@immediately-run/sdk 0.8.1 → 0.9.0

package/dist/mounts.d.cts

@@ -1,3 +1,5 @@
+import { FileCap } from './tasks.cjs';
+
 /**
  * The absolute path where this app's own repository filesystem is mounted
  * (FILE_SHARING_SPEC §11.2). Prefer this over hardcoding `/app`: the repo is
@@ -10,8 +12,8 @@ declare const getAppMountPath: () => string;
 /**
  * A filesystem mount available to the sandbox, mirrored from the host window.
  *
- * Mounts appear on demand — call {@link openAppSpace} / {@link mountSpace} to ask
- * the host to mount a Firestore-backed "space"; it appears at `/spaces/{id}`.
+ * Mounts appear on demand — call {@link openSettings} for this app's own settings,
+ * or {@link mountSpace} / {@link requestMount} to mount a Firestore-backed "space".
  * Read or subscribe to the set, then access the files through the `fs` module at
  * the mount's `path`.
  */
@@ -29,6 +31,29 @@ interface SandboxMount {
      * Absent on the primary repo mount (treated as read-write).
      */
     mode?: "ro" | "rw";
+    /**
+     * Human-readable label for the mount — the space's display name, or the repo
+     * label for the primary working-tree mount (R3-69). Use this to show users and
+     * agents *what* a mount is: the `path` (`/mnt/{hash}`) and `id` (the spaceId)
+     * are opaque, and space names are not unique, so neither alone tells you which
+     * filesystem you're looking at. Absent when the host can't resolve a name
+     * (older host, or a name it never learned) — fall back to `id`/`path`.
+     */
+    name?: string;
+    /**
+     * The granted scopes of this mount (plan 12 §8.7 / §F): each `{subtree, mode}`
+     * is a path prefix you hold and at what access, at the mount's backend-natural
+     * paths. Use it to reason about per-path writability — which subtree is `rw` —
+     * WITHOUT probing `EROFS`. A single whole-mount grant is `[{ subtree: '/', mode }]`.
+     * Absent on the primary repo mount and on an older host that doesn't report it.
+     */
+    rules?: MountRule[];
+}
+/** One granted scope of a mount (plan 12 §F): a backend-natural path prefix and
+ *  the access mode there. The most specific (longest) matching rule governs a path. */
+interface MountRule {
+    subtree: string;
+    mode: 'ro' | 'rw';
 }
 /**
  * Why a mounted filesystem was removed, surfaced on the removed descriptor so an
@@ -47,15 +72,20 @@ type MountRemoveReason = "revoked" | "unshared" | "signed-out" | "unmounted" | "
 interface RemovedMount extends SandboxMount {
     reason: MountRemoveReason;
 }
-/** A predicate-style matcher for {@link findMount} / {@link waitForMount}. */
+/** A predicate-style matcher for {@link findMount} / {@link waitForMount}. Any
+ *  combination of coordinates; `name` matches the human-readable mount label. */
 type MountQuery = {
     type?: string;
     id?: string;
     path?: string;
+    name?: string;
 };
 /**
  * Returns the mounts currently available. Poll this whenever you need a one-off
  * read; use {@link onMountsChange} or {@link useMounts} to react to changes.
+ * Each descriptor carries its `id` (the spaceId), `path` (`/mnt/{hash}`) and —
+ * when the host can resolve it — a human-readable `name` (R3-69), so this doubles
+ * as a queryable mount→space mapping for showing or locating a mount by name.
  */
 declare const getMounts: () => SandboxMount[];
 /** Returns the first mount matching `query`, or `undefined`. */
@@ -88,13 +118,6 @@ interface SpaceInfo {
 interface SpaceError extends Error {
     code: 'auth-required' | 'cancelled' | 'forbidden' | 'not-found' | 'unsupported-scheme' | 'unknown';
 }
-/**
- * Open this app's workspace for the signed-in user (the zero-config path). The
- * `slot` names which workspace (default `'default'`); pass distinct slots for
- * multiple filesystems in one app. On a missing slot the host shows a
- * create-or-pick dialog. Rejects with a {@link SpaceError} (`.code`) on cancel.
- */
-declare const openAppSpace: (slot?: string) => Promise<SandboxMount>;
 /**
  * Mount a filesystem by its **universal mount id** (UI_AS_APPS_SPEC §3.5) —
  * `scheme:locator`, e.g. `space:{spaceId}` or `github:owner/repo@ref`. Backend-blind:
@@ -109,11 +132,19 @@ declare const mountSpace: (query: {
 }) => Promise<SandboxMount>;
 /**
  * Ask the user to grant a filesystem to this app — the §8.6 powerbox. The app
- * asks; the HOST shows the user their mounts and the access choice (which mount,
- * an optional subtree, read-only vs read-write); the USER picks or declines. The
- * app never sees the list — it resolves with the single granted mount, or rejects
- * with a {@link SpaceError} (`cancelled`) if declined. The granted scope is
- * enforced host-side: the mount is chroot'd / `ro`-limited accordingly.
+ * asks; the HOST shows the user their spaces and, for the chosen one, its PROJECT
+ * FOLDERS (§8.7). The user picks ONE project — so a shared space opens scoped to
+ * just that project, never the whole space — and makes an EXPLICIT read-only vs
+ * read-write decision (there is no default). The app never sees the list; it
+ * resolves with the single granted mount, or rejects with a {@link SpaceError}
+ * (`cancelled`) if declined. The granted scope is enforced host-side: the mount
+ * is chroot'd to the project folder and `ro`-limited accordingly, so paths
+ * outside the project are unnameable and writes on a `ro` grant fail `EROFS`.
+ *
+ * A project folder is the macOS-bundle-like unit an app works in inside a space;
+ * the host records which app a folder belongs to (a `.immediately.run/` sidecar),
+ * so the picker can surface the app's own projects or let the user create a new
+ * one. Observe the granted access via {@link SandboxMount.mode}.
  *
  * Backend-general (§3.5): the picker offers whatever mounts the user has (today,
  * their spaces). Returns the granted mount by its universal id.
@@ -121,11 +152,106 @@ declare const mountSpace: (query: {
 declare const requestMount: () => Promise<SandboxMount>;
 /** @deprecated renamed to {@link requestMount} (backend-general, §3.5). */
 declare const requestSpace: () => Promise<SandboxMount>;
-/** Create a brand-new space, optionally binding it to this app (a slot). */
+/**
+ * Build a persisted CONTENT REFERENCE to a file in a mount — a `{mountId, relPath}`
+ * pointer your app serializes into ITS OWN content (a board's JSON, an MDX file's
+ * frontmatter, an album manifest — the platform doesn't dictate the container) so a
+ * later viewer can resolve it. It is exactly the §5.7 {@link capFile} shape: ONE
+ * capability, two delivery modes — runtime delegation (a task param, authorized by
+ * the caller) vs a durable reference (authorized per-viewer by {@link resolveContentRef}).
+ * `relPath` is BACKEND-NATURAL, so the reference resolves to the SAME path for every
+ * viewer. Cross-app/cross-project references default to `ro`.
+ *
+ *   const ref = makeContentRef({ mountId: 'space:ACME', relPath: 'office-seating/desk.mdx' }, { mode: 'ro' });
+ */
+declare const makeContentRef: (ref: {
+    mountId: string;
+    relPath: string;
+}, opts: {
+    mode: "ro" | "rw";
+}) => FileCap;
+/**
+ * Resolve a content reference your app found in content it ALREADY holds (plan 12
+ * §E). This is a RELAY, not a fabrication: the host honors it ONLY when your app
+ * already holds a grant to `ref.mountId` (else `forbidden`) — apps follow
+ * writer-authored links inside granted content; they cannot name a space from
+ * nothing (T27). The host runs a per-VIEWER consent prompt (named via the owning
+ * app's project sidecar), and existence is never leaked — a decline and a
+ * non-existent path are indistinguishable.
+ *
+ * On allow, the host APPENDS a read scope for the referenced path to your grant
+ * (durable; same §8.15 lifecycle) and returns the STABLE absolute `path` the file
+ * is mounted at — identical for every viewer, so a path the author stored resolves
+ * the same for you. Read it through the `fs` module at that path. Rejects with a
+ * {@link SpaceError}: `forbidden` (you don't hold the referenced mount) or
+ * `cancelled` (the viewer declined / the path doesn't exist — no oracle).
+ *
+ *   const { path } = await resolveContentRef(ref);
+ *   const text = await fs.promises.readFile(path, 'utf8');
+ */
+declare const resolveContentRef: (ref: FileCap) => Promise<{
+    path: string;
+}>;
+/**
+ * Resolve a BATCH of content references in ONE consent round (plan 12 §E). When a
+ * board opens with several embedded references, pass them all here: the host
+ * coalesces them into a SINGLE consent prompt listing every target, instead of one
+ * prompt per reference. Same relay gate and per-viewer semantics as
+ * {@link resolveContentRef} (each ref's mount must already be held), applied to the
+ * whole set — it is all-or-nothing: the user allows the batch or declines it.
+ *
+ * Resolves `{ paths }` with the STABLE absolute path of each ref, in input order.
+ * Rejects with a {@link SpaceError}: `forbidden` (a referenced mount isn't held) or
+ * `cancelled` (the viewer declined).
+ *
+ *   const { paths } = await resolveContentRefs(board.references);
+ */
+declare const resolveContentRefs: (refs: FileCap[]) => Promise<{
+    paths: string[];
+}>;
+/**
+ * Mount this app's per-user settings — a private `~/.config`-style filesystem,
+ * auto-provisioned for the signed-in user and isolated to THIS app (the host
+ * chroots it; a different app can never name it). Read/write config files through
+ * the returned mount. Rejects with a {@link SpaceError} (`auth-required`) when
+ * signed out. Capability: baseline `settings:app`.
+ */
+declare const openSettings: () => Promise<SandboxMount>;
+/**
+ * One-time SEED of this app's settings from the parent it declares as `forkOf`
+ * (its `package.json` `immediately.run.forkOf`) — so a fork inherits your
+ * preferences from the original app (UI_AS_APPS_SPEC §3.4). The host asks the user
+ * to confirm (a full consent when the apps have different owners, a light confirm
+ * when the same owner publishes both) and copies the parent's settings into this
+ * app's own subdir, skipping any file you already have. Non-throwing: resolves
+ * `{ ok:false, code }` on decline (`cancelled`), no declared parent (`forbidden`),
+ * or signed-out (`auth-required`). After `{ ok:true }`, read {@link openSettings}.
+ * Capability: baseline `settings:fork`.
+ */
+declare const importSettingsFromParent: () => Promise<{
+    ok: true;
+    copied: number;
+} | {
+    ok: false;
+    code: string;
+}>;
+/**
+ * Mount ANOTHER app's per-user settings by its `appKey` — the elevated "file
+ * commander" surface. Rejects `forbidden` unless this app holds the first-party-
+ * only `settings:all` capability. Most apps want {@link openSettings} instead.
+ */
+declare const openSettingsOf: (appKey: string) => Promise<SandboxMount>;
+/**
+ * List every app that has per-user settings — the elevated "file commander"
+ * enumeration. Pair with {@link openSettingsOf} to mount any of them. Rejects
+ * `forbidden` unless this app holds the first-party-only `settings:all`.
+ */
+declare const listSettingsApps: () => Promise<string[]>;
+/** Create a brand-new, empty platform-hosted space. The app reaches it (or any
+ *  other space) afterward through the {@link requestMount} powerbox or
+ *  {@link mountSpace}; there is no implicit per-app binding. */
 declare const createSpace: (opts?: {
     name?: string;
-    slot?: string;
-    bindToApp?: boolean;
 }) => Promise<SandboxMount>;
 /** List spaces you can access — all of them, or just those bound to this app. */
 declare const listSpaces: (opts?: {
@@ -185,4 +311,4 @@ declare const listGrants: () => Promise<GrantRecord[]>;
  *  best-effort live teardown. Elevated `spaces:admin`. */
 declare const revokeGrant: (appKey: string, spaceId: string) => Promise<void>;
 
-export { type GrantRecord, type Member, type MountQuery, type MountRemoveReason, type RemovedMount, type ResolvedUser, type Role, type SandboxMount, type SpaceError, type SpaceInfo, createSpace, findMount, getAppMountPath, getMounts, getSpaceMembers, listAllSpaces, listGrants, listSpaces, lookupUser, mount, mountSpace, onMountsChange, openAppSpace, requestMount, requestSpace, revokeGrant, setSpaceRole, shareSpace, unmountSpace, unshareSpace, useMounts, waitForMount };
+export { type GrantRecord, type Member, type MountQuery, type MountRemoveReason, type MountRule, type RemovedMount, type ResolvedUser, type Role, type SandboxMount, type SpaceError, type SpaceInfo, createSpace, findMount, getAppMountPath, getMounts, getSpaceMembers, importSettingsFromParent, listAllSpaces, listGrants, listSettingsApps, listSpaces, lookupUser, makeContentRef, mount, mountSpace, onMountsChange, openSettings, openSettingsOf, requestMount, requestSpace, resolveContentRef, resolveContentRefs, revokeGrant, setSpaceRole, shareSpace, unmountSpace, unshareSpace, useMounts, waitForMount };

package/dist/mounts.d.ts

@@ -1,3 +1,5 @@
+import { FileCap } from './tasks.js';
+
 /**
  * The absolute path where this app's own repository filesystem is mounted
  * (FILE_SHARING_SPEC §11.2). Prefer this over hardcoding `/app`: the repo is
@@ -10,8 +12,8 @@ declare const getAppMountPath: () => string;
 /**
  * A filesystem mount available to the sandbox, mirrored from the host window.
  *
- * Mounts appear on demand — call {@link openAppSpace} / {@link mountSpace} to ask
- * the host to mount a Firestore-backed "space"; it appears at `/spaces/{id}`.
+ * Mounts appear on demand — call {@link openSettings} for this app's own settings,
+ * or {@link mountSpace} / {@link requestMount} to mount a Firestore-backed "space".
  * Read or subscribe to the set, then access the files through the `fs` module at
  * the mount's `path`.
  */
@@ -29,6 +31,29 @@ interface SandboxMount {
      * Absent on the primary repo mount (treated as read-write).
      */
     mode?: "ro" | "rw";
+    /**
+     * Human-readable label for the mount — the space's display name, or the repo
+     * label for the primary working-tree mount (R3-69). Use this to show users and
+     * agents *what* a mount is: the `path` (`/mnt/{hash}`) and `id` (the spaceId)
+     * are opaque, and space names are not unique, so neither alone tells you which
+     * filesystem you're looking at. Absent when the host can't resolve a name
+     * (older host, or a name it never learned) — fall back to `id`/`path`.
+     */
+    name?: string;
+    /**
+     * The granted scopes of this mount (plan 12 §8.7 / §F): each `{subtree, mode}`
+     * is a path prefix you hold and at what access, at the mount's backend-natural
+     * paths. Use it to reason about per-path writability — which subtree is `rw` —
+     * WITHOUT probing `EROFS`. A single whole-mount grant is `[{ subtree: '/', mode }]`.
+     * Absent on the primary repo mount and on an older host that doesn't report it.
+     */
+    rules?: MountRule[];
+}
+/** One granted scope of a mount (plan 12 §F): a backend-natural path prefix and
+ *  the access mode there. The most specific (longest) matching rule governs a path. */
+interface MountRule {
+    subtree: string;
+    mode: 'ro' | 'rw';
 }
 /**
  * Why a mounted filesystem was removed, surfaced on the removed descriptor so an
@@ -47,15 +72,20 @@ type MountRemoveReason = "revoked" | "unshared" | "signed-out" | "unmounted" | "
 interface RemovedMount extends SandboxMount {
     reason: MountRemoveReason;
 }
-/** A predicate-style matcher for {@link findMount} / {@link waitForMount}. */
+/** A predicate-style matcher for {@link findMount} / {@link waitForMount}. Any
+ *  combination of coordinates; `name` matches the human-readable mount label. */
 type MountQuery = {
     type?: string;
     id?: string;
     path?: string;
+    name?: string;
 };
 /**
  * Returns the mounts currently available. Poll this whenever you need a one-off
  * read; use {@link onMountsChange} or {@link useMounts} to react to changes.
+ * Each descriptor carries its `id` (the spaceId), `path` (`/mnt/{hash}`) and —
+ * when the host can resolve it — a human-readable `name` (R3-69), so this doubles
+ * as a queryable mount→space mapping for showing or locating a mount by name.
  */
 declare const getMounts: () => SandboxMount[];
 /** Returns the first mount matching `query`, or `undefined`. */
@@ -88,13 +118,6 @@ interface SpaceInfo {
 interface SpaceError extends Error {
     code: 'auth-required' | 'cancelled' | 'forbidden' | 'not-found' | 'unsupported-scheme' | 'unknown';
 }
-/**
- * Open this app's workspace for the signed-in user (the zero-config path). The
- * `slot` names which workspace (default `'default'`); pass distinct slots for
- * multiple filesystems in one app. On a missing slot the host shows a
- * create-or-pick dialog. Rejects with a {@link SpaceError} (`.code`) on cancel.
- */
-declare const openAppSpace: (slot?: string) => Promise<SandboxMount>;
 /**
  * Mount a filesystem by its **universal mount id** (UI_AS_APPS_SPEC §3.5) —
  * `scheme:locator`, e.g. `space:{spaceId}` or `github:owner/repo@ref`. Backend-blind:
@@ -109,11 +132,19 @@ declare const mountSpace: (query: {
 }) => Promise<SandboxMount>;
 /**
  * Ask the user to grant a filesystem to this app — the §8.6 powerbox. The app
- * asks; the HOST shows the user their mounts and the access choice (which mount,
- * an optional subtree, read-only vs read-write); the USER picks or declines. The
- * app never sees the list — it resolves with the single granted mount, or rejects
- * with a {@link SpaceError} (`cancelled`) if declined. The granted scope is
- * enforced host-side: the mount is chroot'd / `ro`-limited accordingly.
+ * asks; the HOST shows the user their spaces and, for the chosen one, its PROJECT
+ * FOLDERS (§8.7). The user picks ONE project — so a shared space opens scoped to
+ * just that project, never the whole space — and makes an EXPLICIT read-only vs
+ * read-write decision (there is no default). The app never sees the list; it
+ * resolves with the single granted mount, or rejects with a {@link SpaceError}
+ * (`cancelled`) if declined. The granted scope is enforced host-side: the mount
+ * is chroot'd to the project folder and `ro`-limited accordingly, so paths
+ * outside the project are unnameable and writes on a `ro` grant fail `EROFS`.
+ *
+ * A project folder is the macOS-bundle-like unit an app works in inside a space;
+ * the host records which app a folder belongs to (a `.immediately.run/` sidecar),
+ * so the picker can surface the app's own projects or let the user create a new
+ * one. Observe the granted access via {@link SandboxMount.mode}.
  *
  * Backend-general (§3.5): the picker offers whatever mounts the user has (today,
  * their spaces). Returns the granted mount by its universal id.
@@ -121,11 +152,106 @@ declare const mountSpace: (query: {
 declare const requestMount: () => Promise<SandboxMount>;
 /** @deprecated renamed to {@link requestMount} (backend-general, §3.5). */
 declare const requestSpace: () => Promise<SandboxMount>;
-/** Create a brand-new space, optionally binding it to this app (a slot). */
+/**
+ * Build a persisted CONTENT REFERENCE to a file in a mount — a `{mountId, relPath}`
+ * pointer your app serializes into ITS OWN content (a board's JSON, an MDX file's
+ * frontmatter, an album manifest — the platform doesn't dictate the container) so a
+ * later viewer can resolve it. It is exactly the §5.7 {@link capFile} shape: ONE
+ * capability, two delivery modes — runtime delegation (a task param, authorized by
+ * the caller) vs a durable reference (authorized per-viewer by {@link resolveContentRef}).
+ * `relPath` is BACKEND-NATURAL, so the reference resolves to the SAME path for every
+ * viewer. Cross-app/cross-project references default to `ro`.
+ *
+ *   const ref = makeContentRef({ mountId: 'space:ACME', relPath: 'office-seating/desk.mdx' }, { mode: 'ro' });
+ */
+declare const makeContentRef: (ref: {
+    mountId: string;
+    relPath: string;
+}, opts: {
+    mode: "ro" | "rw";
+}) => FileCap;
+/**
+ * Resolve a content reference your app found in content it ALREADY holds (plan 12
+ * §E). This is a RELAY, not a fabrication: the host honors it ONLY when your app
+ * already holds a grant to `ref.mountId` (else `forbidden`) — apps follow
+ * writer-authored links inside granted content; they cannot name a space from
+ * nothing (T27). The host runs a per-VIEWER consent prompt (named via the owning
+ * app's project sidecar), and existence is never leaked — a decline and a
+ * non-existent path are indistinguishable.
+ *
+ * On allow, the host APPENDS a read scope for the referenced path to your grant
+ * (durable; same §8.15 lifecycle) and returns the STABLE absolute `path` the file
+ * is mounted at — identical for every viewer, so a path the author stored resolves
+ * the same for you. Read it through the `fs` module at that path. Rejects with a
+ * {@link SpaceError}: `forbidden` (you don't hold the referenced mount) or
+ * `cancelled` (the viewer declined / the path doesn't exist — no oracle).
+ *
+ *   const { path } = await resolveContentRef(ref);
+ *   const text = await fs.promises.readFile(path, 'utf8');
+ */
+declare const resolveContentRef: (ref: FileCap) => Promise<{
+    path: string;
+}>;
+/**
+ * Resolve a BATCH of content references in ONE consent round (plan 12 §E). When a
+ * board opens with several embedded references, pass them all here: the host
+ * coalesces them into a SINGLE consent prompt listing every target, instead of one
+ * prompt per reference. Same relay gate and per-viewer semantics as
+ * {@link resolveContentRef} (each ref's mount must already be held), applied to the
+ * whole set — it is all-or-nothing: the user allows the batch or declines it.
+ *
+ * Resolves `{ paths }` with the STABLE absolute path of each ref, in input order.
+ * Rejects with a {@link SpaceError}: `forbidden` (a referenced mount isn't held) or
+ * `cancelled` (the viewer declined).
+ *
+ *   const { paths } = await resolveContentRefs(board.references);
+ */
+declare const resolveContentRefs: (refs: FileCap[]) => Promise<{
+    paths: string[];
+}>;
+/**
+ * Mount this app's per-user settings — a private `~/.config`-style filesystem,
+ * auto-provisioned for the signed-in user and isolated to THIS app (the host
+ * chroots it; a different app can never name it). Read/write config files through
+ * the returned mount. Rejects with a {@link SpaceError} (`auth-required`) when
+ * signed out. Capability: baseline `settings:app`.
+ */
+declare const openSettings: () => Promise<SandboxMount>;
+/**
+ * One-time SEED of this app's settings from the parent it declares as `forkOf`
+ * (its `package.json` `immediately.run.forkOf`) — so a fork inherits your
+ * preferences from the original app (UI_AS_APPS_SPEC §3.4). The host asks the user
+ * to confirm (a full consent when the apps have different owners, a light confirm
+ * when the same owner publishes both) and copies the parent's settings into this
+ * app's own subdir, skipping any file you already have. Non-throwing: resolves
+ * `{ ok:false, code }` on decline (`cancelled`), no declared parent (`forbidden`),
+ * or signed-out (`auth-required`). After `{ ok:true }`, read {@link openSettings}.
+ * Capability: baseline `settings:fork`.
+ */
+declare const importSettingsFromParent: () => Promise<{
+    ok: true;
+    copied: number;
+} | {
+    ok: false;
+    code: string;
+}>;
+/**
+ * Mount ANOTHER app's per-user settings by its `appKey` — the elevated "file
+ * commander" surface. Rejects `forbidden` unless this app holds the first-party-
+ * only `settings:all` capability. Most apps want {@link openSettings} instead.
+ */
+declare const openSettingsOf: (appKey: string) => Promise<SandboxMount>;
+/**
+ * List every app that has per-user settings — the elevated "file commander"
+ * enumeration. Pair with {@link openSettingsOf} to mount any of them. Rejects
+ * `forbidden` unless this app holds the first-party-only `settings:all`.
+ */
+declare const listSettingsApps: () => Promise<string[]>;
+/** Create a brand-new, empty platform-hosted space. The app reaches it (or any
+ *  other space) afterward through the {@link requestMount} powerbox or
+ *  {@link mountSpace}; there is no implicit per-app binding. */
 declare const createSpace: (opts?: {
     name?: string;
-    slot?: string;
-    bindToApp?: boolean;
 }) => Promise<SandboxMount>;
 /** List spaces you can access — all of them, or just those bound to this app. */
 declare const listSpaces: (opts?: {
@@ -185,4 +311,4 @@ declare const listGrants: () => Promise<GrantRecord[]>;
  *  best-effort live teardown. Elevated `spaces:admin`. */
 declare const revokeGrant: (appKey: string, spaceId: string) => Promise<void>;
 
-export { type GrantRecord, type Member, type MountQuery, type MountRemoveReason, type RemovedMount, type ResolvedUser, type Role, type SandboxMount, type SpaceError, type SpaceInfo, createSpace, findMount, getAppMountPath, getMounts, getSpaceMembers, listAllSpaces, listGrants, listSpaces, lookupUser, mount, mountSpace, onMountsChange, openAppSpace, requestMount, requestSpace, revokeGrant, setSpaceRole, shareSpace, unmountSpace, unshareSpace, useMounts, waitForMount };
+export { type GrantRecord, type Member, type MountQuery, type MountRemoveReason, type MountRule, type RemovedMount, type ResolvedUser, type Role, type SandboxMount, type SpaceError, type SpaceInfo, createSpace, findMount, getAppMountPath, getMounts, getSpaceMembers, importSettingsFromParent, listAllSpaces, listGrants, listSettingsApps, listSpaces, lookupUser, makeContentRef, mount, mountSpace, onMountsChange, openSettings, openSettingsOf, requestMount, requestSpace, resolveContentRef, resolveContentRefs, revokeGrant, setSpaceRole, shareSpace, unmountSpace, unshareSpace, useMounts, waitForMount };

package/dist/mounts.js

@@ -1,11 +1,12 @@
 import { useEffect, useState } from "react";
 import { protocolRequest } from "./sandboxUtils";
 import { getHostRuntime } from "./hostRuntime";
+import { mountMatches } from "./mountMatch";
 const getAppMountPath = () => getHostRuntime()?.appMountPath ?? "/app";
 const mountService = () => {
   return module.evaluation.module.bundler.mounts;
 };
-const matches = (mount2, query) => (query.type === void 0 || mount2.type === query.type) && (query.id === void 0 || mount2.id === query.id) && (query.path === void 0 || mount2.path === query.path);
+const matches = (mount2, query) => mountMatches(mount2, query);
 const getMounts = () => mountService().getMounts();
 const findMount = (query) => getMounts().find((m) => matches(m, query));
 const onMountsChange = (listener) => {
@@ -39,11 +40,45 @@ const requestMountInternal = async (method, query) => {
   const mount2 = await request(method, query);
   return waitForMount({ id: mount2.id ?? mount2.path });
 };
-const openAppSpace = (slot = "default") => requestMountInternal("open", { slot });
 const mount = (mountId) => requestMountInternal("mount", { mount: mountId });
 const mountSpace = (query) => mount(`space:${query.spaceId}`);
 const requestMount = () => requestMountInternal("request", {});
 const requestSpace = requestMount;
+const makeContentRef = (ref, opts) => ({ $cap: "file", mountId: ref.mountId, relPath: ref.relPath, mode: opts.mode });
+const resolveContentRef = async (ref) => {
+  const path = await request("resolveRef", { ref });
+  return { path };
+};
+const resolveContentRefs = async (refs) => {
+  const paths = await request("resolveRefs", { refs });
+  return { paths };
+};
+const settingsRequest = async (method, query = {}) => {
+  const res = await protocolRequest("settings", method, [query]);
+  if (!res || res.ok !== true) {
+    const err = new Error(res?.message ?? "settings request failed");
+    err.code = res?.code ?? "unknown";
+    throw err;
+  }
+  return res.data;
+};
+const openSettings = async () => {
+  const mount2 = await settingsRequest("open");
+  return waitForMount({ id: mount2.id ?? mount2.path });
+};
+const importSettingsFromParent = async () => {
+  try {
+    const data = await settingsRequest("importFromParent");
+    return { ok: true, copied: data.copied };
+  } catch (e) {
+    return { ok: false, code: e.code ?? "unknown" };
+  }
+};
+const openSettingsOf = async (appKey) => {
+  const mount2 = await settingsRequest("openOf", { appKey });
+  return waitForMount({ id: mount2.id ?? mount2.path });
+};
+const listSettingsApps = () => settingsRequest("list");
 const createSpace = (opts = {}) => requestMountInternal("create", opts);
 const listSpaces = (opts = {}) => request("list", opts);
 const unmountSpace = async (query) => {
@@ -71,16 +106,22 @@ export {
   getAppMountPath,
   getMounts,
   getSpaceMembers,
+  importSettingsFromParent,
   listAllSpaces,
   listGrants,
+  listSettingsApps,
   listSpaces,
   lookupUser,
+  makeContentRef,
   mount,
   mountSpace,
   onMountsChange,
-  openAppSpace,
+  openSettings,
+  openSettingsOf,
   requestMount,
   requestSpace,
+  resolveContentRef,
+  resolveContentRefs,
   revokeGrant,
   setSpaceRole,
   shareSpace,

package/dist/mounts.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/mounts.ts"],"sourcesContent":["import { useEffect, useState } from 'react';\nimport { protocolRequest } from './sandboxUtils';\nimport { getHostRuntime } from './hostRuntime';\n\n/**\n * The absolute path where this app's own repository filesystem is mounted\n * (FILE_SHARING_SPEC §11.2). Prefer this over hardcoding `/app`: the repo is\n * dual-mounted at both `/app` (back-compat) and its canonical `/mnt/{hash}`\n * address, and this returns the canonical one the host reports. Falls back to\n * `/app` when the host hasn't reported a canonical path (older host / before the\n * report arrives) — both paths are live, so either resolves the same files.\n */\nexport const getAppMountPath = (): string => getHostRuntime()?.appMountPath ?? '/app';\n\n/**\n * A filesystem mount available to the sandbox, mirrored from the host window.\n *\n * Mounts appear on demand — call {@link openAppSpace} / {@link mountSpace} to ask\n * the host to mount a Firestore-backed \"space\"; it appears at `/spaces/{id}`.\n * Read or subscribe to the set, then access the files through the `fs` module at\n * the mount's `path`.\n */\nexport interface SandboxMount {\n  /** Absolute path where the mount is reachable (e.g. `/spaces/{id}`). */\n  path: string;\n  /** Backend kind, e.g. `'firestore'`. */\n  type: string;\n  /** Optional stable identifier (the spaceId, for spaces). */\n  id?: string;\n  /**\n   * Access mode of the granted view: `'rw'` (read-write) or `'ro'` (read-only).\n   * A live role downgrade re-announces the same mount with `mode: 'ro'`; apps\n   * observing `onMountsChange` see the change and writes start failing `EROFS`.\n   * Absent on the primary repo mount (treated as read-write).\n   */\n  mode?: \"ro\" | \"rw\";\n}\n\n/**\n * Why a mounted filesystem was removed, surfaced on the removed descriptor so an\n * app can say *why* it vanished instead of failing mutely (auth-mount §\"mount-remove\"\n * / AM2-4):\n * - `revoked` — a durable grant was revoked (revokeGrant / consent withdrawal);\n * - `unshared` — the granting user's membership was removed (or downgraded out);\n * - `signed-out` — sign-out tore down every mount;\n * - `unmounted` — the app's own `unmountSpace` (or region teardown);\n * - `deleted` — the space was soft-deleted.\n * An older host that sends no reason is read as `'revoked'` (most conservative).\n */\nexport type MountRemoveReason =\n  | \"revoked\"\n  | \"unshared\"\n  | \"signed-out\"\n  | \"unmounted\"\n  | \"deleted\";\n\n/** A descriptor delivered as REMOVED to a mounts-change listener: the mount that\n *  went away, plus the `reason` it did. */\nexport interface RemovedMount extends SandboxMount {\n  reason: MountRemoveReason;\n}\n\ninterface MountService {\n  getMounts(): SandboxMount[];\n  onChange(\n    listener: (mounts: SandboxMount[], removed: RemovedMount[]) => void,\n  ): { dispose(): void };\n}\n\n// `module.evaluation.module.bundler` is the sandbox bundler injected into the\n// evaluation context (same path the other SDK helpers reach for `messageBus`).\nconst mountService = (): MountService => {\n  // @ts-ignore - injected by the sandbox runtime\n  return module.evaluation.module.bundler.mounts;\n};\n\n/** A predicate-style matcher for {@link findMount} / {@link waitForMount}. */\nexport type MountQuery = { type?: string; id?: string; path?: string };\n\nconst matches = (mount: SandboxMount, query: MountQuery): boolean =>\n  (query.type === undefined || mount.type === query.type) &&\n  (query.id === undefined || mount.id === query.id) &&\n  (query.path === undefined || mount.path === query.path);\n\n/**\n * Returns the mounts currently available. Poll this whenever you need a one-off\n * read; use {@link onMountsChange} or {@link useMounts} to react to changes.\n */\nexport const getMounts = (): SandboxMount[] => mountService().getMounts();\n\n/** Returns the first mount matching `query`, or `undefined`. */\nexport const findMount = (query: MountQuery): SandboxMount | undefined =>\n  getMounts().find((m) => matches(m, query));\n\n/**\n * Subscribe to mount changes. The listener is invoked immediately with the\n * current mounts (and an empty `removed`), then again on every change. The second\n * argument carries the descriptors REMOVED by that change, each with its `reason`\n * (AM2-4) — so an app can react to *why* a mount vanished (e.g. tell the user a\n * shared space was `unshared` vs `deleted`). It is empty on adds and on the\n * initial replay. Returns an unsubscribe fn.\n */\nexport const onMountsChange = (\n  listener: (mounts: SandboxMount[], removed: RemovedMount[]) => void,\n): (() => void) => {\n  const disposable = mountService().onChange(listener);\n  return () => disposable.dispose();\n};\n\n/**\n * Resolves once a mount matching `query` is present (immediately if it already\n * is). Handy for \"use it when it appears\" — e.g.\n * `await waitForMount({ type: 'firestore' })` before reading `/firestore`.\n */\nexport const waitForMount = (query: MountQuery): Promise<SandboxMount> =>\n  new Promise((resolve) => {\n    const unsubscribe = onMountsChange((mounts) => {\n      const found = mounts.find((m) => matches(m, query));\n      if (found) {\n        // Defer unsubscribe so we don't dispose during the initial replay call.\n        Promise.resolve().then(unsubscribe);\n        resolve(found);\n      }\n    });\n  });\n\n/** React hook returning the mounts currently available, re-rendering on change. */\nexport const useMounts = (): SandboxMount[] => {\n  const [mounts, setMounts] = useState<SandboxMount[]>(getMounts);\n  useEffect(() => onMountsChange(setMounts), []);\n  return mounts;\n};\n\n// ---------------------------------------------------------------------------\n// Spaces — on-demand, shareable Firestore-backed filesystems.\n// The host owns all UX: if you aren't signed in, or the space doesn't exist or\n// isn't accessible, the parent window presents sign-in / create / request-access\n// and only then resolves these calls. See docs/specs/FILE_SHARING_SPEC.md.\n// ---------------------------------------------------------------------------\n\n/** Summary of a space, as returned by {@link listSpaces}. */\nexport interface SpaceInfo {\n  spaceId: string;\n  role?: 'owner' | 'writer' | 'reader';\n  owner?: string;\n  name?: string;\n}\n\n/** An error from a space operation, carrying a machine-readable `code`. */\nexport interface SpaceError extends Error {\n  code:\n    | 'auth-required'\n    | 'cancelled'\n    | 'forbidden'\n    | 'not-found'\n    | 'unsupported-scheme'\n    | 'unknown';\n}\n\ntype SpaceResult =\n  | { ok: true; data: unknown }\n  | { ok: false; code: string; message: string };\n\n// Issue a spaces protocol request, unwrapping the host's {ok,data} envelope and\n// throwing a typed SpaceError on failure.\nconst request = async <T = unknown>(\n  method: string,\n  query: Record<string, unknown> = {},\n): Promise<T> => {\n  const res = (await protocolRequest('spaces', method, [query])) as SpaceResult;\n  if (!res || res.ok !== true) {\n    const err = new Error(res?.message ?? 'space request failed') as SpaceError;\n    err.code = (res?.code as SpaceError['code']) ?? 'unknown';\n    throw err;\n  }\n  return res.data as T;\n};\n\n// Request a space mount, then wait until the host actually registers it. The\n// host announces the mount (`mount-add`) separately from the protocol reply, so\n// an immediate read could otherwise race the mount.\nconst requestMountInternal = async (\n  method: string,\n  query: Record<string, unknown>,\n): Promise<SandboxMount> => {\n  const mount = await request<SandboxMount>(method, query);\n  return waitForMount({ id: mount.id ?? mount.path });\n};\n\n/**\n * Open this app's workspace for the signed-in user (the zero-config path). The\n * `slot` names which workspace (default `'default'`); pass distinct slots for\n * multiple filesystems in one app. On a missing slot the host shows a\n * create-or-pick dialog. Rejects with a {@link SpaceError} (`.code`) on cancel.\n */\nexport const openAppSpace = (slot = 'default'): Promise<SandboxMount> =>\n  requestMountInternal('open', { slot });\n\n/**\n * Mount a filesystem by its **universal mount id** (UI_AS_APPS_SPEC §3.5) —\n * `scheme:locator`, e.g. `space:{spaceId}` or `github:owner/repo@ref`. Backend-blind:\n * the host resolves the scheme. A scheme with no resolver rejects with\n * {@link SpaceError} `unsupported-scheme`.\n */\nexport const mount = (mountId: string): Promise<SandboxMount> =>\n  requestMountInternal('mount', { mount: mountId });\n\n/** Mount a specific space by id (e.g. one shared with you, or from a link). A thin\n *  shim over {@link mount} with the `space:` scheme. */\nexport const mountSpace = (query: { spaceId: string }): Promise<SandboxMount> =>\n  mount(`space:${query.spaceId}`);\n\n/**\n * Ask the user to grant a filesystem to this app — the §8.6 powerbox. The app\n * asks; the HOST shows the user their mounts and the access choice (which mount,\n * an optional subtree, read-only vs read-write); the USER picks or declines. The\n * app never sees the list — it resolves with the single granted mount, or rejects\n * with a {@link SpaceError} (`cancelled`) if declined. The granted scope is\n * enforced host-side: the mount is chroot'd / `ro`-limited accordingly.\n *\n * Backend-general (§3.5): the picker offers whatever mounts the user has (today,\n * their spaces). Returns the granted mount by its universal id.\n */\nexport const requestMount = (): Promise<SandboxMount> =>\n  requestMountInternal('request', {});\n\n/** @deprecated renamed to {@link requestMount} (backend-general, §3.5). */\nexport const requestSpace = requestMount;\n\n/** Create a brand-new space, optionally binding it to this app (a slot). */\nexport const createSpace = (\n  opts: { name?: string; slot?: string; bindToApp?: boolean } = {}\n): Promise<SandboxMount> => requestMountInternal('create', opts);\n\n/** List spaces you can access — all of them, or just those bound to this app. */\nexport const listSpaces = (opts: { app?: boolean } = {}): Promise<SpaceInfo[]> =>\n  request<SpaceInfo[]>('list', opts);\n\n/** Release a mounted space (stops its listener on the host). */\nexport const unmountSpace = async (query: { spaceId: string }): Promise<void> => {\n  await request('unmount', query);\n};\n\n// ---------------------------------------------------------------------------\n// Space management (the space-manager app) — UI_AS_APPS_SPEC §5.2. These are\n// ELEVATED: enumerating all the user's spaces is `spaces:user`; mutating\n// membership (share/unshare/setRole) and resolving handles is `spaces:admin`.\n// The host enforces the owner-lockout invariant (a space always keeps an owner,\n// T41) and rate-limits handle lookups (L1); the OAuth/identity token never\n// crosses to the app.\n// ---------------------------------------------------------------------------\n\nexport type Role = 'owner' | 'writer' | 'reader';\n\n/** A member of a space (for the share/manage UI). */\nexport interface Member {\n  /** `user:{uid}` | `group:{gid}`. */\n  principal: string;\n  role: Role;\n  login?: string;\n  avatarUrl?: string;\n}\n\n/** A handle resolved to a principal (handle → who). */\nexport interface ResolvedUser {\n  uid: string;\n  login: string;\n  avatarUrl?: string;\n}\n\n/** Enumerate ALL the user's spaces (not just this app's) — `spaces:user`. */\nexport const listAllSpaces = (): Promise<SpaceInfo[]> => request<SpaceInfo[]>('listAll', {});\n\n/** Read a space's members one-shot — `spaces:admin`. */\nexport const getSpaceMembers = (spaceId: string): Promise<Member[]> =>\n  request<Member[]>('members', { spaceId });\n\n/** Invite a user (by provider handle) to a space at a role — `spaces:admin`. The\n *  host resolves the handle, so the app never sees other users' uids except the\n *  one it invited. */\nexport const shareSpace = async (spaceId: string, login: string, role: Role): Promise<void> => {\n  await request('share', { spaceId, login, role });\n};\n\n/** Remove a member from a space — `spaces:admin`. Refused if it would orphan the\n *  space (owner-lockout, T41). */\nexport const unshareSpace = async (spaceId: string, uid: string): Promise<void> => {\n  await request('unshare', { spaceId, uid });\n};\n\n/** Change a member's role — `spaces:admin`. Refused if it would drop the sole\n *  owner (owner-lockout, T41). */\nexport const setSpaceRole = async (spaceId: string, uid: string, role: Role): Promise<void> => {\n  await request('setRole', { spaceId, uid, role });\n};\n\n/** Resolve a provider handle to a principal (for the invite flow) — `spaces:admin`,\n *  rate-limited host-side. */\nexport const lookupUser = (login: string): Promise<ResolvedUser> =>\n  request<ResolvedUser>('lookupUser', { login });\n\n/** One durable grant an app holds, for the §8.11 capability audit view. */\nexport interface GrantRecord {\n  /** The app's provider-qualified identity (`provider__namespace__repository`). */\n  appKey: string;\n  spaceId: string;\n  /** Universal mount id (§3.5). */\n  mountId: string;\n  subtree?: string;\n  mode: 'ro' | 'rw';\n  name?: string;\n}\n\n/** Enumerate every (app, mount) grant the user holds — the audit view\n *  (§8.11). Elevated `spaces:admin`. */\nexport const listGrants = (): Promise<GrantRecord[]> => request<GrantRecord[]>('grants', {});\n\n/** Revoke one app's grant on a space — durable (the app can't re-mount) plus a\n *  best-effort live teardown. Elevated `spaces:admin`. */\nexport const revokeGrant = async (appKey: string, spaceId: string): Promise<void> => {\n  await request('revokeGrant', { appKey, spaceId });\n};\n"],"mappings":"AAAA,SAAS,WAAW,gBAAgB;AACpC,SAAS,uBAAuB;AAChC,SAAS,sBAAsB;AAUxB,MAAM,kBAAkB,MAAc,eAAe,GAAG,gBAAgB;AA2D/E,MAAM,eAAe,MAAoB;AAEvC,SAAO,OAAO,WAAW,OAAO,QAAQ;AAC1C;AAKA,MAAM,UAAU,CAACA,QAAqB,WACnC,MAAM,SAAS,UAAaA,OAAM,SAAS,MAAM,UACjD,MAAM,OAAO,UAAaA,OAAM,OAAO,MAAM,QAC7C,MAAM,SAAS,UAAaA,OAAM,SAAS,MAAM;AAM7C,MAAM,YAAY,MAAsB,aAAa,EAAE,UAAU;AAGjE,MAAM,YAAY,CAAC,UACxB,UAAU,EAAE,KAAK,CAAC,MAAM,QAAQ,GAAG,KAAK,CAAC;AAUpC,MAAM,iBAAiB,CAC5B,aACiB;AACjB,QAAM,aAAa,aAAa,EAAE,SAAS,QAAQ;AACnD,SAAO,MAAM,WAAW,QAAQ;AAClC;AAOO,MAAM,eAAe,CAAC,UAC3B,IAAI,QAAQ,CAAC,YAAY;AACvB,QAAM,cAAc,eAAe,CAAC,WAAW;AAC7C,UAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,QAAQ,GAAG,KAAK,CAAC;AAClD,QAAI,OAAO;AAET,cAAQ,QAAQ,EAAE,KAAK,WAAW;AAClC,cAAQ,KAAK;AAAA,IACf;AAAA,EACF,CAAC;AACH,CAAC;AAGI,MAAM,YAAY,MAAsB;AAC7C,QAAM,CAAC,QAAQ,SAAS,IAAI,SAAyB,SAAS;AAC9D,YAAU,MAAM,eAAe,SAAS,GAAG,CAAC,CAAC;AAC7C,SAAO;AACT;AAkCA,MAAM,UAAU,OACd,QACA,QAAiC,CAAC,MACnB;AACf,QAAM,MAAO,MAAM,gBAAgB,UAAU,QAAQ,CAAC,KAAK,CAAC;AAC5D,MAAI,CAAC,OAAO,IAAI,OAAO,MAAM;AAC3B,UAAM,MAAM,IAAI,MAAM,KAAK,WAAW,sBAAsB;AAC5D,QAAI,OAAQ,KAAK,QAA+B;AAChD,UAAM;AAAA,EACR;AACA,SAAO,IAAI;AACb;AAKA,MAAM,uBAAuB,OAC3B,QACA,UAC0B;AAC1B,QAAMA,SAAQ,MAAM,QAAsB,QAAQ,KAAK;AACvD,SAAO,aAAa,EAAE,IAAIA,OAAM,MAAMA,OAAM,KAAK,CAAC;AACpD;AAQO,MAAM,eAAe,CAAC,OAAO,cAClC,qBAAqB,QAAQ,EAAE,KAAK,CAAC;AAQhC,MAAM,QAAQ,CAAC,YACpB,qBAAqB,SAAS,EAAE,OAAO,QAAQ,CAAC;AAI3C,MAAM,aAAa,CAAC,UACzB,MAAM,SAAS,MAAM,OAAO,EAAE;AAazB,MAAM,eAAe,MAC1B,qBAAqB,WAAW,CAAC,CAAC;AAG7B,MAAM,eAAe;AAGrB,MAAM,cAAc,CACzB,OAA8D,CAAC,MACrC,qBAAqB,UAAU,IAAI;AAGxD,MAAM,aAAa,CAAC,OAA0B,CAAC,MACpD,QAAqB,QAAQ,IAAI;AAG5B,MAAM,eAAe,OAAO,UAA8C;AAC/E,QAAM,QAAQ,WAAW,KAAK;AAChC;AA8BO,MAAM,gBAAgB,MAA4B,QAAqB,WAAW,CAAC,CAAC;AAGpF,MAAM,kBAAkB,CAAC,YAC9B,QAAkB,WAAW,EAAE,QAAQ,CAAC;AAKnC,MAAM,aAAa,OAAO,SAAiB,OAAe,SAA8B;AAC7F,QAAM,QAAQ,SAAS,EAAE,SAAS,OAAO,KAAK,CAAC;AACjD;AAIO,MAAM,eAAe,OAAO,SAAiB,QAA+B;AACjF,QAAM,QAAQ,WAAW,EAAE,SAAS,IAAI,CAAC;AAC3C;AAIO,MAAM,eAAe,OAAO,SAAiB,KAAa,SAA8B;AAC7F,QAAM,QAAQ,WAAW,EAAE,SAAS,KAAK,KAAK,CAAC;AACjD;AAIO,MAAM,aAAa,CAAC,UACzB,QAAsB,cAAc,EAAE,MAAM,CAAC;AAgBxC,MAAM,aAAa,MAA8B,QAAuB,UAAU,CAAC,CAAC;AAIpF,MAAM,cAAc,OAAO,QAAgB,YAAmC;AACnF,QAAM,QAAQ,eAAe,EAAE,QAAQ,QAAQ,CAAC;AAClD;","names":["mount"]}
+{"version":3,"sources":["../src/mounts.ts"],"sourcesContent":["import { useEffect, useState } from 'react';\nimport { protocolRequest } from './sandboxUtils';\nimport { getHostRuntime } from './hostRuntime';\nimport { mountMatches } from './mountMatch';\n// Type-only: `tasks.ts` registers a host listener at module load, so we reuse the\n// FileCap SHAPE without pulling that side effect into every `mounts` importer.\nimport type { FileCap } from './tasks';\n\n/**\n * The absolute path where this app's own repository filesystem is mounted\n * (FILE_SHARING_SPEC §11.2). Prefer this over hardcoding `/app`: the repo is\n * dual-mounted at both `/app` (back-compat) and its canonical `/mnt/{hash}`\n * address, and this returns the canonical one the host reports. Falls back to\n * `/app` when the host hasn't reported a canonical path (older host / before the\n * report arrives) — both paths are live, so either resolves the same files.\n */\nexport const getAppMountPath = (): string => getHostRuntime()?.appMountPath ?? '/app';\n\n/**\n * A filesystem mount available to the sandbox, mirrored from the host window.\n *\n * Mounts appear on demand — call {@link openSettings} for this app's own settings,\n * or {@link mountSpace} / {@link requestMount} to mount a Firestore-backed \"space\".\n * Read or subscribe to the set, then access the files through the `fs` module at\n * the mount's `path`.\n */\nexport interface SandboxMount {\n  /** Absolute path where the mount is reachable (e.g. `/spaces/{id}`). */\n  path: string;\n  /** Backend kind, e.g. `'firestore'`. */\n  type: string;\n  /** Optional stable identifier (the spaceId, for spaces). */\n  id?: string;\n  /**\n   * Access mode of the granted view: `'rw'` (read-write) or `'ro'` (read-only).\n   * A live role downgrade re-announces the same mount with `mode: 'ro'`; apps\n   * observing `onMountsChange` see the change and writes start failing `EROFS`.\n   * Absent on the primary repo mount (treated as read-write).\n   */\n  mode?: \"ro\" | \"rw\";\n  /**\n   * Human-readable label for the mount — the space's display name, or the repo\n   * label for the primary working-tree mount (R3-69). Use this to show users and\n   * agents *what* a mount is: the `path` (`/mnt/{hash}`) and `id` (the spaceId)\n   * are opaque, and space names are not unique, so neither alone tells you which\n   * filesystem you're looking at. Absent when the host can't resolve a name\n   * (older host, or a name it never learned) — fall back to `id`/`path`.\n   */\n  name?: string;\n  /**\n   * The granted scopes of this mount (plan 12 §8.7 / §F): each `{subtree, mode}`\n   * is a path prefix you hold and at what access, at the mount's backend-natural\n   * paths. Use it to reason about per-path writability — which subtree is `rw` —\n   * WITHOUT probing `EROFS`. A single whole-mount grant is `[{ subtree: '/', mode }]`.\n   * Absent on the primary repo mount and on an older host that doesn't report it.\n   */\n  rules?: MountRule[];\n}\n\n/** One granted scope of a mount (plan 12 §F): a backend-natural path prefix and\n *  the access mode there. The most specific (longest) matching rule governs a path. */\nexport interface MountRule {\n  subtree: string;\n  mode: 'ro' | 'rw';\n}\n\n/**\n * Why a mounted filesystem was removed, surfaced on the removed descriptor so an\n * app can say *why* it vanished instead of failing mutely (auth-mount §\"mount-remove\"\n * / AM2-4):\n * - `revoked` — a durable grant was revoked (revokeGrant / consent withdrawal);\n * - `unshared` — the granting user's membership was removed (or downgraded out);\n * - `signed-out` — sign-out tore down every mount;\n * - `unmounted` — the app's own `unmountSpace` (or region teardown);\n * - `deleted` — the space was soft-deleted.\n * An older host that sends no reason is read as `'revoked'` (most conservative).\n */\nexport type MountRemoveReason =\n  | \"revoked\"\n  | \"unshared\"\n  | \"signed-out\"\n  | \"unmounted\"\n  | \"deleted\";\n\n/** A descriptor delivered as REMOVED to a mounts-change listener: the mount that\n *  went away, plus the `reason` it did. */\nexport interface RemovedMount extends SandboxMount {\n  reason: MountRemoveReason;\n}\n\ninterface MountService {\n  getMounts(): SandboxMount[];\n  onChange(\n    listener: (mounts: SandboxMount[], removed: RemovedMount[]) => void,\n  ): { dispose(): void };\n}\n\n// `module.evaluation.module.bundler` is the sandbox bundler injected into the\n// evaluation context (same path the other SDK helpers reach for `messageBus`).\nconst mountService = (): MountService => {\n  // @ts-ignore - injected by the sandbox runtime\n  return module.evaluation.module.bundler.mounts;\n};\n\n/** A predicate-style matcher for {@link findMount} / {@link waitForMount}. Any\n *  combination of coordinates; `name` matches the human-readable mount label. */\nexport type MountQuery = { type?: string; id?: string; path?: string; name?: string };\n\nconst matches = (mount: SandboxMount, query: MountQuery): boolean =>\n  mountMatches(mount, query);\n\n/**\n * Returns the mounts currently available. Poll this whenever you need a one-off\n * read; use {@link onMountsChange} or {@link useMounts} to react to changes.\n * Each descriptor carries its `id` (the spaceId), `path` (`/mnt/{hash}`) and —\n * when the host can resolve it — a human-readable `name` (R3-69), so this doubles\n * as a queryable mount→space mapping for showing or locating a mount by name.\n */\nexport const getMounts = (): SandboxMount[] => mountService().getMounts();\n\n/** Returns the first mount matching `query`, or `undefined`. */\nexport const findMount = (query: MountQuery): SandboxMount | undefined =>\n  getMounts().find((m) => matches(m, query));\n\n/**\n * Subscribe to mount changes. The listener is invoked immediately with the\n * current mounts (and an empty `removed`), then again on every change. The second\n * argument carries the descriptors REMOVED by that change, each with its `reason`\n * (AM2-4) — so an app can react to *why* a mount vanished (e.g. tell the user a\n * shared space was `unshared` vs `deleted`). It is empty on adds and on the\n * initial replay. Returns an unsubscribe fn.\n */\nexport const onMountsChange = (\n  listener: (mounts: SandboxMount[], removed: RemovedMount[]) => void,\n): (() => void) => {\n  const disposable = mountService().onChange(listener);\n  return () => disposable.dispose();\n};\n\n/**\n * Resolves once a mount matching `query` is present (immediately if it already\n * is). Handy for \"use it when it appears\" — e.g.\n * `await waitForMount({ type: 'firestore' })` before reading `/firestore`.\n */\nexport const waitForMount = (query: MountQuery): Promise<SandboxMount> =>\n  new Promise((resolve) => {\n    const unsubscribe = onMountsChange((mounts) => {\n      const found = mounts.find((m) => matches(m, query));\n      if (found) {\n        // Defer unsubscribe so we don't dispose during the initial replay call.\n        Promise.resolve().then(unsubscribe);\n        resolve(found);\n      }\n    });\n  });\n\n/** React hook returning the mounts currently available, re-rendering on change. */\nexport const useMounts = (): SandboxMount[] => {\n  const [mounts, setMounts] = useState<SandboxMount[]>(getMounts);\n  useEffect(() => onMountsChange(setMounts), []);\n  return mounts;\n};\n\n// ---------------------------------------------------------------------------\n// Spaces — on-demand, shareable Firestore-backed filesystems.\n// The host owns all UX: if you aren't signed in, or the space doesn't exist or\n// isn't accessible, the parent window presents sign-in / create / request-access\n// and only then resolves these calls. See docs/specs/FILE_SHARING_SPEC.md.\n// ---------------------------------------------------------------------------\n\n/** Summary of a space, as returned by {@link listSpaces}. */\nexport interface SpaceInfo {\n  spaceId: string;\n  role?: 'owner' | 'writer' | 'reader';\n  owner?: string;\n  name?: string;\n}\n\n/** An error from a space operation, carrying a machine-readable `code`. */\nexport interface SpaceError extends Error {\n  code:\n    | 'auth-required'\n    | 'cancelled'\n    | 'forbidden'\n    | 'not-found'\n    | 'unsupported-scheme'\n    | 'unknown';\n}\n\ntype SpaceResult =\n  | { ok: true; data: unknown }\n  | { ok: false; code: string; message: string };\n\n// Issue a spaces protocol request, unwrapping the host's {ok,data} envelope and\n// throwing a typed SpaceError on failure.\nconst request = async <T = unknown>(\n  method: string,\n  query: Record<string, unknown> = {},\n): Promise<T> => {\n  const res = (await protocolRequest('spaces', method, [query])) as SpaceResult;\n  if (!res || res.ok !== true) {\n    const err = new Error(res?.message ?? 'space request failed') as SpaceError;\n    err.code = (res?.code as SpaceError['code']) ?? 'unknown';\n    throw err;\n  }\n  return res.data as T;\n};\n\n// Request a space mount, then wait until the host actually registers it. The\n// host announces the mount (`mount-add`) separately from the protocol reply, so\n// an immediate read could otherwise race the mount.\nconst requestMountInternal = async (\n  method: string,\n  query: Record<string, unknown>,\n): Promise<SandboxMount> => {\n  const mount = await request<SandboxMount>(method, query);\n  return waitForMount({ id: mount.id ?? mount.path });\n};\n\n/**\n * Mount a filesystem by its **universal mount id** (UI_AS_APPS_SPEC §3.5) —\n * `scheme:locator`, e.g. `space:{spaceId}` or `github:owner/repo@ref`. Backend-blind:\n * the host resolves the scheme. A scheme with no resolver rejects with\n * {@link SpaceError} `unsupported-scheme`.\n */\nexport const mount = (mountId: string): Promise<SandboxMount> =>\n  requestMountInternal('mount', { mount: mountId });\n\n/** Mount a specific space by id (e.g. one shared with you, or from a link). A thin\n *  shim over {@link mount} with the `space:` scheme. */\nexport const mountSpace = (query: { spaceId: string }): Promise<SandboxMount> =>\n  mount(`space:${query.spaceId}`);\n\n/**\n * Ask the user to grant a filesystem to this app — the §8.6 powerbox. The app\n * asks; the HOST shows the user their spaces and, for the chosen one, its PROJECT\n * FOLDERS (§8.7). The user picks ONE project — so a shared space opens scoped to\n * just that project, never the whole space — and makes an EXPLICIT read-only vs\n * read-write decision (there is no default). The app never sees the list; it\n * resolves with the single granted mount, or rejects with a {@link SpaceError}\n * (`cancelled`) if declined. The granted scope is enforced host-side: the mount\n * is chroot'd to the project folder and `ro`-limited accordingly, so paths\n * outside the project are unnameable and writes on a `ro` grant fail `EROFS`.\n *\n * A project folder is the macOS-bundle-like unit an app works in inside a space;\n * the host records which app a folder belongs to (a `.immediately.run/` sidecar),\n * so the picker can surface the app's own projects or let the user create a new\n * one. Observe the granted access via {@link SandboxMount.mode}.\n *\n * Backend-general (§3.5): the picker offers whatever mounts the user has (today,\n * their spaces). Returns the granted mount by its universal id.\n */\nexport const requestMount = (): Promise<SandboxMount> =>\n  requestMountInternal('request', {});\n\n/** @deprecated renamed to {@link requestMount} (backend-general, §3.5). */\nexport const requestSpace = requestMount;\n\n// ── content references (plan 12 §E / FILE_SHARING §7) ────────────────────────\n\n/**\n * Build a persisted CONTENT REFERENCE to a file in a mount — a `{mountId, relPath}`\n * pointer your app serializes into ITS OWN content (a board's JSON, an MDX file's\n * frontmatter, an album manifest — the platform doesn't dictate the container) so a\n * later viewer can resolve it. It is exactly the §5.7 {@link capFile} shape: ONE\n * capability, two delivery modes — runtime delegation (a task param, authorized by\n * the caller) vs a durable reference (authorized per-viewer by {@link resolveContentRef}).\n * `relPath` is BACKEND-NATURAL, so the reference resolves to the SAME path for every\n * viewer. Cross-app/cross-project references default to `ro`.\n *\n *   const ref = makeContentRef({ mountId: 'space:ACME', relPath: 'office-seating/desk.mdx' }, { mode: 'ro' });\n */\nexport const makeContentRef = (\n  ref: { mountId: string; relPath: string },\n  opts: { mode: 'ro' | 'rw' },\n): FileCap => ({ $cap: 'file', mountId: ref.mountId, relPath: ref.relPath, mode: opts.mode });\n\n/**\n * Resolve a content reference your app found in content it ALREADY holds (plan 12\n * §E). This is a RELAY, not a fabrication: the host honors it ONLY when your app\n * already holds a grant to `ref.mountId` (else `forbidden`) — apps follow\n * writer-authored links inside granted content; they cannot name a space from\n * nothing (T27). The host runs a per-VIEWER consent prompt (named via the owning\n * app's project sidecar), and existence is never leaked — a decline and a\n * non-existent path are indistinguishable.\n *\n * On allow, the host APPENDS a read scope for the referenced path to your grant\n * (durable; same §8.15 lifecycle) and returns the STABLE absolute `path` the file\n * is mounted at — identical for every viewer, so a path the author stored resolves\n * the same for you. Read it through the `fs` module at that path. Rejects with a\n * {@link SpaceError}: `forbidden` (you don't hold the referenced mount) or\n * `cancelled` (the viewer declined / the path doesn't exist — no oracle).\n *\n *   const { path } = await resolveContentRef(ref);\n *   const text = await fs.promises.readFile(path, 'utf8');\n */\nexport const resolveContentRef = async (ref: FileCap): Promise<{ path: string }> => {\n  const path = await request<string>('resolveRef', { ref });\n  return { path };\n};\n\n/**\n * Resolve a BATCH of content references in ONE consent round (plan 12 §E). When a\n * board opens with several embedded references, pass them all here: the host\n * coalesces them into a SINGLE consent prompt listing every target, instead of one\n * prompt per reference. Same relay gate and per-viewer semantics as\n * {@link resolveContentRef} (each ref's mount must already be held), applied to the\n * whole set — it is all-or-nothing: the user allows the batch or declines it.\n *\n * Resolves `{ paths }` with the STABLE absolute path of each ref, in input order.\n * Rejects with a {@link SpaceError}: `forbidden` (a referenced mount isn't held) or\n * `cancelled` (the viewer declined).\n *\n *   const { paths } = await resolveContentRefs(board.references);\n */\nexport const resolveContentRefs = async (refs: FileCap[]): Promise<{ paths: string[] }> => {\n  const paths = await request<string[]>('resolveRefs', { refs });\n  return { paths };\n};\n\n// ---------------------------------------------------------------------------\n// Settings — the per-user \"~/.config\"-style space (UI_AS_APPS_SPEC §3.3/§3.5/§8.2).\n// Each app gets its OWN settings subdir, auto-provisioned and chroot'd by the host\n// (no dialog, no powerbox). Read/write it through the returned mount's filesystem\n// port — there is deliberately no key/value get/set API; settings are just files.\n// ---------------------------------------------------------------------------\n\n// Issue a `protocol-settings` request, unwrapping {ok,data} and throwing a typed\n// SpaceError on failure (mirrors `request` for the spaces surface).\nconst settingsRequest = async <T = unknown>(\n  method: string,\n  query: Record<string, unknown> = {},\n): Promise<T> => {\n  const res = (await protocolRequest('settings', method, [query])) as SpaceResult;\n  if (!res || res.ok !== true) {\n    const err = new Error(res?.message ?? 'settings request failed') as SpaceError;\n    err.code = (res?.code as SpaceError['code']) ?? 'unknown';\n    throw err;\n  }\n  return res.data as T;\n};\n\n/**\n * Mount this app's per-user settings — a private `~/.config`-style filesystem,\n * auto-provisioned for the signed-in user and isolated to THIS app (the host\n * chroots it; a different app can never name it). Read/write config files through\n * the returned mount. Rejects with a {@link SpaceError} (`auth-required`) when\n * signed out. Capability: baseline `settings:app`.\n */\nexport const openSettings = async (): Promise<SandboxMount> => {\n  const mount = await settingsRequest<SandboxMount>('open');\n  return waitForMount({ id: mount.id ?? mount.path });\n};\n\n/**\n * One-time SEED of this app's settings from the parent it declares as `forkOf`\n * (its `package.json` `immediately.run.forkOf`) — so a fork inherits your\n * preferences from the original app (UI_AS_APPS_SPEC §3.4). The host asks the user\n * to confirm (a full consent when the apps have different owners, a light confirm\n * when the same owner publishes both) and copies the parent's settings into this\n * app's own subdir, skipping any file you already have. Non-throwing: resolves\n * `{ ok:false, code }` on decline (`cancelled`), no declared parent (`forbidden`),\n * or signed-out (`auth-required`). After `{ ok:true }`, read {@link openSettings}.\n * Capability: baseline `settings:fork`.\n */\nexport const importSettingsFromParent = async (): Promise<\n  { ok: true; copied: number } | { ok: false; code: string }\n> => {\n  try {\n    const data = await settingsRequest<{ copied: number }>('importFromParent');\n    return { ok: true, copied: data.copied };\n  } catch (e) {\n    return { ok: false, code: (e as SpaceError).code ?? 'unknown' };\n  }\n};\n\n/**\n * Mount ANOTHER app's per-user settings by its `appKey` — the elevated \"file\n * commander\" surface. Rejects `forbidden` unless this app holds the first-party-\n * only `settings:all` capability. Most apps want {@link openSettings} instead.\n */\nexport const openSettingsOf = async (appKey: string): Promise<SandboxMount> => {\n  const mount = await settingsRequest<SandboxMount>('openOf', { appKey });\n  return waitForMount({ id: mount.id ?? mount.path });\n};\n\n/**\n * List every app that has per-user settings — the elevated \"file commander\"\n * enumeration. Pair with {@link openSettingsOf} to mount any of them. Rejects\n * `forbidden` unless this app holds the first-party-only `settings:all`.\n */\nexport const listSettingsApps = (): Promise<string[]> =>\n  settingsRequest<string[]>('list');\n\n/** Create a brand-new, empty platform-hosted space. The app reaches it (or any\n *  other space) afterward through the {@link requestMount} powerbox or\n *  {@link mountSpace}; there is no implicit per-app binding. */\nexport const createSpace = (\n  opts: { name?: string } = {}\n): Promise<SandboxMount> => requestMountInternal('create', opts);\n\n/** List spaces you can access — all of them, or just those bound to this app. */\nexport const listSpaces = (opts: { app?: boolean } = {}): Promise<SpaceInfo[]> =>\n  request<SpaceInfo[]>('list', opts);\n\n/** Release a mounted space (stops its listener on the host). */\nexport const unmountSpace = async (query: { spaceId: string }): Promise<void> => {\n  await request('unmount', query);\n};\n\n// ---------------------------------------------------------------------------\n// Space management (the space-manager app) — UI_AS_APPS_SPEC §5.2. These are\n// ELEVATED: enumerating all the user's spaces is `spaces:user`; mutating\n// membership (share/unshare/setRole) and resolving handles is `spaces:admin`.\n// The host enforces the owner-lockout invariant (a space always keeps an owner,\n// T41) and rate-limits handle lookups (L1); the OAuth/identity token never\n// crosses to the app.\n// ---------------------------------------------------------------------------\n\nexport type Role = 'owner' | 'writer' | 'reader';\n\n/** A member of a space (for the share/manage UI). */\nexport interface Member {\n  /** `user:{uid}` | `group:{gid}`. */\n  principal: string;\n  role: Role;\n  login?: string;\n  avatarUrl?: string;\n}\n\n/** A handle resolved to a principal (handle → who). */\nexport interface ResolvedUser {\n  uid: string;\n  login: string;\n  avatarUrl?: string;\n}\n\n/** Enumerate ALL the user's spaces (not just this app's) — `spaces:user`. */\nexport const listAllSpaces = (): Promise<SpaceInfo[]> => request<SpaceInfo[]>('listAll', {});\n\n/** Read a space's members one-shot — `spaces:admin`. */\nexport const getSpaceMembers = (spaceId: string): Promise<Member[]> =>\n  request<Member[]>('members', { spaceId });\n\n/** Invite a user (by provider handle) to a space at a role — `spaces:admin`. The\n *  host resolves the handle, so the app never sees other users' uids except the\n *  one it invited. */\nexport const shareSpace = async (spaceId: string, login: string, role: Role): Promise<void> => {\n  await request('share', { spaceId, login, role });\n};\n\n/** Remove a member from a space — `spaces:admin`. Refused if it would orphan the\n *  space (owner-lockout, T41). */\nexport const unshareSpace = async (spaceId: string, uid: string): Promise<void> => {\n  await request('unshare', { spaceId, uid });\n};\n\n/** Change a member's role — `spaces:admin`. Refused if it would drop the sole\n *  owner (owner-lockout, T41). */\nexport const setSpaceRole = async (spaceId: string, uid: string, role: Role): Promise<void> => {\n  await request('setRole', { spaceId, uid, role });\n};\n\n/** Resolve a provider handle to a principal (for the invite flow) — `spaces:admin`,\n *  rate-limited host-side. */\nexport const lookupUser = (login: string): Promise<ResolvedUser> =>\n  request<ResolvedUser>('lookupUser', { login });\n\n/** One durable grant an app holds, for the §8.11 capability audit view. */\nexport interface GrantRecord {\n  /** The app's provider-qualified identity (`provider__namespace__repository`). */\n  appKey: string;\n  spaceId: string;\n  /** Universal mount id (§3.5). */\n  mountId: string;\n  subtree?: string;\n  mode: 'ro' | 'rw';\n  name?: string;\n}\n\n/** Enumerate every (app, mount) grant the user holds — the audit view\n *  (§8.11). Elevated `spaces:admin`. */\nexport const listGrants = (): Promise<GrantRecord[]> => request<GrantRecord[]>('grants', {});\n\n/** Revoke one app's grant on a space — durable (the app can't re-mount) plus a\n *  best-effort live teardown. Elevated `spaces:admin`. */\nexport const revokeGrant = async (appKey: string, spaceId: string): Promise<void> => {\n  await request('revokeGrant', { appKey, spaceId });\n};\n"],"mappings":"AAAA,SAAS,WAAW,gBAAgB;AACpC,SAAS,uBAAuB;AAChC,SAAS,sBAAsB;AAC/B,SAAS,oBAAoB;AAatB,MAAM,kBAAkB,MAAc,eAAe,GAAG,gBAAgB;AAmF/E,MAAM,eAAe,MAAoB;AAEvC,SAAO,OAAO,WAAW,OAAO,QAAQ;AAC1C;AAMA,MAAM,UAAU,CAACA,QAAqB,UACpC,aAAaA,QAAO,KAAK;AASpB,MAAM,YAAY,MAAsB,aAAa,EAAE,UAAU;AAGjE,MAAM,YAAY,CAAC,UACxB,UAAU,EAAE,KAAK,CAAC,MAAM,QAAQ,GAAG,KAAK,CAAC;AAUpC,MAAM,iBAAiB,CAC5B,aACiB;AACjB,QAAM,aAAa,aAAa,EAAE,SAAS,QAAQ;AACnD,SAAO,MAAM,WAAW,QAAQ;AAClC;AAOO,MAAM,eAAe,CAAC,UAC3B,IAAI,QAAQ,CAAC,YAAY;AACvB,QAAM,cAAc,eAAe,CAAC,WAAW;AAC7C,UAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,QAAQ,GAAG,KAAK,CAAC;AAClD,QAAI,OAAO;AAET,cAAQ,QAAQ,EAAE,KAAK,WAAW;AAClC,cAAQ,KAAK;AAAA,IACf;AAAA,EACF,CAAC;AACH,CAAC;AAGI,MAAM,YAAY,MAAsB;AAC7C,QAAM,CAAC,QAAQ,SAAS,IAAI,SAAyB,SAAS;AAC9D,YAAU,MAAM,eAAe,SAAS,GAAG,CAAC,CAAC;AAC7C,SAAO;AACT;AAkCA,MAAM,UAAU,OACd,QACA,QAAiC,CAAC,MACnB;AACf,QAAM,MAAO,MAAM,gBAAgB,UAAU,QAAQ,CAAC,KAAK,CAAC;AAC5D,MAAI,CAAC,OAAO,IAAI,OAAO,MAAM;AAC3B,UAAM,MAAM,IAAI,MAAM,KAAK,WAAW,sBAAsB;AAC5D,QAAI,OAAQ,KAAK,QAA+B;AAChD,UAAM;AAAA,EACR;AACA,SAAO,IAAI;AACb;AAKA,MAAM,uBAAuB,OAC3B,QACA,UAC0B;AAC1B,QAAMA,SAAQ,MAAM,QAAsB,QAAQ,KAAK;AACvD,SAAO,aAAa,EAAE,IAAIA,OAAM,MAAMA,OAAM,KAAK,CAAC;AACpD;AAQO,MAAM,QAAQ,CAAC,YACpB,qBAAqB,SAAS,EAAE,OAAO,QAAQ,CAAC;AAI3C,MAAM,aAAa,CAAC,UACzB,MAAM,SAAS,MAAM,OAAO,EAAE;AAqBzB,MAAM,eAAe,MAC1B,qBAAqB,WAAW,CAAC,CAAC;AAG7B,MAAM,eAAe;AAgBrB,MAAM,iBAAiB,CAC5B,KACA,UACa,EAAE,MAAM,QAAQ,SAAS,IAAI,SAAS,SAAS,IAAI,SAAS,MAAM,KAAK,KAAK;AAqBpF,MAAM,oBAAoB,OAAO,QAA4C;AAClF,QAAM,OAAO,MAAM,QAAgB,cAAc,EAAE,IAAI,CAAC;AACxD,SAAO,EAAE,KAAK;AAChB;AAgBO,MAAM,qBAAqB,OAAO,SAAkD;AACzF,QAAM,QAAQ,MAAM,QAAkB,eAAe,EAAE,KAAK,CAAC;AAC7D,SAAO,EAAE,MAAM;AACjB;AAWA,MAAM,kBAAkB,OACtB,QACA,QAAiC,CAAC,MACnB;AACf,QAAM,MAAO,MAAM,gBAAgB,YAAY,QAAQ,CAAC,KAAK,CAAC;AAC9D,MAAI,CAAC,OAAO,IAAI,OAAO,MAAM;AAC3B,UAAM,MAAM,IAAI,MAAM,KAAK,WAAW,yBAAyB;AAC/D,QAAI,OAAQ,KAAK,QAA+B;AAChD,UAAM;AAAA,EACR;AACA,SAAO,IAAI;AACb;AASO,MAAM,eAAe,YAAmC;AAC7D,QAAMA,SAAQ,MAAM,gBAA8B,MAAM;AACxD,SAAO,aAAa,EAAE,IAAIA,OAAM,MAAMA,OAAM,KAAK,CAAC;AACpD;AAaO,MAAM,2BAA2B,YAEnC;AACH,MAAI;AACF,UAAM,OAAO,MAAM,gBAAoC,kBAAkB;AACzE,WAAO,EAAE,IAAI,MAAM,QAAQ,KAAK,OAAO;AAAA,EACzC,SAAS,GAAG;AACV,WAAO,EAAE,IAAI,OAAO,MAAO,EAAiB,QAAQ,UAAU;AAAA,EAChE;AACF;AAOO,MAAM,iBAAiB,OAAO,WAA0C;AAC7E,QAAMA,SAAQ,MAAM,gBAA8B,UAAU,EAAE,OAAO,CAAC;AACtE,SAAO,aAAa,EAAE,IAAIA,OAAM,MAAMA,OAAM,KAAK,CAAC;AACpD;AAOO,MAAM,mBAAmB,MAC9B,gBAA0B,MAAM;AAK3B,MAAM,cAAc,CACzB,OAA0B,CAAC,MACD,qBAAqB,UAAU,IAAI;AAGxD,MAAM,aAAa,CAAC,OAA0B,CAAC,MACpD,QAAqB,QAAQ,IAAI;AAG5B,MAAM,eAAe,OAAO,UAA8C;AAC/E,QAAM,QAAQ,WAAW,KAAK;AAChC;AA8BO,MAAM,gBAAgB,MAA4B,QAAqB,WAAW,CAAC,CAAC;AAGpF,MAAM,kBAAkB,CAAC,YAC9B,QAAkB,WAAW,EAAE,QAAQ,CAAC;AAKnC,MAAM,aAAa,OAAO,SAAiB,OAAe,SAA8B;AAC7F,QAAM,QAAQ,SAAS,EAAE,SAAS,OAAO,KAAK,CAAC;AACjD;AAIO,MAAM,eAAe,OAAO,SAAiB,QAA+B;AACjF,QAAM,QAAQ,WAAW,EAAE,SAAS,IAAI,CAAC;AAC3C;AAIO,MAAM,eAAe,OAAO,SAAiB,KAAa,SAA8B;AAC7F,QAAM,QAAQ,WAAW,EAAE,SAAS,KAAK,KAAK,CAAC;AACjD;AAIO,MAAM,aAAa,CAAC,UACzB,QAAsB,cAAc,EAAE,MAAM,CAAC;AAgBxC,MAAM,aAAa,MAA8B,QAAuB,UAAU,CAAC,CAAC;AAIpF,MAAM,cAAc,OAAO,QAAgB,YAAmC;AACnF,QAAM,QAAQ,eAAe,EAAE,QAAQ,QAAQ,CAAC;AAClD;","names":["mount"]}