@openape/apes 0.11.1 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/dist/{auth-lock-O7BTENTJ.js → auth-lock-NYI376IM.js} +2 -2
  2. package/dist/{chunk-6JSOSD7R.js → chunk-6GPSKAMU.js} +29 -2
  3. package/dist/chunk-6GPSKAMU.js.map +1 -0
  4. package/dist/{chunk-U4CI2RBO.js → chunk-O7GSG3OE.js} +131 -12
  5. package/dist/chunk-O7GSG3OE.js.map +1 -0
  6. package/dist/{chunk-M2NBHR2E.js → chunk-OFIVF6NH.js} +7 -3
  7. package/dist/{chunk-M2NBHR2E.js.map → chunk-OFIVF6NH.js.map} +1 -1
  8. package/dist/cli.js +52 -21
  9. package/dist/cli.js.map +1 -1
  10. package/dist/index.d.ts +34 -1
  11. package/dist/index.js +2 -2
  12. package/dist/{orchestrator-OF2YGFMR.js → orchestrator-EHFFTEL5.js} +4 -4
  13. package/dist/{server-TGIP55VI.js → server-UXLNYVMG.js} +4 -4
  14. package/package.json +3 -3
  15. package/dist/chunk-6JSOSD7R.js.map +0 -1
  16. package/dist/chunk-U4CI2RBO.js.map +0 -1
  17. /package/dist/{auth-lock-O7BTENTJ.js.map → auth-lock-NYI376IM.js.map} +0 -0
  18. /package/dist/{orchestrator-OF2YGFMR.js.map → orchestrator-EHFFTEL5.js.map} +0 -0
  19. /package/dist/{server-TGIP55VI.js.map → server-UXLNYVMG.js.map} +0 -0
package/dist/{auth-lock-O7BTENTJ.js → auth-lock-NYI376IM.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  #!/usr/bin/env node
2
2
  import {
3
3
  CONFIG_DIR
4
- } from "./chunk-6JSOSD7R.js";
4
+ } from "./chunk-6GPSKAMU.js";
5
5
 
6
6
  // src/auth-lock.ts
7
7
  import { open, rm, stat } from "fs/promises";
@@ -38,4 +38,4 @@ export {
38
38
  acquireAuthLock,
39
39
  releaseAuthLock
40
40
  };
41
- //# sourceMappingURL=auth-lock-O7BTENTJ.js.map
41
+ //# sourceMappingURL=auth-lock-NYI376IM.js.map
package/dist/{chunk-6JSOSD7R.js → chunk-6GPSKAMU.js} RENAMED
@@ -58,7 +58,9 @@ function parseTOML(content) {
58
58
  section = sectionMatch[1];
59
59
  continue;
60
60
  }
61
- const kvMatch = trimmed.match(/^(\w+)\s*=\s*"(.+)"$/);
61
+ const kvQuoted = trimmed.match(/^(\w+)\s*=\s*"(.*)"$/);
62
+ const kvBare = trimmed.match(/^(\w+)\s*=\s*([^"\s]\S*)$/);
63
+ const kvMatch = kvQuoted ?? kvBare;
62
64
  if (kvMatch) {
63
65
  const [, key, value] = kvMatch;
64
66
  if (section === "defaults") {
@@ -70,6 +72,9 @@ function parseTOML(content) {
70
72
  } else if (section === "notifications") {
71
73
  config.notifications = config.notifications || {};
72
74
  config.notifications[key] = value;
75
+ } else if (section === "generic") {
76
+ config.generic = config.generic || {};
77
+ config.generic[key] = value;
73
78
  }
74
79
  }
75
80
  }
@@ -102,8 +107,28 @@ function saveConfig(config) {
102
107
  }
103
108
  lines.push("");
104
109
  }
110
+ if (config.generic) {
111
+ lines.push("[generic]");
112
+ for (const [key, value] of Object.entries(config.generic)) {
113
+ if (value)
114
+ lines.push(`${key} = "${value}"`);
115
+ }
116
+ lines.push("");
117
+ }
105
118
  writeFileSync(CONFIG_FILE, lines.join("\n"), { mode: 384 });
106
119
  }
120
+ function isGenericFallbackEnabled(config) {
121
+ const cfg = config ?? loadConfig();
122
+ const raw = cfg.generic?.enabled;
123
+ if (raw === void 0) return true;
124
+ return raw !== "false";
125
+ }
126
+ function getGenericAuditLogPath(config) {
127
+ const cfg = config ?? loadConfig();
128
+ const raw = cfg.generic?.audit_log;
129
+ const path = raw && raw.length > 0 ? raw : join(homedir(), ".config", "apes", "generic-calls.log");
130
+ return path.startsWith("~/") ? join(homedir(), path.slice(2)) : path;
131
+ }
107
132
  function getIdpUrl(explicit) {
108
133
  if (explicit)
109
134
  return explicit;
@@ -138,8 +163,10 @@ export {
138
163
  clearAuth,
139
164
  loadConfig,
140
165
  saveConfig,
166
+ isGenericFallbackEnabled,
167
+ getGenericAuditLogPath,
141
168
  getIdpUrl,
142
169
  getAuthToken,
143
170
  getRequesterIdentity
144
171
  };
145
- //# sourceMappingURL=chunk-6JSOSD7R.js.map
172
+ //# sourceMappingURL=chunk-6GPSKAMU.js.map
package/dist/chunk-6GPSKAMU.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/config.ts"],"sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\nexport interface AuthData {\n idp: string\n access_token: string\n refresh_token?: string\n email: string\n expires_at: number\n}\n\nexport interface ApesConfig {\n defaults?: {\n idp?: string\n approval?: string\n /**\n * Audience for the `apes run` async info block. `agent` (default)\n * emits verbose agent-facing instructions with a polling protocol;\n * `human` emits a short friendly block. Env var `APES_USER` wins.\n */\n user?: 'agent' | 'human'\n /**\n * Poll interval (seconds) embedded in the agent-mode instructions.\n * Default 10. Env var `APES_GRANT_POLL_INTERVAL` wins. Stored as a\n * string in TOML because the hand-rolled parser only handles quoted\n * values — casting to number happens at read time.\n */\n grant_poll_interval_seconds?: string\n /**\n * Maximum poll duration (minutes) embedded in the agent-mode\n * instructions. Default 5. Env var `APES_GRANT_POLL_MAX_MINUTES` wins.\n */\n grant_poll_max_minutes?: string\n /**\n * Exit code emitted by `apes run` / `ape-shell -c` when the async\n * default path creates a pending grant. Default `75` (`EX_TEMPFAIL`\n * from sysexits.h — \"temporary failure, retry later\"). Set to `0`\n * to restore the pre-0.10.0 exit-0 behaviour. Env var\n * `APES_ASYNC_EXIT_CODE` wins. Valid range 0–255.\n */\n async_exit_code?: string\n }\n agent?: {\n key?: string\n email?: string\n }\n notifications?: {\n pending_command?: string\n }\n /**\n * Generic-fallback mode: when `apes run -- <cli>` is called with a CLI\n * that has no registered shape, fall through to a synthetic adapter that\n * requests a single-use, forced-high-risk grant for the exact argv.\n * See `shapes/generic.ts`.\n */\n generic?: {\n /**\n * Master switch. Default `true` (permissive). Set to `false` to restore\n * the legacy \"No adapter found\" hard-fail. Stored as string in TOML\n * (hand-parser limitation) and parsed as `value !== 'false'` at read time.\n */\n enabled?: string\n /** Override the audit-log location. Default `~/.config/apes/generic-calls.log`. Tilde-expanded at read time. */\n audit_log?: string\n }\n}\n\nconst CONFIG_DIR = join(homedir(), '.config', 'apes')\nconst AUTH_FILE = join(CONFIG_DIR, 'auth.json')\nconst CONFIG_FILE = join(CONFIG_DIR, 'config.toml')\n\nfunction ensureDir() {\n if (!existsSync(CONFIG_DIR)) {\n mkdirSync(CONFIG_DIR, { recursive: true })\n }\n}\n\nexport function loadAuth(): AuthData | null {\n if (!existsSync(AUTH_FILE))\n return null\n try {\n return JSON.parse(readFileSync(AUTH_FILE, 'utf-8'))\n }\n catch {\n return null\n }\n}\n\nexport function saveAuth(data: AuthData): void {\n ensureDir()\n writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 })\n}\n\nexport function clearAuth(): void {\n if (existsSync(AUTH_FILE)) {\n writeFileSync(AUTH_FILE, '', { mode: 0o600 })\n }\n // Also wipe the [agent] section from config.toml so logout disables\n // auto-refresh. Preserves [defaults] so the IdP URL stays configured.\n if (existsSync(CONFIG_FILE)) {\n const existing = loadConfig()\n if (existing.agent) {\n const { agent: _removed, ...rest } = existing\n saveConfig(rest)\n }\n }\n}\n\nexport function loadConfig(): ApesConfig {\n if (!existsSync(CONFIG_FILE))\n return {}\n try {\n return parseTOML(readFileSync(CONFIG_FILE, 'utf-8'))\n }\n catch {\n return {}\n }\n}\n\nfunction parseTOML(content: string): ApesConfig {\n const config: ApesConfig = {}\n let section = ''\n\n for (const line of content.split('\\n')) {\n const trimmed = line.trim()\n if (!trimmed || trimmed.startsWith('#'))\n continue\n\n const sectionMatch = trimmed.match(/^\\[(.+)\\]$/)\n if (sectionMatch) {\n section = sectionMatch[1]!\n continue\n }\n\n // Accept quoted strings and bare booleans/tokens — the generic section\n // uses `enabled = false` (no quotes) which the quoted-only match would\n // silently drop.\n const kvQuoted = trimmed.match(/^(\\w+)\\s*=\\s*\"(.*)\"$/)\n const kvBare = trimmed.match(/^(\\w+)\\s*=\\s*([^\"\\s]\\S*)$/)\n const kvMatch = kvQuoted ?? kvBare\n if (kvMatch) {\n const [, key, value] = kvMatch\n if (section === 'defaults') {\n config.defaults = config.defaults || {}\n ;(config.defaults as Record<string, string>)[key!] = value!\n }\n else if (section === 'agent') {\n config.agent = config.agent || {}\n ;(config.agent as Record<string, string>)[key!] = value!\n }\n else if (section === 'notifications') {\n config.notifications = config.notifications || {}\n ;(config.notifications as Record<string, string>)[key!] = value!\n }\n else if (section === 'generic') {\n config.generic = config.generic || {}\n ;(config.generic as Record<string, string>)[key!] = value!\n }\n }\n }\n\n return config\n}\n\nexport function saveConfig(config: ApesConfig): void {\n ensureDir()\n const lines: string[] = []\n\n if (config.defaults) {\n lines.push('[defaults]')\n for (const [key, value] of Object.entries(config.defaults)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n if (config.agent) {\n lines.push('[agent]')\n for (const [key, value] of Object.entries(config.agent)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n if (config.notifications) {\n lines.push('[notifications]')\n for (const [key, value] of Object.entries(config.notifications)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n if (config.generic) {\n lines.push('[generic]')\n for (const [key, value] of Object.entries(config.generic)) {\n if (value)\n lines.push(`${key} = \"${value}\"`)\n }\n lines.push('')\n }\n\n writeFileSync(CONFIG_FILE, lines.join('\\n'), { mode: 0o600 })\n}\n\n/**\n * Is generic-fallback enabled? Permissive default: `true` unless the user\n * explicitly sets `[generic] enabled = false`.\n */\nexport function isGenericFallbackEnabled(config?: ApesConfig): boolean {\n const cfg = config ?? loadConfig()\n const raw = cfg.generic?.enabled\n if (raw === undefined) return true\n return raw !== 'false'\n}\n\n/**\n * Resolve the audit-log path for generic calls, expanding `~` to `$HOME`.\n */\nexport function getGenericAuditLogPath(config?: ApesConfig): string {\n const cfg = config ?? loadConfig()\n const raw = cfg.generic?.audit_log\n const path = raw && raw.length > 0\n ? raw\n : join(homedir(), '.config', 'apes', 'generic-calls.log')\n return path.startsWith('~/')\n ? join(homedir(), path.slice(2))\n : path\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n if (explicit)\n return explicit\n if (process.env.APES_IDP)\n return process.env.APES_IDP\n\n const auth = loadAuth()\n if (auth?.idp)\n return auth.idp\n\n const config = loadConfig()\n if (config.defaults?.idp)\n return config.defaults.idp\n\n return null\n}\n\nexport function getAuthToken(): string | null {\n const auth = loadAuth()\n if (!auth)\n return null\n\n // Check expiry (with 30s buffer)\n if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30) {\n return null // expired\n }\n\n return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n return loadAuth()?.email ?? null\n}\n\nexport { CONFIG_DIR, AUTH_FILE }\n"],"mappings":";;;AAAA,SAAS,YAAY,WAAW,cAAc,qBAAqB;AACnE,SAAS,eAAe;AACxB,SAAS,YAAY;AAkErB,IAAM,aAAa,KAAK,QAAQ,GAAG,WAAW,MAAM;AACpD,IAAM,YAAY,KAAK,YAAY,WAAW;AAC9C,IAAM,cAAc,KAAK,YAAY,aAAa;AAElD,SAAS,YAAY;AACnB,MAAI,CAAC,WAAW,UAAU,GAAG;AAC3B,cAAU,YAAY,EAAE,WAAW,KAAK,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,WAA4B;AAC1C,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAAS,SAAS,MAAsB;AAC7C,YAAU;AACV,gBAAc,WAAW,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AACzE;AAEO,SAAS,YAAkB;AAChC,MAAI,WAAW,SAAS,GAAG;AACzB,kBAAc,WAAW,IAAI,EAAE,MAAM,IAAM,CAAC;AAAA,EAC9C;AAGA,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,WAAW,WAAW;AAC5B,QAAI,SAAS,OAAO;AAClB,YAAM,EAAE,OAAO,UAAU,GAAG,KAAK,IAAI;AACrC,iBAAW,IAAI;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,aAAyB;AACvC,MAAI,CAAC,WAAW,WAAW;AACzB,WAAO,CAAC;AACV,MAAI;AACF,WAAO,UAAU,aAAa,aAAa,OAAO,CAAC;AAAA,EACrD,QACM;AACJ,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,UAAU,SAA6B;AAC9C,QAAM,SAAqB,CAAC;AAC5B,MAAI,UAAU;AAEd,aAAW,QAAQ,QAAQ,MAAM,IAAI,GAAG;AACtC,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG;AACpC;AAEF,UAAM,eAAe,QAAQ,MAAM,YAAY;AAC/C,QAAI,cAAc;AAChB,gBAAU,aAAa,CAAC;AACxB;AAAA,IACF;AAKA,UAAM,WAAW,QAAQ,MAAM,sBAAsB;AACrD,UAAM,SAAS,QAAQ,MAAM,2BAA2B;AACxD,UAAM,UAAU,YAAY;AAC5B,QAAI,SAAS;AACX,YAAM,CAAC,EAAE,KAAK,KAAK,IAAI;AACvB,UAAI,YAAY,YAAY;AAC1B,eAAO,WAAW,OAAO,YAAY,CAAC;AACrC,QAAC,OAAO,SAAoC,GAAI,IAAI;AAAA,MACvD,WACS,YAAY,SAAS;AAC5B,eAAO,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAC,OAAO,MAAiC,GAAI,IAAI;AAAA,MACpD,WACS,YAAY,iBAAiB;AACpC,eAAO,gBAAgB,OAAO,iBAAiB,CAAC;AAC/C,QAAC,OAAO,cAAyC,GAAI,IAAI;AAAA,MAC5D,WACS,YAAY,WAAW;AAC9B,eAAO,UAAU,OAAO,WAAW,CAAC;AACnC,QAAC,OAAO,QAAmC,GAAI,IAAI;AAAA,MACtD;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,WAAW,QAA0B;AACnD,YAAU;AACV,QAAM,QAAkB,CAAC;AAEzB,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,YAAY;AACvB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,QAAQ,GAAG;AAC1D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,OAAO;AAChB,UAAM,KAAK,SAAS;AACpB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,KAAK,GAAG;AACvD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,eAAe;AACxB,UAAM,KAAK,iBAAiB;AAC5B,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,aAAa,GAAG;AAC/D,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,MAAI,OAAO,SAAS;AAClB,UAAM,KAAK,WAAW;AACtB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,UAAI;AACF,cAAM,KAAK,GAAG,GAAG,OAAO,KAAK,GAAG;AAAA,IACpC;AACA,UAAM,KAAK,EAAE;AAAA,EACf;AAEA,gBAAc,aAAa,MAAM,KAAK,IAAI,GAAG,EAAE,MAAM,IAAM,CAAC;AAC9D;AAMO,SAAS,yBAAyB,QAA8B;AACrE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,QAAQ,OAAW,QAAO;AAC9B,SAAO,QAAQ;AACjB;AAKO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,MAAM,UAAU,WAAW;AACjC,QAAM,MAAM,IAAI,SAAS;AACzB,QAAM,OAAO,OAAO,IAAI,SAAS,IAC7B,MACA,KAAK,QAAQ,GAAG,WAAW,QAAQ,mBAAmB;AAC1D,SAAO,KAAK,WAAW,IAAI,IACvB,KAAK,QAAQ,GAAG,KAAK,MAAM,CAAC,CAAC,IAC7B;AACN;AAEO,SAAS,UAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AAErB,QAAM,OAAO,SAAS;AACtB,MAAI,MAAM;AACR,WAAO,KAAK;AAEd,QAAM,SAAS,WAAW;AAC1B,MAAI,OAAO,UAAU;AACnB,WAAO,OAAO,SAAS;AAEzB,SAAO;AACT;AAEO,SAAS,eAA8B;AAC5C,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAGT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa,IAAI;AAC/D,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAO,SAAS,GAAG,SAAS;AAC9B;","names":[]}
package/dist/{chunk-U4CI2RBO.js → chunk-O7GSG3OE.js} RENAMED
@@ -1,11 +1,12 @@
1
1
  #!/usr/bin/env node
2
2
  import {
3
3
  getAuthToken,
4
+ getGenericAuditLogPath,
4
5
  getIdpUrl,
5
6
  loadAuth,
6
7
  loadConfig,
7
8
  saveAuth
8
- } from "./chunk-6JSOSD7R.js";
9
+ } from "./chunk-6GPSKAMU.js";
9
10
 
10
11
  // src/http.ts
11
12
  import consola from "consola";
@@ -62,9 +63,9 @@ async function refreshAgentToken() {
62
63
  try {
63
64
  const { readFileSync: readFileSync5 } = await import("fs");
64
65
  const { sign } = await import("crypto");
65
- const { homedir: homedir6 } = await import("os");
66
+ const { homedir: homedir7 } = await import("os");
66
67
  const { loadEd25519PrivateKey } = await import("./ssh-key-YBNNG5K5.js");
67
- const resolved = keyPath.replace(/^~/, homedir6());
68
+ const resolved = keyPath.replace(/^~/, homedir7());
68
69
  const keyContent = readFileSync5(resolved, "utf-8");
69
70
  const privateKey = loadEd25519PrivateKey(keyContent);
70
71
  const challengeUrl = await getAgentChallengeEndpoint(auth.idp);
@@ -104,7 +105,7 @@ async function refreshOAuthToken() {
104
105
  const auth = loadAuth();
105
106
  if (!auth?.refresh_token)
106
107
  return null;
107
- const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-O7BTENTJ.js");
108
+ const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-NYI376IM.js");
108
109
  const lock = await acquireAuthLock({ timeoutMs: 5e3 });
109
110
  if (!lock) {
110
111
  return getAuthToken();
@@ -322,6 +323,75 @@ function parseAdapterToml(content) {
322
323
  };
323
324
  }
324
325
 
326
+ // src/shapes/generic.ts
327
+ import { canonicalizeCliPermission, computeArgvHash } from "@openape/grants";
328
+ var GENERIC_OPERATION_ID = "_generic.exec";
329
+ var SYNTHETIC_SCHEMA = "openape-shapes/v1";
330
+ function buildGenericAdapter(cliId) {
331
+ const adapter = {
332
+ schema: SYNTHETIC_SCHEMA,
333
+ cli: {
334
+ id: cliId,
335
+ executable: cliId,
336
+ audience: "shapes",
337
+ version: "synthetic"
338
+ },
339
+ operations: []
340
+ };
341
+ return {
342
+ adapter,
343
+ source: "<synthetic>",
344
+ digest: "synthetic",
345
+ synthetic: true
346
+ };
347
+ }
348
+ async function buildGenericResolved(cliId, fullArgv) {
349
+ if (fullArgv.length === 0)
350
+ throw new Error("buildGenericResolved: fullArgv must include the executable");
351
+ const executable = fullArgv[0];
352
+ const commandArgv = fullArgv.slice(1);
353
+ const argvHash = await computeArgvHash(fullArgv);
354
+ const display = `Execute (unshaped): \`${cliId} ${commandArgv.join(" ")}\``;
355
+ const detail = {
356
+ type: "openape_cli",
357
+ cli_id: cliId,
358
+ operation_id: GENERIC_OPERATION_ID,
359
+ resource_chain: [
360
+ { resource: "cli", selector: { name: cliId } },
361
+ { resource: "argv", selector: { hash: argvHash } }
362
+ ],
363
+ action: "exec",
364
+ permission: "",
365
+ display,
366
+ risk: "high",
367
+ constraints: { exact_command: true }
368
+ };
369
+ detail.permission = canonicalizeCliPermission(detail);
370
+ const adapter = buildGenericAdapter(cliId);
371
+ return {
372
+ adapter: adapter.adapter,
373
+ source: adapter.source,
374
+ digest: adapter.digest,
375
+ executable,
376
+ commandArgv,
377
+ bindings: {},
378
+ detail,
379
+ executionContext: {
380
+ argv: fullArgv,
381
+ argv_hash: argvHash,
382
+ adapter_id: cliId,
383
+ adapter_version: SYNTHETIC_SCHEMA,
384
+ adapter_digest: adapter.digest,
385
+ resolved_executable: executable,
386
+ context_bindings: {}
387
+ },
388
+ permission: detail.permission
389
+ };
390
+ }
391
+ function isGenericResolved(resolved) {
392
+ return resolved.detail.operation_id === GENERIC_OPERATION_ID;
393
+ }
394
+
325
395
  // src/shapes/adapters.ts
326
396
  function digest(content) {
327
397
  return `SHA-256:${createHash("sha256").update(content).digest("hex")}`;
@@ -381,6 +451,11 @@ function loadAdapter(cliId, explicitPath) {
381
451
  digest: digest(content)
382
452
  };
383
453
  }
454
+ async function resolveGenericOrReject(cliId, fullArgv, opts) {
455
+ if (!opts.genericEnabled)
456
+ throw new Error(`No adapter found for ${cliId}`);
457
+ return await buildGenericResolved(cliId, fullArgv);
458
+ }
384
459
  function tryLoadAdapter(cliId, explicitPath) {
385
460
  try {
386
461
  return loadAdapter(cliId, explicitPath);
@@ -606,7 +681,7 @@ async function loadOrInstallAdapter(cliId) {
606
681
  }
607
682
 
608
683
  // src/shapes/capabilities.ts
609
- import { canonicalizeCliPermission } from "@openape/grants";
684
+ import { canonicalizeCliPermission as canonicalizeCliPermission2 } from "@openape/grants";
610
685
  function parseOperationChainEntry(entry) {
611
686
  const [resource, selectorSpec = "*"] = entry.split(":", 2);
612
687
  if (!resource) {
@@ -714,7 +789,7 @@ function resolveCapabilityRequest(loaded, params) {
714
789
  risk,
715
790
  ...exact_command ? { constraints: { exact_command: true } } : {}
716
791
  };
717
- detail.permission = canonicalizeCliPermission(detail);
792
+ detail.permission = canonicalizeCliPermission2(detail);
718
793
  detail.display = summarizeDetail(detail);
719
794
  return detail;
720
795
  });
@@ -741,7 +816,7 @@ function resolveCapabilityRequest(loaded, params) {
741
816
  }
742
817
 
743
818
  // src/shapes/parser.ts
744
- import { canonicalizeCliPermission as canonicalizeCliPermission2, computeArgvHash } from "@openape/grants";
819
+ import { canonicalizeCliPermission as canonicalizeCliPermission3, computeArgvHash as computeArgvHash2 } from "@openape/grants";
745
820
  function parseOptionArgs(tokens, valueOptions) {
746
821
  const options = {};
747
822
  const positionals = [];
@@ -902,7 +977,7 @@ async function resolveCommand(loaded, fullArgv) {
902
977
  risk: operation.risk,
903
978
  ...operation.exact_command ? { constraints: { exact_command: true } } : {}
904
979
  };
905
- detail.permission = canonicalizeCliPermission2(detail);
980
+ detail.permission = canonicalizeCliPermission3(detail);
906
981
  return {
907
982
  adapter: loaded.adapter,
908
983
  source: loaded.source,
@@ -913,7 +988,7 @@ async function resolveCommand(loaded, fullArgv) {
913
988
  detail,
914
989
  executionContext: {
915
990
  argv: fullArgv,
916
- argv_hash: await computeArgvHash(fullArgv),
991
+ argv_hash: await computeArgvHash2(fullArgv),
917
992
  adapter_id: loaded.adapter.cli.id,
918
993
  adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,
919
994
  adapter_digest: loaded.digest,
@@ -1051,6 +1126,20 @@ async function apiFetch2(path, options = {}) {
1051
1126
  return response.json();
1052
1127
  }
1053
1128
 
1129
+ // src/audit/generic-log.ts
1130
+ import { mkdir, appendFile } from "fs/promises";
1131
+ import { homedir as homedir6 } from "os";
1132
+ import { dirname as dirname2, join as join6 } from "path";
1133
+ function defaultGenericLogPath() {
1134
+ return join6(homedir6(), ".config", "apes", "generic-calls.log");
1135
+ }
1136
+ async function appendGenericCallLog(entry, logPath) {
1137
+ const path = logPath ?? defaultGenericLogPath();
1138
+ await mkdir(dirname2(path), { recursive: true });
1139
+ await appendFile(path, `${JSON.stringify(entry)}
1140
+ `, "utf-8");
1141
+ }
1142
+
1054
1143
  // src/shapes/grants.ts
1055
1144
  function decodePayload(token) {
1056
1145
  const [, payload] = token.split(".");
@@ -1177,9 +1266,36 @@ function executeResolvedViaExec(resolved) {
1177
1266
  consola3.info(`Executing ${(resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv]).join(" ")}`);
1178
1267
  execFileSync(resolved.executable, resolved.commandArgv, { stdio: "inherit" });
1179
1268
  }
1180
- async function verifyAndExecute(token, resolved) {
1269
+ async function verifyAndExecute(token, resolved, grantId) {
1181
1270
  await verifyAndConsume(token, resolved);
1182
- executeResolvedViaExec(resolved);
1271
+ const isGeneric = isGenericResolved(resolved);
1272
+ const start = Date.now();
1273
+ let exitCode = 0;
1274
+ try {
1275
+ executeResolvedViaExec(resolved);
1276
+ } catch (err) {
1277
+ exitCode = err?.status ?? 1;
1278
+ throw err;
1279
+ } finally {
1280
+ if (isGeneric && grantId) {
1281
+ try {
1282
+ await appendGenericCallLog(
1283
+ {
1284
+ ts: (/* @__PURE__ */ new Date()).toISOString(),
1285
+ cli: resolved.detail.cli_id,
1286
+ argv: resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv],
1287
+ argv_hash: resolved.executionContext.argv_hash ?? "",
1288
+ grant_id: grantId,
1289
+ exit_code: exitCode,
1290
+ duration_ms: Date.now() - start
1291
+ },
1292
+ getGenericAuditLogPath()
1293
+ );
1294
+ } catch (logErr) {
1295
+ consola3.debug("Failed to append generic-call audit entry:", logErr);
1296
+ }
1297
+ }
1298
+ }
1183
1299
  }
1184
1300
  async function resolveFromGrant(grant) {
1185
1301
  const argv = grant.request?.command;
@@ -1273,8 +1389,11 @@ export {
1273
1389
  getAgentAuthenticateEndpoint,
1274
1390
  getDelegationsEndpoint,
1275
1391
  apiFetch,
1392
+ GENERIC_OPERATION_ID,
1393
+ buildGenericResolved,
1276
1394
  resolveAdapterPath,
1277
1395
  loadAdapter,
1396
+ resolveGenericOrReject,
1278
1397
  tryLoadAdapter,
1279
1398
  appendAuditLog,
1280
1399
  installAdapter,
@@ -1302,4 +1421,4 @@ export {
1302
1421
  buildExactCommandGrantRequest,
1303
1422
  buildStructuredCliGrantRequest
1304
1423
  };
1305
- //# sourceMappingURL=chunk-U4CI2RBO.js.map
1424
+ //# sourceMappingURL=chunk-O7GSG3OE.js.map
package/dist/chunk-O7GSG3OE.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/http.ts","../src/shapes/adapters.ts","../src/shapes/toml.ts","../src/shapes/generic.ts","../src/shapes/audit.ts","../src/shapes/installer.ts","../src/shapes/registry.ts","../src/shapes/shell-parser.ts","../src/shapes/capabilities.ts","../src/shapes/parser.ts","../src/shapes/commands/explain.ts","../src/shapes/grants.ts","../src/shapes/config.ts","../src/shapes/http.ts","../src/audit/generic-log.ts","../src/shapes/request-builders.ts"],"sourcesContent":["import consola from 'consola'\nimport { getAuthToken, getIdpUrl, loadAuth, loadConfig, saveAuth } from './config'\n\nconst debug = process.argv.includes('--debug')\n\nexport class ApiError extends Error {\n constructor(public statusCode: number, message: string, public problemDetails?: Record<string, unknown>) {\n super(message)\n this.name = 'ApiError'\n }\n}\n\n// OIDC Discovery cache (one-time per CLI invocation)\nconst _discoveryCache: Record<string, Record<string, unknown>> = {}\n\nexport async function discoverEndpoints(idpUrl: string): Promise<Record<string, unknown>> {\n if (_discoveryCache[idpUrl]) {\n return _discoveryCache[idpUrl]\n }\n\n try {\n const response = await fetch(`${idpUrl}/.well-known/openid-configuration`)\n if (response.ok) {\n const data = await response.json() as Record<string, unknown>\n _discoveryCache[idpUrl] = data\n return data\n }\n }\n catch {}\n\n // Return empty if discovery fails (graceful degradation)\n _discoveryCache[idpUrl] = {}\n return {}\n}\n\nexport async function getGrantsEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.openape_grants_endpoint as string) || `${idpUrl}/api/grants`\n}\n\nexport async function getAgentChallengeEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.ddisa_agent_challenge_endpoint as string) || `${idpUrl}/api/agent/challenge`\n}\n\nexport async function getAgentAuthenticateEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.ddisa_agent_authenticate_endpoint as string) || `${idpUrl}/api/agent/authenticate`\n}\n\nexport async function getDelegationsEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.openape_delegations_endpoint as string) || `${idpUrl}/api/delegations`\n}\n\n/**\n * Re-authenticate an agent using Ed25519 challenge-response.\n * Called automatically when the token is expired.\n */\nasync function refreshAgentToken(): Promise<string | null> {\n const auth = loadAuth()\n if (!auth)\n return null\n\n const config = loadConfig()\n const keyPath = config.agent?.key\n if (!keyPath)\n return null\n\n try {\n const { readFileSync } = await import('node:fs')\n const { sign } = await import('node:crypto')\n const { homedir } = await import('node:os')\n const { loadEd25519PrivateKey } = await import('./ssh-key.js')\n\n const resolved = keyPath.replace(/^~/, homedir())\n const keyContent = readFileSync(resolved, 'utf-8')\n const privateKey = loadEd25519PrivateKey(keyContent)\n\n const challengeUrl = await getAgentChallengeEndpoint(auth.idp)\n const challengeResp = await fetch(challengeUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ agent_id: auth.email }),\n })\n\n if (!challengeResp.ok)\n return null\n\n const { challenge } = await challengeResp.json() as { challenge: string }\n const { Buffer } = await import('node:buffer')\n const signature = sign(null, Buffer.from(challenge), privateKey).toString('base64')\n\n const authenticateUrl = await getAgentAuthenticateEndpoint(auth.idp)\n const authResp = await fetch(authenticateUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ agent_id: auth.email, challenge, signature }),\n })\n\n if (!authResp.ok)\n return null\n\n const { token, expires_in } = await authResp.json() as { token: string, expires_in: number }\n\n saveAuth({\n ...auth,\n access_token: token,\n expires_at: Math.floor(Date.now() / 1000) + (expires_in || 3600),\n })\n\n if (debug) {\n consola.debug('Token refreshed via Ed25519 challenge-response')\n }\n\n return token\n }\n catch {\n return null\n }\n}\n\n/**\n * Refresh an OAuth2 access token using a stored refresh_token. Used for\n * PKCE/browser login sessions where no Ed25519 agent key is configured.\n *\n * Serialized via a file lock so concurrent apes/ape-shell invocations don't\n * both consume the same rotating refresh token (which would revoke the\n * entire family server-side).\n */\nasync function refreshOAuthToken(): Promise<string | null> {\n const auth = loadAuth()\n if (!auth?.refresh_token)\n return null\n\n const { acquireAuthLock, releaseAuthLock } = await import('./auth-lock.js')\n const lock = await acquireAuthLock({ timeoutMs: 5000 })\n if (!lock) {\n // Another process is refreshing. It should have updated auth.json by now;\n // re-read and return whatever fresh token is there (may still be null).\n return getAuthToken()\n }\n\n try {\n // Re-read auth.json inside the lock — another holder may already have\n // refreshed while we were waiting, in which case we reuse the new token.\n const latest = loadAuth()\n if (latest?.expires_at && Date.now() / 1000 < latest.expires_at - 30)\n return latest.access_token\n\n const activeRefreshToken = latest?.refresh_token ?? auth.refresh_token\n if (!activeRefreshToken)\n return null\n\n const disco = await discoverEndpoints(auth.idp)\n const tokenEndpoint = (disco.token_endpoint as string) || `${auth.idp}/token`\n\n const body = new URLSearchParams({\n grant_type: 'refresh_token',\n refresh_token: activeRefreshToken,\n })\n\n const resp = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n })\n\n if (!resp.ok) {\n // Family may have been revoked server-side — clear refresh_token to\n // prevent an infinite retry loop on every subsequent apes invocation.\n if (resp.status === 400 || resp.status === 401) {\n const base = latest ?? auth\n saveAuth({ ...base, refresh_token: undefined })\n }\n return null\n }\n\n const tokens = await resp.json() as {\n access_token: string\n refresh_token?: string\n expires_in?: number\n }\n\n const base = latest ?? auth\n saveAuth({\n ...base,\n access_token: tokens.access_token,\n refresh_token: tokens.refresh_token ?? base.refresh_token,\n expires_at: Math.floor(Date.now() / 1000) + (tokens.expires_in || 300),\n })\n\n if (debug)\n consola.debug('Token refreshed via OAuth refresh_token')\n\n return tokens.access_token\n }\n finally {\n await releaseAuthLock(lock)\n }\n}\n\nexport async function apiFetch<T = unknown>(\n path: string,\n options: {\n method?: string\n body?: unknown\n idp?: string\n token?: string\n } = {},\n): Promise<T> {\n let token = options.token || getAuthToken()\n\n // Auto-refresh: priority (1) ed25519 agent key, (2) OAuth refresh_token.\n // Agent-key first because it is concurrency-safe — every challenge is\n // independent server-side, so parallel ape-shell spawns don't race.\n if (!token) {\n token = await refreshAgentToken()\n if (!token)\n token = await refreshOAuthToken()\n }\n\n if (!token) {\n throw new Error('Not authenticated (token expired). Run `apes login` first.')\n }\n\n let url: string\n if (path.startsWith('http')) {\n url = path\n }\n else {\n const idp = options.idp || getIdpUrl()\n if (!idp) {\n throw new Error('No IdP URL configured. Run `apes login` first or pass --idp.')\n }\n url = `${idp}${path}`\n }\n const method = options.method || 'GET'\n const headers: Record<string, string> = {\n 'Authorization': `Bearer ${token}`,\n 'Content-Type': 'application/json',\n }\n\n if (debug) {\n consola.debug(`${method} ${url}`)\n consola.debug(`Token: ${token.substring(0, 20)}...${token.substring(token.length - 10)}`)\n }\n\n const response = await fetch(url, {\n method,\n headers,\n body: options.body ? JSON.stringify(options.body) : undefined,\n })\n\n if (debug) {\n consola.debug(`Response: ${response.status} ${response.statusText}`)\n }\n\n if (!response.ok) {\n const contentType = response.headers.get('content-type') || ''\n\n // Parse RFC 7807 Problem Details\n if (contentType.includes('application/problem+json') || contentType.includes('application/json')) {\n try {\n const problem = await response.json() as Record<string, unknown>\n const message = (problem.detail as string) || (problem.title as string) || (problem.statusMessage as string) || (problem.message as string) || `${response.status} ${response.statusText}`\n throw new ApiError(response.status, message, problem)\n }\n catch (e) {\n if (e instanceof ApiError)\n throw e\n }\n }\n\n const text = await response.text()\n throw new ApiError(response.status, text || `${response.status} ${response.statusText}`)\n }\n\n return response.json() as Promise<T>\n}\n","import { createHash } from 'node:crypto'\nimport { existsSync, readdirSync, readFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { basename, join } from 'node:path'\nimport type { LoadedAdapter, ResolvedCommand } from './types.js'\nimport { parseAdapterToml } from './toml.js'\nimport { buildGenericResolved } from './generic.js'\n\nfunction digest(content: string): string {\n return `SHA-256:${createHash('sha256').update(content).digest('hex')}`\n}\n\nfunction adapterDirs(): string[] {\n return [\n join(process.cwd(), '.openape', 'shapes', 'adapters'),\n join(homedir(), '.openape', 'shapes', 'adapters'),\n join('/etc', 'openape', 'shapes', 'adapters'),\n ]\n}\n\nfunction findByExecutable(executable: string): string | undefined {\n for (const dir of adapterDirs()) {\n if (!existsSync(dir))\n continue\n try {\n const files = readdirSync(dir).filter(f => f.endsWith('.toml'))\n for (const file of files) {\n const path = join(dir, file)\n const content = readFileSync(path, 'utf-8')\n const match = content.match(/^\\s*executable\\s*=\\s*\"([^\"]+)\"/m)\n if (match && match[1] === executable)\n return path\n }\n }\n catch {\n // directory not readable\n }\n }\n return undefined\n}\n\nexport function resolveAdapterPath(cliId: string, explicitPath?: string): string {\n if (explicitPath) {\n if (existsSync(explicitPath))\n return explicitPath\n throw new Error(`Adapter file not found: ${explicitPath}`)\n }\n\n // Try direct lookup by ID\n const candidates = adapterDirs().map(dir => join(dir, `${cliId}.toml`))\n const match = candidates.find(path => existsSync(path))\n if (match)\n return match\n\n // Fallback: scan for adapter with matching executable name\n const byExec = findByExecutable(cliId)\n if (byExec)\n return byExec\n\n throw new Error(`No adapter found for ${cliId}`)\n}\n\nexport function loadAdapter(cliId: string, explicitPath?: string): LoadedAdapter {\n const source = resolveAdapterPath(cliId, explicitPath)\n const content = readFileSync(source, 'utf-8')\n const adapter = parseAdapterToml(content)\n\n // Accept if either the adapter ID or the executable matches the requested cliId\n const idMatch = adapter.cli.id === cliId\n const fileMatch = basename(source) === `${cliId}.toml`\n const execMatch = adapter.cli.executable === cliId\n if (!idMatch && !fileMatch && !execMatch)\n throw new Error(`Adapter ${source} does not match requested CLI ${cliId}`)\n\n return {\n adapter,\n source,\n digest: digest(content),\n }\n}\n\n/**\n * Called by `run.ts` when `loadAdapter(cliId)` has already failed with\n * \"No adapter found\". If generic-fallback mode is enabled in config,\n * return a synthetic `ResolvedCommand` that bypasses the parser. If\n * disabled, re-throw the original error (restoring legacy behaviour).\n *\n * @param cliId The CLI that had no registered shape\n * @param fullArgv Argv to execute (including the executable itself)\n * @param opts `genericEnabled: true` → return synthetic resolved;\n * `false` → throw `\"No adapter found for <cliId>\"`.\n */\nexport async function resolveGenericOrReject(\n cliId: string,\n fullArgv: string[],\n opts: { genericEnabled: boolean },\n): Promise<ResolvedCommand> {\n if (!opts.genericEnabled)\n throw new Error(`No adapter found for ${cliId}`)\n return await buildGenericResolved(cliId, fullArgv)\n}\n\n/** Try to load an adapter locally, return null instead of throwing when not found. */\nexport function tryLoadAdapter(cliId: string, explicitPath?: string): LoadedAdapter | null {\n try {\n return loadAdapter(cliId, explicitPath)\n }\n catch {\n return null\n }\n}\n","import type { ShapesAdapter, ShapesOperation } from './types.js'\n\ninterface AdapterTomlFile {\n schema?: string\n cli?: ShapesAdapter['cli']\n operation?: ShapesOperation[]\n}\n\nfunction parseKeyValue(line: string): { key: string, value: string } | null {\n const eqIndex = line.indexOf('=')\n if (eqIndex === -1)\n return null\n const key = line.slice(0, eqIndex).trim()\n const value = line.slice(eqIndex + 1).trim()\n if (!key || !value)\n return null\n return { key, value }\n}\n\nfunction parseTomlValue(raw: string): unknown {\n const trimmed = raw.trim()\n\n if (trimmed.startsWith('\"') && trimmed.endsWith('\"'))\n return trimmed.slice(1, -1)\n if (trimmed === 'true')\n return true\n if (trimmed === 'false')\n return false\n if (trimmed.startsWith('[') && trimmed.endsWith(']')) {\n const inner = trimmed.slice(1, -1).trim()\n if (!inner)\n return []\n return inner.split(',').map(value => value.trim().replace(/^\"|\"$/g, ''))\n }\n\n return trimmed\n}\n\nexport function parseAdapterToml(content: string): ShapesAdapter {\n const result: AdapterTomlFile = {}\n const operations: ShapesOperation[] = []\n let currentSection: 'root' | 'cli' | 'operation' = 'root'\n let currentEntry: Record<string, unknown> = {}\n\n const flushOperation = () => {\n if (currentSection === 'operation' && Object.keys(currentEntry).length > 0) {\n operations.push(currentEntry as unknown as ShapesOperation)\n currentEntry = {}\n }\n }\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim()\n if (!line || line.startsWith('#'))\n continue\n\n if (line === '[cli]') {\n flushOperation()\n currentSection = 'cli'\n result.cli = {} as ShapesAdapter['cli']\n continue\n }\n\n if (line === '[[operation]]') {\n flushOperation()\n currentSection = 'operation'\n currentEntry = {}\n continue\n }\n\n const kv = parseKeyValue(line)\n if (!kv)\n continue\n\n const value = parseTomlValue(kv.value)\n if (currentSection === 'root') {\n ;(result as Record<string, unknown>)[kv.key] = value\n }\n else if (currentSection === 'cli') {\n ;(result.cli as Record<string, unknown>)[kv.key] = value\n }\n else {\n currentEntry[kv.key] = value\n }\n }\n\n flushOperation()\n result.operation = operations\n\n if (result.schema !== 'openape-shapes/v1') {\n throw new Error(`Unsupported adapter schema: ${result.schema ?? 'missing'}`)\n }\n if (!result.cli?.id || !result.cli.executable) {\n throw new Error('Adapter is missing cli.id or cli.executable')\n }\n if (!result.operation?.length) {\n throw new Error('Adapter must define at least one [[operation]] entry')\n }\n\n return {\n schema: result.schema,\n cli: {\n id: String(result.cli.id),\n executable: String(result.cli.executable),\n ...(result.cli.audience ? { audience: String(result.cli.audience) } : {}),\n ...(result.cli.version ? { version: String(result.cli.version) } : {}),\n },\n operations: result.operation.map((operation) => {\n if (!Array.isArray(operation.command) || operation.command.some(token => typeof token !== 'string')) {\n throw new Error(`Operation ${String(operation.id ?? '<unknown>')} is missing command[]`)\n }\n if (!Array.isArray(operation.resource_chain) || operation.resource_chain.some(token => typeof token !== 'string')) {\n throw new Error(`Operation ${String(operation.id ?? '<unknown>')} is missing resource_chain[]`)\n }\n if (typeof operation.id !== 'string' || typeof operation.display !== 'string' || typeof operation.action !== 'string') {\n throw new TypeError('Operation must define id, display, and action')\n }\n return {\n id: operation.id,\n command: operation.command as string[],\n ...(Array.isArray(operation.positionals) ? { positionals: operation.positionals as string[] } : {}),\n ...(Array.isArray(operation.required_options) ? { required_options: operation.required_options as string[] } : {}),\n display: operation.display,\n action: operation.action,\n risk: (operation.risk as ShapesOperation['risk']) || 'low',\n resource_chain: operation.resource_chain as string[],\n ...(operation.exact_command !== undefined ? { exact_command: Boolean(operation.exact_command) } : {}),\n }\n }),\n }\n}\n","import type { OpenApeCliAuthorizationDetail } from '@openape/core'\nimport { canonicalizeCliPermission, computeArgvHash } from '@openape/grants'\nimport type { LoadedAdapter, ResolvedCommand, ShapesAdapter } from './types.js'\n\n/**\n * The synthetic operation ID used for generic-fallback grants. Downstream\n * code (audit logging, UI banner) keys off this exact string.\n */\nexport const GENERIC_OPERATION_ID = '_generic.exec'\n\n/**\n * Schema version for synthetic adapters. Not persisted anywhere — exists\n * only so the in-memory adapter shape matches `ShapesAdapter`.\n */\nconst SYNTHETIC_SCHEMA = 'openape-shapes/v1'\n\n/**\n * Build a synthetic in-memory `LoadedAdapter` for a CLI that has no\n * registered shape. The adapter is marked with `synthetic: true` so\n * callers can branch on it if needed.\n *\n * NOTE: This does NOT produce a parser-matchable adapter. The generic\n * pipeline bypasses `resolveCommand()` entirely — see `buildGenericResolved()`.\n * This function exists for flow-control markers and tests.\n */\nexport function buildGenericAdapter(cliId: string): LoadedAdapter {\n const adapter: ShapesAdapter = {\n schema: SYNTHETIC_SCHEMA,\n cli: {\n id: cliId,\n executable: cliId,\n audience: 'shapes',\n version: 'synthetic',\n },\n operations: [],\n }\n return {\n adapter,\n source: '<synthetic>',\n digest: 'synthetic',\n synthetic: true,\n }\n}\n\n/**\n * Build a `ResolvedCommand` directly for a CLI that has no registered shape.\n *\n * Unlike the normal flow (loadAdapter → resolveCommand), the generic path\n * bypasses the parser entirely. Rationale:\n *\n * - `resolveCommand()` matches argv against declarative operation specs\n * via `matchOperation()`, which requires `positionals.length ===\n * operation.positionals.length`. A \"match-all\" spec (`command: []`,\n * `positionals: []`) would reject any non-empty argv.\n *\n * - Synthetic adapters have no declarative spec — we already know what\n * to execute. Running the parser is theatre.\n *\n * The returned `ResolvedCommand` has:\n * - `detail.operation_id === GENERIC_OPERATION_ID` — marker consumed by\n * the audit-log hook in `verifyAndExecute`.\n * - `detail.risk === 'high'` — forced.\n * - `detail.constraints.exact_command === true` — forced, binds the\n * grant to this exact argv via `argv_hash`.\n * - `resource_chain = [{resource: 'cli', selector: {name: cliId}},\n * {resource: 'argv', selector: {hash: <sha256>}}]`\n */\nexport async function buildGenericResolved(\n cliId: string,\n fullArgv: string[],\n): Promise<ResolvedCommand> {\n if (fullArgv.length === 0)\n throw new Error('buildGenericResolved: fullArgv must include the executable')\n const executable = fullArgv[0]!\n const commandArgv = fullArgv.slice(1)\n const argvHash = await computeArgvHash(fullArgv)\n\n const display = `Execute (unshaped): \\`${cliId} ${commandArgv.join(' ')}\\``\n\n const detail: OpenApeCliAuthorizationDetail = {\n type: 'openape_cli',\n cli_id: cliId,\n operation_id: GENERIC_OPERATION_ID,\n resource_chain: [\n { resource: 'cli', selector: { name: cliId } },\n { resource: 'argv', selector: { hash: argvHash } },\n ],\n action: 'exec',\n permission: '',\n display,\n risk: 'high',\n constraints: { exact_command: true },\n }\n detail.permission = canonicalizeCliPermission(detail)\n\n const adapter = buildGenericAdapter(cliId)\n\n return {\n adapter: adapter.adapter,\n source: adapter.source,\n digest: adapter.digest,\n executable,\n commandArgv,\n bindings: {},\n detail,\n executionContext: {\n argv: fullArgv,\n argv_hash: argvHash,\n adapter_id: cliId,\n adapter_version: SYNTHETIC_SCHEMA,\n adapter_digest: adapter.digest,\n resolved_executable: executable,\n context_bindings: {},\n },\n permission: detail.permission,\n }\n}\n\n/**\n * Type guard: does this `ResolvedCommand` come from the generic fallback path?\n */\nexport function isGenericResolved(resolved: ResolvedCommand): boolean {\n return resolved.detail.operation_id === GENERIC_OPERATION_ID\n}\n","import { appendFileSync, existsSync, mkdirSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { dirname, join } from 'node:path'\n\n/** Single audit log entry. Always includes a timestamp and an action string. */\nexport interface AuditEntry {\n action: string\n timestamp: number\n [key: string]: unknown\n}\n\nfunction auditPath(): string {\n return join(homedir(), '.config', 'apes', 'audit.jsonl')\n}\n\n/**\n * Append a single entry to the audit log at ~/.config/apes/audit.jsonl.\n * Failures are swallowed — the audit log should never break the actual flow.\n */\nexport function appendAuditLog(entry: { action: string, timestamp?: number } & Record<string, unknown>): void {\n const full: AuditEntry = {\n ...entry,\n action: entry.action,\n timestamp: entry.timestamp ?? Date.now(),\n }\n const path = auditPath()\n const dir = dirname(path)\n try {\n if (!existsSync(dir)) mkdirSync(dir, { recursive: true })\n appendFileSync(path, `${JSON.stringify(full)}\\n`)\n }\n catch {\n // intentionally ignored — audit log must never break the flow\n }\n}\n","import { createHash } from 'node:crypto'\nimport { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\nimport type { RegistryEntry } from './types.js'\n\nfunction adapterDir(local: boolean): string {\n const base = local ? process.cwd() : homedir()\n return join(base, '.openape', 'shapes', 'adapters')\n}\n\nfunction adapterPath(id: string, local: boolean): string {\n return join(adapterDir(local), `${id}.toml`)\n}\n\nfunction sha256(content: string): string {\n return `SHA-256:${createHash('sha256').update(content).digest('hex')}`\n}\n\nexport interface InstallResult {\n id: string\n path: string\n digest: string\n updated: boolean\n}\n\nexport async function installAdapter(entry: RegistryEntry, options: { local?: boolean } = {}): Promise<InstallResult> {\n const local = options.local ?? false\n const dest = adapterPath(entry.id, local)\n const dir = adapterDir(local)\n\n const response = await fetch(entry.download_url)\n if (!response.ok)\n throw new Error(`Failed to download adapter ${entry.id}: ${response.status} ${response.statusText}`)\n\n const content = await response.text()\n const digest = sha256(content)\n\n if (digest !== entry.digest)\n throw new Error(`Digest mismatch for ${entry.id}: expected ${entry.digest}, got ${digest}`)\n\n const updated = existsSync(dest)\n\n if (!existsSync(dir))\n mkdirSync(dir, { recursive: true })\n\n writeFileSync(dest, content)\n\n return { id: entry.id, path: dest, digest, updated }\n}\n\nexport function getInstalledDigest(id: string, local: boolean): string | null {\n const path = adapterPath(id, local)\n if (!existsSync(path))\n return null\n\n const content = readFileSync(path, 'utf-8')\n return sha256(content)\n}\n\nexport function isInstalled(id: string, local: boolean): boolean {\n return existsSync(adapterPath(id, local))\n}\n\nexport function getInstalledPath(id: string, local: boolean): string {\n return adapterPath(id, local)\n}\n\nexport function removeAdapter(id: string, local: boolean): boolean {\n const path = adapterPath(id, local)\n if (!existsSync(path))\n return false\n unlinkSync(path)\n return true\n}\n\nexport interface ConflictingAdapter {\n file: string\n path: string\n adapterId: string\n executable: string\n}\n\nexport function findConflictingAdapters(executable: string, excludeId: string): ConflictingAdapter[] {\n const conflicts: ConflictingAdapter[] = []\n const dirs = [\n join(process.cwd(), '.openape', 'shapes', 'adapters'),\n join(homedir(), '.openape', 'shapes', 'adapters'),\n ]\n\n for (const dir of dirs) {\n if (!existsSync(dir))\n continue\n try {\n for (const file of readdirSync(dir).filter(f => f.endsWith('.toml'))) {\n const path = join(dir, file)\n const content = readFileSync(path, 'utf-8')\n const execMatch = content.match(/^\\s*executable\\s*=\\s*\"([^\"]+)\"/m)\n const idMatch = content.match(/^\\s*id\\s*=\\s*\"([^\"]+)\"/m)\n if (execMatch?.[1] === executable && idMatch?.[1] !== excludeId) {\n conflicts.push({ file, path, adapterId: idMatch?.[1] ?? file, executable })\n }\n }\n }\n catch {\n // directory not readable\n }\n }\n\n return conflicts\n}\n","import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\nimport type { RegistryEntry, RegistryIndex } from './types.js'\n\nconst REGISTRY_URL = process.env.SHAPES_REGISTRY_URL\n ?? 'https://raw.githubusercontent.com/openape-ai/shapes-registry/main/registry.json'\n\nconst CACHE_TTL_MS = 60 * 60 * 1000 // 1 hour\n\nfunction cacheDir(): string {\n return join(homedir(), '.openape', 'shapes', 'cache')\n}\n\nfunction cachePath(): string {\n return join(cacheDir(), 'registry.json')\n}\n\nfunction readCache(): RegistryIndex | null {\n const path = cachePath()\n if (!existsSync(path))\n return null\n\n try {\n const raw = readFileSync(path, 'utf-8')\n const stat = JSON.parse(raw) as RegistryIndex & { _cached_at?: number }\n if (stat._cached_at && Date.now() - stat._cached_at > CACHE_TTL_MS)\n return null\n return stat\n }\n catch {\n return null\n }\n}\n\nfunction writeCache(index: RegistryIndex): void {\n const dir = cacheDir()\n if (!existsSync(dir))\n mkdirSync(dir, { recursive: true })\n\n writeFileSync(cachePath(), JSON.stringify({ ...index, _cached_at: Date.now() }, null, 2))\n}\n\nexport async function fetchRegistry(forceRefresh = false): Promise<RegistryIndex> {\n if (!forceRefresh) {\n const cached = readCache()\n if (cached)\n return cached\n }\n\n const response = await fetch(REGISTRY_URL)\n if (!response.ok)\n throw new Error(`Failed to fetch registry: ${response.status} ${response.statusText}`)\n\n const index = await response.json() as RegistryIndex\n writeCache(index)\n return index\n}\n\nexport function searchAdapters(index: RegistryIndex, query: string): RegistryEntry[] {\n const q = query.toLowerCase()\n return index.adapters.filter(a =>\n a.id.includes(q)\n || a.name.toLowerCase().includes(q)\n || a.description.toLowerCase().includes(q)\n || a.tags.some(t => t.includes(q))\n || a.category.includes(q),\n )\n}\n\n/**\n * Look up a registry entry by its id or its executable field. This lets callers\n * pass either the registry id (\"o365\") or the binary name (\"o365-cli\"); most\n * adapters have id === executable, but the two can diverge.\n */\nexport function findAdapter(index: RegistryIndex, idOrExecutable: string): RegistryEntry | undefined {\n return index.adapters.find(\n a => a.id === idOrExecutable || a.executable === idOrExecutable,\n )\n}\n","import { basename } from 'node:path'\nimport consola from 'consola'\nimport { parse as shellParse } from 'shell-quote'\nimport { loadAdapter, tryLoadAdapter } from './adapters.js'\nimport { installAdapter } from './installer.js'\nimport { fetchRegistry, findAdapter } from './registry.js'\nimport { appendAuditLog } from './audit.js'\nimport type { LoadedAdapter } from './types.js'\n\n/** A parsed shell command string with the executable and its argv extracted. */\nexport interface ParsedShellCommand {\n /** The program to run (first token, e.g. \"rm\") */\n executable: string\n /** Remaining tokens after the executable (e.g. [\"-f\", \"/tmp/foo.txt\"]) */\n argv: string[]\n /**\n * true if the command contains compound operators (&&, ||, ;, |),\n * subshells ($(...)), or backticks. These cannot be safely handled\n * by the adapter mode and must fall back to the generic shell grant flow.\n */\n isCompound: boolean\n /** The original command string for display/logging */\n raw: string\n}\n\nconst COMPOUND_OPERATORS = new Set(['&&', '||', ';', '|', '&', '>', '>>', '<'])\n\ntype ShellQuoteToken = string | { op: string } | { comment: string } | { pattern: string }\n\n/**\n * Parse a shell command string like `rm /tmp/foo.txt` or `git commit -m \"hello\"` into\n * its executable and argv. Uses `shell-quote` to handle quoting correctly.\n *\n * Returns null for empty/whitespace-only input.\n */\nexport function parseShellCommand(raw: string): ParsedShellCommand | null {\n const trimmed = raw.trim()\n if (trimmed.length === 0) return null\n\n let tokens: ShellQuoteToken[]\n try {\n tokens = shellParse(trimmed) as ShellQuoteToken[]\n }\n catch {\n return null\n }\n\n // Detect compound operators and subshells\n const hasShellExpansion = /\\$\\(|`/.test(trimmed)\n const hasOperatorToken = tokens.some(t => typeof t === 'object' && t !== null && 'op' in t && COMPOUND_OPERATORS.has(t.op))\n const isCompound = hasShellExpansion || hasOperatorToken\n\n // Extract leading string tokens up to the first operator object\n const stringTokens: string[] = []\n for (const t of tokens) {\n if (typeof t === 'string') {\n stringTokens.push(t)\n }\n else {\n break\n }\n }\n\n if (stringTokens.length === 0) return null\n\n return {\n executable: stringTokens[0]!,\n argv: stringTokens.slice(1),\n isCompound,\n raw: trimmed,\n }\n}\n\n/**\n * Extract the command string from an `apes run --shell -- bash -c \"…\"` argv.\n * Returns null if the argv does not follow that shape.\n */\nexport function extractShellCommandString(command: string[]): string | null {\n if (command.length < 3) return null\n if (command[0] !== 'bash' && command[0] !== 'sh') return null\n if (command[1] !== '-c') return null\n // Everything after `-c` is the quoted command string\n return command.slice(2).join(' ')\n}\n\n/**\n * Load an adapter for the given CLI id. If the adapter is not installed locally,\n * try to fetch it from the shapes registry and auto-install it.\n *\n * Returns null when no adapter exists in either location, or when any step fails.\n * Failures are logged but never thrown — callers should fall back to the generic flow.\n */\nexport async function loadOrInstallAdapter(cliId: string): Promise<LoadedAdapter | null> {\n // Absolute or relative paths like `/usr/local/bin/o365-cli` must be reduced\n // to the binary name before any lookup — neither the local file scan nor the\n // registry knows how to match a path.\n const lookupId = basename(cliId)\n\n // 1. Try local\n const local = tryLoadAdapter(lookupId)\n if (local) return local\n\n // 2. Remote registry lookup + auto-install.\n // findAdapter matches both `id` and `executable`, so a bare binary name\n // like `o365-cli` resolves to a registry entry whose id is `o365`.\n try {\n const index = await fetchRegistry()\n const entry = findAdapter(index, lookupId)\n if (!entry) return null\n\n consola.info(`Installing shapes adapter for ${entry.id} from registry...`)\n await installAdapter(entry, { local: false })\n appendAuditLog({\n action: 'adapter-auto-install',\n cli_id: entry.id,\n digest: entry.digest,\n source: 'ape-shell',\n })\n\n // Adapters are installed under their registry `id` — always reload by id\n // even if the caller passed the executable name.\n return tryLoadAdapter(entry.id)\n }\n catch (err) {\n consola.debug(`ape-shell adapter auto-install failed for ${lookupId}:`, err)\n return null\n }\n}\n\n// Re-export loadAdapter so callers can import everything from one module\nexport { loadAdapter }\n","import type { OpenApeCliAuthorizationDetail, OpenApeCliResourceRef } from '@openape/core'\nimport { canonicalizeCliPermission } from '@openape/grants'\nimport type { LoadedAdapter, ResolvedCapability, ShapesOperation } from './types.js'\n\ninterface ParsedOperationChainEntry {\n resource: string\n selectorKeys: string[]\n}\n\nfunction parseOperationChainEntry(entry: string): ParsedOperationChainEntry {\n const [resource, selectorSpec = '*'] = entry.split(':', 2)\n if (!resource) {\n throw new Error(`Invalid resource chain entry: ${entry}`)\n }\n\n if (selectorSpec === '*') {\n return { resource, selectorKeys: [] }\n }\n\n const selectorKeys = selectorSpec.split(',')\n .map((segment) => {\n const [key] = segment.split('=', 2)\n if (!key)\n throw new Error(`Invalid selector segment: ${segment}`)\n return key\n })\n\n return { resource, selectorKeys }\n}\n\nfunction operationChain(operation: ShapesOperation): ParsedOperationChainEntry[] {\n return operation.resource_chain.map(parseOperationChainEntry)\n}\n\nfunction knownSelectorKeys(operations: ShapesOperation[], resource: string): string[] {\n const keys = new Set<string>()\n for (const operation of operations) {\n for (const entry of operationChain(operation)) {\n if (entry.resource !== resource)\n continue\n for (const key of entry.selectorKeys) {\n keys.add(key)\n }\n }\n }\n return Array.from(keys).sort()\n}\n\nfunction parseResourceSelector(raw: string): { resource: string, key: string, value: string } {\n const [lhs, value] = raw.split('=', 2)\n if (!lhs || !value) {\n throw new Error(`Invalid selector: ${raw}`)\n }\n\n const [resource, key] = lhs.split('.', 2)\n if (!resource || !key) {\n throw new Error(`Selectors must be in resource.key=value form: ${raw}`)\n }\n\n return { resource, key, value }\n}\n\nfunction formatSelector(selector?: Record<string, string>): string {\n if (!selector || Object.keys(selector).length === 0)\n return '*'\n return Object.entries(selector)\n .sort(([a], [b]) => a.localeCompare(b))\n .map(([key, value]) => `${key}=${value}`)\n .join(',')\n}\n\nfunction summarizeDetail(detail: OpenApeCliAuthorizationDetail): string {\n const chain = detail.resource_chain\n .map(resource => `${resource.resource}[${formatSelector(resource.selector)}]`)\n .join(' -> ')\n return `Allow ${detail.action} on ${detail.cli_id} ${chain}`\n}\n\nexport function resolveCapabilityRequest(\n loaded: LoadedAdapter,\n params: {\n resources: string[]\n selectors?: string[]\n actions: string[]\n },\n): ResolvedCapability {\n if (params.resources.length === 0) {\n throw new Error('At least one --resource is required')\n }\n if (params.actions.length === 0) {\n throw new Error('At least one --action is required')\n }\n\n const selectorMap = new Map<string, Record<string, string>>()\n for (const rawSelector of params.selectors ?? []) {\n const { resource, key, value } = parseResourceSelector(rawSelector)\n const current = selectorMap.get(resource) ?? {}\n current[key] = value\n selectorMap.set(resource, current)\n }\n\n const resource_chain: OpenApeCliResourceRef[] = params.resources.map((resource) => {\n const selector = selectorMap.get(resource)\n const knownKeys = knownSelectorKeys(loaded.adapter.operations, resource)\n if (selector) {\n for (const key of Object.keys(selector)) {\n if (!knownKeys.includes(key)) {\n throw new Error(`Unknown selector ${resource}.${key} for adapter ${loaded.adapter.cli.id}`)\n }\n }\n }\n return selector && Object.keys(selector).length > 0 ? { resource, selector } : { resource }\n })\n\n const requestedSequence = params.resources.join('\\0')\n const matchingOperations = loaded.adapter.operations.filter((operation) => {\n const sequence = operationChain(operation).map(entry => entry.resource).join('\\0')\n return sequence === requestedSequence || sequence.startsWith(`${requestedSequence}\\0`)\n })\n\n if (matchingOperations.length === 0) {\n throw new Error(`No adapter operation supports resource chain: ${params.resources.join(' -> ')}`)\n }\n\n const details = params.actions.map((action) => {\n const matchingActionOps = matchingOperations.filter(operation => operation.action === action)\n if (matchingActionOps.length === 0) {\n throw new Error(`Action ${action} is not valid for resource chain: ${params.resources.join(' -> ')}`)\n }\n\n const exact_command = matchingActionOps.every(operation => operation.exact_command === true)\n const risks = ['low', 'medium', 'high', 'critical'] as const\n const risk = matchingActionOps.reduce<typeof risks[number]>((current, operation) => {\n return risks.indexOf(operation.risk) > risks.indexOf(current) ? operation.risk : current\n }, 'low')\n\n const detail: OpenApeCliAuthorizationDetail = {\n type: 'openape_cli',\n cli_id: loaded.adapter.cli.id,\n operation_id: `capability.${action}`,\n resource_chain,\n action,\n permission: '',\n display: '',\n risk,\n ...(exact_command ? { constraints: { exact_command: true } } : {}),\n }\n detail.permission = canonicalizeCliPermission(detail)\n detail.display = summarizeDetail(detail)\n return detail\n })\n\n return {\n adapter: loaded.adapter,\n source: loaded.source,\n digest: loaded.digest,\n executable: loaded.adapter.cli.executable,\n details,\n executionContext: {\n adapter_id: loaded.adapter.cli.id,\n adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,\n adapter_digest: loaded.digest,\n resolved_executable: loaded.adapter.cli.executable,\n context_bindings: Object.fromEntries(\n Array.from(selectorMap.entries()).flatMap(([resource, selector]) =>\n Object.entries(selector).map(([key, value]) => [`${resource}.${key}`, value] as const),\n ),\n ),\n },\n permissions: details.map(detail => detail.permission),\n summary: details.map(detail => detail.display).join('; '),\n }\n}\n","import type { OpenApeCliAuthorizationDetail, OpenApeCliResourceRef } from '@openape/core'\nimport { canonicalizeCliPermission, computeArgvHash } from '@openape/grants'\nimport type { LoadedAdapter, ResolvedCommand, ShapesOperation } from './types.js'\n\nfunction parseOptionArgs(tokens: string[], valueOptions?: string[]): { options: Record<string, string>, positionals: string[] } {\n const options: Record<string, string> = {}\n const positionals: string[] = []\n const takesValue = new Set(valueOptions ?? [])\n\n for (let index = 0; index < tokens.length; index += 1) {\n const token = tokens[index]!\n\n if (token.startsWith('--')) {\n // Long option: --name value or --name=value\n const stripped = token.slice(2)\n const eqIndex = stripped.indexOf('=')\n if (eqIndex >= 0) {\n options[stripped.slice(0, eqIndex)] = stripped.slice(eqIndex + 1)\n continue\n }\n\n const next = tokens[index + 1]\n if (next && !next.startsWith('-')) {\n options[stripped] = next\n index += 1\n continue\n }\n\n options[stripped] = 'true'\n }\n else if (token.startsWith('-') && token.length > 1 && !/^-\\d/.test(token)) {\n // Short option: -name value, -f value, or -l (boolean)\n const key = token.slice(1)\n\n if (key.length === 1 && !takesValue.has(key)) {\n // Single-char flag not in required_options → boolean\n options[key] = 'true'\n }\n else {\n // Multi-char option (-name) or known value option (-f) → consume next as value\n const next = tokens[index + 1]\n if (next && !next.startsWith('-')) {\n options[key] = next\n index += 1\n }\n else {\n options[key] = 'true'\n }\n }\n }\n else {\n positionals.push(token)\n }\n }\n\n return { options, positionals }\n}\n\nfunction resolveBindingToken(binding: string, bindings: Record<string, string>): string {\n const match = binding.match(/^\\{([^}|]+)(?:\\|([^}]+))?\\}$/)\n if (!match)\n return binding\n\n const [, name, transform] = match\n const value = bindings[name]\n if (!value)\n throw new Error(`Missing binding: ${name}`)\n if (!transform)\n return value\n\n if (transform === 'owner' || transform === 'name') {\n const [owner, repo] = value.split('/')\n if (!owner || !repo)\n throw new Error(`Binding ${name} must be in owner/name form`)\n return transform === 'owner' ? owner : repo\n }\n\n throw new Error(`Unsupported binding transform: ${transform}`)\n}\n\nfunction renderTemplate(template: string, bindings: Record<string, string>): string {\n return template.replace(/\\{([^}]+)\\}/g, (_, expression: string) => resolveBindingToken(`{${expression}}`, bindings))\n}\n\nfunction parseResourceChain(chain: string[], bindings: Record<string, string>): OpenApeCliResourceRef[] {\n return chain.map((entry) => {\n const [resource, selectorSpec = '*'] = entry.split(':', 2)\n if (!resource)\n throw new Error(`Invalid resource chain entry: ${entry}`)\n\n if (selectorSpec === '*') {\n return { resource }\n }\n\n const selector = Object.fromEntries(\n selectorSpec.split(',').map((segment) => {\n const [key, rawValue] = segment.split('=', 2)\n if (!key || !rawValue)\n throw new Error(`Invalid selector segment: ${segment}`)\n return [key, renderTemplate(rawValue, bindings)]\n }),\n )\n\n return { resource, selector }\n })\n}\n\nfunction matchOperation(operation: ShapesOperation, argv: string[]): Record<string, string> | null {\n if (argv.length < operation.command.length)\n return null\n\n const prefix = argv.slice(0, operation.command.length)\n if (prefix.join('\\0') !== operation.command.join('\\0'))\n return null\n\n const remainder = argv.slice(operation.command.length)\n const { options, positionals } = parseOptionArgs(remainder, operation.required_options)\n\n const expectedPositionals = operation.positionals ?? []\n if (positionals.length !== expectedPositionals.length)\n return null\n\n for (const option of operation.required_options ?? []) {\n if (!options[option])\n return null\n }\n\n const bindings: Record<string, string> = { ...options }\n for (let index = 0; index < expectedPositionals.length; index += 1) {\n const name = expectedPositionals[index]!\n const value = positionals[index]!\n if (name.startsWith('=')) {\n if (value !== name.slice(1))\n return null\n continue\n }\n bindings[name] = value\n }\n return bindings\n}\n\nfunction expandCombinedFlags(argv: string[]): string[] {\n return argv.flatMap((token) => {\n // Expand -rl into -r, -l (only single-letter combined flags)\n if (token.startsWith('-') && !token.startsWith('--') && token.length > 2 && /^-[a-z]+$/i.test(token)) {\n return Array.from(token.slice(1), c => `-${c}`)\n }\n return [token]\n })\n}\n\nfunction tryMatch(operations: ShapesOperation[], argv: string[]) {\n return operations.flatMap((operation) => {\n try {\n const bindings = matchOperation(operation, argv)\n return bindings ? [{ operation, bindings }] : []\n }\n catch {\n return []\n }\n })\n}\n\nexport async function resolveCommand(loaded: LoadedAdapter, fullArgv: string[]): Promise<ResolvedCommand> {\n const [executable, ...commandArgv] = fullArgv\n if (!executable) {\n throw new Error('Missing wrapped command')\n }\n if (executable !== loaded.adapter.cli.executable) {\n throw new Error(`Adapter ${loaded.adapter.cli.id} expects executable ${loaded.adapter.cli.executable}, got ${executable}`)\n }\n\n // Pass 1: exact match\n let matches = tryMatch(loaded.adapter.operations, commandArgv)\n\n // Pass 2: try with expanded combined flags (e.g. -rl → -r -l)\n if (matches.length === 0) {\n const expanded = expandCombinedFlags(commandArgv)\n if (expanded.length !== commandArgv.length) {\n matches = tryMatch(loaded.adapter.operations, expanded)\n }\n }\n\n if (matches.length === 0) {\n throw new Error(`No adapter operation matched: ${fullArgv.join(' ')}`)\n }\n if (matches.length > 1) {\n // Prefer the most specific match (longest command prefix)\n matches.sort((a, b) => b.operation.command.length - a.operation.command.length)\n matches = [matches[0]!]\n }\n\n const { operation, bindings } = matches[0]!\n const resource_chain = parseResourceChain(operation.resource_chain, bindings)\n const detail: OpenApeCliAuthorizationDetail = {\n type: 'openape_cli',\n cli_id: loaded.adapter.cli.id,\n operation_id: operation.id,\n resource_chain,\n action: operation.action,\n permission: '',\n display: renderTemplate(operation.display, bindings),\n risk: operation.risk,\n ...(operation.exact_command ? { constraints: { exact_command: true } } : {}),\n }\n detail.permission = canonicalizeCliPermission(detail)\n\n return {\n adapter: loaded.adapter,\n source: loaded.source,\n digest: loaded.digest,\n executable,\n commandArgv,\n bindings,\n detail,\n executionContext: {\n argv: fullArgv,\n argv_hash: await computeArgvHash(fullArgv),\n adapter_id: loaded.adapter.cli.id,\n adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,\n adapter_digest: loaded.digest,\n resolved_executable: executable,\n context_bindings: bindings,\n },\n permission: detail.permission,\n }\n}\n","import { defineCommand } from 'citty'\nimport { loadAdapter } from '../adapters.js'\nimport { resolveCommand } from '../parser.js'\n\nexport const explainCommand = defineCommand({\n meta: {\n name: 'explain',\n description: 'Show what permission a wrapped command would need',\n },\n args: {\n adapter: {\n type: 'string',\n description: 'Explicit path to adapter TOML file',\n },\n _: {\n type: 'positional',\n description: 'Wrapped command (after --)',\n required: false,\n },\n },\n async run({ rawArgs }) {\n const command = extractWrappedCommand(rawArgs ?? [])\n if (command.length === 0)\n throw new Error('Missing wrapped command. Usage: shapes explain [--adapter <file>] -- <cli> ...')\n\n const adapterOpt = extractOption(rawArgs ?? [], 'adapter')\n const loaded = loadAdapter(command[0]!, adapterOpt)\n const resolved = await resolveCommand(loaded, command)\n\n process.stdout.write(`${JSON.stringify({\n adapter: resolved.adapter.cli.id,\n source: resolved.source,\n operation: resolved.detail.operation_id,\n display: resolved.detail.display,\n permission: resolved.permission,\n resource_chain: resolved.detail.resource_chain,\n exact_command: resolved.detail.constraints?.exact_command ?? false,\n adapter_digest: resolved.digest,\n }, null, 2)}\\n`)\n },\n})\n\nexport function extractWrappedCommand(args: string[]): string[] {\n const delimiter = args.indexOf('--')\n return delimiter >= 0 ? args.slice(delimiter + 1) : []\n}\n\nexport function extractOption(args: string[], name: string): string | undefined {\n const delimiter = args.indexOf('--')\n const optionArgs = delimiter >= 0 ? args.slice(0, delimiter) : args\n const index = optionArgs.indexOf(`--${name}`)\n if (index >= 0 && index + 1 < optionArgs.length)\n return optionArgs[index + 1]\n return undefined\n}\n","import type { OpenApeCliAuthorizationDetail, OpenApeGrant } from '@openape/core'\nimport { computeCmdHash } from '@openape/core'\nimport { cliAuthorizationDetailCovers, verifyAuthzJWT } from '@openape/grants'\nimport { execFileSync } from 'node:child_process'\nimport { hostname } from 'node:os'\nimport consola from 'consola'\nimport { getRequesterIdentity } from './config.js'\nimport { getGenericAuditLogPath } from '../config.js'\nimport { resolveCommand } from './parser.js'\nimport { loadOrInstallAdapter } from './shell-parser.js'\nimport type { ResolvedCommand } from './types.js'\nimport { apiFetch, discoverEndpoints, getGrantsEndpoint } from './http.js'\nimport { appendGenericCallLog } from '../audit/generic-log.js'\nimport { isGenericResolved } from './generic.js'\n\nfunction decodePayload(token: string): Record<string, unknown> {\n const [, payload] = token.split('.')\n if (!payload)\n throw new Error('Invalid JWT')\n return JSON.parse(Buffer.from(payload, 'base64url').toString('utf-8')) as Record<string, unknown>\n}\n\ninterface SimilarGrantsInfo {\n similar_grants: Array<{ grant: { id: string }, similar_detail_indices: number[] }>\n widened_details: Array<{ permission: string }>\n merged_details: Array<{ permission: string }>\n}\n\nexport async function createShapesGrant(\n resolved: ResolvedCommand,\n params: {\n idp: string\n approval: 'once' | 'timed' | 'always'\n reason?: string\n },\n): Promise<{ id: string, status: string, similar_grants?: SimilarGrantsInfo }> {\n const grantsEndpoint = await getGrantsEndpoint(params.idp)\n const requester = getRequesterIdentity()\n if (!requester) {\n throw new Error('No requester identity available. Run `apes login` first.')\n }\n return apiFetch<{ id: string, status: string, similar_grants?: SimilarGrantsInfo }>(grantsEndpoint, {\n method: 'POST',\n idp: params.idp,\n body: {\n requester,\n target_host: hostname(),\n audience: resolved.adapter.cli.audience ?? 'shapes',\n grant_type: params.approval,\n command: resolved.executionContext.argv,\n reason: params.reason ?? resolved.detail.display,\n permissions: [resolved.permission],\n authorization_details: [resolved.detail],\n execution_context: resolved.executionContext,\n },\n })\n}\n\nexport async function waitForGrantStatus(idp: string, grantId: string): Promise<'approved' | 'denied' | 'revoked'> {\n const grantsEndpoint = await getGrantsEndpoint(idp)\n const deadline = Date.now() + 300_000\n\n while (Date.now() < deadline) {\n const grant = await apiFetch<{ status: 'pending' | 'approved' | 'denied' | 'revoked' }>(`${grantsEndpoint}/${grantId}`, { idp })\n if (grant.status === 'approved' || grant.status === 'denied' || grant.status === 'revoked')\n return grant.status\n await new Promise(resolve => setTimeout(resolve, 3000))\n }\n\n throw new Error('Timed out waiting for grant approval')\n}\n\nexport async function fetchGrantToken(idp: string, grantId: string): Promise<string> {\n const grantsEndpoint = await getGrantsEndpoint(idp)\n const response = await apiFetch<{ authz_jwt: string }>(`${grantsEndpoint}/${grantId}/token`, {\n method: 'POST',\n idp,\n })\n return response.authz_jwt\n}\n\nfunction grantedCliDetails(claims: Record<string, unknown>): OpenApeCliAuthorizationDetail[] {\n const details = claims.authorization_details\n if (!Array.isArray(details))\n return []\n\n return details.filter((detail): detail is OpenApeCliAuthorizationDetail =>\n typeof detail === 'object'\n && detail !== null\n && (detail as Record<string, unknown>).type === 'openape_cli',\n )\n}\n\nfunction hasStructuredCliGrant(claims: Record<string, unknown>): boolean {\n return grantedCliDetails(claims).length > 0\n}\n\n/**\n * Verifies a grant token against the resolved command and marks the grant\n * as consumed on the IdP. Does NOT execute anything — callers that want\n * the one-shot behavior should use `verifyAndExecute`, callers that want\n * to run the command themselves (e.g. the interactive REPL piping through\n * a persistent bash pty) should call this and then do their own execution.\n *\n * Split out so the interactive shell can re-use the verify + consume path\n * without being forced into the `execFileSync`-based one-shot execution.\n */\nexport async function verifyAndConsume(token: string, resolved: ResolvedCommand): Promise<void> {\n const payload = decodePayload(token)\n const issuer = String(payload.iss ?? '')\n if (!issuer)\n throw new Error('Grant token is missing issuer')\n\n const discovery = await discoverEndpoints(issuer)\n const jwksUri = String(discovery.jwks_uri ?? `${issuer}/.well-known/jwks.json`)\n const result = await verifyAuthzJWT(token, {\n expectedIss: issuer,\n expectedAud: resolved.adapter.cli.audience ?? 'shapes',\n jwksUri,\n })\n\n if (!result.valid || !result.claims) {\n throw new Error(result.error ?? 'Grant verification failed')\n }\n\n const claims = result.claims\n const details = grantedCliDetails(claims as unknown as Record<string, unknown>)\n\n if (claims.execution_context?.adapter_digest && claims.execution_context.adapter_digest !== resolved.digest) {\n throw new Error('Adapter digest mismatch')\n }\n\n if (!hasStructuredCliGrant(claims as unknown as Record<string, unknown>)) {\n const argv = resolved.executionContext.argv\n if (!argv?.length) {\n throw new Error('Resolved command is missing argv')\n }\n const expectedCmdHash = await computeCmdHash(argv.join(' '))\n if (claims.command?.join('\\0') !== argv.join('\\0')) {\n throw new Error('Granted command does not match current argv')\n }\n if (claims.cmd_hash && claims.cmd_hash !== expectedCmdHash) {\n throw new Error('Granted command does not match current argv')\n }\n if (!claims.command?.length && !claims.cmd_hash) {\n throw new Error('Grant is not a structured CLI grant and is missing command binding')\n }\n }\n else {\n if (!details.some(detail => cliAuthorizationDetailCovers(detail, resolved.detail))) {\n throw new Error(`Grant does not cover required permission: ${resolved.permission}`)\n }\n\n const exactRequired = details.some(detail =>\n cliAuthorizationDetailCovers(detail, resolved.detail) && detail.constraints?.exact_command,\n )\n\n const isOnce = claims.grant_type === 'once' || claims.approval === 'once'\n const enforceArgvHash = exactRequired || (isOnce && !!claims.execution_context?.argv_hash)\n\n if (enforceArgvHash && claims.execution_context?.argv_hash !== resolved.executionContext.argv_hash) {\n throw new Error('Granted command does not match current argv')\n }\n }\n\n const grantsEndpoint = await getGrantsEndpoint(issuer)\n const consume = await fetch(`${grantsEndpoint}/${claims.grant_id}/consume`, {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${token}`,\n },\n })\n\n if (!consume.ok) {\n throw new Error(`Consume failed: ${consume.status} ${consume.statusText}`)\n }\n\n const consumeResult = await consume.json() as { error?: string }\n if (consumeResult.error) {\n throw new Error(`Grant rejected at consume step: ${consumeResult.error}`)\n }\n}\n\n/**\n * Execute a verified + consumed resolved command directly via execFileSync,\n * inheriting stdio so the caller's terminal is handed to the child. Used by\n * the one-shot `apes run --shell` path.\n */\nexport function executeResolvedViaExec(resolved: ResolvedCommand): void {\n consola.info(`Executing ${(resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv]).join(' ')}`)\n execFileSync(resolved.executable, resolved.commandArgv, { stdio: 'inherit' })\n}\n\n/**\n * One-shot verify + consume + execute. Preserves the legacy behavior of\n * the `apes run --shell` path so existing callers keep working unchanged.\n *\n * When `resolved` carries the generic-fallback operation id\n * (`_generic.exec`), a JSONL audit entry is appended to the generic-calls\n * log after the child process exits. `grantId` is needed to write the\n * entry — callers that know the grant id should pass it; if omitted, the\n * log entry is skipped (the audit hook is best-effort, not a hard gate).\n *\n * This is the central exec path for sync (`--wait`), async-default\n * (`apes grants run <id> --wait`), and REPL one-shot, so a hook here\n * covers all three flows without duplicating logic in each caller.\n */\nexport async function verifyAndExecute(\n token: string,\n resolved: ResolvedCommand,\n grantId?: string,\n): Promise<void> {\n await verifyAndConsume(token, resolved)\n\n const isGeneric = isGenericResolved(resolved)\n const start = Date.now()\n let exitCode = 0\n try {\n executeResolvedViaExec(resolved)\n }\n catch (err) {\n exitCode = (err as { status?: number })?.status ?? 1\n throw err\n }\n finally {\n if (isGeneric && grantId) {\n // Best-effort: swallow log errors so a broken audit file never\n // blocks a successful command.\n try {\n await appendGenericCallLog(\n {\n ts: new Date().toISOString(),\n cli: resolved.detail.cli_id,\n argv: resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv],\n argv_hash: resolved.executionContext.argv_hash ?? '',\n grant_id: grantId,\n exit_code: exitCode,\n duration_ms: Date.now() - start,\n },\n getGenericAuditLogPath(),\n )\n }\n catch (logErr) {\n consola.debug('Failed to append generic-call audit entry:', logErr)\n }\n }\n }\n}\n\n/**\n * Re-resolve a ResolvedCommand from a previously-created grant's recorded\n * request (argv + adapter digest). Used by `apes grants run <id>` to replay\n * an approved grant locally after the async approval step.\n *\n * Throws when the grant is missing argv, when the adapter cannot be loaded,\n * or when the locally installed adapter's digest no longer matches what the\n * grant was issued against.\n */\nexport async function resolveFromGrant(\n grant: {\n request: {\n command?: string[]\n execution_context?: { adapter_digest?: string, argv_hash?: string }\n authorization_details?: Array<{ type?: string, permission?: string }>\n }\n },\n): Promise<ResolvedCommand> {\n const argv = grant.request?.command\n if (!argv || argv.length === 0)\n throw new Error('Grant request is missing command argv')\n\n const executable = argv[0]\n const adapter = await loadOrInstallAdapter(executable)\n if (!adapter)\n throw new Error(`No shapes adapter found for ${executable}`)\n\n const resolved = await resolveCommand(adapter, argv)\n\n const grantDigest = grant.request.execution_context?.adapter_digest\n if (grantDigest && grantDigest !== resolved.digest) {\n throw new Error(\n `Adapter digest mismatch: grant was created against adapter ${grantDigest}, but local adapter is ${resolved.digest}. Reinstall or revert the adapter.`,\n )\n }\n\n return resolved\n}\n\nexport async function findExistingGrant(\n resolved: ResolvedCommand,\n idp: string,\n): Promise<string | null> {\n const grantsEndpoint = await getGrantsEndpoint(idp)\n const response = await apiFetch<{ data: OpenApeGrant[] }>(\n `${grantsEndpoint}?status=approved`,\n { idp },\n )\n\n const now = Math.floor(Date.now() / 1000)\n const expectedAudience = resolved.adapter.cli.audience ?? 'shapes'\n\n for (const grant of response.data) {\n const req = grant.request\n if (req.grant_type === 'once')\n continue\n if (req.grant_type === 'timed' && grant.expires_at && grant.expires_at <= now)\n continue\n if (req.audience !== expectedAudience)\n continue\n if (req.execution_context?.adapter_digest && req.execution_context.adapter_digest !== resolved.digest)\n continue\n\n const cliDetails = (req.authorization_details ?? []).filter(\n (d): d is OpenApeCliAuthorizationDetail => d.type === 'openape_cli',\n )\n\n if (cliDetails.length > 0) {\n if (cliDetails.some(detail => cliAuthorizationDetailCovers(detail, resolved.detail)))\n return grant.id\n }\n else if (req.permissions?.includes(resolved.permission)) {\n return grant.id\n }\n }\n\n return null\n}\n","import { existsSync, readFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\ninterface AuthData {\n idp: string\n access_token: string\n email: string\n expires_at: number\n}\n\nconst AUTH_FILE = join(homedir(), '.config', 'apes', 'auth.json')\n\nexport function loadAuth(): AuthData | null {\n if (!existsSync(AUTH_FILE))\n return null\n try {\n return JSON.parse(readFileSync(AUTH_FILE, 'utf-8')) as AuthData\n }\n catch {\n return null\n }\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n if (explicit)\n return explicit\n if (process.env.APES_IDP)\n return process.env.APES_IDP\n if (process.env.SHAPES_IDP)\n return process.env.SHAPES_IDP\n return loadAuth()?.idp ?? null\n}\n\nexport function getAuthToken(): string | null {\n const auth = loadAuth()\n if (!auth)\n return null\n if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30)\n return null\n return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n return loadAuth()?.email ?? null\n}\n","import { getAuthToken, getIdpUrl } from './config.js'\n\nexport async function discoverEndpoints(idpUrl: string): Promise<Record<string, unknown>> {\n const response = await fetch(`${idpUrl}/.well-known/openid-configuration`)\n if (!response.ok)\n return {}\n return response.json() as Promise<Record<string, unknown>>\n}\n\nexport async function getGrantsEndpoint(idpUrl: string): Promise<string> {\n const discovery = await discoverEndpoints(idpUrl)\n return String(discovery.openape_grants_endpoint ?? `${idpUrl}/api/grants`)\n}\n\nexport async function apiFetch<T>(\n path: string,\n options: {\n method?: string\n body?: unknown\n idp?: string\n token?: string\n } = {},\n): Promise<T> {\n const token = options.token ?? getAuthToken()\n if (!token)\n throw new Error('Not authenticated. Run `apes login` first.')\n\n const idp = options.idp ?? getIdpUrl()\n if (!path.startsWith('http') && !idp)\n throw new Error('No IdP URL configured. Use --idp or log in with apes.')\n\n const url = path.startsWith('http') ? path : `${idp}${path}`\n const response = await fetch(url, {\n method: options.method ?? 'GET',\n headers: {\n Authorization: `Bearer ${token}`,\n 'Content-Type': 'application/json',\n },\n body: options.body ? JSON.stringify(options.body) : undefined,\n })\n\n if (!response.ok) {\n const text = await response.text()\n throw new Error(text || `${response.status} ${response.statusText}`)\n }\n\n return response.json() as Promise<T>\n}\n","import { mkdir, appendFile } from 'node:fs/promises'\nimport { homedir } from 'node:os'\nimport { dirname, join } from 'node:path'\n\n/**\n * A single successful generic-fallback execution entry.\n * Denied, timeout, and cancelled grants are NOT logged here — they are\n * captured by the IdP's server-side audit trail.\n */\nexport interface GenericCallLogEntry {\n /** ISO 8601 timestamp of execution completion */\n ts: string\n /** CLI id as requested by the user (e.g. \"kubectl\") */\n cli: string\n /** Full argv as executed, including the executable */\n argv: string[]\n /** SHA-256 of the argv — matches the `argv:hash` selector in resource_chain */\n argv_hash: string\n /** Grant that authorized this execution */\n grant_id: string\n /** Process exit code */\n exit_code: number\n /** Wall-clock duration from grant-approval to process exit, milliseconds */\n duration_ms: number\n}\n\n/**\n * Default audit log location. Lives under `~/.config/apes/` for consistency\n * with the rest of apes' client state (`config.toml`, `auth.json`, …).\n */\nexport function defaultGenericLogPath(): string {\n return join(homedir(), '.config', 'apes', 'generic-calls.log')\n}\n\n/**\n * Append a single generic-call entry to the audit log in JSONL format.\n * Creates the containing directory if needed.\n *\n * @param entry The call record to append\n * @param logPath Optional override (usually from `config.generic.audit_log`)\n */\nexport async function appendGenericCallLog(\n entry: GenericCallLogEntry,\n logPath?: string,\n): Promise<void> {\n const path = logPath ?? defaultGenericLogPath()\n await mkdir(dirname(path), { recursive: true })\n await appendFile(path, `${JSON.stringify(entry)}\\n`, 'utf-8')\n}\n","import { computeCmdHash } from '@openape/core'\nimport type { BuiltGrantRequest, GrantRequestOptions, ResolvedCapability, ResolvedCommand } from './types.js'\n\nexport async function buildExactCommandGrantRequest(\n command: string[],\n options: GrantRequestOptions & {\n audience: string\n },\n): Promise<BuiltGrantRequest> {\n return {\n request: {\n requester: options.requester,\n target_host: options.target_host,\n audience: options.audience,\n grant_type: options.grant_type,\n command,\n cmd_hash: await computeCmdHash(command.join(' ')),\n ...(options.reason ? { reason: options.reason } : {}),\n ...(options.run_as ? { run_as: options.run_as } : {}),\n },\n }\n}\n\nexport async function buildStructuredCliGrantRequest(\n resolved: ResolvedCommand | ResolvedCapability,\n options: GrantRequestOptions,\n): Promise<BuiltGrantRequest> {\n const details = 'detail' in resolved ? [resolved.detail] : resolved.details\n const permissions = 'permission' in resolved ? [resolved.permission] : resolved.permissions\n const command = 'executionContext' in resolved && resolved.executionContext.argv?.length\n ? resolved.executionContext.argv\n : undefined\n\n return {\n request: {\n requester: options.requester,\n target_host: options.target_host,\n audience: resolved.adapter.cli.audience ?? 'shapes',\n grant_type: options.grant_type,\n permissions,\n authorization_details: details,\n execution_context: resolved.executionContext,\n ...(command ? { command } : {}),\n ...(options.reason ? { reason: options.reason } : { reason: 'summary' in resolved ? resolved.summary : details[0]?.display }),\n ...(options.run_as ? { run_as: options.run_as } : {}),\n },\n }\n}\n"],"mappings":";;;;;;;;;;;AAAA,OAAO,aAAa;AAGpB,IAAM,QAAQ,QAAQ,KAAK,SAAS,SAAS;AAEtC,IAAM,WAAN,cAAuB,MAAM;AAAA,EAClC,YAAmB,YAAoB,SAAwB,gBAA0C;AACvG,UAAM,OAAO;AADI;AAA4C;AAE7D,SAAK,OAAO;AAAA,EACd;AACF;AAGA,IAAM,kBAA2D,CAAC;AAElE,eAAsB,kBAAkB,QAAkD;AACxF,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,MAAM,mCAAmC;AACzE,QAAI,SAAS,IAAI;AACf,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,sBAAgB,MAAM,IAAI;AAC1B,aAAO;AAAA,IACT;AAAA,EACF,QACM;AAAA,EAAC;AAGP,kBAAgB,MAAM,IAAI,CAAC;AAC3B,SAAO,CAAC;AACV;AAEA,eAAsB,kBAAkB,QAAiC;AACvE,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,2BAAsC,GAAG,MAAM;AAC/D;AAEA,eAAsB,0BAA0B,QAAiC;AAC/E,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,kCAA6C,GAAG,MAAM;AACtE;AAEA,eAAsB,6BAA6B,QAAiC;AAClF,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,qCAAgD,GAAG,MAAM;AACzE;AAEA,eAAsB,uBAAuB,QAAiC;AAC5E,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,gCAA2C,GAAG,MAAM;AACpE;AAMA,eAAe,oBAA4C;AACzD,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAET,QAAM,SAAS,WAAW;AAC1B,QAAM,UAAU,OAAO,OAAO;AAC9B,MAAI,CAAC;AACH,WAAO;AAET,MAAI;AACF,UAAM,EAAE,cAAAA,cAAa,IAAI,MAAM,OAAO,IAAS;AAC/C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,QAAa;AAC3C,UAAM,EAAE,SAAAC,SAAQ,IAAI,MAAM,OAAO,IAAS;AAC1C,UAAM,EAAE,sBAAsB,IAAI,MAAM,OAAO,uBAAc;AAE7D,UAAM,WAAW,QAAQ,QAAQ,MAAMA,SAAQ,CAAC;AAChD,UAAM,aAAaD,cAAa,UAAU,OAAO;AACjD,UAAM,aAAa,sBAAsB,UAAU;AAEnD,UAAM,eAAe,MAAM,0BAA0B,KAAK,GAAG;AAC7D,UAAM,gBAAgB,MAAM,MAAM,cAAc;AAAA,MAC9C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,UAAU,KAAK,MAAM,CAAC;AAAA,IAC/C,CAAC;AAED,QAAI,CAAC,cAAc;AACjB,aAAO;AAET,UAAM,EAAE,UAAU,IAAI,MAAM,cAAc,KAAK;AAC/C,UAAM,EAAE,QAAAE,QAAO,IAAI,MAAM,OAAO,QAAa;AAC7C,UAAM,YAAY,KAAK,MAAMA,QAAO,KAAK,SAAS,GAAG,UAAU,EAAE,SAAS,QAAQ;AAElF,UAAM,kBAAkB,MAAM,6BAA6B,KAAK,GAAG;AACnE,UAAM,WAAW,MAAM,MAAM,iBAAiB;AAAA,MAC5C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,UAAU,KAAK,OAAO,WAAW,UAAU,CAAC;AAAA,IACrE,CAAC;AAED,QAAI,CAAC,SAAS;AACZ,aAAO;AAET,UAAM,EAAE,OAAO,WAAW,IAAI,MAAM,SAAS,KAAK;AAElD,aAAS;AAAA,MACP,GAAG;AAAA,MACH,cAAc;AAAA,MACd,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,cAAc;AAAA,IAC7D,CAAC;AAED,QAAI,OAAO;AACT,cAAQ,MAAM,gDAAgD;AAAA,IAChE;AAEA,WAAO;AAAA,EACT,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAUA,eAAe,oBAA4C;AACzD,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC,MAAM;AACT,WAAO;AAET,QAAM,EAAE,iBAAiB,gBAAgB,IAAI,MAAM,OAAO,yBAAgB;AAC1E,QAAM,OAAO,MAAM,gBAAgB,EAAE,WAAW,IAAK,CAAC;AACtD,MAAI,CAAC,MAAM;AAGT,WAAO,aAAa;AAAA,EACtB;AAEA,MAAI;AAGF,UAAM,SAAS,SAAS;AACxB,QAAI,QAAQ,cAAc,KAAK,IAAI,IAAI,MAAO,OAAO,aAAa;AAChE,aAAO,OAAO;AAEhB,UAAM,qBAAqB,QAAQ,iBAAiB,KAAK;AACzD,QAAI,CAAC;AACH,aAAO;AAET,UAAM,QAAQ,MAAM,kBAAkB,KAAK,GAAG;AAC9C,UAAM,gBAAiB,MAAM,kBAA6B,GAAG,KAAK,GAAG;AAErE,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,IACjB,CAAC;AAED,UAAM,OAAO,MAAM,MAAM,eAAe;AAAA,MACtC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AAED,QAAI,CAAC,KAAK,IAAI;AAGZ,UAAI,KAAK,WAAW,OAAO,KAAK,WAAW,KAAK;AAC9C,cAAMC,QAAO,UAAU;AACvB,iBAAS,EAAE,GAAGA,OAAM,eAAe,OAAU,CAAC;AAAA,MAChD;AACA,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,MAAM,KAAK,KAAK;AAM/B,UAAM,OAAO,UAAU;AACvB,aAAS;AAAA,MACP,GAAG;AAAA,MACH,cAAc,OAAO;AAAA,MACrB,eAAe,OAAO,iBAAiB,KAAK;AAAA,MAC5C,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,OAAO,cAAc;AAAA,IACpE,CAAC;AAED,QAAI;AACF,cAAQ,MAAM,yCAAyC;AAEzD,WAAO,OAAO;AAAA,EAChB,UACA;AACE,UAAM,gBAAgB,IAAI;AAAA,EAC5B;AACF;AAEA,eAAsB,SACpB,MACA,UAKI,CAAC,GACO;AACZ,MAAI,QAAQ,QAAQ,SAAS,aAAa;AAK1C,MAAI,CAAC,OAAO;AACV,YAAQ,MAAM,kBAAkB;AAChC,QAAI,CAAC;AACH,cAAQ,MAAM,kBAAkB;AAAA,EACpC;AAEA,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,MAAI;AACJ,MAAI,KAAK,WAAW,MAAM,GAAG;AAC3B,UAAM;AAAA,EACR,OACK;AACH,UAAM,MAAM,QAAQ,OAAO,UAAU;AACrC,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AACA,UAAM,GAAG,GAAG,GAAG,IAAI;AAAA,EACrB;AACA,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAkC;AAAA,IACtC,iBAAiB,UAAU,KAAK;AAAA,IAChC,gBAAgB;AAAA,EAClB;AAEA,MAAI,OAAO;AACT,YAAQ,MAAM,GAAG,MAAM,IAAI,GAAG,EAAE;AAChC,YAAQ,MAAM,UAAU,MAAM,UAAU,GAAG,EAAE,CAAC,MAAM,MAAM,UAAU,MAAM,SAAS,EAAE,CAAC,EAAE;AAAA,EAC1F;AAEA,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC;AAAA,IACA;AAAA,IACA,MAAM,QAAQ,OAAO,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,EACtD,CAAC;AAED,MAAI,OAAO;AACT,YAAQ,MAAM,aAAa,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrE;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAG5D,QAAI,YAAY,SAAS,0BAA0B,KAAK,YAAY,SAAS,kBAAkB,GAAG;AAChG,UAAI;AACF,cAAM,UAAU,MAAM,SAAS,KAAK;AACpC,cAAM,UAAW,QAAQ,UAAsB,QAAQ,SAAqB,QAAQ,iBAA6B,QAAQ,WAAsB,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU;AACxL,cAAM,IAAI,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,MACtD,SACO,GAAG;AACR,YAAI,aAAa;AACf,gBAAM;AAAA,MACV;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,IAAI,SAAS,SAAS,QAAQ,QAAQ,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACzF;AAEA,SAAO,SAAS,KAAK;AACvB;;;ACvRA,SAAS,kBAAkB;AAC3B,SAAS,YAAY,aAAa,oBAAoB;AACtD,SAAS,eAAe;AACxB,SAAS,UAAU,YAAY;;;ACK/B,SAAS,cAAc,MAAqD;AAC1E,QAAM,UAAU,KAAK,QAAQ,GAAG;AAChC,MAAI,YAAY;AACd,WAAO;AACT,QAAM,MAAM,KAAK,MAAM,GAAG,OAAO,EAAE,KAAK;AACxC,QAAM,QAAQ,KAAK,MAAM,UAAU,CAAC,EAAE,KAAK;AAC3C,MAAI,CAAC,OAAO,CAAC;AACX,WAAO;AACT,SAAO,EAAE,KAAK,MAAM;AACtB;AAEA,SAAS,eAAe,KAAsB;AAC5C,QAAM,UAAU,IAAI,KAAK;AAEzB,MAAI,QAAQ,WAAW,GAAG,KAAK,QAAQ,SAAS,GAAG;AACjD,WAAO,QAAQ,MAAM,GAAG,EAAE;AAC5B,MAAI,YAAY;AACd,WAAO;AACT,MAAI,YAAY;AACd,WAAO;AACT,MAAI,QAAQ,WAAW,GAAG,KAAK,QAAQ,SAAS,GAAG,GAAG;AACpD,UAAM,QAAQ,QAAQ,MAAM,GAAG,EAAE,EAAE,KAAK;AACxC,QAAI,CAAC;AACH,aAAO,CAAC;AACV,WAAO,MAAM,MAAM,GAAG,EAAE,IAAI,WAAS,MAAM,KAAK,EAAE,QAAQ,UAAU,EAAE,CAAC;AAAA,EACzE;AAEA,SAAO;AACT;AAEO,SAAS,iBAAiB,SAAgC;AAC/D,QAAM,SAA0B,CAAC;AACjC,QAAM,aAAgC,CAAC;AACvC,MAAI,iBAA+C;AACnD,MAAI,eAAwC,CAAC;AAE7C,QAAM,iBAAiB,MAAM;AAC3B,QAAI,mBAAmB,eAAe,OAAO,KAAK,YAAY,EAAE,SAAS,GAAG;AAC1E,iBAAW,KAAK,YAA0C;AAC1D,qBAAe,CAAC;AAAA,IAClB;AAAA,EACF;AAEA,aAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,UAAM,OAAO,QAAQ,KAAK;AAC1B,QAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B;AAEF,QAAI,SAAS,SAAS;AACpB,qBAAe;AACf,uBAAiB;AACjB,aAAO,MAAM,CAAC;AACd;AAAA,IACF;AAEA,QAAI,SAAS,iBAAiB;AAC5B,qBAAe;AACf,uBAAiB;AACjB,qBAAe,CAAC;AAChB;AAAA,IACF;AAEA,UAAM,KAAK,cAAc,IAAI;AAC7B,QAAI,CAAC;AACH;AAEF,UAAM,QAAQ,eAAe,GAAG,KAAK;AACrC,QAAI,mBAAmB,QAAQ;AAC7B;AAAC,MAAC,OAAmC,GAAG,GAAG,IAAI;AAAA,IACjD,WACS,mBAAmB,OAAO;AACjC;AAAC,MAAC,OAAO,IAAgC,GAAG,GAAG,IAAI;AAAA,IACrD,OACK;AACH,mBAAa,GAAG,GAAG,IAAI;AAAA,IACzB;AAAA,EACF;AAEA,iBAAe;AACf,SAAO,YAAY;AAEnB,MAAI,OAAO,WAAW,qBAAqB;AACzC,UAAM,IAAI,MAAM,+BAA+B,OAAO,UAAU,SAAS,EAAE;AAAA,EAC7E;AACA,MAAI,CAAC,OAAO,KAAK,MAAM,CAAC,OAAO,IAAI,YAAY;AAC7C,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,MAAI,CAAC,OAAO,WAAW,QAAQ;AAC7B,UAAM,IAAI,MAAM,sDAAsD;AAAA,EACxE;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,KAAK;AAAA,MACH,IAAI,OAAO,OAAO,IAAI,EAAE;AAAA,MACxB,YAAY,OAAO,OAAO,IAAI,UAAU;AAAA,MACxC,GAAI,OAAO,IAAI,WAAW,EAAE,UAAU,OAAO,OAAO,IAAI,QAAQ,EAAE,IAAI,CAAC;AAAA,MACvE,GAAI,OAAO,IAAI,UAAU,EAAE,SAAS,OAAO,OAAO,IAAI,OAAO,EAAE,IAAI,CAAC;AAAA,IACtE;AAAA,IACA,YAAY,OAAO,UAAU,IAAI,CAAC,cAAc;AAC9C,UAAI,CAAC,MAAM,QAAQ,UAAU,OAAO,KAAK,UAAU,QAAQ,KAAK,WAAS,OAAO,UAAU,QAAQ,GAAG;AACnG,cAAM,IAAI,MAAM,aAAa,OAAO,UAAU,MAAM,WAAW,CAAC,uBAAuB;AAAA,MACzF;AACA,UAAI,CAAC,MAAM,QAAQ,UAAU,cAAc,KAAK,UAAU,eAAe,KAAK,WAAS,OAAO,UAAU,QAAQ,GAAG;AACjH,cAAM,IAAI,MAAM,aAAa,OAAO,UAAU,MAAM,WAAW,CAAC,8BAA8B;AAAA,MAChG;AACA,UAAI,OAAO,UAAU,OAAO,YAAY,OAAO,UAAU,YAAY,YAAY,OAAO,UAAU,WAAW,UAAU;AACrH,cAAM,IAAI,UAAU,+CAA+C;AAAA,MACrE;AACA,aAAO;AAAA,QACL,IAAI,UAAU;AAAA,QACd,SAAS,UAAU;AAAA,QACnB,GAAI,MAAM,QAAQ,UAAU,WAAW,IAAI,EAAE,aAAa,UAAU,YAAwB,IAAI,CAAC;AAAA,QACjG,GAAI,MAAM,QAAQ,UAAU,gBAAgB,IAAI,EAAE,kBAAkB,UAAU,iBAA6B,IAAI,CAAC;AAAA,QAChH,SAAS,UAAU;AAAA,QACnB,QAAQ,UAAU;AAAA,QAClB,MAAO,UAAU,QAAoC;AAAA,QACrD,gBAAgB,UAAU;AAAA,QAC1B,GAAI,UAAU,kBAAkB,SAAY,EAAE,eAAe,QAAQ,UAAU,aAAa,EAAE,IAAI,CAAC;AAAA,MACrG;AAAA,IACF,CAAC;AAAA,EACH;AACF;;;ACjIA,SAAS,2BAA2B,uBAAuB;AAOpD,IAAM,uBAAuB;AAMpC,IAAM,mBAAmB;AAWlB,SAAS,oBAAoB,OAA8B;AAChE,QAAM,UAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK;AAAA,MACH,IAAI;AAAA,MACJ,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA,IACA,YAAY,CAAC;AAAA,EACf;AACA,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,WAAW;AAAA,EACb;AACF;AAyBA,eAAsB,qBACpB,OACA,UAC0B;AAC1B,MAAI,SAAS,WAAW;AACtB,UAAM,IAAI,MAAM,4DAA4D;AAC9E,QAAM,aAAa,SAAS,CAAC;AAC7B,QAAM,cAAc,SAAS,MAAM,CAAC;AACpC,QAAM,WAAW,MAAM,gBAAgB,QAAQ;AAE/C,QAAM,UAAU,yBAAyB,KAAK,IAAI,YAAY,KAAK,GAAG,CAAC;AAEvE,QAAM,SAAwC;AAAA,IAC5C,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,gBAAgB;AAAA,MACd,EAAE,UAAU,OAAO,UAAU,EAAE,MAAM,MAAM,EAAE;AAAA,MAC7C,EAAE,UAAU,QAAQ,UAAU,EAAE,MAAM,SAAS,EAAE;AAAA,IACnD;AAAA,IACA,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ;AAAA,IACA,MAAM;AAAA,IACN,aAAa,EAAE,eAAe,KAAK;AAAA,EACrC;AACA,SAAO,aAAa,0BAA0B,MAAM;AAEpD,QAAM,UAAU,oBAAoB,KAAK;AAEzC,SAAO;AAAA,IACL,SAAS,QAAQ;AAAA,IACjB,QAAQ,QAAQ;AAAA,IAChB,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA;AAAA,IACA,UAAU,CAAC;AAAA,IACX;AAAA,IACA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,WAAW;AAAA,MACX,YAAY;AAAA,MACZ,iBAAiB;AAAA,MACjB,gBAAgB,QAAQ;AAAA,MACxB,qBAAqB;AAAA,MACrB,kBAAkB,CAAC;AAAA,IACrB;AAAA,IACA,YAAY,OAAO;AAAA,EACrB;AACF;AAKO,SAAS,kBAAkB,UAAoC;AACpE,SAAO,SAAS,OAAO,iBAAiB;AAC1C;;;AFnHA,SAAS,OAAO,SAAyB;AACvC,SAAO,WAAW,WAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK,CAAC;AACtE;AAEA,SAAS,cAAwB;AAC/B,SAAO;AAAA,IACL,KAAK,QAAQ,IAAI,GAAG,YAAY,UAAU,UAAU;AAAA,IACpD,KAAK,QAAQ,GAAG,YAAY,UAAU,UAAU;AAAA,IAChD,KAAK,QAAQ,WAAW,UAAU,UAAU;AAAA,EAC9C;AACF;AAEA,SAAS,iBAAiB,YAAwC;AAChE,aAAW,OAAO,YAAY,GAAG;AAC/B,QAAI,CAAC,WAAW,GAAG;AACjB;AACF,QAAI;AACF,YAAM,QAAQ,YAAY,GAAG,EAAE,OAAO,OAAK,EAAE,SAAS,OAAO,CAAC;AAC9D,iBAAW,QAAQ,OAAO;AACxB,cAAM,OAAO,KAAK,KAAK,IAAI;AAC3B,cAAM,UAAU,aAAa,MAAM,OAAO;AAC1C,cAAM,QAAQ,QAAQ,MAAM,iCAAiC;AAC7D,YAAI,SAAS,MAAM,CAAC,MAAM;AACxB,iBAAO;AAAA,MACX;AAAA,IACF,QACM;AAAA,IAEN;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,mBAAmB,OAAe,cAA+B;AAC/E,MAAI,cAAc;AAChB,QAAI,WAAW,YAAY;AACzB,aAAO;AACT,UAAM,IAAI,MAAM,2BAA2B,YAAY,EAAE;AAAA,EAC3D;AAGA,QAAM,aAAa,YAAY,EAAE,IAAI,SAAO,KAAK,KAAK,GAAG,KAAK,OAAO,CAAC;AACtE,QAAM,QAAQ,WAAW,KAAK,UAAQ,WAAW,IAAI,CAAC;AACtD,MAAI;AACF,WAAO;AAGT,QAAM,SAAS,iBAAiB,KAAK;AACrC,MAAI;AACF,WAAO;AAET,QAAM,IAAI,MAAM,wBAAwB,KAAK,EAAE;AACjD;AAEO,SAAS,YAAY,OAAe,cAAsC;AAC/E,QAAM,SAAS,mBAAmB,OAAO,YAAY;AACrD,QAAM,UAAU,aAAa,QAAQ,OAAO;AAC5C,QAAM,UAAU,iBAAiB,OAAO;AAGxC,QAAM,UAAU,QAAQ,IAAI,OAAO;AACnC,QAAM,YAAY,SAAS,MAAM,MAAM,GAAG,KAAK;AAC/C,QAAM,YAAY,QAAQ,IAAI,eAAe;AAC7C,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC;AAC7B,UAAM,IAAI,MAAM,WAAW,MAAM,iCAAiC,KAAK,EAAE;AAE3E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,QAAQ,OAAO,OAAO;AAAA,EACxB;AACF;AAaA,eAAsB,uBACpB,OACA,UACA,MAC0B;AAC1B,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,wBAAwB,KAAK,EAAE;AACjD,SAAO,MAAM,qBAAqB,OAAO,QAAQ;AACnD;AAGO,SAAS,eAAe,OAAe,cAA6C;AACzF,MAAI;AACF,WAAO,YAAY,OAAO,YAAY;AAAA,EACxC,QACM;AACJ,WAAO;AAAA,EACT;AACF;;;AG9GA,SAAS,gBAAgB,cAAAC,aAAY,iBAAiB;AACtD,SAAS,WAAAC,gBAAe;AACxB,SAAS,SAAS,QAAAC,aAAY;AAS9B,SAAS,YAAoB;AAC3B,SAAOA,MAAKD,SAAQ,GAAG,WAAW,QAAQ,aAAa;AACzD;AAMO,SAAS,eAAe,OAA+E;AAC5G,QAAM,OAAmB;AAAA,IACvB,GAAG;AAAA,IACH,QAAQ,MAAM;AAAA,IACd,WAAW,MAAM,aAAa,KAAK,IAAI;AAAA,EACzC;AACA,QAAM,OAAO,UAAU;AACvB,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI;AACF,QAAI,CAACD,YAAW,GAAG,EAAG,WAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AACxD,mBAAe,MAAM,GAAG,KAAK,UAAU,IAAI,CAAC;AAAA,CAAI;AAAA,EAClD,QACM;AAAA,EAEN;AACF;;;AClCA,SAAS,cAAAG,mBAAkB;AAC3B,SAAS,cAAAC,aAAY,aAAAC,YAAW,eAAAC,cAAa,gBAAAC,eAAc,YAAY,qBAAqB;AAC5F,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AAGrB,SAAS,WAAW,OAAwB;AAC1C,QAAM,OAAO,QAAQ,QAAQ,IAAI,IAAID,SAAQ;AAC7C,SAAOC,MAAK,MAAM,YAAY,UAAU,UAAU;AACpD;AAEA,SAAS,YAAY,IAAY,OAAwB;AACvD,SAAOA,MAAK,WAAW,KAAK,GAAG,GAAG,EAAE,OAAO;AAC7C;AAEA,SAAS,OAAO,SAAyB;AACvC,SAAO,WAAWN,YAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK,CAAC;AACtE;AASA,eAAsB,eAAe,OAAsB,UAA+B,CAAC,GAA2B;AACpH,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,OAAO,YAAY,MAAM,IAAI,KAAK;AACxC,QAAM,MAAM,WAAW,KAAK;AAE5B,QAAM,WAAW,MAAM,MAAM,MAAM,YAAY;AAC/C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,8BAA8B,MAAM,EAAE,KAAK,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAErG,QAAM,UAAU,MAAM,SAAS,KAAK;AACpC,QAAMO,UAAS,OAAO,OAAO;AAE7B,MAAIA,YAAW,MAAM;AACnB,UAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE,cAAc,MAAM,MAAM,SAASA,OAAM,EAAE;AAE5F,QAAM,UAAUN,YAAW,IAAI;AAE/B,MAAI,CAACA,YAAW,GAAG;AACjB,IAAAC,WAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAEpC,gBAAc,MAAM,OAAO;AAE3B,SAAO,EAAE,IAAI,MAAM,IAAI,MAAM,MAAM,QAAAK,SAAQ,QAAQ;AACrD;AAEO,SAAS,mBAAmB,IAAY,OAA+B;AAC5E,QAAM,OAAO,YAAY,IAAI,KAAK;AAClC,MAAI,CAACN,YAAW,IAAI;AAClB,WAAO;AAET,QAAM,UAAUG,cAAa,MAAM,OAAO;AAC1C,SAAO,OAAO,OAAO;AACvB;AAEO,SAAS,YAAY,IAAY,OAAyB;AAC/D,SAAOH,YAAW,YAAY,IAAI,KAAK,CAAC;AAC1C;AAMO,SAAS,cAAc,IAAY,OAAyB;AACjE,QAAM,OAAO,YAAY,IAAI,KAAK;AAClC,MAAI,CAACO,YAAW,IAAI;AAClB,WAAO;AACT,aAAW,IAAI;AACf,SAAO;AACT;AASO,SAAS,wBAAwB,YAAoB,WAAyC;AACnG,QAAM,YAAkC,CAAC;AACzC,QAAM,OAAO;AAAA,IACXC,MAAK,QAAQ,IAAI,GAAG,YAAY,UAAU,UAAU;AAAA,IACpDA,MAAKC,SAAQ,GAAG,YAAY,UAAU,UAAU;AAAA,EAClD;AAEA,aAAW,OAAO,MAAM;AACtB,QAAI,CAACF,YAAW,GAAG;AACjB;AACF,QAAI;AACF,iBAAW,QAAQG,aAAY,GAAG,EAAE,OAAO,OAAK,EAAE,SAAS,OAAO,CAAC,GAAG;AACpE,cAAM,OAAOF,MAAK,KAAK,IAAI;AAC3B,cAAM,UAAUG,cAAa,MAAM,OAAO;AAC1C,cAAM,YAAY,QAAQ,MAAM,iCAAiC;AACjE,cAAM,UAAU,QAAQ,MAAM,yBAAyB;AACvD,YAAI,YAAY,CAAC,MAAM,cAAc,UAAU,CAAC,MAAM,WAAW;AAC/D,oBAAU,KAAK,EAAE,MAAM,MAAM,WAAW,UAAU,CAAC,KAAK,MAAM,WAAW,CAAC;AAAA,QAC5E;AAAA,MACF;AAAA,IACF,QACM;AAAA,IAEN;AAAA,EACF;AAEA,SAAO;AACT;;;AC9GA,SAAS,cAAAC,aAAY,aAAAC,YAAW,gBAAAC,eAAc,iBAAAC,sBAAqB;AACnE,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AAGrB,IAAM,eAAe,QAAQ,IAAI,uBAC5B;AAEL,IAAM,eAAe,KAAK,KAAK;AAE/B,SAAS,WAAmB;AAC1B,SAAOA,MAAKD,SAAQ,GAAG,YAAY,UAAU,OAAO;AACtD;AAEA,SAAS,YAAoB;AAC3B,SAAOC,MAAK,SAAS,GAAG,eAAe;AACzC;AAEA,SAAS,YAAkC;AACzC,QAAM,OAAO,UAAU;AACvB,MAAI,CAACL,YAAW,IAAI;AAClB,WAAO;AAET,MAAI;AACF,UAAM,MAAME,cAAa,MAAM,OAAO;AACtC,UAAM,OAAO,KAAK,MAAM,GAAG;AAC3B,QAAI,KAAK,cAAc,KAAK,IAAI,IAAI,KAAK,aAAa;AACpD,aAAO;AACT,WAAO;AAAA,EACT,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEA,SAAS,WAAW,OAA4B;AAC9C,QAAM,MAAM,SAAS;AACrB,MAAI,CAACF,YAAW,GAAG;AACjB,IAAAC,WAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAEpC,EAAAE,eAAc,UAAU,GAAG,KAAK,UAAU,EAAE,GAAG,OAAO,YAAY,KAAK,IAAI,EAAE,GAAG,MAAM,CAAC,CAAC;AAC1F;AAEA,eAAsB,cAAc,eAAe,OAA+B;AAChF,MAAI,CAAC,cAAc;AACjB,UAAM,SAAS,UAAU;AACzB,QAAI;AACF,aAAO;AAAA,EACX;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AACzC,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,6BAA6B,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAEvF,QAAM,QAAQ,MAAM,SAAS,KAAK;AAClC,aAAW,KAAK;AAChB,SAAO;AACT;AAEO,SAAS,eAAe,OAAsB,OAAgC;AACnF,QAAM,IAAI,MAAM,YAAY;AAC5B,SAAO,MAAM,SAAS;AAAA,IAAO,OAC3B,EAAE,GAAG,SAAS,CAAC,KACZ,EAAE,KAAK,YAAY,EAAE,SAAS,CAAC,KAC/B,EAAE,YAAY,YAAY,EAAE,SAAS,CAAC,KACtC,EAAE,KAAK,KAAK,OAAK,EAAE,SAAS,CAAC,CAAC,KAC9B,EAAE,SAAS,SAAS,CAAC;AAAA,EAC1B;AACF;AAOO,SAAS,YAAY,OAAsB,gBAAmD;AACnG,SAAO,MAAM,SAAS;AAAA,IACpB,OAAK,EAAE,OAAO,kBAAkB,EAAE,eAAe;AAAA,EACnD;AACF;;;AC/EA,SAAS,YAAAG,iBAAgB;AACzB,OAAOC,cAAa;AACpB,SAAS,SAAS,kBAAkB;AAuBpC,IAAM,qBAAqB,oBAAI,IAAI,CAAC,MAAM,MAAM,KAAK,KAAK,KAAK,KAAK,MAAM,GAAG,CAAC;AAUvE,SAAS,kBAAkB,KAAwC;AACxE,QAAM,UAAU,IAAI,KAAK;AACzB,MAAI,QAAQ,WAAW,EAAG,QAAO;AAEjC,MAAI;AACJ,MAAI;AACF,aAAS,WAAW,OAAO;AAAA,EAC7B,QACM;AACJ,WAAO;AAAA,EACT;AAGA,QAAM,oBAAoB,SAAS,KAAK,OAAO;AAC/C,QAAM,mBAAmB,OAAO,KAAK,OAAK,OAAO,MAAM,YAAY,MAAM,QAAQ,QAAQ,KAAK,mBAAmB,IAAI,EAAE,EAAE,CAAC;AAC1H,QAAM,aAAa,qBAAqB;AAGxC,QAAM,eAAyB,CAAC;AAChC,aAAW,KAAK,QAAQ;AACtB,QAAI,OAAO,MAAM,UAAU;AACzB,mBAAa,KAAK,CAAC;AAAA,IACrB,OACK;AACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,EAAG,QAAO;AAEtC,SAAO;AAAA,IACL,YAAY,aAAa,CAAC;AAAA,IAC1B,MAAM,aAAa,MAAM,CAAC;AAAA,IAC1B;AAAA,IACA,KAAK;AAAA,EACP;AACF;AAMO,SAAS,0BAA0B,SAAkC;AAC1E,MAAI,QAAQ,SAAS,EAAG,QAAO;AAC/B,MAAI,QAAQ,CAAC,MAAM,UAAU,QAAQ,CAAC,MAAM,KAAM,QAAO;AACzD,MAAI,QAAQ,CAAC,MAAM,KAAM,QAAO;AAEhC,SAAO,QAAQ,MAAM,CAAC,EAAE,KAAK,GAAG;AAClC;AASA,eAAsB,qBAAqB,OAA8C;AAIvF,QAAM,WAAWC,UAAS,KAAK;AAG/B,QAAM,QAAQ,eAAe,QAAQ;AACrC,MAAI,MAAO,QAAO;AAKlB,MAAI;AACF,UAAM,QAAQ,MAAM,cAAc;AAClC,UAAM,QAAQ,YAAY,OAAO,QAAQ;AACzC,QAAI,CAAC,MAAO,QAAO;AAEnB,IAAAC,SAAQ,KAAK,iCAAiC,MAAM,EAAE,mBAAmB;AACzE,UAAM,eAAe,OAAO,EAAE,OAAO,MAAM,CAAC;AAC5C,mBAAe;AAAA,MACb,QAAQ;AAAA,MACR,QAAQ,MAAM;AAAA,MACd,QAAQ,MAAM;AAAA,MACd,QAAQ;AAAA,IACV,CAAC;AAID,WAAO,eAAe,MAAM,EAAE;AAAA,EAChC,SACO,KAAK;AACV,IAAAA,SAAQ,MAAM,6CAA6C,QAAQ,KAAK,GAAG;AAC3E,WAAO;AAAA,EACT;AACF;;;AC9HA,SAAS,6BAAAC,kCAAiC;AAQ1C,SAAS,yBAAyB,OAA0C;AAC1E,QAAM,CAAC,UAAU,eAAe,GAAG,IAAI,MAAM,MAAM,KAAK,CAAC;AACzD,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,iCAAiC,KAAK,EAAE;AAAA,EAC1D;AAEA,MAAI,iBAAiB,KAAK;AACxB,WAAO,EAAE,UAAU,cAAc,CAAC,EAAE;AAAA,EACtC;AAEA,QAAM,eAAe,aAAa,MAAM,GAAG,EACxC,IAAI,CAAC,YAAY;AAChB,UAAM,CAAC,GAAG,IAAI,QAAQ,MAAM,KAAK,CAAC;AAClC,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,6BAA6B,OAAO,EAAE;AACxD,WAAO;AAAA,EACT,CAAC;AAEH,SAAO,EAAE,UAAU,aAAa;AAClC;AAEA,SAAS,eAAe,WAAyD;AAC/E,SAAO,UAAU,eAAe,IAAI,wBAAwB;AAC9D;AAEA,SAAS,kBAAkB,YAA+B,UAA4B;AACpF,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,aAAa,YAAY;AAClC,eAAW,SAAS,eAAe,SAAS,GAAG;AAC7C,UAAI,MAAM,aAAa;AACrB;AACF,iBAAW,OAAO,MAAM,cAAc;AACpC,aAAK,IAAI,GAAG;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACA,SAAO,MAAM,KAAK,IAAI,EAAE,KAAK;AAC/B;AAEA,SAAS,sBAAsB,KAA+D;AAC5F,QAAM,CAAC,KAAK,KAAK,IAAI,IAAI,MAAM,KAAK,CAAC;AACrC,MAAI,CAAC,OAAO,CAAC,OAAO;AAClB,UAAM,IAAI,MAAM,qBAAqB,GAAG,EAAE;AAAA,EAC5C;AAEA,QAAM,CAAC,UAAU,GAAG,IAAI,IAAI,MAAM,KAAK,CAAC;AACxC,MAAI,CAAC,YAAY,CAAC,KAAK;AACrB,UAAM,IAAI,MAAM,iDAAiD,GAAG,EAAE;AAAA,EACxE;AAEA,SAAO,EAAE,UAAU,KAAK,MAAM;AAChC;AAEA,SAAS,eAAe,UAA2C;AACjE,MAAI,CAAC,YAAY,OAAO,KAAK,QAAQ,EAAE,WAAW;AAChD,WAAO;AACT,SAAO,OAAO,QAAQ,QAAQ,EAC3B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,EACrC,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,GAAG,GAAG,IAAI,KAAK,EAAE,EACvC,KAAK,GAAG;AACb;AAEA,SAAS,gBAAgB,QAA+C;AACtE,QAAM,QAAQ,OAAO,eAClB,IAAI,cAAY,GAAG,SAAS,QAAQ,IAAI,eAAe,SAAS,QAAQ,CAAC,GAAG,EAC5E,KAAK,MAAM;AACd,SAAO,SAAS,OAAO,MAAM,OAAO,OAAO,MAAM,IAAI,KAAK;AAC5D;AAEO,SAAS,yBACd,QACA,QAKoB;AACpB,MAAI,OAAO,UAAU,WAAW,GAAG;AACjC,UAAM,IAAI,MAAM,qCAAqC;AAAA,EACvD;AACA,MAAI,OAAO,QAAQ,WAAW,GAAG;AAC/B,UAAM,IAAI,MAAM,mCAAmC;AAAA,EACrD;AAEA,QAAM,cAAc,oBAAI,IAAoC;AAC5D,aAAW,eAAe,OAAO,aAAa,CAAC,GAAG;AAChD,UAAM,EAAE,UAAU,KAAK,MAAM,IAAI,sBAAsB,WAAW;AAClE,UAAM,UAAU,YAAY,IAAI,QAAQ,KAAK,CAAC;AAC9C,YAAQ,GAAG,IAAI;AACf,gBAAY,IAAI,UAAU,OAAO;AAAA,EACnC;AAEA,QAAM,iBAA0C,OAAO,UAAU,IAAI,CAAC,aAAa;AACjF,UAAM,WAAW,YAAY,IAAI,QAAQ;AACzC,UAAM,YAAY,kBAAkB,OAAO,QAAQ,YAAY,QAAQ;AACvE,QAAI,UAAU;AACZ,iBAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AACvC,YAAI,CAAC,UAAU,SAAS,GAAG,GAAG;AAC5B,gBAAM,IAAI,MAAM,oBAAoB,QAAQ,IAAI,GAAG,gBAAgB,OAAO,QAAQ,IAAI,EAAE,EAAE;AAAA,QAC5F;AAAA,MACF;AAAA,IACF;AACA,WAAO,YAAY,OAAO,KAAK,QAAQ,EAAE,SAAS,IAAI,EAAE,UAAU,SAAS,IAAI,EAAE,SAAS;AAAA,EAC5F,CAAC;AAED,QAAM,oBAAoB,OAAO,UAAU,KAAK,IAAI;AACpD,QAAM,qBAAqB,OAAO,QAAQ,WAAW,OAAO,CAAC,cAAc;AACzE,UAAM,WAAW,eAAe,SAAS,EAAE,IAAI,WAAS,MAAM,QAAQ,EAAE,KAAK,IAAI;AACjF,WAAO,aAAa,qBAAqB,SAAS,WAAW,GAAG,iBAAiB,IAAI;AAAA,EACvF,CAAC;AAED,MAAI,mBAAmB,WAAW,GAAG;AACnC,UAAM,IAAI,MAAM,iDAAiD,OAAO,UAAU,KAAK,MAAM,CAAC,EAAE;AAAA,EAClG;AAEA,QAAM,UAAU,OAAO,QAAQ,IAAI,CAAC,WAAW;AAC7C,UAAM,oBAAoB,mBAAmB,OAAO,eAAa,UAAU,WAAW,MAAM;AAC5F,QAAI,kBAAkB,WAAW,GAAG;AAClC,YAAM,IAAI,MAAM,UAAU,MAAM,qCAAqC,OAAO,UAAU,KAAK,MAAM,CAAC,EAAE;AAAA,IACtG;AAEA,UAAM,gBAAgB,kBAAkB,MAAM,eAAa,UAAU,kBAAkB,IAAI;AAC3F,UAAM,QAAQ,CAAC,OAAO,UAAU,QAAQ,UAAU;AAClD,UAAM,OAAO,kBAAkB,OAA6B,CAAC,SAAS,cAAc;AAClF,aAAO,MAAM,QAAQ,UAAU,IAAI,IAAI,MAAM,QAAQ,OAAO,IAAI,UAAU,OAAO;AAAA,IACnF,GAAG,KAAK;AAER,UAAM,SAAwC;AAAA,MAC5C,MAAM;AAAA,MACN,QAAQ,OAAO,QAAQ,IAAI;AAAA,MAC3B,cAAc,cAAc,MAAM;AAAA,MAClC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,SAAS;AAAA,MACT;AAAA,MACA,GAAI,gBAAgB,EAAE,aAAa,EAAE,eAAe,KAAK,EAAE,IAAI,CAAC;AAAA,IAClE;AACA,WAAO,aAAaA,2BAA0B,MAAM;AACpD,WAAO,UAAU,gBAAgB,MAAM;AACvC,WAAO;AAAA,EACT,CAAC;AAED,SAAO;AAAA,IACL,SAAS,OAAO;AAAA,IAChB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,YAAY,OAAO,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,kBAAkB;AAAA,MAChB,YAAY,OAAO,QAAQ,IAAI;AAAA,MAC/B,iBAAiB,OAAO,QAAQ,IAAI,WAAW,OAAO,QAAQ;AAAA,MAC9D,gBAAgB,OAAO;AAAA,MACvB,qBAAqB,OAAO,QAAQ,IAAI;AAAA,MACxC,kBAAkB,OAAO;AAAA,QACvB,MAAM,KAAK,YAAY,QAAQ,CAAC,EAAE;AAAA,UAAQ,CAAC,CAAC,UAAU,QAAQ,MAC5D,OAAO,QAAQ,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,GAAG,QAAQ,IAAI,GAAG,IAAI,KAAK,CAAU;AAAA,QACvF;AAAA,MACF;AAAA,IACF;AAAA,IACA,aAAa,QAAQ,IAAI,YAAU,OAAO,UAAU;AAAA,IACpD,SAAS,QAAQ,IAAI,YAAU,OAAO,OAAO,EAAE,KAAK,IAAI;AAAA,EAC1D;AACF;;;AC3KA,SAAS,6BAAAC,4BAA2B,mBAAAC,wBAAuB;AAG3D,SAAS,gBAAgB,QAAkB,cAAqF;AAC9H,QAAM,UAAkC,CAAC;AACzC,QAAM,cAAwB,CAAC;AAC/B,QAAM,aAAa,IAAI,IAAI,gBAAgB,CAAC,CAAC;AAE7C,WAAS,QAAQ,GAAG,QAAQ,OAAO,QAAQ,SAAS,GAAG;AACrD,UAAM,QAAQ,OAAO,KAAK;AAE1B,QAAI,MAAM,WAAW,IAAI,GAAG;AAE1B,YAAM,WAAW,MAAM,MAAM,CAAC;AAC9B,YAAM,UAAU,SAAS,QAAQ,GAAG;AACpC,UAAI,WAAW,GAAG;AAChB,gBAAQ,SAAS,MAAM,GAAG,OAAO,CAAC,IAAI,SAAS,MAAM,UAAU,CAAC;AAChE;AAAA,MACF;AAEA,YAAM,OAAO,OAAO,QAAQ,CAAC;AAC7B,UAAI,QAAQ,CAAC,KAAK,WAAW,GAAG,GAAG;AACjC,gBAAQ,QAAQ,IAAI;AACpB,iBAAS;AACT;AAAA,MACF;AAEA,cAAQ,QAAQ,IAAI;AAAA,IACtB,WACS,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,KAAK,CAAC,OAAO,KAAK,KAAK,GAAG;AAEzE,YAAM,MAAM,MAAM,MAAM,CAAC;AAEzB,UAAI,IAAI,WAAW,KAAK,CAAC,WAAW,IAAI,GAAG,GAAG;AAE5C,gBAAQ,GAAG,IAAI;AAAA,MACjB,OACK;AAEH,cAAM,OAAO,OAAO,QAAQ,CAAC;AAC7B,YAAI,QAAQ,CAAC,KAAK,WAAW,GAAG,GAAG;AACjC,kBAAQ,GAAG,IAAI;AACf,mBAAS;AAAA,QACX,OACK;AACH,kBAAQ,GAAG,IAAI;AAAA,QACjB;AAAA,MACF;AAAA,IACF,OACK;AACH,kBAAY,KAAK,KAAK;AAAA,IACxB;AAAA,EACF;AAEA,SAAO,EAAE,SAAS,YAAY;AAChC;AAEA,SAAS,oBAAoB,SAAiB,UAA0C;AACtF,QAAM,QAAQ,QAAQ,MAAM,8BAA8B;AAC1D,MAAI,CAAC;AACH,WAAO;AAET,QAAM,CAAC,EAAE,MAAM,SAAS,IAAI;AAC5B,QAAM,QAAQ,SAAS,IAAI;AAC3B,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,oBAAoB,IAAI,EAAE;AAC5C,MAAI,CAAC;AACH,WAAO;AAET,MAAI,cAAc,WAAW,cAAc,QAAQ;AACjD,UAAM,CAAC,OAAO,IAAI,IAAI,MAAM,MAAM,GAAG;AACrC,QAAI,CAAC,SAAS,CAAC;AACb,YAAM,IAAI,MAAM,WAAW,IAAI,6BAA6B;AAC9D,WAAO,cAAc,UAAU,QAAQ;AAAA,EACzC;AAEA,QAAM,IAAI,MAAM,kCAAkC,SAAS,EAAE;AAC/D;AAEA,SAAS,eAAe,UAAkB,UAA0C;AAClF,SAAO,SAAS,QAAQ,gBAAgB,CAAC,GAAG,eAAuB,oBAAoB,IAAI,UAAU,KAAK,QAAQ,CAAC;AACrH;AAEA,SAAS,mBAAmB,OAAiB,UAA2D;AACtG,SAAO,MAAM,IAAI,CAAC,UAAU;AAC1B,UAAM,CAAC,UAAU,eAAe,GAAG,IAAI,MAAM,MAAM,KAAK,CAAC;AACzD,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,iCAAiC,KAAK,EAAE;AAE1D,QAAI,iBAAiB,KAAK;AACxB,aAAO,EAAE,SAAS;AAAA,IACpB;AAEA,UAAM,WAAW,OAAO;AAAA,MACtB,aAAa,MAAM,GAAG,EAAE,IAAI,CAAC,YAAY;AACvC,cAAM,CAAC,KAAK,QAAQ,IAAI,QAAQ,MAAM,KAAK,CAAC;AAC5C,YAAI,CAAC,OAAO,CAAC;AACX,gBAAM,IAAI,MAAM,6BAA6B,OAAO,EAAE;AACxD,eAAO,CAAC,KAAK,eAAe,UAAU,QAAQ,CAAC;AAAA,MACjD,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,UAAU,SAAS;AAAA,EAC9B,CAAC;AACH;AAEA,SAAS,eAAe,WAA4B,MAA+C;AACjG,MAAI,KAAK,SAAS,UAAU,QAAQ;AAClC,WAAO;AAET,QAAM,SAAS,KAAK,MAAM,GAAG,UAAU,QAAQ,MAAM;AACrD,MAAI,OAAO,KAAK,IAAI,MAAM,UAAU,QAAQ,KAAK,IAAI;AACnD,WAAO;AAET,QAAM,YAAY,KAAK,MAAM,UAAU,QAAQ,MAAM;AACrD,QAAM,EAAE,SAAS,YAAY,IAAI,gBAAgB,WAAW,UAAU,gBAAgB;AAEtF,QAAM,sBAAsB,UAAU,eAAe,CAAC;AACtD,MAAI,YAAY,WAAW,oBAAoB;AAC7C,WAAO;AAET,aAAW,UAAU,UAAU,oBAAoB,CAAC,GAAG;AACrD,QAAI,CAAC,QAAQ,MAAM;AACjB,aAAO;AAAA,EACX;AAEA,QAAM,WAAmC,EAAE,GAAG,QAAQ;AACtD,WAAS,QAAQ,GAAG,QAAQ,oBAAoB,QAAQ,SAAS,GAAG;AAClE,UAAM,OAAO,oBAAoB,KAAK;AACtC,UAAM,QAAQ,YAAY,KAAK;AAC/B,QAAI,KAAK,WAAW,GAAG,GAAG;AACxB,UAAI,UAAU,KAAK,MAAM,CAAC;AACxB,eAAO;AACT;AAAA,IACF;AACA,aAAS,IAAI,IAAI;AAAA,EACnB;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,MAA0B;AACrD,SAAO,KAAK,QAAQ,CAAC,UAAU;AAE7B,QAAI,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,WAAW,IAAI,KAAK,MAAM,SAAS,KAAK,aAAa,KAAK,KAAK,GAAG;AACpG,aAAO,MAAM,KAAK,MAAM,MAAM,CAAC,GAAG,OAAK,IAAI,CAAC,EAAE;AAAA,IAChD;AACA,WAAO,CAAC,KAAK;AAAA,EACf,CAAC;AACH;AAEA,SAAS,SAAS,YAA+B,MAAgB;AAC/D,SAAO,WAAW,QAAQ,CAAC,cAAc;AACvC,QAAI;AACF,YAAM,WAAW,eAAe,WAAW,IAAI;AAC/C,aAAO,WAAW,CAAC,EAAE,WAAW,SAAS,CAAC,IAAI,CAAC;AAAA,IACjD,QACM;AACJ,aAAO,CAAC;AAAA,IACV;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,eAAe,QAAuB,UAA8C;AACxG,QAAM,CAAC,YAAY,GAAG,WAAW,IAAI;AACrC,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AACA,MAAI,eAAe,OAAO,QAAQ,IAAI,YAAY;AAChD,UAAM,IAAI,MAAM,WAAW,OAAO,QAAQ,IAAI,EAAE,uBAAuB,OAAO,QAAQ,IAAI,UAAU,SAAS,UAAU,EAAE;AAAA,EAC3H;AAGA,MAAI,UAAU,SAAS,OAAO,QAAQ,YAAY,WAAW;AAG7D,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,WAAW,oBAAoB,WAAW;AAChD,QAAI,SAAS,WAAW,YAAY,QAAQ;AAC1C,gBAAU,SAAS,OAAO,QAAQ,YAAY,QAAQ;AAAA,IACxD;AAAA,EACF;AAEA,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,IAAI,MAAM,iCAAiC,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACvE;AACA,MAAI,QAAQ,SAAS,GAAG;AAEtB,YAAQ,KAAK,CAAC,GAAG,MAAM,EAAE,UAAU,QAAQ,SAAS,EAAE,UAAU,QAAQ,MAAM;AAC9E,cAAU,CAAC,QAAQ,CAAC,CAAE;AAAA,EACxB;AAEA,QAAM,EAAE,WAAW,SAAS,IAAI,QAAQ,CAAC;AACzC,QAAM,iBAAiB,mBAAmB,UAAU,gBAAgB,QAAQ;AAC5E,QAAM,SAAwC;AAAA,IAC5C,MAAM;AAAA,IACN,QAAQ,OAAO,QAAQ,IAAI;AAAA,IAC3B,cAAc,UAAU;AAAA,IACxB;AAAA,IACA,QAAQ,UAAU;AAAA,IAClB,YAAY;AAAA,IACZ,SAAS,eAAe,UAAU,SAAS,QAAQ;AAAA,IACnD,MAAM,UAAU;AAAA,IAChB,GAAI,UAAU,gBAAgB,EAAE,aAAa,EAAE,eAAe,KAAK,EAAE,IAAI,CAAC;AAAA,EAC5E;AACA,SAAO,aAAaD,2BAA0B,MAAM;AAEpD,SAAO;AAAA,IACL,SAAS,OAAO;AAAA,IAChB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,WAAW,MAAMC,iBAAgB,QAAQ;AAAA,MACzC,YAAY,OAAO,QAAQ,IAAI;AAAA,MAC/B,iBAAiB,OAAO,QAAQ,IAAI,WAAW,OAAO,QAAQ;AAAA,MAC9D,gBAAgB,OAAO;AAAA,MACvB,qBAAqB;AAAA,MACrB,kBAAkB;AAAA,IACpB;AAAA,IACA,YAAY,OAAO;AAAA,EACrB;AACF;;;AClOA,SAAS,qBAAqB;AAIvB,IAAM,iBAAiB,cAAc;AAAA,EAC1C,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA,MAAM;AAAA,IACJ,SAAS;AAAA,MACP,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA,GAAG;AAAA,MACD,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,MAAM,IAAI,EAAE,QAAQ,GAAG;AACrB,UAAM,UAAU,sBAAsB,WAAW,CAAC,CAAC;AACnD,QAAI,QAAQ,WAAW;AACrB,YAAM,IAAI,MAAM,gFAAgF;AAElG,UAAM,aAAa,cAAc,WAAW,CAAC,GAAG,SAAS;AACzD,UAAM,SAAS,YAAY,QAAQ,CAAC,GAAI,UAAU;AAClD,UAAM,WAAW,MAAM,eAAe,QAAQ,OAAO;AAErD,YAAQ,OAAO,MAAM,GAAG,KAAK,UAAU;AAAA,MACrC,SAAS,SAAS,QAAQ,IAAI;AAAA,MAC9B,QAAQ,SAAS;AAAA,MACjB,WAAW,SAAS,OAAO;AAAA,MAC3B,SAAS,SAAS,OAAO;AAAA,MACzB,YAAY,SAAS;AAAA,MACrB,gBAAgB,SAAS,OAAO;AAAA,MAChC,eAAe,SAAS,OAAO,aAAa,iBAAiB;AAAA,MAC7D,gBAAgB,SAAS;AAAA,IAC3B,GAAG,MAAM,CAAC,CAAC;AAAA,CAAI;AAAA,EACjB;AACF,CAAC;AAEM,SAAS,sBAAsB,MAA0B;AAC9D,QAAM,YAAY,KAAK,QAAQ,IAAI;AACnC,SAAO,aAAa,IAAI,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC;AACvD;AAEO,SAAS,cAAc,MAAgB,MAAkC;AAC9E,QAAM,YAAY,KAAK,QAAQ,IAAI;AACnC,QAAM,aAAa,aAAa,IAAI,KAAK,MAAM,GAAG,SAAS,IAAI;AAC/D,QAAM,QAAQ,WAAW,QAAQ,KAAK,IAAI,EAAE;AAC5C,MAAI,SAAS,KAAK,QAAQ,IAAI,WAAW;AACvC,WAAO,WAAW,QAAQ,CAAC;AAC7B,SAAO;AACT;;;ACrDA,SAAS,sBAAsB;AAC/B,SAAS,8BAA8B,sBAAsB;AAC7D,SAAS,oBAAoB;AAC7B,SAAS,gBAAgB;AACzB,OAAOC,cAAa;;;ACLpB,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AACzC,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AASrB,IAAM,YAAYA,MAAKD,SAAQ,GAAG,WAAW,QAAQ,WAAW;AAEzD,SAASE,YAA4B;AAC1C,MAAI,CAACJ,YAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAMC,cAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAASI,WAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AACrB,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AACrB,SAAOD,UAAS,GAAG,OAAO;AAC5B;AAEO,SAASE,gBAA8B;AAC5C,QAAM,OAAOF,UAAS;AACtB,MAAI,CAAC;AACH,WAAO;AACT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa;AAC3D,WAAO;AACT,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAOA,UAAS,GAAG,SAAS;AAC9B;;;AC3CA,eAAsBG,mBAAkB,QAAkD;AACxF,QAAM,WAAW,MAAM,MAAM,GAAG,MAAM,mCAAmC;AACzE,MAAI,CAAC,SAAS;AACZ,WAAO,CAAC;AACV,SAAO,SAAS,KAAK;AACvB;AAEA,eAAsBC,mBAAkB,QAAiC;AACvE,QAAM,YAAY,MAAMD,mBAAkB,MAAM;AAChD,SAAO,OAAO,UAAU,2BAA2B,GAAG,MAAM,aAAa;AAC3E;AAEA,eAAsBE,UACpB,MACA,UAKI,CAAC,GACO;AACZ,QAAM,QAAQ,QAAQ,SAASC,cAAa;AAC5C,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,4CAA4C;AAE9D,QAAM,MAAM,QAAQ,OAAOC,WAAU;AACrC,MAAI,CAAC,KAAK,WAAW,MAAM,KAAK,CAAC;AAC/B,UAAM,IAAI,MAAM,uDAAuD;AAEzE,QAAM,MAAM,KAAK,WAAW,MAAM,IAAI,OAAO,GAAG,GAAG,GAAG,IAAI;AAC1D,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC,QAAQ,QAAQ,UAAU;AAAA,IAC1B,SAAS;AAAA,MACP,eAAe,UAAU,KAAK;AAAA,MAC9B,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,QAAQ,OAAO,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,EACtD,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,IAAI,MAAM,QAAQ,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrE;AAEA,SAAO,SAAS,KAAK;AACvB;;;AC/CA,SAAS,OAAO,kBAAkB;AAClC,SAAS,WAAAC,gBAAe;AACxB,SAAS,WAAAC,UAAS,QAAAC,aAAY;AA4BvB,SAAS,wBAAgC;AAC9C,SAAOA,MAAKF,SAAQ,GAAG,WAAW,QAAQ,mBAAmB;AAC/D;AASA,eAAsB,qBACpB,OACA,SACe;AACf,QAAM,OAAO,WAAW,sBAAsB;AAC9C,QAAM,MAAMC,SAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9C,QAAM,WAAW,MAAM,GAAG,KAAK,UAAU,KAAK,CAAC;AAAA,GAAM,OAAO;AAC9D;;;AHjCA,SAAS,cAAc,OAAwC;AAC7D,QAAM,CAAC,EAAE,OAAO,IAAI,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,aAAa;AAC/B,SAAO,KAAK,MAAM,OAAO,KAAK,SAAS,WAAW,EAAE,SAAS,OAAO,CAAC;AACvE;AAQA,eAAsB,kBACpB,UACA,QAK6E;AAC7E,QAAM,iBAAiB,MAAME,mBAAkB,OAAO,GAAG;AACzD,QAAM,YAAY,qBAAqB;AACvC,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,0DAA0D;AAAA,EAC5E;AACA,SAAOC,UAA6E,gBAAgB;AAAA,IAClG,QAAQ;AAAA,IACR,KAAK,OAAO;AAAA,IACZ,MAAM;AAAA,MACJ;AAAA,MACA,aAAa,SAAS;AAAA,MACtB,UAAU,SAAS,QAAQ,IAAI,YAAY;AAAA,MAC3C,YAAY,OAAO;AAAA,MACnB,SAAS,SAAS,iBAAiB;AAAA,MACnC,QAAQ,OAAO,UAAU,SAAS,OAAO;AAAA,MACzC,aAAa,CAAC,SAAS,UAAU;AAAA,MACjC,uBAAuB,CAAC,SAAS,MAAM;AAAA,MACvC,mBAAmB,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,mBAAmB,KAAa,SAA6D;AACjH,QAAM,iBAAiB,MAAMD,mBAAkB,GAAG;AAClD,QAAM,WAAW,KAAK,IAAI,IAAI;AAE9B,SAAO,KAAK,IAAI,IAAI,UAAU;AAC5B,UAAM,QAAQ,MAAMC,UAAoE,GAAG,cAAc,IAAI,OAAO,IAAI,EAAE,IAAI,CAAC;AAC/H,QAAI,MAAM,WAAW,cAAc,MAAM,WAAW,YAAY,MAAM,WAAW;AAC/E,aAAO,MAAM;AACf,UAAM,IAAI,QAAQ,aAAW,WAAW,SAAS,GAAI,CAAC;AAAA,EACxD;AAEA,QAAM,IAAI,MAAM,sCAAsC;AACxD;AAEA,eAAsB,gBAAgB,KAAa,SAAkC;AACnF,QAAM,iBAAiB,MAAMD,mBAAkB,GAAG;AAClD,QAAM,WAAW,MAAMC,UAAgC,GAAG,cAAc,IAAI,OAAO,UAAU;AAAA,IAC3F,QAAQ;AAAA,IACR;AAAA,EACF,CAAC;AACD,SAAO,SAAS;AAClB;AAEA,SAAS,kBAAkB,QAAkE;AAC3F,QAAM,UAAU,OAAO;AACvB,MAAI,CAAC,MAAM,QAAQ,OAAO;AACxB,WAAO,CAAC;AAEV,SAAO,QAAQ;AAAA,IAAO,CAAC,WACrB,OAAO,WAAW,YACf,WAAW,QACV,OAAmC,SAAS;AAAA,EAClD;AACF;AAEA,SAAS,sBAAsB,QAA0C;AACvE,SAAO,kBAAkB,MAAM,EAAE,SAAS;AAC5C;AAYA,eAAsB,iBAAiB,OAAe,UAA0C;AAC9F,QAAM,UAAU,cAAc,KAAK;AACnC,QAAM,SAAS,OAAO,QAAQ,OAAO,EAAE;AACvC,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,+BAA+B;AAEjD,QAAM,YAAY,MAAMC,mBAAkB,MAAM;AAChD,QAAM,UAAU,OAAO,UAAU,YAAY,GAAG,MAAM,wBAAwB;AAC9E,QAAM,SAAS,MAAM,eAAe,OAAO;AAAA,IACzC,aAAa;AAAA,IACb,aAAa,SAAS,QAAQ,IAAI,YAAY;AAAA,IAC9C;AAAA,EACF,CAAC;AAED,MAAI,CAAC,OAAO,SAAS,CAAC,OAAO,QAAQ;AACnC,UAAM,IAAI,MAAM,OAAO,SAAS,2BAA2B;AAAA,EAC7D;AAEA,QAAM,SAAS,OAAO;AACtB,QAAM,UAAU,kBAAkB,MAA4C;AAE9E,MAAI,OAAO,mBAAmB,kBAAkB,OAAO,kBAAkB,mBAAmB,SAAS,QAAQ;AAC3G,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI,CAAC,sBAAsB,MAA4C,GAAG;AACxE,UAAM,OAAO,SAAS,iBAAiB;AACvC,QAAI,CAAC,MAAM,QAAQ;AACjB,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACpD;AACA,UAAM,kBAAkB,MAAM,eAAe,KAAK,KAAK,GAAG,CAAC;AAC3D,QAAI,OAAO,SAAS,KAAK,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG;AAClD,YAAM,IAAI,MAAM,6CAA6C;AAAA,IAC/D;AACA,QAAI,OAAO,YAAY,OAAO,aAAa,iBAAiB;AAC1D,YAAM,IAAI,MAAM,6CAA6C;AAAA,IAC/D;AACA,QAAI,CAAC,OAAO,SAAS,UAAU,CAAC,OAAO,UAAU;AAC/C,YAAM,IAAI,MAAM,oEAAoE;AAAA,IACtF;AAAA,EACF,OACK;AACH,QAAI,CAAC,QAAQ,KAAK,YAAU,6BAA6B,QAAQ,SAAS,MAAM,CAAC,GAAG;AAClF,YAAM,IAAI,MAAM,6CAA6C,SAAS,UAAU,EAAE;AAAA,IACpF;AAEA,UAAM,gBAAgB,QAAQ;AAAA,MAAK,YACjC,6BAA6B,QAAQ,SAAS,MAAM,KAAK,OAAO,aAAa;AAAA,IAC/E;AAEA,UAAM,SAAS,OAAO,eAAe,UAAU,OAAO,aAAa;AACnE,UAAM,kBAAkB,iBAAkB,UAAU,CAAC,CAAC,OAAO,mBAAmB;AAEhF,QAAI,mBAAmB,OAAO,mBAAmB,cAAc,SAAS,iBAAiB,WAAW;AAClG,YAAM,IAAI,MAAM,6CAA6C;AAAA,IAC/D;AAAA,EACF;AAEA,QAAM,iBAAiB,MAAMF,mBAAkB,MAAM;AACrD,QAAM,UAAU,MAAM,MAAM,GAAG,cAAc,IAAI,OAAO,QAAQ,YAAY;AAAA,IAC1E,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,eAAe,UAAU,KAAK;AAAA,IAChC;AAAA,EACF,CAAC;AAED,MAAI,CAAC,QAAQ,IAAI;AACf,UAAM,IAAI,MAAM,mBAAmB,QAAQ,MAAM,IAAI,QAAQ,UAAU,EAAE;AAAA,EAC3E;AAEA,QAAM,gBAAgB,MAAM,QAAQ,KAAK;AACzC,MAAI,cAAc,OAAO;AACvB,UAAM,IAAI,MAAM,mCAAmC,cAAc,KAAK,EAAE;AAAA,EAC1E;AACF;AAOO,SAAS,uBAAuB,UAAiC;AACtE,EAAAG,SAAQ,KAAK,cAAc,SAAS,iBAAiB,QAAQ,CAAC,SAAS,YAAY,GAAG,SAAS,WAAW,GAAG,KAAK,GAAG,CAAC,EAAE;AACxH,eAAa,SAAS,YAAY,SAAS,aAAa,EAAE,OAAO,UAAU,CAAC;AAC9E;AAgBA,eAAsB,iBACpB,OACA,UACA,SACe;AACf,QAAM,iBAAiB,OAAO,QAAQ;AAEtC,QAAM,YAAY,kBAAkB,QAAQ;AAC5C,QAAM,QAAQ,KAAK,IAAI;AACvB,MAAI,WAAW;AACf,MAAI;AACF,2BAAuB,QAAQ;AAAA,EACjC,SACO,KAAK;AACV,eAAY,KAA6B,UAAU;AACnD,UAAM;AAAA,EACR,UACA;AACE,QAAI,aAAa,SAAS;AAGxB,UAAI;AACF,cAAM;AAAA,UACJ;AAAA,YACE,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,YAC3B,KAAK,SAAS,OAAO;AAAA,YACrB,MAAM,SAAS,iBAAiB,QAAQ,CAAC,SAAS,YAAY,GAAG,SAAS,WAAW;AAAA,YACrF,WAAW,SAAS,iBAAiB,aAAa;AAAA,YAClD,UAAU;AAAA,YACV,WAAW;AAAA,YACX,aAAa,KAAK,IAAI,IAAI;AAAA,UAC5B;AAAA,UACA,uBAAuB;AAAA,QACzB;AAAA,MACF,SACO,QAAQ;AACb,QAAAA,SAAQ,MAAM,8CAA8C,MAAM;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AACF;AAWA,eAAsB,iBACpB,OAO0B;AAC1B,QAAM,OAAO,MAAM,SAAS;AAC5B,MAAI,CAAC,QAAQ,KAAK,WAAW;AAC3B,UAAM,IAAI,MAAM,uCAAuC;AAEzD,QAAM,aAAa,KAAK,CAAC;AACzB,QAAM,UAAU,MAAM,qBAAqB,UAAU;AACrD,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,+BAA+B,UAAU,EAAE;AAE7D,QAAM,WAAW,MAAM,eAAe,SAAS,IAAI;AAEnD,QAAM,cAAc,MAAM,QAAQ,mBAAmB;AACrD,MAAI,eAAe,gBAAgB,SAAS,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,8DAA8D,WAAW,0BAA0B,SAAS,MAAM;AAAA,IACpH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,kBACpB,UACA,KACwB;AACxB,QAAM,iBAAiB,MAAMH,mBAAkB,GAAG;AAClD,QAAM,WAAW,MAAMC;AAAA,IACrB,GAAG,cAAc;AAAA,IACjB,EAAE,IAAI;AAAA,EACR;AAEA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,mBAAmB,SAAS,QAAQ,IAAI,YAAY;AAE1D,aAAW,SAAS,SAAS,MAAM;AACjC,UAAM,MAAM,MAAM;AAClB,QAAI,IAAI,eAAe;AACrB;AACF,QAAI,IAAI,eAAe,WAAW,MAAM,cAAc,MAAM,cAAc;AACxE;AACF,QAAI,IAAI,aAAa;AACnB;AACF,QAAI,IAAI,mBAAmB,kBAAkB,IAAI,kBAAkB,mBAAmB,SAAS;AAC7F;AAEF,UAAM,cAAc,IAAI,yBAAyB,CAAC,GAAG;AAAA,MACnD,CAAC,MAA0C,EAAE,SAAS;AAAA,IACxD;AAEA,QAAI,WAAW,SAAS,GAAG;AACzB,UAAI,WAAW,KAAK,YAAU,6BAA6B,QAAQ,SAAS,MAAM,CAAC;AACjF,eAAO,MAAM;AAAA,IACjB,WACS,IAAI,aAAa,SAAS,SAAS,UAAU,GAAG;AACvD,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AAEA,SAAO;AACT;;;AItUA,SAAS,kBAAAG,uBAAsB;AAG/B,eAAsB,8BACpB,SACA,SAG4B;AAC5B,SAAO;AAAA,IACL,SAAS;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,MACrB,UAAU,QAAQ;AAAA,MAClB,YAAY,QAAQ;AAAA,MACpB;AAAA,MACA,UAAU,MAAMA,gBAAe,QAAQ,KAAK,GAAG,CAAC;AAAA,MAChD,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,MACnD,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACrD;AAAA,EACF;AACF;AAEA,eAAsB,+BACpB,UACA,SAC4B;AAC5B,QAAM,UAAU,YAAY,WAAW,CAAC,SAAS,MAAM,IAAI,SAAS;AACpE,QAAM,cAAc,gBAAgB,WAAW,CAAC,SAAS,UAAU,IAAI,SAAS;AAChF,QAAM,UAAU,sBAAsB,YAAY,SAAS,iBAAiB,MAAM,SAC9E,SAAS,iBAAiB,OAC1B;AAEJ,SAAO;AAAA,IACL,SAAS;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,MACrB,UAAU,SAAS,QAAQ,IAAI,YAAY;AAAA,MAC3C,YAAY,QAAQ;AAAA,MACpB;AAAA,MACA,uBAAuB;AAAA,MACvB,mBAAmB,SAAS;AAAA,MAC5B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC7B,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,aAAa,WAAW,SAAS,UAAU,QAAQ,CAAC,GAAG,QAAQ;AAAA,MAC3H,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACrD;AAAA,EACF;AACF;","names":["readFileSync","homedir","Buffer","base","existsSync","homedir","join","createHash","existsSync","mkdirSync","readdirSync","readFileSync","homedir","join","digest","existsSync","join","homedir","readdirSync","readFileSync","existsSync","mkdirSync","readFileSync","writeFileSync","homedir","join","basename","consola","basename","consola","canonicalizeCliPermission","canonicalizeCliPermission","computeArgvHash","consola","existsSync","readFileSync","homedir","join","loadAuth","getIdpUrl","getAuthToken","discoverEndpoints","getGrantsEndpoint","apiFetch","getAuthToken","getIdpUrl","homedir","dirname","join","getGrantsEndpoint","apiFetch","discoverEndpoints","consola","computeCmdHash"]}
package/dist/{chunk-M2NBHR2E.js → chunk-OFIVF6NH.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  #!/usr/bin/env node
2
2
  import {
3
3
  loadConfig
4
- } from "./chunk-6JSOSD7R.js";
4
+ } from "./chunk-6GPSKAMU.js";
5
5
 
6
6
  // src/notifications.ts
7
7
  import { spawn } from "child_process";
@@ -56,7 +56,11 @@ function isApesSelfDispatch(parsed) {
56
56
  const subCommand = parsed.argv[0];
57
57
  if (!subCommand)
58
58
  return false;
59
- return !APES_GATED_SUBCOMMANDS.has(subCommand);
59
+ if (!APES_GATED_SUBCOMMANDS.has(subCommand))
60
+ return true;
61
+ if (subCommand === "run" && parsed.argv.includes("--as"))
62
+ return true;
63
+ return false;
60
64
  }
61
65
  function checkSudoRejection(parsed) {
62
66
  if (!parsed || parsed.isCompound) return null;
@@ -73,4 +77,4 @@ export {
73
77
  isApesSelfDispatch,
74
78
  checkSudoRejection
75
79
  };
76
- //# sourceMappingURL=chunk-M2NBHR2E.js.map
80
+ //# sourceMappingURL=chunk-OFIVF6NH.js.map