@madarco/agentbox 0.6.0 → 0.7.0

package/dist/chunk-I24B6AXR.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../packages/sandbox-hetzner/src/env-loader.ts","../../../packages/sandbox-hetzner/src/client.ts","../../../packages/sandbox-hetzner/src/credentials.ts","../../../packages/sandbox-hetzner/src/egress-ip.ts","../../../packages/sandbox-hetzner/src/retry.ts","../../../packages/sandbox-hetzner/src/firewall.ts"],"sourcesContent":["import { existsSync, readFileSync } from 'node:fs';\nimport { homedir } from 'node:os';\nimport { resolve } from 'node:path';\n\n/**\n * Hetzner env auto-loader — mirrors `ensureDaytonaEnvLoaded()`. The Hetzner\n * REST client reads `HCLOUD_TOKEN` from `process.env`. We pull it in from\n * `~/.agentbox/secrets.env` so the client Just Works after the user runs\n * `agentbox hetzner login` once.\n *\n * Lookup order (first wins; process.env is never overwritten):\n *   1. `process.env` (already set in the shell).\n *   2. `~/.agentbox/secrets.env` — written by `agentbox hetzner login`.\n *\n * Project-level `.env` / `.env.local` are intentionally NOT consulted: those\n * files belong to the app code being developed, and a `HCLOUD_TOKEN` there\n * is typically meant for in-box infrastructure work, not for the host CLI to\n * harvest and provision VPSes with.\n *\n * Only Hetzner-prefixed keys are imported. Idempotent + side-effect-free\n * after the first call.\n */\nconst HETZNER_KEYS = ['HCLOUD_TOKEN', 'HCLOUD_ENDPOINT'] as const;\n\nlet loaded = false;\n\nexport function ensureHetznerEnvLoaded(): void {\n  if (loaded) return;\n  loaded = true;\n  importHetznerFromFile(resolve(homedir(), '.agentbox', 'secrets.env'));\n}\n\nfunction importHetznerFromFile(path: string): void {\n  if (!existsSync(path)) return;\n  let body: string;\n  try {\n    body = readFileSync(path, 'utf8');\n  } catch {\n    return;\n  }\n  const parsed = parseEnvFile(body);\n  for (const key of HETZNER_KEYS) {\n    if (process.env[key] !== undefined) continue;\n    const value = parsed[key];\n    if (typeof value === 'string') {\n      process.env[key] = value;\n    }\n  }\n}\n\n/**\n * Minimal `.env` parser: handles `KEY=value`, `KEY=\"value with spaces\"`,\n * `KEY='value with $special chars'`, `export KEY=value`, blank lines, and\n * `#` comments. Same shape as the daytona env-loader's parser — kept local\n * here rather than imported across packages to avoid the cycle (daytona\n * doesn't import from hetzner and shouldn't start now).\n */\nexport function parseEnvFile(body: string): Record<string, string> {\n  const out: Record<string, string> = {};\n  for (const rawLine of body.split(/\\r?\\n/)) {\n    const line = rawLine.trim();\n    if (line.length === 0 || line.startsWith('#')) continue;\n    const stripped = line.startsWith('export ') ? line.slice('export '.length) : line;\n    const eq = stripped.indexOf('=');\n    if (eq <= 0) continue;\n    const key = stripped.slice(0, eq).trim();\n    let value = stripped.slice(eq + 1).trim();\n    if (\n      value.length >= 2 &&\n      ((value.startsWith('\"') && value.endsWith('\"')) ||\n        (value.startsWith(\"'\") && value.endsWith(\"'\")))\n    ) {\n      value = value.slice(1, -1);\n    }\n    out[key] = value;\n  }\n  return out;\n}\n","/**\n * Hetzner Cloud REST API client — hand-rolled fetch wrapper.\n *\n * Why not an SDK: the Hetzner SDK options are limited (no official JS SDK\n * with strict types at the time of writing), and the subset of the API we\n * need is small (servers, images, firewalls, plus a handful of read-only\n * lookups). A hand-rolled client gives us strict typing of just the fields\n * we touch, no heavy dep tree, and full control over the retry wrapper.\n *\n * Auth: bearer token in `HCLOUD_TOKEN` env. The env-loader pulls it from\n * `~/.agentbox/secrets.env` so the user only sets it once via\n * `agentbox hetzner login`.\n *\n * Errors: REST responses get unwrapped into typed `HetznerApiError`s that\n * carry the response `status` + the API's `error.code` / `error.message`.\n * Network failures bubble up as raw `Error`s with a `code` property\n * (ECONNRESET, ETIMEDOUT, …) — the retry wrapper classifies both shapes.\n */\n\nimport { ensureHetznerEnvLoaded } from './env-loader.js';\n\nexport const DEFAULT_HCLOUD_ENDPOINT = 'https://api.hetzner.cloud/v1';\n\n/**\n * Coarse Hetzner Cloud Server lifecycle states we care about. Hetzner has a\n * dozen finer-grained ones (`initializing`, `migrating`, `rebuilding`, …);\n * we map them in `backend.ts` to the four-value `CloudState` everyone else\n * consumes. Listed here so the client return types stay narrow.\n */\nexport type HetznerServerStatus =\n  | 'running'\n  | 'initializing'\n  | 'starting'\n  | 'stopping'\n  | 'off'\n  | 'deleting'\n  | 'migrating'\n  | 'rebuilding'\n  | 'unknown';\n\nexport interface HetznerServer {\n  id: number;\n  name: string;\n  status: HetznerServerStatus;\n  created: string;\n  public_net: {\n    ipv4: { ip: string; blocked: boolean } | null;\n    ipv6: { ip: string; blocked: boolean } | null;\n  };\n  server_type: { name: string; cores: number; memory: number; disk: number };\n  image: { id: number; name?: string; description?: string; type: string } | null;\n  labels: Record<string, string>;\n}\n\nexport interface HetznerAction {\n  id: number;\n  command: string;\n  status: 'running' | 'success' | 'error';\n  progress: number;\n  error?: { code: string; message: string };\n}\n\nexport interface HetznerImage {\n  id: number;\n  type: 'system' | 'snapshot' | 'backup' | 'app';\n  status: 'available' | 'creating' | 'unavailable';\n  name?: string;\n  description: string;\n  image_size?: number;\n  disk_size: number;\n  created: string;\n  labels: Record<string, string>;\n  bound_to?: number;\n}\n\nexport interface HetznerFirewall {\n  id: number;\n  name: string;\n  rules: HetznerFirewallRule[];\n  applied_to: Array<{ type: 'server'; server: { id: number } }>;\n}\n\nexport interface HetznerFirewallRule {\n  direction: 'in' | 'out';\n  protocol: 'tcp' | 'udp' | 'icmp' | 'esp' | 'gre';\n  port?: string;\n  source_ips?: string[];\n  destination_ips?: string[];\n  description?: string;\n}\n\nexport interface HetznerSshKey {\n  id: number;\n  name: string;\n  fingerprint: string;\n  public_key: string;\n  labels: Record<string, string>;\n}\n\nexport interface CreateServerRequest {\n  name: string;\n  server_type: string;\n  image: string | number;\n  location?: string;\n  datacenter?: string;\n  user_data?: string;\n  ssh_keys?: Array<string | number>;\n  firewalls?: Array<{ firewall: number }>;\n  labels?: Record<string, string>;\n  start_after_create?: boolean;\n  public_net?: {\n    enable_ipv4?: boolean;\n    enable_ipv6?: boolean;\n  };\n}\n\nexport interface CreateFirewallRequest {\n  name: string;\n  rules: HetznerFirewallRule[];\n  labels?: Record<string, string>;\n  apply_to?: Array<{ type: 'server'; server: { id: number } }>;\n}\n\n/**\n * Strongly-typed Hetzner API error. The Hetzner API consistently returns\n * `{ error: { code, message, details? } }` for 4xx/5xx (https://docs.hetzner.cloud/#errors).\n * We unwrap that into this class so callers can do `instanceof\n * HetznerApiError` and inspect `.code` / `.statusCode` without parsing the\n * body again.\n */\nexport class HetznerApiError extends Error {\n  readonly statusCode: number;\n  readonly code: string;\n  readonly details?: unknown;\n  constructor(statusCode: number, code: string, message: string, details?: unknown) {\n    super(`hetzner ${String(statusCode)} ${code}: ${message}`);\n    this.name = 'HetznerApiError';\n    this.statusCode = statusCode;\n    this.code = code;\n    this.details = details;\n  }\n}\n\n/**\n * Subset of the Hetzner Cloud API the agentbox provider talks to. Methods\n * map 1:1 to REST endpoints; each operation is small + idempotent-where-the-\n * API-is-idempotent. The retry wrapper around the provider methods handles\n * transient 5xx / connection failures.\n */\nexport interface HetznerClient {\n  /** GET /servers/{id}. Returns null on 404 so callers don't have to try/catch. */\n  getServer(id: number): Promise<HetznerServer | null>;\n  /** POST /servers. Returns the created server + the create action handle. */\n  createServer(req: CreateServerRequest): Promise<{ server: HetznerServer; action: HetznerAction }>;\n  /** GET /servers (with optional label selector). */\n  listServers(opts?: { label_selector?: string }): Promise<HetznerServer[]>;\n  /** DELETE /servers/{id}. Returns the action handle. Idempotent on 404. */\n  deleteServer(id: number): Promise<HetznerAction | null>;\n  /** POST /servers/{id}/actions/poweron. */\n  powerOn(id: number): Promise<HetznerAction>;\n  /** POST /servers/{id}/actions/poweroff. */\n  powerOff(id: number): Promise<HetznerAction>;\n  /** POST /servers/{id}/actions/shutdown — graceful, sends ACPI. */\n  shutdown(id: number): Promise<HetznerAction>;\n  /** POST /servers/{id}/actions/create_image — snapshot of the live disk. */\n  createImage(\n    id: number,\n    body: { type: 'snapshot' | 'backup'; description?: string; labels?: Record<string, string> },\n  ): Promise<{ image: HetznerImage; action: HetznerAction }>;\n  /** GET /images/{id}. Returns null on 404. */\n  getImage(id: number): Promise<HetznerImage | null>;\n  /** GET /images (filterable). */\n  listImages(opts?: {\n    type?: 'system' | 'snapshot' | 'backup' | 'app';\n    label_selector?: string;\n    name?: string;\n  }): Promise<HetznerImage[]>;\n  /** DELETE /images/{id}. Idempotent on 404. */\n  deleteImage(id: number): Promise<void>;\n  /** POST /firewalls. */\n  createFirewall(req: CreateFirewallRequest): Promise<HetznerFirewall>;\n  /** POST /firewalls/{id}/actions/set_rules. Replaces the entire rule set. */\n  setFirewallRules(id: number, rules: HetznerFirewallRule[]): Promise<HetznerAction[]>;\n  /** GET /firewalls/{id}. Returns null on 404. */\n  getFirewall(id: number): Promise<HetznerFirewall | null>;\n  /** DELETE /firewalls/{id}. Idempotent on 404. */\n  deleteFirewall(id: number): Promise<void>;\n  /**\n   * GET /locations — used by `agentbox hetzner login` to validate the token\n   * with a cheap unauthenticated-shape call (the endpoint requires a valid\n   * token but returns a small, stable response).\n   */\n  listLocations(): Promise<Array<{ id: number; name: string; city: string; country: string }>>;\n}\n\ninterface MakeClientOptions {\n  /** Override the bearer token (else read from `HCLOUD_TOKEN`). */\n  token?: string;\n  /** Override the API base URL (else read from `HCLOUD_ENDPOINT` or use the default). */\n  endpoint?: string;\n  /** Per-request fetch impl (tests inject this). */\n  fetchImpl?: typeof fetch;\n}\n\n/**\n * Build a Hetzner Cloud client bound to the current `HCLOUD_TOKEN`. The token\n * is resolved at construction time, so re-running `agentbox hetzner login` in\n * the middle of a long-lived process won't pick up the new token without a\n * fresh `makeHetznerClient()` call (we accept this — the CLI re-imports the\n * provider on each invocation).\n */\nexport function makeHetznerClient(opts: MakeClientOptions = {}): HetznerClient {\n  ensureHetznerEnvLoaded();\n  const rawToken = opts.token ?? process.env.HCLOUD_TOKEN;\n  if (!rawToken || rawToken.trim().length === 0) {\n    throw new Error(\n      'Hetzner credentials not configured: HCLOUD_TOKEN is empty.\\n' +\n        'Run `agentbox hetzner login` interactively, or set HCLOUD_TOKEN in the environment.',\n    );\n  }\n  // Bind to a const so the type narrows for the closures below — without\n  // this the `req()` closure sees the original `string | undefined` shape.\n  const token: string = rawToken.trim();\n  const endpoint = (opts.endpoint ?? process.env.HCLOUD_ENDPOINT ?? DEFAULT_HCLOUD_ENDPOINT).replace(/\\/$/, '');\n  const fetchImpl = opts.fetchImpl ?? fetch;\n\n  async function req<T>(\n    method: 'GET' | 'POST' | 'PUT' | 'DELETE',\n    path: string,\n    body?: unknown,\n  ): Promise<T | null> {\n    const url = `${endpoint}${path}`;\n    const init: RequestInit = {\n      method,\n      headers: {\n        Authorization: `Bearer ${token}`,\n        ...(body !== undefined ? { 'Content-Type': 'application/json' } : {}),\n      },\n      ...(body !== undefined ? { body: JSON.stringify(body) } : {}),\n    };\n    const res = await fetchImpl(url, init);\n    if (res.status === 204) return null;\n    if (res.status === 404) return null;\n    if (!res.ok) {\n      let parsed: { error?: { code?: string; message?: string; details?: unknown } } = {};\n      try {\n        parsed = (await res.json()) as typeof parsed;\n      } catch {\n        // body wasn't json\n      }\n      const code = parsed.error?.code ?? `http_${String(res.status)}`;\n      const msg = parsed.error?.message ?? res.statusText ?? 'unknown error';\n      throw new HetznerApiError(res.status, code, msg, parsed.error?.details);\n    }\n    const text = await res.text();\n    if (text.length === 0) return null;\n    return JSON.parse(text) as T;\n  }\n\n  async function reqExpect<T>(\n    method: 'GET' | 'POST' | 'PUT' | 'DELETE',\n    path: string,\n    body?: unknown,\n  ): Promise<T> {\n    const out = await req<T>(method, path, body);\n    if (out === null) {\n      throw new HetznerApiError(0, 'empty_response', `expected a body from ${method} ${path}`);\n    }\n    return out;\n  }\n\n  return {\n    async getServer(id) {\n      const r = await req<{ server: HetznerServer }>('GET', `/servers/${String(id)}`);\n      return r?.server ?? null;\n    },\n    async createServer(reqBody) {\n      const r = await reqExpect<{ server: HetznerServer; action: HetznerAction }>(\n        'POST',\n        '/servers',\n        reqBody,\n      );\n      return { server: r.server, action: r.action };\n    },\n    async listServers(opts) {\n      const params = new URLSearchParams();\n      if (opts?.label_selector) params.set('label_selector', opts.label_selector);\n      params.set('per_page', '50');\n      const all: HetznerServer[] = [];\n      let pageNum = 1;\n      while (true) {\n        params.set('page', String(pageNum));\n        const r = await reqExpect<{\n          servers: HetznerServer[];\n          meta?: { pagination?: { next_page?: number | null } };\n        }>('GET', `/servers?${params.toString()}`);\n        all.push(...r.servers);\n        const next = r.meta?.pagination?.next_page;\n        if (typeof next !== 'number') break;\n        pageNum = next;\n      }\n      return all;\n    },\n    async deleteServer(id) {\n      const r = await req<{ action: HetznerAction }>('DELETE', `/servers/${String(id)}`);\n      return r?.action ?? null;\n    },\n    async powerOn(id) {\n      const r = await reqExpect<{ action: HetznerAction }>(\n        'POST',\n        `/servers/${String(id)}/actions/poweron`,\n      );\n      return r.action;\n    },\n    async powerOff(id) {\n      const r = await reqExpect<{ action: HetznerAction }>(\n        'POST',\n        `/servers/${String(id)}/actions/poweroff`,\n      );\n      return r.action;\n    },\n    async shutdown(id) {\n      const r = await reqExpect<{ action: HetznerAction }>(\n        'POST',\n        `/servers/${String(id)}/actions/shutdown`,\n      );\n      return r.action;\n    },\n    async createImage(id, body) {\n      const r = await reqExpect<{ image: HetznerImage; action: HetznerAction }>(\n        'POST',\n        `/servers/${String(id)}/actions/create_image`,\n        body,\n      );\n      return { image: r.image, action: r.action };\n    },\n    async getImage(id) {\n      const r = await req<{ image: HetznerImage }>('GET', `/images/${String(id)}`);\n      return r?.image ?? null;\n    },\n    async listImages(opts) {\n      const params = new URLSearchParams();\n      if (opts?.type) params.set('type', opts.type);\n      if (opts?.label_selector) params.set('label_selector', opts.label_selector);\n      if (opts?.name) params.set('name', opts.name);\n      params.set('per_page', '50');\n      const all: HetznerImage[] = [];\n      let pageNum = 1;\n      while (true) {\n        params.set('page', String(pageNum));\n        const r = await reqExpect<{\n          images: HetznerImage[];\n          meta?: { pagination?: { next_page?: number | null } };\n        }>('GET', `/images?${params.toString()}`);\n        all.push(...r.images);\n        const next = r.meta?.pagination?.next_page;\n        if (typeof next !== 'number') break;\n        pageNum = next;\n      }\n      return all;\n    },\n    async deleteImage(id) {\n      await req<unknown>('DELETE', `/images/${String(id)}`);\n    },\n    async createFirewall(reqBody) {\n      const r = await reqExpect<{ firewall: HetznerFirewall }>('POST', '/firewalls', reqBody);\n      return r.firewall;\n    },\n    async setFirewallRules(id, rules) {\n      const r = await reqExpect<{ actions: HetznerAction[] }>(\n        'POST',\n        `/firewalls/${String(id)}/actions/set_rules`,\n        { rules },\n      );\n      return r.actions;\n    },\n    async getFirewall(id) {\n      const r = await req<{ firewall: HetznerFirewall }>('GET', `/firewalls/${String(id)}`);\n      return r?.firewall ?? null;\n    },\n    async deleteFirewall(id) {\n      await req<unknown>('DELETE', `/firewalls/${String(id)}`);\n    },\n    async listLocations() {\n      const r = await reqExpect<{\n        locations: Array<{ id: number; name: string; city: string; country: string }>;\n      }>('GET', '/locations');\n      return r.locations;\n    },\n  };\n}\n","import { spawnSync } from 'node:child_process';\nimport {\n  chmodSync,\n  existsSync,\n  mkdirSync,\n  readFileSync,\n  renameSync,\n  writeFileSync,\n} from 'node:fs';\nimport { homedir } from 'node:os';\nimport { dirname, resolve } from 'node:path';\nimport { confirm, isCancel, intro, log, note, outro, password, spinner } from '@clack/prompts';\nimport { makeHetznerClient } from './client.js';\nimport { ensureHetznerEnvLoaded } from './env-loader.js';\n\nconst DASHBOARD_KEYS_URL = 'https://console.hetzner.cloud/projects';\n\n/**\n * Keys we manage in `~/.agentbox/secrets.env`. When the user reconfigures\n * we strip prior values before appending so the file never accumulates\n * duplicates. `HCLOUD_ENDPOINT` is honored but we don't prompt for it\n * (default endpoint covers 100% of users).\n */\nconst MANAGED_KEYS = ['HCLOUD_TOKEN', 'HCLOUD_ENDPOINT'] as const;\ntype ManagedKey = (typeof MANAGED_KEYS)[number];\n\nexport interface EnsureHetznerCredentialsOptions {\n  /** Re-prompt even when valid credentials are already present (used by `agentbox hetzner login`). */\n  force?: boolean;\n}\n\n/**\n * First-run interactive setup for Hetzner credentials. Walks the user\n * through creating a project API token, pasting it, validating, and\n * persisting to `~/.agentbox/secrets.env`.\n *\n * No-op when credentials are already configured (env var or our secrets\n * file). Silent no-op when stdin isn't a TTY so scripted/CI callers get\n * the API \"401 unauthorized\" error instead of a hung prompt.\n *\n * Mirrors `ensureDaytonaCredentials()` in shape so the registry's first-\n * run gate stays uniform across providers.\n */\nexport async function ensureHetznerCredentials(\n  opts: EnsureHetznerCredentialsOptions = {},\n): Promise<void> {\n  ensureHetznerEnvLoaded();\n\n  if (!opts.force && hasUsableCredentials()) return;\n  if (!process.stdin.isTTY) return;\n\n  intro('Hetzner Cloud setup');\n  note(\n    `AgentBox needs a Hetzner Cloud API token (project-scoped) to provision VPSes.\\n\\n` +\n      `1. Open ${DASHBOARD_KEYS_URL}\\n` +\n      `2. Pick a project (or create one).\\n` +\n      `3. Security → API Tokens → Generate API Token (Read + Write).`,\n    'API token required',\n  );\n\n  const open = await confirm({\n    message: `Open ${DASHBOARD_KEYS_URL} in your browser?`,\n    initialValue: true,\n  });\n  if (isCancel(open)) {\n    log.warn('Hetzner setup cancelled — re-run `agentbox hetzner login` when ready.');\n    return;\n  }\n  if (open) openDashboard();\n\n  // One retry on auth failure (typos / expired token are the common case).\n  for (let attempt = 0; attempt < 2; attempt++) {\n    const creds = await promptForCredentials();\n    if (creds === null) return;\n\n    const result = await validateCredentials(creds);\n    if (result.ok) {\n      persistCredentials(creds);\n      log.success(`Hetzner credentials saved to ${secretsPath()}`);\n      outro('Setup complete.');\n      return;\n    }\n    if (result.kind === 'auth' && attempt === 0) {\n      log.error(`That token was rejected by Hetzner: ${result.message}`);\n      log.info('Try again, or press Ctrl-C to cancel.');\n      continue;\n    }\n    if (result.kind === 'network') {\n      log.warn(`Could not reach Hetzner to validate (${result.message}) — saving anyway.`);\n      persistCredentials(creds);\n      log.success(`Hetzner credentials saved to ${secretsPath()}`);\n      outro('Setup complete (unvalidated).');\n      return;\n    }\n    throw new Error(`Hetzner credentials rejected: ${result.message}`);\n  }\n}\n\nfunction hasUsableCredentials(): boolean {\n  return typeof process.env.HCLOUD_TOKEN === 'string' && process.env.HCLOUD_TOKEN.length > 0;\n}\n\ninterface Credentials {\n  token: string;\n  endpoint?: string;\n}\n\nasync function promptForCredentials(): Promise<Credentials | null> {\n  const token = await password({\n    message: 'Paste your Hetzner Cloud API token',\n    validate(v) {\n      if (!v || v.trim().length === 0) return 'Cannot be empty';\n      return undefined;\n    },\n  });\n  if (isCancel(token)) {\n    log.warn('Hetzner setup cancelled.');\n    return null;\n  }\n  return { token: token.trim() };\n}\n\ntype ValidationResult =\n  | { ok: true }\n  | { ok: false; kind: 'auth'; message: string }\n  | { ok: false; kind: 'network'; message: string };\n\nasync function validateCredentials(creds: Credentials): Promise<ValidationResult> {\n  const s = spinner();\n  s.start('Validating credentials with Hetzner');\n\n  try {\n    const client = makeHetznerClient({ token: creds.token, endpoint: creds.endpoint });\n    // `listLocations()` is a cheap, deterministic call that exercises auth +\n    // basic API reachability without provisioning anything.\n    await client.listLocations();\n    s.stop('Hetzner credentials accepted');\n    return { ok: true };\n  } catch (err) {\n    const message = err instanceof Error ? err.message : String(err);\n    s.stop('Hetzner credentials check failed');\n    if (/401|403|unauthor|forbidden|invalid|token/i.test(message)) {\n      return { ok: false, kind: 'auth', message };\n    }\n    return { ok: false, kind: 'network', message };\n  }\n}\n\nfunction persistCredentials(creds: Credentials): void {\n  process.env.HCLOUD_TOKEN = creds.token;\n  if (creds.endpoint) process.env.HCLOUD_ENDPOINT = creds.endpoint;\n  const path = secretsPath();\n  mkdirSync(dirname(path), { recursive: true });\n\n  let existing = '';\n  if (existsSync(path)) {\n    try {\n      existing = readFileSync(path, 'utf8');\n    } catch {\n      existing = '';\n    }\n  }\n\n  const kept = existing\n    .split(/\\r?\\n/)\n    .filter((line) => {\n      const stripped = line.startsWith('export ') ? line.slice('export '.length) : line;\n      const eq = stripped.indexOf('=');\n      if (eq <= 0) return true;\n      const key = stripped.slice(0, eq).trim();\n      return !(MANAGED_KEYS as readonly string[]).includes(key);\n    })\n    .join('\\n')\n    .replace(/\\s+$/u, '');\n\n  const lines: string[] = [`HCLOUD_TOKEN=${creds.token}`];\n  if (creds.endpoint) lines.push(`HCLOUD_ENDPOINT=${creds.endpoint}`);\n\n  const body = (kept ? `${kept}\\n` : '') + lines.join('\\n') + '\\n';\n\n  const tmp = `${path}.tmp`;\n  writeFileSync(tmp, body, { mode: 0o600 });\n  try {\n    chmodSync(tmp, 0o600);\n  } catch {\n    // chmod best-effort; writeFileSync mode already covers most filesystems.\n  }\n  renameSync(tmp, path);\n  try {\n    chmodSync(path, 0o600);\n  } catch {\n    // ignore — already attempted above.\n  }\n}\n\nfunction openDashboard(): void {\n  try {\n    const r = spawnSync('open', [DASHBOARD_KEYS_URL], { stdio: 'ignore' });\n    if (r.status !== 0) {\n      log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);\n    }\n  } catch {\n    log.warn(`Could not auto-open the browser — visit ${DASHBOARD_KEYS_URL} manually.`);\n  }\n}\n\nexport function secretsPath(): string {\n  return resolve(homedir(), '.agentbox', 'secrets.env');\n}\n\nexport interface HetznerCredStatus {\n  token?: string;\n  endpoint?: string;\n  source: 'env' | 'secrets.env' | 'none';\n}\n\nexport function readHetznerCredStatus(): HetznerCredStatus {\n  const shellHadToken = !!process.env.HCLOUD_TOKEN;\n  ensureHetznerEnvLoaded();\n  const token = process.env.HCLOUD_TOKEN;\n  const endpoint = process.env.HCLOUD_ENDPOINT;\n  if (!token) return { source: 'none' };\n  return {\n    token,\n    endpoint,\n    source: shellHadToken ? 'env' : 'secrets.env',\n  };\n}\n\nexport function maskKey(value: string): string {\n  if (value.length <= 8) return '*'.repeat(value.length);\n  return `${value.slice(0, 4)}…${'*'.repeat(8)}${value.slice(-4)}`;\n}\n\n/** Snapshot of the managed env keys (used by tests around `applyToEnv`). */\nexport function snapshotManagedEnv(): Record<ManagedKey, string | undefined> {\n  const out = {} as Record<ManagedKey, string | undefined>;\n  for (const k of MANAGED_KEYS) out[k] = process.env[k];\n  return out;\n}\n\nexport function restoreManagedEnv(snap: Record<ManagedKey, string | undefined>): void {\n  for (const k of MANAGED_KEYS) {\n    if (snap[k] === undefined) delete process.env[k];\n    else process.env[k] = snap[k];\n  }\n}\n","/**\n * Host egress-IP detection for the Hetzner firewall lock-down. Probes three\n * independent providers in sequence; first 3s success wins. Fails loud\n * (throws) if all three fail — we do **not** silently fall back to\n * `0.0.0.0/0`, because that would defeat the safe-by-default firewall.\n *\n * The user can always override the auto-detect via\n * `--firewall-source <cidr>` (or `--firewall-source 0.0.0.0/0` for the\n * explicit dynamic-IP opt-in).\n */\n\nconst PROBES = [\n  'https://api.ipify.org',\n  'https://ifconfig.io/ip',\n  'https://icanhazip.com',\n] as const;\n\nconst TIMEOUT_MS = 3_000;\n\nconst IPV4_RE = /^(?:\\d{1,3}\\.){3}\\d{1,3}$/;\nconst IPV6_RE = /^[0-9a-fA-F:]+$/;\n\nexport interface DetectEgressIpOptions {\n  /** Override the probe list (tests inject this). */\n  probes?: readonly string[];\n  /** Per-probe timeout in ms (default 3_000). */\n  timeoutMs?: number;\n  /** Override `fetch` (tests inject this). */\n  fetchImpl?: typeof fetch;\n  /** Best-effort logger for probe attempts. */\n  onLog?: (line: string) => void;\n}\n\n/**\n * Detect the host's egress IP. Returns the bare IP string (no `/32`); the\n * caller composes the CIDR.\n *\n * Throws when no probe responded. The error message lists each probe that\n * was tried so the user can see whether their network is blocking a\n * specific provider.\n */\nexport async function detectEgressIp(opts: DetectEgressIpOptions = {}): Promise<string> {\n  const probes = opts.probes ?? PROBES;\n  const timeout = opts.timeoutMs ?? TIMEOUT_MS;\n  const fetchImpl = opts.fetchImpl ?? fetch;\n  const errors: string[] = [];\n\n  for (const url of probes) {\n    try {\n      const ip = await raceTimeout(probe(url, fetchImpl), timeout);\n      if (ip) {\n        opts.onLog?.(`egress-ip: detected ${ip} via ${url}`);\n        return ip;\n      }\n      errors.push(`${url}: empty/invalid response`);\n    } catch (err) {\n      errors.push(`${url}: ${err instanceof Error ? err.message : String(err)}`);\n    }\n  }\n\n  throw new Error(\n    `could not auto-detect the host's egress IP — all ${String(probes.length)} probes failed:\\n` +\n      errors.map((e) => `  - ${e}`).join('\\n') +\n      `\\nOverride with --firewall-source <cidr> (e.g. --firewall-source 0.0.0.0/0 for the explicit-open opt-in).`,\n  );\n}\n\nasync function probe(url: string, fetchImpl: typeof fetch): Promise<string | null> {\n  const res = await fetchImpl(url, { method: 'GET' });\n  if (!res.ok) return null;\n  const body = (await res.text()).trim();\n  if (IPV4_RE.test(body)) {\n    // Cheap sanity: each octet in 0–255.\n    const parts = body.split('.').map((p) => Number.parseInt(p, 10));\n    if (parts.every((p) => p >= 0 && p <= 255)) return body;\n    return null;\n  }\n  // We do not currently use IPv6 for firewall rules (Hetzner accepts them\n  // but the rest of the provider talks IPv4), but accept the probe answer\n  // so a v6-only network surfaces an actionable error rather than a silent\n  // empty result. Composing the CIDR is the caller's job.\n  if (IPV6_RE.test(body) && body.includes(':')) return body;\n  return null;\n}\n\nasync function raceTimeout<T>(p: Promise<T>, ms: number): Promise<T> {\n  let timer: ReturnType<typeof setTimeout> | undefined;\n  try {\n    return await Promise.race([\n      p,\n      new Promise<never>((_resolve, reject) => {\n        timer = setTimeout(() => reject(new Error(`probe timed out after ${String(ms)}ms`)), ms);\n      }),\n    ]);\n  } finally {\n    if (timer !== undefined) clearTimeout(timer);\n  }\n}\n","/**\n * Bounded retry wrapper for Hetzner Cloud API calls — mirrors\n * `withDaytonaRetry` in shape and intent. Hetzner is generally well-behaved\n * but the public API does rate-limit (429) and occasionally returns 502/504\n * during regional incidents; without bounded retries those propagate as\n * wedges in the calling lifecycle code.\n *\n * Non-idempotent ops (`provision`, `createImage`) pass\n * `retryOnAmbiguous: false` so a 504 after the request reached the origin\n * doesn't create a duplicate billable resource.\n */\n\nimport { HetznerApiError } from './client.js';\n\nexport interface WithRetryOptions {\n  /** Method name, used in retry log lines. */\n  method: string;\n  /** Per-attempt timeout (ms). Default 30_000. */\n  attemptTimeoutMs?: number;\n  /** Backoff before attempts 2, 3, … (ms). Default [1000, 2000, 4000]. */\n  backoffMs?: readonly number[];\n  /**\n   * Whether to retry on errors where we can't be sure the server applied\n   * the request — connection failures, per-attempt timeouts, and 5xx\n   * responses. Set false for non-idempotent operations (e.g. `provision`,\n   * `createImage`) where a retry could create a duplicate resource.\n   */\n  retryOnAmbiguous: boolean;\n  /** Override the default `process.stderr` retry sink (used by tests). */\n  onRetry?: (line: string) => void;\n}\n\nconst DEFAULT_BACKOFF: readonly number[] = [1000, 2000, 4000];\nconst DEFAULT_ATTEMPT_TIMEOUT_MS = 30_000;\n\nclass AttemptTimeoutError extends Error {\n  constructor(method: string, ms: number) {\n    super(`hetzner ${method}: per-attempt timeout after ${String(ms)}ms`);\n    this.name = 'AttemptTimeoutError';\n  }\n}\n\nexport function isAttemptTimeout(err: unknown): err is AttemptTimeoutError {\n  return err instanceof AttemptTimeoutError;\n}\n\n/**\n * Classify an error as retriable or not. `allowAmbiguous` gates the cases\n * where the server may or may not have applied the request — the caller\n * decides based on idempotency.\n */\nexport function isRetriable(err: unknown, allowAmbiguous: boolean): boolean {\n  if (err instanceof HetznerApiError) {\n    // Rate limit: always back off — the server told us to.\n    if (err.statusCode === 429 || err.code === 'rate_limit_exceeded') return true;\n    // 5xx: ambiguous (the API may or may not have applied the change).\n    if (err.statusCode >= 500 && err.statusCode <= 599) return allowAmbiguous;\n    // Hetzner conflict / locked errors: the API tells us to wait — same as\n    // rate-limit semantically. `conflict` is what `delete_server` returns\n    // when another action (e.g. our own poweroff) is still in flight.\n    if (err.code === 'locked' || err.code === 'conflict') return true;\n    // Everything else is a permanent client error (auth, validation, not_found).\n    return false;\n  }\n\n  if (err instanceof AttemptTimeoutError) return allowAmbiguous;\n\n  // Raw fetch / undici errors. The Node fetch impl wraps low-level errors in\n  // `{ cause }`; we check both shapes for portability.\n  if (err && typeof err === 'object') {\n    const candidates: unknown[] = [err, (err as { cause?: unknown }).cause];\n    for (const c of candidates) {\n      if (!c || typeof c !== 'object') continue;\n      const code = (c as { code?: unknown }).code;\n      if (\n        code === 'ECONNRESET' ||\n        code === 'ETIMEDOUT' ||\n        code === 'ECONNABORTED' ||\n        code === 'EAI_AGAIN' ||\n        code === 'ECONNREFUSED' ||\n        code === 'ENOTFOUND' ||\n        code === 'UND_ERR_SOCKET' ||\n        code === 'UND_ERR_CONNECT_TIMEOUT'\n      ) {\n        return allowAmbiguous;\n      }\n    }\n  }\n\n  return false;\n}\n\n/**\n * Run `fn`, retrying on transient failures with capped exponential backoff.\n * Each attempt is bounded by `attemptTimeoutMs` via Promise.race; total\n * wall-clock = sum(backoffMs) + maxAttempts * attemptTimeoutMs.\n */\nexport async function withHetznerRetry<T>(\n  opts: WithRetryOptions,\n  fn: () => Promise<T>,\n): Promise<T> {\n  const backoff = opts.backoffMs ?? DEFAULT_BACKOFF;\n  const maxAttempts = backoff.length + 1;\n  const timeoutMs = opts.attemptTimeoutMs ?? DEFAULT_ATTEMPT_TIMEOUT_MS;\n  const log = opts.onRetry ?? defaultRetryLog;\n\n  for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n    try {\n      return await raceTimeout(fn(), timeoutMs, opts.method);\n    } catch (err) {\n      const last = attempt === maxAttempts;\n      if (last || !isRetriable(err, opts.retryOnAmbiguous)) throw err;\n      const delay = backoff[attempt - 1] ?? backoff[backoff.length - 1] ?? 4000;\n      log(\n        `hetzner ${opts.method}: attempt ${String(attempt)} failed (${errorSummary(err)}); retrying in ${String(delay)}ms`,\n      );\n      await sleep(delay);\n    }\n  }\n  throw new Error(`withHetznerRetry: exhausted attempts for ${opts.method}`);\n}\n\nfunction defaultRetryLog(line: string): void {\n  process.stderr.write(`\\n[hetzner-retry] ${line}\\n`);\n}\n\nfunction sleep(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\nasync function raceTimeout<T>(p: Promise<T>, ms: number, method: string): Promise<T> {\n  let timer: ReturnType<typeof setTimeout> | undefined;\n  try {\n    return await Promise.race([\n      p,\n      new Promise<never>((_resolve, reject) => {\n        timer = setTimeout(() => reject(new AttemptTimeoutError(method, ms)), ms);\n      }),\n    ]);\n  } finally {\n    if (timer !== undefined) clearTimeout(timer);\n  }\n}\n\nfunction errorSummary(err: unknown): string {\n  if (err instanceof HetznerApiError) {\n    return `HetznerApiError ${String(err.statusCode)} ${err.code}: ${truncate(err.message)}`;\n  }\n  if (err instanceof Error) {\n    const code = (err as { code?: unknown }).code;\n    return code !== undefined\n      ? `${err.name}(${String(code)}): ${truncate(err.message)}`\n      : `${err.name}: ${truncate(err.message)}`;\n  }\n  return truncate(String(err));\n}\n\nfunction truncate(s: string, max = 160): string {\n  return s.length > max ? `${s.slice(0, max)}…` : s;\n}\n","/**\n * Hetzner Cloud Firewall provisioning + drift sync.\n *\n * Defense-in-depth model (recapped from\n * ~/.claude/plans/how-to-safely-create-parallel-pebble.md §\"The safety model\"):\n *\n *   1. In-VPS services bind to loopback (the load-bearing layer).\n *   2. Hetzner Cloud Firewall locks SSH to the host's egress IP — applied\n *      here at provision time, before the VPS first boots. Everything else\n *      is denied inbound; outbound is unrestricted.\n *   3. sshd hardening (PasswordAuthentication no, AllowUsers vscode, …)\n *      written by cloud-init at first boot.\n *\n * Layer 2 is what this module provisions. The firewall is per-box (1:1 with\n * the VPS) so an egress-IP-drift on one box doesn't affect siblings, and a\n * destroy cleanly removes everything we created.\n */\n\nimport { HetznerApiError, type HetznerClient, type HetznerFirewall, type HetznerFirewallRule } from './client.js';\nimport { withHetznerRetry } from './retry.js';\n\n/**\n * Build the SSH-only inbound rule for a given source CIDR. Outbound is\n * left unrestricted (empty rules array = \"no inbound besides this one\").\n */\nexport function sshOnlyInboundRule(sourceCidr: string): HetznerFirewallRule[] {\n  return [\n    {\n      direction: 'in',\n      protocol: 'tcp',\n      port: '22',\n      source_ips: [sourceCidr],\n      description: 'agentbox: SSH from host egress IP only',\n    },\n  ];\n}\n\nexport interface CreateFirewallOptions {\n  /** Human-readable name persisted with the firewall (visible in the Hetzner dashboard). */\n  name: string;\n  /** Source CIDR (e.g. `1.2.3.4/32`). The caller is responsible for normalizing the suffix. */\n  sourceCidr: string;\n  /** Labels merged onto the firewall (we always add `agentbox.managed=true`). */\n  labels?: Record<string, string>;\n}\n\n/**\n * Provision a fresh per-box firewall locked to the given source CIDR.\n * Returns the created `HetznerFirewall` so the caller can persist\n * `firewallId` on the box record.\n */\nexport async function createPerBoxFirewall(\n  client: HetznerClient,\n  opts: CreateFirewallOptions,\n): Promise<HetznerFirewall> {\n  return withHetznerRetry(\n    { method: 'createFirewall', retryOnAmbiguous: false, attemptTimeoutMs: 60_000 },\n    () =>\n      client.createFirewall({\n        name: opts.name,\n        rules: sshOnlyInboundRule(opts.sourceCidr),\n        labels: {\n          'agentbox.managed': 'true',\n          'agentbox.role': 'box',\n          ...opts.labels,\n        },\n      }),\n  );\n}\n\n/**\n * Re-detect the egress IP and replace the firewall's rule set with the new\n * source. Used by `agentbox hetzner firewall sync <box>` after the host\n * laptop moves networks. Cheap operation — no VPS restart involved.\n *\n * Idempotent on the API: setting the same rules again is a no-op from the\n * user's point of view (the API still returns an action handle, but it\n * resolves instantly).\n */\nexport async function syncFirewallSource(\n  client: HetznerClient,\n  firewallId: number,\n  sourceCidr: string,\n): Promise<void> {\n  await withHetznerRetry(\n    { method: 'setFirewallRules', retryOnAmbiguous: true, attemptTimeoutMs: 60_000 },\n    () => client.setFirewallRules(firewallId, sshOnlyInboundRule(sourceCidr)),\n  );\n}\n\n/**\n * Delete a per-box firewall. Idempotent on 404 (the API surfaces it as a\n * `not_found` error which the retry classifier won't retry; we swallow it\n * here so destroy paths don't need a special-case).\n *\n * Hetzner returns 409 `conflict` if the firewall is still attached to a\n * server when we try to delete it — `deleteServer()` returns as soon as the\n * delete action is *enqueued*, not after the server's firewall attachment\n * is torn down, so a quick subsequent `deleteFirewall()` will collide.\n * We poll for a short window (default 60s, intervals doubled to 8s) to\n * cover the typical 5–15s detach lag before giving up.\n */\nexport async function deletePerBoxFirewall(\n  client: HetznerClient,\n  firewallId: number,\n  opts: { detachWaitMs?: number } = {},\n): Promise<void> {\n  const deadline = Date.now() + (opts.detachWaitMs ?? 60_000);\n  let interval = 1_000;\n  while (true) {\n    try {\n      await withHetznerRetry(\n        { method: 'deleteFirewall', retryOnAmbiguous: true, attemptTimeoutMs: 30_000 },\n        () => client.deleteFirewall(firewallId),\n      );\n      return;\n    } catch (err) {\n      if (err instanceof HetznerApiError && (err.statusCode === 404 || err.code === 'not_found')) {\n        return;\n      }\n      const stillAttached =\n        err instanceof HetznerApiError &&\n        (err.statusCode === 409 ||\n          err.code === 'conflict' ||\n          err.code === 'resource_in_use');\n      if (stillAttached && Date.now() < deadline) {\n        await new Promise((r) => setTimeout(r, interval));\n        interval = Math.min(interval * 2, 8_000);\n        continue;\n      }\n      throw err;\n    }\n  }\n}\n\n/**\n * Normalize a source spec into a CIDR. Accepts:\n *   - bare IPv4 → appends `/32`\n *   - bare IPv6 → appends `/128`\n *   - already-CIDR (anything with `/`) → returned as-is\n *\n * Whitespace is trimmed. Does **not** validate the address itself — that's\n * either the API's job (it'll reject bad CIDRs with a clear `validation`\n * error) or `detectEgressIp`'s job (it only returns valid IPv4/IPv6).\n */\nexport function normalizeSourceCidr(raw: string): string {\n  const trimmed = raw.trim();\n  if (trimmed.includes('/')) return trimmed;\n  if (trimmed.includes(':')) return `${trimmed}/128`;\n  return `${trimmed}/32`;\n}\n"],"mappings":";;;AAAA,SAAS,YAAY,oBAAoB;AACzC,SAAS,eAAe;AACxB,SAAS,eAAe;AEFxB,SAAS,iBAAiB;AAC1B;EACE;EACA,cAAAA;EACA;EACA,gBAAAC;EACA;EACA;OACK;AACP,SAAS,WAAAC,gBAAe;AACxB,SAAS,SAAS,WAAAC,gBAAe;AACjC,SAAS,SAAS,UAAU,OAAO,KAAK,MAAM,OAAO,UAAU,eAAe;AFW9E,IAAM,eAAe,CAAC,gBAAgB,iBAAiB;AAEvD,IAAI,SAAS;AAEN,SAAS,yBAA+B;AAC7C,MAAI,OAAQ;AACZ,WAAS;AACT,wBAAsB,QAAQ,QAAQ,GAAG,aAAa,aAAa,CAAC;AACtE;AAEA,SAAS,sBAAsB,MAAoB;AACjD,MAAI,CAAC,WAAW,IAAI,EAAG;AACvB,MAAI;AACJ,MAAI;AACF,WAAO,aAAa,MAAM,MAAM;EAClC,QAAQ;AACN;EACF;AACA,QAAM,SAAS,aAAa,IAAI;AAChC,aAAW,OAAO,cAAc;AAC9B,QAAI,QAAQ,IAAI,GAAG,MAAM,OAAW;AACpC,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,OAAO,UAAU,UAAU;AAC7B,cAAQ,IAAI,GAAG,IAAI;IACrB;EACF;AACF;AASO,SAAS,aAAa,MAAsC;AACjE,QAAM,MAA8B,CAAC;AACrC,aAAW,WAAW,KAAK,MAAM,OAAO,GAAG;AACzC,UAAM,OAAO,QAAQ,KAAK;AAC1B,QAAI,KAAK,WAAW,KAAK,KAAK,WAAW,GAAG,EAAG;AAC/C,UAAM,WAAW,KAAK,WAAW,SAAS,IAAI,KAAK,MAAM,UAAU,MAAM,IAAI;AAC7E,UAAM,KAAK,SAAS,QAAQ,GAAG;AAC/B,QAAI,MAAM,EAAG;AACb,UAAM,MAAM,SAAS,MAAM,GAAG,EAAE,EAAE,KAAK;AACvC,QAAI,QAAQ,SAAS,MAAM,KAAK,CAAC,EAAE,KAAK;AACxC,QACE,MAAM,UAAU,MACd,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,KAC1C,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,IAC9C;AACA,cAAQ,MAAM,MAAM,GAAG,EAAE;IAC3B;AACA,QAAI,GAAG,IAAI;EACb;AACA,SAAO;AACT;ACxDO,IAAM,0BAA0B;AA6GhC,IAAM,kBAAN,cAA8B,MAAM;EAChC;EACA;EACA;EACT,YAAY,YAAoB,MAAc,SAAiB,SAAmB;AAChF,UAAM,WAAW,OAAO,UAAU,CAAC,IAAI,IAAI,KAAK,OAAO,EAAE;AACzD,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,OAAO;AACZ,SAAK,UAAU;EACjB;AACF;AAsEO,SAAS,kBAAkB,OAA0B,CAAC,GAAkB;AAC7E,yBAAuB;AACvB,QAAM,WAAW,KAAK,SAAS,QAAQ,IAAI;AAC3C,MAAI,CAAC,YAAY,SAAS,KAAK,EAAE,WAAW,GAAG;AAC7C,UAAM,IAAI;MACR;IAEF;EACF;AAGA,QAAM,QAAgB,SAAS,KAAK;AACpC,QAAM,YAAY,KAAK,YAAY,QAAQ,IAAI,mBAAmB,yBAAyB,QAAQ,OAAO,EAAE;AAC5G,QAAM,YAAY,KAAK,aAAa;AAEpC,iBAAe,IACb,QACA,MACA,MACmB;AACnB,UAAM,MAAM,GAAG,QAAQ,GAAG,IAAI;AAC9B,UAAM,OAAoB;MACxB;MACA,SAAS;QACP,eAAe,UAAU,KAAK;QAC9B,GAAI,SAAS,SAAY,EAAE,gBAAgB,mBAAmB,IAAI,CAAC;MACrE;MACA,GAAI,SAAS,SAAY,EAAE,MAAM,KAAK,UAAU,IAAI,EAAE,IAAI,CAAC;IAC7D;AACA,UAAM,MAAM,MAAM,UAAU,KAAK,IAAI;AACrC,QAAI,IAAI,WAAW,IAAK,QAAO;AAC/B,QAAI,IAAI,WAAW,IAAK,QAAO;AAC/B,QAAI,CAAC,IAAI,IAAI;AACX,UAAI,SAA6E,CAAC;AAClF,UAAI;AACF,iBAAU,MAAM,IAAI,KAAK;MAC3B,QAAQ;MAER;AACA,YAAM,OAAO,OAAO,OAAO,QAAQ,QAAQ,OAAO,IAAI,MAAM,CAAC;AAC7D,YAAM,MAAM,OAAO,OAAO,WAAW,IAAI,cAAc;AACvD,YAAM,IAAI,gBAAgB,IAAI,QAAQ,MAAM,KAAK,OAAO,OAAO,OAAO;IACxE;AACA,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,QAAI,KAAK,WAAW,EAAG,QAAO;AAC9B,WAAO,KAAK,MAAM,IAAI;EACxB;AAEA,iBAAe,UACb,QACA,MACA,MACY;AACZ,UAAM,MAAM,MAAM,IAAO,QAAQ,MAAM,IAAI;AAC3C,QAAI,QAAQ,MAAM;AAChB,YAAM,IAAI,gBAAgB,GAAG,kBAAkB,wBAAwB,MAAM,IAAI,IAAI,EAAE;IACzF;AACA,WAAO;EACT;AAEA,SAAO;IACL,MAAM,UAAU,IAAI;AAClB,YAAM,IAAI,MAAM,IAA+B,OAAO,YAAY,OAAO,EAAE,CAAC,EAAE;AAC9E,aAAO,GAAG,UAAU;IACtB;IACA,MAAM,aAAa,SAAS;AAC1B,YAAM,IAAI,MAAM;QACd;QACA;QACA;MACF;AACA,aAAO,EAAE,QAAQ,EAAE,QAAQ,QAAQ,EAAE,OAAO;IAC9C;IACA,MAAM,YAAYC,OAAM;AACtB,YAAM,SAAS,IAAI,gBAAgB;AACnC,UAAIA,OAAM,eAAgB,QAAO,IAAI,kBAAkBA,MAAK,cAAc;AAC1E,aAAO,IAAI,YAAY,IAAI;AAC3B,YAAM,MAAuB,CAAC;AAC9B,UAAI,UAAU;AACd,aAAO,MAAM;AACX,eAAO,IAAI,QAAQ,OAAO,OAAO,CAAC;AAClC,cAAM,IAAI,MAAM,UAGb,OAAO,YAAY,OAAO,SAAS,CAAC,EAAE;AACzC,YAAI,KAAK,GAAG,EAAE,OAAO;AACrB,cAAM,OAAO,EAAE,MAAM,YAAY;AACjC,YAAI,OAAO,SAAS,SAAU;AAC9B,kBAAU;MACZ;AACA,aAAO;IACT;IACA,MAAM,aAAa,IAAI;AACrB,YAAM,IAAI,MAAM,IAA+B,UAAU,YAAY,OAAO,EAAE,CAAC,EAAE;AACjF,aAAO,GAAG,UAAU;IACtB;IACA,MAAM,QAAQ,IAAI;AAChB,YAAM,IAAI,MAAM;QACd;QACA,YAAY,OAAO,EAAE,CAAC;MACxB;AACA,aAAO,EAAE;IACX;IACA,MAAM,SAAS,IAAI;AACjB,YAAM,IAAI,MAAM;QACd;QACA,YAAY,OAAO,EAAE,CAAC;MACxB;AACA,aAAO,EAAE;IACX;IACA,MAAM,SAAS,IAAI;AACjB,YAAM,IAAI,MAAM;QACd;QACA,YAAY,OAAO,EAAE,CAAC;MACxB;AACA,aAAO,EAAE;IACX;IACA,MAAM,YAAY,IAAI,MAAM;AAC1B,YAAM,IAAI,MAAM;QACd;QACA,YAAY,OAAO,EAAE,CAAC;QACtB;MACF;AACA,aAAO,EAAE,OAAO,EAAE,OAAO,QAAQ,EAAE,OAAO;IAC5C;IACA,MAAM,SAAS,IAAI;AACjB,YAAM,IAAI,MAAM,IAA6B,OAAO,WAAW,OAAO,EAAE,CAAC,EAAE;AAC3E,aAAO,GAAG,SAAS;IACrB;IACA,MAAM,WAAWA,OAAM;AACrB,YAAM,SAAS,IAAI,gBAAgB;AACnC,UAAIA,OAAM,KAAM,QAAO,IAAI,QAAQA,MAAK,IAAI;AAC5C,UAAIA,OAAM,eAAgB,QAAO,IAAI,kBAAkBA,MAAK,cAAc;AAC1E,UAAIA,OAAM,KAAM,QAAO,IAAI,QAAQA,MAAK,IAAI;AAC5C,aAAO,IAAI,YAAY,IAAI;AAC3B,YAAM,MAAsB,CAAC;AAC7B,UAAI,UAAU;AACd,aAAO,MAAM;AACX,eAAO,IAAI,QAAQ,OAAO,OAAO,CAAC;AAClC,cAAM,IAAI,MAAM,UAGb,OAAO,WAAW,OAAO,SAAS,CAAC,EAAE;AACxC,YAAI,KAAK,GAAG,EAAE,MAAM;AACpB,cAAM,OAAO,EAAE,MAAM,YAAY;AACjC,YAAI,OAAO,SAAS,SAAU;AAC9B,kBAAU;MACZ;AACA,aAAO;IACT;IACA,MAAM,YAAY,IAAI;AACpB,YAAM,IAAa,UAAU,WAAW,OAAO,EAAE,CAAC,EAAE;IACtD;IACA,MAAM,eAAe,SAAS;AAC5B,YAAM,IAAI,MAAM,UAAyC,QAAQ,cAAc,OAAO;AACtF,aAAO,EAAE;IACX;IACA,MAAM,iBAAiB,IAAI,OAAO;AAChC,YAAM,IAAI,MAAM;QACd;QACA,cAAc,OAAO,EAAE,CAAC;QACxB,EAAE,MAAM;MACV;AACA,aAAO,EAAE;IACX;IACA,MAAM,YAAY,IAAI;AACpB,YAAM,IAAI,MAAM,IAAmC,OAAO,cAAc,OAAO,EAAE,CAAC,EAAE;AACpF,aAAO,GAAG,YAAY;IACxB;IACA,MAAM,eAAe,IAAI;AACvB,YAAM,IAAa,UAAU,cAAc,OAAO,EAAE,CAAC,EAAE;IACzD;IACA,MAAM,gBAAgB;AACpB,YAAM,IAAI,MAAM,UAEb,OAAO,YAAY;AACtB,aAAO,EAAE;IACX;EACF;AACF;ACvXA,IAAM,qBAAqB;AAQ3B,IAAM,eAAe,CAAC,gBAAgB,iBAAiB;AAoBvD,eAAsB,yBACpB,OAAwC,CAAC,GAC1B;AACf,yBAAuB;AAEvB,MAAI,CAAC,KAAK,SAAS,qBAAqB,EAAG;AAC3C,MAAI,CAAC,QAAQ,MAAM,MAAO;AAE1B,QAAM,qBAAqB;AAC3B;IACE;;UACa,kBAAkB;;;IAG/B;EACF;AAEA,QAAM,OAAO,MAAM,QAAQ;IACzB,SAAS,QAAQ,kBAAkB;IACnC,cAAc;EAChB,CAAC;AACD,MAAI,SAAS,IAAI,GAAG;AAClB,QAAI,KAAK,4EAAuE;AAChF;EACF;AACA,MAAI,KAAM,eAAc;AAGxB,WAAS,UAAU,GAAG,UAAU,GAAG,WAAW;AAC5C,UAAM,QAAQ,MAAM,qBAAqB;AACzC,QAAI,UAAU,KAAM;AAEpB,UAAM,SAAS,MAAM,oBAAoB,KAAK;AAC9C,QAAI,OAAO,IAAI;AACb,yBAAmB,KAAK;AACxB,UAAI,QAAQ,gCAAgC,YAAY,CAAC,EAAE;AAC3D,YAAM,iBAAiB;AACvB;IACF;AACA,QAAI,OAAO,SAAS,UAAU,YAAY,GAAG;AAC3C,UAAI,MAAM,uCAAuC,OAAO,OAAO,EAAE;AACjE,UAAI,KAAK,uCAAuC;AAChD;IACF;AACA,QAAI,OAAO,SAAS,WAAW;AAC7B,UAAI,KAAK,wCAAwC,OAAO,OAAO,yBAAoB;AACnF,yBAAmB,KAAK;AACxB,UAAI,QAAQ,gCAAgC,YAAY,CAAC,EAAE;AAC3D,YAAM,+BAA+B;AACrC;IACF;AACA,UAAM,IAAI,MAAM,iCAAiC,OAAO,OAAO,EAAE;EACnE;AACF;AAEA,SAAS,uBAAgC;AACvC,SAAO,OAAO,QAAQ,IAAI,iBAAiB,YAAY,QAAQ,IAAI,aAAa,SAAS;AAC3F;AAOA,eAAe,uBAAoD;AACjE,QAAM,QAAQ,MAAM,SAAS;IAC3B,SAAS;IACT,SAAS,GAAG;AACV,UAAI,CAAC,KAAK,EAAE,KAAK,EAAE,WAAW,EAAG,QAAO;AACxC,aAAO;IACT;EACF,CAAC;AACD,MAAI,SAAS,KAAK,GAAG;AACnB,QAAI,KAAK,0BAA0B;AACnC,WAAO;EACT;AACA,SAAO,EAAE,OAAO,MAAM,KAAK,EAAE;AAC/B;AAOA,eAAe,oBAAoB,OAA+C;AAChF,QAAM,IAAI,QAAQ;AAClB,IAAE,MAAM,qCAAqC;AAE7C,MAAI;AACF,UAAM,SAAS,kBAAkB,EAAE,OAAO,MAAM,OAAO,UAAU,MAAM,SAAS,CAAC;AAGjF,UAAM,OAAO,cAAc;AAC3B,MAAE,KAAK,8BAA8B;AACrC,WAAO,EAAE,IAAI,KAAK;EACpB,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,MAAE,KAAK,kCAAkC;AACzC,QAAI,4CAA4C,KAAK,OAAO,GAAG;AAC7D,aAAO,EAAE,IAAI,OAAO,MAAM,QAAQ,QAAQ;IAC5C;AACA,WAAO,EAAE,IAAI,OAAO,MAAM,WAAW,QAAQ;EAC/C;AACF;AAEA,SAAS,mBAAmB,OAA0B;AACpD,UAAQ,IAAI,eAAe,MAAM;AACjC,MAAI,MAAM,SAAU,SAAQ,IAAI,kBAAkB,MAAM;AACxD,QAAM,OAAO,YAAY;AACzB,YAAU,QAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAE5C,MAAI,WAAW;AACf,MAAIJ,YAAW,IAAI,GAAG;AACpB,QAAI;AACF,iBAAWC,cAAa,MAAM,MAAM;IACtC,QAAQ;AACN,iBAAW;IACb;EACF;AAEA,QAAM,OAAO,SACV,MAAM,OAAO,EACb,OAAO,CAAC,SAAS;AAChB,UAAM,WAAW,KAAK,WAAW,SAAS,IAAI,KAAK,MAAM,UAAU,MAAM,IAAI;AAC7E,UAAM,KAAK,SAAS,QAAQ,GAAG;AAC/B,QAAI,MAAM,EAAG,QAAO;AACpB,UAAM,MAAM,SAAS,MAAM,GAAG,EAAE,EAAE,KAAK;AACvC,WAAO,CAAE,aAAmC,SAAS,GAAG;EAC1D,CAAC,EACA,KAAK,IAAI,EACT,QAAQ,SAAS,EAAE;AAEtB,QAAM,QAAkB,CAAC,gBAAgB,MAAM,KAAK,EAAE;AACtD,MAAI,MAAM,SAAU,OAAM,KAAK,mBAAmB,MAAM,QAAQ,EAAE;AAElE,QAAM,QAAQ,OAAO,GAAG,IAAI;IAAO,MAAM,MAAM,KAAK,IAAI,IAAI;AAE5D,QAAM,MAAM,GAAG,IAAI;AACnB,gBAAc,KAAK,MAAM,EAAE,MAAM,IAAM,CAAC;AACxC,MAAI;AACF,cAAU,KAAK,GAAK;EACtB,QAAQ;EAER;AACA,aAAW,KAAK,IAAI;AACpB,MAAI;AACF,cAAU,MAAM,GAAK;EACvB,QAAQ;EAER;AACF;AAEA,SAAS,gBAAsB;AAC7B,MAAI;AACF,UAAM,IAAI,UAAU,QAAQ,CAAC,kBAAkB,GAAG,EAAE,OAAO,SAAS,CAAC;AACrE,QAAI,EAAE,WAAW,GAAG;AAClB,UAAI,KAAK,gDAA2C,kBAAkB,YAAY;IACpF;EACF,QAAQ;AACN,QAAI,KAAK,gDAA2C,kBAAkB,YAAY;EACpF;AACF;AAEO,SAAS,cAAsB;AACpC,SAAOE,SAAQD,SAAQ,GAAG,aAAa,aAAa;AACtD;AAQO,SAAS,wBAA2C;AACzD,QAAM,gBAAgB,CAAC,CAAC,QAAQ,IAAI;AACpC,yBAAuB;AACvB,QAAM,QAAQ,QAAQ,IAAI;AAC1B,QAAM,WAAW,QAAQ,IAAI;AAC7B,MAAI,CAAC,MAAO,QAAO,EAAE,QAAQ,OAAO;AACpC,SAAO;IACL;IACA;IACA,QAAQ,gBAAgB,QAAQ;EAClC;AACF;AAEO,SAAS,QAAQ,OAAuB;AAC7C,MAAI,MAAM,UAAU,EAAG,QAAO,IAAI,OAAO,MAAM,MAAM;AACrD,SAAO,GAAG,MAAM,MAAM,GAAG,CAAC,CAAC,SAAI,IAAI,OAAO,CAAC,CAAC,GAAG,MAAM,MAAM,EAAE,CAAC;AAChE;AC7NA,IAAM,SAAS;EACb;EACA;EACA;AACF;AAEA,IAAM,aAAa;AAEnB,IAAM,UAAU;AAChB,IAAM,UAAU;AAqBhB,eAAsB,eAAe,OAA8B,CAAC,GAAoB;AACtF,QAAM,SAAS,KAAK,UAAU;AAC9B,QAAM,UAAU,KAAK,aAAa;AAClC,QAAM,YAAY,KAAK,aAAa;AACpC,QAAM,SAAmB,CAAC;AAE1B,aAAW,OAAO,QAAQ;AACxB,QAAI;AACF,YAAM,KAAK,MAAM,YAAY,MAAM,KAAK,SAAS,GAAG,OAAO;AAC3D,UAAI,IAAI;AACN,aAAK,QAAQ,uBAAuB,EAAE,QAAQ,GAAG,EAAE;AACnD,eAAO;MACT;AACA,aAAO,KAAK,GAAG,GAAG,0BAA0B;IAC9C,SAAS,KAAK;AACZ,aAAO,KAAK,GAAG,GAAG,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;IAC3E;EACF;AAEA,QAAM,IAAI;IACR,yDAAoD,OAAO,OAAO,MAAM,CAAC;IACvE,OAAO,IAAI,CAAC,MAAM,OAAO,CAAC,EAAE,EAAE,KAAK,IAAI,IACvC;;EACJ;AACF;AAEA,eAAe,MAAM,KAAa,WAAiD;AACjF,QAAM,MAAM,MAAM,UAAU,KAAK,EAAE,QAAQ,MAAM,CAAC;AAClD,MAAI,CAAC,IAAI,GAAI,QAAO;AACpB,QAAM,QAAQ,MAAM,IAAI,KAAK,GAAG,KAAK;AACrC,MAAI,QAAQ,KAAK,IAAI,GAAG;AAEtB,UAAM,QAAQ,KAAK,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,OAAO,SAAS,GAAG,EAAE,CAAC;AAC/D,QAAI,MAAM,MAAM,CAAC,MAAM,KAAK,KAAK,KAAK,GAAG,EAAG,QAAO;AACnD,WAAO;EACT;AAKA,MAAI,QAAQ,KAAK,IAAI,KAAK,KAAK,SAAS,GAAG,EAAG,QAAO;AACrD,SAAO;AACT;AAEA,eAAe,YAAe,GAAe,IAAwB;AACnE,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,QAAQ,KAAK;MACxB;MACA,IAAI,QAAe,CAAC,UAAU,WAAW;AACvC,gBAAQ,WAAW,MAAM,OAAO,IAAI,MAAM,yBAAyB,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;MACzF,CAAC;IACH,CAAC;EACH,UAAA;AACE,QAAI,UAAU,OAAW,cAAa,KAAK;EAC7C;AACF;ACjEA,IAAM,kBAAqC,CAAC,KAAM,KAAM,GAAI;AAC5D,IAAM,6BAA6B;AAEnC,IAAM,sBAAN,cAAkC,MAAM;EACtC,YAAY,QAAgB,IAAY;AACtC,UAAM,WAAW,MAAM,+BAA+B,OAAO,EAAE,CAAC,IAAI;AACpE,SAAK,OAAO;EACd;AACF;AAEO,SAAS,iBAAiB,KAA0C;AACzE,SAAO,eAAe;AACxB;AAOO,SAAS,YAAY,KAAc,gBAAkC;AAC1E,MAAI,eAAe,iBAAiB;AAElC,QAAI,IAAI,eAAe,OAAO,IAAI,SAAS,sBAAuB,QAAO;AAEzE,QAAI,IAAI,cAAc,OAAO,IAAI,cAAc,IAAK,QAAO;AAI3D,QAAI,IAAI,SAAS,YAAY,IAAI,SAAS,WAAY,QAAO;AAE7D,WAAO;EACT;AAEA,MAAI,eAAe,oBAAqB,QAAO;AAI/C,MAAI,OAAO,OAAO,QAAQ,UAAU;AAClC,UAAM,aAAwB,CAAC,KAAM,IAA4B,KAAK;AACtE,eAAW,KAAK,YAAY;AAC1B,UAAI,CAAC,KAAK,OAAO,MAAM,SAAU;AACjC,YAAM,OAAQ,EAAyB;AACvC,UACE,SAAS,gBACT,SAAS,eACT,SAAS,kBACT,SAAS,eACT,SAAS,kBACT,SAAS,eACT,SAAS,oBACT,SAAS,2BACT;AACA,eAAO;MACT;IACF;EACF;AAEA,SAAO;AACT;AAOA,eAAsB,iBACpB,MACA,IACY;AACZ,QAAM,UAAU,KAAK,aAAa;AAClC,QAAM,cAAc,QAAQ,SAAS;AACrC,QAAM,YAAY,KAAK,oBAAoB;AAC3C,QAAMG,OAAM,KAAK,WAAW;AAE5B,WAAS,UAAU,GAAG,WAAW,aAAa,WAAW;AACvD,QAAI;AACF,aAAO,MAAMC,aAAY,GAAG,GAAG,WAAW,KAAK,MAAM;IACvD,SAAS,KAAK;AACZ,YAAM,OAAO,YAAY;AACzB,UAAI,QAAQ,CAAC,YAAY,KAAK,KAAK,gBAAgB,EAAG,OAAM;AAC5D,YAAM,QAAQ,QAAQ,UAAU,CAAC,KAAK,QAAQ,QAAQ,SAAS,CAAC,KAAK;AACrED;QACE,WAAW,KAAK,MAAM,aAAa,OAAO,OAAO,CAAC,YAAY,aAAa,GAAG,CAAC,kBAAkB,OAAO,KAAK,CAAC;MAChH;AACA,YAAM,MAAM,KAAK;IACnB;EACF;AACA,QAAM,IAAI,MAAM,4CAA4C,KAAK,MAAM,EAAE;AAC3E;AAEA,SAAS,gBAAgB,MAAoB;AAC3C,UAAQ,OAAO,MAAM;kBAAqB,IAAI;CAAI;AACpD;AAEA,SAAS,MAAM,IAA2B;AACxC,SAAO,IAAI,QAAQ,CAACF,aAAY,WAAWA,UAAS,EAAE,CAAC;AACzD;AAEA,eAAeG,aAAe,GAAe,IAAY,QAA4B;AACnF,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,QAAQ,KAAK;MACxB;MACA,IAAI,QAAe,CAAC,UAAU,WAAW;AACvC,gBAAQ,WAAW,MAAM,OAAO,IAAI,oBAAoB,QAAQ,EAAE,CAAC,GAAG,EAAE;MAC1E,CAAC;IACH,CAAC;EACH,UAAA;AACE,QAAI,UAAU,OAAW,cAAa,KAAK;EAC7C;AACF;AAEA,SAAS,aAAa,KAAsB;AAC1C,MAAI,eAAe,iBAAiB;AAClC,WAAO,mBAAmB,OAAO,IAAI,UAAU,CAAC,IAAI,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC;EACxF;AACA,MAAI,eAAe,OAAO;AACxB,UAAM,OAAQ,IAA2B;AACzC,WAAO,SAAS,SACZ,GAAG,IAAI,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,SAAS,IAAI,OAAO,CAAC,KACtD,GAAG,IAAI,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC;EAC3C;AACA,SAAO,SAAS,OAAO,GAAG,CAAC;AAC7B;AAEA,SAAS,SAAS,GAAW,MAAM,KAAa;AAC9C,SAAO,EAAE,SAAS,MAAM,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC,WAAM;AAClD;ACtIO,SAAS,mBAAmB,YAA2C;AAC5E,SAAO;IACL;MACE,WAAW;MACX,UAAU;MACV,MAAM;MACN,YAAY,CAAC,UAAU;MACvB,aAAa;IACf;EACF;AACF;AAgBA,eAAsB,qBACpB,QACA,MAC0B;AAC1B,SAAO;IACL,EAAE,QAAQ,kBAAkB,kBAAkB,OAAO,kBAAkB,IAAO;IAC9E,MACE,OAAO,eAAe;MACpB,MAAM,KAAK;MACX,OAAO,mBAAmB,KAAK,UAAU;MACzC,QAAQ;QACN,oBAAoB;QACpB,iBAAiB;QACjB,GAAG,KAAK;MACV;IACF,CAAC;EACL;AACF;AAWA,eAAsB,mBACpB,QACA,YACA,YACe;AACf,QAAM;IACJ,EAAE,QAAQ,oBAAoB,kBAAkB,MAAM,kBAAkB,IAAO;IAC/E,MAAM,OAAO,iBAAiB,YAAY,mBAAmB,UAAU,CAAC;EAC1E;AACF;AAcA,eAAsB,qBACpB,QACA,YACA,OAAkC,CAAC,GACpB;AACf,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,gBAAgB;AACpD,MAAI,WAAW;AACf,SAAO,MAAM;AACX,QAAI;AACF,YAAM;QACJ,EAAE,QAAQ,kBAAkB,kBAAkB,MAAM,kBAAkB,IAAO;QAC7E,MAAM,OAAO,eAAe,UAAU;MACxC;AACA;IACF,SAAS,KAAK;AACZ,UAAI,eAAe,oBAAoB,IAAI,eAAe,OAAO,IAAI,SAAS,cAAc;AAC1F;MACF;AACA,YAAM,gBACJ,eAAe,oBACd,IAAI,eAAe,OAClB,IAAI,SAAS,cACb,IAAI,SAAS;AACjB,UAAI,iBAAiB,KAAK,IAAI,IAAI,UAAU;AAC1C,cAAM,IAAI,QAAQ,CAAC,MAAM,WAAW,GAAG,QAAQ,CAAC;AAChD,mBAAW,KAAK,IAAI,WAAW,GAAG,GAAK;AACvC;MACF;AACA,YAAM;IACR;EACF;AACF;AAYO,SAAS,oBAAoB,KAAqB;AACvD,QAAM,UAAU,IAAI,KAAK;AACzB,MAAI,QAAQ,SAAS,GAAG,EAAG,QAAO;AAClC,MAAI,QAAQ,SAAS,GAAG,EAAG,QAAO,GAAG,OAAO;AAC5C,SAAO,GAAG,OAAO;AACnB;","names":["existsSync","readFileSync","homedir","resolve","opts","log","raceTimeout"]}