@inkbox/sdk 0.2.16 → 0.3.0

package/dist/tunnels/client/_handler.js

@@ -0,0 +1,121 @@
+/**
+ * inkbox-tunnels/client/_handler.ts
+ *
+ * In-process Fetch-API HTTP handler. The user supplies a
+ * `(req: Request, ctx: InkboxRequestContext) => Response | Promise<Response>`
+ * function; the runtime synthesizes a `Request` from the envelope,
+ * invokes the handler, reads the response with the same per-chunk size
+ * cap as the URL-forward path, and returns a discriminated union the
+ * runtime maps onto fixed on-wire response shapes.
+ *
+ * Mirrors Python `_asgi.py` semantics at the wire level. The TS-side
+ * shape is Web standards (Fetch API) instead of ASGI 3.0.
+ */
+import { HOP_BY_HOP_RESPONSE } from "./_protocol.js";
+/**
+ * Synthesize a `Request` from the envelope, invoke the handler, read
+ * back the response under the size cap.
+ */
+export async function dispatchHttpInProcess(opts) {
+    const { envelope, handler, publicHost, maxResponseBytes, signal } = opts;
+    const url = `https://${publicHost}${envelope.path}`;
+    const reqHeaders = new Headers();
+    reqHeaders.set("host", publicHost);
+    reqHeaders.set("x-forwarded-host", publicHost);
+    reqHeaders.set("x-forwarded-proto", "https");
+    if (envelope.forwardedForIp !== null) {
+        reqHeaders.set("x-forwarded-for", envelope.forwardedForIp);
+        reqHeaders.set("forwarded", `for=${envelope.forwardedForIp}`);
+    }
+    for (const [k, v] of envelope.forwardedHeaders) {
+        const kl = k.toLowerCase();
+        if (kl === "host" ||
+            kl === "x-forwarded-host" ||
+            kl === "x-forwarded-proto" ||
+            kl === "x-forwarded-for" ||
+            kl === "forwarded") {
+            continue;
+        }
+        reqHeaders.append(k, v);
+    }
+    const reqInit = {
+        method: envelope.method,
+        headers: reqHeaders,
+        body: envelope.method === "GET" || envelope.method === "HEAD"
+            ? undefined
+            : envelope.body.length > 0
+                ? new Uint8Array(envelope.body)
+                : undefined,
+        signal,
+        // Discourage the user from issuing duplex calls when not needed.
+    };
+    let request;
+    try {
+        request = new Request(url, reqInit);
+    }
+    catch {
+        return {
+            kind: "handler-error",
+            status: 502,
+            inkboxReason: "handler-error",
+        };
+    }
+    const ctx = {
+        signal,
+        forwardedForIp: envelope.forwardedForIp,
+        sniHost: envelope.sniHost,
+        envelope: envelope,
+    };
+    let response;
+    try {
+        response = await handler(request, ctx);
+    }
+    catch {
+        return { kind: "handler-error", status: 502, inkboxReason: "handler-error" };
+    }
+    const headers = [];
+    response.headers.forEach((value, key) => {
+        if (HOP_BY_HOP_RESPONSE.has(key.toLowerCase()))
+            return;
+        headers.push([key, value]);
+    });
+    const reader = response.body?.getReader();
+    if (!reader) {
+        return {
+            kind: "ok",
+            status: response.status,
+            headers,
+            body: Buffer.alloc(0),
+        };
+    }
+    const chunks = [];
+    let total = 0;
+    try {
+        while (true) {
+            const { value, done } = await reader.read();
+            if (done)
+                break;
+            const chunk = Buffer.from(value);
+            if (total + chunk.length > maxResponseBytes) {
+                await reader.cancel().catch(() => undefined);
+                return {
+                    kind: "too-large",
+                    status: 502,
+                    inkboxReason: "response-too-large",
+                };
+            }
+            chunks.push(chunk);
+            total += chunk.length;
+        }
+    }
+    catch {
+        return { kind: "handler-error", status: 502, inkboxReason: "handler-error" };
+    }
+    return {
+        kind: "ok",
+        status: response.status,
+        headers,
+        body: chunks.length === 0 ? Buffer.alloc(0) : Buffer.concat(chunks, total),
+    };
+}
+//# sourceMappingURL=_handler.js.map

package/dist/tunnels/client/_handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_handler.js","sourceRoot":"","sources":["../../../src/tunnels/client/_handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAsDrD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAA+B;IAE/B,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IACzE,MAAM,GAAG,GAAG,WAAW,UAAU,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;IACpD,MAAM,UAAU,GAAG,IAAI,OAAO,EAAE,CAAC;IACjC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACnC,UAAU,CAAC,GAAG,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;IAC/C,UAAU,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;IAC7C,IAAI,QAAQ,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;QACrC,UAAU,CAAC,GAAG,CAAC,iBAAiB,EAAE,QAAQ,CAAC,cAAc,CAAC,CAAC;QAC3D,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;QAC/C,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3B,IACE,EAAE,KAAK,MAAM;YACb,EAAE,KAAK,kBAAkB;YACzB,EAAE,KAAK,mBAAmB;YAC1B,EAAE,KAAK,iBAAiB;YACxB,EAAE,KAAK,WAAW,EAClB,CAAC;YACD,SAAS;QACX,CAAC;QACD,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,OAAO,GAAgB;QAC3B,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,OAAO,EAAE,UAAU;QACnB,IAAI,EACF,QAAQ,CAAC,MAAM,KAAK,KAAK,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM;YACrD,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;gBACxB,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC/B,CAAC,CAAC,SAAS;QACjB,MAAM;QACN,iEAAiE;KAClE,CAAC;IAEF,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,GAAG;YACX,YAAY,EAAE,eAAe;SAC9B,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAyB;QAChC,MAAM;QACN,cAAc,EAAE,QAAQ,CAAC,cAAc;QACvC,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,QAAQ,EAAE,QAA4B;KACvC,CAAC;IAEF,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,EAAE,YAAY,EAAE,eAAe,EAAE,CAAC;IAC/E,CAAC;IAED,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtC,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO;QACvD,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO;YACP,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;SACtB,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,CAAC;QACH,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;gBAC5C,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAC7C,OAAO;oBACL,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,GAAG;oBACX,YAAY,EAAE,oBAAoB;iBACnC,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnB,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC;QACxB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,EAAE,YAAY,EAAE,eAAe,EAAE,CAAC;IAC/E,CAAC;IACD,OAAO;QACL,IAAI,EAAE,IAAI;QACV,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;KAC3E,CAAC;AACJ,CAAC"}

package/dist/tunnels/client/_listener.d.ts

@@ -0,0 +1,64 @@
+/**
+ * inkbox-tunnels/client/_listener.ts
+ *
+ * Public TunnelListener interface and implementation. Drives the
+ * {@link TunnelRuntime} to completion; surfaces fatal runtime errors
+ * via `wait()`.
+ */
+import type { Tunnel } from "../types.js";
+import type { TunnelRuntime } from "./_runtime.js";
+export type TunnelStatusCallback = (status: "connecting" | "connected" | "reconnecting" | "closed") => void;
+/**
+ * Options that affect how the listener behaves around process signals.
+ *
+ * The default mode is `undefined`: the listener installs SIGINT/SIGTERM
+ * handlers iff the parent process has none at construction time. Hosts
+ * that own their shutdown code should set `installSignalHandlers: false`
+ * and call `await listener.aclose()` from their own handler.
+ */
+export interface TunnelListenerOpts {
+    installSignalHandlers?: boolean;
+}
+/**
+ * A live tunnel.
+ *
+ * Returned by `connect(...)`. Use `await listener.wait()` to block
+ * until shutdown, or call `await listener.close()` to drive a clean
+ * teardown.
+ */
+export interface TunnelListener {
+    /** `https://{public_host}`. */
+    readonly publicUrl: string;
+    /** Snapshot of the resource record taken at bootstrap. Not refreshed. */
+    readonly tunnel: Tunnel;
+    /** Block until shutdown. Resolves on clean close; throws on fatal. */
+    wait(): Promise<void>;
+    /** Drive a graceful shutdown. Idempotent. */
+    close(): Promise<void>;
+    /** Async-friendly alias for `close()`. */
+    aclose(): Promise<void>;
+    /** Run the runtime to completion. */
+    serveForever(): Promise<void>;
+}
+export declare class TunnelListenerImpl implements TunnelListener {
+    readonly publicUrl: string;
+    readonly tunnel: Tunnel;
+    private readonly runtime;
+    private servePromise;
+    private closed;
+    private capturedError;
+    private installedSigintHandler;
+    private installedSigtermHandler;
+    private willExitOnSignal;
+    constructor(opts: {
+        publicHost: string;
+        tunnel: Tunnel;
+        runtime: TunnelRuntime;
+        listenerOpts?: TunnelListenerOpts;
+    });
+    serveForever(): Promise<void>;
+    wait(): Promise<void>;
+    close(): Promise<void>;
+    aclose(): Promise<void>;
+}
+//# sourceMappingURL=_listener.d.ts.map

package/dist/tunnels/client/_listener.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_listener.d.ts","sourceRoot":"","sources":["../../../src/tunnels/client/_listener.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD,MAAM,MAAM,oBAAoB,GAAG,CACjC,MAAM,EAAE,YAAY,GAAG,WAAW,GAAG,cAAc,GAAG,QAAQ,KAC3D,IAAI,CAAC;AAEV;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IACjC,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,cAAc;IAC7B,+BAA+B;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,yEAAyE;IACzE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,sEAAsE;IACtE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACtB,6CAA6C;IAC7C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,0CAA0C;IAC1C,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,qCAAqC;IACrC,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/B;AAED,qBAAa,kBAAmB,YAAW,cAAc;IACvD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgB;IACxC,OAAO,CAAC,YAAY,CAA8B;IAClD,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,aAAa,CAAiB;IACtC,OAAO,CAAC,sBAAsB,CAA6B;IAC3D,OAAO,CAAC,uBAAuB,CAA6B;IAC5D,OAAO,CAAC,gBAAgB,CAAS;gBAErB,IAAI,EAAE;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,aAAa,CAAC;QACvB,YAAY,CAAC,EAAE,kBAAkB,CAAC;KACnC;IAkDK,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAY7B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IASrB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;CAoB9B"}

package/dist/tunnels/client/_listener.js

@@ -0,0 +1,113 @@
+/**
+ * inkbox-tunnels/client/_listener.ts
+ *
+ * Public TunnelListener interface and implementation. Drives the
+ * {@link TunnelRuntime} to completion; surfaces fatal runtime errors
+ * via `wait()`.
+ */
+export class TunnelListenerImpl {
+    publicUrl;
+    tunnel;
+    runtime;
+    servePromise = null;
+    closed = false;
+    capturedError = null;
+    installedSigintHandler = null;
+    installedSigtermHandler = null;
+    willExitOnSignal = false;
+    constructor(opts) {
+        this.publicUrl = `https://${opts.publicHost}`;
+        this.tunnel = opts.tunnel;
+        this.runtime = opts.runtime;
+        const listenerOpts = opts.listenerOpts ?? {};
+        const explicit = listenerOpts.installSignalHandlers;
+        let shouldInstall;
+        if (explicit === true) {
+            const hadHandlers = process.listenerCount("SIGTERM") > 0 ||
+                process.listenerCount("SIGINT") > 0;
+            if (hadHandlers) {
+                // eslint-disable-next-line no-console
+                console.warn("TunnelListener: installSignalHandlers=true requested but " +
+                    "pre-existing SIGTERM/SIGINT handlers are present. The SDK " +
+                    "handler attaches alongside; both run on signal.");
+            }
+            shouldInstall = true;
+            this.willExitOnSignal = true;
+        }
+        else if (explicit === false) {
+            shouldInstall = false;
+        }
+        else {
+            // Default: install iff none exist at construction time.
+            shouldInstall =
+                process.listenerCount("SIGTERM") === 0 &&
+                    process.listenerCount("SIGINT") === 0;
+            this.willExitOnSignal = shouldInstall;
+        }
+        if (shouldInstall) {
+            const handler = () => {
+                void (async () => {
+                    try {
+                        await this.aclose();
+                    }
+                    finally {
+                        if (this.willExitOnSignal) {
+                            process.exit(0);
+                        }
+                    }
+                })();
+            };
+            this.installedSigtermHandler = handler;
+            this.installedSigintHandler = handler;
+            process.on("SIGTERM", handler);
+            process.on("SIGINT", handler);
+        }
+    }
+    async serveForever() {
+        if (this.servePromise !== null)
+            return this.servePromise;
+        this.servePromise = (async () => {
+            try {
+                await this.runtime.serveForever();
+            }
+            catch (err) {
+                this.capturedError = err;
+            }
+        })();
+        return this.servePromise;
+    }
+    async wait() {
+        await this.serveForever();
+        if (this.capturedError !== null) {
+            const err = this.capturedError;
+            this.capturedError = null;
+            throw err;
+        }
+    }
+    async close() {
+        return this.aclose();
+    }
+    async aclose() {
+        if (this.closed)
+            return;
+        this.closed = true;
+        await this.runtime.aclose();
+        if (this.installedSigtermHandler !== null) {
+            process.off("SIGTERM", this.installedSigtermHandler);
+            this.installedSigtermHandler = null;
+        }
+        if (this.installedSigintHandler !== null) {
+            process.off("SIGINT", this.installedSigintHandler);
+            this.installedSigintHandler = null;
+        }
+        if (this.servePromise !== null) {
+            try {
+                await this.servePromise;
+            }
+            catch {
+                /* swallow — captured in capturedError if relevant */
+            }
+        }
+    }
+}
+//# sourceMappingURL=_listener.js.map

package/dist/tunnels/client/_listener.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_listener.js","sourceRoot":"","sources":["../../../src/tunnels/client/_listener.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA2CH,MAAM,OAAO,kBAAkB;IACpB,SAAS,CAAS;IAClB,MAAM,CAAS;IACP,OAAO,CAAgB;IAChC,YAAY,GAAyB,IAAI,CAAC;IAC1C,MAAM,GAAG,KAAK,CAAC;IACf,aAAa,GAAY,IAAI,CAAC;IAC9B,sBAAsB,GAAwB,IAAI,CAAC;IACnD,uBAAuB,GAAwB,IAAI,CAAC;IACpD,gBAAgB,GAAG,KAAK,CAAC;IAEjC,YAAY,IAKX;QACC,IAAI,CAAC,SAAS,GAAG,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAE5B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC;QAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,qBAAqB,CAAC;QACpD,IAAI,aAAsB,CAAC;QAC3B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,MAAM,WAAW,GACf,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,CAAC;gBACpC,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,WAAW,EAAE,CAAC;gBAChB,sCAAsC;gBACtC,OAAO,CAAC,IAAI,CACV,2DAA2D;oBACzD,4DAA4D;oBAC5D,iDAAiD,CACpD,CAAC;YACJ,CAAC;YACD,aAAa,GAAG,IAAI,CAAC;YACrB,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;QAC/B,CAAC;aAAM,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;YAC9B,aAAa,GAAG,KAAK,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,wDAAwD;YACxD,aAAa;gBACX,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;oBACtC,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,CAAC,gBAAgB,GAAG,aAAa,CAAC;QACxC,CAAC;QACD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,OAAO,GAAG,GAAS,EAAE;gBACzB,KAAK,CAAC,KAAK,IAAI,EAAE;oBACf,IAAI,CAAC;wBACH,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;oBACtB,CAAC;4BAAS,CAAC;wBACT,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;4BAC1B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;wBAClB,CAAC;oBACH,CAAC;gBACH,CAAC,CAAC,EAAE,CAAC;YACP,CAAC,CAAC;YACF,IAAI,CAAC,uBAAuB,GAAG,OAAO,CAAC;YACvC,IAAI,CAAC,sBAAsB,GAAG,OAAO,CAAC;YACtC,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAC/B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,YAAY,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YAC9B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YACpC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,aAAa,GAAG,GAAG,CAAC;YAC3B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QACL,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC;YAC/B,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QAC5B,IAAI,IAAI,CAAC,uBAAuB,KAAK,IAAI,EAAE,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACrD,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC;QACtC,CAAC;QACD,IAAI,IAAI,CAAC,sBAAsB,KAAK,IAAI,EAAE,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACnD,IAAI,CAAC,sBAAsB,GAAG,IAAI,CAAC;QACrC,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,YAAY,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,qDAAqD;YACvD,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/tunnels/client/_protocol.d.ts

@@ -0,0 +1,67 @@
+/**
+ * inkbox-tunnels/client/_protocol.ts
+ *
+ * Single source of truth for the wire protocol in the TS SDK. Mirrors
+ * the server-side definitions in `servers/src/data_models/tunnel.py`.
+ *
+ * The companion manifest at
+ * `sdk/typescript/protocol/tunnel_protocol_constants.json` is the
+ * cross-SDK forcing function; the contract test in
+ * `tests/tunnels/protocol_contract.test.ts` asserts the constants here
+ * match it byte-for-byte. When the protocol changes, update both files
+ * in lockstep.
+ */
+export declare const INKBOX_NAMESPACE_PREFIX: "inkbox-";
+export declare const INKBOX_FORWARDED_HEADER_PREFIX: "inkbox-h-";
+/**
+ * The closed set of inkbox-defined meta headers exchanged on the
+ * `/_system/intake` and `/_system/response/{id}` streams.
+ */
+export declare const TunnelMetaHeader: {
+    readonly REQUEST_ID: "inkbox-request-id";
+    readonly METHOD: "inkbox-method";
+    readonly PATH: "inkbox-path";
+    readonly ROUTE_KIND: "inkbox-route-kind";
+    readonly STATUS: "inkbox-status";
+    readonly WS_ID: "inkbox-ws-id";
+    readonly TCP_ID: "inkbox-tcp-id";
+    readonly SNI_HOST: "inkbox-sni-host";
+    readonly BODY_URI: "inkbox-body-uri";
+    readonly FORWARDED_FOR: "inkbox-forwarded-for";
+    readonly REASON: "inkbox-reason";
+};
+export type TunnelMetaHeader = (typeof TunnelMetaHeader)[keyof typeof TunnelMetaHeader];
+/** Values for the `inkbox-route-kind` meta header. */
+export declare const TunnelRouteKind: {
+    readonly WEBHOOK: "webhook";
+    readonly WS_UPGRADE: "ws-upgrade";
+    readonly TCP_STREAM: "tcp-stream";
+};
+export type TunnelRouteKind = (typeof TunnelRouteKind)[keyof typeof TunnelRouteKind];
+/** ALPN-style subprotocols negotiated on extended-CONNECT bridge streams. */
+export declare const TunnelSubprotocol: {
+    readonly WS: "inkbox-tunnel-ws";
+    readonly TCP: "inkbox-tunnel-tcp";
+};
+export type TunnelSubprotocol = (typeof TunnelSubprotocol)[keyof typeof TunnelSubprotocol];
+/** Control-plane HTTP/2 paths exposed by the tunnel server. */
+export declare const ControlPaths: {
+    readonly HELLO: "/_system/hello";
+    readonly INTAKE: "/_system/intake";
+    readonly RESPONSE_PREFIX: "/_system/response/";
+    readonly WS_PREFIX: "/_system/ws/";
+    readonly TCP_PREFIX: "/_system/tcp/";
+};
+/** SDK-side request headers used on every control-plane stream. */
+export declare const ControlHeaders: {
+    readonly TUNNEL_ID: "x-tunnel-id";
+    readonly TUNNEL_SECRET: "x-tunnel-secret";
+    readonly OWNER_TOKEN: "x-owner-token";
+    readonly POOL_SLOT: "x-pool-slot";
+    readonly POOL_SIZE: "x-pool-size";
+};
+/** Hop-by-hop request headers stripped before forwarding upstream. */
+export declare const HOP_BY_HOP_REQUEST: ReadonlySet<string>;
+/** Hop-by-hop response headers stripped before forwarding back. */
+export declare const HOP_BY_HOP_RESPONSE: ReadonlySet<string>;
+//# sourceMappingURL=_protocol.d.ts.map

package/dist/tunnels/client/_protocol.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_protocol.d.ts","sourceRoot":"","sources":["../../../src/tunnels/client/_protocol.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,eAAO,MAAM,uBAAuB,EAAG,SAAkB,CAAC;AAC1D,eAAO,MAAM,8BAA8B,EAAG,WAAoB,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;CAYnB,CAAC;AACX,MAAM,MAAM,gBAAgB,GAC1B,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,OAAO,gBAAgB,CAAC,CAAC;AAE3D,sDAAsD;AACtD,eAAO,MAAM,eAAe;;;;CAIlB,CAAC;AACX,MAAM,MAAM,eAAe,GACzB,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,OAAO,eAAe,CAAC,CAAC;AAEzD,6EAA6E;AAC7E,eAAO,MAAM,iBAAiB;;;CAGpB,CAAC;AACX,MAAM,MAAM,iBAAiB,GAC3B,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,OAAO,iBAAiB,CAAC,CAAC;AAE7D,+DAA+D;AAC/D,eAAO,MAAM,YAAY;;;;;;CAMf,CAAC;AAEX,mEAAmE;AACnE,eAAO,MAAM,cAAc;;;;;;CAMjB,CAAC;AAEX,sEAAsE;AACtE,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,MAAM,CAajD,CAAC;AAEH,mEAAmE;AACnE,eAAO,MAAM,mBAAmB,EAAE,WAAW,CAAC,MAAM,CASlD,CAAC"}

package/dist/tunnels/client/_protocol.js

@@ -0,0 +1,86 @@
+/**
+ * inkbox-tunnels/client/_protocol.ts
+ *
+ * Single source of truth for the wire protocol in the TS SDK. Mirrors
+ * the server-side definitions in `servers/src/data_models/tunnel.py`.
+ *
+ * The companion manifest at
+ * `sdk/typescript/protocol/tunnel_protocol_constants.json` is the
+ * cross-SDK forcing function; the contract test in
+ * `tests/tunnels/protocol_contract.test.ts` asserts the constants here
+ * match it byte-for-byte. When the protocol changes, update both files
+ * in lockstep.
+ */
+export const INKBOX_NAMESPACE_PREFIX = "inkbox-";
+export const INKBOX_FORWARDED_HEADER_PREFIX = "inkbox-h-";
+/**
+ * The closed set of inkbox-defined meta headers exchanged on the
+ * `/_system/intake` and `/_system/response/{id}` streams.
+ */
+export const TunnelMetaHeader = {
+    REQUEST_ID: "inkbox-request-id",
+    METHOD: "inkbox-method",
+    PATH: "inkbox-path",
+    ROUTE_KIND: "inkbox-route-kind",
+    STATUS: "inkbox-status",
+    WS_ID: "inkbox-ws-id",
+    TCP_ID: "inkbox-tcp-id",
+    SNI_HOST: "inkbox-sni-host",
+    BODY_URI: "inkbox-body-uri",
+    FORWARDED_FOR: "inkbox-forwarded-for",
+    REASON: "inkbox-reason",
+};
+/** Values for the `inkbox-route-kind` meta header. */
+export const TunnelRouteKind = {
+    WEBHOOK: "webhook",
+    WS_UPGRADE: "ws-upgrade",
+    TCP_STREAM: "tcp-stream",
+};
+/** ALPN-style subprotocols negotiated on extended-CONNECT bridge streams. */
+export const TunnelSubprotocol = {
+    WS: "inkbox-tunnel-ws",
+    TCP: "inkbox-tunnel-tcp",
+};
+/** Control-plane HTTP/2 paths exposed by the tunnel server. */
+export const ControlPaths = {
+    HELLO: "/_system/hello",
+    INTAKE: "/_system/intake",
+    RESPONSE_PREFIX: "/_system/response/",
+    WS_PREFIX: "/_system/ws/",
+    TCP_PREFIX: "/_system/tcp/",
+};
+/** SDK-side request headers used on every control-plane stream. */
+export const ControlHeaders = {
+    TUNNEL_ID: "x-tunnel-id",
+    TUNNEL_SECRET: "x-tunnel-secret",
+    OWNER_TOKEN: "x-owner-token",
+    POOL_SLOT: "x-pool-slot",
+    POOL_SIZE: "x-pool-size",
+};
+/** Hop-by-hop request headers stripped before forwarding upstream. */
+export const HOP_BY_HOP_REQUEST = new Set([
+    "host",
+    "connection",
+    "upgrade",
+    "keep-alive",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "sec-websocket-key",
+    "sec-websocket-version",
+    "sec-websocket-extensions",
+]);
+/** Hop-by-hop response headers stripped before forwarding back. */
+export const HOP_BY_HOP_RESPONSE = new Set([
+    "connection",
+    "keep-alive",
+    "transfer-encoding",
+    "upgrade",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "te",
+    "trailer",
+]);
+//# sourceMappingURL=_protocol.js.map

package/dist/tunnels/client/_protocol.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_protocol.js","sourceRoot":"","sources":["../../../src/tunnels/client/_protocol.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,MAAM,CAAC,MAAM,uBAAuB,GAAG,SAAkB,CAAC;AAC1D,MAAM,CAAC,MAAM,8BAA8B,GAAG,WAAoB,CAAC;AAEnE;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,UAAU,EAAE,mBAAmB;IAC/B,MAAM,EAAE,eAAe;IACvB,IAAI,EAAE,aAAa;IACnB,UAAU,EAAE,mBAAmB;IAC/B,MAAM,EAAE,eAAe;IACvB,KAAK,EAAE,cAAc;IACrB,MAAM,EAAE,eAAe;IACvB,QAAQ,EAAE,iBAAiB;IAC3B,QAAQ,EAAE,iBAAiB;IAC3B,aAAa,EAAE,sBAAsB;IACrC,MAAM,EAAE,eAAe;CACf,CAAC;AAIX,sDAAsD;AACtD,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,UAAU,EAAE,YAAY;CAChB,CAAC;AAIX,6EAA6E;AAC7E,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,EAAE,EAAE,kBAAkB;IACtB,GAAG,EAAE,mBAAmB;CAChB,CAAC;AAIX,+DAA+D;AAC/D,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,KAAK,EAAE,gBAAgB;IACvB,MAAM,EAAE,iBAAiB;IACzB,eAAe,EAAE,oBAAoB;IACrC,SAAS,EAAE,cAAc;IACzB,UAAU,EAAE,eAAe;CACnB,CAAC;AAEX,mEAAmE;AACnE,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,SAAS,EAAE,aAAa;IACxB,aAAa,EAAE,iBAAiB;IAChC,WAAW,EAAE,eAAe;IAC5B,SAAS,EAAE,aAAa;IACxB,SAAS,EAAE,aAAa;CAChB,CAAC;AAEX,sEAAsE;AACtE,MAAM,CAAC,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IAC7D,MAAM;IACN,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,IAAI;IACJ,SAAS;IACT,mBAAmB;IACnB,oBAAoB;IACpB,qBAAqB;IACrB,mBAAmB;IACnB,uBAAuB;IACvB,0BAA0B;CAC3B,CAAC,CAAC;AAEH,mEAAmE;AACnE,MAAM,CAAC,MAAM,mBAAmB,GAAwB,IAAI,GAAG,CAAC;IAC9D,YAAY;IACZ,YAAY;IACZ,mBAAmB;IACnB,SAAS;IACT,oBAAoB;IACpB,qBAAqB;IACrB,IAAI;IACJ,SAAS;CACV,CAAC,CAAC"}

package/dist/tunnels/client/_runtime.d.ts

@@ -0,0 +1,143 @@
+/**
+ * inkbox-tunnels/client/_runtime.ts
+ *
+ * The h2 data-plane runtime (Node-only). Maintains one persistent
+ * HTTP/2 connection to `https://{zone}/_system/connect`, parks N
+ * intake streams, dispatches envelopes (HTTP / WS upgrade / passthrough
+ * TCP-stream), and manages flow control + reconnect.
+ *
+ * Mirrors Python `_runtime.py` at the wire level. The TS-side API
+ * shape diverges where Python exposed ASGI 3.0 — we expose Web
+ * standards (Fetch API, `InkboxWebSocket`) instead. The on-wire
+ * behavior is identical.
+ *
+ * Flow-control caveat: Node's high-level h2 server auto-credits, so
+ * the `awaitWindow` / `markWindowBlocked` / per-stream send-window
+ * gate paths are unit-tested only and not exercised through a real h2
+ * stack against a real flow-control sequence.
+ */
+import * as http2 from "node:http2";
+import type { ClientHttp2Session } from "node:http2";
+import { type InkboxHandler } from "./_handler.js";
+import type { TlsTerminator } from "./_tls.js";
+import { type InkboxWsHandler } from "./_ws.js";
+export declare const PING_INTERVAL_MS = 20000;
+/**
+ * Force-reconnect window if a PING goes unacked. Long enough to absorb
+ * a slow path's RTT (multi-hop NLB, congested link), short enough that
+ * a dead TCP doesn't strand the runtime past the next intake.
+ */
+export declare const PING_ACK_TIMEOUT_MS = 10000;
+export declare const BACKOFF_CAP_SEC = 30;
+export declare const BACKOFF_JITTER = 0.25;
+export declare const DEFAULT_INBOUND_BODY_BYTES: number;
+export declare const DEFAULT_OUTBOUND_BODY_BYTES: number;
+export declare class TunnelAuthError extends Error {
+    constructor(message: string);
+}
+export type StatusCallback = (status: "connecting" | "connected" | "reconnecting" | "closed") => void;
+/**
+ * What this runtime forwards to. URL is required; `httpHandler` and
+ * `wsHandler` activate the in-process callable paths.
+ */
+export interface DispatchConfig {
+    /** Set if the runtime forwards HTTP envelopes to a local URL. */
+    forwardTo?: string;
+    /** Set if the runtime invokes an in-process Fetch-API handler. */
+    httpHandler?: InkboxHandler;
+    /** Set if the runtime drives WS-upgrade envelopes through an in-process handler. */
+    wsHandler?: InkboxWsHandler;
+}
+export interface TunnelRuntimeOpts {
+    tunnelId: string;
+    secret: string;
+    zone: string;
+    publicHost: string;
+    poolSize: number | null;
+    dispatch: DispatchConfig;
+    /**
+     * Set when the tunnel is in passthrough TLS mode. The runtime drives
+     * the in-process TLS state machine for inbound bridge data and
+     * forwards plaintext to `dispatch.forwardTo`.
+     */
+    tlsTerminator?: TlsTerminator;
+    maxInboundBodyBytes?: number;
+    maxResponseBytes?: number;
+    allowRemoteForwarding?: boolean;
+    /** Verify the upstream's TLS cert when `forwardTo` is https://. Default true. */
+    forwardToVerifyTls?: boolean;
+    /** Extra CA bundle (PEM) to trust for the upstream TLS connection. */
+    forwardToCaBundle?: Buffer | string;
+    onStatus?: StatusCallback;
+    /** Internal injection point for tests; default is `Math.random`. */
+    rng?: () => number;
+    /** Internal injection point for tests; default is `node:http2` connect. */
+    http2Connect?: (authority: string, options: http2.ClientSessionOptions | http2.SecureClientSessionOptions) => ClientHttp2Session;
+}
+/**
+ * The data-plane runtime. Construct with the bootstrap-derived
+ * tunnelId/secret/zone/publicHost; call `serveForever()` to drive it,
+ * `aclose()` to shut down.
+ */
+export declare class TunnelRuntime {
+    private readonly tunnelId;
+    private readonly secret;
+    private readonly zone;
+    private readonly publicHost;
+    private readonly poolSize;
+    private readonly dispatch;
+    private readonly maxInbound;
+    private readonly maxOutbound;
+    private readonly tlsTerminator;
+    private readonly forwardToVerifyTls;
+    private readonly forwardToCaBundle;
+    private readonly onStatus?;
+    private readonly rng;
+    private readonly http2Connect;
+    private session;
+    private ownerToken;
+    private serverPoolSize;
+    private intakeIdleSeconds;
+    private responseDeadlineSeconds;
+    private stop;
+    private readonly streams;
+    private readonly bridgeStreamIds;
+    private readonly tasks;
+    private passthroughDispatch;
+    private readonly undiciAgentCache;
+    private pingHandle;
+    private pingAbort;
+    private shutdownAbort;
+    constructor(opts: TunnelRuntimeOpts);
+    /**
+     * Drive the runtime forever. Reconnects with jittered exponential
+     * backoff; rejects only on permanent auth failure (rotate the
+     * secret) or after `aclose()`.
+     */
+    serveForever(): Promise<void>;
+    /** Graceful shutdown. Signals all loops to exit; closes the h2 session. */
+    aclose(): Promise<void>;
+    private runOnce;
+    private openConnection;
+    private waitForSessionClose;
+    private sendHello;
+    private openStream;
+    private wake;
+    private nextEvent;
+    private awaitResponse;
+    private intakeLoop;
+    private parkOneIntake;
+    private startPingLoop;
+    private stopPingLoop;
+    private dispatchEnvelope;
+    private dispatchHttp;
+    private materializeBody;
+    private dispatchWsUpgrade;
+    private dispatchWsUpgradeToUrl;
+    private openWsBridge;
+    private dispatchTcpStream;
+    private writeBridgeFrame;
+    private postResponse;
+    private notifyStatus;
+}
+//# sourceMappingURL=_runtime.d.ts.map

package/dist/tunnels/client/_runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_runtime.d.ts","sourceRoot":"","sources":["../../../src/tunnels/client/_runtime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAGpC,OAAO,KAAK,EAAE,kBAAkB,EAAqB,MAAM,YAAY,CAAC;AAiBxE,OAAO,EAEL,KAAK,aAAa,EAEnB,MAAM,eAAe,CAAC;AAiBvB,OAAO,KAAK,EAAc,aAAa,EAAE,MAAM,WAAW,CAAC;AAY3D,OAAO,EAEL,KAAK,eAAe,EAErB,MAAM,UAAU,CAAC;AAQlB,eAAO,MAAM,gBAAgB,QAAS,CAAC;AACvC;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAS,CAAC;AAC1C,eAAO,MAAM,eAAe,KAAO,CAAC;AACpC,eAAO,MAAM,cAAc,OAAO,CAAC;AAEnC,eAAO,MAAM,0BAA0B,QAAmB,CAAC;AAC3D,eAAO,MAAM,2BAA2B,QAAmB,CAAC;AAE5D,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAoCD,MAAM,MAAM,cAAc,GAAG,CAC3B,MAAM,EAAE,YAAY,GAAG,WAAW,GAAG,cAAc,GAAG,QAAQ,KAC3D,IAAI,CAAC;AAEV;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kEAAkE;IAClE,WAAW,CAAC,EAAE,aAAa,CAAC;IAC5B,oFAAoF;IACpF,SAAS,CAAC,EAAE,eAAe,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,cAAc,CAAC;IACzB;;;;OAIG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,iFAAiF;IACjF,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACpC,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,oEAAoE;IACpE,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,CACb,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,KAAK,CAAC,oBAAoB,GAAG,KAAK,CAAC,0BAA0B,KACnE,kBAAkB,CAAC;CACzB;AAeD;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAgB;IACzC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAuB;IACrD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IAC7C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAyB;IAC3D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAiB;IAC3C,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;IACnC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiD;IAE9E,OAAO,CAAC,OAAO,CAAmC;IAClD,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,cAAc,CAAuB;IAC7C,OAAO,CAAC,iBAAiB,CAAuB;IAChD,OAAO,CAAC,uBAAuB,CAAuB;IAEtD,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgC;IACxD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAqB;IACrD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA+B;IAErD,OAAO,CAAC,mBAAmB,CAAkD;IAK7E,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA8C;IAC/E,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,SAAS,CAAgC;IACjD,OAAO,CAAC,aAAa,CAA0C;gBAEnD,IAAI,EAAE,iBAAiB;IAmBnC;;;;OAIG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IA8CnC,2EAA2E;IACrE,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;YA6Ef,OAAO;YA0BP,cAAc;IAiG5B,OAAO,CAAC,mBAAmB;YAcb,SAAS;IA4DvB,OAAO,CAAC,UAAU;IAyDlB,OAAO,CAAC,IAAI;YAQE,SAAS;YAgBT,aAAa;YA4Bb,UAAU;YAiDV,aAAa;IA2D3B,OAAO,CAAC,aAAa;IAoDrB,OAAO,CAAC,YAAY;YAWN,gBAAgB;YAsChB,YAAY;YA6IZ,eAAe;YA8Bf,iBAAiB;YAmDjB,sBAAsB;YA6HtB,YAAY;YAsKZ,iBAAiB;IAiW/B,OAAO,CAAC,gBAAgB;YAyBV,YAAY;IAmE1B,OAAO,CAAC,YAAY;CAcrB"}