@openape/apes 1.29.1 → 1.31.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-NYJSBFLG.js → chunk-MMBFV5WN.js} +14 -6
- package/dist/{chunk-NYJSBFLG.js.map → chunk-MMBFV5WN.js.map} +1 -1
- package/dist/cli.js +672 -1455
- package/dist/cli.js.map +1 -1
- package/dist/{http-UPOTOYQV.js → http-SILH37L7.js} +2 -2
- package/dist/index.js +1 -1
- package/dist/{orchestrator-P7QFDBBK.js → orchestrator-6PZXCE54.js} +2 -2
- package/dist/{server-FB7FC2NT.js → server-MDXOGP2U.js} +3 -3
- package/package.json +6 -6
- /package/dist/{http-UPOTOYQV.js.map → http-SILH37L7.js.map} +0 -0
- /package/dist/{orchestrator-P7QFDBBK.js.map → orchestrator-6PZXCE54.js.map} +0 -0
- /package/dist/{server-FB7FC2NT.js.map → server-MDXOGP2U.js.map} +0 -0
|
@@ -161,6 +161,8 @@ async function ensureFreshToken() {
|
|
|
161
161
|
const oauthToken = await refreshOAuthToken();
|
|
162
162
|
return oauthToken ?? null;
|
|
163
163
|
}
|
|
164
|
+
var MAX_RATE_LIMIT_RETRIES = 3;
|
|
165
|
+
var RATE_LIMIT_WAIT_CAP_MS = 12e3;
|
|
164
166
|
async function apiFetch(path, options = {}) {
|
|
165
167
|
const token = options.token ?? await ensureFreshToken();
|
|
166
168
|
if (!token) {
|
|
@@ -185,11 +187,17 @@ async function apiFetch(path, options = {}) {
|
|
|
185
187
|
consola.debug(`${method} ${url}`);
|
|
186
188
|
consola.debug(`Token: ${token.substring(0, 20)}...${token.substring(token.length - 10)}`);
|
|
187
189
|
}
|
|
188
|
-
const
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
190
|
+
const fetchInit = { method, headers, body: options.body ? JSON.stringify(options.body) : void 0 };
|
|
191
|
+
let response = await fetch(url, fetchInit);
|
|
192
|
+
for (let rlAttempt = 0; response.status === 429 && rlAttempt < MAX_RATE_LIMIT_RETRIES; rlAttempt++) {
|
|
193
|
+
const retryAfter = Number(response.headers.get("retry-after"));
|
|
194
|
+
const waitMs = Math.min((Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter : 2 ** rlAttempt) * 1e3, RATE_LIMIT_WAIT_CAP_MS);
|
|
195
|
+
await response.text().catch(() => {
|
|
196
|
+
});
|
|
197
|
+
consola.info(`Rate limited by IdP \u2014 retrying in ${Math.round(waitMs / 1e3)}s (${rlAttempt + 1}/${MAX_RATE_LIMIT_RETRIES})`);
|
|
198
|
+
await new Promise((resolve) => setTimeout(resolve, waitMs));
|
|
199
|
+
response = await fetch(url, fetchInit);
|
|
200
|
+
}
|
|
193
201
|
if (debug) {
|
|
194
202
|
consola.debug(`Response: ${response.status} ${response.statusText}`);
|
|
195
203
|
}
|
|
@@ -221,4 +229,4 @@ export {
|
|
|
221
229
|
ensureFreshToken,
|
|
222
230
|
apiFetch
|
|
223
231
|
};
|
|
224
|
-
//# sourceMappingURL=chunk-
|
|
232
|
+
//# sourceMappingURL=chunk-MMBFV5WN.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/http.ts"],"sourcesContent":["import consola from 'consola'\nimport { getAuthToken, getIdpUrl, loadAuth, loadConfig, saveAuth } from './config'\n\nconst debug = process.argv.includes('--debug')\n\nexport class ApiError extends Error {\n constructor(public statusCode: number, message: string, public problemDetails?: Record<string, unknown>) {\n super(message)\n this.name = 'ApiError'\n }\n}\n\n// OIDC Discovery cache (one-time per CLI invocation)\nconst _discoveryCache: Record<string, Record<string, unknown>> = {}\n\nexport async function discoverEndpoints(idpUrl: string): Promise<Record<string, unknown>> {\n if (_discoveryCache[idpUrl]) {\n return _discoveryCache[idpUrl]\n }\n\n try {\n const response = await fetch(`${idpUrl}/.well-known/openid-configuration`)\n if (response.ok) {\n const data = await response.json() as Record<string, unknown>\n _discoveryCache[idpUrl] = data\n return data\n }\n }\n catch {}\n\n // Return empty if discovery fails (graceful degradation)\n _discoveryCache[idpUrl] = {}\n return {}\n}\n\nexport async function getGrantsEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.openape_grants_endpoint as string) || `${idpUrl}/api/grants`\n}\n\nexport async function getAgentChallengeEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n // Read canonical ddisa_auth_challenge_endpoint (emitted by server since M3).\n // Fall back to legacy ddisa_agent_challenge_endpoint for backward-compat with older IdPs.\n return (disco.ddisa_auth_challenge_endpoint as string)\n || (disco.ddisa_agent_challenge_endpoint as string)\n || `${idpUrl}/api/auth/challenge`\n}\n\nexport async function getAgentAuthenticateEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n // Read canonical ddisa_auth_authenticate_endpoint (emitted by server since M3).\n // Fall back to legacy ddisa_agent_authenticate_endpoint for backward-compat with older IdPs.\n return (disco.ddisa_auth_authenticate_endpoint as string)\n || (disco.ddisa_agent_authenticate_endpoint as string)\n || `${idpUrl}/api/auth/authenticate`\n}\n\nexport async function getDelegationsEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.openape_delegations_endpoint as string) || `${idpUrl}/api/delegations`\n}\n\n/**\n * Re-authenticate an agent using Ed25519 challenge-response.\n * Called automatically when the token is expired.\n */\nasync function refreshAgentToken(): Promise<string | null> {\n const auth = loadAuth()\n if (!auth)\n return null\n\n const config = loadConfig()\n const keyPath = config.agent?.key\n if (!keyPath)\n return null\n\n try {\n const { readFileSync } = await import('node:fs')\n const { sign } = await import('node:crypto')\n const { homedir } = await import('node:os')\n const { loadEd25519PrivateKey } = await import('./ssh-key.js')\n\n const resolved = keyPath.replace(/^~/, homedir())\n const keyContent = readFileSync(resolved, 'utf-8')\n const privateKey = loadEd25519PrivateKey(keyContent)\n\n const challengeUrl = await getAgentChallengeEndpoint(auth.idp)\n const challengeResp = await fetch(challengeUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n // Use canonical `id` field (the server's /api/auth/challenge handler expects `id`).\n body: JSON.stringify({ id: auth.email }),\n })\n\n if (!challengeResp.ok)\n return null\n\n const { challenge } = await challengeResp.json() as { challenge: string }\n const { Buffer } = await import('node:buffer')\n const signature = sign(null, Buffer.from(challenge), privateKey).toString('base64')\n\n const authenticateUrl = await getAgentAuthenticateEndpoint(auth.idp)\n const authResp = await fetch(authenticateUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n // Use canonical `id` field (the server's /api/auth/authenticate handler expects `id`).\n body: JSON.stringify({ id: auth.email, challenge, signature }),\n })\n\n if (!authResp.ok)\n return null\n\n const { token, expires_in } = await authResp.json() as { token: string, expires_in: number }\n\n saveAuth({\n ...auth,\n access_token: token,\n expires_at: Math.floor(Date.now() / 1000) + (expires_in || 3600),\n })\n\n if (debug) {\n consola.debug('Token refreshed via Ed25519 challenge-response')\n }\n\n return token\n }\n catch {\n return null\n }\n}\n\n/**\n * Refresh an OAuth2 access token using a stored refresh_token. Used for\n * PKCE/browser login sessions where no Ed25519 agent key is configured.\n *\n * Serialized via a file lock so concurrent apes/ape-shell invocations don't\n * both consume the same rotating refresh token (which would revoke the\n * entire family server-side).\n */\nasync function refreshOAuthToken(): Promise<string | null> {\n const auth = loadAuth()\n if (!auth?.refresh_token)\n return null\n\n const { acquireAuthLock, releaseAuthLock } = await import('./auth-lock.js')\n const lock = await acquireAuthLock({ timeoutMs: 5000 })\n if (!lock) {\n // Another process is refreshing. It should have updated auth.json by now;\n // re-read and return whatever fresh token is there (may still be null).\n return getAuthToken()\n }\n\n try {\n // Re-read auth.json inside the lock — another holder may already have\n // refreshed while we were waiting, in which case we reuse the new token.\n const latest = loadAuth()\n if (latest?.expires_at && Date.now() / 1000 < latest.expires_at - 30)\n return latest.access_token\n\n const activeRefreshToken = latest?.refresh_token ?? auth.refresh_token\n if (!activeRefreshToken)\n return null\n\n const disco = await discoverEndpoints(auth.idp)\n const tokenEndpoint = (disco.token_endpoint as string) || `${auth.idp}/token`\n\n const body = new URLSearchParams({\n grant_type: 'refresh_token',\n refresh_token: activeRefreshToken,\n })\n\n const resp = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n })\n\n if (!resp.ok) {\n // Family may have been revoked server-side — clear refresh_token to\n // prevent an infinite retry loop on every subsequent apes invocation.\n if (resp.status === 400 || resp.status === 401) {\n const base = latest ?? auth\n saveAuth({ ...base, refresh_token: undefined })\n }\n return null\n }\n\n const tokens = await resp.json() as {\n access_token: string\n refresh_token?: string\n expires_in?: number\n }\n\n const base = latest ?? auth\n saveAuth({\n ...base,\n access_token: tokens.access_token,\n refresh_token: tokens.refresh_token ?? base.refresh_token,\n expires_at: Math.floor(Date.now() / 1000) + (tokens.expires_in || 300),\n })\n\n if (debug)\n consola.debug('Token refreshed via OAuth refresh_token')\n\n return tokens.access_token\n }\n finally {\n await releaseAuthLock(lock)\n }\n}\n\n/**\n * Refresh the local IdP token if it has expired. Used by every code path\n * that needs an access token — `apiFetch` for IdP-bound HTTP calls, plus\n * any pure-introspection command (`apes whoami`, `apes config get …`)\n * that previously only read local auth state and surfaced a stale\n * \"expired\" without attempting renewal.\n *\n * Returns the fresh access token on success, or null when no refresh\n * path is available (no agent key AND no refresh_token, or both refresh\n * attempts failed). Callers decide what to do with null — `apiFetch`\n * throws \"Not authenticated\", `whoami` falls back to the on-disk state.\n */\nexport async function ensureFreshToken(): Promise<string | null> {\n const cached = getAuthToken()\n if (cached) return cached\n\n // Auto-refresh: priority (1) ed25519 agent key, (2) OAuth refresh_token.\n // Agent-key first because it is concurrency-safe — every challenge is\n // independent server-side, so parallel ape-shell spawns don't race.\n const agentToken = await refreshAgentToken()\n if (agentToken) return agentToken\n const oauthToken = await refreshOAuthToken()\n return oauthToken ?? null\n}\n\nexport async function apiFetch<T = unknown>(\n path: string,\n options: {\n method?: string\n body?: unknown\n idp?: string\n token?: string\n } = {},\n): Promise<T> {\n const token = options.token ?? await ensureFreshToken()\n\n if (!token) {\n throw new Error('Not authenticated (token expired). Run `apes login` first.')\n }\n\n let url: string\n if (path.startsWith('http')) {\n url = path\n }\n else {\n const idp = options.idp || getIdpUrl()\n if (!idp) {\n throw new Error('No IdP URL configured. Run `apes login` first or pass --idp.')\n }\n url = `${idp}${path}`\n }\n const method = options.method || 'GET'\n const headers: Record<string, string> = {\n 'Authorization': `Bearer ${token}`,\n 'Content-Type': 'application/json',\n }\n\n if (debug) {\n consola.debug(`${method} ${url}`)\n consola.debug(`Token: ${token.substring(0, 20)}...${token.substring(token.length - 10)}`)\n }\n\n const response = await fetch(url, {\n method,\n headers,\n body: options.body ? JSON.stringify(options.body) : undefined,\n })\n\n if (debug) {\n consola.debug(`Response: ${response.status} ${response.statusText}`)\n }\n\n if (!response.ok) {\n const contentType = response.headers.get('content-type') || ''\n\n // Parse RFC 7807 Problem Details\n if (contentType.includes('application/problem+json') || contentType.includes('application/json')) {\n try {\n const problem = await response.json() as Record<string, unknown>\n const message = (problem.detail as string) || (problem.title as string) || (problem.statusMessage as string) || (problem.message as string) || `${response.status} ${response.statusText}`\n throw new ApiError(response.status, message, problem)\n }\n catch (e) {\n if (e instanceof ApiError)\n throw e\n }\n }\n\n const text = await response.text()\n throw new ApiError(response.status, text || `${response.status} ${response.statusText}`)\n }\n\n return response.json() as Promise<T>\n}\n"],"mappings":";;;;;;;;;;AAAA,OAAO,aAAa;AAGpB,IAAM,QAAQ,QAAQ,KAAK,SAAS,SAAS;AAEtC,IAAM,WAAN,cAAuB,MAAM;AAAA,EAClC,YAAmB,YAAoB,SAAwB,gBAA0C;AACvG,UAAM,OAAO;AADI;AAA4C;AAE7D,SAAK,OAAO;AAAA,EACd;AAAA,EAHmB;AAAA,EAA4C;AAIjE;AAGA,IAAM,kBAA2D,CAAC;AAElE,eAAsB,kBAAkB,QAAkD;AACxF,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,MAAM,mCAAmC;AACzE,QAAI,SAAS,IAAI;AACf,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,sBAAgB,MAAM,IAAI;AAC1B,aAAO;AAAA,IACT;AAAA,EACF,QACM;AAAA,EAAC;AAGP,kBAAgB,MAAM,IAAI,CAAC;AAC3B,SAAO,CAAC;AACV;AAEA,eAAsB,kBAAkB,QAAiC;AACvE,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,2BAAsC,GAAG,MAAM;AAC/D;AAEA,eAAsB,0BAA0B,QAAiC;AAC/E,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAG5C,SAAQ,MAAM,iCACR,MAAM,kCACP,GAAG,MAAM;AAChB;AAEA,eAAsB,6BAA6B,QAAiC;AAClF,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAG5C,SAAQ,MAAM,oCACR,MAAM,qCACP,GAAG,MAAM;AAChB;AAEA,eAAsB,uBAAuB,QAAiC;AAC5E,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,gCAA2C,GAAG,MAAM;AACpE;AAMA,eAAe,oBAA4C;AACzD,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAET,QAAM,SAAS,WAAW;AAC1B,QAAM,UAAU,OAAO,OAAO;AAC9B,MAAI,CAAC;AACH,WAAO;AAET,MAAI;AACF,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,IAAS;AAC/C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,QAAa;AAC3C,UAAM,EAAE,QAAQ,IAAI,MAAM,OAAO,IAAS;AAC1C,UAAM,EAAE,sBAAsB,IAAI,MAAM,OAAO,uBAAc;AAE7D,UAAM,WAAW,QAAQ,QAAQ,MAAM,QAAQ,CAAC;AAChD,UAAM,aAAa,aAAa,UAAU,OAAO;AACjD,UAAM,aAAa,sBAAsB,UAAU;AAEnD,UAAM,eAAe,MAAM,0BAA0B,KAAK,GAAG;AAC7D,UAAM,gBAAgB,MAAM,MAAM,cAAc;AAAA,MAC9C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA;AAAA,MAE9C,MAAM,KAAK,UAAU,EAAE,IAAI,KAAK,MAAM,CAAC;AAAA,IACzC,CAAC;AAED,QAAI,CAAC,cAAc;AACjB,aAAO;AAET,UAAM,EAAE,UAAU,IAAI,MAAM,cAAc,KAAK;AAC/C,UAAM,EAAE,OAAO,IAAI,MAAM,OAAO,QAAa;AAC7C,UAAM,YAAY,KAAK,MAAM,OAAO,KAAK,SAAS,GAAG,UAAU,EAAE,SAAS,QAAQ;AAElF,UAAM,kBAAkB,MAAM,6BAA6B,KAAK,GAAG;AACnE,UAAM,WAAW,MAAM,MAAM,iBAAiB;AAAA,MAC5C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA;AAAA,MAE9C,MAAM,KAAK,UAAU,EAAE,IAAI,KAAK,OAAO,WAAW,UAAU,CAAC;AAAA,IAC/D,CAAC;AAED,QAAI,CAAC,SAAS;AACZ,aAAO;AAET,UAAM,EAAE,OAAO,WAAW,IAAI,MAAM,SAAS,KAAK;AAElD,aAAS;AAAA,MACP,GAAG;AAAA,MACH,cAAc;AAAA,MACd,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,cAAc;AAAA,IAC7D,CAAC;AAED,QAAI,OAAO;AACT,cAAQ,MAAM,gDAAgD;AAAA,IAChE;AAEA,WAAO;AAAA,EACT,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAUA,eAAe,oBAA4C;AACzD,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC,MAAM;AACT,WAAO;AAET,QAAM,EAAE,iBAAiB,gBAAgB,IAAI,MAAM,OAAO,yBAAgB;AAC1E,QAAM,OAAO,MAAM,gBAAgB,EAAE,WAAW,IAAK,CAAC;AACtD,MAAI,CAAC,MAAM;AAGT,WAAO,aAAa;AAAA,EACtB;AAEA,MAAI;AAGF,UAAM,SAAS,SAAS;AACxB,QAAI,QAAQ,cAAc,KAAK,IAAI,IAAI,MAAO,OAAO,aAAa;AAChE,aAAO,OAAO;AAEhB,UAAM,qBAAqB,QAAQ,iBAAiB,KAAK;AACzD,QAAI,CAAC;AACH,aAAO;AAET,UAAM,QAAQ,MAAM,kBAAkB,KAAK,GAAG;AAC9C,UAAM,gBAAiB,MAAM,kBAA6B,GAAG,KAAK,GAAG;AAErE,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,IACjB,CAAC;AAED,UAAM,OAAO,MAAM,MAAM,eAAe;AAAA,MACtC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AAED,QAAI,CAAC,KAAK,IAAI;AAGZ,UAAI,KAAK,WAAW,OAAO,KAAK,WAAW,KAAK;AAC9C,cAAMA,QAAO,UAAU;AACvB,iBAAS,EAAE,GAAGA,OAAM,eAAe,OAAU,CAAC;AAAA,MAChD;AACA,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,MAAM,KAAK,KAAK;AAM/B,UAAM,OAAO,UAAU;AACvB,aAAS;AAAA,MACP,GAAG;AAAA,MACH,cAAc,OAAO;AAAA,MACrB,eAAe,OAAO,iBAAiB,KAAK;AAAA,MAC5C,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,OAAO,cAAc;AAAA,IACpE,CAAC;AAED,QAAI;AACF,cAAQ,MAAM,yCAAyC;AAEzD,WAAO,OAAO;AAAA,EAChB,UACA;AACE,UAAM,gBAAgB,IAAI;AAAA,EAC5B;AACF;AAcA,eAAsB,mBAA2C;AAC/D,QAAM,SAAS,aAAa;AAC5B,MAAI,OAAQ,QAAO;AAKnB,QAAM,aAAa,MAAM,kBAAkB;AAC3C,MAAI,WAAY,QAAO;AACvB,QAAM,aAAa,MAAM,kBAAkB;AAC3C,SAAO,cAAc;AACvB;AAEA,eAAsB,SACpB,MACA,UAKI,CAAC,GACO;AACZ,QAAM,QAAQ,QAAQ,SAAS,MAAM,iBAAiB;AAEtD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,MAAI;AACJ,MAAI,KAAK,WAAW,MAAM,GAAG;AAC3B,UAAM;AAAA,EACR,OACK;AACH,UAAM,MAAM,QAAQ,OAAO,UAAU;AACrC,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AACA,UAAM,GAAG,GAAG,GAAG,IAAI;AAAA,EACrB;AACA,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAkC;AAAA,IACtC,iBAAiB,UAAU,KAAK;AAAA,IAChC,gBAAgB;AAAA,EAClB;AAEA,MAAI,OAAO;AACT,YAAQ,MAAM,GAAG,MAAM,IAAI,GAAG,EAAE;AAChC,YAAQ,MAAM,UAAU,MAAM,UAAU,GAAG,EAAE,CAAC,MAAM,MAAM,UAAU,MAAM,SAAS,EAAE,CAAC,EAAE;AAAA,EAC1F;AAEA,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC;AAAA,IACA;AAAA,IACA,MAAM,QAAQ,OAAO,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,EACtD,CAAC;AAED,MAAI,OAAO;AACT,YAAQ,MAAM,aAAa,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrE;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAG5D,QAAI,YAAY,SAAS,0BAA0B,KAAK,YAAY,SAAS,kBAAkB,GAAG;AAChG,UAAI;AACF,cAAM,UAAU,MAAM,SAAS,KAAK;AACpC,cAAM,UAAW,QAAQ,UAAsB,QAAQ,SAAqB,QAAQ,iBAA6B,QAAQ,WAAsB,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU;AACxL,cAAM,IAAI,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,MACtD,SACO,GAAG;AACR,YAAI,aAAa;AACf,gBAAM;AAAA,MACV;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,IAAI,SAAS,SAAS,QAAQ,QAAQ,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACzF;AAEA,SAAO,SAAS,KAAK;AACvB;","names":["base"]}
|
|
1
|
+
{"version":3,"sources":["../src/http.ts"],"sourcesContent":["import consola from 'consola'\nimport { getAuthToken, getIdpUrl, loadAuth, loadConfig, saveAuth } from './config'\n\nconst debug = process.argv.includes('--debug')\n\nexport class ApiError extends Error {\n constructor(public statusCode: number, message: string, public problemDetails?: Record<string, unknown>) {\n super(message)\n this.name = 'ApiError'\n }\n}\n\n// OIDC Discovery cache (one-time per CLI invocation)\nconst _discoveryCache: Record<string, Record<string, unknown>> = {}\n\nexport async function discoverEndpoints(idpUrl: string): Promise<Record<string, unknown>> {\n if (_discoveryCache[idpUrl]) {\n return _discoveryCache[idpUrl]\n }\n\n try {\n const response = await fetch(`${idpUrl}/.well-known/openid-configuration`)\n if (response.ok) {\n const data = await response.json() as Record<string, unknown>\n _discoveryCache[idpUrl] = data\n return data\n }\n }\n catch {}\n\n // Return empty if discovery fails (graceful degradation)\n _discoveryCache[idpUrl] = {}\n return {}\n}\n\nexport async function getGrantsEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.openape_grants_endpoint as string) || `${idpUrl}/api/grants`\n}\n\nexport async function getAgentChallengeEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n // Read canonical ddisa_auth_challenge_endpoint (emitted by server since M3).\n // Fall back to legacy ddisa_agent_challenge_endpoint for backward-compat with older IdPs.\n return (disco.ddisa_auth_challenge_endpoint as string)\n || (disco.ddisa_agent_challenge_endpoint as string)\n || `${idpUrl}/api/auth/challenge`\n}\n\nexport async function getAgentAuthenticateEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n // Read canonical ddisa_auth_authenticate_endpoint (emitted by server since M3).\n // Fall back to legacy ddisa_agent_authenticate_endpoint for backward-compat with older IdPs.\n return (disco.ddisa_auth_authenticate_endpoint as string)\n || (disco.ddisa_agent_authenticate_endpoint as string)\n || `${idpUrl}/api/auth/authenticate`\n}\n\nexport async function getDelegationsEndpoint(idpUrl: string): Promise<string> {\n const disco = await discoverEndpoints(idpUrl)\n return (disco.openape_delegations_endpoint as string) || `${idpUrl}/api/delegations`\n}\n\n/**\n * Re-authenticate an agent using Ed25519 challenge-response.\n * Called automatically when the token is expired.\n */\nasync function refreshAgentToken(): Promise<string | null> {\n const auth = loadAuth()\n if (!auth)\n return null\n\n const config = loadConfig()\n const keyPath = config.agent?.key\n if (!keyPath)\n return null\n\n try {\n const { readFileSync } = await import('node:fs')\n const { sign } = await import('node:crypto')\n const { homedir } = await import('node:os')\n const { loadEd25519PrivateKey } = await import('./ssh-key.js')\n\n const resolved = keyPath.replace(/^~/, homedir())\n const keyContent = readFileSync(resolved, 'utf-8')\n const privateKey = loadEd25519PrivateKey(keyContent)\n\n const challengeUrl = await getAgentChallengeEndpoint(auth.idp)\n const challengeResp = await fetch(challengeUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n // Use canonical `id` field (the server's /api/auth/challenge handler expects `id`).\n body: JSON.stringify({ id: auth.email }),\n })\n\n if (!challengeResp.ok)\n return null\n\n const { challenge } = await challengeResp.json() as { challenge: string }\n const { Buffer } = await import('node:buffer')\n const signature = sign(null, Buffer.from(challenge), privateKey).toString('base64')\n\n const authenticateUrl = await getAgentAuthenticateEndpoint(auth.idp)\n const authResp = await fetch(authenticateUrl, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n // Use canonical `id` field (the server's /api/auth/authenticate handler expects `id`).\n body: JSON.stringify({ id: auth.email, challenge, signature }),\n })\n\n if (!authResp.ok)\n return null\n\n const { token, expires_in } = await authResp.json() as { token: string, expires_in: number }\n\n saveAuth({\n ...auth,\n access_token: token,\n expires_at: Math.floor(Date.now() / 1000) + (expires_in || 3600),\n })\n\n if (debug) {\n consola.debug('Token refreshed via Ed25519 challenge-response')\n }\n\n return token\n }\n catch {\n return null\n }\n}\n\n/**\n * Refresh an OAuth2 access token using a stored refresh_token. Used for\n * PKCE/browser login sessions where no Ed25519 agent key is configured.\n *\n * Serialized via a file lock so concurrent apes/ape-shell invocations don't\n * both consume the same rotating refresh token (which would revoke the\n * entire family server-side).\n */\nasync function refreshOAuthToken(): Promise<string | null> {\n const auth = loadAuth()\n if (!auth?.refresh_token)\n return null\n\n const { acquireAuthLock, releaseAuthLock } = await import('./auth-lock.js')\n const lock = await acquireAuthLock({ timeoutMs: 5000 })\n if (!lock) {\n // Another process is refreshing. It should have updated auth.json by now;\n // re-read and return whatever fresh token is there (may still be null).\n return getAuthToken()\n }\n\n try {\n // Re-read auth.json inside the lock — another holder may already have\n // refreshed while we were waiting, in which case we reuse the new token.\n const latest = loadAuth()\n if (latest?.expires_at && Date.now() / 1000 < latest.expires_at - 30)\n return latest.access_token\n\n const activeRefreshToken = latest?.refresh_token ?? auth.refresh_token\n if (!activeRefreshToken)\n return null\n\n const disco = await discoverEndpoints(auth.idp)\n const tokenEndpoint = (disco.token_endpoint as string) || `${auth.idp}/token`\n\n const body = new URLSearchParams({\n grant_type: 'refresh_token',\n refresh_token: activeRefreshToken,\n })\n\n const resp = await fetch(tokenEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: body.toString(),\n })\n\n if (!resp.ok) {\n // Family may have been revoked server-side — clear refresh_token to\n // prevent an infinite retry loop on every subsequent apes invocation.\n if (resp.status === 400 || resp.status === 401) {\n const base = latest ?? auth\n saveAuth({ ...base, refresh_token: undefined })\n }\n return null\n }\n\n const tokens = await resp.json() as {\n access_token: string\n refresh_token?: string\n expires_in?: number\n }\n\n const base = latest ?? auth\n saveAuth({\n ...base,\n access_token: tokens.access_token,\n refresh_token: tokens.refresh_token ?? base.refresh_token,\n expires_at: Math.floor(Date.now() / 1000) + (tokens.expires_in || 300),\n })\n\n if (debug)\n consola.debug('Token refreshed via OAuth refresh_token')\n\n return tokens.access_token\n }\n finally {\n await releaseAuthLock(lock)\n }\n}\n\n/**\n * Refresh the local IdP token if it has expired. Used by every code path\n * that needs an access token — `apiFetch` for IdP-bound HTTP calls, plus\n * any pure-introspection command (`apes whoami`, `apes config get …`)\n * that previously only read local auth state and surfaced a stale\n * \"expired\" without attempting renewal.\n *\n * Returns the fresh access token on success, or null when no refresh\n * path is available (no agent key AND no refresh_token, or both refresh\n * attempts failed). Callers decide what to do with null — `apiFetch`\n * throws \"Not authenticated\", `whoami` falls back to the on-disk state.\n */\nexport async function ensureFreshToken(): Promise<string | null> {\n const cached = getAuthToken()\n if (cached) return cached\n\n // Auto-refresh: priority (1) ed25519 agent key, (2) OAuth refresh_token.\n // Agent-key first because it is concurrency-safe — every challenge is\n // independent server-side, so parallel ape-shell spawns don't race.\n const agentToken = await refreshAgentToken()\n if (agentToken) return agentToken\n const oauthToken = await refreshOAuthToken()\n return oauthToken ?? null\n}\n\n// Bounded 429 retry/backoff for the IdP's per-IP auth-endpoint rate limit.\nconst MAX_RATE_LIMIT_RETRIES = 3\nconst RATE_LIMIT_WAIT_CAP_MS = 12_000\n\nexport async function apiFetch<T = unknown>(\n path: string,\n options: {\n method?: string\n body?: unknown\n idp?: string\n token?: string\n } = {},\n): Promise<T> {\n const token = options.token ?? await ensureFreshToken()\n\n if (!token) {\n throw new Error('Not authenticated (token expired). Run `apes login` first.')\n }\n\n let url: string\n if (path.startsWith('http')) {\n url = path\n }\n else {\n const idp = options.idp || getIdpUrl()\n if (!idp) {\n throw new Error('No IdP URL configured. Run `apes login` first or pass --idp.')\n }\n url = `${idp}${path}`\n }\n const method = options.method || 'GET'\n const headers: Record<string, string> = {\n 'Authorization': `Bearer ${token}`,\n 'Content-Type': 'application/json',\n }\n\n if (debug) {\n consola.debug(`${method} ${url}`)\n consola.debug(`Token: ${token.substring(0, 20)}...${token.substring(token.length - 10)}`)\n }\n\n // Retry on 429 (the IdP's per-IP rate limit on auth endpoints). Rapid\n // sequences bunch on one IP and the last call trips the cap — e.g. a nest's\n // `agents spawn` (enroll + challenge + authenticate) immediately followed by\n // `agents destroy` (de-register). Honour Retry-After, bounded, so the call\n // rides it out instead of failing. This is well-behaved backoff, not bypass.\n const fetchInit = { method, headers, body: options.body ? JSON.stringify(options.body) : undefined }\n let response = await fetch(url, fetchInit)\n for (let rlAttempt = 0; response.status === 429 && rlAttempt < MAX_RATE_LIMIT_RETRIES; rlAttempt++) {\n const retryAfter = Number(response.headers.get('retry-after'))\n const waitMs = Math.min((Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter : 2 ** rlAttempt) * 1000, RATE_LIMIT_WAIT_CAP_MS)\n await response.text().catch(() => {}) // drain so the socket frees before the retry\n consola.info(`Rate limited by IdP — retrying in ${Math.round(waitMs / 1000)}s (${rlAttempt + 1}/${MAX_RATE_LIMIT_RETRIES})`)\n await new Promise(resolve => setTimeout(resolve, waitMs))\n response = await fetch(url, fetchInit)\n }\n\n if (debug) {\n consola.debug(`Response: ${response.status} ${response.statusText}`)\n }\n\n if (!response.ok) {\n const contentType = response.headers.get('content-type') || ''\n\n // Parse RFC 7807 Problem Details\n if (contentType.includes('application/problem+json') || contentType.includes('application/json')) {\n try {\n const problem = await response.json() as Record<string, unknown>\n const message = (problem.detail as string) || (problem.title as string) || (problem.statusMessage as string) || (problem.message as string) || `${response.status} ${response.statusText}`\n throw new ApiError(response.status, message, problem)\n }\n catch (e) {\n if (e instanceof ApiError)\n throw e\n }\n }\n\n const text = await response.text()\n throw new ApiError(response.status, text || `${response.status} ${response.statusText}`)\n }\n\n return response.json() as Promise<T>\n}\n"],"mappings":";;;;;;;;;;AAAA,OAAO,aAAa;AAGpB,IAAM,QAAQ,QAAQ,KAAK,SAAS,SAAS;AAEtC,IAAM,WAAN,cAAuB,MAAM;AAAA,EAClC,YAAmB,YAAoB,SAAwB,gBAA0C;AACvG,UAAM,OAAO;AADI;AAA4C;AAE7D,SAAK,OAAO;AAAA,EACd;AAAA,EAHmB;AAAA,EAA4C;AAIjE;AAGA,IAAM,kBAA2D,CAAC;AAElE,eAAsB,kBAAkB,QAAkD;AACxF,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,MAAM,mCAAmC;AACzE,QAAI,SAAS,IAAI;AACf,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,sBAAgB,MAAM,IAAI;AAC1B,aAAO;AAAA,IACT;AAAA,EACF,QACM;AAAA,EAAC;AAGP,kBAAgB,MAAM,IAAI,CAAC;AAC3B,SAAO,CAAC;AACV;AAEA,eAAsB,kBAAkB,QAAiC;AACvE,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,2BAAsC,GAAG,MAAM;AAC/D;AAEA,eAAsB,0BAA0B,QAAiC;AAC/E,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAG5C,SAAQ,MAAM,iCACR,MAAM,kCACP,GAAG,MAAM;AAChB;AAEA,eAAsB,6BAA6B,QAAiC;AAClF,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAG5C,SAAQ,MAAM,oCACR,MAAM,qCACP,GAAG,MAAM;AAChB;AAEA,eAAsB,uBAAuB,QAAiC;AAC5E,QAAM,QAAQ,MAAM,kBAAkB,MAAM;AAC5C,SAAQ,MAAM,gCAA2C,GAAG,MAAM;AACpE;AAMA,eAAe,oBAA4C;AACzD,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC;AACH,WAAO;AAET,QAAM,SAAS,WAAW;AAC1B,QAAM,UAAU,OAAO,OAAO;AAC9B,MAAI,CAAC;AACH,WAAO;AAET,MAAI;AACF,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,IAAS;AAC/C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,QAAa;AAC3C,UAAM,EAAE,QAAQ,IAAI,MAAM,OAAO,IAAS;AAC1C,UAAM,EAAE,sBAAsB,IAAI,MAAM,OAAO,uBAAc;AAE7D,UAAM,WAAW,QAAQ,QAAQ,MAAM,QAAQ,CAAC;AAChD,UAAM,aAAa,aAAa,UAAU,OAAO;AACjD,UAAM,aAAa,sBAAsB,UAAU;AAEnD,UAAM,eAAe,MAAM,0BAA0B,KAAK,GAAG;AAC7D,UAAM,gBAAgB,MAAM,MAAM,cAAc;AAAA,MAC9C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA;AAAA,MAE9C,MAAM,KAAK,UAAU,EAAE,IAAI,KAAK,MAAM,CAAC;AAAA,IACzC,CAAC;AAED,QAAI,CAAC,cAAc;AACjB,aAAO;AAET,UAAM,EAAE,UAAU,IAAI,MAAM,cAAc,KAAK;AAC/C,UAAM,EAAE,OAAO,IAAI,MAAM,OAAO,QAAa;AAC7C,UAAM,YAAY,KAAK,MAAM,OAAO,KAAK,SAAS,GAAG,UAAU,EAAE,SAAS,QAAQ;AAElF,UAAM,kBAAkB,MAAM,6BAA6B,KAAK,GAAG;AACnE,UAAM,WAAW,MAAM,MAAM,iBAAiB;AAAA,MAC5C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA;AAAA,MAE9C,MAAM,KAAK,UAAU,EAAE,IAAI,KAAK,OAAO,WAAW,UAAU,CAAC;AAAA,IAC/D,CAAC;AAED,QAAI,CAAC,SAAS;AACZ,aAAO;AAET,UAAM,EAAE,OAAO,WAAW,IAAI,MAAM,SAAS,KAAK;AAElD,aAAS;AAAA,MACP,GAAG;AAAA,MACH,cAAc;AAAA,MACd,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,cAAc;AAAA,IAC7D,CAAC;AAED,QAAI,OAAO;AACT,cAAQ,MAAM,gDAAgD;AAAA,IAChE;AAEA,WAAO;AAAA,EACT,QACM;AACJ,WAAO;AAAA,EACT;AACF;AAUA,eAAe,oBAA4C;AACzD,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC,MAAM;AACT,WAAO;AAET,QAAM,EAAE,iBAAiB,gBAAgB,IAAI,MAAM,OAAO,yBAAgB;AAC1E,QAAM,OAAO,MAAM,gBAAgB,EAAE,WAAW,IAAK,CAAC;AACtD,MAAI,CAAC,MAAM;AAGT,WAAO,aAAa;AAAA,EACtB;AAEA,MAAI;AAGF,UAAM,SAAS,SAAS;AACxB,QAAI,QAAQ,cAAc,KAAK,IAAI,IAAI,MAAO,OAAO,aAAa;AAChE,aAAO,OAAO;AAEhB,UAAM,qBAAqB,QAAQ,iBAAiB,KAAK;AACzD,QAAI,CAAC;AACH,aAAO;AAET,UAAM,QAAQ,MAAM,kBAAkB,KAAK,GAAG;AAC9C,UAAM,gBAAiB,MAAM,kBAA6B,GAAG,KAAK,GAAG;AAErE,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,IACjB,CAAC;AAED,UAAM,OAAO,MAAM,MAAM,eAAe;AAAA,MACtC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AAED,QAAI,CAAC,KAAK,IAAI;AAGZ,UAAI,KAAK,WAAW,OAAO,KAAK,WAAW,KAAK;AAC9C,cAAMA,QAAO,UAAU;AACvB,iBAAS,EAAE,GAAGA,OAAM,eAAe,OAAU,CAAC;AAAA,MAChD;AACA,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,MAAM,KAAK,KAAK;AAM/B,UAAM,OAAO,UAAU;AACvB,aAAS;AAAA,MACP,GAAG;AAAA,MACH,cAAc,OAAO;AAAA,MACrB,eAAe,OAAO,iBAAiB,KAAK;AAAA,MAC5C,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,OAAO,cAAc;AAAA,IACpE,CAAC;AAED,QAAI;AACF,cAAQ,MAAM,yCAAyC;AAEzD,WAAO,OAAO;AAAA,EAChB,UACA;AACE,UAAM,gBAAgB,IAAI;AAAA,EAC5B;AACF;AAcA,eAAsB,mBAA2C;AAC/D,QAAM,SAAS,aAAa;AAC5B,MAAI,OAAQ,QAAO;AAKnB,QAAM,aAAa,MAAM,kBAAkB;AAC3C,MAAI,WAAY,QAAO;AACvB,QAAM,aAAa,MAAM,kBAAkB;AAC3C,SAAO,cAAc;AACvB;AAGA,IAAM,yBAAyB;AAC/B,IAAM,yBAAyB;AAE/B,eAAsB,SACpB,MACA,UAKI,CAAC,GACO;AACZ,QAAM,QAAQ,QAAQ,SAAS,MAAM,iBAAiB;AAEtD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AAEA,MAAI;AACJ,MAAI,KAAK,WAAW,MAAM,GAAG;AAC3B,UAAM;AAAA,EACR,OACK;AACH,UAAM,MAAM,QAAQ,OAAO,UAAU;AACrC,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AACA,UAAM,GAAG,GAAG,GAAG,IAAI;AAAA,EACrB;AACA,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAkC;AAAA,IACtC,iBAAiB,UAAU,KAAK;AAAA,IAChC,gBAAgB;AAAA,EAClB;AAEA,MAAI,OAAO;AACT,YAAQ,MAAM,GAAG,MAAM,IAAI,GAAG,EAAE;AAChC,YAAQ,MAAM,UAAU,MAAM,UAAU,GAAG,EAAE,CAAC,MAAM,MAAM,UAAU,MAAM,SAAS,EAAE,CAAC,EAAE;AAAA,EAC1F;AAOA,QAAM,YAAY,EAAE,QAAQ,SAAS,MAAM,QAAQ,OAAO,KAAK,UAAU,QAAQ,IAAI,IAAI,OAAU;AACnG,MAAI,WAAW,MAAM,MAAM,KAAK,SAAS;AACzC,WAAS,YAAY,GAAG,SAAS,WAAW,OAAO,YAAY,wBAAwB,aAAa;AAClG,UAAM,aAAa,OAAO,SAAS,QAAQ,IAAI,aAAa,CAAC;AAC7D,UAAM,SAAS,KAAK,KAAK,OAAO,SAAS,UAAU,KAAK,aAAa,IAAI,aAAa,KAAK,aAAa,KAAM,sBAAsB;AACpI,UAAM,SAAS,KAAK,EAAE,MAAM,MAAM;AAAA,IAAC,CAAC;AACpC,YAAQ,KAAK,0CAAqC,KAAK,MAAM,SAAS,GAAI,CAAC,MAAM,YAAY,CAAC,IAAI,sBAAsB,GAAG;AAC3H,UAAM,IAAI,QAAQ,aAAW,WAAW,SAAS,MAAM,CAAC;AACxD,eAAW,MAAM,MAAM,KAAK,SAAS;AAAA,EACvC;AAEA,MAAI,OAAO;AACT,YAAQ,MAAM,aAAa,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrE;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAG5D,QAAI,YAAY,SAAS,0BAA0B,KAAK,YAAY,SAAS,kBAAkB,GAAG;AAChG,UAAI;AACF,cAAM,UAAU,MAAM,SAAS,KAAK;AACpC,cAAM,UAAW,QAAQ,UAAsB,QAAQ,SAAqB,QAAQ,iBAA6B,QAAQ,WAAsB,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU;AACxL,cAAM,IAAI,SAAS,SAAS,QAAQ,SAAS,OAAO;AAAA,MACtD,SACO,GAAG;AACR,YAAI,aAAa;AACf,gBAAM;AAAA,MACV;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,IAAI,SAAS,SAAS,QAAQ,QAAQ,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACzF;AAEA,SAAO,SAAS,KAAK;AACvB;","names":["base"]}
|