Promise<Cli.CredentialListResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/credentials')\n }\n\n public async get(id: string): Promise<Cli.CredentialDetail> {\n this.http.requireAuthed()\n return this.http.fetch(`/cli/credentials/${encodeURIComponent(id)}`)\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/integrations/` routes:\n GET /cli/integrations[?q=...] (runner-session authed)\n * GET /cli/integrations/:service (runner-session authed)\n * GET /cli/integrations/:service/operations (runner-session authed)\n * GET /cli/integrations/:service/operations/:opId (runner-session authed)\n \n Hybrid (pgvector + lexical) search runs server-side when the\n * `query` arg is set on `list`. The single-operation lookup that\n * skips the service prefix lives on `OperationsApiClient` (the\n * `/cli/operations/` route family).\n /\nexport class IntegrationsApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async list(args?: {\n query?: string\n }): Promise<Cli.IntegrationListResponse> {\n this.http.requireAuthed()\n const path =\n args?.query && args.query.length > 0\n ? `/cli/integrations?q=${encodeURIComponent(args.query)}`\n : '/cli/integrations'\n return this.http.fetch(path)\n }\n\n public async get(service: string): Promise<Cli.IntegrationDetail> {\n this.http.requireAuthed()\n return this.http.fetch(`/cli/integrations/${encodeURIComponent(service)}`)\n }\n\n public async listOperations(\n service: string\n ): Promise<Cli.IntegrationOperationsListResponse> {\n this.http.requireAuthed()\n return this.http.fetch(\n `/cli/integrations/${encodeURIComponent(service)}/operations`\n )\n }\n\n public async getOperation(args: {\n service: string\n opId: string\n }): Promise<Cli.IntegrationOperationDetail> {\n this.http.requireAuthed()\n return this.http.fetch(\n `/cli/integrations/${encodeURIComponent(args.service)}/operations/${encodeURIComponent(args.opId)}`\n )\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/*\n Wraps the server's `/cli/operations/` routes:\n GET /cli/operations/:opId (runner-session authed)\n \n A separate URL prefix from `/cli/integrations/` because the agent\n sometimes has an operation id without knowing which service it\n * belongs to (e.g. when copy-pasting from a previous transcript). The\n * server resolves the service from the id alone and returns the same\n * `IntegrationOperationDetail` shape as the service-scoped path.\n /\nexport class OperationsApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async getById(opId: string): Promise<Cli.IntegrationOperationDetail> {\n this.http.requireAuthed()\n return this.http.fetch(`/cli/operations/${encodeURIComponent(opId)}`)\n }\n}\n","import { HttpClient } from './HttpClient.js'\nimport { AuthApiClient } from './AuthApiClient.js'\nimport { WorkspacesApiClient } from './WorkspacesApiClient.js'\nimport { ExecApiClient } from './ExecApiClient.js'\nimport { CredentialsApiClient } from './CredentialsApiClient.js'\nimport { IntegrationsApiClient } from './IntegrationsApiClient.js'\nimport { OperationsApiClient } from './OperationsApiClient.js'\n\n/\n The bundle of per-route-prefix clients a service operates against.\n * Built fresh for each (server, token) pair the CLI sees, since a\n * single CLI invocation has exactly one transport configuration.\n /\nexport interface ApiClientBundle {\n auth: AuthApiClient\n workspaces: WorkspacesApiClient\n exec: ExecApiClient\n credentials: CredentialsApiClient\n integrations: IntegrationsApiClient\n operations: OperationsApiClient\n}\n\n/\n Builds `ApiClientBundle`s. The factory itself has no I/O state —\n * `build` is a pure constructor — so the same instance is shared\n * across every service in the DI graph. Services that need an authed\n * transport call `factory.build({ server, token })` once they have a\n * session loaded; services hitting unauthed routes (just the device-\n * code start + poll today) pass `token: null`.\n /\nexport class ApiClientFactory {\n public build(args: {\n server: string\n token: string \| null\n }): ApiClientBundle {\n const http = new HttpClient(args.server, args.token)\n return {\n auth: new AuthApiClient(http),\n workspaces: new WorkspacesApiClient(http),\n exec: new ExecApiClient(http),\n credentials: new CredentialsApiClient(http),\n integrations: new IntegrationsApiClient(http),\n operations: new OperationsApiClient(http),\n }\n }\n}\n","import { mkdir, readFile, writeFile, unlink, chmod } from 'node:fs/promises'\nimport {\n RunnerSessionFileSchema,\n type RunnerSessionFile,\n} from '../types/session.js'\n\n/\n Owns the on-disk runner-session file (`~/.config/geni/runner-session.json`\n * by default; honors `$GENI_CONFIG_DIR`). One instance per CLI process,\n * registered in DI. Constructor takes the resolved file path so the\n * class is testable in isolation — pass a temp path in tests instead\n * of monkeypatching `process.env`.\n \n The file holds the runner-session token, the API URL it was minted\n * against, and a cached active-workspace pointer. Mode 0600 so other\n * users on the box can't read the token.\n /\nexport class SessionStore {\n public constructor(\n private readonly filePath: string,\n private readonly directoryPath: string\n ) {}\n\n /\n Read the file, or `null` if no session exists. Returns `null` for\n * unparseable / schema-invalid files too — corrupt local state\n * shouldn't prevent re-login. The user can rerun `geni login` to\n * write a fresh file over the broken one.\n /\n public async load(): Promise<RunnerSessionFile \| null> {\n let raw: string\n try {\n raw = await readFile(this.filePath, 'utf-8')\n } catch (err) {\n if (isErrnoCode(err, 'ENOENT')) return null\n throw err\n }\n let json: unknown\n try {\n json = JSON.parse(raw)\n } catch {\n return null\n }\n const parsed = RunnerSessionFileSchema.safeParse(json)\n return parsed.success ? parsed.data : null\n }\n\n /\n Persist the session. Creates the config dir if missing and lands\n * mode 0600 on the file. Tightens dir mode to 0700 best-effort —\n * if the chmod fails (e.g. on a CI mount), we continue rather than\n * failing the login outright.\n /\n public async save(session: RunnerSessionFile): Promise<void> {\n await mkdir(this.directoryPath, { recursive: true, mode: 0o700 })\n await chmod(this.directoryPath, 0o700).catch(() => {\n // Best effort. Better to write the session than fail login.\n })\n await writeFile(this.filePath, JSON.stringify(session, null, 2), {\n mode: 0o600,\n })\n }\n\n /\n Delete the session file. Idempotent — missing file is not an error.\n * Used by `geni logout` after server revoke, and as a recovery path\n * when the local file is corrupt or stale.\n /\n public async delete(): Promise<void> {\n try {\n await unlink(this.filePath)\n } catch (err) {\n if (isErrnoCode(err, 'ENOENT')) return\n throw err\n }\n }\n\n /\n Update just the workspace pointer in the session file, used by\n * `geni workspace switch` after the server confirms the membership.\n * Throws if no session exists — the caller must have verified one\n * is loaded before calling this.\n /\n public async updateActiveWorkspace(\n workspace: RunnerSessionFile['workspace']\n ): Promise<void> {\n const current = await this.load()\n if (!current) {\n throw new Error('No active session to update')\n }\n await this.save({\n ...current,\n workspace,\n savedAt: new Date().toISOString(),\n })\n }\n}\n\n/\n Type-guard for `NodeJS.ErrnoException.code === <expected>`. Avoids\n * the `as NodeJS.ErrnoException` cast that the surrounding file rule\n * would flag, while still narrowing safely for both `Error` instances\n * and the bare object form `fs/promises` rejects with on some\n * platforms.\n /\nfunction isErrnoCode(err: unknown, expected: string): boolean {\n if (typeof err !== 'object' \|\| err === null) return false\n if (!('code' in err)) return false\n return err.code === expected\n}\n","import { z } from 'zod'\n\n/\n Local session file written to ~/.config/geni/runner-session.json on\n * `geni login` and read by every authenticated command.\n \n `server` is the API base URL the session was minted against. Stored\n * here (not just in $GENI_API_URL) so the CLI keeps talking to the\n * same cloud the user authenticated with, even if they later set the\n * env var to something else.\n \n `workspace` is the locally-cached active-workspace pointer. Server-\n * side state is the source of truth; this cache lets `geni workspace\n * current` and the status banner avoid a roundtrip on every call.\n /\nexport const RunnerSessionFileSchema = z.object({\n version: z.literal(1),\n server: z.url(),\n /* Plaintext runner-session token (`geni_rs_…`). /\n token: z.string().startsWith('geni_rs_'),\n user: z.object({\n id: z.string(),\n email: z.string().nullable(),\n name: z.string().nullable(),\n }),\n workspace: z.object({\n membershipId: z.string(),\n organizationId: z.string(),\n slug: z.string(),\n name: z.string(),\n role: z.string(),\n }),\n /* ISO 8601 — when the file was last written by login or workspace switch. /\n savedAt: z.string(),\n})\n\nexport type RunnerSessionFile = z.infer<typeof RunnerSessionFileSchema>\n","import { readFileSync } from 'node:fs'\nimport { mkdir, writeFile, unlink } from 'node:fs/promises'\nimport { dirname } from 'node:path'\nimport { CliConfigSchema, type CliConfigFile } from '../types/config.js'\n\n/\n Owns the on-disk persistent CLI config (`~/.config/geni/config.json`\n * by default; honors `$GENI_CONFIG_DIR`). One instance per CLI process,\n * registered in DI. Constructor takes the resolved file path so the\n * class is testable without env munging.\n \n `loadSync` is deliberate: the file is ~100 bytes and the URL\n * resolvers consult it on every command start. An async API would\n * force the entire URL-resolution chain to be async, which the\n * call-site graph doesn't need.\n /\nexport class ConfigStore {\n public constructor(private readonly filePath: string) {}\n\n /\n Read the file synchronously. Returns `null` for any unreadable /\n * corrupt / schema-invalid file so the CLI degrades to defaults\n * instead of crashing on a stale on-disk format.\n /\n public loadSync(): CliConfigFile \| null {\n let raw: string\n try {\n raw = readFileSync(this.filePath, 'utf8')\n } catch {\n return null\n }\n let json: unknown\n try {\n json = JSON.parse(raw)\n } catch {\n return null\n }\n const parsed = CliConfigSchema.safeParse(json)\n return parsed.success ? parsed.data : null\n }\n\n /\n Persist the config. Creates the directory if missing. Mode 0644:\n * config is non-secret, unlike the session file.\n /\n public async save(config: CliConfigFile): Promise<void> {\n await mkdir(dirname(this.filePath), { recursive: true })\n await writeFile(this.filePath, JSON.stringify(config, null, 2) + '\\n', {\n mode: 0o644,\n })\n }\n\n /\n Delete the config file. Idempotent — succeeds silently when the\n * file doesn't exist (the user's intent is \"ensure no config\",\n * not \"the file definitely existed\").\n /\n public async delete(): Promise<void> {\n try {\n await unlink(this.filePath)\n } catch (err) {\n if (\n typeof err === 'object' &&\n err !== null &&\n 'code' in err &&\n err.code === 'ENOENT'\n ) {\n return\n }\n throw err\n }\n }\n\n /* Path the file would be at, regardless of whether it exists. /\n public get path(): string {\n return this.filePath\n }\n}\n","import { spawn } from 'node:child_process'\n\n/\n Best-effort browser opener for flows that bounce the operator into\n * the dashboard (`geni login`, `geni credential connect`).\n \n Failure modes are handled by the caller, not here: the CLI always\n * prints the URL to stdout/stderr first, so even a silent failure to\n * launch a browser leaves the operator with a clickable / pasteable\n * link. The class never throws; `open()` returns whether the spawn\n * call succeeded but most callers ignore the result.\n \n One instance per CLI process, registered in DI. Stateless, so\n * sharing the singleton is the obvious right call.\n /\nexport class BrowserOpener {\n public open(url: string): boolean {\n const cmd = openerCommandForPlatform()\n try {\n const child = spawn(cmd, [url], { stdio: 'ignore', detached: true })\n child.unref()\n return true\n } catch {\n // ignore — caller has already printed the URL as a fallback\n return false\n }\n }\n}\n\nfunction openerCommandForPlatform(): string {\n switch (process.platform) {\n case 'darwin':\n return 'open'\n case 'win32':\n return 'start'\n default:\n return 'xdg-open'\n }\n}\n","import { spawn } from 'node:child_process'\nimport type { Scrubber, StreamScrubber } from '../lib/scrubber.js'\n\n/\n Owns the `child_process.spawn` machinery for `geni exec`:\n \n - inherits stdin (so the subprocess can read piped input),\n * - pipes stdout + stderr through a scrubber that replaces\n * registered secret values with [REDACTED:credential_<id>]\n * before they reach the operator's terminal,\n * - forwards SIGINT / SIGTERM from the parent so Ctrl-C tears the\n * child down cleanly,\n * - resolves with the child's exit code, mapping signal-kills to\n * the conventional 128+signum.\n \n Subprocess-agnostic — `command + args` is the full spawn input, so\n * `bash -lc <user-command>` (`runBash`) and `node <runner.mjs>`\n * (`runScript`) share the same plumbing.\n /\n\nexport interface SpawnArgs {\n command: string\n args: string[]\n env: NodeJS.ProcessEnv\n cwd?: string\n scrubber: Scrubber\n /\n Optional tap on the redacted stdout stream. Fires once per chunk\n * the spawner writes to `process.stdout`, with the same already-\n * scrubbed bytes. `geni exec script` uses this to capture the\n * harness's JSONL output for parsing (exit-code derivation, error-\n * line detection) without a second pipe through the scrubber.\n * `geni exec bash` doesn't pass it.\n /\n onStdoutChunk?: (chunk: string) => void\n}\n\nexport class ChildProcessSpawner {\n /\n Run `command` with `args` and return the child's exit code. Pipes\n * stdout + stderr through `scrubber` before forwarding to the\n * parent process's streams.\n /\n public async run(args: SpawnArgs): Promise<number> {\n const child = spawn(args.command, args.args, {\n env: args.env,\n cwd: args.cwd ?? process.cwd(),\n stdio: ['inherit', 'pipe', 'pipe'],\n })\n\n // Track the scrubber-tail flushes so we don't resolve `run()`\n // before the last bytes have been emitted. Without this the\n // child's `exit` event can fire before `stdout`/`stderr` have\n // delivered their final chunks (and thus their `end` event),\n // which means the tail-buffered redaction marker never reaches\n // the parent's stream.\n // One stream-scrubber per pipe so stdout and stderr have their\n // own tail buffer. Sharing a single scrubber's tail across both\n // pipes is a bug: whichever stream's `end` fires first claims\n // the buffered tail, even when the redacted payload belongs to\n // the other pipe.\n const stdoutClosed = pipeWithScrubbing(\n child.stdout!,\n process.stdout,\n args.scrubber.stream(),\n args.onStdoutChunk\n )\n const stderrClosed = pipeWithScrubbing(\n child.stderr!,\n process.stderr,\n args.scrubber.stream()\n )\n\n const forwardSignal = (signal: NodeJS.Signals): void => {\n if (!child.killed) child.kill(signal)\n }\n process.on('SIGINT', forwardSignal)\n process.on('SIGTERM', forwardSignal)\n\n try {\n const exitCode = await new Promise<number>((resolve, reject) => {\n child.once('exit', (code, signal) => {\n if (code !== null) resolve(code)\n else if (signal !== null) resolve(128 + signalNumber(signal))\n else resolve(1)\n })\n child.once('error', (err) => reject(err))\n })\n // Wait for both stdio streams to finish flushing through the\n // scrubber. A stream that never opened still resolves cleanly\n // because `pipeWithScrubbing` resolves on its `end` event.\n await Promise.all([stdoutClosed, stderrClosed])\n return exitCode\n } finally {\n process.removeListener('SIGINT', forwardSignal)\n process.removeListener('SIGTERM', forwardSignal)\n }\n }\n}\n\n/\n Pipe a child's output through the scrubber to a destination. Buffers\n * across chunk boundaries so secrets that straddle boundaries still\n * match. Flushes the scrubber's tail on stream end so trailing bytes\n * don't get swallowed.\n \n Returns a promise that resolves once the source emits `end` and the\n * tail flush has been written. Caller awaits this before resolving\n * the parent `run()` promise so the last bytes always reach the\n * parent's stream before exit.\n /\nfunction pipeWithScrubbing(\n source: NodeJS.ReadableStream,\n dest: NodeJS.WritableStream,\n scrubber: StreamScrubber,\n onChunk?: (chunk: string) => void\n): Promise<void> {\n return new Promise<void>((resolve) => {\n let flushed = false\n const emit = (chunk: string): void => {\n if (chunk.length === 0) return\n dest.write(chunk)\n onChunk?.(chunk)\n }\n const finishOnce = (): void => {\n if (flushed) return\n flushed = true\n emit(scrubber.redact('', { final: true }))\n resolve()\n }\n source.on('end', finishOnce)\n source.on('close', finishOnce)\n source.on('error', () => {\n flushed = true\n resolve()\n })\n source.setEncoding('utf8')\n source.on('data', (chunk: string) => {\n emit(scrubber.redact(chunk))\n })\n })\n}\n\n/\n Map a signal name to its conventional Unix exit-code suffix\n * (`128 + signum`). Unknown signals fall back to `1`; throwing here\n * would mask the underlying signal-kill from the operator.\n /\nfunction signalNumber(signal: NodeJS.Signals): number {\n const map: Partial<Record<NodeJS.Signals, number>> = {\n SIGHUP: 1,\n SIGINT: 2,\n SIGQUIT: 3,\n SIGKILL: 9,\n SIGTERM: 15,\n }\n return map[signal] ?? 1\n}\n","import { homedir } from 'node:os'\nimport { join } from 'node:path'\n\n/\n XDG-style path helpers. Pure resolvers, no I/O — safe to import\n * from anywhere, including the DI wiring file. Honors the\n * `$GENI_CONFIG_DIR` and `$GENI_CACHE_DIR` env vars so test\n * harnesses (and operators with non-default `$XDG_CONFIG_HOME`\n * setups) can override without monkeypatching.\n /\nexport function configDir(): string {\n return process.env.GENI_CONFIG_DIR ?? join(homedir(), '.config', 'geni')\n}\n\nexport function cacheDir(): string {\n return process.env.GENI_CACHE_DIR ?? join(homedir(), '.cache', 'geni')\n}\n\nexport function sessionFilePath(): string {\n return join(configDir(), 'runner-session.json')\n}\n\nexport function configFilePath(): string {\n return join(configDir(), 'config.json')\n}\n","import {\n ApiClientFactory,\n SessionStore,\n ConfigStore,\n BrowserOpener,\n ChildProcessSpawner,\n} from '../clients/index.js'\nimport { sessionFilePath, configDir, configFilePath } from '../lib/paths.js'\n\n/\n Module-level singletons of every CLI I/O client. Mirrors the\n * server's `apps/server/src/dependencyInjection/clients.ts` — one\n * file is the canonical answer to \"where do these get instantiated?\".\n \n These are intentionally module-level rather than wrapped in a\n * factory function: a CLI process is short-lived, runs one command,\n * and exits. There is no per-request scoping to thread through.\n \n Tests that need to swap an implementation (e.g. a tmp-dir\n * SessionStore for an isolation test) should construct the class\n * directly with the test path; they should not import these.\n /\n\nexport const sessionStore = new SessionStore(sessionFilePath(), configDir())\n\nexport const configStore = new ConfigStore(configFilePath())\n\nexport const apiClientFactory = new ApiClientFactory()\n\nexport const browserOpener = new BrowserOpener()\n\nexport const childProcessSpawner = new ChildProcessSpawner()\n","import {\n SessionContextService,\n AuthService,\n WorkspaceService,\n ExecService,\n DiscoveryService,\n ConfigService,\n} from '../services/index.js'\nimport {\n sessionStore,\n configStore,\n apiClientFactory,\n browserOpener,\n childProcessSpawner,\n} from './clients.js'\n\n/\n Module-level singletons of every CLI service. Mirrors the server's\n * `apps/server/src/dependencyInjection/services.ts`. Wiring order\n * respects dependencies:\n \n `ConfigService` first — owns the URL resolver chain and is\n * composed by Auth + Discovery for `resolveApiUrl` /\n * `resolveDashboardUrl`.\n \n `SessionContextService` next — composed by Workspace + Exec +\n * Discovery for \"give me an authed client\".\n \n Tests that need to swap an implementation should construct the\n * service directly with mocks; they should not import these.\n /\n\nexport const configService = new ConfigService(configStore, sessionStore)\n\nexport const sessionContextService = new SessionContextService(\n sessionStore,\n apiClientFactory\n)\n\nexport const authService = new AuthService(\n apiClientFactory,\n sessionStore,\n browserOpener,\n configService\n)\n\nexport const workspaceService = new WorkspaceService(\n sessionContextService,\n sessionStore\n)\n\nexport const execService = new ExecService(\n sessionContextService,\n childProcessSpawner\n)\n\nexport const discoveryService = new DiscoveryService(\n sessionContextService,\n browserOpener,\n configService\n)\n","import { ApiError } from '../clients/HttpClient.js'\nimport { printError } from './output.js'\nimport { ExitCode, exit } from './exitCodes.js'\n\n/\n Map an arbitrary error caught in a command's `action` handler to\n * the documented CLI exit code, print an actionable message, and exit.\n \n Mapping:\n * - `ApiError` 401 → exit 78 (SessionMissingOrExpired)\n * - `ApiError` 403 → exit 5 (Forbidden)\n * - `ApiError` 404 → exit 4 (NotFound)\n * - `ApiError` 5xx → exit 125 (InternalError)\n * - any other `ApiError` / non-`ApiError` → exit 125\n \n Pass `notFoundMessage` to override the default 404 wording with\n * something domain-specific (e.g. `Credential \"<id>\" not found.`).\n * Omitting it surfaces the server's `error.message` plus a generic\n * \"verify the id\" hint.\n /\nexport function exitOnApiError(\n error: unknown,\n opts: { notFoundMessage?: string } = {}\n): never {\n if (error instanceof ApiError) {\n if (error.status === 404 && opts.notFoundMessage) {\n printError(opts.notFoundMessage)\n exit(ExitCode.NotFound)\n }\n if (error.status === 401) {\n printError(\n `Runner session is missing or expired: ${error.message} Run \\`geni login\\` to re-authenticate, then retry.`\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n if (error.status === 403) {\n printError(\n `Forbidden: ${error.message} Verify the resource id and the active workspace (\\`geni workspace current\\`).`\n )\n exit(ExitCode.Forbidden)\n }\n if (error.status === 404) {\n printError(\n `Not found: ${error.message} Verify the id exists in the active workspace.`\n )\n exit(ExitCode.NotFound)\n }\n if (error.status >= 500) {\n printError(\n `Server error (HTTP ${error.status}): ${error.message} Retry once before reporting.`\n )\n exit(ExitCode.InternalError)\n }\n printError(`Request failed (HTTP ${error.status}): ${error.message}`)\n exit(ExitCode.InternalError)\n }\n printError(\n `Unexpected error: ${error instanceof Error ? error.message : String(error)}`\n )\n exit(ExitCode.InternalError)\n}\n","import { Command } from 'commander'\nimport { authService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\n\ninterface LoginOptions {\n server?: string\n workspace?: string\n}\n\n/\n `geni login` — authenticate via browser device-code flow. Thin\n * handler: parses flags and delegates to `AuthService.login`, which\n * runs the full device-code exchange, saves the session locally, and\n * prints the success summary.\n /\nexport function registerLogin(parent: Command): void {\n parent\n .command('login')\n .description(\n 'Authenticate via browser device-code flow. The CLI prints (and tries to open) a one-time approval URL; the operator picks a workspace in the browser; on approval the CLI saves a runner-session token to ~/.config/geni/runner-session.json. The token is bound to the URL it was minted against, so switching API URL after login requires logout + re-login.'\n )\n .option(\n '--server <url>',\n 'Override the API base URL for this login. Precedence: this flag > $GENI_API_URL > `apiUrl` from `geni config` > https://cloud.generalinput.com. Whatever URL wins is locked into the session file.'\n )\n .option(\n '--workspace <slug>',\n 'After approval, re-bind the session to this workspace slug instead of whatever the dashboard picker chose. Useful in CI / scripted setups where there is no human at the browser.'\n )\n .action(async (opts: LoginOptions) => {\n try {\n await authService.login({\n server: opts.server,\n workspace: opts.workspace,\n })\n } catch (error) {\n exitOnApiError(error)\n }\n })\n}\n","import { Command } from 'commander'\nimport { authService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\n\n/\n `geni logout` — revoke the runner session and remove the local\n * file. Thin handler: delegates to `AuthService.logout` which does\n * a best-effort server revoke and always deletes the local token.\n /\nexport function registerLogout(parent: Command): void {\n parent\n .command('logout')\n .description(\n 'Revoke the runner-session token server-side and delete the local session file (~/.config/geni/runner-session.json). The local file is removed even if the server-side revoke fails. Running `geni logout` should never leave a token the operator thinks is gone still on disk.'\n )\n .action(async () => {\n try {\n await authService.logout()\n } catch (error) {\n exitOnApiError(error)\n }\n })\n}\n","import { Command } from 'commander'\nimport { ApiError } from '../../clients/HttpClient.js'\nimport { authService } from '../../dependencyInjection/services.js'\nimport {\n printError,\n printJson,\n printSuccess,\n printInfo,\n} from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface AuthStatusOptions {\n json?: boolean\n}\n\n/\n Print the active operator and workspace after a `/cli/auth/me`\n * round-trip. Exported separately from the registrar so the parent\n * `geni auth` can run it as a default action when called without a\n * subcommand. The `--json` payload still carries the server URL for\n * scripted callers that need it.\n /\nexport async function executeAuthStatus(\n opts: AuthStatusOptions\n): Promise<void> {\n try {\n const status = await authService.status()\n if (!status) {\n if (opts.json) {\n printJson({ authenticated: false })\n } else {\n printError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.'\n )\n }\n exit(ExitCode.SessionMissingOrExpired)\n }\n if (opts.json) {\n printJson(status)\n exit(ExitCode.Ok)\n }\n printSuccess(`Authenticated as ${status.user.email ?? status.user.id}`)\n printInfo(\n `Active workspace: ${status.workspace.slug} (${status.workspace.name}, ${status.workspace.role})`\n )\n exit(ExitCode.Ok)\n } catch (error) {\n if (error instanceof ApiError && error.status === 401) {\n printError(\n 'Local session token was rejected by the server (revoked, expired, or pointed at a different server). Run `geni login` to mint a fresh session.'\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n const detail = error instanceof Error ? error.message : String(error)\n printError(\n `Failed to verify session: ${detail}. Check that the server is reachable; \\`geni auth status --json\\` shows the bound server URL.`\n )\n exit(ExitCode.InternalError)\n }\n}\n\n/\n `geni auth status` — print the active operator and workspace,\n * after a `/cli/auth/me` round-trip to confirm the session is still\n * valid server-side. Thin handler: branches on `--json` and the\n * no-session / stale-session cases, delegates to `AuthService.status`\n * for the actual fetch.\n /\nexport function registerStatus(parent: Command): void {\n parent\n .command('status')\n .description(\n 'Verify the active session and print operator + active workspace. Hits `/cli/auth/me` to confirm the token is still valid server-side; a stale local session (server revoked, expired) exits 78 with a clear \"run geni login\" message rather than reporting a fake-OK from the local file alone.'\n )\n .option(\n '--json',\n 'Emit a machine-readable JSON object: `{ authenticated, user, workspace, server }`. When unauthenticated, `{ authenticated: false }` is the only field.'\n )\n .action((opts: AuthStatusOptions) => executeAuthStatus(opts))\n}\n","import { Command } from 'commander'\nimport { registerLogin } from './login.js'\nimport { registerLogout } from './logout.js'\nimport { registerStatus, executeAuthStatus } from './status.js'\n\n/\n Registers `geni login`, `geni logout`, `geni auth status` on the\n * top-level program.\n \n `login` and `logout` are top-level for ergonomics — same shape as\n * `gh auth login` and the conventions external developers know.\n * `auth status` is grouped under an `auth` subcommand because there\n * isn't a sensible single verb for \"check status\" at the top level\n * (`geni status` would clash later if we ever add a `status` of\n * something else).\n \n Bare `geni auth` runs `status` as a default action so a quick\n * \"what session am I on?\" works without having to remember the\n * verb. To pass flags (e.g. `--json`), use the explicit subcommand:\n * `geni auth status --json`.\n /\nexport function registerAuthCommands(program: Command): void {\n registerLogin(program)\n registerLogout(program)\n\n const auth = program\n .command('auth')\n .description('Inspect the active CLI session.')\n .action(() => executeAuthStatus({}))\n registerStatus(auth)\n}\n","import chalk from 'chalk'\n\n/\n Column-aligned table printer for `geni <noun> list` default output.\n * Pads each cell to the longest in its column; doesn't try to be\n * clever about wrapping or terminal width — agents and humans both\n * cope with overflow as long as the columns line up.\n \n Optional `markerFn` flags one row as \"active\" (or \"yours\", or any\n * single-row highlight) with a leading `` and recolors that row's\n first cell cyan. `colorFn` lets a caller dim or accent specific\n * cells (typical: ID columns dimmed, slugs cyan).\n \n Headers always render in dim/uppercase. ANSI is stripped\n * automatically when stdout is piped (chalk does this).\n /\n\nexport interface PrintTableOpts {\n out?: NodeJS.WritableStream\n /\n Returns true for the row to highlight. Marks it with a leading\n * `` in the gutter and renders the first cell in cyan. Auto-\n suppressed if every row matches or none do (so the gutter never\n * becomes visual noise).\n /\n markerFn?: (row: string[], index: number) => boolean\n /\n Per-cell color override. Called for every body cell (not headers).\n * Return the cell unchanged to skip styling. Common pattern: dim the\n * ID column with `dimColumn(0)`.\n /\n colorFn?: (cell: string, args: { row: number; col: number }) => string\n}\n\nexport function printTable(\n headers: string[],\n rows: string[][],\n opts: PrintTableOpts = {}\n): void {\n const out = opts.out ?? process.stdout\n const colCount = headers.length\n\n // Pre-compute marker membership and only render the gutter when the\n // marker actually distinguishes a subset. If every row is marked (or\n // none are), the gutter is pure noise — suppress it.\n const markers = opts.markerFn\n ? rows.map((row, i) => opts.markerFn!(row, i))\n : null\n const usesMarker =\n markers !== null && markers.some((m) => m) && !markers.every((m) => m)\n\n const widths = new Array<number>(colCount).fill(0)\n for (let i = 0; i < colCount; i++) widths[i] = headers[i]!.length\n for (const row of rows) {\n for (let i = 0; i < colCount; i++) {\n const len = row[i]?.length ?? 0\n if (len > widths[i]!) widths[i] = len\n }\n }\n\n // Header row — dim, gutter blank when markers are in play.\n const headerCells = headers.map((h, i) =>\n pad(chalk.dim(h), h.length, widths[i]!, i === colCount - 1)\n )\n out.write((usesMarker ? ' ' : '') + headerCells.join(' ') + '\\n')\n\n rows.forEach((row, rowIdx) => {\n const isMarked = usesMarker && markers![rowIdx] === true\n const cells = row.map((raw, i) => {\n const value = raw ?? ''\n let colored = value\n if (isMarked && i === 0) colored = chalk.cyan(value)\n else if (opts.colorFn)\n colored = opts.colorFn(value, { row: rowIdx, col: i })\n return pad(colored, value.length, widths[i]!, i === colCount - 1)\n })\n const gutter = usesMarker ? `${isMarked ? chalk.green('') : ' '} ` : ''\n out.write(gutter + cells.join(' ') + '\\n')\n })\n}\n\n/*\n Pad a (possibly ANSI-colored) cell to the column width, measuring\n * against `rawLen` (the uncolored length) so trailing spaces don't\n * pick up styling and columns still line up.\n /\nfunction pad(\n colored: string,\n rawLen: number,\n width: number,\n isLast: boolean\n): string {\n if (isLast) return colored\n if (rawLen >= width) return colored\n return colored + ' '.repeat(width - rawLen)\n}\n\n/\n Convenience `colorFn`: dim one column. Compose with array-spread or\n * write your own when you need multiple columns styled.\n /\nexport function dimColumn(\n colIndex: number\n): (cell: string, args: { col: number }) => string {\n return (cell, args) => (args.col === colIndex ? chalk.dim(cell) : cell)\n}\n","import { Command } from 'commander'\nimport { workspaceService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printJson } from '../../lib/output.js'\nimport { printTable } from '../../lib/printTable.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface WorkspaceListOptions {\n json?: boolean\n}\n\n/\n Render every workspace the authenticated account belongs to.\n * Exported separately from the registrar so the parent `geni\n * workspace` (and its `workspaces` alias) can invoke it as a\n * default action when called without a subcommand.\n \n Banner is printed centrally by `SessionContextService.requireAuthed`\n * (which `WorkspaceService.list` calls), so this handler doesn't need\n * to print one explicitly.\n /\nexport async function executeWorkspaceList(\n opts: WorkspaceListOptions\n): Promise<void> {\n try {\n const { workspaces } = await workspaceService.list()\n\n if (opts.json) {\n printJson({\n active: workspaces.find((w) => w.isActive)?.slug ?? null,\n workspaces,\n })\n exit(ExitCode.Ok)\n }\n\n if (workspaces.length === 0) {\n process.stdout.write(\n 'No workspaces yet. Create or join one in the dashboard, then re-run.\\n'\n )\n exit(ExitCode.Ok)\n }\n\n printTable(\n ['SLUG', 'NAME', 'ROLE'],\n workspaces.map((w) => [w.slug, w.name, w.role]),\n { markerFn: (_row, i) => workspaces[i]!.isActive }\n )\n exit(ExitCode.Ok)\n } catch (error) {\n exitOnApiError(error)\n }\n}\n\n/\n `geni workspace list` — every workspace the authenticated account\n * belongs to. Thin handler: fetches via `WorkspaceService.list`,\n * renders the table or JSON. The active workspace is marked with ``.\n /\nexport function registerWorkspaceList(parent: Command): void {\n parent\n .command('list')\n .description(\n 'List every workspace the authenticated account belongs to. The active workspace is marked with a `` and rendered in cyan. Server is the source of truth for both the list and the active marker.'\n )\n .option(\n '--json',\n 'Emit `{ active: <slug>, workspaces: [...] }`. Each workspace carries `membershipId`, `organizationId`, `slug`, `name`, `role`, `isActive`.'\n )\n .action((opts: WorkspaceListOptions) => executeWorkspaceList(opts))\n}\n","import { Command } from 'commander'\nimport as p from '@clack/prompts'\nimport type { Cli } from '@packages/api'\nimport {\n workspaceService,\n sessionContextService,\n} from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printSuccess, printInfo, printError } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/*\n `geni workspace switch [slug]` — re-point the runner session at a\n * different workspace. Thin handler: resolves a target by slug or\n * interactive picker, delegates the actual switch to\n * `WorkspaceService.switch`, prints the new active workspace.\n /\nexport function registerWorkspaceSwitch(parent: Command): void {\n parent\n .command('switch')\n .argument(\n '[slug]',\n 'Workspace slug to switch to. Omit for an interactive picker.'\n )\n .description(\n 'Re-point the runner session at a different workspace the same account belongs to. The session token keeps working; only the active-workspace pointer changes server-side and in the local cache. Pass a slug for scriptable use, or omit for an interactive picker (TTY only).'\n )\n .action(async (slug: string \| undefined) => {\n try {\n const { session } = await sessionContextService.requireAuthed()\n const { workspaces } = await workspaceService.list()\n\n const target = slug\n ? findBySlug(workspaces, slug)\n : await pickInteractively({\n workspaces,\n currentMembershipId: session.workspace.membershipId,\n })\n if (!target) return\n\n if (target.membershipId === session.workspace.membershipId) {\n printInfo(`Already on ${target.slug} (${target.name}). No change.`)\n exit(ExitCode.Ok)\n }\n\n const me = await workspaceService.switch({\n membershipId: target.membershipId,\n })\n printSuccess(\n `Active workspace: ${me.workspace.slug} (${me.workspace.name})`\n )\n exit(ExitCode.Ok)\n } catch (error) {\n exitOnApiError(error)\n }\n })\n}\n\nfunction findBySlug(\n workspaces: Cli.WorkspaceSummary[],\n slug: string\n): Cli.WorkspaceSummary {\n const target = workspaces.find((w) => w.slug === slug)\n if (!target) {\n const available = workspaces.map((w) => w.slug).join(', ') \|\| 'none'\n printError(\n `No workspace with slug \"${slug}\" on this account. Available: [${available}]. Pick one of those, or run \\`geni workspace list\\` for the full set with names + roles.`\n )\n exit(ExitCode.NotFound)\n }\n return target\n}\n\n/\n Interactive picker. Returns the chosen workspace, or `undefined` if\n * the user cancelled (in which case we print a hint and exit 0).\n /\nasync function pickInteractively(args: {\n workspaces: Cli.WorkspaceSummary[]\n currentMembershipId: string\n}): Promise<Cli.WorkspaceSummary \| undefined> {\n if (!process.stdin.isTTY) {\n printError(\n 'Interactive picker needs a TTY. Pass a slug: `geni workspace switch <slug>`.'\n )\n exit(ExitCode.GenericError)\n }\n if (args.workspaces.length === 0) {\n printError(\n 'No workspaces on this account. Create or join one in the dashboard before running `geni workspace switch`.'\n )\n exit(ExitCode.NotFound)\n }\n if (args.workspaces.length === 1) {\n printInfo('You only have one workspace; nothing to switch to.')\n exit(ExitCode.Ok)\n }\n\n const choice = await p.select({\n message: 'Pick a workspace',\n initialValue: args.currentMembershipId,\n options: args.workspaces.map((w) => ({\n value: w.membershipId,\n label: `${w.slug} (${w.name})`,\n hint: w.role,\n })),\n })\n if (p.isCancel(choice)) {\n printInfo('Cancelled.')\n return undefined\n }\n return args.workspaces.find((w) => w.membershipId === choice)\n}\n","import { Command } from 'commander'\nimport { workspaceService } from '../../dependencyInjection/services.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface CurrentOptions {\n json?: boolean\n verbose?: boolean\n}\n\n/\n `geni workspace current` — print the active workspace. Thin\n * handler: reads from `WorkspaceService.current` (which uses the\n * local session cache, no network round-trip) and renders.\n /\nexport function registerWorkspaceCurrent(parent: Command): void {\n parent\n .command('current')\n .description(\n \"Print the active workspace's slug. Reads the local session file directly (no network round-trip), so it's safe to use in shell substitutions like `cd ~/repos/$(geni workspace current)`. Use `--verbose` for slug + name + role + id, or `--json` for machine-readable.\"\n )\n .option('--verbose', 'Include name, role, and id alongside the slug.')\n .option(\n '--json',\n 'Emit the workspace record: `{ membershipId, organizationId, slug, name, role }`.'\n )\n .action((opts: CurrentOptions) => {\n // Action wrapper is synchronous-shaped; the async work happens\n // inside `run` so we keep exit-code semantics unchanged.\n void run(opts)\n })\n}\n\nasync function run(opts: CurrentOptions): Promise<void> {\n const current = await workspaceService.current()\n if (!current) {\n if (opts.json) {\n printJson({ authenticated: false })\n } else {\n printError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.'\n )\n }\n exit(ExitCode.SessionMissingOrExpired)\n }\n\n const ws = current.workspace\n if (opts.json) {\n printJson(ws)\n exit(ExitCode.Ok)\n }\n if (opts.verbose) {\n process.stdout.write(`slug: ${ws.slug}\\n`)\n process.stdout.write(`name: ${ws.name}\\n`)\n process.stdout.write(`role: ${ws.role}\\n`)\n process.stdout.write(`id: ${ws.organizationId}\\n`)\n exit(ExitCode.Ok)\n }\n process.stdout.write(`${ws.slug}\\n`)\n exit(ExitCode.Ok)\n}\n","import { Command } from 'commander'\nimport { registerWorkspaceList, executeWorkspaceList } from './list.js'\nimport { registerWorkspaceSwitch } from './switch.js'\nimport { registerWorkspaceCurrent } from './current.js'\n\n/\n `geni workspace` (alias: `workspaces`) — list, switch, inspect.\n \n Bare `geni workspace` / `geni workspaces` runs the list view as a\n * default action. To pass flags (e.g. `--json`), use the explicit\n * subcommand: `geni workspace list --json`. The bare shortcut\n * deliberately accepts no flags so adding a flag tomorrow doesn't\n * silently change shell-piped output.\n /\nexport function registerWorkspaceCommands(program: Command): void {\n const workspace = program\n .command('workspace')\n .alias('workspaces')\n .description(\n \"List the workspaces the operator's account belongs to and switch which one this CLI session targets. The runner-session token is account-scoped; the active workspace pointer determines which org's credentials, integrations, and audit logs every other command operates on.\"\n )\n .action(() => executeWorkspaceList({}))\n registerWorkspaceList(workspace)\n registerWorkspaceSwitch(workspace)\n registerWorkspaceCurrent(workspace)\n}\n","import { Command } from 'commander'\nimport { execService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface BashOptions {\n cred: string[]\n reason: string[]\n cwd?: string\n quiet?: boolean\n}\n\n/\n `geni exec bash` — run `bash -lc <cmd>` with cloud-resolved\n * credentials injected as env vars. Thin handler: validates the\n * `--cred` / `--reason` pairing locally, parses the command from the\n * `--` separator, delegates to `ExecService.runBash`.\n \n `ExecService` owns the resolve + env build + scrubber registration\n * + spawn + scrub + signal-forwarding pipeline. The handler exits\n * with the child's code (or one of the documented CLI codes for\n * arg-validation / cred-resolve / session failures).\n /\nexport function registerExecBash(parent: Command): void {\n parent\n .command('bash')\n .description(\n 'Run `bash -lc <cmd>` locally with cloud-resolved credentials injected as env vars. Output is streamed back through a scrubber that replaces every registered secret with [REDACTED:credential_<id>].'\n )\n .option(\n '--cred <id>',\n 'Credential id to inject. Repeat once per credential; each --cred MUST be followed by exactly one --reason. Pairing is by order: the Nth --cred goes with the Nth --reason. Discover ids via `geni credential list --service <service>`.',\n collect,\n []\n )\n .option(\n '--reason <text>',\n 'Why this credential is being accessed. Lands in the credential access log and is shown to the operator. Re-state on every call; the audit log is per-invocation.',\n collect,\n []\n )\n .option(\n '--cwd <path>',\n 'Working directory for the command. Defaults to your current shell cwd.'\n )\n .option(\n '--quiet',\n \"Suppress geni's `resolved <cred> → ...` status lines on stderr. Subprocess output still passes through, scrubbed.\"\n )\n .allowExcessArguments(true)\n .action(async (opts: BashOptions, command: Command) => {\n try {\n const code = await runExecBash(opts, command.args)\n process.exit(code)\n } catch (error) {\n exitOnApiError(error)\n }\n })\n .addHelpText(\n 'after',\n `\nAlways-injected env vars (no --cred required):\n $PLATFORM_API_KEY short-lived bearer for $PLATFORM_BASE_URL/<service> calls\n $PLATFORM_BASE_URL the cloud's base URL\n\nPer-credential env vars are derived from the integration's secret\nschema, with the credential id as a suffix so two credentials of the\nsame service can coexist: $<SERVICE>_<FIELD>_<id>\nLook up the exact names before constructing the command:\n geni credential get <id> --field envVars # for a known cred\n geni integration get <service> --field envVars # for a service\n\nExamples:\n\n # One credential, simple curl:\n geni exec bash \\\\\n --cred cred_01HX --reason \"Listing Slack channels\" \\\\\n -- 'curl -s -H \"Authorization: Bearer $SLACK_ACCESS_TOKEN_01HX\" https://slack.com/api/conversations.list'\n\n # Multiple credentials, fan-out (suffix keeps them distinct):\n geni exec bash \\\\\n --cred cred_slackA --reason \"Posting to #engineering\" \\\\\n --cred cred_slackB --reason \"Posting to #marketing\" \\\\\n -- 'curl ... $SLACK_ACCESS_TOKEN_SLACKA ... && curl ... $SLACK_ACCESS_TOKEN_SLACKB ...'\n\n # No --cred. Platform service:\n geni exec bash -- 'curl -s -H \"Authorization: Bearer $PLATFORM_API_KEY\" \"$PLATFORM_BASE_URL/v1/web-search\" -d ...'\n\nExit codes:\n 0–125 subprocess's own exit code\n 77 server refused to resolve a credential, don't retry\n 78 runner session missing or expired, run \\`geni login\\`\n 125 internal CLI error\n`\n )\n}\n\nfunction collect(value: string, prev: string[]): string[] {\n return [...prev, value]\n}\n\nasync function runExecBash(\n opts: BashOptions,\n positional: string[]\n): Promise<number> {\n const command = positional.join(' ').trim()\n if (!command) {\n printError(\n 'Missing the bash command. Put it after a literal `--` (flags before `--` belong to geni). Example: `geni exec bash --cred cred_X --reason \"...\" -- \\'curl ...\\'`.'\n )\n exit(ExitCode.InvalidArgs)\n }\n if (opts.cred.length !== opts.reason.length) {\n printError(\n `--cred and --reason must be paired one-to-one (got ${opts.cred.length} --cred and ${opts.reason.length} --reason). Example: \\`--cred cred_A --reason \"...\" --cred cred_B --reason \"...\"\\`.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n return execService.runBash({\n command,\n // Pair-by-index: Commander's `collect` reducer keeps both arrays\n // in declaration order, so opts.cred[i] always corresponds to\n // opts.reason[i].\n credentials: opts.cred.map((id, i) => ({\n id,\n reason: opts.reason[i]!,\n })),\n cwd: opts.cwd,\n quiet: opts.quiet,\n })\n}\n","import { Command } from 'commander'\nimport { registerExecBash } from './bash.js'\n\n/\n `geni exec` — execution primitives. Runs bash commands locally on\n * the operator's machine with credentials resolved by the cloud and\n * injected as env vars. Output is streamed back through a scrubber.\n \n Subcommands:\n * bash — run a bash command with cloud-resolved credentials.\n /\nexport function registerExecCommands(program: Command): void {\n const exec = program\n .command('exec')\n .description(\n \"Run bash locally with the operator's credentials resolved by the cloud and injected as env vars. Plaintext secrets never enter the agent's transcript — output is streamed through a scrubber that redacts every registered secret value.\"\n )\n\n registerExecBash(exec)\n}\n","import { Command } from 'commander'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printJson } from '../../lib/output.js'\nimport { printTable, dimColumn } from '../../lib/printTable.js'\n\nexport interface CredentialListOptions {\n service?: string\n mine?: boolean\n query?: string\n json?: boolean\n}\n\n/\n Render credentials matching the given filters. Exported separately\n * from the registrar so the parent `geni credential` (and its\n * `credentials` alias) can invoke it as a default action.\n /\nexport async function executeCredentialList(\n opts: CredentialListOptions\n): Promise<void> {\n try {\n const credentials = await discoveryService.listCredentials({\n service: opts.service,\n mine: opts.mine,\n query: opts.query,\n })\n\n if (opts.json) {\n printJson({ credentials })\n return\n }\n if (credentials.length === 0) {\n const filterDesc = describeCredentialFilters(opts)\n process.stdout.write(\n filterDesc\n ? `No credentials match (${filterDesc}). Drop filters or run \\`geni credential connect <service>\\` to add one.\\n`\n : 'No credentials connected yet. Connect one with `geni credential connect <service>` (find a service slug with `geni integration list -q <keyword>`).\\n'\n )\n return\n }\n printTable(\n ['ID', 'SERVICE', 'TITLE'],\n credentials.map((c) => [c.id, c.service, c.title]),\n {\n // `` flags the rows you own (auto-suppressed if every row is\n // yours or none are — i.e. the marker only renders when it\n // actually distinguishes a subset).\n markerFn: (_row, i) => credentials[i]!.isOwnedByViewer,\n colorFn: dimColumn(0),\n }\n )\n } catch (error) {\n exitOnApiError(error)\n }\n}\n\n/*\n `geni credential list` — list every credential the runner-session's\n * membership has access to. Thin handler: filters via\n * `DiscoveryService.listCredentials`, renders the table or JSON.\n /\nexport function registerCredentialList(parent: Command): void {\n parent\n .command('list')\n .description(\n 'List credentials the runner session can use (owned, org-shared, or per-credential collaborator). Default columns are id / service / title — for env var names, OAuth scopes, or the full record use `geni credential get <id>` (or `--field <path>` / `--json`).'\n )\n .option(\n '--service <slug>',\n 'Filter to one service (e.g. slack, github, salesforce). Use `geni integration list` to discover slugs.'\n )\n .option(\n '--mine',\n 'Only credentials owned by you. Excludes credentials shared with you via org-grant or collaborator rows.'\n )\n .option(\n '-q, --query <text>',\n 'Substring rank across service, title, and provider name. Service slug weighs highest.'\n )\n .option(\n '--json',\n 'Machine-readable output. Each entry carries `id`, `service`, `envVars`, `grantedScopes`, etc.'\n )\n .action((opts: CredentialListOptions) => executeCredentialList(opts))\n}\n\nfunction describeCredentialFilters(opts: CredentialListOptions): string {\n const parts: string[] = []\n if (opts.service) parts.push(`--service ${opts.service}`)\n if (opts.mine) parts.push('--mine')\n if (opts.query) parts.push(`-q \"${opts.query}\"`)\n return parts.join(' ')\n}\n","/\n Resolve a dotted-path field from a JSON-like value, used by\n * `--field <path>` flags on `geni <noun> get`. Supports object keys\n * and array indices (`fields.0.name`).\n \n Returns `undefined` when any segment of the path doesn't resolve;\n * the caller treats `undefined` as \"not found\" and exits accordingly.\n * Doesn't try to handle bracketed indices (`fields[0].name`) — the\n * dotted form is enough for the agent-facing surface, less ambiguous,\n * and matches how `jq` handles array indices when keys are numeric.\n /\nexport function extractField(\n value: unknown,\n path: string\n): unknown \| undefined {\n const segments = path.split('.').filter((s) => s.length > 0)\n let current: unknown = value\n for (const segment of segments) {\n if (current === null \|\| current === undefined) return undefined\n if (Array.isArray(current)) {\n const idx = Number.parseInt(segment, 10)\n if (Number.isNaN(idx)) return undefined\n current = current[idx]\n } else if (typeof current === 'object') {\n // After the typeof / null / array narrowing above, `current` is\n // a plain object. Reflect.get returns `unknown` and accepts a\n // generic object target, so we don't need a type assertion.\n current = Reflect.get(current, segment)\n } else {\n return undefined\n }\n }\n return current\n}\n\n/\n Stringify a value extracted from a `--field` lookup for terminal\n * output. Strings print bare (no JSON quoting); everything else uses\n * `JSON.stringify` with two-space indentation so structured fields\n * are agent-friendly.\n /\nexport function formatExtractedField(value: unknown): string {\n if (typeof value === 'string') return value\n if (value === null \|\| value === undefined) return ''\n return JSON.stringify(value, null, 2)\n}\n","import { Command } from 'commander'\nimport type { Cli } from '@packages/api'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { extractField, formatExtractedField } from '../../lib/jsonField.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface GetOptions {\n json?: boolean\n field?: string\n}\n\n/\n `geni credential get <id>` — print one credential's full record.\n * Thin handler: fetches via `DiscoveryService.getCredential`, renders\n * the default text view, JSON, or one extracted field.\n /\nexport function registerCredentialGet(parent: Command): void {\n parent\n .command('get')\n .argument('<id>', 'Credential id (e.g. `cred_01HX…`).')\n .description(\n \"Print one credential's full record: env var names, per-field secret/non-secret breakdown, ownership, sharing, scopes. No plaintext secret values are returned. Those resolve server-side at `geni exec bash` time.\"\n )\n .option('--json', 'Machine-readable output (full record).')\n .option(\n '--field <path>',\n 'Print one dotted-path field instead of the whole record. Examples: `envVars`, `grantedScopes`, `service`, `isShared`.'\n )\n .action(async (id: string, opts: GetOptions) => {\n try {\n const detail = await discoveryService.getCredential(id)\n\n if (opts.field) {\n const value = extractField(detail, opts.field)\n if (value === undefined) {\n const topLevel = Object.keys(detail).join(', ')\n printError(\n `Field \"${opts.field}\" is not on the credential record. Top-level fields: [${topLevel}]. Pass a dotted path that exists, or run \\`geni credential get ${id} --json\\` to see the whole shape.`\n )\n exit(ExitCode.NotFound)\n }\n process.stdout.write(formatExtractedField(value) + '\\n')\n return\n }\n if (opts.json) {\n printJson(detail)\n return\n }\n printDefault(detail)\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `No credential with id \"${id}\" in the active workspace. Run \\`geni credential list\\` to find the right id.`,\n })\n }\n })\n}\n\nfunction printDefault(detail: Cli.CredentialDetail): void {\n const out = process.stdout\n out.write(`${detail.id} ${detail.title}\\n`)\n out.write(`provider: ${detail.providerTitle}\\n`)\n out.write(`type: ${detail.credentialType}\\n`)\n out.write(`created: ${detail.createdAt.slice(0, 10)}\\n`)\n out.write(\n `ownership: ${detail.isOwnedByViewer ? 'owned by you' : 'shared with you'}\\n`\n )\n out.write(`shared: ${detail.isShared ? 'yes' : 'no'}\\n\\n`)\n\n out.write('envVars:\\n')\n for (const v of detail.envVars) out.write(` ${v}\\n`)\n out.write('\\n')\n\n if (detail.fields.length > 0) {\n out.write('fields:\\n')\n for (const f of detail.fields) {\n out.write(` ${f.name.padEnd(14)} ${f.isSecret ? 'secret' : 'config'}\\n`)\n }\n out.write('\\n')\n }\n\n if (detail.grantedScopes && detail.grantedScopes.length > 0) {\n out.write(`scopes: ${detail.grantedScopes.join(', ')}\\n`)\n }\n}\n","import { Command } from 'commander'\nimport chalk from 'chalk'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printInfo } from '../../lib/output.js'\n\ninterface ConnectOptions {\n printUrl?: boolean\n noBrowser?: boolean\n}\n\n/\n `geni credential connect <service>` — open the dashboard's connect\n * page for a service. Thin handler: validates the slug + builds the\n * URL via `DiscoveryService.connectCredential`, then prints to\n * stdout. The service handles the actual browser launch for\n * non-`--print-url` invocations.\n /\nexport function registerCredentialConnect(parent: Command): void {\n parent\n .command('connect')\n .argument(\n '<service>',\n 'Service slug (slack, github, …). Use `geni integration list` to discover.'\n )\n .description(\n \"Open the dashboard's authorize page for a service so the operator can connect a new credential. Lightweight by design: no polling, no rendezvous. After the operator finishes in the dashboard, re-run `geni credential list --service <service>` to discover the new credential id.\"\n )\n .option(\n '--print-url',\n \"Don't auto-open the browser; print the URL to stdout. Useful in headless / SSH / CI sessions.\"\n )\n .option('--no-browser', 'Alias for --print-url.')\n .action(async (service: string, opts: ConnectOptions) => {\n try {\n const intent = await discoveryService.connectCredential({\n service,\n // Commander turns `--no-browser` into `noBrowser: false`,\n // so the print-only branch is \"either flag was passed\".\n printUrlOnly: opts.printUrl \|\| opts.noBrowser === false,\n })\n if (intent.kind === 'print-url') {\n process.stdout.write(`${intent.url}\\n`)\n return\n }\n printInfo(`Opening ${chalk.cyan(intent.url)}`)\n printInfo('↳ approve in your browser')\n process.stdout.write(\n `\\nWhen you're done, re-run: geni credential list --service ${service}\\n`\n )\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `Service \"${service}\" not found.`,\n })\n }\n })\n}\n","import { Command } from 'commander'\nimport { registerCredentialList, executeCredentialList } from './list.js'\nimport { registerCredentialGet } from './get.js'\nimport { registerCredentialConnect } from './connect.js'\n\n/\n `geni credential` (alias: `credentials`) — credential discovery\n * (and prompt-the-operator-to-connect). Discovery only — secret\n * values never travel through the CLI surface; declare a credential\n * on a `geni exec` call and the cloud injects the resolved values\n * into the spawned subprocess.\n \n Bare `geni credential` / `geni credentials` runs the list view as\n * a default action. To pass flags (e.g. `--service slack`), use the\n * explicit subcommand: `geni credential list --service slack`.\n /\nexport function registerCredentialCommands(program: Command): void {\n const credential = program\n .command('credential')\n .alias('credentials')\n .description(\n \"Discover the operator's connected credentials and prompt them to connect new ones. Discovery-only: the agent sees credential ids and the env var names that get set when each is declared on `geni exec bash`, never plaintext secrets. Resolution and decryption happen server-side at exec time.\"\n )\n .action(() => executeCredentialList({}))\n\n registerCredentialList(credential)\n registerCredentialGet(credential)\n registerCredentialConnect(credential)\n}\n","import { Command } from 'commander'\nimport chalk from 'chalk'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { printTable } from '../../lib/printTable.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface IntegrationListOptions {\n type?: string\n query?: string\n json?: boolean\n}\n\nconst VALID_TYPES = ['oauth2', 'apiKey', 'platform', 'noAuth'] as const\nconst VALID_TYPE_SET: ReadonlySet<string> = new Set(VALID_TYPES)\n\n/\n Render the integration catalog with the given filters. Exported\n * separately from the registrar so the parent `geni integration`\n * (and its `integrations` alias) can invoke it as a default action.\n /\nexport async function executeIntegrationList(\n opts: IntegrationListOptions\n): Promise<void> {\n if (opts.type && !VALID_TYPE_SET.has(opts.type)) {\n printError(\n `Invalid --type \"${opts.type}\". Valid values: [${VALID_TYPES.join(', ')}]. \\`oauth2\\` and \\`apiKey\\` are user-connected credentials; \\`platform\\` is first-party (uses $PLATFORM_API_KEY); \\`noAuth\\` is a public API.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n try {\n const integrations = await discoveryService.listIntegrations({\n type: opts.type,\n query: opts.query,\n })\n if (opts.json) {\n printJson({ integrations })\n return\n }\n if (integrations.length === 0) {\n const filterDesc = [\n opts.type ? `--type ${opts.type}` : null,\n opts.query ? `-q \"${opts.query}\"` : null,\n ]\n .filter(Boolean)\n .join(' ')\n process.stdout.write(\n `No integrations match (${filterDesc \|\| 'no filters'}). Drop filters or broaden the query.\\n`\n )\n return\n }\n printTable(\n ['SERVICE', 'TITLE', 'TYPE'],\n integrations.map((i) => [i.service, i.title, i.credentialType]),\n {\n // Service slug is the lookup key for every other CLI verb\n // (`credential connect <service>`, `integration get <service>`),\n // so render it cyan to draw the eye. Type is metadata — dim.\n colorFn: (cell, args) => {\n if (args.col === 0) return chalk.cyan(cell)\n if (args.col === 2) return chalk.dim(cell)\n return cell\n },\n }\n )\n } catch (error) {\n exitOnApiError(error)\n }\n}\n\n/\n `geni integration list` — every integration available to the\n * operator's organization. Thin handler: validates `--type`, fetches\n * via `DiscoveryService.listIntegrations` (server-side hybrid\n * search runs when `--query` is set), renders.\n /\nexport function registerIntegrationList(parent: Command): void {\n parent\n .command('list')\n .description(\n \"List every integration available to the operator's organization: third-party services (slack, github, salesforce), platform services (chat-completion, search-internet), and noAuth APIs. The starting point for finding the canonical `service` slug to pass to `geni credential connect` or to filter `geni credential list`.\"\n )\n .option(\n '--type <kind>',\n `Filter by credential type: ${VALID_TYPES.join(' \| ')}. \\`oauth2\\` and \\`apiKey\\` need a connected credential; \\`platform\\` uses $PLATFORM_API_KEY; \\`noAuth\\` is a public API that needs no auth.`\n )\n .option(\n '-q, --query <text>',\n 'Server-side hybrid (semantic + lexical) search across service slug, title, and description. Search by capability (\"send message\", \"calendar\"), not just service name.'\n )\n .option(\n '--json',\n 'Machine-readable output. Each entry is `{ service, title, description, credentialType }`.'\n )\n .action((opts: IntegrationListOptions) => executeIntegrationList(opts))\n}\n","import { Command } from 'commander'\nimport type { Cli } from '@packages/api'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { extractField, formatExtractedField } from '../../lib/jsonField.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface GetOptions {\n json?: boolean\n field?: string\n}\n\n/\n `geni integration get <service>` — full setup metadata for one\n * integration. Thin handler: fetches via\n * `DiscoveryService.getIntegration`, renders the default text view,\n * JSON, or one extracted field.\n /\nexport function registerIntegrationGet(parent: Command): void {\n parent\n .command('get')\n .argument('<service>', 'Service slug (slack, github, …).')\n .description(\n 'Full setup metadata for one integration: bash env var names that get set when its credentials are declared, per-field secret/non-secret breakdown, OAuth scope catalog (when applicable), operator-facing setup guide. Read this when the agent needs to walk the operator through credential setup or wants to know exactly what env vars a credential will produce before declaring one.'\n )\n .option('--json', 'Machine-readable output (full record).')\n .option(\n '--field <path>',\n 'Print one dotted-path field instead of the whole record. Examples: `envVars`, `oauthScopes`, `fields`, `setupGuide`.'\n )\n .action(async (service: string, opts: GetOptions) => {\n try {\n const detail = await discoveryService.getIntegration(service)\n\n if (opts.field) {\n const value = extractField(detail, opts.field)\n if (value === undefined) {\n const topLevel = Object.keys(detail).join(', ')\n printError(\n `Field \"${opts.field}\" is not on the integration record. Top-level fields: [${topLevel}]. Pass a dotted path that exists, or run \\`geni integration get ${service} --json\\` to see the whole shape.`\n )\n exit(ExitCode.NotFound)\n }\n process.stdout.write(formatExtractedField(value) + '\\n')\n return\n }\n if (opts.json) {\n printJson(detail)\n return\n }\n printDefault(detail)\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `No integration with slug \"${service}\". Run \\`geni integration list -q <keyword>\\` to find the right slug (slugs are the service's brand name lowercased, e.g. \\`slack\\`).`,\n })\n }\n })\n}\n\nfunction printDefault(detail: Cli.IntegrationDetail): void {\n const out = process.stdout\n out.write(`${detail.service} ${detail.title}\\n`)\n out.write(`type: ${detail.credentialType}\\n\\n`)\n\n out.write('description:\\n')\n out.write(` ${detail.description}\\n\\n`)\n\n if (detail.oauthScopes && detail.oauthScopes.length > 0) {\n out.write('OAuth scopes:\\n')\n for (const scope of detail.oauthScopes) {\n out.write(\n ` ${scope.name.padEnd(40)} ${scope.description \|\| '(no description)'}\\n`\n )\n }\n out.write('\\n')\n }\n\n if (detail.fields.length > 0) {\n out.write('Secret schema:\\n')\n for (const f of detail.fields) {\n out.write(` ${f.name.padEnd(20)} ${f.isSecret ? 'secret' : 'config'}\\n`)\n }\n out.write('\\n')\n }\n\n if (detail.envVars.length > 0) {\n out.write('Bash env vars set when used:\\n')\n out.write(` ${detail.envVars.map((v) => `$${v}`).join(', ')}\\n`)\n }\n}\n","import { Command } from 'commander'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printJson } from '../../lib/output.js'\nimport { printTable, dimColumn } from '../../lib/printTable.js'\n\ninterface OperationsOptions {\n query?: string\n json?: boolean\n}\n\n/\n `geni integration operations <service>` — list operations exposed\n * by an integration. Thin handler: fetches + ranks via\n * `DiscoveryService.listOperations`, renders.\n /\nexport function registerIntegrationOperations(parent: Command): void {\n parent\n .command('operations')\n .argument('<service>', 'Service slug (e.g. slack, github, stripe).')\n .description(\n \"List the operations one integration exposes (e.g. for slack: 'Send a Message', 'Get Channel History'). Each row's id is the input to `geni integration operation <id>` for full reference docs.\"\n )\n .option(\n '-q, --query <text>',\n 'Substring rank across operation title and description. Title weighs higher.'\n )\n .option(\n '--json',\n 'Machine-readable output. Each entry is `{ id, title, description }`.'\n )\n .action(async (service: string, opts: OperationsOptions) => {\n try {\n const operations = await discoveryService.listOperations({\n service,\n query: opts.query,\n })\n if (opts.json) {\n printJson({ operations })\n return\n }\n if (operations.length === 0) {\n process.stdout.write(\n opts.query\n ? `No operations on \\`${service}\\` match -q \"${opts.query}\". Drop the query to list all, or broaden the keyword.\\n`\n : `\\`${service}\\` exposes no operations. Verify the service slug with \\`geni integration list\\`.\\n`\n )\n return\n }\n printTable(\n ['ID', 'TITLE', 'DESCRIPTION'],\n operations.map((op) => [op.id, op.title, op.description]),\n { colorFn: dimColumn(0) }\n )\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `No integration with slug \"${service}\". Run \\`geni integration list -q <keyword>\\` to find the right slug.`,\n })\n }\n })\n}\n","import { Command } from 'commander'\nimport type { Cli } from '@packages/api'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface OperationOptions {\n format?: string\n}\n\nconst VALID_FORMATS = ['text', 'markdown', 'json'] as const\nconst VALID_FORMAT_SET: ReadonlySet<string> = new Set(VALID_FORMATS)\n\n/\n `geni integration operation [<service>] <opId>` — full reference\n * docs for one operation. Thin handler: validates `--format`,\n * dispatches to `DiscoveryService.getOperation` (which picks the\n * service-scoped or bare-id route), renders text / markdown / JSON.\n /\nexport function registerIntegrationOperation(parent: Command): void {\n parent\n .command('operation')\n .argument(\n '<serviceOrId>',\n 'Operation id, or service slug followed by operation id.'\n )\n .argument('[opId]', 'Operation id when the first arg is a service slug.')\n .description(\n 'Full reference for one operation: HTTP method+path, required scopes, params, response shape, code example, and the env var names that get set when a credential of this service is declared on `geni exec bash`. The single most important command before constructing a credentialed request. Read this, then write the call.'\n )\n .option(\n '--format <fmt>',\n `Output format: ${VALID_FORMATS.join(' \| ')}. \\`markdown\\` is the cleanest paste into an LLM context window.`,\n 'text'\n )\n .action(\n async (\n serviceOrId: string,\n maybeOpId: string \| undefined,\n opts: OperationOptions\n ) => {\n const format = opts.format ?? 'text'\n if (!VALID_FORMAT_SET.has(format)) {\n printError(\n `Invalid --format \"${format}\". Valid values: [${VALID_FORMATS.join(', ')}]. Default is \\`text\\`; use \\`markdown\\` when pasting into an LLM context.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n try {\n const detail = await discoveryService.getOperation(\n maybeOpId\n ? { service: serviceOrId, opId: maybeOpId }\n : { opId: serviceOrId }\n )\n\n if (format === 'json') {\n printJson(detail)\n return\n }\n if (format === 'markdown') {\n process.stdout.write(detail.documentation + '\\n')\n return\n }\n printText(detail)\n } catch (error) {\n const target = maybeOpId ? `${serviceOrId} ${maybeOpId}` : serviceOrId\n exitOnApiError(error, {\n notFoundMessage: `No operation found for \"${target}\". List operations for a service with \\`geni integration operations <service>\\`, then re-run with one of those ids.`,\n })\n }\n }\n )\n .addHelpText(\n 'after',\n `\nExamples:\n\n # Look up by bare operation id (server resolves the service):\n geni integration operation 4c21e1ee-4d54-4413-a4f2-80a80dff4c99\n\n # Look up with service prefix (works the same, useful when the agent\n # already knows the service):\n geni integration operation slack 4c21e1ee-4d54-4413-a4f2-80a80dff4c99\n\n # Paste-ready for an LLM context window:\n geni integration operation slack 4c21e1ee... --format markdown\n\nFind ids first with: geni integration operations <service>\n`\n )\n}\n\n/\n Render a minimal text view of the operation. The `documentation`\n * field is already markdown — for `--format text` we strip the most\n * obvious markdown noise (heading hashes, code fences) so the agent\n * gets an LLM-safe plain-text rendering. For pristine markdown use\n * `--format markdown`.\n /\nfunction printText(detail: Cli.IntegrationOperationDetail): void {\n const out = process.stdout\n out.write(`${detail.service} · ${detail.title}\\n\\n`)\n if (detail.description) out.write(`${detail.description}\\n\\n`)\n const cleaned = detail.documentation\n .replace(/^#+\\s/gm, '')\n .replace(/^```[\\w-]$/gm, '')\n out.write(cleaned)\n if (!cleaned.endsWith('\\n')) out.write('\\n')\n}\n","import { Command } from 'commander'\nimport { registerIntegrationList, executeIntegrationList } from './list.js'\nimport { registerIntegrationGet } from './get.js'\nimport { registerIntegrationOperations } from './operations.js'\nimport { registerIntegrationOperation } from './operation.js'\n\n/\n `geni integration` (alias: `integrations`) — discover the\n * integrations available to the operator's organization. Used by\n * agents to find the canonical `service` slug for a credential, the\n * env var names a credential will set, and the per-operation\n * reference docs needed to construct a `geni exec bash` curl\n * invocation.\n \n Bare `geni integration` / `geni integrations` runs the list view\n * as a default action. To pass flags (e.g. `-q \"calendar\"`), use\n * the explicit subcommand: `geni integration list -q \"calendar\"`.\n /\nexport function registerIntegrationCommands(program: Command): void {\n const integration = program\n .command('integration')\n .alias('integrations')\n .description(\n \"Discover the integration catalog: which third-party and platform services the operator's organization can use, the env var names each service's credentials will inject, and per-operation reference docs (HTTP method, params, examples) needed to construct an exec call.\"\n )\n .action(() => executeIntegrationList({}))\n\n registerIntegrationList(integration)\n registerIntegrationGet(integration)\n registerIntegrationOperations(integration)\n registerIntegrationOperation(integration)\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { printTable } from '../../lib/printTable.js'\nimport {\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n} from '../../types/config.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface ConfigGetArgs {\n key?: string\n json?: boolean\n}\n\nconst UNSET_PLACEHOLDER = '(unset)'\n\n/\n Print what's in the config file, either one key or every settable\n * key as a table. Exported separately from the registrar so the\n * parent `geni config` can run it as a default action when called\n * without a subcommand.\n /\nexport function executeConfigGet(args: ConfigGetArgs): void {\n const file = configService.fileValues()\n\n if (args.key) {\n if (!isSettableConfigKey(args.key)) {\n printError(\n `Unknown config key \"${args.key}\". Valid keys: ${SETTABLE_CONFIG_KEYS.join(', ')}.`\n )\n exit(ExitCode.InvalidArgs)\n }\n const value = file[args.key]\n if (args.json) {\n printJson({ [args.key]: value ?? null })\n return\n }\n process.stdout.write((value ?? UNSET_PLACEHOLDER) + '\\n')\n return\n }\n\n if (args.json) {\n const payload: Record<string, string \| null> = {}\n for (const k of SETTABLE_CONFIG_KEYS) payload[k] = file[k] ?? null\n printJson(payload)\n return\n }\n\n printTable(\n ['KEY', 'VALUE'],\n SETTABLE_CONFIG_KEYS.map((k) => [k, file[k] ?? UNSET_PLACEHOLDER])\n )\n}\n\n/\n `geni config get [key]` — print whatever is in the persistent\n * config file. Symmetric with `geni config set`: whatever you wrote\n * is what you read. To see which URL the CLI is hitting at runtime\n * (which can differ when a runner-session is bound to a different\n * server), run `geni auth status`.\n /\nexport function registerConfigGet(parent: Command): void {\n parent\n .command('get')\n .argument(\n '[key]',\n `Specific key to read (${SETTABLE_CONFIG_KEYS.join(' \| ')}). Omit to list every settable key with its value.`\n )\n .description(\n \"Print what's written to the persistent config file. Symmetric with `geni config set` — whatever you wrote is what you read. Unset keys render as `(unset)` in table output and `null` in --json. For the URL the CLI is actually hitting at runtime (which can differ if a runner-session is bound to a different server), run `geni auth status`.\"\n )\n .option(\n '--json',\n 'Machine-readable output. Unset keys are emitted as JSON `null`.'\n )\n .action((key: string \| undefined, opts: { json?: boolean }) =>\n executeConfigGet({ key, json: opts.json })\n )\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\nimport { printError, printSuccess } from '../../lib/output.js'\nimport {\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n} from '../../types/config.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/\n `geni config set <key> <value>` — write or overwrite one config\n * key. Thin handler: validates the key arg, delegates to\n * `ConfigService.set` (which validates the value against the schema\n * AND rejects an `apiUrl` change that conflicts with the active\n * session), then renders the appropriate message.\n \n The session-conflict refusal exists so the file never disagrees\n * with what the CLI is actually doing at runtime: a runner-session\n * is bound to the URL it was minted on, so changing `apiUrl` while\n * a session is active would silently lie about where commands go.\n /\nexport function registerConfigSet(parent: Command): void {\n parent\n .command('set')\n .argument('<key>', `Config key (${SETTABLE_CONFIG_KEYS.join(' \| ')}).`)\n .argument(\n '<value>',\n 'New value. URL keys must be valid http:// or https:// URLs (validated on write).'\n )\n .description(\n 'Write a config value. Validated against the schema on write, so a malformed URL fails loudly here rather than waiting for the next CLI command to crash. Refuses to change `apiUrl` while a runner-session is bound to a different server — logout (or use `geni login --server <url>`) to switch first.'\n )\n .action(async (key: string, value: string) => {\n if (!isSettableConfigKey(key)) {\n printError(\n `Unknown config key \"${key}\". Valid keys: ${SETTABLE_CONFIG_KEYS.join(', ')}.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n const result = await configService.set({ key, value })\n if (result.ok) {\n printSuccess(`Set ${key} = ${value}`)\n return\n }\n\n // `exit()` returns `never`, so falling through is impossible at\n // runtime — the disables silence ESLint's static check.\n switch (result.reason) {\n case 'invalid':\n printError(`Invalid value for ${key}: ${result.error}.`)\n exit(ExitCode.InvalidArgs)\n // eslint-disable-next-line no-fallthrough\n case 'session_conflict':\n printError(\n `Refusing to change apiUrl: an active session is bound to ${result.sessionUrl}.`\n )\n printError(\n `Run \\`geni logout\\` first, or switch in one step with \\`geni login --server ${value}\\`.`\n )\n exit(ExitCode.GenericError)\n // eslint-disable-next-line no-fallthrough\n default: {\n const _exhaustive: never = result\n throw new Error(\n `Unhandled set result: ${JSON.stringify(_exhaustive)}`\n )\n }\n }\n })\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\nimport { printError, printSuccess } from '../../lib/output.js'\nimport {\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n} from '../../types/config.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/\n `geni config unset <key>` — remove a config key. Thin handler:\n * validates the key, delegates to `ConfigService.unset` which keeps\n * the rest of the file intact (or deletes it when nothing's left),\n * and prints the appropriate confirmation.\n /\nexport function registerConfigUnset(parent: Command): void {\n parent\n .command('unset')\n .argument('<key>', `Config key (${SETTABLE_CONFIG_KEYS.join(' \| ')}).`)\n .description(\n \"Remove a key from the config file. The resolver falls back through env vars then the compiled-in default, so unsetting doesn't break the CLI; it just goes to the next layer. When the last key is removed, the file itself is deleted instead of leaving an empty config behind.\"\n )\n .action(async (key: string) => {\n if (!isSettableConfigKey(key)) {\n printError(\n `Unknown config key \"${key}\". Valid keys: ${SETTABLE_CONFIG_KEYS.join(', ')}.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n const result = await configService.unset({ key })\n if (!result.wasSet) {\n printSuccess(`${key} was already unset.`)\n return\n }\n printSuccess(`Unset ${key}.`)\n })\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\n\n/\n `geni config path` — print the path to the config file. Useful for\n * `cat $(geni config path)` and `vim $(geni config path)` patterns,\n * and for debugging which file the CLI is actually reading.\n /\nexport function registerConfigPath(parent: Command): void {\n parent\n .command('path')\n .description(\n 'Print the absolute path to the config file. Useful in shell substitutions: `cat $(geni config path)`, `vim $(geni config path)`. Honors $GENI_CONFIG_DIR; defaults to ~/.config/geni/config.json. Always prints what the path WOULD be, the file may not exist yet.'\n )\n .action(() => {\n process.stdout.write(configService.path + '\\n')\n })\n}\n","import { Command } from 'commander'\nimport { registerConfigGet, executeConfigGet } from './get.js'\nimport { registerConfigSet } from './set.js'\nimport { registerConfigUnset } from './unset.js'\nimport { registerConfigPath } from './path.js'\n\n/\n `geni config` — manage the persistent CLI config (`<config-dir>/config.json`).\n \n Settable keys today:\n * - `apiUrl` the cloud API base URL\n * - `dashboardUrl` the dashboard base URL\n \n Add new keys in `apps/cli/src/types/config.ts` (`SETTABLE_CONFIG_KEYS`)\n * along with the Zod schema so validation, listing, and the help text\n * stay consistent.\n \n Bare `geni config` runs `get` (no key) as a default action, so a\n * quick \"what's in my config?\" works without having to remember the\n * verb. To pass flags (e.g. `--json`) or read a specific key, use\n * the explicit subcommand: `geni config get apiUrl --json`.\n /\nexport function registerConfigCommands(program: Command): void {\n const config = program\n .command('config')\n .description(\n 'Read and write the persistent CLI config (`~/.config/geni/config.json` by default; honors $GENI_CONFIG_DIR). Holds defaults the resolver consults when nothing more specific is set, useful for pointing the CLI at a self-hosted or local-dev server without re-passing `--server` or exporting an env var on every shell.'\n )\n .action(() => executeConfigGet({}))\n\n registerConfigGet(config)\n registerConfigSet(config)\n registerConfigUnset(config)\n registerConfigPath(config)\n\n config.addHelpText(\n 'after',\n `\nSettable keys:\n apiUrl cloud API base URL used at fresh \\`geni login\\` time\n dashboardUrl dashboard base URL used by browser-opening commands\n (e.g. \\`geni credential connect\\`)\n\nResolver precedence for apiUrl (highest wins):\n 1. session file's stored server (locked at \\`geni login\\` time)\n 2. $GENI_API_URL env var\n 3. \\`apiUrl\\` in this config\n 4. compiled-in default (https://cloud.generalinput.com)\n\nSwitching API URL after login:\n $ geni logout\n $ geni config set apiUrl http://localhost:4111\n $ geni login\nThe session token is bound to the URL it was minted against, so\n\\`config set apiUrl <new>\\` is refused while a session is active —\nlogout (or use \\`geni login --server <url>\\`) to switch in one step.\n`\n )\n}\n","import { homedir } from 'node:os'\nimport { join } from 'node:path'\nimport {\n mkdirSync,\n writeFileSync,\n existsSync,\n readFileSync,\n unlinkSync,\n rmSync,\n} from 'node:fs'\nimport geniSkillContent from '../skills/geni.md'\n\n/\n Bundled skill content the agent reads to learn how to use `geni`.\n * The markdown lives at `src/skills/geni.md` (real file, easy to edit\n * and preview) and is inlined into the binary at build time by tsup's\n * `.md` text loader. Editing the markdown is the way to update the\n * skill — when the user upgrades geni, the new content lands\n * automatically (the install command is idempotent and overwrites).\n /\nexport const GENI_SKILL_NAME = 'geni'\nexport const GENI_SKILL_MD = geniSkillContent\n\n/\n Where each supported agent looks for skill files. Detection is\n * directory-existence based — if the agent's home dir exists, we\n * treat it as installed and write the skill there.\n \n Two install locations cover today's standard-`SKILL.md` agents:\n \n 1. `~/.claude/skills/geni/SKILL.md` — Claude Code only. It does\n * not honor the cross-vendor `~/.agents/` path.\n * 2. `~/.agents/skills/geni/SKILL.md` — the agentskills.io standard\n * location. Codex CLI, Gemini CLI, and VS Code Copilot Chat all\n * read from here, so a single write covers all three.\n \n Vendor-specific formats (Cursor `.mdc`, Cline / Continue / Windsurf\n * flat `.md` with bespoke frontmatter and size caps) are intentionally\n * not installed here — they need their own format adapter and a\n * smaller, rewritten skill body. Add them when they're worth the\n * separate authoring pass, not as silent transformations.\n \n Skill layout in every supported target is the same: a directory\n * named after the skill, with `SKILL.md` (frontmatter + body) inside.\n /\ninterface AgentTarget {\n name: string\n detect(): boolean\n skillDir: string\n skillPath: string\n legacyPaths: string[]\n}\n\nconst home = homedir()\nconst claudeSkillsDir = join(home, '.claude', 'skills')\nconst claudeGeniDir = join(claudeSkillsDir, GENI_SKILL_NAME)\nconst agentSkillsDir = join(home, '.agents', 'skills')\nconst agentSkillsGeniDir = join(agentSkillsDir, GENI_SKILL_NAME)\n\nconst TARGETS: AgentTarget[] = [\n {\n name: 'Claude Code',\n detect: () => existsSync(join(home, '.claude')),\n skillDir: claudeGeniDir,\n skillPath: join(claudeGeniDir, 'SKILL.md'),\n // Earlier versions of `geni skills install` wrote a loose .md file\n // at `~/.claude/skills/geni.md`, which Claude Code silently ignores.\n // Clean it up on install/uninstall so upgraders aren't left with a\n // stale sibling that confuses `doctor`.\n legacyPaths: [join(claudeSkillsDir, `${GENI_SKILL_NAME}.md`)],\n },\n {\n name: 'Codex CLI / Gemini CLI / VS Code Copilot',\n // Detection: any of the supporting agents has touched disk, or the\n // shared `~/.agents/` dir already exists (likely written by another\n // installer). We don't probe for VS Code Copilot Chat directly\n // because it lives inside VS Code's user data with no clean\n // home-dir signal — Copilot users typically have one of the CLIs\n // installed too, and the install is idempotent if they don't.\n detect: () =>\n existsSync(join(home, '.codex')) \|\|\n existsSync(join(home, '.gemini')) \|\|\n existsSync(join(home, '.agents')),\n skillDir: agentSkillsGeniDir,\n skillPath: join(agentSkillsGeniDir, 'SKILL.md'),\n legacyPaths: [],\n },\n]\n\nexport interface SkillTarget {\n name: string\n path: string\n}\n\nexport function detectSkillTargets(): SkillTarget[] {\n const out: SkillTarget[] = []\n for (const target of TARGETS) {\n if (!target.detect()) continue\n out.push({ name: target.name, path: target.skillPath })\n }\n return out\n}\n\n/\n Write the bundled skill content to each detected agent's skill\n * directory. Idempotent — overwrites with the current bundled\n * content every call, which is also how upgrades work (bumping the\n * geni version → re-running install ships the new skill).\n /\nexport function installSkills(): SkillInstallResult[] {\n const results: SkillInstallResult[] = []\n for (const target of TARGETS) {\n if (!target.detect()) continue\n const path = target.skillPath\n try {\n mkdirSync(target.skillDir, { recursive: true })\n const previous = existsSync(path) ? readFileSync(path, 'utf-8') : null\n const changed = previous !== GENI_SKILL_MD\n writeFileSync(path, GENI_SKILL_MD)\n for (const legacy of target.legacyPaths) {\n if (existsSync(legacy)) unlinkSync(legacy)\n }\n results.push({\n name: target.name,\n path,\n status: changed ? 'updated' : 'unchanged',\n })\n } catch (err) {\n results.push({\n name: target.name,\n path,\n status: 'failed',\n error: err instanceof Error ? err.message : String(err),\n })\n }\n }\n return results\n}\n\nexport function uninstallSkills(): SkillUninstallResult[] {\n const results: SkillUninstallResult[] = []\n for (const target of TARGETS) {\n if (!target.detect()) continue\n const dir = target.skillDir\n const path = target.skillPath\n const legacies = target.legacyPaths.filter((p) => existsSync(p))\n if (!existsSync(dir) && legacies.length === 0) {\n results.push({ name: target.name, path, status: 'absent' })\n continue\n }\n try {\n // Remove the whole skill directory (SKILL.md plus anything else\n // we've dropped alongside it) and any leftover legacy loose files.\n rmSync(dir, { recursive: true, force: true })\n for (const legacy of legacies) unlinkSync(legacy)\n results.push({ name: target.name, path, status: 'removed' })\n } catch (err) {\n results.push({\n name: target.name,\n path,\n status: 'failed',\n error: err instanceof Error ? err.message : String(err),\n })\n }\n }\n return results\n}\n\nexport interface SkillInstallResult extends SkillTarget {\n status: 'updated' \| 'unchanged' \| 'failed'\n error?: string\n}\n\nexport interface SkillUninstallResult extends SkillTarget {\n status: 'removed' \| 'absent' \| 'failed'\n error?: string\n}\n","---\nname: geni\ndescription: Use the operator's connected services (Slack, Gmail, GitHub, Stripe, anything they've authorized in General Input) to fulfill their request. Load this whenever the user wants you to take an action on their behalf against an external SaaS account, fetch data from one of their tools, or wire something up that crosses service boundaries. Powers two modes today, one-off requests via `geni exec bash`, plus workflows (coming soon).\n---\n\n# geni\n\n`geni` is the CLI that gives you (the agent) credentialed access to\nthe operator's connected accounts. The cloud injects their tokens as\nenv vars into a fresh bash subprocess; you write the `curl` and\nnever see the secret.\n\n## Two modes\n\n1. One-off requests (available now).* The operator asks you to do\na thing once: \"post a Slack message to #eng,\" \"show me my last 10\nStripe charges,\" \"create a GitHub issue from this thread.\" You\ndiscover the right credential and operation, then run a single\n`geni exec bash --cred <id>` to do it. This is the entire surface\narea you should use today.\n\n2. Workflows (coming soon). Durable, scheduled, reusable runs\n(cron-like jobs, webhook handlers, multi-step pipelines) will live\nunder `geni workflow`. Not supported yet. If the operator asks for\n\"every morning at 9,\" \"whenever a webhook fires,\" or anything that\nneeds to keep running after this session ends, tell them workflows\naren't available yet and offer to do the work as a one-off right\nnow instead.\n\n## One-off request flow\n\nAlways run discovery before constructing a request. The operation\ndocs tell you the exact env var names and HTTP shape, derive nothing.\n\n1. Find a connected credential. `geni credential list` returns\n one row per credential the operator has access to (id, service,\n title). Filter by service: `geni credential list --service slack`.\n\n2. If the service isn't connected, search the catalog and prompt\n the operator: `geni integration list -q \"<keyword>\"`. Then\n `geni credential connect <service>` opens the dashboard for them.\n\n3. Find the operation you need. `geni integration operations\n<service>` lists every operation the integration exposes. Filter\n with `-q \"<keyword>\"`.\n\n4. Read the operation's reference docs. `geni integration\noperation <id> --format markdown` returns HTTP method, path,\n params, response shape, AND the exact env var names that bash\n will set when this credential is declared. Always read this\n before constructing a curl. Guessing at URLs or env var names\n is the most common failure mode.\n\n5. Run the call.\n ```\n geni exec bash --cred <cred_id> --reason \"<what + why>\" \\\n -- '<bash command using the env vars>'\n ```\n\n## Env var contract\n\nEvery credential's env vars are on the response of step 5\n(`credentials_resolved`) and on the operation docs from step 4. Read\nthem, don't derive.\n\n- Per-field, suffixed: `<SERVICE>_<FIELD>_<id>` (e.g.\n `$SLACK_ACCESS_TOKEN_ABC`, `$SALESFORCE_INSTANCE_URL_KG`). The\n `<id>` suffix is the credential id with `cred_` stripped, uppercased.\n Suffix means two credentials of the same service can coexist in one\n call without colliding.\n- Canonical aliases (unsuffixed): well-known SDKs read fixed env\n var names (`$GH_TOKEN`, `$GITHUB_TOKEN`, `$SLACK_BOT_TOKEN`,\n `$OPENAI_API_KEY`, `$ANTHROPIC_API_KEY`, `$STRIPE_API_KEY`).\n These are emitted alongside the suffixed names for tools that\n hardcode them.\n- Always-injected platform vars: `$PLATFORM_API_KEY` /\n `$PLATFORM_BASE_URL` are set on every `geni exec bash` (no\n `--cred` needed). Use them to call General Input's first-party\n services (image gen, weather, send-email, etc.).\n\n## Reasons matter\n\nThe `--reason` you supply on every `geni exec bash --cred ...`\ncall lands in the credential access log and is shown to the\noperator. Be specific: \"Posting daily digest to #engineering on the\noperator's request\" is good; \"Slack call\" is not. Re-state the reason\non every call. The audit log is per-call, not per-session.\n\n## Output is scrubbed\n\nstdout/stderr from the bash subprocess pass through a streaming\nscrubber that replaces every literal occurrence of a registered\nsecret with `[REDACTED:credential_<id>]`. You won't see the token\nback. Tools like `echo $TOKEN \| base64` don't help either, the\nscrubber knows the common encodings.\n\n## Patterns\n\nOne credential, simple curl:\n\n```\ngeni exec bash --cred cred_01HX --reason \"Listing Slack channels\" \\\n -- 'curl -s -H \"Authorization: Bearer $SLACK_BOT_TOKEN\" https://slack.com/api/conversations.list \| jq .channels'\n```\n\nMultiple credentials, fan-out (suffix keeps them distinct):\n\n```\ngeni exec bash \\\n --cred cred_slackA --reason \"Posting to #engineering\" \\\n --cred cred_slackB --reason \"Posting to #marketing\" \\\n -- 'curl ... $SLACK_ACCESS_TOKEN_SLACKA ...; curl ... $SLACK_ACCESS_TOKEN_SLACKB ...'\n```\n\nPlatform service (no --cred needed):\n\n```\ngeni exec bash \\\n -- 'curl -s -X POST \"$PLATFORM_BASE_URL/v1/web-search\" \\\n -H \"Authorization: Bearer $PLATFORM_API_KEY\" \\\n -d \"{\\\"query\\\":\\\"general input\\\"}\"'\n```\n\n## Exit codes\n\n\| Code \| Meaning \|\n\| ----- \| -------------------------------------------------------------------- \|\n\| 0 \| Subprocess succeeded \|\n\| 1–125 \| Subprocess's own exit code (curl failed, jq parse error, etc.) \|\n\| 4 \| Resource not found (cred id, integration slug, operation id) \|\n\| 5 \| Forbidden, session valid but no access to this resource \|\n\| 9 \| Validation failed (bad flag combo, malformed input) \|\n\| 77 \| Server refused to resolve a credential. Don't retry, surface to user \|\n\| 78 \| Runner session missing or expired. Operator runs `geni login` \|\n\| 124 \| Timeout \|\n\| 125 \| Internal CLI error \|\n\n## Use `--json` everywhere for programmatic output\n\nEvery list/get command supports `--json` for machine-readable shape.\nUse it whenever you're going to parse the response. The table output\nis meant for humans.\n\n## Don't\n\n- Don't construct a curl without reading `geni integration operation\n<id>` first. The HTTP shape, required headers, and env var names\n are all in the operation docs; deriving them from the service slug\n is how you end up with 401s.\n- Don't reach for `run_managed_script` or any JS-script tool. `geni\nexec bash` is the only execution primitive locally. If you need\n npm packages, your bash command can call `bun --install auto run -e\n'...'` (if bun is installed locally) or `python3 -c '...'` for\n Python.\n- Don't promise the operator a recurring or scheduled job. Workflows\n are coming soon but not shipped. Offer the one-off equivalent now.\n","import { Command } from 'commander'\nimport { installSkills, detectSkillTargets } from '../../lib/skills.js'\nimport {\n printSuccess,\n printInfo,\n printWarning,\n printError,\n} from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/*\n `geni skills install` — write the bundled skill files into every\n * detected agent's skill directory. Idempotent; re-run after a `geni`\n * upgrade to ship the latest skill content.\n \n No flags. Detection is automatic, output reports what landed where\n * so the operator can see the result without having to find the file.\n /\nexport function registerSkillsInstall(parent: Command): void {\n parent\n .command('install')\n .description(\n 'Install the bundled geni skill into every detected AI agent (Claude Code, Codex CLI, Gemini CLI, VS Code Copilot Chat). Idempotent, safe to re-run after upgrading geni.'\n )\n .action(() => {\n const targets = detectSkillTargets()\n if (targets.length === 0) {\n printWarning(\n 'No supported AI agent detected. Install Claude Code (https://claude.ai/download), Codex CLI, or Gemini CLI first, then re-run `geni skills install`.'\n )\n exit(ExitCode.NotFound)\n }\n const results = installSkills()\n for (const r of results) {\n if (r.status === 'failed') {\n printError(`${r.name}: ${r.error ?? 'failed'} (${r.path})`)\n continue\n }\n if (r.status === 'updated') {\n printSuccess(`${r.name}: ${r.path}`)\n } else {\n printInfo(`${r.name}: ${r.path} (already up to date)`)\n }\n }\n const failed = results.some((r) => r.status === 'failed')\n exit(failed ? ExitCode.InternalError : ExitCode.Ok)\n })\n}\n","import { Command } from 'commander'\nimport { uninstallSkills } from '../../lib/skills.js'\nimport { printSuccess, printInfo, printError } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/\n `geni skills uninstall` — remove the geni skill files from every\n * detected agent. Useful for clean uninstall or when switching to\n * a project-local skill setup later.\n /\nexport function registerSkillsUninstall(parent: Command): void {\n parent\n .command('uninstall')\n .description(\n 'Remove the geni skill from every detected AI agent. Leaves the agent itself untouched.'\n )\n .action(() => {\n const results = uninstallSkills()\n if (results.length === 0) {\n printInfo('No supported AI agent detected; nothing to remove.')\n exit(ExitCode.Ok)\n }\n for (const r of results) {\n if (r.status === 'failed') {\n printError(`${r.name}: ${r.error ?? 'failed'} (${r.path})`)\n continue\n }\n if (r.status === 'removed') {\n printSuccess(`${r.name}: removed ${r.path}`)\n } else {\n printInfo(`${r.name}: nothing to remove (${r.path} not present)`)\n }\n }\n const failed = results.some((r) => r.status === 'failed')\n exit(failed ? ExitCode.InternalError : ExitCode.Ok)\n })\n}\n","import { Command } from 'commander'\nimport { registerSkillsInstall } from './install.js'\nimport { registerSkillsUninstall } from './uninstall.js'\n\n/\n `geni skills` — install (or remove) the bundled instructions that\n * teach an AI agent how to use `geni`. The skill content ships with\n * the binary and lands in the agent's plugin/skill directory so the\n * agent picks it up automatically. Re-running after a `geni` upgrade\n * is the supported update path.\n /\nexport function registerSkillsCommands(program: Command): void {\n const skills = program\n .command('skills')\n .description(\n 'Install (or remove) the agent-facing geni instructions in your AI coding agent. Detects Claude Code (others coming) and writes a skill file the agent loads automatically.'\n )\n\n registerSkillsInstall(skills)\n registerSkillsUninstall(skills)\n}\n","import { Command } from 'commander'\nimport chalk from 'chalk'\nimport { ApiError } from '../clients/HttpClient.js'\nimport {\n authService,\n sessionContextService,\n} from '../dependencyInjection/services.js'\nimport {\n checkRuntimeDeps,\n REQUIRED_RUNTIME_DEPS,\n installHint,\n} from '../lib/preflight.js'\nimport { detectSkillTargets, GENI_SKILL_MD } from '../lib/skills.js'\nimport { existsSync, readFileSync } from 'node:fs'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\n/\n `geni doctor` — feel-good preflight that walks through every layer\n * `geni` depends on and reports ✓/✗ for each. Designed as the first\n * thing to run when something doesn't work, and as the last thing to\n * run after install to confirm everything's wired up.\n \n Each check is independent — one failure doesn't short-circuit the\n * rest, so a single run produces the full picture.\n /\nexport function registerDoctorCommand(program: Command): void {\n program\n .command('doctor')\n .description(\n 'Diagnose your geni setup: required system tools, active session, network reach to the cloud, and skill installation across detected AI agents. Prints a checklist with ✓/✗ for each.'\n )\n .action(async () => {\n const checks: CheckResult[] = []\n checks.push(...runtimeDepsCheck())\n checks.push(...(await sessionCheck()))\n checks.push(...skillsCheck())\n printReport(checks)\n const failures = checks.filter((c) => c.status === 'fail').length\n exit(failures > 0 ? ExitCode.GenericError : ExitCode.Ok)\n })\n}\n\ninterface CheckResult {\n label: string\n status: 'pass' \| 'fail' \| 'warn'\n detail: string\n}\n\nfunction runtimeDepsCheck(): CheckResult[] {\n const { found, missing } = checkRuntimeDeps()\n const out: CheckResult[] = []\n for (const dep of REQUIRED_RUNTIME_DEPS) {\n const path = found[dep]\n if (path) {\n out.push({\n label: `${dep} on $PATH`,\n status: 'pass',\n detail: path,\n })\n } else {\n out.push({\n label: `${dep} on $PATH`,\n status: 'fail',\n detail: `not found. ${installHint([dep])}`,\n })\n }\n }\n if (missing.length > 1) {\n // Append a single hint with all missing deps for one-line install.\n out.push({\n label: 'install hint',\n status: 'warn',\n detail: installHint(missing),\n })\n }\n return out\n}\n\nasync function sessionCheck(): Promise<CheckResult[]> {\n const session = await sessionContextService.load()\n if (!session) {\n return [\n {\n label: 'runner session',\n status: 'fail',\n detail: 'no session on disk. Run `geni login` to authenticate.',\n },\n ]\n }\n const out: CheckResult[] = [\n {\n label: 'runner session',\n status: 'pass',\n detail: `${session.user.email ?? session.user.id} on ${session.server}`,\n },\n {\n label: 'active workspace',\n status: 'pass',\n detail: `${session.workspace.slug} (${session.workspace.role})`,\n },\n ]\n // Hit /cli/auth/me to verify the session is still valid server-side\n // and the server is reachable. This is the network-reach check.\n try {\n await authService.status()\n out.push({\n label: 'server reachable + session valid',\n status: 'pass',\n detail: session.server,\n })\n } catch (err) {\n if (err instanceof ApiError && err.status === 401) {\n out.push({\n label: 'server reachable + session valid',\n status: 'fail',\n detail: 'session token rejected. Run `geni login` to re-authenticate.',\n })\n } else {\n const detail = err instanceof Error ? err.message : String(err)\n out.push({\n label: 'server reachable',\n status: 'fail',\n detail: `${session.server} unreachable: ${detail}`,\n })\n }\n }\n return out\n}\n\nfunction skillsCheck(): CheckResult[] {\n const targets = detectSkillTargets()\n if (targets.length === 0) {\n return [\n {\n label: 'AI agent detected',\n status: 'warn',\n detail:\n 'no supported agent installed yet. Install Claude Code (https://claude.ai/download) and re-run `geni doctor`.',\n },\n ]\n }\n const out: CheckResult[] = []\n for (const target of targets) {\n if (!existsSync(target.path)) {\n out.push({\n label: `${target.name} skill installed`,\n status: 'fail',\n detail: `${target.path} missing. Run \\`geni skills install\\` to write it.`,\n })\n continue\n }\n const onDisk = readFileSync(target.path, 'utf-8')\n if (onDisk === GENI_SKILL_MD) {\n out.push({\n label: `${target.name} skill installed`,\n status: 'pass',\n detail: `${target.path} (current)`,\n })\n } else {\n out.push({\n label: `${target.name} skill installed`,\n status: 'warn',\n detail: `${target.path} is out of date. Run \\`geni skills install\\` to refresh.`,\n })\n }\n }\n return out\n}\n\nfunction printReport(checks: CheckResult[]): void {\n for (const check of checks) {\n const mark =\n check.status === 'pass'\n ? chalk.green('✓')\n : check.status === 'warn'\n ? chalk.yellow('!')\n : chalk.red('✗')\n process.stdout.write(`${mark} ${check.label}\\n`)\n process.stdout.write(` ${chalk.dim(check.detail)}\\n`)\n }\n const fails = checks.filter((c) => c.status === 'fail').length\n const warns = checks.filter((c) => c.status === 'warn').length\n process.stdout.write('\\n')\n if (fails === 0 && warns === 0) {\n process.stdout.write(chalk.green('All checks passed.\\n'))\n } else {\n process.stdout.write(\n `${fails} failure${fails === 1 ? '' : 's'}, ${warns} warning${warns === 1 ? '' : 's'}.\\n`\n )\n }\n}\n","import { delimiter, join } from 'node:path'\nimport { accessSync, constants } from 'node:fs'\nimport { printError } from './output.js'\nimport { ExitCode, exit } from './exitCodes.js'\n\n/\n Tools the agent's bash flow can't run without:\n * - bash, the shell every `geni exec bash` invocation passes commands to\n * - curl, the HTTP client agents reach for in those bash commands\n * - jq, how agents parse JSON responses inside the bash one-liner\n \n Order matters in the printed install hint: bash first since it's the\n * shell, curl + jq usually missing together on a fresh Mac.\n /\nexport const REQUIRED_RUNTIME_DEPS = ['bash', 'curl', 'jq'] as const\nexport type RuntimeDep = (typeof REQUIRED_RUNTIME_DEPS)[number]\n\n/\n `which`-style PATH lookup without spawning a shell. Splits `$PATH`,\n * stat-checks each candidate. Used at startup so we can hard-fail with\n * a clear install hint instead of letting `geni exec` blow up later\n * with an opaque ENOENT.\n /\nexport function findOnPath(name: string): string \| null {\n const path = process.env.PATH\n if (!path) return null\n for (const dir of path.split(delimiter)) {\n if (dir.length === 0) continue\n const candidate = join(dir, name)\n try {\n accessSync(candidate, constants.X_OK)\n return candidate\n } catch {\n // Not executable here — try the next dir.\n }\n }\n return null\n}\n\nexport interface PreflightResult {\n missing: RuntimeDep[]\n found: Record<RuntimeDep, string \| null>\n}\n\nexport function checkRuntimeDeps(): PreflightResult {\n const found = {} as Record<RuntimeDep, string \| null>\n const missing: RuntimeDep[] = []\n for (const dep of REQUIRED_RUNTIME_DEPS) {\n const path = findOnPath(dep)\n found[dep] = path\n if (path === null) missing.push(dep)\n }\n return { missing, found }\n}\n\n/\n Run the preflight check at command startup. Hard-exits with an\n * actionable install hint if anything's missing — every command from\n * `auth login` to `exec bash` shells to at least one of these\n * eventually, so refusing up front is better than failing later with\n * an ENOENT the agent can't easily map back to \"install jq\".\n /\nexport function requireRuntimeDeps(): void {\n const { missing } = checkRuntimeDeps()\n if (missing.length === 0) return\n printError(\n `Missing required tool(s) on $PATH: ${missing.join(', ')}. ${installHint(missing)}`\n )\n exit(ExitCode.InternalError)\n}\n\n/\n One-line install command per OS. Mac defaults to Homebrew (universal\n * for the dev audience); Linux probes apt/dnf/pacman in that order.\n * Windows users running geni inside WSL hit the Linux branch via\n * uname; native Windows isn't supported for the bash flow.\n */\nexport function installHint(deps: readonly string[]): string {\n const list = deps.join(' ')\n switch (process.platform) {\n case 'darwin':\n return `Install with: \\`brew install ${list}\\``\n case 'linux':\n return `Install with your distro's package manager, e.g. \\`sudo apt install ${list}\\` or \\`sudo dnf install ${list}\\``\n default:\n return `Install ${list} before re-running.`\n }\n}\n"],"mappings":";;;AAAA,SAAS,eAAe;;;ACAxB,OAAO,WAAW;AAOX,SAAS,aAAa,SAAuB;AAClD,UAAQ,OAAO,MAAM,GAAG,MAAM,MAAM,QAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AACzD;AAMO,SAAS,UAAU,SAAuB;AAC/C,UAAQ,OAAO,MAAM,GAAG,MAAM,IAAI,MAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AACvD;AAMO,SAAS,aAAa,SAAuB;AAClD,UAAQ,OAAO,MAAM,GAAG,MAAM,OAAO,GAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AAC1D;AAMO,SAAS,WAAW,SAAuB;AAChD,UAAQ,OAAO,MAAM,GAAG,MAAM,IAAI,QAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AACvD;AAMO,SAAS,UAAU,OAAsB;AAC9C,UAAQ,OAAO,MAAM,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,IAAI;AAC5D;;;ACzCA,OAAOA,YAAW;AAkBX,SAAS,YAAY,MAKnB;AACP,MAAI,KAAK,KAAM;AACf,MAAI,QAAQ,IAAI,mBAAmB,IAAK;AACxC,MAAI,CAAC,QAAQ,OAAO,MAAO;AAC3B,MAAI,CAAC,KAAK,QAAS;AAEnB,QAAM,KAAK,KAAK,QAAQ;AACxB,QAAM,QAAQ;AAAA,IACZA,OAAM,IAAI,MAAM;AAAA,IAChBA,OAAM,IAAI,MAAG;AAAA,IACbA,OAAM,IAAI,YAAY;AAAA,IACtBA,OAAM,KAAK,GAAG,IAAI;AAAA,EACpB;AACA,MAAI,KAAK,YAAY;AACnB,UAAM;AAAA,MACJA,OAAM,IAAI,MAAG;AAAA,MACbA,OAAM,IAAI,WAAW;AAAA,MACrBA,OAAM,KAAK,KAAK,UAAU;AAAA,IAC5B;AACA,QAAI,KAAK,cAAc;AACrB,YAAM,KAAKA,OAAM,IAAI,IAAI,KAAK,YAAY,GAAG,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,MAAM,KAAK,GAAG,IAAI,IAAI;AAI3C,QAAM,aAAa,CAAC,aAAU,GAAG,IAAI,EAAE;AACvC,MAAI,KAAK,WAAY,YAAW,KAAK,KAAK,UAAU;AACpD,UAAQ,OAAO,MAAM,UAAU,WAAW,KAAK,QAAK,CAAC,MAAM;AAC7D;;;AC5CO,IAAM,WAAW;AAAA,EACtB,IAAI;AAAA,EACJ,cAAc;AAAA,EACd,aAAa;AAAA,EACb,UAAU;AAAA,EACV,WAAW;AAAA,EACX,kBAAkB;AAAA,EAClB,yBAAyB;AAAA,EACzB,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,SAAS;AAAA,EACT,eAAe;AACjB;AAQO,SAAS,KAAK,MAAuB;AAC1C,UAAQ,KAAK,IAAI;AACnB;;;ACPO,IAAM,wBAAN,MAA4B;AAAA,EAC1B,YACYC,eACAC,mBACjB;AAFiB,wBAAAD;AACA,4BAAAC;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA,EAIZ,OAA0C;AAC/C,WAAO,KAAK,aAAa,KAAK;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAa,gBAA+C;AAC1D,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,SAAS;AACZ;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,gBAAY,EAAE,QAAQ,CAAC;AACvB,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,KAAK,iBAAiB,MAAM;AAAA,QAClC,QAAQ,QAAQ;AAAA,QAChB,OAAO,QAAQ;AAAA,MACjB,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AC9DA,SAAS,gBAAgB;AACzB,OAAOC,YAAW;AAoCX,IAAM,cAAN,MAAkB;AAAA,EAChB,YACYC,mBACAC,eACAC,gBACAC,gBACjB;AAJiB,4BAAAH;AACA,wBAAAC;AACA,yBAAAC;AACA,yBAAAC;AAAA,EAChB;AAAA,EAJgB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnB,MAAa,MAAM,MAAgC;AACjD,UAAM,SAAS,KAAK,cAAc,cAAc,KAAK,MAAM;AAC3D,UAAM,SAAS,KAAK,iBAAiB,MAAM,EAAE,QAAQ,OAAO,KAAK,CAAC;AAElE,UAAM,QAAQ,MAAM,OAAO,KAAK,gBAAgB,iBAAiB,CAAC;AAClE,cAAU,WAAWC,OAAM,KAAK,MAAM,eAAe,CAAC,EAAE;AACxD,cAAU,sCAAsC;AAChD,SAAK,cAAc,KAAK,MAAM,eAAe;AAE7C,UAAM,SAAS,MAAM,KAAK,kBAAkB,QAAQ,KAAK;AACzD,QAAI,OAAO,WAAW,UAAU;AAC9B;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,SAAS;AAAA,IACzB;AACA,QAAI,OAAO,WAAW,WAAW;AAC/B;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,YAAY;AAAA,IAC5B;AACA,QAAI,0BAA0B,QAAQ;AACpC;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,YAAY;AAAA,IAC5B;AAEA,UAAM,KAAK,aAAa,KAAK;AAAA,MAC3B,SAAS;AAAA,MACT;AAAA,MACA,OAAO,OAAO;AAAA,MACd,MAAM;AAAA,QACJ,IAAI,OAAO,GAAG,KAAK;AAAA,QACnB,OAAO,OAAO,GAAG,KAAK,SAAS;AAAA,QAC/B,MAAM,OAAO,GAAG,KAAK,QAAQ;AAAA,MAC/B;AAAA,MACA,WAAW;AAAA,QACT,cAAc,OAAO,GAAG,UAAU;AAAA,QAClC,gBAAgB,OAAO,GAAG,UAAU;AAAA,QACpC,MAAM,OAAO,GAAG,UAAU;AAAA,QAC1B,MAAM,OAAO,GAAG,UAAU;AAAA,QAC1B,MAAM,OAAO,GAAG,UAAU;AAAA,MAC5B;AAAA,MACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,CAAC;AAED,QAAI,KAAK,WAAW;AAClB,YAAM,KAAK,qBAAqB;AAAA,QAC9B;AAAA,QACA,eAAe,KAAK;AAAA,MACtB,CAAC;AAAA,IACH;AAEA,UAAM,QAAQ,MAAM,KAAK,aAAa,KAAK;AAC3C,QAAI,CAAC,OAAO;AACV;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,aAAa;AAAA,IAC7B;AACA,iBAAa,oBAAoB,MAAM,KAAK,SAAS,MAAM,KAAK,EAAE,EAAE;AACpE;AAAA,MACE,qBAAqB,MAAM,UAAU,IAAI,KAAK,MAAM,UAAU,IAAI;AAAA,IACpE;AACA,cAAU,qDAAqD;AAAA,EACjE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,SAAwB;AACnC,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,SAAS;AACZ,gBAAU,oBAAoB;AAC9B;AAAA,IACF;AACA,QAAI;AACF,YAAM,SAAS,KAAK,iBAAiB,MAAM;AAAA,QACzC,QAAQ,QAAQ;AAAA,QAChB,OAAO,QAAQ;AAAA,MACjB,CAAC;AACD,YAAM,OAAO,KAAK,OAAO;AACzB,mBAAa,kBAAkB;AAAA,IACjC,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,gBAAU,yBAAyB,OAAO,EAAE;AAC5C,gBAAU,gCAAgC;AAAA,IAC5C;AACA,UAAM,KAAK,aAAa,OAAO;AAC/B,iBAAa,4CAA4C;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAa,SAAuC;AAClD,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,QAAS,QAAO;AACrB,UAAM,SAAS,KAAK,iBAAiB,MAAM;AAAA,MACzC,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AACD,UAAM,KAAK,MAAM,OAAO,KAAK,GAAG;AAChC,WAAO;AAAA,MACL,eAAe;AAAA,MACf,MAAM;AAAA,QACJ,IAAI,GAAG,KAAK;AAAA,QACZ,OAAO,GAAG,KAAK,SAAS;AAAA,QACxB,MAAM,GAAG,KAAK,QAAQ;AAAA,MACxB;AAAA,MACA,WAAW,GAAG;AAAA,MACd,QAAQ,QAAQ;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,qBAAqB,MAGjB;AAChB,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,QAAS;AACd,QAAI,KAAK,kBAAkB,QAAQ,UAAU,KAAM;AAEnD,UAAM,SAAS,KAAK,iBAAiB,MAAM;AAAA,MACzC,QAAQ,KAAK;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AACD,UAAM,OAAO,MAAM,OAAO,WAAW,KAAK;AAC1C,UAAM,SAAS,KAAK,WAAW,KAAK,CAAC,MAAM,EAAE,SAAS,KAAK,aAAa;AACxE,QAAI,CAAC,QAAQ;AACX,YAAM,YAAY,KAAK,WAAW,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI,KAAK;AACnE;AAAA,QACE,2BAA2B,KAAK,aAAa,kCAAkC,SAAS;AAAA,MAC1F;AACA,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,UAAM,KAAK,MAAM,OAAO,WAAW,OAAO,OAAO,YAAY;AAC7D,UAAM,KAAK,cAAc,EAAE,SAAS,GAAG,CAAC;AAAA,EAC1C;AAAA,EAEA,MAAc,cAAc,MAGV;AAChB,UAAM,KAAK,aAAa,KAAK;AAAA,MAC3B,GAAG,KAAK;AAAA,MACR,WAAW;AAAA,QACT,cAAc,KAAK,GAAG,UAAU;AAAA,QAChC,gBAAgB,KAAK,GAAG,UAAU;AAAA,QAClC,MAAM,KAAK,GAAG,UAAU;AAAA,QACxB,MAAM,KAAK,GAAG,UAAU;AAAA,QACxB,MAAM,KAAK,GAAG,UAAU;AAAA,MAC1B;AAAA,MACA,MAAM;AAAA,QACJ,IAAI,KAAK,GAAG,KAAK;AAAA,QACjB,OAAO,KAAK,GAAG,KAAK,SAAS,KAAK,QAAQ,KAAK;AAAA,QAC/C,MAAM,KAAK,GAAG,KAAK,QAAQ,KAAK,QAAQ,KAAK;AAAA,MAC/C;AAAA,MACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,kBACZ,QACA,OACqE;AACrE,UAAM,aAAa,MAAM,kBAAkB;AAC3C,UAAM,cAAc,KAAK,MAAM,MAAM,SAAS;AAC9C,UAAM,eAAe,cAAc;AACnC,WAAO,KAAK,IAAI,IAAI,cAAc;AAChC,YAAM,MAAM,UAAU;AACtB,YAAM,SAAS,MAAM,OAAO,KAAK,eAAe,MAAM,QAAQ;AAC9D,UAAI,OAAO,WAAW,UAAW;AACjC,aAAO;AAAA,IACT;AACA,WAAO,EAAE,QAAQ,UAAU;AAAA,EAC7B;AACF;AAOA,SAAS,mBAA2B;AAClC,SAAO,eAAe,SAAS,CAAC;AAClC;AAEA,SAAS,MAAM,IAA2B;AACxC,SAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AACzD;;;ACxPO,IAAM,mBAAN,MAAuB;AAAA,EACrB,YACY,gBACAC,eACjB;AAFiB;AACA,wBAAAA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA,EAInB,MAAa,OAAwC;AACnD,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,OAAO,WAAW,KAAK;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAa,OAAO,MAAyD;AAC3E,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,UAAM,KAAK,MAAM,OAAO,WAAW,OAAO,KAAK,YAAY;AAC3D,UAAM,KAAK,aAAa,sBAAsB;AAAA,MAC5C,cAAc,GAAG,UAAU;AAAA,MAC3B,gBAAgB,GAAG,UAAU;AAAA,MAC7B,MAAM,GAAG,UAAU;AAAA,MACnB,MAAM,GAAG,UAAU;AAAA,MACnB,MAAM,GAAG,UAAU;AAAA,IACrB,CAAC;AACD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,UAEH;AACR,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,QAAS,QAAO;AACrB,WAAO;AAAA,MACL,WAAW;AAAA,QACT,cAAc,QAAQ,UAAU;AAAA,QAChC,gBAAgB,QAAQ,UAAU;AAAA,QAClC,MAAM,QAAQ,UAAU;AAAA,QACxB,MAAM,QAAQ,UAAU;AAAA,QACxB,MAAM,QAAQ,UAAU;AAAA,QACxB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF;;;ACzEA,OAAOC,YAAW;;;ACAlB;AAAA,EACE,MAAQ;AAAA,EACR,SAAW;AAAA,EACX,MAAQ;AAAA,EACR,aAAe;AAAA,EACf,SAAW;AAAA,EACX,UAAY;AAAA,EACZ,UAAY;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,SAAW;AAAA,IACT,MAAQ;AAAA,EACV;AAAA,EACA,eAAiB;AAAA,IACf,QAAU;AAAA,EACZ;AAAA,EACA,KAAO;AAAA,IACL,MAAQ;AAAA,EACV;AAAA,EACA,OAAS;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,SAAW;AAAA,IACT,KAAO;AAAA,IACP,OAAS;AAAA,IACT,OAAS;AAAA,IACT,WAAa;AAAA,IACb,MAAQ;AAAA,IACR,QAAU;AAAA,IACV,MAAQ;AAAA,IACR,cAAc;AAAA,IACd,gBAAkB;AAAA,EACpB;AAAA,EACA,cAAgB;AAAA,IACd,kBAAkB;AAAA,IAClB,OAAS;AAAA,IACT,WAAa;AAAA,IACb,KAAO;AAAA,IACP,KAAO;AAAA,EACT;AAAA,EACA,iBAAmB;AAAA,IACjB,iBAAiB;AAAA,IACjB,2BAA2B;AAAA,IAC3B,+BAA+B;AAAA,IAC/B,eAAe;AAAA,IACf,cAAc;AAAA,IACd,QAAU;AAAA,IACV,MAAQ;AAAA,IACR,YAAc;AAAA,IACd,QAAU;AAAA,EACZ;AACF;;;AC5CO,IAAM,cAAsB,gBAAY;;;ACQ/C,IAAM,aAAa,QAAQ,WAAW,KAAK,QAAQ,QAAQ,IAAI,QAAQ,IAAI,UAAU,QAAQ,SAAS,IAAI;AAEnG,IAAM,WAAN,cAAuB,MAAM;AAAA,EAC3B,YACL,SACgB,QACA,MAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;AAQO,IAAM,aAAN,MAAiB;AAAA,EACf,YACY,QACA,OACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUnB,MAAa,MAAS,MAAc,OAAuB,CAAC,GAAe;AACzE,UAAM,MAAM,GAAG,KAAK,MAAM,GAAG,IAAI;AACjC,UAAM,UAAkC;AAAA,MACtC,gBAAgB;AAAA,MAChB,cAAc;AAAA,IAChB;AACA,QAAI,KAAK,UAAU,MAAM;AACvB,cAAQ,eAAe,IAAI,UAAU,KAAK,KAAK;AAAA,IACjD;AACA,UAAM,WAAW,MAAM,MAAM,KAAK;AAAA,MAChC,QAAQ,KAAK,UAAU;AAAA,MACvB;AAAA,MACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,MAC5D,QAAQ,KAAK;AAAA,IACf,CAAC;AACD,WAAO,cAAiB,QAAQ;AAAA,EAClC;AAAA;AAAA,EAGA,IAAW,WAAoB;AAC7B,WAAO,KAAK,UAAU;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,gBAAsB;AAC3B,QAAI,KAAK,UAAU,KAAM;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,cAAiB,UAAgC;AAC9D,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,MAAI,OAAgB;AACpB,MAAI,KAAK,SAAS,GAAG;AACnB,QAAI;AACF,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,aACJ,SAAS,QAAQ,OAAO,SAAS,YAAY,WAAW,OACpD,KAAK,QACL;AACN,UAAM,UACJ,OAAO,eAAe,WAAW,aAAa,SAAS;AACzD,UAAM,IAAI;AAAA,MACR,OAAO,YAAY,YAAY,QAAQ,SAAS,IAC5C,UACA,QAAQ,SAAS,MAAM;AAAA,MAC3B,SAAS;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAKA,SAAO;AACT;;;ACpFA,IAAM,iBAAiB;AAEhB,IAAM,WAAN,MAAe;AAAA;AAAA,EAEH,aAAa,oBAAI,IAAoB;AAAA;AAAA,EAE9C,SAAS;AAAA,EAEV,SAAS,MAA0B;AACxC,UAAM,EAAE,cAAc,MAAM,IAAI;AAChC,QAAI,MAAM,SAAS,eAAgB;AACnC,QAAI,KAAK,WAAW,IAAI,KAAK,EAAG;AAChC,SAAK,WAAW,IAAI,OAAO,wBAAwB,YAAY,GAAG;AAClE,QAAI,MAAM,SAAS,KAAK,OAAQ,MAAK,SAAS,MAAM;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcO,sBAAsB,MAA0B;AACrD,SAAK,SAAS,IAAI;AAClB,eAAW,WAAW,iBAAiB,KAAK,KAAK,GAAG;AAClD,WAAK,SAAS,EAAE,cAAc,KAAK,cAAc,OAAO,QAAQ,CAAC;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,SAAyB;AAC9B,WAAO,IAAI,eAAe,KAAK,YAAY,KAAK,MAAM;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASO,OAAO,MAAsB;AAClC,WAAO,KAAK,OAAO,EAAE,OAAO,MAAM,EAAE,OAAO,KAAK,CAAC;AAAA,EACnD;AAAA;AAAA,EAGA,IAAW,OAAe;AACxB,WAAO,KAAK,WAAW;AAAA,EACzB;AACF;AAOO,IAAM,iBAAN,MAAqB;AAAA,EAGnB,YACY,YACA,QACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAJX,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcR,OAAO,OAAe,OAA4B,CAAC,GAAW;AACnE,QAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAI,KAAK,OAAO;AACd,cAAM,MAAM,KAAK,OAAO;AACxB,aAAK,OAAO;AACZ,eAAO;AAAA,MACT;AACA,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,KAAK,OAAO;AAC7B,UAAM,WAAW,KAAK,WAAW,QAAQ;AAEzC,QAAI,KAAK,OAAO;AACd,WAAK,OAAO;AACZ,aAAO;AAAA,IACT;AAMA,UAAM,WAAW,KAAK,IAAI,GAAG,KAAK,SAAS,CAAC;AAC5C,QAAI,SAAS,UAAU,UAAU;AAC/B,WAAK,OAAO;AACZ,aAAO;AAAA,IACT;AACA,UAAM,MAAM,SAAS,SAAS;AAC9B,SAAK,OAAO,SAAS,MAAM,GAAG;AAC9B,WAAO,SAAS,MAAM,GAAG,GAAG;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,WAAW,MAAsB;AACvC,QAAI,SAAS;AACb,UAAM,UAAU,CAAC,GAAG,KAAK,WAAW,QAAQ,CAAC,EAAE;AAAA,MAC7C,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE;AAAA,IAC/B;AACA,eAAW,CAAC,OAAO,MAAM,KAAK,SAAS;AACrC,UAAI,CAAC,OAAO,SAAS,KAAK,EAAG;AAC7B,eAAS,OAAO,MAAM,KAAK,EAAE,KAAK,MAAM;AAAA,IAC1C;AACA,WAAO;AAAA,EACT;AACF;AAeA,SAAS,iBAAiB,OAAyB;AACjD,QAAM,MAAM,OAAO,KAAK,OAAO,MAAM;AACrC,SAAO;AAAA,IACL,IAAI,SAAS,QAAQ;AAAA,IACrB,IAAI,SAAS,WAAW;AAAA,IACxB,IAAI,SAAS,KAAK;AAAA,IAClB,IAAI,SAAS,KAAK,EAAE,YAAY;AAAA,IAChC,mBAAmB,KAAK;AAAA,EAC1B;AACF;;;ACxKO,IAAM,mBAAmB;AAAA;AAAA,EAE9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AACF;AAOO,SAAS,wBAA2C;AACzD,QAAM,MAAyB,CAAC;AAChC,aAAW,OAAO,kBAAkB;AAClC,UAAM,QAAQ,QAAQ,IAAI,GAAG;AAC7B,QAAI,UAAU,OAAW,KAAI,GAAG,IAAI;AAAA,EACtC;AACA,SAAO;AACT;;;ALjCO,IAAM,cAAN,MAAkB;AAAA,EAChB,YACY,gBACA,SACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAGnB,MAAa,QAAQ,MAAoC;AACvD,UAAM,EAAE,UAAU,SAAS,IAAI,MAAM,KAAK;AAAA,MACxC,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAMA,UAAM,MAAyB;AAAA,MAC7B,GAAG,sBAAsB;AAAA,MACzB,kBAAkB,SAAS;AAAA,MAC3B,mBAAmB,SAAS;AAAA,IAC9B;AACA,eAAW,QAAQ,SAAS,aAAa;AACvC,aAAO,OAAO,KAAK,KAAK,OAAO;AAAA,IACjC;AAEA,QAAI;AACF,aAAO,MAAM,KAAK,QAAQ,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,MAAM,CAAC,OAAO,KAAK,OAAO;AAAA,QAC1B;AAAA,QACA,KAAK,KAAK;AAAA,QACV;AAAA,MACF,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,SAAS,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC9D;AAAA,QACE,6BAA6B,MAAM;AAAA,MACrC;AACA,aAAO,SAAS;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,gBACZ,aACA,OACoE;AACpE,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAE3D,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,OAAO,KAAK,QAAQ,EAAE,YAAY,CAAC;AAAA,IACtD,SAAS,OAAO;AACd,UAAI,iBAAiB,UAAU;AAC7B,cAAM,MAAM,YAAY,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,KAAK,IAAI,KAAK;AACvD,YAAI,MAAM,WAAW,KAAK;AAKxB;AAAA,YACE,wCAAwC,MAAM,OAAO,mBAAmB,GAAG;AAAA,UAC7E;AACA,eAAK,SAAS,uBAAuB;AAAA,QACvC;AACA,YAAI,MAAM,WAAW,KAAK;AACxB;AAAA,YACE,yCAAyC,MAAM,OAAO;AAAA,UACxD;AACA,eAAK,SAAS,uBAAuB;AAAA,QACvC;AACA;AAAA,UACE,6CAA6C,MAAM,MAAM,MAAM,MAAM,OAAO;AAAA,QAC9E;AACA,aAAK,SAAS,aAAa;AAAA,MAC7B;AACA,YAAM;AAAA,IACR;AAKA,UAAM,WAAW,IAAI,SAAS;AAC9B,aAAS,sBAAsB;AAAA,MAC7B,cAAc;AAAA,MACd,OAAO,SAAS;AAAA,IAClB,CAAC;AACD,eAAW,QAAQ,SAAS,aAAa;AACvC,iBAAW,SAAS,KAAK,iBAAiB;AACxC,iBAAS,sBAAsB;AAAA,UAC7B,cAAc,KAAK;AAAA,UACnB;AAAA,QACF,CAAC;AAAA,MACH;AAAA,IACF;AAEA,QAAI,CAAC,MAAO,MAAK,yBAAyB,QAAQ;AAElD,WAAO,EAAE,UAAU,SAAS;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,yBAAyB,UAAyC;AACxE,eAAW,QAAQ,SAAS,aAAa;AACvC,YAAM,UAAU,OAAO,KAAK,KAAK,OAAO,EAAE,KAAK,EAAE,KAAK,IAAI;AAC1D;AAAA,QACE,YAAYC,OAAM,KAAK,KAAK,YAAY,CAAC,KAAK,KAAK,aAAa,KAAK,KAAK,eAAe,YAAO,OAAO;AAAA,MACzG;AAAA,IACF;AACA,eAAW,OAAO,SAAS,UAAU,CAAC,GAAG;AACvC;AAAA,QACE,GAAG,IAAI,YAAY,KAAK,IAAI,aAAa,MAAM,IAAI,OAAO,gGAA2F,IAAI,aAAa;AAAA,MACxK;AAAA,IACF;AAAA,EACF;AACF;;;AMrIO,IAAM,mBAAN,MAAuB;AAAA,EACrB,YACY,gBACAC,gBACAC,gBACjB;AAHiB;AACA,yBAAAD;AACA,yBAAAC;AAAA,EAChB;AAAA,EAHgB;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAKnB,MAAa,gBAAgB,MAIQ;AACnC,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,YAAY,KAAK;AACtD,QAAI,SAAS;AACb,QAAI,KAAK,SAAS;AAChB,eAAS,OAAO,OAAO,CAAC,MAAM,EAAE,YAAY,KAAK,OAAO;AAAA,IAC1D;AACA,QAAI,KAAK,MAAM;AACb,eAAS,OAAO,OAAO,CAAC,MAAM,EAAE,eAAe;AAAA,IACjD;AACA,QAAI,KAAK,SAAS,KAAK,MAAM,SAAS,GAAG;AACvC,eAAS,gBAAgB,QAAQ,KAAK,KAAK;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAa,cAAc,IAA2C;AACpE,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,OAAO,YAAY,IAAI,EAAE;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAa,kBAAkB,MAGJ;AACzB,UAAM,EAAE,SAAS,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AACpE,UAAM,OAAO,aAAa,IAAI,KAAK,OAAO;AAC1C,UAAM,MAAM,GAAG,KAAK,cAAc,oBAAoB,QAAQ,MAAM,CAAC,gCAAgC,mBAAmB,KAAK,OAAO,CAAC;AACrI,QAAI,KAAK,aAAc,QAAO,EAAE,MAAM,aAAa,IAAI;AACvD,SAAK,cAAc,KAAK,GAAG;AAC3B,WAAO,EAAE,MAAM,gBAAgB,IAAI;AAAA,EACrC;AAAA;AAAA,EAIA,MAAa,iBAAiB,MAGQ;AACpC,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAM3D,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,aAAa,KAAK;AAAA,MACtD,OAAO,KAAK;AAAA,IACd,CAAC;AACD,WAAO,KAAK,OACR,aAAa,OAAO,CAAC,MAAM,EAAE,mBAAmB,KAAK,IAAI,IACzD;AAAA,EACN;AAAA,EAEA,MAAa,eAAe,SAAiD;AAC3E,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,OAAO,aAAa,IAAI,OAAO;AAAA,EACxC;AAAA;AAAA,EAIA,MAAa,eAAe,MAGmB;AAC7C,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,UAAM,EAAE,WAAW,IAAI,MAAM,OAAO,aAAa;AAAA,MAC/C,KAAK;AAAA,IACP;AACA,QAAI,CAAC,KAAK,SAAS,KAAK,MAAM,WAAW,EAAG,QAAO;AACnD,WAAO,eAAe,YAAY,KAAK,KAAK;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,aAAa,MAGkB;AAC1C,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,KAAK,UACR,OAAO,aAAa,aAAa;AAAA,MAC/B,SAAS,KAAK;AAAA,MACd,MAAM,KAAK;AAAA,IACb,CAAC,IACD,OAAO,WAAW,QAAQ,KAAK,IAAI;AAAA,EACzC;AACF;AAOA,SAAS,gBACP,aACA,OACyB;AACzB,QAAM,IAAI,MAAM,YAAY;AAC5B,QAAM,SAAS,YAAY,IAAI,CAAC,MAAM;AACpC,QAAI,QAAQ;AACZ,QAAI,EAAE,QAAQ,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AAClD,QAAI,EAAE,cAAc,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AACxD,QAAI,EAAE,MAAM,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AAChD,WAAO,EAAE,GAAG,MAAM;AAAA,EACpB,CAAC;AACD,SAAO,OACJ,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,EACzB,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK,EAChC,IAAI,CAAC,MAAM,EAAE,CAAC;AACnB;AAOA,SAAS,eACP,YACA,OACmC;AACnC,QAAM,IAAI,MAAM,YAAY;AAC5B,QAAM,SAAS,WAAW,IAAI,CAAC,OAAO;AACpC,QAAI,QAAQ;AACZ,QAAI,GAAG,MAAM,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AACjD,QAAI,GAAG,YAAY,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AACvD,WAAO,EAAE,IAAI,MAAM;AAAA,EACrB,CAAC;AACD,SAAO,OACJ,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,EACzB,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK,EAChC,IAAI,CAAC,MAAM,EAAE,EAAE;AACpB;;;AClLA,SAAS,SAAS;AAkBX,IAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,SAAS,EAAE,QAAQ,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOpB,QAAQ,EAAE,IAAI,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMzB,cAAc,EAAE,IAAI,EAAE,SAAS;AACjC,CAAC;AAUM,IAAM,uBAAuB,CAAC,UAAU,cAAc;AAG7D,IAAM,0BAA+C,IAAI;AAAA,EACvD;AACF;AASO,SAAS,oBAAoB,KAAuC;AACzE,SAAO,wBAAwB,IAAI,GAAG;AACxC;;;AC3CA,IAAM,kBAAkB;AACxB,IAAM,wBAAwB;AAgCvB,IAAM,gBAAN,MAAoB;AAAA,EAClB,YACYC,cACAC,eACjB;AAFiB,uBAAAD;AACA,wBAAAC;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeZ,cAAc,eAAgC;AACnD,WACE,iBACA,QAAQ,IAAI,gBACZ,KAAK,YAAY,SAAS,GAAG,UAC7B;AAAA,EAEJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUO,oBAAoB,eAAgC;AACzD,QAAI,QAAQ,IAAI,mBAAoB,QAAO,QAAQ,IAAI;AACvD,UAAM,SAAS,KAAK,YAAY,SAAS;AACzC,QAAI,QAAQ,aAAc,QAAO,OAAO;AACxC,QAAI,eAAe,SAAS,WAAW,EAAG,QAAO;AACjD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYO,aAA4D;AACjE,UAAM,OAAO,KAAK,YAAY,SAAS;AACvC,WAAO;AAAA,MACL,QAAQ,MAAM;AAAA,MACd,cAAc,MAAM;AAAA,IACtB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAa,IAAI,MAGY;AAC3B,UAAM,WAAW,KAAK,YAAY,SAAS,KAAK,EAAE,SAAS,EAAW;AACtE,UAAM,OAAO,EAAE,GAAG,UAAU,CAAC,KAAK,GAAG,GAAG,KAAK,MAAM;AACnD,UAAM,SAAS,gBAAgB,UAAU,IAAI;AAC7C,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,OAAO,OAAO,MAAM,OAAO,CAAC,GAAG,WAAW;AAAA,MAC5C;AAAA,IACF;AACA,QAAI,KAAK,QAAQ,UAAU;AACzB,YAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,UAAI,WAAW,QAAQ,WAAW,KAAK,OAAO;AAC5C,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,YAAY,QAAQ;AAAA,QACtB;AAAA,MACF;AAAA,IACF;AACA,UAAM,KAAK,YAAY,KAAK,OAAO,IAAI;AACvC,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAa,MAAM,MAEc;AAC/B,UAAM,WAAW,KAAK,YAAY,SAAS;AAC3C,QAAI,CAAC,YAAY,SAAS,KAAK,GAAG,MAAM,QAAW;AACjD,aAAO,EAAE,QAAQ,MAAM;AAAA,IACzB;AACA,UAAM,OAAsB,EAAE,SAAS,EAAE;AACzC,eAAW,KAAK,sBAAsB;AACpC,UAAI,MAAM,KAAK,IAAK;AACpB,YAAM,QAAQ,SAAS,CAAC;AACxB,UAAI,UAAU,OAAW,MAAK,CAAC,IAAI;AAAA,IACrC;AACA,UAAM,qBAAqB,qBAAqB;AAAA,MAC9C,CAAC,MAAM,KAAK,CAAC,MAAM;AAAA,IACrB;AACA,QAAI,oBAAoB;AACtB,YAAM,KAAK,YAAY,KAAK,IAAI;AAAA,IAClC,OAAO;AACL,YAAM,KAAK,YAAY,OAAO;AAAA,IAChC;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAAA;AAAA,EAGA,IAAW,OAAe;AACxB,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA,EAGO,cAAc,KAAuC;AAC1D,WAAO,oBAAoB,GAAG;AAAA,EAChC;AACF;;;AC/KO,IAAM,gBAAN,MAAoB;AAAA,EAClB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,gBACX,aACsC;AACtC,WAAO,KAAK,KAAK,MAAM,yBAAyB;AAAA,MAC9C,QAAQ;AAAA,MACR,MAAM,EAAE,YAAY;AAAA,IACtB,CAAC;AAAA,EACH;AAAA,EAEA,MAAa,eACX,UACqC;AACrC,WAAO,KAAK,KAAK;AAAA,MACf,yBAAyB,mBAAmB,QAAQ,CAAC;AAAA,MACrD,EAAE,QAAQ,OAAO;AAAA,IACnB;AAAA,EACF;AAAA,EAEA,MAAa,KAA8B;AACzC,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,cAAc;AAAA,EACvC;AAAA,EAEA,MAAa,SAAwB;AACnC,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,oBAAoB,EAAE,QAAQ,OAAO,CAAC;AAAA,EAC/D;AACF;;;ACjCO,IAAM,sBAAN,MAA0B;AAAA,EACxB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,OAAwC;AACnD,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,iBAAiB;AAAA,EAC1C;AAAA,EAEA,MAAa,OAAO,cAA+C;AACjE,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,0BAA0B;AAAA,MAC/C,QAAQ;AAAA,MACR,MAAM,EAAE,aAAa;AAAA,IACvB,CAAC;AAAA,EACH;AACF;;;AChBO,IAAM,gBAAN,MAAoB;AAAA,EAClB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,QACX,MACkC;AAClC,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,qBAAqB;AAAA,MAC1C,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AAAA,EACH;AACF;;;ACVO,IAAM,uBAAN,MAA2B;AAAA,EACzB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,OAA4C;AACvD,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,kBAAkB;AAAA,EAC3C;AAAA,EAEA,MAAa,IAAI,IAA2C;AAC1D,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,oBAAoB,mBAAmB,EAAE,CAAC,EAAE;AAAA,EACrE;AACF;;;ACVO,IAAM,wBAAN,MAA4B;AAAA,EAC1B,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,KAAK,MAEuB;AACvC,SAAK,KAAK,cAAc;AACxB,UAAM,OACJ,MAAM,SAAS,KAAK,MAAM,SAAS,IAC/B,uBAAuB,mBAAmB,KAAK,KAAK,CAAC,KACrD;AACN,WAAO,KAAK,KAAK,MAAM,IAAI;AAAA,EAC7B;AAAA,EAEA,MAAa,IAAI,SAAiD;AAChE,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,qBAAqB,mBAAmB,OAAO,CAAC,EAAE;AAAA,EAC3E;AAAA,EAEA,MAAa,eACX,SACgD;AAChD,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK;AAAA,MACf,qBAAqB,mBAAmB,OAAO,CAAC;AAAA,IAClD;AAAA,EACF;AAAA,EAEA,MAAa,aAAa,MAGkB;AAC1C,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK;AAAA,MACf,qBAAqB,mBAAmB,KAAK,OAAO,CAAC,eAAe,mBAAmB,KAAK,IAAI,CAAC;AAAA,IACnG;AAAA,EACF;AACF;;;ACvCO,IAAM,sBAAN,MAA0B;AAAA,EACxB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,QAAQ,MAAuD;AAC1E,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,mBAAmB,mBAAmB,IAAI,CAAC,EAAE;AAAA,EACtE;AACF;;;ACUO,IAAM,mBAAN,MAAuB;AAAA,EACrB,MAAM,MAGO;AAClB,UAAM,OAAO,IAAI,WAAW,KAAK,QAAQ,KAAK,KAAK;AACnD,WAAO;AAAA,MACL,MAAM,IAAI,cAAc,IAAI;AAAA,MAC5B,YAAY,IAAI,oBAAoB,IAAI;AAAA,MACxC,MAAM,IAAI,cAAc,IAAI;AAAA,MAC5B,aAAa,IAAI,qBAAqB,IAAI;AAAA,MAC1C,cAAc,IAAI,sBAAsB,IAAI;AAAA,MAC5C,YAAY,IAAI,oBAAoB,IAAI;AAAA,IAC1C;AAAA,EACF;AACF;;;AC7CA,SAAS,OAAO,UAAU,WAAW,QAAQ,aAAa;;;ACA1D,SAAS,KAAAC,UAAS;AAeX,IAAM,0BAA0BA,GAAE,OAAO;AAAA,EAC9C,SAASA,GAAE,QAAQ,CAAC;AAAA,EACpB,QAAQA,GAAE,IAAI;AAAA;AAAA,EAEd,OAAOA,GAAE,OAAO,EAAE,WAAW,UAAU;AAAA,EACvC,MAAMA,GAAE,OAAO;AAAA,IACb,IAAIA,GAAE,OAAO;AAAA,IACb,OAAOA,GAAE,OAAO,EAAE,SAAS;AAAA,IAC3B,MAAMA,GAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,CAAC;AAAA,EACD,WAAWA,GAAE,OAAO;AAAA,IAClB,cAAcA,GAAE,OAAO;AAAA,IACvB,gBAAgBA,GAAE,OAAO;AAAA,IACzB,MAAMA,GAAE,OAAO;AAAA,IACf,MAAMA,GAAE,OAAO;AAAA,IACf,MAAMA,GAAE,OAAO;AAAA,EACjB,CAAC;AAAA;AAAA,EAED,SAASA,GAAE,OAAO;AACpB,CAAC;;;ADjBM,IAAM,eAAN,MAAmB;AAAA,EACjB,YACY,UACA,eACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnB,MAAa,OAA0C;AACrD,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,SAAS,KAAK,UAAU,OAAO;AAAA,IAC7C,SAAS,KAAK;AACZ,UAAI,YAAY,KAAK,QAAQ,EAAG,QAAO;AACvC,YAAM;AAAA,IACR;AACA,QAAI;AACJ,QAAI;AACF,aAAO,KAAK,MAAM,GAAG;AAAA,IACvB,QAAQ;AACN,aAAO;AAAA,IACT;AACA,UAAM,SAAS,wBAAwB,UAAU,IAAI;AACrD,WAAO,OAAO,UAAU,OAAO,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,KAAK,SAA2C;AAC3D,UAAM,MAAM,KAAK,eAAe,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAChE,UAAM,MAAM,KAAK,eAAe,GAAK,EAAE,MAAM,MAAM;AAAA,IAEnD,CAAC;AACD,UAAM,UAAU,KAAK,UAAU,KAAK,UAAU,SAAS,MAAM,CAAC,GAAG;AAAA,MAC/D,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,SAAwB;AACnC,QAAI;AACF,YAAM,OAAO,KAAK,QAAQ;AAAA,IAC5B,SAAS,KAAK;AACZ,UAAI,YAAY,KAAK,QAAQ,EAAG;AAChC,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,sBACX,WACe;AACf,UAAM,UAAU,MAAM,KAAK,KAAK;AAChC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AACA,UAAM,KAAK,KAAK;AAAA,MACd,GAAG;AAAA,MACH;AAAA,MACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,CAAC;AAAA,EACH;AACF;AASA,SAAS,YAAY,KAAc,UAA2B;AAC5D,MAAI,OAAO,QAAQ,YAAY,QAAQ,KAAM,QAAO;AACpD,MAAI,EAAE,UAAU,KAAM,QAAO;AAC7B,SAAO,IAAI,SAAS;AACtB;;;AE7GA,SAAS,oBAAoB;AAC7B,SAAS,SAAAC,QAAO,aAAAC,YAAW,UAAAC,eAAc;AACzC,SAAS,eAAe;AAcjB,IAAM,cAAN,MAAkB;AAAA,EAChB,YAA6B,UAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO7B,WAAiC;AACtC,QAAI;AACJ,QAAI;AACF,YAAM,aAAa,KAAK,UAAU,MAAM;AAAA,IAC1C,QAAQ;AACN,aAAO;AAAA,IACT;AACA,QAAI;AACJ,QAAI;AACF,aAAO,KAAK,MAAM,GAAG;AAAA,IACvB,QAAQ;AACN,aAAO;AAAA,IACT;AACA,UAAM,SAAS,gBAAgB,UAAU,IAAI;AAC7C,WAAO,OAAO,UAAU,OAAO,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,KAAK,QAAsC;AACtD,UAAMC,OAAM,QAAQ,KAAK,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACvD,UAAMC,WAAU,KAAK,UAAU,KAAK,UAAU,QAAQ,MAAM,CAAC,IAAI,MAAM;AAAA,MACrE,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,SAAwB;AACnC,QAAI;AACF,YAAMC,QAAO,KAAK,QAAQ;AAAA,IAC5B,SAAS,KAAK;AACZ,UACE,OAAO,QAAQ,YACf,QAAQ,QACR,UAAU,OACV,IAAI,SAAS,UACb;AACA;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA,EAGA,IAAW,OAAe;AACxB,WAAO,KAAK;AAAA,EACd;AACF;;;AC7EA,SAAS,aAAa;AAef,IAAM,gBAAN,MAAoB;AAAA,EAClB,KAAK,KAAsB;AAChC,UAAM,MAAM,yBAAyB;AACrC,QAAI;AACF,YAAM,QAAQ,MAAM,KAAK,CAAC,GAAG,GAAG,EAAE,OAAO,UAAU,UAAU,KAAK,CAAC;AACnE,YAAM,MAAM;AACZ,aAAO;AAAA,IACT,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,SAAS,2BAAmC;AAC1C,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;;;ACtCA,SAAS,SAAAC,cAAa;AAqCf,IAAM,sBAAN,MAA0B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM/B,MAAa,IAAI,MAAkC;AACjD,UAAM,QAAQA,OAAM,KAAK,SAAS,KAAK,MAAM;AAAA,MAC3C,KAAK,KAAK;AAAA,MACV,KAAK,KAAK,OAAO,QAAQ,IAAI;AAAA,MAC7B,OAAO,CAAC,WAAW,QAAQ,MAAM;AAAA,IACnC,CAAC;AAaD,UAAM,eAAe;AAAA,MACnB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,KAAK,SAAS,OAAO;AAAA,MACrB,KAAK;AAAA,IACP;AACA,UAAM,eAAe;AAAA,MACnB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,KAAK,SAAS,OAAO;AAAA,IACvB;AAEA,UAAM,gBAAgB,CAAC,WAAiC;AACtD,UAAI,CAAC,MAAM,OAAQ,OAAM,KAAK,MAAM;AAAA,IACtC;AACA,YAAQ,GAAG,UAAU,aAAa;AAClC,YAAQ,GAAG,WAAW,aAAa;AAEnC,QAAI;AACF,YAAM,WAAW,MAAM,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC9D,cAAM,KAAK,QAAQ,CAAC,MAAM,WAAW;AACnC,cAAI,SAAS,KAAM,SAAQ,IAAI;AAAA,mBACtB,WAAW,KAAM,SAAQ,MAAM,aAAa,MAAM,CAAC;AAAA,cACvD,SAAQ,CAAC;AAAA,QAChB,CAAC;AACD,cAAM,KAAK,SAAS,CAAC,QAAQ,OAAO,GAAG,CAAC;AAAA,MAC1C,CAAC;AAID,YAAM,QAAQ,IAAI,CAAC,cAAc,YAAY,CAAC;AAC9C,aAAO;AAAA,IACT,UAAE;AACA,cAAQ,eAAe,UAAU,aAAa;AAC9C,cAAQ,eAAe,WAAW,aAAa;AAAA,IACjD;AAAA,EACF;AACF;AAaA,SAAS,kBACP,QACA,MACA,UACA,SACe;AACf,SAAO,IAAI,QAAc,CAAC,YAAY;AACpC,QAAI,UAAU;AACd,UAAM,OAAO,CAAC,UAAwB;AACpC,UAAI,MAAM,WAAW,EAAG;AACxB,WAAK,MAAM,KAAK;AAChB,gBAAU,KAAK;AAAA,IACjB;AACA,UAAM,aAAa,MAAY;AAC7B,UAAI,QAAS;AACb,gBAAU;AACV,WAAK,SAAS,OAAO,IAAI,EAAE,OAAO,KAAK,CAAC,CAAC;AACzC,cAAQ;AAAA,IACV;AACA,WAAO,GAAG,OAAO,UAAU;AAC3B,WAAO,GAAG,SAAS,UAAU;AAC7B,WAAO,GAAG,SAAS,MAAM;AACvB,gBAAU;AACV,cAAQ;AAAA,IACV,CAAC;AACD,WAAO,YAAY,MAAM;AACzB,WAAO,GAAG,QAAQ,CAAC,UAAkB;AACnC,WAAK,SAAS,OAAO,KAAK,CAAC;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AACH;AAOA,SAAS,aAAa,QAAgC;AACpD,QAAM,MAA+C;AAAA,IACnD,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AACA,SAAO,IAAI,MAAM,KAAK;AACxB;;;AC7JA,SAAS,eAAe;AACxB,SAAS,YAAY;AASd,SAAS,YAAoB;AAClC,SAAO,QAAQ,IAAI,mBAAmB,KAAK,QAAQ,GAAG,WAAW,MAAM;AACzE;AAMO,SAAS,kBAA0B;AACxC,SAAO,KAAK,UAAU,GAAG,qBAAqB;AAChD;AAEO,SAAS,iBAAyB;AACvC,SAAO,KAAK,UAAU,GAAG,aAAa;AACxC;;;ACDO,IAAM,eAAe,IAAI,aAAa,gBAAgB,GAAG,UAAU,CAAC;AAEpE,IAAM,cAAc,IAAI,YAAY,eAAe,CAAC;AAEpD,IAAM,mBAAmB,IAAI,iBAAiB;AAE9C,IAAM,gBAAgB,IAAI,cAAc;AAExC,IAAM,sBAAsB,IAAI,oBAAoB;;;ACCpD,IAAM,gBAAgB,IAAI,cAAc,aAAa,YAAY;AAEjE,IAAM,wBAAwB,IAAI;AAAA,EACvC;AAAA,EACA;AACF;AAEO,IAAM,cAAc,IAAI;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,mBAAmB,IAAI;AAAA,EAClC;AAAA,EACA;AACF;AAEO,IAAM,cAAc,IAAI;AAAA,EAC7B;AAAA,EACA;AACF;AAEO,IAAM,mBAAmB,IAAI;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AACF;;;ACxCO,SAAS,eACd,OACA,OAAqC,CAAC,GAC/B;AACP,MAAI,iBAAiB,UAAU;AAC7B,QAAI,MAAM,WAAW,OAAO,KAAK,iBAAiB;AAChD,iBAAW,KAAK,eAAe;AAC/B,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,QAAI,MAAM,WAAW,KAAK;AACxB;AAAA,QACE,yCAAyC,MAAM,OAAO;AAAA,MACxD;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,QAAI,MAAM,WAAW,KAAK;AACxB;AAAA,QACE,cAAc,MAAM,OAAO;AAAA,MAC7B;AACA,WAAK,SAAS,SAAS;AAAA,IACzB;AACA,QAAI,MAAM,WAAW,KAAK;AACxB;AAAA,QACE,cAAc,MAAM,OAAO;AAAA,MAC7B;AACA,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,QAAI,MAAM,UAAU,KAAK;AACvB;AAAA,QACE,sBAAsB,MAAM,MAAM,MAAM,MAAM,OAAO;AAAA,MACvD;AACA,WAAK,SAAS,aAAa;AAAA,IAC7B;AACA,eAAW,wBAAwB,MAAM,MAAM,MAAM,MAAM,OAAO,EAAE;AACpE,SAAK,SAAS,aAAa;AAAA,EAC7B;AACA;AAAA,IACE,qBAAqB,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,EAC7E;AACA,OAAK,SAAS,aAAa;AAC7B;;;AC7CO,SAAS,cAAc,QAAuB;AACnD,SACG,QAAQ,OAAO,EACf;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,SAAuB;AACpC,QAAI;AACF,YAAM,YAAY,MAAM;AAAA,QACtB,QAAQ,KAAK;AAAA,QACb,WAAW,KAAK;AAAA,MAClB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC;AACL;;;AC9BO,SAAS,eAAe,QAAuB;AACpD,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC,OAAO,YAAY;AAClB,QAAI;AACF,YAAM,YAAY,OAAO;AAAA,IAC3B,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC;AACL;;;ACAA,eAAsB,kBACpB,MACe;AACf,MAAI;AACF,UAAM,SAAS,MAAM,YAAY,OAAO;AACxC,QAAI,CAAC,QAAQ;AACX,UAAI,KAAK,MAAM;AACb,kBAAU,EAAE,eAAe,MAAM,CAAC;AAAA,MACpC,OAAO;AACL;AAAA,UACE;AAAA,QACF;AAAA,MACF;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,QAAI,KAAK,MAAM;AACb,gBAAU,MAAM;AAChB,WAAK,SAAS,EAAE;AAAA,IAClB;AACA,iBAAa,oBAAoB,OAAO,KAAK,SAAS,OAAO,KAAK,EAAE,EAAE;AACtE;AAAA,MACE,qBAAqB,OAAO,UAAU,IAAI,KAAK,OAAO,UAAU,IAAI,KAAK,OAAO,UAAU,IAAI;AAAA,IAChG;AACA,SAAK,SAAS,EAAE;AAAA,EAClB,SAAS,OAAO;AACd,QAAI,iBAAiB,YAAY,MAAM,WAAW,KAAK;AACrD;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,UAAM,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACpE;AAAA,MACE,6BAA6B,MAAM;AAAA,IACrC;AACA,SAAK,SAAS,aAAa;AAAA,EAC7B;AACF;AASO,SAAS,eAAe,QAAuB;AACpD,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAA4B,kBAAkB,IAAI,CAAC;AAChE;;;AC1DO,SAAS,qBAAqBC,UAAwB;AAC3D,gBAAcA,QAAO;AACrB,iBAAeA,QAAO;AAEtB,QAAM,OAAOA,SACV,QAAQ,MAAM,EACd,YAAY,iCAAiC,EAC7C,OAAO,MAAM,kBAAkB,CAAC,CAAC,CAAC;AACrC,iBAAe,IAAI;AACrB;;;AC9BA,OAAOC,YAAW;AAkCX,SAAS,WACd,SACA,MACA,OAAuB,CAAC,GAClB;AACN,QAAM,MAAM,KAAK,OAAO,QAAQ;AAChC,QAAM,WAAW,QAAQ;AAKzB,QAAM,UAAU,KAAK,WACjB,KAAK,IAAI,CAAC,KAAK,MAAM,KAAK,SAAU,KAAK,CAAC,CAAC,IAC3C;AACJ,QAAM,aACJ,YAAY,QAAQ,QAAQ,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,MAAM,CAAC,MAAM,CAAC;AAEvE,QAAM,SAAS,IAAI,MAAc,QAAQ,EAAE,KAAK,CAAC;AACjD,WAAS,IAAI,GAAG,IAAI,UAAU,IAAK,QAAO,CAAC,IAAI,QAAQ,CAAC,EAAG;AAC3D,aAAW,OAAO,MAAM;AACtB,aAAS,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,YAAM,MAAM,IAAI,CAAC,GAAG,UAAU;AAC9B,UAAI,MAAM,OAAO,CAAC,EAAI,QAAO,CAAC,IAAI;AAAA,IACpC;AAAA,EACF;AAGA,QAAM,cAAc,QAAQ;AAAA,IAAI,CAAC,GAAG,MAClC,IAAIA,OAAM,IAAI,CAAC,GAAG,EAAE,QAAQ,OAAO,CAAC,GAAI,MAAM,WAAW,CAAC;AAAA,EAC5D;AACA,MAAI,OAAO,aAAa,OAAO,MAAM,YAAY,KAAK,IAAI,IAAI,IAAI;AAElE,OAAK,QAAQ,CAAC,KAAK,WAAW;AAC5B,UAAM,WAAW,cAAc,QAAS,MAAM,MAAM;AACpD,UAAM,QAAQ,IAAI,IAAI,CAAC,KAAK,MAAM;AAChC,YAAM,QAAQ,OAAO;AACrB,UAAI,UAAU;AACd,UAAI,YAAY,MAAM,EAAG,WAAUA,OAAM,KAAK,KAAK;AAAA,eAC1C,KAAK;AACZ,kBAAU,KAAK,QAAQ,OAAO,EAAE,KAAK,QAAQ,KAAK,EAAE,CAAC;AACvD,aAAO,IAAI,SAAS,MAAM,QAAQ,OAAO,CAAC,GAAI,MAAM,WAAW,CAAC;AAAA,IAClE,CAAC;AACD,UAAM,SAAS,aAAa,GAAG,WAAWA,OAAM,MAAM,GAAG,IAAI,GAAG,MAAM;AACtE,QAAI,MAAM,SAAS,MAAM,KAAK,IAAI,IAAI,IAAI;AAAA,EAC5C,CAAC;AACH;AAOA,SAAS,IACP,SACA,QACA,OACA,QACQ;AACR,MAAI,OAAQ,QAAO;AACnB,MAAI,UAAU,MAAO,QAAO;AAC5B,SAAO,UAAU,IAAI,OAAO,QAAQ,MAAM;AAC5C;AAMO,SAAS,UACd,UACiD;AACjD,SAAO,CAAC,MAAM,SAAU,KAAK,QAAQ,WAAWA,OAAM,IAAI,IAAI,IAAI;AACpE;;;ACpFA,eAAsB,qBACpB,MACe;AACf,MAAI;AACF,UAAM,EAAE,WAAW,IAAI,MAAM,iBAAiB,KAAK;AAEnD,QAAI,KAAK,MAAM;AACb,gBAAU;AAAA,QACR,QAAQ,WAAW,KAAK,CAAC,MAAM,EAAE,QAAQ,GAAG,QAAQ;AAAA,QACpD;AAAA,MACF,CAAC;AACD,WAAK,SAAS,EAAE;AAAA,IAClB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,OAAO;AAAA,QACb;AAAA,MACF;AACA,WAAK,SAAS,EAAE;AAAA,IAClB;AAEA;AAAA,MACE,CAAC,QAAQ,QAAQ,MAAM;AAAA,MACvB,WAAW,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC;AAAA,MAC9C,EAAE,UAAU,CAAC,MAAM,MAAM,WAAW,CAAC,EAAG,SAAS;AAAA,IACnD;AACA,SAAK,SAAS,EAAE;AAAA,EAClB,SAAS,OAAO;AACd,mBAAe,KAAK;AAAA,EACtB;AACF;AAOO,SAAS,sBAAsB,QAAuB;AAC3D,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAA+B,qBAAqB,IAAI,CAAC;AACtE;;;ACpEA,YAAY,OAAO;AAgBZ,SAAS,wBAAwB,QAAuB;AAC7D,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF,EACC,OAAO,OAAO,SAA6B;AAC1C,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAM,sBAAsB,cAAc;AAC9D,YAAM,EAAE,WAAW,IAAI,MAAM,iBAAiB,KAAK;AAEnD,YAAM,SAAS,OACX,WAAW,YAAY,IAAI,IAC3B,MAAM,kBAAkB;AAAA,QACtB;AAAA,QACA,qBAAqB,QAAQ,UAAU;AAAA,MACzC,CAAC;AACL,UAAI,CAAC,OAAQ;AAEb,UAAI,OAAO,iBAAiB,QAAQ,UAAU,cAAc;AAC1D,kBAAU,cAAc,OAAO,IAAI,KAAK,OAAO,IAAI,eAAe;AAClE,aAAK,SAAS,EAAE;AAAA,MAClB;AAEA,YAAM,KAAK,MAAM,iBAAiB,OAAO;AAAA,QACvC,cAAc,OAAO;AAAA,MACvB,CAAC;AACD;AAAA,QACE,qBAAqB,GAAG,UAAU,IAAI,KAAK,GAAG,UAAU,IAAI;AAAA,MAC9D;AACA,WAAK,SAAS,EAAE;AAAA,IAClB,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC;AACL;AAEA,SAAS,WACP,YACA,MACsB;AACtB,QAAM,SAAS,WAAW,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AACrD,MAAI,CAAC,QAAQ;AACX,UAAM,YAAY,WAAW,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI,KAAK;AAC9D;AAAA,MACE,2BAA2B,IAAI,kCAAkC,SAAS;AAAA,IAC5E;AACA,SAAK,SAAS,QAAQ;AAAA,EACxB;AACA,SAAO;AACT;AAMA,eAAe,kBAAkB,MAGa;AAC5C,MAAI,CAAC,QAAQ,MAAM,OAAO;AACxB;AAAA,MACE;AAAA,IACF;AACA,SAAK,SAAS,YAAY;AAAA,EAC5B;AACA,MAAI,KAAK,WAAW,WAAW,GAAG;AAChC;AAAA,MACE;AAAA,IACF;AACA,SAAK,SAAS,QAAQ;AAAA,EACxB;AACA,MAAI,KAAK,WAAW,WAAW,GAAG;AAChC,cAAU,oDAAoD;AAC9D,SAAK,SAAS,EAAE;AAAA,EAClB;AAEA,QAAM,SAAS,MAAQ,SAAO;AAAA,IAC5B,SAAS;AAAA,IACT,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK,WAAW,IAAI,CAAC,OAAO;AAAA,MACnC,OAAO,EAAE;AAAA,MACT,OAAO,GAAG,EAAE,IAAI,KAAK,EAAE,IAAI;AAAA,MAC3B,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,EACJ,CAAC;AACD,MAAM,WAAS,MAAM,GAAG;AACtB,cAAU,YAAY;AACtB,WAAO;AAAA,EACT;AACA,SAAO,KAAK,WAAW,KAAK,CAAC,MAAM,EAAE,iBAAiB,MAAM;AAC9D;;;ACjGO,SAAS,yBAAyB,QAAuB;AAC9D,SACG,QAAQ,SAAS,EACjB;AAAA,IACC;AAAA,EACF,EACC,OAAO,aAAa,gDAAgD,EACpE;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAAyB;AAGhC,SAAK,IAAI,IAAI;AAAA,EACf,CAAC;AACL;AAEA,eAAe,IAAI,MAAqC;AACtD,QAAM,UAAU,MAAM,iBAAiB,QAAQ;AAC/C,MAAI,CAAC,SAAS;AACZ,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,eAAe,MAAM,CAAC;AAAA,IACpC,OAAO;AACL;AAAA,QACE;AAAA,MACF;AAAA,IACF;AACA,SAAK,SAAS,uBAAuB;AAAA,EACvC;AAEA,QAAM,KAAK,QAAQ;AACnB,MAAI,KAAK,MAAM;AACb,cAAU,EAAE;AACZ,SAAK,SAAS,EAAE;AAAA,EAClB;AACA,MAAI,KAAK,SAAS;AAChB,YAAQ,OAAO,MAAM,SAAS,GAAG,IAAI;AAAA,CAAI;AACzC,YAAQ,OAAO,MAAM,SAAS,GAAG,IAAI;AAAA,CAAI;AACzC,YAAQ,OAAO,MAAM,SAAS,GAAG,IAAI;AAAA,CAAI;AACzC,YAAQ,OAAO,MAAM,SAAS,GAAG,cAAc;AAAA,CAAI;AACnD,SAAK,SAAS,EAAE;AAAA,EAClB;AACA,UAAQ,OAAO,MAAM,GAAG,GAAG,IAAI;AAAA,CAAI;AACnC,OAAK,SAAS,EAAE;AAClB;;;AC9CO,SAAS,0BAA0BC,UAAwB;AAChE,QAAM,YAAYA,SACf,QAAQ,WAAW,EACnB,MAAM,YAAY,EAClB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,qBAAqB,CAAC,CAAC,CAAC;AACxC,wBAAsB,SAAS;AAC/B,0BAAwB,SAAS;AACjC,2BAAyB,SAAS;AACpC;;;ACDO,SAAS,iBAAiB,QAAuB;AACtD,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC;AAAA,EACH,EACC;AAAA,IACC;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC;AAAA,EACH,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,qBAAqB,IAAI,EACzB,OAAO,OAAO,MAAmB,YAAqB;AACrD,QAAI;AACF,YAAM,OAAO,MAAM,YAAY,MAAM,QAAQ,IAAI;AACjD,cAAQ,KAAK,IAAI;AAAA,IACnB,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC,EACA;AAAA,IACC;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCF;AACJ;AAEA,SAAS,QAAQ,OAAe,MAA0B;AACxD,SAAO,CAAC,GAAG,MAAM,KAAK;AACxB;AAEA,eAAe,YACb,MACA,YACiB;AACjB,QAAM,UAAU,WAAW,KAAK,GAAG,EAAE,KAAK;AAC1C,MAAI,CAAC,SAAS;AACZ;AAAA,MACE;AAAA,IACF;AACA,SAAK,SAAS,WAAW;AAAA,EAC3B;AACA,MAAI,KAAK,KAAK,WAAW,KAAK,OAAO,QAAQ;AAC3C;AAAA,MACE,sDAAsD,KAAK,KAAK,MAAM,eAAe,KAAK,OAAO,MAAM;AAAA,IACzG;AACA,SAAK,SAAS,WAAW;AAAA,EAC3B;AAEA,SAAO,YAAY,QAAQ;AAAA,IACzB;AAAA;AAAA;AAAA;AAAA,IAIA,aAAa,KAAK,KAAK,IAAI,CAAC,IAAI,OAAO;AAAA,MACrC;AAAA,MACA,QAAQ,KAAK,OAAO,CAAC;AAAA,IACvB,EAAE;AAAA,IACF,KAAK,KAAK;AAAA,IACV,OAAO,KAAK;AAAA,EACd,CAAC;AACH;;;ACzHO,SAAS,qBAAqBC,UAAwB;AAC3D,QAAM,OAAOA,SACV,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF;AAEF,mBAAiB,IAAI;AACvB;;;ACDA,eAAsB,sBACpB,MACe;AACf,MAAI;AACF,UAAM,cAAc,MAAM,iBAAiB,gBAAgB;AAAA,MACzD,SAAS,KAAK;AAAA,MACd,MAAM,KAAK;AAAA,MACX,OAAO,KAAK;AAAA,IACd,CAAC;AAED,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,YAAY,CAAC;AACzB;AAAA,IACF;AACA,QAAI,YAAY,WAAW,GAAG;AAC5B,YAAM,aAAa,0BAA0B,IAAI;AACjD,cAAQ,OAAO;AAAA,QACb,aACI,yBAAyB,UAAU;AAAA,IACnC;AAAA,MACN;AACA;AAAA,IACF;AACA;AAAA,MACE,CAAC,MAAM,WAAW,OAAO;AAAA,MACzB,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC;AAAA,MACjD;AAAA;AAAA;AAAA;AAAA,QAIE,UAAU,CAAC,MAAM,MAAM,YAAY,CAAC,EAAG;AAAA,QACvC,SAAS,UAAU,CAAC;AAAA,MACtB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,mBAAe,KAAK;AAAA,EACtB;AACF;AAOO,SAAS,uBAAuB,QAAuB;AAC5D,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAAgC,sBAAsB,IAAI,CAAC;AACxE;AAEA,SAAS,0BAA0B,MAAqC;AACtE,QAAM,QAAkB,CAAC;AACzB,MAAI,KAAK,QAAS,OAAM,KAAK,aAAa,KAAK,OAAO,EAAE;AACxD,MAAI,KAAK,KAAM,OAAM,KAAK,QAAQ;AAClC,MAAI,KAAK,MAAO,OAAM,KAAK,OAAO,KAAK,KAAK,GAAG;AAC/C,SAAO,MAAM,KAAK,GAAG;AACvB;;;AClFO,SAAS,aACd,OACA,MACqB;AACrB,QAAM,WAAW,KAAK,MAAM,GAAG,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC;AAC3D,MAAI,UAAmB;AACvB,aAAW,WAAW,UAAU;AAC9B,QAAI,YAAY,QAAQ,YAAY,OAAW,QAAO;AACtD,QAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,YAAM,MAAM,OAAO,SAAS,SAAS,EAAE;AACvC,UAAI,OAAO,MAAM,GAAG,EAAG,QAAO;AAC9B,gBAAU,QAAQ,GAAG;AAAA,IACvB,WAAW,OAAO,YAAY,UAAU;AAItC,gBAAU,QAAQ,IAAI,SAAS,OAAO;AAAA,IACxC,OAAO;AACL,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAQO,SAAS,qBAAqB,OAAwB;AAC3D,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,SAAO,KAAK,UAAU,OAAO,MAAM,CAAC;AACtC;;;AC3BO,SAAS,sBAAsB,QAAuB;AAC3D,SACG,QAAQ,KAAK,EACb,SAAS,QAAQ,yCAAoC,EACrD;AAAA,IACC;AAAA,EACF,EACC,OAAO,UAAU,wCAAwC,EACzD;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,IAAY,SAAqB;AAC9C,QAAI;AACF,YAAM,SAAS,MAAM,iBAAiB,cAAc,EAAE;AAEtD,UAAI,KAAK,OAAO;AACd,cAAM,QAAQ,aAAa,QAAQ,KAAK,KAAK;AAC7C,YAAI,UAAU,QAAW;AACvB,gBAAM,WAAW,OAAO,KAAK,MAAM,EAAE,KAAK,IAAI;AAC9C;AAAA,YACE,UAAU,KAAK,KAAK,yDAAyD,QAAQ,mEAAmE,EAAE;AAAA,UAC5J;AACA,eAAK,SAAS,QAAQ;AAAA,QACxB;AACA,gBAAQ,OAAO,MAAM,qBAAqB,KAAK,IAAI,IAAI;AACvD;AAAA,MACF;AACA,UAAI,KAAK,MAAM;AACb,kBAAU,MAAM;AAChB;AAAA,MACF;AACA,mBAAa,MAAM;AAAA,IACrB,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,0BAA0B,EAAE;AAAA,MAC/C,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;AAEA,SAAS,aAAa,QAAoC;AACxD,QAAM,MAAM,QAAQ;AACpB,MAAI,MAAM,GAAG,OAAO,EAAE,OAAO,OAAO,KAAK;AAAA,CAAI;AAC7C,MAAI,MAAM,iBAAiB,OAAO,aAAa;AAAA,CAAI;AACnD,MAAI,MAAM,iBAAiB,OAAO,cAAc;AAAA,CAAI;AACpD,MAAI,MAAM,iBAAiB,OAAO,UAAU,MAAM,GAAG,EAAE,CAAC;AAAA,CAAI;AAC5D,MAAI;AAAA,IACF,iBAAiB,OAAO,kBAAkB,iBAAiB,iBAAiB;AAAA;AAAA,EAC9E;AACA,MAAI,MAAM,iBAAiB,OAAO,WAAW,QAAQ,IAAI;AAAA;AAAA,CAAM;AAE/D,MAAI,MAAM,YAAY;AACtB,aAAW,KAAK,OAAO,QAAS,KAAI,MAAM,KAAK,CAAC;AAAA,CAAI;AACpD,MAAI,MAAM,IAAI;AAEd,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,QAAI,MAAM,WAAW;AACrB,eAAW,KAAK,OAAO,QAAQ;AAC7B,UAAI,MAAM,KAAK,EAAE,KAAK,OAAO,EAAE,CAAC,IAAI,EAAE,WAAW,WAAW,QAAQ;AAAA,CAAI;AAAA,IAC1E;AACA,QAAI,MAAM,IAAI;AAAA,EAChB;AAEA,MAAI,OAAO,iBAAiB,OAAO,cAAc,SAAS,GAAG;AAC3D,QAAI,MAAM,kBAAkB,OAAO,cAAc,KAAK,IAAI,CAAC;AAAA,CAAI;AAAA,EACjE;AACF;;;ACpFA,OAAOC,YAAW;AAiBX,SAAS,0BAA0B,QAAuB;AAC/D,SACG,QAAQ,SAAS,EACjB;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,gBAAgB,wBAAwB,EAC/C,OAAO,OAAO,SAAiB,SAAyB;AACvD,QAAI;AACF,YAAM,SAAS,MAAM,iBAAiB,kBAAkB;AAAA,QACtD;AAAA;AAAA;AAAA,QAGA,cAAc,KAAK,YAAY,KAAK,cAAc;AAAA,MACpD,CAAC;AACD,UAAI,OAAO,SAAS,aAAa;AAC/B,gBAAQ,OAAO,MAAM,GAAG,OAAO,GAAG;AAAA,CAAI;AACtC;AAAA,MACF;AACA,gBAAU,WAAWC,OAAM,KAAK,OAAO,GAAG,CAAC,EAAE;AAC7C,gBAAU,gCAA2B;AACrC,cAAQ,OAAO;AAAA,QACb;AAAA,2DAA8D,OAAO;AAAA;AAAA,MACvE;AAAA,IACF,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,YAAY,OAAO;AAAA,MACtC,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;;;ACxCO,SAAS,2BAA2BC,UAAwB;AACjE,QAAM,aAAaA,SAChB,QAAQ,YAAY,EACpB,MAAM,aAAa,EACnB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,sBAAsB,CAAC,CAAC,CAAC;AAEzC,yBAAuB,UAAU;AACjC,wBAAsB,UAAU;AAChC,4BAA0B,UAAU;AACtC;;;AC3BA,OAAOC,YAAW;AAalB,IAAM,cAAc,CAAC,UAAU,UAAU,YAAY,QAAQ;AAC7D,IAAM,iBAAsC,IAAI,IAAI,WAAW;AAO/D,eAAsB,uBACpB,MACe;AACf,MAAI,KAAK,QAAQ,CAAC,eAAe,IAAI,KAAK,IAAI,GAAG;AAC/C;AAAA,MACE,mBAAmB,KAAK,IAAI,qBAAqB,YAAY,KAAK,IAAI,CAAC;AAAA,IACzE;AACA,SAAK,SAAS,WAAW;AAAA,EAC3B;AAEA,MAAI;AACF,UAAM,eAAe,MAAM,iBAAiB,iBAAiB;AAAA,MAC3D,MAAM,KAAK;AAAA,MACX,OAAO,KAAK;AAAA,IACd,CAAC;AACD,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,aAAa,CAAC;AAC1B;AAAA,IACF;AACA,QAAI,aAAa,WAAW,GAAG;AAC7B,YAAM,aAAa;AAAA,QACjB,KAAK,OAAO,UAAU,KAAK,IAAI,KAAK;AAAA,QACpC,KAAK,QAAQ,OAAO,KAAK,KAAK,MAAM;AAAA,MACtC,EACG,OAAO,OAAO,EACd,KAAK,GAAG;AACX,cAAQ,OAAO;AAAA,QACb,0BAA0B,cAAc,YAAY;AAAA;AAAA,MACtD;AACA;AAAA,IACF;AACA;AAAA,MACE,CAAC,WAAW,SAAS,MAAM;AAAA,MAC3B,aAAa,IAAI,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,CAAC;AAAA,MAC9D;AAAA;AAAA;AAAA;AAAA,QAIE,SAAS,CAAC,MAAM,SAAS;AACvB,cAAI,KAAK,QAAQ,EAAG,QAAOC,OAAM,KAAK,IAAI;AAC1C,cAAI,KAAK,QAAQ,EAAG,QAAOA,OAAM,IAAI,IAAI;AACzC,iBAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,mBAAe,KAAK;AAAA,EACtB;AACF;AAQO,SAAS,wBAAwB,QAAuB;AAC7D,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA,8BAA8B,YAAY,KAAK,KAAK,CAAC;AAAA,EACvD,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAAiC,uBAAuB,IAAI,CAAC;AAC1E;;;AC9EO,SAAS,uBAAuB,QAAuB;AAC5D,SACG,QAAQ,KAAK,EACb,SAAS,aAAa,uCAAkC,EACxD;AAAA,IACC;AAAA,EACF,EACC,OAAO,UAAU,wCAAwC,EACzD;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,SAAiB,SAAqB;AACnD,QAAI;AACF,YAAM,SAAS,MAAM,iBAAiB,eAAe,OAAO;AAE5D,UAAI,KAAK,OAAO;AACd,cAAM,QAAQ,aAAa,QAAQ,KAAK,KAAK;AAC7C,YAAI,UAAU,QAAW;AACvB,gBAAM,WAAW,OAAO,KAAK,MAAM,EAAE,KAAK,IAAI;AAC9C;AAAA,YACE,UAAU,KAAK,KAAK,0DAA0D,QAAQ,oEAAoE,OAAO;AAAA,UACnK;AACA,eAAK,SAAS,QAAQ;AAAA,QACxB;AACA,gBAAQ,OAAO,MAAM,qBAAqB,KAAK,IAAI,IAAI;AACvD;AAAA,MACF;AACA,UAAI,KAAK,MAAM;AACb,kBAAU,MAAM;AAChB;AAAA,MACF;AACA,MAAAC,cAAa,MAAM;AAAA,IACrB,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,6BAA6B,OAAO;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;AAEA,SAASA,cAAa,QAAqC;AACzD,QAAM,MAAM,QAAQ;AACpB,MAAI,MAAM,GAAG,OAAO,OAAO,OAAO,OAAO,KAAK;AAAA,CAAI;AAClD,MAAI,MAAM,YAAY,OAAO,cAAc;AAAA;AAAA,CAAM;AAEjD,MAAI,MAAM,gBAAgB;AAC1B,MAAI,MAAM,KAAK,OAAO,WAAW;AAAA;AAAA,CAAM;AAEvC,MAAI,OAAO,eAAe,OAAO,YAAY,SAAS,GAAG;AACvD,QAAI,MAAM,iBAAiB;AAC3B,eAAW,SAAS,OAAO,aAAa;AACtC,UAAI;AAAA,QACF,KAAK,MAAM,KAAK,OAAO,EAAE,CAAC,IAAI,MAAM,eAAe,kBAAkB;AAAA;AAAA,MACvE;AAAA,IACF;AACA,QAAI,MAAM,IAAI;AAAA,EAChB;AAEA,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,QAAI,MAAM,kBAAkB;AAC5B,eAAW,KAAK,OAAO,QAAQ;AAC7B,UAAI,MAAM,KAAK,EAAE,KAAK,OAAO,EAAE,CAAC,IAAI,EAAE,WAAW,WAAW,QAAQ;AAAA,CAAI;AAAA,IAC1E;AACA,QAAI,MAAM,IAAI;AAAA,EAChB;AAEA,MAAI,OAAO,QAAQ,SAAS,GAAG;AAC7B,QAAI,MAAM,gCAAgC;AAC1C,QAAI,MAAM,KAAK,OAAO,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,EAAE,KAAK,IAAI,CAAC;AAAA,CAAI;AAAA,EAClE;AACF;;;AC1EO,SAAS,8BAA8B,QAAuB;AACnE,SACG,QAAQ,YAAY,EACpB,SAAS,aAAa,4CAA4C,EAClE;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,SAAiB,SAA4B;AAC1D,QAAI;AACF,YAAM,aAAa,MAAM,iBAAiB,eAAe;AAAA,QACvD;AAAA,QACA,OAAO,KAAK;AAAA,MACd,CAAC;AACD,UAAI,KAAK,MAAM;AACb,kBAAU,EAAE,WAAW,CAAC;AACxB;AAAA,MACF;AACA,UAAI,WAAW,WAAW,GAAG;AAC3B,gBAAQ,OAAO;AAAA,UACb,KAAK,QACD,sBAAsB,OAAO,gBAAgB,KAAK,KAAK;AAAA,IACvD,KAAK,OAAO;AAAA;AAAA,QAClB;AACA;AAAA,MACF;AACA;AAAA,QACE,CAAC,MAAM,SAAS,aAAa;AAAA,QAC7B,WAAW,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,GAAG,OAAO,GAAG,WAAW,CAAC;AAAA,QACxD,EAAE,SAAS,UAAU,CAAC,EAAE;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,6BAA6B,OAAO;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;;;ACjDA,IAAM,gBAAgB,CAAC,QAAQ,YAAY,MAAM;AACjD,IAAM,mBAAwC,IAAI,IAAI,aAAa;AAQ5D,SAAS,6BAA6B,QAAuB;AAClE,SACG,QAAQ,WAAW,EACnB;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,SAAS,UAAU,oDAAoD,EACvE;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA,kBAAkB,cAAc,KAAK,KAAK,CAAC;AAAA,IAC3C;AAAA,EACF,EACC;AAAA,IACC,OACE,aACA,WACA,SACG;AACH,YAAM,SAAS,KAAK,UAAU;AAC9B,UAAI,CAAC,iBAAiB,IAAI,MAAM,GAAG;AACjC;AAAA,UACE,qBAAqB,MAAM,qBAAqB,cAAc,KAAK,IAAI,CAAC;AAAA,QAC1E;AACA,aAAK,SAAS,WAAW;AAAA,MAC3B;AAEA,UAAI;AACF,cAAM,SAAS,MAAM,iBAAiB;AAAA,UACpC,YACI,EAAE,SAAS,aAAa,MAAM,UAAU,IACxC,EAAE,MAAM,YAAY;AAAA,QAC1B;AAEA,YAAI,WAAW,QAAQ;AACrB,oBAAU,MAAM;AAChB;AAAA,QACF;AACA,YAAI,WAAW,YAAY;AACzB,kBAAQ,OAAO,MAAM,OAAO,gBAAgB,IAAI;AAChD;AAAA,QACF;AACA,kBAAU,MAAM;AAAA,MAClB,SAAS,OAAO;AACd,cAAM,SAAS,YAAY,GAAG,WAAW,IAAI,SAAS,KAAK;AAC3D,uBAAe,OAAO;AAAA,UACpB,iBAAiB,2BAA2B,MAAM;AAAA,QACpD,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeF;AACJ;AASA,SAAS,UAAU,QAA8C;AAC/D,QAAM,MAAM,QAAQ;AACpB,MAAI,MAAM,GAAG,OAAO,OAAO,SAAM,OAAO,KAAK;AAAA;AAAA,CAAM;AACnD,MAAI,OAAO,YAAa,KAAI,MAAM,GAAG,OAAO,WAAW;AAAA;AAAA,CAAM;AAC7D,QAAM,UAAU,OAAO,cACpB,QAAQ,YAAY,EAAE,EACtB,QAAQ,iBAAiB,EAAE;AAC9B,MAAI,MAAM,OAAO;AACjB,MAAI,CAAC,QAAQ,SAAS,IAAI,EAAG,KAAI,MAAM,IAAI;AAC7C;;;AC5FO,SAAS,4BAA4BC,UAAwB;AAClE,QAAM,cAAcA,SACjB,QAAQ,aAAa,EACrB,MAAM,cAAc,EACpB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,uBAAuB,CAAC,CAAC,CAAC;AAE1C,0BAAwB,WAAW;AACnC,yBAAuB,WAAW;AAClC,gCAA8B,WAAW;AACzC,+BAA6B,WAAW;AAC1C;;;AChBA,IAAM,oBAAoB;AAQnB,SAAS,iBAAiB,MAA2B;AAC1D,QAAM,OAAO,cAAc,WAAW;AAEtC,MAAI,KAAK,KAAK;AACZ,QAAI,CAAC,oBAAoB,KAAK,GAAG,GAAG;AAClC;AAAA,QACE,uBAAuB,KAAK,GAAG,kBAAkB,qBAAqB,KAAK,IAAI,CAAC;AAAA,MAClF;AACA,WAAK,SAAS,WAAW;AAAA,IAC3B;AACA,UAAM,QAAQ,KAAK,KAAK,GAAG;AAC3B,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,CAAC,KAAK,GAAG,GAAG,SAAS,KAAK,CAAC;AACvC;AAAA,IACF;AACA,YAAQ,OAAO,OAAO,SAAS,qBAAqB,IAAI;AACxD;AAAA,EACF;AAEA,MAAI,KAAK,MAAM;AACb,UAAM,UAAyC,CAAC;AAChD,eAAW,KAAK,qBAAsB,SAAQ,CAAC,IAAI,KAAK,CAAC,KAAK;AAC9D,cAAU,OAAO;AACjB;AAAA,EACF;AAEA;AAAA,IACE,CAAC,OAAO,OAAO;AAAA,IACf,qBAAqB,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,iBAAiB,CAAC;AAAA,EACnE;AACF;AASO,SAAS,kBAAkB,QAAuB;AACvD,SACG,QAAQ,KAAK,EACb;AAAA,IACC;AAAA,IACA,yBAAyB,qBAAqB,KAAK,KAAK,CAAC;AAAA,EAC3D,EACC;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IAAO,CAAC,KAAyB,SAChC,iBAAiB,EAAE,KAAK,MAAM,KAAK,KAAK,CAAC;AAAA,EAC3C;AACJ;;;AC1DO,SAAS,kBAAkB,QAAuB;AACvD,SACG,QAAQ,KAAK,EACb,SAAS,SAAS,eAAe,qBAAqB,KAAK,KAAK,CAAC,IAAI,EACrE;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF,EACC,OAAO,OAAO,KAAa,UAAkB;AAC5C,QAAI,CAAC,oBAAoB,GAAG,GAAG;AAC7B;AAAA,QACE,uBAAuB,GAAG,kBAAkB,qBAAqB,KAAK,IAAI,CAAC;AAAA,MAC7E;AACA,WAAK,SAAS,WAAW;AAAA,IAC3B;AAEA,UAAM,SAAS,MAAM,cAAc,IAAI,EAAE,KAAK,MAAM,CAAC;AACrD,QAAI,OAAO,IAAI;AACb,mBAAa,OAAO,GAAG,MAAM,KAAK,EAAE;AACpC;AAAA,IACF;AAIA,YAAQ,OAAO,QAAQ;AAAA,MACrB,KAAK;AACH,mBAAW,qBAAqB,GAAG,KAAK,OAAO,KAAK,GAAG;AACvD,aAAK,SAAS,WAAW;AAAA;AAAA,MAE3B,KAAK;AACH;AAAA,UACE,4DAA4D,OAAO,UAAU;AAAA,QAC/E;AACA;AAAA,UACE,+EAA+E,KAAK;AAAA,QACtF;AACA,aAAK,SAAS,YAAY;AAAA;AAAA,MAE5B,SAAS;AACP,cAAM,cAAqB;AAC3B,cAAM,IAAI;AAAA,UACR,yBAAyB,KAAK,UAAU,WAAW,CAAC;AAAA,QACtD;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AACL;;;ACvDO,SAAS,oBAAoB,QAAuB;AACzD,SACG,QAAQ,OAAO,EACf,SAAS,SAAS,eAAe,qBAAqB,KAAK,KAAK,CAAC,IAAI,EACrE;AAAA,IACC;AAAA,EACF,EACC,OAAO,OAAO,QAAgB;AAC7B,QAAI,CAAC,oBAAoB,GAAG,GAAG;AAC7B;AAAA,QACE,uBAAuB,GAAG,kBAAkB,qBAAqB,KAAK,IAAI,CAAC;AAAA,MAC7E;AACA,WAAK,SAAS,WAAW;AAAA,IAC3B;AAEA,UAAM,SAAS,MAAM,cAAc,MAAM,EAAE,IAAI,CAAC;AAChD,QAAI,CAAC,OAAO,QAAQ;AAClB,mBAAa,GAAG,GAAG,qBAAqB;AACxC;AAAA,IACF;AACA,iBAAa,SAAS,GAAG,GAAG;AAAA,EAC9B,CAAC;AACL;;;AC7BO,SAAS,mBAAmB,QAAuB;AACxD,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM;AACZ,YAAQ,OAAO,MAAM,cAAc,OAAO,IAAI;AAAA,EAChD,CAAC;AACL;;;ACKO,SAAS,uBAAuBC,UAAwB;AAC7D,QAAM,SAASA,SACZ,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,iBAAiB,CAAC,CAAC,CAAC;AAEpC,oBAAkB,MAAM;AACxB,oBAAkB,MAAM;AACxB,sBAAoB,MAAM;AAC1B,qBAAmB,MAAM;AAEzB,SAAO;AAAA,IACL;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBF;AACF;;;AC1DA,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AACrB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA,gBAAAC;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACTP;;;ADoBO,IAAM,kBAAkB;AACxB,IAAM,gBAAgB;AAgC7B,IAAM,OAAOC,SAAQ;AACrB,IAAM,kBAAkBC,MAAK,MAAM,WAAW,QAAQ;AACtD,IAAM,gBAAgBA,MAAK,iBAAiB,eAAe;AAC3D,IAAM,iBAAiBA,MAAK,MAAM,WAAW,QAAQ;AACrD,IAAM,qBAAqBA,MAAK,gBAAgB,eAAe;AAE/D,IAAM,UAAyB;AAAA,EAC7B;AAAA,IACE,MAAM;AAAA,IACN,QAAQ,MAAM,WAAWA,MAAK,MAAM,SAAS,CAAC;AAAA,IAC9C,UAAU;AAAA,IACV,WAAWA,MAAK,eAAe,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,IAKzC,aAAa,CAACA,MAAK,iBAAiB,GAAG,eAAe,KAAK,CAAC;AAAA,EAC9D;AAAA,EACA;AAAA,IACE,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAON,QAAQ,MACN,WAAWA,MAAK,MAAM,QAAQ,CAAC,KAC/B,WAAWA,MAAK,MAAM,SAAS,CAAC,KAChC,WAAWA,MAAK,MAAM,SAAS,CAAC;AAAA,IAClC,UAAU;AAAA,IACV,WAAWA,MAAK,oBAAoB,UAAU;AAAA,IAC9C,aAAa,CAAC;AAAA,EAChB;AACF;AAOO,SAAS,qBAAoC;AAClD,QAAM,MAAqB,CAAC;AAC5B,aAAW,UAAU,SAAS;AAC5B,QAAI,CAAC,OAAO,OAAO,EAAG;AACtB,QAAI,KAAK,EAAE,MAAM,OAAO,MAAM,MAAM,OAAO,UAAU,CAAC;AAAA,EACxD;AACA,SAAO;AACT;AAQO,SAAS,gBAAsC;AACpD,QAAM,UAAgC,CAAC;AACvC,aAAW,UAAU,SAAS;AAC5B,QAAI,CAAC,OAAO,OAAO,EAAG;AACtB,UAAM,OAAO,OAAO;AACpB,QAAI;AACF,gBAAU,OAAO,UAAU,EAAE,WAAW,KAAK,CAAC;AAC9C,YAAM,WAAW,WAAW,IAAI,IAAIC,cAAa,MAAM,OAAO,IAAI;AAClE,YAAM,UAAU,aAAa;AAC7B,oBAAc,MAAM,aAAa;AACjC,iBAAW,UAAU,OAAO,aAAa;AACvC,YAAI,WAAW,MAAM,EAAG,YAAW,MAAM;AAAA,MAC3C;AACA,cAAQ,KAAK;AAAA,QACX,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ,UAAU,YAAY;AAAA,MAChC,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,cAAQ,KAAK;AAAA,QACX,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ;AAAA,QACR,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,kBAA0C;AACxD,QAAM,UAAkC,CAAC;AACzC,aAAW,UAAU,SAAS;AAC5B,QAAI,CAAC,OAAO,OAAO,EAAG;AACtB,UAAM,MAAM,OAAO;AACnB,UAAM,OAAO,OAAO;AACpB,UAAM,WAAW,OAAO,YAAY,OAAO,CAACC,OAAM,WAAWA,EAAC,CAAC;AAC/D,QAAI,CAAC,WAAW,GAAG,KAAK,SAAS,WAAW,GAAG;AAC7C,cAAQ,KAAK,EAAE,MAAM,OAAO,MAAM,MAAM,QAAQ,SAAS,CAAC;AAC1D;AAAA,IACF;AACA,QAAI;AAGF,aAAO,KAAK,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC;AAC5C,iBAAW,UAAU,SAAU,YAAW,MAAM;AAChD,cAAQ,KAAK,EAAE,MAAM,OAAO,MAAM,MAAM,QAAQ,UAAU,CAAC;AAAA,IAC7D,SAAS,KAAK;AACZ,cAAQ,KAAK;AAAA,QACX,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ;AAAA,QACR,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;;;AEpJO,SAAS,sBAAsB,QAAuB;AAC3D,SACG,QAAQ,SAAS,EACjB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM;AACZ,UAAM,UAAU,mBAAmB;AACnC,QAAI,QAAQ,WAAW,GAAG;AACxB;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,UAAM,UAAU,cAAc;AAC9B,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,WAAW,UAAU;AACzB,mBAAW,GAAG,EAAE,IAAI,KAAK,EAAE,SAAS,QAAQ,KAAK,EAAE,IAAI,GAAG;AAC1D;AAAA,MACF;AACA,UAAI,EAAE,WAAW,WAAW;AAC1B,qBAAa,GAAG,EAAE,IAAI,KAAK,EAAE,IAAI,EAAE;AAAA,MACrC,OAAO;AACL,kBAAU,GAAG,EAAE,IAAI,KAAK,EAAE,IAAI,uBAAuB;AAAA,MACvD;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,KAAK,CAAC,MAAM,EAAE,WAAW,QAAQ;AACxD,SAAK,SAAS,SAAS,gBAAgB,SAAS,EAAE;AAAA,EACpD,CAAC;AACL;;;ACrCO,SAAS,wBAAwB,QAAuB;AAC7D,SACG,QAAQ,WAAW,EACnB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM;AACZ,UAAM,UAAU,gBAAgB;AAChC,QAAI,QAAQ,WAAW,GAAG;AACxB,gBAAU,oDAAoD;AAC9D,WAAK,SAAS,EAAE;AAAA,IAClB;AACA,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,WAAW,UAAU;AACzB,mBAAW,GAAG,EAAE,IAAI,KAAK,EAAE,SAAS,QAAQ,KAAK,EAAE,IAAI,GAAG;AAC1D;AAAA,MACF;AACA,UAAI,EAAE,WAAW,WAAW;AAC1B,qBAAa,GAAG,EAAE,IAAI,aAAa,EAAE,IAAI,EAAE;AAAA,MAC7C,OAAO;AACL,kBAAU,GAAG,EAAE,IAAI,wBAAwB,EAAE,IAAI,eAAe;AAAA,MAClE;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,KAAK,CAAC,MAAM,EAAE,WAAW,QAAQ;AACxD,SAAK,SAAS,SAAS,gBAAgB,SAAS,EAAE;AAAA,EACpD,CAAC;AACL;;;ACzBO,SAAS,uBAAuBC,UAAwB;AAC7D,QAAM,SAASA,SACZ,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF;AAEF,wBAAsB,MAAM;AAC5B,0BAAwB,MAAM;AAChC;;;ACnBA,OAAOC,YAAW;;;ACDlB,SAAS,WAAW,QAAAC,aAAY;AAChC,SAAS,YAAY,iBAAiB;AAa/B,IAAM,wBAAwB,CAAC,QAAQ,QAAQ,IAAI;AASnD,SAAS,WAAW,MAA6B;AACtD,QAAM,OAAO,QAAQ,IAAI;AACzB,MAAI,CAAC,KAAM,QAAO;AAClB,aAAW,OAAO,KAAK,MAAM,SAAS,GAAG;AACvC,QAAI,IAAI,WAAW,EAAG;AACtB,UAAM,YAAYC,MAAK,KAAK,IAAI;AAChC,QAAI;AACF,iBAAW,WAAW,UAAU,IAAI;AACpC,aAAO;AAAA,IACT,QAAQ;AAAA,IAER;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,mBAAoC;AAClD,QAAM,QAAQ,CAAC;AACf,QAAM,UAAwB,CAAC;AAC/B,aAAW,OAAO,uBAAuB;AACvC,UAAM,OAAO,WAAW,GAAG;AAC3B,UAAM,GAAG,IAAI;AACb,QAAI,SAAS,KAAM,SAAQ,KAAK,GAAG;AAAA,EACrC;AACA,SAAO,EAAE,SAAS,MAAM;AAC1B;AASO,SAAS,qBAA2B;AACzC,QAAM,EAAE,QAAQ,IAAI,iBAAiB;AACrC,MAAI,QAAQ,WAAW,EAAG;AAC1B;AAAA,IACE,sCAAsC,QAAQ,KAAK,IAAI,CAAC,KAAK,YAAY,OAAO,CAAC;AAAA,EACnF;AACA,OAAK,SAAS,aAAa;AAC7B;AAQO,SAAS,YAAY,MAAiC;AAC3D,QAAM,OAAO,KAAK,KAAK,GAAG;AAC1B,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,aAAO,gCAAgC,IAAI;AAAA,IAC7C,KAAK;AACH,aAAO,uEAAuE,IAAI,4BAA4B,IAAI;AAAA,IACpH;AACE,aAAO,WAAW,IAAI;AAAA,EAC1B;AACF;;;AD1EA,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AAYlC,SAAS,sBAAsBC,UAAwB;AAC5D,EAAAA,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC,OAAO,YAAY;AAClB,UAAM,SAAwB,CAAC;AAC/B,WAAO,KAAK,GAAG,iBAAiB,CAAC;AACjC,WAAO,KAAK,GAAI,MAAM,aAAa,CAAE;AACrC,WAAO,KAAK,GAAG,YAAY,CAAC;AAC5B,gBAAY,MAAM;AAClB,UAAM,WAAW,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC3D,SAAK,WAAW,IAAI,SAAS,eAAe,SAAS,EAAE;AAAA,EACzD,CAAC;AACL;AAQA,SAAS,mBAAkC;AACzC,QAAM,EAAE,OAAO,QAAQ,IAAI,iBAAiB;AAC5C,QAAM,MAAqB,CAAC;AAC5B,aAAW,OAAO,uBAAuB;AACvC,UAAM,OAAO,MAAM,GAAG;AACtB,QAAI,MAAM;AACR,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,GAAG;AAAA,QACb,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,OAAO;AACL,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,GAAG;AAAA,QACb,QAAQ;AAAA,QACR,QAAQ,cAAc,YAAY,CAAC,GAAG,CAAC,CAAC;AAAA,MAC1C,CAAC;AAAA,IACH;AAAA,EACF;AACA,MAAI,QAAQ,SAAS,GAAG;AAEtB,QAAI,KAAK;AAAA,MACP,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,YAAY,OAAO;AAAA,IAC7B,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,eAAe,eAAuC;AACpD,QAAM,UAAU,MAAM,sBAAsB,KAAK;AACjD,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL;AAAA,QACE,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACA,QAAM,MAAqB;AAAA,IACzB;AAAA,MACE,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,GAAG,QAAQ,KAAK,SAAS,QAAQ,KAAK,EAAE,OAAO,QAAQ,MAAM;AAAA,IACvE;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,GAAG,QAAQ,UAAU,IAAI,KAAK,QAAQ,UAAU,IAAI;AAAA,IAC9D;AAAA,EACF;AAGA,MAAI;AACF,UAAM,YAAY,OAAO;AACzB,QAAI,KAAK;AAAA,MACP,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,eAAe,YAAY,IAAI,WAAW,KAAK;AACjD,UAAI,KAAK;AAAA,QACP,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,OAAO;AACL,YAAM,SAAS,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC9D,UAAI,KAAK;AAAA,QACP,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QAAQ,GAAG,QAAQ,MAAM,iBAAiB,MAAM;AAAA,MAClD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,cAA6B;AACpC,QAAM,UAAU,mBAAmB;AACnC,MAAI,QAAQ,WAAW,GAAG;AACxB,WAAO;AAAA,MACL;AAAA,QACE,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QACE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AACA,QAAM,MAAqB,CAAC;AAC5B,aAAW,UAAU,SAAS;AAC5B,QAAI,CAACC,YAAW,OAAO,IAAI,GAAG;AAC5B,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,OAAO,IAAI;AAAA,QACrB,QAAQ;AAAA,QACR,QAAQ,GAAG,OAAO,IAAI;AAAA,MACxB,CAAC;AACD;AAAA,IACF;AACA,UAAM,SAASC,cAAa,OAAO,MAAM,OAAO;AAChD,QAAI,WAAW,eAAe;AAC5B,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,OAAO,IAAI;AAAA,QACrB,QAAQ;AAAA,QACR,QAAQ,GAAG,OAAO,IAAI;AAAA,MACxB,CAAC;AAAA,IACH,OAAO;AACL,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,OAAO,IAAI;AAAA,QACrB,QAAQ;AAAA,QACR,QAAQ,GAAG,OAAO,IAAI;AAAA,MACxB,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAA6B;AAChD,aAAW,SAAS,QAAQ;AAC1B,UAAM,OACJ,MAAM,WAAW,SACbC,OAAM,MAAM,QAAG,IACf,MAAM,WAAW,SACfA,OAAM,OAAO,GAAG,IAChBA,OAAM,IAAI,QAAG;AACrB,YAAQ,OAAO,MAAM,GAAG,IAAI,IAAI,MAAM,KAAK;AAAA,CAAI;AAC/C,YAAQ,OAAO,MAAM,KAAKA,OAAM,IAAI,MAAM,MAAM,CAAC;AAAA,CAAI;AAAA,EACvD;AACA,QAAM,QAAQ,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AACxD,QAAM,QAAQ,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AACxD,UAAQ,OAAO,MAAM,IAAI;AACzB,MAAI,UAAU,KAAK,UAAU,GAAG;AAC9B,YAAQ,OAAO,MAAMA,OAAM,MAAM,sBAAsB,CAAC;AAAA,EAC1D,OAAO;AACL,YAAQ,OAAO;AAAA,MACb,GAAG,KAAK,WAAW,UAAU,IAAI,KAAK,GAAG,KAAK,KAAK,WAAW,UAAU,IAAI,KAAK,GAAG;AAAA;AAAA,IACtF;AAAA,EACF;AACF;;;A/D1KA,IAAM,UAAU,IAAI,QAAQ;AAE5B,QACG,KAAK,MAAM,EACX;AAAA,EACC;AACF,EACC,QAAQ,aAAa,iBAAiB,kCAAkC,EACxE,mBAAmB,EAInB;AAAA,EACC;AAAA,EACA;AACF;AAEF,qBAAqB,OAAO;AAC5B,0BAA0B,OAAO;AACjC,qBAAqB,OAAO;AAC5B,2BAA2B,OAAO;AAClC,4BAA4B,OAAO;AACnC,uBAAuB,OAAO;AAC9B,uBAAuB,OAAO;AAC9B,sBAAsB,OAAO;AAK7B,QAAQ;AAAA,EACN;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAaF;AAOA,IAAI,mBAAmB,QAAQ,IAAI,GAAG;AACpC,qBAAmB;AACrB;AAEA,SAAS,mBAAmB,MAAyB;AAEnD,QAAM,WAAW,KAAK,CAAC;AACvB,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI,aAAa,SAAU,QAAO;AAClC,MAAI,aAAa,YAAY,aAAa,KAAM,QAAO;AACvD,MAAI,aAAa,eAAe,aAAa,KAAM,QAAO;AAC1D,SAAO;AACT;AAEA,IAAI;AACF,QAAM,QAAQ,WAAW,QAAQ,IAAI;AACvC,SAAS,KAAK;AAOZ,MAAI,eAAe,YAAY,IAAI,WAAW,KAAK;AACjD,eAAW,IAAI,OAAO;AACtB,SAAK,SAAS,eAAe;AAAA,EAC/B;AACA,QAAM;AACR;","names":["chalk","sessionStore","apiClientFactory","chalk","apiClientFactory","sessionStore","browserOpener","configService","chalk","sessionStore","chalk","chalk","browserOpener","configService","configStore","sessionStore","z","mkdir","writeFile","unlink","mkdir","writeFile","unlink","spawn","program","chalk","program","program","chalk","chalk","program","chalk","chalk","printDefault","program","program","homedir","join","readFileSync","homedir","join","readFileSync","p","program","chalk","join","join","existsSync","readFileSync","program","existsSync","readFileSync","chalk"]}
1	+ {"version":3,"sources":["../src/cli.ts","../src/lib/output.ts","../src/lib/banner.ts","../src/lib/exitCodes.ts","../src/services/SessionContextService.ts","../src/services/AuthService.ts","../src/services/WorkspaceService.ts","../src/services/ExecService.ts","../package.json","../src/lib/version.ts","../src/clients/HttpClient.ts","../src/lib/scrubber.ts","../src/lib/execEnv.ts","../src/services/DiscoveryService.ts","../src/types/config.ts","../src/services/ConfigService.ts","../src/clients/AuthApiClient.ts","../src/clients/WorkspacesApiClient.ts","../src/clients/ExecApiClient.ts","../src/clients/CredentialsApiClient.ts","../src/clients/IntegrationsApiClient.ts","../src/clients/OperationsApiClient.ts","../src/clients/ApiClientFactory.ts","../src/clients/SessionStore.ts","../src/types/session.ts","../src/clients/ConfigStore.ts","../src/clients/BrowserOpener.ts","../src/clients/ChildProcessSpawner.ts","../src/lib/paths.ts","../src/dependencyInjection/clients.ts","../src/dependencyInjection/services.ts","../src/lib/cliErrors.ts","../src/commands/auth/login.ts","../src/commands/auth/logout.ts","../src/commands/auth/status.ts","../src/commands/auth/index.ts","../src/lib/printTable.ts","../src/commands/workspace/list.ts","../src/commands/workspace/switch.ts","../src/commands/workspace/current.ts","../src/commands/workspace/index.ts","../src/commands/exec/bash.ts","../src/commands/exec/index.ts","../src/commands/credential/list.ts","../src/lib/jsonField.ts","../src/commands/credential/get.ts","../src/commands/credential/connect.ts","../src/commands/credential/index.ts","../src/commands/integration/list.ts","../src/commands/integration/get.ts","../src/commands/integration/operations.ts","../src/commands/integration/operation.ts","../src/commands/integration/index.ts","../src/commands/config/get.ts","../src/commands/config/set.ts","../src/commands/config/unset.ts","../src/commands/config/path.ts","../src/commands/config/index.ts","../src/lib/skills.ts","../src/skills/geni.md","../src/commands/skills/install.ts","../src/commands/skills/uninstall.ts","../src/commands/skills/index.ts","../src/commands/doctor.ts","../src/lib/preflight.ts"],"sourcesContent":["import { Command } from 'commander'\nimport { registerAuthCommands } from './commands/auth/index.js'\nimport { registerWorkspaceCommands } from './commands/workspace/index.js'\nimport { registerExecCommands } from './commands/exec/index.js'\nimport { registerCredentialCommands } from './commands/credential/index.js'\nimport { registerIntegrationCommands } from './commands/integration/index.js'\nimport { registerConfigCommands } from './commands/config/index.js'\nimport { registerSkillsCommands } from './commands/skills/index.js'\nimport { registerDoctorCommand } from './commands/doctor.js'\nimport { requireRuntimeDeps } from './lib/preflight.js'\nimport { CLI_VERSION } from './lib/version.js'\nimport { ApiError } from './clients/HttpClient.js'\nimport { printError } from './lib/output.js'\nimport { ExitCode, exit } from './lib/exitCodes.js'\n\n/*\n The CLI entry point. Mounts every subcommand on a single Commander\n * program. Subcommand groups live in `./commands/<noun>/` and export\n * a `registerCommands(program)` function the entry calls.\n /\nconst program = new Command()\n\nprogram\n .name('geni')\n .description(\n 'The agent-facing CLI for General Input. Discover the integrations and credentials the operator has connected, then run shell commands with those credentials injected as env vars by the cloud (audit-logged, output-scrubbed).'\n )\n .version(CLI_VERSION, '-v, --version', 'Print the geni version and exit.')\n .showHelpAfterError()\n // Global flag every subcommand sees. Resolving the actual workspace\n // override lives in each command, having it here makes Commander\n // accept it before subcommand parsing.\n .option(\n '--workspace <slug>',\n 'Override the active workspace for this invocation. Without it, commands run against the workspace set by `geni workspace switch`.'\n )\n\nregisterAuthCommands(program)\nregisterWorkspaceCommands(program)\nregisterExecCommands(program)\nregisterCredentialCommands(program)\nregisterIntegrationCommands(program)\nregisterConfigCommands(program)\nregisterSkillsCommands(program)\nregisterDoctorCommand(program)\n\n// Agent-facing orientation. Shown after the auto-generated commands\n// list on `geni --help` so a fresh agent can read it once and know\n// which command to reach for next without trial-and-error.\nprogram.addHelpText(\n 'after',\n `\nTypical agent flow:\n 1. geni integration list -q \"<keyword>\" find a service\n 2. geni integration operations <service> -q \"...\" find an operation\n 3. geni integration operation <opId> read its reference (env vars, auth header, example). ALWAYS do this before writing a curl\n 4. geni credential list --service <service> find a connected credential\n 5. geni exec bash --cred <id> --reason \"...\" -- '<command>'\n\nDiscovery (steps 1-4) is read-only and free; only step 5 resolves\ncredentials and runs code, audit-logged with the reason you supplied.\n\nFirst time? geni login then geni config get to verify the API URL.\nRun any command with --help for its full reference.`\n)\n\n// Hard-require bash + curl + jq before any real command runs. Skip\n// for `doctor` (which diagnoses these very deps as part of its\n// output) and the help/version surfaces (cosmetic, no shell-out\n// happens). Install script already enforces this; the runtime check\n// catches the case where a dep got uninstalled after geni was set up.\nif (shouldRunPreflight(process.argv)) {\n requireRuntimeDeps()\n}\n\nfunction shouldRunPreflight(argv: string[]): boolean {\n // argv: [node, geni, ...rest]\n const firstArg = argv[2]\n if (!firstArg) return false\n if (firstArg === 'doctor') return false\n if (firstArg === '--help' \|\| firstArg === '-h') return false\n if (firstArg === '--version' \|\| firstArg === '-v') return false\n return true\n}\n\ntry {\n await program.parseAsync(process.argv)\n} catch (err) {\n // The server's cliVersionGate returns HTTP 426 for any CLI below the\n // configured minimum version. Catch it here so the user sees a clean\n // upgrade prompt and a dedicated exit code, instead of a generic\n // unhandled-rejection stack trace. All other errors keep their\n // existing handling path (Commander prints, or the per-command\n // try/catch produces its own output).\n if (err instanceof ApiError && err.status === 426) {\n printError(err.message)\n exit(ExitCode.UpgradeRequired)\n }\n throw err\n}\n","import chalk from 'chalk'\n\n/*\n Print a success line to stdout. Examples: \"✓ Authenticated as ...\",\n * \"✓ Active workspace: acme\". Goes to stdout because it's the command's\n * actual response (visible even when output is piped).\n /\nexport function printSuccess(message: string): void {\n process.stdout.write(`${chalk.green('✓')} ${message}\\n`)\n}\n\n/\n Print a single info line to stdout. Used for secondary info that's\n * still part of the command's response (e.g. \"Session saved to …\").\n /\nexport function printInfo(message: string): void {\n process.stdout.write(`${chalk.dim('·')} ${message}\\n`)\n}\n\n/\n Print a warning to stderr. Doesn't pollute stdout, so JSON pipes\n * stay clean.\n /\nexport function printWarning(message: string): void {\n process.stderr.write(`${chalk.yellow('!')} ${message}\\n`)\n}\n\n/\n Print an error to stderr. Used when a command fails before it even\n * begins to produce its real output.\n /\nexport function printError(message: string): void {\n process.stderr.write(`${chalk.red('✗')} ${message}\\n`)\n}\n\n/\n Pretty-print JSON to stdout. Used for `--json` flags everywhere.\n * No banner, no extra formatting; the response is the entire stdout.\n /\nexport function printJson(value: unknown): void {\n process.stdout.write(JSON.stringify(value, null, 2) + '\\n')\n}\n","import chalk from 'chalk'\nimport type { RunnerSessionFile } from '../types/session.js'\n\n/\n The status banner that prints on every command, on stderr, so the\n * operator always knows what workspace they're operating in.\n \n Suppression rules:\n * - `--json` (caller passes `json: true`) → no banner.\n * - stdout is not a TTY → no banner. An LLM piping our output to\n * `jq`, `grep`, etc., gets clean stdout; banner-on-stderr is\n * still visible to humans.\n * - `NO_GENI_BANNER=1` env var → escape hatch.\n \n Also writes the terminal-window title via OSC-0 so the workspace\n * shows in tab labels. Pure visual extra; ignored by anything that\n * isn't a terminal emulator.\n /\nexport function printBanner(args: {\n session: RunnerSessionFile \| null\n json?: boolean\n workflowId?: string\n workflowName?: string\n}): void {\n if (args.json) return\n if (process.env.NO_GENI_BANNER === '1') return\n if (!process.stdout.isTTY) return\n if (!args.session) return\n\n const ws = args.session.workspace\n const parts = [\n chalk.dim('geni'),\n chalk.dim('·'),\n chalk.dim('workspace:'),\n chalk.cyan(ws.slug),\n ]\n if (args.workflowId) {\n parts.push(\n chalk.dim('·'),\n chalk.dim('workflow:'),\n chalk.cyan(args.workflowId)\n )\n if (args.workflowName) {\n parts.push(chalk.dim(`(${args.workflowName})`))\n }\n }\n\n process.stderr.write(parts.join(' ') + '\\n')\n\n // Terminal title. Best-effort; harmless if the terminal doesn't\n // honor OSC-0.\n const titleParts = [`geni · ${ws.slug}`]\n if (args.workflowId) titleParts.push(args.workflowId)\n process.stderr.write(`\\x1b]0;${titleParts.join(' · ')}\\x07`)\n}\n","/\n Stable exit codes the CLI uses everywhere. Per-command exit-code\n * tables live in each command's docs page under\n * `apps/developer/content/docs/cli/<command>/<sub>.mdx`.\n \n Don't reuse these numbers for command-specific cases without explicit\n * documentation. Each command's reference page can extend the set with\n * its own meanings (e.g. `9` for \"validation failed\" on `workflow save`),\n * but the foundational codes below have project-wide semantics.\n /\nexport const ExitCode = {\n Ok: 0,\n GenericError: 1,\n InvalidArgs: 2,\n NotFound: 4,\n Forbidden: 5,\n ValidationFailed: 9,\n CredentialResolveFailed: 77,\n SessionMissingOrExpired: 78,\n UpgradeRequired: 79,\n Timeout: 124,\n InternalError: 125,\n} as const\n\nexport type ExitCode = (typeof ExitCode)[keyof typeof ExitCode]\n\n/\n Exit the process with the given code. Wrapper exists so test code\n * can intercept it; use this instead of `process.exit` directly.\n /\nexport function exit(code: ExitCode): never {\n process.exit(code)\n}\n","import type { ApiClientFactory, ApiClientBundle } from '../clients/index.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\nimport type { RunnerSessionFile } from '../types/session.js'\nimport { printError } from '../lib/output.js'\nimport { printBanner } from '../lib/banner.js'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\nexport interface AuthedSessionContext {\n session: RunnerSessionFile\n client: ApiClientBundle\n}\n\n/\n One-stop \"give me an authed client\" service for every command that\n * needs the runner-session token loaded and an API-client bundle\n * built against it. Composes `SessionStore` + `ApiClientFactory` so\n * commands depend on this single service rather than reaching for\n * the lower-level clients themselves.\n \n The exit-on-no-session policy lives here too: a missing local\n * session is a uniform \"run `geni login`\" message + exit 78. Commands\n * that want to handle the unauthed case differently (e.g. `geni auth\n * status --json` returning `{ authenticated: false }`) call `load()`\n * directly and branch on the null.\n /\nexport class SessionContextService {\n public constructor(\n private readonly sessionStore: SessionStore,\n private readonly apiClientFactory: ApiClientFactory\n ) {}\n\n /* Read the session file, returning `null` if no session exists. /\n public load(): Promise<RunnerSessionFile \| null> {\n return this.sessionStore.load()\n }\n\n /\n Load the session and build an authed API-client bundle. Exits\n * with code 78 + a \"run `geni login`\" hint when no session exists.\n \n Also prints the workspace banner on stderr (via `printBanner`,\n * which TTY-suppresses + has the `NO_GENI_BANNER` escape hatch),\n * so the operator always sees which workspace the command is\n * targeting before any output appears.\n /\n public async requireAuthed(): Promise<AuthedSessionContext> {\n const session = await this.sessionStore.load()\n if (!session) {\n printError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.'\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n printBanner({ session })\n return {\n session,\n client: this.apiClientFactory.build({\n server: session.server,\n token: session.token,\n }),\n }\n }\n}\n","import { hostname } from 'node:os'\nimport chalk from 'chalk'\nimport type { Cli } from '@packages/api'\nimport type { ApiClientFactory, ApiClientBundle } from '../clients/index.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\nimport type { BrowserOpener } from '../clients/BrowserOpener.js'\nimport type { ConfigService } from './ConfigService.js'\nimport type { RunnerSessionFile } from '../types/session.js'\nimport { printSuccess, printInfo, printError } from '../lib/output.js'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\nexport interface LoginArgs {\n /* Override the API base URL for this login (also persists in the session). /\n server?: string\n /* Optional workspace slug to bind the session to after the dashboard picks. /\n workspace?: string\n}\n\nexport interface StatusResult {\n authenticated: true\n user: { id: string; email: string \| null; name: string \| null }\n workspace: Cli.WorkspaceSummary\n server: string\n}\n\n/\n Owns the runner-session lifecycle: device-code login flow, server-\n * side revoke + local file delete on logout, validation hit on\n * `auth status`. Composes the clients (api-client factory, session\n * store, browser opener) rather than reaching for `fetch` or `fs`\n * itself.\n \n The login flow has user-visible status messages (Opening URL /\n * Approve in browser / Authenticated as ...) that print directly\n * here. Reasonable trade-off: keeping commands purely thin is more\n * important than service purity for CLI surfaces.\n /\nexport class AuthService {\n public constructor(\n private readonly apiClientFactory: ApiClientFactory,\n private readonly sessionStore: SessionStore,\n private readonly browserOpener: BrowserOpener,\n private readonly configService: ConfigService\n ) {}\n\n /\n Run the device-code login flow end-to-end. Mints a runner-session\n * token, saves it locally, and (when `--workspace <slug>` was\n * passed) re-binds the session to a different workspace than the\n * one the dashboard's approval picker chose.\n /\n public async login(args: LoginArgs): Promise<void> {\n const server = this.configService.resolveApiUrl(args.server)\n const client = this.apiClientFactory.build({ server, token: null })\n\n const start = await client.auth.startDeviceCode(buildClientLabel())\n printInfo(`Opening ${chalk.cyan(start.verificationUri)}`)\n printInfo('Approve in your browser to continue.')\n this.browserOpener.open(start.verificationUri)\n\n const result = await this.pollUntilResolved(client, start)\n if (result.status === 'denied') {\n printError(\n 'Login was declined in the browser. Run `geni login` again and click \"Authorize\" on the device-code page.'\n )\n exit(ExitCode.Forbidden)\n }\n if (result.status === 'expired') {\n printError(\n 'Device code expired before the browser approved it (codes live ~10 minutes). Run `geni login` to start a fresh code.'\n )\n exit(ExitCode.GenericError)\n }\n if ('tokenAlreadyConsumed' in result) {\n printError(\n 'Login approved but a parallel `geni login` already consumed the device code (race). Run `geni login` again to mint a new session.'\n )\n exit(ExitCode.GenericError)\n }\n\n await this.sessionStore.save({\n version: 1,\n server,\n token: result.sessionToken,\n user: {\n id: result.me.user.id,\n email: result.me.user.email ?? null,\n name: result.me.user.name ?? null,\n },\n workspace: {\n membershipId: result.me.workspace.membershipId,\n organizationId: result.me.workspace.organizationId,\n slug: result.me.workspace.slug,\n name: result.me.workspace.name,\n role: result.me.workspace.role,\n },\n savedAt: new Date().toISOString(),\n })\n\n if (args.workspace) {\n await this.maybeRebindWorkspace({\n server,\n requestedSlug: args.workspace,\n })\n }\n\n const final = await this.sessionStore.load()\n if (!final) {\n printError(\n 'Session was written to ~/.config/geni/runner-session.json but the file could not be re-read immediately. Check filesystem permissions on ~/.config/geni and re-run `geni login`.'\n )\n exit(ExitCode.InternalError)\n }\n printSuccess(`Authenticated as ${final.user.email ?? final.user.id}`)\n printSuccess(\n `Active workspace: ${final.workspace.slug} (${final.workspace.name})`\n )\n printInfo('Session saved to ~/.config/geni/runner-session.json')\n }\n\n /\n Revoke the runner session server-side and delete the local file.\n * The local file is removed even if the server-side revoke fails:\n * the operator running `geni logout` should never be left with a\n * token they think is gone but is still on disk.\n /\n public async logout(): Promise<void> {\n const session = await this.sessionStore.load()\n if (!session) {\n printInfo('No active session.')\n return\n }\n try {\n const client = this.apiClientFactory.build({\n server: session.server,\n token: session.token,\n })\n await client.auth.logout()\n printSuccess('Session revoked.')\n } catch (error) {\n const message = error instanceof Error ? error.message : String(error)\n printInfo(`Server revoke failed: ${message}`)\n printInfo('Removing local session anyway.')\n }\n await this.sessionStore.delete()\n printSuccess('Removed ~/.config/geni/runner-session.json')\n }\n\n /\n Verify the active session by hitting `/cli/auth/me`. Returns the\n * resolved status when the session is valid, or `null` when no\n * local session exists. Stale-session failures throw `ApiError(401)`\n * so commands can map them to exit code 78 with the same\n * \"run `geni login`\" hint as the no-session path.\n /\n public async status(): Promise<StatusResult \| null> {\n const session = await this.sessionStore.load()\n if (!session) return null\n const client = this.apiClientFactory.build({\n server: session.server,\n token: session.token,\n })\n const me = await client.auth.me()\n return {\n authenticated: true,\n user: {\n id: me.user.id,\n email: me.user.email ?? null,\n name: me.user.name ?? null,\n },\n workspace: me.workspace,\n server: session.server,\n }\n }\n\n /\n Re-bind the active session to a different workspace by slug. Used\n * by `geni login --workspace <slug>` after the dashboard's approval\n * picker chose a different workspace than the operator wanted.\n /\n private async maybeRebindWorkspace(args: {\n server: string\n requestedSlug: string\n }): Promise<void> {\n const session = await this.sessionStore.load()\n if (!session) return\n if (args.requestedSlug === session.workspace.slug) return\n\n const client = this.apiClientFactory.build({\n server: args.server,\n token: session.token,\n })\n const list = await client.workspaces.list()\n const target = list.workspaces.find((w) => w.slug === args.requestedSlug)\n if (!target) {\n const available = list.workspaces.map((w) => w.slug).join(', ') \|\| 'none'\n printError(\n `No workspace with slug \"${args.requestedSlug}\" on this account. Available: [${available}]. Re-run \\`geni login --workspace <slug>\\` with one of those.`\n )\n exit(ExitCode.NotFound)\n }\n const me = await client.workspaces.switch(target.membershipId)\n await this.persistSwitch({ session, me })\n }\n\n private async persistSwitch(args: {\n session: RunnerSessionFile\n me: Cli.MeResponse\n }): Promise<void> {\n await this.sessionStore.save({\n ...args.session,\n workspace: {\n membershipId: args.me.workspace.membershipId,\n organizationId: args.me.workspace.organizationId,\n slug: args.me.workspace.slug,\n name: args.me.workspace.name,\n role: args.me.workspace.role,\n },\n user: {\n id: args.me.user.id,\n email: args.me.user.email ?? args.session.user.email,\n name: args.me.user.name ?? args.session.user.name,\n },\n savedAt: new Date().toISOString(),\n })\n }\n\n /\n Poll the device-code endpoint until status flips to a terminal\n * value, or until the device code itself expires server-side. The\n * `pending` variant is normalized away here — callers only see\n * approved / denied / expired.\n /\n private async pollUntilResolved(\n client: ApiClientBundle,\n start: Cli.DeviceCodeStartResponse\n ): Promise<Exclude<Cli.DeviceCodePollResponse, { status: 'pending' }>> {\n const intervalMs = start.intervalSeconds 1000\n const expiresAtMs = Date.parse(start.expiresAt)\n const hardDeadline = expiresAtMs + 30_000\n while (Date.now() < hardDeadline) {\n await sleep(intervalMs)\n const status = await client.auth.pollDeviceCode(start.userCode)\n if (status.status === 'pending') continue\n return status\n }\n return { status: 'expired' }\n }\n}\n\n/*\n Human-readable client label so the operator can recognize the\n * approval request on the dashboard. The user-agent the CLI sends is\n * the source of truth; this is just a friendly one-liner.\n /\nfunction buildClientLabel(): string {\n return `geni CLI on ${hostname()}`\n}\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms))\n}\n","import type { Cli } from '@packages/api'\nimport type { SessionContextService } from './SessionContextService.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\n\n/\n Owns workspace-context operations: listing the workspaces the\n * authenticated account belongs to, switching the active one, and\n * reading the current pointer from the local session cache.\n \n Returns plain data; commands handle the table / JSON / single-value\n * output formatting. Mirrors how the server's services return DTOs\n * and routers serialize them.\n /\nexport class WorkspaceService {\n public constructor(\n private readonly sessionContext: SessionContextService,\n private readonly sessionStore: SessionStore\n ) {}\n\n /* Server-side list of every workspace the account belongs to. /\n public async list(): Promise<Cli.WorkspacesResponse> {\n const { client } = await this.sessionContext.requireAuthed()\n return client.workspaces.list()\n }\n\n /\n Switch the active workspace. Re-points the runner session\n * server-side and updates the local cached pointer so subsequent\n * commands operate against the new workspace.\n \n Returns:\n * - `{ kind: 'switched', workspace }` on success,\n * - `{ kind: 'no-change', workspace }` when the requested target\n * is already the active one (lets the command print a friendly\n * message without an unnecessary network round-trip),\n * - `{ kind: 'not-found', requestedSlug }` when the slug isn't\n * in the user's accessible workspaces. Commands map this to\n * exit code 4.\n /\n public async switch(args: { membershipId: string }): Promise<Cli.MeResponse> {\n const { client } = await this.sessionContext.requireAuthed()\n const me = await client.workspaces.switch(args.membershipId)\n await this.sessionStore.updateActiveWorkspace({\n membershipId: me.workspace.membershipId,\n organizationId: me.workspace.organizationId,\n slug: me.workspace.slug,\n name: me.workspace.name,\n role: me.workspace.role,\n })\n return me\n }\n\n /\n Read the active workspace from the local session cache (no\n * network round-trip). Returns `null` when no session is loaded;\n * the command renders the unauthenticated case.\n /\n public async current(): Promise<{\n workspace: Cli.WorkspaceSummary\n } \| null> {\n const session = await this.sessionStore.load()\n if (!session) return null\n return {\n workspace: {\n membershipId: session.workspace.membershipId,\n organizationId: session.workspace.organizationId,\n slug: session.workspace.slug,\n name: session.workspace.name,\n role: session.workspace.role,\n isActive: true,\n },\n }\n }\n}\n","import chalk from 'chalk'\nimport type { Cli } from '@packages/api'\nimport { ApiError } from '../clients/HttpClient.js'\nimport type { SessionContextService } from './SessionContextService.js'\nimport type { ChildProcessSpawner } from '../clients/ChildProcessSpawner.js'\nimport { Scrubber } from '../lib/scrubber.js'\nimport { buildSafeInheritedEnv } from '../lib/execEnv.js'\nimport { printInfo, printError } from '../lib/output.js'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\nexport interface RunBashArgs {\n /* The bash command to run, passed to `bash -lc` as a single string. /\n command: string\n /* Per-credential `(id, reason)` pairs the agent declared. /\n credentials: Cli.ExecCredentialRequest[]\n /* Working directory for the spawned process. Defaults to cwd. /\n cwd?: string\n /* Suppress geni's per-credential status lines on stderr. /\n quiet?: boolean\n}\n\n/\n Owns the `geni exec bash` flow: resolve credentials server-side\n * under audit, build a deny-by-default env with the resolved env vars,\n * register every secret with a streaming scrubber, then spawn bash via\n * the injected spawner and pipe output back through the scrubber.\n /\nexport class ExecService {\n public constructor(\n private readonly sessionContext: SessionContextService,\n private readonly spawner: ChildProcessSpawner\n ) {}\n\n public async runBash(args: RunBashArgs): Promise<number> {\n const { resolved, scrubber } = await this.resolveAndScrub(\n args.credentials,\n args.quiet\n )\n\n // Deny-by-default env: only the small allowlist of process /\n // locale / terminal vars passes through from the operator's\n // shell. Anything they exported (other tools' tokens, .envrc\n // leaks) gets dropped before we overlay our cloud-resolved creds.\n const env: NodeJS.ProcessEnv = {\n ...buildSafeInheritedEnv(),\n PLATFORM_API_KEY: resolved.platformApiKey,\n PLATFORM_BASE_URL: resolved.platformBaseUrl,\n }\n for (const cred of resolved.credentials) {\n Object.assign(env, cred.envVars)\n }\n\n try {\n return await this.spawner.run({\n command: 'bash',\n args: ['-lc', args.command],\n env,\n cwd: args.cwd,\n scrubber,\n })\n } catch (err) {\n const detail = err instanceof Error ? err.message : String(err)\n printError(\n `Could not spawn \\`bash\\` (${detail}). Verify bash is on $PATH with \\`command -v bash\\`. Credentials were already resolved (audit-logged); the subprocess never started.`\n )\n return ExitCode.InternalError\n }\n }\n\n /\n Resolve credentials, register their secrets with a streaming\n * scrubber, and print per-credential status lines unless quiet.\n * Exits the process on resolve failure (the documented exit codes\n * are a CLI-level contract — there's no useful recovery path above\n * this).\n /\n private async resolveAndScrub(\n credentials: Cli.ExecCredentialRequest[],\n quiet: boolean \| undefined\n ): Promise<{ resolved: Cli.ExecResolveResponse; scrubber: Scrubber }> {\n const { client } = await this.sessionContext.requireAuthed()\n\n let resolved: Cli.ExecResolveResponse\n try {\n resolved = await client.exec.resolve({ credentials })\n } catch (error) {\n if (error instanceof ApiError) {\n const ids = credentials.map((c) => c.id).join(', ') \|\| '(none)'\n if (error.status === 403) {\n // Server says one or more declared credentials aren't\n // accessible (doesn't exist, or membership has no read on it).\n // Server message names the offender; surface that verbatim\n // and tell the agent what to verify.\n printError(\n `Cloud refused credential resolution: ${error.message} Declared ids: [${ids}]. Verify each one with \\`geni credential list\\`.`\n )\n exit(ExitCode.CredentialResolveFailed)\n }\n if (error.status === 401) {\n printError(\n `Runner session is missing or expired: ${error.message} Run \\`geni login\\` to re-authenticate, then retry.`\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n printError(\n `Cloud failed to resolve credentials (HTTP ${error.status}): ${error.message} The subprocess did not start. Retry once before reporting.`\n )\n exit(ExitCode.InternalError)\n }\n throw error\n }\n\n // Register secret values + their common encoded forms with the\n // scrubber so `echo $TOKEN \| base64`-style obfuscation still gets\n // caught. Platform key is short-lived but sensitive — same treatment.\n const scrubber = new Scrubber()\n scrubber.registerWithEncodings({\n credentialId: 'platform',\n value: resolved.platformApiKey,\n })\n for (const cred of resolved.credentials) {\n for (const value of cred.redactionValues) {\n scrubber.registerWithEncodings({\n credentialId: cred.credentialId,\n value,\n })\n }\n }\n\n if (!quiet) this.printResolvedStatusLines(resolved)\n\n return { resolved, scrubber }\n }\n\n /\n Print one stderr status line per resolved credential plus one\n * per cred error. Stays on stderr so stdout remains clean for\n * pipe-friendly subprocess output.\n /\n private printResolvedStatusLines(resolved: Cli.ExecResolveResponse): void {\n for (const cred of resolved.credentials) {\n const envList = Object.keys(cred.envVars).sort().join(', ')\n printInfo(\n `resolved ${chalk.cyan(cred.credentialId)} (${cred.providerTitle}, ${cred.credentialTitle}) → ${envList}`\n )\n }\n for (const err of resolved.errors ?? []) {\n printError(\n `${err.credentialId} (${err.providerTitle}): ${err.message} The subprocess will run without this credential — calls that need it will 401. Re-auth ${err.providerTitle} from the dashboard.`\n )\n }\n }\n}\n","{\n \"name\": \"@general-input/cli\",\n \"version\": \"0.1.3\",\n \"type\": \"module\",\n \"description\": \"The agent-facing CLI for General Input. Authenticate, manage workflows, run bash with operator credentials injected by the cloud.\",\n \"license\": \"SEE LICENSE IN LICENSE\",\n \"homepage\": \"https://docs.generalinput.com/cli\",\n \"keywords\": [\n \"general-input\",\n \"geni\",\n \"cli\",\n \"agent\",\n \"ai\",\n \"automation\"\n ],\n \"engines\": {\n \"node\": \">=20\"\n },\n \"publishConfig\": {\n \"access\": \"public\"\n },\n \"bin\": {\n \"geni\": \"./dist/cli.js\"\n },\n \"files\": [\n \"dist\",\n \"README.md\",\n \"LICENSE\"\n ],\n \"scripts\": {\n \"dev\": \"tsup --watch\",\n \"build\": \"tsup\",\n \"clean\": \"rm -rf dist\",\n \"typecheck\": \"tsc --noEmit\",\n \"lint\": \"eslint . --fix --max-warnings 0\",\n \"format\": \"prettier --write . --ignore-path=../../.prettierignore\",\n \"test\": \"vitest run\",\n \"test:watch\": \"vitest\",\n \"prepublishOnly\": \"pnpm build\"\n },\n \"dependencies\": {\n \"@clack/prompts\": \"^0.7.0\",\n \"chalk\": \"^5.3.0\",\n \"commander\": \"^12.1.0\",\n \"tar\": \"^7.4.3\",\n \"zod\": \"^4.3.6\"\n },\n \"devDependencies\": {\n \"@packages/api\": \"workspace:\",\n \"@packages/eslint-config\": \"workspace:\",\n \"@packages/typescript-config\": \"workspace:\",\n \"@types/node\": \"^24.12.2\",\n \"@types/tar\": \"^6.1.13\",\n \"eslint\": \"^9.39.4\",\n \"tsup\": \"^8.3.5\",\n \"typescript\": \"^5.9.3\",\n \"vitest\": \"^4.1.5\"\n }\n}\n","import packageJson from '../../package.json' with { type: 'json' }\n\n/*\n Single source of truth for the CLI's version. Drives `geni --version`,\n * the User-Agent header on every API request, and any other place\n * that needs the version string.\n \n The import resolves through `resolveJsonModule: true` in the CLI's\n * tsconfig and gets inlined by tsup at build time, so the bundled\n * binary carries the version as a literal — no runtime fs read.\n \n Bumping the version means editing `apps/cli/package.json` (or running\n * `pnpm version patch` from `apps/cli/`) — the constant follows.\n /\nexport const CLI_VERSION: string = packageJson.version\n","import { CLI_VERSION } from '../lib/version.js'\n\n/\n HTTP transport for the geni CLI. Wraps `fetch` with the runner-\n * session bearer header (when a token is bound), JSON encoding, and\n * uniform error parsing into `ApiError`. Owned by the route-specific\n * clients (`AuthApiClient`, `WorkspacesApiClient`, etc.) which\n * compose this once at construction time.\n \n The client is parameterized by `(server, token)` because the CLI is\n * per-invocation: a single CLI command resolves a server + token from\n * the session file at startup, builds the bundle of API clients via\n * the factory, runs, and exits. There is no long-lived shared client.\n /\n\n/\n User-Agent header sent on every request. The server's\n * `cliVersionGate` middleware parses `geni/X.Y.Z` out of this to\n * decide whether to serve the request or return 426. The trailing\n * platform/arch/node info is informational (lands in server logs)\n * and not part of the gate contract.\n /\nconst USER_AGENT = `geni/${CLI_VERSION} (${process.platform}/${process.arch}; node/${process.versions.node})`\n\nexport class ApiError extends Error {\n public constructor(\n message: string,\n public readonly status: number,\n public readonly body: unknown\n ) {\n super(message)\n this.name = 'ApiError'\n }\n}\n\nexport interface RequestOptions {\n method?: 'GET' \| 'POST' \| 'PUT' \| 'PATCH' \| 'DELETE'\n body?: unknown\n signal?: AbortSignal\n}\n\nexport class HttpClient {\n public constructor(\n private readonly server: string,\n private readonly token: string \| null\n ) {}\n\n /\n Fetch a JSON endpoint. Caller owns the response shape via the\n * generic; the wrapper returns the parsed JSON cast to `T`. Routes\n * that need authentication MUST be reached via a client built with\n * a non-null token; the wrapper does not enforce auth itself, that's\n * the per-route client's job (each can `requireAuthed()` if needed).\n /\n public async fetch<T>(path: string, opts: RequestOptions = {}): Promise<T> {\n const url = `${this.server}${path}`\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n 'User-Agent': USER_AGENT,\n }\n if (this.token !== null) {\n headers['Authorization'] = `Bearer ${this.token}`\n }\n const response = await fetch(url, {\n method: opts.method ?? 'GET',\n headers,\n body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n signal: opts.signal,\n })\n return parseResponse<T>(response)\n }\n\n /* True when this transport carries a bound runner-session token. /\n public get isAuthed(): boolean {\n return this.token !== null\n }\n\n /\n Throw `ApiError(401)` locally when the transport has no token.\n * Per-route clients call this before authed endpoints so a missing\n * session surfaces with the same shape the server would produce for\n * a missing Authorization header, without a network round-trip.\n /\n public requireAuthed(): void {\n if (this.token !== null) return\n throw new ApiError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.',\n 401,\n null\n )\n }\n}\n\nasync function parseResponse<T>(response: Response): Promise<T> {\n const text = await response.text()\n let body: unknown = null\n if (text.length > 0) {\n try {\n body = JSON.parse(text)\n } catch {\n body = text\n }\n }\n if (!response.ok) {\n const errorField =\n body !== null && typeof body === 'object' && 'error' in body\n ? body.error\n : null\n const message =\n typeof errorField === 'string' ? errorField : response.statusText\n throw new ApiError(\n typeof message === 'string' && message.length > 0\n ? message\n : `HTTP ${response.status}`,\n response.status,\n body\n )\n }\n // Same trade-off as every TS fetch wrapper: at this point `body` is\n // runtime-`unknown`; the per-route client's typed return contract\n // is the agent's narrowing layer. Replacing this with per-endpoint\n // Zod parsing is a non-trivial follow-up.\n return body as T\n}\n","/\n Streaming output scrubber for `geni exec`.\n \n Mirrors the server-side `CredentialScrubber` (under\n * `apps/server/src/services/SandboxWorkspace`): every secret value the\n * cloud returned for an exec call gets registered, then `redact()` is\n * called on each chunk of stdout/stderr from the spawned subprocess\n * before it reaches the operator's terminal.\n \n Streaming is the wrinkle. A secret can be split across two chunks\n * (`\"...part1\"` then `\"part2...\"`), so each stream context buffers a\n * tail of length `maxSecretLen - 1` between calls. New chunk = previous\n * tail + new data; we redact the combined string and emit everything\n * except the last `maxSecretLen - 1` chars (which become the next call's\n * tail) so a secret that straddles the boundary still gets caught next\n * time. Final flush at end-of-stream emits whatever's left in the tail.\n \n Two-class model:\n \n - `Scrubber` owns the secret list (`register`, `registerWithEncodings`)\n * and is shared across both stdout and stderr pipes for a given\n * subprocess. One source of truth for \"what's a secret\".\n * - `StreamScrubber` is a per-stream view that holds the rolling\n * tail buffer. The spawner asks the `Scrubber` for one stream\n * scrubber per pipe so stdout and stderr don't fight over the\n * same tail.\n /\n\nexport interface RegisterArgs {\n credentialId: string\n value: string\n}\n\n/\n Minimum secret length we'll register. Anything shorter is too likely\n * to collide with normal output (e.g. \"ok\", \"1\", a 4-letter name) and\n * the over-redaction cure would be worse than the leak. Matches the\n * server scrubber's threshold for parity.\n /\nconst MIN_SECRET_LEN = 8\n\nexport class Scrubber {\n /* Map of secret value → redaction marker. Shared across streams. /\n private readonly redactions = new Map<string, string>()\n /* Length of the longest registered secret. Sets the tail size. /\n private maxLen = 0\n\n public register(args: RegisterArgs): void {\n const { credentialId, value } = args\n if (value.length < MIN_SECRET_LEN) return\n if (this.redactions.has(value)) return\n this.redactions.set(value, `[REDACTED:credential_${credentialId}]`)\n if (value.length > this.maxLen) this.maxLen = value.length\n }\n\n /\n Register the literal secret plus the common encoded forms a child\n * process might emit instead of the raw value: base64, base64url, hex\n * (upper + lower), URL-percent-encoded. Catches the lazy obfuscation\n * class of leak (`echo $TOKEN \| base64`, `echo $TOKEN \| xxd`,\n * `printf '%s' $TOKEN \| jq -R @uri`).\n \n Does not catch determined adversaries: anything that transforms\n * via `tr`, splits below MIN_SECRET_LEN, or exfiltrates over the\n * network is out of scope for an output scrubber. For airtight\n * isolation the plaintext must not enter the child's env at all.\n /\n public registerWithEncodings(args: RegisterArgs): void {\n this.register(args)\n for (const variant of encodingVariants(args.value)) {\n this.register({ credentialId: args.credentialId, value: variant })\n }\n }\n\n /\n Build a per-stream scrubber view. Each stream gets its own rolling\n * tail buffer; the underlying secret list is shared by reference. The\n * spawner calls this twice per child (stdout + stderr) so the two\n * pipes don't clobber each other's tail state.\n /\n public stream(): StreamScrubber {\n return new StreamScrubber(this.redactions, this.maxLen)\n }\n\n /\n Single-shot redaction for callers that have the entire string in\n * hand and don't need the streaming machinery. Useful for tests and\n * for one-off helpers (`apps/server/src/services/SandboxWorkspace`'s\n * non-streaming surfaces). Equivalent to creating a stream, redacting\n * once with `final: true`, and discarding.\n /\n public redact(text: string): string {\n return this.stream().redact(text, { final: true })\n }\n\n /* Test-only: how many secrets are registered. /\n public get size(): number {\n return this.redactions.size\n }\n}\n\n/\n One stream's worth of scrubbing state. The tail buffer holds the\n * last `maxLen - 1` chars between redact calls so a secret straddling\n * a chunk boundary still matches.\n /\nexport class StreamScrubber {\n private tail = ''\n\n public constructor(\n private readonly redactions: Map<string, string>,\n private readonly maxLen: number\n ) {}\n\n /\n Redact a chunk and return the safe-to-emit portion. The trailing\n * `maxLen - 1` chars are buffered for the next call so a secret that\n * straddles the chunk boundary still gets caught.\n \n Pass `final: true` on end-of-stream to flush the buffered tail.\n /\n public redact(chunk: string, opts: { final?: boolean } = {}): string {\n if (this.redactions.size === 0) {\n if (opts.final) {\n const out = this.tail + chunk\n this.tail = ''\n return out\n }\n return chunk\n }\n\n const combined = this.tail + chunk\n const redacted = this.replaceAll(combined)\n\n if (opts.final) {\n this.tail = ''\n return redacted\n }\n\n // Hold back enough chars to catch a secret that crosses the next\n // boundary. `maxLen - 1` is the tightest correct bound: any longer\n // and we'd hold output unnecessarily; any shorter and a secret of\n // length maxLen could split across an unbuffered boundary.\n const holdback = Math.max(0, this.maxLen - 1)\n if (redacted.length <= holdback) {\n this.tail = redacted\n return ''\n }\n const cut = redacted.length - holdback\n this.tail = redacted.slice(cut)\n return redacted.slice(0, cut)\n }\n\n /\n Replace every registered secret in `text`. Iterates longest-first\n * so a superstring secret gets redacted before any of its substrings,\n * which prevents partial overlaps from sneaking through.\n /\n private replaceAll(text: string): string {\n let result = text\n const entries = [...this.redactions.entries()].sort(\n (a, b) => b[0].length - a[0].length\n )\n for (const [value, marker] of entries) {\n if (!result.includes(value)) continue\n result = result.split(value).join(marker)\n }\n return result\n }\n}\n\n/\n Common encoded forms the child process is most likely to produce when\n * an agent tries to obfuscate a secret. Output is deduplicated by the\n * scrubber, so encodings that happen to match the literal (URL-encoding\n * a token with no special chars, base64 of an already-base64 token) are\n * harmless no-ops.\n \n The list is intentionally short. We're catching lazy obfuscation, not\n * a Turing-complete adversary; adding `value.toUpperCase()`,\n * `value.split('').reverse().join('')`, etc. would never end. The cost-\n * effective coverage is the four encodings most CLI tools and one-liner\n * shell pipelines reach for.\n /\nfunction encodingVariants(value: string): string[] {\n const buf = Buffer.from(value, 'utf8')\n return [\n buf.toString('base64'),\n buf.toString('base64url'),\n buf.toString('hex'),\n buf.toString('hex').toUpperCase(),\n encodeURIComponent(value),\n ]\n}\n","/\n Deny-by-default env passthrough for `geni exec` subprocesses.\n \n Without an allowlist, the spawned bash inherits everything in the\n * operator's shell env — anything they happened to `export` before\n * running the CLI. That includes vars from other tools (`AWS_`,\n `GITHUB_TOKEN` from a `.envrc`, secrets pulled by Infisical for the\n * dashboard, etc.). Inheriting them silently is two kinds of bad:\n \n 1. They override our cloud-resolved equivalents in unpredictable\n * ways. The operator runs `geni exec bash --cred slack_prod ...`\n * expecting the prod token, but their shell already has a stale\n * `SLACK_BOT_TOKEN` from yesterday's debugging.\n * 2. They leak data the operator didn't ask the CLI to surface.\n \n The allowlist below is the minimum useful set for a bash session to\n * function — process essentials (`PATH`, `HOME`), locale (`LANG`,\n * `LC_`, `TZ`), terminal capabilities (`TERM`, `COLORTERM`), and\n tempfile location (`TMPDIR`). Anything else gets dropped.\n \n If a real use case turns up that needs more (`SSH_AUTH_SOCK` for\n * `git push`, custom `PYTHONPATH`), add it here with a short comment.\n * Don't add to make a passing test pass — verify the value isn't a\n * source of credential leakage first.\n /\nexport const SAFE_INHERIT_ENV = [\n // Process essentials.\n 'PATH',\n 'HOME',\n 'USER',\n 'LOGNAME',\n 'SHELL',\n 'PWD',\n // Locale.\n 'LANG',\n 'LC_ALL',\n 'LC_CTYPE',\n 'TZ',\n // Terminal capabilities. Without these, color output and TUI\n // programs render garbled.\n 'TERM',\n 'COLORTERM',\n 'LINES',\n 'COLUMNS',\n // Tempfile location.\n 'TMPDIR',\n] as const\n\n/\n Build the env the child process should start with: only the allowed\n * keys from the operator's process.env, nothing else. Caller layers\n * cloud-resolved credential env vars and platform vars on top.\n /\nexport function buildSafeInheritedEnv(): NodeJS.ProcessEnv {\n const out: NodeJS.ProcessEnv = {}\n for (const key of SAFE_INHERIT_ENV) {\n const value = process.env[key]\n if (value !== undefined) out[key] = value\n }\n return out\n}\n","import type { Cli } from '@packages/api'\nimport type { SessionContextService } from './SessionContextService.js'\nimport type { ConfigService } from './ConfigService.js'\nimport type { BrowserOpener } from '../clients/BrowserOpener.js'\n\nexport type ConnectIntent =\n \| { kind: 'open-browser'; url: string }\n \| { kind: 'print-url'; url: string }\n\n/\n Owns credential + integration discovery on top of the API clients.\n * Adds CLI-flavored filtering (`--service`, `--mine`, `-q`) and the\n * ranked-search wrappers, returning plain data so commands can pick\n * table vs JSON vs single-field output.\n \n Also handles `geni credential connect`, which validates the service\n * slug against the integration catalog (server returns 404 for\n * unknown slugs) before sending the operator to the dashboard.\n /\nexport class DiscoveryService {\n public constructor(\n private readonly sessionContext: SessionContextService,\n private readonly browserOpener: BrowserOpener,\n private readonly configService: ConfigService\n ) {}\n\n // ---- credentials ----------------------------------------------------\n\n public async listCredentials(args: {\n service?: string\n mine?: boolean\n query?: string\n }): Promise<Cli.CredentialSummary[]> {\n const { client } = await this.sessionContext.requireAuthed()\n const { credentials } = await client.credentials.list()\n let result = credentials\n if (args.service) {\n result = result.filter((c) => c.service === args.service)\n }\n if (args.mine) {\n result = result.filter((c) => c.isOwnedByViewer)\n }\n if (args.query && args.query.length > 0) {\n result = rankCredentials(result, args.query)\n }\n return result\n }\n\n public async getCredential(id: string): Promise<Cli.CredentialDetail> {\n const { client } = await this.sessionContext.requireAuthed()\n return client.credentials.get(id)\n }\n\n /\n Validate the service slug against the integration catalog (404\n * surfaces the same way `integration get` does, mapped to exit 4\n * by the command), then return the dashboard integration-detail\n * URL the operator should be sent to. That page already hosts the\n * connect UI for every integration kind (OAuth start, API-key\n * dialog, etc.), so we don't need a dedicated CLI-side route.\n \n Side effect: if `printUrlOnly` is false, opens the URL in the\n * operator's default browser. The CLI always prints the URL too,\n * so a silent failure to launch a browser still leaves the\n * operator with a clickable link.\n /\n public async connectCredential(args: {\n service: string\n printUrlOnly?: boolean\n }): Promise<ConnectIntent> {\n const { session, client } = await this.sessionContext.requireAuthed()\n await client.integrations.get(args.service) // throws ApiError(404) when unknown\n const dashboardUrl = this.configService.resolveDashboardUrl(session.server)\n const url = `${dashboardUrl}/${encodeURIComponent(session.workspace.slug)}/integrations/${encodeURIComponent(args.service)}`\n if (args.printUrlOnly) return { kind: 'print-url', url }\n this.browserOpener.open(url)\n return { kind: 'open-browser', url }\n }\n\n // ---- integrations ---------------------------------------------------\n\n public async listIntegrations(args: {\n type?: string\n query?: string\n }): Promise<Cli.IntegrationSummary[]> {\n const { client } = await this.sessionContext.requireAuthed()\n // Server-side hybrid (pgvector + lexical) search runs when\n // `query` is set; without it, the server returns the full list\n // in catalog order. `--type` is a boolean discriminator that\n // shouldn't mix into the relevance ranking, so we filter\n // client-side after the server answers.\n const { integrations } = await client.integrations.list({\n query: args.query,\n })\n return args.type\n ? integrations.filter((i) => i.credentialType === args.type)\n : integrations\n }\n\n public async getIntegration(service: string): Promise<Cli.IntegrationDetail> {\n const { client } = await this.sessionContext.requireAuthed()\n return client.integrations.get(service)\n }\n\n // ---- operations -----------------------------------------------------\n\n public async listOperations(args: {\n service: string\n query?: string\n }): Promise<Cli.IntegrationOperationSummary[]> {\n const { client } = await this.sessionContext.requireAuthed()\n const { operations } = await client.integrations.listOperations(\n args.service\n )\n if (!args.query \|\| args.query.length === 0) return operations\n return rankOperations(operations, args.query)\n }\n\n /\n Look up one operation. When `service` is provided, hits the\n * service-scoped integrations route; otherwise hits the standalone\n * `/cli/operations/:opId` route which lets the server resolve the\n * service from the id alone.\n /\n public async getOperation(args: {\n service?: string\n opId: string\n }): Promise<Cli.IntegrationOperationDetail> {\n const { client } = await this.sessionContext.requireAuthed()\n return args.service\n ? client.integrations.getOperation({\n service: args.service,\n opId: args.opId,\n })\n : client.operations.getById(args.opId)\n }\n}\n\n/\n Substring-rank credentials. Service slug weighs highest since\n * agents query by capability (\"slack\", \"stripe\") far more often\n * than by title or provider.\n /\nfunction rankCredentials(\n credentials: Cli.CredentialSummary[],\n query: string\n): Cli.CredentialSummary[] {\n const q = query.toLowerCase()\n const scored = credentials.map((c) => {\n let score = 0\n if (c.service.toLowerCase().includes(q)) score += 3\n if (c.providerTitle.toLowerCase().includes(q)) score += 2\n if (c.title.toLowerCase().includes(q)) score += 1\n return { c, score }\n })\n return scored\n .filter((s) => s.score > 0)\n .sort((a, b) => b.score - a.score)\n .map((s) => s.c)\n}\n\n/\n Substring-rank operations. Title weighs higher than description\n * because agents look up an operation by what it does (\"post\n * message\", \"list channels\"), and titles are written for that.\n /\nfunction rankOperations(\n operations: Cli.IntegrationOperationSummary[],\n query: string\n): Cli.IntegrationOperationSummary[] {\n const q = query.toLowerCase()\n const scored = operations.map((op) => {\n let score = 0\n if (op.title.toLowerCase().includes(q)) score += 2\n if (op.description.toLowerCase().includes(q)) score += 1\n return { op, score }\n })\n return scored\n .filter((s) => s.score > 0)\n .sort((a, b) => b.score - a.score)\n .map((s) => s.op)\n}\n","import { z } from 'zod'\n\n/\n Persistent CLI config. Lives at `<configDir>/config.json` and is\n * loaded synchronously on every command start (the file is tiny —\n * ~100 bytes — so the blocking read doesn't cost anything material).\n \n Distinct from the session file:\n * - `runner-session.json` is per-login, holds the auth token + the\n * server URL the token was minted against, lifetime = until logout.\n * - `config.json` is per-machine, holds defaults for fresh logins\n * (which API/dashboard URL to talk to, future settings), lifetime\n * = until the user changes it.\n \n Keys are validated by the Zod schema below; unknown keys are dropped\n * on read so a corrupt or partially-old file behaves like an empty\n * config rather than crashing the CLI.\n /\nexport const CliConfigSchema = z.object({\n version: z.literal(1),\n /\n Override for the cloud API base URL used at fresh `geni login`\n * time. Once a session exists, the URL stored on it takes\n * precedence — switching `apiUrl` after login does NOT reroute\n * existing tokens (the session knows which server minted it).\n /\n apiUrl: z.url().optional(),\n /\n Override for the dashboard base URL used by browser-opening\n * commands (`geni credential connect`). Independent of `apiUrl`\n * because in dev they live on different ports.\n /\n dashboardUrl: z.url().optional(),\n})\n\nexport type CliConfigFile = z.infer<typeof CliConfigSchema>\n\n/\n Keys the user can set via `geni config set <key> <value>`. We keep\n * the camelCase internal representation 1:1 with the file format —\n * one less translation layer to think about — and the CLI accepts\n * exactly these names.\n /\nexport const SETTABLE_CONFIG_KEYS = ['apiUrl', 'dashboardUrl'] as const\nexport type SettableConfigKey = (typeof SETTABLE_CONFIG_KEYS)[number]\n\nconst SETTABLE_CONFIG_KEY_SET: ReadonlySet<string> = new Set(\n SETTABLE_CONFIG_KEYS\n)\n\n/\n Type guard for \"is this an arbitrary string one of the settable\n * config keys?\". Lives here (not in each command) so all three\n * call-sites in `geni config get/set/unset` agree on the same\n * narrowing logic — adding a key to `SETTABLE_CONFIG_KEYS` lights up\n * every consumer at once.\n /\nexport function isSettableConfigKey(key: string): key is SettableConfigKey {\n return SETTABLE_CONFIG_KEY_SET.has(key)\n}\n","import type { ConfigStore } from '../clients/ConfigStore.js'\nimport type { SessionStore } from '../clients/SessionStore.js'\nimport {\n CliConfigSchema,\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n type CliConfigFile,\n type SettableConfigKey,\n} from '../types/config.js'\n\n/\n Compiled-in defaults for the URL resolver chain. Both deliberately\n * reference the prod cloud + dashboard; dev/local-only is reached\n * via env var, config file, or a session minted against a localhost\n * server.\n /\nconst DEFAULT_API_URL = 'https://cloud.generalinput.com'\nconst DEFAULT_DASHBOARD_URL = 'https://web.generalinput.com'\n\n/\n Result of `ConfigService.set`. Discriminated so callers can render\n * different messages for schema-failure vs. session-conflict without\n * string-matching on `error`.\n \n `session_conflict` is specifically the case where the operator is\n * trying to change `apiUrl` while a runner-session is bound to a\n * different server. We refuse the write rather than letting the file\n * drift out of sync with what the CLI is actually doing at runtime.\n /\nexport type ConfigSetResult =\n \| { ok: true }\n \| { ok: false; reason: 'invalid'; error: string }\n \| { ok: false; reason: 'session_conflict'; sessionUrl: string }\n\n/\n Owns everything related to the persistent CLI config:\n \n - the on-disk `config.json` (via `ConfigStore`),\n * - the URL resolver chain (`apiUrl` / `dashboardUrl`),\n * - the file-values view (`fileValues`) used by `geni config get`,\n * - refusing an `apiUrl` change that would conflict with the\n * currently-bound runner-session.\n \n Other services (`AuthService`, `DiscoveryService`) inject this and\n * call `resolveApiUrl(...)` / `resolveDashboardUrl(...)` rather than\n * importing free functions, which lets tests construct an isolated\n * `ConfigService` against a temp `ConfigStore` without dragging in\n * module-level singleton state.\n /\nexport class ConfigService {\n public constructor(\n private readonly configStore: ConfigStore,\n private readonly sessionStore: SessionStore\n ) {}\n\n /\n Resolve the API URL the CLI should talk to. Precedence:\n * 1. The session's stored server (locked at `geni login` time —\n * the auth token was minted on that specific URL).\n * 2. `$GENI_API_URL` env var.\n * 3. `apiUrl` from the persistent config.\n * 4. Compiled-in default.\n \n Callers that have a session loaded should pass `sessionServer`\n * explicitly. The session lock means changing the config after\n * login does NOT retarget existing commands until logout + re-login.\n /\n public resolveApiUrl(sessionServer?: string): string {\n return (\n sessionServer ??\n process.env.GENI_API_URL ??\n this.configStore.loadSync()?.apiUrl ??\n DEFAULT_API_URL\n )\n }\n\n /\n Resolve the dashboard URL for browser-opening commands. Precedence:\n * 1. `$GENI_DASHBOARD_URL` env var.\n * 2. `dashboardUrl` from the persistent config.\n * 3. Inferred from the session's API URL when it points at\n * localhost (dev convenience: API on :4111 → dashboard on :5177).\n * 4. Compiled-in default.\n /\n public resolveDashboardUrl(sessionApiUrl?: string): string {\n if (process.env.GENI_DASHBOARD_URL) return process.env.GENI_DASHBOARD_URL\n const config = this.configStore.loadSync()\n if (config?.dashboardUrl) return config.dashboardUrl\n if (sessionApiUrl?.includes('localhost')) return 'http://localhost:5177'\n return DEFAULT_DASHBOARD_URL\n }\n\n /\n Read what's literally in the persistent config file, with no\n * resolver fallbacks layered on. This is what `set` writes and what\n * `get` should display — symmetric, predictable, no \"I set X, get\n * shows Y\" surprise from a session-locked URL trumping the file.\n \n For \"what URL is the CLI actually hitting right now?\" the answer\n * lives on the session (printed by `geni auth status`); the resolver\n * itself stays in `resolveApiUrl` / `resolveDashboardUrl`.\n /\n public fileValues(): Record<SettableConfigKey, string \| undefined> {\n const file = this.configStore.loadSync()\n return {\n apiUrl: file?.apiUrl,\n dashboardUrl: file?.dashboardUrl,\n }\n }\n\n /\n Write a config value. Validates against the schema; a malformed\n * URL fails loudly here rather than waiting for the next CLI\n * command to crash.\n \n Refuses to change `apiUrl` while a runner-session is bound to a\n * different URL: the session's server is what the CLI actually hits\n * at runtime, so silently letting the file diverge from that would\n * make `geni config set` a lie. The operator must logout (or use\n * `geni login --server <url>`) to switch servers cleanly.\n /\n public async set(args: {\n key: SettableConfigKey\n value: string\n }): Promise<ConfigSetResult> {\n const existing = this.configStore.loadSync() ?? { version: 1 as const }\n const next = { ...existing, [args.key]: args.value }\n const parsed = CliConfigSchema.safeParse(next)\n if (!parsed.success) {\n return {\n ok: false,\n reason: 'invalid',\n error: parsed.error.issues[0]?.message ?? 'failed validation',\n }\n }\n if (args.key === 'apiUrl') {\n const session = await this.sessionStore.load()\n if (session && session.server !== args.value) {\n return {\n ok: false,\n reason: 'session_conflict',\n sessionUrl: session.server,\n }\n }\n }\n await this.configStore.save(parsed.data)\n return { ok: true }\n }\n\n /\n Remove a key. When the last key is removed, the file itself is\n * deleted so `cat $(geni config path)` doesn't show an empty\n * `{ \"version\": 1 }` shell.\n \n Returns whether the key was actually present (lets the command\n * pick \"Unset apiUrl.\" vs \"apiUrl was already unset.\").\n /\n public async unset(args: {\n key: SettableConfigKey\n }): Promise<{ wasSet: boolean }> {\n const existing = this.configStore.loadSync()\n if (!existing \|\| existing[args.key] === undefined) {\n return { wasSet: false }\n }\n const next: CliConfigFile = { version: 1 }\n for (const k of SETTABLE_CONFIG_KEYS) {\n if (k === args.key) continue\n const value = existing[k]\n if (value !== undefined) next[k] = value\n }\n const hasRemainingValues = SETTABLE_CONFIG_KEYS.some(\n (k) => next[k] !== undefined\n )\n if (hasRemainingValues) {\n await this.configStore.save(next)\n } else {\n await this.configStore.delete()\n }\n return { wasSet: true }\n }\n\n /* Absolute path to the config file. /\n public get path(): string {\n return this.configStore.path\n }\n\n /* Re-export the type guard from the types module for convenience. /\n public isSettableKey(key: string): key is SettableConfigKey {\n return isSettableConfigKey(key)\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/auth/` routes:\n POST /cli/auth/device-code\n * POST /cli/auth/device-code/:code/poll\n * GET /cli/auth/me (runner-session authed)\n * POST /cli/auth/logout (runner-session authed)\n \n The device-code routes work without a runner-session token (it's\n * being minted by the flow). `me` and `logout` require one; the\n * transport's `requireAuthed()` throws locally before the request\n * leaves the process when the transport has no token.\n /\nexport class AuthApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async startDeviceCode(\n clientLabel: string\n ): Promise<Cli.DeviceCodeStartResponse> {\n return this.http.fetch('/cli/auth/device-code', {\n method: 'POST',\n body: { clientLabel },\n })\n }\n\n public async pollDeviceCode(\n userCode: string\n ): Promise<Cli.DeviceCodePollResponse> {\n return this.http.fetch(\n `/cli/auth/device-code/${encodeURIComponent(userCode)}/poll`,\n { method: 'POST' }\n )\n }\n\n public async me(): Promise<Cli.MeResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/auth/me')\n }\n\n public async logout(): Promise<void> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/auth/logout', { method: 'POST' })\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/workspaces/` routes:\n GET /cli/workspaces (runner-session authed)\n * POST /cli/workspaces/switch (runner-session authed)\n \n Both routes need a runner-session token; the transport's\n * `requireAuthed()` rejects calls when the transport has no token,\n * mirroring the server's 401 without a network round-trip.\n /\nexport class WorkspacesApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async list(): Promise<Cli.WorkspacesResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/workspaces')\n }\n\n public async switch(membershipId: string): Promise<Cli.MeResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/workspaces/switch', {\n method: 'POST',\n body: { membershipId },\n })\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/exec/` routes:\n POST /cli/exec/resolve (runner-session authed)\n \n Resolves the declared credentials for an exec call. Returns the env\n * vars + scrubber values the CLI applies to the spawned subprocess,\n * plus a fresh PLATFORM_API_KEY / PLATFORM_BASE_URL pair always.\n /\nexport class ExecApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async resolve(\n body: Cli.ExecResolveRequest\n ): Promise<Cli.ExecResolveResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/exec/resolve', {\n method: 'POST',\n body,\n })\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/credentials/` routes:\n GET /cli/credentials (runner-session authed)\n * GET /cli/credentials/:id (runner-session authed)\n \n Discovery-only surface: returns credential metadata + the env var\n * names that get set when each credential is declared on\n * `geni exec bash`. No plaintext secret values; those resolve\n * server-side at exec time.\n /\nexport class CredentialsApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async list(): Promise<Cli.CredentialListResponse> {\n this.http.requireAuthed()\n return this.http.fetch('/cli/credentials')\n }\n\n public async get(id: string): Promise<Cli.CredentialDetail> {\n this.http.requireAuthed()\n return this.http.fetch(`/cli/credentials/${encodeURIComponent(id)}`)\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/\n Wraps the server's `/cli/integrations/` routes:\n GET /cli/integrations[?q=...] (runner-session authed)\n * GET /cli/integrations/:service (runner-session authed)\n * GET /cli/integrations/:service/operations (runner-session authed)\n * GET /cli/integrations/:service/operations/:opId (runner-session authed)\n \n Hybrid (pgvector + lexical) search runs server-side when the\n * `query` arg is set on `list`. The single-operation lookup that\n * skips the service prefix lives on `OperationsApiClient` (the\n * `/cli/operations/` route family).\n /\nexport class IntegrationsApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async list(args?: {\n query?: string\n }): Promise<Cli.IntegrationListResponse> {\n this.http.requireAuthed()\n const path =\n args?.query && args.query.length > 0\n ? `/cli/integrations?q=${encodeURIComponent(args.query)}`\n : '/cli/integrations'\n return this.http.fetch(path)\n }\n\n public async get(service: string): Promise<Cli.IntegrationDetail> {\n this.http.requireAuthed()\n return this.http.fetch(`/cli/integrations/${encodeURIComponent(service)}`)\n }\n\n public async listOperations(\n service: string\n ): Promise<Cli.IntegrationOperationsListResponse> {\n this.http.requireAuthed()\n return this.http.fetch(\n `/cli/integrations/${encodeURIComponent(service)}/operations`\n )\n }\n\n public async getOperation(args: {\n service: string\n opId: string\n }): Promise<Cli.IntegrationOperationDetail> {\n this.http.requireAuthed()\n return this.http.fetch(\n `/cli/integrations/${encodeURIComponent(args.service)}/operations/${encodeURIComponent(args.opId)}`\n )\n }\n}\n","import type { Cli } from '@packages/api'\nimport type { HttpClient } from './HttpClient.js'\n\n/*\n Wraps the server's `/cli/operations/` routes:\n GET /cli/operations/:opId (runner-session authed)\n \n A separate URL prefix from `/cli/integrations/` because the agent\n sometimes has an operation id without knowing which service it\n * belongs to (e.g. when copy-pasting from a previous transcript). The\n * server resolves the service from the id alone and returns the same\n * `IntegrationOperationDetail` shape as the service-scoped path.\n /\nexport class OperationsApiClient {\n public constructor(private readonly http: HttpClient) {}\n\n public async getById(opId: string): Promise<Cli.IntegrationOperationDetail> {\n this.http.requireAuthed()\n return this.http.fetch(`/cli/operations/${encodeURIComponent(opId)}`)\n }\n}\n","import { HttpClient } from './HttpClient.js'\nimport { AuthApiClient } from './AuthApiClient.js'\nimport { WorkspacesApiClient } from './WorkspacesApiClient.js'\nimport { ExecApiClient } from './ExecApiClient.js'\nimport { CredentialsApiClient } from './CredentialsApiClient.js'\nimport { IntegrationsApiClient } from './IntegrationsApiClient.js'\nimport { OperationsApiClient } from './OperationsApiClient.js'\n\n/\n The bundle of per-route-prefix clients a service operates against.\n * Built fresh for each (server, token) pair the CLI sees, since a\n * single CLI invocation has exactly one transport configuration.\n /\nexport interface ApiClientBundle {\n auth: AuthApiClient\n workspaces: WorkspacesApiClient\n exec: ExecApiClient\n credentials: CredentialsApiClient\n integrations: IntegrationsApiClient\n operations: OperationsApiClient\n}\n\n/\n Builds `ApiClientBundle`s. The factory itself has no I/O state —\n * `build` is a pure constructor — so the same instance is shared\n * across every service in the DI graph. Services that need an authed\n * transport call `factory.build({ server, token })` once they have a\n * session loaded; services hitting unauthed routes (just the device-\n * code start + poll today) pass `token: null`.\n /\nexport class ApiClientFactory {\n public build(args: {\n server: string\n token: string \| null\n }): ApiClientBundle {\n const http = new HttpClient(args.server, args.token)\n return {\n auth: new AuthApiClient(http),\n workspaces: new WorkspacesApiClient(http),\n exec: new ExecApiClient(http),\n credentials: new CredentialsApiClient(http),\n integrations: new IntegrationsApiClient(http),\n operations: new OperationsApiClient(http),\n }\n }\n}\n","import { mkdir, readFile, writeFile, unlink, chmod } from 'node:fs/promises'\nimport {\n RunnerSessionFileSchema,\n type RunnerSessionFile,\n} from '../types/session.js'\n\n/\n Owns the on-disk runner-session file (`~/.config/geni/runner-session.json`\n * by default; honors `$GENI_CONFIG_DIR`). One instance per CLI process,\n * registered in DI. Constructor takes the resolved file path so the\n * class is testable in isolation — pass a temp path in tests instead\n * of monkeypatching `process.env`.\n \n The file holds the runner-session token, the API URL it was minted\n * against, and a cached active-workspace pointer. Mode 0600 so other\n * users on the box can't read the token.\n /\nexport class SessionStore {\n public constructor(\n private readonly filePath: string,\n private readonly directoryPath: string\n ) {}\n\n /\n Read the file, or `null` if no session exists. Returns `null` for\n * unparseable / schema-invalid files too — corrupt local state\n * shouldn't prevent re-login. The user can rerun `geni login` to\n * write a fresh file over the broken one.\n /\n public async load(): Promise<RunnerSessionFile \| null> {\n let raw: string\n try {\n raw = await readFile(this.filePath, 'utf-8')\n } catch (err) {\n if (isErrnoCode(err, 'ENOENT')) return null\n throw err\n }\n let json: unknown\n try {\n json = JSON.parse(raw)\n } catch {\n return null\n }\n const parsed = RunnerSessionFileSchema.safeParse(json)\n return parsed.success ? parsed.data : null\n }\n\n /\n Persist the session. Creates the config dir if missing and lands\n * mode 0600 on the file. Tightens dir mode to 0700 best-effort —\n * if the chmod fails (e.g. on a CI mount), we continue rather than\n * failing the login outright.\n /\n public async save(session: RunnerSessionFile): Promise<void> {\n await mkdir(this.directoryPath, { recursive: true, mode: 0o700 })\n await chmod(this.directoryPath, 0o700).catch(() => {\n // Best effort. Better to write the session than fail login.\n })\n await writeFile(this.filePath, JSON.stringify(session, null, 2), {\n mode: 0o600,\n })\n }\n\n /\n Delete the session file. Idempotent — missing file is not an error.\n * Used by `geni logout` after server revoke, and as a recovery path\n * when the local file is corrupt or stale.\n /\n public async delete(): Promise<void> {\n try {\n await unlink(this.filePath)\n } catch (err) {\n if (isErrnoCode(err, 'ENOENT')) return\n throw err\n }\n }\n\n /\n Update just the workspace pointer in the session file, used by\n * `geni workspace switch` after the server confirms the membership.\n * Throws if no session exists — the caller must have verified one\n * is loaded before calling this.\n /\n public async updateActiveWorkspace(\n workspace: RunnerSessionFile['workspace']\n ): Promise<void> {\n const current = await this.load()\n if (!current) {\n throw new Error('No active session to update')\n }\n await this.save({\n ...current,\n workspace,\n savedAt: new Date().toISOString(),\n })\n }\n}\n\n/\n Type-guard for `NodeJS.ErrnoException.code === <expected>`. Avoids\n * the `as NodeJS.ErrnoException` cast that the surrounding file rule\n * would flag, while still narrowing safely for both `Error` instances\n * and the bare object form `fs/promises` rejects with on some\n * platforms.\n /\nfunction isErrnoCode(err: unknown, expected: string): boolean {\n if (typeof err !== 'object' \|\| err === null) return false\n if (!('code' in err)) return false\n return err.code === expected\n}\n","import { z } from 'zod'\n\n/\n Local session file written to ~/.config/geni/runner-session.json on\n * `geni login` and read by every authenticated command.\n \n `server` is the API base URL the session was minted against. Stored\n * here (not just in $GENI_API_URL) so the CLI keeps talking to the\n * same cloud the user authenticated with, even if they later set the\n * env var to something else.\n \n `workspace` is the locally-cached active-workspace pointer. Server-\n * side state is the source of truth; this cache lets `geni workspace\n * current` and the status banner avoid a roundtrip on every call.\n /\nexport const RunnerSessionFileSchema = z.object({\n version: z.literal(1),\n server: z.url(),\n /* Plaintext runner-session token (`geni_rs_…`). /\n token: z.string().startsWith('geni_rs_'),\n user: z.object({\n id: z.string(),\n email: z.string().nullable(),\n name: z.string().nullable(),\n }),\n workspace: z.object({\n membershipId: z.string(),\n organizationId: z.string(),\n slug: z.string(),\n name: z.string(),\n role: z.string(),\n }),\n /* ISO 8601 — when the file was last written by login or workspace switch. /\n savedAt: z.string(),\n})\n\nexport type RunnerSessionFile = z.infer<typeof RunnerSessionFileSchema>\n","import { readFileSync } from 'node:fs'\nimport { mkdir, writeFile, unlink } from 'node:fs/promises'\nimport { dirname } from 'node:path'\nimport { CliConfigSchema, type CliConfigFile } from '../types/config.js'\n\n/\n Owns the on-disk persistent CLI config (`~/.config/geni/config.json`\n * by default; honors `$GENI_CONFIG_DIR`). One instance per CLI process,\n * registered in DI. Constructor takes the resolved file path so the\n * class is testable without env munging.\n \n `loadSync` is deliberate: the file is ~100 bytes and the URL\n * resolvers consult it on every command start. An async API would\n * force the entire URL-resolution chain to be async, which the\n * call-site graph doesn't need.\n /\nexport class ConfigStore {\n public constructor(private readonly filePath: string) {}\n\n /\n Read the file synchronously. Returns `null` for any unreadable /\n * corrupt / schema-invalid file so the CLI degrades to defaults\n * instead of crashing on a stale on-disk format.\n /\n public loadSync(): CliConfigFile \| null {\n let raw: string\n try {\n raw = readFileSync(this.filePath, 'utf8')\n } catch {\n return null\n }\n let json: unknown\n try {\n json = JSON.parse(raw)\n } catch {\n return null\n }\n const parsed = CliConfigSchema.safeParse(json)\n return parsed.success ? parsed.data : null\n }\n\n /\n Persist the config. Creates the directory if missing. Mode 0644:\n * config is non-secret, unlike the session file.\n /\n public async save(config: CliConfigFile): Promise<void> {\n await mkdir(dirname(this.filePath), { recursive: true })\n await writeFile(this.filePath, JSON.stringify(config, null, 2) + '\\n', {\n mode: 0o644,\n })\n }\n\n /\n Delete the config file. Idempotent — succeeds silently when the\n * file doesn't exist (the user's intent is \"ensure no config\",\n * not \"the file definitely existed\").\n /\n public async delete(): Promise<void> {\n try {\n await unlink(this.filePath)\n } catch (err) {\n if (\n typeof err === 'object' &&\n err !== null &&\n 'code' in err &&\n err.code === 'ENOENT'\n ) {\n return\n }\n throw err\n }\n }\n\n /* Path the file would be at, regardless of whether it exists. /\n public get path(): string {\n return this.filePath\n }\n}\n","import { spawn } from 'node:child_process'\n\n/\n Best-effort browser opener for flows that bounce the operator into\n * the dashboard (`geni login`, `geni credential connect`).\n \n Failure modes are handled by the caller, not here: the CLI always\n * prints the URL to stdout/stderr first, so even a silent failure to\n * launch a browser leaves the operator with a clickable / pasteable\n * link. The class never throws; `open()` returns whether the spawn\n * call succeeded but most callers ignore the result.\n \n One instance per CLI process, registered in DI. Stateless, so\n * sharing the singleton is the obvious right call.\n /\nexport class BrowserOpener {\n public open(url: string): boolean {\n const cmd = openerCommandForPlatform()\n try {\n const child = spawn(cmd, [url], { stdio: 'ignore', detached: true })\n child.unref()\n return true\n } catch {\n // ignore — caller has already printed the URL as a fallback\n return false\n }\n }\n}\n\nfunction openerCommandForPlatform(): string {\n switch (process.platform) {\n case 'darwin':\n return 'open'\n case 'win32':\n return 'start'\n default:\n return 'xdg-open'\n }\n}\n","import { spawn } from 'node:child_process'\nimport type { Scrubber, StreamScrubber } from '../lib/scrubber.js'\n\n/\n Owns the `child_process.spawn` machinery for `geni exec`:\n \n - inherits stdin (so the subprocess can read piped input),\n * - pipes stdout + stderr through a scrubber that replaces\n * registered secret values with [REDACTED:credential_<id>]\n * before they reach the operator's terminal,\n * - forwards SIGINT / SIGTERM from the parent so Ctrl-C tears the\n * child down cleanly,\n * - resolves with the child's exit code, mapping signal-kills to\n * the conventional 128+signum.\n \n Subprocess-agnostic — `command + args` is the full spawn input, so\n * `bash -lc <user-command>` (`runBash`) and `node <runner.mjs>`\n * (`runScript`) share the same plumbing.\n /\n\nexport interface SpawnArgs {\n command: string\n args: string[]\n env: NodeJS.ProcessEnv\n cwd?: string\n scrubber: Scrubber\n /\n Optional tap on the redacted stdout stream. Fires once per chunk\n * the spawner writes to `process.stdout`, with the same already-\n * scrubbed bytes. `geni exec script` uses this to capture the\n * harness's JSONL output for parsing (exit-code derivation, error-\n * line detection) without a second pipe through the scrubber.\n * `geni exec bash` doesn't pass it.\n /\n onStdoutChunk?: (chunk: string) => void\n}\n\nexport class ChildProcessSpawner {\n /\n Run `command` with `args` and return the child's exit code. Pipes\n * stdout + stderr through `scrubber` before forwarding to the\n * parent process's streams.\n /\n public async run(args: SpawnArgs): Promise<number> {\n const child = spawn(args.command, args.args, {\n env: args.env,\n cwd: args.cwd ?? process.cwd(),\n stdio: ['inherit', 'pipe', 'pipe'],\n })\n\n // Track the scrubber-tail flushes so we don't resolve `run()`\n // before the last bytes have been emitted. Without this the\n // child's `exit` event can fire before `stdout`/`stderr` have\n // delivered their final chunks (and thus their `end` event),\n // which means the tail-buffered redaction marker never reaches\n // the parent's stream.\n // One stream-scrubber per pipe so stdout and stderr have their\n // own tail buffer. Sharing a single scrubber's tail across both\n // pipes is a bug: whichever stream's `end` fires first claims\n // the buffered tail, even when the redacted payload belongs to\n // the other pipe.\n const stdoutClosed = pipeWithScrubbing(\n child.stdout!,\n process.stdout,\n args.scrubber.stream(),\n args.onStdoutChunk\n )\n const stderrClosed = pipeWithScrubbing(\n child.stderr!,\n process.stderr,\n args.scrubber.stream()\n )\n\n const forwardSignal = (signal: NodeJS.Signals): void => {\n if (!child.killed) child.kill(signal)\n }\n process.on('SIGINT', forwardSignal)\n process.on('SIGTERM', forwardSignal)\n\n try {\n const exitCode = await new Promise<number>((resolve, reject) => {\n child.once('exit', (code, signal) => {\n if (code !== null) resolve(code)\n else if (signal !== null) resolve(128 + signalNumber(signal))\n else resolve(1)\n })\n child.once('error', (err) => reject(err))\n })\n // Wait for both stdio streams to finish flushing through the\n // scrubber. A stream that never opened still resolves cleanly\n // because `pipeWithScrubbing` resolves on its `end` event.\n await Promise.all([stdoutClosed, stderrClosed])\n return exitCode\n } finally {\n process.removeListener('SIGINT', forwardSignal)\n process.removeListener('SIGTERM', forwardSignal)\n }\n }\n}\n\n/\n Pipe a child's output through the scrubber to a destination. Buffers\n * across chunk boundaries so secrets that straddle boundaries still\n * match. Flushes the scrubber's tail on stream end so trailing bytes\n * don't get swallowed.\n \n Returns a promise that resolves once the source emits `end` and the\n * tail flush has been written. Caller awaits this before resolving\n * the parent `run()` promise so the last bytes always reach the\n * parent's stream before exit.\n /\nfunction pipeWithScrubbing(\n source: NodeJS.ReadableStream,\n dest: NodeJS.WritableStream,\n scrubber: StreamScrubber,\n onChunk?: (chunk: string) => void\n): Promise<void> {\n return new Promise<void>((resolve) => {\n let flushed = false\n const emit = (chunk: string): void => {\n if (chunk.length === 0) return\n dest.write(chunk)\n onChunk?.(chunk)\n }\n const finishOnce = (): void => {\n if (flushed) return\n flushed = true\n emit(scrubber.redact('', { final: true }))\n resolve()\n }\n source.on('end', finishOnce)\n source.on('close', finishOnce)\n source.on('error', () => {\n flushed = true\n resolve()\n })\n source.setEncoding('utf8')\n source.on('data', (chunk: string) => {\n emit(scrubber.redact(chunk))\n })\n })\n}\n\n/\n Map a signal name to its conventional Unix exit-code suffix\n * (`128 + signum`). Unknown signals fall back to `1`; throwing here\n * would mask the underlying signal-kill from the operator.\n /\nfunction signalNumber(signal: NodeJS.Signals): number {\n const map: Partial<Record<NodeJS.Signals, number>> = {\n SIGHUP: 1,\n SIGINT: 2,\n SIGQUIT: 3,\n SIGKILL: 9,\n SIGTERM: 15,\n }\n return map[signal] ?? 1\n}\n","import { homedir } from 'node:os'\nimport { join } from 'node:path'\n\n/\n XDG-style path helpers. Pure resolvers, no I/O — safe to import\n * from anywhere, including the DI wiring file. Honors the\n * `$GENI_CONFIG_DIR` and `$GENI_CACHE_DIR` env vars so test\n * harnesses (and operators with non-default `$XDG_CONFIG_HOME`\n * setups) can override without monkeypatching.\n /\nexport function configDir(): string {\n return process.env.GENI_CONFIG_DIR ?? join(homedir(), '.config', 'geni')\n}\n\nexport function cacheDir(): string {\n return process.env.GENI_CACHE_DIR ?? join(homedir(), '.cache', 'geni')\n}\n\nexport function sessionFilePath(): string {\n return join(configDir(), 'runner-session.json')\n}\n\nexport function configFilePath(): string {\n return join(configDir(), 'config.json')\n}\n","import {\n ApiClientFactory,\n SessionStore,\n ConfigStore,\n BrowserOpener,\n ChildProcessSpawner,\n} from '../clients/index.js'\nimport { sessionFilePath, configDir, configFilePath } from '../lib/paths.js'\n\n/\n Module-level singletons of every CLI I/O client. Mirrors the\n * server's `apps/server/src/dependencyInjection/clients.ts` — one\n * file is the canonical answer to \"where do these get instantiated?\".\n \n These are intentionally module-level rather than wrapped in a\n * factory function: a CLI process is short-lived, runs one command,\n * and exits. There is no per-request scoping to thread through.\n \n Tests that need to swap an implementation (e.g. a tmp-dir\n * SessionStore for an isolation test) should construct the class\n * directly with the test path; they should not import these.\n /\n\nexport const sessionStore = new SessionStore(sessionFilePath(), configDir())\n\nexport const configStore = new ConfigStore(configFilePath())\n\nexport const apiClientFactory = new ApiClientFactory()\n\nexport const browserOpener = new BrowserOpener()\n\nexport const childProcessSpawner = new ChildProcessSpawner()\n","import {\n SessionContextService,\n AuthService,\n WorkspaceService,\n ExecService,\n DiscoveryService,\n ConfigService,\n} from '../services/index.js'\nimport {\n sessionStore,\n configStore,\n apiClientFactory,\n browserOpener,\n childProcessSpawner,\n} from './clients.js'\n\n/\n Module-level singletons of every CLI service. Mirrors the server's\n * `apps/server/src/dependencyInjection/services.ts`. Wiring order\n * respects dependencies:\n \n `ConfigService` first — owns the URL resolver chain and is\n * composed by Auth + Discovery for `resolveApiUrl` /\n * `resolveDashboardUrl`.\n \n `SessionContextService` next — composed by Workspace + Exec +\n * Discovery for \"give me an authed client\".\n \n Tests that need to swap an implementation should construct the\n * service directly with mocks; they should not import these.\n /\n\nexport const configService = new ConfigService(configStore, sessionStore)\n\nexport const sessionContextService = new SessionContextService(\n sessionStore,\n apiClientFactory\n)\n\nexport const authService = new AuthService(\n apiClientFactory,\n sessionStore,\n browserOpener,\n configService\n)\n\nexport const workspaceService = new WorkspaceService(\n sessionContextService,\n sessionStore\n)\n\nexport const execService = new ExecService(\n sessionContextService,\n childProcessSpawner\n)\n\nexport const discoveryService = new DiscoveryService(\n sessionContextService,\n browserOpener,\n configService\n)\n","import { ApiError } from '../clients/HttpClient.js'\nimport { printError } from './output.js'\nimport { ExitCode, exit } from './exitCodes.js'\n\n/\n Map an arbitrary error caught in a command's `action` handler to\n * the documented CLI exit code, print an actionable message, and exit.\n \n Mapping:\n * - `ApiError` 401 → exit 78 (SessionMissingOrExpired)\n * - `ApiError` 403 → exit 5 (Forbidden)\n * - `ApiError` 404 → exit 4 (NotFound)\n * - `ApiError` 5xx → exit 125 (InternalError)\n * - any other `ApiError` / non-`ApiError` → exit 125\n \n Pass `notFoundMessage` to override the default 404 wording with\n * something domain-specific (e.g. `Credential \"<id>\" not found.`).\n * Omitting it surfaces the server's `error.message` plus a generic\n * \"verify the id\" hint.\n /\nexport function exitOnApiError(\n error: unknown,\n opts: { notFoundMessage?: string } = {}\n): never {\n if (error instanceof ApiError) {\n if (error.status === 404 && opts.notFoundMessage) {\n printError(opts.notFoundMessage)\n exit(ExitCode.NotFound)\n }\n if (error.status === 401) {\n printError(\n `Runner session is missing or expired: ${error.message} Run \\`geni login\\` to re-authenticate, then retry.`\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n if (error.status === 403) {\n printError(\n `Forbidden: ${error.message} Verify the resource id and the active workspace (\\`geni workspace current\\`).`\n )\n exit(ExitCode.Forbidden)\n }\n if (error.status === 404) {\n printError(\n `Not found: ${error.message} Verify the id exists in the active workspace.`\n )\n exit(ExitCode.NotFound)\n }\n if (error.status >= 500) {\n printError(\n `Server error (HTTP ${error.status}): ${error.message} Retry once before reporting.`\n )\n exit(ExitCode.InternalError)\n }\n printError(`Request failed (HTTP ${error.status}): ${error.message}`)\n exit(ExitCode.InternalError)\n }\n printError(\n `Unexpected error: ${error instanceof Error ? error.message : String(error)}`\n )\n exit(ExitCode.InternalError)\n}\n","import { Command } from 'commander'\nimport { authService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\n\ninterface LoginOptions {\n server?: string\n workspace?: string\n}\n\n/\n `geni login` — authenticate via browser device-code flow. Thin\n * handler: parses flags and delegates to `AuthService.login`, which\n * runs the full device-code exchange, saves the session locally, and\n * prints the success summary.\n /\nexport function registerLogin(parent: Command): void {\n parent\n .command('login')\n .description(\n 'Authenticate via browser device-code flow. The CLI prints (and tries to open) a one-time approval URL; the operator picks a workspace in the browser; on approval the CLI saves a runner-session token to ~/.config/geni/runner-session.json. The token is bound to the URL it was minted against, so switching API URL after login requires logout + re-login.'\n )\n .option(\n '--server <url>',\n 'Override the API base URL for this login. Precedence: this flag > $GENI_API_URL > `apiUrl` from `geni config` > https://cloud.generalinput.com. Whatever URL wins is locked into the session file.'\n )\n .option(\n '--workspace <slug>',\n 'After approval, re-bind the session to this workspace slug instead of whatever the dashboard picker chose. Useful in CI / scripted setups where there is no human at the browser.'\n )\n .action(async (opts: LoginOptions) => {\n try {\n await authService.login({\n server: opts.server,\n workspace: opts.workspace,\n })\n } catch (error) {\n exitOnApiError(error)\n }\n })\n}\n","import { Command } from 'commander'\nimport { authService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\n\n/\n `geni logout` — revoke the runner session and remove the local\n * file. Thin handler: delegates to `AuthService.logout` which does\n * a best-effort server revoke and always deletes the local token.\n /\nexport function registerLogout(parent: Command): void {\n parent\n .command('logout')\n .description(\n 'Revoke the runner-session token server-side and delete the local session file (~/.config/geni/runner-session.json). The local file is removed even if the server-side revoke fails. Running `geni logout` should never leave a token the operator thinks is gone still on disk.'\n )\n .action(async () => {\n try {\n await authService.logout()\n } catch (error) {\n exitOnApiError(error)\n }\n })\n}\n","import { Command } from 'commander'\nimport { ApiError } from '../../clients/HttpClient.js'\nimport { authService } from '../../dependencyInjection/services.js'\nimport {\n printError,\n printJson,\n printSuccess,\n printInfo,\n} from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface AuthStatusOptions {\n json?: boolean\n}\n\n/\n Print the active operator and workspace after a `/cli/auth/me`\n * round-trip. Exported separately from the registrar so the parent\n * `geni auth` can run it as a default action when called without a\n * subcommand. The `--json` payload still carries the server URL for\n * scripted callers that need it.\n /\nexport async function executeAuthStatus(\n opts: AuthStatusOptions\n): Promise<void> {\n try {\n const status = await authService.status()\n if (!status) {\n if (opts.json) {\n printJson({ authenticated: false })\n } else {\n printError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.'\n )\n }\n exit(ExitCode.SessionMissingOrExpired)\n }\n if (opts.json) {\n printJson(status)\n exit(ExitCode.Ok)\n }\n printSuccess(`Authenticated as ${status.user.email ?? status.user.id}`)\n printInfo(\n `Active workspace: ${status.workspace.slug} (${status.workspace.name}, ${status.workspace.role})`\n )\n exit(ExitCode.Ok)\n } catch (error) {\n if (error instanceof ApiError && error.status === 401) {\n printError(\n 'Local session token was rejected by the server (revoked, expired, or pointed at a different server). Run `geni login` to mint a fresh session.'\n )\n exit(ExitCode.SessionMissingOrExpired)\n }\n const detail = error instanceof Error ? error.message : String(error)\n printError(\n `Failed to verify session: ${detail}. Check that the server is reachable; \\`geni auth status --json\\` shows the bound server URL.`\n )\n exit(ExitCode.InternalError)\n }\n}\n\n/\n `geni auth status` — print the active operator and workspace,\n * after a `/cli/auth/me` round-trip to confirm the session is still\n * valid server-side. Thin handler: branches on `--json` and the\n * no-session / stale-session cases, delegates to `AuthService.status`\n * for the actual fetch.\n /\nexport function registerStatus(parent: Command): void {\n parent\n .command('status')\n .description(\n 'Verify the active session and print operator + active workspace. Hits `/cli/auth/me` to confirm the token is still valid server-side; a stale local session (server revoked, expired) exits 78 with a clear \"run geni login\" message rather than reporting a fake-OK from the local file alone.'\n )\n .option(\n '--json',\n 'Emit a machine-readable JSON object: `{ authenticated, user, workspace, server }`. When unauthenticated, `{ authenticated: false }` is the only field.'\n )\n .action((opts: AuthStatusOptions) => executeAuthStatus(opts))\n}\n","import { Command } from 'commander'\nimport { registerLogin } from './login.js'\nimport { registerLogout } from './logout.js'\nimport { registerStatus, executeAuthStatus } from './status.js'\n\n/\n Registers `geni login`, `geni logout`, `geni auth status` on the\n * top-level program.\n \n `login` and `logout` are top-level for ergonomics — same shape as\n * `gh auth login` and the conventions external developers know.\n * `auth status` is grouped under an `auth` subcommand because there\n * isn't a sensible single verb for \"check status\" at the top level\n * (`geni status` would clash later if we ever add a `status` of\n * something else).\n \n Bare `geni auth` runs `status` as a default action so a quick\n * \"what session am I on?\" works without having to remember the\n * verb. To pass flags (e.g. `--json`), use the explicit subcommand:\n * `geni auth status --json`.\n /\nexport function registerAuthCommands(program: Command): void {\n registerLogin(program)\n registerLogout(program)\n\n const auth = program\n .command('auth')\n .description('Inspect the active CLI session.')\n .action(() => executeAuthStatus({}))\n registerStatus(auth)\n}\n","import chalk from 'chalk'\n\n/\n Column-aligned table printer for `geni <noun> list` default output.\n * Pads each cell to the longest in its column; doesn't try to be\n * clever about wrapping or terminal width — agents and humans both\n * cope with overflow as long as the columns line up.\n \n Optional `markerFn` flags one row as \"active\" (or \"yours\", or any\n * single-row highlight) with a leading `` and recolors that row's\n first cell cyan. `colorFn` lets a caller dim or accent specific\n * cells (typical: ID columns dimmed, slugs cyan).\n \n Headers always render in dim/uppercase. ANSI is stripped\n * automatically when stdout is piped (chalk does this).\n /\n\nexport interface PrintTableOpts {\n out?: NodeJS.WritableStream\n /\n Returns true for the row to highlight. Marks it with a leading\n * `` in the gutter and renders the first cell in cyan. Auto-\n suppressed if every row matches or none do (so the gutter never\n * becomes visual noise).\n /\n markerFn?: (row: string[], index: number) => boolean\n /\n Per-cell color override. Called for every body cell (not headers).\n * Return the cell unchanged to skip styling. Common pattern: dim the\n * ID column with `dimColumn(0)`.\n /\n colorFn?: (cell: string, args: { row: number; col: number }) => string\n}\n\nexport function printTable(\n headers: string[],\n rows: string[][],\n opts: PrintTableOpts = {}\n): void {\n const out = opts.out ?? process.stdout\n const colCount = headers.length\n\n // Pre-compute marker membership and only render the gutter when the\n // marker actually distinguishes a subset. If every row is marked (or\n // none are), the gutter is pure noise — suppress it.\n const markers = opts.markerFn\n ? rows.map((row, i) => opts.markerFn!(row, i))\n : null\n const usesMarker =\n markers !== null && markers.some((m) => m) && !markers.every((m) => m)\n\n const widths = new Array<number>(colCount).fill(0)\n for (let i = 0; i < colCount; i++) widths[i] = headers[i]!.length\n for (const row of rows) {\n for (let i = 0; i < colCount; i++) {\n const len = row[i]?.length ?? 0\n if (len > widths[i]!) widths[i] = len\n }\n }\n\n // Header row — dim, gutter blank when markers are in play.\n const headerCells = headers.map((h, i) =>\n pad(chalk.dim(h), h.length, widths[i]!, i === colCount - 1)\n )\n out.write((usesMarker ? ' ' : '') + headerCells.join(' ') + '\\n')\n\n rows.forEach((row, rowIdx) => {\n const isMarked = usesMarker && markers![rowIdx] === true\n const cells = row.map((raw, i) => {\n const value = raw ?? ''\n let colored = value\n if (isMarked && i === 0) colored = chalk.cyan(value)\n else if (opts.colorFn)\n colored = opts.colorFn(value, { row: rowIdx, col: i })\n return pad(colored, value.length, widths[i]!, i === colCount - 1)\n })\n const gutter = usesMarker ? `${isMarked ? chalk.green('') : ' '} ` : ''\n out.write(gutter + cells.join(' ') + '\\n')\n })\n}\n\n/*\n Pad a (possibly ANSI-colored) cell to the column width, measuring\n * against `rawLen` (the uncolored length) so trailing spaces don't\n * pick up styling and columns still line up.\n /\nfunction pad(\n colored: string,\n rawLen: number,\n width: number,\n isLast: boolean\n): string {\n if (isLast) return colored\n if (rawLen >= width) return colored\n return colored + ' '.repeat(width - rawLen)\n}\n\n/\n Convenience `colorFn`: dim one column. Compose with array-spread or\n * write your own when you need multiple columns styled.\n /\nexport function dimColumn(\n colIndex: number\n): (cell: string, args: { col: number }) => string {\n return (cell, args) => (args.col === colIndex ? chalk.dim(cell) : cell)\n}\n","import { Command } from 'commander'\nimport { workspaceService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printJson } from '../../lib/output.js'\nimport { printTable } from '../../lib/printTable.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface WorkspaceListOptions {\n json?: boolean\n}\n\n/\n Render every workspace the authenticated account belongs to.\n * Exported separately from the registrar so the parent `geni\n * workspace` (and its `workspaces` alias) can invoke it as a\n * default action when called without a subcommand.\n \n Banner is printed centrally by `SessionContextService.requireAuthed`\n * (which `WorkspaceService.list` calls), so this handler doesn't need\n * to print one explicitly.\n /\nexport async function executeWorkspaceList(\n opts: WorkspaceListOptions\n): Promise<void> {\n try {\n const { workspaces } = await workspaceService.list()\n\n if (opts.json) {\n printJson({\n active: workspaces.find((w) => w.isActive)?.slug ?? null,\n workspaces,\n })\n exit(ExitCode.Ok)\n }\n\n if (workspaces.length === 0) {\n process.stdout.write(\n 'No workspaces yet. Create or join one in the dashboard, then re-run.\\n'\n )\n exit(ExitCode.Ok)\n }\n\n printTable(\n ['SLUG', 'NAME', 'ROLE'],\n workspaces.map((w) => [w.slug, w.name, w.role]),\n { markerFn: (_row, i) => workspaces[i]!.isActive }\n )\n exit(ExitCode.Ok)\n } catch (error) {\n exitOnApiError(error)\n }\n}\n\n/\n `geni workspace list` — every workspace the authenticated account\n * belongs to. Thin handler: fetches via `WorkspaceService.list`,\n * renders the table or JSON. The active workspace is marked with ``.\n /\nexport function registerWorkspaceList(parent: Command): void {\n parent\n .command('list')\n .description(\n 'List every workspace the authenticated account belongs to. The active workspace is marked with a `` and rendered in cyan. Server is the source of truth for both the list and the active marker.'\n )\n .option(\n '--json',\n 'Emit `{ active: <slug>, workspaces: [...] }`. Each workspace carries `membershipId`, `organizationId`, `slug`, `name`, `role`, `isActive`.'\n )\n .action((opts: WorkspaceListOptions) => executeWorkspaceList(opts))\n}\n","import { Command } from 'commander'\nimport as p from '@clack/prompts'\nimport type { Cli } from '@packages/api'\nimport {\n workspaceService,\n sessionContextService,\n} from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printSuccess, printInfo, printError } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/*\n `geni workspace switch [slug]` — re-point the runner session at a\n * different workspace. Thin handler: resolves a target by slug or\n * interactive picker, delegates the actual switch to\n * `WorkspaceService.switch`, prints the new active workspace.\n /\nexport function registerWorkspaceSwitch(parent: Command): void {\n parent\n .command('switch')\n .argument(\n '[slug]',\n 'Workspace slug to switch to. Omit for an interactive picker.'\n )\n .description(\n 'Re-point the runner session at a different workspace the same account belongs to. The session token keeps working; only the active-workspace pointer changes server-side and in the local cache. Pass a slug for scriptable use, or omit for an interactive picker (TTY only).'\n )\n .action(async (slug: string \| undefined) => {\n try {\n const { session } = await sessionContextService.requireAuthed()\n const { workspaces } = await workspaceService.list()\n\n const target = slug\n ? findBySlug(workspaces, slug)\n : await pickInteractively({\n workspaces,\n currentMembershipId: session.workspace.membershipId,\n })\n if (!target) return\n\n if (target.membershipId === session.workspace.membershipId) {\n printInfo(`Already on ${target.slug} (${target.name}). No change.`)\n exit(ExitCode.Ok)\n }\n\n const me = await workspaceService.switch({\n membershipId: target.membershipId,\n })\n printSuccess(\n `Active workspace: ${me.workspace.slug} (${me.workspace.name})`\n )\n exit(ExitCode.Ok)\n } catch (error) {\n exitOnApiError(error)\n }\n })\n}\n\nfunction findBySlug(\n workspaces: Cli.WorkspaceSummary[],\n slug: string\n): Cli.WorkspaceSummary {\n const target = workspaces.find((w) => w.slug === slug)\n if (!target) {\n const available = workspaces.map((w) => w.slug).join(', ') \|\| 'none'\n printError(\n `No workspace with slug \"${slug}\" on this account. Available: [${available}]. Pick one of those, or run \\`geni workspace list\\` for the full set with names + roles.`\n )\n exit(ExitCode.NotFound)\n }\n return target\n}\n\n/\n Interactive picker. Returns the chosen workspace, or `undefined` if\n * the user cancelled (in which case we print a hint and exit 0).\n /\nasync function pickInteractively(args: {\n workspaces: Cli.WorkspaceSummary[]\n currentMembershipId: string\n}): Promise<Cli.WorkspaceSummary \| undefined> {\n if (!process.stdin.isTTY) {\n printError(\n 'Interactive picker needs a TTY. Pass a slug: `geni workspace switch <slug>`.'\n )\n exit(ExitCode.GenericError)\n }\n if (args.workspaces.length === 0) {\n printError(\n 'No workspaces on this account. Create or join one in the dashboard before running `geni workspace switch`.'\n )\n exit(ExitCode.NotFound)\n }\n if (args.workspaces.length === 1) {\n printInfo('You only have one workspace; nothing to switch to.')\n exit(ExitCode.Ok)\n }\n\n const choice = await p.select({\n message: 'Pick a workspace',\n initialValue: args.currentMembershipId,\n options: args.workspaces.map((w) => ({\n value: w.membershipId,\n label: `${w.slug} (${w.name})`,\n hint: w.role,\n })),\n })\n if (p.isCancel(choice)) {\n printInfo('Cancelled.')\n return undefined\n }\n return args.workspaces.find((w) => w.membershipId === choice)\n}\n","import { Command } from 'commander'\nimport { workspaceService } from '../../dependencyInjection/services.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface CurrentOptions {\n json?: boolean\n verbose?: boolean\n}\n\n/\n `geni workspace current` — print the active workspace. Thin\n * handler: reads from `WorkspaceService.current` (which uses the\n * local session cache, no network round-trip) and renders.\n /\nexport function registerWorkspaceCurrent(parent: Command): void {\n parent\n .command('current')\n .description(\n \"Print the active workspace's slug. Reads the local session file directly (no network round-trip), so it's safe to use in shell substitutions like `cd ~/repos/$(geni workspace current)`. Use `--verbose` for slug + name + role + id, or `--json` for machine-readable.\"\n )\n .option('--verbose', 'Include name, role, and id alongside the slug.')\n .option(\n '--json',\n 'Emit the workspace record: `{ membershipId, organizationId, slug, name, role }`.'\n )\n .action((opts: CurrentOptions) => {\n // Action wrapper is synchronous-shaped; the async work happens\n // inside `run` so we keep exit-code semantics unchanged.\n void run(opts)\n })\n}\n\nasync function run(opts: CurrentOptions): Promise<void> {\n const current = await workspaceService.current()\n if (!current) {\n if (opts.json) {\n printJson({ authenticated: false })\n } else {\n printError(\n 'No runner session on disk. Run `geni login` to authenticate, then retry.'\n )\n }\n exit(ExitCode.SessionMissingOrExpired)\n }\n\n const ws = current.workspace\n if (opts.json) {\n printJson(ws)\n exit(ExitCode.Ok)\n }\n if (opts.verbose) {\n process.stdout.write(`slug: ${ws.slug}\\n`)\n process.stdout.write(`name: ${ws.name}\\n`)\n process.stdout.write(`role: ${ws.role}\\n`)\n process.stdout.write(`id: ${ws.organizationId}\\n`)\n exit(ExitCode.Ok)\n }\n process.stdout.write(`${ws.slug}\\n`)\n exit(ExitCode.Ok)\n}\n","import { Command } from 'commander'\nimport { registerWorkspaceList, executeWorkspaceList } from './list.js'\nimport { registerWorkspaceSwitch } from './switch.js'\nimport { registerWorkspaceCurrent } from './current.js'\n\n/\n `geni workspace` (alias: `workspaces`) — list, switch, inspect.\n \n Bare `geni workspace` / `geni workspaces` runs the list view as a\n * default action. To pass flags (e.g. `--json`), use the explicit\n * subcommand: `geni workspace list --json`. The bare shortcut\n * deliberately accepts no flags so adding a flag tomorrow doesn't\n * silently change shell-piped output.\n /\nexport function registerWorkspaceCommands(program: Command): void {\n const workspace = program\n .command('workspace')\n .alias('workspaces')\n .description(\n \"List the workspaces the operator's account belongs to and switch which one this CLI session targets. The runner-session token is account-scoped; the active workspace pointer determines which org's credentials, integrations, and audit logs every other command operates on.\"\n )\n .action(() => executeWorkspaceList({}))\n registerWorkspaceList(workspace)\n registerWorkspaceSwitch(workspace)\n registerWorkspaceCurrent(workspace)\n}\n","import { Command } from 'commander'\nimport { execService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface BashOptions {\n cred: string[]\n reason: string[]\n cwd?: string\n quiet?: boolean\n}\n\n/\n `geni exec bash` — run `bash -lc <cmd>` with cloud-resolved\n * credentials injected as env vars. Thin handler: validates the\n * `--cred` / `--reason` pairing locally, parses the command from the\n * `--` separator, delegates to `ExecService.runBash`.\n \n `ExecService` owns the resolve + env build + scrubber registration\n * + spawn + scrub + signal-forwarding pipeline. The handler exits\n * with the child's code (or one of the documented CLI codes for\n * arg-validation / cred-resolve / session failures).\n /\nexport function registerExecBash(parent: Command): void {\n parent\n .command('bash')\n .description(\n 'Run `bash -lc <cmd>` locally with cloud-resolved credentials injected as env vars. Output is streamed back through a scrubber that replaces every registered secret with [REDACTED:credential_<id>].'\n )\n .option(\n '--cred <id>',\n 'Credential id to inject. Repeat once per credential; each --cred MUST be followed by exactly one --reason. Pairing is by order: the Nth --cred goes with the Nth --reason. Discover ids via `geni credential list --service <service>`.',\n collect,\n []\n )\n .option(\n '--reason <text>',\n 'Why this credential is being accessed. Lands in the credential access log and is shown to the operator. Re-state on every call; the audit log is per-invocation.',\n collect,\n []\n )\n .option(\n '--cwd <path>',\n 'Working directory for the command. Defaults to your current shell cwd.'\n )\n .option(\n '--quiet',\n \"Suppress geni's `resolved <cred> → ...` status lines on stderr. Subprocess output still passes through, scrubbed.\"\n )\n .allowExcessArguments(true)\n .action(async (opts: BashOptions, command: Command) => {\n try {\n const code = await runExecBash(opts, command.args)\n process.exit(code)\n } catch (error) {\n exitOnApiError(error)\n }\n })\n .addHelpText(\n 'after',\n `\nAlways-injected env vars (no --cred required):\n $PLATFORM_API_KEY short-lived bearer for $PLATFORM_BASE_URL/<service> calls\n $PLATFORM_BASE_URL the cloud's base URL\n\nPer-credential env vars are derived from the integration's secret\nschema, with the credential id as a suffix so two credentials of the\nsame service can coexist: $<SERVICE>_<FIELD>_<id>\nLook up the exact names before constructing the command:\n geni credential get <id> --field envVars # for a known cred\n geni integration get <service> --field envVars # for a service\n\nExamples:\n\n # One credential, simple curl:\n geni exec bash \\\\\n --cred cred_01HX --reason \"Listing Slack channels\" \\\\\n -- 'curl -s -H \"Authorization: Bearer $SLACK_ACCESS_TOKEN_01HX\" https://slack.com/api/conversations.list'\n\n # Multiple credentials, fan-out (suffix keeps them distinct):\n geni exec bash \\\\\n --cred cred_slackA --reason \"Posting to #engineering\" \\\\\n --cred cred_slackB --reason \"Posting to #marketing\" \\\\\n -- 'curl ... $SLACK_ACCESS_TOKEN_SLACKA ... && curl ... $SLACK_ACCESS_TOKEN_SLACKB ...'\n\n # No --cred. Platform service:\n geni exec bash -- 'curl -s -H \"Authorization: Bearer $PLATFORM_API_KEY\" \"$PLATFORM_BASE_URL/v1/web-search\" -d ...'\n\nExit codes:\n 0–125 subprocess's own exit code\n 77 server refused to resolve a credential, don't retry\n 78 runner session missing or expired, run \\`geni login\\`\n 125 internal CLI error\n`\n )\n}\n\nfunction collect(value: string, prev: string[]): string[] {\n return [...prev, value]\n}\n\nasync function runExecBash(\n opts: BashOptions,\n positional: string[]\n): Promise<number> {\n const command = positional.join(' ').trim()\n if (!command) {\n printError(\n 'Missing the bash command. Put it after a literal `--` (flags before `--` belong to geni). Example: `geni exec bash --cred cred_X --reason \"...\" -- \\'curl ...\\'`.'\n )\n exit(ExitCode.InvalidArgs)\n }\n if (opts.cred.length !== opts.reason.length) {\n printError(\n `--cred and --reason must be paired one-to-one (got ${opts.cred.length} --cred and ${opts.reason.length} --reason). Example: \\`--cred cred_A --reason \"...\" --cred cred_B --reason \"...\"\\`.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n return execService.runBash({\n command,\n // Pair-by-index: Commander's `collect` reducer keeps both arrays\n // in declaration order, so opts.cred[i] always corresponds to\n // opts.reason[i].\n credentials: opts.cred.map((id, i) => ({\n id,\n reason: opts.reason[i]!,\n })),\n cwd: opts.cwd,\n quiet: opts.quiet,\n })\n}\n","import { Command } from 'commander'\nimport { registerExecBash } from './bash.js'\n\n/\n `geni exec` — execution primitives. Runs bash commands locally on\n * the operator's machine with credentials resolved by the cloud and\n * injected as env vars. Output is streamed back through a scrubber.\n \n Subcommands:\n * bash — run a bash command with cloud-resolved credentials.\n /\nexport function registerExecCommands(program: Command): void {\n const exec = program\n .command('exec')\n .description(\n \"Run bash locally with the operator's credentials resolved by the cloud and injected as env vars. Plaintext secrets never enter the agent's transcript — output is streamed through a scrubber that redacts every registered secret value.\"\n )\n\n registerExecBash(exec)\n}\n","import { Command } from 'commander'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printJson } from '../../lib/output.js'\nimport { printTable, dimColumn } from '../../lib/printTable.js'\n\nexport interface CredentialListOptions {\n service?: string\n mine?: boolean\n query?: string\n json?: boolean\n}\n\n/\n Render credentials matching the given filters. Exported separately\n * from the registrar so the parent `geni credential` (and its\n * `credentials` alias) can invoke it as a default action.\n /\nexport async function executeCredentialList(\n opts: CredentialListOptions\n): Promise<void> {\n try {\n const credentials = await discoveryService.listCredentials({\n service: opts.service,\n mine: opts.mine,\n query: opts.query,\n })\n\n if (opts.json) {\n printJson({ credentials })\n return\n }\n if (credentials.length === 0) {\n const filterDesc = describeCredentialFilters(opts)\n process.stdout.write(\n filterDesc\n ? `No credentials match (${filterDesc}). Drop filters or run \\`geni credential connect <service>\\` to add one.\\n`\n : 'No credentials connected yet. Connect one with `geni credential connect <service>` (find a service slug with `geni integration list -q <keyword>`).\\n'\n )\n return\n }\n printTable(\n ['ID', 'SERVICE', 'TITLE'],\n credentials.map((c) => [c.id, c.service, c.title]),\n {\n // `` flags the rows you own (auto-suppressed if every row is\n // yours or none are — i.e. the marker only renders when it\n // actually distinguishes a subset).\n markerFn: (_row, i) => credentials[i]!.isOwnedByViewer,\n colorFn: dimColumn(0),\n }\n )\n } catch (error) {\n exitOnApiError(error)\n }\n}\n\n/*\n `geni credential list` — list every credential the runner-session's\n * membership has access to. Thin handler: filters via\n * `DiscoveryService.listCredentials`, renders the table or JSON.\n /\nexport function registerCredentialList(parent: Command): void {\n parent\n .command('list')\n .description(\n 'List credentials the runner session can use (owned, org-shared, or per-credential collaborator). Default columns are id / service / title — for env var names, OAuth scopes, or the full record use `geni credential get <id>` (or `--field <path>` / `--json`).'\n )\n .option(\n '--service <slug>',\n 'Filter to one service (e.g. slack, github, salesforce). Use `geni integration list` to discover slugs.'\n )\n .option(\n '--mine',\n 'Only credentials owned by you. Excludes credentials shared with you via org-grant or collaborator rows.'\n )\n .option(\n '-q, --query <text>',\n 'Substring rank across service, title, and provider name. Service slug weighs highest.'\n )\n .option(\n '--json',\n 'Machine-readable output. Each entry carries `id`, `service`, `envVars`, `grantedScopes`, etc.'\n )\n .action((opts: CredentialListOptions) => executeCredentialList(opts))\n}\n\nfunction describeCredentialFilters(opts: CredentialListOptions): string {\n const parts: string[] = []\n if (opts.service) parts.push(`--service ${opts.service}`)\n if (opts.mine) parts.push('--mine')\n if (opts.query) parts.push(`-q \"${opts.query}\"`)\n return parts.join(' ')\n}\n","/\n Resolve a dotted-path field from a JSON-like value, used by\n * `--field <path>` flags on `geni <noun> get`. Supports object keys\n * and array indices (`fields.0.name`).\n \n Returns `undefined` when any segment of the path doesn't resolve;\n * the caller treats `undefined` as \"not found\" and exits accordingly.\n * Doesn't try to handle bracketed indices (`fields[0].name`) — the\n * dotted form is enough for the agent-facing surface, less ambiguous,\n * and matches how `jq` handles array indices when keys are numeric.\n /\nexport function extractField(\n value: unknown,\n path: string\n): unknown \| undefined {\n const segments = path.split('.').filter((s) => s.length > 0)\n let current: unknown = value\n for (const segment of segments) {\n if (current === null \|\| current === undefined) return undefined\n if (Array.isArray(current)) {\n const idx = Number.parseInt(segment, 10)\n if (Number.isNaN(idx)) return undefined\n current = current[idx]\n } else if (typeof current === 'object') {\n // After the typeof / null / array narrowing above, `current` is\n // a plain object. Reflect.get returns `unknown` and accepts a\n // generic object target, so we don't need a type assertion.\n current = Reflect.get(current, segment)\n } else {\n return undefined\n }\n }\n return current\n}\n\n/\n Stringify a value extracted from a `--field` lookup for terminal\n * output. Strings print bare (no JSON quoting); everything else uses\n * `JSON.stringify` with two-space indentation so structured fields\n * are agent-friendly.\n /\nexport function formatExtractedField(value: unknown): string {\n if (typeof value === 'string') return value\n if (value === null \|\| value === undefined) return ''\n return JSON.stringify(value, null, 2)\n}\n","import { Command } from 'commander'\nimport type { Cli } from '@packages/api'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { extractField, formatExtractedField } from '../../lib/jsonField.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface GetOptions {\n json?: boolean\n field?: string\n}\n\n/\n `geni credential get <id>` — print one credential's full record.\n * Thin handler: fetches via `DiscoveryService.getCredential`, renders\n * the default text view, JSON, or one extracted field.\n /\nexport function registerCredentialGet(parent: Command): void {\n parent\n .command('get')\n .argument('<id>', 'Credential id (e.g. `cred_01HX…`).')\n .description(\n \"Print one credential's full record: env var names, per-field secret/non-secret breakdown, ownership, sharing, scopes. No plaintext secret values are returned. Those resolve server-side at `geni exec bash` time.\"\n )\n .option('--json', 'Machine-readable output (full record).')\n .option(\n '--field <path>',\n 'Print one dotted-path field instead of the whole record. Examples: `envVars`, `grantedScopes`, `service`, `isShared`.'\n )\n .action(async (id: string, opts: GetOptions) => {\n try {\n const detail = await discoveryService.getCredential(id)\n\n if (opts.field) {\n const value = extractField(detail, opts.field)\n if (value === undefined) {\n const topLevel = Object.keys(detail).join(', ')\n printError(\n `Field \"${opts.field}\" is not on the credential record. Top-level fields: [${topLevel}]. Pass a dotted path that exists, or run \\`geni credential get ${id} --json\\` to see the whole shape.`\n )\n exit(ExitCode.NotFound)\n }\n process.stdout.write(formatExtractedField(value) + '\\n')\n return\n }\n if (opts.json) {\n printJson(detail)\n return\n }\n printDefault(detail)\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `No credential with id \"${id}\" in the active workspace. Run \\`geni credential list\\` to find the right id.`,\n })\n }\n })\n}\n\nfunction printDefault(detail: Cli.CredentialDetail): void {\n const out = process.stdout\n out.write(`${detail.id} ${detail.title}\\n`)\n out.write(`provider: ${detail.providerTitle}\\n`)\n out.write(`type: ${detail.credentialType}\\n`)\n out.write(`created: ${detail.createdAt.slice(0, 10)}\\n`)\n out.write(\n `ownership: ${detail.isOwnedByViewer ? 'owned by you' : 'shared with you'}\\n`\n )\n out.write(`shared: ${detail.isShared ? 'yes' : 'no'}\\n\\n`)\n\n out.write('envVars:\\n')\n for (const v of detail.envVars) out.write(` ${v}\\n`)\n out.write('\\n')\n\n if (detail.fields.length > 0) {\n out.write('fields:\\n')\n for (const f of detail.fields) {\n out.write(` ${f.name.padEnd(14)} ${f.isSecret ? 'secret' : 'config'}\\n`)\n }\n out.write('\\n')\n }\n\n if (detail.grantedScopes && detail.grantedScopes.length > 0) {\n out.write(`scopes: ${detail.grantedScopes.join(', ')}\\n`)\n }\n}\n","import { Command } from 'commander'\nimport chalk from 'chalk'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printInfo } from '../../lib/output.js'\n\ninterface ConnectOptions {\n printUrl?: boolean\n noBrowser?: boolean\n}\n\n/\n `geni credential connect <service>` — open the dashboard's connect\n * page for a service. Thin handler: validates the slug + builds the\n * URL via `DiscoveryService.connectCredential`, then prints to\n * stdout. The service handles the actual browser launch for\n * non-`--print-url` invocations.\n /\nexport function registerCredentialConnect(parent: Command): void {\n parent\n .command('connect')\n .argument(\n '<service>',\n 'Service slug (slack, github, …). Use `geni integration list` to discover.'\n )\n .description(\n \"Open the dashboard's authorize page for a service so the operator can connect a new credential. Lightweight by design: no polling, no rendezvous. After the operator finishes in the dashboard, re-run `geni credential list --service <service>` to discover the new credential id.\"\n )\n .option(\n '--print-url',\n \"Don't auto-open the browser; print the URL to stdout. Useful in headless / SSH / CI sessions.\"\n )\n .option('--no-browser', 'Alias for --print-url.')\n .action(async (service: string, opts: ConnectOptions) => {\n try {\n const intent = await discoveryService.connectCredential({\n service,\n // Commander turns `--no-browser` into `noBrowser: false`,\n // so the print-only branch is \"either flag was passed\".\n printUrlOnly: opts.printUrl \|\| opts.noBrowser === false,\n })\n if (intent.kind === 'print-url') {\n process.stdout.write(`${intent.url}\\n`)\n return\n }\n printInfo(`Opening ${chalk.cyan(intent.url)}`)\n printInfo(\n `↳ connect ${service} in your browser, then come back here`\n )\n process.stdout.write(\n `\\nOnce it's connected, re-run: geni credential list --service ${service}\\n`\n )\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `Service \"${service}\" not found.`,\n })\n }\n })\n}\n","import { Command } from 'commander'\nimport { registerCredentialList, executeCredentialList } from './list.js'\nimport { registerCredentialGet } from './get.js'\nimport { registerCredentialConnect } from './connect.js'\n\n/\n `geni credential` (alias: `credentials`) — credential discovery\n * (and prompt-the-operator-to-connect). Discovery only — secret\n * values never travel through the CLI surface; declare a credential\n * on a `geni exec` call and the cloud injects the resolved values\n * into the spawned subprocess.\n \n Bare `geni credential` / `geni credentials` runs the list view as\n * a default action. To pass flags (e.g. `--service slack`), use the\n * explicit subcommand: `geni credential list --service slack`.\n /\nexport function registerCredentialCommands(program: Command): void {\n const credential = program\n .command('credential')\n .alias('credentials')\n .description(\n \"Discover the operator's connected credentials and prompt them to connect new ones. Discovery-only: the agent sees credential ids and the env var names that get set when each is declared on `geni exec bash`, never plaintext secrets. Resolution and decryption happen server-side at exec time.\"\n )\n .action(() => executeCredentialList({}))\n\n registerCredentialList(credential)\n registerCredentialGet(credential)\n registerCredentialConnect(credential)\n}\n","import { Command } from 'commander'\nimport chalk from 'chalk'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { printTable } from '../../lib/printTable.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface IntegrationListOptions {\n type?: string\n query?: string\n json?: boolean\n}\n\nconst VALID_TYPES = ['oauth2', 'apiKey', 'platform', 'noAuth'] as const\nconst VALID_TYPE_SET: ReadonlySet<string> = new Set(VALID_TYPES)\n\n/\n Render the integration catalog with the given filters. Exported\n * separately from the registrar so the parent `geni integration`\n * (and its `integrations` alias) can invoke it as a default action.\n /\nexport async function executeIntegrationList(\n opts: IntegrationListOptions\n): Promise<void> {\n if (opts.type && !VALID_TYPE_SET.has(opts.type)) {\n printError(\n `Invalid --type \"${opts.type}\". Valid values: [${VALID_TYPES.join(', ')}]. \\`oauth2\\` and \\`apiKey\\` are user-connected credentials; \\`platform\\` is first-party (uses $PLATFORM_API_KEY); \\`noAuth\\` is a public API.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n try {\n const integrations = await discoveryService.listIntegrations({\n type: opts.type,\n query: opts.query,\n })\n if (opts.json) {\n printJson({ integrations })\n return\n }\n if (integrations.length === 0) {\n const filterDesc = [\n opts.type ? `--type ${opts.type}` : null,\n opts.query ? `-q \"${opts.query}\"` : null,\n ]\n .filter(Boolean)\n .join(' ')\n process.stdout.write(\n `No integrations match (${filterDesc \|\| 'no filters'}). Drop filters or broaden the query.\\n`\n )\n return\n }\n printTable(\n ['SERVICE', 'TITLE', 'TYPE'],\n integrations.map((i) => [i.service, i.title, i.credentialType]),\n {\n // Service slug is the lookup key for every other CLI verb\n // (`credential connect <service>`, `integration get <service>`),\n // so render it cyan to draw the eye. Type is metadata — dim.\n colorFn: (cell, args) => {\n if (args.col === 0) return chalk.cyan(cell)\n if (args.col === 2) return chalk.dim(cell)\n return cell\n },\n }\n )\n } catch (error) {\n exitOnApiError(error)\n }\n}\n\n/\n `geni integration list` — every integration available to the\n * operator's organization. Thin handler: validates `--type`, fetches\n * via `DiscoveryService.listIntegrations` (server-side hybrid\n * search runs when `--query` is set), renders.\n /\nexport function registerIntegrationList(parent: Command): void {\n parent\n .command('list')\n .description(\n \"List every integration available to the operator's organization: third-party services (slack, github, salesforce), platform services (chat-completion, search-internet), and noAuth APIs. The starting point for finding the canonical `service` slug to pass to `geni credential connect` or to filter `geni credential list`.\"\n )\n .option(\n '--type <kind>',\n `Filter by credential type: ${VALID_TYPES.join(' \| ')}. \\`oauth2\\` and \\`apiKey\\` need a connected credential; \\`platform\\` uses $PLATFORM_API_KEY; \\`noAuth\\` is a public API that needs no auth.`\n )\n .option(\n '-q, --query <text>',\n 'Server-side hybrid (semantic + lexical) search across service slug, title, and description. Search by capability (\"send message\", \"calendar\"), not just service name.'\n )\n .option(\n '--json',\n 'Machine-readable output. Each entry is `{ service, title, description, credentialType }`.'\n )\n .action((opts: IntegrationListOptions) => executeIntegrationList(opts))\n}\n","import { Command } from 'commander'\nimport type { Cli } from '@packages/api'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { extractField, formatExtractedField } from '../../lib/jsonField.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface GetOptions {\n json?: boolean\n field?: string\n}\n\n/\n `geni integration get <service>` — full setup metadata for one\n * integration. Thin handler: fetches via\n * `DiscoveryService.getIntegration`, renders the default text view,\n * JSON, or one extracted field.\n /\nexport function registerIntegrationGet(parent: Command): void {\n parent\n .command('get')\n .argument('<service>', 'Service slug (slack, github, …).')\n .description(\n 'Full setup metadata for one integration: bash env var names that get set when its credentials are declared, per-field secret/non-secret breakdown, OAuth scope catalog (when applicable), operator-facing setup guide. Read this when the agent needs to walk the operator through credential setup or wants to know exactly what env vars a credential will produce before declaring one.'\n )\n .option('--json', 'Machine-readable output (full record).')\n .option(\n '--field <path>',\n 'Print one dotted-path field instead of the whole record. Examples: `envVars`, `oauthScopes`, `fields`, `setupGuide`.'\n )\n .action(async (service: string, opts: GetOptions) => {\n try {\n const detail = await discoveryService.getIntegration(service)\n\n if (opts.field) {\n const value = extractField(detail, opts.field)\n if (value === undefined) {\n const topLevel = Object.keys(detail).join(', ')\n printError(\n `Field \"${opts.field}\" is not on the integration record. Top-level fields: [${topLevel}]. Pass a dotted path that exists, or run \\`geni integration get ${service} --json\\` to see the whole shape.`\n )\n exit(ExitCode.NotFound)\n }\n process.stdout.write(formatExtractedField(value) + '\\n')\n return\n }\n if (opts.json) {\n printJson(detail)\n return\n }\n printDefault(detail)\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `No integration with slug \"${service}\". Run \\`geni integration list -q <keyword>\\` to find the right slug (slugs are the service's brand name lowercased, e.g. \\`slack\\`).`,\n })\n }\n })\n}\n\nfunction printDefault(detail: Cli.IntegrationDetail): void {\n const out = process.stdout\n out.write(`${detail.service} ${detail.title}\\n`)\n out.write(`type: ${detail.credentialType}\\n\\n`)\n\n out.write('description:\\n')\n out.write(` ${detail.description}\\n\\n`)\n\n if (detail.oauthScopes && detail.oauthScopes.length > 0) {\n out.write('OAuth scopes:\\n')\n for (const scope of detail.oauthScopes) {\n out.write(\n ` ${scope.name.padEnd(40)} ${scope.description \|\| '(no description)'}\\n`\n )\n }\n out.write('\\n')\n }\n\n if (detail.fields.length > 0) {\n out.write('Secret schema:\\n')\n for (const f of detail.fields) {\n out.write(` ${f.name.padEnd(20)} ${f.isSecret ? 'secret' : 'config'}\\n`)\n }\n out.write('\\n')\n }\n\n if (detail.envVars.length > 0) {\n out.write('Bash env vars set when used:\\n')\n out.write(` ${detail.envVars.map((v) => `$${v}`).join(', ')}\\n`)\n }\n}\n","import { Command } from 'commander'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printJson } from '../../lib/output.js'\nimport { printTable, dimColumn } from '../../lib/printTable.js'\n\ninterface OperationsOptions {\n query?: string\n json?: boolean\n}\n\n/\n `geni integration operations <service>` — list operations exposed\n * by an integration. Thin handler: fetches + ranks via\n * `DiscoveryService.listOperations`, renders.\n /\nexport function registerIntegrationOperations(parent: Command): void {\n parent\n .command('operations')\n .argument('<service>', 'Service slug (e.g. slack, github, stripe).')\n .description(\n \"List the operations one integration exposes (e.g. for slack: 'Send a Message', 'Get Channel History'). Each row's id is the input to `geni integration operation <id>` for full reference docs.\"\n )\n .option(\n '-q, --query <text>',\n 'Substring rank across operation title and description. Title weighs higher.'\n )\n .option(\n '--json',\n 'Machine-readable output. Each entry is `{ id, title, description }`.'\n )\n .action(async (service: string, opts: OperationsOptions) => {\n try {\n const operations = await discoveryService.listOperations({\n service,\n query: opts.query,\n })\n if (opts.json) {\n printJson({ operations })\n return\n }\n if (operations.length === 0) {\n process.stdout.write(\n opts.query\n ? `No operations on \\`${service}\\` match -q \"${opts.query}\". Drop the query to list all, or broaden the keyword.\\n`\n : `\\`${service}\\` exposes no operations. Verify the service slug with \\`geni integration list\\`.\\n`\n )\n return\n }\n printTable(\n ['ID', 'TITLE', 'DESCRIPTION'],\n operations.map((op) => [op.id, op.title, op.description]),\n { colorFn: dimColumn(0) }\n )\n } catch (error) {\n exitOnApiError(error, {\n notFoundMessage: `No integration with slug \"${service}\". Run \\`geni integration list -q <keyword>\\` to find the right slug.`,\n })\n }\n })\n}\n","import { Command } from 'commander'\nimport type { Cli } from '@packages/api'\nimport { discoveryService } from '../../dependencyInjection/services.js'\nimport { exitOnApiError } from '../../lib/cliErrors.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\ninterface OperationOptions {\n format?: string\n}\n\nconst VALID_FORMATS = ['text', 'markdown', 'json'] as const\nconst VALID_FORMAT_SET: ReadonlySet<string> = new Set(VALID_FORMATS)\n\n/\n `geni integration operation [<service>] <opId>` — full reference\n * docs for one operation. Thin handler: validates `--format`,\n * dispatches to `DiscoveryService.getOperation` (which picks the\n * service-scoped or bare-id route), renders text / markdown / JSON.\n /\nexport function registerIntegrationOperation(parent: Command): void {\n parent\n .command('operation')\n .argument(\n '<serviceOrId>',\n 'Operation id, or service slug followed by operation id.'\n )\n .argument('[opId]', 'Operation id when the first arg is a service slug.')\n .description(\n 'Full reference for one operation: HTTP method+path, required scopes, params, response shape, code example, and the env var names that get set when a credential of this service is declared on `geni exec bash`. The single most important command before constructing a credentialed request. Read this, then write the call.'\n )\n .option(\n '--format <fmt>',\n `Output format: ${VALID_FORMATS.join(' \| ')}. \\`markdown\\` is the cleanest paste into an LLM context window.`,\n 'text'\n )\n .action(\n async (\n serviceOrId: string,\n maybeOpId: string \| undefined,\n opts: OperationOptions\n ) => {\n const format = opts.format ?? 'text'\n if (!VALID_FORMAT_SET.has(format)) {\n printError(\n `Invalid --format \"${format}\". Valid values: [${VALID_FORMATS.join(', ')}]. Default is \\`text\\`; use \\`markdown\\` when pasting into an LLM context.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n try {\n const detail = await discoveryService.getOperation(\n maybeOpId\n ? { service: serviceOrId, opId: maybeOpId }\n : { opId: serviceOrId }\n )\n\n if (format === 'json') {\n printJson(detail)\n return\n }\n if (format === 'markdown') {\n process.stdout.write(detail.documentation + '\\n')\n return\n }\n printText(detail)\n } catch (error) {\n const target = maybeOpId ? `${serviceOrId} ${maybeOpId}` : serviceOrId\n exitOnApiError(error, {\n notFoundMessage: `No operation found for \"${target}\". List operations for a service with \\`geni integration operations <service>\\`, then re-run with one of those ids.`,\n })\n }\n }\n )\n .addHelpText(\n 'after',\n `\nExamples:\n\n # Look up by bare operation id (server resolves the service):\n geni integration operation 4c21e1ee-4d54-4413-a4f2-80a80dff4c99\n\n # Look up with service prefix (works the same, useful when the agent\n # already knows the service):\n geni integration operation slack 4c21e1ee-4d54-4413-a4f2-80a80dff4c99\n\n # Paste-ready for an LLM context window:\n geni integration operation slack 4c21e1ee... --format markdown\n\nFind ids first with: geni integration operations <service>\n`\n )\n}\n\n/\n Render a minimal text view of the operation. The `documentation`\n * field is already markdown — for `--format text` we strip the most\n * obvious markdown noise (heading hashes, code fences) so the agent\n * gets an LLM-safe plain-text rendering. For pristine markdown use\n * `--format markdown`.\n /\nfunction printText(detail: Cli.IntegrationOperationDetail): void {\n const out = process.stdout\n out.write(`${detail.service} · ${detail.title}\\n\\n`)\n if (detail.description) out.write(`${detail.description}\\n\\n`)\n const cleaned = detail.documentation\n .replace(/^#+\\s/gm, '')\n .replace(/^```[\\w-]$/gm, '')\n out.write(cleaned)\n if (!cleaned.endsWith('\\n')) out.write('\\n')\n}\n","import { Command } from 'commander'\nimport { registerIntegrationList, executeIntegrationList } from './list.js'\nimport { registerIntegrationGet } from './get.js'\nimport { registerIntegrationOperations } from './operations.js'\nimport { registerIntegrationOperation } from './operation.js'\n\n/\n `geni integration` (alias: `integrations`) — discover the\n * integrations available to the operator's organization. Used by\n * agents to find the canonical `service` slug for a credential, the\n * env var names a credential will set, and the per-operation\n * reference docs needed to construct a `geni exec bash` curl\n * invocation.\n \n Bare `geni integration` / `geni integrations` runs the list view\n * as a default action. To pass flags (e.g. `-q \"calendar\"`), use\n * the explicit subcommand: `geni integration list -q \"calendar\"`.\n /\nexport function registerIntegrationCommands(program: Command): void {\n const integration = program\n .command('integration')\n .alias('integrations')\n .description(\n \"Discover the integration catalog: which third-party and platform services the operator's organization can use, the env var names each service's credentials will inject, and per-operation reference docs (HTTP method, params, examples) needed to construct an exec call.\"\n )\n .action(() => executeIntegrationList({}))\n\n registerIntegrationList(integration)\n registerIntegrationGet(integration)\n registerIntegrationOperations(integration)\n registerIntegrationOperation(integration)\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\nimport { printError, printJson } from '../../lib/output.js'\nimport { printTable } from '../../lib/printTable.js'\nimport {\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n} from '../../types/config.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\nexport interface ConfigGetArgs {\n key?: string\n json?: boolean\n}\n\nconst UNSET_PLACEHOLDER = '(unset)'\n\n/\n Print what's in the config file, either one key or every settable\n * key as a table. Exported separately from the registrar so the\n * parent `geni config` can run it as a default action when called\n * without a subcommand.\n /\nexport function executeConfigGet(args: ConfigGetArgs): void {\n const file = configService.fileValues()\n\n if (args.key) {\n if (!isSettableConfigKey(args.key)) {\n printError(\n `Unknown config key \"${args.key}\". Valid keys: ${SETTABLE_CONFIG_KEYS.join(', ')}.`\n )\n exit(ExitCode.InvalidArgs)\n }\n const value = file[args.key]\n if (args.json) {\n printJson({ [args.key]: value ?? null })\n return\n }\n process.stdout.write((value ?? UNSET_PLACEHOLDER) + '\\n')\n return\n }\n\n if (args.json) {\n const payload: Record<string, string \| null> = {}\n for (const k of SETTABLE_CONFIG_KEYS) payload[k] = file[k] ?? null\n printJson(payload)\n return\n }\n\n printTable(\n ['KEY', 'VALUE'],\n SETTABLE_CONFIG_KEYS.map((k) => [k, file[k] ?? UNSET_PLACEHOLDER])\n )\n}\n\n/\n `geni config get [key]` — print whatever is in the persistent\n * config file. Symmetric with `geni config set`: whatever you wrote\n * is what you read. To see which URL the CLI is hitting at runtime\n * (which can differ when a runner-session is bound to a different\n * server), run `geni auth status`.\n /\nexport function registerConfigGet(parent: Command): void {\n parent\n .command('get')\n .argument(\n '[key]',\n `Specific key to read (${SETTABLE_CONFIG_KEYS.join(' \| ')}). Omit to list every settable key with its value.`\n )\n .description(\n \"Print what's written to the persistent config file. Symmetric with `geni config set` — whatever you wrote is what you read. Unset keys render as `(unset)` in table output and `null` in --json. For the URL the CLI is actually hitting at runtime (which can differ if a runner-session is bound to a different server), run `geni auth status`.\"\n )\n .option(\n '--json',\n 'Machine-readable output. Unset keys are emitted as JSON `null`.'\n )\n .action((key: string \| undefined, opts: { json?: boolean }) =>\n executeConfigGet({ key, json: opts.json })\n )\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\nimport { printError, printSuccess } from '../../lib/output.js'\nimport {\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n} from '../../types/config.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/\n `geni config set <key> <value>` — write or overwrite one config\n * key. Thin handler: validates the key arg, delegates to\n * `ConfigService.set` (which validates the value against the schema\n * AND rejects an `apiUrl` change that conflicts with the active\n * session), then renders the appropriate message.\n \n The session-conflict refusal exists so the file never disagrees\n * with what the CLI is actually doing at runtime: a runner-session\n * is bound to the URL it was minted on, so changing `apiUrl` while\n * a session is active would silently lie about where commands go.\n /\nexport function registerConfigSet(parent: Command): void {\n parent\n .command('set')\n .argument('<key>', `Config key (${SETTABLE_CONFIG_KEYS.join(' \| ')}).`)\n .argument(\n '<value>',\n 'New value. URL keys must be valid http:// or https:// URLs (validated on write).'\n )\n .description(\n 'Write a config value. Validated against the schema on write, so a malformed URL fails loudly here rather than waiting for the next CLI command to crash. Refuses to change `apiUrl` while a runner-session is bound to a different server — logout (or use `geni login --server <url>`) to switch first.'\n )\n .action(async (key: string, value: string) => {\n if (!isSettableConfigKey(key)) {\n printError(\n `Unknown config key \"${key}\". Valid keys: ${SETTABLE_CONFIG_KEYS.join(', ')}.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n const result = await configService.set({ key, value })\n if (result.ok) {\n printSuccess(`Set ${key} = ${value}`)\n return\n }\n\n // `exit()` returns `never`, so falling through is impossible at\n // runtime — the disables silence ESLint's static check.\n switch (result.reason) {\n case 'invalid':\n printError(`Invalid value for ${key}: ${result.error}.`)\n exit(ExitCode.InvalidArgs)\n // eslint-disable-next-line no-fallthrough\n case 'session_conflict':\n printError(\n `Refusing to change apiUrl: an active session is bound to ${result.sessionUrl}.`\n )\n printError(\n `Run \\`geni logout\\` first, or switch in one step with \\`geni login --server ${value}\\`.`\n )\n exit(ExitCode.GenericError)\n // eslint-disable-next-line no-fallthrough\n default: {\n const _exhaustive: never = result\n throw new Error(\n `Unhandled set result: ${JSON.stringify(_exhaustive)}`\n )\n }\n }\n })\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\nimport { printError, printSuccess } from '../../lib/output.js'\nimport {\n SETTABLE_CONFIG_KEYS,\n isSettableConfigKey,\n} from '../../types/config.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/\n `geni config unset <key>` — remove a config key. Thin handler:\n * validates the key, delegates to `ConfigService.unset` which keeps\n * the rest of the file intact (or deletes it when nothing's left),\n * and prints the appropriate confirmation.\n /\nexport function registerConfigUnset(parent: Command): void {\n parent\n .command('unset')\n .argument('<key>', `Config key (${SETTABLE_CONFIG_KEYS.join(' \| ')}).`)\n .description(\n \"Remove a key from the config file. The resolver falls back through env vars then the compiled-in default, so unsetting doesn't break the CLI; it just goes to the next layer. When the last key is removed, the file itself is deleted instead of leaving an empty config behind.\"\n )\n .action(async (key: string) => {\n if (!isSettableConfigKey(key)) {\n printError(\n `Unknown config key \"${key}\". Valid keys: ${SETTABLE_CONFIG_KEYS.join(', ')}.`\n )\n exit(ExitCode.InvalidArgs)\n }\n\n const result = await configService.unset({ key })\n if (!result.wasSet) {\n printSuccess(`${key} was already unset.`)\n return\n }\n printSuccess(`Unset ${key}.`)\n })\n}\n","import { Command } from 'commander'\nimport { configService } from '../../dependencyInjection/services.js'\n\n/\n `geni config path` — print the path to the config file. Useful for\n * `cat $(geni config path)` and `vim $(geni config path)` patterns,\n * and for debugging which file the CLI is actually reading.\n /\nexport function registerConfigPath(parent: Command): void {\n parent\n .command('path')\n .description(\n 'Print the absolute path to the config file. Useful in shell substitutions: `cat $(geni config path)`, `vim $(geni config path)`. Honors $GENI_CONFIG_DIR; defaults to ~/.config/geni/config.json. Always prints what the path WOULD be, the file may not exist yet.'\n )\n .action(() => {\n process.stdout.write(configService.path + '\\n')\n })\n}\n","import { Command } from 'commander'\nimport { registerConfigGet, executeConfigGet } from './get.js'\nimport { registerConfigSet } from './set.js'\nimport { registerConfigUnset } from './unset.js'\nimport { registerConfigPath } from './path.js'\n\n/\n `geni config` — manage the persistent CLI config (`<config-dir>/config.json`).\n \n Settable keys today:\n * - `apiUrl` the cloud API base URL\n * - `dashboardUrl` the dashboard base URL\n \n Add new keys in `apps/cli/src/types/config.ts` (`SETTABLE_CONFIG_KEYS`)\n * along with the Zod schema so validation, listing, and the help text\n * stay consistent.\n \n Bare `geni config` runs `get` (no key) as a default action, so a\n * quick \"what's in my config?\" works without having to remember the\n * verb. To pass flags (e.g. `--json`) or read a specific key, use\n * the explicit subcommand: `geni config get apiUrl --json`.\n /\nexport function registerConfigCommands(program: Command): void {\n const config = program\n .command('config')\n .description(\n 'Read and write the persistent CLI config (`~/.config/geni/config.json` by default; honors $GENI_CONFIG_DIR). Holds defaults the resolver consults when nothing more specific is set, useful for pointing the CLI at a self-hosted or local-dev server without re-passing `--server` or exporting an env var on every shell.'\n )\n .action(() => executeConfigGet({}))\n\n registerConfigGet(config)\n registerConfigSet(config)\n registerConfigUnset(config)\n registerConfigPath(config)\n\n config.addHelpText(\n 'after',\n `\nSettable keys:\n apiUrl cloud API base URL used at fresh \\`geni login\\` time\n dashboardUrl dashboard base URL used by browser-opening commands\n (e.g. \\`geni credential connect\\`)\n\nResolver precedence for apiUrl (highest wins):\n 1. session file's stored server (locked at \\`geni login\\` time)\n 2. $GENI_API_URL env var\n 3. \\`apiUrl\\` in this config\n 4. compiled-in default (https://cloud.generalinput.com)\n\nSwitching API URL after login:\n $ geni logout\n $ geni config set apiUrl http://localhost:4111\n $ geni login\nThe session token is bound to the URL it was minted against, so\n\\`config set apiUrl <new>\\` is refused while a session is active —\nlogout (or use \\`geni login --server <url>\\`) to switch in one step.\n`\n )\n}\n","import { homedir } from 'node:os'\nimport { join } from 'node:path'\nimport {\n mkdirSync,\n writeFileSync,\n existsSync,\n readFileSync,\n unlinkSync,\n rmSync,\n} from 'node:fs'\nimport geniSkillContent from '../skills/geni.md'\n\n/\n Bundled skill content the agent reads to learn how to use `geni`.\n * The markdown lives at `src/skills/geni.md` (real file, easy to edit\n * and preview) and is inlined into the binary at build time by tsup's\n * `.md` text loader. Editing the markdown is the way to update the\n * skill — when the user upgrades geni, the new content lands\n * automatically (the install command is idempotent and overwrites).\n /\nexport const GENI_SKILL_NAME = 'geni'\nexport const GENI_SKILL_MD = geniSkillContent\n\n/\n Where each supported agent looks for skill files. Detection is\n * directory-existence based — if the agent's home dir exists, we\n * treat it as installed and write the skill there.\n \n Two install locations cover today's standard-`SKILL.md` agents:\n \n 1. `~/.claude/skills/geni/SKILL.md` — Claude Code only. It does\n * not honor the cross-vendor `~/.agents/` path.\n * 2. `~/.agents/skills/geni/SKILL.md` — the agentskills.io standard\n * location. Codex CLI, Gemini CLI, and VS Code Copilot Chat all\n * read from here, so a single write covers all three.\n \n Vendor-specific formats (Cursor `.mdc`, Cline / Continue / Windsurf\n * flat `.md` with bespoke frontmatter and size caps) are intentionally\n * not installed here — they need their own format adapter and a\n * smaller, rewritten skill body. Add them when they're worth the\n * separate authoring pass, not as silent transformations.\n \n Skill layout in every supported target is the same: a directory\n * named after the skill, with `SKILL.md` (frontmatter + body) inside.\n /\ninterface AgentTarget {\n name: string\n detect(): boolean\n skillDir: string\n skillPath: string\n legacyPaths: string[]\n}\n\nconst home = homedir()\nconst claudeSkillsDir = join(home, '.claude', 'skills')\nconst claudeGeniDir = join(claudeSkillsDir, GENI_SKILL_NAME)\nconst agentSkillsDir = join(home, '.agents', 'skills')\nconst agentSkillsGeniDir = join(agentSkillsDir, GENI_SKILL_NAME)\n\nconst TARGETS: AgentTarget[] = [\n {\n name: 'Claude Code',\n detect: () => existsSync(join(home, '.claude')),\n skillDir: claudeGeniDir,\n skillPath: join(claudeGeniDir, 'SKILL.md'),\n // Earlier versions of `geni skills install` wrote a loose .md file\n // at `~/.claude/skills/geni.md`, which Claude Code silently ignores.\n // Clean it up on install/uninstall so upgraders aren't left with a\n // stale sibling that confuses `doctor`.\n legacyPaths: [join(claudeSkillsDir, `${GENI_SKILL_NAME}.md`)],\n },\n {\n name: 'Codex CLI / Gemini CLI / VS Code Copilot',\n // Detection: any of the supporting agents has touched disk, or the\n // shared `~/.agents/` dir already exists (likely written by another\n // installer). We don't probe for VS Code Copilot Chat directly\n // because it lives inside VS Code's user data with no clean\n // home-dir signal — Copilot users typically have one of the CLIs\n // installed too, and the install is idempotent if they don't.\n detect: () =>\n existsSync(join(home, '.codex')) \|\|\n existsSync(join(home, '.gemini')) \|\|\n existsSync(join(home, '.agents')),\n skillDir: agentSkillsGeniDir,\n skillPath: join(agentSkillsGeniDir, 'SKILL.md'),\n legacyPaths: [],\n },\n]\n\nexport interface SkillTarget {\n name: string\n path: string\n}\n\nexport function detectSkillTargets(): SkillTarget[] {\n const out: SkillTarget[] = []\n for (const target of TARGETS) {\n if (!target.detect()) continue\n out.push({ name: target.name, path: target.skillPath })\n }\n return out\n}\n\n/\n Write the bundled skill content to each detected agent's skill\n * directory. Idempotent — overwrites with the current bundled\n * content every call, which is also how upgrades work (bumping the\n * geni version → re-running install ships the new skill).\n /\nexport function installSkills(): SkillInstallResult[] {\n const results: SkillInstallResult[] = []\n for (const target of TARGETS) {\n if (!target.detect()) continue\n const path = target.skillPath\n try {\n mkdirSync(target.skillDir, { recursive: true })\n const previous = existsSync(path) ? readFileSync(path, 'utf-8') : null\n const changed = previous !== GENI_SKILL_MD\n writeFileSync(path, GENI_SKILL_MD)\n for (const legacy of target.legacyPaths) {\n if (existsSync(legacy)) unlinkSync(legacy)\n }\n results.push({\n name: target.name,\n path,\n status: changed ? 'updated' : 'unchanged',\n })\n } catch (err) {\n results.push({\n name: target.name,\n path,\n status: 'failed',\n error: err instanceof Error ? err.message : String(err),\n })\n }\n }\n return results\n}\n\nexport function uninstallSkills(): SkillUninstallResult[] {\n const results: SkillUninstallResult[] = []\n for (const target of TARGETS) {\n if (!target.detect()) continue\n const dir = target.skillDir\n const path = target.skillPath\n const legacies = target.legacyPaths.filter((p) => existsSync(p))\n if (!existsSync(dir) && legacies.length === 0) {\n results.push({ name: target.name, path, status: 'absent' })\n continue\n }\n try {\n // Remove the whole skill directory (SKILL.md plus anything else\n // we've dropped alongside it) and any leftover legacy loose files.\n rmSync(dir, { recursive: true, force: true })\n for (const legacy of legacies) unlinkSync(legacy)\n results.push({ name: target.name, path, status: 'removed' })\n } catch (err) {\n results.push({\n name: target.name,\n path,\n status: 'failed',\n error: err instanceof Error ? err.message : String(err),\n })\n }\n }\n return results\n}\n\nexport interface SkillInstallResult extends SkillTarget {\n status: 'updated' \| 'unchanged' \| 'failed'\n error?: string\n}\n\nexport interface SkillUninstallResult extends SkillTarget {\n status: 'removed' \| 'absent' \| 'failed'\n error?: string\n}\n","---\nname: geni\ndescription: Use the operator's connected services (Slack, Gmail, GitHub, Stripe, anything they've authorized in General Input) to fulfill their request. Load this whenever the user wants you to take an action on their behalf against an external SaaS account, fetch data from one of their tools, or wire something up that crosses service boundaries.\n---\n\n# geni\n\n`geni` is a CLI that gives you credentialed access to the operator's\nconnected accounts. The cloud injects their tokens into a fresh bash\nsubprocess as env vars; you write the `curl`, you never see the\nsecret. Run `geni --help` for the full command surface.\n\n## How to talk about geni\n\nTreat geni as a teammate — the integration specialist who picks the\nright operation and runs the credentialed call. You're the one\nsynthesizing and replying.\n\nIn summaries of multi-step work, credit geni naturally: \"Geni pulled\nthe last 30 days of charges from Stripe; I rolled them into the report\nbelow.\" Skip the credit on trivial single calls; don't manufacture\nteam language (\"with geni's help…\") to fill space. Lowercase `geni`\nin commands; capitalize \"Geni\" when personifying.\n\n## Request flow\n\nDiscovery first. Don't guess URLs, params, or env var names — the\noperation docs have them.\n\n1. `geni credential list [--service <slug>]` — find a connected\n credential id. If nothing's connected for the service, run\n `geni integration list -q \"<keyword>\"` to confirm the slug, then\n `geni credential connect <service>` (see \"Connecting a missing\n credential\" below).\n2. `geni integration operations <service> [-q \"<keyword>\"]` — find\n the operation you need.\n3. `geni integration operation <id> --format markdown` — read the\n HTTP shape, params, and exact env var names* this call will set.\n4. `geni exec bash --cred <cred_id> --reason \"<what + why>\" -- '<curl>'`\n\n## Connecting a missing credential\n\n`geni credential connect <service>` opens the integration's\ndashboard page in the operator's browser. Tell the operator to\nfinish the connection there and come back — then re-run `geni\ncredential list --service <service>` to pick up the new id. Don't\npoll, don't loop. In non-interactive shells, add `--print-url` so\nthe URL prints to stdout instead.\n\n## Env vars\n\nRead the names off the operation docs; never derive them. Two flavors\nemitted per credential:\n\n- Suffixed: `<SERVICE>_<FIELD>_<id>` (e.g. `$SLACK_BOT_TOKEN_ABC`,\n `$SALESFORCE_INSTANCE_URL_KG`). The `<id>` is the credential id with\n `cred_` stripped, uppercased. Use these when fanning out across\n multiple credentials of the same service in one call.\n- Canonical aliases: well-known SDK names (`$GH_TOKEN`,\n `$SLACK_BOT_TOKEN`, `$OPENAI_API_KEY`, `$STRIPE_API_KEY`, …) for\n tools that hardcode them.\n\nPlus `$PLATFORM_API_KEY` and `$PLATFORM_BASE_URL` on every exec — use\nthem to call General Input's first-party services (web search, image\ngen, weather, send-email) without `--cred`.\n\n## --reason is per-call\n\nEvery `geni exec bash --cred ...` requires `--reason`. It lands in\nthe operator's audit log and is shown to them. Be specific\n(\"Posting daily digest to #engineering\"), not generic (\"Slack call\").\nRe-state it on every call — the log is per-call, not per-session.\n\n## Output is scrubbed\n\nstdout and stderr pass through a streaming scrubber that replaces\nevery registered secret with `[REDACTED:credential_<id>]`. Don't try\nto exfiltrate via `echo $TOKEN \| base64`; common encodings are\ncaught too. You don't need to see the secret to use it — the\nsubprocess can.\n\n## Exit codes worth knowing\n\n- `0` — success; `1–125` — subprocess's own exit (curl, jq, etc.)\n- `4` — resource not found (bad cred id, slug, operation id)\n- `77` — server refused to resolve a credential. Don't retry; surface\n to the operator.\n- `78` — session expired. Tell the operator to run `geni login`.\n\n## Don't\n\n- Don't construct a curl without reading the operation docs first.\n Guessing at URLs and env var names is the most common failure mode.\n- Don't promise scheduled or recurring jobs. Workflows are coming\n soon but not shipped; offer the one-off equivalent now.\n- Use `--json` on list/get commands when you're going to parse the\n output. Table output is for humans.\n","import { Command } from 'commander'\nimport { installSkills, detectSkillTargets } from '../../lib/skills.js'\nimport {\n printSuccess,\n printInfo,\n printWarning,\n printError,\n} from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/*\n `geni skills install` — write the bundled skill files into every\n * detected agent's skill directory. Idempotent; re-run after a `geni`\n * upgrade to ship the latest skill content.\n \n No flags. Detection is automatic, output reports what landed where\n * so the operator can see the result without having to find the file.\n /\nexport function registerSkillsInstall(parent: Command): void {\n parent\n .command('install')\n .description(\n 'Install the bundled geni skill into every detected AI agent (Claude Code, Codex CLI, Gemini CLI, VS Code Copilot Chat). Idempotent, safe to re-run after upgrading geni.'\n )\n .action(() => {\n const targets = detectSkillTargets()\n if (targets.length === 0) {\n printWarning(\n 'No supported AI agent detected. Install Claude Code (https://claude.ai/download), Codex CLI, or Gemini CLI first, then re-run `geni skills install`.'\n )\n exit(ExitCode.NotFound)\n }\n const results = installSkills()\n for (const r of results) {\n if (r.status === 'failed') {\n printError(`${r.name}: ${r.error ?? 'failed'} (${r.path})`)\n continue\n }\n if (r.status === 'updated') {\n printSuccess(`${r.name}: ${r.path}`)\n } else {\n printInfo(`${r.name}: ${r.path} (already up to date)`)\n }\n }\n const failed = results.some((r) => r.status === 'failed')\n exit(failed ? ExitCode.InternalError : ExitCode.Ok)\n })\n}\n","import { Command } from 'commander'\nimport { uninstallSkills } from '../../lib/skills.js'\nimport { printSuccess, printInfo, printError } from '../../lib/output.js'\nimport { ExitCode, exit } from '../../lib/exitCodes.js'\n\n/\n `geni skills uninstall` — remove the geni skill files from every\n * detected agent. Useful for clean uninstall or when switching to\n * a project-local skill setup later.\n /\nexport function registerSkillsUninstall(parent: Command): void {\n parent\n .command('uninstall')\n .description(\n 'Remove the geni skill from every detected AI agent. Leaves the agent itself untouched.'\n )\n .action(() => {\n const results = uninstallSkills()\n if (results.length === 0) {\n printInfo('No supported AI agent detected; nothing to remove.')\n exit(ExitCode.Ok)\n }\n for (const r of results) {\n if (r.status === 'failed') {\n printError(`${r.name}: ${r.error ?? 'failed'} (${r.path})`)\n continue\n }\n if (r.status === 'removed') {\n printSuccess(`${r.name}: removed ${r.path}`)\n } else {\n printInfo(`${r.name}: nothing to remove (${r.path} not present)`)\n }\n }\n const failed = results.some((r) => r.status === 'failed')\n exit(failed ? ExitCode.InternalError : ExitCode.Ok)\n })\n}\n","import { Command } from 'commander'\nimport { registerSkillsInstall } from './install.js'\nimport { registerSkillsUninstall } from './uninstall.js'\n\n/\n `geni skills` — install (or remove) the bundled instructions that\n * teach an AI agent how to use `geni`. The skill content ships with\n * the binary and lands in the agent's plugin/skill directory so the\n * agent picks it up automatically. Re-running after a `geni` upgrade\n * is the supported update path.\n /\nexport function registerSkillsCommands(program: Command): void {\n const skills = program\n .command('skills')\n .description(\n 'Install (or remove) the agent-facing geni instructions in your AI coding agent. Detects Claude Code (others coming) and writes a skill file the agent loads automatically.'\n )\n\n registerSkillsInstall(skills)\n registerSkillsUninstall(skills)\n}\n","import { Command } from 'commander'\nimport chalk from 'chalk'\nimport { ApiError } from '../clients/HttpClient.js'\nimport {\n authService,\n sessionContextService,\n} from '../dependencyInjection/services.js'\nimport {\n checkRuntimeDeps,\n REQUIRED_RUNTIME_DEPS,\n installHint,\n} from '../lib/preflight.js'\nimport { detectSkillTargets, GENI_SKILL_MD } from '../lib/skills.js'\nimport { existsSync, readFileSync } from 'node:fs'\nimport { ExitCode, exit } from '../lib/exitCodes.js'\n\n/\n `geni doctor` — feel-good preflight that walks through every layer\n * `geni` depends on and reports ✓/✗ for each. Designed as the first\n * thing to run when something doesn't work, and as the last thing to\n * run after install to confirm everything's wired up.\n \n Each check is independent — one failure doesn't short-circuit the\n * rest, so a single run produces the full picture.\n /\nexport function registerDoctorCommand(program: Command): void {\n program\n .command('doctor')\n .description(\n 'Diagnose your geni setup: required system tools, active session, network reach to the cloud, and skill installation across detected AI agents. Prints a checklist with ✓/✗ for each.'\n )\n .action(async () => {\n const checks: CheckResult[] = []\n checks.push(...runtimeDepsCheck())\n checks.push(...(await sessionCheck()))\n checks.push(...skillsCheck())\n printReport(checks)\n const failures = checks.filter((c) => c.status === 'fail').length\n exit(failures > 0 ? ExitCode.GenericError : ExitCode.Ok)\n })\n}\n\ninterface CheckResult {\n label: string\n status: 'pass' \| 'fail' \| 'warn'\n detail: string\n}\n\nfunction runtimeDepsCheck(): CheckResult[] {\n const { found, missing } = checkRuntimeDeps()\n const out: CheckResult[] = []\n for (const dep of REQUIRED_RUNTIME_DEPS) {\n const path = found[dep]\n if (path) {\n out.push({\n label: `${dep} on $PATH`,\n status: 'pass',\n detail: path,\n })\n } else {\n out.push({\n label: `${dep} on $PATH`,\n status: 'fail',\n detail: `not found. ${installHint([dep])}`,\n })\n }\n }\n if (missing.length > 1) {\n // Append a single hint with all missing deps for one-line install.\n out.push({\n label: 'install hint',\n status: 'warn',\n detail: installHint(missing),\n })\n }\n return out\n}\n\nasync function sessionCheck(): Promise<CheckResult[]> {\n const session = await sessionContextService.load()\n if (!session) {\n return [\n {\n label: 'runner session',\n status: 'fail',\n detail: 'no session on disk. Run `geni login` to authenticate.',\n },\n ]\n }\n const out: CheckResult[] = [\n {\n label: 'runner session',\n status: 'pass',\n detail: `${session.user.email ?? session.user.id} on ${session.server}`,\n },\n {\n label: 'active workspace',\n status: 'pass',\n detail: `${session.workspace.slug} (${session.workspace.role})`,\n },\n ]\n // Hit /cli/auth/me to verify the session is still valid server-side\n // and the server is reachable. This is the network-reach check.\n try {\n await authService.status()\n out.push({\n label: 'server reachable + session valid',\n status: 'pass',\n detail: session.server,\n })\n } catch (err) {\n if (err instanceof ApiError && err.status === 401) {\n out.push({\n label: 'server reachable + session valid',\n status: 'fail',\n detail: 'session token rejected. Run `geni login` to re-authenticate.',\n })\n } else {\n const detail = err instanceof Error ? err.message : String(err)\n out.push({\n label: 'server reachable',\n status: 'fail',\n detail: `${session.server} unreachable: ${detail}`,\n })\n }\n }\n return out\n}\n\nfunction skillsCheck(): CheckResult[] {\n const targets = detectSkillTargets()\n if (targets.length === 0) {\n return [\n {\n label: 'AI agent detected',\n status: 'warn',\n detail:\n 'no supported agent installed yet. Install Claude Code (https://claude.ai/download) and re-run `geni doctor`.',\n },\n ]\n }\n const out: CheckResult[] = []\n for (const target of targets) {\n if (!existsSync(target.path)) {\n out.push({\n label: `${target.name} skill installed`,\n status: 'fail',\n detail: `${target.path} missing. Run \\`geni skills install\\` to write it.`,\n })\n continue\n }\n const onDisk = readFileSync(target.path, 'utf-8')\n if (onDisk === GENI_SKILL_MD) {\n out.push({\n label: `${target.name} skill installed`,\n status: 'pass',\n detail: `${target.path} (current)`,\n })\n } else {\n out.push({\n label: `${target.name} skill installed`,\n status: 'warn',\n detail: `${target.path} is out of date. Run \\`geni skills install\\` to refresh.`,\n })\n }\n }\n return out\n}\n\nfunction printReport(checks: CheckResult[]): void {\n for (const check of checks) {\n const mark =\n check.status === 'pass'\n ? chalk.green('✓')\n : check.status === 'warn'\n ? chalk.yellow('!')\n : chalk.red('✗')\n process.stdout.write(`${mark} ${check.label}\\n`)\n process.stdout.write(` ${chalk.dim(check.detail)}\\n`)\n }\n const fails = checks.filter((c) => c.status === 'fail').length\n const warns = checks.filter((c) => c.status === 'warn').length\n process.stdout.write('\\n')\n if (fails === 0 && warns === 0) {\n process.stdout.write(chalk.green('All checks passed.\\n'))\n } else {\n process.stdout.write(\n `${fails} failure${fails === 1 ? '' : 's'}, ${warns} warning${warns === 1 ? '' : 's'}.\\n`\n )\n }\n}\n","import { delimiter, join } from 'node:path'\nimport { accessSync, constants } from 'node:fs'\nimport { printError } from './output.js'\nimport { ExitCode, exit } from './exitCodes.js'\n\n/\n Tools the agent's bash flow can't run without:\n * - bash, the shell every `geni exec bash` invocation passes commands to\n * - curl, the HTTP client agents reach for in those bash commands\n * - jq, how agents parse JSON responses inside the bash one-liner\n \n Order matters in the printed install hint: bash first since it's the\n * shell, curl + jq usually missing together on a fresh Mac.\n /\nexport const REQUIRED_RUNTIME_DEPS = ['bash', 'curl', 'jq'] as const\nexport type RuntimeDep = (typeof REQUIRED_RUNTIME_DEPS)[number]\n\n/\n `which`-style PATH lookup without spawning a shell. Splits `$PATH`,\n * stat-checks each candidate. Used at startup so we can hard-fail with\n * a clear install hint instead of letting `geni exec` blow up later\n * with an opaque ENOENT.\n /\nexport function findOnPath(name: string): string \| null {\n const path = process.env.PATH\n if (!path) return null\n for (const dir of path.split(delimiter)) {\n if (dir.length === 0) continue\n const candidate = join(dir, name)\n try {\n accessSync(candidate, constants.X_OK)\n return candidate\n } catch {\n // Not executable here — try the next dir.\n }\n }\n return null\n}\n\nexport interface PreflightResult {\n missing: RuntimeDep[]\n found: Record<RuntimeDep, string \| null>\n}\n\nexport function checkRuntimeDeps(): PreflightResult {\n const found = {} as Record<RuntimeDep, string \| null>\n const missing: RuntimeDep[] = []\n for (const dep of REQUIRED_RUNTIME_DEPS) {\n const path = findOnPath(dep)\n found[dep] = path\n if (path === null) missing.push(dep)\n }\n return { missing, found }\n}\n\n/\n Run the preflight check at command startup. Hard-exits with an\n * actionable install hint if anything's missing — every command from\n * `auth login` to `exec bash` shells to at least one of these\n * eventually, so refusing up front is better than failing later with\n * an ENOENT the agent can't easily map back to \"install jq\".\n /\nexport function requireRuntimeDeps(): void {\n const { missing } = checkRuntimeDeps()\n if (missing.length === 0) return\n printError(\n `Missing required tool(s) on $PATH: ${missing.join(', ')}. ${installHint(missing)}`\n )\n exit(ExitCode.InternalError)\n}\n\n/\n One-line install command per OS. Mac defaults to Homebrew (universal\n * for the dev audience); Linux probes apt/dnf/pacman in that order.\n * Windows users running geni inside WSL hit the Linux branch via\n * uname; native Windows isn't supported for the bash flow.\n */\nexport function installHint(deps: readonly string[]): string {\n const list = deps.join(' ')\n switch (process.platform) {\n case 'darwin':\n return `Install with: \\`brew install ${list}\\``\n case 'linux':\n return `Install with your distro's package manager, e.g. \\`sudo apt install ${list}\\` or \\`sudo dnf install ${list}\\``\n default:\n return `Install ${list} before re-running.`\n }\n}\n"],"mappings":";;;AAAA,SAAS,eAAe;;;ACAxB,OAAO,WAAW;AAOX,SAAS,aAAa,SAAuB;AAClD,UAAQ,OAAO,MAAM,GAAG,MAAM,MAAM,QAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AACzD;AAMO,SAAS,UAAU,SAAuB;AAC/C,UAAQ,OAAO,MAAM,GAAG,MAAM,IAAI,MAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AACvD;AAMO,SAAS,aAAa,SAAuB;AAClD,UAAQ,OAAO,MAAM,GAAG,MAAM,OAAO,GAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AAC1D;AAMO,SAAS,WAAW,SAAuB;AAChD,UAAQ,OAAO,MAAM,GAAG,MAAM,IAAI,QAAG,CAAC,IAAI,OAAO;AAAA,CAAI;AACvD;AAMO,SAAS,UAAU,OAAsB;AAC9C,UAAQ,OAAO,MAAM,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,IAAI;AAC5D;;;ACzCA,OAAOA,YAAW;AAkBX,SAAS,YAAY,MAKnB;AACP,MAAI,KAAK,KAAM;AACf,MAAI,QAAQ,IAAI,mBAAmB,IAAK;AACxC,MAAI,CAAC,QAAQ,OAAO,MAAO;AAC3B,MAAI,CAAC,KAAK,QAAS;AAEnB,QAAM,KAAK,KAAK,QAAQ;AACxB,QAAM,QAAQ;AAAA,IACZA,OAAM,IAAI,MAAM;AAAA,IAChBA,OAAM,IAAI,MAAG;AAAA,IACbA,OAAM,IAAI,YAAY;AAAA,IACtBA,OAAM,KAAK,GAAG,IAAI;AAAA,EACpB;AACA,MAAI,KAAK,YAAY;AACnB,UAAM;AAAA,MACJA,OAAM,IAAI,MAAG;AAAA,MACbA,OAAM,IAAI,WAAW;AAAA,MACrBA,OAAM,KAAK,KAAK,UAAU;AAAA,IAC5B;AACA,QAAI,KAAK,cAAc;AACrB,YAAM,KAAKA,OAAM,IAAI,IAAI,KAAK,YAAY,GAAG,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,MAAM,KAAK,GAAG,IAAI,IAAI;AAI3C,QAAM,aAAa,CAAC,aAAU,GAAG,IAAI,EAAE;AACvC,MAAI,KAAK,WAAY,YAAW,KAAK,KAAK,UAAU;AACpD,UAAQ,OAAO,MAAM,UAAU,WAAW,KAAK,QAAK,CAAC,MAAM;AAC7D;;;AC5CO,IAAM,WAAW;AAAA,EACtB,IAAI;AAAA,EACJ,cAAc;AAAA,EACd,aAAa;AAAA,EACb,UAAU;AAAA,EACV,WAAW;AAAA,EACX,kBAAkB;AAAA,EAClB,yBAAyB;AAAA,EACzB,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,SAAS;AAAA,EACT,eAAe;AACjB;AAQO,SAAS,KAAK,MAAuB;AAC1C,UAAQ,KAAK,IAAI;AACnB;;;ACPO,IAAM,wBAAN,MAA4B;AAAA,EAC1B,YACYC,eACAC,mBACjB;AAFiB,wBAAAD;AACA,4BAAAC;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA,EAIZ,OAA0C;AAC/C,WAAO,KAAK,aAAa,KAAK;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAa,gBAA+C;AAC1D,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,SAAS;AACZ;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,gBAAY,EAAE,QAAQ,CAAC;AACvB,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,KAAK,iBAAiB,MAAM;AAAA,QAClC,QAAQ,QAAQ;AAAA,QAChB,OAAO,QAAQ;AAAA,MACjB,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AC9DA,SAAS,gBAAgB;AACzB,OAAOC,YAAW;AAoCX,IAAM,cAAN,MAAkB;AAAA,EAChB,YACYC,mBACAC,eACAC,gBACAC,gBACjB;AAJiB,4BAAAH;AACA,wBAAAC;AACA,yBAAAC;AACA,yBAAAC;AAAA,EAChB;AAAA,EAJgB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnB,MAAa,MAAM,MAAgC;AACjD,UAAM,SAAS,KAAK,cAAc,cAAc,KAAK,MAAM;AAC3D,UAAM,SAAS,KAAK,iBAAiB,MAAM,EAAE,QAAQ,OAAO,KAAK,CAAC;AAElE,UAAM,QAAQ,MAAM,OAAO,KAAK,gBAAgB,iBAAiB,CAAC;AAClE,cAAU,WAAWC,OAAM,KAAK,MAAM,eAAe,CAAC,EAAE;AACxD,cAAU,sCAAsC;AAChD,SAAK,cAAc,KAAK,MAAM,eAAe;AAE7C,UAAM,SAAS,MAAM,KAAK,kBAAkB,QAAQ,KAAK;AACzD,QAAI,OAAO,WAAW,UAAU;AAC9B;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,SAAS;AAAA,IACzB;AACA,QAAI,OAAO,WAAW,WAAW;AAC/B;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,YAAY;AAAA,IAC5B;AACA,QAAI,0BAA0B,QAAQ;AACpC;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,YAAY;AAAA,IAC5B;AAEA,UAAM,KAAK,aAAa,KAAK;AAAA,MAC3B,SAAS;AAAA,MACT;AAAA,MACA,OAAO,OAAO;AAAA,MACd,MAAM;AAAA,QACJ,IAAI,OAAO,GAAG,KAAK;AAAA,QACnB,OAAO,OAAO,GAAG,KAAK,SAAS;AAAA,QAC/B,MAAM,OAAO,GAAG,KAAK,QAAQ;AAAA,MAC/B;AAAA,MACA,WAAW;AAAA,QACT,cAAc,OAAO,GAAG,UAAU;AAAA,QAClC,gBAAgB,OAAO,GAAG,UAAU;AAAA,QACpC,MAAM,OAAO,GAAG,UAAU;AAAA,QAC1B,MAAM,OAAO,GAAG,UAAU;AAAA,QAC1B,MAAM,OAAO,GAAG,UAAU;AAAA,MAC5B;AAAA,MACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,CAAC;AAED,QAAI,KAAK,WAAW;AAClB,YAAM,KAAK,qBAAqB;AAAA,QAC9B;AAAA,QACA,eAAe,KAAK;AAAA,MACtB,CAAC;AAAA,IACH;AAEA,UAAM,QAAQ,MAAM,KAAK,aAAa,KAAK;AAC3C,QAAI,CAAC,OAAO;AACV;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,aAAa;AAAA,IAC7B;AACA,iBAAa,oBAAoB,MAAM,KAAK,SAAS,MAAM,KAAK,EAAE,EAAE;AACpE;AAAA,MACE,qBAAqB,MAAM,UAAU,IAAI,KAAK,MAAM,UAAU,IAAI;AAAA,IACpE;AACA,cAAU,qDAAqD;AAAA,EACjE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,SAAwB;AACnC,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,SAAS;AACZ,gBAAU,oBAAoB;AAC9B;AAAA,IACF;AACA,QAAI;AACF,YAAM,SAAS,KAAK,iBAAiB,MAAM;AAAA,QACzC,QAAQ,QAAQ;AAAA,QAChB,OAAO,QAAQ;AAAA,MACjB,CAAC;AACD,YAAM,OAAO,KAAK,OAAO;AACzB,mBAAa,kBAAkB;AAAA,IACjC,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,gBAAU,yBAAyB,OAAO,EAAE;AAC5C,gBAAU,gCAAgC;AAAA,IAC5C;AACA,UAAM,KAAK,aAAa,OAAO;AAC/B,iBAAa,4CAA4C;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAa,SAAuC;AAClD,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,QAAS,QAAO;AACrB,UAAM,SAAS,KAAK,iBAAiB,MAAM;AAAA,MACzC,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AACD,UAAM,KAAK,MAAM,OAAO,KAAK,GAAG;AAChC,WAAO;AAAA,MACL,eAAe;AAAA,MACf,MAAM;AAAA,QACJ,IAAI,GAAG,KAAK;AAAA,QACZ,OAAO,GAAG,KAAK,SAAS;AAAA,QACxB,MAAM,GAAG,KAAK,QAAQ;AAAA,MACxB;AAAA,MACA,WAAW,GAAG;AAAA,MACd,QAAQ,QAAQ;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,qBAAqB,MAGjB;AAChB,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,QAAS;AACd,QAAI,KAAK,kBAAkB,QAAQ,UAAU,KAAM;AAEnD,UAAM,SAAS,KAAK,iBAAiB,MAAM;AAAA,MACzC,QAAQ,KAAK;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AACD,UAAM,OAAO,MAAM,OAAO,WAAW,KAAK;AAC1C,UAAM,SAAS,KAAK,WAAW,KAAK,CAAC,MAAM,EAAE,SAAS,KAAK,aAAa;AACxE,QAAI,CAAC,QAAQ;AACX,YAAM,YAAY,KAAK,WAAW,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI,KAAK;AACnE;AAAA,QACE,2BAA2B,KAAK,aAAa,kCAAkC,SAAS;AAAA,MAC1F;AACA,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,UAAM,KAAK,MAAM,OAAO,WAAW,OAAO,OAAO,YAAY;AAC7D,UAAM,KAAK,cAAc,EAAE,SAAS,GAAG,CAAC;AAAA,EAC1C;AAAA,EAEA,MAAc,cAAc,MAGV;AAChB,UAAM,KAAK,aAAa,KAAK;AAAA,MAC3B,GAAG,KAAK;AAAA,MACR,WAAW;AAAA,QACT,cAAc,KAAK,GAAG,UAAU;AAAA,QAChC,gBAAgB,KAAK,GAAG,UAAU;AAAA,QAClC,MAAM,KAAK,GAAG,UAAU;AAAA,QACxB,MAAM,KAAK,GAAG,UAAU;AAAA,QACxB,MAAM,KAAK,GAAG,UAAU;AAAA,MAC1B;AAAA,MACA,MAAM;AAAA,QACJ,IAAI,KAAK,GAAG,KAAK;AAAA,QACjB,OAAO,KAAK,GAAG,KAAK,SAAS,KAAK,QAAQ,KAAK;AAAA,QAC/C,MAAM,KAAK,GAAG,KAAK,QAAQ,KAAK,QAAQ,KAAK;AAAA,MAC/C;AAAA,MACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,kBACZ,QACA,OACqE;AACrE,UAAM,aAAa,MAAM,kBAAkB;AAC3C,UAAM,cAAc,KAAK,MAAM,MAAM,SAAS;AAC9C,UAAM,eAAe,cAAc;AACnC,WAAO,KAAK,IAAI,IAAI,cAAc;AAChC,YAAM,MAAM,UAAU;AACtB,YAAM,SAAS,MAAM,OAAO,KAAK,eAAe,MAAM,QAAQ;AAC9D,UAAI,OAAO,WAAW,UAAW;AACjC,aAAO;AAAA,IACT;AACA,WAAO,EAAE,QAAQ,UAAU;AAAA,EAC7B;AACF;AAOA,SAAS,mBAA2B;AAClC,SAAO,eAAe,SAAS,CAAC;AAClC;AAEA,SAAS,MAAM,IAA2B;AACxC,SAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AACzD;;;ACxPO,IAAM,mBAAN,MAAuB;AAAA,EACrB,YACY,gBACAC,eACjB;AAFiB;AACA,wBAAAA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA,EAInB,MAAa,OAAwC;AACnD,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,OAAO,WAAW,KAAK;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAa,OAAO,MAAyD;AAC3E,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,UAAM,KAAK,MAAM,OAAO,WAAW,OAAO,KAAK,YAAY;AAC3D,UAAM,KAAK,aAAa,sBAAsB;AAAA,MAC5C,cAAc,GAAG,UAAU;AAAA,MAC3B,gBAAgB,GAAG,UAAU;AAAA,MAC7B,MAAM,GAAG,UAAU;AAAA,MACnB,MAAM,GAAG,UAAU;AAAA,MACnB,MAAM,GAAG,UAAU;AAAA,IACrB,CAAC;AACD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,UAEH;AACR,UAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,QAAI,CAAC,QAAS,QAAO;AACrB,WAAO;AAAA,MACL,WAAW;AAAA,QACT,cAAc,QAAQ,UAAU;AAAA,QAChC,gBAAgB,QAAQ,UAAU;AAAA,QAClC,MAAM,QAAQ,UAAU;AAAA,QACxB,MAAM,QAAQ,UAAU;AAAA,QACxB,MAAM,QAAQ,UAAU;AAAA,QACxB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF;;;ACzEA,OAAOC,YAAW;;;ACAlB;AAAA,EACE,MAAQ;AAAA,EACR,SAAW;AAAA,EACX,MAAQ;AAAA,EACR,aAAe;AAAA,EACf,SAAW;AAAA,EACX,UAAY;AAAA,EACZ,UAAY;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,SAAW;AAAA,IACT,MAAQ;AAAA,EACV;AAAA,EACA,eAAiB;AAAA,IACf,QAAU;AAAA,EACZ;AAAA,EACA,KAAO;AAAA,IACL,MAAQ;AAAA,EACV;AAAA,EACA,OAAS;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,SAAW;AAAA,IACT,KAAO;AAAA,IACP,OAAS;AAAA,IACT,OAAS;AAAA,IACT,WAAa;AAAA,IACb,MAAQ;AAAA,IACR,QAAU;AAAA,IACV,MAAQ;AAAA,IACR,cAAc;AAAA,IACd,gBAAkB;AAAA,EACpB;AAAA,EACA,cAAgB;AAAA,IACd,kBAAkB;AAAA,IAClB,OAAS;AAAA,IACT,WAAa;AAAA,IACb,KAAO;AAAA,IACP,KAAO;AAAA,EACT;AAAA,EACA,iBAAmB;AAAA,IACjB,iBAAiB;AAAA,IACjB,2BAA2B;AAAA,IAC3B,+BAA+B;AAAA,IAC/B,eAAe;AAAA,IACf,cAAc;AAAA,IACd,QAAU;AAAA,IACV,MAAQ;AAAA,IACR,YAAc;AAAA,IACd,QAAU;AAAA,EACZ;AACF;;;AC5CO,IAAM,cAAsB,gBAAY;;;ACQ/C,IAAM,aAAa,QAAQ,WAAW,KAAK,QAAQ,QAAQ,IAAI,QAAQ,IAAI,UAAU,QAAQ,SAAS,IAAI;AAEnG,IAAM,WAAN,cAAuB,MAAM;AAAA,EAC3B,YACL,SACgB,QACA,MAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;AAQO,IAAM,aAAN,MAAiB;AAAA,EACf,YACY,QACA,OACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUnB,MAAa,MAAS,MAAc,OAAuB,CAAC,GAAe;AACzE,UAAM,MAAM,GAAG,KAAK,MAAM,GAAG,IAAI;AACjC,UAAM,UAAkC;AAAA,MACtC,gBAAgB;AAAA,MAChB,cAAc;AAAA,IAChB;AACA,QAAI,KAAK,UAAU,MAAM;AACvB,cAAQ,eAAe,IAAI,UAAU,KAAK,KAAK;AAAA,IACjD;AACA,UAAM,WAAW,MAAM,MAAM,KAAK;AAAA,MAChC,QAAQ,KAAK,UAAU;AAAA,MACvB;AAAA,MACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,MAC5D,QAAQ,KAAK;AAAA,IACf,CAAC;AACD,WAAO,cAAiB,QAAQ;AAAA,EAClC;AAAA;AAAA,EAGA,IAAW,WAAoB;AAC7B,WAAO,KAAK,UAAU;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,gBAAsB;AAC3B,QAAI,KAAK,UAAU,KAAM;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,cAAiB,UAAgC;AAC9D,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,MAAI,OAAgB;AACpB,MAAI,KAAK,SAAS,GAAG;AACnB,QAAI;AACF,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,aACJ,SAAS,QAAQ,OAAO,SAAS,YAAY,WAAW,OACpD,KAAK,QACL;AACN,UAAM,UACJ,OAAO,eAAe,WAAW,aAAa,SAAS;AACzD,UAAM,IAAI;AAAA,MACR,OAAO,YAAY,YAAY,QAAQ,SAAS,IAC5C,UACA,QAAQ,SAAS,MAAM;AAAA,MAC3B,SAAS;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAKA,SAAO;AACT;;;ACpFA,IAAM,iBAAiB;AAEhB,IAAM,WAAN,MAAe;AAAA;AAAA,EAEH,aAAa,oBAAI,IAAoB;AAAA;AAAA,EAE9C,SAAS;AAAA,EAEV,SAAS,MAA0B;AACxC,UAAM,EAAE,cAAc,MAAM,IAAI;AAChC,QAAI,MAAM,SAAS,eAAgB;AACnC,QAAI,KAAK,WAAW,IAAI,KAAK,EAAG;AAChC,SAAK,WAAW,IAAI,OAAO,wBAAwB,YAAY,GAAG;AAClE,QAAI,MAAM,SAAS,KAAK,OAAQ,MAAK,SAAS,MAAM;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcO,sBAAsB,MAA0B;AACrD,SAAK,SAAS,IAAI;AAClB,eAAW,WAAW,iBAAiB,KAAK,KAAK,GAAG;AAClD,WAAK,SAAS,EAAE,cAAc,KAAK,cAAc,OAAO,QAAQ,CAAC;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQO,SAAyB;AAC9B,WAAO,IAAI,eAAe,KAAK,YAAY,KAAK,MAAM;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASO,OAAO,MAAsB;AAClC,WAAO,KAAK,OAAO,EAAE,OAAO,MAAM,EAAE,OAAO,KAAK,CAAC;AAAA,EACnD;AAAA;AAAA,EAGA,IAAW,OAAe;AACxB,WAAO,KAAK,WAAW;AAAA,EACzB;AACF;AAOO,IAAM,iBAAN,MAAqB;AAAA,EAGnB,YACY,YACA,QACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAJX,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcR,OAAO,OAAe,OAA4B,CAAC,GAAW;AACnE,QAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAI,KAAK,OAAO;AACd,cAAM,MAAM,KAAK,OAAO;AACxB,aAAK,OAAO;AACZ,eAAO;AAAA,MACT;AACA,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,KAAK,OAAO;AAC7B,UAAM,WAAW,KAAK,WAAW,QAAQ;AAEzC,QAAI,KAAK,OAAO;AACd,WAAK,OAAO;AACZ,aAAO;AAAA,IACT;AAMA,UAAM,WAAW,KAAK,IAAI,GAAG,KAAK,SAAS,CAAC;AAC5C,QAAI,SAAS,UAAU,UAAU;AAC/B,WAAK,OAAO;AACZ,aAAO;AAAA,IACT;AACA,UAAM,MAAM,SAAS,SAAS;AAC9B,SAAK,OAAO,SAAS,MAAM,GAAG;AAC9B,WAAO,SAAS,MAAM,GAAG,GAAG;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,WAAW,MAAsB;AACvC,QAAI,SAAS;AACb,UAAM,UAAU,CAAC,GAAG,KAAK,WAAW,QAAQ,CAAC,EAAE;AAAA,MAC7C,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE;AAAA,IAC/B;AACA,eAAW,CAAC,OAAO,MAAM,KAAK,SAAS;AACrC,UAAI,CAAC,OAAO,SAAS,KAAK,EAAG;AAC7B,eAAS,OAAO,MAAM,KAAK,EAAE,KAAK,MAAM;AAAA,IAC1C;AACA,WAAO;AAAA,EACT;AACF;AAeA,SAAS,iBAAiB,OAAyB;AACjD,QAAM,MAAM,OAAO,KAAK,OAAO,MAAM;AACrC,SAAO;AAAA,IACL,IAAI,SAAS,QAAQ;AAAA,IACrB,IAAI,SAAS,WAAW;AAAA,IACxB,IAAI,SAAS,KAAK;AAAA,IAClB,IAAI,SAAS,KAAK,EAAE,YAAY;AAAA,IAChC,mBAAmB,KAAK;AAAA,EAC1B;AACF;;;ACxKO,IAAM,mBAAmB;AAAA;AAAA,EAE9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AACF;AAOO,SAAS,wBAA2C;AACzD,QAAM,MAAyB,CAAC;AAChC,aAAW,OAAO,kBAAkB;AAClC,UAAM,QAAQ,QAAQ,IAAI,GAAG;AAC7B,QAAI,UAAU,OAAW,KAAI,GAAG,IAAI;AAAA,EACtC;AACA,SAAO;AACT;;;ALjCO,IAAM,cAAN,MAAkB;AAAA,EAChB,YACY,gBACA,SACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAGnB,MAAa,QAAQ,MAAoC;AACvD,UAAM,EAAE,UAAU,SAAS,IAAI,MAAM,KAAK;AAAA,MACxC,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAMA,UAAM,MAAyB;AAAA,MAC7B,GAAG,sBAAsB;AAAA,MACzB,kBAAkB,SAAS;AAAA,MAC3B,mBAAmB,SAAS;AAAA,IAC9B;AACA,eAAW,QAAQ,SAAS,aAAa;AACvC,aAAO,OAAO,KAAK,KAAK,OAAO;AAAA,IACjC;AAEA,QAAI;AACF,aAAO,MAAM,KAAK,QAAQ,IAAI;AAAA,QAC5B,SAAS;AAAA,QACT,MAAM,CAAC,OAAO,KAAK,OAAO;AAAA,QAC1B;AAAA,QACA,KAAK,KAAK;AAAA,QACV;AAAA,MACF,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,SAAS,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC9D;AAAA,QACE,6BAA6B,MAAM;AAAA,MACrC;AACA,aAAO,SAAS;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,gBACZ,aACA,OACoE;AACpE,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAE3D,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,OAAO,KAAK,QAAQ,EAAE,YAAY,CAAC;AAAA,IACtD,SAAS,OAAO;AACd,UAAI,iBAAiB,UAAU;AAC7B,cAAM,MAAM,YAAY,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,KAAK,IAAI,KAAK;AACvD,YAAI,MAAM,WAAW,KAAK;AAKxB;AAAA,YACE,wCAAwC,MAAM,OAAO,mBAAmB,GAAG;AAAA,UAC7E;AACA,eAAK,SAAS,uBAAuB;AAAA,QACvC;AACA,YAAI,MAAM,WAAW,KAAK;AACxB;AAAA,YACE,yCAAyC,MAAM,OAAO;AAAA,UACxD;AACA,eAAK,SAAS,uBAAuB;AAAA,QACvC;AACA;AAAA,UACE,6CAA6C,MAAM,MAAM,MAAM,MAAM,OAAO;AAAA,QAC9E;AACA,aAAK,SAAS,aAAa;AAAA,MAC7B;AACA,YAAM;AAAA,IACR;AAKA,UAAM,WAAW,IAAI,SAAS;AAC9B,aAAS,sBAAsB;AAAA,MAC7B,cAAc;AAAA,MACd,OAAO,SAAS;AAAA,IAClB,CAAC;AACD,eAAW,QAAQ,SAAS,aAAa;AACvC,iBAAW,SAAS,KAAK,iBAAiB;AACxC,iBAAS,sBAAsB;AAAA,UAC7B,cAAc,KAAK;AAAA,UACnB;AAAA,QACF,CAAC;AAAA,MACH;AAAA,IACF;AAEA,QAAI,CAAC,MAAO,MAAK,yBAAyB,QAAQ;AAElD,WAAO,EAAE,UAAU,SAAS;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,yBAAyB,UAAyC;AACxE,eAAW,QAAQ,SAAS,aAAa;AACvC,YAAM,UAAU,OAAO,KAAK,KAAK,OAAO,EAAE,KAAK,EAAE,KAAK,IAAI;AAC1D;AAAA,QACE,YAAYC,OAAM,KAAK,KAAK,YAAY,CAAC,KAAK,KAAK,aAAa,KAAK,KAAK,eAAe,YAAO,OAAO;AAAA,MACzG;AAAA,IACF;AACA,eAAW,OAAO,SAAS,UAAU,CAAC,GAAG;AACvC;AAAA,QACE,GAAG,IAAI,YAAY,KAAK,IAAI,aAAa,MAAM,IAAI,OAAO,gGAA2F,IAAI,aAAa;AAAA,MACxK;AAAA,IACF;AAAA,EACF;AACF;;;AMrIO,IAAM,mBAAN,MAAuB;AAAA,EACrB,YACY,gBACAC,gBACAC,gBACjB;AAHiB;AACA,yBAAAD;AACA,yBAAAC;AAAA,EAChB;AAAA,EAHgB;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAKnB,MAAa,gBAAgB,MAIQ;AACnC,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,YAAY,KAAK;AACtD,QAAI,SAAS;AACb,QAAI,KAAK,SAAS;AAChB,eAAS,OAAO,OAAO,CAAC,MAAM,EAAE,YAAY,KAAK,OAAO;AAAA,IAC1D;AACA,QAAI,KAAK,MAAM;AACb,eAAS,OAAO,OAAO,CAAC,MAAM,EAAE,eAAe;AAAA,IACjD;AACA,QAAI,KAAK,SAAS,KAAK,MAAM,SAAS,GAAG;AACvC,eAAS,gBAAgB,QAAQ,KAAK,KAAK;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAa,cAAc,IAA2C;AACpE,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,OAAO,YAAY,IAAI,EAAE;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAa,kBAAkB,MAGJ;AACzB,UAAM,EAAE,SAAS,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AACpE,UAAM,OAAO,aAAa,IAAI,KAAK,OAAO;AAC1C,UAAM,eAAe,KAAK,cAAc,oBAAoB,QAAQ,MAAM;AAC1E,UAAM,MAAM,GAAG,YAAY,IAAI,mBAAmB,QAAQ,UAAU,IAAI,CAAC,iBAAiB,mBAAmB,KAAK,OAAO,CAAC;AAC1H,QAAI,KAAK,aAAc,QAAO,EAAE,MAAM,aAAa,IAAI;AACvD,SAAK,cAAc,KAAK,GAAG;AAC3B,WAAO,EAAE,MAAM,gBAAgB,IAAI;AAAA,EACrC;AAAA;AAAA,EAIA,MAAa,iBAAiB,MAGQ;AACpC,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAM3D,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,aAAa,KAAK;AAAA,MACtD,OAAO,KAAK;AAAA,IACd,CAAC;AACD,WAAO,KAAK,OACR,aAAa,OAAO,CAAC,MAAM,EAAE,mBAAmB,KAAK,IAAI,IACzD;AAAA,EACN;AAAA,EAEA,MAAa,eAAe,SAAiD;AAC3E,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,OAAO,aAAa,IAAI,OAAO;AAAA,EACxC;AAAA;AAAA,EAIA,MAAa,eAAe,MAGmB;AAC7C,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,UAAM,EAAE,WAAW,IAAI,MAAM,OAAO,aAAa;AAAA,MAC/C,KAAK;AAAA,IACP;AACA,QAAI,CAAC,KAAK,SAAS,KAAK,MAAM,WAAW,EAAG,QAAO;AACnD,WAAO,eAAe,YAAY,KAAK,KAAK;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,aAAa,MAGkB;AAC1C,UAAM,EAAE,OAAO,IAAI,MAAM,KAAK,eAAe,cAAc;AAC3D,WAAO,KAAK,UACR,OAAO,aAAa,aAAa;AAAA,MAC/B,SAAS,KAAK;AAAA,MACd,MAAM,KAAK;AAAA,IACb,CAAC,IACD,OAAO,WAAW,QAAQ,KAAK,IAAI;AAAA,EACzC;AACF;AAOA,SAAS,gBACP,aACA,OACyB;AACzB,QAAM,IAAI,MAAM,YAAY;AAC5B,QAAM,SAAS,YAAY,IAAI,CAAC,MAAM;AACpC,QAAI,QAAQ;AACZ,QAAI,EAAE,QAAQ,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AAClD,QAAI,EAAE,cAAc,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AACxD,QAAI,EAAE,MAAM,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AAChD,WAAO,EAAE,GAAG,MAAM;AAAA,EACpB,CAAC;AACD,SAAO,OACJ,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,EACzB,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK,EAChC,IAAI,CAAC,MAAM,EAAE,CAAC;AACnB;AAOA,SAAS,eACP,YACA,OACmC;AACnC,QAAM,IAAI,MAAM,YAAY;AAC5B,QAAM,SAAS,WAAW,IAAI,CAAC,OAAO;AACpC,QAAI,QAAQ;AACZ,QAAI,GAAG,MAAM,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AACjD,QAAI,GAAG,YAAY,YAAY,EAAE,SAAS,CAAC,EAAG,UAAS;AACvD,WAAO,EAAE,IAAI,MAAM;AAAA,EACrB,CAAC;AACD,SAAO,OACJ,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,EACzB,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK,EAChC,IAAI,CAAC,MAAM,EAAE,EAAE;AACpB;;;ACrLA,SAAS,SAAS;AAkBX,IAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,SAAS,EAAE,QAAQ,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOpB,QAAQ,EAAE,IAAI,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMzB,cAAc,EAAE,IAAI,EAAE,SAAS;AACjC,CAAC;AAUM,IAAM,uBAAuB,CAAC,UAAU,cAAc;AAG7D,IAAM,0BAA+C,IAAI;AAAA,EACvD;AACF;AASO,SAAS,oBAAoB,KAAuC;AACzE,SAAO,wBAAwB,IAAI,GAAG;AACxC;;;AC3CA,IAAM,kBAAkB;AACxB,IAAM,wBAAwB;AAgCvB,IAAM,gBAAN,MAAoB;AAAA,EAClB,YACYC,cACAC,eACjB;AAFiB,uBAAAD;AACA,wBAAAC;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeZ,cAAc,eAAgC;AACnD,WACE,iBACA,QAAQ,IAAI,gBACZ,KAAK,YAAY,SAAS,GAAG,UAC7B;AAAA,EAEJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUO,oBAAoB,eAAgC;AACzD,QAAI,QAAQ,IAAI,mBAAoB,QAAO,QAAQ,IAAI;AACvD,UAAM,SAAS,KAAK,YAAY,SAAS;AACzC,QAAI,QAAQ,aAAc,QAAO,OAAO;AACxC,QAAI,eAAe,SAAS,WAAW,EAAG,QAAO;AACjD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYO,aAA4D;AACjE,UAAM,OAAO,KAAK,YAAY,SAAS;AACvC,WAAO;AAAA,MACL,QAAQ,MAAM;AAAA,MACd,cAAc,MAAM;AAAA,IACtB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAa,IAAI,MAGY;AAC3B,UAAM,WAAW,KAAK,YAAY,SAAS,KAAK,EAAE,SAAS,EAAW;AACtE,UAAM,OAAO,EAAE,GAAG,UAAU,CAAC,KAAK,GAAG,GAAG,KAAK,MAAM;AACnD,UAAM,SAAS,gBAAgB,UAAU,IAAI;AAC7C,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,OAAO,OAAO,MAAM,OAAO,CAAC,GAAG,WAAW;AAAA,MAC5C;AAAA,IACF;AACA,QAAI,KAAK,QAAQ,UAAU;AACzB,YAAM,UAAU,MAAM,KAAK,aAAa,KAAK;AAC7C,UAAI,WAAW,QAAQ,WAAW,KAAK,OAAO;AAC5C,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,YAAY,QAAQ;AAAA,QACtB;AAAA,MACF;AAAA,IACF;AACA,UAAM,KAAK,YAAY,KAAK,OAAO,IAAI;AACvC,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAa,MAAM,MAEc;AAC/B,UAAM,WAAW,KAAK,YAAY,SAAS;AAC3C,QAAI,CAAC,YAAY,SAAS,KAAK,GAAG,MAAM,QAAW;AACjD,aAAO,EAAE,QAAQ,MAAM;AAAA,IACzB;AACA,UAAM,OAAsB,EAAE,SAAS,EAAE;AACzC,eAAW,KAAK,sBAAsB;AACpC,UAAI,MAAM,KAAK,IAAK;AACpB,YAAM,QAAQ,SAAS,CAAC;AACxB,UAAI,UAAU,OAAW,MAAK,CAAC,IAAI;AAAA,IACrC;AACA,UAAM,qBAAqB,qBAAqB;AAAA,MAC9C,CAAC,MAAM,KAAK,CAAC,MAAM;AAAA,IACrB;AACA,QAAI,oBAAoB;AACtB,YAAM,KAAK,YAAY,KAAK,IAAI;AAAA,IAClC,OAAO;AACL,YAAM,KAAK,YAAY,OAAO;AAAA,IAChC;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAAA;AAAA,EAGA,IAAW,OAAe;AACxB,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA,EAGO,cAAc,KAAuC;AAC1D,WAAO,oBAAoB,GAAG;AAAA,EAChC;AACF;;;AC/KO,IAAM,gBAAN,MAAoB;AAAA,EAClB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,gBACX,aACsC;AACtC,WAAO,KAAK,KAAK,MAAM,yBAAyB;AAAA,MAC9C,QAAQ;AAAA,MACR,MAAM,EAAE,YAAY;AAAA,IACtB,CAAC;AAAA,EACH;AAAA,EAEA,MAAa,eACX,UACqC;AACrC,WAAO,KAAK,KAAK;AAAA,MACf,yBAAyB,mBAAmB,QAAQ,CAAC;AAAA,MACrD,EAAE,QAAQ,OAAO;AAAA,IACnB;AAAA,EACF;AAAA,EAEA,MAAa,KAA8B;AACzC,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,cAAc;AAAA,EACvC;AAAA,EAEA,MAAa,SAAwB;AACnC,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,oBAAoB,EAAE,QAAQ,OAAO,CAAC;AAAA,EAC/D;AACF;;;ACjCO,IAAM,sBAAN,MAA0B;AAAA,EACxB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,OAAwC;AACnD,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,iBAAiB;AAAA,EAC1C;AAAA,EAEA,MAAa,OAAO,cAA+C;AACjE,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,0BAA0B;AAAA,MAC/C,QAAQ;AAAA,MACR,MAAM,EAAE,aAAa;AAAA,IACvB,CAAC;AAAA,EACH;AACF;;;AChBO,IAAM,gBAAN,MAAoB;AAAA,EAClB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,QACX,MACkC;AAClC,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,qBAAqB;AAAA,MAC1C,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AAAA,EACH;AACF;;;ACVO,IAAM,uBAAN,MAA2B;AAAA,EACzB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,OAA4C;AACvD,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,kBAAkB;AAAA,EAC3C;AAAA,EAEA,MAAa,IAAI,IAA2C;AAC1D,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,oBAAoB,mBAAmB,EAAE,CAAC,EAAE;AAAA,EACrE;AACF;;;ACVO,IAAM,wBAAN,MAA4B;AAAA,EAC1B,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,KAAK,MAEuB;AACvC,SAAK,KAAK,cAAc;AACxB,UAAM,OACJ,MAAM,SAAS,KAAK,MAAM,SAAS,IAC/B,uBAAuB,mBAAmB,KAAK,KAAK,CAAC,KACrD;AACN,WAAO,KAAK,KAAK,MAAM,IAAI;AAAA,EAC7B;AAAA,EAEA,MAAa,IAAI,SAAiD;AAChE,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,qBAAqB,mBAAmB,OAAO,CAAC,EAAE;AAAA,EAC3E;AAAA,EAEA,MAAa,eACX,SACgD;AAChD,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK;AAAA,MACf,qBAAqB,mBAAmB,OAAO,CAAC;AAAA,IAClD;AAAA,EACF;AAAA,EAEA,MAAa,aAAa,MAGkB;AAC1C,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK;AAAA,MACf,qBAAqB,mBAAmB,KAAK,OAAO,CAAC,eAAe,mBAAmB,KAAK,IAAI,CAAC;AAAA,IACnG;AAAA,EACF;AACF;;;ACvCO,IAAM,sBAAN,MAA0B;AAAA,EACxB,YAA6B,MAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA,EAEpC,MAAa,QAAQ,MAAuD;AAC1E,SAAK,KAAK,cAAc;AACxB,WAAO,KAAK,KAAK,MAAM,mBAAmB,mBAAmB,IAAI,CAAC,EAAE;AAAA,EACtE;AACF;;;ACUO,IAAM,mBAAN,MAAuB;AAAA,EACrB,MAAM,MAGO;AAClB,UAAM,OAAO,IAAI,WAAW,KAAK,QAAQ,KAAK,KAAK;AACnD,WAAO;AAAA,MACL,MAAM,IAAI,cAAc,IAAI;AAAA,MAC5B,YAAY,IAAI,oBAAoB,IAAI;AAAA,MACxC,MAAM,IAAI,cAAc,IAAI;AAAA,MAC5B,aAAa,IAAI,qBAAqB,IAAI;AAAA,MAC1C,cAAc,IAAI,sBAAsB,IAAI;AAAA,MAC5C,YAAY,IAAI,oBAAoB,IAAI;AAAA,IAC1C;AAAA,EACF;AACF;;;AC7CA,SAAS,OAAO,UAAU,WAAW,QAAQ,aAAa;;;ACA1D,SAAS,KAAAC,UAAS;AAeX,IAAM,0BAA0BA,GAAE,OAAO;AAAA,EAC9C,SAASA,GAAE,QAAQ,CAAC;AAAA,EACpB,QAAQA,GAAE,IAAI;AAAA;AAAA,EAEd,OAAOA,GAAE,OAAO,EAAE,WAAW,UAAU;AAAA,EACvC,MAAMA,GAAE,OAAO;AAAA,IACb,IAAIA,GAAE,OAAO;AAAA,IACb,OAAOA,GAAE,OAAO,EAAE,SAAS;AAAA,IAC3B,MAAMA,GAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,CAAC;AAAA,EACD,WAAWA,GAAE,OAAO;AAAA,IAClB,cAAcA,GAAE,OAAO;AAAA,IACvB,gBAAgBA,GAAE,OAAO;AAAA,IACzB,MAAMA,GAAE,OAAO;AAAA,IACf,MAAMA,GAAE,OAAO;AAAA,IACf,MAAMA,GAAE,OAAO;AAAA,EACjB,CAAC;AAAA;AAAA,EAED,SAASA,GAAE,OAAO;AACpB,CAAC;;;ADjBM,IAAM,eAAN,MAAmB;AAAA,EACjB,YACY,UACA,eACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnB,MAAa,OAA0C;AACrD,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,SAAS,KAAK,UAAU,OAAO;AAAA,IAC7C,SAAS,KAAK;AACZ,UAAI,YAAY,KAAK,QAAQ,EAAG,QAAO;AACvC,YAAM;AAAA,IACR;AACA,QAAI;AACJ,QAAI;AACF,aAAO,KAAK,MAAM,GAAG;AAAA,IACvB,QAAQ;AACN,aAAO;AAAA,IACT;AACA,UAAM,SAAS,wBAAwB,UAAU,IAAI;AACrD,WAAO,OAAO,UAAU,OAAO,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,KAAK,SAA2C;AAC3D,UAAM,MAAM,KAAK,eAAe,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAChE,UAAM,MAAM,KAAK,eAAe,GAAK,EAAE,MAAM,MAAM;AAAA,IAEnD,CAAC;AACD,UAAM,UAAU,KAAK,UAAU,KAAK,UAAU,SAAS,MAAM,CAAC,GAAG;AAAA,MAC/D,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,SAAwB;AACnC,QAAI;AACF,YAAM,OAAO,KAAK,QAAQ;AAAA,IAC5B,SAAS,KAAK;AACZ,UAAI,YAAY,KAAK,QAAQ,EAAG;AAChC,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAa,sBACX,WACe;AACf,UAAM,UAAU,MAAM,KAAK,KAAK;AAChC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AACA,UAAM,KAAK,KAAK;AAAA,MACd,GAAG;AAAA,MACH;AAAA,MACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,CAAC;AAAA,EACH;AACF;AASA,SAAS,YAAY,KAAc,UAA2B;AAC5D,MAAI,OAAO,QAAQ,YAAY,QAAQ,KAAM,QAAO;AACpD,MAAI,EAAE,UAAU,KAAM,QAAO;AAC7B,SAAO,IAAI,SAAS;AACtB;;;AE7GA,SAAS,oBAAoB;AAC7B,SAAS,SAAAC,QAAO,aAAAC,YAAW,UAAAC,eAAc;AACzC,SAAS,eAAe;AAcjB,IAAM,cAAN,MAAkB;AAAA,EAChB,YAA6B,UAAkB;AAAlB;AAAA,EAAmB;AAAA,EAAnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAO7B,WAAiC;AACtC,QAAI;AACJ,QAAI;AACF,YAAM,aAAa,KAAK,UAAU,MAAM;AAAA,IAC1C,QAAQ;AACN,aAAO;AAAA,IACT;AACA,QAAI;AACJ,QAAI;AACF,aAAO,KAAK,MAAM,GAAG;AAAA,IACvB,QAAQ;AACN,aAAO;AAAA,IACT;AACA,UAAM,SAAS,gBAAgB,UAAU,IAAI;AAC7C,WAAO,OAAO,UAAU,OAAO,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,KAAK,QAAsC;AACtD,UAAMC,OAAM,QAAQ,KAAK,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACvD,UAAMC,WAAU,KAAK,UAAU,KAAK,UAAU,QAAQ,MAAM,CAAC,IAAI,MAAM;AAAA,MACrE,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAa,SAAwB;AACnC,QAAI;AACF,YAAMC,QAAO,KAAK,QAAQ;AAAA,IAC5B,SAAS,KAAK;AACZ,UACE,OAAO,QAAQ,YACf,QAAQ,QACR,UAAU,OACV,IAAI,SAAS,UACb;AACA;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA,EAGA,IAAW,OAAe;AACxB,WAAO,KAAK;AAAA,EACd;AACF;;;AC7EA,SAAS,aAAa;AAef,IAAM,gBAAN,MAAoB;AAAA,EAClB,KAAK,KAAsB;AAChC,UAAM,MAAM,yBAAyB;AACrC,QAAI;AACF,YAAM,QAAQ,MAAM,KAAK,CAAC,GAAG,GAAG,EAAE,OAAO,UAAU,UAAU,KAAK,CAAC;AACnE,YAAM,MAAM;AACZ,aAAO;AAAA,IACT,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,SAAS,2BAAmC;AAC1C,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;;;ACtCA,SAAS,SAAAC,cAAa;AAqCf,IAAM,sBAAN,MAA0B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAM/B,MAAa,IAAI,MAAkC;AACjD,UAAM,QAAQA,OAAM,KAAK,SAAS,KAAK,MAAM;AAAA,MAC3C,KAAK,KAAK;AAAA,MACV,KAAK,KAAK,OAAO,QAAQ,IAAI;AAAA,MAC7B,OAAO,CAAC,WAAW,QAAQ,MAAM;AAAA,IACnC,CAAC;AAaD,UAAM,eAAe;AAAA,MACnB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,KAAK,SAAS,OAAO;AAAA,MACrB,KAAK;AAAA,IACP;AACA,UAAM,eAAe;AAAA,MACnB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,KAAK,SAAS,OAAO;AAAA,IACvB;AAEA,UAAM,gBAAgB,CAAC,WAAiC;AACtD,UAAI,CAAC,MAAM,OAAQ,OAAM,KAAK,MAAM;AAAA,IACtC;AACA,YAAQ,GAAG,UAAU,aAAa;AAClC,YAAQ,GAAG,WAAW,aAAa;AAEnC,QAAI;AACF,YAAM,WAAW,MAAM,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC9D,cAAM,KAAK,QAAQ,CAAC,MAAM,WAAW;AACnC,cAAI,SAAS,KAAM,SAAQ,IAAI;AAAA,mBACtB,WAAW,KAAM,SAAQ,MAAM,aAAa,MAAM,CAAC;AAAA,cACvD,SAAQ,CAAC;AAAA,QAChB,CAAC;AACD,cAAM,KAAK,SAAS,CAAC,QAAQ,OAAO,GAAG,CAAC;AAAA,MAC1C,CAAC;AAID,YAAM,QAAQ,IAAI,CAAC,cAAc,YAAY,CAAC;AAC9C,aAAO;AAAA,IACT,UAAE;AACA,cAAQ,eAAe,UAAU,aAAa;AAC9C,cAAQ,eAAe,WAAW,aAAa;AAAA,IACjD;AAAA,EACF;AACF;AAaA,SAAS,kBACP,QACA,MACA,UACA,SACe;AACf,SAAO,IAAI,QAAc,CAAC,YAAY;AACpC,QAAI,UAAU;AACd,UAAM,OAAO,CAAC,UAAwB;AACpC,UAAI,MAAM,WAAW,EAAG;AACxB,WAAK,MAAM,KAAK;AAChB,gBAAU,KAAK;AAAA,IACjB;AACA,UAAM,aAAa,MAAY;AAC7B,UAAI,QAAS;AACb,gBAAU;AACV,WAAK,SAAS,OAAO,IAAI,EAAE,OAAO,KAAK,CAAC,CAAC;AACzC,cAAQ;AAAA,IACV;AACA,WAAO,GAAG,OAAO,UAAU;AAC3B,WAAO,GAAG,SAAS,UAAU;AAC7B,WAAO,GAAG,SAAS,MAAM;AACvB,gBAAU;AACV,cAAQ;AAAA,IACV,CAAC;AACD,WAAO,YAAY,MAAM;AACzB,WAAO,GAAG,QAAQ,CAAC,UAAkB;AACnC,WAAK,SAAS,OAAO,KAAK,CAAC;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AACH;AAOA,SAAS,aAAa,QAAgC;AACpD,QAAM,MAA+C;AAAA,IACnD,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AACA,SAAO,IAAI,MAAM,KAAK;AACxB;;;AC7JA,SAAS,eAAe;AACxB,SAAS,YAAY;AASd,SAAS,YAAoB;AAClC,SAAO,QAAQ,IAAI,mBAAmB,KAAK,QAAQ,GAAG,WAAW,MAAM;AACzE;AAMO,SAAS,kBAA0B;AACxC,SAAO,KAAK,UAAU,GAAG,qBAAqB;AAChD;AAEO,SAAS,iBAAyB;AACvC,SAAO,KAAK,UAAU,GAAG,aAAa;AACxC;;;ACDO,IAAM,eAAe,IAAI,aAAa,gBAAgB,GAAG,UAAU,CAAC;AAEpE,IAAM,cAAc,IAAI,YAAY,eAAe,CAAC;AAEpD,IAAM,mBAAmB,IAAI,iBAAiB;AAE9C,IAAM,gBAAgB,IAAI,cAAc;AAExC,IAAM,sBAAsB,IAAI,oBAAoB;;;ACCpD,IAAM,gBAAgB,IAAI,cAAc,aAAa,YAAY;AAEjE,IAAM,wBAAwB,IAAI;AAAA,EACvC;AAAA,EACA;AACF;AAEO,IAAM,cAAc,IAAI;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,mBAAmB,IAAI;AAAA,EAClC;AAAA,EACA;AACF;AAEO,IAAM,cAAc,IAAI;AAAA,EAC7B;AAAA,EACA;AACF;AAEO,IAAM,mBAAmB,IAAI;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AACF;;;ACxCO,SAAS,eACd,OACA,OAAqC,CAAC,GAC/B;AACP,MAAI,iBAAiB,UAAU;AAC7B,QAAI,MAAM,WAAW,OAAO,KAAK,iBAAiB;AAChD,iBAAW,KAAK,eAAe;AAC/B,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,QAAI,MAAM,WAAW,KAAK;AACxB;AAAA,QACE,yCAAyC,MAAM,OAAO;AAAA,MACxD;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,QAAI,MAAM,WAAW,KAAK;AACxB;AAAA,QACE,cAAc,MAAM,OAAO;AAAA,MAC7B;AACA,WAAK,SAAS,SAAS;AAAA,IACzB;AACA,QAAI,MAAM,WAAW,KAAK;AACxB;AAAA,QACE,cAAc,MAAM,OAAO;AAAA,MAC7B;AACA,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,QAAI,MAAM,UAAU,KAAK;AACvB;AAAA,QACE,sBAAsB,MAAM,MAAM,MAAM,MAAM,OAAO;AAAA,MACvD;AACA,WAAK,SAAS,aAAa;AAAA,IAC7B;AACA,eAAW,wBAAwB,MAAM,MAAM,MAAM,MAAM,OAAO,EAAE;AACpE,SAAK,SAAS,aAAa;AAAA,EAC7B;AACA;AAAA,IACE,qBAAqB,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,EAC7E;AACA,OAAK,SAAS,aAAa;AAC7B;;;AC7CO,SAAS,cAAc,QAAuB;AACnD,SACG,QAAQ,OAAO,EACf;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,SAAuB;AACpC,QAAI;AACF,YAAM,YAAY,MAAM;AAAA,QACtB,QAAQ,KAAK;AAAA,QACb,WAAW,KAAK;AAAA,MAClB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC;AACL;;;AC9BO,SAAS,eAAe,QAAuB;AACpD,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC,OAAO,YAAY;AAClB,QAAI;AACF,YAAM,YAAY,OAAO;AAAA,IAC3B,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC;AACL;;;ACAA,eAAsB,kBACpB,MACe;AACf,MAAI;AACF,UAAM,SAAS,MAAM,YAAY,OAAO;AACxC,QAAI,CAAC,QAAQ;AACX,UAAI,KAAK,MAAM;AACb,kBAAU,EAAE,eAAe,MAAM,CAAC;AAAA,MACpC,OAAO;AACL;AAAA,UACE;AAAA,QACF;AAAA,MACF;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,QAAI,KAAK,MAAM;AACb,gBAAU,MAAM;AAChB,WAAK,SAAS,EAAE;AAAA,IAClB;AACA,iBAAa,oBAAoB,OAAO,KAAK,SAAS,OAAO,KAAK,EAAE,EAAE;AACtE;AAAA,MACE,qBAAqB,OAAO,UAAU,IAAI,KAAK,OAAO,UAAU,IAAI,KAAK,OAAO,UAAU,IAAI;AAAA,IAChG;AACA,SAAK,SAAS,EAAE;AAAA,EAClB,SAAS,OAAO;AACd,QAAI,iBAAiB,YAAY,MAAM,WAAW,KAAK;AACrD;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,uBAAuB;AAAA,IACvC;AACA,UAAM,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACpE;AAAA,MACE,6BAA6B,MAAM;AAAA,IACrC;AACA,SAAK,SAAS,aAAa;AAAA,EAC7B;AACF;AASO,SAAS,eAAe,QAAuB;AACpD,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAA4B,kBAAkB,IAAI,CAAC;AAChE;;;AC1DO,SAAS,qBAAqBC,UAAwB;AAC3D,gBAAcA,QAAO;AACrB,iBAAeA,QAAO;AAEtB,QAAM,OAAOA,SACV,QAAQ,MAAM,EACd,YAAY,iCAAiC,EAC7C,OAAO,MAAM,kBAAkB,CAAC,CAAC,CAAC;AACrC,iBAAe,IAAI;AACrB;;;AC9BA,OAAOC,YAAW;AAkCX,SAAS,WACd,SACA,MACA,OAAuB,CAAC,GAClB;AACN,QAAM,MAAM,KAAK,OAAO,QAAQ;AAChC,QAAM,WAAW,QAAQ;AAKzB,QAAM,UAAU,KAAK,WACjB,KAAK,IAAI,CAAC,KAAK,MAAM,KAAK,SAAU,KAAK,CAAC,CAAC,IAC3C;AACJ,QAAM,aACJ,YAAY,QAAQ,QAAQ,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,MAAM,CAAC,MAAM,CAAC;AAEvE,QAAM,SAAS,IAAI,MAAc,QAAQ,EAAE,KAAK,CAAC;AACjD,WAAS,IAAI,GAAG,IAAI,UAAU,IAAK,QAAO,CAAC,IAAI,QAAQ,CAAC,EAAG;AAC3D,aAAW,OAAO,MAAM;AACtB,aAAS,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,YAAM,MAAM,IAAI,CAAC,GAAG,UAAU;AAC9B,UAAI,MAAM,OAAO,CAAC,EAAI,QAAO,CAAC,IAAI;AAAA,IACpC;AAAA,EACF;AAGA,QAAM,cAAc,QAAQ;AAAA,IAAI,CAAC,GAAG,MAClC,IAAIA,OAAM,IAAI,CAAC,GAAG,EAAE,QAAQ,OAAO,CAAC,GAAI,MAAM,WAAW,CAAC;AAAA,EAC5D;AACA,MAAI,OAAO,aAAa,OAAO,MAAM,YAAY,KAAK,IAAI,IAAI,IAAI;AAElE,OAAK,QAAQ,CAAC,KAAK,WAAW;AAC5B,UAAM,WAAW,cAAc,QAAS,MAAM,MAAM;AACpD,UAAM,QAAQ,IAAI,IAAI,CAAC,KAAK,MAAM;AAChC,YAAM,QAAQ,OAAO;AACrB,UAAI,UAAU;AACd,UAAI,YAAY,MAAM,EAAG,WAAUA,OAAM,KAAK,KAAK;AAAA,eAC1C,KAAK;AACZ,kBAAU,KAAK,QAAQ,OAAO,EAAE,KAAK,QAAQ,KAAK,EAAE,CAAC;AACvD,aAAO,IAAI,SAAS,MAAM,QAAQ,OAAO,CAAC,GAAI,MAAM,WAAW,CAAC;AAAA,IAClE,CAAC;AACD,UAAM,SAAS,aAAa,GAAG,WAAWA,OAAM,MAAM,GAAG,IAAI,GAAG,MAAM;AACtE,QAAI,MAAM,SAAS,MAAM,KAAK,IAAI,IAAI,IAAI;AAAA,EAC5C,CAAC;AACH;AAOA,SAAS,IACP,SACA,QACA,OACA,QACQ;AACR,MAAI,OAAQ,QAAO;AACnB,MAAI,UAAU,MAAO,QAAO;AAC5B,SAAO,UAAU,IAAI,OAAO,QAAQ,MAAM;AAC5C;AAMO,SAAS,UACd,UACiD;AACjD,SAAO,CAAC,MAAM,SAAU,KAAK,QAAQ,WAAWA,OAAM,IAAI,IAAI,IAAI;AACpE;;;ACpFA,eAAsB,qBACpB,MACe;AACf,MAAI;AACF,UAAM,EAAE,WAAW,IAAI,MAAM,iBAAiB,KAAK;AAEnD,QAAI,KAAK,MAAM;AACb,gBAAU;AAAA,QACR,QAAQ,WAAW,KAAK,CAAC,MAAM,EAAE,QAAQ,GAAG,QAAQ;AAAA,QACpD;AAAA,MACF,CAAC;AACD,WAAK,SAAS,EAAE;AAAA,IAClB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,OAAO;AAAA,QACb;AAAA,MACF;AACA,WAAK,SAAS,EAAE;AAAA,IAClB;AAEA;AAAA,MACE,CAAC,QAAQ,QAAQ,MAAM;AAAA,MACvB,WAAW,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC;AAAA,MAC9C,EAAE,UAAU,CAAC,MAAM,MAAM,WAAW,CAAC,EAAG,SAAS;AAAA,IACnD;AACA,SAAK,SAAS,EAAE;AAAA,EAClB,SAAS,OAAO;AACd,mBAAe,KAAK;AAAA,EACtB;AACF;AAOO,SAAS,sBAAsB,QAAuB;AAC3D,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAA+B,qBAAqB,IAAI,CAAC;AACtE;;;ACpEA,YAAY,OAAO;AAgBZ,SAAS,wBAAwB,QAAuB;AAC7D,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF,EACC,OAAO,OAAO,SAA6B;AAC1C,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAM,sBAAsB,cAAc;AAC9D,YAAM,EAAE,WAAW,IAAI,MAAM,iBAAiB,KAAK;AAEnD,YAAM,SAAS,OACX,WAAW,YAAY,IAAI,IAC3B,MAAM,kBAAkB;AAAA,QACtB;AAAA,QACA,qBAAqB,QAAQ,UAAU;AAAA,MACzC,CAAC;AACL,UAAI,CAAC,OAAQ;AAEb,UAAI,OAAO,iBAAiB,QAAQ,UAAU,cAAc;AAC1D,kBAAU,cAAc,OAAO,IAAI,KAAK,OAAO,IAAI,eAAe;AAClE,aAAK,SAAS,EAAE;AAAA,MAClB;AAEA,YAAM,KAAK,MAAM,iBAAiB,OAAO;AAAA,QACvC,cAAc,OAAO;AAAA,MACvB,CAAC;AACD;AAAA,QACE,qBAAqB,GAAG,UAAU,IAAI,KAAK,GAAG,UAAU,IAAI;AAAA,MAC9D;AACA,WAAK,SAAS,EAAE;AAAA,IAClB,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC;AACL;AAEA,SAAS,WACP,YACA,MACsB;AACtB,QAAM,SAAS,WAAW,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AACrD,MAAI,CAAC,QAAQ;AACX,UAAM,YAAY,WAAW,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI,KAAK;AAC9D;AAAA,MACE,2BAA2B,IAAI,kCAAkC,SAAS;AAAA,IAC5E;AACA,SAAK,SAAS,QAAQ;AAAA,EACxB;AACA,SAAO;AACT;AAMA,eAAe,kBAAkB,MAGa;AAC5C,MAAI,CAAC,QAAQ,MAAM,OAAO;AACxB;AAAA,MACE;AAAA,IACF;AACA,SAAK,SAAS,YAAY;AAAA,EAC5B;AACA,MAAI,KAAK,WAAW,WAAW,GAAG;AAChC;AAAA,MACE;AAAA,IACF;AACA,SAAK,SAAS,QAAQ;AAAA,EACxB;AACA,MAAI,KAAK,WAAW,WAAW,GAAG;AAChC,cAAU,oDAAoD;AAC9D,SAAK,SAAS,EAAE;AAAA,EAClB;AAEA,QAAM,SAAS,MAAQ,SAAO;AAAA,IAC5B,SAAS;AAAA,IACT,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK,WAAW,IAAI,CAAC,OAAO;AAAA,MACnC,OAAO,EAAE;AAAA,MACT,OAAO,GAAG,EAAE,IAAI,KAAK,EAAE,IAAI;AAAA,MAC3B,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,EACJ,CAAC;AACD,MAAM,WAAS,MAAM,GAAG;AACtB,cAAU,YAAY;AACtB,WAAO;AAAA,EACT;AACA,SAAO,KAAK,WAAW,KAAK,CAAC,MAAM,EAAE,iBAAiB,MAAM;AAC9D;;;ACjGO,SAAS,yBAAyB,QAAuB;AAC9D,SACG,QAAQ,SAAS,EACjB;AAAA,IACC;AAAA,EACF,EACC,OAAO,aAAa,gDAAgD,EACpE;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAAyB;AAGhC,SAAK,IAAI,IAAI;AAAA,EACf,CAAC;AACL;AAEA,eAAe,IAAI,MAAqC;AACtD,QAAM,UAAU,MAAM,iBAAiB,QAAQ;AAC/C,MAAI,CAAC,SAAS;AACZ,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,eAAe,MAAM,CAAC;AAAA,IACpC,OAAO;AACL;AAAA,QACE;AAAA,MACF;AAAA,IACF;AACA,SAAK,SAAS,uBAAuB;AAAA,EACvC;AAEA,QAAM,KAAK,QAAQ;AACnB,MAAI,KAAK,MAAM;AACb,cAAU,EAAE;AACZ,SAAK,SAAS,EAAE;AAAA,EAClB;AACA,MAAI,KAAK,SAAS;AAChB,YAAQ,OAAO,MAAM,SAAS,GAAG,IAAI;AAAA,CAAI;AACzC,YAAQ,OAAO,MAAM,SAAS,GAAG,IAAI;AAAA,CAAI;AACzC,YAAQ,OAAO,MAAM,SAAS,GAAG,IAAI;AAAA,CAAI;AACzC,YAAQ,OAAO,MAAM,SAAS,GAAG,cAAc;AAAA,CAAI;AACnD,SAAK,SAAS,EAAE;AAAA,EAClB;AACA,UAAQ,OAAO,MAAM,GAAG,GAAG,IAAI;AAAA,CAAI;AACnC,OAAK,SAAS,EAAE;AAClB;;;AC9CO,SAAS,0BAA0BC,UAAwB;AAChE,QAAM,YAAYA,SACf,QAAQ,WAAW,EACnB,MAAM,YAAY,EAClB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,qBAAqB,CAAC,CAAC,CAAC;AACxC,wBAAsB,SAAS;AAC/B,0BAAwB,SAAS;AACjC,2BAAyB,SAAS;AACpC;;;ACDO,SAAS,iBAAiB,QAAuB;AACtD,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC;AAAA,EACH,EACC;AAAA,IACC;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC;AAAA,EACH,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,qBAAqB,IAAI,EACzB,OAAO,OAAO,MAAmB,YAAqB;AACrD,QAAI;AACF,YAAM,OAAO,MAAM,YAAY,MAAM,QAAQ,IAAI;AACjD,cAAQ,KAAK,IAAI;AAAA,IACnB,SAAS,OAAO;AACd,qBAAe,KAAK;AAAA,IACtB;AAAA,EACF,CAAC,EACA;AAAA,IACC;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCF;AACJ;AAEA,SAAS,QAAQ,OAAe,MAA0B;AACxD,SAAO,CAAC,GAAG,MAAM,KAAK;AACxB;AAEA,eAAe,YACb,MACA,YACiB;AACjB,QAAM,UAAU,WAAW,KAAK,GAAG,EAAE,KAAK;AAC1C,MAAI,CAAC,SAAS;AACZ;AAAA,MACE;AAAA,IACF;AACA,SAAK,SAAS,WAAW;AAAA,EAC3B;AACA,MAAI,KAAK,KAAK,WAAW,KAAK,OAAO,QAAQ;AAC3C;AAAA,MACE,sDAAsD,KAAK,KAAK,MAAM,eAAe,KAAK,OAAO,MAAM;AAAA,IACzG;AACA,SAAK,SAAS,WAAW;AAAA,EAC3B;AAEA,SAAO,YAAY,QAAQ;AAAA,IACzB;AAAA;AAAA;AAAA;AAAA,IAIA,aAAa,KAAK,KAAK,IAAI,CAAC,IAAI,OAAO;AAAA,MACrC;AAAA,MACA,QAAQ,KAAK,OAAO,CAAC;AAAA,IACvB,EAAE;AAAA,IACF,KAAK,KAAK;AAAA,IACV,OAAO,KAAK;AAAA,EACd,CAAC;AACH;;;ACzHO,SAAS,qBAAqBC,UAAwB;AAC3D,QAAM,OAAOA,SACV,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF;AAEF,mBAAiB,IAAI;AACvB;;;ACDA,eAAsB,sBACpB,MACe;AACf,MAAI;AACF,UAAM,cAAc,MAAM,iBAAiB,gBAAgB;AAAA,MACzD,SAAS,KAAK;AAAA,MACd,MAAM,KAAK;AAAA,MACX,OAAO,KAAK;AAAA,IACd,CAAC;AAED,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,YAAY,CAAC;AACzB;AAAA,IACF;AACA,QAAI,YAAY,WAAW,GAAG;AAC5B,YAAM,aAAa,0BAA0B,IAAI;AACjD,cAAQ,OAAO;AAAA,QACb,aACI,yBAAyB,UAAU;AAAA,IACnC;AAAA,MACN;AACA;AAAA,IACF;AACA;AAAA,MACE,CAAC,MAAM,WAAW,OAAO;AAAA,MACzB,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC;AAAA,MACjD;AAAA;AAAA;AAAA;AAAA,QAIE,UAAU,CAAC,MAAM,MAAM,YAAY,CAAC,EAAG;AAAA,QACvC,SAAS,UAAU,CAAC;AAAA,MACtB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,mBAAe,KAAK;AAAA,EACtB;AACF;AAOO,SAAS,uBAAuB,QAAuB;AAC5D,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAAgC,sBAAsB,IAAI,CAAC;AACxE;AAEA,SAAS,0BAA0B,MAAqC;AACtE,QAAM,QAAkB,CAAC;AACzB,MAAI,KAAK,QAAS,OAAM,KAAK,aAAa,KAAK,OAAO,EAAE;AACxD,MAAI,KAAK,KAAM,OAAM,KAAK,QAAQ;AAClC,MAAI,KAAK,MAAO,OAAM,KAAK,OAAO,KAAK,KAAK,GAAG;AAC/C,SAAO,MAAM,KAAK,GAAG;AACvB;;;AClFO,SAAS,aACd,OACA,MACqB;AACrB,QAAM,WAAW,KAAK,MAAM,GAAG,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC;AAC3D,MAAI,UAAmB;AACvB,aAAW,WAAW,UAAU;AAC9B,QAAI,YAAY,QAAQ,YAAY,OAAW,QAAO;AACtD,QAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,YAAM,MAAM,OAAO,SAAS,SAAS,EAAE;AACvC,UAAI,OAAO,MAAM,GAAG,EAAG,QAAO;AAC9B,gBAAU,QAAQ,GAAG;AAAA,IACvB,WAAW,OAAO,YAAY,UAAU;AAItC,gBAAU,QAAQ,IAAI,SAAS,OAAO;AAAA,IACxC,OAAO;AACL,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAQO,SAAS,qBAAqB,OAAwB;AAC3D,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,SAAO,KAAK,UAAU,OAAO,MAAM,CAAC;AACtC;;;AC3BO,SAAS,sBAAsB,QAAuB;AAC3D,SACG,QAAQ,KAAK,EACb,SAAS,QAAQ,yCAAoC,EACrD;AAAA,IACC;AAAA,EACF,EACC,OAAO,UAAU,wCAAwC,EACzD;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,IAAY,SAAqB;AAC9C,QAAI;AACF,YAAM,SAAS,MAAM,iBAAiB,cAAc,EAAE;AAEtD,UAAI,KAAK,OAAO;AACd,cAAM,QAAQ,aAAa,QAAQ,KAAK,KAAK;AAC7C,YAAI,UAAU,QAAW;AACvB,gBAAM,WAAW,OAAO,KAAK,MAAM,EAAE,KAAK,IAAI;AAC9C;AAAA,YACE,UAAU,KAAK,KAAK,yDAAyD,QAAQ,mEAAmE,EAAE;AAAA,UAC5J;AACA,eAAK,SAAS,QAAQ;AAAA,QACxB;AACA,gBAAQ,OAAO,MAAM,qBAAqB,KAAK,IAAI,IAAI;AACvD;AAAA,MACF;AACA,UAAI,KAAK,MAAM;AACb,kBAAU,MAAM;AAChB;AAAA,MACF;AACA,mBAAa,MAAM;AAAA,IACrB,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,0BAA0B,EAAE;AAAA,MAC/C,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;AAEA,SAAS,aAAa,QAAoC;AACxD,QAAM,MAAM,QAAQ;AACpB,MAAI,MAAM,GAAG,OAAO,EAAE,OAAO,OAAO,KAAK;AAAA,CAAI;AAC7C,MAAI,MAAM,iBAAiB,OAAO,aAAa;AAAA,CAAI;AACnD,MAAI,MAAM,iBAAiB,OAAO,cAAc;AAAA,CAAI;AACpD,MAAI,MAAM,iBAAiB,OAAO,UAAU,MAAM,GAAG,EAAE,CAAC;AAAA,CAAI;AAC5D,MAAI;AAAA,IACF,iBAAiB,OAAO,kBAAkB,iBAAiB,iBAAiB;AAAA;AAAA,EAC9E;AACA,MAAI,MAAM,iBAAiB,OAAO,WAAW,QAAQ,IAAI;AAAA;AAAA,CAAM;AAE/D,MAAI,MAAM,YAAY;AACtB,aAAW,KAAK,OAAO,QAAS,KAAI,MAAM,KAAK,CAAC;AAAA,CAAI;AACpD,MAAI,MAAM,IAAI;AAEd,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,QAAI,MAAM,WAAW;AACrB,eAAW,KAAK,OAAO,QAAQ;AAC7B,UAAI,MAAM,KAAK,EAAE,KAAK,OAAO,EAAE,CAAC,IAAI,EAAE,WAAW,WAAW,QAAQ;AAAA,CAAI;AAAA,IAC1E;AACA,QAAI,MAAM,IAAI;AAAA,EAChB;AAEA,MAAI,OAAO,iBAAiB,OAAO,cAAc,SAAS,GAAG;AAC3D,QAAI,MAAM,kBAAkB,OAAO,cAAc,KAAK,IAAI,CAAC;AAAA,CAAI;AAAA,EACjE;AACF;;;ACpFA,OAAOC,YAAW;AAiBX,SAAS,0BAA0B,QAAuB;AAC/D,SACG,QAAQ,SAAS,EACjB;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,gBAAgB,wBAAwB,EAC/C,OAAO,OAAO,SAAiB,SAAyB;AACvD,QAAI;AACF,YAAM,SAAS,MAAM,iBAAiB,kBAAkB;AAAA,QACtD;AAAA;AAAA;AAAA,QAGA,cAAc,KAAK,YAAY,KAAK,cAAc;AAAA,MACpD,CAAC;AACD,UAAI,OAAO,SAAS,aAAa;AAC/B,gBAAQ,OAAO,MAAM,GAAG,OAAO,GAAG;AAAA,CAAI;AACtC;AAAA,MACF;AACA,gBAAU,WAAWC,OAAM,KAAK,OAAO,GAAG,CAAC,EAAE;AAC7C;AAAA,QACE,kBAAa,OAAO;AAAA,MACtB;AACA,cAAQ,OAAO;AAAA,QACb;AAAA,8DAAiE,OAAO;AAAA;AAAA,MAC1E;AAAA,IACF,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,YAAY,OAAO;AAAA,MACtC,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;;;AC1CO,SAAS,2BAA2BC,UAAwB;AACjE,QAAM,aAAaA,SAChB,QAAQ,YAAY,EACpB,MAAM,aAAa,EACnB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,sBAAsB,CAAC,CAAC,CAAC;AAEzC,yBAAuB,UAAU;AACjC,wBAAsB,UAAU;AAChC,4BAA0B,UAAU;AACtC;;;AC3BA,OAAOC,YAAW;AAalB,IAAM,cAAc,CAAC,UAAU,UAAU,YAAY,QAAQ;AAC7D,IAAM,iBAAsC,IAAI,IAAI,WAAW;AAO/D,eAAsB,uBACpB,MACe;AACf,MAAI,KAAK,QAAQ,CAAC,eAAe,IAAI,KAAK,IAAI,GAAG;AAC/C;AAAA,MACE,mBAAmB,KAAK,IAAI,qBAAqB,YAAY,KAAK,IAAI,CAAC;AAAA,IACzE;AACA,SAAK,SAAS,WAAW;AAAA,EAC3B;AAEA,MAAI;AACF,UAAM,eAAe,MAAM,iBAAiB,iBAAiB;AAAA,MAC3D,MAAM,KAAK;AAAA,MACX,OAAO,KAAK;AAAA,IACd,CAAC;AACD,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,aAAa,CAAC;AAC1B;AAAA,IACF;AACA,QAAI,aAAa,WAAW,GAAG;AAC7B,YAAM,aAAa;AAAA,QACjB,KAAK,OAAO,UAAU,KAAK,IAAI,KAAK;AAAA,QACpC,KAAK,QAAQ,OAAO,KAAK,KAAK,MAAM;AAAA,MACtC,EACG,OAAO,OAAO,EACd,KAAK,GAAG;AACX,cAAQ,OAAO;AAAA,QACb,0BAA0B,cAAc,YAAY;AAAA;AAAA,MACtD;AACA;AAAA,IACF;AACA;AAAA,MACE,CAAC,WAAW,SAAS,MAAM;AAAA,MAC3B,aAAa,IAAI,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,CAAC;AAAA,MAC9D;AAAA;AAAA;AAAA;AAAA,QAIE,SAAS,CAAC,MAAM,SAAS;AACvB,cAAI,KAAK,QAAQ,EAAG,QAAOC,OAAM,KAAK,IAAI;AAC1C,cAAI,KAAK,QAAQ,EAAG,QAAOA,OAAM,IAAI,IAAI;AACzC,iBAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,mBAAe,KAAK;AAAA,EACtB;AACF;AAQO,SAAS,wBAAwB,QAAuB;AAC7D,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA,8BAA8B,YAAY,KAAK,KAAK,CAAC;AAAA,EACvD,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,CAAC,SAAiC,uBAAuB,IAAI,CAAC;AAC1E;;;AC9EO,SAAS,uBAAuB,QAAuB;AAC5D,SACG,QAAQ,KAAK,EACb,SAAS,aAAa,uCAAkC,EACxD;AAAA,IACC;AAAA,EACF,EACC,OAAO,UAAU,wCAAwC,EACzD;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,SAAiB,SAAqB;AACnD,QAAI;AACF,YAAM,SAAS,MAAM,iBAAiB,eAAe,OAAO;AAE5D,UAAI,KAAK,OAAO;AACd,cAAM,QAAQ,aAAa,QAAQ,KAAK,KAAK;AAC7C,YAAI,UAAU,QAAW;AACvB,gBAAM,WAAW,OAAO,KAAK,MAAM,EAAE,KAAK,IAAI;AAC9C;AAAA,YACE,UAAU,KAAK,KAAK,0DAA0D,QAAQ,oEAAoE,OAAO;AAAA,UACnK;AACA,eAAK,SAAS,QAAQ;AAAA,QACxB;AACA,gBAAQ,OAAO,MAAM,qBAAqB,KAAK,IAAI,IAAI;AACvD;AAAA,MACF;AACA,UAAI,KAAK,MAAM;AACb,kBAAU,MAAM;AAChB;AAAA,MACF;AACA,MAAAC,cAAa,MAAM;AAAA,IACrB,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,6BAA6B,OAAO;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;AAEA,SAASA,cAAa,QAAqC;AACzD,QAAM,MAAM,QAAQ;AACpB,MAAI,MAAM,GAAG,OAAO,OAAO,OAAO,OAAO,KAAK;AAAA,CAAI;AAClD,MAAI,MAAM,YAAY,OAAO,cAAc;AAAA;AAAA,CAAM;AAEjD,MAAI,MAAM,gBAAgB;AAC1B,MAAI,MAAM,KAAK,OAAO,WAAW;AAAA;AAAA,CAAM;AAEvC,MAAI,OAAO,eAAe,OAAO,YAAY,SAAS,GAAG;AACvD,QAAI,MAAM,iBAAiB;AAC3B,eAAW,SAAS,OAAO,aAAa;AACtC,UAAI;AAAA,QACF,KAAK,MAAM,KAAK,OAAO,EAAE,CAAC,IAAI,MAAM,eAAe,kBAAkB;AAAA;AAAA,MACvE;AAAA,IACF;AACA,QAAI,MAAM,IAAI;AAAA,EAChB;AAEA,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,QAAI,MAAM,kBAAkB;AAC5B,eAAW,KAAK,OAAO,QAAQ;AAC7B,UAAI,MAAM,KAAK,EAAE,KAAK,OAAO,EAAE,CAAC,IAAI,EAAE,WAAW,WAAW,QAAQ;AAAA,CAAI;AAAA,IAC1E;AACA,QAAI,MAAM,IAAI;AAAA,EAChB;AAEA,MAAI,OAAO,QAAQ,SAAS,GAAG;AAC7B,QAAI,MAAM,gCAAgC;AAC1C,QAAI,MAAM,KAAK,OAAO,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,EAAE,KAAK,IAAI,CAAC;AAAA,CAAI;AAAA,EAClE;AACF;;;AC1EO,SAAS,8BAA8B,QAAuB;AACnE,SACG,QAAQ,YAAY,EACpB,SAAS,aAAa,4CAA4C,EAClE;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,OAAO,OAAO,SAAiB,SAA4B;AAC1D,QAAI;AACF,YAAM,aAAa,MAAM,iBAAiB,eAAe;AAAA,QACvD;AAAA,QACA,OAAO,KAAK;AAAA,MACd,CAAC;AACD,UAAI,KAAK,MAAM;AACb,kBAAU,EAAE,WAAW,CAAC;AACxB;AAAA,MACF;AACA,UAAI,WAAW,WAAW,GAAG;AAC3B,gBAAQ,OAAO;AAAA,UACb,KAAK,QACD,sBAAsB,OAAO,gBAAgB,KAAK,KAAK;AAAA,IACvD,KAAK,OAAO;AAAA;AAAA,QAClB;AACA;AAAA,MACF;AACA;AAAA,QACE,CAAC,MAAM,SAAS,aAAa;AAAA,QAC7B,WAAW,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,GAAG,OAAO,GAAG,WAAW,CAAC;AAAA,QACxD,EAAE,SAAS,UAAU,CAAC,EAAE;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,qBAAe,OAAO;AAAA,QACpB,iBAAiB,6BAA6B,OAAO;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AACL;;;ACjDA,IAAM,gBAAgB,CAAC,QAAQ,YAAY,MAAM;AACjD,IAAM,mBAAwC,IAAI,IAAI,aAAa;AAQ5D,SAAS,6BAA6B,QAAuB;AAClE,SACG,QAAQ,WAAW,EACnB;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC,SAAS,UAAU,oDAAoD,EACvE;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA,kBAAkB,cAAc,KAAK,KAAK,CAAC;AAAA,IAC3C;AAAA,EACF,EACC;AAAA,IACC,OACE,aACA,WACA,SACG;AACH,YAAM,SAAS,KAAK,UAAU;AAC9B,UAAI,CAAC,iBAAiB,IAAI,MAAM,GAAG;AACjC;AAAA,UACE,qBAAqB,MAAM,qBAAqB,cAAc,KAAK,IAAI,CAAC;AAAA,QAC1E;AACA,aAAK,SAAS,WAAW;AAAA,MAC3B;AAEA,UAAI;AACF,cAAM,SAAS,MAAM,iBAAiB;AAAA,UACpC,YACI,EAAE,SAAS,aAAa,MAAM,UAAU,IACxC,EAAE,MAAM,YAAY;AAAA,QAC1B;AAEA,YAAI,WAAW,QAAQ;AACrB,oBAAU,MAAM;AAChB;AAAA,QACF;AACA,YAAI,WAAW,YAAY;AACzB,kBAAQ,OAAO,MAAM,OAAO,gBAAgB,IAAI;AAChD;AAAA,QACF;AACA,kBAAU,MAAM;AAAA,MAClB,SAAS,OAAO;AACd,cAAM,SAAS,YAAY,GAAG,WAAW,IAAI,SAAS,KAAK;AAC3D,uBAAe,OAAO;AAAA,UACpB,iBAAiB,2BAA2B,MAAM;AAAA,QACpD,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeF;AACJ;AASA,SAAS,UAAU,QAA8C;AAC/D,QAAM,MAAM,QAAQ;AACpB,MAAI,MAAM,GAAG,OAAO,OAAO,SAAM,OAAO,KAAK;AAAA;AAAA,CAAM;AACnD,MAAI,OAAO,YAAa,KAAI,MAAM,GAAG,OAAO,WAAW;AAAA;AAAA,CAAM;AAC7D,QAAM,UAAU,OAAO,cACpB,QAAQ,YAAY,EAAE,EACtB,QAAQ,iBAAiB,EAAE;AAC9B,MAAI,MAAM,OAAO;AACjB,MAAI,CAAC,QAAQ,SAAS,IAAI,EAAG,KAAI,MAAM,IAAI;AAC7C;;;AC5FO,SAAS,4BAA4BC,UAAwB;AAClE,QAAM,cAAcA,SACjB,QAAQ,aAAa,EACrB,MAAM,cAAc,EACpB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,uBAAuB,CAAC,CAAC,CAAC;AAE1C,0BAAwB,WAAW;AACnC,yBAAuB,WAAW;AAClC,gCAA8B,WAAW;AACzC,+BAA6B,WAAW;AAC1C;;;AChBA,IAAM,oBAAoB;AAQnB,SAAS,iBAAiB,MAA2B;AAC1D,QAAM,OAAO,cAAc,WAAW;AAEtC,MAAI,KAAK,KAAK;AACZ,QAAI,CAAC,oBAAoB,KAAK,GAAG,GAAG;AAClC;AAAA,QACE,uBAAuB,KAAK,GAAG,kBAAkB,qBAAqB,KAAK,IAAI,CAAC;AAAA,MAClF;AACA,WAAK,SAAS,WAAW;AAAA,IAC3B;AACA,UAAM,QAAQ,KAAK,KAAK,GAAG;AAC3B,QAAI,KAAK,MAAM;AACb,gBAAU,EAAE,CAAC,KAAK,GAAG,GAAG,SAAS,KAAK,CAAC;AACvC;AAAA,IACF;AACA,YAAQ,OAAO,OAAO,SAAS,qBAAqB,IAAI;AACxD;AAAA,EACF;AAEA,MAAI,KAAK,MAAM;AACb,UAAM,UAAyC,CAAC;AAChD,eAAW,KAAK,qBAAsB,SAAQ,CAAC,IAAI,KAAK,CAAC,KAAK;AAC9D,cAAU,OAAO;AACjB;AAAA,EACF;AAEA;AAAA,IACE,CAAC,OAAO,OAAO;AAAA,IACf,qBAAqB,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,iBAAiB,CAAC;AAAA,EACnE;AACF;AASO,SAAS,kBAAkB,QAAuB;AACvD,SACG,QAAQ,KAAK,EACb;AAAA,IACC;AAAA,IACA,yBAAyB,qBAAqB,KAAK,KAAK,CAAC;AAAA,EAC3D,EACC;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IAAO,CAAC,KAAyB,SAChC,iBAAiB,EAAE,KAAK,MAAM,KAAK,KAAK,CAAC;AAAA,EAC3C;AACJ;;;AC1DO,SAAS,kBAAkB,QAAuB;AACvD,SACG,QAAQ,KAAK,EACb,SAAS,SAAS,eAAe,qBAAqB,KAAK,KAAK,CAAC,IAAI,EACrE;AAAA,IACC;AAAA,IACA;AAAA,EACF,EACC;AAAA,IACC;AAAA,EACF,EACC,OAAO,OAAO,KAAa,UAAkB;AAC5C,QAAI,CAAC,oBAAoB,GAAG,GAAG;AAC7B;AAAA,QACE,uBAAuB,GAAG,kBAAkB,qBAAqB,KAAK,IAAI,CAAC;AAAA,MAC7E;AACA,WAAK,SAAS,WAAW;AAAA,IAC3B;AAEA,UAAM,SAAS,MAAM,cAAc,IAAI,EAAE,KAAK,MAAM,CAAC;AACrD,QAAI,OAAO,IAAI;AACb,mBAAa,OAAO,GAAG,MAAM,KAAK,EAAE;AACpC;AAAA,IACF;AAIA,YAAQ,OAAO,QAAQ;AAAA,MACrB,KAAK;AACH,mBAAW,qBAAqB,GAAG,KAAK,OAAO,KAAK,GAAG;AACvD,aAAK,SAAS,WAAW;AAAA;AAAA,MAE3B,KAAK;AACH;AAAA,UACE,4DAA4D,OAAO,UAAU;AAAA,QAC/E;AACA;AAAA,UACE,+EAA+E,KAAK;AAAA,QACtF;AACA,aAAK,SAAS,YAAY;AAAA;AAAA,MAE5B,SAAS;AACP,cAAM,cAAqB;AAC3B,cAAM,IAAI;AAAA,UACR,yBAAyB,KAAK,UAAU,WAAW,CAAC;AAAA,QACtD;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AACL;;;ACvDO,SAAS,oBAAoB,QAAuB;AACzD,SACG,QAAQ,OAAO,EACf,SAAS,SAAS,eAAe,qBAAqB,KAAK,KAAK,CAAC,IAAI,EACrE;AAAA,IACC;AAAA,EACF,EACC,OAAO,OAAO,QAAgB;AAC7B,QAAI,CAAC,oBAAoB,GAAG,GAAG;AAC7B;AAAA,QACE,uBAAuB,GAAG,kBAAkB,qBAAqB,KAAK,IAAI,CAAC;AAAA,MAC7E;AACA,WAAK,SAAS,WAAW;AAAA,IAC3B;AAEA,UAAM,SAAS,MAAM,cAAc,MAAM,EAAE,IAAI,CAAC;AAChD,QAAI,CAAC,OAAO,QAAQ;AAClB,mBAAa,GAAG,GAAG,qBAAqB;AACxC;AAAA,IACF;AACA,iBAAa,SAAS,GAAG,GAAG;AAAA,EAC9B,CAAC;AACL;;;AC7BO,SAAS,mBAAmB,QAAuB;AACxD,SACG,QAAQ,MAAM,EACd;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM;AACZ,YAAQ,OAAO,MAAM,cAAc,OAAO,IAAI;AAAA,EAChD,CAAC;AACL;;;ACKO,SAAS,uBAAuBC,UAAwB;AAC7D,QAAM,SAASA,SACZ,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM,iBAAiB,CAAC,CAAC,CAAC;AAEpC,oBAAkB,MAAM;AACxB,oBAAkB,MAAM;AACxB,sBAAoB,MAAM;AAC1B,qBAAmB,MAAM;AAEzB,SAAO;AAAA,IACL;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBF;AACF;;;AC1DA,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AACrB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA,gBAAAC;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACTP;;;ADoBO,IAAM,kBAAkB;AACxB,IAAM,gBAAgB;AAgC7B,IAAM,OAAOC,SAAQ;AACrB,IAAM,kBAAkBC,MAAK,MAAM,WAAW,QAAQ;AACtD,IAAM,gBAAgBA,MAAK,iBAAiB,eAAe;AAC3D,IAAM,iBAAiBA,MAAK,MAAM,WAAW,QAAQ;AACrD,IAAM,qBAAqBA,MAAK,gBAAgB,eAAe;AAE/D,IAAM,UAAyB;AAAA,EAC7B;AAAA,IACE,MAAM;AAAA,IACN,QAAQ,MAAM,WAAWA,MAAK,MAAM,SAAS,CAAC;AAAA,IAC9C,UAAU;AAAA,IACV,WAAWA,MAAK,eAAe,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,IAKzC,aAAa,CAACA,MAAK,iBAAiB,GAAG,eAAe,KAAK,CAAC;AAAA,EAC9D;AAAA,EACA;AAAA,IACE,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAON,QAAQ,MACN,WAAWA,MAAK,MAAM,QAAQ,CAAC,KAC/B,WAAWA,MAAK,MAAM,SAAS,CAAC,KAChC,WAAWA,MAAK,MAAM,SAAS,CAAC;AAAA,IAClC,UAAU;AAAA,IACV,WAAWA,MAAK,oBAAoB,UAAU;AAAA,IAC9C,aAAa,CAAC;AAAA,EAChB;AACF;AAOO,SAAS,qBAAoC;AAClD,QAAM,MAAqB,CAAC;AAC5B,aAAW,UAAU,SAAS;AAC5B,QAAI,CAAC,OAAO,OAAO,EAAG;AACtB,QAAI,KAAK,EAAE,MAAM,OAAO,MAAM,MAAM,OAAO,UAAU,CAAC;AAAA,EACxD;AACA,SAAO;AACT;AAQO,SAAS,gBAAsC;AACpD,QAAM,UAAgC,CAAC;AACvC,aAAW,UAAU,SAAS;AAC5B,QAAI,CAAC,OAAO,OAAO,EAAG;AACtB,UAAM,OAAO,OAAO;AACpB,QAAI;AACF,gBAAU,OAAO,UAAU,EAAE,WAAW,KAAK,CAAC;AAC9C,YAAM,WAAW,WAAW,IAAI,IAAIC,cAAa,MAAM,OAAO,IAAI;AAClE,YAAM,UAAU,aAAa;AAC7B,oBAAc,MAAM,aAAa;AACjC,iBAAW,UAAU,OAAO,aAAa;AACvC,YAAI,WAAW,MAAM,EAAG,YAAW,MAAM;AAAA,MAC3C;AACA,cAAQ,KAAK;AAAA,QACX,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ,UAAU,YAAY;AAAA,MAChC,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,cAAQ,KAAK;AAAA,QACX,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ;AAAA,QACR,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,kBAA0C;AACxD,QAAM,UAAkC,CAAC;AACzC,aAAW,UAAU,SAAS;AAC5B,QAAI,CAAC,OAAO,OAAO,EAAG;AACtB,UAAM,MAAM,OAAO;AACnB,UAAM,OAAO,OAAO;AACpB,UAAM,WAAW,OAAO,YAAY,OAAO,CAACC,OAAM,WAAWA,EAAC,CAAC;AAC/D,QAAI,CAAC,WAAW,GAAG,KAAK,SAAS,WAAW,GAAG;AAC7C,cAAQ,KAAK,EAAE,MAAM,OAAO,MAAM,MAAM,QAAQ,SAAS,CAAC;AAC1D;AAAA,IACF;AACA,QAAI;AAGF,aAAO,KAAK,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC;AAC5C,iBAAW,UAAU,SAAU,YAAW,MAAM;AAChD,cAAQ,KAAK,EAAE,MAAM,OAAO,MAAM,MAAM,QAAQ,UAAU,CAAC;AAAA,IAC7D,SAAS,KAAK;AACZ,cAAQ,KAAK;AAAA,QACX,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ;AAAA,QACR,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;;;AEpJO,SAAS,sBAAsB,QAAuB;AAC3D,SACG,QAAQ,SAAS,EACjB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM;AACZ,UAAM,UAAU,mBAAmB;AACnC,QAAI,QAAQ,WAAW,GAAG;AACxB;AAAA,QACE;AAAA,MACF;AACA,WAAK,SAAS,QAAQ;AAAA,IACxB;AACA,UAAM,UAAU,cAAc;AAC9B,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,WAAW,UAAU;AACzB,mBAAW,GAAG,EAAE,IAAI,KAAK,EAAE,SAAS,QAAQ,KAAK,EAAE,IAAI,GAAG;AAC1D;AAAA,MACF;AACA,UAAI,EAAE,WAAW,WAAW;AAC1B,qBAAa,GAAG,EAAE,IAAI,KAAK,EAAE,IAAI,EAAE;AAAA,MACrC,OAAO;AACL,kBAAU,GAAG,EAAE,IAAI,KAAK,EAAE,IAAI,uBAAuB;AAAA,MACvD;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,KAAK,CAAC,MAAM,EAAE,WAAW,QAAQ;AACxD,SAAK,SAAS,SAAS,gBAAgB,SAAS,EAAE;AAAA,EACpD,CAAC;AACL;;;ACrCO,SAAS,wBAAwB,QAAuB;AAC7D,SACG,QAAQ,WAAW,EACnB;AAAA,IACC;AAAA,EACF,EACC,OAAO,MAAM;AACZ,UAAM,UAAU,gBAAgB;AAChC,QAAI,QAAQ,WAAW,GAAG;AACxB,gBAAU,oDAAoD;AAC9D,WAAK,SAAS,EAAE;AAAA,IAClB;AACA,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,WAAW,UAAU;AACzB,mBAAW,GAAG,EAAE,IAAI,KAAK,EAAE,SAAS,QAAQ,KAAK,EAAE,IAAI,GAAG;AAC1D;AAAA,MACF;AACA,UAAI,EAAE,WAAW,WAAW;AAC1B,qBAAa,GAAG,EAAE,IAAI,aAAa,EAAE,IAAI,EAAE;AAAA,MAC7C,OAAO;AACL,kBAAU,GAAG,EAAE,IAAI,wBAAwB,EAAE,IAAI,eAAe;AAAA,MAClE;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,KAAK,CAAC,MAAM,EAAE,WAAW,QAAQ;AACxD,SAAK,SAAS,SAAS,gBAAgB,SAAS,EAAE;AAAA,EACpD,CAAC;AACL;;;ACzBO,SAAS,uBAAuBC,UAAwB;AAC7D,QAAM,SAASA,SACZ,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF;AAEF,wBAAsB,MAAM;AAC5B,0BAAwB,MAAM;AAChC;;;ACnBA,OAAOC,YAAW;;;ACDlB,SAAS,WAAW,QAAAC,aAAY;AAChC,SAAS,YAAY,iBAAiB;AAa/B,IAAM,wBAAwB,CAAC,QAAQ,QAAQ,IAAI;AASnD,SAAS,WAAW,MAA6B;AACtD,QAAM,OAAO,QAAQ,IAAI;AACzB,MAAI,CAAC,KAAM,QAAO;AAClB,aAAW,OAAO,KAAK,MAAM,SAAS,GAAG;AACvC,QAAI,IAAI,WAAW,EAAG;AACtB,UAAM,YAAYC,MAAK,KAAK,IAAI;AAChC,QAAI;AACF,iBAAW,WAAW,UAAU,IAAI;AACpC,aAAO;AAAA,IACT,QAAQ;AAAA,IAER;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,mBAAoC;AAClD,QAAM,QAAQ,CAAC;AACf,QAAM,UAAwB,CAAC;AAC/B,aAAW,OAAO,uBAAuB;AACvC,UAAM,OAAO,WAAW,GAAG;AAC3B,UAAM,GAAG,IAAI;AACb,QAAI,SAAS,KAAM,SAAQ,KAAK,GAAG;AAAA,EACrC;AACA,SAAO,EAAE,SAAS,MAAM;AAC1B;AASO,SAAS,qBAA2B;AACzC,QAAM,EAAE,QAAQ,IAAI,iBAAiB;AACrC,MAAI,QAAQ,WAAW,EAAG;AAC1B;AAAA,IACE,sCAAsC,QAAQ,KAAK,IAAI,CAAC,KAAK,YAAY,OAAO,CAAC;AAAA,EACnF;AACA,OAAK,SAAS,aAAa;AAC7B;AAQO,SAAS,YAAY,MAAiC;AAC3D,QAAM,OAAO,KAAK,KAAK,GAAG;AAC1B,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,aAAO,gCAAgC,IAAI;AAAA,IAC7C,KAAK;AACH,aAAO,uEAAuE,IAAI,4BAA4B,IAAI;AAAA,IACpH;AACE,aAAO,WAAW,IAAI;AAAA,EAC1B;AACF;;;AD1EA,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AAYlC,SAAS,sBAAsBC,UAAwB;AAC5D,EAAAA,SACG,QAAQ,QAAQ,EAChB;AAAA,IACC;AAAA,EACF,EACC,OAAO,YAAY;AAClB,UAAM,SAAwB,CAAC;AAC/B,WAAO,KAAK,GAAG,iBAAiB,CAAC;AACjC,WAAO,KAAK,GAAI,MAAM,aAAa,CAAE;AACrC,WAAO,KAAK,GAAG,YAAY,CAAC;AAC5B,gBAAY,MAAM;AAClB,UAAM,WAAW,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC3D,SAAK,WAAW,IAAI,SAAS,eAAe,SAAS,EAAE;AAAA,EACzD,CAAC;AACL;AAQA,SAAS,mBAAkC;AACzC,QAAM,EAAE,OAAO,QAAQ,IAAI,iBAAiB;AAC5C,QAAM,MAAqB,CAAC;AAC5B,aAAW,OAAO,uBAAuB;AACvC,UAAM,OAAO,MAAM,GAAG;AACtB,QAAI,MAAM;AACR,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,GAAG;AAAA,QACb,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,OAAO;AACL,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,GAAG;AAAA,QACb,QAAQ;AAAA,QACR,QAAQ,cAAc,YAAY,CAAC,GAAG,CAAC,CAAC;AAAA,MAC1C,CAAC;AAAA,IACH;AAAA,EACF;AACA,MAAI,QAAQ,SAAS,GAAG;AAEtB,QAAI,KAAK;AAAA,MACP,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,YAAY,OAAO;AAAA,IAC7B,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,eAAe,eAAuC;AACpD,QAAM,UAAU,MAAM,sBAAsB,KAAK;AACjD,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL;AAAA,QACE,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACA,QAAM,MAAqB;AAAA,IACzB;AAAA,MACE,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,GAAG,QAAQ,KAAK,SAAS,QAAQ,KAAK,EAAE,OAAO,QAAQ,MAAM;AAAA,IACvE;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,GAAG,QAAQ,UAAU,IAAI,KAAK,QAAQ,UAAU,IAAI;AAAA,IAC9D;AAAA,EACF;AAGA,MAAI;AACF,UAAM,YAAY,OAAO;AACzB,QAAI,KAAK;AAAA,MACP,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,eAAe,YAAY,IAAI,WAAW,KAAK;AACjD,UAAI,KAAK;AAAA,QACP,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,OAAO;AACL,YAAM,SAAS,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC9D,UAAI,KAAK;AAAA,QACP,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QAAQ,GAAG,QAAQ,MAAM,iBAAiB,MAAM;AAAA,MAClD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,cAA6B;AACpC,QAAM,UAAU,mBAAmB;AACnC,MAAI,QAAQ,WAAW,GAAG;AACxB,WAAO;AAAA,MACL;AAAA,QACE,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,QACE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AACA,QAAM,MAAqB,CAAC;AAC5B,aAAW,UAAU,SAAS;AAC5B,QAAI,CAACC,YAAW,OAAO,IAAI,GAAG;AAC5B,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,OAAO,IAAI;AAAA,QACrB,QAAQ;AAAA,QACR,QAAQ,GAAG,OAAO,IAAI;AAAA,MACxB,CAAC;AACD;AAAA,IACF;AACA,UAAM,SAASC,cAAa,OAAO,MAAM,OAAO;AAChD,QAAI,WAAW,eAAe;AAC5B,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,OAAO,IAAI;AAAA,QACrB,QAAQ;AAAA,QACR,QAAQ,GAAG,OAAO,IAAI;AAAA,MACxB,CAAC;AAAA,IACH,OAAO;AACL,UAAI,KAAK;AAAA,QACP,OAAO,GAAG,OAAO,IAAI;AAAA,QACrB,QAAQ;AAAA,QACR,QAAQ,GAAG,OAAO,IAAI;AAAA,MACxB,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAA6B;AAChD,aAAW,SAAS,QAAQ;AAC1B,UAAM,OACJ,MAAM,WAAW,SACbC,OAAM,MAAM,QAAG,IACf,MAAM,WAAW,SACfA,OAAM,OAAO,GAAG,IAChBA,OAAM,IAAI,QAAG;AACrB,YAAQ,OAAO,MAAM,GAAG,IAAI,IAAI,MAAM,KAAK;AAAA,CAAI;AAC/C,YAAQ,OAAO,MAAM,KAAKA,OAAM,IAAI,MAAM,MAAM,CAAC;AAAA,CAAI;AAAA,EACvD;AACA,QAAM,QAAQ,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AACxD,QAAM,QAAQ,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AACxD,UAAQ,OAAO,MAAM,IAAI;AACzB,MAAI,UAAU,KAAK,UAAU,GAAG;AAC9B,YAAQ,OAAO,MAAMA,OAAM,MAAM,sBAAsB,CAAC;AAAA,EAC1D,OAAO;AACL,YAAQ,OAAO;AAAA,MACb,GAAG,KAAK,WAAW,UAAU,IAAI,KAAK,GAAG,KAAK,KAAK,WAAW,UAAU,IAAI,KAAK,GAAG;AAAA;AAAA,IACtF;AAAA,EACF;AACF;;;A/D1KA,IAAM,UAAU,IAAI,QAAQ;AAE5B,QACG,KAAK,MAAM,EACX;AAAA,EACC;AACF,EACC,QAAQ,aAAa,iBAAiB,kCAAkC,EACxE,mBAAmB,EAInB;AAAA,EACC;AAAA,EACA;AACF;AAEF,qBAAqB,OAAO;AAC5B,0BAA0B,OAAO;AACjC,qBAAqB,OAAO;AAC5B,2BAA2B,OAAO;AAClC,4BAA4B,OAAO;AACnC,uBAAuB,OAAO;AAC9B,uBAAuB,OAAO;AAC9B,sBAAsB,OAAO;AAK7B,QAAQ;AAAA,EACN;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAaF;AAOA,IAAI,mBAAmB,QAAQ,IAAI,GAAG;AACpC,qBAAmB;AACrB;AAEA,SAAS,mBAAmB,MAAyB;AAEnD,QAAM,WAAW,KAAK,CAAC;AACvB,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI,aAAa,SAAU,QAAO;AAClC,MAAI,aAAa,YAAY,aAAa,KAAM,QAAO;AACvD,MAAI,aAAa,eAAe,aAAa,KAAM,QAAO;AAC1D,SAAO;AACT;AAEA,IAAI;AACF,QAAM,QAAQ,WAAW,QAAQ,IAAI;AACvC,SAAS,KAAK;AAOZ,MAAI,eAAe,YAAY,IAAI,WAAW,KAAK;AACjD,eAAW,IAAI,OAAO;AACtB,SAAK,SAAS,eAAe;AAAA,EAC/B;AACA,QAAM;AACR;","names":["chalk","sessionStore","apiClientFactory","chalk","apiClientFactory","sessionStore","browserOpener","configService","chalk","sessionStore","chalk","chalk","browserOpener","configService","configStore","sessionStore","z","mkdir","writeFile","unlink","mkdir","writeFile","unlink","spawn","program","chalk","program","program","chalk","chalk","program","chalk","chalk","printDefault","program","program","homedir","join","readFileSync","homedir","join","readFileSync","p","program","chalk","join","join","existsSync","readFileSync","program","existsSync","readFileSync","chalk"]}