@llui/agent 0.0.29 → 0.0.31

package/dist/server/token.js

@@ -1,17 +1,54 @@
-import { createHmac, timingSafeEqual } from 'node:crypto';
 const PREFIX = 'llui-agent_';
-function toKeyBuffer(key) {
-    const buf = typeof key === 'string' ? Buffer.from(key, 'utf8') : Buffer.from(key);
-    if (buf.length < 32)
+/**
+ * Normalize key + payload to `Uint8Array<ArrayBuffer>`, the shape
+ * WebCrypto wants. Newer TS lib types parameterize `Uint8Array` over the
+ * underlying buffer, and `TextEncoder.encode()` returns
+ * `Uint8Array<ArrayBufferLike>` — which `crypto.subtle.*` won't accept
+ * directly. A one-shot copy is cheap (HMAC inputs are bytes-small) and
+ * keeps the types honest without `as BufferSource` scattered at call sites.
+ */
+function toBytes(input) {
+    const raw = typeof input === 'string' ? new TextEncoder().encode(input) : input;
+    const buf = new ArrayBuffer(raw.byteLength);
+    const out = new Uint8Array(buf);
+    out.set(raw);
+    return out;
+}
+function toKeyBytes(key) {
+    if (typeof key === 'string') {
+        if (key.length < 32)
+            throw new Error('signingKey must be at least 32 bytes');
+    }
+    else if (key.byteLength < 32) {
         throw new Error('signingKey must be at least 32 bytes');
-    return buf;
+    }
+    return toBytes(key);
 }
-function b64url(buf) {
-    return buf.toString('base64url');
+/**
+ * Import a signing key as a WebCrypto `CryptoKey`. Done per call so the
+ * caller doesn't have to pre-import and pass it around; the cost is a
+ * microtask per sign/verify, which is negligible for our call volume
+ * (tokens verified once per LAP HTTP request).
+ */
+async function importHmacKey(key, usages) {
+    return crypto.subtle.importKey('raw', toKeyBytes(key), { name: 'HMAC', hash: 'SHA-256' }, false, usages);
 }
-function b64urlDecode(s) {
+function toBase64Url(bytes) {
+    // btoa needs a binary string; build it manually to avoid ArrayBuffer/Uint8Array quirks.
+    let bin = '';
+    for (let i = 0; i < bytes.byteLength; i++)
+        bin += String.fromCharCode(bytes[i]);
+    return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function fromBase64Url(s) {
     try {
-        return Buffer.from(s, 'base64url');
+        const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
+        const bin = atob(b64);
+        const buf = new ArrayBuffer(bin.length);
+        const bytes = new Uint8Array(buf);
+        for (let i = 0; i < bin.length; i++)
+            bytes[i] = bin.charCodeAt(i);
+        return bytes;
     }
     catch {
         return null;
@@ -19,20 +56,24 @@ function b64urlDecode(s) {
 }
 /**
  * Serialize a payload to `llui-agent_<base64url(json)>.<base64url(hmac)>`.
- * See spec §6.1.
+ * See spec §6.1. Async because WebCrypto's HMAC sign/verify is the
+ * cross-runtime standard; Node, Cloudflare, Deno, and Bun all expose
+ * `crypto.subtle` identically.
  */
-export function signToken(payload, key) {
-    const keyBuf = toKeyBuffer(key);
-    const jsonBuf = Buffer.from(JSON.stringify(payload), 'utf8');
-    const payloadPart = b64url(jsonBuf);
-    const mac = createHmac('sha256', keyBuf).update(payloadPart).digest();
-    const sigPart = b64url(mac);
+export async function signToken(payload, key) {
+    const cryptoKey = await importHmacKey(key, ['sign']);
+    const jsonBytes = toBytes(JSON.stringify(payload));
+    const payloadPart = toBase64Url(jsonBytes);
+    const macBuf = await crypto.subtle.sign('HMAC', cryptoKey, toBytes(payloadPart));
+    const sigPart = toBase64Url(new Uint8Array(macBuf));
     return (PREFIX + payloadPart + '.' + sigPart);
 }
 /**
  * Verify the signature, parse the payload, and check expiry.
+ * `crypto.subtle.verify` does the constant-time compare internally,
+ * so we don't need a separate `timingSafeEqual`.
  */
-export function verifyToken(token, key, nowSec = Math.floor(Date.now() / 1000)) {
+export async function verifyToken(token, key, nowSec = Math.floor(Date.now() / 1000)) {
     if (!token.startsWith(PREFIX))
         return { kind: 'invalid', reason: 'malformed' };
     const body = token.slice(PREFIX.length);
@@ -41,20 +82,19 @@ export function verifyToken(token, key, nowSec = Math.floor(Date.now() / 1000))
         return { kind: 'invalid', reason: 'malformed' };
     const payloadPart = body.slice(0, dot);
     const sigPart = body.slice(dot + 1);
-    const sigBuf = b64urlDecode(sigPart);
-    if (!sigBuf)
+    const sigBytes = fromBase64Url(sigPart);
+    if (!sigBytes)
         return { kind: 'invalid', reason: 'malformed' };
-    const keyBuf = toKeyBuffer(key);
-    const expected = createHmac('sha256', keyBuf).update(payloadPart).digest();
-    if (expected.length !== sigBuf.length || !timingSafeEqual(expected, sigBuf)) {
+    const cryptoKey = await importHmacKey(key, ['verify']);
+    const ok = await crypto.subtle.verify('HMAC', cryptoKey, sigBytes, toBytes(payloadPart));
+    if (!ok)
         return { kind: 'invalid', reason: 'bad-signature' };
-    }
-    const jsonBuf = b64urlDecode(payloadPart);
-    if (!jsonBuf)
+    const jsonBytes = fromBase64Url(payloadPart);
+    if (!jsonBytes)
         return { kind: 'invalid', reason: 'malformed' };
     let parsed;
     try {
-        parsed = JSON.parse(jsonBuf.toString('utf8'));
+        parsed = JSON.parse(new TextDecoder().decode(jsonBytes));
     }
     catch {
         return { kind: 'invalid', reason: 'malformed' };

package/dist/server/token.js.map

@@ -1 +1 @@
-{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/server/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAczD,MAAM,MAAM,GAAG,aAAa,CAAA;AAE5B,SAAS,WAAW,CAAC,GAAwB;IAC3C,MAAM,GAAG,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACjF,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IAC5E,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AAClC,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,OAAqB,EAAE,GAAwB;IACvE,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IAC/B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;IAC5D,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,CAAA;IACnC,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;IACrE,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,CAAA;IAC3B,OAAO,CAAC,MAAM,GAAG,WAAW,GAAG,GAAG,GAAG,OAAO,CAAe,CAAA;AAC7D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,KAAa,EACb,GAAwB,EACxB,SAAiB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAE9C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC9E,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAE5D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IACnC,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAE5D,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IAC/B,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAA;IAC1E,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;QAC5E,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACrD,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,WAAW,CAAC,CAAA;IACzC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC7D,IAAI,MAAe,CAAA;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAA;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IACjD,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC5E,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACvE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,cAAc,CAAC,CAAU;IAChC,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC7C,MAAM,CAAC,GAAG,CAA4B,CAAA;IACtC,OAAO,CACL,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,CAAC,CAAC,KAAK,KAAK,OAAO,CACpB,CAAA;AACH,CAAC","sourcesContent":["import { createHmac, timingSafeEqual } from 'node:crypto'\nimport type { AgentToken } from '../protocol.js'\n\nexport type TokenPayload = {\n  tid: string\n  iat: number\n  exp: number\n  scope: 'agent'\n}\n\nexport type VerifyResult =\n  | { kind: 'ok'; payload: TokenPayload }\n  | { kind: 'invalid'; reason: 'malformed' | 'bad-signature' | 'expired' }\n\nconst PREFIX = 'llui-agent_'\n\nfunction toKeyBuffer(key: string | Uint8Array): Buffer {\n  const buf = typeof key === 'string' ? Buffer.from(key, 'utf8') : Buffer.from(key)\n  if (buf.length < 32) throw new Error('signingKey must be at least 32 bytes')\n  return buf\n}\n\nfunction b64url(buf: Buffer): string {\n  return buf.toString('base64url')\n}\n\nfunction b64urlDecode(s: string): Buffer | null {\n  try {\n    return Buffer.from(s, 'base64url')\n  } catch {\n    return null\n  }\n}\n\n/**\n * Serialize a payload to `llui-agent_<base64url(json)>.<base64url(hmac)>`.\n * See spec §6.1.\n */\nexport function signToken(payload: TokenPayload, key: string | Uint8Array): AgentToken {\n  const keyBuf = toKeyBuffer(key)\n  const jsonBuf = Buffer.from(JSON.stringify(payload), 'utf8')\n  const payloadPart = b64url(jsonBuf)\n  const mac = createHmac('sha256', keyBuf).update(payloadPart).digest()\n  const sigPart = b64url(mac)\n  return (PREFIX + payloadPart + '.' + sigPart) as AgentToken\n}\n\n/**\n * Verify the signature, parse the payload, and check expiry.\n */\nexport function verifyToken(\n  token: string,\n  key: string | Uint8Array,\n  nowSec: number = Math.floor(Date.now() / 1000),\n): VerifyResult {\n  if (!token.startsWith(PREFIX)) return { kind: 'invalid', reason: 'malformed' }\n  const body = token.slice(PREFIX.length)\n  const dot = body.indexOf('.')\n  if (dot < 0) return { kind: 'invalid', reason: 'malformed' }\n\n  const payloadPart = body.slice(0, dot)\n  const sigPart = body.slice(dot + 1)\n  const sigBuf = b64urlDecode(sigPart)\n  if (!sigBuf) return { kind: 'invalid', reason: 'malformed' }\n\n  const keyBuf = toKeyBuffer(key)\n  const expected = createHmac('sha256', keyBuf).update(payloadPart).digest()\n  if (expected.length !== sigBuf.length || !timingSafeEqual(expected, sigBuf)) {\n    return { kind: 'invalid', reason: 'bad-signature' }\n  }\n\n  const jsonBuf = b64urlDecode(payloadPart)\n  if (!jsonBuf) return { kind: 'invalid', reason: 'malformed' }\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(jsonBuf.toString('utf8'))\n  } catch {\n    return { kind: 'invalid', reason: 'malformed' }\n  }\n\n  if (!isTokenPayload(parsed)) return { kind: 'invalid', reason: 'malformed' }\n  if (parsed.exp <= nowSec) return { kind: 'invalid', reason: 'expired' }\n  return { kind: 'ok', payload: parsed }\n}\n\nfunction isTokenPayload(x: unknown): x is TokenPayload {\n  if (!x || typeof x !== 'object') return false\n  const o = x as Record<string, unknown>\n  return (\n    typeof o.tid === 'string' &&\n    typeof o.iat === 'number' &&\n    typeof o.exp === 'number' &&\n    o.scope === 'agent'\n  )\n}\n"]}
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/server/token.ts"],"names":[],"mappings":"AAaA,MAAM,MAAM,GAAG,aAAa,CAAA;AAE5B;;;;;;;GAOG;AACH,SAAS,OAAO,CAAC,KAA0B;IACzC,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC/E,MAAM,GAAG,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC3C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;IAC/B,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACZ,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,UAAU,CAAC,GAAwB;IAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IAC9E,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAA;AACrB,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,aAAa,CAAC,GAAwB,EAAE,MAAkB;IACvE,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,UAAU,CAAC,GAAG,CAAC,EACf,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,MAAM,CACP,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAiB;IACpC,wFAAwF;IACxF,IAAI,GAAG,GAAG,EAAE,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAChF,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAC7E,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QAC1F,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;QACrB,MAAM,GAAG,GAAG,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACvC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;YAAE,KAAK,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QACjE,OAAO,KAAK,CAAA;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAqB,EACrB,GAAwB;IAExB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;IACpD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAA;IAClD,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;IAChF,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAA;IACnD,OAAO,CAAC,MAAM,GAAG,WAAW,GAAG,GAAG,GAAG,OAAO,CAAe,CAAA;AAC7D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,GAAwB,EACxB,SAAiB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAE9C,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC9E,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAE5D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IACnC,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAA;IACvC,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAE9D,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IACtD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAA;IACxF,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IAE5D,MAAM,SAAS,GAAG,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC/D,IAAI,MAAe,CAAA;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAA;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IACjD,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,CAAA;IAC5E,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACvE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,cAAc,CAAC,CAAU;IAChC,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC7C,MAAM,CAAC,GAAG,CAA4B,CAAA;IACtC,OAAO,CACL,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,CAAC,CAAC,KAAK,KAAK,OAAO,CACpB,CAAA;AACH,CAAC","sourcesContent":["import type { AgentToken } from '../protocol.js'\n\nexport type TokenPayload = {\n  tid: string\n  iat: number\n  exp: number\n  scope: 'agent'\n}\n\nexport type VerifyResult =\n  | { kind: 'ok'; payload: TokenPayload }\n  | { kind: 'invalid'; reason: 'malformed' | 'bad-signature' | 'expired' }\n\nconst PREFIX = 'llui-agent_'\n\n/**\n * Normalize key + payload to `Uint8Array<ArrayBuffer>`, the shape\n * WebCrypto wants. Newer TS lib types parameterize `Uint8Array` over the\n * underlying buffer, and `TextEncoder.encode()` returns\n * `Uint8Array<ArrayBufferLike>` — which `crypto.subtle.*` won't accept\n * directly. A one-shot copy is cheap (HMAC inputs are bytes-small) and\n * keeps the types honest without `as BufferSource` scattered at call sites.\n */\nfunction toBytes(input: string | Uint8Array): Uint8Array<ArrayBuffer> {\n  const raw = typeof input === 'string' ? new TextEncoder().encode(input) : input\n  const buf = new ArrayBuffer(raw.byteLength)\n  const out = new Uint8Array(buf)\n  out.set(raw)\n  return out\n}\n\nfunction toKeyBytes(key: string | Uint8Array): Uint8Array<ArrayBuffer> {\n  if (typeof key === 'string') {\n    if (key.length < 32) throw new Error('signingKey must be at least 32 bytes')\n  } else if (key.byteLength < 32) {\n    throw new Error('signingKey must be at least 32 bytes')\n  }\n  return toBytes(key)\n}\n\n/**\n * Import a signing key as a WebCrypto `CryptoKey`. Done per call so the\n * caller doesn't have to pre-import and pass it around; the cost is a\n * microtask per sign/verify, which is negligible for our call volume\n * (tokens verified once per LAP HTTP request).\n */\nasync function importHmacKey(key: string | Uint8Array, usages: KeyUsage[]): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    'raw',\n    toKeyBytes(key),\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    usages,\n  )\n}\n\nfunction toBase64Url(bytes: Uint8Array): string {\n  // btoa needs a binary string; build it manually to avoid ArrayBuffer/Uint8Array quirks.\n  let bin = ''\n  for (let i = 0; i < bytes.byteLength; i++) bin += String.fromCharCode(bytes[i]!)\n  return btoa(bin).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '')\n}\n\nfunction fromBase64Url(s: string): Uint8Array<ArrayBuffer> | null {\n  try {\n    const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4)\n    const bin = atob(b64)\n    const buf = new ArrayBuffer(bin.length)\n    const bytes = new Uint8Array(buf)\n    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i)\n    return bytes\n  } catch {\n    return null\n  }\n}\n\n/**\n * Serialize a payload to `llui-agent_<base64url(json)>.<base64url(hmac)>`.\n * See spec §6.1. Async because WebCrypto's HMAC sign/verify is the\n * cross-runtime standard; Node, Cloudflare, Deno, and Bun all expose\n * `crypto.subtle` identically.\n */\nexport async function signToken(\n  payload: TokenPayload,\n  key: string | Uint8Array,\n): Promise<AgentToken> {\n  const cryptoKey = await importHmacKey(key, ['sign'])\n  const jsonBytes = toBytes(JSON.stringify(payload))\n  const payloadPart = toBase64Url(jsonBytes)\n  const macBuf = await crypto.subtle.sign('HMAC', cryptoKey, toBytes(payloadPart))\n  const sigPart = toBase64Url(new Uint8Array(macBuf))\n  return (PREFIX + payloadPart + '.' + sigPart) as AgentToken\n}\n\n/**\n * Verify the signature, parse the payload, and check expiry.\n * `crypto.subtle.verify` does the constant-time compare internally,\n * so we don't need a separate `timingSafeEqual`.\n */\nexport async function verifyToken(\n  token: string,\n  key: string | Uint8Array,\n  nowSec: number = Math.floor(Date.now() / 1000),\n): Promise<VerifyResult> {\n  if (!token.startsWith(PREFIX)) return { kind: 'invalid', reason: 'malformed' }\n  const body = token.slice(PREFIX.length)\n  const dot = body.indexOf('.')\n  if (dot < 0) return { kind: 'invalid', reason: 'malformed' }\n\n  const payloadPart = body.slice(0, dot)\n  const sigPart = body.slice(dot + 1)\n  const sigBytes = fromBase64Url(sigPart)\n  if (!sigBytes) return { kind: 'invalid', reason: 'malformed' }\n\n  const cryptoKey = await importHmacKey(key, ['verify'])\n  const ok = await crypto.subtle.verify('HMAC', cryptoKey, sigBytes, toBytes(payloadPart))\n  if (!ok) return { kind: 'invalid', reason: 'bad-signature' }\n\n  const jsonBytes = fromBase64Url(payloadPart)\n  if (!jsonBytes) return { kind: 'invalid', reason: 'malformed' }\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(new TextDecoder().decode(jsonBytes))\n  } catch {\n    return { kind: 'invalid', reason: 'malformed' }\n  }\n\n  if (!isTokenPayload(parsed)) return { kind: 'invalid', reason: 'malformed' }\n  if (parsed.exp <= nowSec) return { kind: 'invalid', reason: 'expired' }\n  return { kind: 'ok', payload: parsed }\n}\n\nfunction isTokenPayload(x: unknown): x is TokenPayload {\n  if (!x || typeof x !== 'object') return false\n  const o = x as Record<string, unknown>\n  return (\n    typeof o.tid === 'string' &&\n    typeof o.iat === 'number' &&\n    typeof o.exp === 'number' &&\n    o.scope === 'agent'\n  )\n}\n"]}

package/dist/server/web/adapter.d.ts

@@ -0,0 +1,16 @@
+import type { PairingConnection } from '../ws/pairing-registry.js';
+/**
+ * Wrap a WHATWG `WebSocket` in a `PairingConnection`. This is the
+ * common denominator across Cloudflare Workers (`WebSocketPair`
+ * server half), Deno (`Deno.upgradeWebSocket().socket`), Bun's
+ * upgraded socket, and any other runtime that exposes a
+ * standards-compliant WebSocket object.
+ *
+ * The input type is intentionally the browser/global `WebSocket`
+ * interface — *not* the Node `ws` library's variant, which uses an
+ * EventEmitter API (`on('message', ...)`) rather than
+ * `addEventListener('message', ...)`. Use `./node/upgrade.ts` for
+ * the `ws` library path.
+ */
+export declare function createWHATWGPairingConnection(socket: WebSocket): PairingConnection;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/server/web/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../../src/server/web/adapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAGlE;;;;;;;;;;;;GAYG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,SAAS,GAAG,iBAAiB,CA4BlF"}

package/dist/server/web/adapter.js

@@ -0,0 +1,45 @@
+/**
+ * Wrap a WHATWG `WebSocket` in a `PairingConnection`. This is the
+ * common denominator across Cloudflare Workers (`WebSocketPair`
+ * server half), Deno (`Deno.upgradeWebSocket().socket`), Bun's
+ * upgraded socket, and any other runtime that exposes a
+ * standards-compliant WebSocket object.
+ *
+ * The input type is intentionally the browser/global `WebSocket`
+ * interface — *not* the Node `ws` library's variant, which uses an
+ * EventEmitter API (`on('message', ...)`) rather than
+ * `addEventListener('message', ...)`. Use `./node/upgrade.ts` for
+ * the `ws` library path.
+ */
+export function createWHATWGPairingConnection(socket) {
+    return {
+        send(frame) {
+            socket.send(JSON.stringify(frame));
+        },
+        onFrame(handler) {
+            socket.addEventListener('message', (ev) => {
+                const data = ev.data;
+                const raw = typeof data === 'string' ? data : new TextDecoder().decode(data);
+                try {
+                    const parsed = JSON.parse(raw);
+                    handler(parsed);
+                }
+                catch {
+                    // Ignore malformed frames — one bad frame shouldn't tear down the pairing.
+                }
+            });
+        },
+        onClose(handler) {
+            socket.addEventListener('close', () => handler());
+        },
+        close() {
+            try {
+                socket.close();
+            }
+            catch {
+                // Some runtimes throw if you close twice; swallow.
+            }
+        },
+    };
+}
+//# sourceMappingURL=adapter.js.map

package/dist/server/web/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../../../src/server/web/adapter.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,6BAA6B,CAAC,MAAiB;IAC7D,OAAO;QACL,IAAI,CAAC,KAAkB;YACrB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAA;QACpC,CAAC;QACD,OAAO,CAAC,OAAO;YACb,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE;gBACxC,MAAM,IAAI,GAAG,EAAE,CAAC,IAAI,CAAA;gBACpB,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAmB,CAAC,CAAA;gBAC3F,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAA;oBAC7C,OAAO,CAAC,MAAM,CAAC,CAAA;gBACjB,CAAC;gBAAC,MAAM,CAAC;oBACP,2EAA2E;gBAC7E,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;QACD,OAAO,CAAC,OAAO;YACb,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAA;QACnD,CAAC;QACD,KAAK;YACH,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,CAAA;YAChB,CAAC;YAAC,MAAM,CAAC;gBACP,mDAAmD;YACrD,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC","sourcesContent":["import type { PairingConnection } from '../ws/pairing-registry.js'\nimport type { ClientFrame, ServerFrame } from '../../protocol.js'\n\n/**\n * Wrap a WHATWG `WebSocket` in a `PairingConnection`. This is the\n * common denominator across Cloudflare Workers (`WebSocketPair`\n * server half), Deno (`Deno.upgradeWebSocket().socket`), Bun's\n * upgraded socket, and any other runtime that exposes a\n * standards-compliant WebSocket object.\n *\n * The input type is intentionally the browser/global `WebSocket`\n * interface — *not* the Node `ws` library's variant, which uses an\n * EventEmitter API (`on('message', ...)`) rather than\n * `addEventListener('message', ...)`. Use `./node/upgrade.ts` for\n * the `ws` library path.\n */\nexport function createWHATWGPairingConnection(socket: WebSocket): PairingConnection {\n  return {\n    send(frame: ServerFrame) {\n      socket.send(JSON.stringify(frame))\n    },\n    onFrame(handler) {\n      socket.addEventListener('message', (ev) => {\n        const data = ev.data\n        const raw = typeof data === 'string' ? data : new TextDecoder().decode(data as ArrayBuffer)\n        try {\n          const parsed = JSON.parse(raw) as ClientFrame\n          handler(parsed)\n        } catch {\n          // Ignore malformed frames — one bad frame shouldn't tear down the pairing.\n        }\n      })\n    },\n    onClose(handler) {\n      socket.addEventListener('close', () => handler())\n    },\n    close() {\n      try {\n        socket.close()\n      } catch {\n        // Some runtimes throw if you close twice; swallow.\n      }\n    },\n  }\n}\n"]}

package/dist/server/web/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Web-runtime adapters. Use this sub-path from Cloudflare Workers,
+ * Deno, Bun, or any other runtime that speaks WHATWG `Request` /
+ * `Response` and exposes native WebSocket upgrade primitives.
+ *
+ * Pair with `@llui/agent/server/core`'s `createLluiAgentCore` — that
+ * builds the runtime-neutral router and registry; the handlers
+ * exported here handle the WebSocket upgrade half.
+ */
+export { createWHATWGPairingConnection } from './adapter.js';
+export { handleCloudflareUpgrade, handleDenoUpgrade, extractToken } from './upgrade.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/web/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/web/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAA;AAC5D,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA"}

package/dist/server/web/index.js

@@ -0,0 +1,12 @@
+/**
+ * Web-runtime adapters. Use this sub-path from Cloudflare Workers,
+ * Deno, Bun, or any other runtime that speaks WHATWG `Request` /
+ * `Response` and exposes native WebSocket upgrade primitives.
+ *
+ * Pair with `@llui/agent/server/core`'s `createLluiAgentCore` — that
+ * builds the runtime-neutral router and registry; the handlers
+ * exported here handle the WebSocket upgrade half.
+ */
+export { createWHATWGPairingConnection } from './adapter.js';
+export { handleCloudflareUpgrade, handleDenoUpgrade, extractToken } from './upgrade.js';
+//# sourceMappingURL=index.js.map

package/dist/server/web/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/web/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAA;AAC5D,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA","sourcesContent":["/**\n * Web-runtime adapters. Use this sub-path from Cloudflare Workers,\n * Deno, Bun, or any other runtime that speaks WHATWG `Request` /\n * `Response` and exposes native WebSocket upgrade primitives.\n *\n * Pair with `@llui/agent/server/core`'s `createLluiAgentCore` — that\n * builds the runtime-neutral router and registry; the handlers\n * exported here handle the WebSocket upgrade half.\n */\nexport { createWHATWGPairingConnection } from './adapter.js'\nexport { handleCloudflareUpgrade, handleDenoUpgrade, extractToken } from './upgrade.js'\n"]}

package/dist/server/web/upgrade.d.ts

@@ -0,0 +1,41 @@
+import type { AgentCoreHandle } from '../core.js';
+/**
+ * Extract the bearer token from a LAP WebSocket upgrade request.
+ * Accepts the token on either `?token=` or `Authorization: Bearer` —
+ * query-string is the common pattern because browsers can't set
+ * arbitrary headers on WebSocket construction.
+ */
+export declare function extractToken(req: Request): string | null;
+/**
+ * Cloudflare Workers handler. Accepts a WebSocket upgrade using
+ * `WebSocketPair`, validates the token via
+ * `agent.acceptConnection`, and returns the 101 upgrade Response.
+ *
+ * Usage:
+ * ```ts
+ * const agent = createLluiAgentCore({ signingKey: env.AGENT_KEY })
+ * export default {
+ *   async fetch(req, env) {
+ *     const url = new URL(req.url)
+ *     if (url.pathname === '/agent/ws') return handleCloudflareUpgrade(req, agent)
+ *     return (await agent.router(req)) ?? new Response('Not Found', { status: 404 })
+ *   },
+ * }
+ * ```
+ */
+export declare function handleCloudflareUpgrade(req: Request, agent: AgentCoreHandle): Promise<Response>;
+/**
+ * Deno handler. Uses `Deno.upgradeWebSocket(req)` to produce the
+ * response + socket pair, then plugs the socket into the registry.
+ *
+ * Usage:
+ * ```ts
+ * Deno.serve(async (req) => {
+ *   const url = new URL(req.url)
+ *   if (url.pathname === '/agent/ws') return handleDenoUpgrade(req, agent)
+ *   return (await agent.router(req)) ?? new Response('Not Found', { status: 404 })
+ * })
+ * ```
+ */
+export declare function handleDenoUpgrade(req: Request, agent: AgentCoreHandle): Promise<Response>;
+//# sourceMappingURL=upgrade.d.ts.map

package/dist/server/web/upgrade.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"upgrade.d.ts","sourceRoot":"","sources":["../../../src/server/web/upgrade.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAGjD;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOxD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,eAAe,GACrB,OAAO,CAAC,QAAQ,CAAC,CAmCnB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,CA+B/F"}

package/dist/server/web/upgrade.js

@@ -0,0 +1,96 @@
+import { createWHATWGPairingConnection } from './adapter.js';
+/**
+ * Extract the bearer token from a LAP WebSocket upgrade request.
+ * Accepts the token on either `?token=` or `Authorization: Bearer` —
+ * query-string is the common pattern because browsers can't set
+ * arbitrary headers on WebSocket construction.
+ */
+export function extractToken(req) {
+    const url = new URL(req.url);
+    const q = url.searchParams.get('token');
+    if (q)
+        return q;
+    const auth = req.headers.get('authorization');
+    if (auth?.startsWith('Bearer '))
+        return auth.slice('Bearer '.length);
+    return null;
+}
+/**
+ * Cloudflare Workers handler. Accepts a WebSocket upgrade using
+ * `WebSocketPair`, validates the token via
+ * `agent.acceptConnection`, and returns the 101 upgrade Response.
+ *
+ * Usage:
+ * ```ts
+ * const agent = createLluiAgentCore({ signingKey: env.AGENT_KEY })
+ * export default {
+ *   async fetch(req, env) {
+ *     const url = new URL(req.url)
+ *     if (url.pathname === '/agent/ws') return handleCloudflareUpgrade(req, agent)
+ *     return (await agent.router(req)) ?? new Response('Not Found', { status: 404 })
+ *   },
+ * }
+ * ```
+ */
+export async function handleCloudflareUpgrade(req, agent) {
+    if (req.headers.get('upgrade') !== 'websocket') {
+        return new Response('Expected upgrade: websocket', { status: 426 });
+    }
+    const token = extractToken(req);
+    if (!token)
+        return new Response('Unauthorized', { status: 401 });
+    // `WebSocketPair` is a Cloudflare Workers global. We reference it
+    // through `globalThis` so importing this module in non-CF runtimes
+    // (e.g. during type-checking on Node) doesn't crash.
+    const Pair = globalThis.WebSocketPair;
+    if (!Pair) {
+        return new Response('WebSocketPair unavailable in this runtime', { status: 501 });
+    }
+    const pair = new Pair();
+    const client = pair[0];
+    const server = pair[1];
+    server.accept();
+    const conn = createWHATWGPairingConnection(server);
+    const result = await agent.acceptConnection(token, conn);
+    if (!result.ok) {
+        conn.close();
+        return new Response(result.code, { status: result.status });
+    }
+    // `webSocket` on ResponseInit is Cloudflare-specific; cast to satisfy
+    // the standard lib types.
+    return new Response(null, { status: 101, webSocket: client });
+}
+/**
+ * Deno handler. Uses `Deno.upgradeWebSocket(req)` to produce the
+ * response + socket pair, then plugs the socket into the registry.
+ *
+ * Usage:
+ * ```ts
+ * Deno.serve(async (req) => {
+ *   const url = new URL(req.url)
+ *   if (url.pathname === '/agent/ws') return handleDenoUpgrade(req, agent)
+ *   return (await agent.router(req)) ?? new Response('Not Found', { status: 404 })
+ * })
+ * ```
+ */
+export async function handleDenoUpgrade(req, agent) {
+    const token = extractToken(req);
+    if (!token)
+        return new Response('Unauthorized', { status: 401 });
+    const Deno_ = globalThis.Deno;
+    if (!Deno_) {
+        return new Response('Deno.upgradeWebSocket unavailable in this runtime', { status: 501 });
+    }
+    const { socket, response } = Deno_.upgradeWebSocket(req);
+    const conn = createWHATWGPairingConnection(socket);
+    // Deno opens the socket asynchronously; validate the token first,
+    // then register on `open` so frames aren't missed.
+    socket.addEventListener('open', () => {
+        void agent.acceptConnection(token, conn).then((result) => {
+            if (!result.ok)
+                conn.close();
+        });
+    }, { once: true });
+    return response;
+}
+//# sourceMappingURL=upgrade.js.map

package/dist/server/web/upgrade.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"upgrade.js","sourceRoot":"","sources":["../../../src/server/web/upgrade.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,6BAA6B,EAAE,MAAM,cAAc,CAAA;AAE5D;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC5B,MAAM,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACvC,IAAI,CAAC;QAAE,OAAO,CAAC,CAAA;IACf,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC7C,IAAI,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACpE,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAY,EACZ,KAAsB;IAEtB,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,WAAW,EAAE,CAAC;QAC/C,OAAO,IAAI,QAAQ,CAAC,6BAA6B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACrE,CAAC;IACD,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,QAAQ,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAEhE,kEAAkE;IAClE,mEAAmE;IACnE,qDAAqD;IACrD,MAAM,IAAI,GACR,UACD,CAAC,aAAa,CAAA;IACf,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,IAAI,QAAQ,CAAC,2CAA2C,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACnF,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAA;IACvB,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;IACtB,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAE,CAGtB;IAAC,MAA4C,CAAC,MAAM,EAAE,CAAA;IAEvD,MAAM,IAAI,GAAG,6BAA6B,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;IACxD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,IAAI,CAAC,KAAK,EAAE,CAAA;QACZ,OAAO,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IAC7D,CAAC;IAED,sEAAsE;IACtE,0BAA0B;IAC1B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAEzD,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,GAAY,EAAE,KAAsB;IAC1E,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,QAAQ,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAEhE,MAAM,KAAK,GACT,UAKD,CAAC,IAAI,CAAA;IACN,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,QAAQ,CAAC,mDAAmD,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAA;IACxD,MAAM,IAAI,GAAG,6BAA6B,CAAC,MAAM,CAAC,CAAA;IAElD,kEAAkE;IAClE,mDAAmD;IACnD,MAAM,CAAC,gBAAgB,CACrB,MAAM,EACN,GAAG,EAAE;QACH,KAAK,KAAK,CAAC,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;YACvD,IAAI,CAAC,MAAM,CAAC,EAAE;gBAAE,IAAI,CAAC,KAAK,EAAE,CAAA;QAC9B,CAAC,CAAC,CAAA;IACJ,CAAC,EACD,EAAE,IAAI,EAAE,IAAI,EAAE,CACf,CAAA;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC","sourcesContent":["import type { AgentCoreHandle } from '../core.js'\nimport { createWHATWGPairingConnection } from './adapter.js'\n\n/**\n * Extract the bearer token from a LAP WebSocket upgrade request.\n * Accepts the token on either `?token=` or `Authorization: Bearer` —\n * query-string is the common pattern because browsers can't set\n * arbitrary headers on WebSocket construction.\n */\nexport function extractToken(req: Request): string | null {\n  const url = new URL(req.url)\n  const q = url.searchParams.get('token')\n  if (q) return q\n  const auth = req.headers.get('authorization')\n  if (auth?.startsWith('Bearer ')) return auth.slice('Bearer '.length)\n  return null\n}\n\n/**\n * Cloudflare Workers handler. Accepts a WebSocket upgrade using\n * `WebSocketPair`, validates the token via\n * `agent.acceptConnection`, and returns the 101 upgrade Response.\n *\n * Usage:\n * ```ts\n * const agent = createLluiAgentCore({ signingKey: env.AGENT_KEY })\n * export default {\n *   async fetch(req, env) {\n *     const url = new URL(req.url)\n *     if (url.pathname === '/agent/ws') return handleCloudflareUpgrade(req, agent)\n *     return (await agent.router(req)) ?? new Response('Not Found', { status: 404 })\n *   },\n * }\n * ```\n */\nexport async function handleCloudflareUpgrade(\n  req: Request,\n  agent: AgentCoreHandle,\n): Promise<Response> {\n  if (req.headers.get('upgrade') !== 'websocket') {\n    return new Response('Expected upgrade: websocket', { status: 426 })\n  }\n  const token = extractToken(req)\n  if (!token) return new Response('Unauthorized', { status: 401 })\n\n  // `WebSocketPair` is a Cloudflare Workers global. We reference it\n  // through `globalThis` so importing this module in non-CF runtimes\n  // (e.g. during type-checking on Node) doesn't crash.\n  const Pair = (\n    globalThis as unknown as { WebSocketPair?: new () => { 0: WebSocket; 1: WebSocket } }\n  ).WebSocketPair\n  if (!Pair) {\n    return new Response('WebSocketPair unavailable in this runtime', { status: 501 })\n  }\n  const pair = new Pair()\n  const client = pair[0]\n  const server = pair[1]!\n  // `accept()` on the server half is Cloudflare-specific — it tells\n  // the runtime the Worker will handle the WebSocket itself.\n  ;(server as unknown as { accept: () => void }).accept()\n\n  const conn = createWHATWGPairingConnection(server)\n  const result = await agent.acceptConnection(token, conn)\n  if (!result.ok) {\n    conn.close()\n    return new Response(result.code, { status: result.status })\n  }\n\n  // `webSocket` on ResponseInit is Cloudflare-specific; cast to satisfy\n  // the standard lib types.\n  return new Response(null, { status: 101, webSocket: client } as ResponseInit & {\n    webSocket: WebSocket\n  })\n}\n\n/**\n * Deno handler. Uses `Deno.upgradeWebSocket(req)` to produce the\n * response + socket pair, then plugs the socket into the registry.\n *\n * Usage:\n * ```ts\n * Deno.serve(async (req) => {\n *   const url = new URL(req.url)\n *   if (url.pathname === '/agent/ws') return handleDenoUpgrade(req, agent)\n *   return (await agent.router(req)) ?? new Response('Not Found', { status: 404 })\n * })\n * ```\n */\nexport async function handleDenoUpgrade(req: Request, agent: AgentCoreHandle): Promise<Response> {\n  const token = extractToken(req)\n  if (!token) return new Response('Unauthorized', { status: 401 })\n\n  const Deno_ = (\n    globalThis as unknown as {\n      Deno?: {\n        upgradeWebSocket: (req: Request) => { socket: WebSocket; response: Response }\n      }\n    }\n  ).Deno\n  if (!Deno_) {\n    return new Response('Deno.upgradeWebSocket unavailable in this runtime', { status: 501 })\n  }\n\n  const { socket, response } = Deno_.upgradeWebSocket(req)\n  const conn = createWHATWGPairingConnection(socket)\n\n  // Deno opens the socket asynchronously; validate the token first,\n  // then register on `open` so frames aren't missed.\n  socket.addEventListener(\n    'open',\n    () => {\n      void agent.acceptConnection(token, conn).then((result) => {\n        if (!result.ok) conn.close()\n      })\n    },\n    { once: true },\n  )\n\n  return response\n}\n"]}

package/dist/server/ws/pairing-registry.d.ts

@@ -1,7 +1,11 @@
 import type { ClientFrame, ServerFrame, HelloFrame, LogEntry } from '../../protocol.js';
+import { type RpcOptions, type RpcError } from './rpc.js';
+export type { RpcOptions, RpcError };
 /**
- * Thin abstraction over a WebSocket so the registry is testable with
- * a fake EventEmitter-style mock.
+ * Thin abstraction over a single paired WebSocket. Consumed by the
+ * registry implementations; runtime-specific adapters (`ws`-lib,
+ * `WebSocketPair`, `Deno.upgradeWebSocket`, `Bun.serve` upgrade) build
+ * one of these and pass it to `registry.register()`.
  */
 export interface PairingConnection {
     send(frame: ServerFrame): void;
@@ -9,35 +13,85 @@ export interface PairingConnection {
     onClose(handler: () => void): void;
     close(): void;
 }
-export type RpcError = {
-    code: 'paused' | 'invalid' | 'timeout' | 'schema-error' | 'internal' | string;
-    detail?: string;
-};
-export type RpcOptions = {
-    timeoutMs?: number;
-};
 /**
- * Tracks live browser pairings and correlates rpc requests with replies.
- * One instance per server; shared by all LAP handlers + the upgrade
- * handler. Spec §10.4–§10.5.
+ * A per-call frame subscriber. Return `true` to remove this
+ * subscriber (one-shot), or `false` to keep receiving. The registry
+ * dispatches every inbound `ClientFrame` to every active subscriber
+ * for the given `tid`; subscribers filter by `frame.t` + identifiers
+ * (correlation id, confirm id, state path) to find the one that
+ * belongs to their request.
  */
-export declare class WsPairingRegistry {
+export type FrameSubscriber = (frame: ClientFrame) => boolean;
+/**
+ * Registry of live browser pairings. Pure routing + hello cache —
+ * request-lifecycle state (in-flight RPC promises, confirm waits,
+ * long-polls) lives in the LAP handlers that need it, not here.
+ *
+ * Two implementations ship today:
+ *   - `InMemoryPairingRegistry` for long-lived server processes
+ *     (Node, Bun, Deno, Deno Deploy).
+ *   - A Cloudflare Durable Object implementation (see
+ *     `server/cloudflare`) for stateless Worker runtimes.
+ *
+ * Other runtimes can implement this interface the same way; the
+ * contract is intentionally small.
+ */
+export interface PairingRegistry {
+    register(tid: string, conn: PairingConnection): void;
+    unregister(tid: string): void;
+    isPaired(tid: string): boolean;
+    getHello(tid: string): HelloFrame | null;
+    /** Send a frame. No-op when the pairing is absent or closed. */
+    send(tid: string, frame: ServerFrame): void;
+    /**
+     * Subscribe to frames from the paired browser. Returns an
+     * unsubscribe function. A subscriber can remove itself mid-dispatch
+     * by returning `true` from its callback — useful for one-shot
+     * request/response correlation.
+     */
+    subscribe(tid: string, handler: FrameSubscriber): () => void;
+    /**
+     * Observe the pairing closing (WebSocket drop, `unregister`, etc.).
+     * Handlers registered before close fire; handlers registered after
+     * close fire synchronously. Returns an unsubscribe function.
+     */
+    onClose(tid: string, handler: () => void): () => void;
+    /**
+     * Send a typed rpc frame and await its matching reply. See
+     * `./rpc.ts::rpc` for the full contract.
+     */
+    rpc(tid: string, tool: string, args: unknown, opts?: RpcOptions): Promise<unknown>;
+    /** See `./rpc.ts::waitForConfirm`. */
+    waitForConfirm(tid: string, confirmId: string, timeoutMs: number): Promise<{
+        outcome: 'confirmed' | 'user-cancelled';
+        stateAfter?: unknown;
+    }>;
+    /** See `./rpc.ts::waitForChange`. */
+    waitForChange(tid: string, path: string | undefined, timeoutMs: number): Promise<{
+        status: 'changed' | 'timeout';
+        stateAfter: unknown;
+    }>;
+}
+/**
+ * Single-process in-memory registry. Correct for Node/Bun/Deno/Deno
+ * Deploy — anywhere the server process can hold a long-lived
+ * WebSocket. Not suitable for stateless Worker isolates; use the
+ * Durable Object registry for Cloudflare.
+ */
+export declare class InMemoryPairingRegistry implements PairingRegistry {
     private pairings;
-    private now;
     private onLogAppend;
     constructor(opts?: {
-        now?: () => number;
         onLogAppend?: (tid: string, entry: LogEntry) => void;
     });
     register(tid: string, conn: PairingConnection): void;
     unregister(tid: string): void;
     isPaired(tid: string): boolean;
-    /**
-     * Send a ServerFrame to the paired browser connection, if one is live.
-     * No-op when unpaired or closed.
-     */
-    notify(tid: string, frame: ServerFrame): void;
     getHello(tid: string): HelloFrame | null;
+    send(tid: string, frame: ServerFrame): void;
+    subscribe(tid: string, handler: FrameSubscriber): () => void;
+    onClose(tid: string, handler: () => void): () => void;
+    private dispatch;
     rpc(tid: string, tool: string, args: unknown, opts?: RpcOptions): Promise<unknown>;
     waitForConfirm(tid: string, confirmId: string, timeoutMs: number): Promise<{
         outcome: 'confirmed' | 'user-cancelled';
@@ -47,7 +101,16 @@ export declare class WsPairingRegistry {
         status: 'changed' | 'timeout';
         stateAfter: unknown;
     }>;
-    private handleClientFrame;
+    /** @deprecated Use `send(tid, frame)` directly; semantics are identical. */
+    notify(tid: string, frame: ServerFrame): void;
     private handleClose;
 }
+/**
+ * Back-compat alias for the prior class name. New code should use
+ * `InMemoryPairingRegistry`. Removed in a future major.
+ *
+ * @deprecated Use `InMemoryPairingRegistry` directly.
+ */
+export declare const WsPairingRegistry: typeof InMemoryPairingRegistry;
+export type WsPairingRegistry = InMemoryPairingRegistry;
 //# sourceMappingURL=pairing-registry.d.ts.map

package/dist/server/ws/pairing-registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pairing-registry.d.ts","sourceRoot":"","sources":["../../../src/server/ws/pairing-registry.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAEvF;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAA;IAC9B,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,WAAW,KAAK,IAAI,GAAG,IAAI,CAAA;IAChD,OAAO,CAAC,OAAO,EAAE,MAAM,IAAI,GAAG,IAAI,CAAA;IAClC,KAAK,IAAI,IAAI,CAAA;CACd;AA4BD,MAAM,MAAM,QAAQ,GAAG;IACrB,IAAI,EAAE,QAAQ,GAAG,SAAS,GAAG,SAAS,GAAG,cAAc,GAAG,UAAU,GAAG,MAAM,CAAA;IAC7E,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG;IAAE,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAAA;AAE/C;;;;GAIG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAA6B;IAC7C,OAAO,CAAC,GAAG,CAAc;IACzB,OAAO,CAAC,WAAW,CAAiD;gBAGlE,IAAI,GAAE;QACJ,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;QAClB,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,KAAK,IAAI,CAAA;KAChD;IAMR,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,IAAI;IAcpD,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAM7B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAK9B;;;OAGG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI;IAU7C,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAIlC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,GAAE,UAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA6BtF,cAAc,CAClB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,OAAO,EAAE,WAAW,GAAG,gBAAgB,CAAC;QAAC,UAAU,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAiBvE,aAAa,CACjB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,MAAM,EAAE,SAAS,GAAG,SAAS,CAAC;QAAC,UAAU,EAAE,OAAO,CAAA;KAAE,CAAC;IAiBlE,OAAO,CAAC,iBAAiB;IAmDzB,OAAO,CAAC,WAAW;CAqBpB"}
+{"version":3,"file":"pairing-registry.d.ts","sourceRoot":"","sources":["../../../src/server/ws/pairing-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AACvF,OAAO,EAIL,KAAK,UAAU,EACf,KAAK,QAAQ,EACd,MAAM,UAAU,CAAA;AAEjB,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAA;AAEpC;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAAA;IAC9B,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,WAAW,KAAK,IAAI,GAAG,IAAI,CAAA;IAChD,OAAO,CAAC,OAAO,EAAE,MAAM,IAAI,GAAG,IAAI,CAAA;IAClC,KAAK,IAAI,IAAI,CAAA;CACd;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAA;AAE7D;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAE9B,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,IAAI,CAAA;IACpD,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAAA;IACxC,gEAAgE;IAChE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI,CAAA;IAC3C;;;;;OAKG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,MAAM,IAAI,CAAA;IAC5D;;;;OAIG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAA;IAWrD;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAClF,sCAAsC;IACtC,cAAc,CACZ,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,OAAO,EAAE,WAAW,GAAG,gBAAgB,CAAC;QAAC,UAAU,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC,CAAA;IAC7E,qCAAqC;IACrC,aAAa,CACX,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,MAAM,EAAE,SAAS,GAAG,SAAS,CAAC;QAAC,UAAU,EAAE,OAAO,CAAA;KAAE,CAAC,CAAA;CACnE;AAUD;;;;;GAKG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,OAAO,CAAC,QAAQ,CAA6B;IAC7C,OAAO,CAAC,WAAW,CAAiD;gBAGlE,IAAI,GAAE;QACJ,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,KAAK,IAAI,CAAA;KAChD;IAKR,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,IAAI;IAapD,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAI7B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAK9B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAIxC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI;IAU3C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,MAAM,IAAI;IAS5D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI;IAcrD,OAAO,CAAC,QAAQ;IAmChB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,GAAE,UAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IAItF,cAAc,CACZ,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,OAAO,EAAE,WAAW,GAAG,gBAAgB,CAAC;QAAC,UAAU,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IAI7E,aAAa,CACX,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,MAAM,EAAE,SAAS,GAAG,SAAS,CAAC;QAAC,UAAU,EAAE,OAAO,CAAA;KAAE,CAAC;IAIlE,4EAA4E;IAC5E,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,GAAG,IAAI;IAI7C,OAAO,CAAC,WAAW;CAepB;AAED;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,gCAA0B,CAAA;AACxD,MAAM,MAAM,iBAAiB,GAAG,uBAAuB,CAAA"}