@lark-project/openclaw-lark-project 2026.3.131

package/dist/src/core/message-unavailable.js

@@ -0,0 +1,119 @@
+import { MESSAGE_TERMINAL_CODES } from "./auth-errors";
+import { extractLarkApiCode } from "./api-error";
+import { normalizeMessageId } from "./targets";
+const UNAVAILABLE_CACHE_TTL_MS = 30 * 60 * 1e3;
+const MAX_CACHE_SIZE_BEFORE_PRUNE = 512;
+const unavailableMessageCache = /* @__PURE__ */ new Map();
+function pruneExpired(nowMs = Date.now()) {
+  for (const [messageId, state] of unavailableMessageCache) {
+    if (nowMs - state.markedAtMs > UNAVAILABLE_CACHE_TTL_MS) {
+      unavailableMessageCache.delete(messageId);
+    }
+  }
+}
+function isTerminalMessageApiCode(code) {
+  return typeof code === "number" && MESSAGE_TERMINAL_CODES.has(code);
+}
+function markMessageUnavailable(params) {
+  const normalizedId = normalizeMessageId(params.messageId);
+  if (!normalizedId) return;
+  if (unavailableMessageCache.size >= MAX_CACHE_SIZE_BEFORE_PRUNE) {
+    pruneExpired();
+  }
+  unavailableMessageCache.set(normalizedId, {
+    apiCode: params.apiCode,
+    operation: params.operation,
+    markedAtMs: Date.now()
+  });
+}
+function getMessageUnavailableState(messageId) {
+  const normalizedId = normalizeMessageId(messageId);
+  if (!normalizedId) return void 0;
+  const state = unavailableMessageCache.get(normalizedId);
+  if (!state) return void 0;
+  if (Date.now() - state.markedAtMs > UNAVAILABLE_CACHE_TTL_MS) {
+    unavailableMessageCache.delete(normalizedId);
+    return void 0;
+  }
+  return state;
+}
+function isMessageUnavailable(messageId) {
+  return !!getMessageUnavailableState(messageId);
+}
+function markMessageUnavailableFromError(params) {
+  const normalizedId = normalizeMessageId(params.messageId);
+  if (!normalizedId) return void 0;
+  const code = extractLarkApiCode(params.error);
+  if (!isTerminalMessageApiCode(code)) return void 0;
+  markMessageUnavailable({
+    messageId: normalizedId,
+    apiCode: code,
+    operation: params.operation
+  });
+  return code;
+}
+class MessageUnavailableError extends Error {
+  messageId;
+  apiCode;
+  operation;
+  constructor(params) {
+    const operationText = params.operation ? `, op=${params.operation}` : "";
+    super(
+      `[feishu-message-unavailable] message ${params.messageId} unavailable (code=${params.apiCode}${operationText})`
+    );
+    this.name = "MessageUnavailableError";
+    this.messageId = params.messageId;
+    this.apiCode = params.apiCode;
+    this.operation = params.operation;
+  }
+}
+function isMessageUnavailableError(error) {
+  return error instanceof MessageUnavailableError || typeof error === "object" && error !== null && error.name === "MessageUnavailableError";
+}
+function assertMessageAvailable(messageId, operation) {
+  const normalizedId = normalizeMessageId(messageId);
+  if (!normalizedId) return;
+  const state = getMessageUnavailableState(normalizedId);
+  if (!state) return;
+  throw new MessageUnavailableError({
+    messageId: normalizedId,
+    apiCode: state.apiCode,
+    operation: operation ?? state.operation
+  });
+}
+async function runWithMessageUnavailableGuard(params) {
+  const normalizedId = normalizeMessageId(params.messageId);
+  if (!normalizedId) {
+    return params.fn();
+  }
+  assertMessageAvailable(normalizedId, params.operation);
+  try {
+    return await params.fn();
+  } catch (error) {
+    const code = markMessageUnavailableFromError({
+      messageId: normalizedId,
+      error,
+      operation: params.operation
+    });
+    if (code) {
+      throw new MessageUnavailableError({
+        messageId: normalizedId,
+        apiCode: code,
+        operation: params.operation
+      });
+    }
+    throw error;
+  }
+}
+export {
+  MessageUnavailableError,
+  assertMessageAvailable,
+  getMessageUnavailableState,
+  isMessageUnavailable,
+  isMessageUnavailableError,
+  isTerminalMessageApiCode,
+  markMessageUnavailable,
+  markMessageUnavailableFromError,
+  runWithMessageUnavailableGuard
+};
+//# sourceMappingURL=message-unavailable.js.map

package/dist/src/core/message-unavailable.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/message-unavailable.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * \u6D88\u606F\u4E0D\u53EF\u7528\uFF08\u5DF2\u64A4\u56DE/\u5DF2\u5220\u9664\uFF09\u72B6\u6001\u7BA1\u7406\u3002\n *\n * \u76EE\u6807\uFF1A\n * 1) \u5F53\u547D\u4E2D\u98DE\u4E66\u7EC8\u6B62\u9519\u8BEF\u7801\uFF08230011/231003\uFF09\u65F6\uFF0C\u6309 message_id \u6807\u8BB0\u4E0D\u53EF\u7528\uFF1B\n * 2) \u540E\u7EED\u9488\u5BF9\u8BE5 message_id \u7684 API \u8C03\u7528\u76F4\u63A5\u77ED\u8DEF\uFF0C\u907F\u514D\u6301\u7EED\u62A5\u9519\u5237\u5C4F\u3002\n */\n\nimport { LARK_ERROR, MESSAGE_TERMINAL_CODES } from './auth-errors';\nimport { extractLarkApiCode } from './api-error';\nimport { normalizeMessageId } from './targets';\n\nexport type TerminalMessageApiCode = typeof LARK_ERROR.MESSAGE_RECALLED | typeof LARK_ERROR.MESSAGE_DELETED;\n\nexport interface MessageUnavailableState {\n  apiCode: TerminalMessageApiCode;\n  markedAtMs: number;\n  operation?: string;\n}\n\nconst UNAVAILABLE_CACHE_TTL_MS = 30 * 60 * 1000;\nconst MAX_CACHE_SIZE_BEFORE_PRUNE = 512;\n\nconst unavailableMessageCache = new Map<string, MessageUnavailableState>();\n\nfunction pruneExpired(nowMs = Date.now()): void {\n  for (const [messageId, state] of unavailableMessageCache) {\n    if (nowMs - state.markedAtMs > UNAVAILABLE_CACHE_TTL_MS) {\n      unavailableMessageCache.delete(messageId);\n    }\n  }\n}\n\nexport function isTerminalMessageApiCode(code: unknown): code is TerminalMessageApiCode {\n  return typeof code === 'number' && MESSAGE_TERMINAL_CODES.has(code);\n}\n\nexport function markMessageUnavailable(params: {\n  messageId: string;\n  apiCode: TerminalMessageApiCode;\n  operation?: string;\n}): void {\n  const normalizedId = normalizeMessageId(params.messageId);\n  if (!normalizedId) return;\n\n  if (unavailableMessageCache.size >= MAX_CACHE_SIZE_BEFORE_PRUNE) {\n    pruneExpired();\n  }\n\n  unavailableMessageCache.set(normalizedId, {\n    apiCode: params.apiCode,\n    operation: params.operation,\n    markedAtMs: Date.now(),\n  });\n}\n\nexport function getMessageUnavailableState(messageId: string | undefined): MessageUnavailableState | undefined {\n  const normalizedId = normalizeMessageId(messageId);\n  if (!normalizedId) return undefined;\n\n  const state = unavailableMessageCache.get(normalizedId);\n  if (!state) return undefined;\n\n  if (Date.now() - state.markedAtMs > UNAVAILABLE_CACHE_TTL_MS) {\n    unavailableMessageCache.delete(normalizedId);\n    return undefined;\n  }\n\n  return state;\n}\n\nexport function isMessageUnavailable(messageId: string | undefined): boolean {\n  return !!getMessageUnavailableState(messageId);\n}\n\nexport function markMessageUnavailableFromError(params: {\n  messageId: string | undefined;\n  error: unknown;\n  operation?: string;\n}): TerminalMessageApiCode | undefined {\n  const normalizedId = normalizeMessageId(params.messageId);\n  if (!normalizedId) return undefined;\n\n  const code = extractLarkApiCode(params.error);\n  if (!isTerminalMessageApiCode(code)) return undefined;\n\n  markMessageUnavailable({\n    messageId: normalizedId,\n    apiCode: code,\n    operation: params.operation,\n  });\n  return code;\n}\n\nexport class MessageUnavailableError extends Error {\n  readonly messageId: string;\n  readonly apiCode: TerminalMessageApiCode;\n  readonly operation?: string;\n\n  constructor(params: { messageId: string; apiCode: TerminalMessageApiCode; operation?: string }) {\n    const operationText = params.operation ? `, op=${params.operation}` : '';\n    super(\n      `[feishu-message-unavailable] message ${params.messageId} unavailable (code=${params.apiCode}${operationText})`,\n    );\n    this.name = 'MessageUnavailableError';\n    this.messageId = params.messageId;\n    this.apiCode = params.apiCode;\n    this.operation = params.operation;\n  }\n}\n\nexport function isMessageUnavailableError(error: unknown): error is MessageUnavailableError {\n  return (\n    error instanceof MessageUnavailableError ||\n    (typeof error === 'object' && error !== null && (error as { name?: string }).name === 'MessageUnavailableError')\n  );\n}\n\nexport function assertMessageAvailable(messageId: string | undefined, operation?: string): void {\n  const normalizedId = normalizeMessageId(messageId);\n  if (!normalizedId) return;\n\n  const state = getMessageUnavailableState(normalizedId);\n  if (!state) return;\n\n  throw new MessageUnavailableError({\n    messageId: normalizedId,\n    apiCode: state.apiCode,\n    operation: operation ?? state.operation,\n  });\n}\n\n/**\n * \u9488\u5BF9 message_id \u7684\u7EDF\u4E00\u4FDD\u62A4\uFF1A\n * - \u8C03\u7528\u524D\u68C0\u67E5\u662F\u5426\u5DF2\u6807\u8BB0\u4E0D\u53EF\u7528\uFF1B\n * - \u8C03\u7528\u62A5\u9519\u540E\u8BC6\u522B 230011/231003 \u5E76\u6807\u8BB0\uFF1B\n * - \u547D\u4E2D\u65F6\u629B\u51FA MessageUnavailableError \u4F9B\u4E0A\u6E38\u5FEB\u901F\u7EC8\u6B62\u6D41\u7A0B\u3002\n */\nexport async function runWithMessageUnavailableGuard<T>(params: {\n  messageId: string | undefined;\n  operation: string;\n  fn: () => Promise<T>;\n}): Promise<T> {\n  const normalizedId = normalizeMessageId(params.messageId);\n  if (!normalizedId) {\n    return params.fn();\n  }\n\n  assertMessageAvailable(normalizedId, params.operation);\n\n  try {\n    return await params.fn();\n  } catch (error) {\n    const code = markMessageUnavailableFromError({\n      messageId: normalizedId,\n      error,\n      operation: params.operation,\n    });\n    if (code) {\n      throw new MessageUnavailableError({\n        messageId: normalizedId,\n        apiCode: code,\n        operation: params.operation,\n      });\n    }\n    throw error;\n  }\n}\n"],
+  "mappings": "AAWA,SAAqB,8BAA8B;AACnD,SAAS,0BAA0B;AACnC,SAAS,0BAA0B;AAUnC,MAAM,2BAA2B,KAAK,KAAK;AAC3C,MAAM,8BAA8B;AAEpC,MAAM,0BAA0B,oBAAI,IAAqC;AAEzE,SAAS,aAAa,QAAQ,KAAK,IAAI,GAAS;AAC9C,aAAW,CAAC,WAAW,KAAK,KAAK,yBAAyB;AACxD,QAAI,QAAQ,MAAM,aAAa,0BAA0B;AACvD,8BAAwB,OAAO,SAAS;AAAA,IAC1C;AAAA,EACF;AACF;AAEO,SAAS,yBAAyB,MAA+C;AACtF,SAAO,OAAO,SAAS,YAAY,uBAAuB,IAAI,IAAI;AACpE;AAEO,SAAS,uBAAuB,QAI9B;AACP,QAAM,eAAe,mBAAmB,OAAO,SAAS;AACxD,MAAI,CAAC,aAAc;AAEnB,MAAI,wBAAwB,QAAQ,6BAA6B;AAC/D,iBAAa;AAAA,EACf;AAEA,0BAAwB,IAAI,cAAc;AAAA,IACxC,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,YAAY,KAAK,IAAI;AAAA,EACvB,CAAC;AACH;AAEO,SAAS,2BAA2B,WAAoE;AAC7G,QAAM,eAAe,mBAAmB,SAAS;AACjD,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,QAAQ,wBAAwB,IAAI,YAAY;AACtD,MAAI,CAAC,MAAO,QAAO;AAEnB,MAAI,KAAK,IAAI,IAAI,MAAM,aAAa,0BAA0B;AAC5D,4BAAwB,OAAO,YAAY;AAC3C,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,qBAAqB,WAAwC;AAC3E,SAAO,CAAC,CAAC,2BAA2B,SAAS;AAC/C;AAEO,SAAS,gCAAgC,QAIT;AACrC,QAAM,eAAe,mBAAmB,OAAO,SAAS;AACxD,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,OAAO,mBAAmB,OAAO,KAAK;AAC5C,MAAI,CAAC,yBAAyB,IAAI,EAAG,QAAO;AAE5C,yBAAuB;AAAA,IACrB,WAAW;AAAA,IACX,SAAS;AAAA,IACT,WAAW,OAAO;AAAA,EACpB,CAAC;AACD,SAAO;AACT;AAEO,MAAM,gCAAgC,MAAM;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,QAAoF;AAC9F,UAAM,gBAAgB,OAAO,YAAY,QAAQ,OAAO,SAAS,KAAK;AACtE;AAAA,MACE,wCAAwC,OAAO,SAAS,sBAAsB,OAAO,OAAO,GAAG,aAAa;AAAA,IAC9G;AACA,SAAK,OAAO;AACZ,SAAK,YAAY,OAAO;AACxB,SAAK,UAAU,OAAO;AACtB,SAAK,YAAY,OAAO;AAAA,EAC1B;AACF;AAEO,SAAS,0BAA0B,OAAkD;AAC1F,SACE,iBAAiB,2BAChB,OAAO,UAAU,YAAY,UAAU,QAAS,MAA4B,SAAS;AAE1F;AAEO,SAAS,uBAAuB,WAA+B,WAA0B;AAC9F,QAAM,eAAe,mBAAmB,SAAS;AACjD,MAAI,CAAC,aAAc;AAEnB,QAAM,QAAQ,2BAA2B,YAAY;AACrD,MAAI,CAAC,MAAO;AAEZ,QAAM,IAAI,wBAAwB;AAAA,IAChC,WAAW;AAAA,IACX,SAAS,MAAM;AAAA,IACf,WAAW,aAAa,MAAM;AAAA,EAChC,CAAC;AACH;AAQA,eAAsB,+BAAkC,QAIzC;AACb,QAAM,eAAe,mBAAmB,OAAO,SAAS;AACxD,MAAI,CAAC,cAAc;AACjB,WAAO,OAAO,GAAG;AAAA,EACnB;AAEA,yBAAuB,cAAc,OAAO,SAAS;AAErD,MAAI;AACF,WAAO,MAAM,OAAO,GAAG;AAAA,EACzB,SAAS,OAAO;AACd,UAAM,OAAO,gCAAgC;AAAA,MAC3C,WAAW;AAAA,MACX;AAAA,MACA,WAAW,OAAO;AAAA,IACpB,CAAC;AACD,QAAI,MAAM;AACR,YAAM,IAAI,wBAAwB;AAAA,QAChC,WAAW;AAAA,QACX,SAAS;AAAA,QACT,WAAW,OAAO;AAAA,MACpB,CAAC;AAAA,IACH;AACA,UAAM;AAAA,EACR;AACF;",
+  "names": []
+}

package/dist/src/core/owner-policy.js

@@ -0,0 +1,25 @@
+import { getAppOwnerFallback } from "./app-owner-fallback";
+class OwnerAccessDeniedError extends Error {
+  userOpenId;
+  appOwnerId;
+  constructor(userOpenId, appOwnerId) {
+    super("Permission denied: Only the app owner is authorized to use this feature.");
+    this.name = "OwnerAccessDeniedError";
+    this.userOpenId = userOpenId;
+    this.appOwnerId = appOwnerId;
+  }
+}
+async function assertOwnerAccessStrict(account, sdk, userOpenId) {
+  const ownerOpenId = await getAppOwnerFallback(account, sdk);
+  if (!ownerOpenId) {
+    throw new OwnerAccessDeniedError(userOpenId, "unknown");
+  }
+  if (ownerOpenId !== userOpenId) {
+    throw new OwnerAccessDeniedError(userOpenId, ownerOpenId);
+  }
+}
+export {
+  OwnerAccessDeniedError,
+  assertOwnerAccessStrict
+};
+//# sourceMappingURL=owner-policy.js.map

package/dist/src/core/owner-policy.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/owner-policy.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * owner-policy.ts \u2014 \u5E94\u7528 Owner \u8BBF\u95EE\u63A7\u5236\u7B56\u7565\u3002\n *\n * \u4ECE uat-client.ts \u8FC1\u79FB owner \u68C0\u67E5\u903B\u8F91\u5230\u72EC\u7ACB policy \u5C42\u3002\n * \u63D0\u4F9B fail-close \u7B56\u7565\uFF08\u5B89\u5168\u4F18\u5148\uFF1A\u6388\u6743\u53D1\u8D77\u8DEF\u5F84\uFF09\u3002\n */\n\nimport type { ConfiguredLarkAccount } from './types';\nimport { getAppOwnerFallback } from './app-owner-fallback';\n\n// ---------------------------------------------------------------------------\n// Error class\n// ---------------------------------------------------------------------------\n\n/**\n * \u975E\u5E94\u7528 owner \u5C1D\u8BD5\u6267\u884C owner-only \u64CD\u4F5C\u65F6\u629B\u51FA\u3002\n *\n * \u6CE8\u610F\uFF1A`appOwnerId` \u4EC5\u7528\u4E8E\u5185\u90E8\u65E5\u5FD7\uFF0C\u4E0D\u5E94\u5E8F\u5217\u5316\u5230\u7528\u6237\u53EF\u89C1\u7684\u54CD\u5E94\u4E2D\uFF0C\n * \u4EE5\u907F\u514D\u6CC4\u9732 owner \u7684 open_id\u3002\n */\nexport class OwnerAccessDeniedError extends Error {\n  readonly userOpenId: string;\n  readonly appOwnerId: string;\n\n  constructor(userOpenId: string, appOwnerId: string) {\n    super('Permission denied: Only the app owner is authorized to use this feature.');\n    this.name = 'OwnerAccessDeniedError';\n    this.userOpenId = userOpenId;\n    this.appOwnerId = appOwnerId;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Policy functions\n// ---------------------------------------------------------------------------\n\n/**\n * \u6821\u9A8C\u7528\u6237\u662F\u5426\u4E3A\u5E94\u7528 owner\uFF08fail-close \u7248\u672C\uFF09\u3002\n *\n * - \u83B7\u53D6 owner \u5931\u8D25\u65F6 \u2192 \u62D2\u7EDD\uFF08\u5B89\u5168\u4F18\u5148\uFF09\n * - owner \u4E0D\u5339\u914D\u65F6 \u2192 \u62D2\u7EDD\n *\n * \u9002\u7528\u4E8E\uFF1A`executeAuthorize`\uFF08OAuth \u6388\u6743\u53D1\u8D77\uFF09\u3001`commands/auth.ts`\uFF08\u6279\u91CF\u6388\u6743\uFF09\u7B49\n * \u8D4B\u4E88\u5B9E\u8D28\u6027\u6743\u9650\u7684\u5165\u53E3\u3002\n */\nexport async function assertOwnerAccessStrict(\n  account: ConfiguredLarkAccount,\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  sdk: any,\n  userOpenId: string,\n): Promise<void> {\n  const ownerOpenId = await getAppOwnerFallback(account, sdk);\n\n  if (!ownerOpenId) {\n    throw new OwnerAccessDeniedError(userOpenId, 'unknown');\n  }\n\n  if (ownerOpenId !== userOpenId) {\n    throw new OwnerAccessDeniedError(userOpenId, ownerOpenId);\n  }\n}\n"],
+  "mappings": "AAWA,SAAS,2BAA2B;AAY7B,MAAM,+BAA+B,MAAM;AAAA,EACvC;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,YAAoB;AAClD,UAAM,0EAA0E;AAChF,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,aAAa;AAAA,EACpB;AACF;AAeA,eAAsB,wBACpB,SAEA,KACA,YACe;AACf,QAAM,cAAc,MAAM,oBAAoB,SAAS,GAAG;AAE1D,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,uBAAuB,YAAY,SAAS;AAAA,EACxD;AAEA,MAAI,gBAAgB,YAAY;AAC9B,UAAM,IAAI,uBAAuB,YAAY,WAAW;AAAA,EAC1D;AACF;",
+  "names": []
+}

package/dist/src/core/permission-url.js

@@ -0,0 +1,37 @@
+function getPermissionPriority(scope) {
+  const lowerScope = scope.toLowerCase();
+  const hasRead = lowerScope.includes("read");
+  const hasWrite = lowerScope.includes("write");
+  if (hasRead && !hasWrite) return 1;
+  if (hasWrite && !hasRead) return 2;
+  return 3;
+}
+function extractHighestPriorityScope(scopeList) {
+  return scopeList.split(",").sort((a, b) => getPermissionPriority(a) - getPermissionPriority(b))[0] ?? "";
+}
+function extractPermissionGrantUrl(msg) {
+  const urlMatch = msg.match(/https:\/\/[^\s]+\/app\/[^\s]+/);
+  if (!urlMatch?.[0]) {
+    return "";
+  }
+  try {
+    const url = new URL(urlMatch[0]);
+    const scopeListParam = url.searchParams.get("q") ?? "";
+    const firstScope = extractHighestPriorityScope(scopeListParam);
+    if (firstScope) {
+      url.searchParams.set("q", firstScope);
+    }
+    return url.href;
+  } catch {
+    return urlMatch[0];
+  }
+}
+function extractPermissionScopes(msg) {
+  const scopeMatch = msg.match(/\[([^\]]+)\]/);
+  return scopeMatch?.[1] ?? "unknown";
+}
+export {
+  extractPermissionGrantUrl,
+  extractPermissionScopes
+};
+//# sourceMappingURL=permission-url.js.map

package/dist/src/core/permission-url.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/permission-url.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * Permission URL extraction utilities.\n *\n * Shared functions for extracting and processing permission grant URLs\n * from Feishu API error messages.\n */\n\n// ---------------------------------------------------------------------------\n// Permission priority\n// ---------------------------------------------------------------------------\n\n/**\n * Permission priority for sorting.\n * Lower number = higher priority.\n * - read: 1 (highest)\n * - write: 2\n * - other / both read+write: 3 (lowest)\n */\nfunction getPermissionPriority(scope: string): number {\n  const lowerScope = scope.toLowerCase();\n  const hasRead = lowerScope.includes('read');\n  const hasWrite = lowerScope.includes('write');\n\n  if (hasRead && !hasWrite) return 1;\n  if (hasWrite && !hasRead) return 2;\n  return 3;\n}\n\n/**\n * Extract the highest-priority permission from a scope list.\n * Returns the permission with the lowest priority number (read > write > other).\n */\nfunction extractHighestPriorityScope(scopeList: string): string {\n  return scopeList.split(',').sort((a, b) => getPermissionPriority(a) - getPermissionPriority(b))[0] ?? '';\n}\n\n// ---------------------------------------------------------------------------\n// Permission URL extraction\n// ---------------------------------------------------------------------------\n\n/**\n * Extract permission grant URL from a Feishu error message and optimize it\n * by keeping only the highest-priority permission.\n *\n * @param msg - The error message containing the grant URL\n * @returns The optimized grant URL with single permission, or empty string if not found\n */\nexport function extractPermissionGrantUrl(msg: string): string {\n  const urlMatch = msg.match(/https:\\/\\/[^\\s]+\\/app\\/[^\\s]+/);\n  if (!urlMatch?.[0]) {\n    return '';\n  }\n\n  try {\n    const url = new URL(urlMatch[0]);\n    const scopeListParam = url.searchParams.get('q') ?? '';\n    const firstScope = extractHighestPriorityScope(scopeListParam);\n    if (firstScope) {\n      url.searchParams.set('q', firstScope);\n    }\n    return url.href;\n  } catch {\n    return urlMatch[0];\n  }\n}\n\n/**\n * Extract permission scopes from a Feishu error message.\n * Looks for scopes in the format [scope1,scope2,...]\n */\nexport function extractPermissionScopes(msg: string): string {\n  const scopeMatch = msg.match(/\\[([^\\]]+)\\]/);\n  return scopeMatch?.[1] ?? 'unknown';\n}\n"],
+  "mappings": "AAqBA,SAAS,sBAAsB,OAAuB;AACpD,QAAM,aAAa,MAAM,YAAY;AACrC,QAAM,UAAU,WAAW,SAAS,MAAM;AAC1C,QAAM,WAAW,WAAW,SAAS,OAAO;AAE5C,MAAI,WAAW,CAAC,SAAU,QAAO;AACjC,MAAI,YAAY,CAAC,QAAS,QAAO;AACjC,SAAO;AACT;AAMA,SAAS,4BAA4B,WAA2B;AAC9D,SAAO,UAAU,MAAM,GAAG,EAAE,KAAK,CAAC,GAAG,MAAM,sBAAsB,CAAC,IAAI,sBAAsB,CAAC,CAAC,EAAE,CAAC,KAAK;AACxG;AAaO,SAAS,0BAA0B,KAAqB;AAC7D,QAAM,WAAW,IAAI,MAAM,+BAA+B;AAC1D,MAAI,CAAC,WAAW,CAAC,GAAG;AAClB,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,SAAS,CAAC,CAAC;AAC/B,UAAM,iBAAiB,IAAI,aAAa,IAAI,GAAG,KAAK;AACpD,UAAM,aAAa,4BAA4B,cAAc;AAC7D,QAAI,YAAY;AACd,UAAI,aAAa,IAAI,KAAK,UAAU;AAAA,IACtC;AACA,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO,SAAS,CAAC;AAAA,EACnB;AACF;AAMO,SAAS,wBAAwB,KAAqB;AAC3D,QAAM,aAAa,IAAI,MAAM,cAAc;AAC3C,SAAO,aAAa,CAAC,KAAK;AAC5B;",
+  "names": []
+}

package/dist/src/core/project-auth.js

@@ -0,0 +1,177 @@
+import http from "node:http";
+import { randomUUID } from "node:crypto";
+import { larkLogger } from "./lark-logger";
+import {
+  discoverOAuthMetadata,
+  registerOAuthClient,
+  generatePKCE,
+  buildAuthorizationUrl,
+  exchangeCodeForTokens,
+  extractCodeFromCallbackUrl,
+  refreshAccessToken
+} from "./project-oauth-flow";
+import { getProjectMcpEndpoint } from "../tools/mcp/project/endpoint";
+const log = larkLogger("core/project-auth");
+const CALLBACK_HOST = "127.0.0.1";
+const CALLBACK_PATH = "/callback";
+async function prepareAuthSession(mcpEndpoint, redirectUri) {
+  const endpoint = mcpEndpoint ?? getProjectMcpEndpoint();
+  log.info(`discovering OAuth metadata from ${endpoint}`);
+  const metadata = await discoverOAuthMetadata(endpoint);
+  const callbackUri = redirectUri ?? `http://${CALLBACK_HOST}:0${CALLBACK_PATH}`;
+  log.info("registering OAuth client via dynamic registration");
+  const client = await registerOAuthClient(
+    metadata.registration_endpoint,
+    callbackUri
+  );
+  const pkce = generatePKCE();
+  const state = randomUUID();
+  const authorizationUrl = buildAuthorizationUrl({
+    authorizationEndpoint: metadata.authorization_endpoint,
+    clientId: client.client_id,
+    redirectUri: callbackUri,
+    codeChallenge: pkce.codeChallenge,
+    state
+  });
+  return { metadata, client, pkce, state, redirectUri: callbackUri, authorizationUrl };
+}
+async function startLocalAuthFlow(mcpEndpoint, signal) {
+  const endpoint = mcpEndpoint ?? getProjectMcpEndpoint();
+  log.info(`discovering OAuth metadata from ${endpoint}`);
+  const metadata = await discoverOAuthMetadata(endpoint);
+  const server = http.createServer();
+  const port = await new Promise((resolve, reject) => {
+    server.listen(0, CALLBACK_HOST, () => {
+      const addr = server.address();
+      if (addr && typeof addr === "object") {
+        resolve(addr.port);
+      } else {
+        reject(new Error("Failed to determine callback port"));
+      }
+    });
+    server.once("error", reject);
+  });
+  const redirectUri = `http://${CALLBACK_HOST}:${port}${CALLBACK_PATH}`;
+  const client = await registerOAuthClient(
+    metadata.registration_endpoint,
+    redirectUri
+  );
+  const pkce = generatePKCE();
+  const state = randomUUID();
+  const authorizationUrl = buildAuthorizationUrl({
+    authorizationEndpoint: metadata.authorization_endpoint,
+    clientId: client.client_id,
+    redirectUri,
+    codeChallenge: pkce.codeChallenge,
+    state
+  });
+  const session = {
+    metadata,
+    client,
+    pkce,
+    state,
+    redirectUri,
+    authorizationUrl
+  };
+  const waitForCode = () => new Promise((resolve, reject) => {
+    const onAbort = () => {
+      reject(new Error("Authorization cancelled"));
+      cleanup();
+    };
+    signal?.addEventListener("abort", onAbort, { once: true });
+    const cleanup = () => {
+      signal?.removeEventListener("abort", onAbort);
+    };
+    server.on("request", async (req, res) => {
+      try {
+        const reqUrl = new URL(req.url ?? "", `http://${CALLBACK_HOST}:${port}`);
+        if (reqUrl.pathname !== CALLBACK_PATH) {
+          res.statusCode = 404;
+          res.end("Not found");
+          return;
+        }
+        const { code, state: receivedState } = extractCodeFromCallbackUrl(reqUrl.toString());
+        if (receivedState && receivedState !== session.state) {
+          res.statusCode = 400;
+          res.setHeader("Content-Type", "text/html");
+          res.end("<html><body><h1>Authorization failed</h1><p>Invalid state</p></body></html>");
+          reject(new Error("OAuth state mismatch"));
+          cleanup();
+          return;
+        }
+        res.statusCode = 200;
+        res.setHeader("Content-Type", "text/html");
+        res.end("<html><body><h1>Authorization successful</h1><p>You can close this tab.</p></body></html>");
+        const tokens = await exchangeCodeForTokens({
+          tokenEndpoint: session.metadata.token_endpoint,
+          code,
+          codeVerifier: session.pkce.codeVerifier,
+          clientId: session.client.client_id,
+          redirectUri: session.redirectUri
+        });
+        resolve({ tokens, clientId: session.client.client_id });
+        cleanup();
+      } catch (err) {
+        res.statusCode = 500;
+        res.end("Internal error");
+        reject(err);
+        cleanup();
+      }
+    });
+  });
+  const close = async () => {
+    await new Promise((resolve) => {
+      server.close(() => resolve());
+    });
+  };
+  return { session, waitForCode, port, close };
+}
+async function prepareRemoteAuth(mcpEndpoint) {
+  const endpoint = mcpEndpoint ?? getProjectMcpEndpoint();
+  const metadata = await discoverOAuthMetadata(endpoint);
+  const redirectUri = `http://${CALLBACK_HOST}:3456${CALLBACK_PATH}`;
+  const client = await registerOAuthClient(
+    metadata.registration_endpoint,
+    redirectUri
+  );
+  const pkce = generatePKCE();
+  const state = randomUUID();
+  const authorizationUrl = buildAuthorizationUrl({
+    authorizationEndpoint: metadata.authorization_endpoint,
+    clientId: client.client_id,
+    redirectUri,
+    codeChallenge: pkce.codeChallenge,
+    state
+  });
+  return { metadata, client, pkce, state, redirectUri, authorizationUrl };
+}
+async function completeRemoteAuth(session, callbackUrl) {
+  const { code, state: receivedState } = extractCodeFromCallbackUrl(callbackUrl);
+  if (receivedState && receivedState !== session.state) {
+    throw new Error("OAuth state mismatch \u2014 \u8BF7\u91CD\u65B0\u53D1\u8D77\u6388\u6743");
+  }
+  const tokens = await exchangeCodeForTokens({
+    tokenEndpoint: session.metadata.token_endpoint,
+    code,
+    codeVerifier: session.pkce.codeVerifier,
+    clientId: session.client.client_id,
+    redirectUri: session.redirectUri
+  });
+  return { tokens, clientId: session.client.client_id };
+}
+async function refreshProjectToken(mcpEndpoint, refreshToken, clientId) {
+  const metadata = await discoverOAuthMetadata(mcpEndpoint);
+  return refreshAccessToken({
+    tokenEndpoint: metadata.token_endpoint,
+    refreshToken,
+    clientId
+  });
+}
+export {
+  completeRemoteAuth,
+  prepareAuthSession,
+  prepareRemoteAuth,
+  refreshProjectToken,
+  startLocalAuthFlow
+};
+//# sourceMappingURL=project-auth.js.map

package/dist/src/core/project-auth.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/project-auth.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * \u98DE\u4E66\u9879\u76EE\uFF08Meego\uFF09\u72EC\u7ACB OAuth \u7F16\u6392\n *\n * \u57FA\u4E8E MCP \u6807\u51C6 OAuth\uFF08Authorization Code + PKCE + \u52A8\u6001\u5BA2\u6237\u7AEF\u6CE8\u518C\uFF09\uFF0C\n * \u4E0D\u4F9D\u8D56\u98DE\u4E66\u5F00\u653E\u5E73\u53F0 appId/appSecret\uFF0C\u4E5F\u4E0D\u8D70 Device Flow\u3002\n *\n * \u652F\u6301\u4E24\u79CD\u8FD0\u884C\u6A21\u5F0F\uFF1A\n *   - \u672C\u5730\u6A21\u5F0F\uFF08\u6709\u6D4F\u89C8\u5668\uFF09\uFF1A\u542F\u52A8 127.0.0.1 \u56DE\u8C03\u670D\u52A1\u5668\uFF0C\u81EA\u52A8\u5B8C\u6210\u6388\u6743\n *   - \u8FDC\u7A0B\u6A21\u5F0F\uFF08\u65E0\u6D4F\u89C8\u5668\uFF09\uFF1A\u751F\u6210\u6388\u6743\u94FE\u63A5\uFF0C\u7528\u6237\u5728\u5916\u90E8\u6D4F\u89C8\u5668\u5B8C\u6210\u540E\u56DE\u4F20 URL\n */\n\nimport http from 'node:http';\nimport { randomUUID } from 'node:crypto';\nimport { larkLogger } from './lark-logger';\nimport {\n  discoverOAuthMetadata,\n  registerOAuthClient,\n  generatePKCE,\n  buildAuthorizationUrl,\n  exchangeCodeForTokens,\n  extractCodeFromCallbackUrl,\n  refreshAccessToken,\n  type OAuthMetadata,\n  type OAuthClientInfo,\n  type OAuthTokens,\n  type PKCEPair,\n} from './project-oauth-flow';\nimport { getProjectMcpEndpoint } from '../tools/mcp/project/endpoint';\n\nconst log = larkLogger('core/project-auth');\n\nconst CALLBACK_HOST = '127.0.0.1';\nconst CALLBACK_PATH = '/callback';\n\n// ---------------------------------------------------------------------------\n// Pending authorization session \u2014 \u5171\u4EAB\u72B6\u6001\uFF0C\u4F9B\u672C\u5730\u56DE\u8C03\u548C\u8FDC\u7A0B\u624B\u52A8\u4E24\u79CD\u6A21\u5F0F\u4F7F\u7528\n// ---------------------------------------------------------------------------\n\nexport interface ProjectAuthSession {\n  metadata: OAuthMetadata;\n  client: OAuthClientInfo;\n  pkce: PKCEPair;\n  state: string;\n  redirectUri: string;\n  authorizationUrl: string;\n}\n\n// ---------------------------------------------------------------------------\n// \u516C\u5171\u6B65\u9AA4\uFF1A\u53D1\u73B0 + \u6CE8\u518C + PKCE + \u6784\u5EFA\u6388\u6743 URL\n// ---------------------------------------------------------------------------\n\nexport async function prepareAuthSession(\n  mcpEndpoint?: string,\n  redirectUri?: string,\n): Promise<ProjectAuthSession> {\n  const endpoint = mcpEndpoint ?? getProjectMcpEndpoint();\n\n  log.info(`discovering OAuth metadata from ${endpoint}`);\n  const metadata = await discoverOAuthMetadata(endpoint);\n\n  const callbackUri = redirectUri ?? `http://${CALLBACK_HOST}:0${CALLBACK_PATH}`;\n\n  log.info('registering OAuth client via dynamic registration');\n  const client = await registerOAuthClient(\n    metadata.registration_endpoint,\n    callbackUri,\n  );\n\n  const pkce = generatePKCE();\n  const state = randomUUID();\n\n  const authorizationUrl = buildAuthorizationUrl({\n    authorizationEndpoint: metadata.authorization_endpoint,\n    clientId: client.client_id,\n    redirectUri: callbackUri,\n    codeChallenge: pkce.codeChallenge,\n    state,\n  });\n\n  return { metadata, client, pkce, state, redirectUri: callbackUri, authorizationUrl };\n}\n\n// ---------------------------------------------------------------------------\n// \u6A21\u5F0F 1\uFF1A\u672C\u5730\u56DE\u8C03\uFF08\u6709\u6D4F\u89C8\u5668\uFF09\n// ---------------------------------------------------------------------------\n\nexport interface LocalAuthResult {\n  tokens: OAuthTokens;\n  clientId: string;\n}\n\n/**\n * \u542F\u52A8\u672C\u5730 HTTP \u56DE\u8C03\u670D\u52A1\u5668\uFF0C\u7B49\u5F85\u6D4F\u89C8\u5668\u91CD\u5B9A\u5411\u5E26\u56DE authorization code\u3002\n *\n * \u6D41\u7A0B\uFF1A\n *   1. prepareAuthSession\uFF08\u52A8\u6001\u6CE8\u518C\u65F6\u7528\u5B9E\u9645\u7AEF\u53E3\u7684 redirect_uri\uFF09\n *   2. \u542F\u52A8 127.0.0.1 \u56DE\u8C03\u670D\u52A1\u5668\n *   3. \u6253\u5F00\u6D4F\u89C8\u5668\uFF08\u8C03\u7528\u65B9\u8D1F\u8D23\uFF09\n *   4. \u7B49\u5F85\u56DE\u8C03 \u2192 \u63D0\u53D6 code \u2192 \u6362 token\n *   5. \u5173\u95ED\u670D\u52A1\u5668\n */\nexport async function startLocalAuthFlow(\n  mcpEndpoint?: string,\n  signal?: AbortSignal,\n): Promise<{\n  session: ProjectAuthSession;\n  waitForCode: () => Promise<LocalAuthResult>;\n  port: number;\n  close: () => Promise<void>;\n}> {\n  const endpoint = mcpEndpoint ?? getProjectMcpEndpoint();\n\n  log.info(`discovering OAuth metadata from ${endpoint}`);\n  const metadata = await discoverOAuthMetadata(endpoint);\n\n  // \u5148\u542F\u52A8\u670D\u52A1\u5668\u62FF\u5230\u5B9E\u9645\u7AEF\u53E3\uFF0C\u518D\u7528\u8BE5\u7AEF\u53E3\u6CE8\u518C\u5BA2\u6237\u7AEF\n  const server = http.createServer();\n  const port = await new Promise<number>((resolve, reject) => {\n    server.listen(0, CALLBACK_HOST, () => {\n      const addr = server.address();\n      if (addr && typeof addr === 'object') {\n        resolve(addr.port);\n      } else {\n        reject(new Error('Failed to determine callback port'));\n      }\n    });\n    server.once('error', reject);\n  });\n\n  const redirectUri = `http://${CALLBACK_HOST}:${port}${CALLBACK_PATH}`;\n\n  const client = await registerOAuthClient(\n    metadata.registration_endpoint,\n    redirectUri,\n  );\n\n  const pkce = generatePKCE();\n  const state = randomUUID();\n\n  const authorizationUrl = buildAuthorizationUrl({\n    authorizationEndpoint: metadata.authorization_endpoint,\n    clientId: client.client_id,\n    redirectUri,\n    codeChallenge: pkce.codeChallenge,\n    state,\n  });\n\n  const session: ProjectAuthSession = {\n    metadata,\n    client,\n    pkce,\n    state,\n    redirectUri,\n    authorizationUrl,\n  };\n\n  // \u7B49\u5F85\u56DE\u8C03\u7684 Promise\n  const waitForCode = (): Promise<LocalAuthResult> =>\n    new Promise<LocalAuthResult>((resolve, reject) => {\n      const onAbort = () => {\n        reject(new Error('Authorization cancelled'));\n        cleanup();\n      };\n      signal?.addEventListener('abort', onAbort, { once: true });\n\n      const cleanup = () => {\n        signal?.removeEventListener('abort', onAbort);\n      };\n\n      server.on('request', async (req, res) => {\n        try {\n          const reqUrl = new URL(req.url ?? '', `http://${CALLBACK_HOST}:${port}`);\n          if (reqUrl.pathname !== CALLBACK_PATH) {\n            res.statusCode = 404;\n            res.end('Not found');\n            return;\n          }\n\n          const { code, state: receivedState } = extractCodeFromCallbackUrl(reqUrl.toString());\n\n          if (receivedState && receivedState !== session.state) {\n            res.statusCode = 400;\n            res.setHeader('Content-Type', 'text/html');\n            res.end('<html><body><h1>Authorization failed</h1><p>Invalid state</p></body></html>');\n            reject(new Error('OAuth state mismatch'));\n            cleanup();\n            return;\n          }\n\n          res.statusCode = 200;\n          res.setHeader('Content-Type', 'text/html');\n          res.end('<html><body><h1>Authorization successful</h1><p>You can close this tab.</p></body></html>');\n\n          const tokens = await exchangeCodeForTokens({\n            tokenEndpoint: session.metadata.token_endpoint,\n            code,\n            codeVerifier: session.pkce.codeVerifier,\n            clientId: session.client.client_id,\n            redirectUri: session.redirectUri,\n          });\n\n          resolve({ tokens, clientId: session.client.client_id });\n          cleanup();\n        } catch (err) {\n          res.statusCode = 500;\n          res.end('Internal error');\n          reject(err);\n          cleanup();\n        }\n      });\n    });\n\n  const close = async () => {\n    await new Promise<void>((resolve) => {\n      server.close(() => resolve());\n    });\n  };\n\n  return { session, waitForCode, port, close };\n}\n\n// ---------------------------------------------------------------------------\n// \u6A21\u5F0F 2\uFF1A\u8FDC\u7A0B\u624B\u52A8\uFF08\u65E0\u6D4F\u89C8\u5668\uFF09\n// ---------------------------------------------------------------------------\n\n/**\n * \u4E3A\u8FDC\u7A0B\uFF08\u65E0\u6D4F\u89C8\u5668\uFF09\u573A\u666F\u51C6\u5907\u6388\u6743\u3002\n *\n * \u8FD4\u56DE session \u548C authorizationUrl\uFF0C\u8C03\u7528\u65B9\u5C06 URL \u53D1\u9001\u7ED9\u7528\u6237\u3002\n * \u7528\u6237\u5728\u672C\u5730\u6D4F\u89C8\u5668\u5B8C\u6210\u6388\u6743\u540E\uFF0C\u6D4F\u89C8\u5668\u91CD\u5B9A\u5411\u5230 127.0.0.1\uFF08\u4E0D\u53EF\u8FBE\uFF09\uFF0C\n * \u7528\u6237\u4ECE\u5730\u5740\u680F\u590D\u5236\u5B8C\u6574 URL \u56DE\u4F20\u3002\u8C03\u7528\u65B9\u7528 completeRemoteAuth \u5B8C\u6210\u6362 token\u3002\n */\nexport async function prepareRemoteAuth(\n  mcpEndpoint?: string,\n): Promise<ProjectAuthSession> {\n  const endpoint = mcpEndpoint ?? getProjectMcpEndpoint();\n  const metadata = await discoverOAuthMetadata(endpoint);\n\n  // \u8FDC\u7A0B\u6A21\u5F0F\u4F7F\u7528\u56FA\u5B9A\u7AEF\u53E3\u7684 redirect_uri\uFF08\u7528\u6237\u9700\u8981\u624B\u52A8\u590D\u5236 URL\uFF09\n  const redirectUri = `http://${CALLBACK_HOST}:3456${CALLBACK_PATH}`;\n\n  const client = await registerOAuthClient(\n    metadata.registration_endpoint,\n    redirectUri,\n  );\n\n  const pkce = generatePKCE();\n  const state = randomUUID();\n\n  const authorizationUrl = buildAuthorizationUrl({\n    authorizationEndpoint: metadata.authorization_endpoint,\n    clientId: client.client_id,\n    redirectUri,\n    codeChallenge: pkce.codeChallenge,\n    state,\n  });\n\n  return { metadata, client, pkce, state, redirectUri, authorizationUrl };\n}\n\n/**\n * \u7528\u6237\u624B\u52A8\u56DE\u4F20 callback URL \u540E\uFF0C\u63D0\u53D6 code \u5E76\u6362 token\u3002\n */\nexport async function completeRemoteAuth(\n  session: ProjectAuthSession,\n  callbackUrl: string,\n): Promise<LocalAuthResult> {\n  const { code, state: receivedState } = extractCodeFromCallbackUrl(callbackUrl);\n\n  if (receivedState && receivedState !== session.state) {\n    throw new Error('OAuth state mismatch \u2014 \u8BF7\u91CD\u65B0\u53D1\u8D77\u6388\u6743');\n  }\n\n  const tokens = await exchangeCodeForTokens({\n    tokenEndpoint: session.metadata.token_endpoint,\n    code,\n    codeVerifier: session.pkce.codeVerifier,\n    clientId: session.client.client_id,\n    redirectUri: session.redirectUri,\n  });\n\n  return { tokens, clientId: session.client.client_id };\n}\n\n// ---------------------------------------------------------------------------\n// Token \u5237\u65B0\uFF08\u4E24\u79CD\u6A21\u5F0F\u5171\u7528\uFF09\n// ---------------------------------------------------------------------------\n\nexport async function refreshProjectToken(\n  mcpEndpoint: string,\n  refreshToken: string,\n  clientId: string,\n): Promise<OAuthTokens> {\n  const metadata = await discoverOAuthMetadata(mcpEndpoint);\n  return refreshAccessToken({\n    tokenEndpoint: metadata.token_endpoint,\n    refreshToken,\n    clientId,\n  });\n}\n"],
+  "mappings": "AAcA,OAAO,UAAU;AACjB,SAAS,kBAAkB;AAC3B,SAAS,kBAAkB;AAC3B;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAKK;AACP,SAAS,6BAA6B;AAEtC,MAAM,MAAM,WAAW,mBAAmB;AAE1C,MAAM,gBAAgB;AACtB,MAAM,gBAAgB;AAmBtB,eAAsB,mBACpB,aACA,aAC6B;AAC7B,QAAM,WAAW,eAAe,sBAAsB;AAEtD,MAAI,KAAK,mCAAmC,QAAQ,EAAE;AACtD,QAAM,WAAW,MAAM,sBAAsB,QAAQ;AAErD,QAAM,cAAc,eAAe,UAAU,aAAa,KAAK,aAAa;AAE5E,MAAI,KAAK,mDAAmD;AAC5D,QAAM,SAAS,MAAM;AAAA,IACnB,SAAS;AAAA,IACT;AAAA,EACF;AAEA,QAAM,OAAO,aAAa;AAC1B,QAAM,QAAQ,WAAW;AAEzB,QAAM,mBAAmB,sBAAsB;AAAA,IAC7C,uBAAuB,SAAS;AAAA,IAChC,UAAU,OAAO;AAAA,IACjB,aAAa;AAAA,IACb,eAAe,KAAK;AAAA,IACpB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,UAAU,QAAQ,MAAM,OAAO,aAAa,aAAa,iBAAiB;AACrF;AAqBA,eAAsB,mBACpB,aACA,QAMC;AACD,QAAM,WAAW,eAAe,sBAAsB;AAEtD,MAAI,KAAK,mCAAmC,QAAQ,EAAE;AACtD,QAAM,WAAW,MAAM,sBAAsB,QAAQ;AAGrD,QAAM,SAAS,KAAK,aAAa;AACjC,QAAM,OAAO,MAAM,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC1D,WAAO,OAAO,GAAG,eAAe,MAAM;AACpC,YAAM,OAAO,OAAO,QAAQ;AAC5B,UAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,gBAAQ,KAAK,IAAI;AAAA,MACnB,OAAO;AACL,eAAO,IAAI,MAAM,mCAAmC,CAAC;AAAA,MACvD;AAAA,IACF,CAAC;AACD,WAAO,KAAK,SAAS,MAAM;AAAA,EAC7B,CAAC;AAED,QAAM,cAAc,UAAU,aAAa,IAAI,IAAI,GAAG,aAAa;AAEnE,QAAM,SAAS,MAAM;AAAA,IACnB,SAAS;AAAA,IACT;AAAA,EACF;AAEA,QAAM,OAAO,aAAa;AAC1B,QAAM,QAAQ,WAAW;AAEzB,QAAM,mBAAmB,sBAAsB;AAAA,IAC7C,uBAAuB,SAAS;AAAA,IAChC,UAAU,OAAO;AAAA,IACjB;AAAA,IACA,eAAe,KAAK;AAAA,IACpB;AAAA,EACF,CAAC;AAED,QAAM,UAA8B;AAAA,IAClC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAGA,QAAM,cAAc,MAClB,IAAI,QAAyB,CAAC,SAAS,WAAW;AAChD,UAAM,UAAU,MAAM;AACpB,aAAO,IAAI,MAAM,yBAAyB,CAAC;AAC3C,cAAQ;AAAA,IACV;AACA,YAAQ,iBAAiB,SAAS,SAAS,EAAE,MAAM,KAAK,CAAC;AAEzD,UAAM,UAAU,MAAM;AACpB,cAAQ,oBAAoB,SAAS,OAAO;AAAA,IAC9C;AAEA,WAAO,GAAG,WAAW,OAAO,KAAK,QAAQ;AACvC,UAAI;AACF,cAAM,SAAS,IAAI,IAAI,IAAI,OAAO,IAAI,UAAU,aAAa,IAAI,IAAI,EAAE;AACvE,YAAI,OAAO,aAAa,eAAe;AACrC,cAAI,aAAa;AACjB,cAAI,IAAI,WAAW;AACnB;AAAA,QACF;AAEA,cAAM,EAAE,MAAM,OAAO,cAAc,IAAI,2BAA2B,OAAO,SAAS,CAAC;AAEnF,YAAI,iBAAiB,kBAAkB,QAAQ,OAAO;AACpD,cAAI,aAAa;AACjB,cAAI,UAAU,gBAAgB,WAAW;AACzC,cAAI,IAAI,6EAA6E;AACrF,iBAAO,IAAI,MAAM,sBAAsB,CAAC;AACxC,kBAAQ;AACR;AAAA,QACF;AAEA,YAAI,aAAa;AACjB,YAAI,UAAU,gBAAgB,WAAW;AACzC,YAAI,IAAI,2FAA2F;AAEnG,cAAM,SAAS,MAAM,sBAAsB;AAAA,UACzC,eAAe,QAAQ,SAAS;AAAA,UAChC;AAAA,UACA,cAAc,QAAQ,KAAK;AAAA,UAC3B,UAAU,QAAQ,OAAO;AAAA,UACzB,aAAa,QAAQ;AAAA,QACvB,CAAC;AAED,gBAAQ,EAAE,QAAQ,UAAU,QAAQ,OAAO,UAAU,CAAC;AACtD,gBAAQ;AAAA,MACV,SAAS,KAAK;AACZ,YAAI,aAAa;AACjB,YAAI,IAAI,gBAAgB;AACxB,eAAO,GAAG;AACV,gBAAQ;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAEH,QAAM,QAAQ,YAAY;AACxB,UAAM,IAAI,QAAc,CAAC,YAAY;AACnC,aAAO,MAAM,MAAM,QAAQ,CAAC;AAAA,IAC9B,CAAC;AAAA,EACH;AAEA,SAAO,EAAE,SAAS,aAAa,MAAM,MAAM;AAC7C;AAaA,eAAsB,kBACpB,aAC6B;AAC7B,QAAM,WAAW,eAAe,sBAAsB;AACtD,QAAM,WAAW,MAAM,sBAAsB,QAAQ;AAGrD,QAAM,cAAc,UAAU,aAAa,QAAQ,aAAa;AAEhE,QAAM,SAAS,MAAM;AAAA,IACnB,SAAS;AAAA,IACT;AAAA,EACF;AAEA,QAAM,OAAO,aAAa;AAC1B,QAAM,QAAQ,WAAW;AAEzB,QAAM,mBAAmB,sBAAsB;AAAA,IAC7C,uBAAuB,SAAS;AAAA,IAChC,UAAU,OAAO;AAAA,IACjB;AAAA,IACA,eAAe,KAAK;AAAA,IACpB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,UAAU,QAAQ,MAAM,OAAO,aAAa,iBAAiB;AACxE;AAKA,eAAsB,mBACpB,SACA,aAC0B;AAC1B,QAAM,EAAE,MAAM,OAAO,cAAc,IAAI,2BAA2B,WAAW;AAE7E,MAAI,iBAAiB,kBAAkB,QAAQ,OAAO;AACpD,UAAM,IAAI,MAAM,wEAAgC;AAAA,EAClD;AAEA,QAAM,SAAS,MAAM,sBAAsB;AAAA,IACzC,eAAe,QAAQ,SAAS;AAAA,IAChC;AAAA,IACA,cAAc,QAAQ,KAAK;AAAA,IAC3B,UAAU,QAAQ,OAAO;AAAA,IACzB,aAAa,QAAQ;AAAA,EACvB,CAAC;AAED,SAAO,EAAE,QAAQ,UAAU,QAAQ,OAAO,UAAU;AACtD;AAMA,eAAsB,oBACpB,aACA,cACA,UACsB;AACtB,QAAM,WAAW,MAAM,sBAAsB,WAAW;AACxD,SAAO,mBAAmB;AAAA,IACxB,eAAe,SAAS;AAAA,IACxB;AAAA,IACA;AAAA,EACF,CAAC;AACH;",
+  "names": []
+}

package/dist/src/core/project-oauth-flow.js

@@ -0,0 +1,124 @@
+import { randomBytes, createHash } from "node:crypto";
+import { larkLogger } from "./lark-logger";
+const log = larkLogger("core/project-oauth-flow");
+async function discoverOAuthMetadata(serverUrl) {
+  const base = serverUrl.replace(/\/+$/, "");
+  const origin = new URL(base).origin;
+  const candidates = [
+    `${base}/.well-known/oauth-authorization-server`,
+    `${origin}/.well-known/oauth-authorization-server`
+  ];
+  for (const url of candidates) {
+    const res = await fetch(url);
+    if (res.ok) {
+      const data = await res.json();
+      log.info(`OAuth metadata discovered from ${url}`);
+      return data;
+    }
+  }
+  throw new Error(
+    `Failed to discover OAuth metadata from ${serverUrl} (tried ${candidates.join(", ")})`
+  );
+}
+async function registerOAuthClient(registrationEndpoint, redirectUri, clientName) {
+  const body = {
+    client_name: clientName ?? "openclaw-feishu-project",
+    redirect_uris: [redirectUri],
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none"
+  };
+  const res = await fetch(registrationEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`OAuth client registration failed: HTTP ${res.status} \u2013 ${text.slice(0, 500)}`);
+  }
+  const data = JSON.parse(text);
+  log.info(`OAuth client registered: client_id=${data.client_id}`);
+  return data;
+}
+function generatePKCE() {
+  const codeVerifier = randomBytes(32).toString("base64url");
+  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+  return { codeVerifier, codeChallenge };
+}
+function buildAuthorizationUrl(params) {
+  const url = new URL(params.authorizationEndpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", params.clientId);
+  url.searchParams.set("redirect_uri", params.redirectUri);
+  url.searchParams.set("code_challenge", params.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", params.state);
+  if (params.scope) {
+    url.searchParams.set("scope", params.scope);
+  }
+  return url.toString();
+}
+async function exchangeCodeForTokens(params) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: params.code,
+    redirect_uri: params.redirectUri,
+    client_id: params.clientId,
+    code_verifier: params.codeVerifier
+  });
+  const res = await fetch(params.tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`Token exchange failed: HTTP ${res.status} \u2013 ${text.slice(0, 500)}`);
+  }
+  const data = JSON.parse(text);
+  log.info("Authorization code exchanged for tokens");
+  return data;
+}
+async function refreshAccessToken(params) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: params.refreshToken,
+    client_id: params.clientId
+  });
+  const res = await fetch(params.tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`Token refresh failed: HTTP ${res.status} \u2013 ${text.slice(0, 500)}`);
+  }
+  const data = JSON.parse(text);
+  log.info("Access token refreshed");
+  return data;
+}
+function extractCodeFromCallbackUrl(callbackUrl) {
+  const url = new URL(callbackUrl);
+  const code = url.searchParams.get("code");
+  const error = url.searchParams.get("error");
+  if (error) {
+    const desc = url.searchParams.get("error_description") ?? error;
+    throw new Error(`OAuth authorization denied: ${desc}`);
+  }
+  if (!code) {
+    throw new Error("Callback URL missing authorization code");
+  }
+  return { code, state: url.searchParams.get("state") };
+}
+export {
+  buildAuthorizationUrl,
+  discoverOAuthMetadata,
+  exchangeCodeForTokens,
+  extractCodeFromCallbackUrl,
+  generatePKCE,
+  refreshAccessToken,
+  registerOAuthClient
+};
+//# sourceMappingURL=project-oauth-flow.js.map

package/dist/src/core/project-oauth-flow.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/project-oauth-flow.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * \u98DE\u4E66\u9879\u76EE MCP OAuth \u539F\u8BED\n *\n * \u5B9E\u73B0\u6807\u51C6 MCP OAuth \u6D41\u7A0B\uFF1A\n *   1. \u53D1\u73B0 OAuth \u7AEF\u70B9 (RFC 8414)\n *   2. \u52A8\u6001\u5BA2\u6237\u7AEF\u6CE8\u518C (RFC 7591)\n *   3. PKCE (RFC 7636)\n *   4. Authorization Code \u6362 token\n *   5. Refresh token\n *\n * \u4E0D\u4F9D\u8D56\u4EFB\u4F55\u7B2C\u4E09\u65B9 OAuth \u5E93\uFF0C\u4EC5\u4F7F\u7528 Node 18+ \u5185\u7F6E fetch + crypto\u3002\n */\n\nimport { randomBytes, createHash } from 'node:crypto';\nimport { larkLogger } from './lark-logger';\n\nconst log = larkLogger('core/project-oauth-flow');\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface OAuthMetadata {\n  issuer: string;\n  authorization_endpoint: string;\n  token_endpoint: string;\n  registration_endpoint: string;\n  response_types_supported: string[];\n  grant_types_supported: string[];\n  code_challenge_methods_supported: string[];\n  scopes_supported: string[];\n}\n\nexport interface OAuthClientInfo {\n  client_id: string;\n  client_secret?: string;\n  redirect_uris: string[];\n  client_name: string;\n}\n\nexport interface PKCEPair {\n  codeVerifier: string;\n  codeChallenge: string;\n}\n\nexport interface OAuthTokens {\n  access_token: string;\n  refresh_token?: string;\n  token_type: string;\n  expires_in?: number;\n  scope?: string;\n}\n\n// ---------------------------------------------------------------------------\n// 1. \u53D1\u73B0 OAuth \u7AEF\u70B9\n// ---------------------------------------------------------------------------\n\nexport async function discoverOAuthMetadata(serverUrl: string): Promise<OAuthMetadata> {\n  const base = serverUrl.replace(/\\/+$/, '');\n  // MCP \u89C4\u8303\uFF1A\u5148\u5C1D\u8BD5 path-aware\uFF0C\u518D\u56DE\u9000 root\n  const origin = new URL(base).origin;\n  const candidates = [\n    `${base}/.well-known/oauth-authorization-server`,\n    `${origin}/.well-known/oauth-authorization-server`,\n  ];\n\n  for (const url of candidates) {\n    const res = await fetch(url);\n    if (res.ok) {\n      const data = (await res.json()) as OAuthMetadata;\n      log.info(`OAuth metadata discovered from ${url}`);\n      return data;\n    }\n  }\n\n  throw new Error(\n    `Failed to discover OAuth metadata from ${serverUrl} (tried ${candidates.join(', ')})`,\n  );\n}\n\n// ---------------------------------------------------------------------------\n// 2. \u52A8\u6001\u5BA2\u6237\u7AEF\u6CE8\u518C\n// ---------------------------------------------------------------------------\n\nexport async function registerOAuthClient(\n  registrationEndpoint: string,\n  redirectUri: string,\n  clientName?: string,\n): Promise<OAuthClientInfo> {\n  const body = {\n    client_name: clientName ?? 'openclaw-feishu-project',\n    redirect_uris: [redirectUri],\n    grant_types: ['authorization_code', 'refresh_token'],\n    response_types: ['code'],\n    token_endpoint_auth_method: 'none',\n  };\n\n  const res = await fetch(registrationEndpoint, {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/json' },\n    body: JSON.stringify(body),\n  });\n\n  const text = await res.text();\n  if (!res.ok) {\n    throw new Error(`OAuth client registration failed: HTTP ${res.status} \u2013 ${text.slice(0, 500)}`);\n  }\n\n  const data = JSON.parse(text) as OAuthClientInfo;\n  log.info(`OAuth client registered: client_id=${data.client_id}`);\n  return data;\n}\n\n// ---------------------------------------------------------------------------\n// 3. PKCE\n// ---------------------------------------------------------------------------\n\nexport function generatePKCE(): PKCEPair {\n  const codeVerifier = randomBytes(32).toString('base64url');\n  const codeChallenge = createHash('sha256').update(codeVerifier).digest('base64url');\n  return { codeVerifier, codeChallenge };\n}\n\n// ---------------------------------------------------------------------------\n// 4. \u6784\u5EFA\u6388\u6743 URL\n// ---------------------------------------------------------------------------\n\nexport function buildAuthorizationUrl(params: {\n  authorizationEndpoint: string;\n  clientId: string;\n  redirectUri: string;\n  codeChallenge: string;\n  state: string;\n  scope?: string;\n}): string {\n  const url = new URL(params.authorizationEndpoint);\n  url.searchParams.set('response_type', 'code');\n  url.searchParams.set('client_id', params.clientId);\n  url.searchParams.set('redirect_uri', params.redirectUri);\n  url.searchParams.set('code_challenge', params.codeChallenge);\n  url.searchParams.set('code_challenge_method', 'S256');\n  url.searchParams.set('state', params.state);\n  if (params.scope) {\n    url.searchParams.set('scope', params.scope);\n  }\n  return url.toString();\n}\n\n// ---------------------------------------------------------------------------\n// 5. Authorization Code \u2192 Token\n// ---------------------------------------------------------------------------\n\nexport async function exchangeCodeForTokens(params: {\n  tokenEndpoint: string;\n  code: string;\n  codeVerifier: string;\n  clientId: string;\n  redirectUri: string;\n}): Promise<OAuthTokens> {\n  const body = new URLSearchParams({\n    grant_type: 'authorization_code',\n    code: params.code,\n    redirect_uri: params.redirectUri,\n    client_id: params.clientId,\n    code_verifier: params.codeVerifier,\n  });\n\n  const res = await fetch(params.tokenEndpoint, {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n    body: body.toString(),\n  });\n\n  const text = await res.text();\n  if (!res.ok) {\n    throw new Error(`Token exchange failed: HTTP ${res.status} \u2013 ${text.slice(0, 500)}`);\n  }\n\n  const data = JSON.parse(text) as OAuthTokens;\n  log.info('Authorization code exchanged for tokens');\n  return data;\n}\n\n// ---------------------------------------------------------------------------\n// 6. Refresh Token\n// ---------------------------------------------------------------------------\n\nexport async function refreshAccessToken(params: {\n  tokenEndpoint: string;\n  refreshToken: string;\n  clientId: string;\n}): Promise<OAuthTokens> {\n  const body = new URLSearchParams({\n    grant_type: 'refresh_token',\n    refresh_token: params.refreshToken,\n    client_id: params.clientId,\n  });\n\n  const res = await fetch(params.tokenEndpoint, {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n    body: body.toString(),\n  });\n\n  const text = await res.text();\n  if (!res.ok) {\n    throw new Error(`Token refresh failed: HTTP ${res.status} \u2013 ${text.slice(0, 500)}`);\n  }\n\n  const data = JSON.parse(text) as OAuthTokens;\n  log.info('Access token refreshed');\n  return data;\n}\n\n// ---------------------------------------------------------------------------\n// 7. \u4ECE\u56DE\u8C03 URL \u4E2D\u63D0\u53D6 code \u548C state\n// ---------------------------------------------------------------------------\n\nexport function extractCodeFromCallbackUrl(\n  callbackUrl: string,\n): { code: string; state: string | null } {\n  const url = new URL(callbackUrl);\n  const code = url.searchParams.get('code');\n  const error = url.searchParams.get('error');\n  if (error) {\n    const desc = url.searchParams.get('error_description') ?? error;\n    throw new Error(`OAuth authorization denied: ${desc}`);\n  }\n  if (!code) {\n    throw new Error('Callback URL missing authorization code');\n  }\n  return { code, state: url.searchParams.get('state') };\n}\n"],
+  "mappings": "AAgBA,SAAS,aAAa,kBAAkB;AACxC,SAAS,kBAAkB;AAE3B,MAAM,MAAM,WAAW,yBAAyB;AAyChD,eAAsB,sBAAsB,WAA2C;AACrF,QAAM,OAAO,UAAU,QAAQ,QAAQ,EAAE;AAEzC,QAAM,SAAS,IAAI,IAAI,IAAI,EAAE;AAC7B,QAAM,aAAa;AAAA,IACjB,GAAG,IAAI;AAAA,IACP,GAAG,MAAM;AAAA,EACX;AAEA,aAAW,OAAO,YAAY;AAC5B,UAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,QAAI,IAAI,IAAI;AACV,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,UAAI,KAAK,kCAAkC,GAAG,EAAE;AAChD,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR,0CAA0C,SAAS,WAAW,WAAW,KAAK,IAAI,CAAC;AAAA,EACrF;AACF;AAMA,eAAsB,oBACpB,sBACA,aACA,YAC0B;AAC1B,QAAM,OAAO;AAAA,IACX,aAAa,cAAc;AAAA,IAC3B,eAAe,CAAC,WAAW;AAAA,IAC3B,aAAa,CAAC,sBAAsB,eAAe;AAAA,IACnD,gBAAgB,CAAC,MAAM;AAAA,IACvB,4BAA4B;AAAA,EAC9B;AAEA,QAAM,MAAM,MAAM,MAAM,sBAAsB;AAAA,IAC5C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,0CAA0C,IAAI,MAAM,WAAM,KAAK,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,EAChG;AAEA,QAAM,OAAO,KAAK,MAAM,IAAI;AAC5B,MAAI,KAAK,sCAAsC,KAAK,SAAS,EAAE;AAC/D,SAAO;AACT;AAMO,SAAS,eAAyB;AACvC,QAAM,eAAe,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,QAAM,gBAAgB,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AAClF,SAAO,EAAE,cAAc,cAAc;AACvC;AAMO,SAAS,sBAAsB,QAO3B;AACT,QAAM,MAAM,IAAI,IAAI,OAAO,qBAAqB;AAChD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,OAAO,WAAW;AACvD,MAAI,aAAa,IAAI,kBAAkB,OAAO,aAAa;AAC3D,MAAI,aAAa,IAAI,yBAAyB,MAAM;AACpD,MAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAC1C,MAAI,OAAO,OAAO;AAChB,QAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAAA,EAC5C;AACA,SAAO,IAAI,SAAS;AACtB;AAMA,eAAsB,sBAAsB,QAMnB;AACvB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,WAAW,OAAO;AAAA,IAClB,eAAe,OAAO;AAAA,EACxB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,OAAO,eAAe;AAAA,IAC5C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,+BAA+B,IAAI,MAAM,WAAM,KAAK,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,EACrF;AAEA,QAAM,OAAO,KAAK,MAAM,IAAI;AAC5B,MAAI,KAAK,yCAAyC;AAClD,SAAO;AACT;AAMA,eAAsB,mBAAmB,QAIhB;AACvB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,OAAO,eAAe;AAAA,IAC5C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,8BAA8B,IAAI,MAAM,WAAM,KAAK,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,EACpF;AAEA,QAAM,OAAO,KAAK,MAAM,IAAI;AAC5B,MAAI,KAAK,wBAAwB;AACjC,SAAO;AACT;AAMO,SAAS,2BACd,aACwC;AACxC,QAAM,MAAM,IAAI,IAAI,WAAW;AAC/B,QAAM,OAAO,IAAI,aAAa,IAAI,MAAM;AACxC,QAAM,QAAQ,IAAI,aAAa,IAAI,OAAO;AAC1C,MAAI,OAAO;AACT,UAAM,OAAO,IAAI,aAAa,IAAI,mBAAmB,KAAK;AAC1D,UAAM,IAAI,MAAM,+BAA+B,IAAI,EAAE;AAAA,EACvD;AACA,MAAI,CAAC,MAAM;AACT,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AACA,SAAO,EAAE,MAAM,OAAO,IAAI,aAAa,IAAI,OAAO,EAAE;AACtD;",
+  "names": []
+}