@hua-labs/tap 0.5.1 → 0.6.0

package/AI_GUIDE.md

@@ -0,0 +1,165 @@
+# @hua-labs/tap AI Guide
+
+This guide is for AI operators using the public `@hua-labs/tap` package without
+access to HUA's private monorepo notes.
+
+## Release Boundary
+
+`0.6.x` is an advanced operator preview. It helps AI runtimes produce durable
+communication evidence and inspect setup state, but it does not guarantee live
+model execution in every app surface.
+
+Keep these boundaries explicit:
+
+- Inbox, projection, uplink, and review files are durable evidence.
+- Receiver/promoter delivery is the portable CLI/TUI/headless backbone.
+- Codex App / Desktop live delivery is strict-gated by runtime health and route
+  freshness.
+- `tap reviews register` is explicit; automatic registration from every writer
+  path is a later follow-up.
+- Profile packs are data-only validation inputs in `0.6.x`; tap does not run
+  commands from a pack.
+
+## First-Run Path
+
+Run from a git repository:
+
+```bash
+git init
+npx @hua-labs/tap setup --profile codex-cli --dry-run --json
+npx @hua-labs/tap setup --profile codex-cli --apply --json
+npx @hua-labs/tap doctor --setup --profile codex-cli --json
+npx @hua-labs/tap status --json
+npx @hua-labs/tap add codex --name agent-a
+npx @hua-labs/tap ready --surface codex-cli --agent agent-a --apply --json
+npx @hua-labs/tap comms-doctor --all-known --json
+```
+
+Use concrete agent names such as `agent-a`, `operator-a`, or `diagnostic-a`.
+Avoid broad role words such as `codex`, `reviewer`, `implementer`,
+`implementation`, and `tower` as assignment targets unless a reviewed role map
+makes them unambiguous.
+
+## Expected Fresh-Install Results
+
+- `tap setup --apply --json` should return setup evidence without starting
+  receiver, projection, uplink, app-server, or remote-panel processes.
+- `tap status --json` may show zero installed instances until `tap add` runs.
+- `tap ready --surface codex-cli --agent agent-a --apply --json` should publish
+  readiness for the concrete `agent-a` lane.
+- `tap comms-doctor --all-known --json` should diagnose locally installed or
+  observed agents. Bundled operator profile surfaces require explicit
+  `--include-profile-pack`.
+- In an auth-free container or fresh desktop, app/live delivery can remain
+  blocked while inbox/receiver evidence is healthy.
+
+## Profile Pack Template
+
+A generic example is shipped with the package:
+
+```bash
+cp node_modules/@hua-labs/tap/examples/tap-profile-pack.example.json ./tap-profile-pack.json
+npx @hua-labs/tap setup --profile codex-cli --profile-pack ./tap-profile-pack.json --json
+npx @hua-labs/tap doctor --setup --profile codex-cli --profile-pack ./tap-profile-pack.json --json
+```
+
+If you are using `npx` without a local install, create `tap-profile-pack.json`
+from the example shape below or install the package as a dev dependency first.
+
+Profile-pack paths are not auto-corrected because each operator may keep the
+repo, comms directory, state directory, and runtime surfaces in different
+places. Use paths that are valid on the machine where the command runs:
+
+- `paths.repoRoot`: the repository where tap commands run;
+- `paths.commsDir`: the durable comms directory for inbox/projection/evidence;
+- command snippets: reviewed operator hints only; tap validates them but does
+  not execute them in `0.6.x`.
+
+If the pack is invalid, `tap setup --apply` blocks before writing setup
+artifacts. Repair the reported JSON path, or rerun without `--profile-pack`.
+
+## Minimal Generic Profile Pack
+
+```json
+{
+  "schemaVersion": "tap-profile-pack.v0",
+  "packId": "local.public.example",
+  "label": "Local public profile pack example",
+  "profiles": [
+    {
+      "id": "local-agent-a-cli",
+      "label": "Local Agent A CLI",
+      "agent": "agent-a",
+      "runtimeSurface": "codex-cli",
+      "paths": {
+        "repoRoot": ".",
+        "commsDir": "./tap-comms"
+      },
+      "capabilities": {
+        "ready": true,
+        "status": true,
+        "apply": false
+      },
+      "status": {
+        "kind": "codex-cli"
+      },
+      "ready": {
+        "surface": "codex-cli",
+        "commandRef": "ready-check"
+      },
+      "commands": {
+        "ready-check": {
+          "shell": "npx @hua-labs/tap ready --surface codex-cli --agent agent-a --json",
+          "risk": "read-only",
+          "reviewRequired": true,
+          "defaultEnabled": false
+        }
+      }
+    }
+  ]
+}
+```
+
+## Troubleshooting
+
+### `tap doctor --setup` reports `.mcp.json` cwd warning
+
+Rerun current `tap setup --profile codex-cli --apply --json`. The reviewed
+setup apply path writes guarded tap-managed `.mcp.json` entries with a `cwd`
+field. If an existing user-managed MCP entry is ambiguous, tap fails closed
+instead of overwriting it.
+
+### `tap comms-doctor --all-known` shows app/live blockers
+
+That can be expected on a fresh auth-free machine. Check whether inbox and
+receiver evidence are healthy before claiming live delivery is broken. App live
+delivery needs runtime health and route freshness that package setup cannot
+invent.
+
+### Profile-pack validation passes but nothing starts
+
+That is expected in `0.6.x`. Profile packs are data-only. Commands in a pack
+must be reviewed manually and remain `defaultEnabled: false`.
+
+### A command lists a bundled operator profile you do not recognize
+
+Treat it as a compatibility profile, not a public default. Some legacy helper
+surfaces remain discoverable for operators who already own those local runbooks,
+paths, and process managers. For a new install, use neutral concrete agents
+such as `agent-a`, or provide a reviewed local profile pack. Do not copy a
+profile command unless you own every path, host, and process name it references.
+
+### Profile-pack paths are wrong after moving machines
+
+Edit the pack for the current machine. Prefer repo-relative paths when the
+comms directory is inside the repo, and absolute paths when the comms directory
+is shared outside the repo. Do not copy another machine's host paths blindly.
+
+### Source package says `0.6.0` but npm shows an older version
+
+Treat `package.json` version and public npm registry state separately. Verify
+the registry with:
+
+```bash
+npm view @hua-labs/tap version time.modified --json
+```

package/CHANGELOG.md

@@ -0,0 +1,67 @@
+# @hua-labs/tap
+
+## 0.6.0
+
+### Minor Changes
+
+- Ship the tap 0.6 advanced operator preview.
+- Make `tap setup` and `tap doctor --setup` the first-run path for public
+  profiles (`codex-cli`, `codex-app`, and `claude-channel`), with dry-run-first
+  reports, guarded tap-managed `.mcp.json` apply behavior, and data-only
+  profile-pack validation.
+- Position receiver/promoter delivery as the portable CLI/TUI/headless
+  backbone. Receiver promotion is idle-only for live turn start; active targets
+  leave queued/blocked evidence instead of silently steering or passing through.
+- Add surface-first diagnostics across setup, status, comms-doctor, flow-doctor,
+  and review registration so AI operators can distinguish durable inbox
+  evidence, receiver/promoter delivery, return-uplink evidence, and experimental
+  live App delivery.
+- Persist displayed-notification dedupe with receiver-scoped marker files so
+  restarts do not replay already displayed inbox items while broadcasts can
+  still be shown once per receiving runtime.
+- Register formal review outcomes through the explicit
+  `tap reviews register` stream, including provenance-only handling for review
+  requests and stale review-meta chatter.
+- Guard broad role aliases such as `codex`, `reviewer`, `implementer`,
+  `implementation`, and `tower` when multiple candidates exist. Release
+  coordination should use concrete agents or reviewed structured targets.
+
+### Preview Boundaries
+
+- `0.6.0` is an advanced operator preview, not a universal one-click runtime
+  installer.
+- HUA machine topology, tmux sessions, one-character agent names, mission
+  governance, and private profile packs are examples or profile-pack inputs;
+  they are not public defaults.
+- Some advanced/HUA helper surfaces still expose existing named profiles for
+  compatibility. Portable first-run docs use explicit neutral agents and
+  profiles instead of relying on those helper defaults.
+- Codex App consent-drive / IPC remains experimental and strict-gated. A
+  conversation id or route tuple alone is not authority for live injection.
+- Durable inbox, projection, uplink, and review files are evidence records; they
+  are not proof that a target runtime executed work.
+- Automatic registration from every tap reply/review writer remains a follow-up.
+  Use explicit `tap reviews register` for the 0.6 preview evidence stream.
+- Archive-audit commands remain available for compatibility, but they are not
+  part of the first-run release story.
+
+## 0.5.2
+
+### Patch Changes
+
+- Fix doctor onboarding false failures and remove DEP0190 shell deprecation warnings.
+  - doctor: empty inbox treated as warning instead of failure on fresh setup
+  - doctor: recognize npx package launcher as valid MCP entry
+  - runtime: remove shell: true from command probes to eliminate Node 24 DEP0190 warnings
+  - README: add git init to Quick Start
+
+## 0.5.1
+
+### Patch Changes
+
+- c931481: Gen 25 trust-layer repair and delivery hardening.
+  - split shared state (`TAP_STATE_DIR`) from per-bridge runtime state (`TAP_RUNTIME_STATE_DIR`) so headless restarts and later attached TUI sessions keep the correct identity
+  - rebind attached TUI identity from runtime heartbeat and agent-name files instead of relying on one-shot session env injection
+  - align bridge status, runtime heartbeat, and presence surfaces so `tap status`, bridge state, and plugin-visible presence report the same runtime truth
+  - deduplicate bridge-dispatched broadcast notifications
+  - rate-limit peer DM auto-replies to stop acknowledgement loops from flooding the inbox

package/README.md

@@ -2,29 +2,85 @@
 
 Zero-dependency CLI for cross-model AI agent communication setup.
 
-One command to connect Claude, Codex, and Gemini agents through a shared file-based communication layer.
+tap connects Claude, Codex, and other agent runtimes through a shared
+file-backed communication layer, with setup reports that keep runtime surfaces,
+durable evidence, and optional live adapters separate.
+
+## Requirements
+
+- **Node.js ≥ 22.6.0** — tap uses the global `WebSocket` API (stable in Node 22+). Node 20 and earlier are not supported; run with `fnm use 22` or `nvm use 22`.
 
 ## Quick Start
 
 > `npx @hua-labs/tap` ships a bundled managed MCP server entry and runs that bundled `.mjs` with `node`. `bun` is only required when tap falls back to repo-local TypeScript sources during monorepo or local-dev workflows.
 
 ```bash
-# 1. Initialize comms directory and state
-npx @hua-labs/tap init
+# 1. Start in a git repo
+git init
 
-# 2. Add runtimes
-npx @hua-labs/tap add claude
-npx @hua-labs/tap add codex
-npx @hua-labs/tap add gemini
+# 2. Generate a dry-run setup report for your runtime surface
+npx @hua-labs/tap setup --profile codex-cli --dry-run --json
 
-# 3. Check status
-npx @hua-labs/tap status
+# 3. Apply only reviewed setup-safe changes
+npx @hua-labs/tap setup --profile codex-cli --apply --json
+
+# 4. Re-check setup readiness and surface status
+npx @hua-labs/tap doctor --setup --profile codex-cli --json
+npx @hua-labs/tap status --json
+
+# 5. Add a concrete runtime only when you are ready to patch that runtime
+npx @hua-labs/tap add codex --name agent-a
+npx @hua-labs/tap ready --surface codex-cli --agent agent-a --apply --json
+
+# 6. Diagnose delivery separately from setup
+npx @hua-labs/tap comms-doctor --all-known --json
 ```
 
-Your agents can now communicate through the shared comms directory.
+`tap setup` is dry-run by default. The current reviewed apply path creates
+tap-owned directories, an initial tap state file, and guarded tap-managed repo
+`.mcp.json` entries. It does not start receiver, projection, uplink, bridge,
+app-server, headless runner, or remote panel processes, and it does not publish
+presence, repair route tuples, send messages, or read credentials.
+
+Supported public setup profiles:
+
+| Profile          | Use when                                                                |
+| ---------------- | ----------------------------------------------------------------------- |
+| `codex-cli`      | Codex CLI or headless CLI will use MCP tools plus inbox/receiver paths. |
+| `codex-app`      | Codex App/Desktop route readiness should be inspected read-only.        |
+| `claude-channel` | Claude/channel readiness should be inspected read-only.                 |
+
+HUA-specific machine names, paths, tmux sessions, one-character Korean agent
+names, and private profile packs are examples, not package defaults.
+
+For the `0.6.x` preview, release-facing commands use neutral agents such as
+`agent-a` and `agent-b`. HUA profiles and paths can be supplied through a
+reviewed profile pack or HUA runbook, but they are not package defaults.
 
 ## Commands
 
+### `setup`
+
+Generate a dry-run-first setup report for public tap deployment.
+
+```bash
+npx @hua-labs/tap setup --profile codex-cli --dry-run --json
+npx @hua-labs/tap setup --profile codex-cli --apply --json
+TAP_AGENT=agent-a
+npx @hua-labs/tap setup --profile codex-app --agent "$TAP_AGENT" --json
+npx @hua-labs/tap setup --profile claude-channel --agent "$TAP_AGENT" --json
+npx @hua-labs/tap setup --profile codex-cli --profile-pack ./tap-profile-pack.json --json
+```
+
+`--apply` is intentionally narrow: create reviewed tap-owned directories, an
+initial tap state file, and guarded tap-managed repo `.mcp.json` changes only.
+User-managed or ambiguous MCP entries fail closed before mutation.
+
+Profile packs are data-only validation inputs in `0.6.x`; tap reports their
+shape and blocks invalid packs before setup mutation, but it does not execute
+pack commands. A generic example is shipped at
+`examples/tap-profile-pack.example.json`.
+
 ### `init`
 
 Initialize the comms directory and `.tap-comms/` state.
@@ -47,7 +103,41 @@ Add a runtime. Probes config, plans patches, applies, and verifies.
 npx @hua-labs/tap add claude
 npx @hua-labs/tap add codex
 npx @hua-labs/tap add gemini
-npx @hua-labs/tap add claude --force   # re-install
+npx @hua-labs/tap add claude --force                        # re-install
+npx @hua-labs/tap add codex --name agent-a --port 4520      # explicit port
+npx @hua-labs/tap add codex --name agent-b                  # portMap lookup, else auto-assign
+```
+
+For Codex app-server instances, `--name agent-a` is the concrete agent identity
+used by `tap ready --agent agent-a`; the managed instance id remains
+`codex-agent-a`.
+
+Codex instances bind to an app-server port. Resolution order:
+
+1. `--port <n>` — explicit override.
+2. `portMap[<instanceId>]` from `tap-config.json` / `tap-config.local.json` when the
+   entry is free (no state claim, TCP-available on loopback).
+3. Auto-assign — scan from 4501 upward for the first free port.
+
+`portMap` is a hint, not a hard requirement: a missing entry or a conflict
+silently drops through to auto-assign. Convention:
+
+| Port | Instance        | Role               |
+| ---- | --------------- | ------------------ |
+| 4510 | `codex-agent-a` | Agent A            |
+| 4511 | `codex-agent-b` | Agent B            |
+| 4512 | `codex-agent-c` | Agent C            |
+| 4520 | `codex-agent-d` | Agent D            |
+| 4530 | `codex-probe`   | Diagnostic / probe |
+
+```json
+{
+  "portMap": {
+    "codex-agent-a": 4510,
+    "codex-agent-b": 4511,
+    "codex-agent-d": 4520
+  }
+}
 ```
 
 ### `remove <runtime>`
@@ -65,6 +155,7 @@ Show installed runtimes and their status.
 
 ```bash
 npx @hua-labs/tap status
+npx @hua-labs/tap status --json
 ```
 
 Output shows three status levels:
@@ -75,13 +166,65 @@ Output shows three status levels:
 
 ### `doctor`
 
-Diagnose config drift, bridge health, managed MCP wiring, and runtime state. Use `--fix` to repair common config drift, including Codex `approval_mode` mismatches.
+Diagnose config drift, bridge health, managed MCP wiring, and runtime state.
+Use `--setup` for setup/config/warm-up readiness. Use the plain doctor for
+broader infrastructure checks.
 
 ```bash
 npx @hua-labs/tap doctor
 npx @hua-labs/tap doctor --fix
+npx @hua-labs/tap doctor --setup --profile codex-cli --json
+npx @hua-labs/tap doctor --setup --profile codex-cli --profile-pack ./tap-profile-pack.json --json
 ```
 
+`tap doctor --setup --apply` reuses the same guarded setup apply plan as
+`tap setup --apply`. It does not run the broad infrastructure fixer.
+
+### `comms-doctor`
+
+Explain delivery by runtime surface. Use this when you need to separate live
+delivery, durable inbox evidence, receiver/promoter paths, MCP/channel
+visibility, and fallback evidence.
+
+```bash
+npx @hua-labs/tap comms-doctor --all-known --json
+TAP_AGENT=agent-b
+npx @hua-labs/tap comms-doctor --agent "$TAP_AGENT" --plan-send --json
+```
+
+### `flow-doctor`
+
+Diagnose one receiver/promoter lane without mutating process state. Use this
+when an agent appears present but the operator needs one report for identity,
+receiver dry-run, return-uplink evidence, central presence freshness,
+active-turn queue state, and stale presence cleanup candidates.
+
+```bash
+TAP_AGENT=agent-a
+npx @hua-labs/tap flow-doctor --agent "$TAP_AGENT" --json
+npx @hua-labs/tap flow-doctor --agent "$TAP_AGENT" --presence-source-comms-dir ./tap-comms --presence-target-comms-dir ./tap-comms --json
+```
+
+`flow-doctor` is read-only by default. Its only reviewed cleanup mutation is
+`--apply-stale-presence-cleanup`, which archives stale non-lane presence
+records with a manifest and prunes matching stale heartbeat entries. It never
+publishes stale presence, restarts processes, changes route tuples, or deletes
+inbox/archive evidence.
+
+### `reviews register`
+
+Register formal review outcomes into the review evidence stream. Use this when
+review results should be discoverable outside the ordinary inbox flow.
+
+```bash
+npx @hua-labs/tap reviews register --source ./tap-comms --dry-run --json
+```
+
+The explicit registration path is part of the `0.6.x` preview boundary.
+Automatic registration from every tap reply/review writer path is a future
+follow-up, so release notes should name the explicit command as the current
+workaround.
+
 ### `serve`
 
 Start the tap-comms MCP server (stdio). Convenience command for running the MCP server locally.
@@ -93,6 +236,18 @@ npx @hua-labs/tap serve --comms-dir /path/to/comms
 
 For npm installs, `serve` runs the bundled `mcp-server.mjs` entry with `node`. In monorepos or local checkouts, tap may fall back to repo-local `.ts` sources, which still require `bun`.
 
+### `bridge start|stop|restart`
+
+Manage the Codex app-server bridge lifecycle.
+
+```bash
+npx @hua-labs/tap bridge start codex --agent-name agent-c
+npx @hua-labs/tap bridge stop codex --keep-server
+npx @hua-labs/tap bridge restart codex
+```
+
+`bridge stop --keep-server` leaves the managed app-server running and preserves its metadata in instance state so the next `bridge start` or `bridge restart` can reuse the existing session instead of forcing a fresh app-server.
+
 ## Supported Runtimes
 
 | Runtime | Config                  | Bridge                 | Mode               |
@@ -174,6 +329,40 @@ Each runtime has an adapter that:
 
 The adapter contract (`RuntimeAdapter`) is the extension point for adding new runtimes.
 
+## Surface-First Delivery Model
+
+tap does not route by display name alone. It asks which runtime surface is
+available and what evidence exists:
+
+- CLI/TUI surfaces use durable inbox files plus receiver/promoter loops.
+- Claude/channel surfaces use channel readiness and durable inbox fallback.
+- Codex App consent-drive / IPC is an experimental live adapter and must see
+  fresh explicit runtime health before it is treated as live-ready.
+- Inbox and projection files are durable evidence, not proof of live model
+  execution.
+
+Use `tap comms-doctor` to inspect these boundaries before claiming live
+delivery.
+
+## 0.6 Preview Boundary
+
+`0.6.x` should be described as an advanced operator preview:
+
+- Public defaults use neutral profile ids and concrete agents.
+- Receiver/promoter plus durable inbox/projection/uplink evidence is the
+  portable backbone for CLI/TUI/headless receive.
+- Codex App consent-drive / IPC remains experimental and strict-gated.
+- HUA machine topology, tmux sessions, one-character agent names, and
+  mission/devlog governance are examples or profile-pack inputs.
+- Broad role aliases such as `codex`, `reviewer`, `implementer`,
+  `implementation`, and `tower` are unsafe assignment targets unless a reviewed
+  role mapping makes them unambiguous.
+- Archive-audit commands remain preserved, but they are not part of the
+  first-run package story.
+
+For AI-facing troubleshooting and first-run detail, read the package-local
+[AI Guide](./AI_GUIDE.md).
+
 ## Recent Changes
 
 ### Config And Lifecycle

package/dist/bridges/codex-app-server-auth-gateway.mjs

@@ -3,7 +3,7 @@ import {
   createServer
 } from "http";
 import { readFileSync } from "fs";
-import { resolve } from "path";
+import { basename, resolve } from "path";
 import { pathToFileURL } from "url";
 import { timingSafeEqual } from "crypto";
 import { WebSocket, WebSocketServer } from "ws";
@@ -273,9 +273,15 @@ async function startGatewayServer(options) {
       closeSocket(client, CLOSE_UNAUTHORIZED, "Unauthorized");
       return;
     }
+    console.log(
+      `[auth-gateway] client authenticated from ${request.socket.remoteAddress ?? "unknown"} -> ${options.upstreamUrl}`
+    );
     const upstream = new WebSocket(options.upstreamUrl, {
       perMessageDeflate: false
     });
+    upstream.on("open", () => {
+      console.log(`[auth-gateway] upstream connected ${options.upstreamUrl}`);
+    });
     upstream.on("message", (data, isBinary) => {
       if (client.readyState === WebSocket.OPEN) {
         client.send(data, { binary: isBinary });
@@ -288,10 +294,16 @@ async function startGatewayServer(options) {
     });
     upstream.on("close", (code, reasonBuffer) => {
       const reason = reasonBuffer.toString() || "Upstream closed";
+      console.log(
+        `[auth-gateway] upstream closed code=${code || 1e3} reason=${reason}`
+      );
       closeSocket(client, code || 1e3, reason);
     });
     client.on("close", (code, reasonBuffer) => {
       const reason = reasonBuffer.toString() || "Client closed";
+      console.log(
+        `[auth-gateway] client closed code=${code || 1e3} reason=${reason}`
+      );
       closeSocket(upstream, code || 1e3, reason);
     });
     upstream.on("error", (error) => {
@@ -361,6 +373,9 @@ async function startGatewayServer(options) {
 function isDirectExecution() {
   const entry = process.argv[1];
   if (!entry) return false;
+  if (!basename(entry).startsWith("codex-app-server-auth-gateway")) {
+    return false;
+  }
   return import.meta.url === pathToFileURL(resolve(entry)).href;
 }
 if (isDirectExecution()) {

package/dist/bridges/codex-app-server-auth-gateway.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/bridges/codex-app-server-auth-gateway.ts","../../src/engine/bridge-app-server-health.ts"],"sourcesContent":["import {\n  createServer,\n  type IncomingMessage,\n  type Server as HttpServer,\n  type ServerResponse,\n} from \"node:http\";\nimport { readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\nimport type { Duplex } from \"node:stream\";\nimport { pathToFileURL } from \"node:url\";\nimport { timingSafeEqual } from \"node:crypto\";\nimport { WebSocket, WebSocketServer, type RawData } from \"ws\";\nimport { checkManagedAppServerReady } from \"../engine/bridge-app-server-health.js\";\n\nconst AUTH_SUBPROTOCOL_PREFIX = \"tap-auth-\";\nconst CLOSE_UNAUTHORIZED = 4401;\nconst CLOSE_UPSTREAM_ERROR = 1013;\nexport const GATEWAY_READYZ_PATH = \"/readyz\";\n\nexport interface GatewayOptions {\n  listenUrl: string;\n  upstreamUrl: string;\n  token: string;\n}\n\nexport interface GatewayRuntime {\n  server: HttpServer;\n  close(): Promise<void>;\n}\n\nfunction normalizeUrl(value: string): string {\n  return value.replace(/\\/$/, \"\");\n}\n\nfunction closeSocket(\n  socket: Pick<WebSocket, \"readyState\" | \"close\">,\n  code: number,\n  reason: string,\n): void {\n  if (\n    socket.readyState === WebSocket.CLOSING ||\n    socket.readyState === WebSocket.CLOSED\n  ) {\n    return;\n  }\n\n  try {\n    socket.close(code, reason);\n  } catch {\n    // Best-effort cleanup only.\n  }\n}\n\nfunction readFlagValue(argv: string[], index: number, flag: string): string {\n  const current = argv[index] ?? \"\";\n  const eqIndex = current.indexOf(\"=\");\n  if (eqIndex >= 0) {\n    return current.slice(eqIndex + 1);\n  }\n\n  const next = argv[index + 1];\n  if (!next || next.startsWith(\"--\")) {\n    throw new Error(`Missing value for ${flag}`);\n  }\n  return next;\n}\n\nexport function buildGatewayOptions(argv: string[]): GatewayOptions {\n  let listenUrl = process.env.TAP_GATEWAY_LISTEN_URL?.trim() || \"\";\n  let upstreamUrl = process.env.TAP_GATEWAY_UPSTREAM_URL?.trim() || \"\";\n  let tokenFile = process.env.TAP_GATEWAY_TOKEN_FILE?.trim() || \"\";\n  let token = process.env.TAP_GATEWAY_TOKEN?.trim() || \"\";\n\n  for (let index = 0; index < argv.length; index += 1) {\n    const flag = argv[index] ?? \"\";\n    const consumesNext = !flag.includes(\"=\");\n\n    if (flag.startsWith(\"--listen-url\")) {\n      listenUrl = readFlagValue(argv, index, \"--listen-url\").trim();\n      if (consumesNext) index += 1;\n      continue;\n    }\n\n    if (flag.startsWith(\"--upstream-url\")) {\n      upstreamUrl = readFlagValue(argv, index, \"--upstream-url\").trim();\n      if (consumesNext) index += 1;\n      continue;\n    }\n\n    if (flag.startsWith(\"--token\")) {\n      token = readFlagValue(argv, index, \"--token\").trim();\n      if (consumesNext) index += 1;\n      continue;\n    }\n\n    if (flag.startsWith(\"--token-file\")) {\n      tokenFile = readFlagValue(argv, index, \"--token-file\").trim();\n      if (consumesNext) index += 1;\n      continue;\n    }\n  }\n\n  if (tokenFile) {\n    token = readFileSync(tokenFile, \"utf8\").trim();\n  }\n\n  if (!listenUrl) {\n    throw new Error(\"Missing gateway listen URL\");\n  }\n  if (!upstreamUrl) {\n    throw new Error(\"Missing gateway upstream URL\");\n  }\n  if (!token) {\n    throw new Error(\"Missing gateway auth token\");\n  }\n\n  const listen = new URL(listenUrl);\n  const upstream = new URL(upstreamUrl);\n  if (!/^wss?:$/.test(listen.protocol)) {\n    throw new Error(`Unsupported gateway listen protocol: ${listen.protocol}`);\n  }\n  if (!/^wss?:$/.test(upstream.protocol)) {\n    throw new Error(\n      `Unsupported gateway upstream protocol: ${upstream.protocol}`,\n    );\n  }\n\n  return {\n    listenUrl: normalizeUrl(listen.toString()),\n    upstreamUrl: normalizeUrl(upstream.toString()),\n    token,\n  };\n}\n\nfunction tokensMatch(\n  presentedToken: string | null,\n  expectedToken: string,\n): boolean {\n  if (!presentedToken) {\n    return false;\n  }\n\n  const presented = Buffer.from(presentedToken, \"utf8\");\n  const expected = Buffer.from(expectedToken, \"utf8\");\n  if (presented.length !== expected.length) {\n    return false;\n  }\n\n  return timingSafeEqual(presented, expected);\n}\n\nasync function main(): Promise<void> {\n  const options = buildGatewayOptions(process.argv.slice(2));\n  const runtime = await startGatewayServer(options);\n\n  const shutdown = () => {\n    void runtime.close().finally(() => {\n      process.exit(0);\n    });\n  };\n\n  process.on(\"SIGINT\", shutdown);\n  process.on(\"SIGTERM\", shutdown);\n}\n\nfunction writeJson(\n  response: ServerResponse,\n  statusCode: number,\n  body: Record<string, unknown>,\n): void {\n  response.statusCode = statusCode;\n  response.setHeader(\"Content-Type\", \"application/json\");\n  response.end(JSON.stringify(body));\n}\n\nfunction writeUpgradeRequired(response: ServerResponse): void {\n  response.statusCode = 426;\n  response.setHeader(\"Connection\", \"Upgrade\");\n  response.setHeader(\"Upgrade\", \"websocket\");\n  response.end(\"Upgrade Required\");\n}\n\nfunction writeNotFound(response: ServerResponse): void {\n  response.statusCode = 404;\n  response.end(\"Not Found\");\n}\n\nfunction rejectUpgrade(socket: Duplex, statusCode: number): void {\n  socket.write(\n    `HTTP/1.1 ${statusCode} ${statusCode === 404 ? \"Not Found\" : \"Bad Request\"}\\r\\n\\r\\n`,\n  );\n  socket.destroy();\n}\n\n/**\n * Detect traversal sequences in any encoding: raw \"..\", percent-encoded\n * \"%2e%2e\", or mixed forms like \".%2e\" / \"%2e.\".\n */\nfunction containsTraversal(raw: string): boolean {\n  if (raw.includes(\"..\")) return true;\n  // Decode percent-encoded dots and recheck\n  if (/%2e/i.test(raw) && raw.replace(/%2e/gi, \".\").includes(\"..\")) return true;\n  return false;\n}\n\nfunction isUpgradePath(listenUrl: string, request: IncomingMessage): boolean {\n  const requestUrl = new URL(\n    request.url ?? \"/\",\n    listenUrl.replace(/^ws/, \"http\"),\n  );\n  const listenPath = new URL(listenUrl).pathname;\n  return requestUrl.pathname === (listenPath || \"/\");\n}\n\nasync function handleReadyzRequest(\n  response: ServerResponse,\n  options: GatewayOptions,\n): Promise<void> {\n  const ready = await checkManagedAppServerReady(options.upstreamUrl);\n  writeJson(response, ready ? 200 : 503, { ok: ready });\n}\n\nexport async function startGatewayServer(\n  options: GatewayOptions,\n): Promise<GatewayRuntime> {\n  const listen = new URL(options.listenUrl);\n  const host = listen.hostname === \"localhost\" ? \"127.0.0.1\" : listen.hostname;\n  const port = Number.parseInt(listen.port, 10);\n  if (!Number.isFinite(port) || port <= 0) {\n    throw new Error(\n      `Gateway listen URL must include a valid port: ${options.listenUrl}`,\n    );\n  }\n\n  const wsServer = new WebSocketServer({\n    noServer: true,\n    perMessageDeflate: false,\n  });\n\n  wsServer.on(\"connection\", (client: WebSocket, request: IncomingMessage) => {\n    // Extract token from Sec-WebSocket-Protocol header (subprotocol auth).\n    // Client sends: WebSocket(url, [\"tap-auth-<token>\"])\n    // Falls back to query param for backward compatibility during migration.\n    const protocols =\n      request.headers[\"sec-websocket-protocol\"]\n        ?.split(\",\")\n        .map((s) => s.trim()) ?? [];\n    const authProtocol = protocols.find((p) =>\n      p.startsWith(AUTH_SUBPROTOCOL_PREFIX),\n    );\n    const subprotocolToken =\n      authProtocol?.slice(AUTH_SUBPROTOCOL_PREFIX.length) ?? null;\n\n    // Legacy fallback: query param (will be removed in future version)\n    const requestUrl = new URL(request.url ?? \"/\", options.listenUrl);\n    const queryToken = requestUrl.searchParams.get(\"tap_token\");\n\n    const presentedToken = subprotocolToken ?? queryToken;\n    if (!tokensMatch(presentedToken, options.token)) {\n      closeSocket(client, CLOSE_UNAUTHORIZED, \"Unauthorized\");\n      return;\n    }\n\n    const upstream = new WebSocket(options.upstreamUrl, {\n      perMessageDeflate: false,\n    });\n\n    upstream.on(\"message\", (data: RawData, isBinary: boolean) => {\n      if (client.readyState === WebSocket.OPEN) {\n        client.send(data, { binary: isBinary });\n      }\n    });\n\n    client.on(\"message\", (data: RawData, isBinary: boolean) => {\n      if (upstream.readyState === WebSocket.OPEN) {\n        upstream.send(data, { binary: isBinary });\n      }\n    });\n\n    upstream.on(\"close\", (code: number, reasonBuffer: Buffer) => {\n      const reason = reasonBuffer.toString() || \"Upstream closed\";\n      closeSocket(client, code || 1000, reason);\n    });\n\n    client.on(\"close\", (code: number, reasonBuffer: Buffer) => {\n      const reason = reasonBuffer.toString() || \"Client closed\";\n      closeSocket(upstream, code || 1000, reason);\n    });\n\n    upstream.on(\"error\", (error: Error) => {\n      console.error(`[auth-gateway] upstream error: ${String(error)}`);\n      closeSocket(client, CLOSE_UPSTREAM_ERROR, \"Upstream unavailable\");\n      closeSocket(upstream, CLOSE_UPSTREAM_ERROR, \"Upstream unavailable\");\n    });\n\n    client.on(\"error\", (error: Error) => {\n      console.error(`[auth-gateway] client error: ${String(error)}`);\n      closeSocket(upstream, 1011, \"Client error\");\n    });\n  });\n\n  const listenPath = new URL(options.listenUrl).pathname || \"/\";\n\n  const server = createServer(async (request, response) => {\n    const requestUrl = new URL(\n      request.url ?? \"/\",\n      options.listenUrl.replace(/^ws/, \"http\"),\n    );\n\n    // Defense-in-depth: reject traversal sequences in any encoding.\n    // Covers raw \"..\", percent-encoded \"%2e%2e\", and mixed forms.\n    if (containsTraversal(request.url ?? \"\")) {\n      writeNotFound(response);\n      return;\n    }\n\n    if (\n      request.method === \"GET\" &&\n      requestUrl.pathname === GATEWAY_READYZ_PATH\n    ) {\n      await handleReadyzRequest(response, options);\n      return;\n    }\n\n    if (requestUrl.pathname === listenPath) {\n      writeUpgradeRequired(response);\n      return;\n    }\n\n    writeNotFound(response);\n  });\n\n  server.on(\"upgrade\", (request, socket, head) => {\n    // Block traversal in upgrade requests (raw + encoded)\n    if (containsTraversal(request.url ?? \"\")) {\n      rejectUpgrade(socket, 400);\n      return;\n    }\n\n    if (!isUpgradePath(options.listenUrl, request)) {\n      rejectUpgrade(socket, 404);\n      return;\n    }\n\n    wsServer.handleUpgrade(request, socket, head, (client) => {\n      wsServer.emit(\"connection\", client, request);\n    });\n  });\n\n  await new Promise<void>((resolvePromise, rejectPromise) => {\n    server.once(\"error\", rejectPromise);\n    server.listen(port, host, () => {\n      server.off(\"error\", rejectPromise);\n      console.log(\n        `[auth-gateway] listening ${options.listenUrl} -> ${options.upstreamUrl}`,\n      );\n      resolvePromise();\n    });\n  });\n\n  return {\n    server,\n    close() {\n      return new Promise<void>((resolvePromise) => {\n        server.close(() => {\n          wsServer.close(() => resolvePromise());\n        });\n      });\n    },\n  };\n}\n\nfunction isDirectExecution(): boolean {\n  const entry = process.argv[1];\n  if (!entry) return false;\n  return import.meta.url === pathToFileURL(resolve(entry)).href;\n}\n\nif (isDirectExecution()) {\n  main().catch((error) => {\n    console.error(\n      error instanceof Error ? (error.stack ?? error.message) : String(error),\n    );\n    process.exit(1);\n  });\n}\n","import * as net from \"node:net\";\nimport type { AppServerState } from \"../types.js\";\nimport { getWebSocketCtor, delay } from \"./bridge-port-network.js\";\n\nexport interface WebSocketLike {\n  addEventListener(\n    type: \"open\" | \"error\" | \"close\",\n    listener: () => void,\n    options?: { once?: boolean },\n  ): void;\n  close(code?: number, reason?: string): void;\n}\n\nexport type WebSocketCtor = new (\n  url: string,\n  protocols?: string | string[],\n) => WebSocketLike;\n\nexport const APP_SERVER_HEALTH_TIMEOUT_MS = 1_500;\nexport const APP_SERVER_HEALTH_RETRY_MS = 250;\nexport const APP_SERVER_READYZ_PATH = \"/readyz\";\n\nexport const AUTH_SUBPROTOCOL_PREFIX = \"tap-auth-\";\n\nexport type AppServerReadyzStatus = \"ready\" | \"not-ready\" | \"unsupported\";\n\nexport async function checkAppServerHealth(\n  url: string,\n  timeoutMs: number = APP_SERVER_HEALTH_TIMEOUT_MS,\n  gatewayToken?: string | null,\n): Promise<boolean> {\n  const WebSocket = getWebSocketCtor();\n  if (!WebSocket) {\n    return false;\n  }\n\n  return new Promise<boolean>((resolve) => {\n    let settled = false;\n    let socket: WebSocketLike | null = null;\n\n    const finish = (healthy: boolean) => {\n      if (settled) {\n        return;\n      }\n      settled = true;\n      clearTimeout(timer);\n      try {\n        socket?.close();\n      } catch {\n        // Best-effort cleanup only.\n      }\n      resolve(healthy);\n    };\n\n    const timer = setTimeout(() => finish(false), timeoutMs);\n\n    try {\n      // Authenticate via WebSocket subprotocol when a gateway token is provided.\n      const protocols = gatewayToken\n        ? [`${AUTH_SUBPROTOCOL_PREFIX}${gatewayToken}`]\n        : undefined;\n      socket = new WebSocket(url, protocols);\n      socket.addEventListener(\"open\", () => finish(true), { once: true });\n      socket.addEventListener(\"error\", () => finish(false), { once: true });\n      socket.addEventListener(\"close\", () => finish(false), { once: true });\n    } catch {\n      finish(false);\n    }\n  });\n}\n\nexport async function waitForAppServerHealth(\n  url: string,\n  timeoutMs: number,\n  gatewayToken?: string | null,\n): Promise<boolean> {\n  const deadline = Date.now() + timeoutMs;\n\n  while (Date.now() < deadline) {\n    if (\n      await checkAppServerHealth(\n        url,\n        APP_SERVER_HEALTH_TIMEOUT_MS,\n        gatewayToken,\n      )\n    ) {\n      return true;\n    }\n    await delay(APP_SERVER_HEALTH_RETRY_MS);\n  }\n\n  return false;\n}\n\nexport function buildAppServerReadyzUrl(url: string): string | null {\n  let parsed: URL;\n  try {\n    parsed = new URL(url);\n  } catch {\n    return null;\n  }\n\n  if (parsed.protocol === \"ws:\") {\n    parsed.protocol = \"http:\";\n  } else if (parsed.protocol === \"wss:\") {\n    parsed.protocol = \"https:\";\n  } else if (parsed.protocol !== \"http:\" && parsed.protocol !== \"https:\") {\n    return null;\n  }\n\n  parsed.pathname = APP_SERVER_READYZ_PATH;\n  parsed.search = \"\";\n  parsed.hash = \"\";\n  return parsed.toString();\n}\n\nexport async function checkAppServerReadyz(\n  url: string,\n  timeoutMs: number = APP_SERVER_HEALTH_TIMEOUT_MS,\n): Promise<AppServerReadyzStatus> {\n  const readyzUrl = buildAppServerReadyzUrl(url);\n  if (!readyzUrl) {\n    return \"unsupported\";\n  }\n\n  const controller = new AbortController();\n  const timer = setTimeout(() => controller.abort(), timeoutMs);\n\n  try {\n    const response = await fetch(readyzUrl, {\n      method: \"GET\",\n      signal: controller.signal,\n      headers: {\n        accept: \"application/json\",\n      },\n    });\n\n    if (response.ok) {\n      return \"ready\";\n    }\n\n    if (\n      response.status === 400 ||\n      response.status === 404 ||\n      response.status === 405 ||\n      response.status === 426 ||\n      response.status === 501\n    ) {\n      return \"unsupported\";\n    }\n\n    return \"not-ready\";\n  } catch {\n    return \"not-ready\";\n  } finally {\n    clearTimeout(timer);\n  }\n}\n\n/**\n * Check if a TCP port is accepting connections (without WebSocket upgrade).\n * Use this for managed startup health checks to avoid creating app-server sessions.\n */\nexport async function checkTcpPortListening(\n  url: string,\n  timeoutMs: number = APP_SERVER_HEALTH_TIMEOUT_MS,\n): Promise<boolean> {\n  let hostname: string;\n  let port: number;\n  try {\n    const parsed = new URL(url.replace(/^ws/, \"http\"));\n    hostname = parsed.hostname;\n    port = parseInt(parsed.port, 10);\n  } catch {\n    return false;\n  }\n  if (!port || !Number.isFinite(port)) return false;\n\n  return new Promise<boolean>((resolve) => {\n    const socket = net.createConnection({ host: hostname, port });\n    const timer = setTimeout(() => {\n      socket.destroy();\n      resolve(false);\n    }, timeoutMs);\n\n    socket.once(\"connect\", () => {\n      clearTimeout(timer);\n      socket.destroy();\n      resolve(true);\n    });\n    socket.once(\"error\", () => {\n      clearTimeout(timer);\n      socket.destroy();\n      resolve(false);\n    });\n  });\n}\n\n/**\n * Wait for a TCP port to start accepting connections.\n * Does NOT open a WebSocket, so no app-server session is created.\n */\nexport async function waitForTcpPortListening(\n  url: string,\n  timeoutMs: number,\n): Promise<boolean> {\n  const deadline = Date.now() + timeoutMs;\n\n  while (Date.now() < deadline) {\n    if (await checkTcpPortListening(url, APP_SERVER_HEALTH_TIMEOUT_MS)) {\n      return true;\n    }\n    await delay(APP_SERVER_HEALTH_RETRY_MS);\n  }\n\n  return false;\n}\n\nexport async function checkManagedAppServerReady(\n  url: string,\n  timeoutMs: number = APP_SERVER_HEALTH_TIMEOUT_MS,\n): Promise<boolean> {\n  const readyzStatus = await checkAppServerReadyz(url, timeoutMs);\n  if (readyzStatus === \"ready\") {\n    return true;\n  }\n\n  if (readyzStatus === \"unsupported\") {\n    return checkTcpPortListening(url, timeoutMs);\n  }\n\n  return false;\n}\n\nexport async function waitForManagedAppServerReady(\n  url: string,\n  timeoutMs: number,\n): Promise<boolean> {\n  const deadline = Date.now() + timeoutMs;\n\n  while (Date.now() < deadline) {\n    const remaining = Math.max(\n      1,\n      Math.min(APP_SERVER_HEALTH_TIMEOUT_MS, deadline - Date.now()),\n    );\n    if (await checkManagedAppServerReady(url, remaining)) {\n      return true;\n    }\n    await delay(APP_SERVER_HEALTH_RETRY_MS);\n  }\n\n  return false;\n}\n\nexport function markAppServerHealthy(\n  appServer: AppServerState,\n): AppServerState {\n  const checkedAt = new Date().toISOString();\n  return {\n    ...appServer,\n    healthy: true,\n    lastCheckedAt: checkedAt,\n    lastHealthyAt: checkedAt,\n  };\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,OAIK;AACP,SAAS,oBAAoB;AAC7B,SAAS,eAAe;AAExB,SAAS,qBAAqB;AAC9B,SAAS,uBAAuB;AAChC,SAAS,WAAW,uBAAqC;;;ACXzD,YAAY,SAAS;AAkBd,IAAM,+BAA+B;AAErC,IAAM,yBAAyB;AA0E/B,SAAS,wBAAwB,KAA4B;AAClE,MAAI;AACJ,MAAI;AACF,aAAS,IAAI,IAAI,GAAG;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,aAAa,OAAO;AAC7B,WAAO,WAAW;AAAA,EACpB,WAAW,OAAO,aAAa,QAAQ;AACrC,WAAO,WAAW;AAAA,EACpB,WAAW,OAAO,aAAa,WAAW,OAAO,aAAa,UAAU;AACtE,WAAO;AAAA,EACT;AAEA,SAAO,WAAW;AAClB,SAAO,SAAS;AAChB,SAAO,OAAO;AACd,SAAO,OAAO,SAAS;AACzB;AAEA,eAAsB,qBACpB,KACA,YAAoB,8BACY;AAChC,QAAM,YAAY,wBAAwB,GAAG;AAC7C,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,QAAQ,WAAW,MAAM,WAAW,MAAM,GAAG,SAAS;AAE5D,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,WAAW;AAAA,MACtC,QAAQ;AAAA,MACR,QAAQ,WAAW;AAAA,MACnB,SAAS;AAAA,QACP,QAAQ;AAAA,MACV;AAAA,IACF,CAAC;AAED,QAAI,SAAS,IAAI;AACf,aAAO;AAAA,IACT;AAEA,QACE,SAAS,WAAW,OACpB,SAAS,WAAW,OACpB,SAAS,WAAW,OACpB,SAAS,WAAW,OACpB,SAAS,WAAW,KACpB;AACA,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT,UAAE;AACA,iBAAa,KAAK;AAAA,EACpB;AACF;AAMA,eAAsB,sBACpB,KACA,YAAoB,8BACF;AAClB,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,IAAI,QAAQ,OAAO,MAAM,CAAC;AACjD,eAAW,OAAO;AAClB,WAAO,SAAS,OAAO,MAAM,EAAE;AAAA,EACjC,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,CAAC,QAAQ,CAAC,OAAO,SAAS,IAAI,EAAG,QAAO;AAE5C,SAAO,IAAI,QAAiB,CAACA,aAAY;AACvC,UAAM,SAAa,qBAAiB,EAAE,MAAM,UAAU,KAAK,CAAC;AAC5D,UAAM,QAAQ,WAAW,MAAM;AAC7B,aAAO,QAAQ;AACf,MAAAA,SAAQ,KAAK;AAAA,IACf,GAAG,SAAS;AAEZ,WAAO,KAAK,WAAW,MAAM;AAC3B,mBAAa,KAAK;AAClB,aAAO,QAAQ;AACf,MAAAA,SAAQ,IAAI;AAAA,IACd,CAAC;AACD,WAAO,KAAK,SAAS,MAAM;AACzB,mBAAa,KAAK;AAClB,aAAO,QAAQ;AACf,MAAAA,SAAQ,KAAK;AAAA,IACf,CAAC;AAAA,EACH,CAAC;AACH;AAsBA,eAAsB,2BACpB,KACA,YAAoB,8BACF;AAClB,QAAM,eAAe,MAAM,qBAAqB,KAAK,SAAS;AAC9D,MAAI,iBAAiB,SAAS;AAC5B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,eAAe;AAClC,WAAO,sBAAsB,KAAK,SAAS;AAAA,EAC7C;AAEA,SAAO;AACT;;;AD1NA,IAAM,0BAA0B;AAChC,IAAM,qBAAqB;AAC3B,IAAM,uBAAuB;AACtB,IAAM,sBAAsB;AAanC,SAAS,aAAa,OAAuB;AAC3C,SAAO,MAAM,QAAQ,OAAO,EAAE;AAChC;AAEA,SAAS,YACP,QACA,MACA,QACM;AACN,MACE,OAAO,eAAe,UAAU,WAChC,OAAO,eAAe,UAAU,QAChC;AACA;AAAA,EACF;AAEA,MAAI;AACF,WAAO,MAAM,MAAM,MAAM;AAAA,EAC3B,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,cAAc,MAAgB,OAAe,MAAsB;AAC1E,QAAM,UAAU,KAAK,KAAK,KAAK;AAC/B,QAAM,UAAU,QAAQ,QAAQ,GAAG;AACnC,MAAI,WAAW,GAAG;AAChB,WAAO,QAAQ,MAAM,UAAU,CAAC;AAAA,EAClC;AAEA,QAAM,OAAO,KAAK,QAAQ,CAAC;AAC3B,MAAI,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG;AAClC,UAAM,IAAI,MAAM,qBAAqB,IAAI,EAAE;AAAA,EAC7C;AACA,SAAO;AACT;AAEO,SAAS,oBAAoB,MAAgC;AAClE,MAAI,YAAY,QAAQ,IAAI,wBAAwB,KAAK,KAAK;AAC9D,MAAI,cAAc,QAAQ,IAAI,0BAA0B,KAAK,KAAK;AAClE,MAAI,YAAY,QAAQ,IAAI,wBAAwB,KAAK,KAAK;AAC9D,MAAI,QAAQ,QAAQ,IAAI,mBAAmB,KAAK,KAAK;AAErD,WAAS,QAAQ,GAAG,QAAQ,KAAK,QAAQ,SAAS,GAAG;AACnD,UAAM,OAAO,KAAK,KAAK,KAAK;AAC5B,UAAM,eAAe,CAAC,KAAK,SAAS,GAAG;AAEvC,QAAI,KAAK,WAAW,cAAc,GAAG;AACnC,kBAAY,cAAc,MAAM,OAAO,cAAc,EAAE,KAAK;AAC5D,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,gBAAgB,GAAG;AACrC,oBAAc,cAAc,MAAM,OAAO,gBAAgB,EAAE,KAAK;AAChE,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,cAAQ,cAAc,MAAM,OAAO,SAAS,EAAE,KAAK;AACnD,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,cAAc,GAAG;AACnC,kBAAY,cAAc,MAAM,OAAO,cAAc,EAAE,KAAK;AAC5D,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAAA,EACF;AAEA,MAAI,WAAW;AACb,YAAQ,aAAa,WAAW,MAAM,EAAE,KAAK;AAAA,EAC/C;AAEA,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AACA,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACA,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,SAAS,IAAI,IAAI,SAAS;AAChC,QAAM,WAAW,IAAI,IAAI,WAAW;AACpC,MAAI,CAAC,UAAU,KAAK,OAAO,QAAQ,GAAG;AACpC,UAAM,IAAI,MAAM,wCAAwC,OAAO,QAAQ,EAAE;AAAA,EAC3E;AACA,MAAI,CAAC,UAAU,KAAK,SAAS,QAAQ,GAAG;AACtC,UAAM,IAAI;AAAA,MACR,0CAA0C,SAAS,QAAQ;AAAA,IAC7D;AAAA,EACF;AAEA,SAAO;AAAA,IACL,WAAW,aAAa,OAAO,SAAS,CAAC;AAAA,IACzC,aAAa,aAAa,SAAS,SAAS,CAAC;AAAA,IAC7C;AAAA,EACF;AACF;AAEA,SAAS,YACP,gBACA,eACS;AACT,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,OAAO,KAAK,gBAAgB,MAAM;AACpD,QAAM,WAAW,OAAO,KAAK,eAAe,MAAM;AAClD,MAAI,UAAU,WAAW,SAAS,QAAQ;AACxC,WAAO;AAAA,EACT;AAEA,SAAO,gBAAgB,WAAW,QAAQ;AAC5C;AAEA,eAAe,OAAsB;AACnC,QAAM,UAAU,oBAAoB,QAAQ,KAAK,MAAM,CAAC,CAAC;AACzD,QAAM,UAAU,MAAM,mBAAmB,OAAO;AAEhD,QAAM,WAAW,MAAM;AACrB,SAAK,QAAQ,MAAM,EAAE,QAAQ,MAAM;AACjC,cAAQ,KAAK,CAAC;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,UAAQ,GAAG,UAAU,QAAQ;AAC7B,UAAQ,GAAG,WAAW,QAAQ;AAChC;AAEA,SAAS,UACP,UACA,YACA,MACM;AACN,WAAS,aAAa;AACtB,WAAS,UAAU,gBAAgB,kBAAkB;AACrD,WAAS,IAAI,KAAK,UAAU,IAAI,CAAC;AACnC;AAEA,SAAS,qBAAqB,UAAgC;AAC5D,WAAS,aAAa;AACtB,WAAS,UAAU,cAAc,SAAS;AAC1C,WAAS,UAAU,WAAW,WAAW;AACzC,WAAS,IAAI,kBAAkB;AACjC;AAEA,SAAS,cAAc,UAAgC;AACrD,WAAS,aAAa;AACtB,WAAS,IAAI,WAAW;AAC1B;AAEA,SAAS,cAAc,QAAgB,YAA0B;AAC/D,SAAO;AAAA,IACL,YAAY,UAAU,IAAI,eAAe,MAAM,cAAc,aAAa;AAAA;AAAA;AAAA,EAC5E;AACA,SAAO,QAAQ;AACjB;AAMA,SAAS,kBAAkB,KAAsB;AAC/C,MAAI,IAAI,SAAS,IAAI,EAAG,QAAO;AAE/B,MAAI,OAAO,KAAK,GAAG,KAAK,IAAI,QAAQ,SAAS,GAAG,EAAE,SAAS,IAAI,EAAG,QAAO;AACzE,SAAO;AACT;AAEA,SAAS,cAAc,WAAmB,SAAmC;AAC3E,QAAM,aAAa,IAAI;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,UAAU,QAAQ,OAAO,MAAM;AAAA,EACjC;AACA,QAAM,aAAa,IAAI,IAAI,SAAS,EAAE;AACtC,SAAO,WAAW,cAAc,cAAc;AAChD;AAEA,eAAe,oBACb,UACA,SACe;AACf,QAAM,QAAQ,MAAM,2BAA2B,QAAQ,WAAW;AAClE,YAAU,UAAU,QAAQ,MAAM,KAAK,EAAE,IAAI,MAAM,CAAC;AACtD;AAEA,eAAsB,mBACpB,SACyB;AACzB,QAAM,SAAS,IAAI,IAAI,QAAQ,SAAS;AACxC,QAAM,OAAO,OAAO,aAAa,cAAc,cAAc,OAAO;AACpE,QAAM,OAAO,OAAO,SAAS,OAAO,MAAM,EAAE;AAC5C,MAAI,CAAC,OAAO,SAAS,IAAI,KAAK,QAAQ,GAAG;AACvC,UAAM,IAAI;AAAA,MACR,iDAAiD,QAAQ,SAAS;AAAA,IACpE;AAAA,EACF;AAEA,QAAM,WAAW,IAAI,gBAAgB;AAAA,IACnC,UAAU;AAAA,IACV,mBAAmB;AAAA,EACrB,CAAC;AAED,WAAS,GAAG,cAAc,CAAC,QAAmB,YAA6B;AAIzE,UAAM,YACJ,QAAQ,QAAQ,wBAAwB,GACpC,MAAM,GAAG,EACV,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC;AAC9B,UAAM,eAAe,UAAU;AAAA,MAAK,CAAC,MACnC,EAAE,WAAW,uBAAuB;AAAA,IACtC;AACA,UAAM,mBACJ,cAAc,MAAM,wBAAwB,MAAM,KAAK;AAGzD,UAAM,aAAa,IAAI,IAAI,QAAQ,OAAO,KAAK,QAAQ,SAAS;AAChE,UAAM,aAAa,WAAW,aAAa,IAAI,WAAW;AAE1D,UAAM,iBAAiB,oBAAoB;AAC3C,QAAI,CAAC,YAAY,gBAAgB,QAAQ,KAAK,GAAG;AAC/C,kBAAY,QAAQ,oBAAoB,cAAc;AACtD;AAAA,IACF;AAEA,UAAM,WAAW,IAAI,UAAU,QAAQ,aAAa;AAAA,MAClD,mBAAmB;AAAA,IACrB,CAAC;AAED,aAAS,GAAG,WAAW,CAAC,MAAe,aAAsB;AAC3D,UAAI,OAAO,eAAe,UAAU,MAAM;AACxC,eAAO,KAAK,MAAM,EAAE,QAAQ,SAAS,CAAC;AAAA,MACxC;AAAA,IACF,CAAC;AAED,WAAO,GAAG,WAAW,CAAC,MAAe,aAAsB;AACzD,UAAI,SAAS,eAAe,UAAU,MAAM;AAC1C,iBAAS,KAAK,MAAM,EAAE,QAAQ,SAAS,CAAC;AAAA,MAC1C;AAAA,IACF,CAAC;AAED,aAAS,GAAG,SAAS,CAAC,MAAc,iBAAyB;AAC3D,YAAM,SAAS,aAAa,SAAS,KAAK;AAC1C,kBAAY,QAAQ,QAAQ,KAAM,MAAM;AAAA,IAC1C,CAAC;AAED,WAAO,GAAG,SAAS,CAAC,MAAc,iBAAyB;AACzD,YAAM,SAAS,aAAa,SAAS,KAAK;AAC1C,kBAAY,UAAU,QAAQ,KAAM,MAAM;AAAA,IAC5C,CAAC;AAED,aAAS,GAAG,SAAS,CAAC,UAAiB;AACrC,cAAQ,MAAM,kCAAkC,OAAO,KAAK,CAAC,EAAE;AAC/D,kBAAY,QAAQ,sBAAsB,sBAAsB;AAChE,kBAAY,UAAU,sBAAsB,sBAAsB;AAAA,IACpE,CAAC;AAED,WAAO,GAAG,SAAS,CAAC,UAAiB;AACnC,cAAQ,MAAM,gCAAgC,OAAO,KAAK,CAAC,EAAE;AAC7D,kBAAY,UAAU,MAAM,cAAc;AAAA,IAC5C,CAAC;AAAA,EACH,CAAC;AAED,QAAM,aAAa,IAAI,IAAI,QAAQ,SAAS,EAAE,YAAY;AAE1D,QAAM,SAAS,aAAa,OAAO,SAAS,aAAa;AACvD,UAAM,aAAa,IAAI;AAAA,MACrB,QAAQ,OAAO;AAAA,MACf,QAAQ,UAAU,QAAQ,OAAO,MAAM;AAAA,IACzC;AAIA,QAAI,kBAAkB,QAAQ,OAAO,EAAE,GAAG;AACxC,oBAAc,QAAQ;AACtB;AAAA,IACF;AAEA,QACE,QAAQ,WAAW,SACnB,WAAW,aAAa,qBACxB;AACA,YAAM,oBAAoB,UAAU,OAAO;AAC3C;AAAA,IACF;AAEA,QAAI,WAAW,aAAa,YAAY;AACtC,2BAAqB,QAAQ;AAC7B;AAAA,IACF;AAEA,kBAAc,QAAQ;AAAA,EACxB,CAAC;AAED,SAAO,GAAG,WAAW,CAAC,SAAS,QAAQ,SAAS;AAE9C,QAAI,kBAAkB,QAAQ,OAAO,EAAE,GAAG;AACxC,oBAAc,QAAQ,GAAG;AACzB;AAAA,IACF;AAEA,QAAI,CAAC,cAAc,QAAQ,WAAW,OAAO,GAAG;AAC9C,oBAAc,QAAQ,GAAG;AACzB;AAAA,IACF;AAEA,aAAS,cAAc,SAAS,QAAQ,MAAM,CAAC,WAAW;AACxD,eAAS,KAAK,cAAc,QAAQ,OAAO;AAAA,IAC7C,CAAC;AAAA,EACH,CAAC;AAED,QAAM,IAAI,QAAc,CAAC,gBAAgB,kBAAkB;AACzD,WAAO,KAAK,SAAS,aAAa;AAClC,WAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,aAAO,IAAI,SAAS,aAAa;AACjC,cAAQ;AAAA,QACN,4BAA4B,QAAQ,SAAS,OAAO,QAAQ,WAAW;AAAA,MACzE;AACA,qBAAe;AAAA,IACjB,CAAC;AAAA,EACH,CAAC;AAED,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AACN,aAAO,IAAI,QAAc,CAAC,mBAAmB;AAC3C,eAAO,MAAM,MAAM;AACjB,mBAAS,MAAM,MAAM,eAAe,CAAC;AAAA,QACvC,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEA,SAAS,oBAA6B;AACpC,QAAM,QAAQ,QAAQ,KAAK,CAAC;AAC5B,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,YAAY,QAAQ,cAAc,QAAQ,KAAK,CAAC,EAAE;AAC3D;AAEA,IAAI,kBAAkB,GAAG;AACvB,OAAK,EAAE,MAAM,CAAC,UAAU;AACtB,YAAQ;AAAA,MACN,iBAAiB,QAAS,MAAM,SAAS,MAAM,UAAW,OAAO,KAAK;AAAA,IACxE;AACA,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":["resolve"]}
+{"version":3,"sources":["../../src/bridges/codex-app-server-auth-gateway.ts","../../src/engine/bridge-app-server-health.ts"],"mappings":";AAAA;AAAA,EACE;AAAA,OAIK;AACP,SAAS,oBAAoB;AAC7B,SAAS,UAAU,eAAe;AAElC,SAAS,qBAAqB;AAC9B,SAAS,uBAAuB;AAChC,SAAS,WAAW,uBAAqC;;;ACXzD,YAAY,SAAS;AAkBd,IAAM,+BAA+B;AAErC,IAAM,yBAAyB;AA0E/B,SAAS,wBAAwB,KAA4B;AAClE,MAAI;AACJ,MAAI;AACF,aAAS,IAAI,IAAI,GAAG;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,aAAa,OAAO;AAC7B,WAAO,WAAW;AAAA,EACpB,WAAW,OAAO,aAAa,QAAQ;AACrC,WAAO,WAAW;AAAA,EACpB,WAAW,OAAO,aAAa,WAAW,OAAO,aAAa,UAAU;AACtE,WAAO;AAAA,EACT;AAEA,SAAO,WAAW;AAClB,SAAO,SAAS;AAChB,SAAO,OAAO;AACd,SAAO,OAAO,SAAS;AACzB;AAEA,eAAsB,qBACpB,KACA,YAAoB,8BACY;AAChC,QAAM,YAAY,wBAAwB,GAAG;AAC7C,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,QAAQ,WAAW,MAAM,WAAW,MAAM,GAAG,SAAS;AAE5D,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,WAAW;AAAA,MACtC,QAAQ;AAAA,MACR,QAAQ,WAAW;AAAA,MACnB,SAAS;AAAA,QACP,QAAQ;AAAA,MACV;AAAA,IACF,CAAC;AAED,QAAI,SAAS,IAAI;AACf,aAAO;AAAA,IACT;AAEA,QACE,SAAS,WAAW,OACpB,SAAS,WAAW,OACpB,SAAS,WAAW,OACpB,SAAS,WAAW,OACpB,SAAS,WAAW,KACpB;AACA,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT,UAAE;AACA,iBAAa,KAAK;AAAA,EACpB;AACF;AAMA,eAAsB,sBACpB,KACA,YAAoB,8BACF;AAClB,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,IAAI,QAAQ,OAAO,MAAM,CAAC;AACjD,eAAW,OAAO;AAClB,WAAO,SAAS,OAAO,MAAM,EAAE;AAAA,EACjC,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,CAAC,QAAQ,CAAC,OAAO,SAAS,IAAI,EAAG,QAAO;AAE5C,SAAO,IAAI,QAAiB,CAACA,aAAY;AACvC,UAAM,SAAa,qBAAiB,EAAE,MAAM,UAAU,KAAK,CAAC;AAC5D,UAAM,QAAQ,WAAW,MAAM;AAC7B,aAAO,QAAQ;AACf,MAAAA,SAAQ,KAAK;AAAA,IACf,GAAG,SAAS;AAEZ,WAAO,KAAK,WAAW,MAAM;AAC3B,mBAAa,KAAK;AAClB,aAAO,QAAQ;AACf,MAAAA,SAAQ,IAAI;AAAA,IACd,CAAC;AACD,WAAO,KAAK,SAAS,MAAM;AACzB,mBAAa,KAAK;AAClB,aAAO,QAAQ;AACf,MAAAA,SAAQ,KAAK;AAAA,IACf,CAAC;AAAA,EACH,CAAC;AACH;AAsBA,eAAsB,2BACpB,KACA,YAAoB,8BACF;AAClB,QAAM,eAAe,MAAM,qBAAqB,KAAK,SAAS;AAC9D,MAAI,iBAAiB,SAAS;AAC5B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,eAAe;AAClC,WAAO,sBAAsB,KAAK,SAAS;AAAA,EAC7C;AAEA,SAAO;AACT;;;AD1NA,IAAM,0BAA0B;AAChC,IAAM,qBAAqB;AAC3B,IAAM,uBAAuB;AACtB,IAAM,sBAAsB;AAanC,SAAS,aAAa,OAAuB;AAC3C,SAAO,MAAM,QAAQ,OAAO,EAAE;AAChC;AAEA,SAAS,YACP,QACA,MACA,QACM;AACN,MACE,OAAO,eAAe,UAAU,WAChC,OAAO,eAAe,UAAU,QAChC;AACA;AAAA,EACF;AAEA,MAAI;AACF,WAAO,MAAM,MAAM,MAAM;AAAA,EAC3B,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,cAAc,MAAgB,OAAe,MAAsB;AAC1E,QAAM,UAAU,KAAK,KAAK,KAAK;AAC/B,QAAM,UAAU,QAAQ,QAAQ,GAAG;AACnC,MAAI,WAAW,GAAG;AAChB,WAAO,QAAQ,MAAM,UAAU,CAAC;AAAA,EAClC;AAEA,QAAM,OAAO,KAAK,QAAQ,CAAC;AAC3B,MAAI,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG;AAClC,UAAM,IAAI,MAAM,qBAAqB,IAAI,EAAE;AAAA,EAC7C;AACA,SAAO;AACT;AAEO,SAAS,oBAAoB,MAAgC;AAClE,MAAI,YAAY,QAAQ,IAAI,wBAAwB,KAAK,KAAK;AAC9D,MAAI,cAAc,QAAQ,IAAI,0BAA0B,KAAK,KAAK;AAClE,MAAI,YAAY,QAAQ,IAAI,wBAAwB,KAAK,KAAK;AAC9D,MAAI,QAAQ,QAAQ,IAAI,mBAAmB,KAAK,KAAK;AAErD,WAAS,QAAQ,GAAG,QAAQ,KAAK,QAAQ,SAAS,GAAG;AACnD,UAAM,OAAO,KAAK,KAAK,KAAK;AAC5B,UAAM,eAAe,CAAC,KAAK,SAAS,GAAG;AAEvC,QAAI,KAAK,WAAW,cAAc,GAAG;AACnC,kBAAY,cAAc,MAAM,OAAO,cAAc,EAAE,KAAK;AAC5D,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,gBAAgB,GAAG;AACrC,oBAAc,cAAc,MAAM,OAAO,gBAAgB,EAAE,KAAK;AAChE,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,cAAQ,cAAc,MAAM,OAAO,SAAS,EAAE,KAAK;AACnD,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,cAAc,GAAG;AACnC,kBAAY,cAAc,MAAM,OAAO,cAAc,EAAE,KAAK;AAC5D,UAAI,aAAc,UAAS;AAC3B;AAAA,IACF;AAAA,EACF;AAEA,MAAI,WAAW;AACb,YAAQ,aAAa,WAAW,MAAM,EAAE,KAAK;AAAA,EAC/C;AAEA,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AACA,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACA,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,SAAS,IAAI,IAAI,SAAS;AAChC,QAAM,WAAW,IAAI,IAAI,WAAW;AACpC,MAAI,CAAC,UAAU,KAAK,OAAO,QAAQ,GAAG;AACpC,UAAM,IAAI,MAAM,wCAAwC,OAAO,QAAQ,EAAE;AAAA,EAC3E;AACA,MAAI,CAAC,UAAU,KAAK,SAAS,QAAQ,GAAG;AACtC,UAAM,IAAI;AAAA,MACR,0CAA0C,SAAS,QAAQ;AAAA,IAC7D;AAAA,EACF;AAEA,SAAO;AAAA,IACL,WAAW,aAAa,OAAO,SAAS,CAAC;AAAA,IACzC,aAAa,aAAa,SAAS,SAAS,CAAC;AAAA,IAC7C;AAAA,EACF;AACF;AAEA,SAAS,YACP,gBACA,eACS;AACT,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,OAAO,KAAK,gBAAgB,MAAM;AACpD,QAAM,WAAW,OAAO,KAAK,eAAe,MAAM;AAClD,MAAI,UAAU,WAAW,SAAS,QAAQ;AACxC,WAAO;AAAA,EACT;AAEA,SAAO,gBAAgB,WAAW,QAAQ;AAC5C;AAEA,eAAe,OAAsB;AACnC,QAAM,UAAU,oBAAoB,QAAQ,KAAK,MAAM,CAAC,CAAC;AACzD,QAAM,UAAU,MAAM,mBAAmB,OAAO;AAEhD,QAAM,WAAW,MAAM;AACrB,SAAK,QAAQ,MAAM,EAAE,QAAQ,MAAM;AACjC,cAAQ,KAAK,CAAC;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,UAAQ,GAAG,UAAU,QAAQ;AAC7B,UAAQ,GAAG,WAAW,QAAQ;AAChC;AAEA,SAAS,UACP,UACA,YACA,MACM;AACN,WAAS,aAAa;AACtB,WAAS,UAAU,gBAAgB,kBAAkB;AACrD,WAAS,IAAI,KAAK,UAAU,IAAI,CAAC;AACnC;AAEA,SAAS,qBAAqB,UAAgC;AAC5D,WAAS,aAAa;AACtB,WAAS,UAAU,cAAc,SAAS;AAC1C,WAAS,UAAU,WAAW,WAAW;AACzC,WAAS,IAAI,kBAAkB;AACjC;AAEA,SAAS,cAAc,UAAgC;AACrD,WAAS,aAAa;AACtB,WAAS,IAAI,WAAW;AAC1B;AAEA,SAAS,cAAc,QAAgB,YAA0B;AAC/D,SAAO;AAAA,IACL,YAAY,UAAU,IAAI,eAAe,MAAM,cAAc,aAAa;AAAA;AAAA;AAAA,EAC5E;AACA,SAAO,QAAQ;AACjB;AAMA,SAAS,kBAAkB,KAAsB;AAC/C,MAAI,IAAI,SAAS,IAAI,EAAG,QAAO;AAE/B,MAAI,OAAO,KAAK,GAAG,KAAK,IAAI,QAAQ,SAAS,GAAG,EAAE,SAAS,IAAI,EAAG,QAAO;AACzE,SAAO;AACT;AAEA,SAAS,cAAc,WAAmB,SAAmC;AAC3E,QAAM,aAAa,IAAI;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,UAAU,QAAQ,OAAO,MAAM;AAAA,EACjC;AACA,QAAM,aAAa,IAAI,IAAI,SAAS,EAAE;AACtC,SAAO,WAAW,cAAc,cAAc;AAChD;AAEA,eAAe,oBACb,UACA,SACe;AACf,QAAM,QAAQ,MAAM,2BAA2B,QAAQ,WAAW;AAClE,YAAU,UAAU,QAAQ,MAAM,KAAK,EAAE,IAAI,MAAM,CAAC;AACtD;AAEA,eAAsB,mBACpB,SACyB;AACzB,QAAM,SAAS,IAAI,IAAI,QAAQ,SAAS;AACxC,QAAM,OAAO,OAAO,aAAa,cAAc,cAAc,OAAO;AACpE,QAAM,OAAO,OAAO,SAAS,OAAO,MAAM,EAAE;AAC5C,MAAI,CAAC,OAAO,SAAS,IAAI,KAAK,QAAQ,GAAG;AACvC,UAAM,IAAI;AAAA,MACR,iDAAiD,QAAQ,SAAS;AAAA,IACpE;AAAA,EACF;AAEA,QAAM,WAAW,IAAI,gBAAgB;AAAA,IACnC,UAAU;AAAA,IACV,mBAAmB;AAAA,EACrB,CAAC;AAED,WAAS,GAAG,cAAc,CAAC,QAAmB,YAA6B;AAIzE,UAAM,YACJ,QAAQ,QAAQ,wBAAwB,GACpC,MAAM,GAAG,EACV,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC;AAC9B,UAAM,eAAe,UAAU;AAAA,MAAK,CAAC,MACnC,EAAE,WAAW,uBAAuB;AAAA,IACtC;AACA,UAAM,mBACJ,cAAc,MAAM,wBAAwB,MAAM,KAAK;AAGzD,UAAM,aAAa,IAAI,IAAI,QAAQ,OAAO,KAAK,QAAQ,SAAS;AAChE,UAAM,aAAa,WAAW,aAAa,IAAI,WAAW;AAE1D,UAAM,iBAAiB,oBAAoB;AAC3C,QAAI,CAAC,YAAY,gBAAgB,QAAQ,KAAK,GAAG;AAC/C,kBAAY,QAAQ,oBAAoB,cAAc;AACtD;AAAA,IACF;AAEA,YAAQ;AAAA,MACN,4CAA4C,QAAQ,OAAO,iBAAiB,SAAS,OAAO,QAAQ,WAAW;AAAA,IACjH;AAEA,UAAM,WAAW,IAAI,UAAU,QAAQ,aAAa;AAAA,MAClD,mBAAmB;AAAA,IACrB,CAAC;AAED,aAAS,GAAG,QAAQ,MAAM;AACxB,cAAQ,IAAI,qCAAqC,QAAQ,WAAW,EAAE;AAAA,IACxE,CAAC;AAED,aAAS,GAAG,WAAW,CAAC,MAAe,aAAsB;AAC3D,UAAI,OAAO,eAAe,UAAU,MAAM;AACxC,eAAO,KAAK,MAAM,EAAE,QAAQ,SAAS,CAAC;AAAA,MACxC;AAAA,IACF,CAAC;AAED,WAAO,GAAG,WAAW,CAAC,MAAe,aAAsB;AACzD,UAAI,SAAS,eAAe,UAAU,MAAM;AAC1C,iBAAS,KAAK,MAAM,EAAE,QAAQ,SAAS,CAAC;AAAA,MAC1C;AAAA,IACF,CAAC;AAED,aAAS,GAAG,SAAS,CAAC,MAAc,iBAAyB;AAC3D,YAAM,SAAS,aAAa,SAAS,KAAK;AAC1C,cAAQ;AAAA,QACN,uCAAuC,QAAQ,GAAI,WAAW,MAAM;AAAA,MACtE;AACA,kBAAY,QAAQ,QAAQ,KAAM,MAAM;AAAA,IAC1C,CAAC;AAED,WAAO,GAAG,SAAS,CAAC,MAAc,iBAAyB;AACzD,YAAM,SAAS,aAAa,SAAS,KAAK;AAC1C,cAAQ;AAAA,QACN,qCAAqC,QAAQ,GAAI,WAAW,MAAM;AAAA,MACpE;AACA,kBAAY,UAAU,QAAQ,KAAM,MAAM;AAAA,IAC5C,CAAC;AAED,aAAS,GAAG,SAAS,CAAC,UAAiB;AACrC,cAAQ,MAAM,kCAAkC,OAAO,KAAK,CAAC,EAAE;AAC/D,kBAAY,QAAQ,sBAAsB,sBAAsB;AAChE,kBAAY,UAAU,sBAAsB,sBAAsB;AAAA,IACpE,CAAC;AAED,WAAO,GAAG,SAAS,CAAC,UAAiB;AACnC,cAAQ,MAAM,gCAAgC,OAAO,KAAK,CAAC,EAAE;AAC7D,kBAAY,UAAU,MAAM,cAAc;AAAA,IAC5C,CAAC;AAAA,EACH,CAAC;AAED,QAAM,aAAa,IAAI,IAAI,QAAQ,SAAS,EAAE,YAAY;AAE1D,QAAM,SAAS,aAAa,OAAO,SAAS,aAAa;AACvD,UAAM,aAAa,IAAI;AAAA,MACrB,QAAQ,OAAO;AAAA,MACf,QAAQ,UAAU,QAAQ,OAAO,MAAM;AAAA,IACzC;AAIA,QAAI,kBAAkB,QAAQ,OAAO,EAAE,GAAG;AACxC,oBAAc,QAAQ;AACtB;AAAA,IACF;AAEA,QACE,QAAQ,WAAW,SACnB,WAAW,aAAa,qBACxB;AACA,YAAM,oBAAoB,UAAU,OAAO;AAC3C;AAAA,IACF;AAEA,QAAI,WAAW,aAAa,YAAY;AACtC,2BAAqB,QAAQ;AAC7B;AAAA,IACF;AAEA,kBAAc,QAAQ;AAAA,EACxB,CAAC;AAED,SAAO,GAAG,WAAW,CAAC,SAAS,QAAQ,SAAS;AAE9C,QAAI,kBAAkB,QAAQ,OAAO,EAAE,GAAG;AACxC,oBAAc,QAAQ,GAAG;AACzB;AAAA,IACF;AAEA,QAAI,CAAC,cAAc,QAAQ,WAAW,OAAO,GAAG;AAC9C,oBAAc,QAAQ,GAAG;AACzB;AAAA,IACF;AAEA,aAAS,cAAc,SAAS,QAAQ,MAAM,CAAC,WAAW;AACxD,eAAS,KAAK,cAAc,QAAQ,OAAO;AAAA,IAC7C,CAAC;AAAA,EACH,CAAC;AAED,QAAM,IAAI,QAAc,CAAC,gBAAgB,kBAAkB;AACzD,WAAO,KAAK,SAAS,aAAa;AAClC,WAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,aAAO,IAAI,SAAS,aAAa;AACjC,cAAQ;AAAA,QACN,4BAA4B,QAAQ,SAAS,OAAO,QAAQ,WAAW;AAAA,MACzE;AACA,qBAAe;AAAA,IACjB,CAAC;AAAA,EACH,CAAC;AAED,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AACN,aAAO,IAAI,QAAc,CAAC,mBAAmB;AAC3C,eAAO,MAAM,MAAM;AACjB,mBAAS,MAAM,MAAM,eAAe,CAAC;AAAA,QACvC,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAEA,SAAS,oBAA6B;AACpC,QAAM,QAAQ,QAAQ,KAAK,CAAC;AAC5B,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI,CAAC,SAAS,KAAK,EAAE,WAAW,+BAA+B,GAAG;AAChE,WAAO;AAAA,EACT;AACA,SAAO,YAAY,QAAQ,cAAc,QAAQ,KAAK,CAAC,EAAE;AAC3D;AAEA,IAAI,kBAAkB,GAAG;AACvB,OAAK,EAAE,MAAM,CAAC,UAAU;AACtB,YAAQ;AAAA,MACN,iBAAiB,QAAS,MAAM,SAAS,MAAM,UAAW,OAAO,KAAK;AAAA,IACxE;AACA,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":["resolve"]}