@mantyx/sdk 0.9.1 → 0.10.1

package/dist/index.d.cts

@@ -1,96 +1,6 @@
-export { A as A2AToolRef, a as AgentSession, b as AgentSpecBase, c as AssistantDeltaEvent, d as AssistantMessageEvent, C as CancelledEvent, D as DEFAULT_BASE_URL, e as DefineLocalA2AOptions, f as DefineLocalMcpOptions, g as DefineLocalToolOptions, E as ErrorEvent, L as LocalA2ATool, h as LocalHandlers, i as LocalMcpHttpTransport, j as LocalMcpServer, k as LocalMcpStdioTransport, l as LocalTool, m as LocalToolCallEvent, n as LocalToolResultInEvent, o as LoopDetectedEvent, p as LoopDetection, q as MantyxA2AOptions, M as MantyxClient, r as MantyxClientOptions, s as MantyxMcpOptions, t as MantyxPluginToolRef, u as MantyxToolRef, v as McpToolRef, w as ModelCatalog, x as ModelInfo, O as OutputSchema, R as ReasoningLevel, y as ResultEvent, z as RunEvent, B as RunEventBase, F as RunResult, G as RunSpec, S as ServerToolResultEvent, H as SessionInfo, I as SessionSpec, J as ThinkingDeltaEvent, K as ToolBudget, N as ToolBudgetExceededEvent, P as ToolBudgets, T as ToolRef, Z as ZodLikeObject, Q as defineLocalA2A, U as defineLocalMcp, V as defineLocalTool, W as isLocalA2ATool, X as isLocalMcpServer, Y as isLocalTool, _ as mantyxA2A, $ as mantyxMcp, a0 as mantyxPluginTool, a1 as mantyxTool, a2 as parseRunOutput } from './client-BB6cjfsz.cjs';
+export { A as A2AToolRef, a as AgentSession, b as AgentSpecBase, c as AssistantDeltaEvent, d as AssistantMessageEvent, C as CancelledEvent, D as DEFAULT_BASE_URL, e as DEFAULT_OAUTH_BASE_URL, f as DEFAULT_REFRESH_SKEW_MS, g as DefineLocalA2AOptions, h as DefineLocalMcpOptions, i as DefineLocalToolOptions, E as ErrorEvent, L as LocalA2ATool, j as LocalHandlers, k as LocalMcpHttpTransport, l as LocalMcpServer, m as LocalMcpStdioTransport, n as LocalTool, o as LocalToolCallEvent, p as LocalToolResultInEvent, q as LoopDetectedEvent, r as LoopDetection, s as MantyxA2AOptions, t as MantyxAuthError, M as MantyxClient, u as MantyxClientOptions, v as MantyxError, w as MantyxMcpOptions, x as MantyxNetworkError, y as MantyxOAuthClient, z as MantyxOAuthClientOptions, B as MantyxOAuthError, F as MantyxParseError, G as MantyxPluginToolRef, H as MantyxRunError, I as MantyxRunErrorInit, J as MantyxScopeError, K as MantyxToolError, N as MantyxToolRef, O as McpToolRef, P as ModelCatalog, Q as ModelInfo, S as OAuthToken, U as OutputSchema, R as ReasoningLevel, V as RefreshOptions, W as RefreshTokenSourceOptions, X as ResultEvent, Y as RevokeOptions, Z as RunEvent, _ as RunEventBase, $ as RunResult, a0 as RunSpec, a1 as ServerToolResultEvent, a2 as SessionInfo, a3 as SessionSpec, a4 as ThinkingDeltaEvent, a5 as TokenRequestReason, a6 as TokenSource, a7 as ToolBudget, a8 as ToolBudgetExceededEvent, a9 as ToolBudgets, T as ToolRef, aa as ZodLikeObject, ab as defineLocalA2A, ac as defineLocalMcp, ad as defineLocalTool, ae as isLocalA2ATool, af as isLocalMcpServer, ag as isLocalTool, ah as mantyxA2A, ai as mantyxMcp, aj as mantyxPluginTool, ak as mantyxTool, al as parseRunOutput } from './client-CZUVldDx.cjs';
 import { z } from 'zod';
 
-/**
- * Error types raised by the MANTYX SDK.
- */
-declare class MantyxError extends Error {
-    readonly code: string;
-    readonly status: number | undefined;
-    readonly hint: string | undefined;
-    constructor(message: string, opts?: {
-        code?: string;
-        status?: number;
-        hint?: string;
-    });
-}
-declare class MantyxNetworkError extends MantyxError {
-    constructor(message: string, opts?: {
-        cause?: unknown;
-    });
-}
-declare class MantyxAuthError extends MantyxError {
-    constructor(message?: string);
-}
-declare class MantyxToolError extends MantyxError {
-    readonly toolName: string;
-    constructor(toolName: string, message: string);
-}
-/**
- * Optional triage attributes the runner attaches to terminal `error`
- * events. Mirrors the wire fields described in
- * `docs/agent-runs-protocol.md` §7 ("error event payload fields") so SDK
- * callers can render structured UI status notes ("model truncated — JSON
- * likely incomplete") and drive retry policy without re-parsing the
- * human-readable `message`.
- */
-interface MantyxRunErrorInit {
-    /**
-     * Canonical category of failure. One of `"rate_limit"`, `"overloaded"`,
-     * `"server"`, `"context_window"`, `"truncation"`, `"invalid_request"`,
-     * `"auth"`, `"timeout"`, `"local_timeout"`, `"upstream_deadline"`,
-     * `"unknown"`. New categories may land additively — callers should
-     * default-branch to `"unknown"` for unrecognized values.
-     */
-    errorClass?: string;
-    /**
-     * Canonical lowercase stop reason normalized across providers
-     * (`"max_tokens"`, `"refusal"`, `"malformed_function_call"`, …). When
-     * present, mirrors the value carried on the last `assistant_message`
-     * event preceding the failure.
-     */
-    finishReason?: string | null;
-    /**
-     * **Best-effort raw bytes** the model emitted before the failure. For
-     * `outputSchema` runs this is likely **incomplete JSON** that will
-     * fail `JSON.parse` — treat it as diagnostic data, never as a
-     * schema-conformant reply.
-     */
-    partialText?: string;
-    /**
-     * Coarse retry hint inherited from the pipeline's error classifier.
-     * Informational; the SDK still owns the actual retry decision.
-     */
-    retryable?: boolean;
-}
-declare class MantyxRunError extends MantyxError {
-    readonly runId: string;
-    readonly subtype: string;
-    /** See {@link MantyxRunErrorInit.errorClass}. */
-    readonly errorClass: string | undefined;
-    /** See {@link MantyxRunErrorInit.finishReason}. */
-    readonly finishReason: string | null | undefined;
-    /** See {@link MantyxRunErrorInit.partialText}. */
-    readonly partialText: string | undefined;
-    /** See {@link MantyxRunErrorInit.retryable}. */
-    readonly retryable: boolean | undefined;
-    constructor(runId: string, subtype: string, message: string, init?: MantyxRunErrorInit);
-}
-/**
- * Thrown by {@link parseRunOutput} when the run's terminal text was supposed
- * to be a JSON document (because `outputSchema` was set on the spec) but
- * either failed to JSON.parse or failed the user-supplied validator.
- *
- * The original `text` is preserved on the `text` field so callers can log
- * the raw model output for debugging.
- */
-declare class MantyxParseError extends MantyxError {
-    readonly text: string;
-    constructor(message: string, text: string, opts?: {
-        cause?: unknown;
-    });
-}
-
 /**
  * Lightweight Zod → JSON Schema converter for tool parameter definitions.
  *
@@ -142,6 +52,6 @@ declare function readSseStream(body: ReadableStream<Uint8Array> | null, opts?: S
 /**
  * Release version — synced from repo root VERSION (`npm run sync-version`).
  */
-declare const SDK_VERSION = "0.9.1";
+declare const SDK_VERSION = "0.10.1";
 
-export { MantyxAuthError, MantyxError, MantyxNetworkError, MantyxParseError, MantyxRunError, type MantyxRunErrorInit, MantyxToolError, SDK_VERSION, type SseEvent, type SseStreamOptions, readSseStream, toToolParametersWire, zodToJsonSchema };
+export { SDK_VERSION, type SseEvent, type SseStreamOptions, readSseStream, toToolParametersWire, zodToJsonSchema };

package/dist/index.d.ts

@@ -1,96 +1,6 @@
-export { A as A2AToolRef, a as AgentSession, b as AgentSpecBase, c as AssistantDeltaEvent, d as AssistantMessageEvent, C as CancelledEvent, D as DEFAULT_BASE_URL, e as DefineLocalA2AOptions, f as DefineLocalMcpOptions, g as DefineLocalToolOptions, E as ErrorEvent, L as LocalA2ATool, h as LocalHandlers, i as LocalMcpHttpTransport, j as LocalMcpServer, k as LocalMcpStdioTransport, l as LocalTool, m as LocalToolCallEvent, n as LocalToolResultInEvent, o as LoopDetectedEvent, p as LoopDetection, q as MantyxA2AOptions, M as MantyxClient, r as MantyxClientOptions, s as MantyxMcpOptions, t as MantyxPluginToolRef, u as MantyxToolRef, v as McpToolRef, w as ModelCatalog, x as ModelInfo, O as OutputSchema, R as ReasoningLevel, y as ResultEvent, z as RunEvent, B as RunEventBase, F as RunResult, G as RunSpec, S as ServerToolResultEvent, H as SessionInfo, I as SessionSpec, J as ThinkingDeltaEvent, K as ToolBudget, N as ToolBudgetExceededEvent, P as ToolBudgets, T as ToolRef, Z as ZodLikeObject, Q as defineLocalA2A, U as defineLocalMcp, V as defineLocalTool, W as isLocalA2ATool, X as isLocalMcpServer, Y as isLocalTool, _ as mantyxA2A, $ as mantyxMcp, a0 as mantyxPluginTool, a1 as mantyxTool, a2 as parseRunOutput } from './client-BB6cjfsz.js';
+export { A as A2AToolRef, a as AgentSession, b as AgentSpecBase, c as AssistantDeltaEvent, d as AssistantMessageEvent, C as CancelledEvent, D as DEFAULT_BASE_URL, e as DEFAULT_OAUTH_BASE_URL, f as DEFAULT_REFRESH_SKEW_MS, g as DefineLocalA2AOptions, h as DefineLocalMcpOptions, i as DefineLocalToolOptions, E as ErrorEvent, L as LocalA2ATool, j as LocalHandlers, k as LocalMcpHttpTransport, l as LocalMcpServer, m as LocalMcpStdioTransport, n as LocalTool, o as LocalToolCallEvent, p as LocalToolResultInEvent, q as LoopDetectedEvent, r as LoopDetection, s as MantyxA2AOptions, t as MantyxAuthError, M as MantyxClient, u as MantyxClientOptions, v as MantyxError, w as MantyxMcpOptions, x as MantyxNetworkError, y as MantyxOAuthClient, z as MantyxOAuthClientOptions, B as MantyxOAuthError, F as MantyxParseError, G as MantyxPluginToolRef, H as MantyxRunError, I as MantyxRunErrorInit, J as MantyxScopeError, K as MantyxToolError, N as MantyxToolRef, O as McpToolRef, P as ModelCatalog, Q as ModelInfo, S as OAuthToken, U as OutputSchema, R as ReasoningLevel, V as RefreshOptions, W as RefreshTokenSourceOptions, X as ResultEvent, Y as RevokeOptions, Z as RunEvent, _ as RunEventBase, $ as RunResult, a0 as RunSpec, a1 as ServerToolResultEvent, a2 as SessionInfo, a3 as SessionSpec, a4 as ThinkingDeltaEvent, a5 as TokenRequestReason, a6 as TokenSource, a7 as ToolBudget, a8 as ToolBudgetExceededEvent, a9 as ToolBudgets, T as ToolRef, aa as ZodLikeObject, ab as defineLocalA2A, ac as defineLocalMcp, ad as defineLocalTool, ae as isLocalA2ATool, af as isLocalMcpServer, ag as isLocalTool, ah as mantyxA2A, ai as mantyxMcp, aj as mantyxPluginTool, ak as mantyxTool, al as parseRunOutput } from './client-CZUVldDx.js';
 import { z } from 'zod';
 
-/**
- * Error types raised by the MANTYX SDK.
- */
-declare class MantyxError extends Error {
-    readonly code: string;
-    readonly status: number | undefined;
-    readonly hint: string | undefined;
-    constructor(message: string, opts?: {
-        code?: string;
-        status?: number;
-        hint?: string;
-    });
-}
-declare class MantyxNetworkError extends MantyxError {
-    constructor(message: string, opts?: {
-        cause?: unknown;
-    });
-}
-declare class MantyxAuthError extends MantyxError {
-    constructor(message?: string);
-}
-declare class MantyxToolError extends MantyxError {
-    readonly toolName: string;
-    constructor(toolName: string, message: string);
-}
-/**
- * Optional triage attributes the runner attaches to terminal `error`
- * events. Mirrors the wire fields described in
- * `docs/agent-runs-protocol.md` §7 ("error event payload fields") so SDK
- * callers can render structured UI status notes ("model truncated — JSON
- * likely incomplete") and drive retry policy without re-parsing the
- * human-readable `message`.
- */
-interface MantyxRunErrorInit {
-    /**
-     * Canonical category of failure. One of `"rate_limit"`, `"overloaded"`,
-     * `"server"`, `"context_window"`, `"truncation"`, `"invalid_request"`,
-     * `"auth"`, `"timeout"`, `"local_timeout"`, `"upstream_deadline"`,
-     * `"unknown"`. New categories may land additively — callers should
-     * default-branch to `"unknown"` for unrecognized values.
-     */
-    errorClass?: string;
-    /**
-     * Canonical lowercase stop reason normalized across providers
-     * (`"max_tokens"`, `"refusal"`, `"malformed_function_call"`, …). When
-     * present, mirrors the value carried on the last `assistant_message`
-     * event preceding the failure.
-     */
-    finishReason?: string | null;
-    /**
-     * **Best-effort raw bytes** the model emitted before the failure. For
-     * `outputSchema` runs this is likely **incomplete JSON** that will
-     * fail `JSON.parse` — treat it as diagnostic data, never as a
-     * schema-conformant reply.
-     */
-    partialText?: string;
-    /**
-     * Coarse retry hint inherited from the pipeline's error classifier.
-     * Informational; the SDK still owns the actual retry decision.
-     */
-    retryable?: boolean;
-}
-declare class MantyxRunError extends MantyxError {
-    readonly runId: string;
-    readonly subtype: string;
-    /** See {@link MantyxRunErrorInit.errorClass}. */
-    readonly errorClass: string | undefined;
-    /** See {@link MantyxRunErrorInit.finishReason}. */
-    readonly finishReason: string | null | undefined;
-    /** See {@link MantyxRunErrorInit.partialText}. */
-    readonly partialText: string | undefined;
-    /** See {@link MantyxRunErrorInit.retryable}. */
-    readonly retryable: boolean | undefined;
-    constructor(runId: string, subtype: string, message: string, init?: MantyxRunErrorInit);
-}
-/**
- * Thrown by {@link parseRunOutput} when the run's terminal text was supposed
- * to be a JSON document (because `outputSchema` was set on the spec) but
- * either failed to JSON.parse or failed the user-supplied validator.
- *
- * The original `text` is preserved on the `text` field so callers can log
- * the raw model output for debugging.
- */
-declare class MantyxParseError extends MantyxError {
-    readonly text: string;
-    constructor(message: string, text: string, opts?: {
-        cause?: unknown;
-    });
-}
-
 /**
  * Lightweight Zod → JSON Schema converter for tool parameter definitions.
  *
@@ -142,6 +52,6 @@ declare function readSseStream(body: ReadableStream<Uint8Array> | null, opts?: S
 /**
  * Release version — synced from repo root VERSION (`npm run sync-version`).
  */
-declare const SDK_VERSION = "0.9.1";
+declare const SDK_VERSION = "0.10.1";
 
-export { MantyxAuthError, MantyxError, MantyxNetworkError, MantyxParseError, MantyxRunError, type MantyxRunErrorInit, MantyxToolError, SDK_VERSION, type SseEvent, type SseStreamOptions, readSseStream, toToolParametersWire, zodToJsonSchema };
+export { SDK_VERSION, type SseEvent, type SseStreamOptions, readSseStream, toToolParametersWire, zodToJsonSchema };

package/dist/index.js

@@ -7,6 +7,7 @@ import {
   MantyxNetworkError,
   MantyxParseError,
   MantyxRunError,
+  MantyxScopeError,
   MantyxToolError,
   defineLocalA2A,
   defineLocalMcp,
@@ -22,19 +23,243 @@ import {
   readSseStream,
   toToolParametersWire,
   zodToJsonSchema
-} from "./chunk-AE7ZSLBH.js";
+} from "./chunk-XMUCELMH.js";
+
+// src/oauth.ts
+var DEFAULT_OAUTH_BASE_URL = "https://app.mantyx.io";
+var DEFAULT_REFRESH_SKEW_MS = 6e4;
+var MantyxOAuthError = class extends MantyxError {
+  oauthError;
+  oauthErrorDescription;
+  constructor(oauthError, oauthErrorDescription, status) {
+    const message = oauthErrorDescription ? `OAuth ${oauthError}: ${oauthErrorDescription}` : `OAuth ${oauthError}`;
+    super(message, { code: oauthError, status });
+    this.name = "MantyxOAuthError";
+    this.oauthError = oauthError;
+    this.oauthErrorDescription = oauthErrorDescription;
+  }
+};
+var MantyxOAuthClient = class {
+  clientId;
+  baseUrl;
+  clientSecret;
+  fetchImpl;
+  timeoutMs;
+  constructor(opts) {
+    if (!opts.clientId) {
+      throw new MantyxError("`clientId` is required for MantyxOAuthClient");
+    }
+    if (!opts.clientSecret) {
+      throw new MantyxError("`clientSecret` is required for MantyxOAuthClient");
+    }
+    const f = opts.fetch ?? globalThis.fetch;
+    if (typeof f !== "function") {
+      throw new MantyxError(
+        "Global fetch is not available; pass a custom `fetch` implementation in MantyxOAuthClientOptions."
+      );
+    }
+    this.clientId = opts.clientId;
+    this.clientSecret = opts.clientSecret;
+    this.baseUrl = (opts.baseUrl ?? DEFAULT_OAUTH_BASE_URL).replace(/\/+$/, "");
+    this.fetchImpl = f;
+    this.timeoutMs = opts.timeoutMs ?? 3e4;
+  }
+  /**
+   * Mint a fresh access token from a stored refresh token. The
+   * returned `refreshToken` is identical to the input — refresh
+   * tokens are persistent and non-rotating, so the field is
+   * surfaced only for symmetry with the response shape.
+   *
+   * On `400 invalid_grant` the refresh token has been revoked (or its
+   * grant / app was deleted); the SDK surfaces a
+   * {@link MantyxOAuthError} and callers must drive a fresh sign-in.
+   */
+  async refresh(opts) {
+    if (!opts.refreshToken) {
+      throw new MantyxError("`refreshToken` is required for MantyxOAuthClient.refresh");
+    }
+    const body = {
+      grant_type: "refresh_token",
+      refresh_token: opts.refreshToken
+    };
+    const scope = normalizeScope(opts.scope);
+    if (scope !== void 0) body.scope = scope;
+    return this.token(body);
+  }
+  /**
+   * Revoke an access or refresh token (RFC 7009). The server always
+   * returns 200, even for unknown tokens. Revoking a **refresh**
+   * token kills the refresh and every live access token tied to its
+   * grant; revoking an **access** token kills only that one.
+   */
+  async revoke(opts) {
+    if (!opts.token) {
+      throw new MantyxError("`token` is required for MantyxOAuthClient.revoke");
+    }
+    await this.formPost("/api/oauth/revoke", {
+      token: opts.token
+    });
+  }
+  /**
+   * Build a long-lived {@link TokenSource} that re-mints access
+   * tokens from the supplied refresh token. Pass the returned source
+   * to `new MantyxClient({ tokenSource, workspaceSlug, ... })`. The
+   * source caches the access token in-memory and refreshes
+   * proactively when the cached value is within `refreshSkewMs` of
+   * `expiresAt`, or eagerly when `MantyxClient` reports a 401.
+   *
+   * Pass `initialToken` if the calling app already has a non-expired
+   * access token in hand (e.g. straight out of the sign-in flow) to
+   * avoid an extra round-trip on the first request.
+   */
+  refreshTokenSource(opts) {
+    if (!opts.refreshToken) {
+      throw new MantyxError("`refreshToken` is required for MantyxOAuthClient.refreshTokenSource");
+    }
+    const skew = opts.refreshSkewMs ?? DEFAULT_REFRESH_SKEW_MS;
+    const cache = { token: opts.initialToken, inflight: null };
+    const refreshToken = opts.refreshToken;
+    return makeTokenSource(cache, skew, async () => {
+      return this.refresh({ refreshToken, scope: opts.scope });
+    });
+  }
+  // -------------------------------------------------------------- internals
+  /**
+   * POST `application/x-www-form-urlencoded` to `/api/oauth/token` and
+   * decode the {@link OAuthToken} response. Always injects `client_id`
+   * + `client_secret` from the constructor.
+   */
+  async token(body) {
+    const res = await this.formPost("/api/oauth/token", body);
+    let parsed = {};
+    try {
+      parsed = await res.json();
+    } catch {
+      throw new MantyxOAuthError(
+        "invalid_response",
+        "Token endpoint returned a non-JSON response",
+        res.status
+      );
+    }
+    const accessToken = typeof parsed.access_token === "string" ? parsed.access_token : "";
+    if (!accessToken) {
+      throw new MantyxOAuthError(
+        "invalid_response",
+        "Token endpoint response is missing `access_token`",
+        res.status
+      );
+    }
+    const expiresIn = typeof parsed.expires_in === "number" ? parsed.expires_in : 3600;
+    return {
+      accessToken,
+      refreshToken: typeof parsed.refresh_token === "string" ? parsed.refresh_token : void 0,
+      tokenType: typeof parsed.token_type === "string" ? parsed.token_type : "Bearer",
+      expiresIn,
+      expiresAt: Date.now() + expiresIn * 1e3,
+      scope: typeof parsed.scope === "string" ? parsed.scope : void 0
+    };
+  }
+  async formPost(path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const params = new URLSearchParams({
+      ...body,
+      client_id: this.clientId,
+      client_secret: this.clientSecret
+    });
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), this.timeoutMs);
+    let res;
+    try {
+      res = await this.fetchImpl(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Accept: "application/json"
+        },
+        body: params.toString(),
+        signal: ctrl.signal
+      });
+    } catch (err) {
+      if (ctrl.signal.aborted) {
+        throw new MantyxNetworkError(`OAuth request timed out after ${this.timeoutMs}ms`);
+      }
+      throw new MantyxNetworkError(`OAuth network error: ${err.message}`, {
+        cause: err
+      });
+    } finally {
+      clearTimeout(t);
+    }
+    if (!res.ok) {
+      let errBody = {};
+      try {
+        errBody = await res.json();
+      } catch {
+      }
+      const oauthError = typeof errBody.error === "string" ? errBody.error : `http_${res.status}`;
+      const desc = typeof errBody.error_description === "string" ? errBody.error_description : void 0;
+      throw new MantyxOAuthError(oauthError, desc, res.status);
+    }
+    return res;
+  }
+};
+function makeTokenSource(cache, skewMs, mint) {
+  return async (reason = "initial") => {
+    if (reason !== "unauthorized" && cache.token && !isExpiring(cache.token, skewMs)) {
+      return cache.token.accessToken;
+    }
+    if (cache.inflight) {
+      const t = await cache.inflight;
+      if (reason === "unauthorized" && t === cache.token) {
+      } else {
+        return t.accessToken;
+      }
+    }
+    cache.inflight = mint().then(
+      (t) => {
+        cache.token = t;
+        return t;
+      },
+      (err) => {
+        throw err;
+      }
+    );
+    try {
+      const t = await cache.inflight;
+      return t.accessToken;
+    } finally {
+      cache.inflight = null;
+    }
+  };
+}
+function isExpiring(token, skewMs) {
+  return token.expiresAt - Date.now() <= skewMs;
+}
+function normalizeScope(scope) {
+  if (scope === void 0) return void 0;
+  if (typeof scope === "string") {
+    const trimmed = scope.trim();
+    return trimmed.length > 0 ? trimmed : void 0;
+  }
+  const joined = scope.filter((s) => typeof s === "string" && s.length > 0).join(" ");
+  return joined.length > 0 ? joined : void 0;
+}
 
 // src/version.ts
-var SDK_VERSION = "0.9.1";
+var SDK_VERSION = "0.10.1";
 export {
   AgentSession,
   DEFAULT_BASE_URL,
+  DEFAULT_OAUTH_BASE_URL,
+  DEFAULT_REFRESH_SKEW_MS,
   MantyxAuthError,
   MantyxClient,
   MantyxError,
   MantyxNetworkError,
+  MantyxOAuthClient,
+  MantyxOAuthError,
   MantyxParseError,
   MantyxRunError,
+  MantyxScopeError,
   MantyxToolError,
   SDK_VERSION,
   defineLocalA2A,

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/version.ts"],"sourcesContent":["/**\n * Release version — synced from repo root VERSION (`npm run sync-version`).\n */\nexport const SDK_VERSION = \"0.9.1\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAGO,IAAM,cAAc;","names":[]}
+{"version":3,"sources":["../src/oauth.ts","../src/version.ts"],"sourcesContent":["/**\n * MANTYX OAuth 2.0 refresh client: trade a stored refresh token for\n * short-lived access tokens, revoke tokens at sign-out, and expose\n * a {@link TokenSource} the {@link MantyxClient} HTTP layer calls\n * before every request (and again on 401).\n *\n * The library is intentionally **refresh-only**. It assumes the caller\n * already obtained the refresh token through their own sign-in flow\n * (Authorization Code + PKCE in a browser, native redirect, server-\n * side exchange — whatever fits the host application). The SDK does\n * not drive consent, does not initiate auth-code exchanges, and does\n * not bundle PKCE helpers.\n *\n * Wire contract (`docs/oauth.md`):\n *\n * - Token endpoint: `POST <baseUrl>/api/oauth/token`, form-encoded,\n *   `grant_type=refresh_token`. Echoes back the same `refresh_token`\n *   the client sent (refresh tokens are persistent and non-rotating).\n * - Revoke endpoint: `POST <baseUrl>/api/oauth/revoke`, form-encoded.\n * - Access tokens (`mantyx_at_…`) live 1 hour (`expires_in: 3600`).\n * - Refresh tokens (`mantyx_rt_…`) are long-lived; the caller persists\n *   them once at first sign-in (encrypted at rest) and the SDK re-mints\n *   access tokens from the same value on demand.\n */\n\nimport { MantyxError, MantyxNetworkError } from \"./errors.js\";\n\nexport const DEFAULT_OAUTH_BASE_URL = \"https://app.mantyx.io\";\n\n/** Skew (ms) before `expiresAt` at which a TokenSource will pre-emptively refresh. Default 60s. */\nexport const DEFAULT_REFRESH_SKEW_MS = 60_000;\n\n/**\n * Raised on a non-2xx response from `POST /api/oauth/token` or\n * `POST /api/oauth/revoke`. Carries the RFC 6749 `error` discriminator\n * (`\"invalid_grant\"`, `\"invalid_client\"`, `\"unsupported_grant_type\"`,\n * …) and the optional `error_description` so callers can branch on\n * machine-readable values without parsing the human message.\n *\n * `invalid_grant` from the refresh path specifically signals that the\n * refresh token has been revoked (or the OAuth grant / application\n * was deleted). The SDK never loops on this — callers should route\n * the user back to a fresh sign-in.\n */\nexport class MantyxOAuthError extends MantyxError {\n  readonly oauthError: string;\n  readonly oauthErrorDescription: string | undefined;\n\n  constructor(\n    oauthError: string,\n    oauthErrorDescription: string | undefined,\n    status: number,\n  ) {\n    const message = oauthErrorDescription\n      ? `OAuth ${oauthError}: ${oauthErrorDescription}`\n      : `OAuth ${oauthError}`;\n    super(message, { code: oauthError, status });\n    this.name = \"MantyxOAuthError\";\n    this.oauthError = oauthError;\n    this.oauthErrorDescription = oauthErrorDescription;\n  }\n}\n\n/**\n * Decoded `POST /api/oauth/token` response, augmented with an absolute\n * `expiresAt` timestamp the SDK uses to decide when to refresh.\n *\n * On the refresh grant the response's `refreshToken` is identical to\n * the value the client just sent (refresh tokens never rotate). The\n * field is surfaced for symmetry with whatever the calling app's\n * sign-in flow already does.\n */\nexport interface OAuthToken {\n  readonly accessToken: string;\n  readonly refreshToken: string | undefined;\n  readonly tokenType: string;\n  readonly expiresIn: number;\n  /** Absolute Unix-ms timestamp set when the SDK parsed the response. */\n  readonly expiresAt: number;\n  readonly scope: string | undefined;\n}\n\n/** Why the SDK asked the {@link TokenSource} for the current access token. */\nexport type TokenRequestReason = \"initial\" | \"expired\" | \"unauthorized\";\n\n/**\n * A `TokenSource` produces the current access token on demand. The\n * {@link MantyxClient} HTTP layer calls it before every request. When\n * called with `reason: \"unauthorized\"` the source MUST force a refresh\n * (do not return a cached value); this is how the SDK recovers from\n * 401s caused by a token that the server already invalidated.\n *\n * Implementations should be safe to call from many concurrent requests.\n */\nexport type TokenSource = (reason?: TokenRequestReason) => Promise<string>;\n\n/** Caller-supplied options for `MantyxOAuthClient`. */\nexport interface MantyxOAuthClientOptions {\n  /**\n   * OAuth `client_id` issued at app registration (token prefix\n   * `mantyx_oa_`).\n   */\n  clientId: string;\n  /**\n   * OAuth `client_secret` issued at app registration (token prefix\n   * `mantyx_oas_`). Every MANTYX OAuth app is a confidential client,\n   * so this is always required for token + revoke calls. Treat as a\n   * deployment secret — do not bundle into browser builds.\n   */\n  clientSecret: string;\n  /**\n   * Origin of the MANTYX deployment. Defaults to `https://app.mantyx.io`.\n   * The OAuth endpoints are mounted at `<baseUrl>/api/oauth/...`.\n   */\n  baseUrl?: string;\n  /** Optional `fetch` override (e.g. node-fetch wrapper). Default: global `fetch`. */\n  fetch?: typeof fetch;\n  /** Default per-request timeout in milliseconds. Default: 30s. */\n  timeoutMs?: number;\n}\n\nexport interface RefreshOptions {\n  refreshToken: string;\n  /**\n   * Optional scope narrowing. Must be a subset of the scopes already\n   * granted to the refresh token (server enforces this). Useful when\n   * an SDK consumer wants a short-scope access token for a specific\n   * sub-operation.\n   */\n  scope?: string | readonly string[];\n}\n\nexport interface RevokeOptions {\n  token: string;\n}\n\nexport interface RefreshTokenSourceOptions {\n  refreshToken: string;\n  /** Optional scope narrowing applied on every refresh. */\n  scope?: string | readonly string[];\n  /**\n   * How many ms before `expiresAt` the source proactively refreshes.\n   * Defaults to {@link DEFAULT_REFRESH_SKEW_MS} (60s).\n   */\n  refreshSkewMs?: number;\n  /**\n   * Optional initial access token + expiry to seed the source's cache\n   * with (e.g. the token already in hand from the host application's\n   * sign-in flow). When omitted, the source mints one on the first\n   * call.\n   */\n  initialToken?: OAuthToken;\n}\n\n/**\n * Refresh-only wrapper around the MANTYX OAuth 2.0 authorization-server\n * endpoints. App-scoped (one per `{clientId, clientSecret}` pair);\n * construct independently of {@link MantyxClient}, then either call\n * {@link refresh} / {@link revoke} directly or hand a `TokenSource`\n * produced by {@link refreshTokenSource} to `MantyxClient` for fully\n * transparent refresh on every request.\n *\n * The client deliberately does **not** drive the authorization-code\n * exchange or any other \"initiate sign-in\" grant. The caller is\n * expected to obtain the refresh token through their own consent flow\n * and persist it before constructing this client.\n */\nexport class MantyxOAuthClient {\n  readonly clientId: string;\n  readonly baseUrl: string;\n  private readonly clientSecret: string;\n  private readonly fetchImpl: typeof fetch;\n  private readonly timeoutMs: number;\n\n  constructor(opts: MantyxOAuthClientOptions) {\n    if (!opts.clientId) {\n      throw new MantyxError(\"`clientId` is required for MantyxOAuthClient\");\n    }\n    if (!opts.clientSecret) {\n      throw new MantyxError(\"`clientSecret` is required for MantyxOAuthClient\");\n    }\n    const f = opts.fetch ?? globalThis.fetch;\n    if (typeof f !== \"function\") {\n      throw new MantyxError(\n        \"Global fetch is not available; pass a custom `fetch` implementation in MantyxOAuthClientOptions.\",\n      );\n    }\n    this.clientId = opts.clientId;\n    this.clientSecret = opts.clientSecret;\n    this.baseUrl = (opts.baseUrl ?? DEFAULT_OAUTH_BASE_URL).replace(/\\/+$/, \"\");\n    this.fetchImpl = f;\n    this.timeoutMs = opts.timeoutMs ?? 30_000;\n  }\n\n  /**\n   * Mint a fresh access token from a stored refresh token. The\n   * returned `refreshToken` is identical to the input — refresh\n   * tokens are persistent and non-rotating, so the field is\n   * surfaced only for symmetry with the response shape.\n   *\n   * On `400 invalid_grant` the refresh token has been revoked (or its\n   * grant / app was deleted); the SDK surfaces a\n   * {@link MantyxOAuthError} and callers must drive a fresh sign-in.\n   */\n  async refresh(opts: RefreshOptions): Promise<OAuthToken> {\n    if (!opts.refreshToken) {\n      throw new MantyxError(\"`refreshToken` is required for MantyxOAuthClient.refresh\");\n    }\n    const body: Record<string, string> = {\n      grant_type: \"refresh_token\",\n      refresh_token: opts.refreshToken,\n    };\n    const scope = normalizeScope(opts.scope);\n    if (scope !== undefined) body.scope = scope;\n    return this.token(body);\n  }\n\n  /**\n   * Revoke an access or refresh token (RFC 7009). The server always\n   * returns 200, even for unknown tokens. Revoking a **refresh**\n   * token kills the refresh and every live access token tied to its\n   * grant; revoking an **access** token kills only that one.\n   */\n  async revoke(opts: RevokeOptions): Promise<void> {\n    if (!opts.token) {\n      throw new MantyxError(\"`token` is required for MantyxOAuthClient.revoke\");\n    }\n    await this.formPost(\"/api/oauth/revoke\", {\n      token: opts.token,\n    });\n  }\n\n  /**\n   * Build a long-lived {@link TokenSource} that re-mints access\n   * tokens from the supplied refresh token. Pass the returned source\n   * to `new MantyxClient({ tokenSource, workspaceSlug, ... })`. The\n   * source caches the access token in-memory and refreshes\n   * proactively when the cached value is within `refreshSkewMs` of\n   * `expiresAt`, or eagerly when `MantyxClient` reports a 401.\n   *\n   * Pass `initialToken` if the calling app already has a non-expired\n   * access token in hand (e.g. straight out of the sign-in flow) to\n   * avoid an extra round-trip on the first request.\n   */\n  refreshTokenSource(opts: RefreshTokenSourceOptions): TokenSource {\n    if (!opts.refreshToken) {\n      throw new MantyxError(\"`refreshToken` is required for MantyxOAuthClient.refreshTokenSource\");\n    }\n    const skew = opts.refreshSkewMs ?? DEFAULT_REFRESH_SKEW_MS;\n    const cache: TokenCache = { token: opts.initialToken, inflight: null };\n    const refreshToken = opts.refreshToken;\n    return makeTokenSource(cache, skew, async () => {\n      return this.refresh({ refreshToken, scope: opts.scope });\n    });\n  }\n\n  // -------------------------------------------------------------- internals\n\n  /**\n   * POST `application/x-www-form-urlencoded` to `/api/oauth/token` and\n   * decode the {@link OAuthToken} response. Always injects `client_id`\n   * + `client_secret` from the constructor.\n   */\n  private async token(body: Record<string, string>): Promise<OAuthToken> {\n    const res = await this.formPost(\"/api/oauth/token\", body);\n    let parsed: Record<string, unknown> = {};\n    try {\n      parsed = (await res.json()) as Record<string, unknown>;\n    } catch {\n      throw new MantyxOAuthError(\n        \"invalid_response\",\n        \"Token endpoint returned a non-JSON response\",\n        res.status,\n      );\n    }\n    const accessToken = typeof parsed.access_token === \"string\" ? parsed.access_token : \"\";\n    if (!accessToken) {\n      throw new MantyxOAuthError(\n        \"invalid_response\",\n        \"Token endpoint response is missing `access_token`\",\n        res.status,\n      );\n    }\n    const expiresIn = typeof parsed.expires_in === \"number\" ? parsed.expires_in : 3600;\n    return {\n      accessToken,\n      refreshToken: typeof parsed.refresh_token === \"string\" ? parsed.refresh_token : undefined,\n      tokenType: typeof parsed.token_type === \"string\" ? parsed.token_type : \"Bearer\",\n      expiresIn,\n      expiresAt: Date.now() + expiresIn * 1000,\n      scope: typeof parsed.scope === \"string\" ? parsed.scope : undefined,\n    };\n  }\n\n  private async formPost(path: string, body: Record<string, string>): Promise<Response> {\n    const url = `${this.baseUrl}${path}`;\n    const params = new URLSearchParams({\n      ...body,\n      client_id: this.clientId,\n      client_secret: this.clientSecret,\n    });\n    const ctrl = new AbortController();\n    const t = setTimeout(() => ctrl.abort(), this.timeoutMs);\n    let res: Response;\n    try {\n      res = await this.fetchImpl(url, {\n        method: \"POST\",\n        headers: {\n          \"Content-Type\": \"application/x-www-form-urlencoded\",\n          Accept: \"application/json\",\n        },\n        body: params.toString(),\n        signal: ctrl.signal,\n      });\n    } catch (err) {\n      if (ctrl.signal.aborted) {\n        throw new MantyxNetworkError(`OAuth request timed out after ${this.timeoutMs}ms`);\n      }\n      throw new MantyxNetworkError(`OAuth network error: ${(err as Error).message}`, {\n        cause: err,\n      });\n    } finally {\n      clearTimeout(t);\n    }\n    if (!res.ok) {\n      let errBody: { error?: unknown; error_description?: unknown } = {};\n      try {\n        errBody = (await res.json()) as typeof errBody;\n      } catch {\n        // ignore\n      }\n      const oauthError = typeof errBody.error === \"string\" ? errBody.error : `http_${res.status}`;\n      const desc =\n        typeof errBody.error_description === \"string\" ? errBody.error_description : undefined;\n      throw new MantyxOAuthError(oauthError, desc, res.status);\n    }\n    return res;\n  }\n}\n\n// -------------------------------------------------------------- internals\n\ninterface TokenCache {\n  token: OAuthToken | undefined;\n  inflight: Promise<OAuthToken> | null;\n}\n\n/**\n * Wrap a `mintToken` thunk into a single-flight {@link TokenSource}\n * with a cache + proactive-refresh skew. The cache is overwritten\n * atomically on every successful mint; the in-flight promise\n * collapses N concurrent expired-token observers into one mint call.\n *\n * Single-flight is an efficiency, not a correctness requirement —\n * `docs/oauth.md` explicitly allows multiple concurrent refreshes\n * against the same refresh token — but it keeps the token-endpoint\n * QPS reasonable when an SDK consumer fans out work in parallel.\n */\nfunction makeTokenSource(\n  cache: TokenCache,\n  skewMs: number,\n  mint: () => Promise<OAuthToken>,\n): TokenSource {\n  return async (reason: TokenRequestReason = \"initial\"): Promise<string> => {\n    if (reason !== \"unauthorized\" && cache.token && !isExpiring(cache.token, skewMs)) {\n      return cache.token.accessToken;\n    }\n    if (cache.inflight) {\n      const t = await cache.inflight;\n      if (reason === \"unauthorized\" && t === cache.token) {\n        // If the inflight refresh was triggered by a benign cache miss\n        // and we observed an unauthorized hint after it started, fall\n        // through and mint again so the caller never gets a stale token.\n      } else {\n        return t.accessToken;\n      }\n    }\n    cache.inflight = mint().then(\n      (t) => {\n        cache.token = t;\n        return t;\n      },\n      (err: unknown) => {\n        throw err;\n      },\n    );\n    try {\n      const t = await cache.inflight;\n      return t.accessToken;\n    } finally {\n      cache.inflight = null;\n    }\n  };\n}\n\nfunction isExpiring(token: OAuthToken, skewMs: number): boolean {\n  return token.expiresAt - Date.now() <= skewMs;\n}\n\nfunction normalizeScope(scope: string | readonly string[] | undefined): string | undefined {\n  if (scope === undefined) return undefined;\n  if (typeof scope === \"string\") {\n    const trimmed = scope.trim();\n    return trimmed.length > 0 ? trimmed : undefined;\n  }\n  const joined = scope.filter((s) => typeof s === \"string\" && s.length > 0).join(\" \");\n  return joined.length > 0 ? joined : undefined;\n}\n","/**\n * Release version — synced from repo root VERSION (`npm run sync-version`).\n */\nexport const SDK_VERSION = \"0.10.1\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BO,IAAM,yBAAyB;AAG/B,IAAM,0BAA0B;AAchC,IAAM,mBAAN,cAA+B,YAAY;AAAA,EACvC;AAAA,EACA;AAAA,EAET,YACE,YACA,uBACA,QACA;AACA,UAAM,UAAU,wBACZ,SAAS,UAAU,KAAK,qBAAqB,KAC7C,SAAS,UAAU;AACvB,UAAM,SAAS,EAAE,MAAM,YAAY,OAAO,CAAC;AAC3C,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,wBAAwB;AAAA,EAC/B;AACF;AA0GO,IAAM,oBAAN,MAAwB;AAAA,EACpB;AAAA,EACA;AAAA,EACQ;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAAgC;AAC1C,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,YAAY,8CAA8C;AAAA,IACtE;AACA,QAAI,CAAC,KAAK,cAAc;AACtB,YAAM,IAAI,YAAY,kDAAkD;AAAA,IAC1E;AACA,UAAM,IAAI,KAAK,SAAS,WAAW;AACnC,QAAI,OAAO,MAAM,YAAY;AAC3B,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,WAAW,KAAK;AACrB,SAAK,eAAe,KAAK;AACzB,SAAK,WAAW,KAAK,WAAW,wBAAwB,QAAQ,QAAQ,EAAE;AAC1E,SAAK,YAAY;AACjB,SAAK,YAAY,KAAK,aAAa;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,QAAQ,MAA2C;AACvD,QAAI,CAAC,KAAK,cAAc;AACtB,YAAM,IAAI,YAAY,0DAA0D;AAAA,IAClF;AACA,UAAM,OAA+B;AAAA,MACnC,YAAY;AAAA,MACZ,eAAe,KAAK;AAAA,IACtB;AACA,UAAM,QAAQ,eAAe,KAAK,KAAK;AACvC,QAAI,UAAU,OAAW,MAAK,QAAQ;AACtC,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAO,MAAoC;AAC/C,QAAI,CAAC,KAAK,OAAO;AACf,YAAM,IAAI,YAAY,kDAAkD;AAAA,IAC1E;AACA,UAAM,KAAK,SAAS,qBAAqB;AAAA,MACvC,OAAO,KAAK;AAAA,IACd,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,mBAAmB,MAA8C;AAC/D,QAAI,CAAC,KAAK,cAAc;AACtB,YAAM,IAAI,YAAY,qEAAqE;AAAA,IAC7F;AACA,UAAM,OAAO,KAAK,iBAAiB;AACnC,UAAM,QAAoB,EAAE,OAAO,KAAK,cAAc,UAAU,KAAK;AACrE,UAAM,eAAe,KAAK;AAC1B,WAAO,gBAAgB,OAAO,MAAM,YAAY;AAC9C,aAAO,KAAK,QAAQ,EAAE,cAAc,OAAO,KAAK,MAAM,CAAC;AAAA,IACzD,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,MAAM,MAAmD;AACrE,UAAM,MAAM,MAAM,KAAK,SAAS,oBAAoB,IAAI;AACxD,QAAI,SAAkC,CAAC;AACvC,QAAI;AACF,eAAU,MAAM,IAAI,KAAK;AAAA,IAC3B,QAAQ;AACN,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,IAAI;AAAA,MACN;AAAA,IACF;AACA,UAAM,cAAc,OAAO,OAAO,iBAAiB,WAAW,OAAO,eAAe;AACpF,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,IAAI;AAAA,MACN;AAAA,IACF;AACA,UAAM,YAAY,OAAO,OAAO,eAAe,WAAW,OAAO,aAAa;AAC9E,WAAO;AAAA,MACL;AAAA,MACA,cAAc,OAAO,OAAO,kBAAkB,WAAW,OAAO,gBAAgB;AAAA,MAChF,WAAW,OAAO,OAAO,eAAe,WAAW,OAAO,aAAa;AAAA,MACvE;AAAA,MACA,WAAW,KAAK,IAAI,IAAI,YAAY;AAAA,MACpC,OAAO,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ;AAAA,IAC3D;AAAA,EACF;AAAA,EAEA,MAAc,SAAS,MAAc,MAAiD;AACpF,UAAM,MAAM,GAAG,KAAK,OAAO,GAAG,IAAI;AAClC,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC,GAAG;AAAA,MACH,WAAW,KAAK;AAAA,MAChB,eAAe,KAAK;AAAA,IACtB,CAAC;AACD,UAAM,OAAO,IAAI,gBAAgB;AACjC,UAAM,IAAI,WAAW,MAAM,KAAK,MAAM,GAAG,KAAK,SAAS;AACvD,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,KAAK,UAAU,KAAK;AAAA,QAC9B,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,QAAQ;AAAA,QACV;AAAA,QACA,MAAM,OAAO,SAAS;AAAA,QACtB,QAAQ,KAAK;AAAA,MACf,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,KAAK,OAAO,SAAS;AACvB,cAAM,IAAI,mBAAmB,iCAAiC,KAAK,SAAS,IAAI;AAAA,MAClF;AACA,YAAM,IAAI,mBAAmB,wBAAyB,IAAc,OAAO,IAAI;AAAA,QAC7E,OAAO;AAAA,MACT,CAAC;AAAA,IACH,UAAE;AACA,mBAAa,CAAC;AAAA,IAChB;AACA,QAAI,CAAC,IAAI,IAAI;AACX,UAAI,UAA4D,CAAC;AACjE,UAAI;AACF,kBAAW,MAAM,IAAI,KAAK;AAAA,MAC5B,QAAQ;AAAA,MAER;AACA,YAAM,aAAa,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ,QAAQ,IAAI,MAAM;AACzF,YAAM,OACJ,OAAO,QAAQ,sBAAsB,WAAW,QAAQ,oBAAoB;AAC9E,YAAM,IAAI,iBAAiB,YAAY,MAAM,IAAI,MAAM;AAAA,IACzD;AACA,WAAO;AAAA,EACT;AACF;AAoBA,SAAS,gBACP,OACA,QACA,MACa;AACb,SAAO,OAAO,SAA6B,cAA+B;AACxE,QAAI,WAAW,kBAAkB,MAAM,SAAS,CAAC,WAAW,MAAM,OAAO,MAAM,GAAG;AAChF,aAAO,MAAM,MAAM;AAAA,IACrB;AACA,QAAI,MAAM,UAAU;AAClB,YAAM,IAAI,MAAM,MAAM;AACtB,UAAI,WAAW,kBAAkB,MAAM,MAAM,OAAO;AAAA,MAIpD,OAAO;AACL,eAAO,EAAE;AAAA,MACX;AAAA,IACF;AACA,UAAM,WAAW,KAAK,EAAE;AAAA,MACtB,CAAC,MAAM;AACL,cAAM,QAAQ;AACd,eAAO;AAAA,MACT;AAAA,MACA,CAAC,QAAiB;AAChB,cAAM;AAAA,MACR;AAAA,IACF;AACA,QAAI;AACF,YAAM,IAAI,MAAM,MAAM;AACtB,aAAO,EAAE;AAAA,IACX,UAAE;AACA,YAAM,WAAW;AAAA,IACnB;AAAA,EACF;AACF;AAEA,SAAS,WAAW,OAAmB,QAAyB;AAC9D,SAAO,MAAM,YAAY,KAAK,IAAI,KAAK;AACzC;AAEA,SAAS,eAAe,OAAmE;AACzF,MAAI,UAAU,OAAW,QAAO;AAChC,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,UAAU,MAAM,KAAK;AAC3B,WAAO,QAAQ,SAAS,IAAI,UAAU;AAAA,EACxC;AACA,QAAM,SAAS,MAAM,OAAO,CAAC,MAAM,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,EAAE,KAAK,GAAG;AAClF,SAAO,OAAO,SAAS,IAAI,SAAS;AACtC;;;ACpZO,IAAM,cAAc;","names":[]}