@kontext-dev/js-sdk 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/dist/adapters/ai/index.cjs +135 -58
  2. package/dist/adapters/ai/index.cjs.map +1 -1
  3. package/dist/adapters/ai/index.js +135 -58
  4. package/dist/adapters/ai/index.js.map +1 -1
  5. package/dist/adapters/cloudflare/index.cjs +28 -70
  6. package/dist/adapters/cloudflare/index.cjs.map +1 -1
  7. package/dist/adapters/cloudflare/index.js +28 -70
  8. package/dist/adapters/cloudflare/index.js.map +1 -1
  9. package/dist/client/index.cjs +14 -8
  10. package/dist/client/index.cjs.map +1 -1
  11. package/dist/client/index.js +14 -8
  12. package/dist/client/index.js.map +1 -1
  13. package/dist/index.cjs +15 -8
  14. package/dist/index.cjs.map +1 -1
  15. package/dist/index.js +15 -8
  16. package/dist/index.js.map +1 -1
  17. package/dist/mcp/index.cjs +9 -7
  18. package/dist/mcp/index.cjs.map +1 -1
  19. package/dist/mcp/index.d.cts +1 -0
  20. package/dist/mcp/index.d.ts +1 -0
  21. package/dist/mcp/index.js +9 -7
  22. package/dist/mcp/index.js.map +1 -1
  23. package/dist/server/index.cjs +1 -0
  24. package/dist/server/index.cjs.map +1 -1
  25. package/dist/server/index.js +1 -0
  26. package/dist/server/index.js.map +1 -1
  27. package/package.json +1 -1
package/dist/server/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/management/types.ts","../../src/errors.ts","../../src/oauth/token-exchange.ts","../../src/verify/errors.ts","../../src/verify/jwks-client.ts","../../src/verify/verifier.ts","../../src/server/sessions.ts","../../src/server/kontext.ts"],"names":["createRemoteJWKSet","jwtVerify","joseErrors","decodeProtectedHeader","createRequire","mcpHandler","mcpAuthMetadataRouter","getOAuthProtectedResourceMetadataUrl","requireBearerAuth","issuer","InvalidTokenError","createHash","sessionId","transport","isInitializeRequest","StreamableHTTPServerTransport"],"mappings":";;;;;;;;;;;;;;;AA2ZO,IAAM,yBAAA,GACX,iDAAA;AAKK,IAAM,uBAAA,GACX,+CAAA;;;ACpYK,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA;AAAA,EAE7B,YAAA,GAAe,IAAA;AAAA;AAAA,EAGf,IAAA;AAAA;AAAA,EAGA,UAAA;AAAA;AAAA,EAGA,OAAA;AAAA;AAAA,EAGA,SAAA;AAAA;AAAA,EAGA,IAAA;AAAA,EAET,WAAA,CACE,OAAA,EACA,IAAA,EACA,OAAA,EAMA;AACA,IAAA,KAAA,CAAM,OAAA,EAAS,EAAE,KAAA,EAAO,OAAA,EAAS,OAAO,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,aAAa,OAAA,EAAS,UAAA;AAC3B,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,IAAA,GAAO,OAAA,EAAS,IAAA,IAAQ,EAAC;AAC9B,IAAA,IAAA,CAAK,OAAA,GAAU,mCAAmC,IAAI,CAAA,CAAA;AACtD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAAA,EAClD;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO;AAAA,MACL,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,YAAY,IAAA,CAAK,UAAA;AAAA,MACjB,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,IAAA,EAAM,OAAO,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA,GAAS,CAAA,GAAI,IAAA,CAAK,IAAA,GAAO;AAAA,KACxD;AAAA,EACF;AAAA,EAES,QAAA,GAAmB;AAC1B,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,CAAA,EAAI,IAAA,CAAK,IAAI,CAAA,EAAA,EAAK,IAAA,CAAK,OAAO,CAAA,CAAE,CAAA;AAC/C,IAAA,IAAI,KAAK,OAAA,EAAS,KAAA,CAAM,KAAK,CAAA,MAAA,EAAS,IAAA,CAAK,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,IAAI,KAAK,SAAA,EAAW,KAAA,CAAM,KAAK,CAAA,YAAA,EAAe,IAAA,CAAK,SAAS,CAAA,CAAE,CAAA;AAC9D,IAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACxB;AACF,CAAA;AAsDO,IAAM,UAAA,GAAN,cAAyB,YAAA,CAAa;AAAA,EAClC,SAAA;AAAA,EACA,gBAAA;AAAA,EAET,WAAA,CACE,OAAA,EACA,IAAA,EACA,OAAA,EAQA;AACA,IAAA,KAAA,CAAM,SAAS,IAAA,EAAM;AAAA,MACnB,UAAA,EAAY,SAAS,UAAA,IAAc,GAAA;AAAA,MACnC,GAAG;AAAA,KACJ,CAAA;AACD,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,mBAAmB,OAAA,EAAS,gBAAA;AAAA,EACnC;AACF,CAAA;AASO,IAAM,kCAAA,GAAN,cAAiD,YAAA,CAAa;AAAA,EAC1D,aAAA;AAAA,EACA,eAAA;AAAA,EACA,UAAA;AAAA,EAET,WAAA,CACE,eACA,OAAA,EAQA;AACA,IAAA,KAAA;AAAA,MACE,OAAA,EAAS,OAAA,IACP,CAAA,2BAAA,EAA8B,aAAa,CAAA,kDAAA,CAAA;AAAA,MAC7C,yCAAA;AAAA,MACA,EAAE,UAAA,EAAY,GAAA,EAAK,GAAG,OAAA;AAAQ,KAChC;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,oCAAA;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,aAAA;AACrB,IAAA,IAAA,CAAK,kBAAkB,OAAA,EAAS,eAAA;AAChC,IAAA,IAAA,CAAK,aAAa,OAAA,EAAS,UAAA;AAAA,EAC7B;AACF;;;ACzIA,eAAsB,cACpB,MAAA,EACA,YAAA,EACA,QAAA,EACA,KAAA,EACA,mBAA2B,uBAAA,EACK;AAEhC,EAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,EAAA,IAAA,CAAK,GAAA,CAAI,cAAc,yBAAyB,CAAA;AAChD,EAAA,IAAA,CAAK,GAAA,CAAI,iBAAiB,YAAY,CAAA;AACtC,EAAA,IAAA,CAAK,GAAA,CAAI,sBAAsB,gBAAgB,CAAA;AAC/C,EAAA,IAAA,CAAK,GAAA,CAAI,YAAY,QAAQ,CAAA;AAQ7B,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,cAAA,EAAgB;AAAA,GAClB;AAEA,EAAA,IAAI,OAAO,YAAA,EAAc;AAEvB,IAAA,MAAM,cAAc,MAAA,CAAO,IAAA;AAAA,MACzB,CAAA,EAAG,MAAA,CAAO,QAAQ,CAAA,CAAA,EAAI,OAAO,YAAY,CAAA;AAAA,KAC3C,CAAE,SAAS,QAAQ,CAAA;AACnB,IAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,MAAA,EAAS,WAAW,CAAA,CAAA;AAAA,EACjD,CAAA,MAAO;AAEL,IAAA,IAAA,CAAK,GAAA,CAAI,WAAA,EAAa,MAAA,CAAO,QAAQ,CAAA;AAAA,EACvC;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,MAAA,CAAO,QAAA,EAAU;AAAA,IAC5C,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA;AAAA,IACA,IAAA,EAAM,KAAK,QAAA;AAAS,GACrB,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,IAAI,eAAe,CAAA,uBAAA,EAA0B,QAAA,CAAS,MAAM,CAAA,CAAA,EAAI,SAAS,UAAU,CAAA,CAAA;AACnF,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI,eAAA;AACJ,IAAA,IAAI,aAAA;AAEJ,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,SAAA,GAAY,SAAA,CAAU,KAAA;AACtB,MAAA,IAAI,UAAU,iBAAA,EAAmB;AAC/B,QAAA,YAAA,GAAe,SAAA,CAAU,iBAAA;AAAA,MAC3B,CAAA,MAAA,IAAW,UAAU,KAAA,EAAO;AAC1B,QAAA,YAAA,GAAe,CAAA,uBAAA,EAA0B,UAAU,KAAK,CAAA,CAAA;AAAA,MAC1D;AAGA,MAAA,IAAI,SAAA,CAAU,gBAAA,IAAoB,SAAA,CAAU,cAAA,EAAgB;AAC1D,QAAA,eAAA,GAAkB,SAAA,CAAU,gBAAA;AAC5B,QAAA,aAAA,GAAgB,SAAA,CAAU,cAAA;AAAA,MAC5B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,IAAI,UAAA,CAAW,YAAA,EAAc,qCAAA,EAAuC;AAAA,MACxE,SAAA;AAAA,MACA,IAAA,EAAM;AAAA,QACJ,eAAA;AAAA,QACA;AAAA;AACF,KACD,CAAA;AAAA,EACH;AAEA,EAAA,MAAM,aAAA,GAAiB,MAAM,QAAA,CAAS,IAAA,EAAK;AAG3C,EAAA,IAAI,CAAC,cAAc,YAAA,EAAc;AAC/B,IAAA,MAAM,IAAI,UAAA;AAAA,MACR,+CAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,cAAc,iBAAA,EAAmB;AACpC,IAAA,MAAM,IAAI,UAAA;AAAA,MACR,oDAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,cAAc,UAAA,EAAY;AAC7B,IAAA,MAAM,IAAI,UAAA;AAAA,MACR,6CAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,aAAA;AACT;;;AC9IO,IAAM,sBAAA,GAAN,MAAM,uBAAA,SAA+B,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EAET,WAAA,CAAY,MAAkC,OAAA,EAAiB;AAC7D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,uBAAA,CAAuB,SAAS,CAAA;AAAA,EAC9D;AACF,CAAA;;;ACVA,IAAM,oBAAA,GAAuB,IAAI,EAAA,GAAK,GAAA;AACtC,IAAM,8BAA8B,EAAA,GAAK,GAAA;AAQlC,IAAM,aAAN,MAAiB;AAAA,EACL,OAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,WAAA;AAAA,EAET,IAAA,GAA+B,IAAA;AAAA,EAC/B,WAAA,GAAc,CAAA;AAAA,EACd,aAAA,GAAgB,CAAA;AAAA,EAExB,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,OAAA,GAAU,IAAI,GAAA,CAAI,OAAA,CAAQ,OAAO,CAAA;AACtC,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,oBAAA;AACxC,IAAA,IAAA,CAAK,iBAAA,GACH,QAAQ,iBAAA,IAAqB,2BAAA;AAC/B,IAAA,IAAA,CAAK,cAAc,OAAA,CAAQ,KAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,cAAA,GAAkC;AAChC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,IAAA,IAAI,KAAK,IAAA,IAAQ,GAAA,GAAM,IAAA,CAAK,WAAA,GAAc,KAAK,UAAA,EAAY;AACzD,MAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,IACd;AAEA,IAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,MAAA,IAAA,CAAK,IAAA,GAAOA,uBAAA,CAAmB,IAAA,CAAK,OAAA,EAAS;AAAA;AAAA,QAE3C,GAAI,KAAK,WAAA,IAAe;AAAA,UACtB,iBAAC,MAAA,CAAO,GAAA,CAAI,OAAO,CAAC,GAAG,IAAA,CAAK;AAAA;AAC9B,OACD,CAAA;AACD,MAAA,IAAA,CAAK,WAAA,GAAc,GAAA;AAAA,IACrB;AAEA,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,GAAmB;AACjB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,EAAW,EAAG;AACtB,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,GAAA;AACrB,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,iBAAiB,IAAA,CAAK,iBAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,iBAAiB,GAAA,EAA4C;AAC3D,IAAA,IAAI,IAAA,CAAK,SAAQ,EAAG;AAElB,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAO,IAAI,sBAAA;AAAA,MACT,aAAA;AAAA,MACA,mBAAmB,GAAG,CAAA,2BAAA;AAAA,KACxB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AAAA,EAErB;AACF,CAAA;;;ACnHA,IAAM,2BAAA,GAA8B,EAAA;AACpC,IAAM,oBAAA,GAAuB,CAAC,OAAA,EAAS,OAAO,CAAA;AA0CvC,IAAM,uBAAN,MAA2B;AAAA,EACf,MAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EAEjB,YAAY,MAAA,EAAoC;AAC9C,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,cAAA,EAAgB,MAAA,CAAO,cAAA,IAAkB,EAAC;AAAA,MAC1C,UAAA,EAAY,MAAA,CAAO,UAAA,IAAc,CAAA,GAAI,EAAA,GAAK,GAAA;AAAA,MAC1C,iBAAA,EAAmB,MAAA,CAAO,iBAAA,IAAqB,EAAA,GAAK,GAAA;AAAA,MACpD,iBAAA,EACE,OAAO,iBAAA,IAAqB,2BAAA;AAAA,MAC9B,OAAO,MAAA,CAAO;AAAA,KAChB;AAEA,IAAA,IAAA,CAAK,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,QAAQ,IAC1C,MAAA,CAAO,QAAA,GACP,CAAC,MAAA,CAAO,QAAQ,CAAA;AAEpB,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,MAC/B,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,UAAA,EAAY,KAAK,MAAA,CAAO,UAAA;AAAA,MACxB,iBAAA,EAAmB,KAAK,MAAA,CAAO,iBAAA;AAAA,MAC/B,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAO,KAAA,EAAsC;AACjD,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,cAAA,CAAe,KAAA,EAAO,KAAK,CAAA;AAAA,IAC/C,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAM;AAAA,MACjC;AAGA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,OAAO,IAAI,sBAAA;AAAA,UACT,sBAAA;AAAA,UACA,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA;AAC5D,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,KAAA,EAAoD;AACrE,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA;AACtC,IAAA,OAAO,MAAA,CAAO,OAAA,GAAU,MAAA,CAAO,MAAA,GAAS,IAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,WAAW,UAAA,EAAW;AAAA,EAC7B;AAAA,EAEA,MAAc,cAAA,CACZ,KAAA,EACA,OAAA,EACuB;AACvB,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,UAAA,CAAW,cAAA,EAAe;AAE5C,IAAA,IAAI;AAEF,MAAA,MAAM,EAAE,OAAA,EAAS,eAAA,KAAoB,MAAMC,cAAA,CAAU,OAAO,IAAA,EAAM;AAAA,QAChE,MAAA,EAAQ,KAAK,MAAA,CAAO,MAAA;AAAA,QACpB,UAAU,IAAA,CAAK,SAAA;AAAA,QACf,cAAA,EAAgB,KAAK,MAAA,CAAO,iBAAA;AAAA,QAC5B,UAAA,EAAY;AAAA,OACb,CAAA;AAGD,MAAA,MAAM,MAAM,eAAA,CAAgB,GAAA;AAC5B,MAAA,IAAI,CAAC,oBAAA,CAAqB,QAAA,CAAS,GAAG,CAAA,EAAG;AACvC,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,uBAAA;AAAA,UACA,0BAA0B,GAAG,CAAA,mBAAA,EAAsB,oBAAA,CAAqB,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,SACpF;AAAA,MACF;AAGA,MAAA,MAAM,UAAA,GAAa,OAAA;AACnB,MAAA,IACE,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,IAC1B,CAAC,MAAA,CAAO,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,IAC/B,UAAA,CAAW,GAAA,IAAO,CAAA,EAClB;AACA,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,gBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA;AAChD,MAAA,KAAA,MAAW,QAAA,IAAY,IAAA,CAAK,MAAA,CAAO,cAAA,EAAgB;AACjD,QAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,EAAG;AAC9B,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,eAAA;AAAA,YACA,2BAA2B,QAAQ,CAAA;AAAA,WACrC;AAAA,QACF;AAAA,MACF;AAGA,MAAA,MAAM,QAAA,GAAW,UAAA,CAAW,SAAA,IAAa,UAAA,CAAW,GAAA;AACpD,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,gBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAA8B;AAAA,QAClC,GAAA,EAAK,WAAW,GAAA,IAAO,EAAA;AAAA,QACvB,QAAA;AAAA,QACA,MAAA;AAAA,QACA,SAAA,EAAW,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,GAAI,CAAA;AAAA,QACzC,KAAK,UAAA,CAAW,GAAA;AAAA,QAChB,OAAA,EAAS;AAAA,OACX;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAA,EAAO;AAAA,IACjC,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAA,YAAiBC,YAAW,iBAAA,EAAmB;AAEjD,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,MAAM,GAAA,GAAM,IAAA,CAAK,UAAA,CAAW,KAAK,CAAA;AACjC,UAAA,MAAM,YAAA,GAAe,KAAK,UAAA,CAAW,gBAAA;AAAA,YACnC,GAAA,IAAO;AAAA,WACT;AACA,UAAA,IAAI,CAAC,YAAA,EAAc;AAEjB,YAAA,OAAO,IAAA,CAAK,cAAA,CAAe,KAAA,EAAO,IAAI,CAAA;AAAA,UACxC;AACA,UAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,YAAA,EAAa;AAAA,QAC/C;AAEA,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,aAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,UAAA,EAAY;AAC1C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,eAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,wBAAA,EAA0B;AACxD,QAAA,MAAM,UAAU,KAAA,CAAM,OAAA;AACtB,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,MAAM,QAAA,GAAW,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,OAAO,MAAM,CAAA,GAC7C,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,GAC9B,KAAK,MAAA,CAAO,MAAA;AAChB,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,gBAAA;AAAA,cACA,4BAA4B,QAAQ,CAAA;AAAA;AACtC,WACF;AAAA,QACF;AACA,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,kBAAA;AAAA,cACA,CAAA,kCAAA,EAAqC,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAChE,WACF;AAAA,QACF;AACA,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,qBAAA;AAAA,cACA;AAAA;AACF,WACF;AAAA,QACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,8BAAA,EAAgC;AAC9D,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,mBAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,UAAA,EAAY;AAC1C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,sBAAA;AAAA,YACA,CAAA,aAAA,EAAgB,MAAM,OAAO,CAAA;AAAA;AAC/B,SACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,IAAI,sBAAA;AAAA,QACR,sBAAA;AAAA,QACA,CAAA,qBAAA,EAAyB,MAAgB,OAAO,CAAA;AAAA,OAClD;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,YAAY,KAAA,EAAqC;AACvD,IAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,IAAA,OAAO,KAAA,CACJ,KAAA,CAAM,GAAG,CAAA,CACT,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,EAAM,CAAA,CACnB,MAAA,CAAO,OAAO,CAAA;AAAA,EACnB;AAAA,EAEQ,WAAW,KAAA,EAA8B;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASC,2BAAsB,KAAK,CAAA;AAC1C,MAAA,OAAO,OAAO,GAAA,IAAO,IAAA;AAAA,IACvB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;;;AC3SO,IAAM,cAAA,GAAN,MAAM,eAAA,CAAe;AAAA,EACT,UAAA,uBAAiB,GAAA,EAGhC;AAAA,EACe,YAAA,uBAAmB,GAAA,EAAoB;AAAA,EACvC,SAAA,uBAAgB,GAAA,EAAoB;AAAA,EACpC,eAAA;AAAA,EAEjB,OAAwB,gBAAA,GAAmB,EAAA,GAAK,EAAA,GAAK,GAAA;AAAA;AAAA,EACrD,OAAwB,mBAAA,GAAsB,CAAA,GAAI,EAAA,GAAK,GAAA;AAAA;AAAA,EAEvD,WAAA,GAAc;AACZ,IAAA,IAAA,CAAK,eAAA,GAAkB,WAAA;AAAA,MACrB,MAAM,KAAK,oBAAA,EAAqB;AAAA,MAChC,eAAA,CAAe;AAAA,KACjB;AAEA,IAAA,IAAI,IAAA,CAAK,gBAAgB,KAAA,EAAO;AAC9B,MAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,IAC7B;AAAA,EACF;AAAA,EAEA,aAAa,SAAA,EAA8D;AACzE,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,SAAS,CAAA;AAAA,EACtC;AAAA,EAEA,eAAA,CACE,SAAA,EACA,SAAA,EACA,SAAA,EACA,SAAA,EACM;AACN,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,SAAA,EAAW,SAAS,CAAA;AACxC,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,SAAA,EAAW,IAAA,CAAK,KAAK,CAAA;AAC3C,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,SAAA,EAAW,SAAS,CAAA;AAAA,IACzC;AAEA,IAAA,SAAA,CAAU,UAAU,MAAM;AACxB,MAAA,IAAA,CAAK,cAAc,SAAS,CAAA;AAC5B,MAAA,SAAA,EAAW,kBAAkB,SAAS,CAAA;AAAA,IACxC,CAAA;AAAA,EACF;AAAA,EAEA,aAAa,SAAA,EAAyB;AACpC,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,SAAS,CAAA,EAAG;AAClC,MAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,SAAA,EAAW,IAAA,CAAK,KAAK,CAAA;AAAA,IAC7C;AAAA,EACF;AAAA,EAEA,cAAc,SAAA,EAAyB;AACrC,IAAA,IAAA,CAAK,UAAA,CAAW,OAAO,SAAS,CAAA;AAChC,IAAA,IAAA,CAAK,YAAA,CAAa,OAAO,SAAS,CAAA;AAClC,IAAA,IAAA,CAAK,SAAA,CAAU,OAAO,SAAS,CAAA;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAiB,SAAA,EAA4B;AAC3C,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,SAAS,CAAA;AACxC,IAAA,OAAO,GAAA,KAAQ,MAAA,IAAa,IAAA,CAAK,GAAA,KAAQ,GAAA,IAAQ,GAAA;AAAA,EACnD;AAAA,EAEQ,oBAAA,GAA6B;AACnC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,QAAQ,KAAK,IAAA,CAAK,YAAA,CAAa,SAAQ,EAAG;AACzD,MAAA,IAAI,GAAA,GAAM,QAAA,GAAW,eAAA,CAAe,gBAAA,EAAkB;AACpD,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA;AACzC,QAAA,IAAI,SAAA,EAAW;AACb,UAAA,KAAK,UAAU,KAAA,IAAQ;AAAA,QACzB;AACA,QAAA,IAAA,CAAK,cAAc,GAAG,CAAA;AAAA,MACxB;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAA,GAAgB;AACd,IAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAClC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,SAAS,KAAK,IAAA,CAAK,UAAA,CAAW,SAAQ,EAAG;AACxD,MAAA,KAAK,UAAU,KAAA,IAAQ;AACvB,MAAA,IAAA,CAAK,cAAc,GAAG,CAAA;AAAA,IACxB;AAAA,EACF;AACF,CAAA;;;ACnCA,IAAM,eAAA,GAAkB,yBAAA;AACxB,IAAM,qBAAA,GAAwB,KAAK,EAAA,GAAK,GAAA;AACxC,IAAM,4BAAA,GAA+B,GAAA;AACrC,IAAM,8BAAA,GAAiC,CAAA;AACvC,IAAM,mCAAmC,EAAA,GAAK,GAAA;AAE9C,IAAM,eAAe,MAAM;AACzB,EAAA,IAAI;AACF,IAAA,MAAM,UAAA,GAAaC,sBAAA,CAAc,2PAAe,CAAA;AAChD,IAAA,MAAM,GAAA,GAAM,WAAW,oBAAoB,CAAA;AAC3C,IAAA,OAAO,IAAI,OAAA,IAAW,SAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,SAAA;AAAA,EACT;AACF,CAAA,GAAG;AA0BI,IAAM,OAAA,GAAN,MAAM,QAAA,CAAQ;AAAA,EACnB,OAAwB,iBAAA,mBAAoB,IAAI,GAAA,EAAa;AAAA,EAC7D,OAAe,0BAAA,GAA6B,KAAA;AAAA,EAE3B,QAAA;AAAA,EACA,YAAA;AAAA,EACA,MAAA;AAAA,EACA,YAAA;AAAA;AAAA,EAGT,aAAA,GAAsC,IAAA;AAAA,EACtC,iBAAA,GAAoB,CAAA;AAAA,EACpB,eAAA,GAAiD,IAAA;AAAA;AAAA,EAGxC,eAAA,uBAAsB,GAAA,EAA8B;AAAA,EACpD,uBAAA,uBAA8B,GAAA,EAG7C;AAAA,EACe,gBAAA,uBAAuB,GAAA,EAAgC;AAAA,EACvD,kBAAA,uBAAyB,OAAA,EAGxC;AAAA,EACM,wBAAA,GAA2B,CAAA;AAAA;AAAA,EAG3B,YAAA,GAA8B,IAAA;AAAA,EAC9B,eAAA,GAAkB,CAAA;AAAA,EAClB,mBAAA,GAA8C,IAAA;AAAA;AAAA,EAGrC,eAAA,uBAAsB,GAAA,EAAoB;AAAA,EAC1C,yBAAA,uBAAgC,GAAA,EAAY;AAAA,EAE7D,YAAY,OAAA,EAAyB;AACnC,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,YAAA,GACH,OAAA,CAAQ,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AACtC,IAAA,IAAA,CAAK,UAAU,OAAA,CAAQ,MAAA,IAAU,eAAA,EAAiB,OAAA,CAAQ,OAAO,EAAE,CAAA;AACnE,IAAA,MAAM,kBAAkB,KAAA,CAAM,OAAA,CAAQ,QAAQ,WAAW,CAAA,GACrD,QAAQ,WAAA,GACR,OAAA,CAAQ,cACN,OAAA,CAAQ,WAAA,CAAY,MAAM,GAAG,CAAA,GAC7B,QAAQ,GAAA,CAAI,oBAAA,EAAsB,MAAM,GAAG,CAAA;AACjD,IAAA,IAAA,CAAK,eAAe,KAAA,CAAM,IAAA;AAAA,MACxB,IAAI,GAAA,CAAI,eAAA,EAAiB,GAAA,CAAI,CAAC,MAAA,KAAW,MAAA,CAAO,IAAA,EAAM,CAAA,CAAE,MAAA,CAAO,OAAO,CAAC;AAAA,KACzE;AAEA,IAAA,QAAA,CAAQ,iBAAA,CAAkB,IAAI,IAAI,CAAA;AAClC,IAAA,QAAA,CAAQ,sBAAA,EAAuB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAA,GAAyB;AAC7B,IAAA,MAAM,KAAK,qBAAA,EAAsB;AACjC,IAAA,QAAA,CAAQ,iBAAA,CAAkB,OAAO,IAAI,CAAA;AACrC,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAC3B,IAAA,IAAA,CAAK,wBAAwB,KAAA,EAAM;AACnC,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAA;AACrB,IAAA,IAAA,CAAK,iBAAA,GAAoB,CAAA;AACzB,IAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AACvB,IAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AACpB,IAAA,IAAA,CAAK,eAAA,GAAkB,CAAA;AACvB,IAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAC3B,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAC3B,IAAA,IAAA,CAAK,0BAA0B,KAAA,EAAM;AAAA,EACvC;AAAA,EAEA,OAAe,sBAAA,GAA+B;AAC5C,IAAA,IAAI,SAAQ,0BAAA,EAA4B;AAExC,IAAA,MAAM,aAAa,MAAM;AACvB,MAAA,KAAA,MAAW,QAAA,IAAY,SAAQ,iBAAA,EAAmB;AAChD,QAAA,KAAK,SAAS,qBAAA,EAAsB;AAAA,MACtC;AAAA,IACF,CAAA;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK,UAAU,UAAU,CAAA;AACjC,IAAA,OAAA,CAAQ,IAAA,CAAK,WAAW,UAAU,CAAA;AAClC,IAAA,QAAA,CAAQ,0BAAA,GAA6B,IAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiCA,UAAA,CAAW,QAA4B,OAAA,EAAqC;AAE1E,IAAA,MAAM,UAAA,GAAaA,sBAAA,CAAc,2PAAe,CAAA;AAChD,IAAA,MAAM,OAAA,GAAU,WAAW,SAAS,CAAA;AACpC,IAAA,MAAM,MAAA,GAAS,QAAQ,MAAA,EAAO;AAE9B,IAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,MAAA;AACpC,IAAA,MAAM,cAAA,GAAiB,IAAI,cAAA,EAAe;AAC1C,IAAA,MAAM,QAAA,GAAW,SAAS,mBAAA,IAAuB,KAAA;AAIjD,IAAA,MAAA,CAAO,GAAA,CAAI,CAAC,IAAA,EAAe,GAAA,EAAe,IAAA,KAAuB;AAC/D,MAAA,GAAA,CAAI,MAAA,CAAO,+BAA+B,GAAG,CAAA;AAC7C,MAAA,GAAA,CAAI,MAAA;AAAA,QACF,8BAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,GAAA,CAAI,MAAA,CAAO,iCAAiC,gBAAgB,CAAA;AAC5D,MAAA,GAAA,CAAI,MAAA,CAAO,gCAAgC,4BAA4B,CAAA;AACvE,MAAA,IAAI,IAAA,CAAK,WAAW,SAAA,EAAW;AAC7B,QAAA,GAAA,CAAI,WAAW,GAAG,CAAA;AAClB,QAAA;AAAA,MACF;AACA,MAAA,IAAA,EAAK;AAAA,IACP,CAAC,CAAA;AAED,IAAA,IAAI,QAAA,EAAU;AACZ,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OACF;AAGA,MAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,IAAA,CAAK,EAAE,OAAO,OAAA,EAAS,SAAA,IAAa,KAAA,EAAO,CAAC,CAAA;AACxE,MAAA,MAAMC,cAAa,IAAA,CAAK,gBAAA;AAAA,QACtB,MAAA;AAAA,QACA,cAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,MAAA,CAAO,IAAA,CAAK,OAAA,EAASA,WAAAA,CAAW,IAAI,CAAA;AACpC,MAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAASA,WAAAA,CAAW,GAAG,CAAA;AAClC,MAAA,MAAA,CAAO,MAAA,CAAO,OAAA,EAASA,WAAAA,CAAW,MAAM,CAAA;AAExC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,cAAA,GAAiB,OACrB,GAAA,KACgC;AAChC,MAAA,MAAM,WAAW,IAAA,CAAK,sBAAA;AAAA,QACpB,MAAM,KAAK,gBAAA,EAAiB;AAAA,QAC5B,OAAA,EAAS;AAAA,OACX;AACA,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,wBAAA,CAAyB,GAAA,EAAK,SAAS,OAAO,CAAA;AACjE,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,QACV,QAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF,CAAA;AAKA,IAAA,MAAA,CAAO,GAAA,CAAI,OAAO,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACpE,MAAA,MAAM,IAAA,GAAO,GAAA,CAAI,IAAA,IAAQ,GAAA,CAAI,GAAA,IAAO,EAAA;AACpC,MAAA,MAAM,oBACJ,IAAA,CAAK,UAAA,CAAW,yCAAyC,CAAA,IACzD,IAAA,CAAK,WAAW,uCAAuC,CAAA;AAEzD,MAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,QAAA,IAAA,EAAK;AACL,QAAA;AAAA,MACF;AAEA,MAAA,IAAI;AACF,QAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,QAAA,WAAA,CAAY,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,MAC3C,SAAS,KAAA,EAAO;AACd,QAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AAAA,MAC1C;AAAA,IACF,CAAC,CAAA;AAGD,IAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,IAAA,CAAK,EAAE,OAAO,OAAA,EAAS,SAAA,IAAa,KAAA,EAAO,CAAC,CAAA;AAExE,IAAA,MAAM,aAAa,IAAA,CAAK,gBAAA;AAAA,MACtB,MAAA;AAAA,MACA,cAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAA,CAAO,IAAA,CAAK,OAAA,EAAS,UAAA,CAAW,IAAI,CAAA;AACpC,IAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,UAAA,CAAW,GAAG,CAAA;AAClC,IAAA,MAAA,CAAO,MAAA,CAAO,OAAA,EAAS,UAAA,CAAW,MAAM,CAAA;AAExC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,OAAA,CACJ,WAAA,EACA,KAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,wBAAwB,GAAG,CAAA;AAGhC,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAW,CAAA,EAAA,EAAK,KAAK,CAAA,CAAA;AACzC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,MAAA,IAAU,GAAA,GAAM,MAAA,CAAO,SAAA,EAAW;AAEpC,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,QAAQ,CAAA;AACpC,MAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AACzC,MAAA,OAAO,MAAA,CAAO,UAAA;AAAA,IAChB;AACA,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,QAAQ,CAAA;AAAA,IACtC;AAGA,IAAA,MAAM,cAAA,GAAsC;AAAA,MAC1C,QAAA,EAAU,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,aAAA,CAAA;AAAA,MACxB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,cAAc,IAAA,CAAK;AAAA,KACrB;AAEA,IAAA,IAAI,QAAA;AACJ,IAAA,IAAI;AACF,MAAA,QAAA,GAAW,MAAM,aAAA,CAAc,cAAA,EAAgB,KAAA,EAAO,WAAW,CAAA;AAAA,IACnE,SAAS,GAAA,EAAK;AAIZ,MAAA,IAAI,eAAe,UAAA,EAAY;AAC7B,QAAA,IACE,IAAI,SAAA,KAAc,sBAAA,IAClB,GAAA,CAAI,OAAA,CAAQ,SAAS,eAAe,CAAA,IACnC,GAAA,CAAI,OAAA,CAAQ,SAAS,SAAS,CAAA,IAAK,IAAI,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA,EACpE;AACA,UAAA,MAAM,aAAA,GACH,GAAA,CAAI,IAAA,CAAK,aAAA,IAA4B,WAAA;AACxC,UAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,eAAA;AAAA,YAC5B,KAAA;AAAA,YACA,aAAA;AAAA,YACA;AAAA,WACF;AACA,UAAA,MAAM,IAAI,mCAAmC,aAAA,EAAe;AAAA,YAC1D,eAAA,EAAiB,IAAI,IAAA,CAAK,eAAA;AAAA,YAC1B,UAAA;AAAA,YACA,SAAS,GAAA,CAAI;AAAA,WACd,CAAA;AAAA,QACH;AAAA,MACF;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAEA,IAAA,MAAM,UAAA,GAAoC;AAAA,MACxC,aAAa,QAAA,CAAS,YAAA;AAAA,MACtB,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB,eAAe,CAAA,EAAG,QAAA,CAAS,UAAU,CAAA,CAAA,EAAI,SAAS,YAAY,CAAA,CAAA;AAAA,MAC9D,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB;AAAA,KACF;AAGA,IAAA,IAAI,SAAS,UAAA,EAAY;AACvB,MAAA,MAAM,KAAA,GAAQ,KAAK,GAAA,CAAI,QAAA,CAAS,aAAa,EAAA,EAAI,CAAA,GAAI,EAAE,CAAA,GAAI,GAAA;AAC3D,MAAA,IAAI,QAAQ,CAAA,EAAG;AACb,QAAA,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,eAAA,EAAiB,4BAA4B,CAAA;AACtE,QAAA,IAAA,CAAK,eAAA,CAAgB,IAAI,QAAA,EAAU;AAAA,UACjC,UAAA;AAAA,UACA,WAAW,GAAA,GAAM;AAAA,SAClB,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,kBAAA,CACJ,WAAA,EACA,KAAA,EACyC;AACzC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,gCAAgC,GAAG,CAAA;AAExC,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAW,CAAA,EAAA,EAAK,KAAK,CAAA,sBAAA,CAAA;AACzC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,uBAAA,CAAwB,GAAA,CAAI,QAAQ,CAAA;AACxD,IAAA,IAAI,MAAA,IAAU,GAAA,GAAM,MAAA,CAAO,SAAA,EAAW;AACpC,MAAA,IAAA,CAAK,uBAAA,CAAwB,OAAO,QAAQ,CAAA;AAC5C,MAAA,IAAA,CAAK,uBAAA,CAAwB,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AACjD,MAAA,OAAO,MAAA,CAAO,UAAA;AAAA,IAChB;AACA,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,CAAK,uBAAA,CAAwB,OAAO,QAAQ,CAAA;AAAA,IAC9C;AAEA,IAAA,MAAM,cAAA,GAAsC;AAAA,MAC1C,QAAA,EAAU,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,aAAA,CAAA;AAAA,MACxB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,cAAc,IAAA,CAAK;AAAA,KACrB;AAEA,IAAA,IAAI,kBAAA,GAAqB,KAAA;AACzB,IAAA,IAAI,CAAC,IAAA,CAAK,oBAAA,CAAqB,KAAK,CAAA,EAAG;AACrC,MAAA,IAAI;AACF,QAAA,MAAM,YAAY,MAAM,aAAA;AAAA,UACtB,cAAA;AAAA,UACA,KAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,kBAAA,GAAqB,SAAA,CAAU,YAAA;AAAA,MACjC,SAAS,GAAA,EAAK;AACZ,QAAA,MAAM,IAAI,UAAA;AAAA,UACR,8CAAA;AAAA,UACA,qCAAA;AAAA,UACA;AAAA,YACE,SAAA,EAAW,6BAAA;AAAA,YACX,kBACE,GAAA,YAAe,KAAA,GACX,IAAI,OAAA,GACJ,MAAA,CAAO,OAAO,eAAe;AAAA;AACrC,SACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,2BAAA;AAAA,MAC/B,WAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,MAAM,MAAM,KAAA;AAAA,MAChB,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,kBAAA,EAAqB,aAAa,CAAA,oBAAA,CAAA;AAAA,MAChD;AAAA,QACE,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,kBAAkB,CAAA,CAAA;AAAA,UAC3C,cAAA,EAAgB;AAAA,SAClB;AAAA,QACA,IAAA,EAAM;AAAA;AACR,KACF;AAEA,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,MAAA,MAAM,OAAA,GACJ,IAAA,IAAQ,IAAA,CAAK,IAAA,EAAK,CAAE,SAAS,CAAA,GACzB,IAAA,GACA,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,CAAA,4BAAA,CAAA;AAExB,MAAA,IACE,GAAA,CAAI,WAAW,GAAA,IACf,OAAA,CAAQ,aAAY,CAAE,QAAA,CAAS,sBAAsB,CAAA,EACrD;AACA,QAAA,MAAM,IAAI,mCAAmC,aAAA,EAAe;AAAA,UAC1D,eAAA,EAAiB,OAAO,WAAW,CAAA;AAAA,UACnC;AAAA,SACD,CAAA;AAAA,MACH;AAEA,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,iDAAiD,aAAa,CAAA,CAAA;AAAA,QAC9D,oCAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,4BAAA;AAAA,UACX,gBAAA,EAAkB;AAAA;AACpB,OACF;AAAA,IACF;AAEA,IAAA,MAAM,OAAA,GAAW,MAAM,GAAA,CAAI,IAAA,EAAK;AAKhC,IAAA,IACE,CAAC,OAAA,CAAQ,WAAA,IACT,OAAO,OAAA,CAAQ,WAAA,KAAgB,QAAA,IAC/B,KAAA,CAAM,OAAA,CAAQ,OAAA,CAAQ,WAAW,CAAA,EACjC;AACA,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,6CAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,cAAsC,EAAC;AAC7C,IAAA,KAAA,MAAW,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAA,CAAQ,OAAA,CAAQ,WAAW,CAAA,EAAG;AAC9D,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,WAAA,CAAY,GAAG,CAAA,GAAI,KAAA;AAAA,MACrB;AAAA,IACF;AAEA,IAAA,IAAI,MAAA,CAAO,IAAA,CAAK,WAAW,CAAA,CAAE,WAAW,CAAA,EAAG;AACzC,MAAA,MAAM,IAAI,mCAAmC,aAAA,EAAe;AAAA,QAC1D,eAAA,EAAiB,OAAO,WAAW,CAAA;AAAA,QACnC,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,QAAA,GAA2C;AAAA,MAC/C,WAAA;AAAA,MACA,aAAA,EAAe,QAAQ,aAAA,IAAiB,aAAA;AAAA,MACxC;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,cAAA;AAAA,MACH,IAAA,CAAK,uBAAA;AAAA,MACL;AAAA,KACF;AACA,IAAA,IAAA,CAAK,uBAAA,CAAwB,IAAI,QAAA,EAAU;AAAA,MACzC,UAAA,EAAY,QAAA;AAAA,MACZ,WAAW,GAAA,GAAM;AAAA,KAClB,CAAA;AAED,IAAA,OAAO,QAAA;AAAA,EACT;AAAA,EAEQ,mBAAA,GAAmC;AACzC,IAAA,uBAAO,IAAI,GAAA,CAAI,CAAC,CAAA,EAAG,IAAI,GAAA,CAAI,IAAA,CAAK,MAAM,CAAA,CAAE,MAAM,CAAA,IAAA,CAAA,EAAQ,aAAa,CAAC,CAAA;AAAA,EACtE;AAAA,EAEQ,qBAAqB,KAAA,EAAwB;AACnD,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,qBAAA,CAAsB,KAAK,CAAA;AAClD,IAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,MAAM,gBAAA,GAAmB,KAAK,mBAAA,EAAoB;AAClD,IAAA,OAAO,UAAU,IAAA,CAAK,CAAC,aAAa,gBAAA,CAAiB,GAAA,CAAI,QAAQ,CAAC,CAAA;AAAA,EACpE;AAAA,EAEQ,sBAAsB,KAAA,EAAyB;AACrD,IAAA,MAAM,GAAG,WAAW,CAAA,GAAI,KAAA,CAAM,MAAM,GAAG,CAAA;AACvC,IAAA,IAAI,CAAC,WAAA,EAAa,OAAO,EAAC;AAC1B,IAAA,IAAI;AACF,MAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,QACnB,OAAO,IAAA,CAAK,WAAA,EAAa,WAAW,CAAA,CAAE,SAAS,MAAM;AAAA,OACvD;AACA,MAAA,IAAI,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,EAAU;AACnC,QAAA,OAAO,CAAC,QAAQ,GAAG,CAAA;AAAA,MACrB;AACA,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC9B,QAAA,OAAO,QAAQ,GAAA,CAAI,MAAA;AAAA,UACjB,CAAC,KAAA,KAA2B,OAAO,KAAA,KAAU;AAAA,SAC/C;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,2BAAA,CACZ,WAAA,EACA,YAAA,EACiB;AACjB,IAAA,MAAM,GAAA,GAAM,OAAO,WAAW,CAAA;AAC9B,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA,EAAG;AACpB,MAAA,OAAO,GAAA;AAAA,IACT;AAEA,IAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,iBAAA,CAAA,EAAqB;AAAA,MACzD,OAAA,EAAS;AAAA,QACP,aAAA,EAAe,UAAU,YAAY,CAAA;AAAA;AACvC,KACD,CAAA;AACD,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,0CAAA;AAAA,QACA,mCAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,2BAAA;AAAA,UACX,gBAAA,EAAkB,IAAA,IAAQ,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,CAAA;AAAA;AAC9C,OACF;AAAA,IACF;AAEA,IAAA,MAAM,OAAA,GAAW,MAAM,GAAA,CAAI,IAAA,EAAK;AAGhC,IAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,OAAA,CAAQ,KAAK,CAAA,GAAI,OAAA,CAAQ,QAAQ,EAAC;AAC9D,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,IAAA,CAAK,CAAC,IAAA,KAAS,KAAK,EAAA,KAAO,GAAA,IAAO,IAAA,CAAK,IAAA,KAAS,GAAG,CAAA;AACvE,IAAA,MAAM,gBAAgB,KAAA,EAAO,EAAA;AAC7B,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,MAAM,IAAI,mCAAmC,GAAA,EAAK;AAAA,QAChD,eAAA,EAAiB,GAAA;AAAA,QACjB,OAAA,EAAS,eAAe,GAAG,CAAA,oCAAA;AAAA,OAC5B,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,aAAA;AAAA,EACT;AAAA,EAEQ,OAAO,KAAA,EAAwB;AACrC,IAAA,OAAO,4EAAA,CAA6E,IAAA;AAAA,MAClF;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAc,eAAA,CACZ,YAAA,EACA,aAAA,EACA,cAAA,EAC6B;AAC7B,IAAA,IAAI;AAEF,MAAA,MAAM,eAAe,MAAM,aAAA;AAAA,QACzB,cAAA;AAAA,QACA,YAAA;AAAA,QACA;AAAA,OACF;AAGA,MAAA,MAAM,OAAA,GAAU,CAAA,EAAG,IAAA,CAAK,MAAM,qBAAqB,aAAa,CAAA,WAAA,CAAA;AAChE,MAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,OAAA,EAAS;AAAA,QAC/B,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,CAAA,OAAA,EAAU,YAAA,CAAa,YAAY,CAAA,CAAA;AAAA,UAClD,cAAA,EAAgB;AAAA,SAClB;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,EAAE;AAAA,OACxB,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,CAAA,kDAAA,EAAqD,GAAA,CAAI,MAAM,CAAA,EAAA,EAAK,IAAI,CAAA;AAAA,SAC1E;AACA,QAAA,OAAO,KAAA,CAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAM7B,MAAA,OAAO,IAAA,CAAK,cAAc,IAAA,CAAK,gBAAA;AAAA,IACjC,SAAS,GAAA,EAAK;AAIZ,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,CAAA,iCAAA,CAAA;AAAA,QACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,OACjD;AACA,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,gBAAA,GAA2C;AACvD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IACE,IAAA,CAAK,aAAA,IACL,GAAA,GAAM,IAAA,CAAK,oBAAoB,qBAAA,EAC/B;AACA,MAAA,OAAO,IAAA,CAAK,aAAA;AAAA,IACd;AAEA,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,OAAO,IAAA,CAAK,eAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,kBAAA,EAAmB;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,eAAA;AAC5B,MAAA,IAAA,CAAK,aAAA,GAAgB,QAAA;AACrB,MAAA,IAAA,CAAK,iBAAA,GAAoB,KAAK,GAAA,EAAI;AAClC,MAAA,OAAO,QAAA;AAAA,IACT,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AAAA,IACzB;AAAA,EACF;AAAA,EAEQ,sBAAA,CACN,UACA,iBAAA,EACe;AACf,IAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,MAAA,OAAO,QAAA;AAAA,IACT;AAGA,IAAA,OAAO,iBAAA,CAAkB,IAAA,CAAK,kBAAA,CAAmB,QAAQ,CAAC,CAAA;AAAA,EAC5D;AAAA,EAEQ,mBAAmB,QAAA,EAAwC;AACjE,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAc,kBAAA,GAA6C;AAEzD,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,CAAA,EAAG,KAAK,MAAM,CAAA,uCAAA,CAAA;AAAA,MACd,CAAA,EAAG,KAAK,MAAM,CAAA,iCAAA;AAAA,KAChB;AAEA,IAAA,IAAI,SAAA;AACJ,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,IAAI;AACF,QAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,QAAA,IAAI,IAAI,EAAA,EAAI;AACV,UAAA,OAAQ,MAAM,IAAI,IAAA,EAAK;AAAA,QACzB;AAAA,MACF,SAAS,GAAA,EAAK;AACZ,QAAA,SAAA,GAAY,eAAe,KAAA,GAAQ,GAAA,GAAM,IAAI,KAAA,CAAM,MAAA,CAAO,GAAG,CAAC,CAAA;AAAA,MAChE;AAAA,IACF;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,oCAAoC,IAAA,CAAK,MAAM,CAAA,EAAA,EAAK,SAAA,EAAW,WAAW,eAAe,CAAA;AAAA,KAC3F;AAAA,EACF;AAAA,EAEQ,wBAAA,CACN,GAAA,EACA,OAAA,EACA,OAAA,EACK;AACL,IAAA,IAAI,SAAS,iBAAA,EAAmB;AAC9B,MAAA,OAAO,IAAI,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA;AAAA,IAC1C;AACA,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,GAAA,CAAI,MAAM,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,OAAO,IAAI,IAAI,CAAA,EAAG,GAAA,CAAI,QAAQ,CAAA,GAAA,EAAM,IAAI,CAAA,EAAG,OAAO,CAAA,CAAE,CAAA;AAAA,EACtD;AAAA,EAEQ,6BAAA,CACN,QAAA,EACA,KAAA,EACA,cAAA,EACoB;AACpB,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,sBAAA,CAAuB,KAAA,EAAO,cAAc,CAAA;AAC7D,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,GAAG,CAAA;AAC5C,IAAA,IAAI,MAAA,EAAQ;AAEV,MAAA,IAAA,CAAK,gBAAA,CAAiB,OAAO,GAAG,CAAA;AAChC,MAAA,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,GAAA,EAAK,MAAM,CAAA;AACrC,MAAA,OAAO,MAAA;AAAA,IACT;AAIA,IAAA,MAAM,eAAA,GAAkB,EAAE,GAAG,QAAA,EAAU,QAAQ,CAAA,EAAG,KAAA,CAAM,MAAM,CAAA,CAAA,CAAA,EAAI;AAClE,IAAA,MAAM,iBAAiBC,+BAAA,CAAsB;AAAA,MAC3C,aAAA,EAAe,eAAA;AAAA,MACf,iBAAA,EAAmB;AAAA,KACpB,CAAA;AACD,IAAA,MAAM,mBAAA,GAAsBC,+CAAqC,KAAK,CAAA;AACtE,IAAA,MAAM,QAAA,GACJ,cAAA,IAAkB,IAAA,CAAK,mBAAA,CAAoB,UAAU,KAAK,CAAA;AAC5D,IAAA,MAAM,WAAA,GAAkC;AAAA,MACtC,cAAA;AAAA,MACA,YAAYC,+BAAA,CAAkB;AAAA,QAC5B,QAAA;AAAA,QACA;AAAA,OACD;AAAA,KACH;AAEA,IAAA,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,gBAAA,EAAkB,8BAA8B,CAAA;AACzE,IAAA,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,GAAA,EAAK,WAAW,CAAA;AAC1C,IAAA,OAAO,WAAA;AAAA,EACT;AAAA,EAEQ,sBAAA,CACN,OACA,cAAA,EACQ;AACR,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,OAAO,CAAA,EAAG,MAAM,IAAI,CAAA,SAAA,CAAA;AAAA,IACtB;AAEA,IAAA,IAAI,UAAA,GAAa,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,cAAc,CAAA;AAC3D,IAAA,IAAI,eAAe,MAAA,EAAW;AAC5B,MAAA,UAAA,GAAa,EAAE,IAAA,CAAK,wBAAA;AACpB,MAAA,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,cAAA,EAAgB,UAAU,CAAA;AAAA,IACxD;AAEA,IAAA,OAAO,CAAA,EAAG,KAAA,CAAM,IAAI,CAAA,SAAA,EAAY,UAAU,CAAA,CAAA;AAAA,EAC5C;AAAA,EAEQ,wBAAA,CAAyB,KAAe,KAAA,EAAsB;AACpE,IAAA,MAAM,UAAU,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU,OAAO,KAAK,CAAA;AACrE,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,uCAAA,EAA0C,OAAO,CAAA,CAAE,CAAA;AACjE,IAAA,IAAI,IAAI,WAAA,EAAa;AACrB,IAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,qBAAA;AAAA,MACP,iBAAA,EACE;AAAA,KACH,CAAA;AAAA,EACH;AAAA,EAEQ,wBAAwB,GAAA,EAAmB;AACjD,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,eAAA,CAAgB,SAAQ,EAAG;AACzD,MAAA,IAAI,KAAA,CAAM,aAAa,GAAA,EAAK;AAC1B,QAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,GAAG,CAAA;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,gCAAgC,GAAA,EAAmB;AACzD,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,uBAAA,CAAwB,SAAQ,EAAG;AACjE,MAAA,IAAI,KAAA,CAAM,aAAa,GAAA,EAAK;AAC1B,QAAA,IAAA,CAAK,uBAAA,CAAwB,OAAO,GAAG,CAAA;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,cAAA,CAAkB,OAAuB,UAAA,EAA0B;AACzE,IAAA,OAAO,KAAA,CAAM,QAAQ,UAAA,EAAY;AAC/B,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,IAAA,EAAK,CAAE,MAAK,CAAE,KAAA;AACtC,MAAA,IAAI,CAAC,SAAA,EAAW;AAChB,MAAA,KAAA,CAAM,OAAO,SAAS,CAAA;AAAA,IACxB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMQ,mBAAA,CACN,UACA,WAAA,EACoB;AACpB,IAAA,MAAM,WAAA,GAAc,QAAA;AACpB,IAAA,MAAM,OAAA,GACH,WAAA,CAAY,QAAA,IACb,CAAA,EAAG,KAAK,MAAM,CAAA,sBAAA,CAAA;AAChB,IAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAEtB,IAAA,MAAM,UAAU,KAAA,CAAM,IAAA;AAAA,MACpB,IAAI,GAAA;AAAA,QACF,CAAC,QAAA,CAAS,MAAA,EAAQ,GAAG,IAAA,CAAK,YAAY,CAAA,CAAE,MAAA;AAAA,UACtC,CAACC,OAAAA,KAA6B,OAAOA,OAAAA,KAAW,QAAA,IAAY,CAAC,CAACA;AAAA;AAChE;AACF,KACF;AACA,IAAA,IAAI,CAAC,QAAQ,MAAA,EAAQ;AACnB,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AACA,IAAA,MAAM,SACJ,OAAA,CAAQ,MAAA,KAAW,CAAA,GAAI,OAAA,CAAQ,CAAC,CAAA,GAAK,OAAA;AAEvC,IAAA,MAAM,QAAA,GAAW,IAAI,oBAAA,CAAqB;AAAA,MACxC,OAAA,EAAS,OAAA;AAAA,MACT,MAAA;AAAA,MACA,UAAU,WAAA,CAAY;AAAA,KACvB,CAAA;AAED,IAAA,OAAO;AAAA,MACL,MAAM,kBAAkB,KAAA,EAAkC;AACxD,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,MAAA,CAAO,KAAK,CAAA;AAE1C,QAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,UAAA,MAAM,IAAIC,2BAAA;AAAA,YACR,CAAA,2BAAA,EAA8B,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA;AAAA,WACpD;AAAA,QACF;AAEA,QAAA,MAAM,EAAE,QAAO,GAAI,MAAA;AACnB,QAAA,MAAM,UAAU,MAAA,CAAO,OAAA;AACvB,QAAA,MAAM,GAAA,GAAO,OAAA,CAAQ,GAAA,IAA+C,EAAC;AAErE,QAAA,OAAO;AAAA,UACL,KAAA;AAAA,UACA,QAAA,EAAU,OAAO,QAAA,IAAY,QAAA;AAAA,UAC7B,QAAQ,MAAA,CAAO,MAAA;AAAA,UACf,WAAW,IAAA,CAAK,KAAA,CAAM,OAAO,SAAA,CAAU,OAAA,KAAY,GAAI,CAAA;AAAA,UACvD,KAAA,EAAO;AAAA,YACL,GAAG,GAAA;AAAA,YACH,KAAK,MAAA,CAAO,GAAA;AAAA,YACZ,KAAA,EAAO,OAAA,CAAQ,KAAA,IAAS,GAAA,CAAI;AAAA;AAC9B,SACF;AAAA,MACF;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,eAAA,GAAmC;AAC/C,IAAA,IAAI,KAAK,YAAA,IAAgB,IAAA,CAAK,KAAI,GAAI,IAAA,CAAK,kBAAkB,GAAA,EAAQ;AACnE,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd;AAEA,IAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,MAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,uBAAuB,YAAY;AACtC,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,aAAA,CAAA,EAAiB;AAAA,QACrD,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,mCAAA;AAAA,UAChB,aAAA,EAAe,CAAA,MAAA,EAAS,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,QAAA,GAAW,GAAA,GAAM,IAAA,CAAK,YAAY,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAC,CAAA;AAAA,SACjG;AAAA,QACA,IAAA,EAAM;AAAA,OACP,CAAA;AACD,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,0DAAA,EAA6D,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA;AAAA,SACjF;AAAA,MACF;AACA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAI7B,MAAA,IAAA,CAAK,eAAe,IAAA,CAAK,YAAA;AACzB,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA,CAAK,GAAA,EAAI,GAAI,KAAK,UAAA,GAAa,GAAA;AACtD,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd,CAAA,GAAG;AAEH,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,mBAAA;AAAA,IACpB,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAAA,IAC7B;AAAA,EACF;AAAA,EAEQ,YACN,KAAA,EAKM;AACN,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,MAAM,SAAA,EAAW;AAC5C,IAAA,IAAA,CAAK,iBAAgB,CAClB,IAAA;AAAA,MAAK,CAAC,KAAA,KACL,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,kBAAA,CAAA,EAAsB;AAAA,QACxC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA,SAChC;AAAA,QACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,UACnB,GAAG,KAAA;AAAA,UACH,SAAS,IAAA,CAAK,QAAA;AAAA,UACd,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,aAAA,EAAe;AAAA,SAChB;AAAA,OACF,CAAA,CAAE,IAAA,CAAK,CAAC,GAAA,KAAQ;AACf,QAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,UAAA,OAAA,CAAQ,IAAA;AAAA,YACN,CAAA,8CAAA,EAAiD,IAAI,MAAM,CAAA;AAAA,WAC7D;AAAA,QACF;AAAA,MACF,CAAC;AAAA,KACH,CACC,KAAA,CAAM,CAAC,GAAA,KAAQ;AACd,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,CAAA,0BAAA,CAAA;AAAA,QACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,OACjD;AAAA,IACF,CAAC,CAAA;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAMQ,kBAAA,CACN,SAAA,EACA,YAAA,EACA,QAAA,EAMM;AACN,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,SAAA,EAAW;AACtC,IAAA,MAAM,eAAA,GAAkBC,oBAAW,QAAQ,CAAA,CACxC,OAAO,SAAS,CAAA,CAChB,OAAO,KAAK,CAAA;AAEf,IAAA,IAAA,CAAK,iBAAgB,CAClB,IAAA;AAAA,MAAK,CAAC,KAAA,KACL,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,sBAAA,CAAA,EAA0B;AAAA,QAC5C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA,SAChC;AAAA,QACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,UACnB,eAAA;AAAA,UACA,UAAU,QAAA,EAAU,QAAA;AAAA,UACpB,WAAW,QAAA,EAAU,SAAA;AAAA,UACrB,YAAY,QAAA,EAAU,UAAA;AAAA,UACtB,cAAA,EAAgB,QAAA,EAAU,cAAA,GACtB,IAAI,IAAA,CAAK,SAAS,cAAA,GAAiB,GAAI,CAAA,CAAE,WAAA,EAAY,GACrD;AAAA,SACL;AAAA,OACF,CAAA,CAAE,IAAA,CAAK,OAAO,GAAA,KAAQ;AACrB,QAAA,IAAI,IAAI,EAAA,EAAI;AACV,UAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAI7B,UAAA,IAAI,IAAA,CAAK,yBAAA,CAA0B,MAAA,CAAO,YAAY,CAAA,EAAG;AACvD,YAAA,IAAA,CAAK,sCAAA;AAAA,cACH,IAAA,CAAK,SAAA;AAAA,cACL;AAAA,aACF;AACA,YAAA;AAAA,UACF;AAEA,UAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,YAAA,EAAc,IAAA,CAAK,SAAS,CAAA;AAAA,QACvD,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,yBAAA,CAA0B,OAAO,YAAY,CAAA;AAClD,UAAA,OAAA,CAAQ,IAAA;AAAA,YACN,CAAA,uCAAA,EAA0C,IAAI,MAAM,CAAA;AAAA,WACtD;AAAA,QACF;AAAA,MACF,CAAC;AAAA,KACH,CACC,KAAA,CAAM,CAAC,GAAA,KAAQ;AACd,MAAA,IAAA,CAAK,yBAAA,CAA0B,OAAO,YAAY,CAAA;AAClD,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,CAAA,yBAAA,CAAA;AAAA,QACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,OACjD;AAAA,IACF,CAAC,CAAA;AAAA,EACL;AAAA,EAEQ,sCAAA,CACN,gBACA,YAAA,EACM;AACN,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AAExB,IAAA,MAAM,eAAe,YAAA,GACjB,OAAA,CAAQ,QAAQ,YAAY,CAAA,GAC5B,KAAK,eAAA,EAAgB;AAEzB,IAAA,YAAA,CACG,IAAA;AAAA,MAAK,CAAC,KAAA,KACL,KAAA;AAAA,QACE,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,uBAAA,EAA0B,cAAc,CAAA,WAAA,CAAA;AAAA,QACtD;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,KAAK,CAAA,CAAA;AAAG;AAC9C;AACF,KACF,CACC,MAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EACnB;AAAA,EAEQ,uBAAuB,YAAA,EAA4B;AACzD,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AAExB,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,YAAY,CAAA;AAC5D,IAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,YAAY,CAAA;AACxC,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,IAAA,CAAK,yBAAA,CAA0B,IAAI,YAAY,CAAA;AAC/C,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,yBAAA,CAA0B,OAAO,YAAY,CAAA;AAClD,IAAA,IAAA,CAAK,uCAAuC,cAAc,CAAA;AAAA,EAC5D;AAAA,EAEA,MAAc,qBAAA,GAAuC;AACnD,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACxB,IAAA,IAAI,IAAA,CAAK,eAAA,CAAgB,IAAA,KAAS,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,0BAA0B,KAAA,EAAM;AACrC,MAAA;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,eAAA,EAAgB;AACzC,MAAA,MAAM,OAAA,CAAQ,UAAA;AAAA,QACZ,CAAC,GAAG,IAAA,CAAK,eAAA,CAAgB,MAAA,EAAQ,CAAA,CAAE,GAAA;AAAA,UAAI,CAAC,cAAA,KACtC,KAAA;AAAA,YACE,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,uBAAA,EAA0B,cAAc,CAAA,WAAA,CAAA;AAAA,YACtD;AAAA,cACE,MAAA,EAAQ,MAAA;AAAA,cACR,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,KAAK,CAAA,CAAA;AAAG;AAC9C;AACF;AACF,OACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAC3B,IAAA,IAAA,CAAK,0BAA0B,KAAA,EAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,aAAA,CACZ,UAAA,EACA,GAAA,EACA,GAAA,EACe;AACf,IAAA,MAAM,IAAI,OAAA,CAAc,CAAC,OAAA,EAAS,MAAA,KAAW;AAC3C,MAAA,IAAI,OAAA,GAAU,KAAA;AACd,MAAA,IAAI,UAAA,GAAa,KAAA;AAEjB,MAAA,MAAM,UAAU,MAAM;AACpB,QAAA,GAAA,CAAI,cAAA,CAAe,UAAU,cAAc,CAAA;AAC3C,QAAA,GAAA,CAAI,cAAA,CAAe,SAAS,cAAc,CAAA;AAAA,MAC5C,CAAA;AAEA,MAAA,MAAM,gBAAgB,MAAM;AAC1B,QAAA,IAAI,OAAA,EAAS;AACb,QAAA,OAAA,GAAU,IAAA;AACV,QAAA,OAAA,EAAQ;AACR,QAAA,OAAA,EAAQ;AAAA,MACV,CAAA;AAEA,MAAA,MAAM,YAAA,GAAe,CAAC,GAAA,KAAiB;AACrC,QAAA,IAAI,OAAA,EAAS;AACb,QAAA,OAAA,GAAU,IAAA;AACV,QAAA,OAAA,EAAQ;AACR,QAAA,MAAA,CAAO,GAAA,YAAe,QAAQ,GAAA,GAAM,IAAI,MAAM,MAAA,CAAO,GAAG,CAAC,CAAC,CAAA;AAAA,MAC5D,CAAA;AAEA,MAAA,MAAM,iBAAiB,MAAM;AAG3B,QAAA,aAAA,EAAc;AAAA,MAChB,CAAA;AAEA,MAAA,GAAA,CAAI,IAAA,CAAK,UAAU,cAAc,CAAA;AACjC,MAAA,GAAA,CAAI,IAAA,CAAK,SAAS,cAAc,CAAA;AAEhC,MAAA,IAAI,gBAAA;AACJ,MAAA,IAAI;AACF,QAAA,gBAAA,GAAmB,UAAA,CAAW,GAAA,EAAK,GAAA,EAAK,CAAC,GAAA,KAAkB;AACzD,UAAA,UAAA,GAAa,IAAA;AACb,UAAA,IAAI,GAAA,EAAK;AACP,YAAA,YAAA,CAAa,GAAG,CAAA;AAChB,YAAA;AAAA,UACF;AACA,UAAA,aAAA,EAAc;AAAA,QAChB,CAAC,CAAA;AAAA,MACH,SAAS,GAAA,EAAK;AACZ,QAAA,YAAA,CAAa,GAAG,CAAA;AAChB,QAAA;AAAA,MACF;AAEA,MAAA,KAAK,OAAA,CAAQ,OAAA,CAAQ,gBAAgB,CAAA,CAAE,IAAA;AAAA,QACrC,MAAM;AACJ,UAAA,IAAI,CAAC,UAAA,IAAc,GAAA,CAAI,WAAA,EAAa;AAClC,YAAA,aAAA,EAAc;AAAA,UAChB;AAAA,QACF,CAAA;AAAA,QACA,CAAC,GAAA,KAAiB;AAChB,UAAA,YAAA,CAAa,GAAG,CAAA;AAAA,QAClB;AAAA,OACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,gBAAA,CACN,MAAA,EACA,cAAA,EACA,cAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,SAAA,GAA8B;AAAA,MAClC,eAAA,EAAiB,CAAC,SAAA,KAAsB;AACtC,QAAA,OAAA,EAAS,kBAAkB,SAAS,CAAA;AACpC,QAAA,IAAA,CAAK,uBAAuB,SAAS,CAAA;AAAA,MACvC;AAAA,KACF;AAEA,IAAA,MAAM,IAAA,GAAO,OAAO,GAAA,EAAc,GAAA,KAAkB;AAClD,MAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,MAAA,MAAM,OAAA,GAAU,GAAA;AAIhB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,IAAI,UAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,UAAA,UAAA,GAAa,WAAA,CAAY,UAAA;AAAA,QAC3B,SAAS,KAAA,EAAO;AACd,UAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AACxC,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,GAAA,EAAK,GAAG,CAAA;AAE7C,QAAA,MAAMC,UAAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA;AAK9C,QAAA,IAAIA,UAAAA,EAAW;AACb,UAAA,IAAI,IAAI,WAAA,EAAa;AACnB,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,YAAA;AAAA,cACX,OAAA;AAAA,cACA,SAAA,EAAAA,UAAAA;AAAA,cACA,UAAA,EAAY,CAAA;AAAA,cACZ,MAAA,EAAQ;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACF;AAEA,UAAA,IAAI,QAAQ,IAAA,EAAM;AAChB,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,SAAA;AAAA,cACX,OAAA;AAAA,cACA,WAAA,EAAa,OAAA,CAAQ,IAAA,CAAK,KAAA,EAAO,GAAA;AAAA,cACjC,SAAA,EAAAA,UAAAA;AAAA,cACA,UAAA,EAAY,CAAA;AAAA,cACZ,MAAA,EAAQ;AAAA,aACT,CAAA;AAAA,UACH;AAAA,QACF,CAAA,MAAA,IAAW,IAAI,WAAA,EAAa;AAE1B,UAAA;AAAA,QACF;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA;AAG9C,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAMC,UAAAA,GAAY,cAAA,CAAe,YAAA,CAAa,SAAS,CAAA;AACvD,QAAA,IAAIA,UAAAA,EAAW;AACb,UAAA,cAAA,CAAe,aAAa,SAAS,CAAA;AACrC,UAAA,MAAMA,UAAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,IAAI,IAAI,CAAA;AAChD,UAAA;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,CAACC,4BAAA,CAAoB,GAAA,CAAI,IAAI,CAAA,EAAG;AAClC,QAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,UACnB,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,KAAA;AAAA,YACN,OAAA,EAAS,SAAA,GACL,CAAA,QAAA,EAAW,SAAS,CAAA,UAAA,CAAA,GACpB;AAAA,WACN;AAAA,UACA,EAAA,EAAI;AAAA,SACL,CAAA;AACD,QAAA;AAAA,MACF;AAGA,MAAA,MAAM,WAAW,OAAA,CAAQ,IAAA;AACzB,MAAA,MAAM,SAAA,GAAY,IAAIC,+CAAA,CAA8B;AAAA,QAClD,kBAAA,EAAoB,MAAM,MAAA,CAAO,UAAA,EAAW;AAAA,QAC5C,oBAAA,EAAsB,CAAC,GAAA,KAAgB;AACrC,UAAA,cAAA,CAAe,eAAA;AAAA,YACb,GAAA;AAAA,YACA,SAAA;AAAA,YACA,SAAA;AAAA,YACA,QAAA,EAAU;AAAA,WACZ;AACA,UAAA,OAAA,EAAS,oBAAA,GAAuB,GAAA,EAAK,QAAA,EAAU,SAAS,CAAA;AACxD,UAAA,IAAA,CAAK,WAAA,CAAY;AAAA,YACf,SAAA,EAAW,YAAA;AAAA,YACX,OAAA;AAAA,YACA,SAAA,EAAW,GAAA;AAAA,YACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,YAC9B,UAAA,EAAY,CAAA;AAAA,YACZ,MAAA,EAAQ;AAAA,WACT,CAAA;AACD,UAAA,IAAA,CAAK,kBAAA,CAAmB,QAAA,EAAU,KAAA,EAAO,GAAA,EAAK;AAAA,YAC5C,QAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA;AAAA,YACvC,SAAA,EAAW,GAAA,CAAI,OAAA,CAAQ,YAAY,CAAA;AAAA,YACnC,gBAAgB,QAAA,EAAU;AAAA,WAC3B,CAAA;AAAA,QACH;AAAA,OACD,CAAA;AAGD,MAAA,MAAM,cAAA,GAAiB,SAAA,CAAU,aAAA,CAAc,IAAA,CAAK,SAAS,CAAA;AAC7D,MAAA,SAAA,CAAU,aAAA,GAAgB,OACxB,UAAA,EACA,UAAA,EACA,UAAA,KACG;AACH,QAAA,MAAM,UAAA,GAAa,UAAA,KAAe,GAAA,GAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AACpE,QAAA,MAAM,GAAA,GACH,UAAA,CAAW,OAAA,CAAQ,gBAAgB,KACpC,SAAA,CAAU,SAAA;AACZ,QAAA,MAAM,KAAA,GAAQ,KAAK,GAAA,EAAI;AACvB,QAAA,IAAI;AACF,UAAA,MAAM,cAAA,CAAe,UAAA,EAAY,UAAA,EAAY,UAAU,CAAA;AACvD,UAAA,IAAI,UAAA,EAAY,WAAW,YAAA,EAAc;AACvC,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,QAAA,EACE,WAAW,MAAA,EACV,IAAA;AAAA,cACH,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ,IAAA;AAAA,cACR,aAAa,UAAA,CAAW;AAAA,aACzB,CAAA;AAAA,UACH,CAAA,MAAA,IAAW,UAAA,EAAY,MAAA,KAAW,YAAA,EAAc;AAC9C,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ;AAAA,aACT,CAAA;AAAA,UACH;AAAA,QACF,SAAS,GAAA,EAAK;AACZ,UAAA,IAAI,UAAA,EAAY,WAAW,YAAA,EAAc;AACvC,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,QAAA,EACE,WAAW,MAAA,EACV,IAAA;AAAA,cACH,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ,cAAA;AAAA,cACR,cAAc,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,aAC9D,CAAA;AAAA,UACH,CAAA,MAAA,IAAW,UAAA,EAAY,MAAA,KAAW,YAAA,EAAc;AAC9C,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ,cAAA;AAAA,cACR,cAAc,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,aAC9D,CAAA;AAAA,UACH;AACA,UAAA,MAAM,GAAA;AAAA,QACR;AAAA,MACF,CAAA;AAEA,MAAA,MAAM,SAAA,GAAY,OAAO,MAAA,KAAW,UAAA,GAAa,QAAO,GAAI,MAAA;AAC5D,MAAA,MAAM,SAAA,CAAU,QAAQ,SAAS,CAAA;AACjC,MAAA,MAAM,SAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,IAAI,IAAI,CAAA;AAAA,IAClD,CAAA;AAEA,IAAA,MAAM,GAAA,GAAM,OAAO,GAAA,EAAc,GAAA,KAAkB;AACjD,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,IAAI,UAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,UAAA,UAAA,GAAa,WAAA,CAAY,UAAA;AAAA,QAC3B,SAAS,KAAA,EAAO;AACd,UAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AACxC,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,GAAA,EAAK,GAAG,CAAA;AAC7C,QAAA,IAAI,IAAI,WAAA,EAAa;AACnB,UAAA;AAAA,QACF;AAAA,MACF;AAEA,MAAA,MAAM,YACH,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA,IAC5B,GAAA,CAAI,QAAQ,gBAAgB,CAAA;AAC/B,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,iCAAiC,CAAA;AAC/D,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,cAAA,CAAe,YAAA,CAAa,SAAS,CAAA;AACvD,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,qBAAqB,CAAA;AACnD,QAAA;AAAA,MACF;AAEA,MAAA,cAAA,CAAe,aAAa,SAAS,CAAA;AACrC,MAAA,MAAM,SAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IACxC,CAAA;AAEA,IAAA,MAAM,GAAA,GAAM,OAAO,GAAA,EAAc,GAAA,KAAkB;AACjD,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,IAAI,UAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,UAAA,UAAA,GAAa,WAAA,CAAY,UAAA;AAAA,QAC3B,SAAS,KAAA,EAAO;AACd,UAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AACxC,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,GAAA,EAAK,GAAG,CAAA;AAC7C,QAAA,IAAI,IAAI,WAAA,EAAa;AACnB,UAAA;AAAA,QACF;AAAA,MACF;AAEA,MAAA,MAAM,YACH,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA,IAC5B,GAAA,CAAI,QAAQ,gBAAgB,CAAA;AAC/B,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,iCAAiC,CAAA;AAC/D,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,cAAA,CAAe,YAAA,CAAa,SAAS,CAAA;AACvD,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,qBAAqB,CAAA;AACnD,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IACxC,CAAA;AAEA,IAAA,OAAO,EAAE,IAAA,EAAM,GAAA,EAAK,MAAA,EAAQ,GAAA,EAAI;AAAA,EAClC;AACF","file":"index.cjs","sourcesContent":["/**\n * Core types for the Kontext SDK\n * These mirror the API DTOs for type-safe interactions\n */\n\n// ============================================================================\n// Applications\n// ============================================================================\n\nexport interface Application {\n id: string;\n name: string;\n canModify?: boolean;\n activeSessionCount?: number;\n idleSessionCount?: number;\n liveSessionCount?: number;\n totalSessionCount?: number;\n oauth?: ApplicationOAuth;\n archivedAt?: string;\n createdAt: string;\n updatedAt: string;\n}\n\nexport interface ApplicationOAuth {\n type: \"public\" | \"confidential\";\n clientId: string;\n clientSecret?: string;\n pkceRequired: boolean;\n scopes: string[];\n authorizationUrl: string;\n tokenUrl: string;\n gatewayUrl: string;\n redirectUris: string[];\n}\n\nexport interface CreateApplicationOAuthInput {\n type?: \"public\" | \"confidential\";\n redirectUris: string[];\n pkceRequired?: boolean;\n scopes?: string[];\n}\n\nexport interface CreateApplicationInput {\n name: string;\n oauth: CreateApplicationOAuthInput;\n}\n\nexport interface UpdateApplicationInput {\n name?: string;\n}\n\nexport interface UpdateApplicationOAuthInput {\n pkceRequired?: boolean;\n scopes?: string[];\n redirectUris?: string[];\n}\n\nexport interface CreateApplicationResponse {\n application: Application;\n oauth: ApplicationOAuth;\n}\n\nexport interface ApplicationResponse {\n application: Application;\n}\n\nexport interface ApplicationOAuthResponse {\n oauth: ApplicationOAuth;\n}\n\nexport interface ListApplicationsResponse {\n items: Application[];\n nextCursor?: string;\n}\n\nexport interface RotateApplicationSecretResponse {\n oauth: ApplicationOAuth;\n}\n\nexport interface UpdateApplicationIntegrationsInput {\n integrationIds: string[];\n}\n\nexport interface ApplicationIntegrationsResponse {\n integrationIds: string[];\n}\n\n// ============================================================================\n// Integrations\n// ============================================================================\n\nexport type IntegrationAuthMode =\n | \"oauth\"\n | \"user_token\"\n | \"server_token\"\n | \"none\";\n\nexport type IntegrationValidationStatus = \"pending\" | \"valid\" | \"invalid\";\n\nexport interface IntegrationOAuthSummary {\n provider?: string;\n issuer?: string;\n scopes?: string[];\n metadata?: Record<string, unknown>;\n}\n\nexport interface IntegrationCapabilities {\n tools?: boolean;\n resources?: boolean;\n prompts?: boolean;\n}\n\nexport interface Integration {\n id: string;\n name: string;\n url: string;\n authMode: IntegrationAuthMode;\n oauth?: IntegrationOAuthSummary;\n capabilities?: IntegrationCapabilities;\n serverTokenConfigured: boolean;\n validationStatus: IntegrationValidationStatus;\n validationMessage?: string;\n lastValidatedAt?: string;\n userConnection?: ConnectionStatusResponse;\n createdAt: string;\n updatedAt: string;\n archivedAt?: string;\n}\n\nexport interface IntegrationOAuthConfigInput {\n provider?: string;\n issuer?: string;\n scopes?: string[];\n}\n\nexport interface CreateIntegrationInput {\n name: string;\n url: string;\n authMode?: IntegrationAuthMode;\n oauth?: IntegrationOAuthConfigInput;\n capabilities?: IntegrationCapabilities;\n serverToken?: string;\n}\n\nexport interface UpdateIntegrationInput {\n name?: string;\n url?: string;\n authMode?: IntegrationAuthMode;\n oauth?: IntegrationOAuthConfigInput;\n capabilities?: IntegrationCapabilities;\n serverToken?: string;\n}\n\nexport interface CreateIntegrationResponse {\n integration: Integration;\n}\n\nexport interface IntegrationResponse {\n integration: Integration;\n}\n\nexport interface ListIntegrationsResponse {\n items: Integration[];\n nextCursor?: string;\n}\n\nexport interface ValidateIntegrationResponse {\n status: IntegrationValidationStatus;\n message?: string;\n}\n\n// ============================================================================\n// Integration Connections\n// ============================================================================\n\nexport type ConnectionStatus = \"connected\" | \"disconnected\";\n\nexport interface ConnectionStatusResponse {\n connected: boolean;\n status?: ConnectionStatus;\n expiresAt?: string;\n displayName?: string;\n}\n\nexport interface ConnectionResponse {\n connection: ConnectionStatusResponse;\n}\n\nexport interface AddUserTokenInput {\n token: string;\n}\n\n// ============================================================================\n// Service Accounts\n// ============================================================================\n\nexport interface ServiceAccount {\n id: string;\n name: string;\n description: string | null;\n createdAt: string;\n}\n\nexport interface ServiceAccountCredentials {\n clientId: string;\n clientSecret: string;\n}\n\nexport interface CreateServiceAccountInput {\n name: string;\n description?: string;\n}\n\nexport interface CreateServiceAccountResponse {\n serviceAccount: ServiceAccount;\n credentials: ServiceAccountCredentials;\n}\n\nexport interface RotateSecretResponse {\n credentials: ServiceAccountCredentials;\n}\n\nexport interface ListServiceAccountsResponse {\n items: ServiceAccount[];\n nextCursor: string | null;\n}\n\nexport interface ServiceAccountResponse {\n serviceAccount: ServiceAccount;\n}\n\n// ============================================================================\n// Agent Sessions\n// ============================================================================\n\nexport type AgentSessionStatus = \"active\" | \"disconnected\";\nexport type AgentSessionDerivedStatus =\n | \"active\"\n | \"idle\"\n | \"expired\"\n | \"disconnected\";\n\nexport interface AgentSession {\n id: string;\n agentId: string;\n organizationId: string;\n name: string;\n hostname?: string | null;\n userAgent?: string | null;\n clientInfo?: Record<string, unknown> | null;\n status: AgentSessionStatus;\n derivedStatus: AgentSessionDerivedStatus;\n connectedAt?: string;\n lastActiveAt?: string;\n disconnectedAt?: string;\n tokenExpiresAt?: string;\n createdAt: string;\n}\n\nexport interface AgentSessionResponse {\n session: AgentSession;\n}\n\nexport interface ListAgentSessionsResponse {\n items: AgentSession[];\n}\n\nexport interface RevokeAllSessionsResponse {\n success: boolean;\n disconnectedCount: number;\n}\n\n// ============================================================================\n// Traces & Events\n// ============================================================================\n\nexport interface Trace {\n traceId: string | null;\n sessionId: string;\n startedAt: string | null;\n endedAt: string | null;\n eventCount: number;\n okCount?: number;\n warnCount?: number;\n errorCount?: number;\n agentId?: string;\n ownerUserId?: string;\n ownerEmail?: string;\n agentName?: string;\n agentSessionId?: string;\n agentSessionName?: string;\n}\n\nexport interface TraceEvent {\n id: string;\n createdAt: string;\n sessionId: string;\n agentId: string;\n traceId?: string | null;\n apiKeyId?: string | null;\n eventType: string;\n status: string;\n durationMs?: number | null;\n integrationId?: string | null;\n toolName?: string | null;\n errorMessage?: string | null;\n bytesIn?: number | null;\n bytesOut?: number | null;\n requestJson?: unknown;\n responseJson?: unknown;\n parentEventId?: string | null;\n agentSessionId?: string | null;\n /** @deprecated Use createdAt */\n timestamp?: string;\n /** @deprecated Use status */\n level?: \"ok\" | \"warn\" | \"error\";\n /** @deprecated Use eventType */\n type?: string;\n /** @deprecated May be encoded in requestJson/responseJson */\n method?: string;\n /** @deprecated Use toolName */\n tool?: string;\n /** @deprecated Use durationMs */\n duration?: number;\n /** @deprecated Use status/errorMessage fields */\n errorType?: string;\n /** @deprecated May be encoded in requestJson/responseJson */\n metadata?: Record<string, unknown>;\n}\n\nexport interface ListTracesResponse {\n items: Trace[];\n nextCursor?: string;\n}\n\nexport interface TraceResponse {\n trace: Trace;\n events: TraceEvent[];\n}\n\nexport interface McpEvent {\n id: string;\n createdAt: string;\n agentId: string;\n integrationId: string | null;\n toolName: string | null;\n eventType: string;\n status: string;\n}\n\nexport interface McpEventListResponse {\n items: McpEvent[];\n}\n\n/**\n * @deprecated Use McpEventListResponse instead.\n */\nexport type ListEventsResponse = McpEventListResponse;\n\nexport interface TraceStats {\n totalTraces: number;\n totalEvents: number;\n eventCounts: { ok: number; warn: number; error: number };\n errorRate: number;\n latency: { avg: number; p50: number; p95: number; p99: number };\n bytesTransferred: { in: number; out: number };\n errorsByType: Array<{ type: string; count: number; percentage: number }>;\n topTools: Array<{ name: string; count: number; avgDuration: number }>;\n timeline: Array<{\n date: string;\n traceCount: number;\n eventCount: number;\n warnCount: number;\n errorCount: number;\n bytesIn: number;\n bytesOut: number;\n }>;\n}\n\nexport interface TraceStatsResponse {\n stats: TraceStats;\n}\n\n// ============================================================================\n// Pagination\n// ============================================================================\n\nexport interface PaginationParams {\n cursor?: string;\n limit?: number;\n}\n\n// ============================================================================\n// OAuth Tokens (for storage)\n// ============================================================================\n\nexport interface OAuthTokens {\n accessToken: string;\n refreshToken?: string;\n tokenType: string;\n scope?: string;\n expiresAt?: string;\n}\n\n// ============================================================================\n// Token Exchange (RFC 8693)\n// ============================================================================\n\n/**\n * RFC 8693 Token Exchange grant type\n */\nexport const TOKEN_EXCHANGE_GRANT_TYPE =\n \"urn:ietf:params:oauth:grant-type:token-exchange\";\n\n/**\n * RFC 8693 token type identifier for access tokens\n */\nexport const TOKEN_TYPE_ACCESS_TOKEN =\n \"urn:ietf:params:oauth:token-type:access_token\";\n\n/**\n * Request body for RFC 8693 token exchange\n */\nexport interface TokenExchangeRequest {\n grant_type: typeof TOKEN_EXCHANGE_GRANT_TYPE;\n subject_token: string;\n subject_token_type?: string;\n resource: string;\n scope?: string;\n audience?: string;\n}\n\n/**\n * Response from RFC 8693 token exchange\n */\nexport interface TokenExchangeResponse {\n access_token: string;\n issued_token_type: string;\n token_type: string;\n expires_in?: number;\n scope?: string;\n refresh_token?: string;\n}\n\n// ============================================================================\n// Client Configuration\n// ============================================================================\n\nexport interface KontextManagementClientConfig {\n /**\n * Base URL for the Kontext API (e.g., \"https://api.kontext.dev\")\n */\n baseUrl: string;\n\n /**\n * API version to use (default: \"v1\")\n */\n apiVersion?: string;\n\n /**\n * OAuth token endpoint URL (optional)\n * If not specified, defaults to `${baseUrl}/oauth2/token`\n * Useful for local development where Hydra runs on a different port\n */\n tokenUrl?: string;\n\n /**\n * OAuth scopes to request (optional)\n * Defaults to [\"management:all\"]\n */\n scopes?: string[];\n\n /**\n * OAuth audience for token requests (optional)\n * If not specified, defaults to `${baseUrl}/api/${apiVersion}`\n * Required for Hydra token introspection\n */\n audience?: string;\n\n /**\n * Service account credentials for authentication\n */\n credentials: {\n clientId: string;\n clientSecret: string;\n };\n}\n","/**\n * Typed error classes for the Kontext SDK.\n *\n * Every error has a `kontext_` prefixed code, an auto-generated docsUrl,\n * and a `kontextError` brand for type narrowing without instanceof.\n *\n * @packageDocumentation\n */\n\n// ============================================================================\n// Base\n// ============================================================================\n\n/**\n * Base error class for all Kontext SDK errors.\n *\n * @example\n * ```typescript\n * import { isKontextError } from '@kontext-dev/js-sdk';\n *\n * try {\n * await client.connect();\n * } catch (err) {\n * if (isKontextError(err)) {\n * console.log(err.code); // \"kontext_authorization_required\"\n * console.log(err.docsUrl); // \"https://docs.kontext.dev/errors/kontext_authorization_required\"\n * }\n * }\n * ```\n */\nexport class KontextError extends Error {\n /** Brand field for type narrowing without instanceof */\n readonly kontextError = true as const;\n\n /** Machine-readable error code, always prefixed with `kontext_` */\n readonly code: string;\n\n /** HTTP status code when applicable */\n readonly statusCode?: number;\n\n /** Auto-generated link to error documentation */\n readonly docsUrl: string;\n\n /** Server request ID for debugging / support escalation */\n readonly requestId?: string;\n\n /** Contextual metadata bag (integration IDs, param names, etc.) */\n readonly meta: Record<string, unknown>;\n\n constructor(\n message: string,\n code: string,\n options?: {\n statusCode?: number;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, { cause: options?.cause });\n this.name = \"KontextError\";\n this.code = code;\n this.statusCode = options?.statusCode;\n this.requestId = options?.requestId;\n this.meta = options?.meta ?? {};\n this.docsUrl = `https://docs.kontext.dev/errors/${code}`;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n code: this.code,\n message: this.message,\n statusCode: this.statusCode,\n docsUrl: this.docsUrl,\n requestId: this.requestId,\n meta: Object.keys(this.meta).length > 0 ? this.meta : undefined,\n };\n }\n\n override toString(): string {\n const parts = [`[${this.code}] ${this.message}`];\n if (this.docsUrl) parts.push(`Docs: ${this.docsUrl}`);\n if (this.requestId) parts.push(`Request ID: ${this.requestId}`);\n return parts.join(\"\\n\");\n }\n}\n\n// ============================================================================\n// Type guard\n// ============================================================================\n\n/**\n * Check if an error is a KontextError without instanceof.\n * Works across package versions and bundler deduplication.\n */\nexport function isKontextError(err: unknown): err is KontextError {\n return (\n typeof err === \"object\" &&\n err !== null &&\n (err as Record<string, unknown>).kontextError === true\n );\n}\n\n// ============================================================================\n// Auth errors\n// ============================================================================\n\n/**\n * Thrown when authentication is required but no valid credentials are available.\n */\nexport class AuthorizationRequiredError extends KontextError {\n readonly authorizationUrl?: string;\n\n constructor(\n message = \"Authorization required. Complete the OAuth flow to continue.\",\n options?: {\n authorizationUrl?: string;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, \"kontext_authorization_required\", {\n statusCode: 401,\n ...options,\n });\n this.name = \"AuthorizationRequiredError\";\n this.authorizationUrl = options?.authorizationUrl;\n }\n}\n\n// ============================================================================\n// OAuth errors\n// ============================================================================\n\n/**\n * Thrown when an OAuth flow fails — state validation, token exchange,\n * missing code verifier, or provider errors.\n */\nexport class OAuthError extends KontextError {\n readonly errorCode?: string;\n readonly errorDescription?: string;\n\n constructor(\n message: string,\n code: string,\n options?: {\n statusCode?: number;\n errorCode?: string;\n errorDescription?: string;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, code, {\n statusCode: options?.statusCode ?? 400,\n ...options,\n });\n this.name = \"OAuthError\";\n this.errorCode = options?.errorCode;\n this.errorDescription = options?.errorDescription;\n }\n}\n\n// ============================================================================\n// Integration errors\n// ============================================================================\n\n/**\n * Thrown when an integration connection is required before a tool can be used.\n */\nexport class IntegrationConnectionRequiredError extends KontextError {\n readonly integrationId: string;\n readonly integrationName?: string;\n readonly connectUrl?: string;\n\n constructor(\n integrationId: string,\n options?: {\n integrationName?: string;\n connectUrl?: string;\n message?: string;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(\n options?.message ??\n `Connection to integration \"${integrationId}\" is required. Visit the connect URL to authorize.`,\n \"kontext_integration_connection_required\",\n { statusCode: 403, ...options },\n );\n this.name = \"IntegrationConnectionRequiredError\";\n this.integrationId = integrationId;\n this.integrationName = options?.integrationName;\n this.connectUrl = options?.connectUrl;\n }\n}\n\n// ============================================================================\n// Config errors (NEW — replaces all plain Error config throws)\n// ============================================================================\n\n/**\n * Thrown when SDK configuration is invalid or missing.\n * These are deterministic errors caught at initialization time.\n */\nexport class ConfigError extends KontextError {\n constructor(\n message: string,\n code: string,\n options?: {\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, code, options);\n this.name = \"ConfigError\";\n }\n}\n\n// ============================================================================\n// Network errors\n// ============================================================================\n\n/**\n * Thrown when there is a network or connection error.\n */\nexport class NetworkError extends KontextError {\n constructor(\n message = \"Network error. Check your internet connection and that the server is reachable.\",\n options?: {\n cause?: unknown;\n requestId?: string;\n meta?: Record<string, unknown>;\n },\n ) {\n super(message, \"kontext_network_error\", options);\n this.name = \"NetworkError\";\n }\n}\n\n// ============================================================================\n// HTTP response errors (differentiated by code)\n// ============================================================================\n\n/**\n * Thrown when the server returns an HTTP error.\n * Use `error.code` to distinguish between specific error types.\n */\nexport class HttpError extends KontextError {\n readonly retryAfter?: number;\n readonly validationErrors?: Array<{ field: string; message: string }>;\n\n constructor(\n message: string,\n code: string,\n options?: {\n statusCode?: number;\n retryAfter?: number;\n validationErrors?: Array<{ field: string; message: string }>;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, code, {\n statusCode: options?.statusCode,\n ...options,\n });\n this.name = \"HttpError\";\n this.retryAfter = options?.retryAfter;\n this.validationErrors = options?.validationErrors;\n }\n}\n\n// ============================================================================\n// Network error detection (used by translateError)\n// ============================================================================\n\n/**\n * Safely access arbitrary properties on an error object.\n * Errors in JS frequently carry extra properties (code, statusCode, etc.)\n * that aren't part of the Error interface. This avoids `as unknown as` casts.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nfunction errorProps(err: Error): Record<string, any> {\n return err;\n}\n\nconst NETWORK_ERROR_CODES = new Set([\n \"ECONNREFUSED\",\n \"ENOTFOUND\",\n \"ETIMEDOUT\",\n \"ECONNRESET\",\n \"ECONNABORTED\",\n \"EPIPE\",\n \"UND_ERR_CONNECT_TIMEOUT\",\n]);\n\n/**\n * Detect network errors structurally rather than by string matching.\n * Checks Node.js system error codes on the error and its cause.\n */\nexport function isNetworkError(err: Error): boolean {\n if (err.name === \"AbortError\") return true;\n\n const props = errorProps(err);\n const sysCode = props.code as string | undefined;\n if (typeof sysCode === \"string\" && NETWORK_ERROR_CODES.has(sysCode))\n return true;\n\n // fetch() throws TypeError — only classify as network error when cause\n // indicates a system-level failure\n if (err.name === \"TypeError\" && err.cause instanceof Error) {\n const causeCode = errorProps(err.cause).code;\n if (typeof causeCode === \"string\" && NETWORK_ERROR_CODES.has(causeCode))\n return true;\n }\n\n return false;\n}\n\n/**\n * Detect unauthorized errors structurally.\n * Checks status code and numeric code rather than string matching on name.\n */\nexport function isUnauthorizedError(err: Error): boolean {\n const props = errorProps(err);\n\n // Check HTTP status code (most reliable)\n if (props.statusCode === 401 || props.status === 401) return true;\n\n // Check MCP SDK UnauthorizedError by name (last resort, but needed for\n // MCP SDK errors which don't set statusCode)\n if (err.name === \"UnauthorizedError\") return true;\n if (err.message === \"Unauthorized\") return true;\n\n return false;\n}\n\n// ============================================================================\n// Elicitation types\n// ============================================================================\n\nexport interface ElicitationEntry {\n readonly url: string;\n readonly message: string;\n readonly elicitationId: string;\n readonly integrationId?: string;\n readonly integrationName?: string;\n}\n\n// ============================================================================\n// HTTP error parsing\n// ============================================================================\n\n/**\n * Parse an HTTP response into an appropriate error.\n */\nexport function parseHttpError(\n statusCode: number,\n body?: unknown,\n): KontextError {\n const message =\n typeof body === \"object\" && body !== null && \"message\" in body\n ? String((body as { message: unknown }).message)\n : `HTTP ${statusCode}`;\n\n const errorCode =\n typeof body === \"object\" && body !== null && \"code\" in body\n ? String((body as { code: unknown }).code)\n : undefined;\n\n switch (statusCode) {\n case 400:\n if (\n typeof body === \"object\" &&\n body !== null &&\n \"errors\" in body &&\n Array.isArray((body as { errors: unknown }).errors)\n ) {\n return new HttpError(message, \"kontext_validation_error\", {\n statusCode: 400,\n validationErrors: (\n body as { errors: Array<{ field: string; message: string }> }\n ).errors,\n });\n }\n return new KontextError(message, errorCode ?? \"kontext_bad_request\", {\n statusCode: 400,\n });\n\n case 401:\n return new AuthorizationRequiredError(message);\n\n case 403:\n if (errorCode === \"INTEGRATION_CONNECTION_REQUIRED\") {\n const details = body as {\n integrationId?: string;\n integrationName?: string;\n connectUrl?: string;\n };\n return new IntegrationConnectionRequiredError(\n details.integrationId ?? \"unknown\",\n {\n integrationName: details.integrationName,\n connectUrl: details.connectUrl,\n message,\n },\n );\n }\n return new HttpError(message, \"kontext_policy_denied\", {\n statusCode: 403,\n meta: { policy: (body as Record<string, unknown>)?.policy },\n });\n\n case 404:\n return new HttpError(message, \"kontext_not_found\", { statusCode: 404 });\n\n case 429: {\n const retryAfter =\n typeof body === \"object\" && body !== null && \"retryAfter\" in body\n ? Number((body as { retryAfter: unknown }).retryAfter)\n : undefined;\n return new HttpError(\n retryAfter\n ? `Rate limit exceeded. Retry after ${retryAfter} seconds.`\n : \"Rate limit exceeded. Wait and retry.\",\n \"kontext_rate_limited\",\n { statusCode: 429, retryAfter },\n );\n }\n\n default:\n if (statusCode >= 500) {\n return new HttpError(\n `Server error (HTTP ${statusCode}): ${message}`,\n \"kontext_server_error\",\n { statusCode },\n );\n }\n return new KontextError(message, errorCode ?? \"kontext_unknown_error\", {\n statusCode,\n });\n }\n}\n","/**\n * RFC 8693 Token Exchange\n *\n * Generic token exchange function for exchanging identity tokens\n * for resource-scoped tokens.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc8693\n */\n\nimport {\n TOKEN_EXCHANGE_GRANT_TYPE,\n TOKEN_TYPE_ACCESS_TOKEN,\n type TokenExchangeResponse,\n} from \"../management/types.js\";\nimport { OAuthError } from \"../errors.js\";\n\n/**\n * Configuration for token exchange\n */\nexport interface TokenExchangeConfig {\n /**\n * Token endpoint URL (e.g., https://api.kontext.dev/oauth2/token)\n */\n tokenUrl: string;\n\n /**\n * OAuth client ID\n */\n clientId: string;\n\n /**\n * OAuth client secret (for confidential clients)\n */\n clientSecret?: string;\n}\n\n/**\n * Exchange a subject token for a resource-scoped token (RFC 8693).\n *\n * This function implements the OAuth 2.0 Token Exchange grant type,\n * allowing an identity token to be exchanged for an access token\n * scoped to a specific resource.\n *\n * @param config - Token exchange configuration\n * @param subjectToken - The subject token to exchange (typically an access token)\n * @param resource - The target resource identifier (e.g., \"mcp-gateway\", \"my-mcp-server\")\n * @param scope - Optional scope restriction (must be subset of subject token scopes)\n * @param subjectTokenType - Optional subject token type (defaults to access token)\n * @returns Resource-scoped token response\n * @throws {OAuthError} If the token exchange fails\n *\n * @example\n * ```typescript\n * const response = await exchangeToken(\n * {\n * tokenUrl: 'https://api.kontext.dev/oauth2/token',\n * clientId: 'my-client-id',\n * },\n * identityToken,\n * 'mcp-gateway'\n * );\n * console.log(response.access_token);\n * ```\n */\nexport async function exchangeToken(\n config: TokenExchangeConfig,\n subjectToken: string,\n resource: string,\n scope?: string,\n subjectTokenType: string = TOKEN_TYPE_ACCESS_TOKEN,\n): Promise<TokenExchangeResponse> {\n // Build the request body as form-urlencoded\n const body = new URLSearchParams();\n body.set(\"grant_type\", TOKEN_EXCHANGE_GRANT_TYPE);\n body.set(\"subject_token\", subjectToken);\n body.set(\"subject_token_type\", subjectTokenType);\n body.set(\"resource\", resource);\n\n if (scope) {\n body.set(\"scope\", scope);\n }\n\n // For public clients, include client_id in the body\n // For confidential clients, use Basic auth\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n };\n\n if (config.clientSecret) {\n // Confidential client: use Basic authentication\n const credentials = Buffer.from(\n `${config.clientId}:${config.clientSecret}`,\n ).toString(\"base64\");\n headers[\"Authorization\"] = `Basic ${credentials}`;\n } else {\n // Public client: include client_id in body\n body.set(\"client_id\", config.clientId);\n }\n\n const response = await fetch(config.tokenUrl, {\n method: \"POST\",\n headers,\n body: body.toString(),\n });\n\n if (!response.ok) {\n let errorMessage = `Token exchange failed: ${response.status} ${response.statusText}`;\n let errorCode: string | undefined;\n let integrationName: string | undefined;\n let integrationId: string | undefined;\n\n try {\n const errorBody = await response.json();\n errorCode = errorBody.error;\n if (errorBody.error_description) {\n errorMessage = errorBody.error_description;\n } else if (errorBody.error) {\n errorMessage = `Token exchange failed: ${errorBody.error}`;\n }\n // Extract integration-specific fields when present (e.g., integration_required,\n // or any error that includes integration metadata for reconnection flows)\n if (errorBody.integration_name || errorBody.integration_id) {\n integrationName = errorBody.integration_name;\n integrationId = errorBody.integration_id;\n }\n } catch {\n // Ignore JSON parse errors, use default message\n }\n\n throw new OAuthError(errorMessage, \"kontext_oauth_token_exchange_failed\", {\n errorCode,\n meta: {\n integrationName,\n integrationId,\n },\n });\n }\n\n const tokenResponse = (await response.json()) as TokenExchangeResponse;\n\n // Validate required fields\n if (!tokenResponse.access_token) {\n throw new OAuthError(\n \"Token exchange response missing access_token.\",\n \"kontext_oauth_token_exchange_failed\",\n );\n }\n\n if (!tokenResponse.issued_token_type) {\n throw new OAuthError(\n \"Token exchange response missing issued_token_type.\",\n \"kontext_oauth_token_exchange_failed\",\n );\n }\n\n if (!tokenResponse.token_type) {\n throw new OAuthError(\n \"Token exchange response missing token_type.\",\n \"kontext_oauth_token_exchange_failed\",\n );\n }\n\n return tokenResponse;\n}\n","/**\n * Token verification error codes.\n * These provide structured error information for debugging and error handling.\n */\nexport type TokenVerificationErrorCode =\n | \"INVALID_TOKEN_FORMAT\"\n | \"INVALID_SIGNATURE\"\n | \"TOKEN_EXPIRED\"\n | \"TOKEN_NOT_YET_VALID\"\n | \"INVALID_ISSUER\"\n | \"INVALID_AUDIENCE\"\n | \"MISSING_SCOPE\"\n | \"MISSING_CLAIMS\"\n | \"JWKS_FETCH_FAILED\"\n | \"UNKNOWN_KID\"\n | \"UNSUPPORTED_ALGORITHM\";\n\n/**\n * Error thrown when token verification fails.\n * Contains a structured error code for programmatic handling.\n */\nexport class TokenVerificationError extends Error {\n readonly code: TokenVerificationErrorCode;\n\n constructor(code: TokenVerificationErrorCode, message: string) {\n super(message);\n this.name = \"TokenVerificationError\";\n this.code = code;\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n }\n}\n","import { createRemoteJWKSet, type JWTVerifyGetKey } from \"jose\";\nimport { TokenVerificationError } from \"./errors.js\";\n\n/**\n * Options for the JWKS client.\n */\nexport interface JwksClientOptions {\n /** JWKS endpoint URL */\n jwksUrl: string;\n\n /** Cache TTL in milliseconds (default: 5 minutes) */\n cacheTtlMs?: number;\n\n /** Minimum time between refetches in milliseconds (default: 30 seconds) */\n refetchCooldownMs?: number;\n\n /** Custom fetch function for testing */\n fetch?: typeof globalThis.fetch;\n}\n\nconst DEFAULT_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_REFETCH_COOLDOWN_MS = 30 * 1000; // 30 seconds\n\n/**\n * JWKS client with caching and rate-limited refetching.\n *\n * Uses jose's createRemoteJWKSet for JWKS fetching and caching,\n * but adds rate limiting to prevent DoS via rapid refetch requests.\n */\nexport class JwksClient {\n private readonly jwksUrl: URL;\n private readonly cacheTtlMs: number;\n private readonly refetchCooldownMs: number;\n private readonly customFetch?: typeof globalThis.fetch;\n\n private jwks: JWTVerifyGetKey | null = null;\n private lastFetchAt = 0;\n private lastRefreshAt = 0;\n\n constructor(options: JwksClientOptions) {\n this.jwksUrl = new URL(options.jwksUrl);\n this.cacheTtlMs = options.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;\n this.refetchCooldownMs =\n options.refetchCooldownMs ?? DEFAULT_REFETCH_COOLDOWN_MS;\n this.customFetch = options.fetch;\n }\n\n /**\n * Get the JWKS key resolver for use with jose's jwtVerify.\n *\n * Creates the remote JWKS on first call and caches it.\n * The jose library handles internal caching and key lookup.\n */\n getKeyResolver(): JWTVerifyGetKey {\n const now = Date.now();\n\n // Check if we need to refresh (cache expired)\n if (this.jwks && now - this.lastFetchAt > this.cacheTtlMs) {\n this.jwks = null;\n }\n\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(this.jwksUrl, {\n // jose handles caching internally, we just track our own refresh timing\n ...(this.customFetch && {\n [Symbol.for(\"fetch\")]: this.customFetch,\n }),\n });\n this.lastFetchAt = now;\n }\n\n return this.jwks;\n }\n\n /**\n * Force refresh the JWKS cache.\n *\n * Respects the refetch cooldown to prevent rapid refetching.\n * Returns true if refresh was performed, false if cooldown not elapsed.\n */\n refresh(): boolean {\n const now = Date.now();\n\n if (!this.canRefresh()) {\n return false;\n }\n\n this.jwks = null;\n this.lastRefreshAt = now;\n return true;\n }\n\n /**\n * Check if a refresh is allowed (cooldown elapsed).\n */\n canRefresh(): boolean {\n return Date.now() - this.lastRefreshAt >= this.refetchCooldownMs;\n }\n\n /**\n * Handle unknown kid errors by attempting refresh.\n *\n * @returns TokenVerificationError if refresh not allowed or already attempted\n */\n handleUnknownKid(kid: string): TokenVerificationError | null {\n if (this.refresh()) {\n // Refresh performed, caller should retry verification\n return null;\n }\n\n // Cooldown not elapsed, return error\n return new TokenVerificationError(\n \"UNKNOWN_KID\",\n `Unknown key ID: ${kid}. JWKS refresh on cooldown.`,\n );\n }\n\n /**\n * Clear the cache, forcing a fresh fetch on next access.\n */\n clearCache(): void {\n this.jwks = null;\n this.lastFetchAt = 0;\n // Don't reset lastRefreshAt to maintain cooldown protection\n }\n}\n","import { jwtVerify, decodeProtectedHeader, errors as joseErrors } from \"jose\";\nimport { JwksClient } from \"./jwks-client.js\";\nimport { TokenVerificationError } from \"./errors.js\";\nimport type {\n KontextTokenVerifierConfig,\n VerifiedTokenClaims,\n VerifyResult,\n JwtPayload,\n} from \"./types.js\";\n\nconst DEFAULT_CLOCK_TOLERANCE_SEC = 30;\nconst SUPPORTED_ALGORITHMS = [\"ES256\", \"RS256\"];\n\n/**\n * Token verifier for Kontext-issued JWTs using JWKS discovery.\n *\n * Uses the jose library for robust JWT verification with support for:\n * - ES256 and RS256 algorithms\n * - JWKS-based key discovery with caching\n * - Key rotation support with rate-limited refetching\n * - Configurable clock tolerance\n * - Typed error responses\n *\n * @example\n * ```typescript\n * import { KontextTokenVerifier } from '@kontext-dev/js-sdk';\n *\n * const verifier = new KontextTokenVerifier({\n * jwksUrl: 'https://api.kontext.dev/.well-known/jwks.json',\n * issuer: 'kontext-token-exchange',\n * audience: 'mcp-gateway',\n * requiredScopes: ['mcp:invoke'],\n * });\n *\n * const result = await verifier.verify(bearerToken);\n * if (result.success) {\n * console.log(`Verified token for client: ${result.claims.clientId}`);\n * } else {\n * console.error(`Verification failed: ${result.error.code}`);\n * }\n * ```\n */\ninterface ResolvedConfig {\n jwksUrl: string;\n issuer: string | string[];\n audience: string | string[];\n requiredScopes: string[];\n cacheTtlMs: number;\n refetchCooldownMs: number;\n clockToleranceSec: number;\n fetch?: typeof globalThis.fetch;\n}\n\nexport class KontextTokenVerifier {\n private readonly config: ResolvedConfig;\n private readonly jwksClient: JwksClient;\n private readonly audiences: string[];\n\n constructor(config: KontextTokenVerifierConfig) {\n this.config = {\n jwksUrl: config.jwksUrl,\n issuer: config.issuer,\n audience: config.audience,\n requiredScopes: config.requiredScopes ?? [],\n cacheTtlMs: config.cacheTtlMs ?? 5 * 60 * 1000,\n refetchCooldownMs: config.refetchCooldownMs ?? 30 * 1000,\n clockToleranceSec:\n config.clockToleranceSec ?? DEFAULT_CLOCK_TOLERANCE_SEC,\n fetch: config.fetch,\n };\n\n this.audiences = Array.isArray(config.audience)\n ? config.audience\n : [config.audience];\n\n this.jwksClient = new JwksClient({\n jwksUrl: config.jwksUrl,\n cacheTtlMs: this.config.cacheTtlMs,\n refetchCooldownMs: this.config.refetchCooldownMs,\n fetch: config.fetch,\n });\n }\n\n /**\n * Verify a JWT token.\n *\n * @param token - The JWT token string (without \"Bearer \" prefix)\n * @returns VerifyResult with success=true and claims, or success=false and error\n */\n async verify(token: string): Promise<VerifyResult> {\n try {\n return await this.verifyInternal(token, false);\n } catch (error) {\n if (error instanceof TokenVerificationError) {\n return { success: false, error };\n }\n\n // Unexpected error\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_TOKEN_FORMAT\",\n `Unexpected verification error: ${(error as Error).message}`,\n ),\n };\n }\n }\n\n /**\n * Verify a JWT token and return claims or null.\n * Simpler API for cases where you don't need error details.\n *\n * @param token - The JWT token string (without \"Bearer \" prefix)\n * @returns VerifiedTokenClaims if valid, null if invalid\n */\n async verifyOrNull(token: string): Promise<VerifiedTokenClaims | null> {\n const result = await this.verify(token);\n return result.success ? result.claims : null;\n }\n\n /**\n * Clear the JWKS cache, forcing a fresh fetch on next verification.\n */\n clearCache(): void {\n this.jwksClient.clearCache();\n }\n\n private async verifyInternal(\n token: string,\n isRetry: boolean,\n ): Promise<VerifyResult> {\n const JWKS = this.jwksClient.getKeyResolver();\n\n try {\n // Use jose's jwtVerify for robust verification\n const { payload, protectedHeader } = await jwtVerify(token, JWKS, {\n issuer: this.config.issuer,\n audience: this.audiences,\n clockTolerance: this.config.clockToleranceSec,\n algorithms: SUPPORTED_ALGORITHMS,\n });\n\n // Check algorithm is supported\n const alg = protectedHeader.alg;\n if (!SUPPORTED_ALGORITHMS.includes(alg)) {\n throw new TokenVerificationError(\n \"UNSUPPORTED_ALGORITHM\",\n `Unsupported algorithm: ${alg}. Expected one of: ${SUPPORTED_ALGORITHMS.join(\", \")}`,\n );\n }\n\n // Validate required claims\n const jwtPayload = payload as JwtPayload;\n if (\n typeof jwtPayload.exp !== \"number\" ||\n !Number.isFinite(jwtPayload.exp) ||\n jwtPayload.exp <= 0\n ) {\n throw new TokenVerificationError(\n \"MISSING_CLAIMS\",\n \"Token missing required exp claim\",\n );\n }\n\n // Extract and validate scopes\n const scopes = this.parseScopes(jwtPayload.scope);\n for (const required of this.config.requiredScopes) {\n if (!scopes.includes(required)) {\n throw new TokenVerificationError(\n \"MISSING_SCOPE\",\n `Missing required scope: ${required}`,\n );\n }\n }\n\n // Extract client ID\n const clientId = jwtPayload.client_id || jwtPayload.sub;\n if (!clientId) {\n throw new TokenVerificationError(\n \"MISSING_CLAIMS\",\n \"Token missing client_id and sub claims\",\n );\n }\n\n // Build verified claims\n const claims: VerifiedTokenClaims = {\n sub: jwtPayload.sub || \"\",\n clientId,\n scopes,\n expiresAt: new Date(jwtPayload.exp * 1000),\n jti: jwtPayload.jti,\n payload: jwtPayload,\n };\n\n return { success: true, claims };\n } catch (error) {\n // Handle jose-specific errors\n if (error instanceof joseErrors.JWKSNoMatchingKey) {\n // Unknown kid - try refreshing JWKS once\n if (!isRetry) {\n const kid = this.extractKid(token);\n const refreshError = this.jwksClient.handleUnknownKid(\n kid || \"unknown\",\n );\n if (!refreshError) {\n // Refresh performed, retry verification\n return this.verifyInternal(token, true);\n }\n return { success: false, error: refreshError };\n }\n\n return {\n success: false,\n error: new TokenVerificationError(\n \"UNKNOWN_KID\",\n \"No matching key found in JWKS\",\n ),\n };\n }\n\n if (error instanceof joseErrors.JWTExpired) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"TOKEN_EXPIRED\",\n \"Token has expired\",\n ),\n };\n }\n\n if (error instanceof joseErrors.JWTClaimValidationFailed) {\n const message = error.message;\n if (message.includes(\"iss\")) {\n const expected = Array.isArray(this.config.issuer)\n ? this.config.issuer.join(\" or \")\n : this.config.issuer;\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_ISSUER\",\n `Invalid issuer: expected ${expected}`,\n ),\n };\n }\n if (message.includes(\"aud\")) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_AUDIENCE\",\n `Invalid audience: expected one of ${this.audiences.join(\", \")}`,\n ),\n };\n }\n if (message.includes(\"nbf\")) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"TOKEN_NOT_YET_VALID\",\n \"Token is not yet valid (nbf claim)\",\n ),\n };\n }\n }\n\n if (error instanceof joseErrors.JWSSignatureVerificationFailed) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_SIGNATURE\",\n \"Signature verification failed\",\n ),\n };\n }\n\n if (error instanceof joseErrors.JWSInvalid) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_TOKEN_FORMAT\",\n `Invalid JWS: ${error.message}`,\n ),\n };\n }\n\n // Re-throw TokenVerificationError\n if (error instanceof TokenVerificationError) {\n throw error;\n }\n\n // Unknown error\n throw new TokenVerificationError(\n \"INVALID_TOKEN_FORMAT\",\n `Verification failed: ${(error as Error).message}`,\n );\n }\n }\n\n private parseScopes(scope: string | undefined): string[] {\n if (!scope) return [];\n return scope\n .split(\" \")\n .map((s) => s.trim())\n .filter(Boolean);\n }\n\n private extractKid(token: string): string | null {\n try {\n const header = decodeProtectedHeader(token);\n return header.kid ?? null;\n } catch {\n return null;\n }\n }\n}\n","/**\n * Session and transport management for the Kontext server SDK.\n *\n * Tracks StreamableHTTPServerTransport instances by session ID,\n * handles cleanup of stale sessions, and provides the session lifecycle\n * hooks used by `kontext.middleware()`.\n */\n\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\n\nexport interface SessionCallbacks {\n onSessionClosed?: (sessionId: string) => void;\n}\n\nexport class SessionManager {\n private readonly transports = new Map<\n string,\n StreamableHTTPServerTransport\n >();\n private readonly lastAccessed = new Map<string, number>();\n private readonly expiresAt = new Map<string, number>();\n private readonly cleanupInterval: ReturnType<typeof setInterval>;\n\n private static readonly STALE_TIMEOUT_MS = 60 * 60 * 1000; // 1 hour\n private static readonly CLEANUP_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes\n\n constructor() {\n this.cleanupInterval = setInterval(\n () => this.cleanupStaleSessions(),\n SessionManager.CLEANUP_INTERVAL_MS,\n );\n // Allow the timer to not block process exit\n if (this.cleanupInterval.unref) {\n this.cleanupInterval.unref();\n }\n }\n\n getTransport(sessionId: string): StreamableHTTPServerTransport | undefined {\n return this.transports.get(sessionId);\n }\n\n registerSession(\n sessionId: string,\n transport: StreamableHTTPServerTransport,\n callbacks?: SessionCallbacks,\n expiresAt?: number,\n ): void {\n this.transports.set(sessionId, transport);\n this.lastAccessed.set(sessionId, Date.now());\n if (expiresAt !== undefined) {\n this.expiresAt.set(sessionId, expiresAt);\n }\n\n transport.onclose = () => {\n this.removeSession(sessionId);\n callbacks?.onSessionClosed?.(sessionId);\n };\n }\n\n touchSession(sessionId: string): void {\n if (this.transports.has(sessionId)) {\n this.lastAccessed.set(sessionId, Date.now());\n }\n }\n\n removeSession(sessionId: string): void {\n this.transports.delete(sessionId);\n this.lastAccessed.delete(sessionId);\n this.expiresAt.delete(sessionId);\n }\n\n /**\n * Check if a session's token has expired.\n * Returns true if the token's `expiresAt` has passed.\n */\n isSessionExpired(sessionId: string): boolean {\n const exp = this.expiresAt.get(sessionId);\n return exp !== undefined && Date.now() / 1000 >= exp;\n }\n\n private cleanupStaleSessions(): void {\n const now = Date.now();\n for (const [sid, lastTime] of this.lastAccessed.entries()) {\n if (now - lastTime > SessionManager.STALE_TIMEOUT_MS) {\n const transport = this.transports.get(sid);\n if (transport) {\n void transport.close?.();\n }\n this.removeSession(sid);\n }\n }\n }\n\n destroy(): void {\n clearInterval(this.cleanupInterval);\n for (const [sid, transport] of this.transports.entries()) {\n void transport.close?.();\n this.removeSession(sid);\n }\n }\n}\n","/**\n * Kontext — the v3 server SDK entry point.\n *\n * Two methods:\n * kontext.middleware(server) — Express middleware (auth + metadata + transport + sessions)\n * kontext.require(integration, token) — RFC 8693 token exchange with caching\n * kontext.requireCredentials(integration, token) — Resolve per-user internal credentials\n *\n * @example Factory pattern (recommended for production — supports concurrent sessions)\n * ```typescript\n * import { Kontext } from \"@kontext-dev/js-sdk/server\";\n * import { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\n * import express from \"express\";\n *\n * const kontext = new Kontext({ clientId: \"mcp_my-server\" });\n *\n * function createServer() {\n * const server = new McpServer({ name: \"my-server\", version: \"1.0.0\" });\n * server.tool(\"list_repos\", {}, async (args, { authInfo }) => {\n * const github = await kontext.require(\"github\", authInfo!.token);\n * const res = await fetch(\"https://api.github.com/user/repos\", {\n * headers: { Authorization: github.authorization },\n * });\n * return { content: [{ type: \"text\", text: JSON.stringify(await res.json()) }] };\n * });\n * return server;\n * }\n *\n * const app = express();\n * app.use(kontext.middleware(createServer)); // /mcp endpoint + /.well-known/* metadata\n * app.listen(3000);\n * ```\n */\n\nimport { createHash } from \"node:crypto\";\nimport { createRequire } from \"node:module\";\nimport type { Router, Request, Response, NextFunction } from \"express\";\nimport type { McpServerOrFactory } from \"./types.js\";\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\nimport { isInitializeRequest } from \"@modelcontextprotocol/sdk/types.js\";\nimport {\n mcpAuthMetadataRouter,\n getOAuthProtectedResourceMetadataUrl,\n} from \"@modelcontextprotocol/sdk/server/auth/router.js\";\nimport { requireBearerAuth } from \"@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js\";\nimport type { OAuthMetadata } from \"@modelcontextprotocol/sdk/shared/auth.js\";\nimport type { OAuthTokenVerifier } from \"@modelcontextprotocol/sdk/server/auth/provider.js\";\nimport type { AuthInfo } from \"@modelcontextprotocol/sdk/server/auth/types.js\";\nimport { InvalidTokenError } from \"@modelcontextprotocol/sdk/server/auth/errors.js\";\n\nimport {\n exchangeToken,\n type TokenExchangeConfig,\n} from \"../oauth/token-exchange.js\";\nimport { OAuthError, IntegrationConnectionRequiredError } from \"../errors.js\";\nimport { KontextTokenVerifier } from \"../verify/verifier.js\";\nimport { SessionManager, type SessionCallbacks } from \"./sessions.js\";\nimport type {\n KontextOptions,\n MiddlewareOptions,\n IntegrationCredential,\n IntegrationResolvedCredentials,\n IntegrationName,\n} from \"./types.js\";\n\nconst DEFAULT_API_URL = \"https://api.kontext.dev\";\nconst METADATA_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\nconst CREDENTIAL_CACHE_MAX_ENTRIES = 500;\nconst RUNTIME_AUTH_CACHE_MAX_ENTRIES = 8;\nconst RESOLVED_CREDENTIAL_CACHE_TTL_MS = 30 * 1000;\n\nconst SDK_VERSION = (() => {\n try {\n const esmRequire = createRequire(import.meta.url);\n const pkg = esmRequire(\"../../package.json\") as { version?: string };\n return pkg.version ?? \"unknown\";\n } catch {\n return \"unknown\";\n }\n})();\n\ninterface CachedCredential {\n credential: IntegrationCredential;\n expiresAt: number;\n}\n\ninterface CachedResolvedCredential {\n credential: IntegrationResolvedCredentials;\n expiresAt: number;\n}\n\ninterface RuntimeAuthContext {\n metadataRouter: Router;\n bearerAuth: ReturnType<typeof requireBearerAuth>;\n}\n\n/**\n * The v3 Kontext server SDK.\n *\n * Provides two methods:\n * - `middleware(server)` — Express Router with auth metadata, bearer validation, and MCP transport.\n * Accepts an `McpServer` instance (single-session) or a factory `() => McpServer` (concurrent sessions).\n * - `require(integration, token)` — RFC 8693 token exchange with in-memory caching\n * - `requireCredentials(integration, token)` — Resolve per-user credential maps for internal integrations\n */\nexport class Kontext {\n private static readonly shutdownInstances = new Set<Kontext>();\n private static shutdownHandlersRegistered = false;\n\n private readonly clientId: string;\n private readonly clientSecret: string | undefined;\n private readonly apiUrl: string;\n private readonly tokenIssuers: string[];\n\n // AS metadata: fetched lazily, cached with TTL\n private oauthMetadata: OAuthMetadata | null = null;\n private metadataFetchedAt = 0;\n private metadataPromise: Promise<OAuthMetadata> | null = null;\n\n // Token exchange caching: keyed by `${integration}\\0${subjectToken}`\n private readonly credentialCache = new Map<string, CachedCredential>();\n private readonly resolvedCredentialCache = new Map<\n string,\n CachedResolvedCredential\n >();\n private readonly runtimeAuthCache = new Map<string, RuntimeAuthContext>();\n private readonly runtimeVerifierIds = new WeakMap<\n OAuthTokenVerifier,\n number\n >();\n private runtimeVerifierIdCounter = 0;\n\n // Telemetry: cached service token for event reporting\n private serviceToken: string | null = null;\n private serviceTokenExp = 0;\n private serviceTokenPromise: Promise<string> | null = null;\n\n // Session tracking: MCP sessionId → API agentSessionId\n private readonly agentSessionIds = new Map<string, string>();\n private readonly pendingSessionDisconnects = new Set<string>();\n\n constructor(options: KontextOptions) {\n this.clientId = options.clientId;\n this.clientSecret =\n options.clientSecret ?? process.env.KONTEXT_CLIENT_SECRET;\n this.apiUrl = (options.apiUrl ?? DEFAULT_API_URL).replace(/\\/$/, \"\");\n const rawTokenIssuers = Array.isArray(options.tokenIssuer)\n ? options.tokenIssuer\n : options.tokenIssuer\n ? options.tokenIssuer.split(\",\")\n : process.env.KONTEXT_TOKEN_ISSUER?.split(\",\");\n this.tokenIssuers = Array.from(\n new Set(rawTokenIssuers?.map((issuer) => issuer.trim()).filter(Boolean)),\n );\n\n Kontext.shutdownInstances.add(this);\n Kontext.ensureShutdownHandlers();\n }\n\n /**\n * Cleanup method for runtimes that create/dispose SDK instances dynamically.\n * Ensures this instance can be garbage-collected by removing static references.\n */\n async destroy(): Promise<void> {\n await this.disconnectAllSessions();\n Kontext.shutdownInstances.delete(this);\n this.credentialCache.clear();\n this.resolvedCredentialCache.clear();\n this.oauthMetadata = null;\n this.metadataFetchedAt = 0;\n this.metadataPromise = null;\n this.serviceToken = null;\n this.serviceTokenExp = 0;\n this.serviceTokenPromise = null;\n this.agentSessionIds.clear();\n this.pendingSessionDisconnects.clear();\n }\n\n private static ensureShutdownHandlers(): void {\n if (Kontext.shutdownHandlersRegistered) return;\n\n const onShutdown = () => {\n for (const instance of Kontext.shutdownInstances) {\n void instance.disconnectAllSessions();\n }\n };\n\n process.once(\"SIGINT\", onShutdown);\n process.once(\"SIGTERM\", onShutdown);\n Kontext.shutdownHandlersRegistered = true;\n }\n\n // ===========================================================================\n // middleware()\n // ===========================================================================\n\n /**\n * Express middleware: `.well-known` metadata + bearer auth + MCP transport + sessions.\n *\n * Must be mounted at the app root (not a sub-path) because RFC 9728 requires\n * `/.well-known/oauth-protected-resource` at the root. Use `mcpPath` to set\n * the transport endpoint path.\n *\n * @param server - An `McpServer` instance for single-session use, or a\n * `() => McpServer` factory for concurrent sessions (recommended in production).\n * `McpServer.connect()` is 1:1 per the MCP spec — passing a factory ensures\n * each session gets its own instance.\n *\n * @example Factory pattern (recommended for concurrent sessions)\n * ```typescript\n * app.use(kontext.middleware(() => createServer()));\n * ```\n *\n * @example Single instance (local dev / single session)\n * ```typescript\n * app.use(kontext.middleware(server));\n * ```\n *\n * @example Custom path\n * ```typescript\n * app.use(kontext.middleware(createServer, { mcpPath: \"/api/mcp\" }));\n * ```\n */\n middleware(server: McpServerOrFactory, options?: MiddlewareOptions): Router {\n // Dynamic require for express (works in both ESM and CJS)\n const esmRequire = createRequire(import.meta.url);\n const express = esmRequire(\"express\") as typeof import(\"express\");\n const router = express.Router();\n\n const mcpPath = options?.mcpPath ?? \"/mcp\";\n const sessionManager = new SessionManager();\n const omitAuth = options?.dangerouslyOmitAuth ?? false;\n\n // CORS: MCP clients (Inspector, browser-based) connect directly and need\n // CORS to perform OAuth discovery and token exchange from the browser.\n router.use((_req: Request, res: Response, next: NextFunction) => {\n res.header(\"Access-Control-Allow-Origin\", \"*\");\n res.header(\n \"Access-Control-Allow-Headers\",\n \"Content-Type, Authorization, Mcp-Session-Id, Mcp-Protocol-Version, Accept\",\n );\n res.header(\"Access-Control-Expose-Headers\", \"Mcp-Session-Id\");\n res.header(\"Access-Control-Allow-Methods\", \"GET, POST, DELETE, OPTIONS\");\n if (_req.method === \"OPTIONS\") {\n res.sendStatus(204);\n return;\n }\n next();\n });\n\n if (omitAuth) {\n console.warn(\n \"[kontext] ⚠️ Auth is disabled (dangerouslyOmitAuth). Do NOT use in production.\",\n );\n\n // JSON body parsing + unauthenticated MCP transport — no metadata, no bearer auth\n router.use(mcpPath, express.json({ limit: options?.bodyLimit ?? \"1mb\" }));\n const mcpHandler = this.createMcpHandler(\n server,\n sessionManager,\n null,\n options,\n );\n router.post(mcpPath, mcpHandler.post);\n router.get(mcpPath, mcpHandler.get);\n router.delete(mcpPath, mcpHandler.delete);\n\n return router;\n }\n\n const getRuntimeAuth = async (\n req: Request,\n ): Promise<RuntimeAuthContext> => {\n const metadata = this.applyMetadataTransform(\n await this.getOAuthMetadata(),\n options?.metadataTransform,\n );\n const rsUrl = this.resolveResourceServerUrl(req, mcpPath, options);\n return this.getOrCreateRuntimeAuthContext(\n metadata,\n rsUrl,\n options?.verifier,\n );\n };\n\n // Intentionally use a catch-all middleware here. Metadata responses depend\n // on request-derived runtime auth context (host/protocol/mount path), so we\n // guard by path and build that context lazily per request.\n router.use(async (req: Request, res: Response, next: NextFunction) => {\n const path = req.path || req.url || \"\";\n const isMetadataRequest =\n path.startsWith(\"/.well-known/oauth-authorization-server\") ||\n path.startsWith(\"/.well-known/oauth-protected-resource\");\n\n if (!isMetadataRequest) {\n next();\n return;\n }\n\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n runtimeAuth.metadataRouter(req, res, next);\n } catch (error) {\n this.respondMetadataInitError(res, error);\n }\n });\n\n // JSON body parsing for MCP POST requests\n router.use(mcpPath, express.json({ limit: options?.bodyLimit ?? \"1mb\" }));\n\n const mcpHandler = this.createMcpHandler(\n server,\n sessionManager,\n getRuntimeAuth,\n options,\n );\n router.post(mcpPath, mcpHandler.post);\n router.get(mcpPath, mcpHandler.get);\n router.delete(mcpPath, mcpHandler.delete);\n\n return router;\n }\n\n // ===========================================================================\n // require()\n // ===========================================================================\n\n /**\n * Exchange a user's access token for an integration credential.\n *\n * @param integration - Integration name (e.g., \"github\")\n * @param token - The user's Bearer token (from `authInfo.token`)\n * @returns Integration credential with `accessToken` and `authorization` header\n *\n * @throws {IntegrationConnectionRequiredError} User hasn't connected this integration\n * @throws {OAuthError} Token exchange failed\n */\n async require(\n integration: IntegrationName,\n token: string,\n ): Promise<IntegrationCredential> {\n const now = Date.now();\n this.evictExpiredCredentials(now);\n\n // Check cache first\n const cacheKey = `${integration}\\0${token}`;\n const cached = this.credentialCache.get(cacheKey);\n if (cached && now < cached.expiresAt) {\n // LRU touch\n this.credentialCache.delete(cacheKey);\n this.credentialCache.set(cacheKey, cached);\n return cached.credential;\n }\n if (cached) {\n this.credentialCache.delete(cacheKey);\n }\n\n // Perform token exchange\n const exchangeConfig: TokenExchangeConfig = {\n tokenUrl: `${this.apiUrl}/oauth2/token`,\n clientId: this.clientId,\n clientSecret: this.clientSecret,\n };\n\n let response;\n try {\n response = await exchangeToken(exchangeConfig, token, integration);\n } catch (err) {\n // Map \"integration not connected\" errors.\n // Per the spec, when the token exchange returns integration_required\n // the SDK fetches a connect URL via a second API call.\n if (err instanceof OAuthError) {\n if (\n err.errorCode === \"integration_required\" ||\n err.message.includes(\"not connected\") ||\n (err.message.includes(\"expired\") && err.message.includes(\"reconnect\"))\n ) {\n const integrationId =\n (err.meta.integrationId as string) || integration;\n const connectUrl = await this.fetchConnectUrl(\n token,\n integrationId,\n exchangeConfig,\n );\n throw new IntegrationConnectionRequiredError(integrationId, {\n integrationName: err.meta.integrationName as string | undefined,\n connectUrl,\n message: err.message,\n });\n }\n }\n throw err;\n }\n\n const credential: IntegrationCredential = {\n accessToken: response.access_token,\n tokenType: response.token_type,\n authorization: `${response.token_type} ${response.access_token}`,\n expiresIn: response.expires_in,\n scope: response.scope,\n integration,\n };\n\n // Cache with TTL = min(expiresIn - 60s, 5 minutes)\n if (response.expires_in) {\n const ttlMs = Math.min(response.expires_in - 60, 5 * 60) * 1000;\n if (ttlMs > 0) {\n this.trimCacheToFit(this.credentialCache, CREDENTIAL_CACHE_MAX_ENTRIES);\n this.credentialCache.set(cacheKey, {\n credential,\n expiresAt: now + ttlMs,\n });\n }\n }\n\n return credential;\n }\n\n /**\n * Resolve per-user credential key/value pairs for an internal MCP integration.\n *\n * @param integration - Integration UUID or name\n * @param token - The user's Bearer token (from `authInfo.token`)\n * @returns Decrypted credential map for the current user and integration\n *\n * @throws {IntegrationConnectionRequiredError} User has not provided required credentials\n * @throws {OAuthError} Runtime credential resolution failed\n */\n async requireCredentials(\n integration: IntegrationName,\n token: string,\n ): Promise<IntegrationResolvedCredentials> {\n const now = Date.now();\n this.evictExpiredResolvedCredentials(now);\n\n const cacheKey = `${integration}\\0${token}\\0internal_credentials`;\n const cached = this.resolvedCredentialCache.get(cacheKey);\n if (cached && now < cached.expiresAt) {\n this.resolvedCredentialCache.delete(cacheKey);\n this.resolvedCredentialCache.set(cacheKey, cached);\n return cached.credential;\n }\n if (cached) {\n this.resolvedCredentialCache.delete(cacheKey);\n }\n\n const exchangeConfig: TokenExchangeConfig = {\n tokenUrl: `${this.apiUrl}/oauth2/token`,\n clientId: this.clientId,\n clientSecret: this.clientSecret,\n };\n\n let gatewayAccessToken = token;\n if (!this.isGatewayScopedToken(token)) {\n try {\n const exchanged = await exchangeToken(\n exchangeConfig,\n token,\n \"mcp-gateway\",\n );\n gatewayAccessToken = exchanged.access_token;\n } catch (err) {\n throw new OAuthError(\n \"Failed to exchange subject token for runtime\",\n \"kontext_credentials_exchange_failed\",\n {\n errorCode: \"credentials_exchange_failed\",\n errorDescription:\n err instanceof Error\n ? err.message\n : String(err ?? \"unknown error\"),\n },\n );\n }\n }\n\n const integrationId = await this.resolveRuntimeIntegrationId(\n integration,\n gatewayAccessToken,\n );\n\n const res = await fetch(\n `${this.apiUrl}/mcp/integrations/${integrationId}/credentials/resolve`,\n {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${gatewayAccessToken}`,\n \"Content-Type\": \"application/json\",\n },\n body: \"{}\",\n },\n );\n\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n const message =\n text && text.trim().length > 0\n ? text\n : `HTTP ${res.status} while resolving credentials`;\n\n if (\n res.status === 400 &&\n message.toLowerCase().includes(\"credentials required\")\n ) {\n throw new IntegrationConnectionRequiredError(integrationId, {\n integrationName: String(integration),\n message,\n });\n }\n\n throw new OAuthError(\n `Failed to resolve credentials for integration ${integrationId}`,\n \"kontext_credentials_resolve_failed\",\n {\n errorCode: \"credentials_resolve_failed\",\n errorDescription: message,\n },\n );\n }\n\n const payload = (await res.json()) as {\n integrationId?: string;\n credentials?: Record<string, unknown>;\n };\n\n if (\n !payload.credentials ||\n typeof payload.credentials !== \"object\" ||\n Array.isArray(payload.credentials)\n ) {\n throw new OAuthError(\n \"Credential resolve returned invalid payload\",\n \"kontext_credentials_invalid_payload\",\n );\n }\n\n const credentials: Record<string, string> = {};\n for (const [key, value] of Object.entries(payload.credentials)) {\n if (typeof value === \"string\") {\n credentials[key] = value;\n }\n }\n\n if (Object.keys(credentials).length === 0) {\n throw new IntegrationConnectionRequiredError(integrationId, {\n integrationName: String(integration),\n message: \"No credentials configured for this integration\",\n });\n }\n\n const resolved: IntegrationResolvedCredentials = {\n integration,\n integrationId: payload.integrationId ?? integrationId,\n credentials,\n };\n\n this.trimCacheToFit(\n this.resolvedCredentialCache,\n CREDENTIAL_CACHE_MAX_ENTRIES,\n );\n this.resolvedCredentialCache.set(cacheKey, {\n credential: resolved,\n expiresAt: now + RESOLVED_CREDENTIAL_CACHE_TTL_MS,\n });\n\n return resolved;\n }\n\n private getGatewayAudiences(): Set<string> {\n return new Set([`${new URL(this.apiUrl).origin}/mcp`, \"mcp-gateway\"]);\n }\n\n private isGatewayScopedToken(token: string): boolean {\n const audiences = this.extractTokenAudiences(token);\n if (audiences.length === 0) {\n return false;\n }\n const gatewayAudiences = this.getGatewayAudiences();\n return audiences.some((audience) => gatewayAudiences.has(audience));\n }\n\n private extractTokenAudiences(token: string): string[] {\n const [, payloadPart] = token.split(\".\");\n if (!payloadPart) return [];\n try {\n const payload = JSON.parse(\n Buffer.from(payloadPart, \"base64url\").toString(\"utf8\"),\n ) as { aud?: unknown };\n if (typeof payload.aud === \"string\") {\n return [payload.aud];\n }\n if (Array.isArray(payload.aud)) {\n return payload.aud.filter(\n (value): value is string => typeof value === \"string\",\n );\n }\n } catch {\n // Non-JWT or malformed payload — treat as unknown audience.\n }\n return [];\n }\n\n // ===========================================================================\n // Private: fetch connect URL (spec §2 — two-step init)\n // ===========================================================================\n\n private async resolveRuntimeIntegrationId(\n integration: IntegrationName,\n runtimeToken: string,\n ): Promise<string> {\n const raw = String(integration);\n if (this.isUuid(raw)) {\n return raw;\n }\n\n const res = await fetch(`${this.apiUrl}/mcp/integrations`, {\n headers: {\n Authorization: `Bearer ${runtimeToken}`,\n },\n });\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n throw new OAuthError(\n \"Failed to resolve integration identifier\",\n \"kontext_integration_lookup_failed\",\n {\n errorCode: \"integration_lookup_failed\",\n errorDescription: text || `HTTP ${res.status}`,\n },\n );\n }\n\n const payload = (await res.json()) as {\n items?: Array<{ id?: string; name?: string }>;\n };\n const items = Array.isArray(payload.items) ? payload.items : [];\n const match = items.find((item) => item.id === raw || item.name === raw);\n const integrationId = match?.id;\n if (!integrationId) {\n throw new IntegrationConnectionRequiredError(raw, {\n integrationName: raw,\n message: `Integration ${raw} is not attached to this application`,\n });\n }\n\n return integrationId;\n }\n\n private isUuid(value: string): boolean {\n return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(\n value,\n );\n }\n\n /**\n * Fetch a browser-openable connect URL for a missing integration.\n *\n * Per the integration-interrupt-flow spec, the SDK:\n * 1. Exchanges the user's token for a resource-scoped mcp-gateway JWT\n * 2. Calls POST /mcp/integrations/:id/oauth/init with that JWT\n * 3. Returns the `connectUrl` (intermediate endpoint with one-time token)\n *\n * The connect URL points to our own server (ticket pattern), which\n * validates the ticket, sets a browser session cookie, then redirects\n * to the actual OAuth provider.\n */\n private async fetchConnectUrl(\n subjectToken: string,\n integrationId: string,\n exchangeConfig: TokenExchangeConfig,\n ): Promise<string | undefined> {\n try {\n // Step 1: Exchange for mcp-gateway to get a resource-scoped JWT\n const gatewayToken = await exchangeToken(\n exchangeConfig,\n subjectToken,\n \"mcp-gateway\",\n );\n\n // Step 2: Call the init endpoint with the resource-scoped JWT\n const initUrl = `${this.apiUrl}/mcp/integrations/${integrationId}/oauth/init`;\n const res = await fetch(initUrl, {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${gatewayToken.access_token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({}),\n });\n\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n console.warn(\n `[kontext] fetchConnectUrl: init endpoint returned ${res.status}: ${text}`,\n );\n return undefined;\n }\n\n const data = (await res.json()) as {\n connectUrl?: string;\n authorizationUrl?: string;\n };\n\n // Prefer connectUrl (intermediate endpoint) over raw authorizationUrl\n return data.connectUrl ?? data.authorizationUrl;\n } catch (err) {\n // If we can't get the connect URL, return undefined — the error\n // still propagates as IntegrationConnectionRequiredError, just\n // without a connect URL.\n console.warn(\n `[kontext] fetchConnectUrl failed:`,\n err instanceof Error ? err.message : String(err),\n );\n return undefined;\n }\n }\n\n // ===========================================================================\n // Private: AS metadata\n // ===========================================================================\n\n private async getOAuthMetadata(): Promise<OAuthMetadata> {\n const now = Date.now();\n if (\n this.oauthMetadata &&\n now - this.metadataFetchedAt < METADATA_CACHE_TTL_MS\n ) {\n return this.oauthMetadata;\n }\n\n if (this.metadataPromise) {\n return this.metadataPromise;\n }\n\n this.metadataPromise = this.fetchOAuthMetadata();\n try {\n const metadata = await this.metadataPromise;\n this.oauthMetadata = metadata;\n this.metadataFetchedAt = Date.now();\n return metadata;\n } finally {\n this.metadataPromise = null;\n }\n }\n\n private applyMetadataTransform(\n metadata: OAuthMetadata,\n metadataTransform?: MiddlewareOptions[\"metadataTransform\"],\n ): OAuthMetadata {\n if (!metadataTransform) {\n return metadata;\n }\n\n // Keep cached discovery metadata immutable from user-provided transforms.\n return metadataTransform(this.cloneOAuthMetadata(metadata));\n }\n\n private cloneOAuthMetadata(metadata: OAuthMetadata): OAuthMetadata {\n return JSON.parse(JSON.stringify(metadata)) as OAuthMetadata;\n }\n\n private async fetchOAuthMetadata(): Promise<OAuthMetadata> {\n // Try RFC 8414 first, then OIDC discovery\n const urls = [\n `${this.apiUrl}/.well-known/oauth-authorization-server`,\n `${this.apiUrl}/.well-known/openid-configuration`,\n ];\n\n let lastError: Error | undefined;\n for (const url of urls) {\n try {\n const res = await fetch(url);\n if (res.ok) {\n return (await res.json()) as OAuthMetadata;\n }\n } catch (err) {\n lastError = err instanceof Error ? err : new Error(String(err));\n }\n }\n\n throw new Error(\n `Failed to fetch AS metadata from ${this.apiUrl}: ${lastError?.message ?? \"unknown error\"}`,\n );\n }\n\n private resolveResourceServerUrl(\n req: Request,\n mcpPath: string,\n options?: MiddlewareOptions,\n ): URL {\n if (options?.resourceServerUrl) {\n return new URL(options.resourceServerUrl);\n }\n const host = req.get(\"host\");\n if (!host) {\n throw new Error(\n \"Missing Host header. Set middleware({ resourceServerUrl }) to a trusted public URL.\",\n );\n }\n return new URL(`${req.protocol}://${host}${mcpPath}`);\n }\n\n private getOrCreateRuntimeAuthContext(\n metadata: OAuthMetadata,\n rsUrl: URL,\n customVerifier?: OAuthTokenVerifier,\n ): RuntimeAuthContext {\n const key = this.getRuntimeAuthCacheKey(rsUrl, customVerifier);\n const cached = this.runtimeAuthCache.get(key);\n if (cached) {\n // LRU touch\n this.runtimeAuthCache.delete(key);\n this.runtimeAuthCache.set(key, cached);\n return cached;\n }\n\n // mcpAuthMetadataRouter uses issuer for authorization_servers.\n // Keep issuer aligned with the request's resource server origin.\n const proxiedMetadata = { ...metadata, issuer: `${rsUrl.origin}/` };\n const metadataRouter = mcpAuthMetadataRouter({\n oauthMetadata: proxiedMetadata,\n resourceServerUrl: rsUrl,\n });\n const resourceMetadataUrl = getOAuthProtectedResourceMetadataUrl(rsUrl);\n const verifier =\n customVerifier ?? this.createTokenVerifier(metadata, rsUrl);\n const runtimeAuth: RuntimeAuthContext = {\n metadataRouter,\n bearerAuth: requireBearerAuth({\n verifier,\n resourceMetadataUrl,\n }),\n };\n\n this.trimCacheToFit(this.runtimeAuthCache, RUNTIME_AUTH_CACHE_MAX_ENTRIES);\n this.runtimeAuthCache.set(key, runtimeAuth);\n return runtimeAuth;\n }\n\n private getRuntimeAuthCacheKey(\n rsUrl: URL,\n customVerifier?: OAuthTokenVerifier,\n ): string {\n if (!customVerifier) {\n return `${rsUrl.href}\\0default`;\n }\n\n let verifierId = this.runtimeVerifierIds.get(customVerifier);\n if (verifierId === undefined) {\n verifierId = ++this.runtimeVerifierIdCounter;\n this.runtimeVerifierIds.set(customVerifier, verifierId);\n }\n\n return `${rsUrl.href}\\0custom:${verifierId}`;\n }\n\n private respondMetadataInitError(res: Response, error: unknown): void {\n const message = error instanceof Error ? error.message : String(error);\n console.error(`[kontext] Failed to fetch AS metadata: ${message}`);\n if (res.headersSent) return;\n res.status(503).json({\n error: \"service_unavailable\",\n error_description:\n \"Failed to fetch authorization server metadata. Retry later.\",\n });\n }\n\n private evictExpiredCredentials(now: number): void {\n for (const [key, value] of this.credentialCache.entries()) {\n if (value.expiresAt <= now) {\n this.credentialCache.delete(key);\n }\n }\n }\n\n private evictExpiredResolvedCredentials(now: number): void {\n for (const [key, value] of this.resolvedCredentialCache.entries()) {\n if (value.expiresAt <= now) {\n this.resolvedCredentialCache.delete(key);\n }\n }\n }\n\n private trimCacheToFit<T>(cache: Map<string, T>, maxEntries: number): void {\n while (cache.size >= maxEntries) {\n const oldestKey = cache.keys().next().value as string | undefined;\n if (!oldestKey) break;\n cache.delete(oldestKey);\n }\n }\n\n // ===========================================================================\n // Private: token verifier\n // ===========================================================================\n\n private createTokenVerifier(\n metadata: OAuthMetadata,\n resourceUrl: URL,\n ): OAuthTokenVerifier {\n const metadataRaw = metadata as Record<string, unknown>;\n const jwksUri =\n (metadataRaw.jwks_uri as string | undefined) ??\n `${this.apiUrl}/.well-known/jwks.json`;\n const clientId = this.clientId;\n\n const issuers = Array.from(\n new Set(\n [metadata.issuer, ...this.tokenIssuers].filter(\n (issuer): issuer is string => typeof issuer === \"string\" && !!issuer,\n ),\n ),\n );\n if (!issuers.length) {\n throw new Error(\"OAuth metadata missing issuer\");\n }\n const issuer: string | string[] =\n issuers.length === 1 ? issuers[0]! : issuers;\n\n const verifier = new KontextTokenVerifier({\n jwksUrl: jwksUri,\n issuer,\n audience: resourceUrl.href,\n });\n\n return {\n async verifyAccessToken(token: string): Promise<AuthInfo> {\n const result = await verifier.verify(token);\n\n if (!result.success) {\n throw new InvalidTokenError(\n `Token verification failed: ${result.error.message}`,\n );\n }\n\n const { claims } = result;\n const payload = claims.payload as Record<string, unknown>;\n const ext = (payload.ext as Record<string, unknown> | undefined) ?? {};\n\n return {\n token,\n clientId: claims.clientId ?? clientId,\n scopes: claims.scopes,\n expiresAt: Math.floor(claims.expiresAt.getTime() / 1000),\n extra: {\n ...ext,\n sub: claims.sub,\n email: payload.email ?? ext.email,\n },\n };\n },\n };\n }\n\n // ===========================================================================\n // Private: telemetry\n // ===========================================================================\n\n private async getServiceToken(): Promise<string> {\n if (this.serviceToken && Date.now() < this.serviceTokenExp - 30_000) {\n return this.serviceToken;\n }\n\n if (this.serviceTokenPromise) {\n return this.serviceTokenPromise;\n }\n\n this.serviceTokenPromise = (async () => {\n const res = await fetch(`${this.apiUrl}/oauth2/token`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Authorization: `Basic ${Buffer.from(this.clientId + \":\" + this.clientSecret).toString(\"base64\")}`,\n },\n body: \"grant_type=client_credentials\",\n });\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n throw new Error(\n `[kontext:telemetry] client_credentials grant failed: HTTP ${res.status} ${text}`,\n );\n }\n const data = (await res.json()) as {\n access_token: string;\n expires_in: number;\n };\n this.serviceToken = data.access_token;\n this.serviceTokenExp = Date.now() + data.expires_in * 1000;\n return data.access_token;\n })();\n\n try {\n return await this.serviceTokenPromise;\n } finally {\n this.serviceTokenPromise = null;\n }\n }\n\n private reportEvent(\n event: Record<string, unknown> & {\n sessionId?: string;\n ownerUserId?: unknown;\n durationMs: number;\n },\n ): void {\n if (!this.clientSecret || !event.sessionId) return;\n this.getServiceToken()\n .then((token) =>\n fetch(`${this.apiUrl}/api/v1/mcp-events`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify({\n ...event,\n agentId: this.clientId,\n clientId: this.clientId,\n clientVersion: SDK_VERSION,\n }),\n }).then((res) => {\n if (!res.ok) {\n console.warn(\n `[kontext:telemetry] event report failed: HTTP ${res.status}`,\n );\n }\n }),\n )\n .catch((err) => {\n console.warn(\n `[kontext:telemetry] error:`,\n err instanceof Error ? err.message : String(err),\n );\n });\n }\n\n // ===========================================================================\n // Private: session lifecycle\n // ===========================================================================\n\n private createAgentSession(\n userToken: string | undefined,\n mcpSessionId: string,\n metadata?: {\n hostname?: string;\n userAgent?: string;\n clientInfo?: Record<string, unknown>;\n tokenExpiresAt?: number;\n },\n ): void {\n if (!this.clientSecret || !userToken) return;\n const tokenIdentifier = createHash(\"sha256\")\n .update(userToken)\n .digest(\"hex\");\n\n this.getServiceToken()\n .then((token) =>\n fetch(`${this.apiUrl}/api/v1/agent-sessions`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify({\n tokenIdentifier,\n hostname: metadata?.hostname,\n userAgent: metadata?.userAgent,\n clientInfo: metadata?.clientInfo,\n tokenExpiresAt: metadata?.tokenExpiresAt\n ? new Date(metadata.tokenExpiresAt * 1000).toISOString()\n : undefined,\n }),\n }).then(async (res) => {\n if (res.ok) {\n const data = (await res.json()) as {\n sessionId: string;\n name: string;\n };\n if (this.pendingSessionDisconnects.delete(mcpSessionId)) {\n this.disconnectAgentSessionByAgentSessionId(\n data.sessionId,\n token,\n );\n return;\n }\n\n this.agentSessionIds.set(mcpSessionId, data.sessionId);\n } else {\n this.pendingSessionDisconnects.delete(mcpSessionId);\n console.warn(\n `[kontext:sessions] create failed: HTTP ${res.status}`,\n );\n }\n }),\n )\n .catch((err) => {\n this.pendingSessionDisconnects.delete(mcpSessionId);\n console.warn(\n `[kontext:sessions] error:`,\n err instanceof Error ? err.message : String(err),\n );\n });\n }\n\n private disconnectAgentSessionByAgentSessionId(\n agentSessionId: string,\n serviceToken?: string,\n ): void {\n if (!this.clientSecret) return;\n\n const tokenPromise = serviceToken\n ? Promise.resolve(serviceToken)\n : this.getServiceToken();\n\n tokenPromise\n .then((token) =>\n fetch(\n `${this.apiUrl}/api/v1/agent-sessions/${agentSessionId}/disconnect`,\n {\n method: \"POST\",\n headers: { Authorization: `Bearer ${token}` },\n },\n ),\n )\n .catch(() => {});\n }\n\n private disconnectAgentSession(mcpSessionId: string): void {\n if (!this.clientSecret) return;\n\n const agentSessionId = this.agentSessionIds.get(mcpSessionId);\n this.agentSessionIds.delete(mcpSessionId);\n if (!agentSessionId) {\n this.pendingSessionDisconnects.add(mcpSessionId);\n return;\n }\n\n this.pendingSessionDisconnects.delete(mcpSessionId);\n this.disconnectAgentSessionByAgentSessionId(agentSessionId);\n }\n\n private async disconnectAllSessions(): Promise<void> {\n if (!this.clientSecret) return;\n if (this.agentSessionIds.size === 0) {\n this.pendingSessionDisconnects.clear();\n return;\n }\n\n try {\n const token = await this.getServiceToken();\n await Promise.allSettled(\n [...this.agentSessionIds.values()].map((agentSessionId) =>\n fetch(\n `${this.apiUrl}/api/v1/agent-sessions/${agentSessionId}/disconnect`,\n {\n method: \"POST\",\n headers: { Authorization: `Bearer ${token}` },\n },\n ),\n ),\n );\n } catch {\n // Best-effort on shutdown — swallow errors\n }\n this.agentSessionIds.clear();\n this.pendingSessionDisconnects.clear();\n }\n\n // ===========================================================================\n // Private: MCP transport handlers\n // ===========================================================================\n\n private async runBearerAuth(\n bearerAuth: ReturnType<typeof requireBearerAuth>,\n req: Request,\n res: Response,\n ): Promise<void> {\n await new Promise<void>((resolve, reject) => {\n let settled = false;\n let nextCalled = false;\n\n const cleanup = () => {\n res.removeListener(\"finish\", onResponseDone);\n res.removeListener(\"close\", onResponseDone);\n };\n\n const settleResolve = () => {\n if (settled) return;\n settled = true;\n cleanup();\n resolve();\n };\n\n const settleReject = (err: unknown) => {\n if (settled) return;\n settled = true;\n cleanup();\n reject(err instanceof Error ? err : new Error(String(err)));\n };\n\n const onResponseDone = () => {\n // Auth middleware can terminate the response (401/403) without\n // calling next(). Treat response completion as terminal.\n settleResolve();\n };\n\n res.once(\"finish\", onResponseDone);\n res.once(\"close\", onResponseDone);\n\n let middlewareResult: unknown;\n try {\n middlewareResult = bearerAuth(req, res, (err?: unknown) => {\n nextCalled = true;\n if (err) {\n settleReject(err);\n return;\n }\n settleResolve();\n });\n } catch (err) {\n settleReject(err);\n return;\n }\n\n void Promise.resolve(middlewareResult).then(\n () => {\n if (!nextCalled && res.headersSent) {\n settleResolve();\n }\n },\n (err: unknown) => {\n settleReject(err);\n },\n );\n });\n }\n\n private createMcpHandler(\n server: McpServerOrFactory,\n sessionManager: SessionManager,\n getRuntimeAuth: ((req: Request) => Promise<RuntimeAuthContext>) | null,\n options?: MiddlewareOptions,\n ) {\n const callbacks: SessionCallbacks = {\n onSessionClosed: (sessionId: string) => {\n options?.onSessionClosed?.(sessionId);\n this.disconnectAgentSession(sessionId);\n },\n };\n\n const post = async (req: Request, res: Response) => {\n const traceId = crypto.randomUUID();\n const authReq = req as Request & { auth?: AuthInfo };\n\n // Authenticate every request (not just initialize) so authInfo\n // is available in tool handlers on subsequent calls.\n if (getRuntimeAuth) {\n let bearerAuth: ReturnType<typeof requireBearerAuth>;\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n bearerAuth = runtimeAuth.bearerAuth;\n } catch (error) {\n this.respondMetadataInitError(res, error);\n return;\n }\n\n await this.runBearerAuth(bearerAuth, req, res);\n\n const sessionId = req.headers[\"mcp-session-id\"] as string | undefined;\n\n // Only report auth events for established sessions — the\n // initial request has no session ID yet and is covered by\n // the \"initialize\" event instead.\n if (sessionId) {\n if (res.headersSent) {\n this.reportEvent({\n eventType: \"auth_error\",\n traceId,\n sessionId,\n durationMs: 0,\n status: \"error_auth\",\n });\n return;\n }\n\n if (authReq.auth) {\n this.reportEvent({\n eventType: \"auth_ok\",\n traceId,\n ownerUserId: authReq.auth.extra?.sub,\n sessionId,\n durationMs: 0,\n status: \"ok\",\n });\n }\n } else if (res.headersSent) {\n // Auth failed on initial request — nothing more to do\n return;\n }\n }\n\n const sessionId = req.headers[\"mcp-session-id\"] as string | undefined;\n\n // If there's an existing session, route to its transport\n if (sessionId) {\n const transport = sessionManager.getTransport(sessionId);\n if (transport) {\n sessionManager.touchSession(sessionId);\n await transport.handleRequest(req, res, req.body);\n return;\n }\n }\n\n // New session: must be an initialize request\n if (!isInitializeRequest(req.body)) {\n res.status(400).json({\n jsonrpc: \"2.0\",\n error: {\n code: -32000,\n message: sessionId\n ? `Session ${sessionId} not found`\n : \"No valid session ID provided\",\n },\n id: null,\n });\n return;\n }\n\n // Create transport and connect\n const authInfo = authReq.auth;\n const transport = new StreamableHTTPServerTransport({\n sessionIdGenerator: () => crypto.randomUUID(),\n onsessioninitialized: (sid: string) => {\n sessionManager.registerSession(\n sid,\n transport,\n callbacks,\n authInfo?.expiresAt,\n );\n options?.onSessionInitialized?.(sid, authInfo, transport);\n this.reportEvent({\n eventType: \"initialize\",\n traceId,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n durationMs: 0,\n status: \"ok\",\n });\n this.createAgentSession(authInfo?.token, sid, {\n hostname: req.headers[\"x-forwarded-for\"] as string | undefined,\n userAgent: req.headers[\"user-agent\"] as string | undefined,\n tokenExpiresAt: authInfo?.expiresAt,\n });\n },\n });\n\n // Wrap handleRequest to intercept tool calls with telemetry\n const originalHandle = transport.handleRequest.bind(transport);\n transport.handleRequest = async (\n wrappedReq: Request,\n wrappedRes: Response,\n parsedBody?: Record<string, unknown>,\n ) => {\n const reqTraceId = wrappedReq === req ? traceId : crypto.randomUUID();\n const sid =\n (wrappedReq.headers[\"mcp-session-id\"] as string | undefined) ??\n transport.sessionId;\n const start = Date.now();\n try {\n await originalHandle(wrappedReq, wrappedRes, parsedBody);\n if (parsedBody?.method === \"tools/call\") {\n this.reportEvent({\n eventType: \"execute_tool\",\n traceId: reqTraceId,\n toolName: (\n parsedBody.params as Record<string, unknown> | undefined\n )?.name,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"ok\",\n requestJson: parsedBody.params,\n });\n } else if (parsedBody?.method === \"tools/list\") {\n this.reportEvent({\n eventType: \"search_tools\",\n traceId: reqTraceId,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"ok\",\n });\n }\n } catch (err) {\n if (parsedBody?.method === \"tools/call\") {\n this.reportEvent({\n eventType: \"execute_tool\",\n traceId: reqTraceId,\n toolName: (\n parsedBody.params as Record<string, unknown> | undefined\n )?.name,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"error_remote\",\n errorMessage: err instanceof Error ? err.message : String(err),\n });\n } else if (parsedBody?.method === \"tools/list\") {\n this.reportEvent({\n eventType: \"search_tools\",\n traceId: reqTraceId,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"error_remote\",\n errorMessage: err instanceof Error ? err.message : String(err),\n });\n }\n throw err;\n }\n };\n\n const mcpServer = typeof server === \"function\" ? server() : server;\n await mcpServer.connect(transport);\n await transport.handleRequest(req, res, req.body);\n };\n\n const get = async (req: Request, res: Response) => {\n if (getRuntimeAuth) {\n let bearerAuth: ReturnType<typeof requireBearerAuth>;\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n bearerAuth = runtimeAuth.bearerAuth;\n } catch (error) {\n this.respondMetadataInitError(res, error);\n return;\n }\n\n await this.runBearerAuth(bearerAuth, req, res);\n if (res.headersSent) {\n return;\n }\n }\n\n const sessionId =\n (req.headers[\"mcp-session-id\"] as string | undefined) ||\n (req.headers[\"Mcp-Session-Id\"] as string | undefined);\n if (!sessionId) {\n res.status(400).json({ error: \"Missing Mcp-Session-Id header\" });\n return;\n }\n\n const transport = sessionManager.getTransport(sessionId);\n if (!transport) {\n res.status(400).json({ error: \"Session not found\" });\n return;\n }\n\n sessionManager.touchSession(sessionId);\n await transport.handleRequest(req, res);\n };\n\n const del = async (req: Request, res: Response) => {\n if (getRuntimeAuth) {\n let bearerAuth: ReturnType<typeof requireBearerAuth>;\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n bearerAuth = runtimeAuth.bearerAuth;\n } catch (error) {\n this.respondMetadataInitError(res, error);\n return;\n }\n\n await this.runBearerAuth(bearerAuth, req, res);\n if (res.headersSent) {\n return;\n }\n }\n\n const sessionId =\n (req.headers[\"mcp-session-id\"] as string | undefined) ||\n (req.headers[\"Mcp-Session-Id\"] as string | undefined);\n if (!sessionId) {\n res.status(400).json({ error: \"Missing Mcp-Session-Id header\" });\n return;\n }\n\n const transport = sessionManager.getTransport(sessionId);\n if (!transport) {\n res.status(400).json({ error: \"Session not found\" });\n return;\n }\n\n await transport.handleRequest(req, res);\n };\n\n return { post, get, delete: del };\n }\n}\n"]}
1
+ {"version":3,"sources":["../../src/management/types.ts","../../src/errors.ts","../../src/oauth/token-exchange.ts","../../src/verify/errors.ts","../../src/verify/jwks-client.ts","../../src/verify/verifier.ts","../../src/server/sessions.ts","../../src/server/kontext.ts"],"names":["createRemoteJWKSet","jwtVerify","joseErrors","decodeProtectedHeader","createRequire","mcpHandler","mcpAuthMetadataRouter","getOAuthProtectedResourceMetadataUrl","requireBearerAuth","issuer","InvalidTokenError","createHash","sessionId","transport","isInitializeRequest","StreamableHTTPServerTransport"],"mappings":";;;;;;;;;;;;;;;AA2ZO,IAAM,yBAAA,GACX,iDAAA;AAKK,IAAM,uBAAA,GACX,+CAAA;;;ACpYK,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA;AAAA,EAE7B,YAAA,GAAe,IAAA;AAAA;AAAA,EAGf,IAAA;AAAA;AAAA,EAGA,UAAA;AAAA;AAAA,EAGA,OAAA;AAAA;AAAA,EAGA,SAAA;AAAA;AAAA,EAGA,IAAA;AAAA,EAET,WAAA,CACE,OAAA,EACA,IAAA,EACA,OAAA,EAMA;AACA,IAAA,KAAA,CAAM,OAAA,EAAS,EAAE,KAAA,EAAO,OAAA,EAAS,OAAO,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,aAAa,OAAA,EAAS,UAAA;AAC3B,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,IAAA,GAAO,OAAA,EAAS,IAAA,IAAQ,EAAC;AAC9B,IAAA,IAAA,CAAK,OAAA,GAAU,mCAAmC,IAAI,CAAA,CAAA;AACtD,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAAA,EAClD;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO;AAAA,MACL,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,YAAY,IAAA,CAAK,UAAA;AAAA,MACjB,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,IAAA,EAAM,OAAO,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA,GAAS,CAAA,GAAI,IAAA,CAAK,IAAA,GAAO;AAAA,KACxD;AAAA,EACF;AAAA,EAES,QAAA,GAAmB;AAC1B,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,CAAA,EAAI,IAAA,CAAK,IAAI,CAAA,EAAA,EAAK,IAAA,CAAK,OAAO,CAAA,CAAE,CAAA;AAC/C,IAAA,IAAI,KAAK,OAAA,EAAS,KAAA,CAAM,KAAK,CAAA,MAAA,EAAS,IAAA,CAAK,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,IAAI,KAAK,SAAA,EAAW,KAAA,CAAM,KAAK,CAAA,YAAA,EAAe,IAAA,CAAK,SAAS,CAAA,CAAE,CAAA;AAC9D,IAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACxB;AACF,CAAA;AAsDO,IAAM,UAAA,GAAN,cAAyB,YAAA,CAAa;AAAA,EAClC,SAAA;AAAA,EACA,gBAAA;AAAA,EAET,WAAA,CACE,OAAA,EACA,IAAA,EACA,OAAA,EAQA;AACA,IAAA,KAAA,CAAM,SAAS,IAAA,EAAM;AAAA,MACnB,UAAA,EAAY,SAAS,UAAA,IAAc,GAAA;AAAA,MACnC,GAAG;AAAA,KACJ,CAAA;AACD,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,mBAAmB,OAAA,EAAS,gBAAA;AAAA,EACnC;AACF,CAAA;AASO,IAAM,kCAAA,GAAN,cAAiD,YAAA,CAAa;AAAA,EAC1D,aAAA;AAAA,EACA,eAAA;AAAA,EACA,UAAA;AAAA,EAET,WAAA,CACE,eACA,OAAA,EAQA;AACA,IAAA,KAAA;AAAA,MACE,OAAA,EAAS,OAAA,IACP,CAAA,2BAAA,EAA8B,aAAa,CAAA,kDAAA,CAAA;AAAA,MAC7C,yCAAA;AAAA,MACA,EAAE,UAAA,EAAY,GAAA,EAAK,GAAG,OAAA;AAAQ,KAChC;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,oCAAA;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,aAAA;AACrB,IAAA,IAAA,CAAK,kBAAkB,OAAA,EAAS,eAAA;AAChC,IAAA,IAAA,CAAK,aAAa,OAAA,EAAS,UAAA;AAAA,EAC7B;AACF;;;ACzIA,eAAsB,cACpB,MAAA,EACA,YAAA,EACA,QAAA,EACA,KAAA,EACA,mBAA2B,uBAAA,EACK;AAEhC,EAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,EAAA,IAAA,CAAK,GAAA,CAAI,cAAc,yBAAyB,CAAA;AAChD,EAAA,IAAA,CAAK,GAAA,CAAI,iBAAiB,YAAY,CAAA;AACtC,EAAA,IAAA,CAAK,GAAA,CAAI,sBAAsB,gBAAgB,CAAA;AAC/C,EAAA,IAAA,CAAK,GAAA,CAAI,YAAY,QAAQ,CAAA;AAQ7B,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,cAAA,EAAgB;AAAA,GAClB;AAEA,EAAA,IAAI,OAAO,YAAA,EAAc;AAEvB,IAAA,MAAM,cAAc,MAAA,CAAO,IAAA;AAAA,MACzB,CAAA,EAAG,MAAA,CAAO,QAAQ,CAAA,CAAA,EAAI,OAAO,YAAY,CAAA;AAAA,KAC3C,CAAE,SAAS,QAAQ,CAAA;AACnB,IAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,MAAA,EAAS,WAAW,CAAA,CAAA;AAAA,EACjD,CAAA,MAAO;AAEL,IAAA,IAAA,CAAK,GAAA,CAAI,WAAA,EAAa,MAAA,CAAO,QAAQ,CAAA;AAAA,EACvC;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,MAAA,CAAO,QAAA,EAAU;AAAA,IAC5C,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA;AAAA,IACA,IAAA,EAAM,KAAK,QAAA;AAAS,GACrB,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,IAAI,eAAe,CAAA,uBAAA,EAA0B,QAAA,CAAS,MAAM,CAAA,CAAA,EAAI,SAAS,UAAU,CAAA,CAAA;AACnF,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI,eAAA;AACJ,IAAA,IAAI,aAAA;AAEJ,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,SAAA,GAAY,SAAA,CAAU,KAAA;AACtB,MAAA,IAAI,UAAU,iBAAA,EAAmB;AAC/B,QAAA,YAAA,GAAe,SAAA,CAAU,iBAAA;AAAA,MAC3B,CAAA,MAAA,IAAW,UAAU,KAAA,EAAO;AAC1B,QAAA,YAAA,GAAe,CAAA,uBAAA,EAA0B,UAAU,KAAK,CAAA,CAAA;AAAA,MAC1D;AAGA,MAAA,IAAI,SAAA,CAAU,gBAAA,IAAoB,SAAA,CAAU,cAAA,EAAgB;AAC1D,QAAA,eAAA,GAAkB,SAAA,CAAU,gBAAA;AAC5B,QAAA,aAAA,GAAgB,SAAA,CAAU,cAAA;AAAA,MAC5B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,IAAI,UAAA,CAAW,YAAA,EAAc,qCAAA,EAAuC;AAAA,MACxE,SAAA;AAAA,MACA,IAAA,EAAM;AAAA,QACJ,eAAA;AAAA,QACA;AAAA;AACF,KACD,CAAA;AAAA,EACH;AAEA,EAAA,MAAM,aAAA,GAAiB,MAAM,QAAA,CAAS,IAAA,EAAK;AAG3C,EAAA,IAAI,CAAC,cAAc,YAAA,EAAc;AAC/B,IAAA,MAAM,IAAI,UAAA;AAAA,MACR,+CAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,cAAc,iBAAA,EAAmB;AACpC,IAAA,MAAM,IAAI,UAAA;AAAA,MACR,oDAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,cAAc,UAAA,EAAY;AAC7B,IAAA,MAAM,IAAI,UAAA;AAAA,MACR,6CAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,aAAA;AACT;;;AC9IO,IAAM,sBAAA,GAAN,MAAM,uBAAA,SAA+B,KAAA,CAAM;AAAA,EACvC,IAAA;AAAA,EAET,WAAA,CAAY,MAAkC,OAAA,EAAiB;AAC7D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,uBAAA,CAAuB,SAAS,CAAA;AAAA,EAC9D;AACF,CAAA;;;ACVA,IAAM,oBAAA,GAAuB,IAAI,EAAA,GAAK,GAAA;AACtC,IAAM,8BAA8B,EAAA,GAAK,GAAA;AAQlC,IAAM,aAAN,MAAiB;AAAA,EACL,OAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,WAAA;AAAA,EAET,IAAA,GAA+B,IAAA;AAAA,EAC/B,WAAA,GAAc,CAAA;AAAA,EACd,aAAA,GAAgB,CAAA;AAAA,EAExB,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,OAAA,GAAU,IAAI,GAAA,CAAI,OAAA,CAAQ,OAAO,CAAA;AACtC,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,oBAAA;AACxC,IAAA,IAAA,CAAK,iBAAA,GACH,QAAQ,iBAAA,IAAqB,2BAAA;AAC/B,IAAA,IAAA,CAAK,cAAc,OAAA,CAAQ,KAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,cAAA,GAAkC;AAChC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,IAAA,IAAI,KAAK,IAAA,IAAQ,GAAA,GAAM,IAAA,CAAK,WAAA,GAAc,KAAK,UAAA,EAAY;AACzD,MAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAAA,IACd;AAEA,IAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,MAAA,IAAA,CAAK,IAAA,GAAOA,uBAAA,CAAmB,IAAA,CAAK,OAAA,EAAS;AAAA;AAAA,QAE3C,GAAI,KAAK,WAAA,IAAe;AAAA,UACtB,iBAAC,MAAA,CAAO,GAAA,CAAI,OAAO,CAAC,GAAG,IAAA,CAAK;AAAA;AAC9B,OACD,CAAA;AACD,MAAA,IAAA,CAAK,WAAA,GAAc,GAAA;AAAA,IACrB;AAEA,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,GAAmB;AACjB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,EAAW,EAAG;AACtB,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,GAAA;AACrB,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,iBAAiB,IAAA,CAAK,iBAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,iBAAiB,GAAA,EAA4C;AAC3D,IAAA,IAAI,IAAA,CAAK,SAAQ,EAAG;AAElB,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAO,IAAI,sBAAA;AAAA,MACT,aAAA;AAAA,MACA,mBAAmB,GAAG,CAAA,2BAAA;AAAA,KACxB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AAAA,EAErB;AACF,CAAA;;;ACnHA,IAAM,2BAAA,GAA8B,EAAA;AACpC,IAAM,oBAAA,GAAuB,CAAC,OAAA,EAAS,OAAO,CAAA;AA0CvC,IAAM,uBAAN,MAA2B;AAAA,EACf,MAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EAEjB,YAAY,MAAA,EAAoC;AAC9C,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,cAAA,EAAgB,MAAA,CAAO,cAAA,IAAkB,EAAC;AAAA,MAC1C,UAAA,EAAY,MAAA,CAAO,UAAA,IAAc,CAAA,GAAI,EAAA,GAAK,GAAA;AAAA,MAC1C,iBAAA,EAAmB,MAAA,CAAO,iBAAA,IAAqB,EAAA,GAAK,GAAA;AAAA,MACpD,iBAAA,EACE,OAAO,iBAAA,IAAqB,2BAAA;AAAA,MAC9B,OAAO,MAAA,CAAO;AAAA,KAChB;AAEA,IAAA,IAAA,CAAK,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,QAAQ,IAC1C,MAAA,CAAO,QAAA,GACP,CAAC,MAAA,CAAO,QAAQ,CAAA;AAEpB,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,MAC/B,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,UAAA,EAAY,KAAK,MAAA,CAAO,UAAA;AAAA,MACxB,iBAAA,EAAmB,KAAK,MAAA,CAAO,iBAAA;AAAA,MAC/B,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAO,KAAA,EAAsC;AACjD,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,cAAA,CAAe,KAAA,EAAO,KAAK,CAAA;AAAA,IAC/C,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAM;AAAA,MACjC;AAGA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,OAAO,IAAI,sBAAA;AAAA,UACT,sBAAA;AAAA,UACA,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA;AAC5D,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,aAAa,KAAA,EAAoD;AACrE,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA;AACtC,IAAA,OAAO,MAAA,CAAO,OAAA,GAAU,MAAA,CAAO,MAAA,GAAS,IAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,WAAW,UAAA,EAAW;AAAA,EAC7B;AAAA,EAEA,MAAc,cAAA,CACZ,KAAA,EACA,OAAA,EACuB;AACvB,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,UAAA,CAAW,cAAA,EAAe;AAE5C,IAAA,IAAI;AAEF,MAAA,MAAM,EAAE,OAAA,EAAS,eAAA,KAAoB,MAAMC,cAAA,CAAU,OAAO,IAAA,EAAM;AAAA,QAChE,MAAA,EAAQ,KAAK,MAAA,CAAO,MAAA;AAAA,QACpB,UAAU,IAAA,CAAK,SAAA;AAAA,QACf,cAAA,EAAgB,KAAK,MAAA,CAAO,iBAAA;AAAA,QAC5B,UAAA,EAAY;AAAA,OACb,CAAA;AAGD,MAAA,MAAM,MAAM,eAAA,CAAgB,GAAA;AAC5B,MAAA,IAAI,CAAC,oBAAA,CAAqB,QAAA,CAAS,GAAG,CAAA,EAAG;AACvC,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,uBAAA;AAAA,UACA,0BAA0B,GAAG,CAAA,mBAAA,EAAsB,oBAAA,CAAqB,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,SACpF;AAAA,MACF;AAGA,MAAA,MAAM,UAAA,GAAa,OAAA;AACnB,MAAA,IACE,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,IAC1B,CAAC,MAAA,CAAO,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,IAC/B,UAAA,CAAW,GAAA,IAAO,CAAA,EAClB;AACA,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,gBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA;AAChD,MAAA,KAAA,MAAW,QAAA,IAAY,IAAA,CAAK,MAAA,CAAO,cAAA,EAAgB;AACjD,QAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,EAAG;AAC9B,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,eAAA;AAAA,YACA,2BAA2B,QAAQ,CAAA;AAAA,WACrC;AAAA,QACF;AAAA,MACF;AAGA,MAAA,MAAM,QAAA,GAAW,UAAA,CAAW,SAAA,IAAa,UAAA,CAAW,GAAA;AACpD,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,gBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAA8B;AAAA,QAClC,GAAA,EAAK,WAAW,GAAA,IAAO,EAAA;AAAA,QACvB,QAAA;AAAA,QACA,MAAA;AAAA,QACA,SAAA,EAAW,IAAI,IAAA,CAAK,UAAA,CAAW,MAAM,GAAI,CAAA;AAAA,QACzC,KAAK,UAAA,CAAW,GAAA;AAAA,QAChB,OAAA,EAAS;AAAA,OACX;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAA,EAAO;AAAA,IACjC,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAA,YAAiBC,YAAW,iBAAA,EAAmB;AAEjD,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,MAAM,GAAA,GAAM,IAAA,CAAK,UAAA,CAAW,KAAK,CAAA;AACjC,UAAA,MAAM,YAAA,GAAe,KAAK,UAAA,CAAW,gBAAA;AAAA,YACnC,GAAA,IAAO;AAAA,WACT;AACA,UAAA,IAAI,CAAC,YAAA,EAAc;AAEjB,YAAA,OAAO,IAAA,CAAK,cAAA,CAAe,KAAA,EAAO,IAAI,CAAA;AAAA,UACxC;AACA,UAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,YAAA,EAAa;AAAA,QAC/C;AAEA,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,aAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,UAAA,EAAY;AAC1C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,eAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,wBAAA,EAA0B;AACxD,QAAA,MAAM,UAAU,KAAA,CAAM,OAAA;AACtB,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,MAAM,QAAA,GAAW,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,OAAO,MAAM,CAAA,GAC7C,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,GAC9B,KAAK,MAAA,CAAO,MAAA;AAChB,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,gBAAA;AAAA,cACA,4BAA4B,QAAQ,CAAA;AAAA;AACtC,WACF;AAAA,QACF;AACA,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,kBAAA;AAAA,cACA,CAAA,kCAAA,EAAqC,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAChE,WACF;AAAA,QACF;AACA,QAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,OAAO,IAAI,sBAAA;AAAA,cACT,qBAAA;AAAA,cACA;AAAA;AACF,WACF;AAAA,QACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,8BAAA,EAAgC;AAC9D,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,mBAAA;AAAA,YACA;AAAA;AACF,SACF;AAAA,MACF;AAEA,MAAA,IAAI,KAAA,YAAiBA,YAAW,UAAA,EAAY;AAC1C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,OAAO,IAAI,sBAAA;AAAA,YACT,sBAAA;AAAA,YACA,CAAA,aAAA,EAAgB,MAAM,OAAO,CAAA;AAAA;AAC/B,SACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,IAAI,sBAAA;AAAA,QACR,sBAAA;AAAA,QACA,CAAA,qBAAA,EAAyB,MAAgB,OAAO,CAAA;AAAA,OAClD;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,YAAY,KAAA,EAAqC;AACvD,IAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,IAAA,OAAO,KAAA,CACJ,KAAA,CAAM,GAAG,CAAA,CACT,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,EAAM,CAAA,CACnB,MAAA,CAAO,OAAO,CAAA;AAAA,EACnB;AAAA,EAEQ,WAAW,KAAA,EAA8B;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASC,2BAAsB,KAAK,CAAA;AAC1C,MAAA,OAAO,OAAO,GAAA,IAAO,IAAA;AAAA,IACvB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;;;AC3SO,IAAM,cAAA,GAAN,MAAM,eAAA,CAAe;AAAA,EACT,UAAA,uBAAiB,GAAA,EAGhC;AAAA,EACe,YAAA,uBAAmB,GAAA,EAAoB;AAAA,EACvC,SAAA,uBAAgB,GAAA,EAAoB;AAAA,EACpC,eAAA;AAAA,EAEjB,OAAwB,gBAAA,GAAmB,EAAA,GAAK,EAAA,GAAK,GAAA;AAAA;AAAA,EACrD,OAAwB,mBAAA,GAAsB,CAAA,GAAI,EAAA,GAAK,GAAA;AAAA;AAAA,EAEvD,WAAA,GAAc;AACZ,IAAA,IAAA,CAAK,eAAA,GAAkB,WAAA;AAAA,MACrB,MAAM,KAAK,oBAAA,EAAqB;AAAA,MAChC,eAAA,CAAe;AAAA,KACjB;AAEA,IAAA,IAAI,IAAA,CAAK,gBAAgB,KAAA,EAAO;AAC9B,MAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,IAC7B;AAAA,EACF;AAAA,EAEA,aAAa,SAAA,EAA8D;AACzE,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,SAAS,CAAA;AAAA,EACtC;AAAA,EAEA,eAAA,CACE,SAAA,EACA,SAAA,EACA,SAAA,EACA,SAAA,EACM;AACN,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,SAAA,EAAW,SAAS,CAAA;AACxC,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,SAAA,EAAW,IAAA,CAAK,KAAK,CAAA;AAC3C,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,SAAA,EAAW,SAAS,CAAA;AAAA,IACzC;AAEA,IAAA,SAAA,CAAU,UAAU,MAAM;AACxB,MAAA,IAAA,CAAK,cAAc,SAAS,CAAA;AAC5B,MAAA,SAAA,EAAW,kBAAkB,SAAS,CAAA;AAAA,IACxC,CAAA;AAAA,EACF;AAAA,EAEA,aAAa,SAAA,EAAyB;AACpC,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,SAAS,CAAA,EAAG;AAClC,MAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,SAAA,EAAW,IAAA,CAAK,KAAK,CAAA;AAAA,IAC7C;AAAA,EACF;AAAA,EAEA,cAAc,SAAA,EAAyB;AACrC,IAAA,IAAA,CAAK,UAAA,CAAW,OAAO,SAAS,CAAA;AAChC,IAAA,IAAA,CAAK,YAAA,CAAa,OAAO,SAAS,CAAA;AAClC,IAAA,IAAA,CAAK,SAAA,CAAU,OAAO,SAAS,CAAA;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAiB,SAAA,EAA4B;AAC3C,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,SAAS,CAAA;AACxC,IAAA,OAAO,GAAA,KAAQ,MAAA,IAAa,IAAA,CAAK,GAAA,KAAQ,GAAA,IAAQ,GAAA;AAAA,EACnD;AAAA,EAEQ,oBAAA,GAA6B;AACnC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,QAAQ,KAAK,IAAA,CAAK,YAAA,CAAa,SAAQ,EAAG;AACzD,MAAA,IAAI,GAAA,GAAM,QAAA,GAAW,eAAA,CAAe,gBAAA,EAAkB;AACpD,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,GAAG,CAAA;AACzC,QAAA,IAAI,SAAA,EAAW;AACb,UAAA,KAAK,UAAU,KAAA,IAAQ;AAAA,QACzB;AACA,QAAA,IAAA,CAAK,cAAc,GAAG,CAAA;AAAA,MACxB;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAA,GAAgB;AACd,IAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAClC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,SAAS,KAAK,IAAA,CAAK,UAAA,CAAW,SAAQ,EAAG;AACxD,MAAA,KAAK,UAAU,KAAA,IAAQ;AACvB,MAAA,IAAA,CAAK,cAAc,GAAG,CAAA;AAAA,IACxB;AAAA,EACF;AACF,CAAA;;;ACnCA,IAAM,eAAA,GAAkB,yBAAA;AACxB,IAAM,qBAAA,GAAwB,KAAK,EAAA,GAAK,GAAA;AACxC,IAAM,4BAAA,GAA+B,GAAA;AACrC,IAAM,8BAAA,GAAiC,CAAA;AACvC,IAAM,mCAAmC,EAAA,GAAK,GAAA;AAE9C,IAAM,eAAe,MAAM;AACzB,EAAA,IAAI;AACF,IAAA,MAAM,UAAA,GAAaC,sBAAA,CAAc,2PAAe,CAAA;AAChD,IAAA,MAAM,GAAA,GAAM,WAAW,oBAAoB,CAAA;AAC3C,IAAA,OAAO,IAAI,OAAA,IAAW,SAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,SAAA;AAAA,EACT;AACF,CAAA,GAAG;AA0BI,IAAM,OAAA,GAAN,MAAM,QAAA,CAAQ;AAAA,EACnB,OAAwB,iBAAA,mBAAoB,IAAI,GAAA,EAAa;AAAA,EAC7D,OAAe,0BAAA,GAA6B,KAAA;AAAA,EAE3B,QAAA;AAAA,EACA,YAAA;AAAA,EACA,MAAA;AAAA,EACA,YAAA;AAAA;AAAA,EAGT,aAAA,GAAsC,IAAA;AAAA,EACtC,iBAAA,GAAoB,CAAA;AAAA,EACpB,eAAA,GAAiD,IAAA;AAAA;AAAA,EAGxC,eAAA,uBAAsB,GAAA,EAA8B;AAAA,EACpD,uBAAA,uBAA8B,GAAA,EAG7C;AAAA,EACe,gBAAA,uBAAuB,GAAA,EAAgC;AAAA,EACvD,kBAAA,uBAAyB,OAAA,EAGxC;AAAA,EACM,wBAAA,GAA2B,CAAA;AAAA;AAAA,EAG3B,YAAA,GAA8B,IAAA;AAAA,EAC9B,eAAA,GAAkB,CAAA;AAAA,EAClB,mBAAA,GAA8C,IAAA;AAAA;AAAA,EAGrC,eAAA,uBAAsB,GAAA,EAAoB;AAAA,EAC1C,yBAAA,uBAAgC,GAAA,EAAY;AAAA,EAE7D,YAAY,OAAA,EAAyB;AACnC,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,YAAA,GACH,OAAA,CAAQ,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AACtC,IAAA,IAAA,CAAK,UAAU,OAAA,CAAQ,MAAA,IAAU,eAAA,EAAiB,OAAA,CAAQ,OAAO,EAAE,CAAA;AACnE,IAAA,MAAM,kBAAkB,KAAA,CAAM,OAAA,CAAQ,QAAQ,WAAW,CAAA,GACrD,QAAQ,WAAA,GACR,OAAA,CAAQ,cACN,OAAA,CAAQ,WAAA,CAAY,MAAM,GAAG,CAAA,GAC7B,QAAQ,GAAA,CAAI,oBAAA,EAAsB,MAAM,GAAG,CAAA;AACjD,IAAA,IAAA,CAAK,eAAe,KAAA,CAAM,IAAA;AAAA,MACxB,IAAI,GAAA,CAAI,eAAA,EAAiB,GAAA,CAAI,CAAC,MAAA,KAAW,MAAA,CAAO,IAAA,EAAM,CAAA,CAAE,MAAA,CAAO,OAAO,CAAC;AAAA,KACzE;AAEA,IAAA,QAAA,CAAQ,iBAAA,CAAkB,IAAI,IAAI,CAAA;AAClC,IAAA,QAAA,CAAQ,sBAAA,EAAuB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAA,GAAyB;AAC7B,IAAA,MAAM,KAAK,qBAAA,EAAsB;AACjC,IAAA,QAAA,CAAQ,iBAAA,CAAkB,OAAO,IAAI,CAAA;AACrC,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAC3B,IAAA,IAAA,CAAK,wBAAwB,KAAA,EAAM;AACnC,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAA;AACrB,IAAA,IAAA,CAAK,iBAAA,GAAoB,CAAA;AACzB,IAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AACvB,IAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AACpB,IAAA,IAAA,CAAK,eAAA,GAAkB,CAAA;AACvB,IAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAC3B,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAC3B,IAAA,IAAA,CAAK,0BAA0B,KAAA,EAAM;AAAA,EACvC;AAAA,EAEA,OAAe,sBAAA,GAA+B;AAC5C,IAAA,IAAI,SAAQ,0BAAA,EAA4B;AAExC,IAAA,MAAM,aAAa,MAAM;AACvB,MAAA,KAAA,MAAW,QAAA,IAAY,SAAQ,iBAAA,EAAmB;AAChD,QAAA,KAAK,SAAS,qBAAA,EAAsB;AAAA,MACtC;AAAA,IACF,CAAA;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK,UAAU,UAAU,CAAA;AACjC,IAAA,OAAA,CAAQ,IAAA,CAAK,WAAW,UAAU,CAAA;AAClC,IAAA,QAAA,CAAQ,0BAAA,GAA6B,IAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiCA,UAAA,CAAW,QAA4B,OAAA,EAAqC;AAE1E,IAAA,MAAM,UAAA,GAAaA,sBAAA,CAAc,2PAAe,CAAA;AAChD,IAAA,MAAM,OAAA,GAAU,WAAW,SAAS,CAAA;AACpC,IAAA,MAAM,MAAA,GAAS,QAAQ,MAAA,EAAO;AAE9B,IAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,MAAA;AACpC,IAAA,MAAM,cAAA,GAAiB,IAAI,cAAA,EAAe;AAC1C,IAAA,MAAM,QAAA,GAAW,SAAS,mBAAA,IAAuB,KAAA;AAIjD,IAAA,MAAA,CAAO,GAAA,CAAI,CAAC,IAAA,EAAe,GAAA,EAAe,IAAA,KAAuB;AAC/D,MAAA,GAAA,CAAI,MAAA,CAAO,+BAA+B,GAAG,CAAA;AAC7C,MAAA,GAAA,CAAI,MAAA;AAAA,QACF,8BAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,GAAA,CAAI,MAAA,CAAO,iCAAiC,gBAAgB,CAAA;AAC5D,MAAA,GAAA,CAAI,MAAA,CAAO,gCAAgC,4BAA4B,CAAA;AACvE,MAAA,IAAI,IAAA,CAAK,WAAW,SAAA,EAAW;AAC7B,QAAA,GAAA,CAAI,WAAW,GAAG,CAAA;AAClB,QAAA;AAAA,MACF;AACA,MAAA,IAAA,EAAK;AAAA,IACP,CAAC,CAAA;AAED,IAAA,IAAI,QAAA,EAAU;AACZ,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OACF;AAGA,MAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,IAAA,CAAK,EAAE,OAAO,OAAA,EAAS,SAAA,IAAa,KAAA,EAAO,CAAC,CAAA;AACxE,MAAA,MAAMC,cAAa,IAAA,CAAK,gBAAA;AAAA,QACtB,MAAA;AAAA,QACA,cAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,MAAA,CAAO,IAAA,CAAK,OAAA,EAASA,WAAAA,CAAW,IAAI,CAAA;AACpC,MAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAASA,WAAAA,CAAW,GAAG,CAAA;AAClC,MAAA,MAAA,CAAO,MAAA,CAAO,OAAA,EAASA,WAAAA,CAAW,MAAM,CAAA;AAExC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,cAAA,GAAiB,OACrB,GAAA,KACgC;AAChC,MAAA,MAAM,WAAW,IAAA,CAAK,sBAAA;AAAA,QACpB,MAAM,KAAK,gBAAA,EAAiB;AAAA,QAC5B,OAAA,EAAS;AAAA,OACX;AACA,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,wBAAA,CAAyB,GAAA,EAAK,SAAS,OAAO,CAAA;AACjE,MAAA,OAAO,IAAA,CAAK,6BAAA;AAAA,QACV,QAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF,CAAA;AAKA,IAAA,MAAA,CAAO,GAAA,CAAI,OAAO,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACpE,MAAA,MAAM,IAAA,GAAO,GAAA,CAAI,IAAA,IAAQ,GAAA,CAAI,GAAA,IAAO,EAAA;AACpC,MAAA,MAAM,oBACJ,IAAA,CAAK,UAAA,CAAW,yCAAyC,CAAA,IACzD,IAAA,CAAK,WAAW,uCAAuC,CAAA;AAEzD,MAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,QAAA,IAAA,EAAK;AACL,QAAA;AAAA,MACF;AAEA,MAAA,IAAI;AACF,QAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,QAAA,WAAA,CAAY,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,MAC3C,SAAS,KAAA,EAAO;AACd,QAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AAAA,MAC1C;AAAA,IACF,CAAC,CAAA;AAGD,IAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,IAAA,CAAK,EAAE,OAAO,OAAA,EAAS,SAAA,IAAa,KAAA,EAAO,CAAC,CAAA;AAExE,IAAA,MAAM,aAAa,IAAA,CAAK,gBAAA;AAAA,MACtB,MAAA;AAAA,MACA,cAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAA,CAAO,IAAA,CAAK,OAAA,EAAS,UAAA,CAAW,IAAI,CAAA;AACpC,IAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,UAAA,CAAW,GAAG,CAAA;AAClC,IAAA,MAAA,CAAO,MAAA,CAAO,OAAA,EAAS,UAAA,CAAW,MAAM,CAAA;AAExC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,OAAA,CACJ,WAAA,EACA,KAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,wBAAwB,GAAG,CAAA;AAGhC,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAW,CAAA,EAAA,EAAK,KAAK,CAAA,CAAA;AACzC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,MAAA,IAAU,GAAA,GAAM,MAAA,CAAO,SAAA,EAAW;AAEpC,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,QAAQ,CAAA;AACpC,MAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AACzC,MAAA,OAAO,MAAA,CAAO,UAAA;AAAA,IAChB;AACA,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,QAAQ,CAAA;AAAA,IACtC;AAGA,IAAA,MAAM,cAAA,GAAsC;AAAA,MAC1C,QAAA,EAAU,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,aAAA,CAAA;AAAA,MACxB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,cAAc,IAAA,CAAK;AAAA,KACrB;AAEA,IAAA,IAAI,QAAA;AACJ,IAAA,IAAI;AACF,MAAA,QAAA,GAAW,MAAM,aAAA,CAAc,cAAA,EAAgB,KAAA,EAAO,WAAW,CAAA;AAAA,IACnE,SAAS,GAAA,EAAK;AAIZ,MAAA,IAAI,eAAe,UAAA,EAAY;AAC7B,QAAA,IACE,IAAI,SAAA,KAAc,sBAAA,IAClB,GAAA,CAAI,OAAA,CAAQ,SAAS,eAAe,CAAA,IACnC,GAAA,CAAI,OAAA,CAAQ,SAAS,SAAS,CAAA,IAAK,IAAI,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA,EACpE;AACA,UAAA,MAAM,aAAA,GACH,GAAA,CAAI,IAAA,CAAK,aAAA,IAA4B,WAAA;AACxC,UAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,eAAA;AAAA,YAC5B,KAAA;AAAA,YACA,aAAA;AAAA,YACA;AAAA,WACF;AACA,UAAA,MAAM,IAAI,mCAAmC,aAAA,EAAe;AAAA,YAC1D,eAAA,EAAiB,IAAI,IAAA,CAAK,eAAA;AAAA,YAC1B,UAAA;AAAA,YACA,SAAS,GAAA,CAAI;AAAA,WACd,CAAA;AAAA,QACH;AAAA,MACF;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAEA,IAAA,MAAM,UAAA,GAAoC;AAAA,MACxC,aAAa,QAAA,CAAS,YAAA;AAAA,MACtB,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB,eAAe,CAAA,EAAG,QAAA,CAAS,UAAU,CAAA,CAAA,EAAI,SAAS,YAAY,CAAA,CAAA;AAAA,MAC9D,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB;AAAA,KACF;AAGA,IAAA,IAAI,SAAS,UAAA,EAAY;AACvB,MAAA,MAAM,KAAA,GAAQ,KAAK,GAAA,CAAI,QAAA,CAAS,aAAa,EAAA,EAAI,CAAA,GAAI,EAAE,CAAA,GAAI,GAAA;AAC3D,MAAA,IAAI,QAAQ,CAAA,EAAG;AACb,QAAA,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,eAAA,EAAiB,4BAA4B,CAAA;AACtE,QAAA,IAAA,CAAK,eAAA,CAAgB,IAAI,QAAA,EAAU;AAAA,UACjC,UAAA;AAAA,UACA,WAAW,GAAA,GAAM;AAAA,SAClB,CAAA;AAAA,MACH;AAAA,IACF;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,kBAAA,CACJ,WAAA,EACA,KAAA,EACyC;AACzC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,gCAAgC,GAAG,CAAA;AAExC,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAW,CAAA,EAAA,EAAK,KAAK,CAAA,sBAAA,CAAA;AACzC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,uBAAA,CAAwB,GAAA,CAAI,QAAQ,CAAA;AACxD,IAAA,IAAI,MAAA,IAAU,GAAA,GAAM,MAAA,CAAO,SAAA,EAAW;AACpC,MAAA,IAAA,CAAK,uBAAA,CAAwB,OAAO,QAAQ,CAAA;AAC5C,MAAA,IAAA,CAAK,uBAAA,CAAwB,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AACjD,MAAA,OAAO,MAAA,CAAO,UAAA;AAAA,IAChB;AACA,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,CAAK,uBAAA,CAAwB,OAAO,QAAQ,CAAA;AAAA,IAC9C;AAEA,IAAA,MAAM,cAAA,GAAsC;AAAA,MAC1C,QAAA,EAAU,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,aAAA,CAAA;AAAA,MACxB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,cAAc,IAAA,CAAK;AAAA,KACrB;AAEA,IAAA,IAAI,kBAAA,GAAqB,KAAA;AACzB,IAAA,IAAI,CAAC,IAAA,CAAK,oBAAA,CAAqB,KAAK,CAAA,EAAG;AACrC,MAAA,IAAI;AACF,QAAA,MAAM,YAAY,MAAM,aAAA;AAAA,UACtB,cAAA;AAAA,UACA,KAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,kBAAA,GAAqB,SAAA,CAAU,YAAA;AAAA,MACjC,SAAS,GAAA,EAAK;AACZ,QAAA,MAAM,IAAI,UAAA;AAAA,UACR,8CAAA;AAAA,UACA,qCAAA;AAAA,UACA;AAAA,YACE,SAAA,EAAW,6BAAA;AAAA,YACX,kBACE,GAAA,YAAe,KAAA,GACX,IAAI,OAAA,GACJ,MAAA,CAAO,OAAO,eAAe;AAAA;AACrC,SACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,2BAAA;AAAA,MAC/B,WAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,MAAM,MAAM,KAAA;AAAA,MAChB,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,kBAAA,EAAqB,aAAa,CAAA,oBAAA,CAAA;AAAA,MAChD;AAAA,QACE,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,kBAAkB,CAAA,CAAA;AAAA,UAC3C,cAAA,EAAgB;AAAA,SAClB;AAAA,QACA,IAAA,EAAM;AAAA;AACR,KACF;AAEA,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,MAAA,MAAM,OAAA,GACJ,IAAA,IAAQ,IAAA,CAAK,IAAA,EAAK,CAAE,SAAS,CAAA,GACzB,IAAA,GACA,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,CAAA,4BAAA,CAAA;AAExB,MAAA,IACE,GAAA,CAAI,WAAW,GAAA,IACf,OAAA,CAAQ,aAAY,CAAE,QAAA,CAAS,sBAAsB,CAAA,EACrD;AACA,QAAA,MAAM,IAAI,mCAAmC,aAAA,EAAe;AAAA,UAC1D,eAAA,EAAiB,OAAO,WAAW,CAAA;AAAA,UACnC;AAAA,SACD,CAAA;AAAA,MACH;AAEA,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,iDAAiD,aAAa,CAAA,CAAA;AAAA,QAC9D,oCAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,4BAAA;AAAA,UACX,gBAAA,EAAkB;AAAA;AACpB,OACF;AAAA,IACF;AAEA,IAAA,MAAM,OAAA,GAAW,MAAM,GAAA,CAAI,IAAA,EAAK;AAKhC,IAAA,IACE,CAAC,OAAA,CAAQ,WAAA,IACT,OAAO,OAAA,CAAQ,WAAA,KAAgB,QAAA,IAC/B,KAAA,CAAM,OAAA,CAAQ,OAAA,CAAQ,WAAW,CAAA,EACjC;AACA,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,6CAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,cAAsC,EAAC;AAC7C,IAAA,KAAA,MAAW,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAA,CAAQ,OAAA,CAAQ,WAAW,CAAA,EAAG;AAC9D,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,WAAA,CAAY,GAAG,CAAA,GAAI,KAAA;AAAA,MACrB;AAAA,IACF;AAEA,IAAA,IAAI,MAAA,CAAO,IAAA,CAAK,WAAW,CAAA,CAAE,WAAW,CAAA,EAAG;AACzC,MAAA,MAAM,IAAI,mCAAmC,aAAA,EAAe;AAAA,QAC1D,eAAA,EAAiB,OAAO,WAAW,CAAA;AAAA,QACnC,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,QAAA,GAA2C;AAAA,MAC/C,WAAA;AAAA,MACA,aAAA,EAAe,QAAQ,aAAA,IAAiB,aAAA;AAAA,MACxC;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,cAAA;AAAA,MACH,IAAA,CAAK,uBAAA;AAAA,MACL;AAAA,KACF;AACA,IAAA,IAAA,CAAK,uBAAA,CAAwB,IAAI,QAAA,EAAU;AAAA,MACzC,UAAA,EAAY,QAAA;AAAA,MACZ,WAAW,GAAA,GAAM;AAAA,KAClB,CAAA;AAED,IAAA,OAAO,QAAA;AAAA,EACT;AAAA,EAEQ,mBAAA,GAAmC;AACzC,IAAA,uBAAO,IAAI,GAAA,CAAI,CAAC,CAAA,EAAG,IAAI,GAAA,CAAI,IAAA,CAAK,MAAM,CAAA,CAAE,MAAM,CAAA,IAAA,CAAA,EAAQ,aAAa,CAAC,CAAA;AAAA,EACtE;AAAA,EAEQ,qBAAqB,KAAA,EAAwB;AACnD,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,qBAAA,CAAsB,KAAK,CAAA;AAClD,IAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,MAAM,gBAAA,GAAmB,KAAK,mBAAA,EAAoB;AAClD,IAAA,OAAO,UAAU,IAAA,CAAK,CAAC,aAAa,gBAAA,CAAiB,GAAA,CAAI,QAAQ,CAAC,CAAA;AAAA,EACpE;AAAA,EAEQ,sBAAsB,KAAA,EAAyB;AACrD,IAAA,MAAM,GAAG,WAAW,CAAA,GAAI,KAAA,CAAM,MAAM,GAAG,CAAA;AACvC,IAAA,IAAI,CAAC,WAAA,EAAa,OAAO,EAAC;AAC1B,IAAA,IAAI;AACF,MAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,QACnB,OAAO,IAAA,CAAK,WAAA,EAAa,WAAW,CAAA,CAAE,SAAS,MAAM;AAAA,OACvD;AACA,MAAA,IAAI,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,EAAU;AACnC,QAAA,OAAO,CAAC,QAAQ,GAAG,CAAA;AAAA,MACrB;AACA,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC9B,QAAA,OAAO,QAAQ,GAAA,CAAI,MAAA;AAAA,UACjB,CAAC,KAAA,KAA2B,OAAO,KAAA,KAAU;AAAA,SAC/C;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,2BAAA,CACZ,WAAA,EACA,YAAA,EACiB;AACjB,IAAA,MAAM,GAAA,GAAM,OAAO,WAAW,CAAA;AAC9B,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA,EAAG;AACpB,MAAA,OAAO,GAAA;AAAA,IACT;AAEA,IAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,iBAAA,CAAA,EAAqB;AAAA,MACzD,OAAA,EAAS;AAAA,QACP,aAAA,EAAe,UAAU,YAAY,CAAA;AAAA;AACvC,KACD,CAAA;AACD,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,0CAAA;AAAA,QACA,mCAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,2BAAA;AAAA,UACX,gBAAA,EAAkB,IAAA,IAAQ,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,CAAA;AAAA;AAC9C,OACF;AAAA,IACF;AAEA,IAAA,MAAM,OAAA,GAAW,MAAM,GAAA,CAAI,IAAA,EAAK;AAGhC,IAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,OAAA,CAAQ,KAAK,CAAA,GAAI,OAAA,CAAQ,QAAQ,EAAC;AAC9D,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,IAAA,CAAK,CAAC,IAAA,KAAS,KAAK,EAAA,KAAO,GAAA,IAAO,IAAA,CAAK,IAAA,KAAS,GAAG,CAAA;AACvE,IAAA,MAAM,gBAAgB,KAAA,EAAO,EAAA;AAC7B,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,MAAM,IAAI,mCAAmC,GAAA,EAAK;AAAA,QAChD,eAAA,EAAiB,GAAA;AAAA,QACjB,OAAA,EAAS,eAAe,GAAG,CAAA,oCAAA;AAAA,OAC5B,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,aAAA;AAAA,EACT;AAAA,EAEQ,OAAO,KAAA,EAAwB;AACrC,IAAA,OAAO,4EAAA,CAA6E,IAAA;AAAA,MAClF;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAc,eAAA,CACZ,YAAA,EACA,aAAA,EACA,cAAA,EAC6B;AAC7B,IAAA,IAAI;AAEF,MAAA,MAAM,eAAe,MAAM,aAAA;AAAA,QACzB,cAAA;AAAA,QACA,YAAA;AAAA,QACA;AAAA,OACF;AAGA,MAAA,MAAM,OAAA,GAAU,CAAA,EAAG,IAAA,CAAK,MAAM,qBAAqB,aAAa,CAAA,WAAA,CAAA;AAChE,MAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,OAAA,EAAS;AAAA,QAC/B,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,CAAA,OAAA,EAAU,YAAA,CAAa,YAAY,CAAA,CAAA;AAAA,UAClD,cAAA,EAAgB;AAAA,SAClB;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,EAAE;AAAA,OACxB,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,CAAA,kDAAA,EAAqD,GAAA,CAAI,MAAM,CAAA,EAAA,EAAK,IAAI,CAAA;AAAA,SAC1E;AACA,QAAA,OAAO,KAAA,CAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAM7B,MAAA,OAAO,IAAA,CAAK,cAAc,IAAA,CAAK,gBAAA;AAAA,IACjC,SAAS,GAAA,EAAK;AAIZ,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,CAAA,iCAAA,CAAA;AAAA,QACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,OACjD;AACA,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,gBAAA,GAA2C;AACvD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IACE,IAAA,CAAK,aAAA,IACL,GAAA,GAAM,IAAA,CAAK,oBAAoB,qBAAA,EAC/B;AACA,MAAA,OAAO,IAAA,CAAK,aAAA;AAAA,IACd;AAEA,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,OAAO,IAAA,CAAK,eAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,kBAAA,EAAmB;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,eAAA;AAC5B,MAAA,IAAA,CAAK,aAAA,GAAgB,QAAA;AACrB,MAAA,IAAA,CAAK,iBAAA,GAAoB,KAAK,GAAA,EAAI;AAClC,MAAA,OAAO,QAAA;AAAA,IACT,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AAAA,IACzB;AAAA,EACF;AAAA,EAEQ,sBAAA,CACN,UACA,iBAAA,EACe;AACf,IAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,MAAA,OAAO,QAAA;AAAA,IACT;AAGA,IAAA,OAAO,iBAAA,CAAkB,IAAA,CAAK,kBAAA,CAAmB,QAAQ,CAAC,CAAA;AAAA,EAC5D;AAAA,EAEQ,mBAAmB,QAAA,EAAwC;AACjE,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAc,kBAAA,GAA6C;AAEzD,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,CAAA,EAAG,KAAK,MAAM,CAAA,uCAAA,CAAA;AAAA,MACd,CAAA,EAAG,KAAK,MAAM,CAAA,iCAAA;AAAA,KAChB;AAEA,IAAA,IAAI,SAAA;AACJ,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,IAAI;AACF,QAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAG,CAAA;AAC3B,QAAA,IAAI,IAAI,EAAA,EAAI;AACV,UAAA,OAAQ,MAAM,IAAI,IAAA,EAAK;AAAA,QACzB;AAAA,MACF,SAAS,GAAA,EAAK;AACZ,QAAA,SAAA,GAAY,eAAe,KAAA,GAAQ,GAAA,GAAM,IAAI,KAAA,CAAM,MAAA,CAAO,GAAG,CAAC,CAAA;AAAA,MAChE;AAAA,IACF;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,oCAAoC,IAAA,CAAK,MAAM,CAAA,EAAA,EAAK,SAAA,EAAW,WAAW,eAAe,CAAA;AAAA,KAC3F;AAAA,EACF;AAAA,EAEQ,wBAAA,CACN,GAAA,EACA,OAAA,EACA,OAAA,EACK;AACL,IAAA,IAAI,SAAS,iBAAA,EAAmB;AAC9B,MAAA,OAAO,IAAI,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA;AAAA,IAC1C;AACA,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,GAAA,CAAI,MAAM,CAAA;AAC3B,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,OAAO,IAAI,IAAI,CAAA,EAAG,GAAA,CAAI,QAAQ,CAAA,GAAA,EAAM,IAAI,CAAA,EAAG,OAAO,CAAA,CAAE,CAAA;AAAA,EACtD;AAAA,EAEQ,6BAAA,CACN,QAAA,EACA,KAAA,EACA,cAAA,EACoB;AACpB,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,sBAAA,CAAuB,KAAA,EAAO,cAAc,CAAA;AAC7D,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,GAAG,CAAA;AAC5C,IAAA,IAAI,MAAA,EAAQ;AAEV,MAAA,IAAA,CAAK,gBAAA,CAAiB,OAAO,GAAG,CAAA;AAChC,MAAA,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,GAAA,EAAK,MAAM,CAAA;AACrC,MAAA,OAAO,MAAA;AAAA,IACT;AAIA,IAAA,MAAM,eAAA,GAAkB,EAAE,GAAG,QAAA,EAAU,QAAQ,CAAA,EAAG,KAAA,CAAM,MAAM,CAAA,CAAA,CAAA,EAAI;AAClE,IAAA,MAAM,iBAAiBC,+BAAA,CAAsB;AAAA,MAC3C,aAAA,EAAe,eAAA;AAAA,MACf,iBAAA,EAAmB;AAAA,KACpB,CAAA;AACD,IAAA,MAAM,mBAAA,GAAsBC,+CAAqC,KAAK,CAAA;AACtE,IAAA,MAAM,QAAA,GACJ,cAAA,IAAkB,IAAA,CAAK,mBAAA,CAAoB,UAAU,KAAK,CAAA;AAC5D,IAAA,MAAM,WAAA,GAAkC;AAAA,MACtC,cAAA;AAAA,MACA,YAAYC,+BAAA,CAAkB;AAAA,QAC5B,QAAA;AAAA,QACA;AAAA,OACD;AAAA,KACH;AAEA,IAAA,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,gBAAA,EAAkB,8BAA8B,CAAA;AACzE,IAAA,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,GAAA,EAAK,WAAW,CAAA;AAC1C,IAAA,OAAO,WAAA;AAAA,EACT;AAAA,EAEQ,sBAAA,CACN,OACA,cAAA,EACQ;AACR,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,OAAO,CAAA,EAAG,MAAM,IAAI,CAAA,SAAA,CAAA;AAAA,IACtB;AAEA,IAAA,IAAI,UAAA,GAAa,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,cAAc,CAAA;AAC3D,IAAA,IAAI,eAAe,MAAA,EAAW;AAC5B,MAAA,UAAA,GAAa,EAAE,IAAA,CAAK,wBAAA;AACpB,MAAA,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,cAAA,EAAgB,UAAU,CAAA;AAAA,IACxD;AAEA,IAAA,OAAO,CAAA,EAAG,KAAA,CAAM,IAAI,CAAA,SAAA,EAAY,UAAU,CAAA,CAAA;AAAA,EAC5C;AAAA,EAEQ,wBAAA,CAAyB,KAAe,KAAA,EAAsB;AACpE,IAAA,MAAM,UAAU,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU,OAAO,KAAK,CAAA;AACrE,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,uCAAA,EAA0C,OAAO,CAAA,CAAE,CAAA;AACjE,IAAA,IAAI,IAAI,WAAA,EAAa;AACrB,IAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,qBAAA;AAAA,MACP,iBAAA,EACE;AAAA,KACH,CAAA;AAAA,EACH;AAAA,EAEQ,wBAAwB,GAAA,EAAmB;AACjD,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,eAAA,CAAgB,SAAQ,EAAG;AACzD,MAAA,IAAI,KAAA,CAAM,aAAa,GAAA,EAAK;AAC1B,QAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,GAAG,CAAA;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,gCAAgC,GAAA,EAAmB;AACzD,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,uBAAA,CAAwB,SAAQ,EAAG;AACjE,MAAA,IAAI,KAAA,CAAM,aAAa,GAAA,EAAK;AAC1B,QAAA,IAAA,CAAK,uBAAA,CAAwB,OAAO,GAAG,CAAA;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,cAAA,CAAkB,OAAuB,UAAA,EAA0B;AACzE,IAAA,OAAO,KAAA,CAAM,QAAQ,UAAA,EAAY;AAC/B,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,IAAA,EAAK,CAAE,MAAK,CAAE,KAAA;AACtC,MAAA,IAAI,CAAC,SAAA,EAAW;AAChB,MAAA,KAAA,CAAM,OAAO,SAAS,CAAA;AAAA,IACxB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMQ,mBAAA,CACN,UACA,WAAA,EACoB;AACpB,IAAA,MAAM,WAAA,GAAc,QAAA;AACpB,IAAA,MAAM,OAAA,GACH,WAAA,CAAY,QAAA,IACb,CAAA,EAAG,KAAK,MAAM,CAAA,sBAAA,CAAA;AAChB,IAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAEtB,IAAA,MAAM,UAAU,KAAA,CAAM,IAAA;AAAA,MACpB,IAAI,GAAA;AAAA,QACF,CAAC,QAAA,CAAS,MAAA,EAAQ,GAAG,IAAA,CAAK,YAAY,CAAA,CAAE,MAAA;AAAA,UACtC,CAACC,OAAAA,KAA6B,OAAOA,OAAAA,KAAW,QAAA,IAAY,CAAC,CAACA;AAAA;AAChE;AACF,KACF;AACA,IAAA,IAAI,CAAC,QAAQ,MAAA,EAAQ;AACnB,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AACA,IAAA,MAAM,SACJ,OAAA,CAAQ,MAAA,KAAW,CAAA,GAAI,OAAA,CAAQ,CAAC,CAAA,GAAK,OAAA;AAEvC,IAAA,MAAM,QAAA,GAAW,IAAI,oBAAA,CAAqB;AAAA,MACxC,OAAA,EAAS,OAAA;AAAA,MACT,MAAA;AAAA,MACA,UAAU,WAAA,CAAY;AAAA,KACvB,CAAA;AAED,IAAA,OAAO;AAAA,MACL,MAAM,kBAAkB,KAAA,EAAkC;AACxD,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,MAAA,CAAO,KAAK,CAAA;AAE1C,QAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,UAAA,MAAM,IAAIC,2BAAA;AAAA,YACR,CAAA,2BAAA,EAA8B,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA;AAAA,WACpD;AAAA,QACF;AAEA,QAAA,MAAM,EAAE,QAAO,GAAI,MAAA;AACnB,QAAA,MAAM,UAAU,MAAA,CAAO,OAAA;AACvB,QAAA,MAAM,GAAA,GAAO,OAAA,CAAQ,GAAA,IAA+C,EAAC;AAErE,QAAA,OAAO;AAAA,UACL,KAAA;AAAA,UACA,QAAA,EAAU,OAAO,QAAA,IAAY,QAAA;AAAA,UAC7B,QAAQ,MAAA,CAAO,MAAA;AAAA,UACf,WAAW,IAAA,CAAK,KAAA,CAAM,OAAO,SAAA,CAAU,OAAA,KAAY,GAAI,CAAA;AAAA,UACvD,KAAA,EAAO;AAAA,YACL,GAAG,GAAA;AAAA,YACH,KAAK,MAAA,CAAO,GAAA;AAAA,YACZ,KAAA,EAAO,OAAA,CAAQ,KAAA,IAAS,GAAA,CAAI;AAAA;AAC9B,SACF;AAAA,MACF;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,eAAA,GAAmC;AAC/C,IAAA,IAAI,KAAK,YAAA,IAAgB,IAAA,CAAK,KAAI,GAAI,IAAA,CAAK,kBAAkB,GAAA,EAAQ;AACnE,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd;AAEA,IAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,MAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,uBAAuB,YAAY;AACtC,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,aAAA,CAAA,EAAiB;AAAA,QACrD,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,mCAAA;AAAA,UAChB,aAAA,EAAe,CAAA,MAAA,EAAS,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,QAAA,GAAW,GAAA,GAAM,IAAA,CAAK,YAAY,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAC,CAAA;AAAA,SACjG;AAAA,QACA,IAAA,EAAM;AAAA,OACP,CAAA;AACD,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,MAAM,OAAO,MAAM,GAAA,CAAI,MAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAA;AAC5C,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,0DAAA,EAA6D,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA;AAAA,SACjF;AAAA,MACF;AACA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAI7B,MAAA,IAAA,CAAK,eAAe,IAAA,CAAK,YAAA;AACzB,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA,CAAK,GAAA,EAAI,GAAI,KAAK,UAAA,GAAa,GAAA;AACtD,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd,CAAA,GAAG;AAEH,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,mBAAA;AAAA,IACpB,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAAA,IAC7B;AAAA,EACF;AAAA,EAEQ,YACN,KAAA,EAKM;AACN,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,MAAM,SAAA,EAAW;AAC5C,IAAA,IAAA,CAAK,iBAAgB,CAClB,IAAA;AAAA,MAAK,CAAC,KAAA,KACL,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,kBAAA,CAAA,EAAsB;AAAA,QACxC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA,SAChC;AAAA,QACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,UACnB,GAAG,KAAA;AAAA,UACH,SAAS,IAAA,CAAK,QAAA;AAAA,UACd,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,aAAA,EAAe;AAAA,SAChB;AAAA,OACF,CAAA,CAAE,IAAA,CAAK,CAAC,GAAA,KAAQ;AACf,QAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,UAAA,OAAA,CAAQ,IAAA;AAAA,YACN,CAAA,8CAAA,EAAiD,IAAI,MAAM,CAAA;AAAA,WAC7D;AAAA,QACF;AAAA,MACF,CAAC;AAAA,KACH,CACC,KAAA,CAAM,CAAC,GAAA,KAAQ;AACd,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,CAAA,0BAAA,CAAA;AAAA,QACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,OACjD;AAAA,IACF,CAAC,CAAA;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAMQ,kBAAA,CACN,SAAA,EACA,YAAA,EACA,QAAA,EAMM;AACN,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,CAAC,SAAA,EAAW;AACtC,IAAA,MAAM,eAAA,GAAkBC,oBAAW,QAAQ,CAAA,CACxC,OAAO,SAAS,CAAA,CAChB,OAAO,KAAK,CAAA;AAEf,IAAA,IAAA,CAAK,iBAAgB,CAClB,IAAA;AAAA,MAAK,CAAC,KAAA,KACL,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,sBAAA,CAAA,EAA0B;AAAA,QAC5C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA,SAChC;AAAA,QACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,UACnB,eAAA;AAAA,UACA,eAAA,EAAiB,YAAA;AAAA,UACjB,UAAU,QAAA,EAAU,QAAA;AAAA,UACpB,WAAW,QAAA,EAAU,SAAA;AAAA,UACrB,YAAY,QAAA,EAAU,UAAA;AAAA,UACtB,cAAA,EAAgB,QAAA,EAAU,cAAA,GACtB,IAAI,IAAA,CAAK,SAAS,cAAA,GAAiB,GAAI,CAAA,CAAE,WAAA,EAAY,GACrD;AAAA,SACL;AAAA,OACF,CAAA,CAAE,IAAA,CAAK,OAAO,GAAA,KAAQ;AACrB,QAAA,IAAI,IAAI,EAAA,EAAI;AACV,UAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAI7B,UAAA,IAAI,IAAA,CAAK,yBAAA,CAA0B,MAAA,CAAO,YAAY,CAAA,EAAG;AACvD,YAAA,IAAA,CAAK,sCAAA;AAAA,cACH,IAAA,CAAK,SAAA;AAAA,cACL;AAAA,aACF;AACA,YAAA;AAAA,UACF;AAEA,UAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,YAAA,EAAc,IAAA,CAAK,SAAS,CAAA;AAAA,QACvD,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,yBAAA,CAA0B,OAAO,YAAY,CAAA;AAClD,UAAA,OAAA,CAAQ,IAAA;AAAA,YACN,CAAA,uCAAA,EAA0C,IAAI,MAAM,CAAA;AAAA,WACtD;AAAA,QACF;AAAA,MACF,CAAC;AAAA,KACH,CACC,KAAA,CAAM,CAAC,GAAA,KAAQ;AACd,MAAA,IAAA,CAAK,yBAAA,CAA0B,OAAO,YAAY,CAAA;AAClD,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,CAAA,yBAAA,CAAA;AAAA,QACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,OACjD;AAAA,IACF,CAAC,CAAA;AAAA,EACL;AAAA,EAEQ,sCAAA,CACN,gBACA,YAAA,EACM;AACN,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AAExB,IAAA,MAAM,eAAe,YAAA,GACjB,OAAA,CAAQ,QAAQ,YAAY,CAAA,GAC5B,KAAK,eAAA,EAAgB;AAEzB,IAAA,YAAA,CACG,IAAA;AAAA,MAAK,CAAC,KAAA,KACL,KAAA;AAAA,QACE,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,uBAAA,EAA0B,cAAc,CAAA,WAAA,CAAA;AAAA,QACtD;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,KAAK,CAAA,CAAA;AAAG;AAC9C;AACF,KACF,CACC,MAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EACnB;AAAA,EAEQ,uBAAuB,YAAA,EAA4B;AACzD,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AAExB,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,YAAY,CAAA;AAC5D,IAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,YAAY,CAAA;AACxC,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,IAAA,CAAK,yBAAA,CAA0B,IAAI,YAAY,CAAA;AAC/C,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,yBAAA,CAA0B,OAAO,YAAY,CAAA;AAClD,IAAA,IAAA,CAAK,uCAAuC,cAAc,CAAA;AAAA,EAC5D;AAAA,EAEA,MAAc,qBAAA,GAAuC;AACnD,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACxB,IAAA,IAAI,IAAA,CAAK,eAAA,CAAgB,IAAA,KAAS,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,0BAA0B,KAAA,EAAM;AACrC,MAAA;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,eAAA,EAAgB;AACzC,MAAA,MAAM,OAAA,CAAQ,UAAA;AAAA,QACZ,CAAC,GAAG,IAAA,CAAK,eAAA,CAAgB,MAAA,EAAQ,CAAA,CAAE,GAAA;AAAA,UAAI,CAAC,cAAA,KACtC,KAAA;AAAA,YACE,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,uBAAA,EAA0B,cAAc,CAAA,WAAA,CAAA;AAAA,YACtD;AAAA,cACE,MAAA,EAAQ,MAAA;AAAA,cACR,OAAA,EAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,KAAK,CAAA,CAAA;AAAG;AAC9C;AACF;AACF,OACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAC3B,IAAA,IAAA,CAAK,0BAA0B,KAAA,EAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,aAAA,CACZ,UAAA,EACA,GAAA,EACA,GAAA,EACe;AACf,IAAA,MAAM,IAAI,OAAA,CAAc,CAAC,OAAA,EAAS,MAAA,KAAW;AAC3C,MAAA,IAAI,OAAA,GAAU,KAAA;AACd,MAAA,IAAI,UAAA,GAAa,KAAA;AAEjB,MAAA,MAAM,UAAU,MAAM;AACpB,QAAA,GAAA,CAAI,cAAA,CAAe,UAAU,cAAc,CAAA;AAC3C,QAAA,GAAA,CAAI,cAAA,CAAe,SAAS,cAAc,CAAA;AAAA,MAC5C,CAAA;AAEA,MAAA,MAAM,gBAAgB,MAAM;AAC1B,QAAA,IAAI,OAAA,EAAS;AACb,QAAA,OAAA,GAAU,IAAA;AACV,QAAA,OAAA,EAAQ;AACR,QAAA,OAAA,EAAQ;AAAA,MACV,CAAA;AAEA,MAAA,MAAM,YAAA,GAAe,CAAC,GAAA,KAAiB;AACrC,QAAA,IAAI,OAAA,EAAS;AACb,QAAA,OAAA,GAAU,IAAA;AACV,QAAA,OAAA,EAAQ;AACR,QAAA,MAAA,CAAO,GAAA,YAAe,QAAQ,GAAA,GAAM,IAAI,MAAM,MAAA,CAAO,GAAG,CAAC,CAAC,CAAA;AAAA,MAC5D,CAAA;AAEA,MAAA,MAAM,iBAAiB,MAAM;AAG3B,QAAA,aAAA,EAAc;AAAA,MAChB,CAAA;AAEA,MAAA,GAAA,CAAI,IAAA,CAAK,UAAU,cAAc,CAAA;AACjC,MAAA,GAAA,CAAI,IAAA,CAAK,SAAS,cAAc,CAAA;AAEhC,MAAA,IAAI,gBAAA;AACJ,MAAA,IAAI;AACF,QAAA,gBAAA,GAAmB,UAAA,CAAW,GAAA,EAAK,GAAA,EAAK,CAAC,GAAA,KAAkB;AACzD,UAAA,UAAA,GAAa,IAAA;AACb,UAAA,IAAI,GAAA,EAAK;AACP,YAAA,YAAA,CAAa,GAAG,CAAA;AAChB,YAAA;AAAA,UACF;AACA,UAAA,aAAA,EAAc;AAAA,QAChB,CAAC,CAAA;AAAA,MACH,SAAS,GAAA,EAAK;AACZ,QAAA,YAAA,CAAa,GAAG,CAAA;AAChB,QAAA;AAAA,MACF;AAEA,MAAA,KAAK,OAAA,CAAQ,OAAA,CAAQ,gBAAgB,CAAA,CAAE,IAAA;AAAA,QACrC,MAAM;AACJ,UAAA,IAAI,CAAC,UAAA,IAAc,GAAA,CAAI,WAAA,EAAa;AAClC,YAAA,aAAA,EAAc;AAAA,UAChB;AAAA,QACF,CAAA;AAAA,QACA,CAAC,GAAA,KAAiB;AAChB,UAAA,YAAA,CAAa,GAAG,CAAA;AAAA,QAClB;AAAA,OACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,gBAAA,CACN,MAAA,EACA,cAAA,EACA,cAAA,EACA,OAAA,EACA;AACA,IAAA,MAAM,SAAA,GAA8B;AAAA,MAClC,eAAA,EAAiB,CAAC,SAAA,KAAsB;AACtC,QAAA,OAAA,EAAS,kBAAkB,SAAS,CAAA;AACpC,QAAA,IAAA,CAAK,uBAAuB,SAAS,CAAA;AAAA,MACvC;AAAA,KACF;AAEA,IAAA,MAAM,IAAA,GAAO,OAAO,GAAA,EAAc,GAAA,KAAkB;AAClD,MAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,MAAA,MAAM,OAAA,GAAU,GAAA;AAIhB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,IAAI,UAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,UAAA,UAAA,GAAa,WAAA,CAAY,UAAA;AAAA,QAC3B,SAAS,KAAA,EAAO;AACd,UAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AACxC,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,GAAA,EAAK,GAAG,CAAA;AAE7C,QAAA,MAAMC,UAAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA;AAK9C,QAAA,IAAIA,UAAAA,EAAW;AACb,UAAA,IAAI,IAAI,WAAA,EAAa;AACnB,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,YAAA;AAAA,cACX,OAAA;AAAA,cACA,SAAA,EAAAA,UAAAA;AAAA,cACA,UAAA,EAAY,CAAA;AAAA,cACZ,MAAA,EAAQ;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACF;AAEA,UAAA,IAAI,QAAQ,IAAA,EAAM;AAChB,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,SAAA;AAAA,cACX,OAAA;AAAA,cACA,WAAA,EAAa,OAAA,CAAQ,IAAA,CAAK,KAAA,EAAO,GAAA;AAAA,cACjC,SAAA,EAAAA,UAAAA;AAAA,cACA,UAAA,EAAY,CAAA;AAAA,cACZ,MAAA,EAAQ;AAAA,aACT,CAAA;AAAA,UACH;AAAA,QACF,CAAA,MAAA,IAAW,IAAI,WAAA,EAAa;AAE1B,UAAA;AAAA,QACF;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA;AAG9C,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAMC,UAAAA,GAAY,cAAA,CAAe,YAAA,CAAa,SAAS,CAAA;AACvD,QAAA,IAAIA,UAAAA,EAAW;AACb,UAAA,cAAA,CAAe,aAAa,SAAS,CAAA;AACrC,UAAA,MAAMA,UAAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,IAAI,IAAI,CAAA;AAChD,UAAA;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,CAACC,4BAAA,CAAoB,GAAA,CAAI,IAAI,CAAA,EAAG;AAClC,QAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,UACnB,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,KAAA;AAAA,YACN,OAAA,EAAS,SAAA,GACL,CAAA,QAAA,EAAW,SAAS,CAAA,UAAA,CAAA,GACpB;AAAA,WACN;AAAA,UACA,EAAA,EAAI;AAAA,SACL,CAAA;AACD,QAAA;AAAA,MACF;AAGA,MAAA,MAAM,WAAW,OAAA,CAAQ,IAAA;AACzB,MAAA,MAAM,SAAA,GAAY,IAAIC,+CAAA,CAA8B;AAAA,QAClD,kBAAA,EAAoB,MAAM,MAAA,CAAO,UAAA,EAAW;AAAA,QAC5C,oBAAA,EAAsB,CAAC,GAAA,KAAgB;AACrC,UAAA,cAAA,CAAe,eAAA;AAAA,YACb,GAAA;AAAA,YACA,SAAA;AAAA,YACA,SAAA;AAAA,YACA,QAAA,EAAU;AAAA,WACZ;AACA,UAAA,OAAA,EAAS,oBAAA,GAAuB,GAAA,EAAK,QAAA,EAAU,SAAS,CAAA;AACxD,UAAA,IAAA,CAAK,WAAA,CAAY;AAAA,YACf,SAAA,EAAW,YAAA;AAAA,YACX,OAAA;AAAA,YACA,SAAA,EAAW,GAAA;AAAA,YACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,YAC9B,UAAA,EAAY,CAAA;AAAA,YACZ,MAAA,EAAQ;AAAA,WACT,CAAA;AACD,UAAA,IAAA,CAAK,kBAAA,CAAmB,QAAA,EAAU,KAAA,EAAO,GAAA,EAAK;AAAA,YAC5C,QAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA;AAAA,YACvC,SAAA,EAAW,GAAA,CAAI,OAAA,CAAQ,YAAY,CAAA;AAAA,YACnC,gBAAgB,QAAA,EAAU;AAAA,WAC3B,CAAA;AAAA,QACH;AAAA,OACD,CAAA;AAGD,MAAA,MAAM,cAAA,GAAiB,SAAA,CAAU,aAAA,CAAc,IAAA,CAAK,SAAS,CAAA;AAC7D,MAAA,SAAA,CAAU,aAAA,GAAgB,OACxB,UAAA,EACA,UAAA,EACA,UAAA,KACG;AACH,QAAA,MAAM,UAAA,GAAa,UAAA,KAAe,GAAA,GAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AACpE,QAAA,MAAM,GAAA,GACH,UAAA,CAAW,OAAA,CAAQ,gBAAgB,KACpC,SAAA,CAAU,SAAA;AACZ,QAAA,MAAM,KAAA,GAAQ,KAAK,GAAA,EAAI;AACvB,QAAA,IAAI;AACF,UAAA,MAAM,cAAA,CAAe,UAAA,EAAY,UAAA,EAAY,UAAU,CAAA;AACvD,UAAA,IAAI,UAAA,EAAY,WAAW,YAAA,EAAc;AACvC,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,QAAA,EACE,WAAW,MAAA,EACV,IAAA;AAAA,cACH,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ,IAAA;AAAA,cACR,aAAa,UAAA,CAAW;AAAA,aACzB,CAAA;AAAA,UACH,CAAA,MAAA,IAAW,UAAA,EAAY,MAAA,KAAW,YAAA,EAAc;AAC9C,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ;AAAA,aACT,CAAA;AAAA,UACH;AAAA,QACF,SAAS,GAAA,EAAK;AACZ,UAAA,IAAI,UAAA,EAAY,WAAW,YAAA,EAAc;AACvC,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,QAAA,EACE,WAAW,MAAA,EACV,IAAA;AAAA,cACH,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ,cAAA;AAAA,cACR,cAAc,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,aAC9D,CAAA;AAAA,UACH,CAAA,MAAA,IAAW,UAAA,EAAY,MAAA,KAAW,YAAA,EAAc;AAC9C,YAAA,IAAA,CAAK,WAAA,CAAY;AAAA,cACf,SAAA,EAAW,cAAA;AAAA,cACX,OAAA,EAAS,UAAA;AAAA,cACT,UAAA,EAAY,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA;AAAA,cACzB,SAAA,EAAW,GAAA;AAAA,cACX,WAAA,EAAa,UAAU,KAAA,EAAO,GAAA;AAAA,cAC9B,MAAA,EAAQ,cAAA;AAAA,cACR,cAAc,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG;AAAA,aAC9D,CAAA;AAAA,UACH;AACA,UAAA,MAAM,GAAA;AAAA,QACR;AAAA,MACF,CAAA;AAEA,MAAA,MAAM,SAAA,GAAY,OAAO,MAAA,KAAW,UAAA,GAAa,QAAO,GAAI,MAAA;AAC5D,MAAA,MAAM,SAAA,CAAU,QAAQ,SAAS,CAAA;AACjC,MAAA,MAAM,SAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,IAAI,IAAI,CAAA;AAAA,IAClD,CAAA;AAEA,IAAA,MAAM,GAAA,GAAM,OAAO,GAAA,EAAc,GAAA,KAAkB;AACjD,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,IAAI,UAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,UAAA,UAAA,GAAa,WAAA,CAAY,UAAA;AAAA,QAC3B,SAAS,KAAA,EAAO;AACd,UAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AACxC,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,GAAA,EAAK,GAAG,CAAA;AAC7C,QAAA,IAAI,IAAI,WAAA,EAAa;AACnB,UAAA;AAAA,QACF;AAAA,MACF;AAEA,MAAA,MAAM,YACH,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA,IAC5B,GAAA,CAAI,QAAQ,gBAAgB,CAAA;AAC/B,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,iCAAiC,CAAA;AAC/D,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,cAAA,CAAe,YAAA,CAAa,SAAS,CAAA;AACvD,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,qBAAqB,CAAA;AACnD,QAAA;AAAA,MACF;AAEA,MAAA,cAAA,CAAe,aAAa,SAAS,CAAA;AACrC,MAAA,MAAM,SAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IACxC,CAAA;AAEA,IAAA,MAAM,GAAA,GAAM,OAAO,GAAA,EAAc,GAAA,KAAkB;AACjD,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,IAAI,UAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,cAAA,CAAe,GAAG,CAAA;AAC5C,UAAA,UAAA,GAAa,WAAA,CAAY,UAAA;AAAA,QAC3B,SAAS,KAAA,EAAO;AACd,UAAA,IAAA,CAAK,wBAAA,CAAyB,KAAK,KAAK,CAAA;AACxC,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,GAAA,EAAK,GAAG,CAAA;AAC7C,QAAA,IAAI,IAAI,WAAA,EAAa;AACnB,UAAA;AAAA,QACF;AAAA,MACF;AAEA,MAAA,MAAM,YACH,GAAA,CAAI,OAAA,CAAQ,gBAAgB,CAAA,IAC5B,GAAA,CAAI,QAAQ,gBAAgB,CAAA;AAC/B,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,iCAAiC,CAAA;AAC/D,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,cAAA,CAAe,YAAA,CAAa,SAAS,CAAA;AACvD,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,qBAAqB,CAAA;AACnD,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,CAAU,aAAA,CAAc,GAAA,EAAK,GAAG,CAAA;AAAA,IACxC,CAAA;AAEA,IAAA,OAAO,EAAE,IAAA,EAAM,GAAA,EAAK,MAAA,EAAQ,GAAA,EAAI;AAAA,EAClC;AACF","file":"index.cjs","sourcesContent":["/**\n * Core types for the Kontext SDK\n * These mirror the API DTOs for type-safe interactions\n */\n\n// ============================================================================\n// Applications\n// ============================================================================\n\nexport interface Application {\n id: string;\n name: string;\n canModify?: boolean;\n activeSessionCount?: number;\n idleSessionCount?: number;\n liveSessionCount?: number;\n totalSessionCount?: number;\n oauth?: ApplicationOAuth;\n archivedAt?: string;\n createdAt: string;\n updatedAt: string;\n}\n\nexport interface ApplicationOAuth {\n type: \"public\" | \"confidential\";\n clientId: string;\n clientSecret?: string;\n pkceRequired: boolean;\n scopes: string[];\n authorizationUrl: string;\n tokenUrl: string;\n gatewayUrl: string;\n redirectUris: string[];\n}\n\nexport interface CreateApplicationOAuthInput {\n type?: \"public\" | \"confidential\";\n redirectUris: string[];\n pkceRequired?: boolean;\n scopes?: string[];\n}\n\nexport interface CreateApplicationInput {\n name: string;\n oauth: CreateApplicationOAuthInput;\n}\n\nexport interface UpdateApplicationInput {\n name?: string;\n}\n\nexport interface UpdateApplicationOAuthInput {\n pkceRequired?: boolean;\n scopes?: string[];\n redirectUris?: string[];\n}\n\nexport interface CreateApplicationResponse {\n application: Application;\n oauth: ApplicationOAuth;\n}\n\nexport interface ApplicationResponse {\n application: Application;\n}\n\nexport interface ApplicationOAuthResponse {\n oauth: ApplicationOAuth;\n}\n\nexport interface ListApplicationsResponse {\n items: Application[];\n nextCursor?: string;\n}\n\nexport interface RotateApplicationSecretResponse {\n oauth: ApplicationOAuth;\n}\n\nexport interface UpdateApplicationIntegrationsInput {\n integrationIds: string[];\n}\n\nexport interface ApplicationIntegrationsResponse {\n integrationIds: string[];\n}\n\n// ============================================================================\n// Integrations\n// ============================================================================\n\nexport type IntegrationAuthMode =\n | \"oauth\"\n | \"user_token\"\n | \"server_token\"\n | \"none\";\n\nexport type IntegrationValidationStatus = \"pending\" | \"valid\" | \"invalid\";\n\nexport interface IntegrationOAuthSummary {\n provider?: string;\n issuer?: string;\n scopes?: string[];\n metadata?: Record<string, unknown>;\n}\n\nexport interface IntegrationCapabilities {\n tools?: boolean;\n resources?: boolean;\n prompts?: boolean;\n}\n\nexport interface Integration {\n id: string;\n name: string;\n url: string;\n authMode: IntegrationAuthMode;\n oauth?: IntegrationOAuthSummary;\n capabilities?: IntegrationCapabilities;\n serverTokenConfigured: boolean;\n validationStatus: IntegrationValidationStatus;\n validationMessage?: string;\n lastValidatedAt?: string;\n userConnection?: ConnectionStatusResponse;\n createdAt: string;\n updatedAt: string;\n archivedAt?: string;\n}\n\nexport interface IntegrationOAuthConfigInput {\n provider?: string;\n issuer?: string;\n scopes?: string[];\n}\n\nexport interface CreateIntegrationInput {\n name: string;\n url: string;\n authMode?: IntegrationAuthMode;\n oauth?: IntegrationOAuthConfigInput;\n capabilities?: IntegrationCapabilities;\n serverToken?: string;\n}\n\nexport interface UpdateIntegrationInput {\n name?: string;\n url?: string;\n authMode?: IntegrationAuthMode;\n oauth?: IntegrationOAuthConfigInput;\n capabilities?: IntegrationCapabilities;\n serverToken?: string;\n}\n\nexport interface CreateIntegrationResponse {\n integration: Integration;\n}\n\nexport interface IntegrationResponse {\n integration: Integration;\n}\n\nexport interface ListIntegrationsResponse {\n items: Integration[];\n nextCursor?: string;\n}\n\nexport interface ValidateIntegrationResponse {\n status: IntegrationValidationStatus;\n message?: string;\n}\n\n// ============================================================================\n// Integration Connections\n// ============================================================================\n\nexport type ConnectionStatus = \"connected\" | \"disconnected\";\n\nexport interface ConnectionStatusResponse {\n connected: boolean;\n status?: ConnectionStatus;\n expiresAt?: string;\n displayName?: string;\n}\n\nexport interface ConnectionResponse {\n connection: ConnectionStatusResponse;\n}\n\nexport interface AddUserTokenInput {\n token: string;\n}\n\n// ============================================================================\n// Service Accounts\n// ============================================================================\n\nexport interface ServiceAccount {\n id: string;\n name: string;\n description: string | null;\n createdAt: string;\n}\n\nexport interface ServiceAccountCredentials {\n clientId: string;\n clientSecret: string;\n}\n\nexport interface CreateServiceAccountInput {\n name: string;\n description?: string;\n}\n\nexport interface CreateServiceAccountResponse {\n serviceAccount: ServiceAccount;\n credentials: ServiceAccountCredentials;\n}\n\nexport interface RotateSecretResponse {\n credentials: ServiceAccountCredentials;\n}\n\nexport interface ListServiceAccountsResponse {\n items: ServiceAccount[];\n nextCursor: string | null;\n}\n\nexport interface ServiceAccountResponse {\n serviceAccount: ServiceAccount;\n}\n\n// ============================================================================\n// Agent Sessions\n// ============================================================================\n\nexport type AgentSessionStatus = \"active\" | \"disconnected\";\nexport type AgentSessionDerivedStatus =\n | \"active\"\n | \"idle\"\n | \"expired\"\n | \"disconnected\";\n\nexport interface AgentSession {\n id: string;\n agentId: string;\n organizationId: string;\n name: string;\n hostname?: string | null;\n userAgent?: string | null;\n clientInfo?: Record<string, unknown> | null;\n status: AgentSessionStatus;\n derivedStatus: AgentSessionDerivedStatus;\n connectedAt?: string;\n lastActiveAt?: string;\n disconnectedAt?: string;\n tokenExpiresAt?: string;\n createdAt: string;\n}\n\nexport interface AgentSessionResponse {\n session: AgentSession;\n}\n\nexport interface ListAgentSessionsResponse {\n items: AgentSession[];\n}\n\nexport interface RevokeAllSessionsResponse {\n success: boolean;\n disconnectedCount: number;\n}\n\n// ============================================================================\n// Traces & Events\n// ============================================================================\n\nexport interface Trace {\n traceId: string | null;\n sessionId: string;\n startedAt: string | null;\n endedAt: string | null;\n eventCount: number;\n okCount?: number;\n warnCount?: number;\n errorCount?: number;\n agentId?: string;\n ownerUserId?: string;\n ownerEmail?: string;\n agentName?: string;\n agentSessionId?: string;\n agentSessionName?: string;\n}\n\nexport interface TraceEvent {\n id: string;\n createdAt: string;\n sessionId: string;\n agentId: string;\n traceId?: string | null;\n apiKeyId?: string | null;\n eventType: string;\n status: string;\n durationMs?: number | null;\n integrationId?: string | null;\n toolName?: string | null;\n errorMessage?: string | null;\n bytesIn?: number | null;\n bytesOut?: number | null;\n requestJson?: unknown;\n responseJson?: unknown;\n parentEventId?: string | null;\n agentSessionId?: string | null;\n /** @deprecated Use createdAt */\n timestamp?: string;\n /** @deprecated Use status */\n level?: \"ok\" | \"warn\" | \"error\";\n /** @deprecated Use eventType */\n type?: string;\n /** @deprecated May be encoded in requestJson/responseJson */\n method?: string;\n /** @deprecated Use toolName */\n tool?: string;\n /** @deprecated Use durationMs */\n duration?: number;\n /** @deprecated Use status/errorMessage fields */\n errorType?: string;\n /** @deprecated May be encoded in requestJson/responseJson */\n metadata?: Record<string, unknown>;\n}\n\nexport interface ListTracesResponse {\n items: Trace[];\n nextCursor?: string;\n}\n\nexport interface TraceResponse {\n trace: Trace;\n events: TraceEvent[];\n}\n\nexport interface McpEvent {\n id: string;\n createdAt: string;\n agentId: string;\n integrationId: string | null;\n toolName: string | null;\n eventType: string;\n status: string;\n}\n\nexport interface McpEventListResponse {\n items: McpEvent[];\n}\n\n/**\n * @deprecated Use McpEventListResponse instead.\n */\nexport type ListEventsResponse = McpEventListResponse;\n\nexport interface TraceStats {\n totalTraces: number;\n totalEvents: number;\n eventCounts: { ok: number; warn: number; error: number };\n errorRate: number;\n latency: { avg: number; p50: number; p95: number; p99: number };\n bytesTransferred: { in: number; out: number };\n errorsByType: Array<{ type: string; count: number; percentage: number }>;\n topTools: Array<{ name: string; count: number; avgDuration: number }>;\n timeline: Array<{\n date: string;\n traceCount: number;\n eventCount: number;\n warnCount: number;\n errorCount: number;\n bytesIn: number;\n bytesOut: number;\n }>;\n}\n\nexport interface TraceStatsResponse {\n stats: TraceStats;\n}\n\n// ============================================================================\n// Pagination\n// ============================================================================\n\nexport interface PaginationParams {\n cursor?: string;\n limit?: number;\n}\n\n// ============================================================================\n// OAuth Tokens (for storage)\n// ============================================================================\n\nexport interface OAuthTokens {\n accessToken: string;\n refreshToken?: string;\n tokenType: string;\n scope?: string;\n expiresAt?: string;\n}\n\n// ============================================================================\n// Token Exchange (RFC 8693)\n// ============================================================================\n\n/**\n * RFC 8693 Token Exchange grant type\n */\nexport const TOKEN_EXCHANGE_GRANT_TYPE =\n \"urn:ietf:params:oauth:grant-type:token-exchange\";\n\n/**\n * RFC 8693 token type identifier for access tokens\n */\nexport const TOKEN_TYPE_ACCESS_TOKEN =\n \"urn:ietf:params:oauth:token-type:access_token\";\n\n/**\n * Request body for RFC 8693 token exchange\n */\nexport interface TokenExchangeRequest {\n grant_type: typeof TOKEN_EXCHANGE_GRANT_TYPE;\n subject_token: string;\n subject_token_type?: string;\n resource: string;\n scope?: string;\n audience?: string;\n}\n\n/**\n * Response from RFC 8693 token exchange\n */\nexport interface TokenExchangeResponse {\n access_token: string;\n issued_token_type: string;\n token_type: string;\n expires_in?: number;\n scope?: string;\n refresh_token?: string;\n}\n\n// ============================================================================\n// Client Configuration\n// ============================================================================\n\nexport interface KontextManagementClientConfig {\n /**\n * Base URL for the Kontext API (e.g., \"https://api.kontext.dev\")\n */\n baseUrl: string;\n\n /**\n * API version to use (default: \"v1\")\n */\n apiVersion?: string;\n\n /**\n * OAuth token endpoint URL (optional)\n * If not specified, defaults to `${baseUrl}/oauth2/token`\n * Useful for local development where Hydra runs on a different port\n */\n tokenUrl?: string;\n\n /**\n * OAuth scopes to request (optional)\n * Defaults to [\"management:all\"]\n */\n scopes?: string[];\n\n /**\n * OAuth audience for token requests (optional)\n * If not specified, defaults to `${baseUrl}/api/${apiVersion}`\n * Required for Hydra token introspection\n */\n audience?: string;\n\n /**\n * Service account credentials for authentication\n */\n credentials: {\n clientId: string;\n clientSecret: string;\n };\n}\n","/**\n * Typed error classes for the Kontext SDK.\n *\n * Every error has a `kontext_` prefixed code, an auto-generated docsUrl,\n * and a `kontextError` brand for type narrowing without instanceof.\n *\n * @packageDocumentation\n */\n\n// ============================================================================\n// Base\n// ============================================================================\n\n/**\n * Base error class for all Kontext SDK errors.\n *\n * @example\n * ```typescript\n * import { isKontextError } from '@kontext-dev/js-sdk';\n *\n * try {\n * await client.connect();\n * } catch (err) {\n * if (isKontextError(err)) {\n * console.log(err.code); // \"kontext_authorization_required\"\n * console.log(err.docsUrl); // \"https://docs.kontext.dev/errors/kontext_authorization_required\"\n * }\n * }\n * ```\n */\nexport class KontextError extends Error {\n /** Brand field for type narrowing without instanceof */\n readonly kontextError = true as const;\n\n /** Machine-readable error code, always prefixed with `kontext_` */\n readonly code: string;\n\n /** HTTP status code when applicable */\n readonly statusCode?: number;\n\n /** Auto-generated link to error documentation */\n readonly docsUrl: string;\n\n /** Server request ID for debugging / support escalation */\n readonly requestId?: string;\n\n /** Contextual metadata bag (integration IDs, param names, etc.) */\n readonly meta: Record<string, unknown>;\n\n constructor(\n message: string,\n code: string,\n options?: {\n statusCode?: number;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, { cause: options?.cause });\n this.name = \"KontextError\";\n this.code = code;\n this.statusCode = options?.statusCode;\n this.requestId = options?.requestId;\n this.meta = options?.meta ?? {};\n this.docsUrl = `https://docs.kontext.dev/errors/${code}`;\n Object.setPrototypeOf(this, new.target.prototype);\n }\n\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n code: this.code,\n message: this.message,\n statusCode: this.statusCode,\n docsUrl: this.docsUrl,\n requestId: this.requestId,\n meta: Object.keys(this.meta).length > 0 ? this.meta : undefined,\n };\n }\n\n override toString(): string {\n const parts = [`[${this.code}] ${this.message}`];\n if (this.docsUrl) parts.push(`Docs: ${this.docsUrl}`);\n if (this.requestId) parts.push(`Request ID: ${this.requestId}`);\n return parts.join(\"\\n\");\n }\n}\n\n// ============================================================================\n// Type guard\n// ============================================================================\n\n/**\n * Check if an error is a KontextError without instanceof.\n * Works across package versions and bundler deduplication.\n */\nexport function isKontextError(err: unknown): err is KontextError {\n return (\n typeof err === \"object\" &&\n err !== null &&\n (err as Record<string, unknown>).kontextError === true\n );\n}\n\n// ============================================================================\n// Auth errors\n// ============================================================================\n\n/**\n * Thrown when authentication is required but no valid credentials are available.\n */\nexport class AuthorizationRequiredError extends KontextError {\n readonly authorizationUrl?: string;\n\n constructor(\n message = \"Authorization required. Complete the OAuth flow to continue.\",\n options?: {\n authorizationUrl?: string;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, \"kontext_authorization_required\", {\n statusCode: 401,\n ...options,\n });\n this.name = \"AuthorizationRequiredError\";\n this.authorizationUrl = options?.authorizationUrl;\n }\n}\n\n// ============================================================================\n// OAuth errors\n// ============================================================================\n\n/**\n * Thrown when an OAuth flow fails — state validation, token exchange,\n * missing code verifier, or provider errors.\n */\nexport class OAuthError extends KontextError {\n readonly errorCode?: string;\n readonly errorDescription?: string;\n\n constructor(\n message: string,\n code: string,\n options?: {\n statusCode?: number;\n errorCode?: string;\n errorDescription?: string;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, code, {\n statusCode: options?.statusCode ?? 400,\n ...options,\n });\n this.name = \"OAuthError\";\n this.errorCode = options?.errorCode;\n this.errorDescription = options?.errorDescription;\n }\n}\n\n// ============================================================================\n// Integration errors\n// ============================================================================\n\n/**\n * Thrown when an integration connection is required before a tool can be used.\n */\nexport class IntegrationConnectionRequiredError extends KontextError {\n readonly integrationId: string;\n readonly integrationName?: string;\n readonly connectUrl?: string;\n\n constructor(\n integrationId: string,\n options?: {\n integrationName?: string;\n connectUrl?: string;\n message?: string;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(\n options?.message ??\n `Connection to integration \"${integrationId}\" is required. Visit the connect URL to authorize.`,\n \"kontext_integration_connection_required\",\n { statusCode: 403, ...options },\n );\n this.name = \"IntegrationConnectionRequiredError\";\n this.integrationId = integrationId;\n this.integrationName = options?.integrationName;\n this.connectUrl = options?.connectUrl;\n }\n}\n\n// ============================================================================\n// Config errors (NEW — replaces all plain Error config throws)\n// ============================================================================\n\n/**\n * Thrown when SDK configuration is invalid or missing.\n * These are deterministic errors caught at initialization time.\n */\nexport class ConfigError extends KontextError {\n constructor(\n message: string,\n code: string,\n options?: {\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, code, options);\n this.name = \"ConfigError\";\n }\n}\n\n// ============================================================================\n// Network errors\n// ============================================================================\n\n/**\n * Thrown when there is a network or connection error.\n */\nexport class NetworkError extends KontextError {\n constructor(\n message = \"Network error. Check your internet connection and that the server is reachable.\",\n options?: {\n cause?: unknown;\n requestId?: string;\n meta?: Record<string, unknown>;\n },\n ) {\n super(message, \"kontext_network_error\", options);\n this.name = \"NetworkError\";\n }\n}\n\n// ============================================================================\n// HTTP response errors (differentiated by code)\n// ============================================================================\n\n/**\n * Thrown when the server returns an HTTP error.\n * Use `error.code` to distinguish between specific error types.\n */\nexport class HttpError extends KontextError {\n readonly retryAfter?: number;\n readonly validationErrors?: Array<{ field: string; message: string }>;\n\n constructor(\n message: string,\n code: string,\n options?: {\n statusCode?: number;\n retryAfter?: number;\n validationErrors?: Array<{ field: string; message: string }>;\n requestId?: string;\n meta?: Record<string, unknown>;\n cause?: unknown;\n },\n ) {\n super(message, code, {\n statusCode: options?.statusCode,\n ...options,\n });\n this.name = \"HttpError\";\n this.retryAfter = options?.retryAfter;\n this.validationErrors = options?.validationErrors;\n }\n}\n\n// ============================================================================\n// Network error detection (used by translateError)\n// ============================================================================\n\n/**\n * Safely access arbitrary properties on an error object.\n * Errors in JS frequently carry extra properties (code, statusCode, etc.)\n * that aren't part of the Error interface. This avoids `as unknown as` casts.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nfunction errorProps(err: Error): Record<string, any> {\n return err;\n}\n\nconst NETWORK_ERROR_CODES = new Set([\n \"ECONNREFUSED\",\n \"ENOTFOUND\",\n \"ETIMEDOUT\",\n \"ECONNRESET\",\n \"ECONNABORTED\",\n \"EPIPE\",\n \"UND_ERR_CONNECT_TIMEOUT\",\n]);\n\n/**\n * Detect network errors structurally rather than by string matching.\n * Checks Node.js system error codes on the error and its cause.\n */\nexport function isNetworkError(err: Error): boolean {\n if (err.name === \"AbortError\") return true;\n\n const props = errorProps(err);\n const sysCode = props.code as string | undefined;\n if (typeof sysCode === \"string\" && NETWORK_ERROR_CODES.has(sysCode))\n return true;\n\n // fetch() throws TypeError — only classify as network error when cause\n // indicates a system-level failure\n if (err.name === \"TypeError\" && err.cause instanceof Error) {\n const causeCode = errorProps(err.cause).code;\n if (typeof causeCode === \"string\" && NETWORK_ERROR_CODES.has(causeCode))\n return true;\n }\n\n return false;\n}\n\n/**\n * Detect unauthorized errors structurally.\n * Checks status code and numeric code rather than string matching on name.\n */\nexport function isUnauthorizedError(err: Error): boolean {\n const props = errorProps(err);\n\n // Check HTTP status code (most reliable)\n if (props.statusCode === 401 || props.status === 401) return true;\n\n // Check MCP SDK UnauthorizedError by name (last resort, but needed for\n // MCP SDK errors which don't set statusCode)\n if (err.name === \"UnauthorizedError\") return true;\n if (err.message === \"Unauthorized\") return true;\n\n return false;\n}\n\n// ============================================================================\n// Elicitation types\n// ============================================================================\n\nexport interface ElicitationEntry {\n readonly url: string;\n readonly message: string;\n readonly elicitationId: string;\n readonly integrationId?: string;\n readonly integrationName?: string;\n}\n\n// ============================================================================\n// HTTP error parsing\n// ============================================================================\n\n/**\n * Parse an HTTP response into an appropriate error.\n */\nexport function parseHttpError(\n statusCode: number,\n body?: unknown,\n): KontextError {\n const message =\n typeof body === \"object\" && body !== null && \"message\" in body\n ? String((body as { message: unknown }).message)\n : `HTTP ${statusCode}`;\n\n const errorCode =\n typeof body === \"object\" && body !== null && \"code\" in body\n ? String((body as { code: unknown }).code)\n : undefined;\n\n switch (statusCode) {\n case 400:\n if (\n typeof body === \"object\" &&\n body !== null &&\n \"errors\" in body &&\n Array.isArray((body as { errors: unknown }).errors)\n ) {\n return new HttpError(message, \"kontext_validation_error\", {\n statusCode: 400,\n validationErrors: (\n body as { errors: Array<{ field: string; message: string }> }\n ).errors,\n });\n }\n return new KontextError(message, errorCode ?? \"kontext_bad_request\", {\n statusCode: 400,\n });\n\n case 401:\n return new AuthorizationRequiredError(message);\n\n case 403:\n if (errorCode === \"INTEGRATION_CONNECTION_REQUIRED\") {\n const details = body as {\n integrationId?: string;\n integrationName?: string;\n connectUrl?: string;\n };\n return new IntegrationConnectionRequiredError(\n details.integrationId ?? \"unknown\",\n {\n integrationName: details.integrationName,\n connectUrl: details.connectUrl,\n message,\n },\n );\n }\n return new HttpError(message, \"kontext_policy_denied\", {\n statusCode: 403,\n meta: { policy: (body as Record<string, unknown>)?.policy },\n });\n\n case 404:\n return new HttpError(message, \"kontext_not_found\", { statusCode: 404 });\n\n case 429: {\n const retryAfter =\n typeof body === \"object\" && body !== null && \"retryAfter\" in body\n ? Number((body as { retryAfter: unknown }).retryAfter)\n : undefined;\n return new HttpError(\n retryAfter\n ? `Rate limit exceeded. Retry after ${retryAfter} seconds.`\n : \"Rate limit exceeded. Wait and retry.\",\n \"kontext_rate_limited\",\n { statusCode: 429, retryAfter },\n );\n }\n\n default:\n if (statusCode >= 500) {\n return new HttpError(\n `Server error (HTTP ${statusCode}): ${message}`,\n \"kontext_server_error\",\n { statusCode },\n );\n }\n return new KontextError(message, errorCode ?? \"kontext_unknown_error\", {\n statusCode,\n });\n }\n}\n","/**\n * RFC 8693 Token Exchange\n *\n * Generic token exchange function for exchanging identity tokens\n * for resource-scoped tokens.\n *\n * @see https://datatracker.ietf.org/doc/html/rfc8693\n */\n\nimport {\n TOKEN_EXCHANGE_GRANT_TYPE,\n TOKEN_TYPE_ACCESS_TOKEN,\n type TokenExchangeResponse,\n} from \"../management/types.js\";\nimport { OAuthError } from \"../errors.js\";\n\n/**\n * Configuration for token exchange\n */\nexport interface TokenExchangeConfig {\n /**\n * Token endpoint URL (e.g., https://api.kontext.dev/oauth2/token)\n */\n tokenUrl: string;\n\n /**\n * OAuth client ID\n */\n clientId: string;\n\n /**\n * OAuth client secret (for confidential clients)\n */\n clientSecret?: string;\n}\n\n/**\n * Exchange a subject token for a resource-scoped token (RFC 8693).\n *\n * This function implements the OAuth 2.0 Token Exchange grant type,\n * allowing an identity token to be exchanged for an access token\n * scoped to a specific resource.\n *\n * @param config - Token exchange configuration\n * @param subjectToken - The subject token to exchange (typically an access token)\n * @param resource - The target resource identifier (e.g., \"mcp-gateway\", \"my-mcp-server\")\n * @param scope - Optional scope restriction (must be subset of subject token scopes)\n * @param subjectTokenType - Optional subject token type (defaults to access token)\n * @returns Resource-scoped token response\n * @throws {OAuthError} If the token exchange fails\n *\n * @example\n * ```typescript\n * const response = await exchangeToken(\n * {\n * tokenUrl: 'https://api.kontext.dev/oauth2/token',\n * clientId: 'my-client-id',\n * },\n * identityToken,\n * 'mcp-gateway'\n * );\n * console.log(response.access_token);\n * ```\n */\nexport async function exchangeToken(\n config: TokenExchangeConfig,\n subjectToken: string,\n resource: string,\n scope?: string,\n subjectTokenType: string = TOKEN_TYPE_ACCESS_TOKEN,\n): Promise<TokenExchangeResponse> {\n // Build the request body as form-urlencoded\n const body = new URLSearchParams();\n body.set(\"grant_type\", TOKEN_EXCHANGE_GRANT_TYPE);\n body.set(\"subject_token\", subjectToken);\n body.set(\"subject_token_type\", subjectTokenType);\n body.set(\"resource\", resource);\n\n if (scope) {\n body.set(\"scope\", scope);\n }\n\n // For public clients, include client_id in the body\n // For confidential clients, use Basic auth\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n };\n\n if (config.clientSecret) {\n // Confidential client: use Basic authentication\n const credentials = Buffer.from(\n `${config.clientId}:${config.clientSecret}`,\n ).toString(\"base64\");\n headers[\"Authorization\"] = `Basic ${credentials}`;\n } else {\n // Public client: include client_id in body\n body.set(\"client_id\", config.clientId);\n }\n\n const response = await fetch(config.tokenUrl, {\n method: \"POST\",\n headers,\n body: body.toString(),\n });\n\n if (!response.ok) {\n let errorMessage = `Token exchange failed: ${response.status} ${response.statusText}`;\n let errorCode: string | undefined;\n let integrationName: string | undefined;\n let integrationId: string | undefined;\n\n try {\n const errorBody = await response.json();\n errorCode = errorBody.error;\n if (errorBody.error_description) {\n errorMessage = errorBody.error_description;\n } else if (errorBody.error) {\n errorMessage = `Token exchange failed: ${errorBody.error}`;\n }\n // Extract integration-specific fields when present (e.g., integration_required,\n // or any error that includes integration metadata for reconnection flows)\n if (errorBody.integration_name || errorBody.integration_id) {\n integrationName = errorBody.integration_name;\n integrationId = errorBody.integration_id;\n }\n } catch {\n // Ignore JSON parse errors, use default message\n }\n\n throw new OAuthError(errorMessage, \"kontext_oauth_token_exchange_failed\", {\n errorCode,\n meta: {\n integrationName,\n integrationId,\n },\n });\n }\n\n const tokenResponse = (await response.json()) as TokenExchangeResponse;\n\n // Validate required fields\n if (!tokenResponse.access_token) {\n throw new OAuthError(\n \"Token exchange response missing access_token.\",\n \"kontext_oauth_token_exchange_failed\",\n );\n }\n\n if (!tokenResponse.issued_token_type) {\n throw new OAuthError(\n \"Token exchange response missing issued_token_type.\",\n \"kontext_oauth_token_exchange_failed\",\n );\n }\n\n if (!tokenResponse.token_type) {\n throw new OAuthError(\n \"Token exchange response missing token_type.\",\n \"kontext_oauth_token_exchange_failed\",\n );\n }\n\n return tokenResponse;\n}\n","/**\n * Token verification error codes.\n * These provide structured error information for debugging and error handling.\n */\nexport type TokenVerificationErrorCode =\n | \"INVALID_TOKEN_FORMAT\"\n | \"INVALID_SIGNATURE\"\n | \"TOKEN_EXPIRED\"\n | \"TOKEN_NOT_YET_VALID\"\n | \"INVALID_ISSUER\"\n | \"INVALID_AUDIENCE\"\n | \"MISSING_SCOPE\"\n | \"MISSING_CLAIMS\"\n | \"JWKS_FETCH_FAILED\"\n | \"UNKNOWN_KID\"\n | \"UNSUPPORTED_ALGORITHM\";\n\n/**\n * Error thrown when token verification fails.\n * Contains a structured error code for programmatic handling.\n */\nexport class TokenVerificationError extends Error {\n readonly code: TokenVerificationErrorCode;\n\n constructor(code: TokenVerificationErrorCode, message: string) {\n super(message);\n this.name = \"TokenVerificationError\";\n this.code = code;\n Object.setPrototypeOf(this, TokenVerificationError.prototype);\n }\n}\n","import { createRemoteJWKSet, type JWTVerifyGetKey } from \"jose\";\nimport { TokenVerificationError } from \"./errors.js\";\n\n/**\n * Options for the JWKS client.\n */\nexport interface JwksClientOptions {\n /** JWKS endpoint URL */\n jwksUrl: string;\n\n /** Cache TTL in milliseconds (default: 5 minutes) */\n cacheTtlMs?: number;\n\n /** Minimum time between refetches in milliseconds (default: 30 seconds) */\n refetchCooldownMs?: number;\n\n /** Custom fetch function for testing */\n fetch?: typeof globalThis.fetch;\n}\n\nconst DEFAULT_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes\nconst DEFAULT_REFETCH_COOLDOWN_MS = 30 * 1000; // 30 seconds\n\n/**\n * JWKS client with caching and rate-limited refetching.\n *\n * Uses jose's createRemoteJWKSet for JWKS fetching and caching,\n * but adds rate limiting to prevent DoS via rapid refetch requests.\n */\nexport class JwksClient {\n private readonly jwksUrl: URL;\n private readonly cacheTtlMs: number;\n private readonly refetchCooldownMs: number;\n private readonly customFetch?: typeof globalThis.fetch;\n\n private jwks: JWTVerifyGetKey | null = null;\n private lastFetchAt = 0;\n private lastRefreshAt = 0;\n\n constructor(options: JwksClientOptions) {\n this.jwksUrl = new URL(options.jwksUrl);\n this.cacheTtlMs = options.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;\n this.refetchCooldownMs =\n options.refetchCooldownMs ?? DEFAULT_REFETCH_COOLDOWN_MS;\n this.customFetch = options.fetch;\n }\n\n /**\n * Get the JWKS key resolver for use with jose's jwtVerify.\n *\n * Creates the remote JWKS on first call and caches it.\n * The jose library handles internal caching and key lookup.\n */\n getKeyResolver(): JWTVerifyGetKey {\n const now = Date.now();\n\n // Check if we need to refresh (cache expired)\n if (this.jwks && now - this.lastFetchAt > this.cacheTtlMs) {\n this.jwks = null;\n }\n\n if (!this.jwks) {\n this.jwks = createRemoteJWKSet(this.jwksUrl, {\n // jose handles caching internally, we just track our own refresh timing\n ...(this.customFetch && {\n [Symbol.for(\"fetch\")]: this.customFetch,\n }),\n });\n this.lastFetchAt = now;\n }\n\n return this.jwks;\n }\n\n /**\n * Force refresh the JWKS cache.\n *\n * Respects the refetch cooldown to prevent rapid refetching.\n * Returns true if refresh was performed, false if cooldown not elapsed.\n */\n refresh(): boolean {\n const now = Date.now();\n\n if (!this.canRefresh()) {\n return false;\n }\n\n this.jwks = null;\n this.lastRefreshAt = now;\n return true;\n }\n\n /**\n * Check if a refresh is allowed (cooldown elapsed).\n */\n canRefresh(): boolean {\n return Date.now() - this.lastRefreshAt >= this.refetchCooldownMs;\n }\n\n /**\n * Handle unknown kid errors by attempting refresh.\n *\n * @returns TokenVerificationError if refresh not allowed or already attempted\n */\n handleUnknownKid(kid: string): TokenVerificationError | null {\n if (this.refresh()) {\n // Refresh performed, caller should retry verification\n return null;\n }\n\n // Cooldown not elapsed, return error\n return new TokenVerificationError(\n \"UNKNOWN_KID\",\n `Unknown key ID: ${kid}. JWKS refresh on cooldown.`,\n );\n }\n\n /**\n * Clear the cache, forcing a fresh fetch on next access.\n */\n clearCache(): void {\n this.jwks = null;\n this.lastFetchAt = 0;\n // Don't reset lastRefreshAt to maintain cooldown protection\n }\n}\n","import { jwtVerify, decodeProtectedHeader, errors as joseErrors } from \"jose\";\nimport { JwksClient } from \"./jwks-client.js\";\nimport { TokenVerificationError } from \"./errors.js\";\nimport type {\n KontextTokenVerifierConfig,\n VerifiedTokenClaims,\n VerifyResult,\n JwtPayload,\n} from \"./types.js\";\n\nconst DEFAULT_CLOCK_TOLERANCE_SEC = 30;\nconst SUPPORTED_ALGORITHMS = [\"ES256\", \"RS256\"];\n\n/**\n * Token verifier for Kontext-issued JWTs using JWKS discovery.\n *\n * Uses the jose library for robust JWT verification with support for:\n * - ES256 and RS256 algorithms\n * - JWKS-based key discovery with caching\n * - Key rotation support with rate-limited refetching\n * - Configurable clock tolerance\n * - Typed error responses\n *\n * @example\n * ```typescript\n * import { KontextTokenVerifier } from '@kontext-dev/js-sdk';\n *\n * const verifier = new KontextTokenVerifier({\n * jwksUrl: 'https://api.kontext.dev/.well-known/jwks.json',\n * issuer: 'kontext-token-exchange',\n * audience: 'mcp-gateway',\n * requiredScopes: ['mcp:invoke'],\n * });\n *\n * const result = await verifier.verify(bearerToken);\n * if (result.success) {\n * console.log(`Verified token for client: ${result.claims.clientId}`);\n * } else {\n * console.error(`Verification failed: ${result.error.code}`);\n * }\n * ```\n */\ninterface ResolvedConfig {\n jwksUrl: string;\n issuer: string | string[];\n audience: string | string[];\n requiredScopes: string[];\n cacheTtlMs: number;\n refetchCooldownMs: number;\n clockToleranceSec: number;\n fetch?: typeof globalThis.fetch;\n}\n\nexport class KontextTokenVerifier {\n private readonly config: ResolvedConfig;\n private readonly jwksClient: JwksClient;\n private readonly audiences: string[];\n\n constructor(config: KontextTokenVerifierConfig) {\n this.config = {\n jwksUrl: config.jwksUrl,\n issuer: config.issuer,\n audience: config.audience,\n requiredScopes: config.requiredScopes ?? [],\n cacheTtlMs: config.cacheTtlMs ?? 5 * 60 * 1000,\n refetchCooldownMs: config.refetchCooldownMs ?? 30 * 1000,\n clockToleranceSec:\n config.clockToleranceSec ?? DEFAULT_CLOCK_TOLERANCE_SEC,\n fetch: config.fetch,\n };\n\n this.audiences = Array.isArray(config.audience)\n ? config.audience\n : [config.audience];\n\n this.jwksClient = new JwksClient({\n jwksUrl: config.jwksUrl,\n cacheTtlMs: this.config.cacheTtlMs,\n refetchCooldownMs: this.config.refetchCooldownMs,\n fetch: config.fetch,\n });\n }\n\n /**\n * Verify a JWT token.\n *\n * @param token - The JWT token string (without \"Bearer \" prefix)\n * @returns VerifyResult with success=true and claims, or success=false and error\n */\n async verify(token: string): Promise<VerifyResult> {\n try {\n return await this.verifyInternal(token, false);\n } catch (error) {\n if (error instanceof TokenVerificationError) {\n return { success: false, error };\n }\n\n // Unexpected error\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_TOKEN_FORMAT\",\n `Unexpected verification error: ${(error as Error).message}`,\n ),\n };\n }\n }\n\n /**\n * Verify a JWT token and return claims or null.\n * Simpler API for cases where you don't need error details.\n *\n * @param token - The JWT token string (without \"Bearer \" prefix)\n * @returns VerifiedTokenClaims if valid, null if invalid\n */\n async verifyOrNull(token: string): Promise<VerifiedTokenClaims | null> {\n const result = await this.verify(token);\n return result.success ? result.claims : null;\n }\n\n /**\n * Clear the JWKS cache, forcing a fresh fetch on next verification.\n */\n clearCache(): void {\n this.jwksClient.clearCache();\n }\n\n private async verifyInternal(\n token: string,\n isRetry: boolean,\n ): Promise<VerifyResult> {\n const JWKS = this.jwksClient.getKeyResolver();\n\n try {\n // Use jose's jwtVerify for robust verification\n const { payload, protectedHeader } = await jwtVerify(token, JWKS, {\n issuer: this.config.issuer,\n audience: this.audiences,\n clockTolerance: this.config.clockToleranceSec,\n algorithms: SUPPORTED_ALGORITHMS,\n });\n\n // Check algorithm is supported\n const alg = protectedHeader.alg;\n if (!SUPPORTED_ALGORITHMS.includes(alg)) {\n throw new TokenVerificationError(\n \"UNSUPPORTED_ALGORITHM\",\n `Unsupported algorithm: ${alg}. Expected one of: ${SUPPORTED_ALGORITHMS.join(\", \")}`,\n );\n }\n\n // Validate required claims\n const jwtPayload = payload as JwtPayload;\n if (\n typeof jwtPayload.exp !== \"number\" ||\n !Number.isFinite(jwtPayload.exp) ||\n jwtPayload.exp <= 0\n ) {\n throw new TokenVerificationError(\n \"MISSING_CLAIMS\",\n \"Token missing required exp claim\",\n );\n }\n\n // Extract and validate scopes\n const scopes = this.parseScopes(jwtPayload.scope);\n for (const required of this.config.requiredScopes) {\n if (!scopes.includes(required)) {\n throw new TokenVerificationError(\n \"MISSING_SCOPE\",\n `Missing required scope: ${required}`,\n );\n }\n }\n\n // Extract client ID\n const clientId = jwtPayload.client_id || jwtPayload.sub;\n if (!clientId) {\n throw new TokenVerificationError(\n \"MISSING_CLAIMS\",\n \"Token missing client_id and sub claims\",\n );\n }\n\n // Build verified claims\n const claims: VerifiedTokenClaims = {\n sub: jwtPayload.sub || \"\",\n clientId,\n scopes,\n expiresAt: new Date(jwtPayload.exp * 1000),\n jti: jwtPayload.jti,\n payload: jwtPayload,\n };\n\n return { success: true, claims };\n } catch (error) {\n // Handle jose-specific errors\n if (error instanceof joseErrors.JWKSNoMatchingKey) {\n // Unknown kid - try refreshing JWKS once\n if (!isRetry) {\n const kid = this.extractKid(token);\n const refreshError = this.jwksClient.handleUnknownKid(\n kid || \"unknown\",\n );\n if (!refreshError) {\n // Refresh performed, retry verification\n return this.verifyInternal(token, true);\n }\n return { success: false, error: refreshError };\n }\n\n return {\n success: false,\n error: new TokenVerificationError(\n \"UNKNOWN_KID\",\n \"No matching key found in JWKS\",\n ),\n };\n }\n\n if (error instanceof joseErrors.JWTExpired) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"TOKEN_EXPIRED\",\n \"Token has expired\",\n ),\n };\n }\n\n if (error instanceof joseErrors.JWTClaimValidationFailed) {\n const message = error.message;\n if (message.includes(\"iss\")) {\n const expected = Array.isArray(this.config.issuer)\n ? this.config.issuer.join(\" or \")\n : this.config.issuer;\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_ISSUER\",\n `Invalid issuer: expected ${expected}`,\n ),\n };\n }\n if (message.includes(\"aud\")) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_AUDIENCE\",\n `Invalid audience: expected one of ${this.audiences.join(\", \")}`,\n ),\n };\n }\n if (message.includes(\"nbf\")) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"TOKEN_NOT_YET_VALID\",\n \"Token is not yet valid (nbf claim)\",\n ),\n };\n }\n }\n\n if (error instanceof joseErrors.JWSSignatureVerificationFailed) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_SIGNATURE\",\n \"Signature verification failed\",\n ),\n };\n }\n\n if (error instanceof joseErrors.JWSInvalid) {\n return {\n success: false,\n error: new TokenVerificationError(\n \"INVALID_TOKEN_FORMAT\",\n `Invalid JWS: ${error.message}`,\n ),\n };\n }\n\n // Re-throw TokenVerificationError\n if (error instanceof TokenVerificationError) {\n throw error;\n }\n\n // Unknown error\n throw new TokenVerificationError(\n \"INVALID_TOKEN_FORMAT\",\n `Verification failed: ${(error as Error).message}`,\n );\n }\n }\n\n private parseScopes(scope: string | undefined): string[] {\n if (!scope) return [];\n return scope\n .split(\" \")\n .map((s) => s.trim())\n .filter(Boolean);\n }\n\n private extractKid(token: string): string | null {\n try {\n const header = decodeProtectedHeader(token);\n return header.kid ?? null;\n } catch {\n return null;\n }\n }\n}\n","/**\n * Session and transport management for the Kontext server SDK.\n *\n * Tracks StreamableHTTPServerTransport instances by session ID,\n * handles cleanup of stale sessions, and provides the session lifecycle\n * hooks used by `kontext.middleware()`.\n */\n\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\n\nexport interface SessionCallbacks {\n onSessionClosed?: (sessionId: string) => void;\n}\n\nexport class SessionManager {\n private readonly transports = new Map<\n string,\n StreamableHTTPServerTransport\n >();\n private readonly lastAccessed = new Map<string, number>();\n private readonly expiresAt = new Map<string, number>();\n private readonly cleanupInterval: ReturnType<typeof setInterval>;\n\n private static readonly STALE_TIMEOUT_MS = 60 * 60 * 1000; // 1 hour\n private static readonly CLEANUP_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes\n\n constructor() {\n this.cleanupInterval = setInterval(\n () => this.cleanupStaleSessions(),\n SessionManager.CLEANUP_INTERVAL_MS,\n );\n // Allow the timer to not block process exit\n if (this.cleanupInterval.unref) {\n this.cleanupInterval.unref();\n }\n }\n\n getTransport(sessionId: string): StreamableHTTPServerTransport | undefined {\n return this.transports.get(sessionId);\n }\n\n registerSession(\n sessionId: string,\n transport: StreamableHTTPServerTransport,\n callbacks?: SessionCallbacks,\n expiresAt?: number,\n ): void {\n this.transports.set(sessionId, transport);\n this.lastAccessed.set(sessionId, Date.now());\n if (expiresAt !== undefined) {\n this.expiresAt.set(sessionId, expiresAt);\n }\n\n transport.onclose = () => {\n this.removeSession(sessionId);\n callbacks?.onSessionClosed?.(sessionId);\n };\n }\n\n touchSession(sessionId: string): void {\n if (this.transports.has(sessionId)) {\n this.lastAccessed.set(sessionId, Date.now());\n }\n }\n\n removeSession(sessionId: string): void {\n this.transports.delete(sessionId);\n this.lastAccessed.delete(sessionId);\n this.expiresAt.delete(sessionId);\n }\n\n /**\n * Check if a session's token has expired.\n * Returns true if the token's `expiresAt` has passed.\n */\n isSessionExpired(sessionId: string): boolean {\n const exp = this.expiresAt.get(sessionId);\n return exp !== undefined && Date.now() / 1000 >= exp;\n }\n\n private cleanupStaleSessions(): void {\n const now = Date.now();\n for (const [sid, lastTime] of this.lastAccessed.entries()) {\n if (now - lastTime > SessionManager.STALE_TIMEOUT_MS) {\n const transport = this.transports.get(sid);\n if (transport) {\n void transport.close?.();\n }\n this.removeSession(sid);\n }\n }\n }\n\n destroy(): void {\n clearInterval(this.cleanupInterval);\n for (const [sid, transport] of this.transports.entries()) {\n void transport.close?.();\n this.removeSession(sid);\n }\n }\n}\n","/**\n * Kontext — the v3 server SDK entry point.\n *\n * Two methods:\n * kontext.middleware(server) — Express middleware (auth + metadata + transport + sessions)\n * kontext.require(integration, token) — RFC 8693 token exchange with caching\n * kontext.requireCredentials(integration, token) — Resolve per-user internal credentials\n *\n * @example Factory pattern (recommended for production — supports concurrent sessions)\n * ```typescript\n * import { Kontext } from \"@kontext-dev/js-sdk/server\";\n * import { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\n * import express from \"express\";\n *\n * const kontext = new Kontext({ clientId: \"mcp_my-server\" });\n *\n * function createServer() {\n * const server = new McpServer({ name: \"my-server\", version: \"1.0.0\" });\n * server.tool(\"list_repos\", {}, async (args, { authInfo }) => {\n * const github = await kontext.require(\"github\", authInfo!.token);\n * const res = await fetch(\"https://api.github.com/user/repos\", {\n * headers: { Authorization: github.authorization },\n * });\n * return { content: [{ type: \"text\", text: JSON.stringify(await res.json()) }] };\n * });\n * return server;\n * }\n *\n * const app = express();\n * app.use(kontext.middleware(createServer)); // /mcp endpoint + /.well-known/* metadata\n * app.listen(3000);\n * ```\n */\n\nimport { createHash } from \"node:crypto\";\nimport { createRequire } from \"node:module\";\nimport type { Router, Request, Response, NextFunction } from \"express\";\nimport type { McpServerOrFactory } from \"./types.js\";\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\nimport { isInitializeRequest } from \"@modelcontextprotocol/sdk/types.js\";\nimport {\n mcpAuthMetadataRouter,\n getOAuthProtectedResourceMetadataUrl,\n} from \"@modelcontextprotocol/sdk/server/auth/router.js\";\nimport { requireBearerAuth } from \"@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js\";\nimport type { OAuthMetadata } from \"@modelcontextprotocol/sdk/shared/auth.js\";\nimport type { OAuthTokenVerifier } from \"@modelcontextprotocol/sdk/server/auth/provider.js\";\nimport type { AuthInfo } from \"@modelcontextprotocol/sdk/server/auth/types.js\";\nimport { InvalidTokenError } from \"@modelcontextprotocol/sdk/server/auth/errors.js\";\n\nimport {\n exchangeToken,\n type TokenExchangeConfig,\n} from \"../oauth/token-exchange.js\";\nimport { OAuthError, IntegrationConnectionRequiredError } from \"../errors.js\";\nimport { KontextTokenVerifier } from \"../verify/verifier.js\";\nimport { SessionManager, type SessionCallbacks } from \"./sessions.js\";\nimport type {\n KontextOptions,\n MiddlewareOptions,\n IntegrationCredential,\n IntegrationResolvedCredentials,\n IntegrationName,\n} from \"./types.js\";\n\nconst DEFAULT_API_URL = \"https://api.kontext.dev\";\nconst METADATA_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\nconst CREDENTIAL_CACHE_MAX_ENTRIES = 500;\nconst RUNTIME_AUTH_CACHE_MAX_ENTRIES = 8;\nconst RESOLVED_CREDENTIAL_CACHE_TTL_MS = 30 * 1000;\n\nconst SDK_VERSION = (() => {\n try {\n const esmRequire = createRequire(import.meta.url);\n const pkg = esmRequire(\"../../package.json\") as { version?: string };\n return pkg.version ?? \"unknown\";\n } catch {\n return \"unknown\";\n }\n})();\n\ninterface CachedCredential {\n credential: IntegrationCredential;\n expiresAt: number;\n}\n\ninterface CachedResolvedCredential {\n credential: IntegrationResolvedCredentials;\n expiresAt: number;\n}\n\ninterface RuntimeAuthContext {\n metadataRouter: Router;\n bearerAuth: ReturnType<typeof requireBearerAuth>;\n}\n\n/**\n * The v3 Kontext server SDK.\n *\n * Provides two methods:\n * - `middleware(server)` — Express Router with auth metadata, bearer validation, and MCP transport.\n * Accepts an `McpServer` instance (single-session) or a factory `() => McpServer` (concurrent sessions).\n * - `require(integration, token)` — RFC 8693 token exchange with in-memory caching\n * - `requireCredentials(integration, token)` — Resolve per-user credential maps for internal integrations\n */\nexport class Kontext {\n private static readonly shutdownInstances = new Set<Kontext>();\n private static shutdownHandlersRegistered = false;\n\n private readonly clientId: string;\n private readonly clientSecret: string | undefined;\n private readonly apiUrl: string;\n private readonly tokenIssuers: string[];\n\n // AS metadata: fetched lazily, cached with TTL\n private oauthMetadata: OAuthMetadata | null = null;\n private metadataFetchedAt = 0;\n private metadataPromise: Promise<OAuthMetadata> | null = null;\n\n // Token exchange caching: keyed by `${integration}\\0${subjectToken}`\n private readonly credentialCache = new Map<string, CachedCredential>();\n private readonly resolvedCredentialCache = new Map<\n string,\n CachedResolvedCredential\n >();\n private readonly runtimeAuthCache = new Map<string, RuntimeAuthContext>();\n private readonly runtimeVerifierIds = new WeakMap<\n OAuthTokenVerifier,\n number\n >();\n private runtimeVerifierIdCounter = 0;\n\n // Telemetry: cached service token for event reporting\n private serviceToken: string | null = null;\n private serviceTokenExp = 0;\n private serviceTokenPromise: Promise<string> | null = null;\n\n // Session tracking: MCP sessionId → API agentSessionId\n private readonly agentSessionIds = new Map<string, string>();\n private readonly pendingSessionDisconnects = new Set<string>();\n\n constructor(options: KontextOptions) {\n this.clientId = options.clientId;\n this.clientSecret =\n options.clientSecret ?? process.env.KONTEXT_CLIENT_SECRET;\n this.apiUrl = (options.apiUrl ?? DEFAULT_API_URL).replace(/\\/$/, \"\");\n const rawTokenIssuers = Array.isArray(options.tokenIssuer)\n ? options.tokenIssuer\n : options.tokenIssuer\n ? options.tokenIssuer.split(\",\")\n : process.env.KONTEXT_TOKEN_ISSUER?.split(\",\");\n this.tokenIssuers = Array.from(\n new Set(rawTokenIssuers?.map((issuer) => issuer.trim()).filter(Boolean)),\n );\n\n Kontext.shutdownInstances.add(this);\n Kontext.ensureShutdownHandlers();\n }\n\n /**\n * Cleanup method for runtimes that create/dispose SDK instances dynamically.\n * Ensures this instance can be garbage-collected by removing static references.\n */\n async destroy(): Promise<void> {\n await this.disconnectAllSessions();\n Kontext.shutdownInstances.delete(this);\n this.credentialCache.clear();\n this.resolvedCredentialCache.clear();\n this.oauthMetadata = null;\n this.metadataFetchedAt = 0;\n this.metadataPromise = null;\n this.serviceToken = null;\n this.serviceTokenExp = 0;\n this.serviceTokenPromise = null;\n this.agentSessionIds.clear();\n this.pendingSessionDisconnects.clear();\n }\n\n private static ensureShutdownHandlers(): void {\n if (Kontext.shutdownHandlersRegistered) return;\n\n const onShutdown = () => {\n for (const instance of Kontext.shutdownInstances) {\n void instance.disconnectAllSessions();\n }\n };\n\n process.once(\"SIGINT\", onShutdown);\n process.once(\"SIGTERM\", onShutdown);\n Kontext.shutdownHandlersRegistered = true;\n }\n\n // ===========================================================================\n // middleware()\n // ===========================================================================\n\n /**\n * Express middleware: `.well-known` metadata + bearer auth + MCP transport + sessions.\n *\n * Must be mounted at the app root (not a sub-path) because RFC 9728 requires\n * `/.well-known/oauth-protected-resource` at the root. Use `mcpPath` to set\n * the transport endpoint path.\n *\n * @param server - An `McpServer` instance for single-session use, or a\n * `() => McpServer` factory for concurrent sessions (recommended in production).\n * `McpServer.connect()` is 1:1 per the MCP spec — passing a factory ensures\n * each session gets its own instance.\n *\n * @example Factory pattern (recommended for concurrent sessions)\n * ```typescript\n * app.use(kontext.middleware(() => createServer()));\n * ```\n *\n * @example Single instance (local dev / single session)\n * ```typescript\n * app.use(kontext.middleware(server));\n * ```\n *\n * @example Custom path\n * ```typescript\n * app.use(kontext.middleware(createServer, { mcpPath: \"/api/mcp\" }));\n * ```\n */\n middleware(server: McpServerOrFactory, options?: MiddlewareOptions): Router {\n // Dynamic require for express (works in both ESM and CJS)\n const esmRequire = createRequire(import.meta.url);\n const express = esmRequire(\"express\") as typeof import(\"express\");\n const router = express.Router();\n\n const mcpPath = options?.mcpPath ?? \"/mcp\";\n const sessionManager = new SessionManager();\n const omitAuth = options?.dangerouslyOmitAuth ?? false;\n\n // CORS: MCP clients (Inspector, browser-based) connect directly and need\n // CORS to perform OAuth discovery and token exchange from the browser.\n router.use((_req: Request, res: Response, next: NextFunction) => {\n res.header(\"Access-Control-Allow-Origin\", \"*\");\n res.header(\n \"Access-Control-Allow-Headers\",\n \"Content-Type, Authorization, Mcp-Session-Id, Mcp-Protocol-Version, Accept\",\n );\n res.header(\"Access-Control-Expose-Headers\", \"Mcp-Session-Id\");\n res.header(\"Access-Control-Allow-Methods\", \"GET, POST, DELETE, OPTIONS\");\n if (_req.method === \"OPTIONS\") {\n res.sendStatus(204);\n return;\n }\n next();\n });\n\n if (omitAuth) {\n console.warn(\n \"[kontext] ⚠️ Auth is disabled (dangerouslyOmitAuth). Do NOT use in production.\",\n );\n\n // JSON body parsing + unauthenticated MCP transport — no metadata, no bearer auth\n router.use(mcpPath, express.json({ limit: options?.bodyLimit ?? \"1mb\" }));\n const mcpHandler = this.createMcpHandler(\n server,\n sessionManager,\n null,\n options,\n );\n router.post(mcpPath, mcpHandler.post);\n router.get(mcpPath, mcpHandler.get);\n router.delete(mcpPath, mcpHandler.delete);\n\n return router;\n }\n\n const getRuntimeAuth = async (\n req: Request,\n ): Promise<RuntimeAuthContext> => {\n const metadata = this.applyMetadataTransform(\n await this.getOAuthMetadata(),\n options?.metadataTransform,\n );\n const rsUrl = this.resolveResourceServerUrl(req, mcpPath, options);\n return this.getOrCreateRuntimeAuthContext(\n metadata,\n rsUrl,\n options?.verifier,\n );\n };\n\n // Intentionally use a catch-all middleware here. Metadata responses depend\n // on request-derived runtime auth context (host/protocol/mount path), so we\n // guard by path and build that context lazily per request.\n router.use(async (req: Request, res: Response, next: NextFunction) => {\n const path = req.path || req.url || \"\";\n const isMetadataRequest =\n path.startsWith(\"/.well-known/oauth-authorization-server\") ||\n path.startsWith(\"/.well-known/oauth-protected-resource\");\n\n if (!isMetadataRequest) {\n next();\n return;\n }\n\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n runtimeAuth.metadataRouter(req, res, next);\n } catch (error) {\n this.respondMetadataInitError(res, error);\n }\n });\n\n // JSON body parsing for MCP POST requests\n router.use(mcpPath, express.json({ limit: options?.bodyLimit ?? \"1mb\" }));\n\n const mcpHandler = this.createMcpHandler(\n server,\n sessionManager,\n getRuntimeAuth,\n options,\n );\n router.post(mcpPath, mcpHandler.post);\n router.get(mcpPath, mcpHandler.get);\n router.delete(mcpPath, mcpHandler.delete);\n\n return router;\n }\n\n // ===========================================================================\n // require()\n // ===========================================================================\n\n /**\n * Exchange a user's access token for an integration credential.\n *\n * @param integration - Integration name (e.g., \"github\")\n * @param token - The user's Bearer token (from `authInfo.token`)\n * @returns Integration credential with `accessToken` and `authorization` header\n *\n * @throws {IntegrationConnectionRequiredError} User hasn't connected this integration\n * @throws {OAuthError} Token exchange failed\n */\n async require(\n integration: IntegrationName,\n token: string,\n ): Promise<IntegrationCredential> {\n const now = Date.now();\n this.evictExpiredCredentials(now);\n\n // Check cache first\n const cacheKey = `${integration}\\0${token}`;\n const cached = this.credentialCache.get(cacheKey);\n if (cached && now < cached.expiresAt) {\n // LRU touch\n this.credentialCache.delete(cacheKey);\n this.credentialCache.set(cacheKey, cached);\n return cached.credential;\n }\n if (cached) {\n this.credentialCache.delete(cacheKey);\n }\n\n // Perform token exchange\n const exchangeConfig: TokenExchangeConfig = {\n tokenUrl: `${this.apiUrl}/oauth2/token`,\n clientId: this.clientId,\n clientSecret: this.clientSecret,\n };\n\n let response;\n try {\n response = await exchangeToken(exchangeConfig, token, integration);\n } catch (err) {\n // Map \"integration not connected\" errors.\n // Per the spec, when the token exchange returns integration_required\n // the SDK fetches a connect URL via a second API call.\n if (err instanceof OAuthError) {\n if (\n err.errorCode === \"integration_required\" ||\n err.message.includes(\"not connected\") ||\n (err.message.includes(\"expired\") && err.message.includes(\"reconnect\"))\n ) {\n const integrationId =\n (err.meta.integrationId as string) || integration;\n const connectUrl = await this.fetchConnectUrl(\n token,\n integrationId,\n exchangeConfig,\n );\n throw new IntegrationConnectionRequiredError(integrationId, {\n integrationName: err.meta.integrationName as string | undefined,\n connectUrl,\n message: err.message,\n });\n }\n }\n throw err;\n }\n\n const credential: IntegrationCredential = {\n accessToken: response.access_token,\n tokenType: response.token_type,\n authorization: `${response.token_type} ${response.access_token}`,\n expiresIn: response.expires_in,\n scope: response.scope,\n integration,\n };\n\n // Cache with TTL = min(expiresIn - 60s, 5 minutes)\n if (response.expires_in) {\n const ttlMs = Math.min(response.expires_in - 60, 5 * 60) * 1000;\n if (ttlMs > 0) {\n this.trimCacheToFit(this.credentialCache, CREDENTIAL_CACHE_MAX_ENTRIES);\n this.credentialCache.set(cacheKey, {\n credential,\n expiresAt: now + ttlMs,\n });\n }\n }\n\n return credential;\n }\n\n /**\n * Resolve per-user credential key/value pairs for an internal MCP integration.\n *\n * @param integration - Integration UUID or name\n * @param token - The user's Bearer token (from `authInfo.token`)\n * @returns Decrypted credential map for the current user and integration\n *\n * @throws {IntegrationConnectionRequiredError} User has not provided required credentials\n * @throws {OAuthError} Runtime credential resolution failed\n */\n async requireCredentials(\n integration: IntegrationName,\n token: string,\n ): Promise<IntegrationResolvedCredentials> {\n const now = Date.now();\n this.evictExpiredResolvedCredentials(now);\n\n const cacheKey = `${integration}\\0${token}\\0internal_credentials`;\n const cached = this.resolvedCredentialCache.get(cacheKey);\n if (cached && now < cached.expiresAt) {\n this.resolvedCredentialCache.delete(cacheKey);\n this.resolvedCredentialCache.set(cacheKey, cached);\n return cached.credential;\n }\n if (cached) {\n this.resolvedCredentialCache.delete(cacheKey);\n }\n\n const exchangeConfig: TokenExchangeConfig = {\n tokenUrl: `${this.apiUrl}/oauth2/token`,\n clientId: this.clientId,\n clientSecret: this.clientSecret,\n };\n\n let gatewayAccessToken = token;\n if (!this.isGatewayScopedToken(token)) {\n try {\n const exchanged = await exchangeToken(\n exchangeConfig,\n token,\n \"mcp-gateway\",\n );\n gatewayAccessToken = exchanged.access_token;\n } catch (err) {\n throw new OAuthError(\n \"Failed to exchange subject token for runtime\",\n \"kontext_credentials_exchange_failed\",\n {\n errorCode: \"credentials_exchange_failed\",\n errorDescription:\n err instanceof Error\n ? err.message\n : String(err ?? \"unknown error\"),\n },\n );\n }\n }\n\n const integrationId = await this.resolveRuntimeIntegrationId(\n integration,\n gatewayAccessToken,\n );\n\n const res = await fetch(\n `${this.apiUrl}/mcp/integrations/${integrationId}/credentials/resolve`,\n {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${gatewayAccessToken}`,\n \"Content-Type\": \"application/json\",\n },\n body: \"{}\",\n },\n );\n\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n const message =\n text && text.trim().length > 0\n ? text\n : `HTTP ${res.status} while resolving credentials`;\n\n if (\n res.status === 400 &&\n message.toLowerCase().includes(\"credentials required\")\n ) {\n throw new IntegrationConnectionRequiredError(integrationId, {\n integrationName: String(integration),\n message,\n });\n }\n\n throw new OAuthError(\n `Failed to resolve credentials for integration ${integrationId}`,\n \"kontext_credentials_resolve_failed\",\n {\n errorCode: \"credentials_resolve_failed\",\n errorDescription: message,\n },\n );\n }\n\n const payload = (await res.json()) as {\n integrationId?: string;\n credentials?: Record<string, unknown>;\n };\n\n if (\n !payload.credentials ||\n typeof payload.credentials !== \"object\" ||\n Array.isArray(payload.credentials)\n ) {\n throw new OAuthError(\n \"Credential resolve returned invalid payload\",\n \"kontext_credentials_invalid_payload\",\n );\n }\n\n const credentials: Record<string, string> = {};\n for (const [key, value] of Object.entries(payload.credentials)) {\n if (typeof value === \"string\") {\n credentials[key] = value;\n }\n }\n\n if (Object.keys(credentials).length === 0) {\n throw new IntegrationConnectionRequiredError(integrationId, {\n integrationName: String(integration),\n message: \"No credentials configured for this integration\",\n });\n }\n\n const resolved: IntegrationResolvedCredentials = {\n integration,\n integrationId: payload.integrationId ?? integrationId,\n credentials,\n };\n\n this.trimCacheToFit(\n this.resolvedCredentialCache,\n CREDENTIAL_CACHE_MAX_ENTRIES,\n );\n this.resolvedCredentialCache.set(cacheKey, {\n credential: resolved,\n expiresAt: now + RESOLVED_CREDENTIAL_CACHE_TTL_MS,\n });\n\n return resolved;\n }\n\n private getGatewayAudiences(): Set<string> {\n return new Set([`${new URL(this.apiUrl).origin}/mcp`, \"mcp-gateway\"]);\n }\n\n private isGatewayScopedToken(token: string): boolean {\n const audiences = this.extractTokenAudiences(token);\n if (audiences.length === 0) {\n return false;\n }\n const gatewayAudiences = this.getGatewayAudiences();\n return audiences.some((audience) => gatewayAudiences.has(audience));\n }\n\n private extractTokenAudiences(token: string): string[] {\n const [, payloadPart] = token.split(\".\");\n if (!payloadPart) return [];\n try {\n const payload = JSON.parse(\n Buffer.from(payloadPart, \"base64url\").toString(\"utf8\"),\n ) as { aud?: unknown };\n if (typeof payload.aud === \"string\") {\n return [payload.aud];\n }\n if (Array.isArray(payload.aud)) {\n return payload.aud.filter(\n (value): value is string => typeof value === \"string\",\n );\n }\n } catch {\n // Non-JWT or malformed payload — treat as unknown audience.\n }\n return [];\n }\n\n // ===========================================================================\n // Private: fetch connect URL (spec §2 — two-step init)\n // ===========================================================================\n\n private async resolveRuntimeIntegrationId(\n integration: IntegrationName,\n runtimeToken: string,\n ): Promise<string> {\n const raw = String(integration);\n if (this.isUuid(raw)) {\n return raw;\n }\n\n const res = await fetch(`${this.apiUrl}/mcp/integrations`, {\n headers: {\n Authorization: `Bearer ${runtimeToken}`,\n },\n });\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n throw new OAuthError(\n \"Failed to resolve integration identifier\",\n \"kontext_integration_lookup_failed\",\n {\n errorCode: \"integration_lookup_failed\",\n errorDescription: text || `HTTP ${res.status}`,\n },\n );\n }\n\n const payload = (await res.json()) as {\n items?: Array<{ id?: string; name?: string }>;\n };\n const items = Array.isArray(payload.items) ? payload.items : [];\n const match = items.find((item) => item.id === raw || item.name === raw);\n const integrationId = match?.id;\n if (!integrationId) {\n throw new IntegrationConnectionRequiredError(raw, {\n integrationName: raw,\n message: `Integration ${raw} is not attached to this application`,\n });\n }\n\n return integrationId;\n }\n\n private isUuid(value: string): boolean {\n return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(\n value,\n );\n }\n\n /**\n * Fetch a browser-openable connect URL for a missing integration.\n *\n * Per the integration-interrupt-flow spec, the SDK:\n * 1. Exchanges the user's token for a resource-scoped mcp-gateway JWT\n * 2. Calls POST /mcp/integrations/:id/oauth/init with that JWT\n * 3. Returns the `connectUrl` (intermediate endpoint with one-time token)\n *\n * The connect URL points to our own server (ticket pattern), which\n * validates the ticket, sets a browser session cookie, then redirects\n * to the actual OAuth provider.\n */\n private async fetchConnectUrl(\n subjectToken: string,\n integrationId: string,\n exchangeConfig: TokenExchangeConfig,\n ): Promise<string | undefined> {\n try {\n // Step 1: Exchange for mcp-gateway to get a resource-scoped JWT\n const gatewayToken = await exchangeToken(\n exchangeConfig,\n subjectToken,\n \"mcp-gateway\",\n );\n\n // Step 2: Call the init endpoint with the resource-scoped JWT\n const initUrl = `${this.apiUrl}/mcp/integrations/${integrationId}/oauth/init`;\n const res = await fetch(initUrl, {\n method: \"POST\",\n headers: {\n Authorization: `Bearer ${gatewayToken.access_token}`,\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({}),\n });\n\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n console.warn(\n `[kontext] fetchConnectUrl: init endpoint returned ${res.status}: ${text}`,\n );\n return undefined;\n }\n\n const data = (await res.json()) as {\n connectUrl?: string;\n authorizationUrl?: string;\n };\n\n // Prefer connectUrl (intermediate endpoint) over raw authorizationUrl\n return data.connectUrl ?? data.authorizationUrl;\n } catch (err) {\n // If we can't get the connect URL, return undefined — the error\n // still propagates as IntegrationConnectionRequiredError, just\n // without a connect URL.\n console.warn(\n `[kontext] fetchConnectUrl failed:`,\n err instanceof Error ? err.message : String(err),\n );\n return undefined;\n }\n }\n\n // ===========================================================================\n // Private: AS metadata\n // ===========================================================================\n\n private async getOAuthMetadata(): Promise<OAuthMetadata> {\n const now = Date.now();\n if (\n this.oauthMetadata &&\n now - this.metadataFetchedAt < METADATA_CACHE_TTL_MS\n ) {\n return this.oauthMetadata;\n }\n\n if (this.metadataPromise) {\n return this.metadataPromise;\n }\n\n this.metadataPromise = this.fetchOAuthMetadata();\n try {\n const metadata = await this.metadataPromise;\n this.oauthMetadata = metadata;\n this.metadataFetchedAt = Date.now();\n return metadata;\n } finally {\n this.metadataPromise = null;\n }\n }\n\n private applyMetadataTransform(\n metadata: OAuthMetadata,\n metadataTransform?: MiddlewareOptions[\"metadataTransform\"],\n ): OAuthMetadata {\n if (!metadataTransform) {\n return metadata;\n }\n\n // Keep cached discovery metadata immutable from user-provided transforms.\n return metadataTransform(this.cloneOAuthMetadata(metadata));\n }\n\n private cloneOAuthMetadata(metadata: OAuthMetadata): OAuthMetadata {\n return JSON.parse(JSON.stringify(metadata)) as OAuthMetadata;\n }\n\n private async fetchOAuthMetadata(): Promise<OAuthMetadata> {\n // Try RFC 8414 first, then OIDC discovery\n const urls = [\n `${this.apiUrl}/.well-known/oauth-authorization-server`,\n `${this.apiUrl}/.well-known/openid-configuration`,\n ];\n\n let lastError: Error | undefined;\n for (const url of urls) {\n try {\n const res = await fetch(url);\n if (res.ok) {\n return (await res.json()) as OAuthMetadata;\n }\n } catch (err) {\n lastError = err instanceof Error ? err : new Error(String(err));\n }\n }\n\n throw new Error(\n `Failed to fetch AS metadata from ${this.apiUrl}: ${lastError?.message ?? \"unknown error\"}`,\n );\n }\n\n private resolveResourceServerUrl(\n req: Request,\n mcpPath: string,\n options?: MiddlewareOptions,\n ): URL {\n if (options?.resourceServerUrl) {\n return new URL(options.resourceServerUrl);\n }\n const host = req.get(\"host\");\n if (!host) {\n throw new Error(\n \"Missing Host header. Set middleware({ resourceServerUrl }) to a trusted public URL.\",\n );\n }\n return new URL(`${req.protocol}://${host}${mcpPath}`);\n }\n\n private getOrCreateRuntimeAuthContext(\n metadata: OAuthMetadata,\n rsUrl: URL,\n customVerifier?: OAuthTokenVerifier,\n ): RuntimeAuthContext {\n const key = this.getRuntimeAuthCacheKey(rsUrl, customVerifier);\n const cached = this.runtimeAuthCache.get(key);\n if (cached) {\n // LRU touch\n this.runtimeAuthCache.delete(key);\n this.runtimeAuthCache.set(key, cached);\n return cached;\n }\n\n // mcpAuthMetadataRouter uses issuer for authorization_servers.\n // Keep issuer aligned with the request's resource server origin.\n const proxiedMetadata = { ...metadata, issuer: `${rsUrl.origin}/` };\n const metadataRouter = mcpAuthMetadataRouter({\n oauthMetadata: proxiedMetadata,\n resourceServerUrl: rsUrl,\n });\n const resourceMetadataUrl = getOAuthProtectedResourceMetadataUrl(rsUrl);\n const verifier =\n customVerifier ?? this.createTokenVerifier(metadata, rsUrl);\n const runtimeAuth: RuntimeAuthContext = {\n metadataRouter,\n bearerAuth: requireBearerAuth({\n verifier,\n resourceMetadataUrl,\n }),\n };\n\n this.trimCacheToFit(this.runtimeAuthCache, RUNTIME_AUTH_CACHE_MAX_ENTRIES);\n this.runtimeAuthCache.set(key, runtimeAuth);\n return runtimeAuth;\n }\n\n private getRuntimeAuthCacheKey(\n rsUrl: URL,\n customVerifier?: OAuthTokenVerifier,\n ): string {\n if (!customVerifier) {\n return `${rsUrl.href}\\0default`;\n }\n\n let verifierId = this.runtimeVerifierIds.get(customVerifier);\n if (verifierId === undefined) {\n verifierId = ++this.runtimeVerifierIdCounter;\n this.runtimeVerifierIds.set(customVerifier, verifierId);\n }\n\n return `${rsUrl.href}\\0custom:${verifierId}`;\n }\n\n private respondMetadataInitError(res: Response, error: unknown): void {\n const message = error instanceof Error ? error.message : String(error);\n console.error(`[kontext] Failed to fetch AS metadata: ${message}`);\n if (res.headersSent) return;\n res.status(503).json({\n error: \"service_unavailable\",\n error_description:\n \"Failed to fetch authorization server metadata. Retry later.\",\n });\n }\n\n private evictExpiredCredentials(now: number): void {\n for (const [key, value] of this.credentialCache.entries()) {\n if (value.expiresAt <= now) {\n this.credentialCache.delete(key);\n }\n }\n }\n\n private evictExpiredResolvedCredentials(now: number): void {\n for (const [key, value] of this.resolvedCredentialCache.entries()) {\n if (value.expiresAt <= now) {\n this.resolvedCredentialCache.delete(key);\n }\n }\n }\n\n private trimCacheToFit<T>(cache: Map<string, T>, maxEntries: number): void {\n while (cache.size >= maxEntries) {\n const oldestKey = cache.keys().next().value as string | undefined;\n if (!oldestKey) break;\n cache.delete(oldestKey);\n }\n }\n\n // ===========================================================================\n // Private: token verifier\n // ===========================================================================\n\n private createTokenVerifier(\n metadata: OAuthMetadata,\n resourceUrl: URL,\n ): OAuthTokenVerifier {\n const metadataRaw = metadata as Record<string, unknown>;\n const jwksUri =\n (metadataRaw.jwks_uri as string | undefined) ??\n `${this.apiUrl}/.well-known/jwks.json`;\n const clientId = this.clientId;\n\n const issuers = Array.from(\n new Set(\n [metadata.issuer, ...this.tokenIssuers].filter(\n (issuer): issuer is string => typeof issuer === \"string\" && !!issuer,\n ),\n ),\n );\n if (!issuers.length) {\n throw new Error(\"OAuth metadata missing issuer\");\n }\n const issuer: string | string[] =\n issuers.length === 1 ? issuers[0]! : issuers;\n\n const verifier = new KontextTokenVerifier({\n jwksUrl: jwksUri,\n issuer,\n audience: resourceUrl.href,\n });\n\n return {\n async verifyAccessToken(token: string): Promise<AuthInfo> {\n const result = await verifier.verify(token);\n\n if (!result.success) {\n throw new InvalidTokenError(\n `Token verification failed: ${result.error.message}`,\n );\n }\n\n const { claims } = result;\n const payload = claims.payload as Record<string, unknown>;\n const ext = (payload.ext as Record<string, unknown> | undefined) ?? {};\n\n return {\n token,\n clientId: claims.clientId ?? clientId,\n scopes: claims.scopes,\n expiresAt: Math.floor(claims.expiresAt.getTime() / 1000),\n extra: {\n ...ext,\n sub: claims.sub,\n email: payload.email ?? ext.email,\n },\n };\n },\n };\n }\n\n // ===========================================================================\n // Private: telemetry\n // ===========================================================================\n\n private async getServiceToken(): Promise<string> {\n if (this.serviceToken && Date.now() < this.serviceTokenExp - 30_000) {\n return this.serviceToken;\n }\n\n if (this.serviceTokenPromise) {\n return this.serviceTokenPromise;\n }\n\n this.serviceTokenPromise = (async () => {\n const res = await fetch(`${this.apiUrl}/oauth2/token`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Authorization: `Basic ${Buffer.from(this.clientId + \":\" + this.clientSecret).toString(\"base64\")}`,\n },\n body: \"grant_type=client_credentials\",\n });\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n throw new Error(\n `[kontext:telemetry] client_credentials grant failed: HTTP ${res.status} ${text}`,\n );\n }\n const data = (await res.json()) as {\n access_token: string;\n expires_in: number;\n };\n this.serviceToken = data.access_token;\n this.serviceTokenExp = Date.now() + data.expires_in * 1000;\n return data.access_token;\n })();\n\n try {\n return await this.serviceTokenPromise;\n } finally {\n this.serviceTokenPromise = null;\n }\n }\n\n private reportEvent(\n event: Record<string, unknown> & {\n sessionId?: string;\n ownerUserId?: unknown;\n durationMs: number;\n },\n ): void {\n if (!this.clientSecret || !event.sessionId) return;\n this.getServiceToken()\n .then((token) =>\n fetch(`${this.apiUrl}/api/v1/mcp-events`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify({\n ...event,\n agentId: this.clientId,\n clientId: this.clientId,\n clientVersion: SDK_VERSION,\n }),\n }).then((res) => {\n if (!res.ok) {\n console.warn(\n `[kontext:telemetry] event report failed: HTTP ${res.status}`,\n );\n }\n }),\n )\n .catch((err) => {\n console.warn(\n `[kontext:telemetry] error:`,\n err instanceof Error ? err.message : String(err),\n );\n });\n }\n\n // ===========================================================================\n // Private: session lifecycle\n // ===========================================================================\n\n private createAgentSession(\n userToken: string | undefined,\n mcpSessionId: string,\n metadata?: {\n hostname?: string;\n userAgent?: string;\n clientInfo?: Record<string, unknown>;\n tokenExpiresAt?: number;\n },\n ): void {\n if (!this.clientSecret || !userToken) return;\n const tokenIdentifier = createHash(\"sha256\")\n .update(userToken)\n .digest(\"hex\");\n\n this.getServiceToken()\n .then((token) =>\n fetch(`${this.apiUrl}/api/v1/agent-sessions`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify({\n tokenIdentifier,\n clientSessionId: mcpSessionId,\n hostname: metadata?.hostname,\n userAgent: metadata?.userAgent,\n clientInfo: metadata?.clientInfo,\n tokenExpiresAt: metadata?.tokenExpiresAt\n ? new Date(metadata.tokenExpiresAt * 1000).toISOString()\n : undefined,\n }),\n }).then(async (res) => {\n if (res.ok) {\n const data = (await res.json()) as {\n sessionId: string;\n name: string;\n };\n if (this.pendingSessionDisconnects.delete(mcpSessionId)) {\n this.disconnectAgentSessionByAgentSessionId(\n data.sessionId,\n token,\n );\n return;\n }\n\n this.agentSessionIds.set(mcpSessionId, data.sessionId);\n } else {\n this.pendingSessionDisconnects.delete(mcpSessionId);\n console.warn(\n `[kontext:sessions] create failed: HTTP ${res.status}`,\n );\n }\n }),\n )\n .catch((err) => {\n this.pendingSessionDisconnects.delete(mcpSessionId);\n console.warn(\n `[kontext:sessions] error:`,\n err instanceof Error ? err.message : String(err),\n );\n });\n }\n\n private disconnectAgentSessionByAgentSessionId(\n agentSessionId: string,\n serviceToken?: string,\n ): void {\n if (!this.clientSecret) return;\n\n const tokenPromise = serviceToken\n ? Promise.resolve(serviceToken)\n : this.getServiceToken();\n\n tokenPromise\n .then((token) =>\n fetch(\n `${this.apiUrl}/api/v1/agent-sessions/${agentSessionId}/disconnect`,\n {\n method: \"POST\",\n headers: { Authorization: `Bearer ${token}` },\n },\n ),\n )\n .catch(() => {});\n }\n\n private disconnectAgentSession(mcpSessionId: string): void {\n if (!this.clientSecret) return;\n\n const agentSessionId = this.agentSessionIds.get(mcpSessionId);\n this.agentSessionIds.delete(mcpSessionId);\n if (!agentSessionId) {\n this.pendingSessionDisconnects.add(mcpSessionId);\n return;\n }\n\n this.pendingSessionDisconnects.delete(mcpSessionId);\n this.disconnectAgentSessionByAgentSessionId(agentSessionId);\n }\n\n private async disconnectAllSessions(): Promise<void> {\n if (!this.clientSecret) return;\n if (this.agentSessionIds.size === 0) {\n this.pendingSessionDisconnects.clear();\n return;\n }\n\n try {\n const token = await this.getServiceToken();\n await Promise.allSettled(\n [...this.agentSessionIds.values()].map((agentSessionId) =>\n fetch(\n `${this.apiUrl}/api/v1/agent-sessions/${agentSessionId}/disconnect`,\n {\n method: \"POST\",\n headers: { Authorization: `Bearer ${token}` },\n },\n ),\n ),\n );\n } catch {\n // Best-effort on shutdown — swallow errors\n }\n this.agentSessionIds.clear();\n this.pendingSessionDisconnects.clear();\n }\n\n // ===========================================================================\n // Private: MCP transport handlers\n // ===========================================================================\n\n private async runBearerAuth(\n bearerAuth: ReturnType<typeof requireBearerAuth>,\n req: Request,\n res: Response,\n ): Promise<void> {\n await new Promise<void>((resolve, reject) => {\n let settled = false;\n let nextCalled = false;\n\n const cleanup = () => {\n res.removeListener(\"finish\", onResponseDone);\n res.removeListener(\"close\", onResponseDone);\n };\n\n const settleResolve = () => {\n if (settled) return;\n settled = true;\n cleanup();\n resolve();\n };\n\n const settleReject = (err: unknown) => {\n if (settled) return;\n settled = true;\n cleanup();\n reject(err instanceof Error ? err : new Error(String(err)));\n };\n\n const onResponseDone = () => {\n // Auth middleware can terminate the response (401/403) without\n // calling next(). Treat response completion as terminal.\n settleResolve();\n };\n\n res.once(\"finish\", onResponseDone);\n res.once(\"close\", onResponseDone);\n\n let middlewareResult: unknown;\n try {\n middlewareResult = bearerAuth(req, res, (err?: unknown) => {\n nextCalled = true;\n if (err) {\n settleReject(err);\n return;\n }\n settleResolve();\n });\n } catch (err) {\n settleReject(err);\n return;\n }\n\n void Promise.resolve(middlewareResult).then(\n () => {\n if (!nextCalled && res.headersSent) {\n settleResolve();\n }\n },\n (err: unknown) => {\n settleReject(err);\n },\n );\n });\n }\n\n private createMcpHandler(\n server: McpServerOrFactory,\n sessionManager: SessionManager,\n getRuntimeAuth: ((req: Request) => Promise<RuntimeAuthContext>) | null,\n options?: MiddlewareOptions,\n ) {\n const callbacks: SessionCallbacks = {\n onSessionClosed: (sessionId: string) => {\n options?.onSessionClosed?.(sessionId);\n this.disconnectAgentSession(sessionId);\n },\n };\n\n const post = async (req: Request, res: Response) => {\n const traceId = crypto.randomUUID();\n const authReq = req as Request & { auth?: AuthInfo };\n\n // Authenticate every request (not just initialize) so authInfo\n // is available in tool handlers on subsequent calls.\n if (getRuntimeAuth) {\n let bearerAuth: ReturnType<typeof requireBearerAuth>;\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n bearerAuth = runtimeAuth.bearerAuth;\n } catch (error) {\n this.respondMetadataInitError(res, error);\n return;\n }\n\n await this.runBearerAuth(bearerAuth, req, res);\n\n const sessionId = req.headers[\"mcp-session-id\"] as string | undefined;\n\n // Only report auth events for established sessions — the\n // initial request has no session ID yet and is covered by\n // the \"initialize\" event instead.\n if (sessionId) {\n if (res.headersSent) {\n this.reportEvent({\n eventType: \"auth_error\",\n traceId,\n sessionId,\n durationMs: 0,\n status: \"error_auth\",\n });\n return;\n }\n\n if (authReq.auth) {\n this.reportEvent({\n eventType: \"auth_ok\",\n traceId,\n ownerUserId: authReq.auth.extra?.sub,\n sessionId,\n durationMs: 0,\n status: \"ok\",\n });\n }\n } else if (res.headersSent) {\n // Auth failed on initial request — nothing more to do\n return;\n }\n }\n\n const sessionId = req.headers[\"mcp-session-id\"] as string | undefined;\n\n // If there's an existing session, route to its transport\n if (sessionId) {\n const transport = sessionManager.getTransport(sessionId);\n if (transport) {\n sessionManager.touchSession(sessionId);\n await transport.handleRequest(req, res, req.body);\n return;\n }\n }\n\n // New session: must be an initialize request\n if (!isInitializeRequest(req.body)) {\n res.status(400).json({\n jsonrpc: \"2.0\",\n error: {\n code: -32000,\n message: sessionId\n ? `Session ${sessionId} not found`\n : \"No valid session ID provided\",\n },\n id: null,\n });\n return;\n }\n\n // Create transport and connect\n const authInfo = authReq.auth;\n const transport = new StreamableHTTPServerTransport({\n sessionIdGenerator: () => crypto.randomUUID(),\n onsessioninitialized: (sid: string) => {\n sessionManager.registerSession(\n sid,\n transport,\n callbacks,\n authInfo?.expiresAt,\n );\n options?.onSessionInitialized?.(sid, authInfo, transport);\n this.reportEvent({\n eventType: \"initialize\",\n traceId,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n durationMs: 0,\n status: \"ok\",\n });\n this.createAgentSession(authInfo?.token, sid, {\n hostname: req.headers[\"x-forwarded-for\"] as string | undefined,\n userAgent: req.headers[\"user-agent\"] as string | undefined,\n tokenExpiresAt: authInfo?.expiresAt,\n });\n },\n });\n\n // Wrap handleRequest to intercept tool calls with telemetry\n const originalHandle = transport.handleRequest.bind(transport);\n transport.handleRequest = async (\n wrappedReq: Request,\n wrappedRes: Response,\n parsedBody?: Record<string, unknown>,\n ) => {\n const reqTraceId = wrappedReq === req ? traceId : crypto.randomUUID();\n const sid =\n (wrappedReq.headers[\"mcp-session-id\"] as string | undefined) ??\n transport.sessionId;\n const start = Date.now();\n try {\n await originalHandle(wrappedReq, wrappedRes, parsedBody);\n if (parsedBody?.method === \"tools/call\") {\n this.reportEvent({\n eventType: \"execute_tool\",\n traceId: reqTraceId,\n toolName: (\n parsedBody.params as Record<string, unknown> | undefined\n )?.name,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"ok\",\n requestJson: parsedBody.params,\n });\n } else if (parsedBody?.method === \"tools/list\") {\n this.reportEvent({\n eventType: \"search_tools\",\n traceId: reqTraceId,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"ok\",\n });\n }\n } catch (err) {\n if (parsedBody?.method === \"tools/call\") {\n this.reportEvent({\n eventType: \"execute_tool\",\n traceId: reqTraceId,\n toolName: (\n parsedBody.params as Record<string, unknown> | undefined\n )?.name,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"error_remote\",\n errorMessage: err instanceof Error ? err.message : String(err),\n });\n } else if (parsedBody?.method === \"tools/list\") {\n this.reportEvent({\n eventType: \"search_tools\",\n traceId: reqTraceId,\n durationMs: Date.now() - start,\n sessionId: sid,\n ownerUserId: authInfo?.extra?.sub,\n status: \"error_remote\",\n errorMessage: err instanceof Error ? err.message : String(err),\n });\n }\n throw err;\n }\n };\n\n const mcpServer = typeof server === \"function\" ? server() : server;\n await mcpServer.connect(transport);\n await transport.handleRequest(req, res, req.body);\n };\n\n const get = async (req: Request, res: Response) => {\n if (getRuntimeAuth) {\n let bearerAuth: ReturnType<typeof requireBearerAuth>;\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n bearerAuth = runtimeAuth.bearerAuth;\n } catch (error) {\n this.respondMetadataInitError(res, error);\n return;\n }\n\n await this.runBearerAuth(bearerAuth, req, res);\n if (res.headersSent) {\n return;\n }\n }\n\n const sessionId =\n (req.headers[\"mcp-session-id\"] as string | undefined) ||\n (req.headers[\"Mcp-Session-Id\"] as string | undefined);\n if (!sessionId) {\n res.status(400).json({ error: \"Missing Mcp-Session-Id header\" });\n return;\n }\n\n const transport = sessionManager.getTransport(sessionId);\n if (!transport) {\n res.status(400).json({ error: \"Session not found\" });\n return;\n }\n\n sessionManager.touchSession(sessionId);\n await transport.handleRequest(req, res);\n };\n\n const del = async (req: Request, res: Response) => {\n if (getRuntimeAuth) {\n let bearerAuth: ReturnType<typeof requireBearerAuth>;\n try {\n const runtimeAuth = await getRuntimeAuth(req);\n bearerAuth = runtimeAuth.bearerAuth;\n } catch (error) {\n this.respondMetadataInitError(res, error);\n return;\n }\n\n await this.runBearerAuth(bearerAuth, req, res);\n if (res.headersSent) {\n return;\n }\n }\n\n const sessionId =\n (req.headers[\"mcp-session-id\"] as string | undefined) ||\n (req.headers[\"Mcp-Session-Id\"] as string | undefined);\n if (!sessionId) {\n res.status(400).json({ error: \"Missing Mcp-Session-Id header\" });\n return;\n }\n\n const transport = sessionManager.getTransport(sessionId);\n if (!transport) {\n res.status(400).json({ error: \"Session not found\" });\n return;\n }\n\n await transport.handleRequest(req, res);\n };\n\n return { post, get, delete: del };\n }\n}\n"]}