@openape/apes 0.16.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{auth-lock-NYI376IM.js → auth-lock-GPLHRXOM.js} +2 -2
- package/dist/chunk-7NUT2PFT.js +220 -0
- package/dist/chunk-7NUT2PFT.js.map +1 -0
- package/dist/{chunk-OFIVF6NH.js → chunk-EDYICCBC.js} +2 -2
- package/dist/{chunk-6GPSKAMU.js → chunk-IDPV5SNB.js} +1 -1
- package/dist/{chunk-O7GSG3OE.js → chunk-IT6T6AKX.js} +31 -240
- package/dist/chunk-IT6T6AKX.js.map +1 -0
- package/dist/cli.js +103 -25
- package/dist/cli.js.map +1 -1
- package/dist/config-JH2IEPIR.js +30 -0
- package/dist/config-JH2IEPIR.js.map +1 -0
- package/dist/http-JZT4XV5I.js +23 -0
- package/dist/http-JZT4XV5I.js.map +1 -0
- package/dist/index.js +7 -5
- package/dist/{orchestrator-PUAO57CY.js → orchestrator-FJVDWH45.js} +8 -6
- package/dist/{orchestrator-PUAO57CY.js.map → orchestrator-FJVDWH45.js.map} +1 -1
- package/dist/{server-NZMLYPN4.js → server-RPC46G4J.js} +8 -6
- package/dist/{server-NZMLYPN4.js.map → server-RPC46G4J.js.map} +1 -1
- package/package.json +3 -3
- package/dist/chunk-O7GSG3OE.js.map +0 -1
- /package/dist/{auth-lock-NYI376IM.js.map → auth-lock-GPLHRXOM.js.map} +0 -0
- /package/dist/{chunk-OFIVF6NH.js.map → chunk-EDYICCBC.js.map} +0 -0
- /package/dist/{chunk-6GPSKAMU.js.map → chunk-IDPV5SNB.js.map} +0 -0
|
@@ -1,209 +1,7 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
import {
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
getIdpUrl,
|
|
6
|
-
loadAuth,
|
|
7
|
-
loadConfig,
|
|
8
|
-
saveAuth
|
|
9
|
-
} from "./chunk-6GPSKAMU.js";
|
|
10
|
-
|
|
11
|
-
// src/http.ts
|
|
12
|
-
import consola from "consola";
|
|
13
|
-
var debug = process.argv.includes("--debug");
|
|
14
|
-
var ApiError = class extends Error {
|
|
15
|
-
constructor(statusCode, message, problemDetails) {
|
|
16
|
-
super(message);
|
|
17
|
-
this.statusCode = statusCode;
|
|
18
|
-
this.problemDetails = problemDetails;
|
|
19
|
-
this.name = "ApiError";
|
|
20
|
-
}
|
|
21
|
-
};
|
|
22
|
-
var _discoveryCache = {};
|
|
23
|
-
async function discoverEndpoints(idpUrl) {
|
|
24
|
-
if (_discoveryCache[idpUrl]) {
|
|
25
|
-
return _discoveryCache[idpUrl];
|
|
26
|
-
}
|
|
27
|
-
try {
|
|
28
|
-
const response = await fetch(`${idpUrl}/.well-known/openid-configuration`);
|
|
29
|
-
if (response.ok) {
|
|
30
|
-
const data = await response.json();
|
|
31
|
-
_discoveryCache[idpUrl] = data;
|
|
32
|
-
return data;
|
|
33
|
-
}
|
|
34
|
-
} catch {
|
|
35
|
-
}
|
|
36
|
-
_discoveryCache[idpUrl] = {};
|
|
37
|
-
return {};
|
|
38
|
-
}
|
|
39
|
-
async function getGrantsEndpoint(idpUrl) {
|
|
40
|
-
const disco = await discoverEndpoints(idpUrl);
|
|
41
|
-
return disco.openape_grants_endpoint || `${idpUrl}/api/grants`;
|
|
42
|
-
}
|
|
43
|
-
async function getAgentChallengeEndpoint(idpUrl) {
|
|
44
|
-
const disco = await discoverEndpoints(idpUrl);
|
|
45
|
-
return disco.ddisa_agent_challenge_endpoint || `${idpUrl}/api/agent/challenge`;
|
|
46
|
-
}
|
|
47
|
-
async function getAgentAuthenticateEndpoint(idpUrl) {
|
|
48
|
-
const disco = await discoverEndpoints(idpUrl);
|
|
49
|
-
return disco.ddisa_agent_authenticate_endpoint || `${idpUrl}/api/agent/authenticate`;
|
|
50
|
-
}
|
|
51
|
-
async function getDelegationsEndpoint(idpUrl) {
|
|
52
|
-
const disco = await discoverEndpoints(idpUrl);
|
|
53
|
-
return disco.openape_delegations_endpoint || `${idpUrl}/api/delegations`;
|
|
54
|
-
}
|
|
55
|
-
async function refreshAgentToken() {
|
|
56
|
-
const auth = loadAuth();
|
|
57
|
-
if (!auth)
|
|
58
|
-
return null;
|
|
59
|
-
const config = loadConfig();
|
|
60
|
-
const keyPath = config.agent?.key;
|
|
61
|
-
if (!keyPath)
|
|
62
|
-
return null;
|
|
63
|
-
try {
|
|
64
|
-
const { readFileSync: readFileSync5 } = await import("fs");
|
|
65
|
-
const { sign } = await import("crypto");
|
|
66
|
-
const { homedir: homedir7 } = await import("os");
|
|
67
|
-
const { loadEd25519PrivateKey } = await import("./ssh-key-YBNNG5K5.js");
|
|
68
|
-
const resolved = keyPath.replace(/^~/, homedir7());
|
|
69
|
-
const keyContent = readFileSync5(resolved, "utf-8");
|
|
70
|
-
const privateKey = loadEd25519PrivateKey(keyContent);
|
|
71
|
-
const challengeUrl = await getAgentChallengeEndpoint(auth.idp);
|
|
72
|
-
const challengeResp = await fetch(challengeUrl, {
|
|
73
|
-
method: "POST",
|
|
74
|
-
headers: { "Content-Type": "application/json" },
|
|
75
|
-
body: JSON.stringify({ agent_id: auth.email })
|
|
76
|
-
});
|
|
77
|
-
if (!challengeResp.ok)
|
|
78
|
-
return null;
|
|
79
|
-
const { challenge } = await challengeResp.json();
|
|
80
|
-
const { Buffer: Buffer2 } = await import("buffer");
|
|
81
|
-
const signature = sign(null, Buffer2.from(challenge), privateKey).toString("base64");
|
|
82
|
-
const authenticateUrl = await getAgentAuthenticateEndpoint(auth.idp);
|
|
83
|
-
const authResp = await fetch(authenticateUrl, {
|
|
84
|
-
method: "POST",
|
|
85
|
-
headers: { "Content-Type": "application/json" },
|
|
86
|
-
body: JSON.stringify({ agent_id: auth.email, challenge, signature })
|
|
87
|
-
});
|
|
88
|
-
if (!authResp.ok)
|
|
89
|
-
return null;
|
|
90
|
-
const { token, expires_in } = await authResp.json();
|
|
91
|
-
saveAuth({
|
|
92
|
-
...auth,
|
|
93
|
-
access_token: token,
|
|
94
|
-
expires_at: Math.floor(Date.now() / 1e3) + (expires_in || 3600)
|
|
95
|
-
});
|
|
96
|
-
if (debug) {
|
|
97
|
-
consola.debug("Token refreshed via Ed25519 challenge-response");
|
|
98
|
-
}
|
|
99
|
-
return token;
|
|
100
|
-
} catch {
|
|
101
|
-
return null;
|
|
102
|
-
}
|
|
103
|
-
}
|
|
104
|
-
async function refreshOAuthToken() {
|
|
105
|
-
const auth = loadAuth();
|
|
106
|
-
if (!auth?.refresh_token)
|
|
107
|
-
return null;
|
|
108
|
-
const { acquireAuthLock, releaseAuthLock } = await import("./auth-lock-NYI376IM.js");
|
|
109
|
-
const lock = await acquireAuthLock({ timeoutMs: 5e3 });
|
|
110
|
-
if (!lock) {
|
|
111
|
-
return getAuthToken();
|
|
112
|
-
}
|
|
113
|
-
try {
|
|
114
|
-
const latest = loadAuth();
|
|
115
|
-
if (latest?.expires_at && Date.now() / 1e3 < latest.expires_at - 30)
|
|
116
|
-
return latest.access_token;
|
|
117
|
-
const activeRefreshToken = latest?.refresh_token ?? auth.refresh_token;
|
|
118
|
-
if (!activeRefreshToken)
|
|
119
|
-
return null;
|
|
120
|
-
const disco = await discoverEndpoints(auth.idp);
|
|
121
|
-
const tokenEndpoint = disco.token_endpoint || `${auth.idp}/token`;
|
|
122
|
-
const body = new URLSearchParams({
|
|
123
|
-
grant_type: "refresh_token",
|
|
124
|
-
refresh_token: activeRefreshToken
|
|
125
|
-
});
|
|
126
|
-
const resp = await fetch(tokenEndpoint, {
|
|
127
|
-
method: "POST",
|
|
128
|
-
headers: { "Content-Type": "application/x-www-form-urlencoded" },
|
|
129
|
-
body: body.toString()
|
|
130
|
-
});
|
|
131
|
-
if (!resp.ok) {
|
|
132
|
-
if (resp.status === 400 || resp.status === 401) {
|
|
133
|
-
const base2 = latest ?? auth;
|
|
134
|
-
saveAuth({ ...base2, refresh_token: void 0 });
|
|
135
|
-
}
|
|
136
|
-
return null;
|
|
137
|
-
}
|
|
138
|
-
const tokens = await resp.json();
|
|
139
|
-
const base = latest ?? auth;
|
|
140
|
-
saveAuth({
|
|
141
|
-
...base,
|
|
142
|
-
access_token: tokens.access_token,
|
|
143
|
-
refresh_token: tokens.refresh_token ?? base.refresh_token,
|
|
144
|
-
expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in || 300)
|
|
145
|
-
});
|
|
146
|
-
if (debug)
|
|
147
|
-
consola.debug("Token refreshed via OAuth refresh_token");
|
|
148
|
-
return tokens.access_token;
|
|
149
|
-
} finally {
|
|
150
|
-
await releaseAuthLock(lock);
|
|
151
|
-
}
|
|
152
|
-
}
|
|
153
|
-
async function apiFetch(path, options = {}) {
|
|
154
|
-
let token = options.token || getAuthToken();
|
|
155
|
-
if (!token) {
|
|
156
|
-
token = await refreshAgentToken();
|
|
157
|
-
if (!token)
|
|
158
|
-
token = await refreshOAuthToken();
|
|
159
|
-
}
|
|
160
|
-
if (!token) {
|
|
161
|
-
throw new Error("Not authenticated (token expired). Run `apes login` first.");
|
|
162
|
-
}
|
|
163
|
-
let url;
|
|
164
|
-
if (path.startsWith("http")) {
|
|
165
|
-
url = path;
|
|
166
|
-
} else {
|
|
167
|
-
const idp = options.idp || getIdpUrl();
|
|
168
|
-
if (!idp) {
|
|
169
|
-
throw new Error("No IdP URL configured. Run `apes login` first or pass --idp.");
|
|
170
|
-
}
|
|
171
|
-
url = `${idp}${path}`;
|
|
172
|
-
}
|
|
173
|
-
const method = options.method || "GET";
|
|
174
|
-
const headers = {
|
|
175
|
-
"Authorization": `Bearer ${token}`,
|
|
176
|
-
"Content-Type": "application/json"
|
|
177
|
-
};
|
|
178
|
-
if (debug) {
|
|
179
|
-
consola.debug(`${method} ${url}`);
|
|
180
|
-
consola.debug(`Token: ${token.substring(0, 20)}...${token.substring(token.length - 10)}`);
|
|
181
|
-
}
|
|
182
|
-
const response = await fetch(url, {
|
|
183
|
-
method,
|
|
184
|
-
headers,
|
|
185
|
-
body: options.body ? JSON.stringify(options.body) : void 0
|
|
186
|
-
});
|
|
187
|
-
if (debug) {
|
|
188
|
-
consola.debug(`Response: ${response.status} ${response.statusText}`);
|
|
189
|
-
}
|
|
190
|
-
if (!response.ok) {
|
|
191
|
-
const contentType = response.headers.get("content-type") || "";
|
|
192
|
-
if (contentType.includes("application/problem+json") || contentType.includes("application/json")) {
|
|
193
|
-
try {
|
|
194
|
-
const problem = await response.json();
|
|
195
|
-
const message = problem.detail || problem.title || problem.statusMessage || problem.message || `${response.status} ${response.statusText}`;
|
|
196
|
-
throw new ApiError(response.status, message, problem);
|
|
197
|
-
} catch (e) {
|
|
198
|
-
if (e instanceof ApiError)
|
|
199
|
-
throw e;
|
|
200
|
-
}
|
|
201
|
-
}
|
|
202
|
-
const text = await response.text();
|
|
203
|
-
throw new ApiError(response.status, text || `${response.status} ${response.statusText}`);
|
|
204
|
-
}
|
|
205
|
-
return response.json();
|
|
206
|
-
}
|
|
3
|
+
getGenericAuditLogPath
|
|
4
|
+
} from "./chunk-IDPV5SNB.js";
|
|
207
5
|
|
|
208
6
|
// src/shapes/adapters.ts
|
|
209
7
|
import { createHash } from "crypto";
|
|
@@ -620,7 +418,7 @@ function findAdapter(index, idOrExecutable) {
|
|
|
620
418
|
|
|
621
419
|
// src/shapes/shell-parser.ts
|
|
622
420
|
import { basename as basename2 } from "path";
|
|
623
|
-
import
|
|
421
|
+
import consola from "consola";
|
|
624
422
|
import { parse as shellParse } from "shell-quote";
|
|
625
423
|
var COMPOUND_OPERATORS = /* @__PURE__ */ new Set(["&&", "||", ";", "|", "&", ">", ">>", "<"]);
|
|
626
424
|
function parseShellCommand(raw) {
|
|
@@ -665,7 +463,7 @@ async function loadOrInstallAdapter(cliId) {
|
|
|
665
463
|
const index = await fetchRegistry();
|
|
666
464
|
const entry = findAdapter(index, lookupId);
|
|
667
465
|
if (!entry) return null;
|
|
668
|
-
|
|
466
|
+
consola.info(`Installing shapes adapter for ${entry.id} from registry...`);
|
|
669
467
|
await installAdapter(entry, { local: false });
|
|
670
468
|
appendAuditLog({
|
|
671
469
|
action: "adapter-auto-install",
|
|
@@ -675,7 +473,7 @@ async function loadOrInstallAdapter(cliId) {
|
|
|
675
473
|
});
|
|
676
474
|
return tryLoadAdapter(entry.id);
|
|
677
475
|
} catch (err) {
|
|
678
|
-
|
|
476
|
+
consola.debug(`ape-shell adapter auto-install failed for ${lookupId}:`, err);
|
|
679
477
|
return null;
|
|
680
478
|
}
|
|
681
479
|
}
|
|
@@ -1055,14 +853,14 @@ import { computeCmdHash } from "@openape/core";
|
|
|
1055
853
|
import { cliAuthorizationDetailCovers, verifyAuthzJWT } from "@openape/grants";
|
|
1056
854
|
import { execFileSync } from "child_process";
|
|
1057
855
|
import { hostname } from "os";
|
|
1058
|
-
import
|
|
856
|
+
import consola2 from "consola";
|
|
1059
857
|
|
|
1060
858
|
// src/shapes/config.ts
|
|
1061
859
|
import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
|
|
1062
860
|
import { homedir as homedir5 } from "os";
|
|
1063
861
|
import { join as join5 } from "path";
|
|
1064
862
|
var AUTH_FILE = join5(homedir5(), ".config", "apes", "auth.json");
|
|
1065
|
-
function
|
|
863
|
+
function loadAuth() {
|
|
1066
864
|
if (!existsSync5(AUTH_FILE))
|
|
1067
865
|
return null;
|
|
1068
866
|
try {
|
|
@@ -1071,17 +869,17 @@ function loadAuth2() {
|
|
|
1071
869
|
return null;
|
|
1072
870
|
}
|
|
1073
871
|
}
|
|
1074
|
-
function
|
|
872
|
+
function getIdpUrl(explicit) {
|
|
1075
873
|
if (explicit)
|
|
1076
874
|
return explicit;
|
|
1077
875
|
if (process.env.APES_IDP)
|
|
1078
876
|
return process.env.APES_IDP;
|
|
1079
877
|
if (process.env.SHAPES_IDP)
|
|
1080
878
|
return process.env.SHAPES_IDP;
|
|
1081
|
-
return
|
|
879
|
+
return loadAuth()?.idp ?? null;
|
|
1082
880
|
}
|
|
1083
|
-
function
|
|
1084
|
-
const auth =
|
|
881
|
+
function getAuthToken() {
|
|
882
|
+
const auth = loadAuth();
|
|
1085
883
|
if (!auth)
|
|
1086
884
|
return null;
|
|
1087
885
|
if (auth.expires_at && Date.now() / 1e3 > auth.expires_at - 30)
|
|
@@ -1089,25 +887,25 @@ function getAuthToken2() {
|
|
|
1089
887
|
return auth.access_token;
|
|
1090
888
|
}
|
|
1091
889
|
function getRequesterIdentity() {
|
|
1092
|
-
return
|
|
890
|
+
return loadAuth()?.email ?? null;
|
|
1093
891
|
}
|
|
1094
892
|
|
|
1095
893
|
// src/shapes/http.ts
|
|
1096
|
-
async function
|
|
894
|
+
async function discoverEndpoints(idpUrl) {
|
|
1097
895
|
const response = await fetch(`${idpUrl}/.well-known/openid-configuration`);
|
|
1098
896
|
if (!response.ok)
|
|
1099
897
|
return {};
|
|
1100
898
|
return response.json();
|
|
1101
899
|
}
|
|
1102
|
-
async function
|
|
1103
|
-
const discovery = await
|
|
900
|
+
async function getGrantsEndpoint(idpUrl) {
|
|
901
|
+
const discovery = await discoverEndpoints(idpUrl);
|
|
1104
902
|
return String(discovery.openape_grants_endpoint ?? `${idpUrl}/api/grants`);
|
|
1105
903
|
}
|
|
1106
|
-
async function
|
|
1107
|
-
const token = options.token ??
|
|
904
|
+
async function apiFetch(path, options = {}) {
|
|
905
|
+
const token = options.token ?? getAuthToken();
|
|
1108
906
|
if (!token)
|
|
1109
907
|
throw new Error("Not authenticated. Run `apes login` first.");
|
|
1110
|
-
const idp = options.idp ??
|
|
908
|
+
const idp = options.idp ?? getIdpUrl();
|
|
1111
909
|
if (!path.startsWith("http") && !idp)
|
|
1112
910
|
throw new Error("No IdP URL configured. Use --idp or log in with apes.");
|
|
1113
911
|
const url = path.startsWith("http") ? path : `${idp}${path}`;
|
|
@@ -1148,12 +946,12 @@ function decodePayload(token) {
|
|
|
1148
946
|
return JSON.parse(Buffer.from(payload, "base64url").toString("utf-8"));
|
|
1149
947
|
}
|
|
1150
948
|
async function createShapesGrant(resolved, params) {
|
|
1151
|
-
const grantsEndpoint = await
|
|
949
|
+
const grantsEndpoint = await getGrantsEndpoint(params.idp);
|
|
1152
950
|
const requester = getRequesterIdentity();
|
|
1153
951
|
if (!requester) {
|
|
1154
952
|
throw new Error("No requester identity available. Run `apes login` first.");
|
|
1155
953
|
}
|
|
1156
|
-
return
|
|
954
|
+
return apiFetch(grantsEndpoint, {
|
|
1157
955
|
method: "POST",
|
|
1158
956
|
idp: params.idp,
|
|
1159
957
|
body: {
|
|
@@ -1170,10 +968,10 @@ async function createShapesGrant(resolved, params) {
|
|
|
1170
968
|
});
|
|
1171
969
|
}
|
|
1172
970
|
async function waitForGrantStatus(idp, grantId) {
|
|
1173
|
-
const grantsEndpoint = await
|
|
971
|
+
const grantsEndpoint = await getGrantsEndpoint(idp);
|
|
1174
972
|
const deadline = Date.now() + 3e5;
|
|
1175
973
|
while (Date.now() < deadline) {
|
|
1176
|
-
const grant = await
|
|
974
|
+
const grant = await apiFetch(`${grantsEndpoint}/${grantId}`, { idp });
|
|
1177
975
|
if (grant.status === "approved" || grant.status === "denied" || grant.status === "revoked")
|
|
1178
976
|
return grant.status;
|
|
1179
977
|
await new Promise((resolve) => setTimeout(resolve, 3e3));
|
|
@@ -1181,8 +979,8 @@ async function waitForGrantStatus(idp, grantId) {
|
|
|
1181
979
|
throw new Error("Timed out waiting for grant approval");
|
|
1182
980
|
}
|
|
1183
981
|
async function fetchGrantToken(idp, grantId) {
|
|
1184
|
-
const grantsEndpoint = await
|
|
1185
|
-
const response = await
|
|
982
|
+
const grantsEndpoint = await getGrantsEndpoint(idp);
|
|
983
|
+
const response = await apiFetch(`${grantsEndpoint}/${grantId}/token`, {
|
|
1186
984
|
method: "POST",
|
|
1187
985
|
idp
|
|
1188
986
|
});
|
|
@@ -1204,7 +1002,7 @@ async function verifyAndConsume(token, resolved) {
|
|
|
1204
1002
|
const issuer = String(payload.iss ?? "");
|
|
1205
1003
|
if (!issuer)
|
|
1206
1004
|
throw new Error("Grant token is missing issuer");
|
|
1207
|
-
const discovery = await
|
|
1005
|
+
const discovery = await discoverEndpoints(issuer);
|
|
1208
1006
|
const jwksUri = String(discovery.jwks_uri ?? `${issuer}/.well-known/jwks.json`);
|
|
1209
1007
|
const result = await verifyAuthzJWT(token, {
|
|
1210
1008
|
expectedIss: issuer,
|
|
@@ -1247,7 +1045,7 @@ async function verifyAndConsume(token, resolved) {
|
|
|
1247
1045
|
throw new Error("Granted command does not match current argv");
|
|
1248
1046
|
}
|
|
1249
1047
|
}
|
|
1250
|
-
const grantsEndpoint = await
|
|
1048
|
+
const grantsEndpoint = await getGrantsEndpoint(issuer);
|
|
1251
1049
|
const consume = await fetch(`${grantsEndpoint}/${claims.grant_id}/consume`, {
|
|
1252
1050
|
method: "POST",
|
|
1253
1051
|
headers: {
|
|
@@ -1263,7 +1061,7 @@ async function verifyAndConsume(token, resolved) {
|
|
|
1263
1061
|
}
|
|
1264
1062
|
}
|
|
1265
1063
|
function executeResolvedViaExec(resolved) {
|
|
1266
|
-
|
|
1064
|
+
consola2.info(`Executing ${(resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv]).join(" ")}`);
|
|
1267
1065
|
execFileSync(resolved.executable, resolved.commandArgv, { stdio: "inherit" });
|
|
1268
1066
|
}
|
|
1269
1067
|
async function verifyAndExecute(token, resolved, grantId) {
|
|
@@ -1292,7 +1090,7 @@ async function verifyAndExecute(token, resolved, grantId) {
|
|
|
1292
1090
|
getGenericAuditLogPath()
|
|
1293
1091
|
);
|
|
1294
1092
|
} catch (logErr) {
|
|
1295
|
-
|
|
1093
|
+
consola2.debug("Failed to append generic-call audit entry:", logErr);
|
|
1296
1094
|
}
|
|
1297
1095
|
}
|
|
1298
1096
|
}
|
|
@@ -1315,8 +1113,8 @@ async function resolveFromGrant(grant) {
|
|
|
1315
1113
|
return resolved;
|
|
1316
1114
|
}
|
|
1317
1115
|
async function findExistingGrant(resolved, idp) {
|
|
1318
|
-
const grantsEndpoint = await
|
|
1319
|
-
const response = await
|
|
1116
|
+
const grantsEndpoint = await getGrantsEndpoint(idp);
|
|
1117
|
+
const response = await apiFetch(
|
|
1320
1118
|
`${grantsEndpoint}?status=approved`,
|
|
1321
1119
|
{ idp }
|
|
1322
1120
|
);
|
|
@@ -1382,13 +1180,6 @@ async function buildStructuredCliGrantRequest(resolved, options) {
|
|
|
1382
1180
|
}
|
|
1383
1181
|
|
|
1384
1182
|
export {
|
|
1385
|
-
ApiError,
|
|
1386
|
-
discoverEndpoints,
|
|
1387
|
-
getGrantsEndpoint,
|
|
1388
|
-
getAgentChallengeEndpoint,
|
|
1389
|
-
getAgentAuthenticateEndpoint,
|
|
1390
|
-
getDelegationsEndpoint,
|
|
1391
|
-
apiFetch,
|
|
1392
1183
|
GENERIC_OPERATION_ID,
|
|
1393
1184
|
buildGenericResolved,
|
|
1394
1185
|
resolveAdapterPath,
|
|
@@ -1421,4 +1212,4 @@ export {
|
|
|
1421
1212
|
buildExactCommandGrantRequest,
|
|
1422
1213
|
buildStructuredCliGrantRequest
|
|
1423
1214
|
};
|
|
1424
|
-
//# sourceMappingURL=chunk-
|
|
1215
|
+
//# sourceMappingURL=chunk-IT6T6AKX.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/shapes/adapters.ts","../src/shapes/toml.ts","../src/shapes/generic.ts","../src/shapes/audit.ts","../src/shapes/installer.ts","../src/shapes/registry.ts","../src/shapes/shell-parser.ts","../src/shapes/capabilities.ts","../src/shapes/parser.ts","../src/shapes/commands/explain.ts","../src/shapes/grants.ts","../src/shapes/config.ts","../src/shapes/http.ts","../src/audit/generic-log.ts","../src/shapes/request-builders.ts"],"sourcesContent":["import { createHash } from 'node:crypto'\nimport { existsSync, readdirSync, readFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { basename, join } from 'node:path'\nimport type { LoadedAdapter, ResolvedCommand } from './types.js'\nimport { parseAdapterToml } from './toml.js'\nimport { buildGenericResolved } from './generic.js'\n\nfunction digest(content: string): string {\n return `SHA-256:${createHash('sha256').update(content).digest('hex')}`\n}\n\nfunction adapterDirs(): string[] {\n return [\n join(process.cwd(), '.openape', 'shapes', 'adapters'),\n join(homedir(), '.openape', 'shapes', 'adapters'),\n join('/etc', 'openape', 'shapes', 'adapters'),\n ]\n}\n\nfunction findByExecutable(executable: string): string | undefined {\n for (const dir of adapterDirs()) {\n if (!existsSync(dir))\n continue\n try {\n const files = readdirSync(dir).filter(f => f.endsWith('.toml'))\n for (const file of files) {\n const path = join(dir, file)\n const content = readFileSync(path, 'utf-8')\n const match = content.match(/^\\s*executable\\s*=\\s*\"([^\"]+)\"/m)\n if (match && match[1] === executable)\n return path\n }\n }\n catch {\n // directory not readable\n }\n }\n return undefined\n}\n\nexport function resolveAdapterPath(cliId: string, explicitPath?: string): string {\n if (explicitPath) {\n if (existsSync(explicitPath))\n return explicitPath\n throw new Error(`Adapter file not found: ${explicitPath}`)\n }\n\n // Try direct lookup by ID\n const candidates = adapterDirs().map(dir => join(dir, `${cliId}.toml`))\n const match = candidates.find(path => existsSync(path))\n if (match)\n return match\n\n // Fallback: scan for adapter with matching executable name\n const byExec = findByExecutable(cliId)\n if (byExec)\n return byExec\n\n throw new Error(`No adapter found for ${cliId}`)\n}\n\nexport function loadAdapter(cliId: string, explicitPath?: string): LoadedAdapter {\n const source = resolveAdapterPath(cliId, explicitPath)\n const content = readFileSync(source, 'utf-8')\n const adapter = parseAdapterToml(content)\n\n // Accept if either the adapter ID or the executable matches the requested cliId\n const idMatch = adapter.cli.id === cliId\n const fileMatch = basename(source) === `${cliId}.toml`\n const execMatch = adapter.cli.executable === cliId\n if (!idMatch && !fileMatch && !execMatch)\n throw new Error(`Adapter ${source} does not match requested CLI ${cliId}`)\n\n return {\n adapter,\n source,\n digest: digest(content),\n }\n}\n\n/**\n * Called by `run.ts` when `loadAdapter(cliId)` has already failed with\n * \"No adapter found\". If generic-fallback mode is enabled in config,\n * return a synthetic `ResolvedCommand` that bypasses the parser. If\n * disabled, re-throw the original error (restoring legacy behaviour).\n *\n * @param cliId The CLI that had no registered shape\n * @param fullArgv Argv to execute (including the executable itself)\n * @param opts `genericEnabled: true` → return synthetic resolved;\n * `false` → throw `\"No adapter found for <cliId>\"`.\n */\nexport async function resolveGenericOrReject(\n cliId: string,\n fullArgv: string[],\n opts: { genericEnabled: boolean },\n): Promise<ResolvedCommand> {\n if (!opts.genericEnabled)\n throw new Error(`No adapter found for ${cliId}`)\n return await buildGenericResolved(cliId, fullArgv)\n}\n\n/** Try to load an adapter locally, return null instead of throwing when not found. */\nexport function tryLoadAdapter(cliId: string, explicitPath?: string): LoadedAdapter | null {\n try {\n return loadAdapter(cliId, explicitPath)\n }\n catch {\n return null\n }\n}\n","import type { ShapesAdapter, ShapesOperation } from './types.js'\n\ninterface AdapterTomlFile {\n schema?: string\n cli?: ShapesAdapter['cli']\n operation?: ShapesOperation[]\n}\n\nfunction parseKeyValue(line: string): { key: string, value: string } | null {\n const eqIndex = line.indexOf('=')\n if (eqIndex === -1)\n return null\n const key = line.slice(0, eqIndex).trim()\n const value = line.slice(eqIndex + 1).trim()\n if (!key || !value)\n return null\n return { key, value }\n}\n\nfunction parseTomlValue(raw: string): unknown {\n const trimmed = raw.trim()\n\n if (trimmed.startsWith('\"') && trimmed.endsWith('\"'))\n return trimmed.slice(1, -1)\n if (trimmed === 'true')\n return true\n if (trimmed === 'false')\n return false\n if (trimmed.startsWith('[') && trimmed.endsWith(']')) {\n const inner = trimmed.slice(1, -1).trim()\n if (!inner)\n return []\n return inner.split(',').map(value => value.trim().replace(/^\"|\"$/g, ''))\n }\n\n return trimmed\n}\n\nexport function parseAdapterToml(content: string): ShapesAdapter {\n const result: AdapterTomlFile = {}\n const operations: ShapesOperation[] = []\n let currentSection: 'root' | 'cli' | 'operation' = 'root'\n let currentEntry: Record<string, unknown> = {}\n\n const flushOperation = () => {\n if (currentSection === 'operation' && Object.keys(currentEntry).length > 0) {\n operations.push(currentEntry as unknown as ShapesOperation)\n currentEntry = {}\n }\n }\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim()\n if (!line || line.startsWith('#'))\n continue\n\n if (line === '[cli]') {\n flushOperation()\n currentSection = 'cli'\n result.cli = {} as ShapesAdapter['cli']\n continue\n }\n\n if (line === '[[operation]]') {\n flushOperation()\n currentSection = 'operation'\n currentEntry = {}\n continue\n }\n\n const kv = parseKeyValue(line)\n if (!kv)\n continue\n\n const value = parseTomlValue(kv.value)\n if (currentSection === 'root') {\n ;(result as Record<string, unknown>)[kv.key] = value\n }\n else if (currentSection === 'cli') {\n ;(result.cli as Record<string, unknown>)[kv.key] = value\n }\n else {\n currentEntry[kv.key] = value\n }\n }\n\n flushOperation()\n result.operation = operations\n\n if (result.schema !== 'openape-shapes/v1') {\n throw new Error(`Unsupported adapter schema: ${result.schema ?? 'missing'}`)\n }\n if (!result.cli?.id || !result.cli.executable) {\n throw new Error('Adapter is missing cli.id or cli.executable')\n }\n if (!result.operation?.length) {\n throw new Error('Adapter must define at least one [[operation]] entry')\n }\n\n return {\n schema: result.schema,\n cli: {\n id: String(result.cli.id),\n executable: String(result.cli.executable),\n ...(result.cli.audience ? { audience: String(result.cli.audience) } : {}),\n ...(result.cli.version ? { version: String(result.cli.version) } : {}),\n },\n operations: result.operation.map((operation) => {\n if (!Array.isArray(operation.command) || operation.command.some(token => typeof token !== 'string')) {\n throw new Error(`Operation ${String(operation.id ?? '<unknown>')} is missing command[]`)\n }\n if (!Array.isArray(operation.resource_chain) || operation.resource_chain.some(token => typeof token !== 'string')) {\n throw new Error(`Operation ${String(operation.id ?? '<unknown>')} is missing resource_chain[]`)\n }\n if (typeof operation.id !== 'string' || typeof operation.display !== 'string' || typeof operation.action !== 'string') {\n throw new TypeError('Operation must define id, display, and action')\n }\n return {\n id: operation.id,\n command: operation.command as string[],\n ...(Array.isArray(operation.positionals) ? { positionals: operation.positionals as string[] } : {}),\n ...(Array.isArray(operation.required_options) ? { required_options: operation.required_options as string[] } : {}),\n display: operation.display,\n action: operation.action,\n risk: (operation.risk as ShapesOperation['risk']) || 'low',\n resource_chain: operation.resource_chain as string[],\n ...(operation.exact_command !== undefined ? { exact_command: Boolean(operation.exact_command) } : {}),\n }\n }),\n }\n}\n","import type { OpenApeCliAuthorizationDetail } from '@openape/core'\nimport { canonicalizeCliPermission, computeArgvHash } from '@openape/grants'\nimport type { LoadedAdapter, ResolvedCommand, ShapesAdapter } from './types.js'\n\n/**\n * The synthetic operation ID used for generic-fallback grants. Downstream\n * code (audit logging, UI banner) keys off this exact string.\n */\nexport const GENERIC_OPERATION_ID = '_generic.exec'\n\n/**\n * Schema version for synthetic adapters. Not persisted anywhere — exists\n * only so the in-memory adapter shape matches `ShapesAdapter`.\n */\nconst SYNTHETIC_SCHEMA = 'openape-shapes/v1'\n\n/**\n * Build a synthetic in-memory `LoadedAdapter` for a CLI that has no\n * registered shape. The adapter is marked with `synthetic: true` so\n * callers can branch on it if needed.\n *\n * NOTE: This does NOT produce a parser-matchable adapter. The generic\n * pipeline bypasses `resolveCommand()` entirely — see `buildGenericResolved()`.\n * This function exists for flow-control markers and tests.\n */\nexport function buildGenericAdapter(cliId: string): LoadedAdapter {\n const adapter: ShapesAdapter = {\n schema: SYNTHETIC_SCHEMA,\n cli: {\n id: cliId,\n executable: cliId,\n audience: 'shapes',\n version: 'synthetic',\n },\n operations: [],\n }\n return {\n adapter,\n source: '<synthetic>',\n digest: 'synthetic',\n synthetic: true,\n }\n}\n\n/**\n * Build a `ResolvedCommand` directly for a CLI that has no registered shape.\n *\n * Unlike the normal flow (loadAdapter → resolveCommand), the generic path\n * bypasses the parser entirely. Rationale:\n *\n * - `resolveCommand()` matches argv against declarative operation specs\n * via `matchOperation()`, which requires `positionals.length ===\n * operation.positionals.length`. A \"match-all\" spec (`command: []`,\n * `positionals: []`) would reject any non-empty argv.\n *\n * - Synthetic adapters have no declarative spec — we already know what\n * to execute. Running the parser is theatre.\n *\n * The returned `ResolvedCommand` has:\n * - `detail.operation_id === GENERIC_OPERATION_ID` — marker consumed by\n * the audit-log hook in `verifyAndExecute`.\n * - `detail.risk === 'high'` — forced.\n * - `detail.constraints.exact_command === true` — forced, binds the\n * grant to this exact argv via `argv_hash`.\n * - `resource_chain = [{resource: 'cli', selector: {name: cliId}},\n * {resource: 'argv', selector: {hash: <sha256>}}]`\n */\nexport async function buildGenericResolved(\n cliId: string,\n fullArgv: string[],\n): Promise<ResolvedCommand> {\n if (fullArgv.length === 0)\n throw new Error('buildGenericResolved: fullArgv must include the executable')\n const executable = fullArgv[0]!\n const commandArgv = fullArgv.slice(1)\n const argvHash = await computeArgvHash(fullArgv)\n\n const display = `Execute (unshaped): \\`${cliId} ${commandArgv.join(' ')}\\``\n\n const detail: OpenApeCliAuthorizationDetail = {\n type: 'openape_cli',\n cli_id: cliId,\n operation_id: GENERIC_OPERATION_ID,\n resource_chain: [\n { resource: 'cli', selector: { name: cliId } },\n { resource: 'argv', selector: { hash: argvHash } },\n ],\n action: 'exec',\n permission: '',\n display,\n risk: 'high',\n constraints: { exact_command: true },\n }\n detail.permission = canonicalizeCliPermission(detail)\n\n const adapter = buildGenericAdapter(cliId)\n\n return {\n adapter: adapter.adapter,\n source: adapter.source,\n digest: adapter.digest,\n executable,\n commandArgv,\n bindings: {},\n detail,\n executionContext: {\n argv: fullArgv,\n argv_hash: argvHash,\n adapter_id: cliId,\n adapter_version: SYNTHETIC_SCHEMA,\n adapter_digest: adapter.digest,\n resolved_executable: executable,\n context_bindings: {},\n },\n permission: detail.permission,\n }\n}\n\n/**\n * Type guard: does this `ResolvedCommand` come from the generic fallback path?\n */\nexport function isGenericResolved(resolved: ResolvedCommand): boolean {\n return resolved.detail.operation_id === GENERIC_OPERATION_ID\n}\n","import { appendFileSync, existsSync, mkdirSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { dirname, join } from 'node:path'\n\n/** Single audit log entry. Always includes a timestamp and an action string. */\nexport interface AuditEntry {\n action: string\n timestamp: number\n [key: string]: unknown\n}\n\nfunction auditPath(): string {\n return join(homedir(), '.config', 'apes', 'audit.jsonl')\n}\n\n/**\n * Append a single entry to the audit log at ~/.config/apes/audit.jsonl.\n * Failures are swallowed — the audit log should never break the actual flow.\n */\nexport function appendAuditLog(entry: { action: string, timestamp?: number } & Record<string, unknown>): void {\n const full: AuditEntry = {\n ...entry,\n action: entry.action,\n timestamp: entry.timestamp ?? Date.now(),\n }\n const path = auditPath()\n const dir = dirname(path)\n try {\n if (!existsSync(dir)) mkdirSync(dir, { recursive: true })\n appendFileSync(path, `${JSON.stringify(full)}\\n`)\n }\n catch {\n // intentionally ignored — audit log must never break the flow\n }\n}\n","import { createHash } from 'node:crypto'\nimport { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\nimport type { RegistryEntry } from './types.js'\n\nfunction adapterDir(local: boolean): string {\n const base = local ? process.cwd() : homedir()\n return join(base, '.openape', 'shapes', 'adapters')\n}\n\nfunction adapterPath(id: string, local: boolean): string {\n return join(adapterDir(local), `${id}.toml`)\n}\n\nfunction sha256(content: string): string {\n return `SHA-256:${createHash('sha256').update(content).digest('hex')}`\n}\n\nexport interface InstallResult {\n id: string\n path: string\n digest: string\n updated: boolean\n}\n\nexport async function installAdapter(entry: RegistryEntry, options: { local?: boolean } = {}): Promise<InstallResult> {\n const local = options.local ?? false\n const dest = adapterPath(entry.id, local)\n const dir = adapterDir(local)\n\n const response = await fetch(entry.download_url)\n if (!response.ok)\n throw new Error(`Failed to download adapter ${entry.id}: ${response.status} ${response.statusText}`)\n\n const content = await response.text()\n const digest = sha256(content)\n\n if (digest !== entry.digest)\n throw new Error(`Digest mismatch for ${entry.id}: expected ${entry.digest}, got ${digest}`)\n\n const updated = existsSync(dest)\n\n if (!existsSync(dir))\n mkdirSync(dir, { recursive: true })\n\n writeFileSync(dest, content)\n\n return { id: entry.id, path: dest, digest, updated }\n}\n\nexport function getInstalledDigest(id: string, local: boolean): string | null {\n const path = adapterPath(id, local)\n if (!existsSync(path))\n return null\n\n const content = readFileSync(path, 'utf-8')\n return sha256(content)\n}\n\nexport function isInstalled(id: string, local: boolean): boolean {\n return existsSync(adapterPath(id, local))\n}\n\nexport function getInstalledPath(id: string, local: boolean): string {\n return adapterPath(id, local)\n}\n\nexport function removeAdapter(id: string, local: boolean): boolean {\n const path = adapterPath(id, local)\n if (!existsSync(path))\n return false\n unlinkSync(path)\n return true\n}\n\nexport interface ConflictingAdapter {\n file: string\n path: string\n adapterId: string\n executable: string\n}\n\nexport function findConflictingAdapters(executable: string, excludeId: string): ConflictingAdapter[] {\n const conflicts: ConflictingAdapter[] = []\n const dirs = [\n join(process.cwd(), '.openape', 'shapes', 'adapters'),\n join(homedir(), '.openape', 'shapes', 'adapters'),\n ]\n\n for (const dir of dirs) {\n if (!existsSync(dir))\n continue\n try {\n for (const file of readdirSync(dir).filter(f => f.endsWith('.toml'))) {\n const path = join(dir, file)\n const content = readFileSync(path, 'utf-8')\n const execMatch = content.match(/^\\s*executable\\s*=\\s*\"([^\"]+)\"/m)\n const idMatch = content.match(/^\\s*id\\s*=\\s*\"([^\"]+)\"/m)\n if (execMatch?.[1] === executable && idMatch?.[1] !== excludeId) {\n conflicts.push({ file, path, adapterId: idMatch?.[1] ?? file, executable })\n }\n }\n }\n catch {\n // directory not readable\n }\n }\n\n return conflicts\n}\n","import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\nimport type { RegistryEntry, RegistryIndex } from './types.js'\n\nconst REGISTRY_URL = process.env.SHAPES_REGISTRY_URL\n ?? 'https://raw.githubusercontent.com/openape-ai/shapes-registry/main/registry.json'\n\nconst CACHE_TTL_MS = 60 * 60 * 1000 // 1 hour\n\nfunction cacheDir(): string {\n return join(homedir(), '.openape', 'shapes', 'cache')\n}\n\nfunction cachePath(): string {\n return join(cacheDir(), 'registry.json')\n}\n\nfunction readCache(): RegistryIndex | null {\n const path = cachePath()\n if (!existsSync(path))\n return null\n\n try {\n const raw = readFileSync(path, 'utf-8')\n const stat = JSON.parse(raw) as RegistryIndex & { _cached_at?: number }\n if (stat._cached_at && Date.now() - stat._cached_at > CACHE_TTL_MS)\n return null\n return stat\n }\n catch {\n return null\n }\n}\n\nfunction writeCache(index: RegistryIndex): void {\n const dir = cacheDir()\n if (!existsSync(dir))\n mkdirSync(dir, { recursive: true })\n\n writeFileSync(cachePath(), JSON.stringify({ ...index, _cached_at: Date.now() }, null, 2))\n}\n\nexport async function fetchRegistry(forceRefresh = false): Promise<RegistryIndex> {\n if (!forceRefresh) {\n const cached = readCache()\n if (cached)\n return cached\n }\n\n const response = await fetch(REGISTRY_URL)\n if (!response.ok)\n throw new Error(`Failed to fetch registry: ${response.status} ${response.statusText}`)\n\n const index = await response.json() as RegistryIndex\n writeCache(index)\n return index\n}\n\nexport function searchAdapters(index: RegistryIndex, query: string): RegistryEntry[] {\n const q = query.toLowerCase()\n return index.adapters.filter(a =>\n a.id.includes(q)\n || a.name.toLowerCase().includes(q)\n || a.description.toLowerCase().includes(q)\n || a.tags.some(t => t.includes(q))\n || a.category.includes(q),\n )\n}\n\n/**\n * Look up a registry entry by its id or its executable field. This lets callers\n * pass either the registry id (\"o365\") or the binary name (\"o365-cli\"); most\n * adapters have id === executable, but the two can diverge.\n */\nexport function findAdapter(index: RegistryIndex, idOrExecutable: string): RegistryEntry | undefined {\n return index.adapters.find(\n a => a.id === idOrExecutable || a.executable === idOrExecutable,\n )\n}\n","import { basename } from 'node:path'\nimport consola from 'consola'\nimport { parse as shellParse } from 'shell-quote'\nimport { loadAdapter, tryLoadAdapter } from './adapters.js'\nimport { installAdapter } from './installer.js'\nimport { fetchRegistry, findAdapter } from './registry.js'\nimport { appendAuditLog } from './audit.js'\nimport type { LoadedAdapter } from './types.js'\n\n/** A parsed shell command string with the executable and its argv extracted. */\nexport interface ParsedShellCommand {\n /** The program to run (first token, e.g. \"rm\") */\n executable: string\n /** Remaining tokens after the executable (e.g. [\"-f\", \"/tmp/foo.txt\"]) */\n argv: string[]\n /**\n * true if the command contains compound operators (&&, ||, ;, |),\n * subshells ($(...)), or backticks. These cannot be safely handled\n * by the adapter mode and must fall back to the generic shell grant flow.\n */\n isCompound: boolean\n /** The original command string for display/logging */\n raw: string\n}\n\nconst COMPOUND_OPERATORS = new Set(['&&', '||', ';', '|', '&', '>', '>>', '<'])\n\ntype ShellQuoteToken = string | { op: string } | { comment: string } | { pattern: string }\n\n/**\n * Parse a shell command string like `rm /tmp/foo.txt` or `git commit -m \"hello\"` into\n * its executable and argv. Uses `shell-quote` to handle quoting correctly.\n *\n * Returns null for empty/whitespace-only input.\n */\nexport function parseShellCommand(raw: string): ParsedShellCommand | null {\n const trimmed = raw.trim()\n if (trimmed.length === 0) return null\n\n let tokens: ShellQuoteToken[]\n try {\n tokens = shellParse(trimmed) as ShellQuoteToken[]\n }\n catch {\n return null\n }\n\n // Detect compound operators and subshells\n const hasShellExpansion = /\\$\\(|`/.test(trimmed)\n const hasOperatorToken = tokens.some(t => typeof t === 'object' && t !== null && 'op' in t && COMPOUND_OPERATORS.has(t.op))\n const isCompound = hasShellExpansion || hasOperatorToken\n\n // Extract leading string tokens up to the first operator object\n const stringTokens: string[] = []\n for (const t of tokens) {\n if (typeof t === 'string') {\n stringTokens.push(t)\n }\n else {\n break\n }\n }\n\n if (stringTokens.length === 0) return null\n\n return {\n executable: stringTokens[0]!,\n argv: stringTokens.slice(1),\n isCompound,\n raw: trimmed,\n }\n}\n\n/**\n * Extract the command string from an `apes run --shell -- bash -c \"…\"` argv.\n * Returns null if the argv does not follow that shape.\n */\nexport function extractShellCommandString(command: string[]): string | null {\n if (command.length < 3) return null\n if (command[0] !== 'bash' && command[0] !== 'sh') return null\n if (command[1] !== '-c') return null\n // Everything after `-c` is the quoted command string\n return command.slice(2).join(' ')\n}\n\n/**\n * Load an adapter for the given CLI id. If the adapter is not installed locally,\n * try to fetch it from the shapes registry and auto-install it.\n *\n * Returns null when no adapter exists in either location, or when any step fails.\n * Failures are logged but never thrown — callers should fall back to the generic flow.\n */\nexport async function loadOrInstallAdapter(cliId: string): Promise<LoadedAdapter | null> {\n // Absolute or relative paths like `/usr/local/bin/o365-cli` must be reduced\n // to the binary name before any lookup — neither the local file scan nor the\n // registry knows how to match a path.\n const lookupId = basename(cliId)\n\n // 1. Try local\n const local = tryLoadAdapter(lookupId)\n if (local) return local\n\n // 2. Remote registry lookup + auto-install.\n // findAdapter matches both `id` and `executable`, so a bare binary name\n // like `o365-cli` resolves to a registry entry whose id is `o365`.\n try {\n const index = await fetchRegistry()\n const entry = findAdapter(index, lookupId)\n if (!entry) return null\n\n consola.info(`Installing shapes adapter for ${entry.id} from registry...`)\n await installAdapter(entry, { local: false })\n appendAuditLog({\n action: 'adapter-auto-install',\n cli_id: entry.id,\n digest: entry.digest,\n source: 'ape-shell',\n })\n\n // Adapters are installed under their registry `id` — always reload by id\n // even if the caller passed the executable name.\n return tryLoadAdapter(entry.id)\n }\n catch (err) {\n consola.debug(`ape-shell adapter auto-install failed for ${lookupId}:`, err)\n return null\n }\n}\n\n// Re-export loadAdapter so callers can import everything from one module\nexport { loadAdapter }\n","import type { OpenApeCliAuthorizationDetail, OpenApeCliResourceRef } from '@openape/core'\nimport { canonicalizeCliPermission } from '@openape/grants'\nimport type { LoadedAdapter, ResolvedCapability, ShapesOperation } from './types.js'\n\ninterface ParsedOperationChainEntry {\n resource: string\n selectorKeys: string[]\n}\n\nfunction parseOperationChainEntry(entry: string): ParsedOperationChainEntry {\n const [resource, selectorSpec = '*'] = entry.split(':', 2)\n if (!resource) {\n throw new Error(`Invalid resource chain entry: ${entry}`)\n }\n\n if (selectorSpec === '*') {\n return { resource, selectorKeys: [] }\n }\n\n const selectorKeys = selectorSpec.split(',')\n .map((segment) => {\n const [key] = segment.split('=', 2)\n if (!key)\n throw new Error(`Invalid selector segment: ${segment}`)\n return key\n })\n\n return { resource, selectorKeys }\n}\n\nfunction operationChain(operation: ShapesOperation): ParsedOperationChainEntry[] {\n return operation.resource_chain.map(parseOperationChainEntry)\n}\n\nfunction knownSelectorKeys(operations: ShapesOperation[], resource: string): string[] {\n const keys = new Set<string>()\n for (const operation of operations) {\n for (const entry of operationChain(operation)) {\n if (entry.resource !== resource)\n continue\n for (const key of entry.selectorKeys) {\n keys.add(key)\n }\n }\n }\n return Array.from(keys).sort()\n}\n\nfunction parseResourceSelector(raw: string): { resource: string, key: string, value: string } {\n const [lhs, value] = raw.split('=', 2)\n if (!lhs || !value) {\n throw new Error(`Invalid selector: ${raw}`)\n }\n\n const [resource, key] = lhs.split('.', 2)\n if (!resource || !key) {\n throw new Error(`Selectors must be in resource.key=value form: ${raw}`)\n }\n\n return { resource, key, value }\n}\n\nfunction formatSelector(selector?: Record<string, string>): string {\n if (!selector || Object.keys(selector).length === 0)\n return '*'\n return Object.entries(selector)\n .sort(([a], [b]) => a.localeCompare(b))\n .map(([key, value]) => `${key}=${value}`)\n .join(',')\n}\n\nfunction summarizeDetail(detail: OpenApeCliAuthorizationDetail): string {\n const chain = detail.resource_chain\n .map(resource => `${resource.resource}[${formatSelector(resource.selector)}]`)\n .join(' -> ')\n return `Allow ${detail.action} on ${detail.cli_id} ${chain}`\n}\n\nexport function resolveCapabilityRequest(\n loaded: LoadedAdapter,\n params: {\n resources: string[]\n selectors?: string[]\n actions: string[]\n },\n): ResolvedCapability {\n if (params.resources.length === 0) {\n throw new Error('At least one --resource is required')\n }\n if (params.actions.length === 0) {\n throw new Error('At least one --action is required')\n }\n\n const selectorMap = new Map<string, Record<string, string>>()\n for (const rawSelector of params.selectors ?? []) {\n const { resource, key, value } = parseResourceSelector(rawSelector)\n const current = selectorMap.get(resource) ?? {}\n current[key] = value\n selectorMap.set(resource, current)\n }\n\n const resource_chain: OpenApeCliResourceRef[] = params.resources.map((resource) => {\n const selector = selectorMap.get(resource)\n const knownKeys = knownSelectorKeys(loaded.adapter.operations, resource)\n if (selector) {\n for (const key of Object.keys(selector)) {\n if (!knownKeys.includes(key)) {\n throw new Error(`Unknown selector ${resource}.${key} for adapter ${loaded.adapter.cli.id}`)\n }\n }\n }\n return selector && Object.keys(selector).length > 0 ? { resource, selector } : { resource }\n })\n\n const requestedSequence = params.resources.join('\\0')\n const matchingOperations = loaded.adapter.operations.filter((operation) => {\n const sequence = operationChain(operation).map(entry => entry.resource).join('\\0')\n return sequence === requestedSequence || sequence.startsWith(`${requestedSequence}\\0`)\n })\n\n if (matchingOperations.length === 0) {\n throw new Error(`No adapter operation supports resource chain: ${params.resources.join(' -> ')}`)\n }\n\n const details = params.actions.map((action) => {\n const matchingActionOps = matchingOperations.filter(operation => operation.action === action)\n if (matchingActionOps.length === 0) {\n throw new Error(`Action ${action} is not valid for resource chain: ${params.resources.join(' -> ')}`)\n }\n\n const exact_command = matchingActionOps.every(operation => operation.exact_command === true)\n const risks = ['low', 'medium', 'high', 'critical'] as const\n const risk = matchingActionOps.reduce<typeof risks[number]>((current, operation) => {\n return risks.indexOf(operation.risk) > risks.indexOf(current) ? operation.risk : current\n }, 'low')\n\n const detail: OpenApeCliAuthorizationDetail = {\n type: 'openape_cli',\n cli_id: loaded.adapter.cli.id,\n operation_id: `capability.${action}`,\n resource_chain,\n action,\n permission: '',\n display: '',\n risk,\n ...(exact_command ? { constraints: { exact_command: true } } : {}),\n }\n detail.permission = canonicalizeCliPermission(detail)\n detail.display = summarizeDetail(detail)\n return detail\n })\n\n return {\n adapter: loaded.adapter,\n source: loaded.source,\n digest: loaded.digest,\n executable: loaded.adapter.cli.executable,\n details,\n executionContext: {\n adapter_id: loaded.adapter.cli.id,\n adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,\n adapter_digest: loaded.digest,\n resolved_executable: loaded.adapter.cli.executable,\n context_bindings: Object.fromEntries(\n Array.from(selectorMap.entries()).flatMap(([resource, selector]) =>\n Object.entries(selector).map(([key, value]) => [`${resource}.${key}`, value] as const),\n ),\n ),\n },\n permissions: details.map(detail => detail.permission),\n summary: details.map(detail => detail.display).join('; '),\n }\n}\n","import type { OpenApeCliAuthorizationDetail, OpenApeCliResourceRef } from '@openape/core'\nimport { canonicalizeCliPermission, computeArgvHash } from '@openape/grants'\nimport type { LoadedAdapter, ResolvedCommand, ShapesOperation } from './types.js'\n\nfunction parseOptionArgs(tokens: string[], valueOptions?: string[]): { options: Record<string, string>, positionals: string[] } {\n const options: Record<string, string> = {}\n const positionals: string[] = []\n const takesValue = new Set(valueOptions ?? [])\n\n for (let index = 0; index < tokens.length; index += 1) {\n const token = tokens[index]!\n\n if (token.startsWith('--')) {\n // Long option: --name value or --name=value\n const stripped = token.slice(2)\n const eqIndex = stripped.indexOf('=')\n if (eqIndex >= 0) {\n options[stripped.slice(0, eqIndex)] = stripped.slice(eqIndex + 1)\n continue\n }\n\n const next = tokens[index + 1]\n if (next && !next.startsWith('-')) {\n options[stripped] = next\n index += 1\n continue\n }\n\n options[stripped] = 'true'\n }\n else if (token.startsWith('-') && token.length > 1 && !/^-\\d/.test(token)) {\n // Short option: -name value, -f value, or -l (boolean)\n const key = token.slice(1)\n\n if (key.length === 1 && !takesValue.has(key)) {\n // Single-char flag not in required_options → boolean\n options[key] = 'true'\n }\n else {\n // Multi-char option (-name) or known value option (-f) → consume next as value\n const next = tokens[index + 1]\n if (next && !next.startsWith('-')) {\n options[key] = next\n index += 1\n }\n else {\n options[key] = 'true'\n }\n }\n }\n else {\n positionals.push(token)\n }\n }\n\n return { options, positionals }\n}\n\nfunction resolveBindingToken(binding: string, bindings: Record<string, string>): string {\n const match = binding.match(/^\\{([^}|]+)(?:\\|([^}]+))?\\}$/)\n if (!match)\n return binding\n\n const [, name, transform] = match\n const value = bindings[name]\n if (!value)\n throw new Error(`Missing binding: ${name}`)\n if (!transform)\n return value\n\n if (transform === 'owner' || transform === 'name') {\n const [owner, repo] = value.split('/')\n if (!owner || !repo)\n throw new Error(`Binding ${name} must be in owner/name form`)\n return transform === 'owner' ? owner : repo\n }\n\n throw new Error(`Unsupported binding transform: ${transform}`)\n}\n\nfunction renderTemplate(template: string, bindings: Record<string, string>): string {\n return template.replace(/\\{([^}]+)\\}/g, (_, expression: string) => resolveBindingToken(`{${expression}}`, bindings))\n}\n\nfunction parseResourceChain(chain: string[], bindings: Record<string, string>): OpenApeCliResourceRef[] {\n return chain.map((entry) => {\n const [resource, selectorSpec = '*'] = entry.split(':', 2)\n if (!resource)\n throw new Error(`Invalid resource chain entry: ${entry}`)\n\n if (selectorSpec === '*') {\n return { resource }\n }\n\n const selector = Object.fromEntries(\n selectorSpec.split(',').map((segment) => {\n const [key, rawValue] = segment.split('=', 2)\n if (!key || !rawValue)\n throw new Error(`Invalid selector segment: ${segment}`)\n return [key, renderTemplate(rawValue, bindings)]\n }),\n )\n\n return { resource, selector }\n })\n}\n\nfunction matchOperation(operation: ShapesOperation, argv: string[]): Record<string, string> | null {\n if (argv.length < operation.command.length)\n return null\n\n const prefix = argv.slice(0, operation.command.length)\n if (prefix.join('\\0') !== operation.command.join('\\0'))\n return null\n\n const remainder = argv.slice(operation.command.length)\n const { options, positionals } = parseOptionArgs(remainder, operation.required_options)\n\n const expectedPositionals = operation.positionals ?? []\n if (positionals.length !== expectedPositionals.length)\n return null\n\n for (const option of operation.required_options ?? []) {\n if (!options[option])\n return null\n }\n\n const bindings: Record<string, string> = { ...options }\n for (let index = 0; index < expectedPositionals.length; index += 1) {\n const name = expectedPositionals[index]!\n const value = positionals[index]!\n if (name.startsWith('=')) {\n if (value !== name.slice(1))\n return null\n continue\n }\n bindings[name] = value\n }\n return bindings\n}\n\nfunction expandCombinedFlags(argv: string[]): string[] {\n return argv.flatMap((token) => {\n // Expand -rl into -r, -l (only single-letter combined flags)\n if (token.startsWith('-') && !token.startsWith('--') && token.length > 2 && /^-[a-z]+$/i.test(token)) {\n return Array.from(token.slice(1), c => `-${c}`)\n }\n return [token]\n })\n}\n\nfunction tryMatch(operations: ShapesOperation[], argv: string[]) {\n return operations.flatMap((operation) => {\n try {\n const bindings = matchOperation(operation, argv)\n return bindings ? [{ operation, bindings }] : []\n }\n catch {\n return []\n }\n })\n}\n\nexport async function resolveCommand(loaded: LoadedAdapter, fullArgv: string[]): Promise<ResolvedCommand> {\n const [executable, ...commandArgv] = fullArgv\n if (!executable) {\n throw new Error('Missing wrapped command')\n }\n if (executable !== loaded.adapter.cli.executable) {\n throw new Error(`Adapter ${loaded.adapter.cli.id} expects executable ${loaded.adapter.cli.executable}, got ${executable}`)\n }\n\n // Pass 1: exact match\n let matches = tryMatch(loaded.adapter.operations, commandArgv)\n\n // Pass 2: try with expanded combined flags (e.g. -rl → -r -l)\n if (matches.length === 0) {\n const expanded = expandCombinedFlags(commandArgv)\n if (expanded.length !== commandArgv.length) {\n matches = tryMatch(loaded.adapter.operations, expanded)\n }\n }\n\n if (matches.length === 0) {\n throw new Error(`No adapter operation matched: ${fullArgv.join(' ')}`)\n }\n if (matches.length > 1) {\n // Prefer the most specific match (longest command prefix)\n matches.sort((a, b) => b.operation.command.length - a.operation.command.length)\n matches = [matches[0]!]\n }\n\n const { operation, bindings } = matches[0]!\n const resource_chain = parseResourceChain(operation.resource_chain, bindings)\n const detail: OpenApeCliAuthorizationDetail = {\n type: 'openape_cli',\n cli_id: loaded.adapter.cli.id,\n operation_id: operation.id,\n resource_chain,\n action: operation.action,\n permission: '',\n display: renderTemplate(operation.display, bindings),\n risk: operation.risk,\n ...(operation.exact_command ? { constraints: { exact_command: true } } : {}),\n }\n detail.permission = canonicalizeCliPermission(detail)\n\n return {\n adapter: loaded.adapter,\n source: loaded.source,\n digest: loaded.digest,\n executable,\n commandArgv,\n bindings,\n detail,\n executionContext: {\n argv: fullArgv,\n argv_hash: await computeArgvHash(fullArgv),\n adapter_id: loaded.adapter.cli.id,\n adapter_version: loaded.adapter.cli.version ?? loaded.adapter.schema,\n adapter_digest: loaded.digest,\n resolved_executable: executable,\n context_bindings: bindings,\n },\n permission: detail.permission,\n }\n}\n","import { defineCommand } from 'citty'\nimport { loadAdapter } from '../adapters.js'\nimport { resolveCommand } from '../parser.js'\n\nexport const explainCommand = defineCommand({\n meta: {\n name: 'explain',\n description: 'Show what permission a wrapped command would need',\n },\n args: {\n adapter: {\n type: 'string',\n description: 'Explicit path to adapter TOML file',\n },\n _: {\n type: 'positional',\n description: 'Wrapped command (after --)',\n required: false,\n },\n },\n async run({ rawArgs }) {\n const command = extractWrappedCommand(rawArgs ?? [])\n if (command.length === 0)\n throw new Error('Missing wrapped command. Usage: shapes explain [--adapter <file>] -- <cli> ...')\n\n const adapterOpt = extractOption(rawArgs ?? [], 'adapter')\n const loaded = loadAdapter(command[0]!, adapterOpt)\n const resolved = await resolveCommand(loaded, command)\n\n process.stdout.write(`${JSON.stringify({\n adapter: resolved.adapter.cli.id,\n source: resolved.source,\n operation: resolved.detail.operation_id,\n display: resolved.detail.display,\n permission: resolved.permission,\n resource_chain: resolved.detail.resource_chain,\n exact_command: resolved.detail.constraints?.exact_command ?? false,\n adapter_digest: resolved.digest,\n }, null, 2)}\\n`)\n },\n})\n\nexport function extractWrappedCommand(args: string[]): string[] {\n const delimiter = args.indexOf('--')\n return delimiter >= 0 ? args.slice(delimiter + 1) : []\n}\n\nexport function extractOption(args: string[], name: string): string | undefined {\n const delimiter = args.indexOf('--')\n const optionArgs = delimiter >= 0 ? args.slice(0, delimiter) : args\n const index = optionArgs.indexOf(`--${name}`)\n if (index >= 0 && index + 1 < optionArgs.length)\n return optionArgs[index + 1]\n return undefined\n}\n","import type { OpenApeCliAuthorizationDetail, OpenApeGrant } from '@openape/core'\nimport { computeCmdHash } from '@openape/core'\nimport { cliAuthorizationDetailCovers, verifyAuthzJWT } from '@openape/grants'\nimport { execFileSync } from 'node:child_process'\nimport { hostname } from 'node:os'\nimport consola from 'consola'\nimport { getRequesterIdentity } from './config.js'\nimport { getGenericAuditLogPath } from '../config.js'\nimport { resolveCommand } from './parser.js'\nimport { loadOrInstallAdapter } from './shell-parser.js'\nimport type { ResolvedCommand } from './types.js'\nimport { apiFetch, discoverEndpoints, getGrantsEndpoint } from './http.js'\nimport { appendGenericCallLog } from '../audit/generic-log.js'\nimport { isGenericResolved } from './generic.js'\n\nfunction decodePayload(token: string): Record<string, unknown> {\n const [, payload] = token.split('.')\n if (!payload)\n throw new Error('Invalid JWT')\n return JSON.parse(Buffer.from(payload, 'base64url').toString('utf-8')) as Record<string, unknown>\n}\n\ninterface SimilarGrantsInfo {\n similar_grants: Array<{ grant: { id: string }, similar_detail_indices: number[] }>\n widened_details: Array<{ permission: string }>\n merged_details: Array<{ permission: string }>\n}\n\nexport async function createShapesGrant(\n resolved: ResolvedCommand,\n params: {\n idp: string\n approval: 'once' | 'timed' | 'always'\n reason?: string\n },\n): Promise<{ id: string, status: string, similar_grants?: SimilarGrantsInfo }> {\n const grantsEndpoint = await getGrantsEndpoint(params.idp)\n const requester = getRequesterIdentity()\n if (!requester) {\n throw new Error('No requester identity available. Run `apes login` first.')\n }\n return apiFetch<{ id: string, status: string, similar_grants?: SimilarGrantsInfo }>(grantsEndpoint, {\n method: 'POST',\n idp: params.idp,\n body: {\n requester,\n target_host: hostname(),\n audience: resolved.adapter.cli.audience ?? 'shapes',\n grant_type: params.approval,\n command: resolved.executionContext.argv,\n reason: params.reason ?? resolved.detail.display,\n permissions: [resolved.permission],\n authorization_details: [resolved.detail],\n execution_context: resolved.executionContext,\n },\n })\n}\n\nexport async function waitForGrantStatus(idp: string, grantId: string): Promise<'approved' | 'denied' | 'revoked'> {\n const grantsEndpoint = await getGrantsEndpoint(idp)\n const deadline = Date.now() + 300_000\n\n while (Date.now() < deadline) {\n const grant = await apiFetch<{ status: 'pending' | 'approved' | 'denied' | 'revoked' }>(`${grantsEndpoint}/${grantId}`, { idp })\n if (grant.status === 'approved' || grant.status === 'denied' || grant.status === 'revoked')\n return grant.status\n await new Promise(resolve => setTimeout(resolve, 3000))\n }\n\n throw new Error('Timed out waiting for grant approval')\n}\n\nexport async function fetchGrantToken(idp: string, grantId: string): Promise<string> {\n const grantsEndpoint = await getGrantsEndpoint(idp)\n const response = await apiFetch<{ authz_jwt: string }>(`${grantsEndpoint}/${grantId}/token`, {\n method: 'POST',\n idp,\n })\n return response.authz_jwt\n}\n\nfunction grantedCliDetails(claims: Record<string, unknown>): OpenApeCliAuthorizationDetail[] {\n const details = claims.authorization_details\n if (!Array.isArray(details))\n return []\n\n return details.filter((detail): detail is OpenApeCliAuthorizationDetail =>\n typeof detail === 'object'\n && detail !== null\n && (detail as Record<string, unknown>).type === 'openape_cli',\n )\n}\n\nfunction hasStructuredCliGrant(claims: Record<string, unknown>): boolean {\n return grantedCliDetails(claims).length > 0\n}\n\n/**\n * Verifies a grant token against the resolved command and marks the grant\n * as consumed on the IdP. Does NOT execute anything — callers that want\n * the one-shot behavior should use `verifyAndExecute`, callers that want\n * to run the command themselves (e.g. the interactive REPL piping through\n * a persistent bash pty) should call this and then do their own execution.\n *\n * Split out so the interactive shell can re-use the verify + consume path\n * without being forced into the `execFileSync`-based one-shot execution.\n */\nexport async function verifyAndConsume(token: string, resolved: ResolvedCommand): Promise<void> {\n const payload = decodePayload(token)\n const issuer = String(payload.iss ?? '')\n if (!issuer)\n throw new Error('Grant token is missing issuer')\n\n const discovery = await discoverEndpoints(issuer)\n const jwksUri = String(discovery.jwks_uri ?? `${issuer}/.well-known/jwks.json`)\n const result = await verifyAuthzJWT(token, {\n expectedIss: issuer,\n expectedAud: resolved.adapter.cli.audience ?? 'shapes',\n jwksUri,\n })\n\n if (!result.valid || !result.claims) {\n throw new Error(result.error ?? 'Grant verification failed')\n }\n\n const claims = result.claims\n const details = grantedCliDetails(claims as unknown as Record<string, unknown>)\n\n if (claims.execution_context?.adapter_digest && claims.execution_context.adapter_digest !== resolved.digest) {\n throw new Error('Adapter digest mismatch')\n }\n\n if (!hasStructuredCliGrant(claims as unknown as Record<string, unknown>)) {\n const argv = resolved.executionContext.argv\n if (!argv?.length) {\n throw new Error('Resolved command is missing argv')\n }\n const expectedCmdHash = await computeCmdHash(argv.join(' '))\n if (claims.command?.join('\\0') !== argv.join('\\0')) {\n throw new Error('Granted command does not match current argv')\n }\n if (claims.cmd_hash && claims.cmd_hash !== expectedCmdHash) {\n throw new Error('Granted command does not match current argv')\n }\n if (!claims.command?.length && !claims.cmd_hash) {\n throw new Error('Grant is not a structured CLI grant and is missing command binding')\n }\n }\n else {\n if (!details.some(detail => cliAuthorizationDetailCovers(detail, resolved.detail))) {\n throw new Error(`Grant does not cover required permission: ${resolved.permission}`)\n }\n\n const exactRequired = details.some(detail =>\n cliAuthorizationDetailCovers(detail, resolved.detail) && detail.constraints?.exact_command,\n )\n\n const isOnce = claims.grant_type === 'once' || claims.approval === 'once'\n const enforceArgvHash = exactRequired || (isOnce && !!claims.execution_context?.argv_hash)\n\n if (enforceArgvHash && claims.execution_context?.argv_hash !== resolved.executionContext.argv_hash) {\n throw new Error('Granted command does not match current argv')\n }\n }\n\n const grantsEndpoint = await getGrantsEndpoint(issuer)\n const consume = await fetch(`${grantsEndpoint}/${claims.grant_id}/consume`, {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${token}`,\n },\n })\n\n if (!consume.ok) {\n throw new Error(`Consume failed: ${consume.status} ${consume.statusText}`)\n }\n\n const consumeResult = await consume.json() as { error?: string }\n if (consumeResult.error) {\n throw new Error(`Grant rejected at consume step: ${consumeResult.error}`)\n }\n}\n\n/**\n * Execute a verified + consumed resolved command directly via execFileSync,\n * inheriting stdio so the caller's terminal is handed to the child. Used by\n * the one-shot `apes run --shell` path.\n */\nexport function executeResolvedViaExec(resolved: ResolvedCommand): void {\n consola.info(`Executing ${(resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv]).join(' ')}`)\n execFileSync(resolved.executable, resolved.commandArgv, { stdio: 'inherit' })\n}\n\n/**\n * One-shot verify + consume + execute. Preserves the legacy behavior of\n * the `apes run --shell` path so existing callers keep working unchanged.\n *\n * When `resolved` carries the generic-fallback operation id\n * (`_generic.exec`), a JSONL audit entry is appended to the generic-calls\n * log after the child process exits. `grantId` is needed to write the\n * entry — callers that know the grant id should pass it; if omitted, the\n * log entry is skipped (the audit hook is best-effort, not a hard gate).\n *\n * This is the central exec path for sync (`--wait`), async-default\n * (`apes grants run <id> --wait`), and REPL one-shot, so a hook here\n * covers all three flows without duplicating logic in each caller.\n */\nexport async function verifyAndExecute(\n token: string,\n resolved: ResolvedCommand,\n grantId?: string,\n): Promise<void> {\n await verifyAndConsume(token, resolved)\n\n const isGeneric = isGenericResolved(resolved)\n const start = Date.now()\n let exitCode = 0\n try {\n executeResolvedViaExec(resolved)\n }\n catch (err) {\n exitCode = (err as { status?: number })?.status ?? 1\n throw err\n }\n finally {\n if (isGeneric && grantId) {\n // Best-effort: swallow log errors so a broken audit file never\n // blocks a successful command.\n try {\n await appendGenericCallLog(\n {\n ts: new Date().toISOString(),\n cli: resolved.detail.cli_id,\n argv: resolved.executionContext.argv ?? [resolved.executable, ...resolved.commandArgv],\n argv_hash: resolved.executionContext.argv_hash ?? '',\n grant_id: grantId,\n exit_code: exitCode,\n duration_ms: Date.now() - start,\n },\n getGenericAuditLogPath(),\n )\n }\n catch (logErr) {\n consola.debug('Failed to append generic-call audit entry:', logErr)\n }\n }\n }\n}\n\n/**\n * Re-resolve a ResolvedCommand from a previously-created grant's recorded\n * request (argv + adapter digest). Used by `apes grants run <id>` to replay\n * an approved grant locally after the async approval step.\n *\n * Throws when the grant is missing argv, when the adapter cannot be loaded,\n * or when the locally installed adapter's digest no longer matches what the\n * grant was issued against.\n */\nexport async function resolveFromGrant(\n grant: {\n request: {\n command?: string[]\n execution_context?: { adapter_digest?: string, argv_hash?: string }\n authorization_details?: Array<{ type?: string, permission?: string }>\n }\n },\n): Promise<ResolvedCommand> {\n const argv = grant.request?.command\n if (!argv || argv.length === 0)\n throw new Error('Grant request is missing command argv')\n\n const executable = argv[0]\n const adapter = await loadOrInstallAdapter(executable)\n if (!adapter)\n throw new Error(`No shapes adapter found for ${executable}`)\n\n const resolved = await resolveCommand(adapter, argv)\n\n const grantDigest = grant.request.execution_context?.adapter_digest\n if (grantDigest && grantDigest !== resolved.digest) {\n throw new Error(\n `Adapter digest mismatch: grant was created against adapter ${grantDigest}, but local adapter is ${resolved.digest}. Reinstall or revert the adapter.`,\n )\n }\n\n return resolved\n}\n\nexport async function findExistingGrant(\n resolved: ResolvedCommand,\n idp: string,\n): Promise<string | null> {\n const grantsEndpoint = await getGrantsEndpoint(idp)\n const response = await apiFetch<{ data: OpenApeGrant[] }>(\n `${grantsEndpoint}?status=approved`,\n { idp },\n )\n\n const now = Math.floor(Date.now() / 1000)\n const expectedAudience = resolved.adapter.cli.audience ?? 'shapes'\n\n for (const grant of response.data) {\n const req = grant.request\n if (req.grant_type === 'once')\n continue\n if (req.grant_type === 'timed' && grant.expires_at && grant.expires_at <= now)\n continue\n if (req.audience !== expectedAudience)\n continue\n if (req.execution_context?.adapter_digest && req.execution_context.adapter_digest !== resolved.digest)\n continue\n\n const cliDetails = (req.authorization_details ?? []).filter(\n (d): d is OpenApeCliAuthorizationDetail => d.type === 'openape_cli',\n )\n\n if (cliDetails.length > 0) {\n if (cliDetails.some(detail => cliAuthorizationDetailCovers(detail, resolved.detail)))\n return grant.id\n }\n else if (req.permissions?.includes(resolved.permission)) {\n return grant.id\n }\n }\n\n return null\n}\n","import { existsSync, readFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { join } from 'node:path'\n\ninterface AuthData {\n idp: string\n access_token: string\n email: string\n expires_at: number\n}\n\nconst AUTH_FILE = join(homedir(), '.config', 'apes', 'auth.json')\n\nexport function loadAuth(): AuthData | null {\n if (!existsSync(AUTH_FILE))\n return null\n try {\n return JSON.parse(readFileSync(AUTH_FILE, 'utf-8')) as AuthData\n }\n catch {\n return null\n }\n}\n\nexport function getIdpUrl(explicit?: string): string | null {\n if (explicit)\n return explicit\n if (process.env.APES_IDP)\n return process.env.APES_IDP\n if (process.env.SHAPES_IDP)\n return process.env.SHAPES_IDP\n return loadAuth()?.idp ?? null\n}\n\nexport function getAuthToken(): string | null {\n const auth = loadAuth()\n if (!auth)\n return null\n if (auth.expires_at && Date.now() / 1000 > auth.expires_at - 30)\n return null\n return auth.access_token\n}\n\nexport function getRequesterIdentity(): string | null {\n return loadAuth()?.email ?? null\n}\n","import { getAuthToken, getIdpUrl } from './config.js'\n\nexport async function discoverEndpoints(idpUrl: string): Promise<Record<string, unknown>> {\n const response = await fetch(`${idpUrl}/.well-known/openid-configuration`)\n if (!response.ok)\n return {}\n return response.json() as Promise<Record<string, unknown>>\n}\n\nexport async function getGrantsEndpoint(idpUrl: string): Promise<string> {\n const discovery = await discoverEndpoints(idpUrl)\n return String(discovery.openape_grants_endpoint ?? `${idpUrl}/api/grants`)\n}\n\nexport async function apiFetch<T>(\n path: string,\n options: {\n method?: string\n body?: unknown\n idp?: string\n token?: string\n } = {},\n): Promise<T> {\n const token = options.token ?? getAuthToken()\n if (!token)\n throw new Error('Not authenticated. Run `apes login` first.')\n\n const idp = options.idp ?? getIdpUrl()\n if (!path.startsWith('http') && !idp)\n throw new Error('No IdP URL configured. Use --idp or log in with apes.')\n\n const url = path.startsWith('http') ? path : `${idp}${path}`\n const response = await fetch(url, {\n method: options.method ?? 'GET',\n headers: {\n Authorization: `Bearer ${token}`,\n 'Content-Type': 'application/json',\n },\n body: options.body ? JSON.stringify(options.body) : undefined,\n })\n\n if (!response.ok) {\n const text = await response.text()\n throw new Error(text || `${response.status} ${response.statusText}`)\n }\n\n return response.json() as Promise<T>\n}\n","import { mkdir, appendFile } from 'node:fs/promises'\nimport { homedir } from 'node:os'\nimport { dirname, join } from 'node:path'\n\n/**\n * A single successful generic-fallback execution entry.\n * Denied, timeout, and cancelled grants are NOT logged here — they are\n * captured by the IdP's server-side audit trail.\n */\nexport interface GenericCallLogEntry {\n /** ISO 8601 timestamp of execution completion */\n ts: string\n /** CLI id as requested by the user (e.g. \"kubectl\") */\n cli: string\n /** Full argv as executed, including the executable */\n argv: string[]\n /** SHA-256 of the argv — matches the `argv:hash` selector in resource_chain */\n argv_hash: string\n /** Grant that authorized this execution */\n grant_id: string\n /** Process exit code */\n exit_code: number\n /** Wall-clock duration from grant-approval to process exit, milliseconds */\n duration_ms: number\n}\n\n/**\n * Default audit log location. Lives under `~/.config/apes/` for consistency\n * with the rest of apes' client state (`config.toml`, `auth.json`, …).\n */\nexport function defaultGenericLogPath(): string {\n return join(homedir(), '.config', 'apes', 'generic-calls.log')\n}\n\n/**\n * Append a single generic-call entry to the audit log in JSONL format.\n * Creates the containing directory if needed.\n *\n * @param entry The call record to append\n * @param logPath Optional override (usually from `config.generic.audit_log`)\n */\nexport async function appendGenericCallLog(\n entry: GenericCallLogEntry,\n logPath?: string,\n): Promise<void> {\n const path = logPath ?? defaultGenericLogPath()\n await mkdir(dirname(path), { recursive: true })\n await appendFile(path, `${JSON.stringify(entry)}\\n`, 'utf-8')\n}\n","import { computeCmdHash } from '@openape/core'\nimport type { BuiltGrantRequest, GrantRequestOptions, ResolvedCapability, ResolvedCommand } from './types.js'\n\nexport async function buildExactCommandGrantRequest(\n command: string[],\n options: GrantRequestOptions & {\n audience: string\n },\n): Promise<BuiltGrantRequest> {\n return {\n request: {\n requester: options.requester,\n target_host: options.target_host,\n audience: options.audience,\n grant_type: options.grant_type,\n command,\n cmd_hash: await computeCmdHash(command.join(' ')),\n ...(options.reason ? { reason: options.reason } : {}),\n ...(options.run_as ? { run_as: options.run_as } : {}),\n },\n }\n}\n\nexport async function buildStructuredCliGrantRequest(\n resolved: ResolvedCommand | ResolvedCapability,\n options: GrantRequestOptions,\n): Promise<BuiltGrantRequest> {\n const details = 'detail' in resolved ? [resolved.detail] : resolved.details\n const permissions = 'permission' in resolved ? [resolved.permission] : resolved.permissions\n const command = 'executionContext' in resolved && resolved.executionContext.argv?.length\n ? resolved.executionContext.argv\n : undefined\n\n return {\n request: {\n requester: options.requester,\n target_host: options.target_host,\n audience: resolved.adapter.cli.audience ?? 'shapes',\n grant_type: options.grant_type,\n permissions,\n authorization_details: details,\n execution_context: resolved.executionContext,\n ...(command ? { command } : {}),\n ...(options.reason ? { reason: options.reason } : { reason: 'summary' in resolved ? resolved.summary : details[0]?.display }),\n ...(options.run_as ? { run_as: options.run_as } : {}),\n },\n }\n}\n"],"mappings":";;;;;;AAAA,SAAS,kBAAkB;AAC3B,SAAS,YAAY,aAAa,oBAAoB;AACtD,SAAS,eAAe;AACxB,SAAS,UAAU,YAAY;;;ACK/B,SAAS,cAAc,MAAqD;AAC1E,QAAM,UAAU,KAAK,QAAQ,GAAG;AAChC,MAAI,YAAY;AACd,WAAO;AACT,QAAM,MAAM,KAAK,MAAM,GAAG,OAAO,EAAE,KAAK;AACxC,QAAM,QAAQ,KAAK,MAAM,UAAU,CAAC,EAAE,KAAK;AAC3C,MAAI,CAAC,OAAO,CAAC;AACX,WAAO;AACT,SAAO,EAAE,KAAK,MAAM;AACtB;AAEA,SAAS,eAAe,KAAsB;AAC5C,QAAM,UAAU,IAAI,KAAK;AAEzB,MAAI,QAAQ,WAAW,GAAG,KAAK,QAAQ,SAAS,GAAG;AACjD,WAAO,QAAQ,MAAM,GAAG,EAAE;AAC5B,MAAI,YAAY;AACd,WAAO;AACT,MAAI,YAAY;AACd,WAAO;AACT,MAAI,QAAQ,WAAW,GAAG,KAAK,QAAQ,SAAS,GAAG,GAAG;AACpD,UAAM,QAAQ,QAAQ,MAAM,GAAG,EAAE,EAAE,KAAK;AACxC,QAAI,CAAC;AACH,aAAO,CAAC;AACV,WAAO,MAAM,MAAM,GAAG,EAAE,IAAI,WAAS,MAAM,KAAK,EAAE,QAAQ,UAAU,EAAE,CAAC;AAAA,EACzE;AAEA,SAAO;AACT;AAEO,SAAS,iBAAiB,SAAgC;AAC/D,QAAM,SAA0B,CAAC;AACjC,QAAM,aAAgC,CAAC;AACvC,MAAI,iBAA+C;AACnD,MAAI,eAAwC,CAAC;AAE7C,QAAM,iBAAiB,MAAM;AAC3B,QAAI,mBAAmB,eAAe,OAAO,KAAK,YAAY,EAAE,SAAS,GAAG;AAC1E,iBAAW,KAAK,YAA0C;AAC1D,qBAAe,CAAC;AAAA,IAClB;AAAA,EACF;AAEA,aAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,UAAM,OAAO,QAAQ,KAAK;AAC1B,QAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B;AAEF,QAAI,SAAS,SAAS;AACpB,qBAAe;AACf,uBAAiB;AACjB,aAAO,MAAM,CAAC;AACd;AAAA,IACF;AAEA,QAAI,SAAS,iBAAiB;AAC5B,qBAAe;AACf,uBAAiB;AACjB,qBAAe,CAAC;AAChB;AAAA,IACF;AAEA,UAAM,KAAK,cAAc,IAAI;AAC7B,QAAI,CAAC;AACH;AAEF,UAAM,QAAQ,eAAe,GAAG,KAAK;AACrC,QAAI,mBAAmB,QAAQ;AAC7B;AAAC,MAAC,OAAmC,GAAG,GAAG,IAAI;AAAA,IACjD,WACS,mBAAmB,OAAO;AACjC;AAAC,MAAC,OAAO,IAAgC,GAAG,GAAG,IAAI;AAAA,IACrD,OACK;AACH,mBAAa,GAAG,GAAG,IAAI;AAAA,IACzB;AAAA,EACF;AAEA,iBAAe;AACf,SAAO,YAAY;AAEnB,MAAI,OAAO,WAAW,qBAAqB;AACzC,UAAM,IAAI,MAAM,+BAA+B,OAAO,UAAU,SAAS,EAAE;AAAA,EAC7E;AACA,MAAI,CAAC,OAAO,KAAK,MAAM,CAAC,OAAO,IAAI,YAAY;AAC7C,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,MAAI,CAAC,OAAO,WAAW,QAAQ;AAC7B,UAAM,IAAI,MAAM,sDAAsD;AAAA,EACxE;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,KAAK;AAAA,MACH,IAAI,OAAO,OAAO,IAAI,EAAE;AAAA,MACxB,YAAY,OAAO,OAAO,IAAI,UAAU;AAAA,MACxC,GAAI,OAAO,IAAI,WAAW,EAAE,UAAU,OAAO,OAAO,IAAI,QAAQ,EAAE,IAAI,CAAC;AAAA,MACvE,GAAI,OAAO,IAAI,UAAU,EAAE,SAAS,OAAO,OAAO,IAAI,OAAO,EAAE,IAAI,CAAC;AAAA,IACtE;AAAA,IACA,YAAY,OAAO,UAAU,IAAI,CAAC,cAAc;AAC9C,UAAI,CAAC,MAAM,QAAQ,UAAU,OAAO,KAAK,UAAU,QAAQ,KAAK,WAAS,OAAO,UAAU,QAAQ,GAAG;AACnG,cAAM,IAAI,MAAM,aAAa,OAAO,UAAU,MAAM,WAAW,CAAC,uBAAuB;AAAA,MACzF;AACA,UAAI,CAAC,MAAM,QAAQ,UAAU,cAAc,KAAK,UAAU,eAAe,KAAK,WAAS,OAAO,UAAU,QAAQ,GAAG;AACjH,cAAM,IAAI,MAAM,aAAa,OAAO,UAAU,MAAM,WAAW,CAAC,8BAA8B;AAAA,MAChG;AACA,UAAI,OAAO,UAAU,OAAO,YAAY,OAAO,UAAU,YAAY,YAAY,OAAO,UAAU,WAAW,UAAU;AACrH,cAAM,IAAI,UAAU,+CAA+C;AAAA,MACrE;AACA,aAAO;AAAA,QACL,IAAI,UAAU;AAAA,QACd,SAAS,UAAU;AAAA,QACnB,GAAI,MAAM,QAAQ,UAAU,WAAW,IAAI,EAAE,aAAa,UAAU,YAAwB,IAAI,CAAC;AAAA,QACjG,GAAI,MAAM,QAAQ,UAAU,gBAAgB,IAAI,EAAE,kBAAkB,UAAU,iBAA6B,IAAI,CAAC;AAAA,QAChH,SAAS,UAAU;AAAA,QACnB,QAAQ,UAAU;AAAA,QAClB,MAAO,UAAU,QAAoC;AAAA,QACrD,gBAAgB,UAAU;AAAA,QAC1B,GAAI,UAAU,kBAAkB,SAAY,EAAE,eAAe,QAAQ,UAAU,aAAa,EAAE,IAAI,CAAC;AAAA,MACrG;AAAA,IACF,CAAC;AAAA,EACH;AACF;;;ACjIA,SAAS,2BAA2B,uBAAuB;AAOpD,IAAM,uBAAuB;AAMpC,IAAM,mBAAmB;AAWlB,SAAS,oBAAoB,OAA8B;AAChE,QAAM,UAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK;AAAA,MACH,IAAI;AAAA,MACJ,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA,IACA,YAAY,CAAC;AAAA,EACf;AACA,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,WAAW;AAAA,EACb;AACF;AAyBA,eAAsB,qBACpB,OACA,UAC0B;AAC1B,MAAI,SAAS,WAAW;AACtB,UAAM,IAAI,MAAM,4DAA4D;AAC9E,QAAM,aAAa,SAAS,CAAC;AAC7B,QAAM,cAAc,SAAS,MAAM,CAAC;AACpC,QAAM,WAAW,MAAM,gBAAgB,QAAQ;AAE/C,QAAM,UAAU,yBAAyB,KAAK,IAAI,YAAY,KAAK,GAAG,CAAC;AAEvE,QAAM,SAAwC;AAAA,IAC5C,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,gBAAgB;AAAA,MACd,EAAE,UAAU,OAAO,UAAU,EAAE,MAAM,MAAM,EAAE;AAAA,MAC7C,EAAE,UAAU,QAAQ,UAAU,EAAE,MAAM,SAAS,EAAE;AAAA,IACnD;AAAA,IACA,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ;AAAA,IACA,MAAM;AAAA,IACN,aAAa,EAAE,eAAe,KAAK;AAAA,EACrC;AACA,SAAO,aAAa,0BAA0B,MAAM;AAEpD,QAAM,UAAU,oBAAoB,KAAK;AAEzC,SAAO;AAAA,IACL,SAAS,QAAQ;AAAA,IACjB,QAAQ,QAAQ;AAAA,IAChB,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA;AAAA,IACA,UAAU,CAAC;AAAA,IACX;AAAA,IACA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,WAAW;AAAA,MACX,YAAY;AAAA,MACZ,iBAAiB;AAAA,MACjB,gBAAgB,QAAQ;AAAA,MACxB,qBAAqB;AAAA,MACrB,kBAAkB,CAAC;AAAA,IACrB;AAAA,IACA,YAAY,OAAO;AAAA,EACrB;AACF;AAKO,SAAS,kBAAkB,UAAoC;AACpE,SAAO,SAAS,OAAO,iBAAiB;AAC1C;;;AFnHA,SAAS,OAAO,SAAyB;AACvC,SAAO,WAAW,WAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK,CAAC;AACtE;AAEA,SAAS,cAAwB;AAC/B,SAAO;AAAA,IACL,KAAK,QAAQ,IAAI,GAAG,YAAY,UAAU,UAAU;AAAA,IACpD,KAAK,QAAQ,GAAG,YAAY,UAAU,UAAU;AAAA,IAChD,KAAK,QAAQ,WAAW,UAAU,UAAU;AAAA,EAC9C;AACF;AAEA,SAAS,iBAAiB,YAAwC;AAChE,aAAW,OAAO,YAAY,GAAG;AAC/B,QAAI,CAAC,WAAW,GAAG;AACjB;AACF,QAAI;AACF,YAAM,QAAQ,YAAY,GAAG,EAAE,OAAO,OAAK,EAAE,SAAS,OAAO,CAAC;AAC9D,iBAAW,QAAQ,OAAO;AACxB,cAAM,OAAO,KAAK,KAAK,IAAI;AAC3B,cAAM,UAAU,aAAa,MAAM,OAAO;AAC1C,cAAM,QAAQ,QAAQ,MAAM,iCAAiC;AAC7D,YAAI,SAAS,MAAM,CAAC,MAAM;AACxB,iBAAO;AAAA,MACX;AAAA,IACF,QACM;AAAA,IAEN;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,mBAAmB,OAAe,cAA+B;AAC/E,MAAI,cAAc;AAChB,QAAI,WAAW,YAAY;AACzB,aAAO;AACT,UAAM,IAAI,MAAM,2BAA2B,YAAY,EAAE;AAAA,EAC3D;AAGA,QAAM,aAAa,YAAY,EAAE,IAAI,SAAO,KAAK,KAAK,GAAG,KAAK,OAAO,CAAC;AACtE,QAAM,QAAQ,WAAW,KAAK,UAAQ,WAAW,IAAI,CAAC;AACtD,MAAI;AACF,WAAO;AAGT,QAAM,SAAS,iBAAiB,KAAK;AACrC,MAAI;AACF,WAAO;AAET,QAAM,IAAI,MAAM,wBAAwB,KAAK,EAAE;AACjD;AAEO,SAAS,YAAY,OAAe,cAAsC;AAC/E,QAAM,SAAS,mBAAmB,OAAO,YAAY;AACrD,QAAM,UAAU,aAAa,QAAQ,OAAO;AAC5C,QAAM,UAAU,iBAAiB,OAAO;AAGxC,QAAM,UAAU,QAAQ,IAAI,OAAO;AACnC,QAAM,YAAY,SAAS,MAAM,MAAM,GAAG,KAAK;AAC/C,QAAM,YAAY,QAAQ,IAAI,eAAe;AAC7C,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC;AAC7B,UAAM,IAAI,MAAM,WAAW,MAAM,iCAAiC,KAAK,EAAE;AAE3E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,QAAQ,OAAO,OAAO;AAAA,EACxB;AACF;AAaA,eAAsB,uBACpB,OACA,UACA,MAC0B;AAC1B,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,wBAAwB,KAAK,EAAE;AACjD,SAAO,MAAM,qBAAqB,OAAO,QAAQ;AACnD;AAGO,SAAS,eAAe,OAAe,cAA6C;AACzF,MAAI;AACF,WAAO,YAAY,OAAO,YAAY;AAAA,EACxC,QACM;AACJ,WAAO;AAAA,EACT;AACF;;;AG9GA,SAAS,gBAAgB,cAAAA,aAAY,iBAAiB;AACtD,SAAS,WAAAC,gBAAe;AACxB,SAAS,SAAS,QAAAC,aAAY;AAS9B,SAAS,YAAoB;AAC3B,SAAOA,MAAKD,SAAQ,GAAG,WAAW,QAAQ,aAAa;AACzD;AAMO,SAAS,eAAe,OAA+E;AAC5G,QAAM,OAAmB;AAAA,IACvB,GAAG;AAAA,IACH,QAAQ,MAAM;AAAA,IACd,WAAW,MAAM,aAAa,KAAK,IAAI;AAAA,EACzC;AACA,QAAM,OAAO,UAAU;AACvB,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI;AACF,QAAI,CAACD,YAAW,GAAG,EAAG,WAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AACxD,mBAAe,MAAM,GAAG,KAAK,UAAU,IAAI,CAAC;AAAA,CAAI;AAAA,EAClD,QACM;AAAA,EAEN;AACF;;;AClCA,SAAS,cAAAG,mBAAkB;AAC3B,SAAS,cAAAC,aAAY,aAAAC,YAAW,eAAAC,cAAa,gBAAAC,eAAc,YAAY,qBAAqB;AAC5F,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AAGrB,SAAS,WAAW,OAAwB;AAC1C,QAAM,OAAO,QAAQ,QAAQ,IAAI,IAAID,SAAQ;AAC7C,SAAOC,MAAK,MAAM,YAAY,UAAU,UAAU;AACpD;AAEA,SAAS,YAAY,IAAY,OAAwB;AACvD,SAAOA,MAAK,WAAW,KAAK,GAAG,GAAG,EAAE,OAAO;AAC7C;AAEA,SAAS,OAAO,SAAyB;AACvC,SAAO,WAAWN,YAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK,CAAC;AACtE;AASA,eAAsB,eAAe,OAAsB,UAA+B,CAAC,GAA2B;AACpH,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,OAAO,YAAY,MAAM,IAAI,KAAK;AACxC,QAAM,MAAM,WAAW,KAAK;AAE5B,QAAM,WAAW,MAAM,MAAM,MAAM,YAAY;AAC/C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,8BAA8B,MAAM,EAAE,KAAK,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAErG,QAAM,UAAU,MAAM,SAAS,KAAK;AACpC,QAAMO,UAAS,OAAO,OAAO;AAE7B,MAAIA,YAAW,MAAM;AACnB,UAAM,IAAI,MAAM,uBAAuB,MAAM,EAAE,cAAc,MAAM,MAAM,SAASA,OAAM,EAAE;AAE5F,QAAM,UAAUN,YAAW,IAAI;AAE/B,MAAI,CAACA,YAAW,GAAG;AACjB,IAAAC,WAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAEpC,gBAAc,MAAM,OAAO;AAE3B,SAAO,EAAE,IAAI,MAAM,IAAI,MAAM,MAAM,QAAAK,SAAQ,QAAQ;AACrD;AAEO,SAAS,mBAAmB,IAAY,OAA+B;AAC5E,QAAM,OAAO,YAAY,IAAI,KAAK;AAClC,MAAI,CAACN,YAAW,IAAI;AAClB,WAAO;AAET,QAAM,UAAUG,cAAa,MAAM,OAAO;AAC1C,SAAO,OAAO,OAAO;AACvB;AAEO,SAAS,YAAY,IAAY,OAAyB;AAC/D,SAAOH,YAAW,YAAY,IAAI,KAAK,CAAC;AAC1C;AAMO,SAAS,cAAc,IAAY,OAAyB;AACjE,QAAM,OAAO,YAAY,IAAI,KAAK;AAClC,MAAI,CAACO,YAAW,IAAI;AAClB,WAAO;AACT,aAAW,IAAI;AACf,SAAO;AACT;AASO,SAAS,wBAAwB,YAAoB,WAAyC;AACnG,QAAM,YAAkC,CAAC;AACzC,QAAM,OAAO;AAAA,IACXC,MAAK,QAAQ,IAAI,GAAG,YAAY,UAAU,UAAU;AAAA,IACpDA,MAAKC,SAAQ,GAAG,YAAY,UAAU,UAAU;AAAA,EAClD;AAEA,aAAW,OAAO,MAAM;AACtB,QAAI,CAACF,YAAW,GAAG;AACjB;AACF,QAAI;AACF,iBAAW,QAAQG,aAAY,GAAG,EAAE,OAAO,OAAK,EAAE,SAAS,OAAO,CAAC,GAAG;AACpE,cAAM,OAAOF,MAAK,KAAK,IAAI;AAC3B,cAAM,UAAUG,cAAa,MAAM,OAAO;AAC1C,cAAM,YAAY,QAAQ,MAAM,iCAAiC;AACjE,cAAM,UAAU,QAAQ,MAAM,yBAAyB;AACvD,YAAI,YAAY,CAAC,MAAM,cAAc,UAAU,CAAC,MAAM,WAAW;AAC/D,oBAAU,KAAK,EAAE,MAAM,MAAM,WAAW,UAAU,CAAC,KAAK,MAAM,WAAW,CAAC;AAAA,QAC5E;AAAA,MACF;AAAA,IACF,QACM;AAAA,IAEN;AAAA,EACF;AAEA,SAAO;AACT;;;AC9GA,SAAS,cAAAC,aAAY,aAAAC,YAAW,gBAAAC,eAAc,iBAAAC,sBAAqB;AACnE,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AAGrB,IAAM,eAAe,QAAQ,IAAI,uBAC5B;AAEL,IAAM,eAAe,KAAK,KAAK;AAE/B,SAAS,WAAmB;AAC1B,SAAOA,MAAKD,SAAQ,GAAG,YAAY,UAAU,OAAO;AACtD;AAEA,SAAS,YAAoB;AAC3B,SAAOC,MAAK,SAAS,GAAG,eAAe;AACzC;AAEA,SAAS,YAAkC;AACzC,QAAM,OAAO,UAAU;AACvB,MAAI,CAACL,YAAW,IAAI;AAClB,WAAO;AAET,MAAI;AACF,UAAM,MAAME,cAAa,MAAM,OAAO;AACtC,UAAM,OAAO,KAAK,MAAM,GAAG;AAC3B,QAAI,KAAK,cAAc,KAAK,IAAI,IAAI,KAAK,aAAa;AACpD,aAAO;AACT,WAAO;AAAA,EACT,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEA,SAAS,WAAW,OAA4B;AAC9C,QAAM,MAAM,SAAS;AACrB,MAAI,CAACF,YAAW,GAAG;AACjB,IAAAC,WAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAEpC,EAAAE,eAAc,UAAU,GAAG,KAAK,UAAU,EAAE,GAAG,OAAO,YAAY,KAAK,IAAI,EAAE,GAAG,MAAM,CAAC,CAAC;AAC1F;AAEA,eAAsB,cAAc,eAAe,OAA+B;AAChF,MAAI,CAAC,cAAc;AACjB,UAAM,SAAS,UAAU;AACzB,QAAI;AACF,aAAO;AAAA,EACX;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AACzC,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,6BAA6B,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAEvF,QAAM,QAAQ,MAAM,SAAS,KAAK;AAClC,aAAW,KAAK;AAChB,SAAO;AACT;AAEO,SAAS,eAAe,OAAsB,OAAgC;AACnF,QAAM,IAAI,MAAM,YAAY;AAC5B,SAAO,MAAM,SAAS;AAAA,IAAO,OAC3B,EAAE,GAAG,SAAS,CAAC,KACZ,EAAE,KAAK,YAAY,EAAE,SAAS,CAAC,KAC/B,EAAE,YAAY,YAAY,EAAE,SAAS,CAAC,KACtC,EAAE,KAAK,KAAK,OAAK,EAAE,SAAS,CAAC,CAAC,KAC9B,EAAE,SAAS,SAAS,CAAC;AAAA,EAC1B;AACF;AAOO,SAAS,YAAY,OAAsB,gBAAmD;AACnG,SAAO,MAAM,SAAS;AAAA,IACpB,OAAK,EAAE,OAAO,kBAAkB,EAAE,eAAe;AAAA,EACnD;AACF;;;AC/EA,SAAS,YAAAG,iBAAgB;AACzB,OAAO,aAAa;AACpB,SAAS,SAAS,kBAAkB;AAuBpC,IAAM,qBAAqB,oBAAI,IAAI,CAAC,MAAM,MAAM,KAAK,KAAK,KAAK,KAAK,MAAM,GAAG,CAAC;AAUvE,SAAS,kBAAkB,KAAwC;AACxE,QAAM,UAAU,IAAI,KAAK;AACzB,MAAI,QAAQ,WAAW,EAAG,QAAO;AAEjC,MAAI;AACJ,MAAI;AACF,aAAS,WAAW,OAAO;AAAA,EAC7B,QACM;AACJ,WAAO;AAAA,EACT;AAGA,QAAM,oBAAoB,SAAS,KAAK,OAAO;AAC/C,QAAM,mBAAmB,OAAO,KAAK,OAAK,OAAO,MAAM,YAAY,MAAM,QAAQ,QAAQ,KAAK,mBAAmB,IAAI,EAAE,EAAE,CAAC;AAC1H,QAAM,aAAa,qBAAqB;AAGxC,QAAM,eAAyB,CAAC;AAChC,aAAW,KAAK,QAAQ;AACtB,QAAI,OAAO,MAAM,UAAU;AACzB,mBAAa,KAAK,CAAC;AAAA,IACrB,OACK;AACH;AAAA,IACF;AAAA,EACF;AAEA,MAAI,aAAa,WAAW,EAAG,QAAO;AAEtC,SAAO;AAAA,IACL,YAAY,aAAa,CAAC;AAAA,IAC1B,MAAM,aAAa,MAAM,CAAC;AAAA,IAC1B;AAAA,IACA,KAAK;AAAA,EACP;AACF;AAMO,SAAS,0BAA0B,SAAkC;AAC1E,MAAI,QAAQ,SAAS,EAAG,QAAO;AAC/B,MAAI,QAAQ,CAAC,MAAM,UAAU,QAAQ,CAAC,MAAM,KAAM,QAAO;AACzD,MAAI,QAAQ,CAAC,MAAM,KAAM,QAAO;AAEhC,SAAO,QAAQ,MAAM,CAAC,EAAE,KAAK,GAAG;AAClC;AASA,eAAsB,qBAAqB,OAA8C;AAIvF,QAAM,WAAWC,UAAS,KAAK;AAG/B,QAAM,QAAQ,eAAe,QAAQ;AACrC,MAAI,MAAO,QAAO;AAKlB,MAAI;AACF,UAAM,QAAQ,MAAM,cAAc;AAClC,UAAM,QAAQ,YAAY,OAAO,QAAQ;AACzC,QAAI,CAAC,MAAO,QAAO;AAEnB,YAAQ,KAAK,iCAAiC,MAAM,EAAE,mBAAmB;AACzE,UAAM,eAAe,OAAO,EAAE,OAAO,MAAM,CAAC;AAC5C,mBAAe;AAAA,MACb,QAAQ;AAAA,MACR,QAAQ,MAAM;AAAA,MACd,QAAQ,MAAM;AAAA,MACd,QAAQ;AAAA,IACV,CAAC;AAID,WAAO,eAAe,MAAM,EAAE;AAAA,EAChC,SACO,KAAK;AACV,YAAQ,MAAM,6CAA6C,QAAQ,KAAK,GAAG;AAC3E,WAAO;AAAA,EACT;AACF;;;AC9HA,SAAS,6BAAAC,kCAAiC;AAQ1C,SAAS,yBAAyB,OAA0C;AAC1E,QAAM,CAAC,UAAU,eAAe,GAAG,IAAI,MAAM,MAAM,KAAK,CAAC;AACzD,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,iCAAiC,KAAK,EAAE;AAAA,EAC1D;AAEA,MAAI,iBAAiB,KAAK;AACxB,WAAO,EAAE,UAAU,cAAc,CAAC,EAAE;AAAA,EACtC;AAEA,QAAM,eAAe,aAAa,MAAM,GAAG,EACxC,IAAI,CAAC,YAAY;AAChB,UAAM,CAAC,GAAG,IAAI,QAAQ,MAAM,KAAK,CAAC;AAClC,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,6BAA6B,OAAO,EAAE;AACxD,WAAO;AAAA,EACT,CAAC;AAEH,SAAO,EAAE,UAAU,aAAa;AAClC;AAEA,SAAS,eAAe,WAAyD;AAC/E,SAAO,UAAU,eAAe,IAAI,wBAAwB;AAC9D;AAEA,SAAS,kBAAkB,YAA+B,UAA4B;AACpF,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,aAAa,YAAY;AAClC,eAAW,SAAS,eAAe,SAAS,GAAG;AAC7C,UAAI,MAAM,aAAa;AACrB;AACF,iBAAW,OAAO,MAAM,cAAc;AACpC,aAAK,IAAI,GAAG;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACA,SAAO,MAAM,KAAK,IAAI,EAAE,KAAK;AAC/B;AAEA,SAAS,sBAAsB,KAA+D;AAC5F,QAAM,CAAC,KAAK,KAAK,IAAI,IAAI,MAAM,KAAK,CAAC;AACrC,MAAI,CAAC,OAAO,CAAC,OAAO;AAClB,UAAM,IAAI,MAAM,qBAAqB,GAAG,EAAE;AAAA,EAC5C;AAEA,QAAM,CAAC,UAAU,GAAG,IAAI,IAAI,MAAM,KAAK,CAAC;AACxC,MAAI,CAAC,YAAY,CAAC,KAAK;AACrB,UAAM,IAAI,MAAM,iDAAiD,GAAG,EAAE;AAAA,EACxE;AAEA,SAAO,EAAE,UAAU,KAAK,MAAM;AAChC;AAEA,SAAS,eAAe,UAA2C;AACjE,MAAI,CAAC,YAAY,OAAO,KAAK,QAAQ,EAAE,WAAW;AAChD,WAAO;AACT,SAAO,OAAO,QAAQ,QAAQ,EAC3B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,EACrC,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,GAAG,GAAG,IAAI,KAAK,EAAE,EACvC,KAAK,GAAG;AACb;AAEA,SAAS,gBAAgB,QAA+C;AACtE,QAAM,QAAQ,OAAO,eAClB,IAAI,cAAY,GAAG,SAAS,QAAQ,IAAI,eAAe,SAAS,QAAQ,CAAC,GAAG,EAC5E,KAAK,MAAM;AACd,SAAO,SAAS,OAAO,MAAM,OAAO,OAAO,MAAM,IAAI,KAAK;AAC5D;AAEO,SAAS,yBACd,QACA,QAKoB;AACpB,MAAI,OAAO,UAAU,WAAW,GAAG;AACjC,UAAM,IAAI,MAAM,qCAAqC;AAAA,EACvD;AACA,MAAI,OAAO,QAAQ,WAAW,GAAG;AAC/B,UAAM,IAAI,MAAM,mCAAmC;AAAA,EACrD;AAEA,QAAM,cAAc,oBAAI,IAAoC;AAC5D,aAAW,eAAe,OAAO,aAAa,CAAC,GAAG;AAChD,UAAM,EAAE,UAAU,KAAK,MAAM,IAAI,sBAAsB,WAAW;AAClE,UAAM,UAAU,YAAY,IAAI,QAAQ,KAAK,CAAC;AAC9C,YAAQ,GAAG,IAAI;AACf,gBAAY,IAAI,UAAU,OAAO;AAAA,EACnC;AAEA,QAAM,iBAA0C,OAAO,UAAU,IAAI,CAAC,aAAa;AACjF,UAAM,WAAW,YAAY,IAAI,QAAQ;AACzC,UAAM,YAAY,kBAAkB,OAAO,QAAQ,YAAY,QAAQ;AACvE,QAAI,UAAU;AACZ,iBAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AACvC,YAAI,CAAC,UAAU,SAAS,GAAG,GAAG;AAC5B,gBAAM,IAAI,MAAM,oBAAoB,QAAQ,IAAI,GAAG,gBAAgB,OAAO,QAAQ,IAAI,EAAE,EAAE;AAAA,QAC5F;AAAA,MACF;AAAA,IACF;AACA,WAAO,YAAY,OAAO,KAAK,QAAQ,EAAE,SAAS,IAAI,EAAE,UAAU,SAAS,IAAI,EAAE,SAAS;AAAA,EAC5F,CAAC;AAED,QAAM,oBAAoB,OAAO,UAAU,KAAK,IAAI;AACpD,QAAM,qBAAqB,OAAO,QAAQ,WAAW,OAAO,CAAC,cAAc;AACzE,UAAM,WAAW,eAAe,SAAS,EAAE,IAAI,WAAS,MAAM,QAAQ,EAAE,KAAK,IAAI;AACjF,WAAO,aAAa,qBAAqB,SAAS,WAAW,GAAG,iBAAiB,IAAI;AAAA,EACvF,CAAC;AAED,MAAI,mBAAmB,WAAW,GAAG;AACnC,UAAM,IAAI,MAAM,iDAAiD,OAAO,UAAU,KAAK,MAAM,CAAC,EAAE;AAAA,EAClG;AAEA,QAAM,UAAU,OAAO,QAAQ,IAAI,CAAC,WAAW;AAC7C,UAAM,oBAAoB,mBAAmB,OAAO,eAAa,UAAU,WAAW,MAAM;AAC5F,QAAI,kBAAkB,WAAW,GAAG;AAClC,YAAM,IAAI,MAAM,UAAU,MAAM,qCAAqC,OAAO,UAAU,KAAK,MAAM,CAAC,EAAE;AAAA,IACtG;AAEA,UAAM,gBAAgB,kBAAkB,MAAM,eAAa,UAAU,kBAAkB,IAAI;AAC3F,UAAM,QAAQ,CAAC,OAAO,UAAU,QAAQ,UAAU;AAClD,UAAM,OAAO,kBAAkB,OAA6B,CAAC,SAAS,cAAc;AAClF,aAAO,MAAM,QAAQ,UAAU,IAAI,IAAI,MAAM,QAAQ,OAAO,IAAI,UAAU,OAAO;AAAA,IACnF,GAAG,KAAK;AAER,UAAM,SAAwC;AAAA,MAC5C,MAAM;AAAA,MACN,QAAQ,OAAO,QAAQ,IAAI;AAAA,MAC3B,cAAc,cAAc,MAAM;AAAA,MAClC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,SAAS;AAAA,MACT;AAAA,MACA,GAAI,gBAAgB,EAAE,aAAa,EAAE,eAAe,KAAK,EAAE,IAAI,CAAC;AAAA,IAClE;AACA,WAAO,aAAaA,2BAA0B,MAAM;AACpD,WAAO,UAAU,gBAAgB,MAAM;AACvC,WAAO;AAAA,EACT,CAAC;AAED,SAAO;AAAA,IACL,SAAS,OAAO;AAAA,IAChB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,YAAY,OAAO,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,kBAAkB;AAAA,MAChB,YAAY,OAAO,QAAQ,IAAI;AAAA,MAC/B,iBAAiB,OAAO,QAAQ,IAAI,WAAW,OAAO,QAAQ;AAAA,MAC9D,gBAAgB,OAAO;AAAA,MACvB,qBAAqB,OAAO,QAAQ,IAAI;AAAA,MACxC,kBAAkB,OAAO;AAAA,QACvB,MAAM,KAAK,YAAY,QAAQ,CAAC,EAAE;AAAA,UAAQ,CAAC,CAAC,UAAU,QAAQ,MAC5D,OAAO,QAAQ,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,GAAG,QAAQ,IAAI,GAAG,IAAI,KAAK,CAAU;AAAA,QACvF;AAAA,MACF;AAAA,IACF;AAAA,IACA,aAAa,QAAQ,IAAI,YAAU,OAAO,UAAU;AAAA,IACpD,SAAS,QAAQ,IAAI,YAAU,OAAO,OAAO,EAAE,KAAK,IAAI;AAAA,EAC1D;AACF;;;AC3KA,SAAS,6BAAAC,4BAA2B,mBAAAC,wBAAuB;AAG3D,SAAS,gBAAgB,QAAkB,cAAqF;AAC9H,QAAM,UAAkC,CAAC;AACzC,QAAM,cAAwB,CAAC;AAC/B,QAAM,aAAa,IAAI,IAAI,gBAAgB,CAAC,CAAC;AAE7C,WAAS,QAAQ,GAAG,QAAQ,OAAO,QAAQ,SAAS,GAAG;AACrD,UAAM,QAAQ,OAAO,KAAK;AAE1B,QAAI,MAAM,WAAW,IAAI,GAAG;AAE1B,YAAM,WAAW,MAAM,MAAM,CAAC;AAC9B,YAAM,UAAU,SAAS,QAAQ,GAAG;AACpC,UAAI,WAAW,GAAG;AAChB,gBAAQ,SAAS,MAAM,GAAG,OAAO,CAAC,IAAI,SAAS,MAAM,UAAU,CAAC;AAChE;AAAA,MACF;AAEA,YAAM,OAAO,OAAO,QAAQ,CAAC;AAC7B,UAAI,QAAQ,CAAC,KAAK,WAAW,GAAG,GAAG;AACjC,gBAAQ,QAAQ,IAAI;AACpB,iBAAS;AACT;AAAA,MACF;AAEA,cAAQ,QAAQ,IAAI;AAAA,IACtB,WACS,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,KAAK,CAAC,OAAO,KAAK,KAAK,GAAG;AAEzE,YAAM,MAAM,MAAM,MAAM,CAAC;AAEzB,UAAI,IAAI,WAAW,KAAK,CAAC,WAAW,IAAI,GAAG,GAAG;AAE5C,gBAAQ,GAAG,IAAI;AAAA,MACjB,OACK;AAEH,cAAM,OAAO,OAAO,QAAQ,CAAC;AAC7B,YAAI,QAAQ,CAAC,KAAK,WAAW,GAAG,GAAG;AACjC,kBAAQ,GAAG,IAAI;AACf,mBAAS;AAAA,QACX,OACK;AACH,kBAAQ,GAAG,IAAI;AAAA,QACjB;AAAA,MACF;AAAA,IACF,OACK;AACH,kBAAY,KAAK,KAAK;AAAA,IACxB;AAAA,EACF;AAEA,SAAO,EAAE,SAAS,YAAY;AAChC;AAEA,SAAS,oBAAoB,SAAiB,UAA0C;AACtF,QAAM,QAAQ,QAAQ,MAAM,8BAA8B;AAC1D,MAAI,CAAC;AACH,WAAO;AAET,QAAM,CAAC,EAAE,MAAM,SAAS,IAAI;AAC5B,QAAM,QAAQ,SAAS,IAAI;AAC3B,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,oBAAoB,IAAI,EAAE;AAC5C,MAAI,CAAC;AACH,WAAO;AAET,MAAI,cAAc,WAAW,cAAc,QAAQ;AACjD,UAAM,CAAC,OAAO,IAAI,IAAI,MAAM,MAAM,GAAG;AACrC,QAAI,CAAC,SAAS,CAAC;AACb,YAAM,IAAI,MAAM,WAAW,IAAI,6BAA6B;AAC9D,WAAO,cAAc,UAAU,QAAQ;AAAA,EACzC;AAEA,QAAM,IAAI,MAAM,kCAAkC,SAAS,EAAE;AAC/D;AAEA,SAAS,eAAe,UAAkB,UAA0C;AAClF,SAAO,SAAS,QAAQ,gBAAgB,CAAC,GAAG,eAAuB,oBAAoB,IAAI,UAAU,KAAK,QAAQ,CAAC;AACrH;AAEA,SAAS,mBAAmB,OAAiB,UAA2D;AACtG,SAAO,MAAM,IAAI,CAAC,UAAU;AAC1B,UAAM,CAAC,UAAU,eAAe,GAAG,IAAI,MAAM,MAAM,KAAK,CAAC;AACzD,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,iCAAiC,KAAK,EAAE;AAE1D,QAAI,iBAAiB,KAAK;AACxB,aAAO,EAAE,SAAS;AAAA,IACpB;AAEA,UAAM,WAAW,OAAO;AAAA,MACtB,aAAa,MAAM,GAAG,EAAE,IAAI,CAAC,YAAY;AACvC,cAAM,CAAC,KAAK,QAAQ,IAAI,QAAQ,MAAM,KAAK,CAAC;AAC5C,YAAI,CAAC,OAAO,CAAC;AACX,gBAAM,IAAI,MAAM,6BAA6B,OAAO,EAAE;AACxD,eAAO,CAAC,KAAK,eAAe,UAAU,QAAQ,CAAC;AAAA,MACjD,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,UAAU,SAAS;AAAA,EAC9B,CAAC;AACH;AAEA,SAAS,eAAe,WAA4B,MAA+C;AACjG,MAAI,KAAK,SAAS,UAAU,QAAQ;AAClC,WAAO;AAET,QAAM,SAAS,KAAK,MAAM,GAAG,UAAU,QAAQ,MAAM;AACrD,MAAI,OAAO,KAAK,IAAI,MAAM,UAAU,QAAQ,KAAK,IAAI;AACnD,WAAO;AAET,QAAM,YAAY,KAAK,MAAM,UAAU,QAAQ,MAAM;AACrD,QAAM,EAAE,SAAS,YAAY,IAAI,gBAAgB,WAAW,UAAU,gBAAgB;AAEtF,QAAM,sBAAsB,UAAU,eAAe,CAAC;AACtD,MAAI,YAAY,WAAW,oBAAoB;AAC7C,WAAO;AAET,aAAW,UAAU,UAAU,oBAAoB,CAAC,GAAG;AACrD,QAAI,CAAC,QAAQ,MAAM;AACjB,aAAO;AAAA,EACX;AAEA,QAAM,WAAmC,EAAE,GAAG,QAAQ;AACtD,WAAS,QAAQ,GAAG,QAAQ,oBAAoB,QAAQ,SAAS,GAAG;AAClE,UAAM,OAAO,oBAAoB,KAAK;AACtC,UAAM,QAAQ,YAAY,KAAK;AAC/B,QAAI,KAAK,WAAW,GAAG,GAAG;AACxB,UAAI,UAAU,KAAK,MAAM,CAAC;AACxB,eAAO;AACT;AAAA,IACF;AACA,aAAS,IAAI,IAAI;AAAA,EACnB;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,MAA0B;AACrD,SAAO,KAAK,QAAQ,CAAC,UAAU;AAE7B,QAAI,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,WAAW,IAAI,KAAK,MAAM,SAAS,KAAK,aAAa,KAAK,KAAK,GAAG;AACpG,aAAO,MAAM,KAAK,MAAM,MAAM,CAAC,GAAG,OAAK,IAAI,CAAC,EAAE;AAAA,IAChD;AACA,WAAO,CAAC,KAAK;AAAA,EACf,CAAC;AACH;AAEA,SAAS,SAAS,YAA+B,MAAgB;AAC/D,SAAO,WAAW,QAAQ,CAAC,cAAc;AACvC,QAAI;AACF,YAAM,WAAW,eAAe,WAAW,IAAI;AAC/C,aAAO,WAAW,CAAC,EAAE,WAAW,SAAS,CAAC,IAAI,CAAC;AAAA,IACjD,QACM;AACJ,aAAO,CAAC;AAAA,IACV;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,eAAe,QAAuB,UAA8C;AACxG,QAAM,CAAC,YAAY,GAAG,WAAW,IAAI;AACrC,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AACA,MAAI,eAAe,OAAO,QAAQ,IAAI,YAAY;AAChD,UAAM,IAAI,MAAM,WAAW,OAAO,QAAQ,IAAI,EAAE,uBAAuB,OAAO,QAAQ,IAAI,UAAU,SAAS,UAAU,EAAE;AAAA,EAC3H;AAGA,MAAI,UAAU,SAAS,OAAO,QAAQ,YAAY,WAAW;AAG7D,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,WAAW,oBAAoB,WAAW;AAChD,QAAI,SAAS,WAAW,YAAY,QAAQ;AAC1C,gBAAU,SAAS,OAAO,QAAQ,YAAY,QAAQ;AAAA,IACxD;AAAA,EACF;AAEA,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,IAAI,MAAM,iCAAiC,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACvE;AACA,MAAI,QAAQ,SAAS,GAAG;AAEtB,YAAQ,KAAK,CAAC,GAAG,MAAM,EAAE,UAAU,QAAQ,SAAS,EAAE,UAAU,QAAQ,MAAM;AAC9E,cAAU,CAAC,QAAQ,CAAC,CAAE;AAAA,EACxB;AAEA,QAAM,EAAE,WAAW,SAAS,IAAI,QAAQ,CAAC;AACzC,QAAM,iBAAiB,mBAAmB,UAAU,gBAAgB,QAAQ;AAC5E,QAAM,SAAwC;AAAA,IAC5C,MAAM;AAAA,IACN,QAAQ,OAAO,QAAQ,IAAI;AAAA,IAC3B,cAAc,UAAU;AAAA,IACxB;AAAA,IACA,QAAQ,UAAU;AAAA,IAClB,YAAY;AAAA,IACZ,SAAS,eAAe,UAAU,SAAS,QAAQ;AAAA,IACnD,MAAM,UAAU;AAAA,IAChB,GAAI,UAAU,gBAAgB,EAAE,aAAa,EAAE,eAAe,KAAK,EAAE,IAAI,CAAC;AAAA,EAC5E;AACA,SAAO,aAAaD,2BAA0B,MAAM;AAEpD,SAAO;AAAA,IACL,SAAS,OAAO;AAAA,IAChB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,WAAW,MAAMC,iBAAgB,QAAQ;AAAA,MACzC,YAAY,OAAO,QAAQ,IAAI;AAAA,MAC/B,iBAAiB,OAAO,QAAQ,IAAI,WAAW,OAAO,QAAQ;AAAA,MAC9D,gBAAgB,OAAO;AAAA,MACvB,qBAAqB;AAAA,MACrB,kBAAkB;AAAA,IACpB;AAAA,IACA,YAAY,OAAO;AAAA,EACrB;AACF;;;AClOA,SAAS,qBAAqB;AAIvB,IAAM,iBAAiB,cAAc;AAAA,EAC1C,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA,MAAM;AAAA,IACJ,SAAS;AAAA,MACP,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA,GAAG;AAAA,MACD,MAAM;AAAA,MACN,aAAa;AAAA,MACb,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,MAAM,IAAI,EAAE,QAAQ,GAAG;AACrB,UAAM,UAAU,sBAAsB,WAAW,CAAC,CAAC;AACnD,QAAI,QAAQ,WAAW;AACrB,YAAM,IAAI,MAAM,gFAAgF;AAElG,UAAM,aAAa,cAAc,WAAW,CAAC,GAAG,SAAS;AACzD,UAAM,SAAS,YAAY,QAAQ,CAAC,GAAI,UAAU;AAClD,UAAM,WAAW,MAAM,eAAe,QAAQ,OAAO;AAErD,YAAQ,OAAO,MAAM,GAAG,KAAK,UAAU;AAAA,MACrC,SAAS,SAAS,QAAQ,IAAI;AAAA,MAC9B,QAAQ,SAAS;AAAA,MACjB,WAAW,SAAS,OAAO;AAAA,MAC3B,SAAS,SAAS,OAAO;AAAA,MACzB,YAAY,SAAS;AAAA,MACrB,gBAAgB,SAAS,OAAO;AAAA,MAChC,eAAe,SAAS,OAAO,aAAa,iBAAiB;AAAA,MAC7D,gBAAgB,SAAS;AAAA,IAC3B,GAAG,MAAM,CAAC,CAAC;AAAA,CAAI;AAAA,EACjB;AACF,CAAC;AAEM,SAAS,sBAAsB,MAA0B;AAC9D,QAAM,YAAY,KAAK,QAAQ,IAAI;AACnC,SAAO,aAAa,IAAI,KAAK,MAAM,YAAY,CAAC,IAAI,CAAC;AACvD;AAEO,SAAS,cAAc,MAAgB,MAAkC;AAC9E,QAAM,YAAY,KAAK,QAAQ,IAAI;AACnC,QAAM,aAAa,aAAa,IAAI,KAAK,MAAM,GAAG,SAAS,IAAI;AAC/D,QAAM,QAAQ,WAAW,QAAQ,KAAK,IAAI,EAAE;AAC5C,MAAI,SAAS,KAAK,QAAQ,IAAI,WAAW;AACvC,WAAO,WAAW,QAAQ,CAAC;AAC7B,SAAO;AACT;;;ACrDA,SAAS,sBAAsB;AAC/B,SAAS,8BAA8B,sBAAsB;AAC7D,SAAS,oBAAoB;AAC7B,SAAS,gBAAgB;AACzB,OAAOC,cAAa;;;ACLpB,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AACzC,SAAS,WAAAC,gBAAe;AACxB,SAAS,QAAAC,aAAY;AASrB,IAAM,YAAYA,MAAKD,SAAQ,GAAG,WAAW,QAAQ,WAAW;AAEzD,SAAS,WAA4B;AAC1C,MAAI,CAACF,YAAW,SAAS;AACvB,WAAO;AACT,MAAI;AACF,WAAO,KAAK,MAAMC,cAAa,WAAW,OAAO,CAAC;AAAA,EACpD,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAEO,SAAS,UAAU,UAAkC;AAC1D,MAAI;AACF,WAAO;AACT,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AACrB,MAAI,QAAQ,IAAI;AACd,WAAO,QAAQ,IAAI;AACrB,SAAO,SAAS,GAAG,OAAO;AAC5B;AAEO,SAAS,eAA8B;AAC5C,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AACT,MAAI,KAAK,cAAc,KAAK,IAAI,IAAI,MAAO,KAAK,aAAa;AAC3D,WAAO;AACT,SAAO,KAAK;AACd;AAEO,SAAS,uBAAsC;AACpD,SAAO,SAAS,GAAG,SAAS;AAC9B;;;AC3CA,eAAsB,kBAAkB,QAAkD;AACxF,QAAM,WAAW,MAAM,MAAM,GAAG,MAAM,mCAAmC;AACzE,MAAI,CAAC,SAAS;AACZ,WAAO,CAAC;AACV,SAAO,SAAS,KAAK;AACvB;AAEA,eAAsB,kBAAkB,QAAiC;AACvE,QAAM,YAAY,MAAM,kBAAkB,MAAM;AAChD,SAAO,OAAO,UAAU,2BAA2B,GAAG,MAAM,aAAa;AAC3E;AAEA,eAAsB,SACpB,MACA,UAKI,CAAC,GACO;AACZ,QAAM,QAAQ,QAAQ,SAAS,aAAa;AAC5C,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,4CAA4C;AAE9D,QAAM,MAAM,QAAQ,OAAO,UAAU;AACrC,MAAI,CAAC,KAAK,WAAW,MAAM,KAAK,CAAC;AAC/B,UAAM,IAAI,MAAM,uDAAuD;AAEzE,QAAM,MAAM,KAAK,WAAW,MAAM,IAAI,OAAO,GAAG,GAAG,GAAG,IAAI;AAC1D,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC,QAAQ,QAAQ,UAAU;AAAA,IAC1B,SAAS;AAAA,MACP,eAAe,UAAU,KAAK;AAAA,MAC9B,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,QAAQ,OAAO,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,EACtD,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,IAAI,MAAM,QAAQ,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrE;AAEA,SAAO,SAAS,KAAK;AACvB;;;AC/CA,SAAS,OAAO,kBAAkB;AAClC,SAAS,WAAAG,gBAAe;AACxB,SAAS,WAAAC,UAAS,QAAAC,aAAY;AA4BvB,SAAS,wBAAgC;AAC9C,SAAOA,MAAKF,SAAQ,GAAG,WAAW,QAAQ,mBAAmB;AAC/D;AASA,eAAsB,qBACpB,OACA,SACe;AACf,QAAM,OAAO,WAAW,sBAAsB;AAC9C,QAAM,MAAMC,SAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9C,QAAM,WAAW,MAAM,GAAG,KAAK,UAAU,KAAK,CAAC;AAAA,GAAM,OAAO;AAC9D;;;AHjCA,SAAS,cAAc,OAAwC;AAC7D,QAAM,CAAC,EAAE,OAAO,IAAI,MAAM,MAAM,GAAG;AACnC,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,aAAa;AAC/B,SAAO,KAAK,MAAM,OAAO,KAAK,SAAS,WAAW,EAAE,SAAS,OAAO,CAAC;AACvE;AAQA,eAAsB,kBACpB,UACA,QAK6E;AAC7E,QAAM,iBAAiB,MAAM,kBAAkB,OAAO,GAAG;AACzD,QAAM,YAAY,qBAAqB;AACvC,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,0DAA0D;AAAA,EAC5E;AACA,SAAO,SAA6E,gBAAgB;AAAA,IAClG,QAAQ;AAAA,IACR,KAAK,OAAO;AAAA,IACZ,MAAM;AAAA,MACJ;AAAA,MACA,aAAa,SAAS;AAAA,MACtB,UAAU,SAAS,QAAQ,IAAI,YAAY;AAAA,MAC3C,YAAY,OAAO;AAAA,MACnB,SAAS,SAAS,iBAAiB;AAAA,MACnC,QAAQ,OAAO,UAAU,SAAS,OAAO;AAAA,MACzC,aAAa,CAAC,SAAS,UAAU;AAAA,MACjC,uBAAuB,CAAC,SAAS,MAAM;AAAA,MACvC,mBAAmB,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,mBAAmB,KAAa,SAA6D;AACjH,QAAM,iBAAiB,MAAM,kBAAkB,GAAG;AAClD,QAAM,WAAW,KAAK,IAAI,IAAI;AAE9B,SAAO,KAAK,IAAI,IAAI,UAAU;AAC5B,UAAM,QAAQ,MAAM,SAAoE,GAAG,cAAc,IAAI,OAAO,IAAI,EAAE,IAAI,CAAC;AAC/H,QAAI,MAAM,WAAW,cAAc,MAAM,WAAW,YAAY,MAAM,WAAW;AAC/E,aAAO,MAAM;AACf,UAAM,IAAI,QAAQ,aAAW,WAAW,SAAS,GAAI,CAAC;AAAA,EACxD;AAEA,QAAM,IAAI,MAAM,sCAAsC;AACxD;AAEA,eAAsB,gBAAgB,KAAa,SAAkC;AACnF,QAAM,iBAAiB,MAAM,kBAAkB,GAAG;AAClD,QAAM,WAAW,MAAM,SAAgC,GAAG,cAAc,IAAI,OAAO,UAAU;AAAA,IAC3F,QAAQ;AAAA,IACR;AAAA,EACF,CAAC;AACD,SAAO,SAAS;AAClB;AAEA,SAAS,kBAAkB,QAAkE;AAC3F,QAAM,UAAU,OAAO;AACvB,MAAI,CAAC,MAAM,QAAQ,OAAO;AACxB,WAAO,CAAC;AAEV,SAAO,QAAQ;AAAA,IAAO,CAAC,WACrB,OAAO,WAAW,YACf,WAAW,QACV,OAAmC,SAAS;AAAA,EAClD;AACF;AAEA,SAAS,sBAAsB,QAA0C;AACvE,SAAO,kBAAkB,MAAM,EAAE,SAAS;AAC5C;AAYA,eAAsB,iBAAiB,OAAe,UAA0C;AAC9F,QAAM,UAAU,cAAc,KAAK;AACnC,QAAM,SAAS,OAAO,QAAQ,OAAO,EAAE;AACvC,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,+BAA+B;AAEjD,QAAM,YAAY,MAAM,kBAAkB,MAAM;AAChD,QAAM,UAAU,OAAO,UAAU,YAAY,GAAG,MAAM,wBAAwB;AAC9E,QAAM,SAAS,MAAM,eAAe,OAAO;AAAA,IACzC,aAAa;AAAA,IACb,aAAa,SAAS,QAAQ,IAAI,YAAY;AAAA,IAC9C;AAAA,EACF,CAAC;AAED,MAAI,CAAC,OAAO,SAAS,CAAC,OAAO,QAAQ;AACnC,UAAM,IAAI,MAAM,OAAO,SAAS,2BAA2B;AAAA,EAC7D;AAEA,QAAM,SAAS,OAAO;AACtB,QAAM,UAAU,kBAAkB,MAA4C;AAE9E,MAAI,OAAO,mBAAmB,kBAAkB,OAAO,kBAAkB,mBAAmB,SAAS,QAAQ;AAC3G,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI,CAAC,sBAAsB,MAA4C,GAAG;AACxE,UAAM,OAAO,SAAS,iBAAiB;AACvC,QAAI,CAAC,MAAM,QAAQ;AACjB,YAAM,IAAI,MAAM,kCAAkC;AAAA,IACpD;AACA,UAAM,kBAAkB,MAAM,eAAe,KAAK,KAAK,GAAG,CAAC;AAC3D,QAAI,OAAO,SAAS,KAAK,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG;AAClD,YAAM,IAAI,MAAM,6CAA6C;AAAA,IAC/D;AACA,QAAI,OAAO,YAAY,OAAO,aAAa,iBAAiB;AAC1D,YAAM,IAAI,MAAM,6CAA6C;AAAA,IAC/D;AACA,QAAI,CAAC,OAAO,SAAS,UAAU,CAAC,OAAO,UAAU;AAC/C,YAAM,IAAI,MAAM,oEAAoE;AAAA,IACtF;AAAA,EACF,OACK;AACH,QAAI,CAAC,QAAQ,KAAK,YAAU,6BAA6B,QAAQ,SAAS,MAAM,CAAC,GAAG;AAClF,YAAM,IAAI,MAAM,6CAA6C,SAAS,UAAU,EAAE;AAAA,IACpF;AAEA,UAAM,gBAAgB,QAAQ;AAAA,MAAK,YACjC,6BAA6B,QAAQ,SAAS,MAAM,KAAK,OAAO,aAAa;AAAA,IAC/E;AAEA,UAAM,SAAS,OAAO,eAAe,UAAU,OAAO,aAAa;AACnE,UAAM,kBAAkB,iBAAkB,UAAU,CAAC,CAAC,OAAO,mBAAmB;AAEhF,QAAI,mBAAmB,OAAO,mBAAmB,cAAc,SAAS,iBAAiB,WAAW;AAClG,YAAM,IAAI,MAAM,6CAA6C;AAAA,IAC/D;AAAA,EACF;AAEA,QAAM,iBAAiB,MAAM,kBAAkB,MAAM;AACrD,QAAM,UAAU,MAAM,MAAM,GAAG,cAAc,IAAI,OAAO,QAAQ,YAAY;AAAA,IAC1E,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,eAAe,UAAU,KAAK;AAAA,IAChC;AAAA,EACF,CAAC;AAED,MAAI,CAAC,QAAQ,IAAI;AACf,UAAM,IAAI,MAAM,mBAAmB,QAAQ,MAAM,IAAI,QAAQ,UAAU,EAAE;AAAA,EAC3E;AAEA,QAAM,gBAAgB,MAAM,QAAQ,KAAK;AACzC,MAAI,cAAc,OAAO;AACvB,UAAM,IAAI,MAAM,mCAAmC,cAAc,KAAK,EAAE;AAAA,EAC1E;AACF;AAOO,SAAS,uBAAuB,UAAiC;AACtE,EAAAE,SAAQ,KAAK,cAAc,SAAS,iBAAiB,QAAQ,CAAC,SAAS,YAAY,GAAG,SAAS,WAAW,GAAG,KAAK,GAAG,CAAC,EAAE;AACxH,eAAa,SAAS,YAAY,SAAS,aAAa,EAAE,OAAO,UAAU,CAAC;AAC9E;AAgBA,eAAsB,iBACpB,OACA,UACA,SACe;AACf,QAAM,iBAAiB,OAAO,QAAQ;AAEtC,QAAM,YAAY,kBAAkB,QAAQ;AAC5C,QAAM,QAAQ,KAAK,IAAI;AACvB,MAAI,WAAW;AACf,MAAI;AACF,2BAAuB,QAAQ;AAAA,EACjC,SACO,KAAK;AACV,eAAY,KAA6B,UAAU;AACnD,UAAM;AAAA,EACR,UACA;AACE,QAAI,aAAa,SAAS;AAGxB,UAAI;AACF,cAAM;AAAA,UACJ;AAAA,YACE,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,YAC3B,KAAK,SAAS,OAAO;AAAA,YACrB,MAAM,SAAS,iBAAiB,QAAQ,CAAC,SAAS,YAAY,GAAG,SAAS,WAAW;AAAA,YACrF,WAAW,SAAS,iBAAiB,aAAa;AAAA,YAClD,UAAU;AAAA,YACV,WAAW;AAAA,YACX,aAAa,KAAK,IAAI,IAAI;AAAA,UAC5B;AAAA,UACA,uBAAuB;AAAA,QACzB;AAAA,MACF,SACO,QAAQ;AACb,QAAAA,SAAQ,MAAM,8CAA8C,MAAM;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AACF;AAWA,eAAsB,iBACpB,OAO0B;AAC1B,QAAM,OAAO,MAAM,SAAS;AAC5B,MAAI,CAAC,QAAQ,KAAK,WAAW;AAC3B,UAAM,IAAI,MAAM,uCAAuC;AAEzD,QAAM,aAAa,KAAK,CAAC;AACzB,QAAM,UAAU,MAAM,qBAAqB,UAAU;AACrD,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,+BAA+B,UAAU,EAAE;AAE7D,QAAM,WAAW,MAAM,eAAe,SAAS,IAAI;AAEnD,QAAM,cAAc,MAAM,QAAQ,mBAAmB;AACrD,MAAI,eAAe,gBAAgB,SAAS,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,8DAA8D,WAAW,0BAA0B,SAAS,MAAM;AAAA,IACpH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,kBACpB,UACA,KACwB;AACxB,QAAM,iBAAiB,MAAM,kBAAkB,GAAG;AAClD,QAAM,WAAW,MAAM;AAAA,IACrB,GAAG,cAAc;AAAA,IACjB,EAAE,IAAI;AAAA,EACR;AAEA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,mBAAmB,SAAS,QAAQ,IAAI,YAAY;AAE1D,aAAW,SAAS,SAAS,MAAM;AACjC,UAAM,MAAM,MAAM;AAClB,QAAI,IAAI,eAAe;AACrB;AACF,QAAI,IAAI,eAAe,WAAW,MAAM,cAAc,MAAM,cAAc;AACxE;AACF,QAAI,IAAI,aAAa;AACnB;AACF,QAAI,IAAI,mBAAmB,kBAAkB,IAAI,kBAAkB,mBAAmB,SAAS;AAC7F;AAEF,UAAM,cAAc,IAAI,yBAAyB,CAAC,GAAG;AAAA,MACnD,CAAC,MAA0C,EAAE,SAAS;AAAA,IACxD;AAEA,QAAI,WAAW,SAAS,GAAG;AACzB,UAAI,WAAW,KAAK,YAAU,6BAA6B,QAAQ,SAAS,MAAM,CAAC;AACjF,eAAO,MAAM;AAAA,IACjB,WACS,IAAI,aAAa,SAAS,SAAS,UAAU,GAAG;AACvD,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AAEA,SAAO;AACT;;;AItUA,SAAS,kBAAAC,uBAAsB;AAG/B,eAAsB,8BACpB,SACA,SAG4B;AAC5B,SAAO;AAAA,IACL,SAAS;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,MACrB,UAAU,QAAQ;AAAA,MAClB,YAAY,QAAQ;AAAA,MACpB;AAAA,MACA,UAAU,MAAMA,gBAAe,QAAQ,KAAK,GAAG,CAAC;AAAA,MAChD,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,MACnD,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACrD;AAAA,EACF;AACF;AAEA,eAAsB,+BACpB,UACA,SAC4B;AAC5B,QAAM,UAAU,YAAY,WAAW,CAAC,SAAS,MAAM,IAAI,SAAS;AACpE,QAAM,cAAc,gBAAgB,WAAW,CAAC,SAAS,UAAU,IAAI,SAAS;AAChF,QAAM,UAAU,sBAAsB,YAAY,SAAS,iBAAiB,MAAM,SAC9E,SAAS,iBAAiB,OAC1B;AAEJ,SAAO;AAAA,IACL,SAAS;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,MACrB,UAAU,SAAS,QAAQ,IAAI,YAAY;AAAA,MAC3C,YAAY,QAAQ;AAAA,MACpB;AAAA,MACA,uBAAuB;AAAA,MACvB,mBAAmB,SAAS;AAAA,MAC5B,GAAI,UAAU,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC7B,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,aAAa,WAAW,SAAS,UAAU,QAAQ,CAAC,GAAG,QAAQ;AAAA,MAC3H,GAAI,QAAQ,SAAS,EAAE,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IACrD;AAAA,EACF;AACF;","names":["existsSync","homedir","join","createHash","existsSync","mkdirSync","readdirSync","readFileSync","homedir","join","digest","existsSync","join","homedir","readdirSync","readFileSync","existsSync","mkdirSync","readFileSync","writeFileSync","homedir","join","basename","basename","canonicalizeCliPermission","canonicalizeCliPermission","computeArgvHash","consola","existsSync","readFileSync","homedir","join","homedir","dirname","join","consola","computeCmdHash"]}
|