@p0security/cli 0.27.2 → 0.27.4

package/build/dist/commands/claude/mcp.js

@@ -161,26 +161,37 @@ const provisionServer = (argv, { client }, { server }) => __awaiter(void 0, void
     const claudeFile = yield getClaudeFile();
     (0, node_assert_1.default)(client.secret, "No client secret");
     (0, stdio_1.debug)(argv, "Server", server);
+    // Claude Code's `mcp add-json` doesn't accept oauth fields in its JSON
+    // schema (verified against claude 2.1.141). Use `claude mcp add` with
+    // explicit OAuth flags instead — the resulting `~/.claude.json` shape
+    // is the same `{ type: "http", url, oauth: { clientId, callbackPort } }`
+    // that the add-json form would have produced, but assembled by claude
+    // from the flags rather than parsed from the JSON.
+    //
+    // The client secret is delivered via the MCP_CLIENT_SECRET env var (+
+    // the `--client-secret` flag), so it never lands on disk.
+    const callbackPort = Number(client.redirectUri.split(":").at(-1));
     const args = [
         "mcp",
-        "add-json",
-        server.id,
-        `'${JSON.stringify({
-            type: "http",
-            url: server.url,
-            oauth: {
-                clientId: client.id,
-                clientSecret: client.secret,
-                callbackPort: Number(client.redirectUri.split(":").at(-1)),
-            },
-        })}'`,
-        ...(argv.scope ? ["--scope", argv.scope] : []),
+        "add",
+        "--transport",
+        "http",
+        "--client-id",
+        client.id,
+        "--callback-port",
+        String(callbackPort),
         "--client-secret",
+        ...(argv.scope ? ["--scope", argv.scope] : []),
+        server.id,
+        server.url,
     ];
     (0, stdio_1.debug)(argv, "Client secret", client.secret);
     (0, stdio_1.debug)(argv, ["claude", ...args].join(" "));
+    // Spread process.env so the spawned `claude` inherits PATH / HOME /
+    // NODE_OPTIONS / etc. (`env: { MCP_CLIENT_SECRET }` alone would replace
+    // the whole environment).
     yield (0, node_util_1.promisify)(node_child_process_1.spawn)(claudeFile, args, {
-        env: { MCP_CLIENT_SECRET: client.secret },
+        env: Object.assign(Object.assign({}, process.env), { MCP_CLIENT_SECRET: client.secret }),
         stdio: "inherit",
     });
 });

package/build/dist/commands/claude/mcp.js.map

@@ -1 +1 @@
-{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../../../src/commands/claude/mcp.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,2CAAyD;AACzD,6CAAkD;AAClD,kDAAsD;AACtD,+CAAoD;AAEpD,qCAA6D;AAC7D,8DAAiC;AACjC,2DAAiD;AACjD,gEAAkC;AAClC,0DAA6B;AAC7B,yCAAsC;AAqCtC,MAAM,WAAW,GAAG,IAAA,kBAAW,EAAC,wBAAwB,CAAC,CAAC;AAE1D,mGAAmG;AACnG,sFAAsF;AACtF,MAAM,aAAa,GAAG,KAAK,CAAC;AAErB,MAAM,UAAU,GAAG,CAAC,KAAsC,EAAE,EAAE,CACnE,KAAK;KACF,OAAO,CACN,cAAc,EACd,mBAAmB,EACnB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC;KACE,UAAU,CAAC,QAAQ,EAAE;IACpB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,gBAAgB;IAC1B,MAAM,EAAE,IAAI;CACb,CAAC;KACD,MAAM,CAAC,cAAc,EAAE;IACtB,QAAQ,EAAE,8BAA8B;IACxC,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,aAAa;CACvB,CAAC;KACD,MAAM,CAAC,OAAO,EAAE;IACf,KAAK,EAAE,GAAG;IACV,QAAQ,EACN,kEAAkE;IACpE,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC;CACtC,CAAC,EACN,CAAO,IAAI,EAAE,EAAE;IACb,IAAA,qBAAM,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpB,MAAM,kBAAkB,iCAAM,IAAI,KAAE,MAAM,EAAE,IAAI,CAAC,MAAM,IAAG,CAAC;AAC7D,CAAC,CAAA,CACF;KACA,OAAO,CACN,MAAM,EACN,4BAA4B,EAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EACR,CAAO,IAAI,EAAE,EAAE;IACb,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC,CAAA,CACF,CAAC;AApCO,QAAA,UAAU,cAoCjB;AAEN,MAAM,oBAAoB,GAAG,CAAO,IAAuB,EAAE,EAAE;IAC7D,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,GAAE,CAAC;IAEnC,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAqB,KAAK,EAAE;QACxD,GAAG,EAAE,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc;QACxD,MAAM,EAAE,KAAK;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IACH,IAAA,cAAM,EAAC,MAAM,CAAC,CAAC;AACjB,CAAC,CAAA,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAO,IAAsB,EAAE,EAAE;IAC1D,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,GAAE,CAAC;IAEnC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;QAChB,MAAM,sBAAsB,CAAC;KAC9B;IAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAE5C,MAAM,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAC9C,CAAC,CAAA,CAAC;AAEF,MAAM,WAAW,GAAG,GAAS,EAAE;IAC7B,MAAM,EAAE,GAAG,IAAA,yBAAkB,GAAE,CAAC;IAChC,QAAQ,EAAE,EAAE;QACV,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,MAAM,CAAC;QACtE,KAAK,OAAO,CAAC;QACb,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;QACpD,KAAK,SAAS;YACZ,MAAM,iCAAiC,EAAE,EAAE,CAAC;QAC9C;YACE,MAAM,IAAA,kBAAW,EAAC,EAAE,CAAC,CAAC;KACzB;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CAAO,KAAY,EAAE,IAAsB,EAAE,EAAE;;IAClE,MAAM,OAAO,GAAG,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC;IAErC,MAAM,UAAU,GAAG,MAAM,IAAA,eAAS,EAAsB,KAAK,EAAE;QAC7D,GAAG,EAAE,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc;QACxD,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ;YACR,QAAQ,EAAE,aAAa;YACvB,OAAO;YACP,WAAW,EAAE,oBAAoB,MAAA,IAAI,CAAC,YAAY,mCAAI,aAAa,EAAE;SACzC,CAAC;QAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IAEH,MAAM,kBAAE,CAAC,KAAK,CAAC,mBAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,kBAAE,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACnE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC;AACpB,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CAAO,KAAY,EAAE,IAAsB,EAAE,EAAE;IAClE,IAAI;QACF,MAAM,gBAAgB,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,WAAW,EAAE;YACtD,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;QAEH,IAAI,gBAAgB,EAAE;YACpB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAwB,CAAC;YACnE,IAAA,aAAK,EACH,IAAI,EACJ,wBAAwB,EACxB,WAAW,EACX,4CAA4C,CAC7C,CAAC;YACF,OAAO,MAAM,CAAC;SACf;KACF;IAAC,OAAO,KAAc,EAAE;QACvB,IAAA,aAAK,EAAC,IAAI,EAAE,gDAAgD,CAAC,CAAC;KAC/D;IAED,OAAO,MAAM,YAAY,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACzC,CAAC,CAAA,CAAC;AAEF,MAAM,SAAS,GAAG,CAAO,KAAY,EAAE,IAAsB,EAAE,EAAE;IAC/D,OAAA,MAAM,IAAA,eAAS,EAAmB,KAAK,EAAE;QACvC,GAAG,EAAE,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;QAC3F,MAAM,EAAE,KAAK;KACd,CAAC,CAAA;EAAA,CAAC;AAEL,MAAM,aAAa,GAAG,GAAS,EAAE;;IAC/B,MAAM,EAAE,GAAG,IAAA,yBAAkB,GAAE,CAAC;IAChC,QAAQ,EAAE,EAAE;QACV,KAAK,OAAO,CAAC;QACb,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/D,KAAK,KAAK,CAAC,CAAC;YACV,MAAM,KAAK,GAAG,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM;iBAC7D,KAAK,CAAC,MAAM,CAAC;iBACb,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAC;YACnB,OAAO,MAAA,MAAA,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,mCAAI,KAAK,CAAC,CAAC,CAAC,mCAAI,EAAE,CAAC;SAChE;QACD,KAAK,SAAS;YACZ,MAAM,iCAAiC,EAAE,EAAE,CAAC;QAC9C;YACE,MAAM,IAAA,kBAAW,EAAC,EAAE,CAAC,CAAC;KACzB;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,eAAe,GAAG,CACtB,IAAsB,EACtB,EAAE,MAAM,EAAuB,EAC/B,EAAE,MAAM,EAAoB,EAC5B,EAAE;IACF,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;IACzC,IAAA,qBAAM,EAAC,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAC1C,IAAA,aAAK,EAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG;QACX,KAAK;QACL,UAAU;QACV,MAAM,CAAC,EAAE;QACT,IAAI,IAAI,CAAC,SAAS,CAAC;YACjB,IAAI,EAAE,MAAM;YACZ,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE;gBACL,QAAQ,EAAE,MAAM,CAAC,EAAE;gBACnB,YAAY,EAAE,MAAM,CAAC,MAAM;gBAC3B,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC;aAC5D;SACF,CAAC,GAAG;QACL,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,iBAAiB;KAClB,CAAC;IACF,IAAA,aAAK,EAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAA,aAAK,EAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,MAAM,IAAA,qBAAS,EAAC,0BAAK,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE;QACvC,GAAG,EAAE,EAAE,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE;QACzC,KAAK,EAAE,SAAS;KACjB,CAAC,CAAC;AACL,CAAC,CAAA,CAAC"}
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../../../src/commands/claude/mcp.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,2CAAyD;AACzD,6CAAkD;AAClD,kDAAsD;AACtD,+CAAoD;AAEpD,qCAA6D;AAC7D,8DAAiC;AACjC,2DAAiD;AACjD,gEAAkC;AAClC,0DAA6B;AAC7B,yCAAsC;AAqCtC,MAAM,WAAW,GAAG,IAAA,kBAAW,EAAC,wBAAwB,CAAC,CAAC;AAE1D,mGAAmG;AACnG,sFAAsF;AACtF,MAAM,aAAa,GAAG,KAAK,CAAC;AAErB,MAAM,UAAU,GAAG,CAAC,KAAsC,EAAE,EAAE,CACnE,KAAK;KACF,OAAO,CACN,cAAc,EACd,mBAAmB,EACnB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC;KACE,UAAU,CAAC,QAAQ,EAAE;IACpB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,gBAAgB;IAC1B,MAAM,EAAE,IAAI;CACb,CAAC;KACD,MAAM,CAAC,cAAc,EAAE;IACtB,QAAQ,EAAE,8BAA8B;IACxC,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,aAAa;CACvB,CAAC;KACD,MAAM,CAAC,OAAO,EAAE;IACf,KAAK,EAAE,GAAG;IACV,QAAQ,EACN,kEAAkE;IACpE,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC;CACtC,CAAC,EACN,CAAO,IAAI,EAAE,EAAE;IACb,IAAA,qBAAM,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpB,MAAM,kBAAkB,iCAAM,IAAI,KAAE,MAAM,EAAE,IAAI,CAAC,MAAM,IAAG,CAAC;AAC7D,CAAC,CAAA,CACF;KACA,OAAO,CACN,MAAM,EACN,4BAA4B,EAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EACR,CAAO,IAAI,EAAE,EAAE;IACb,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC,CAAA,CACF,CAAC;AApCO,QAAA,UAAU,cAoCjB;AAEN,MAAM,oBAAoB,GAAG,CAAO,IAAuB,EAAE,EAAE;IAC7D,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,GAAE,CAAC;IAEnC,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAqB,KAAK,EAAE;QACxD,GAAG,EAAE,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc;QACxD,MAAM,EAAE,KAAK;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IACH,IAAA,cAAM,EAAC,MAAM,CAAC,CAAC;AACjB,CAAC,CAAA,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAO,IAAsB,EAAE,EAAE;IAC1D,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,GAAE,CAAC;IAEnC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;QAChB,MAAM,sBAAsB,CAAC;KAC9B;IAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAE5C,MAAM,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAC9C,CAAC,CAAA,CAAC;AAEF,MAAM,WAAW,GAAG,GAAS,EAAE;IAC7B,MAAM,EAAE,GAAG,IAAA,yBAAkB,GAAE,CAAC;IAChC,QAAQ,EAAE,EAAE;QACV,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,MAAM,CAAC;QACtE,KAAK,OAAO,CAAC;QACb,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;QACpD,KAAK,SAAS;YACZ,MAAM,iCAAiC,EAAE,EAAE,CAAC;QAC9C;YACE,MAAM,IAAA,kBAAW,EAAC,EAAE,CAAC,CAAC;KACzB;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CAAO,KAAY,EAAE,IAAsB,EAAE,EAAE;;IAClE,MAAM,OAAO,GAAG,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,CAAC;IACnE,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC;IAErC,MAAM,UAAU,GAAG,MAAM,IAAA,eAAS,EAAsB,KAAK,EAAE;QAC7D,GAAG,EAAE,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc;QACxD,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ;YACR,QAAQ,EAAE,aAAa;YACvB,OAAO;YACP,WAAW,EAAE,oBAAoB,MAAA,IAAI,CAAC,YAAY,mCAAI,aAAa,EAAE;SACzC,CAAC;QAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC;IAEH,MAAM,kBAAE,CAAC,KAAK,CAAC,mBAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,kBAAE,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACnE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC;AACpB,CAAC,CAAA,CAAC;AAEF,MAAM,YAAY,GAAG,CAAO,KAAY,EAAE,IAAsB,EAAE,EAAE;IAClE,IAAI;QACF,MAAM,gBAAgB,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,WAAW,EAAE;YACtD,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;QAEH,IAAI,gBAAgB,EAAE;YACpB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAwB,CAAC;YACnE,IAAA,aAAK,EACH,IAAI,EACJ,wBAAwB,EACxB,WAAW,EACX,4CAA4C,CAC7C,CAAC;YACF,OAAO,MAAM,CAAC;SACf;KACF;IAAC,OAAO,KAAc,EAAE;QACvB,IAAA,aAAK,EAAC,IAAI,EAAE,gDAAgD,CAAC,CAAC;KAC/D;IAED,OAAO,MAAM,YAAY,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACzC,CAAC,CAAA,CAAC;AAEF,MAAM,SAAS,GAAG,CAAO,KAAY,EAAE,IAAsB,EAAE,EAAE;IAC/D,OAAA,MAAM,IAAA,eAAS,EAAmB,KAAK,EAAE;QACvC,GAAG,EAAE,GAAG,IAAA,eAAS,EAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;QAC3F,MAAM,EAAE,KAAK;KACd,CAAC,CAAA;EAAA,CAAC;AAEL,MAAM,aAAa,GAAG,GAAS,EAAE;;IAC/B,MAAM,EAAE,GAAG,IAAA,yBAAkB,GAAE,CAAC;IAChC,QAAQ,EAAE,EAAE;QACV,KAAK,OAAO,CAAC;QACb,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/D,KAAK,KAAK,CAAC,CAAC;YACV,MAAM,KAAK,GAAG,CAAC,MAAM,IAAA,qBAAS,EAAC,yBAAI,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM;iBAC7D,KAAK,CAAC,MAAM,CAAC;iBACb,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAC;YACnB,OAAO,MAAA,MAAA,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,mCAAI,KAAK,CAAC,CAAC,CAAC,mCAAI,EAAE,CAAC;SAChE;QACD,KAAK,SAAS;YACZ,MAAM,iCAAiC,EAAE,EAAE,CAAC;QAC9C;YACE,MAAM,IAAA,kBAAW,EAAC,EAAE,CAAC,CAAC;KACzB;AACH,CAAC,CAAA,CAAC;AAEF,MAAM,eAAe,GAAG,CACtB,IAAsB,EACtB,EAAE,MAAM,EAAuB,EAC/B,EAAE,MAAM,EAAoB,EAC5B,EAAE;IACF,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;IACzC,IAAA,qBAAM,EAAC,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAC1C,IAAA,aAAK,EAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,uEAAuE;IACvE,sEAAsE;IACtE,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,mDAAmD;IACnD,EAAE;IACF,sEAAsE;IACtE,0DAA0D;IAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG;QACX,KAAK;QACL,KAAK;QACL,aAAa;QACb,MAAM;QACN,aAAa;QACb,MAAM,CAAC,EAAE;QACT,iBAAiB;QACjB,MAAM,CAAC,YAAY,CAAC;QACpB,iBAAiB;QACjB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,MAAM,CAAC,EAAE;QACT,MAAM,CAAC,GAAG;KACX,CAAC;IACF,IAAA,aAAK,EAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAA,aAAK,EAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,oEAAoE;IACpE,wEAAwE;IACxE,0BAA0B;IAC1B,MAAM,IAAA,qBAAS,EAAC,0BAAK,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE;QACvC,GAAG,kCAAO,OAAO,CAAC,GAAG,KAAE,iBAAiB,EAAE,MAAM,CAAC,MAAM,GAAE;QACzD,KAAK,EAAE,SAAS;KACjB,CAAC,CAAC;AACL,CAAC,CAAA,CAAC"}

package/build/dist/commands/file-transfer.js

@@ -8,6 +8,17 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.fileTransferCommand = void 0;
 /** Copyright © 2024-present P0 Security
@@ -25,6 +36,8 @@ const auth_1 = require("../drivers/auth");
 const stdio_1 = require("../drivers/stdio");
 const otel_helpers_1 = require("../opentelemetry/otel-helpers");
 const file_transfer_1 = require("../plugins/file-transfer");
+const ssh_1 = require("../plugins/ssh");
+const ssh_2 = require("./shared/ssh");
 const lib_storage_1 = require("@aws-sdk/lib-storage");
 const fs_1 = require("fs");
 const node_path_1 = require("node:path");
@@ -70,11 +83,15 @@ const fileTransferAction = (args) => __awaiter(void 0, void 0, void 0, function*
         (0, stdio_1.print2)("Requesting file-transfer access...");
         const target = yield (0, file_transfer_1.provisionTransferRequest)(authn, args);
         (0, stdio_1.print2)(`Access approved for s3://${target.bucket}/${target.prefix}`);
-        // target.prefix is the backend-granted prefix (ends in `/`); append the
-        // local file's basename so the S3 object preserves the original filename.
+        // append original basename so the S3 object preserves the original filename.
         const uploadKey = `${target.prefix}${(0, node_path_1.basename)(args.source)}`;
         (0, stdio_1.print2)("Preparing upload credentials...");
         const s3 = (0, file_transfer_1.createTransferClient)(authn, target, args.debug);
+        const { signedUrl: deleteUrl, expirySeconds: deleteExpirySeconds } = yield (0, file_transfer_1.generateSignedUrl)(authn, s3, Object.assign(Object.assign({}, target), { key: uploadKey }), "delete", args.debug);
+        // TODO: remove logging actual credential but log expiry when we remove the launchdarkly file-transfer flag
+        if (args.debug) {
+            (0, stdio_1.print2)(`DELETE (${renderDurationSec(deleteExpirySeconds)}): ${deleteUrl}`);
+        }
         (0, stdio_1.print2)(`Uploading ${args.source}...`);
         // The backend grants the AWS role permission to write to our prefix, but
         // IAM has eventual consistency — the policy can take several seconds to
@@ -118,13 +135,45 @@ const fileTransferAction = (args) => __awaiter(void 0, void 0, void 0, function*
             throw `Upload failed: ${message}`;
         }
         (0, stdio_1.print2)("Uploaded.");
-        // Sign the download/cleanup URLs only now that the file is uploaded — the
-        // GET window is finite, so we don't want it ticking during the upload.
-        const { getUrl, deleteUrl, expirySeconds } = yield (0, file_transfer_1.generateTransferUrls)(authn, s3, { bucket: target.bucket, key: uploadKey, awsSpec: target.awsSpec }, args.debug);
-        // TODO: remove logging when we remove the launchdarkly file-transfer flag
+        // TODO we need to remove this second request. it should be included in file transfer delegation. Will be removed in future ticket
+        (0, stdio_1.print2)(`Requesting download access on ${args.destination}...`);
+        // Drop `source` (local file path) before passing to SSH plumbing —
+        // `createCommand` uses `"source" in args` to branch between scp and ssh path, and we want the ssh branch here.
+        const { source: _source } = args, sshBaseArgs = __rest(args, ["source"]);
+        const sshCmdArgs = Object.assign(Object.assign({}, sshBaseArgs), { arguments: [], sshOptions: [] });
+        const { request, requestId, privateKey, sshProvider, sshHostKeys } = yield (0, ssh_2.prepareRequest)(authn, sshCmdArgs, args.destination);
+        // Sign GET URL now so the 5-min TTL starts after approval clears,
+        // not before — otherwise long approval waits could expire the URL.
+        const { signedUrl: getUrl, expirySeconds: getExpirySeconds } = yield (0, file_transfer_1.generateSignedUrl)(authn, s3, { bucket: target.bucket, key: uploadKey, awsSpec: target.awsSpec }, "get", args.debug);
         if (args.debug) {
-            (0, stdio_1.print2)(`GET    (${renderDurationSec(expirySeconds.get)}): ${getUrl}`);
-            (0, stdio_1.print2)(`DELETE (${renderDurationSec(expirySeconds.delete)}): ${deleteUrl}`);
+            (0, stdio_1.print2)(`GET    (${renderDurationSec(getExpirySeconds)}): ${getUrl}`);
+        }
+        const remotePath = `/home/${request.linuxUserName}/${(0, node_path_1.basename)(args.source)}`;
+        (0, stdio_1.print2)(`Downloading to ${request.linuxUserName}@${args.destination}:${remotePath}...`);
+        // TODO decide final downloader to use and maybe add fallback downloaders if not present. Using curl for now — universally present on mainstream EC2 AMIs (Amazon Linux, Ubuntu, RHEL, etc.).
+        const downloadCmdArgs = Object.assign(Object.assign({}, sshCmdArgs), { command: "curl", arguments: ["-sSfL", getUrl, "-o", remotePath] });
+        const exitCode = yield (0, ssh_1.sshOrScp)({
+            authn,
+            request,
+            requestId,
+            cmdArgs: downloadCmdArgs,
+            privateKey,
+            sshProvider,
+            sshHostKeys,
+        });
+        // TODO update comment when we add fallback downloader if needed
+        if (exitCode === 127) {
+            throw `curl not found on ${args.destination}. The file is in S3 — install curl on the destination instance and re-run file-transfer command`;
+        }
+        if (exitCode !== null && exitCode !== 0) {
+            throw `Remote download exited with code ${exitCode}`;
+        }
+        (0, stdio_1.print2)(`Downloaded to ${remotePath}.`);
+        // Force exit to prevent hanging due to orphaned child processes (e.g.,
+        // session-manager-plugin) holding open file descriptors. See:
+        // https://github.com/aws/amazon-ssm-agent/issues/173
+        if (process.env.NODE_ENV !== "unit") {
+            (0, otel_helpers_1.exitProcess)(0);
         }
     }), {
         command: "file-transfer",

package/build/dist/commands/file-transfer.js.map

@@ -1 +1 @@
-{"version":3,"file":"file-transfer.js","sourceRoot":"","sources":["../../../src/commands/file-transfer.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,2CAAiD;AACjD,0CAA+C;AAC/C,4CAA0C;AAC1C,gEAA0D;AAC1D,4DAIkC;AAClC,sDAA8C;AAC9C,2BAAgD;AAChD,yCAAqC;AAUrC,MAAM,iBAAiB,GAAG,CAAC,CAAS,EAAE,EAAE,CACtC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC;AAE7D,MAAM,mBAAmB,GAAG,CAAC,KAAiB,EAAE,EAAE,CACvD,KAAK,CAAC,OAAO,CACX,sCAAsC,EACtC,uEAAuE,EACvE,CAAC,KAAK,EAAE,EAAE,CACR,KAAK;KACF,UAAU,CAAC,QAAQ,EAAE;IACpB,IAAI,EAAE,QAAQ;IACd,YAAY,EAAE,IAAI;IAClB,WAAW,EAAE,iBAAiB;CAC/B,CAAC;KACD,UAAU,CAAC,aAAa,EAAE;IACzB,IAAI,EAAE,QAAQ;IACd,YAAY,EAAE,IAAI;IAClB,WAAW,EAAE,yCAAyC;CACvD,CAAC;KACD,MAAM,CAAC,QAAQ,EAAE;IAChB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,yBAAyB;CACpC,CAAC;KACD,MAAM,CAAC,OAAO,EAAE;IACf,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,iDAAiD;CAC5D,CAAC,EACN,kBAAkB,CACnB,CAAC;AAzBS,QAAA,mBAAmB,uBAyB5B;AAEJ,MAAM,kBAAkB,GAAG,CACzB,IAAuD,EACvD,EAAE;IACF,MAAM,IAAA,wBAAS,EACb,uBAAuB,EACvB,CAAO,IAAI,EAAE,EAAE;QACb,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAEnD,4EAA4E;QAC5E,6EAA6E;QAC7E,oDAAoD;QACpD,IAAI,WAAW,CAAC;QAChB,IAAI;YACF,WAAW,GAAG,IAAA,aAAQ,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;SACrC;QAAC,WAAM;YACN,MAAM,0BAA0B,IAAI,CAAC,MAAM,EAAE,CAAC;SAC/C;QACD,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE;YACzB,MAAM,sCAAsC,IAAI,CAAC,MAAM,EAAE,CAAC;SAC3D;QAED,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,EAAC,IAAI,CAAC,CAAC;QAEvC,IAAA,cAAM,EAAC,oCAAoC,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,IAAA,wCAAwB,EAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC3D,IAAA,cAAM,EAAC,4BAA4B,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAErE,wEAAwE;QACxE,0EAA0E;QAC1E,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,MAAM,GAAG,IAAA,oBAAQ,EAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAE7D,IAAA,cAAM,EAAC,iCAAiC,CAAC,CAAC;QAC1C,MAAM,EAAE,GAAG,IAAA,oCAAoB,EAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAE3D,IAAA,cAAM,EAAC,aAAa,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC;QAEtC,yEAAyE;QACzE,wEAAwE;QACxE,iEAAiE;QACjE,qDAAqD;QACrD,IAAI;YACF,MAAM,IAAA,sBAAc,EAClB,GAAS,EAAE;gBACT,MAAM,MAAM,GAAG,IAAI,oBAAM,CAAC;oBACxB,MAAM,EAAE,EAAE;oBACV,MAAM,EAAE;wBACN,MAAM,EAAE,MAAM,CAAC,MAAM;wBACrB,GAAG,EAAE,SAAS;wBACd,IAAI,EAAE,IAAA,qBAAgB,EAAC,IAAI,CAAC,MAAM,CAAC;qBACpC;iBACF,CAAC,CAAC;gBACH,MAAM,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,QAAQ,EAAE,EAAE;;oBAC3C,MAAM,MAAM,GAAG,MAAA,QAAQ,CAAC,MAAM,mCAAI,CAAC,CAAC;oBACpC,MAAM,KAAK,GAAG,MAAA,QAAQ,CAAC,KAAK,mCAAI,CAAC,CAAC;oBAClC,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAC7C,MAAM,GAAG,GAAG,KAAK;wBACf,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,IAAI;wBAC7C,CAAC,CAAC,EAAE,CAAC;oBACP,IAAA,cAAM,EAAC,cAAc,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;gBACtC,CAAC,CAAC,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YACtB,CAAC,CAAA,EACD;gBACE,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,IAAK;gBACd,UAAU,EAAE,KAAM;gBAClB,UAAU,EAAE,GAAG;gBACf,YAAY,EAAE,GAAG;gBACjB,mEAAmE;gBACnE,kEAAkE;gBAClE,WAAW,EAAE,CAAC,GAAG,EAAE,EAAE,CACnB,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc;gBACrD,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CACF,CAAC;SACH;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,kBAAkB,OAAO,EAAE,CAAC;SACnC;QAED,IAAA,cAAM,EAAC,WAAW,CAAC,CAAC;QAEpB,0EAA0E;QAC1E,uEAAuE;QACvE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,MAAM,IAAA,oCAAoB,EACrE,KAAK,EACL,EAAE,EACF,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAClE,IAAI,CAAC,KAAK,CACX,CAAC;QAEF,0EAA0E;QAC1E,IAAI,IAAI,CAAC,KAAK,EAAE;YACd,IAAA,cAAM,EAAC,WAAW,iBAAiB,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,MAAM,EAAE,CAAC,CAAC;YACtE,IAAA,cAAM,EACJ,WAAW,iBAAiB,CAAC,aAAa,CAAC,MAAM,CAAC,MAAM,SAAS,EAAE,CACpE,CAAC;SACH;IACH,CAAC,CAAA,EACD;QACE,OAAO,EAAE,eAAe;KACzB,CACF,CAAC;AACJ,CAAC,CAAA,CAAC"}
+{"version":3,"file":"file-transfer.js","sourceRoot":"","sources":["../../../src/commands/file-transfer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,2CAAiD;AACjD,0CAA+C;AAC/C,4CAA0C;AAC1C,gEAAuE;AACvE,4DAIkC;AAClC,wCAA0C;AAC1C,sCAA8C;AAC9C,sDAA8C;AAC9C,2BAAgD;AAChD,yCAAqC;AAUrC,MAAM,iBAAiB,GAAG,CAAC,CAAS,EAAE,EAAE,CACtC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC;AAE7D,MAAM,mBAAmB,GAAG,CAAC,KAAiB,EAAE,EAAE,CACvD,KAAK,CAAC,OAAO,CACX,sCAAsC,EACtC,uEAAuE,EACvE,CAAC,KAAK,EAAE,EAAE,CACR,KAAK;KACF,UAAU,CAAC,QAAQ,EAAE;IACpB,IAAI,EAAE,QAAQ;IACd,YAAY,EAAE,IAAI;IAClB,WAAW,EAAE,iBAAiB;CAC/B,CAAC;KACD,UAAU,CAAC,aAAa,EAAE;IACzB,IAAI,EAAE,QAAQ;IACd,YAAY,EAAE,IAAI;IAClB,WAAW,EAAE,yCAAyC;CACvD,CAAC;KACD,MAAM,CAAC,QAAQ,EAAE;IAChB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,yBAAyB;CACpC,CAAC;KACD,MAAM,CAAC,OAAO,EAAE;IACf,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,iDAAiD;CAC5D,CAAC,EACN,kBAAkB,CACnB,CAAC;AAzBS,QAAA,mBAAmB,uBAyB5B;AAEJ,MAAM,kBAAkB,GAAG,CACzB,IAAuD,EACvD,EAAE;IACF,MAAM,IAAA,wBAAS,EACb,uBAAuB,EACvB,CAAO,IAAI,EAAE,EAAE;QACb,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAEnD,4EAA4E;QAC5E,6EAA6E;QAC7E,oDAAoD;QACpD,IAAI,WAAW,CAAC;QAChB,IAAI;YACF,WAAW,GAAG,IAAA,aAAQ,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;SACrC;QAAC,WAAM;YACN,MAAM,0BAA0B,IAAI,CAAC,MAAM,EAAE,CAAC;SAC/C;QACD,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE;YACzB,MAAM,sCAAsC,IAAI,CAAC,MAAM,EAAE,CAAC;SAC3D;QAED,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAY,EAAC,IAAI,CAAC,CAAC;QAEvC,IAAA,cAAM,EAAC,oCAAoC,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,IAAA,wCAAwB,EAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC3D,IAAA,cAAM,EAAC,4BAA4B,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAErE,6EAA6E;QAC7E,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,MAAM,GAAG,IAAA,oBAAQ,EAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAE7D,IAAA,cAAM,EAAC,iCAAiC,CAAC,CAAC;QAC1C,MAAM,EAAE,GAAG,IAAA,oCAAoB,EAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3D,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB,EAAE,GAChE,MAAM,IAAA,iCAAiB,EACrB,KAAK,EACL,EAAE,kCACG,MAAM,KAAE,GAAG,EAAE,SAAS,KAC3B,QAAQ,EACR,IAAI,CAAC,KAAK,CACX,CAAC;QAEJ,2GAA2G;QAC3G,IAAI,IAAI,CAAC,KAAK,EAAE;YACd,IAAA,cAAM,EACJ,WAAW,iBAAiB,CAAC,mBAAmB,CAAC,MAAM,SAAS,EAAE,CACnE,CAAC;SACH;QAED,IAAA,cAAM,EAAC,aAAa,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC;QAEtC,yEAAyE;QACzE,wEAAwE;QACxE,iEAAiE;QACjE,qDAAqD;QACrD,IAAI;YACF,MAAM,IAAA,sBAAc,EAClB,GAAS,EAAE;gBACT,MAAM,MAAM,GAAG,IAAI,oBAAM,CAAC;oBACxB,MAAM,EAAE,EAAE;oBACV,MAAM,EAAE;wBACN,MAAM,EAAE,MAAM,CAAC,MAAM;wBACrB,GAAG,EAAE,SAAS;wBACd,IAAI,EAAE,IAAA,qBAAgB,EAAC,IAAI,CAAC,MAAM,CAAC;qBACpC;iBACF,CAAC,CAAC;gBACH,MAAM,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,QAAQ,EAAE,EAAE;;oBAC3C,MAAM,MAAM,GAAG,MAAA,QAAQ,CAAC,MAAM,mCAAI,CAAC,CAAC;oBACpC,MAAM,KAAK,GAAG,MAAA,QAAQ,CAAC,KAAK,mCAAI,CAAC,CAAC;oBAClC,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAC7C,MAAM,GAAG,GAAG,KAAK;wBACf,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,IAAI;wBAC7C,CAAC,CAAC,EAAE,CAAC;oBACP,IAAA,cAAM,EAAC,cAAc,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;gBACtC,CAAC,CAAC,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YACtB,CAAC,CAAA,EACD;gBACE,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,IAAK;gBACd,UAAU,EAAE,KAAM;gBAClB,UAAU,EAAE,GAAG;gBACf,YAAY,EAAE,GAAG;gBACjB,mEAAmE;gBACnE,kEAAkE;gBAClE,WAAW,EAAE,CAAC,GAAG,EAAE,EAAE,CACnB,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc;gBACrD,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CACF,CAAC;SACH;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,kBAAkB,OAAO,EAAE,CAAC;SACnC;QAED,IAAA,cAAM,EAAC,WAAW,CAAC,CAAC;QAEpB,kIAAkI;QAClI,IAAA,cAAM,EAAC,iCAAiC,IAAI,CAAC,WAAW,KAAK,CAAC,CAAC;QAE/D,mEAAmE;QACnE,+GAA+G;QAC/G,MAAM,EAAE,MAAM,EAAE,OAAO,KAAqB,IAAI,EAApB,WAAW,UAAK,IAAI,EAA1C,UAAmC,CAAO,CAAC;QACjD,MAAM,UAAU,mCACX,WAAW,KACd,SAAS,EAAE,EAAE,EACb,UAAU,EAAE,EAAE,GACf,CAAC;QAEF,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,WAAW,EAAE,GAChE,MAAM,IAAA,oBAAc,EAAC,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAE5D,kEAAkE;QAClE,mEAAmE;QACnE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,gBAAgB,EAAE,GAC1D,MAAM,IAAA,iCAAiB,EACrB,KAAK,EACL,EAAE,EACF,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAClE,KAAK,EACL,IAAI,CAAC,KAAK,CACX,CAAC;QACJ,IAAI,IAAI,CAAC,KAAK,EAAE;YACd,IAAA,cAAM,EAAC,WAAW,iBAAiB,CAAC,gBAAgB,CAAC,MAAM,MAAM,EAAE,CAAC,CAAC;SACtE;QAED,MAAM,UAAU,GAAG,SAAS,OAAO,CAAC,aAAa,IAAI,IAAA,oBAAQ,EAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7E,IAAA,cAAM,EACJ,kBAAkB,OAAO,CAAC,aAAa,IAAI,IAAI,CAAC,WAAW,IAAI,UAAU,KAAK,CAC/E,CAAC;QAEF,6LAA6L;QAC7L,MAAM,eAAe,mCAChB,UAAU,KACb,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,GAC/C,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,IAAA,cAAQ,EAAC;YAC9B,KAAK;YACL,OAAO;YACP,SAAS;YACT,OAAO,EAAE,eAAe;YACxB,UAAU;YACV,WAAW;YACX,WAAW;SACZ,CAAC,CAAC;QAEH,gEAAgE;QAChE,IAAI,QAAQ,KAAK,GAAG,EAAE;YACpB,MAAM,qBAAqB,IAAI,CAAC,WAAW,iGAAiG,CAAC;SAC9I;QACD,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,CAAC,EAAE;YACvC,MAAM,oCAAoC,QAAQ,EAAE,CAAC;SACtD;QAED,IAAA,cAAM,EAAC,iBAAiB,UAAU,GAAG,CAAC,CAAC;QAEvC,uEAAuE;QACvE,8DAA8D;QAC9D,qDAAqD;QACrD,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE;YACnC,IAAA,0BAAW,EAAC,CAAC,CAAC,CAAC;SAChB;IACH,CAAC,CAAA,EACD;QACE,OAAO,EAAE,eAAe;KACzB,CACF,CAAC;AACJ,CAAC,CAAA,CAAC"}

package/build/dist/plugins/file-transfer/index.d.ts

@@ -13,6 +13,8 @@ import { Authn } from "../../types/identity";
 import { AwsResourcePermissionSpec } from "../aws/types";
 import { S3Client } from "@aws-sdk/client-s3";
 import yargs from "yargs";
+export declare const MAX_SECONDS_TO_EXPIRE_GET_URL: number;
+export declare const MAX_SECONDS_TO_EXPIRE_DELETE_URL: number;
 export declare const provisionTransferRequest: (authn: Authn, args: yargs.ArgumentsCamelCase<FileTransferCommandArgs>) => Promise<{
     bucket: string;
     prefix: string;
@@ -30,22 +32,20 @@ export declare const createTransferClient: (authn: Authn, target: {
     awsSpec: AwsResourcePermissionSpec;
 }, debug?: boolean) => S3Client;
 /**
- * Signs the GET (download) and DELETE (cleanup) URLs. Call this AFTER the upload
+ * Signs the GET (download) or DELETE (cleanup) URL. Call this AFTER the upload
  * completes: the GET window is finite, and signing before a large upload would
  * burn that window while the file is still uploading.
  *
  * Each expiry is capped to the credentials' remaining lifetime so a URL can
  * never outlive the credentials that signed it.
  */
-export declare const generateTransferUrls: (authn: Authn, s3: S3Client, target: {
+type SignedUrlCommand = "delete" | "get";
+export declare const generateSignedUrl: (authn: Authn, s3: S3Client, target: {
     bucket: string;
     key: string;
     awsSpec: AwsResourcePermissionSpec;
-}, debug?: boolean) => Promise<{
-    getUrl: string;
-    deleteUrl: string;
-    expirySeconds: {
-        get: number;
-        delete: number;
-    };
+}, command: SignedUrlCommand, debug?: boolean) => Promise<{
+    signedUrl: string;
+    expirySeconds: number;
 }>;
+export {};

package/build/dist/plugins/file-transfer/index.js

@@ -9,14 +9,15 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateTransferUrls = exports.createTransferClient = exports.provisionTransferRequest = void 0;
+exports.generateSignedUrl = exports.createTransferClient = exports.provisionTransferRequest = exports.MAX_SECONDS_TO_EXPIRE_DELETE_URL = exports.MAX_SECONDS_TO_EXPIRE_GET_URL = void 0;
 const request_1 = require("../../commands/shared/request");
+const delegation_1 = require("../../types/delegation");
 const auth_1 = require("../aws/auth");
 const client_s3_1 = require("@aws-sdk/client-s3");
 const s3_request_presigner_1 = require("@aws-sdk/s3-request-presigner");
 const lodash_1 = require("lodash");
-const SECONDS_TO_EXPIRE_GET_URL = 60 * 60;
-const SECONDS_TO_EXPIRE_DELETE_URL = 60 * 60;
+exports.MAX_SECONDS_TO_EXPIRE_GET_URL = 5 * 60;
+exports.MAX_SECONDS_TO_EXPIRE_DELETE_URL = 60 * 60;
 const MIN_URL_EXPIRY_THRESHOLD_SECONDS = 60;
 const provisionTransferRequest = (authn, args) => __awaiter(void 0, void 0, void 0, function* () {
     const response = yield (0, request_1.request)("request")(Object.assign(Object.assign({}, (0, lodash_1.pick)(args, "$0", "_")), { arguments: [
@@ -28,7 +29,7 @@ const provisionTransferRequest = (authn, args) => __awaiter(void 0, void 0, void
     if (!response) {
         throw "Did not receive a response from server";
     }
-    const awsSpec = response.request.delegation.aws;
+    const awsSpec = (0, delegation_1.getDelegate)(response.request.delegation, "aws");
     if (!awsSpec) {
         throw "Backend granted file-transfer access, but there was an error getting AWS access details";
     }
@@ -57,15 +58,7 @@ const createTransferClient = (authn, target, debug) => new client_s3_1.S3Client(
     }),
 });
 exports.createTransferClient = createTransferClient;
-/**
- * Signs the GET (download) and DELETE (cleanup) URLs. Call this AFTER the upload
- * completes: the GET window is finite, and signing before a large upload would
- * burn that window while the file is still uploading.
- *
- * Each expiry is capped to the credentials' remaining lifetime so a URL can
- * never outlive the credentials that signed it.
- */
-const generateTransferUrls = (authn, s3, target, debug) => __awaiter(void 0, void 0, void 0, function* () {
+const generateSignedUrl = (authn, s3, target, command, debug) => __awaiter(void 0, void 0, void 0, function* () {
     const { expiresAt } = yield (0, auth_1.awsCloudAuth)(authn, target.awsSpec, debug);
     const remaining = expiresAt !== undefined
         ? Math.floor((expiresAt - Date.now()) / 1000)
@@ -74,26 +67,32 @@ const generateTransferUrls = (authn, s3, target, debug) => __awaiter(void 0, voi
         throw new Error(`AWS credentials expire in ${remaining}s — too soon to sign usable URLs. ` +
             `Check your system clock or re-run the request.`);
     }
-    const secondsToExpireGetUrl = Math.min(SECONDS_TO_EXPIRE_GET_URL, remaining);
-    const secondsToExpireDeleteUrl = Math.min(SECONDS_TO_EXPIRE_DELETE_URL, remaining);
-    const objectArgs = { Bucket: target.bucket, Key: target.key };
-    const [getUrl, deleteUrl] = yield Promise.all([
-        (0, s3_request_presigner_1.getSignedUrl)(s3, new client_s3_1.GetObjectCommand(objectArgs), {
-            expiresIn: secondsToExpireGetUrl,
-        }),
-        (0, s3_request_presigner_1.getSignedUrl)(s3, new client_s3_1.DeleteObjectCommand(objectArgs), {
-            expiresIn: secondsToExpireDeleteUrl,
-        }),
-    ]);
+    const URL_CONFIGS = {
+        get: {
+            maxExpiry: exports.MAX_SECONDS_TO_EXPIRE_GET_URL,
+            s3Command: new client_s3_1.GetObjectCommand({
+                Bucket: target.bucket,
+                Key: target.key,
+            }),
+        },
+        delete: {
+            maxExpiry: exports.MAX_SECONDS_TO_EXPIRE_DELETE_URL,
+            s3Command: new client_s3_1.DeleteObjectCommand({
+                Bucket: target.bucket,
+                Key: target.key,
+            }),
+        },
+    };
+    const urlConfig = URL_CONFIGS[command];
+    const secondsToExpireUrl = Math.min(urlConfig.maxExpiry, remaining);
+    const signedUrl = yield (0, s3_request_presigner_1.getSignedUrl)(s3, urlConfig.s3Command, {
+        expiresIn: secondsToExpireUrl,
+    });
     return {
-        getUrl,
-        deleteUrl,
+        signedUrl,
         // Report the ACTUAL (capped) seconds so debug output is honest.
-        expirySeconds: {
-            get: secondsToExpireGetUrl,
-            delete: secondsToExpireDeleteUrl,
-        },
+        expirySeconds: secondsToExpireUrl,
     };
 });
-exports.generateTransferUrls = generateTransferUrls;
+exports.generateSignedUrl = generateSignedUrl;
 //# sourceMappingURL=index.js.map

package/build/dist/plugins/file-transfer/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/file-transfer/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,2DAAwD;AAGxD,sCAA2C;AAG3C,kDAI4B;AAC5B,wEAA6D;AAC7D,mCAA8B;AAG9B,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,CAAC;AAC1C,MAAM,4BAA4B,GAAG,EAAE,GAAG,EAAE,CAAC;AAC7C,MAAM,gCAAgC,GAAG,EAAE,CAAC;AAErC,MAAM,wBAAwB,GAAG,CACtC,KAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAIlC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,eAAe;YACf,SAAS;YACT,IAAI,CAAC,WAAW;YAChB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SAClD,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,yFAAyF,CAAC;KACjG;IAED,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,GAC9C,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAEvC,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,YAAY;QACpB,OAAO;KACR,CAAC;AACJ,CAAC,CAAA,CAAC;AAvCW,QAAA,wBAAwB,4BAuCnC;AAEF;;;;;GAKG;AACI,MAAM,oBAAoB,GAAG,CAClC,KAAY,EACZ,MAA8D,EAC9D,KAAe,EACL,EAAE,CACZ,IAAI,oBAAQ,CAAC;IACX,MAAM,EAAE,MAAM,CAAC,MAAM;IACrB,WAAW,EAAE,GAAS,EAAE;QACtB,MAAM,WAAW,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrE,uBACE,WAAW,EAAE,WAAW,CAAC,iBAAiB,EAC1C,eAAe,EAAE,WAAW,CAAC,qBAAqB,EAClD,YAAY,EAAE,WAAW,CAAC,iBAAiB,IAIxC,CAAC,WAAW,CAAC,SAAS,KAAK,SAAS;YACrC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE;YACjD,CAAC,CAAC,EAAE,CAAC,EACP;IACJ,CAAC,CAAA;CACF,CAAC,CAAC;AArBQ,QAAA,oBAAoB,wBAqB5B;AAEL;;;;;;;GAOG;AACI,MAAM,oBAAoB,GAAG,CAClC,KAAY,EACZ,EAAY,EACZ,MAA2E,EAC3E,KAAe,EAKd,EAAE;IACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACvE,MAAM,SAAS,GACb,SAAS,KAAK,SAAS;QACrB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;QAC7C,CAAC,CAAC,QAAQ,CAAC;IACf,IAAI,SAAS,GAAG,gCAAgC,EAAE;QAChD,MAAM,IAAI,KAAK,CACb,6BAA6B,SAAS,oCAAoC;YACxE,gDAAgD,CACnD,CAAC;KACH;IACD,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,CAAC,yBAAyB,EAAE,SAAS,CAAC,CAAC;IAC7E,MAAM,wBAAwB,GAAG,IAAI,CAAC,GAAG,CACvC,4BAA4B,EAC5B,SAAS,CACV,CAAC;IAEF,MAAM,UAAU,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;IAC9D,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,IAAA,mCAAY,EAAC,EAAE,EAAE,IAAI,4BAAgB,CAAC,UAAU,CAAC,EAAE;YACjD,SAAS,EAAE,qBAAqB;SACjC,CAAC;QACF,IAAA,mCAAY,EAAC,EAAE,EAAE,IAAI,+BAAmB,CAAC,UAAU,CAAC,EAAE;YACpD,SAAS,EAAE,wBAAwB;SACpC,CAAC;KACH,CAAC,CAAC;IAEH,OAAO;QACL,MAAM;QACN,SAAS;QACT,gEAAgE;QAChE,aAAa,EAAE;YACb,GAAG,EAAE,qBAAqB;YAC1B,MAAM,EAAE,wBAAwB;SACjC;KACF,CAAC;AACJ,CAAC,CAAA,CAAC;AA9CW,QAAA,oBAAoB,wBA8C/B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/plugins/file-transfer/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAWA,2DAAwD;AACxD,uDAAqD;AAGrD,sCAA2C;AAG3C,kDAI4B;AAC5B,wEAA6D;AAC7D,mCAA8B;AAGjB,QAAA,6BAA6B,GAAG,CAAC,GAAG,EAAE,CAAC;AACvC,QAAA,gCAAgC,GAAG,EAAE,GAAG,EAAE,CAAC;AACxD,MAAM,gCAAgC,GAAG,EAAE,CAAC;AAErC,MAAM,wBAAwB,GAAG,CACtC,KAAY,EACZ,IAAuD,EACvD,EAAE;IACF,MAAM,QAAQ,GAAG,MAAM,IAAA,iBAAO,EAAC,SAAS,CAAC,iCAIlC,IAAA,aAAI,EAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,KACxB,SAAS,EAAE;YACT,eAAe;YACf,SAAS;YACT,IAAI,CAAC,WAAW;YAChB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;SAClD,EACD,IAAI,EAAE,IAAI,KAEZ,KAAK,EACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,CACjC,CAAC;IAEF,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,wCAAwC,CAAC;KAChD;IAED,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAChE,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,yFAAyF,CAAC;KACjG;IAED,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,GAC9C,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAEvC,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,YAAY;QACpB,OAAO;KACR,CAAC;AACJ,CAAC,CAAA,CAAC;AAvCW,QAAA,wBAAwB,4BAuCnC;AAEF;;;;;GAKG;AACI,MAAM,oBAAoB,GAAG,CAClC,KAAY,EACZ,MAA8D,EAC9D,KAAe,EACL,EAAE,CACZ,IAAI,oBAAQ,CAAC;IACX,MAAM,EAAE,MAAM,CAAC,MAAM;IACrB,WAAW,EAAE,GAAS,EAAE;QACtB,MAAM,WAAW,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrE,uBACE,WAAW,EAAE,WAAW,CAAC,iBAAiB,EAC1C,eAAe,EAAE,WAAW,CAAC,qBAAqB,EAClD,YAAY,EAAE,WAAW,CAAC,iBAAiB,IAIxC,CAAC,WAAW,CAAC,SAAS,KAAK,SAAS;YACrC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE;YACjD,CAAC,CAAC,EAAE,CAAC,EACP;IACJ,CAAC,CAAA;CACF,CAAC,CAAC;AArBQ,QAAA,oBAAoB,wBAqB5B;AAaE,MAAM,iBAAiB,GAAG,CAC/B,KAAY,EACZ,EAAY,EACZ,MAA2E,EAC3E,OAAyB,EACzB,KAAe,EAId,EAAE;IACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,mBAAY,EAAC,KAAK,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACvE,MAAM,SAAS,GACb,SAAS,KAAK,SAAS;QACrB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;QAC7C,CAAC,CAAC,QAAQ,CAAC;IACf,IAAI,SAAS,GAAG,gCAAgC,EAAE;QAChD,MAAM,IAAI,KAAK,CACb,6BAA6B,SAAS,oCAAoC;YACxE,gDAAgD,CACnD,CAAC;KACH;IAED,MAAM,WAAW,GAGb;QACF,GAAG,EAAE;YACH,SAAS,EAAE,qCAA6B;YACxC,SAAS,EAAE,IAAI,4BAAgB,CAAC;gBAC9B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,GAAG,EAAE,MAAM,CAAC,GAAG;aAChB,CAAC;SACH;QACD,MAAM,EAAE;YACN,SAAS,EAAE,wCAAgC;YAC3C,SAAS,EAAE,IAAI,+BAAmB,CAAC;gBACjC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,GAAG,EAAE,MAAM,CAAC,GAAG;aAChB,CAAC;SACH;KACF,CAAC;IAEF,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAEvC,MAAM,kBAAkB,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAEpE,MAAM,SAAS,GAAG,MAAM,IAAA,mCAAY,EAAC,EAAE,EAAE,SAAS,CAAC,SAAS,EAAE;QAC5D,SAAS,EAAE,kBAAkB;KAC9B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,gEAAgE;QAChE,aAAa,EAAE,kBAAkB;KAClC,CAAC;AACJ,CAAC,CAAA,CAAC;AAvDW,QAAA,iBAAiB,qBAuD5B"}

package/build/dist/plugins/file-transfer/types.d.ts

@@ -24,8 +24,6 @@ export type FileTransferPermission = {
     destination: string;
     type: "resource";
 };
-export type FileTransferPermissionSpec = PermissionSpec<"file-transfer", FileTransferPermission, Record<string, never>> & {
-    delegation: {
-        aws?: AwsResourcePermissionSpec;
-    };
-};
+export type FileTransferPermissionSpec = PermissionSpec<"file-transfer", FileTransferPermission, Record<string, never>, {
+    aws?: AwsResourcePermissionSpec;
+}>;

package/build/dist/plugins/google/connection-error.d.ts

@@ -0,0 +1,39 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { GcpSshRequest } from "./types";
+/**
+ * P0 grants the IAM roles needed for GCP SSH, but OS Login must be enabled in
+ * the customer's project — P0 cannot enable it on their behalf. When OS Login is
+ * off the IAM grant still succeeds, but the connection fails at SSH
+ * authentication: without OS Login the user's key is never provisioned onto the
+ * VM (P0's grant does not include permission to write keys to instance
+ * metadata), so auth is rejected with `Permission denied (publickey)`.
+ *
+ * Historically the user saw only that raw, generic rejection and concluded P0
+ * was broken. We surface a targeted hint instead. `Permission denied
+ * (publickey)` is not exclusively an OS Login problem — it can also be a brief
+ * key-propagation delay or a just-granted IAM role — so the message names OS
+ * Login as the most likely cause while listing the alternatives, and never
+ * claims certainty.
+ *
+ * We deliberately do NOT try to classify the other GCP prerequisite failure (IAP
+ * / firewall not configured, which fails earlier, at the gcloud tunnel rather
+ * than at SSH auth). Its `gcloud start-iap-tunnel` error strings vary by gcloud
+ * version and are easy to misattribute; since misattributing is worse than the
+ * status quo, those failures fall through to the raw error unchanged.
+ */
+export declare const GCP_SSH_PREREQUISITES_DOC = "https://docs.p0.dev/integrations/resource-integrations/ssh#gcp-project-requirements";
+/**
+ * Inspects the captured stderr of a failed GCP SSH connection and returns an
+ * actionable message when the failure is an SSH auth rejection (most likely OS
+ * Login not being enabled), or `undefined` to fall through to the raw error.
+ */
+export declare const classifyGcpConnectionError: (stderr: string, request: Pick<GcpSshRequest, "id">) => string | undefined;

package/build/dist/plugins/google/connection-error.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyGcpConnectionError = exports.GCP_SSH_PREREQUISITES_DOC = void 0;
+/**
+ * P0 grants the IAM roles needed for GCP SSH, but OS Login must be enabled in
+ * the customer's project — P0 cannot enable it on their behalf. When OS Login is
+ * off the IAM grant still succeeds, but the connection fails at SSH
+ * authentication: without OS Login the user's key is never provisioned onto the
+ * VM (P0's grant does not include permission to write keys to instance
+ * metadata), so auth is rejected with `Permission denied (publickey)`.
+ *
+ * Historically the user saw only that raw, generic rejection and concluded P0
+ * was broken. We surface a targeted hint instead. `Permission denied
+ * (publickey)` is not exclusively an OS Login problem — it can also be a brief
+ * key-propagation delay or a just-granted IAM role — so the message names OS
+ * Login as the most likely cause while listing the alternatives, and never
+ * claims certainty.
+ *
+ * We deliberately do NOT try to classify the other GCP prerequisite failure (IAP
+ * / firewall not configured, which fails earlier, at the gcloud tunnel rather
+ * than at SSH auth). Its `gcloud start-iap-tunnel` error strings vary by gcloud
+ * version and are easy to misattribute; since misattributing is worse than the
+ * status quo, those failures fall through to the raw error unchanged.
+ */
+exports.GCP_SSH_PREREQUISITES_DOC = "https://docs.p0.dev/integrations/resource-integrations/ssh#gcp-project-requirements";
+/** SSH auth was reached and rejected — most likely because OS Login is off. */
+const AUTH_REJECTED_PATTERN = /Permission denied \(publickey\)/;
+// Leads with a newline so it prints with one blank line above the preceding SSH
+// output, for legibility.
+const osLoginMessage = (instance) => `\nConnected to ${instance} but authentication was rejected ` +
+    `(Permission denied (publickey)). The most common cause is OS Login not ` +
+    `being enabled. Enable it by setting enable-oslogin=TRUE on the project (or ` +
+    `instance) metadata, then retry. If OS Login is already enabled, this can ` +
+    `also be a brief key-propagation delay or a just-granted IAM role — wait ` +
+    `~30s and retry. See ${exports.GCP_SSH_PREREQUISITES_DOC}`;
+/**
+ * Inspects the captured stderr of a failed GCP SSH connection and returns an
+ * actionable message when the failure is an SSH auth rejection (most likely OS
+ * Login not being enabled), or `undefined` to fall through to the raw error.
+ */
+const classifyGcpConnectionError = (stderr, request) => AUTH_REJECTED_PATTERN.test(stderr) ? osLoginMessage(request.id) : undefined;
+exports.classifyGcpConnectionError = classifyGcpConnectionError;
+//# sourceMappingURL=connection-error.js.map

package/build/dist/plugins/google/connection-error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection-error.js","sourceRoot":"","sources":["../../../../src/plugins/google/connection-error.ts"],"names":[],"mappings":";;;AAYA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEU,QAAA,yBAAyB,GACpC,qFAAqF,CAAC;AAExF,+EAA+E;AAC/E,MAAM,qBAAqB,GAAG,iCAAiC,CAAC;AAEhE,gFAAgF;AAChF,0BAA0B;AAC1B,MAAM,cAAc,GAAG,CAAC,QAAgB,EAAE,EAAE,CAC1C,kBAAkB,QAAQ,mCAAmC;IAC7D,yEAAyE;IACzE,6EAA6E;IAC7E,2EAA2E;IAC3E,0EAA0E;IAC1E,uBAAuB,iCAAyB,EAAE,CAAC;AAErD;;;;GAIG;AACI,MAAM,0BAA0B,GAAG,CACxC,MAAc,EACd,OAAkC,EACd,EAAE,CACtB,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAJjE,QAAA,0BAA0B,8BAIuC"}

package/build/dist/plugins/google/install.d.ts

@@ -1,2 +1,17 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { InstallMetadata } from "../../common/install";
 export declare const SupportedPlatforms: readonly ["darwin"];
+declare const GcpSshItems: readonly ["gcloud"];
+type GcpSshItem = (typeof GcpSshItems)[number];
+export declare const GcpSshInstall: Readonly<Record<GcpSshItem, InstallMetadata>>;
 export declare const ensureGcpSshInstall: () => Promise<boolean>;
+export {};

package/build/dist/plugins/google/install.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureGcpSshInstall = exports.SupportedPlatforms = void 0;
+exports.ensureGcpSshInstall = exports.GcpSshInstall = exports.SupportedPlatforms = void 0;
 /** Copyright © 2024-present P0 Security
 
 This file is part of @p0security/cli
@@ -14,14 +14,14 @@ You should have received a copy of the GNU General Public License along with @p0
 const install_1 = require("../../common/install");
 exports.SupportedPlatforms = ["darwin"];
 const GcpSshItems = ["gcloud"];
-const GcpSshInstall = {
+exports.GcpSshInstall = {
     gcloud: {
         label: "GCloud CLI",
         commands: {
             darwin: [
                 // See https://cloud.google.com/sdk/docs/install-sdk
                 "architecture=$(arch)",
-                'package=$([ $architecture = "arm64" ] && echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz" || "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz" )',
+                'package=$([ "$architecture" = "arm64" ] && echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-arm.tar.gz" || echo "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-darwin-x86_64.tar.gz" )',
                 "wget -O ~/google-cloud-cli.tar.gz $package",
                 "tar -xzf ~/google-cloud-cli.tar.gz -C ~",
                 "~/google-cloud-sdk/install.sh",
@@ -34,6 +34,6 @@ const GcpSshInstall = {
         },
     },
 };
-const ensureGcpSshInstall = () => (0, install_1.ensureInstall)(GcpSshItems, GcpSshInstall);
+const ensureGcpSshInstall = () => (0, install_1.ensureInstall)(GcpSshItems, exports.GcpSshInstall);
 exports.ensureGcpSshInstall = ensureGcpSshInstall;
 //# sourceMappingURL=install.js.map

package/build/dist/plugins/google/install.js.map

@@ -1 +1 @@
-{"version":3,"file":"install.js","sourceRoot":"","sources":["../../../../src/plugins/google/install.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,kDAAsE;AAEzD,QAAA,kBAAkB,GAAG,CAAC,QAAQ,CAAU,CAAC;AAEtD,MAAM,WAAW,GAAG,CAAC,QAAQ,CAAU,CAAC;AAGxC,MAAM,aAAa,GAAkD;IACnE,MAAM,EAAE;QACN,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE;YACR,MAAM,EAAE;gBACN,oDAAoD;gBACpD,sBAAsB;gBACtB,uPAAuP;gBACvP,4CAA4C;gBAC5C,yCAAyC;gBACzC,+BAA+B;gBAC/B,kCAAkC;gBAClC,8HAA8H;gBAC9H,8BAA8B;gBAC9B,gEAAgE;gBAChE,wCAAwC;aACzC;SACF;KACF;CACF,CAAC;AAEK,MAAM,mBAAmB,GAAG,GAAG,EAAE,CACtC,IAAA,uBAAa,EAAC,WAAW,EAAE,aAAa,CAAC,CAAC;AAD/B,QAAA,mBAAmB,uBACY"}
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../../../src/plugins/google/install.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,kDAAsE;AAEzD,QAAA,kBAAkB,GAAG,CAAC,QAAQ,CAAU,CAAC;AAEtD,MAAM,WAAW,GAAG,CAAC,QAAQ,CAAU,CAAC;AAG3B,QAAA,aAAa,GAAkD;IAC1E,MAAM,EAAE;QACN,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE;YACR,MAAM,EAAE;gBACN,oDAAoD;gBACpD,sBAAsB;gBACtB,8PAA8P;gBAC9P,4CAA4C;gBAC5C,yCAAyC;gBACzC,+BAA+B;gBAC/B,kCAAkC;gBAClC,8HAA8H;gBAC9H,8BAA8B;gBAC9B,gEAAgE;gBAChE,wCAAwC;aACzC;SACF;KACF;CACF,CAAC;AAEK,MAAM,mBAAmB,GAAG,GAAG,EAAE,CACtC,IAAA,uBAAa,EAAC,WAAW,EAAE,qBAAa,CAAC,CAAC;AAD/B,QAAA,mBAAmB,uBACY"}

package/build/dist/plugins/google/ssh.js

@@ -23,6 +23,7 @@ You should have received a copy of the GNU General Public License along with @p0
 const ssh_1 = require("../../commands/shared/ssh");
 const keys_1 = require("../../common/keys");
 const auth_1 = require("./auth");
+const connection_error_1 = require("./connection-error");
 const install_1 = require("./install");
 const ssh_key_1 = require("./ssh-key");
 const util_1 = require("./util");
@@ -65,6 +66,7 @@ exports.gcpSshProvider = {
         yield (0, auth_1.ensureGcloudLogin)({ debug });
         return undefined;
     }),
+    connectionErrorMessage: (stderr, request) => (0, connection_error_1.classifyGcpConnectionError)(stderr, request),
     ensureInstall: () => __awaiter(void 0, void 0, void 0, function* () {
         if (!(yield (0, install_1.ensureGcpSshInstall)())) {
             throw "Please try again after installing the required GCP utilities";

package/build/dist/plugins/google/ssh.js.map

@@ -1 +1 @@
-{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,iCAA2C;AAC3C,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,kBAAkB,EAAE,CAAO,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAA;IAED,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/plugins/google/ssh.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,mDAA0D;AAC1D,4CAAqD;AAErD,iCAA2C;AAC3C,yDAAgE;AAChE,uCAAgD;AAChD,uCAAyC;AAEzC,iCAA2C;AAE3C,oGAAoG;AACpG,MAAM,4BAA4B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,2BAA2B,GAAG;IAClC,EAAE,OAAO,EAAE,iCAAiC,EAAE;IAC9C;QACE,mEAAmE;QACnE,OAAO,EAAE,uCAAuC;KACjD;IACD,EAAE,OAAO,EAAE,mDAAmD,EAAE;IAChE;QACE,OAAO,EAAE,+CAA+C;QACxD,kBAAkB,EAAE,IAAI;KACzB;IACD,EAAE,OAAO,EAAE,4DAA4D,EAAE;CACjE,CAAC;AAEE,QAAA,cAAc,GAIvB;IACF,kBAAkB,EAAE,CAAO,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,IAAA,wBAAiB,EAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC,CAAA;IAED,sBAAsB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAC1C,IAAA,6CAA0B,EAAC,MAAM,EAAE,OAAO,CAAC;IAE7C,aAAa,EAAE,GAAS,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,IAAA,6BAAmB,GAAE,CAAC,EAAE;YAClC,MAAM,8DAA8D,CAAC;SACtE;IACH,CAAC,CAAA;IAED,YAAY,EAAE,cAAc;IAE5B,oBAAoB,EAClB,2DAA2D;IAE7D,oBAAoB,EAAE,sDAAsD;IAE5E,oBAAoB,EAAE,4BAA4B;IAElD,4BAA4B,EAAE,CAAC,OAAO,EAAE,EAAE;QACxC,IAAI,IAAA,mBAAa,EAAC,OAAO,CAAC,EAAE;YAC1B,uCACK,OAAO;gBACV,6GAA6G;gBAC7G,6HAA6H;gBAC7H,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,IAAI,CAAC,IACjB;SACH;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,YAAY,EAAE,CAAO,MAAM,EAAE,OAAO,EAAE,EAAE;QACtC,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,aAAa;YAC/B,cAAc,EAAE,uBAAgB;SACjC,CAAC;IACJ,CAAC,CAAA;IAED,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,IAAA,wBAAiB,EAAC;YAC1C,SAAS;YACT,kBAAkB;YAClB,OAAO,CAAC,EAAE;YACV,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;YAClB,kEAAkE;YAClE,oGAAoG;YACpG,oEAAoE;YACpE,kDAAkD;YAClD,mBAAmB;YACnB,UAAU,OAAO,CAAC,IAAI,EAAE;YACxB,aAAa,OAAO,CAAC,SAAS,EAAE;SACjC,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,EAAE,GAAG,EAAE,CAAC,SAAS;IAE9B,YAAY,EAAE,CAAC,OAAO,EAAE,EAAE;QACxB,OAAO;YACL,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY;YAC5C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS;YAChD,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC7B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,aAAa;YACjD,IAAI,EAAE,QAAQ;SACf,CAAC;IACJ,CAAC;IAED,2BAA2B;IAE3B,YAAY,EAAE,CAAO,OAAO,EAAE,OAAO,EAAE,EAAE;QAAC,OAAA,iCACrC,OAAO,KACV,YAAY,EAAE;gBACZ,aAAa,EAAE,MAAM,IAAA,sBAAY,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC;aAC9D,IACD,CAAA;MAAA;CACH,CAAC"}