@keycardai/a2a 0.1.0

package/README.md

@@ -0,0 +1,110 @@
+# @keycardai/a2a
+
+> **Preview.** This SDK has not reached parity with the Keycard Python SDK. APIs may change between minor versions.
+
+Keycard auth integration for the [Agent-to-Agent (A2A) protocol](https://google.github.io/A2A). Wraps [`@a2a-js/sdk`](https://github.com/a2aproject/a2a-js) the same way Python's `keycardai-a2a` wraps `a2a-sdk 1.x` — adds Keycard auth on top of the existing SDK's routing, executor, and task store infrastructure.
+
+Python equivalent: [`keycardai-a2a`](https://github.com/keycardai/python-sdk/tree/main/packages/a2a).
+
+## Installation
+
+```bash
+npm install @keycardai/a2a @a2a-js/sdk express
+```
+
+## Quick Start
+
+### Build an A2A agent server
+
+```typescript
+import express from "express";
+import { agentCardHandler, jsonRpcHandler } from "@a2a-js/sdk/server/express";
+import { InMemoryTaskStore, type AgentExecutor, type RequestContext, type ExecutionEventBus } from "@a2a-js/sdk/server";
+import {
+  keycardUserBuilder,
+  getKeycardAuth,
+  createKeycardRequestHandler,
+  buildAgentCard,
+} from "@keycardai/a2a";
+
+const executor: AgentExecutor = {
+  async execute(requestContext: RequestContext, eventBus: ExecutionEventBus) {
+    const auth = getKeycardAuth(requestContext);
+    if (!auth) throw new Error("unauthenticated"); // guard: keycardUserBuilder normally prevents this
+    // auth.token is the raw bearer string for downstream delegation
+    const text = (requestContext.userMessage.parts[0] as any).text;
+    eventBus.publish({ messageId: crypto.randomUUID(), role: "agent",
+      parts: [{ kind: "text", text: `Hello: ${text}` }] } as any);
+    eventBus.finished();
+  },
+  async cancelTask() {},
+};
+
+const config = {
+  serviceName: "My Agent",
+  clientId: process.env.KEYCARD_CLIENT_ID!,
+  clientSecret: process.env.KEYCARD_CLIENT_SECRET!,
+  identityUrl: "https://my-agent.example.com",
+  zoneId: process.env.KEYCARD_ZONE_ID,
+};
+
+const agentCard = buildAgentCard(config);
+const requestHandler = createKeycardRequestHandler(executor, agentCard);
+const userBuilder = keycardUserBuilder({
+  issuer: `https://${config.zoneId}.keycard.cloud`,
+});
+
+const app = express();
+app.use(express.json());
+app.use("/.well-known/agent-card.json", agentCardHandler({ agentCardProvider: requestHandler }));
+app.use("/a2a/jsonrpc", jsonRpcHandler({ requestHandler, userBuilder }));
+
+app.listen(3000);
+```
+
+### Call a remote A2A agent
+
+```typescript
+import { DelegationClient, getKeycardAuth } from "@keycardai/a2a";
+
+const client = new DelegationClient(config);
+
+// Inside your executor — pass the caller's token for delegation chain
+async execute(requestContext, eventBus) {
+  const auth = getKeycardAuth(requestContext)!;
+  const result = await client.invokeService(
+    "https://remote-agent.example.com",
+    "Summarize this document",
+    { subjectToken: auth.token },
+  );
+  eventBus.publish(result.message);
+  eventBus.finished();
+}
+```
+
+## How it works
+
+`keycardUserBuilder` implements [`@a2a-js/sdk`'s `UserBuilder`](https://github.com/a2aproject/a2a-js) interface — the auth extension point where Keycard JWT validation is wired in. This is the same pattern as Python's `KeycardServerCallContextBuilder`. The builder validates the bearer token with `TokenVerifier`, creates a `KeycardUser` carrying the `AccessToken`, and injects it into each `RequestContext` via `ServerCallContext`.
+
+`getKeycardAuth(requestContext)` extracts that `AccessToken` in the executor, giving you the caller's identity and a ready-to-use `token` string for downstream RFC 8693 delegation.
+
+## API
+
+| Export | Description |
+|---|---|
+| `keycardUserBuilder(options)` | Returns a `UserBuilder` for `@a2a-js/sdk`'s Express handlers; validates Keycard JWTs |
+| `KeycardUser` | Implements `User`, carries `AccessToken` |
+| `getKeycardAuth(requestContext)` | Extracts `AccessToken` from executor context; returns `null` if unauthenticated |
+| `createKeycardRequestHandler(executor, agentCard, options?)` | Convenience wrapper creating `DefaultRequestHandler` with `InMemoryTaskStore` |
+| `buildAgentCard(config)` | Builds an `AgentCard` from `AgentServiceConfig` |
+| `DelegationClient` | Discovers, exchanges tokens, and invokes remote A2A agents |
+| `ServiceDiscovery` | Fetches and caches agent cards from `/.well-known/agent-card.json` |
+| `AgentServiceConfig` | Config: service name, credentials, identity URL, zone |
+
+Re-exports from `@a2a-js/sdk`: `agentCardHandler`, `jsonRpcHandler`, `restHandler`, `UserBuilder`, `AgentExecutor`, `RequestContext`, `ExecutionEventBus`, `InMemoryTaskStore`, `DefaultRequestHandler`, `AgentCard`, `Message`, `Task`.
+
+## Related Packages
+
+- [`@keycardai/oauth`](../oauth/) — Token exchange primitives used by `DelegationClient`
+- [`@keycardai/express`](../express/) — Bearer auth middleware for plain HTTP APIs
+- [Keycard TypeScript SDK](../../README.md) — Root documentation

package/dist/cjs/auth.d.ts

@@ -0,0 +1,48 @@
+import type { User } from "@a2a-js/sdk/server";
+import type { UserBuilder } from "@a2a-js/sdk/server/express";
+import type { TokenVerifierOptions } from "@keycardai/oauth/server/tokenVerifier";
+import type { AccessToken } from "@keycardai/oauth/server/accessToken";
+import type { RequestContext } from "@a2a-js/sdk/server";
+/**
+ * A Keycard-verified user. Implements `@a2a-js/sdk`'s `User` interface
+ * and carries the full `AccessToken` for downstream delegation.
+ *
+ * Python equivalent: the `KeycardUser` injected into `ServerCallContext.state`
+ * by `KeycardServerCallContextBuilder`.
+ */
+export declare class KeycardUser implements User {
+    readonly accessToken: AccessToken;
+    constructor(accessToken: AccessToken);
+    get isAuthenticated(): boolean;
+    get userName(): string;
+}
+export type KeycardUserBuilderOptions = Pick<TokenVerifierOptions, "issuer" | "audience" | "enableMultiZone" | "keyring" | "requiredScopes">;
+/**
+ * Returns a `UserBuilder` for `@a2a-js/sdk`'s Express handlers that validates
+ * Keycard-issued JWTs and injects a `KeycardUser` into the request context.
+ *
+ * Python equivalent: `KeycardServerCallContextBuilder`, the auth extension
+ * point of `a2a-sdk` where Keycard auth is wired in.
+ *
+ * ```ts
+ * const userBuilder = keycardUserBuilder({ issuer: "https://zone.keycard.cloud" });
+ * app.post("/a2a/jsonrpc", jsonRpcHandler({ requestHandler, userBuilder }));
+ * ```
+ *
+ * On a valid token the SDK receives a `KeycardUser`; on an invalid or missing
+ * token it receives an `UnauthenticatedUser`, and the SDK rejects the request
+ * with a 401.
+ */
+export declare function keycardUserBuilder(options: KeycardUserBuilderOptions): UserBuilder;
+/**
+ * Extract the `AccessToken` from an A2A `RequestContext`.
+ * Returns `null` if the request was not authenticated with a Keycard token.
+ *
+ * ```ts
+ * const auth = getKeycardAuth(requestContext);
+ * if (!auth) throw new Error("unauthenticated");
+ * // use auth.token for downstream delegation
+ * ```
+ */
+export declare function getKeycardAuth(requestContext: RequestContext): AccessToken | null;
+//# sourceMappingURL=auth.d.ts.map

package/dist/cjs/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAE9D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,uCAAuC,CAAC;AAClF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AACvE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAGzD;;;;;;GAMG;AACH,qBAAa,WAAY,YAAW,IAAI;IACtC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;gBAEtB,WAAW,EAAE,WAAW;IAIpC,IAAI,eAAe,IAAI,OAAO,CAE7B;IAED,IAAI,QAAQ,IAAI,MAAM,CAErB;CACF;AAED,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC1C,oBAAoB,EACpB,QAAQ,GAAG,UAAU,GAAG,iBAAiB,GAAG,SAAS,GAAG,gBAAgB,CACzE,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,GAAG,WAAW,CAsBlF;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,cAAc,EAAE,cAAc,GAAG,WAAW,GAAG,IAAI,CAMjF"}

package/dist/cjs/auth.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycardUser = void 0;
+exports.keycardUserBuilder = keycardUserBuilder;
+exports.getKeycardAuth = getKeycardAuth;
+const tokenVerifier_1 = require("@keycardai/oauth/server/tokenVerifier");
+const server_1 = require("@a2a-js/sdk/server");
+/**
+ * A Keycard-verified user. Implements `@a2a-js/sdk`'s `User` interface
+ * and carries the full `AccessToken` for downstream delegation.
+ *
+ * Python equivalent: the `KeycardUser` injected into `ServerCallContext.state`
+ * by `KeycardServerCallContextBuilder`.
+ */
+class KeycardUser {
+    constructor(accessToken) {
+        this.accessToken = accessToken;
+    }
+    get isAuthenticated() {
+        return true;
+    }
+    get userName() {
+        return this.accessToken.clientId;
+    }
+}
+exports.KeycardUser = KeycardUser;
+/**
+ * Returns a `UserBuilder` for `@a2a-js/sdk`'s Express handlers that validates
+ * Keycard-issued JWTs and injects a `KeycardUser` into the request context.
+ *
+ * Python equivalent: `KeycardServerCallContextBuilder`, the auth extension
+ * point of `a2a-sdk` where Keycard auth is wired in.
+ *
+ * ```ts
+ * const userBuilder = keycardUserBuilder({ issuer: "https://zone.keycard.cloud" });
+ * app.post("/a2a/jsonrpc", jsonRpcHandler({ requestHandler, userBuilder }));
+ * ```
+ *
+ * On a valid token the SDK receives a `KeycardUser`; on an invalid or missing
+ * token it receives an `UnauthenticatedUser`, and the SDK rejects the request
+ * with a 401.
+ */
+function keycardUserBuilder(options) {
+    const verifier = new tokenVerifier_1.TokenVerifier({
+        issuer: options.issuer,
+        audience: options.audience,
+        enableMultiZone: options.enableMultiZone,
+        keyring: options.keyring,
+        requiredScopes: options.requiredScopes,
+    });
+    return async (req) => {
+        const authorization = req.headers.authorization;
+        if (!authorization?.startsWith("Bearer ")) {
+            // -32001 is the A2A unauthorized error code
+            throw new server_1.A2AError(-32001, "Missing or invalid Authorization header");
+        }
+        const token = authorization.slice(7);
+        const accessToken = await verifier.verifyToken(token);
+        if (!accessToken) {
+            throw new server_1.A2AError(-32001, "Invalid or expired token");
+        }
+        return new KeycardUser(accessToken);
+    };
+}
+/**
+ * Extract the `AccessToken` from an A2A `RequestContext`.
+ * Returns `null` if the request was not authenticated with a Keycard token.
+ *
+ * ```ts
+ * const auth = getKeycardAuth(requestContext);
+ * if (!auth) throw new Error("unauthenticated");
+ * // use auth.token for downstream delegation
+ * ```
+ */
+function getKeycardAuth(requestContext) {
+    const user = requestContext.context?.user;
+    if (user instanceof KeycardUser) {
+        return user.accessToken;
+    }
+    return null;
+}
+class UnauthenticatedUser {
+    get isAuthenticated() {
+        return false;
+    }
+    get userName() {
+        return "anonymous";
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/cjs/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":";;;AAqDA,gDAsBC;AAYD,wCAMC;AA1FD,yEAAsE;AAItE,+CAA8C;AAE9C;;;;;;GAMG;AACH,MAAa,WAAW;IAGtB,YAAY,WAAwB;QAClC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED,IAAI,eAAe;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;IACnC,CAAC;CACF;AAdD,kCAcC;AAOD;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,kBAAkB,CAAC,OAAkC;IACnE,MAAM,QAAQ,GAAG,IAAI,6BAAa,CAAC;QACjC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,eAAe,EAAE,OAAO,CAAC,eAAe;QACxC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC;IAEH,OAAO,KAAK,EAAE,GAAY,EAAiB,EAAE;QAC3C,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAChD,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1C,4CAA4C;YAC5C,MAAM,IAAI,iBAAQ,CAAC,CAAC,KAAK,EAAE,yCAAyC,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,iBAAQ,CAAC,CAAC,KAAK,EAAE,0BAA0B,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,cAAc,CAAC,cAA8B;IAC3D,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC;IAC1C,IAAI,IAAI,YAAY,WAAW,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,mBAAmB;IACvB,IAAI,eAAe;QACjB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,QAAQ;QACV,OAAO,WAAW,CAAC;IACrB,CAAC;CACF"}

package/dist/cjs/config.d.ts

@@ -0,0 +1,35 @@
+import type { AgentSkill } from "@a2a-js/sdk";
+export type { AgentSkill } from "@a2a-js/sdk";
+/**
+ * Configuration for a Keycard-protected A2A agent service.
+ *
+ * Python equivalent: `keycardai.a2a.AgentServiceConfig`
+ */
+export interface AgentServiceConfig {
+    /** Human-readable service name, used as the agent card `name`. */
+    serviceName: string;
+    /** Keycard client ID for service-to-service token exchange. */
+    clientId: string;
+    /** Keycard client secret. */
+    clientSecret: string;
+    /**
+     * Public URL of this agent service, e.g. "https://my-agent.example.com".
+     * Used to construct the JSONRPC endpoint URL.
+     */
+    identityUrl: string;
+    /** Keycard zone ID, e.g. "abc1234". Constructs the auth server URL. */
+    zoneId?: string;
+    /**
+     * Explicit authorization server URL. Defaults to
+     * `https://{zoneId}.keycard.cloud` when `zoneId` is provided.
+     */
+    authorizationServerUrl?: string;
+    /** Description for the agent card. */
+    description?: string;
+    /** Skills advertised in the agent card. */
+    skills?: readonly AgentSkill[];
+}
+export declare function getAgentCardUrl(config: AgentServiceConfig): string;
+export declare function getJsonrpcUrl(config: AgentServiceConfig): string;
+export declare function getAuthServerUrl(config: AgentServiceConfig): string;
+//# sourceMappingURL=config.d.ts.map

package/dist/cjs/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,sCAAsC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2CAA2C;IAC3C,MAAM,CAAC,EAAE,SAAS,UAAU,EAAE,CAAC;CAChC;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAElE;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAEhE;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAMnE"}

package/dist/cjs/config.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAgentCardUrl = getAgentCardUrl;
+exports.getJsonrpcUrl = getJsonrpcUrl;
+exports.getAuthServerUrl = getAuthServerUrl;
+function getAgentCardUrl(config) {
+    return `${config.identityUrl}/.well-known/agent-card.json`;
+}
+function getJsonrpcUrl(config) {
+    return `${config.identityUrl}/a2a/jsonrpc`;
+}
+function getAuthServerUrl(config) {
+    if (config.authorizationServerUrl)
+        return config.authorizationServerUrl;
+    if (config.zoneId)
+        return `https://${config.zoneId}.keycard.cloud`;
+    throw new Error("AgentServiceConfig: either `authorizationServerUrl` or `zoneId` is required");
+}
+//# sourceMappingURL=config.js.map

package/dist/cjs/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":";;AAkCA,0CAEC;AAED,sCAEC;AAED,4CAMC;AAdD,SAAgB,eAAe,CAAC,MAA0B;IACxD,OAAO,GAAG,MAAM,CAAC,WAAW,8BAA8B,CAAC;AAC7D,CAAC;AAED,SAAgB,aAAa,CAAC,MAA0B;IACtD,OAAO,GAAG,MAAM,CAAC,WAAW,cAAc,CAAC;AAC7C,CAAC;AAED,SAAgB,gBAAgB,CAAC,MAA0B;IACzD,IAAI,MAAM,CAAC,sBAAsB;QAAE,OAAO,MAAM,CAAC,sBAAsB,CAAC;IACxE,IAAI,MAAM,CAAC,MAAM;QAAE,OAAO,WAAW,MAAM,CAAC,MAAM,gBAAgB,CAAC;IACnE,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;AACJ,CAAC"}

package/dist/cjs/delegation.d.ts

@@ -0,0 +1,56 @@
+import type { AgentCard } from "@a2a-js/sdk";
+import type { Message } from "@a2a-js/sdk";
+import { ServiceDiscovery } from "./discovery.js";
+import type { AgentServiceConfig } from "./config.js";
+export interface DelegationResult {
+    /** The agent's response message. */
+    message: Message;
+    /** Resolved agent card for the target service. */
+    agentCard: AgentCard;
+}
+export interface InvokeOptions {
+    /**
+     * Keycard bearer token from the current request context. Pass
+     * `getKeycardAuth(requestContext)?.token` from the executor.
+     * Required for all delegation flows.
+     *
+     * For service-to-service delegation without a user token (equivalent to
+     * Python's client-credentials fallback in `DelegationClient`), first
+     * acquire a service access token from Keycard, then pass it here.
+     * A convenience method for this path is a planned follow-up.
+     */
+    subjectToken: string;
+    /** Timeout in ms for the JSONRPC call. Default: 30 000. */
+    timeoutMs?: number;
+    /** Arbitrary metadata to attach to the A2A message. */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Client for delegating tasks to remote A2A agent services with
+ * Keycard token exchange.
+ *
+ * ```ts
+ * const client = new DelegationClient(config);
+ *
+ * // Inside your AgentExecutor.execute():
+ * const auth = getKeycardAuth(requestContext);
+ * const result = await client.invokeService(targetUrl, "summarize this", {
+ *   subjectToken: auth!.token,
+ * });
+ * eventBus.publish(result.message);
+ * eventBus.finished();
+ * ```
+ *
+ * Python equivalent: `keycardai.a2a.DelegationClient`
+ */
+export declare class DelegationClient {
+    #private;
+    constructor(config: AgentServiceConfig, options?: {
+        discovery?: ServiceDiscovery;
+    });
+    /**
+     * Discover, authenticate, and invoke a remote A2A agent in one call.
+     */
+    invokeService(serviceUrl: string, task: string, options: InvokeOptions): Promise<DelegationResult>;
+}
+//# sourceMappingURL=delegation.d.ts.map

package/dist/cjs/delegation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation.d.ts","sourceRoot":"","sources":["../../src/delegation.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAGtD,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B;;;;;;;;;OASG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAMD;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBAAgB;;gBAKf,MAAM,EAAE,kBAAkB,EAAE,OAAO,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,gBAAgB,CAAA;KAAE;IAQlF;;OAEG;IACG,aAAa,CACjB,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,gBAAgB,CAAC;CAsE7B"}

package/dist/cjs/delegation.js

@@ -0,0 +1,124 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _DelegationClient_instances, _DelegationClient_config, _DelegationClient_tokenClient, _DelegationClient_discovery, _DelegationClient_getDelegationToken, _DelegationClient_sendMessage;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DelegationClient = void 0;
+const tokenExchange_1 = require("@keycardai/oauth/tokenExchange");
+const clientSecret_1 = require("@keycardai/oauth/server/clientSecret");
+const discovery_js_1 = require("./discovery.js");
+const config_js_1 = require("./config.js");
+const A2A_JSONRPC_PATH = "/a2a/jsonrpc";
+const A2A_PROTOCOL_VERSION = "0.3";
+const A2A_VERSION_HEADER = "x-a2a-protocol-version";
+/**
+ * Client for delegating tasks to remote A2A agent services with
+ * Keycard token exchange.
+ *
+ * ```ts
+ * const client = new DelegationClient(config);
+ *
+ * // Inside your AgentExecutor.execute():
+ * const auth = getKeycardAuth(requestContext);
+ * const result = await client.invokeService(targetUrl, "summarize this", {
+ *   subjectToken: auth!.token,
+ * });
+ * eventBus.publish(result.message);
+ * eventBus.finished();
+ * ```
+ *
+ * Python equivalent: `keycardai.a2a.DelegationClient`
+ */
+class DelegationClient {
+    constructor(config, options) {
+        _DelegationClient_instances.add(this);
+        _DelegationClient_config.set(this, void 0);
+        _DelegationClient_tokenClient.set(this, void 0);
+        _DelegationClient_discovery.set(this, void 0);
+        __classPrivateFieldSet(this, _DelegationClient_config, config, "f");
+        __classPrivateFieldSet(this, _DelegationClient_discovery, options?.discovery ?? new discovery_js_1.ServiceDiscovery(), "f");
+        __classPrivateFieldSet(this, _DelegationClient_tokenClient, new tokenExchange_1.TokenExchangeClient((0, config_js_1.getAuthServerUrl)(config), {
+            credential: new clientSecret_1.ClientSecret(config.clientId, config.clientSecret),
+        }), "f");
+    }
+    /**
+     * Discover, authenticate, and invoke a remote A2A agent in one call.
+     */
+    async invokeService(serviceUrl, task, options) {
+        const agentCard = await __classPrivateFieldGet(this, _DelegationClient_discovery, "f").getServiceCard(serviceUrl);
+        const delegationToken = await __classPrivateFieldGet(this, _DelegationClient_instances, "m", _DelegationClient_getDelegationToken).call(this, serviceUrl, options.subjectToken);
+        const message = buildUserMessage(task, options.metadata);
+        const jsonrpcUrl = buildJsonrpcUrl(serviceUrl, agentCard);
+        const responseMessage = await __classPrivateFieldGet(this, _DelegationClient_instances, "m", _DelegationClient_sendMessage).call(this, jsonrpcUrl, message, delegationToken, options.timeoutMs);
+        return { message: responseMessage, agentCard };
+    }
+}
+exports.DelegationClient = DelegationClient;
+_DelegationClient_config = new WeakMap(), _DelegationClient_tokenClient = new WeakMap(), _DelegationClient_discovery = new WeakMap(), _DelegationClient_instances = new WeakSet(), _DelegationClient_getDelegationToken = async function _DelegationClient_getDelegationToken(targetUrl, subjectToken) {
+    const response = await __classPrivateFieldGet(this, _DelegationClient_tokenClient, "f").exchangeToken({
+        subjectToken,
+        subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+        resource: targetUrl,
+    });
+    return response.accessToken;
+}, _DelegationClient_sendMessage = async function _DelegationClient_sendMessage(jsonrpcUrl, message, bearerToken, timeoutMs = 30_000) {
+    const requestBody = {
+        jsonrpc: "2.0",
+        id: crypto.randomUUID(),
+        method: "message/send",
+        params: { message },
+    };
+    const response = await fetch(jsonrpcUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            Authorization: `Bearer ${bearerToken}`,
+            [A2A_VERSION_HEADER]: A2A_PROTOCOL_VERSION,
+        },
+        body: JSON.stringify(requestBody),
+        signal: AbortSignal.timeout(timeoutMs),
+    });
+    if (!response.ok) {
+        throw new Error(`DelegationClient: A2A request to "${jsonrpcUrl}" failed (HTTP ${response.status})`);
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch {
+        throw new Error(`DelegationClient: response from "${jsonrpcUrl}" is not valid JSON`);
+    }
+    const envelope = body;
+    if (!envelope.result?.message) {
+        throw new Error(`DelegationClient: A2A error from "${jsonrpcUrl}": ${envelope.error?.message ?? "unknown error"}`);
+    }
+    return envelope.result.message;
+};
+function buildUserMessage(text, metadata) {
+    return {
+        messageId: crypto.randomUUID(),
+        role: "user",
+        parts: [{ kind: "text", text }],
+        ...(metadata ? { metadata } : {}),
+    };
+}
+function buildJsonrpcUrl(serviceUrl, agentCard) {
+    // agentCard.url IS the JSONRPC endpoint per the A2A spec — use it directly.
+    // Do not append A2A_JSONRPC_PATH: the agent card is built with getJsonrpcUrl()
+    // which already includes /a2a/jsonrpc, so appending would double the path.
+    if (agentCard.url) {
+        return agentCard.url;
+    }
+    return `${serviceUrl.replace(/\/$/, "")}${A2A_JSONRPC_PATH}`;
+}
+//# sourceMappingURL=delegation.js.map

package/dist/cjs/delegation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation.js","sourceRoot":"","sources":["../../src/delegation.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,kEAAqE;AACrE,uEAAoE;AAGpE,iDAAkD;AAElD,2CAA+C;AA2B/C,MAAM,gBAAgB,GAAG,cAAc,CAAC;AACxC,MAAM,oBAAoB,GAAG,KAAK,CAAC;AACnC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC;AAEpD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAa,gBAAgB;IAK3B,YAAY,MAA0B,EAAE,OAA0C;;QAJlF,2CAA4B;QAC5B,gDAAkC;QAClC,8CAA6B;QAG3B,uBAAA,IAAI,4BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,+BAAc,OAAO,EAAE,SAAS,IAAI,IAAI,+BAAgB,EAAE,MAAA,CAAC;QAC/D,uBAAA,IAAI,iCAAgB,IAAI,mCAAmB,CAAC,IAAA,4BAAgB,EAAC,MAAM,CAAC,EAAE;YACpE,UAAU,EAAE,IAAI,2BAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,CAAC;SACnE,CAAC,MAAA,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,UAAkB,EAClB,IAAY,EACZ,OAAsB;QAEtB,MAAM,SAAS,GAAG,MAAM,uBAAA,IAAI,mCAAW,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACnE,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,yEAAoB,MAAxB,IAAI,EAAqB,UAAU,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAC1D,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,kEAAa,MAAjB,IAAI,EAChC,UAAU,EACV,OAAO,EACP,eAAe,EACf,OAAO,CAAC,SAAS,CAClB,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,CAAC;IACjD,CAAC;CA0DF;AA1FD,4CA0FC;0NAxDC,KAAK,+CAAqB,SAAiB,EAAE,YAAoB;IAC/D,MAAM,QAAQ,GAAG,MAAM,uBAAA,IAAI,qCAAa,CAAC,aAAa,CAAC;QACrD,YAAY;QACZ,gBAAgB,EAAE,+CAA+C;QACjE,QAAQ,EAAE,SAAS;KACpB,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC,WAAW,CAAC;AAC9B,CAAC,kCAED,KAAK,wCACH,UAAkB,EAClB,OAAgB,EAChB,WAAmB,EACnB,SAAS,GAAG,MAAM;IAElB,MAAM,WAAW,GAAG;QAClB,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;QACvB,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,EAAE,OAAO,EAAE;KACpB,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;QACvC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;YAC1B,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,CAAC,kBAAkB,CAAC,EAAE,oBAAoB;SAC3C;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;QACjC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;KACvC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,kBAAkB,QAAQ,CAAC,MAAM,GAAG,CACpF,CAAC;IACJ,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,oCAAoC,UAAU,qBAAqB,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,QAAQ,GAAG,IAAwE,CAAC;IAC1F,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,MAAM,QAAQ,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE,CAClG,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC;AACjC,CAAC;AAGH,SAAS,gBAAgB,CAAC,IAAY,EAAE,QAAkC;IACxE,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,UAAU,EAAE;QAC9B,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAC/B,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvB,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB,EAAE,SAAoB;IAC/D,4EAA4E;IAC5E,+EAA+E;IAC/E,2EAA2E;IAC3E,IAAI,SAAS,CAAC,GAAG,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC,GAAG,CAAC;IACvB,CAAC;IACD,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,gBAAgB,EAAE,CAAC;AAC/D,CAAC"}

package/dist/cjs/discovery.d.ts

@@ -0,0 +1,30 @@
+import type { AgentCard } from "@a2a-js/sdk";
+export type { AgentCard } from "@a2a-js/sdk";
+/**
+ * Fetches and caches agent cards from remote A2A services.
+ *
+ * Python equivalent: `keycardai.a2a.ServiceDiscovery`
+ */
+export declare class ServiceDiscovery {
+    #private;
+    constructor(options?: {
+        cacheTtlMs?: number;
+    });
+    /**
+     * Fetch the agent card from the given service URL.
+     * Validates that the card has a `name` field.
+     */
+    discoverService(serviceUrl: string): Promise<AgentCard>;
+    /**
+     * Return a cached agent card, fetching if absent or expired.
+     */
+    getServiceCard(serviceUrl: string, options?: {
+        forceRefresh?: boolean;
+    }): Promise<AgentCard>;
+    clearCache(): void;
+    getCacheStats(): {
+        size: number;
+        keys: string[];
+    };
+}
+//# sourceMappingURL=discovery.d.ts.map

package/dist/cjs/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,YAAY,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAU7C;;;;GAIG;AACH,qBAAa,gBAAgB;;gBAIf,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;IAI7C;;;OAGG;IACG,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAqB7D;;OAEG;IACG,cAAc,CAClB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,OAAO,CAAA;KAAE,GACnC,OAAO,CAAC,SAAS,CAAC;IAWrB,UAAU,IAAI,IAAI;IAIlB,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,EAAE,CAAA;KAAE;CAGlD"}

package/dist/cjs/discovery.js

@@ -0,0 +1,90 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _ServiceDiscovery_cacheTtlMs, _ServiceDiscovery_cache;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServiceDiscovery = void 0;
+const DEFAULT_CACHE_TTL_MS = 15 * 60 * 1000; // 15 minutes
+const AGENT_CARD_PATH = "/.well-known/agent-card.json";
+/**
+ * Fetches and caches agent cards from remote A2A services.
+ *
+ * Python equivalent: `keycardai.a2a.ServiceDiscovery`
+ */
+class ServiceDiscovery {
+    constructor(options) {
+        _ServiceDiscovery_cacheTtlMs.set(this, void 0);
+        _ServiceDiscovery_cache.set(this, new Map());
+        __classPrivateFieldSet(this, _ServiceDiscovery_cacheTtlMs, options?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS, "f");
+    }
+    /**
+     * Fetch the agent card from the given service URL.
+     * Validates that the card has a `name` field.
+     */
+    async discoverService(serviceUrl) {
+        const cardUrl = buildAgentCardUrl(serviceUrl);
+        const response = await fetch(cardUrl, {
+            headers: { Accept: "application/json" },
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!response.ok) {
+            throw new Error(`ServiceDiscovery: failed to fetch agent card from "${cardUrl}" (HTTP ${response.status})`);
+        }
+        let card;
+        try {
+            card = await response.json();
+        }
+        catch {
+            throw new Error(`ServiceDiscovery: agent card at "${cardUrl}" is not valid JSON`);
+        }
+        validateAgentCard(card, cardUrl);
+        return card;
+    }
+    /**
+     * Return a cached agent card, fetching if absent or expired.
+     */
+    async getServiceCard(serviceUrl, options) {
+        const key = normalizeUrl(serviceUrl);
+        const cached = __classPrivateFieldGet(this, _ServiceDiscovery_cache, "f").get(key);
+        if (!options?.forceRefresh && cached && Date.now() < cached.expiresAt) {
+            return cached.card;
+        }
+        const card = await this.discoverService(serviceUrl);
+        __classPrivateFieldGet(this, _ServiceDiscovery_cache, "f").set(key, { card, expiresAt: Date.now() + __classPrivateFieldGet(this, _ServiceDiscovery_cacheTtlMs, "f") });
+        return card;
+    }
+    clearCache() {
+        __classPrivateFieldGet(this, _ServiceDiscovery_cache, "f").clear();
+    }
+    getCacheStats() {
+        return { size: __classPrivateFieldGet(this, _ServiceDiscovery_cache, "f").size, keys: Array.from(__classPrivateFieldGet(this, _ServiceDiscovery_cache, "f").keys()) };
+    }
+}
+exports.ServiceDiscovery = ServiceDiscovery;
+_ServiceDiscovery_cacheTtlMs = new WeakMap(), _ServiceDiscovery_cache = new WeakMap();
+function buildAgentCardUrl(serviceUrl) {
+    const base = serviceUrl.endsWith("/") ? serviceUrl.slice(0, -1) : serviceUrl;
+    return `${base}${AGENT_CARD_PATH}`;
+}
+function normalizeUrl(url) {
+    return url.endsWith("/") ? url.slice(0, -1) : url;
+}
+function validateAgentCard(card, url) {
+    if (!card || typeof card !== "object" || Array.isArray(card)) {
+        throw new Error(`ServiceDiscovery: agent card at "${url}" is not a JSON object`);
+    }
+    const obj = card;
+    if (typeof obj.name !== "string" || !obj.name) {
+        throw new Error(`ServiceDiscovery: agent card at "${url}" is missing required field "name"`);
+    }
+}
+//# sourceMappingURL=discovery.js.map

package/dist/cjs/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAIA,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAC1D,MAAM,eAAe,GAAG,8BAA8B,CAAC;AAOvD;;;;GAIG;AACH,MAAa,gBAAgB;IAI3B,YAAY,OAAiC;QAH7C,+CAAoB;QACpB,kCAAS,IAAI,GAAG,EAAsB,EAAC;QAGrC,uBAAA,IAAI,gCAAe,OAAO,EAAE,UAAU,IAAI,oBAAoB,MAAA,CAAC;IACjE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CAAC,UAAkB;QACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,sDAAsD,OAAO,WAAW,QAAQ,CAAC,MAAM,GAAG,CAC3F,CAAC;QACJ,CAAC;QACD,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,qBAAqB,CAAC,CAAC;QACpF,CAAC;QACD,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACjC,OAAO,IAAiB,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,UAAkB,EAClB,OAAoC;QAEpC,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,uBAAA,IAAI,+BAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,OAAO,EAAE,YAAY,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACtE,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACpD,uBAAA,IAAI,+BAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAA,IAAI,oCAAY,EAAE,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU;QACR,uBAAA,IAAI,+BAAO,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED,aAAa;QACX,OAAO,EAAE,IAAI,EAAE,uBAAA,IAAI,+BAAO,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,uBAAA,IAAI,+BAAO,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;IAC1E,CAAC;CACF;AAzDD,4CAyDC;;AAED,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7E,OAAO,GAAG,IAAI,GAAG,eAAe,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAa,EAAE,GAAW;IACnD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oCAAoC,GAAG,wBAAwB,CAAC,CAAC;IACnF,CAAC;IACD,MAAM,GAAG,GAAG,IAA+B,CAAC;IAC5C,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,oCAAoC,GAAG,oCAAoC,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC"}