@paklo/core 0.1.0

package/dist/node/dependabot-BteoKZVy.js

@@ -0,0 +1,547 @@
+import { n as logger } from "./logger-bWnHxtAf.js";
+import { s as DependabotDependencySchema } from "./job-Crr4kh3e.js";
+import { z } from "zod/v4";
+import * as crypto$1 from "node:crypto";
+import { zValidator } from "@hono/zod-validator";
+import { Hono } from "hono";
+
+//#region src/dependabot/author.ts
+const DEPENDABOT_DEFAULT_AUTHOR_EMAIL = "noreply@github.com";
+const DEPENDABOT_DEFAULT_AUTHOR_NAME = "dependabot[bot]";
+
+//#endregion
+//#region src/dependabot/branch-name.ts
+function getBranchNameForUpdate(packageEcosystem, targetBranchName, directory, dependencyGroupName, dependencies, separator = "/") {
+	let branchName;
+	if (dependencyGroupName || dependencies.length > 1) {
+		const dependencyDigest = crypto$1.createHash("md5").update(dependencies.map((d) => `${d["dependency-name"]}-${d["dependency-version"]}`).join(",")).digest("hex").substring(0, 10);
+		branchName = `${dependencyGroupName || "multi"}-${dependencyDigest}`;
+	} else branchName = `${dependencies.map((d) => d["dependency-name"]).join("-and-").replace(/[:[]]/g, "-").replace(/@/g, "")}-${dependencies[0]?.removed ? "removed" : dependencies[0]?.["dependency-version"]}`;
+	return sanitizeRef([
+		"dependabot",
+		packageEcosystem,
+		targetBranchName,
+		directory?.replace(/^\/+|\/+$/g, "").replace(/\//g, separator),
+		branchName
+	], separator);
+}
+function sanitizeRef(refParts, separator) {
+	return refParts.filter((p) => p && p.trim().length > 0).join(separator).replace(/[^A-Za-z0-9/\-_.(){}]/g, "").replace(/\/\./g, "/dot-").replace(/\.+/g, ".").replace(/\/+/g, "/").replace(/\.$/, "");
+}
+
+//#endregion
+//#region src/dependabot/experiments.ts
+const DEFAULT_EXPERIMENTS = {
+	"record-ecosystem-versions": true,
+	"record-update-job-unknown-error": true,
+	"proxy-cached": true,
+	"move-job-token": true,
+	"dependency-change-validation": true,
+	"enable-file-parser-python-local": true,
+	"npm-fallback-version-above-v6": true,
+	"lead-security-dependency": true,
+	"enable-record-ecosystem-meta": true,
+	"enable-corepack-for-npm-and-yarn": true,
+	"enable-shared-helpers-command-timeout": true,
+	"enable-dependabot-setting-up-cronjob": true,
+	"enable-engine-version-detection": true,
+	"avoid-duplicate-updates-package-json": true,
+	"allow-refresh-for-existing-pr-dependencies": true,
+	"allow-refresh-group-with-all-dependencies": true,
+	"exclude-local-composer-packages": true,
+	"enable-enhanced-error-details-for-updater": true,
+	"gradle-lockfile-updater": true,
+	"enable-exclude-paths-subdirectory-manifest-files": true,
+	"group-membership-enforcement": true
+};
+/**
+* Parses a comma-separated list of key=value pairs representing experiments.
+* @param raw A comma-separated list of key=value pairs representing experiments.
+* @returns A map of experiment names to their values.
+*/
+function parseExperiments(raw) {
+	return raw?.split(",").filter((entry) => entry.trim() !== "").reduce((acc, cur) => {
+		const [key, value] = cur.split("=", 2);
+		acc[key] = value || true;
+		return acc;
+	}, {});
+}
+
+//#endregion
+//#region src/dependabot/job-builder.ts
+/**
+* Class for building dependabot job objects
+*/
+var DependabotJobBuilder = class {
+	config;
+	update;
+	experiments;
+	debug;
+	packageManager;
+	source;
+	credentials;
+	constructor({ source, config, update, systemAccessUser, systemAccessToken, githubToken, experiments, debug }) {
+		this.config = config;
+		this.update = update;
+		this.experiments = experiments;
+		this.debug = debug;
+		this.packageManager = mapPackageEcosystemToPackageManager(update["package-ecosystem"]);
+		this.source = mapSourceFromDependabotConfigToJobConfig(source, update);
+		this.credentials = mapCredentials({
+			sourceHostname: source.hostname,
+			systemAccessUser,
+			systemAccessToken,
+			githubToken,
+			registries: config.registries
+		});
+	}
+	/**
+	* Create a dependabot update job that updates nothing, but will discover the dependency list for a package ecosystem
+	*/
+	forDependenciesList({ id, command }) {
+		id ??= makeRandomJobId();
+		return {
+			jobId: id,
+			job: {
+				id,
+				command,
+				"package-manager": this.packageManager,
+				"updating-a-pull-request": false,
+				dependencies: null,
+				"allowed-updates": [{
+					"dependency-type": "direct",
+					"update-type": "all"
+				}],
+				"ignore-conditions": [{ "dependency-name": "*" }],
+				"security-updates-only": false,
+				"security-advisories": [],
+				source: this.source,
+				"update-subdependencies": false,
+				"existing-pull-requests": [],
+				"existing-group-pull-requests": [],
+				experiments: this.experiments,
+				"requirements-update-strategy": null,
+				"lockfile-only": false,
+				"commit-message-options": {
+					prefix: null,
+					"prefix-development": null,
+					"include-scope": null
+				},
+				"vendor-dependencies": false,
+				"repo-private": true,
+				debug: this.debug
+			},
+			credentials: this.credentials
+		};
+	}
+	/**
+	* Create a dependabot update job that updates all dependencies for a package ecosystem
+	*/
+	forUpdate({ id, command, dependencyNamesToUpdate, existingPullRequests, pullRequestToUpdate, securityVulnerabilities }) {
+		id ??= makeRandomJobId();
+		const securityOnlyUpdate = this.update["open-pull-requests-limit"] === 0;
+		let updatingPullRequest;
+		let updateDependencyGroupName = null;
+		let updateDependencyNames;
+		let vulnerabilities;
+		if (pullRequestToUpdate) {
+			updatingPullRequest = true;
+			updateDependencyGroupName = Array.isArray(pullRequestToUpdate) ? null : pullRequestToUpdate["dependency-group-name"];
+			updateDependencyNames = (Array.isArray(pullRequestToUpdate) ? pullRequestToUpdate : pullRequestToUpdate.dependencies)?.map((d) => d["dependency-name"]);
+			vulnerabilities = securityVulnerabilities?.filter((v) => updateDependencyNames?.includes(v.package.name));
+		} else {
+			updatingPullRequest = false;
+			const names = dependencyNamesToUpdate?.length ? dependencyNamesToUpdate : null;
+			updateDependencyNames = securityOnlyUpdate && names ? names?.filter((d) => securityVulnerabilities?.find((v) => v.package.name === d)) : names;
+			vulnerabilities = securityVulnerabilities;
+		}
+		return {
+			jobId: id,
+			job: {
+				id,
+				command,
+				"package-manager": this.packageManager,
+				"updating-a-pull-request": updatingPullRequest || false,
+				"dependency-group-to-refresh": updateDependencyGroupName,
+				"dependency-groups": mapGroupsFromDependabotConfigToJobConfig(this.update.groups),
+				dependencies: updateDependencyNames,
+				"allowed-updates": mapAllowedUpdatesFromDependabotConfigToJobConfig(this.update.allow, securityOnlyUpdate),
+				"ignore-conditions": mapIgnoreConditionsFromDependabotConfigToJobConfig(this.update.ignore),
+				"security-updates-only": securityOnlyUpdate,
+				"security-advisories": mapSecurityAdvisories(vulnerabilities),
+				source: this.source,
+				"update-subdependencies": false,
+				"existing-pull-requests": existingPullRequests.filter((pr) => Array.isArray(pr)),
+				"existing-group-pull-requests": existingPullRequests.filter((pr) => !Array.isArray(pr)),
+				"commit-message-options": {
+					prefix: this.update["commit-message"]?.prefix ?? null,
+					"prefix-development": this.update["commit-message"]?.["prefix-development"] ?? null,
+					"include-scope": this.update["commit-message"]?.include?.toLocaleLowerCase()?.trim() === "scope" ? true : null
+				},
+				cooldown: this.update.cooldown,
+				experiments: mapExperiments(this.experiments),
+				"reject-external-code": this.update["insecure-external-code-execution"]?.toLocaleLowerCase()?.trim() === "allow",
+				"requirements-update-strategy": mapVersionStrategyToRequirementsUpdateStrategy(this.update["versioning-strategy"]),
+				"lockfile-only": this.update["versioning-strategy"] === "lockfile-only",
+				"vendor-dependencies": this.update.vendor ?? false,
+				"repo-private": true,
+				debug: this.debug,
+				"proxy-log-response-body-on-auth-failure": true,
+				"max-updater-run-time": 2700,
+				"enable-beta-ecosystems": this.config["enable-beta-ecosystems"] || false,
+				"multi-ecosystem-update": false
+			},
+			credentials: this.credentials
+		};
+	}
+};
+function mapPackageEcosystemToPackageManager(ecosystem) {
+	switch (ecosystem) {
+		case "docker-compose": return "docker_compose";
+		case "dotnet-sdk": return "dotnet_sdk";
+		case "github-actions": return "github_actions";
+		case "gitsubmodule": return "submodules";
+		case "gomod": return "go_modules";
+		case "mix": return "hex";
+		case "npm": return "npm_and_yarn";
+		case "pipenv": return "pip";
+		case "pip-compile": return "pip";
+		case "poetry": return "pip";
+		case "pnpm": return "npm_and_yarn";
+		case "yarn": return "npm_and_yarn";
+		default: return ecosystem;
+	}
+}
+function mapSourceFromDependabotConfigToJobConfig(source, update) {
+	return {
+		provider: source.provider,
+		"api-endpoint": source["api-endpoint"],
+		hostname: source.hostname,
+		repo: source["repository-slug"],
+		branch: update["target-branch"],
+		commit: null,
+		directory: update.directory,
+		directories: update.directories
+	};
+}
+function mapVersionStrategyToRequirementsUpdateStrategy(strategy) {
+	if (!strategy) return null;
+	switch (strategy) {
+		case "auto": return null;
+		case "increase": return "bump_versions";
+		case "increase-if-necessary": return "bump_versions_if_necessary";
+		case "lockfile-only": return "lockfile_only";
+		case "widen": return "widen_ranges";
+		default: throw new Error(`Invalid dependabot.yaml versioning strategy option '${strategy}'`);
+	}
+}
+function mapGroupsFromDependabotConfigToJobConfig(dependencyGroups) {
+	if (!dependencyGroups || !Object.keys(dependencyGroups).length) return [];
+	return Object.keys(dependencyGroups).filter((name) => dependencyGroups[name]).map((name) => {
+		const group = dependencyGroups[name];
+		return {
+			name,
+			"applies-to": group["applies-to"],
+			rules: {
+				patterns: group.patterns?.length ? group.patterns : ["*"],
+				"exclude-patterns": group["exclude-patterns"],
+				"dependency-type": group["dependency-type"],
+				"update-types": group["update-types"]
+			}
+		};
+	});
+}
+function mapAllowedUpdatesFromDependabotConfigToJobConfig(allowedUpdates, securityOnlyUpdate) {
+	if (!allowedUpdates) return [{
+		"dependency-type": "direct",
+		"update-type": securityOnlyUpdate ? "security" : "all"
+	}];
+	return allowedUpdates.map((allow) => {
+		return {
+			"dependency-name": allow["dependency-name"],
+			"dependency-type": allow["dependency-type"],
+			"update-type": allow["update-type"]
+		};
+	});
+}
+function mapIgnoreConditionsFromDependabotConfigToJobConfig(ignoreConditions) {
+	if (!ignoreConditions) return [];
+	return ignoreConditions.map((ignore) => {
+		return {
+			source: ignore.source,
+			"updated-at": ignore["updated-at"],
+			"dependency-name": ignore["dependency-name"] ?? "*",
+			"update-types": ignore["update-types"],
+			"version-requirement": Array.isArray(ignore.versions) ? ignore.versions?.join(", ") : ignore.versions
+		};
+	});
+}
+function mapExperiments(experiments) {
+	experiments ??= {};
+	return Object.keys(experiments).reduce((acc, key) => {
+		const value = experiments[key];
+		if (typeof value === "string" && value?.toLocaleLowerCase() === "true") acc[key] = true;
+		else if (typeof value === "string" && value?.toLocaleLowerCase() === "false") acc[key] = false;
+		else if (typeof value === "string" || typeof value === "boolean") acc[key] = value;
+		return acc;
+	}, {});
+}
+function mapSecurityAdvisories(securityVulnerabilities) {
+	if (!securityVulnerabilities) return [];
+	const vulnerabilitiesGroupedByPackageNameAndAdvisoryId = /* @__PURE__ */ new Map();
+	for (const vuln of securityVulnerabilities) {
+		const key = `${vuln.package.name}/${vuln.advisory.identifiers.map((i) => `${i.type}:${i.value}`).join("/")}`;
+		if (!vulnerabilitiesGroupedByPackageNameAndAdvisoryId.has(key)) vulnerabilitiesGroupedByPackageNameAndAdvisoryId.set(key, []);
+		vulnerabilitiesGroupedByPackageNameAndAdvisoryId.get(key).push(vuln);
+	}
+	return Array.from(vulnerabilitiesGroupedByPackageNameAndAdvisoryId.values()).map((vulns) => {
+		return {
+			"dependency-name": vulns[0].package.name,
+			"affected-versions": vulns.map((v) => v.vulnerableVersionRange).filter((v) => v && v.length > 0),
+			"patched-versions": vulns.map((v) => v.firstPatchedVersion?.identifier).filter((v) => v && v.length > 0).map((v) => v),
+			"unaffected-versions": []
+		};
+	});
+}
+function mapCredentials({ sourceHostname, systemAccessUser, systemAccessToken, githubToken, registries }) {
+	const credentials = [];
+	if (systemAccessToken) credentials.push({
+		type: "git_source",
+		host: sourceHostname,
+		username: (systemAccessUser ?? "").trim()?.length > 0 ? systemAccessUser : "x-access-token",
+		password: systemAccessToken
+	});
+	if (githubToken) credentials.push({
+		type: "git_source",
+		host: "github.com",
+		username: "x-access-token",
+		password: githubToken
+	});
+	if (registries) credentials.push(...Object.values(registries));
+	return credentials;
+}
+function makeRandomJobId() {
+	const array = new Uint32Array(1);
+	crypto.getRandomValues(array);
+	return array[0] % 1e10;
+}
+function makeRandomJobToken() {
+	const array = new Uint8Array(30);
+	crypto.getRandomValues(array);
+	return Array.from(array, (byte) => (byte % 36).toString(36)).join("");
+}
+
+//#endregion
+//#region src/dependabot/update.ts
+const DependabotDependencyFileSchema = z.object({
+	content: z.string(),
+	content_encoding: z.string().nullish(),
+	deleted: z.boolean().nullish(),
+	directory: z.string(),
+	name: z.string(),
+	operation: z.string(),
+	support_file: z.boolean().nullish(),
+	symlink_target: z.string().nullish(),
+	type: z.string().nullish(),
+	mode: z.string().nullish()
+});
+const DependabotUpdateDependencyListSchema = z.object({
+	dependencies: DependabotDependencySchema.array(),
+	dependency_files: z.string().array().nullish()
+});
+const DependabotCreatePullRequestSchema = z.object({
+	"base-commit-sha": z.string(),
+	dependencies: DependabotDependencySchema.array(),
+	"updated-dependency-files": DependabotDependencyFileSchema.array(),
+	"pr-title": z.string(),
+	"pr-body": z.string().nullish(),
+	"commit-message": z.string(),
+	"dependency-group": z.record(z.string(), z.any()).nullish()
+});
+const DependabotUpdatePullRequestSchema = z.object({
+	"base-commit-sha": z.string(),
+	"dependency-names": z.string().array(),
+	"updated-dependency-files": DependabotDependencyFileSchema.array(),
+	"pr-title": z.string().nullish(),
+	"pr-body": z.string().nullish(),
+	"commit-message": z.string().nullish(),
+	"dependency-group": z.record(z.string(), z.any()).nullish()
+});
+const DependabotClosePullRequestSchema = z.object({
+	"dependency-names": z.string().array(),
+	reason: z.string().nullish()
+});
+const DependabotMarkAsProcessedSchema = z.object({ "base-commit-sha": z.string().nullish() });
+const DependabotRecordUpdateJobErrorSchema = z.object({
+	"error-type": z.string(),
+	"error-details": z.record(z.string(), z.any()).nullish()
+});
+const DependabotRecordUpdateJobUnknownErrorSchema = z.object({
+	"error-type": z.string(),
+	"error-details": z.record(z.string(), z.any()).nullish()
+});
+const DependabotRecordEcosystemVersionsSchema = z.object({ ecosystem_versions: z.record(z.string(), z.any()).nullish() });
+const DependabotEcosystemVersionManagerSchema = z.object({
+	name: z.string(),
+	version: z.string(),
+	raw_version: z.string(),
+	requirement: z.record(z.string(), z.any()).nullish()
+});
+const DependabotEcosystemMetaSchema = z.object({
+	name: z.string(),
+	package_manager: DependabotEcosystemVersionManagerSchema.nullish(),
+	version: DependabotEcosystemVersionManagerSchema.nullish()
+});
+const DependabotRecordEcosystemMetaSchema = z.object({ ecosystem: DependabotEcosystemMetaSchema });
+const DependabotIncrementMetricSchema = z.object({
+	metric: z.string(),
+	tags: z.record(z.string(), z.any()).nullish()
+});
+const DependabotMetricSchema = z.object({
+	metric: z.string(),
+	type: z.enum([
+		"increment",
+		"gauge",
+		"distribution",
+		"histogram"
+	]),
+	value: z.number().nullish(),
+	values: z.number().array().nullish(),
+	tags: z.record(z.string(), z.string()).nullish()
+});
+
+//#endregion
+//#region src/dependabot/server.ts
+const DependabotRequestTypeSchema = z.enum([
+	"create_pull_request",
+	"update_pull_request",
+	"close_pull_request",
+	"record_update_job_error",
+	"record_update_job_unknown_error",
+	"mark_as_processed",
+	"update_dependency_list",
+	"record_ecosystem_versions",
+	"record_ecosystem_meta",
+	"increment_metric",
+	"record_metrics"
+]);
+const DependabotRequestSchema = z.discriminatedUnion("type", [
+	z.object({
+		type: z.literal("create_pull_request"),
+		data: DependabotCreatePullRequestSchema
+	}),
+	z.object({
+		type: z.literal("update_pull_request"),
+		data: DependabotUpdatePullRequestSchema
+	}),
+	z.object({
+		type: z.literal("close_pull_request"),
+		data: DependabotClosePullRequestSchema
+	}),
+	z.object({
+		type: z.literal("record_update_job_error"),
+		data: DependabotRecordUpdateJobErrorSchema
+	}),
+	z.object({
+		type: z.literal("record_update_job_unknown_error"),
+		data: DependabotRecordUpdateJobUnknownErrorSchema
+	}),
+	z.object({
+		type: z.literal("mark_as_processed"),
+		data: DependabotMarkAsProcessedSchema
+	}),
+	z.object({
+		type: z.literal("update_dependency_list"),
+		data: DependabotUpdateDependencyListSchema
+	}),
+	z.object({
+		type: z.literal("record_ecosystem_versions"),
+		data: DependabotRecordEcosystemVersionsSchema
+	}),
+	z.object({
+		type: z.literal("record_ecosystem_meta"),
+		data: DependabotRecordEcosystemMetaSchema.array()
+	}),
+	z.object({
+		type: z.literal("increment_metric"),
+		data: DependabotIncrementMetricSchema
+	}),
+	z.object({
+		type: z.literal("record_metrics"),
+		data: DependabotMetricSchema.array()
+	})
+]);
+/**
+* Creates an API server application for handling dependabot update jobs.
+* The endpoints in the server application have paths in the format: `/api/update_jobs/:id/{operation}`,
+* where `:id` is the job ID and `{operation}` is one of the defined operations e.g. `create_pull_request`.
+*
+* You should set the job endpoint URL in the job container to
+* `http://<host>:<port>/api/update_jobs/:id` where `<host>` and `<port>` are the host and port
+*
+* These endpoints are protected using the provided API key.
+* @param params - The parameters for creating the API server application.
+* @returns The created API server application.
+*/
+function createApiServerApp({ basePath = `/api/update_jobs`, authenticate, getJob, getCredentials, handle }) {
+	const app = new Hono().basePath(basePath);
+	function operation(type, schema, method) {
+		app.on(method || "post", `/:id/${type}`, zValidator("param", z.object({ id: z.coerce.number() })), async (context, next) => {
+			if (new URL(context.req.url).protocol === "https:") {
+				const { id } = context.req.valid("param");
+				const value = context.req.header("Authorization");
+				if (!value) return context.body(null, 401);
+				if (!await authenticate("job", id, value)) return context.body(null, 403);
+			} else logger.trace(`Skipping authentication because it is not secure ${context.req.url}`);
+			await next();
+		}, zValidator("json", z.object({ data: schema })), async (context) => {
+			const { id } = context.req.valid("param");
+			const { data } = context.req.valid("json");
+			const success = await handle(id, {
+				type,
+				data
+			});
+			return context.body(null, success ? 204 : 400);
+		});
+	}
+	operation("create_pull_request", DependabotCreatePullRequestSchema);
+	operation("update_pull_request", DependabotUpdatePullRequestSchema);
+	operation("close_pull_request", DependabotClosePullRequestSchema);
+	operation("record_update_job_error", DependabotRecordUpdateJobErrorSchema);
+	operation("record_update_job_unknown_error", DependabotRecordUpdateJobUnknownErrorSchema);
+	operation("mark_as_processed", DependabotMarkAsProcessedSchema, "patch");
+	operation("update_dependency_list", DependabotUpdateDependencyListSchema);
+	operation("record_ecosystem_versions", DependabotRecordEcosystemVersionsSchema);
+	operation("record_ecosystem_meta", DependabotRecordEcosystemMetaSchema.array());
+	operation("increment_metric", DependabotIncrementMetricSchema);
+	operation("record_metrics", DependabotMetricSchema.array());
+	app.on("get", "/:id/details", zValidator("param", z.object({ id: z.coerce.number() })), async (context, next) => {
+		const { id } = context.req.valid("param");
+		const value = context.req.header("Authorization");
+		if (!value) return context.body(null, 401);
+		if (!await authenticate("job", id, value)) return context.body(null, 403);
+		await next();
+	}, async (context) => {
+		const { id } = context.req.valid("param");
+		const job = await getJob(id);
+		if (!job) return context.body(null, 204);
+		return context.json(job);
+	});
+	app.on("get", "/:id/credentials", zValidator("param", z.object({ id: z.coerce.number() })), async (context, next) => {
+		const { id } = context.req.valid("param");
+		const value = context.req.header("Authorization");
+		if (!value) return context.body(null, 401);
+		if (!await authenticate("credentials", id, value)) return context.body(null, 403);
+		await next();
+	}, async (context) => {
+		const { id } = context.req.valid("param");
+		const credentials = await getCredentials(id);
+		if (!credentials) return context.body(null, 204);
+		return context.json(credentials);
+	});
+	return app;
+}
+
+//#endregion
+export { DEFAULT_EXPERIMENTS as A, mapExperiments as C, mapSecurityAdvisories as D, mapPackageEcosystemToPackageManager as E, DEPENDABOT_DEFAULT_AUTHOR_NAME as F, getBranchNameForUpdate as M, sanitizeRef as N, mapSourceFromDependabotConfigToJobConfig as O, DEPENDABOT_DEFAULT_AUTHOR_EMAIL as P, mapCredentials as S, mapIgnoreConditionsFromDependabotConfigToJobConfig as T, DependabotUpdatePullRequestSchema as _, DependabotCreatePullRequestSchema as a, makeRandomJobToken as b, DependabotEcosystemVersionManagerSchema as c, DependabotMetricSchema as d, DependabotRecordEcosystemMetaSchema as f, DependabotUpdateDependencyListSchema as g, DependabotRecordUpdateJobUnknownErrorSchema as h, DependabotClosePullRequestSchema as i, parseExperiments as j, mapVersionStrategyToRequirementsUpdateStrategy as k, DependabotIncrementMetricSchema as l, DependabotRecordUpdateJobErrorSchema as m, DependabotRequestTypeSchema as n, DependabotDependencyFileSchema as o, DependabotRecordEcosystemVersionsSchema as p, createApiServerApp as r, DependabotEcosystemMetaSchema as s, DependabotRequestSchema as t, DependabotMarkAsProcessedSchema as u, DependabotJobBuilder as v, mapGroupsFromDependabotConfigToJobConfig as w, mapAllowedUpdatesFromDependabotConfigToJobConfig as x, makeRandomJobId as y };
+//# sourceMappingURL=dependabot-BteoKZVy.js.map

package/dist/node/dependabot-BteoKZVy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependabot-BteoKZVy.js","names":["branchName: string","crypto","DEFAULT_EXPERIMENTS: DependabotExperiments","updatingPullRequest: boolean","updateDependencyGroupName: string | null","updateDependencyNames: string[] | null","vulnerabilities: SecurityVulnerability[] | undefined","success: boolean"],"sources":["../../src/dependabot/author.ts","../../src/dependabot/branch-name.ts","../../src/dependabot/experiments.ts","../../src/dependabot/job-builder.ts","../../src/dependabot/update.ts","../../src/dependabot/server.ts"],"sourcesContent":["export type GitAuthor = {\n  name: string;\n  email: string;\n};\n\nexport const DEPENDABOT_DEFAULT_AUTHOR_EMAIL = 'noreply@github.com';\nexport const DEPENDABOT_DEFAULT_AUTHOR_NAME = 'dependabot[bot]';\n","import * as crypto from 'node:crypto';\nimport type { PackageEcosystem } from './config';\nimport type { DependabotExistingPR } from './job';\n\n// TODO: figure out how to handle IDENTIFIER field (in a group) in branch naming\n// Docs: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--\n// -> An identifier for a group is used in branch names and pull request titles.\n\nexport function getBranchNameForUpdate(\n  packageEcosystem: PackageEcosystem,\n  targetBranchName: string | undefined,\n  directory: string | undefined,\n  dependencyGroupName: string | undefined,\n  dependencies: DependabotExistingPR[],\n  separator: string = '/',\n): string {\n  // Based on dependabot-core implementation:\n  // https://github.com/dependabot/dependabot-core/blob/main/common/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb\n  // https://github.com/dependabot/dependabot-core/blob/main/common/lib/dependabot/pull_request_creator/branch_namer/dependency_group_strategy.rb\n  let branchName: string;\n  const branchNameMightBeTooLong = dependencyGroupName || dependencies.length > 1;\n  if (branchNameMightBeTooLong) {\n    // Group/multi dependency update\n    // e.g. dependabot/nuget/main/microsoft-3b49c54d9e\n    const dependencyDigest = crypto\n      .createHash('md5')\n      .update(dependencies.map((d) => `${d['dependency-name']}-${d['dependency-version']}`).join(','))\n      .digest('hex')\n      .substring(0, 10);\n    branchName = `${dependencyGroupName || 'multi'}-${dependencyDigest}`;\n  } else {\n    // Single dependency update\n    // e.g. dependabot/nuget/main/Microsoft.Extensions.Logging-1.0.0\n    const dependencyNames = dependencies\n      .map((d) => d['dependency-name'])\n      .join('-and-')\n      .replace(/[:[]]/g, '-') // Replace `:` and `[]` with `-`\n      .replace(/@/g, ''); // Remove `@`\n    const versionSuffix = dependencies[0]?.removed ? 'removed' : dependencies[0]?.['dependency-version'];\n    branchName = `${dependencyNames}-${versionSuffix}`;\n  }\n\n  return sanitizeRef(\n    [\n      'dependabot',\n      packageEcosystem,\n      targetBranchName,\n      // normalize directory to remove leading/trailing slashes and replace remaining ones with the separator\n      directory\n        ?.replace(/^\\/+|\\/+$/g, '')\n        .replace(/\\//g, separator),\n      branchName,\n    ],\n    separator,\n  );\n}\n\nexport function sanitizeRef(refParts: (string | undefined)[], separator: string): string {\n  // Based on dependabot-core implementation:\n  // https://github.com/dependabot/dependabot-core/blob/fc31ae64f492dc977cfe6773ab13fb6373aabec4/common/lib/dependabot/pull_request_creator/branch_namer/base.rb#L99\n\n  // This isn't a complete implementation of git's ref validation, but it\n  // covers most cases that crop up. Its list of allowed characters is a\n  // bit stricter than git's, but that's for cosmetic reasons.\n  return (\n    refParts\n      // Join the parts with the separator, ignore empty parts\n      .filter((p) => p && p.trim().length > 0)\n      .join(separator)\n      // Remove forbidden characters (those not already replaced elsewhere)\n      .replace(/[^A-Za-z0-9/\\-_.(){}]/g, '')\n      // Slashes can't be followed by periods\n      .replace(/\\/\\./g, '/dot-')\n      // Squeeze out consecutive periods and slashes\n      .replace(/\\.+/g, '.')\n      .replace(/\\/+/g, '/')\n      // Trailing periods are forbidden\n      .replace(/\\.$/, '')\n  );\n}\n","import type { DependabotExperiments } from './job';\n\n// The default experiments known to be used by the GitHub Dependabot service.\n// This changes often, update as needed by extracting them from a Dependabot GitHub Action run.\n//  e.g. https://github.com/mburumaxwell/dependabot-azure-devops/actions/workflows/dependabot/dependabot-updates\nexport const DEFAULT_EXPERIMENTS: DependabotExperiments = {\n  'record-ecosystem-versions': true,\n  'record-update-job-unknown-error': true,\n  'proxy-cached': true,\n  'move-job-token': true,\n  'dependency-change-validation': true,\n  'enable-file-parser-python-local': true,\n  'npm-fallback-version-above-v6': true,\n  'lead-security-dependency': true,\n  'enable-record-ecosystem-meta': true,\n  'enable-corepack-for-npm-and-yarn': true,\n  'enable-shared-helpers-command-timeout': true,\n  'enable-dependabot-setting-up-cronjob': true,\n  'enable-engine-version-detection': true,\n  'avoid-duplicate-updates-package-json': true,\n  'allow-refresh-for-existing-pr-dependencies': true,\n  'allow-refresh-group-with-all-dependencies': true,\n  'exclude-local-composer-packages': true,\n  'enable-enhanced-error-details-for-updater': true,\n  'gradle-lockfile-updater': true,\n  'enable-exclude-paths-subdirectory-manifest-files': true,\n  'group-membership-enforcement': true,\n};\n\n/**\n * Parses a comma-separated list of key=value pairs representing experiments.\n * @param raw A comma-separated list of key=value pairs representing experiments.\n * @returns A map of experiment names to their values.\n */\nexport function parseExperiments(raw?: string): DependabotExperiments | undefined {\n  return raw\n    ?.split(',')\n    .filter((entry) => entry.trim() !== '') // <-- filter out empty entries\n    .reduce((acc, cur) => {\n      const [key, value] = cur.split('=', 2);\n      acc[key!] = value || true;\n      return acc;\n    }, {} as DependabotExperiments);\n}\n","import type { SecurityVulnerability } from '@/github';\nimport type {\n  DependabotAllowCondition,\n  DependabotConfig,\n  DependabotGroup,\n  DependabotIgnoreCondition,\n  DependabotRegistry,\n  DependabotUpdate,\n  PackageEcosystem,\n  VersioningStrategy,\n} from './config';\nimport type {\n  DependabotAllowed,\n  DependabotCondition,\n  DependabotCredential,\n  DependabotExistingGroupPR,\n  DependabotExistingPR,\n  DependabotExperiments,\n  DependabotGroupJob,\n  DependabotJobConfig,\n  DependabotPackageManager,\n  DependabotSecurityAdvisory,\n  DependabotSource,\n  DependabotSourceProvider,\n} from './job';\n\nexport type DependabotSourceInfo = {\n  provider: DependabotSourceProvider;\n  hostname: string;\n  'api-endpoint': string;\n  'repository-slug': string;\n};\n\nexport type DependabotJobBuilderOutput = {\n  jobId: number;\n  job: DependabotJobConfig;\n  credentials: DependabotCredential[];\n};\n\n/**\n * Class for building dependabot job objects\n */\nexport class DependabotJobBuilder {\n  private readonly config: DependabotConfig;\n  private readonly update: DependabotUpdate;\n  private readonly experiments: DependabotExperiments;\n  private readonly debug: boolean;\n\n  private readonly packageManager: DependabotPackageManager;\n  private readonly source: DependabotSource;\n  private readonly credentials: DependabotCredential[];\n\n  constructor({\n    source,\n    config,\n    update,\n    systemAccessUser,\n    systemAccessToken,\n    githubToken,\n    experiments,\n    debug,\n  }: {\n    source: DependabotSourceInfo;\n    config: DependabotConfig;\n    update: DependabotUpdate;\n    experiments: DependabotExperiments;\n    systemAccessUser?: string;\n    systemAccessToken?: string;\n    githubToken?: string;\n    /** Determines if verbose log messages are logged */\n    debug: boolean;\n  }) {\n    this.config = config;\n    this.update = update;\n    this.experiments = experiments;\n    this.debug = debug;\n\n    this.packageManager = mapPackageEcosystemToPackageManager(update['package-ecosystem']);\n    this.source = mapSourceFromDependabotConfigToJobConfig(source, update);\n    this.credentials = mapCredentials({\n      sourceHostname: source.hostname,\n      systemAccessUser,\n      systemAccessToken,\n      githubToken,\n      registries: config.registries,\n    });\n  }\n\n  /**\n   * Create a dependabot update job that updates nothing, but will discover the dependency list for a package ecosystem\n   */\n  public forDependenciesList({\n    id,\n    command,\n  }: {\n    id?: number;\n    command: DependabotJobConfig['command'];\n  }): DependabotJobBuilderOutput {\n    id ??= makeRandomJobId();\n    return {\n      jobId: id,\n      job: {\n        id: id,\n        command: command,\n        'package-manager': this.packageManager,\n        'updating-a-pull-request': false,\n        dependencies: null,\n        'allowed-updates': [{ 'dependency-type': 'direct', 'update-type': 'all' }],\n        'ignore-conditions': [{ 'dependency-name': '*' }],\n        'security-updates-only': false,\n        'security-advisories': [],\n        source: this.source,\n        'update-subdependencies': false,\n        'existing-pull-requests': [],\n        'existing-group-pull-requests': [],\n        experiments: this.experiments,\n        'requirements-update-strategy': null,\n        'lockfile-only': false,\n        'commit-message-options': {\n          prefix: null,\n          'prefix-development': null,\n          'include-scope': null,\n        },\n        'vendor-dependencies': false,\n        'repo-private': true,\n        debug: this.debug,\n      },\n      credentials: this.credentials,\n    };\n  }\n\n  /**\n   * Create a dependabot update job that updates all dependencies for a package ecosystem\n   */\n  public forUpdate({\n    id,\n    command,\n    dependencyNamesToUpdate,\n    existingPullRequests,\n    pullRequestToUpdate,\n    securityVulnerabilities,\n  }: {\n    id?: number;\n    command: DependabotJobConfig['command'];\n    dependencyNamesToUpdate?: string[];\n    existingPullRequests: (DependabotExistingPR[] | DependabotExistingGroupPR)[];\n    pullRequestToUpdate?: DependabotExistingPR[] | DependabotExistingGroupPR;\n    securityVulnerabilities?: SecurityVulnerability[];\n  }): DependabotJobBuilderOutput {\n    id ??= makeRandomJobId();\n    const securityOnlyUpdate = this.update['open-pull-requests-limit'] === 0;\n\n    let updatingPullRequest: boolean;\n    let updateDependencyGroupName: string | null = null;\n    let updateDependencyNames: string[] | null;\n    let vulnerabilities: SecurityVulnerability[] | undefined;\n\n    if (pullRequestToUpdate) {\n      updatingPullRequest = true;\n      updateDependencyGroupName = Array.isArray(pullRequestToUpdate)\n        ? null\n        : pullRequestToUpdate['dependency-group-name'];\n      updateDependencyNames = (\n        Array.isArray(pullRequestToUpdate) ? pullRequestToUpdate : pullRequestToUpdate.dependencies\n      )?.map((d) => d['dependency-name']);\n      vulnerabilities = securityVulnerabilities?.filter((v) => updateDependencyNames?.includes(v.package.name));\n    } else {\n      updatingPullRequest = false;\n      const names = dependencyNamesToUpdate?.length ? dependencyNamesToUpdate : null;\n      updateDependencyNames =\n        securityOnlyUpdate && names\n          ? names?.filter((d) => securityVulnerabilities?.find((v) => v.package.name === d))\n          : names;\n      vulnerabilities = securityVulnerabilities;\n    }\n\n    return {\n      jobId: id,\n      job: {\n        id: id,\n        command: command,\n        'package-manager': this.packageManager,\n        'updating-a-pull-request': updatingPullRequest || false,\n        'dependency-group-to-refresh': updateDependencyGroupName,\n        'dependency-groups': mapGroupsFromDependabotConfigToJobConfig(this.update.groups),\n        dependencies: updateDependencyNames,\n        'allowed-updates': mapAllowedUpdatesFromDependabotConfigToJobConfig(this.update.allow, securityOnlyUpdate),\n        'ignore-conditions': mapIgnoreConditionsFromDependabotConfigToJobConfig(this.update.ignore),\n        'security-updates-only': securityOnlyUpdate,\n        'security-advisories': mapSecurityAdvisories(vulnerabilities),\n        source: this.source,\n        'update-subdependencies': false,\n        'existing-pull-requests': existingPullRequests.filter((pr) => Array.isArray(pr)),\n        'existing-group-pull-requests': existingPullRequests.filter(\n          (pr): pr is DependabotExistingGroupPR => !Array.isArray(pr),\n        ),\n        'commit-message-options': {\n          prefix: this.update['commit-message']?.prefix ?? null,\n          'prefix-development': this.update['commit-message']?.['prefix-development'] ?? null,\n          'include-scope':\n            this.update['commit-message']?.include?.toLocaleLowerCase()?.trim() === 'scope' ? true : null,\n        },\n        cooldown: this.update.cooldown,\n        experiments: mapExperiments(this.experiments),\n        'reject-external-code':\n          this.update['insecure-external-code-execution']?.toLocaleLowerCase()?.trim() === 'allow',\n        'requirements-update-strategy': mapVersionStrategyToRequirementsUpdateStrategy(\n          this.update['versioning-strategy'],\n        ),\n        'lockfile-only': this.update['versioning-strategy'] === 'lockfile-only',\n        'vendor-dependencies': this.update.vendor ?? false,\n        'repo-private': true,\n        debug: this.debug,\n        'proxy-log-response-body-on-auth-failure': true,\n        'max-updater-run-time': 2700,\n        'enable-beta-ecosystems': this.config['enable-beta-ecosystems'] || false,\n        // Updates across ecosystems is still in development\n        // See https://github.com/dependabot/dependabot-core/issues/8126\n        //     https://github.com/dependabot/dependabot-core/pull/12339\n        // It needs to merged in the core repo first before we support it\n        // However, to match current job configs and to prevent surprises, we disable it\n        'multi-ecosystem-update': false,\n      },\n      credentials: this.credentials,\n    };\n  }\n}\n\nexport function mapPackageEcosystemToPackageManager(ecosystem: PackageEcosystem): DependabotPackageManager {\n  // Map the dependabot config \"package ecosystem\" to the equivalent dependabot-core/cli \"package manager\".\n  // Config values: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-\n  // Core/CLI values: https://github.com/dependabot/dependabot-core/blob/main/common/lib/dependabot/config/file.rb#L60-L81\n  switch (ecosystem) {\n    case 'docker-compose':\n      return 'docker_compose';\n    case 'dotnet-sdk':\n      return 'dotnet_sdk';\n    case 'github-actions':\n      return 'github_actions';\n    case 'gitsubmodule':\n      return 'submodules';\n    case 'gomod':\n      return 'go_modules';\n    case 'mix':\n      return 'hex';\n    case 'npm':\n      return 'npm_and_yarn';\n    // Additional aliases, sometimes used for convenience\n    case 'pipenv':\n      return 'pip';\n    case 'pip-compile':\n      return 'pip';\n    case 'poetry':\n      return 'pip';\n    case 'pnpm':\n      return 'npm_and_yarn';\n    case 'yarn':\n      return 'npm_and_yarn';\n    default:\n      return ecosystem;\n  }\n}\n\nexport function mapSourceFromDependabotConfigToJobConfig(\n  source: DependabotSourceInfo,\n  update: DependabotUpdate,\n): DependabotSource {\n  return {\n    provider: source.provider,\n    'api-endpoint': source['api-endpoint'],\n    hostname: source.hostname,\n    repo: source['repository-slug'],\n    branch: update['target-branch'],\n    commit: null, // use latest commit of target branch\n    directory: update.directory,\n    directories: update.directories,\n  };\n}\n\nexport function mapVersionStrategyToRequirementsUpdateStrategy(strategy?: VersioningStrategy): string | null {\n  if (!strategy) return null;\n  switch (strategy) {\n    case 'auto':\n      return null;\n    case 'increase':\n      return 'bump_versions';\n    case 'increase-if-necessary':\n      return 'bump_versions_if_necessary';\n    case 'lockfile-only':\n      return 'lockfile_only';\n    case 'widen':\n      return 'widen_ranges';\n    default:\n      throw new Error(`Invalid dependabot.yaml versioning strategy option '${strategy}'`);\n  }\n}\n\nexport function mapGroupsFromDependabotConfigToJobConfig(\n  dependencyGroups?: Record<string, DependabotGroup | null>,\n): DependabotGroupJob[] {\n  if (!dependencyGroups || !Object.keys(dependencyGroups).length) return [];\n  return Object.keys(dependencyGroups)\n    .filter((name) => dependencyGroups[name])\n    .map((name) => {\n      const group = dependencyGroups[name]!;\n      return {\n        name: name,\n        'applies-to': group['applies-to'],\n        rules: {\n          patterns: group.patterns?.length ? group.patterns : ['*'],\n          'exclude-patterns': group['exclude-patterns'],\n          'dependency-type': group['dependency-type'],\n          'update-types': group['update-types'],\n        },\n      } satisfies DependabotGroupJob;\n    });\n}\n\nexport function mapAllowedUpdatesFromDependabotConfigToJobConfig(\n  allowedUpdates?: DependabotAllowCondition[],\n  securityOnlyUpdate?: boolean,\n): DependabotAllowed[] {\n  // If no allow conditions are specified, update direct dependencies by default; This is what GitHub does.\n  // NOTE: 'update-type' appears to be a deprecated config, but still appears in the dependabot-core model and GitHub Dependabot job logs.\n  //       See: https://github.com/dependabot/dependabot-core/blob/b3a0c1f86c20729494097ebc695067099f5b4ada/updater/lib/dependabot/job.rb#L253C1-L257C78\n  if (!allowedUpdates) {\n    return [\n      {\n        'dependency-type': 'direct',\n        'update-type': securityOnlyUpdate ? 'security' : 'all',\n      },\n    ];\n  }\n  return allowedUpdates.map((allow) => {\n    return {\n      'dependency-name': allow['dependency-name'],\n      'dependency-type': allow['dependency-type'],\n      'update-type': allow['update-type'],\n    };\n  });\n}\n\nexport function mapIgnoreConditionsFromDependabotConfigToJobConfig(\n  ignoreConditions?: DependabotIgnoreCondition[],\n): DependabotCondition[] {\n  if (!ignoreConditions) return [];\n  return ignoreConditions.map((ignore) => {\n    return {\n      source: ignore.source,\n      'updated-at': ignore['updated-at'],\n      'dependency-name': ignore['dependency-name'] ?? '*',\n      'update-types': ignore['update-types'],\n\n      // The dependabot.yml config docs are not very clear about acceptable values; after scanning dependabot-core and dependabot-cli,\n      // this could either be a single version string (e.g. '>1.0.0'), or multiple version strings separated by commas (e.g. '>1.0.0, <2.0.0')\n      'version-requirement': Array.isArray(ignore.versions) ? (<string[]>ignore.versions)?.join(', ') : ignore.versions,\n    } satisfies DependabotCondition;\n  });\n}\n\nexport function mapExperiments(experiments?: DependabotExperiments): DependabotExperiments {\n  experiments ??= {};\n  return Object.keys(experiments).reduce((acc, key) => {\n    // Experiment values are known to be either 'true', 'false', or a string value.\n    // If the value is 'true' or 'false', convert it to a boolean type so that dependabot-core handles it correctly.\n    const value = experiments[key];\n    if (typeof value === 'string' && value?.toLocaleLowerCase() === 'true') {\n      acc[key] = true;\n    } else if (typeof value === 'string' && value?.toLocaleLowerCase() === 'false') {\n      acc[key] = false;\n    } else {\n      if (typeof value === 'string' || typeof value === 'boolean') acc[key] = value;\n    }\n    return acc;\n  }, {} as DependabotExperiments);\n}\n\nexport function mapSecurityAdvisories(securityVulnerabilities?: SecurityVulnerability[]): DependabotSecurityAdvisory[] {\n  if (!securityVulnerabilities) return [];\n\n  // A single security advisory can cause a vulnerability in multiple versions of a package.\n  // We need to map each unique security advisory to a list of affected-versions and patched-versions.\n  const vulnerabilitiesGroupedByPackageNameAndAdvisoryId = new Map<string, SecurityVulnerability[]>();\n  for (const vuln of securityVulnerabilities) {\n    const key = `${vuln.package.name}/${vuln.advisory.identifiers.map((i) => `${i.type}:${i.value}`).join('/')}`;\n    if (!vulnerabilitiesGroupedByPackageNameAndAdvisoryId.has(key)) {\n      vulnerabilitiesGroupedByPackageNameAndAdvisoryId.set(key, []);\n    }\n    vulnerabilitiesGroupedByPackageNameAndAdvisoryId.get(key)!.push(vuln);\n  }\n  return Array.from(vulnerabilitiesGroupedByPackageNameAndAdvisoryId.values()).map((vulns) => {\n    return {\n      'dependency-name': vulns[0]!.package.name,\n      'affected-versions': vulns.map((v) => v.vulnerableVersionRange).filter((v) => v && v.length > 0),\n      'patched-versions': vulns\n        .map((v) => v.firstPatchedVersion?.identifier)\n        .filter((v) => v && v.length > 0)\n        .map((v) => v!),\n      'unaffected-versions': [],\n    } satisfies DependabotSecurityAdvisory;\n  });\n}\n\nexport function mapCredentials({\n  sourceHostname,\n  systemAccessUser,\n  systemAccessToken,\n  githubToken,\n  registries,\n}: {\n  sourceHostname: string;\n  systemAccessUser?: string;\n  systemAccessToken?: string;\n  githubToken?: string;\n  registries?: Record<string, DependabotRegistry>;\n}): DependabotCredential[] {\n  const credentials = [];\n\n  // Required to authenticate with the git repository when cloning the source code\n  if (systemAccessToken) {\n    credentials.push({\n      type: 'git_source',\n      host: sourceHostname,\n      username: (systemAccessUser ?? '').trim()?.length > 0 ? systemAccessUser : 'x-access-token',\n      password: systemAccessToken,\n    });\n  }\n\n  // Required to avoid rate-limiting errors when generating pull request descriptions (e.g. fetching release notes, commit messages, etc)\n  if (githubToken) {\n    credentials.push({\n      type: 'git_source',\n      host: 'github.com',\n      username: 'x-access-token',\n      password: githubToken,\n    });\n  }\n  if (registries) {\n    // TODO: only registries for the current update should be set\n    // Required to authenticate with private package feeds when finding the latest version of dependencies.\n    // The registries have already been worked on (see parseRegistries) so there is no need to do anything else.\n    credentials.push(...Object.values(registries));\n  }\n\n  return credentials;\n}\n\nexport function makeRandomJobId(): number {\n  const array = new Uint32Array(1);\n  crypto.getRandomValues(array);\n  return array[0]! % 10000000000; // Limit to 10 digits to match GitHub's job IDs\n}\n\nexport function makeRandomJobToken() {\n  const array = new Uint8Array(30);\n  crypto.getRandomValues(array);\n  return Array.from(array, (byte) => (byte % 36).toString(36)).join('');\n}\n","import { z } from 'zod/v4';\nimport { DependabotDependencySchema } from './job';\n\n// we use nullish() because it does optional() and allows the value to be set to null\n\nexport const DependabotDependencyFileSchema = z.object({\n  content: z.string(),\n  content_encoding: z.string().nullish(),\n  deleted: z.boolean().nullish(),\n  directory: z.string(),\n  name: z.string(),\n  operation: z.string(), // TODO: convert to enum?\n  support_file: z.boolean().nullish(),\n  symlink_target: z.string().nullish(),\n  type: z.string().nullish(), // TODO: convert to enum?\n  mode: z.string().nullish(),\n});\nexport type DependabotDependencyFile = z.infer<typeof DependabotDependencyFileSchema>;\n\nexport const DependabotUpdateDependencyListSchema = z.object({\n  dependencies: DependabotDependencySchema.array(),\n  dependency_files: z.string().array().nullish(),\n});\nexport type DependabotUpdateDependencyList = z.infer<typeof DependabotUpdateDependencyListSchema>;\n\nexport const DependabotCreatePullRequestSchema = z.object({\n  'base-commit-sha': z.string(),\n  dependencies: DependabotDependencySchema.array(),\n  'updated-dependency-files': DependabotDependencyFileSchema.array(),\n  'pr-title': z.string(),\n  'pr-body': z.string().nullish(),\n  'commit-message': z.string(),\n  'dependency-group': z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotCreatePullRequest = z.infer<typeof DependabotCreatePullRequestSchema>;\n\nexport const DependabotUpdatePullRequestSchema = z.object({\n  'base-commit-sha': z.string(),\n  'dependency-names': z.string().array(),\n  'updated-dependency-files': DependabotDependencyFileSchema.array(),\n  'pr-title': z.string().nullish(), // this is usually excluded when working with dependabot-cli and an empty string if the API\n  'pr-body': z.string().nullish(), // this is usually excluded when working with dependabot-cli and an empty string if the API\n  'commit-message': z.string().nullish(), // this is usually excluded when working with dependabot-cli and an empty string if the API\n  'dependency-group': z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotUpdatePullRequest = z.infer<typeof DependabotUpdatePullRequestSchema>;\n\nexport const DependabotClosePullRequestSchema = z.object({\n  'dependency-names': z.string().array(),\n  reason: z.string().nullish(), // TODO: convert to enum?\n});\nexport type DependabotClosePullRequest = z.infer<typeof DependabotClosePullRequestSchema>;\n\nexport const DependabotMarkAsProcessedSchema = z.object({\n  'base-commit-sha': z.string().nullish(),\n});\nexport type DependabotMarkAsProcessed = z.infer<typeof DependabotMarkAsProcessedSchema>;\n\nexport const DependabotRecordUpdateJobErrorSchema = z.object({\n  'error-type': z.string(),\n  'error-details': z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotRecordUpdateJobError = z.infer<typeof DependabotRecordUpdateJobErrorSchema>;\n\nexport const DependabotRecordUpdateJobUnknownErrorSchema = z.object({\n  'error-type': z.string(),\n  'error-details': z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotRecordUpdateJobUnknownError = z.infer<typeof DependabotRecordUpdateJobUnknownErrorSchema>;\n\nexport const DependabotRecordEcosystemVersionsSchema = z.object({\n  ecosystem_versions: z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotRecordEcosystemVersions = z.infer<typeof DependabotRecordEcosystemVersionsSchema>;\n\nexport const DependabotEcosystemVersionManagerSchema = z.object({\n  name: z.string(),\n  version: z.string(),\n  raw_version: z.string(),\n  requirement: z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotEcosystemVersionManager = z.infer<typeof DependabotEcosystemVersionManagerSchema>;\n\nexport const DependabotEcosystemMetaSchema = z.object({\n  name: z.string(),\n  package_manager: DependabotEcosystemVersionManagerSchema.nullish(),\n  version: DependabotEcosystemVersionManagerSchema.nullish(),\n});\nexport type DependabotEcosystemMeta = z.infer<typeof DependabotEcosystemMetaSchema>;\n\nexport const DependabotRecordEcosystemMetaSchema = z.object({\n  ecosystem: DependabotEcosystemMetaSchema,\n});\nexport type DependabotRecordEcosystemMeta = z.infer<typeof DependabotRecordEcosystemMetaSchema>;\n\nexport const DependabotIncrementMetricSchema = z.object({\n  metric: z.string(),\n  tags: z.record(z.string(), z.any()).nullish(),\n});\nexport type DependabotIncrementMetric = z.infer<typeof DependabotIncrementMetricSchema>;\n\nexport const DependabotMetricSchema = z.object({\n  metric: z.string(),\n  type: z.enum(['increment', 'gauge', 'distribution', 'histogram']),\n  value: z.number().nullish(),\n  values: z.number().array().nullish(),\n  tags: z.record(z.string(), z.string()).nullish(),\n});\nexport type DependabotMetric = z.infer<typeof DependabotMetricSchema>;\n","import { zValidator } from '@hono/zod-validator';\nimport { Hono } from 'hono';\nimport { type ZodType, z } from 'zod/v4';\nimport { logger } from '@/logger';\nimport type { DependabotCredential, DependabotJobConfig } from './job';\nimport {\n  DependabotClosePullRequestSchema,\n  DependabotCreatePullRequestSchema,\n  DependabotIncrementMetricSchema,\n  DependabotMarkAsProcessedSchema,\n  DependabotMetricSchema,\n  DependabotRecordEcosystemMetaSchema,\n  DependabotRecordEcosystemVersionsSchema,\n  DependabotRecordUpdateJobErrorSchema,\n  DependabotRecordUpdateJobUnknownErrorSchema,\n  DependabotUpdateDependencyListSchema,\n  DependabotUpdatePullRequestSchema,\n} from './update';\n\nexport const DependabotRequestTypeSchema = z.enum([\n  'create_pull_request',\n  'update_pull_request',\n  'close_pull_request',\n  'record_update_job_error',\n  'record_update_job_unknown_error',\n  'mark_as_processed',\n  'update_dependency_list',\n  'record_ecosystem_versions',\n  'record_ecosystem_meta',\n  'increment_metric',\n  'record_metrics',\n]);\nexport type DependabotRequestType = z.infer<typeof DependabotRequestTypeSchema>;\n\nexport const DependabotRequestSchema = z.discriminatedUnion('type', [\n  z.object({ type: z.literal('create_pull_request'), data: DependabotCreatePullRequestSchema }),\n  z.object({ type: z.literal('update_pull_request'), data: DependabotUpdatePullRequestSchema }),\n  z.object({ type: z.literal('close_pull_request'), data: DependabotClosePullRequestSchema }),\n  z.object({ type: z.literal('record_update_job_error'), data: DependabotRecordUpdateJobErrorSchema }),\n  z.object({ type: z.literal('record_update_job_unknown_error'), data: DependabotRecordUpdateJobUnknownErrorSchema }),\n  z.object({ type: z.literal('mark_as_processed'), data: DependabotMarkAsProcessedSchema }),\n  z.object({ type: z.literal('update_dependency_list'), data: DependabotUpdateDependencyListSchema }),\n  z.object({ type: z.literal('record_ecosystem_versions'), data: DependabotRecordEcosystemVersionsSchema }),\n  z.object({ type: z.literal('record_ecosystem_meta'), data: DependabotRecordEcosystemMetaSchema.array() }),\n  z.object({ type: z.literal('increment_metric'), data: DependabotIncrementMetricSchema }),\n  z.object({ type: z.literal('record_metrics'), data: DependabotMetricSchema.array() }),\n]);\nexport type DependabotRequest = z.infer<typeof DependabotRequestSchema>;\n\nexport type DependabotTokenType = 'job' | 'credentials';\n\n/**\n * Function type for authenticating requests.\n * @param type - The type of authentication ('job' or 'credentials').\n * @param id - The ID of the dependabot job.\n * @param value - The authentication value (e.g., API key).\n * @returns A promise that resolves to a boolean indicating whether the authentication was successful.\n */\ntype AuthenticatorFunc = (type: DependabotTokenType, id: number, value: string) => Promise<boolean>;\n\n/**\n * Handler function for processing dependabot requests.\n * @param id - The ID of the dependabot job.\n * @param request - The dependabot request to handle.\n * @returns A promise that resolves to the result of handling the request.\n */\ntype HandlerFunc = (id: number, request: DependabotRequest) => Promise<boolean>;\n\nexport type CreateApiServerAppOptions = {\n  /**\n   * Base path for the endpoints.\n   * @default `/api/update_jobs`\n   */\n  basePath?: string;\n\n  /** Handler function for authenticating requests. */\n  authenticate: AuthenticatorFunc;\n\n  /** Function for getting a dependabot job by ID. */\n  getJob: (id: number) => Promise<DependabotJobConfig | undefined>;\n\n  /** Function for getting dependabot credentials by job ID. */\n  getCredentials: (id: number) => Promise<DependabotCredential[] | undefined>;\n\n  /** Handler function for processing the operations. */\n  handle: HandlerFunc;\n};\n\n/**\n * Creates an API server application for handling dependabot update jobs.\n * The endpoints in the server application have paths in the format: `/api/update_jobs/:id/{operation}`,\n * where `:id` is the job ID and `{operation}` is one of the defined operations e.g. `create_pull_request`.\n *\n * You should set the job endpoint URL in the job container to\n * `http://<host>:<port>/api/update_jobs/:id` where `<host>` and `<port>` are the host and port\n *\n * These endpoints are protected using the provided API key.\n * @param params - The parameters for creating the API server application.\n * @returns The created API server application.\n */\nexport function createApiServerApp({\n  basePath = `/api/update_jobs`,\n  authenticate,\n  getJob,\n  getCredentials,\n  handle,\n}: CreateApiServerAppOptions): Hono {\n  // Setup app with base path and middleware\n  const app = new Hono().basePath(basePath);\n\n  // Handle endpoints:\n  // - POST  request to /create_pull_request\n  // - POST  request to /update_pull_request\n  // - POST  request to /close_pull_request\n  // - POST  request to /record_update_job_error\n  // - POST  request to /record_update_job_unknown_error\n  // - PATCH request to /mark_as_processed\n  // - POST  request to /update_dependency_list\n  // - POST  request to /record_ecosystem_versions\n  // - POST  request to /record_ecosystem_meta\n  // - POST  request to /increment_metric\n\n  function operation<T extends ZodType>(type: DependabotRequestType, schema: T, method?: string) {\n    app.on(\n      method || 'post',\n      `/:id/${type}`,\n      zValidator('param', z.object({ id: z.coerce.number() })),\n      async (context, next) => {\n        /**\n         * Do not authenticate in scenarios where the server is not using HTTPS because the\n         * dependabot proxy will not send the job token over HTTP, yet trying to get HTTPS to work\n         * with localhost (self-signed certs) against docker (host.docker.internal) is complicated.\n         */\n        const url = new URL(context.req.url);\n        const isHTTPS = url.protocol === 'https:';\n        if (isHTTPS) {\n          const { id } = context.req.valid('param');\n          const value = context.req.header('Authorization');\n          if (!value) return context.body(null, 401);\n          const valid = await authenticate('job', id, value);\n          if (!valid) return context.body(null, 403);\n        } else {\n          logger.trace(`Skipping authentication because it is not secure ${context.req.url}`);\n        }\n        await next();\n      },\n      zValidator('json', z.object({ data: schema })),\n      async (context) => {\n        const { id } = context.req.valid('param');\n        const { data } = context.req.valid('json') as { data: z.infer<typeof schema> };\n        // biome-ignore lint/suspicious/noExplicitAny: generic\n        const success: boolean = await handle(id, { type, data: data as any });\n        return context.body(null, success ? 204 : 400);\n      },\n    );\n  }\n\n  operation('create_pull_request', DependabotCreatePullRequestSchema);\n  operation('update_pull_request', DependabotUpdatePullRequestSchema);\n  operation('close_pull_request', DependabotClosePullRequestSchema);\n  operation('record_update_job_error', DependabotRecordUpdateJobErrorSchema);\n  operation('record_update_job_unknown_error', DependabotRecordUpdateJobUnknownErrorSchema);\n  operation('mark_as_processed', DependabotMarkAsProcessedSchema, 'patch');\n  operation('update_dependency_list', DependabotUpdateDependencyListSchema);\n  operation('record_ecosystem_versions', DependabotRecordEcosystemVersionsSchema);\n  operation('record_ecosystem_meta', DependabotRecordEcosystemMetaSchema.array());\n  operation('increment_metric', DependabotIncrementMetricSchema);\n  operation('record_metrics', DependabotMetricSchema.array());\n\n  // Handle endpoints:\n  // - GET request to /details\n  // - GET request to /credentials\n  app.on(\n    'get',\n    '/:id/details',\n    zValidator('param', z.object({ id: z.coerce.number() })),\n    async (context, next) => {\n      const { id } = context.req.valid('param');\n      const value = context.req.header('Authorization');\n      if (!value) return context.body(null, 401);\n      const valid = await authenticate('job', id, value);\n      if (!valid) return context.body(null, 403);\n      await next();\n    },\n    async (context) => {\n      const { id } = context.req.valid('param');\n      const job = await getJob(id);\n      if (!job) return context.body(null, 204);\n      return context.json(job);\n    },\n  );\n  app.on(\n    'get',\n    '/:id/credentials',\n    zValidator('param', z.object({ id: z.coerce.number() })),\n    async (context, next) => {\n      const { id } = context.req.valid('param');\n      const value = context.req.header('Authorization');\n      if (!value) return context.body(null, 401);\n      const valid = await authenticate('credentials', id, value);\n      if (!valid) return context.body(null, 403);\n      await next();\n    },\n    async (context) => {\n      const { id } = context.req.valid('param');\n      const credentials = await getCredentials(id);\n      if (!credentials) return context.body(null, 204);\n      return context.json(credentials);\n    },\n  );\n\n  return app;\n}\n"],"mappings":";;;;;;;;AAKA,MAAa,kCAAkC;AAC/C,MAAa,iCAAiC;;;;ACE9C,SAAgB,uBACd,kBACA,kBACA,WACA,qBACA,cACA,YAAoB,KACZ;CAIR,IAAIA;AAEJ,KADiC,uBAAuB,aAAa,SAAS,GAChD;EAG5B,MAAM,mBAAmBC,SACtB,WAAW,MAAM,CACjB,OAAO,aAAa,KAAK,MAAM,GAAG,EAAE,mBAAmB,GAAG,EAAE,wBAAwB,CAAC,KAAK,IAAI,CAAC,CAC/F,OAAO,MAAM,CACb,UAAU,GAAG,GAAG;AACnB,eAAa,GAAG,uBAAuB,QAAQ,GAAG;OAUlD,cAAa,GANW,aACrB,KAAK,MAAM,EAAE,mBAAmB,CAChC,KAAK,QAAQ,CACb,QAAQ,UAAU,IAAI,CACtB,QAAQ,MAAM,GAAG,CAEY,GADV,aAAa,IAAI,UAAU,YAAY,aAAa,KAAK;AAIjF,QAAO,YACL;EACE;EACA;EACA;EAEA,WACI,QAAQ,cAAc,GAAG,CAC1B,QAAQ,OAAO,UAAU;EAC5B;EACD,EACD,UACD;;AAGH,SAAgB,YAAY,UAAkC,WAA2B;AAOvF,QACE,SAEG,QAAQ,MAAM,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,CACvC,KAAK,UAAU,CAEf,QAAQ,0BAA0B,GAAG,CAErC,QAAQ,SAAS,QAAQ,CAEzB,QAAQ,QAAQ,IAAI,CACpB,QAAQ,QAAQ,IAAI,CAEpB,QAAQ,OAAO,GAAG;;;;;ACxEzB,MAAaC,sBAA6C;CACxD,6BAA6B;CAC7B,mCAAmC;CACnC,gBAAgB;CAChB,kBAAkB;CAClB,gCAAgC;CAChC,mCAAmC;CACnC,iCAAiC;CACjC,4BAA4B;CAC5B,gCAAgC;CAChC,oCAAoC;CACpC,yCAAyC;CACzC,wCAAwC;CACxC,mCAAmC;CACnC,wCAAwC;CACxC,8CAA8C;CAC9C,6CAA6C;CAC7C,mCAAmC;CACnC,6CAA6C;CAC7C,2BAA2B;CAC3B,oDAAoD;CACpD,gCAAgC;CACjC;;;;;;AAOD,SAAgB,iBAAiB,KAAiD;AAChF,QAAO,KACH,MAAM,IAAI,CACX,QAAQ,UAAU,MAAM,MAAM,KAAK,GAAG,CACtC,QAAQ,KAAK,QAAQ;EACpB,MAAM,CAAC,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE;AACtC,MAAI,OAAQ,SAAS;AACrB,SAAO;IACN,EAAE,CAA0B;;;;;;;;ACAnC,IAAa,uBAAb,MAAkC;CAChC,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAEjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAEjB,YAAY,EACV,QACA,QACA,QACA,kBACA,mBACA,aACA,aACA,SAWC;AACD,OAAK,SAAS;AACd,OAAK,SAAS;AACd,OAAK,cAAc;AACnB,OAAK,QAAQ;AAEb,OAAK,iBAAiB,oCAAoC,OAAO,qBAAqB;AACtF,OAAK,SAAS,yCAAyC,QAAQ,OAAO;AACtE,OAAK,cAAc,eAAe;GAChC,gBAAgB,OAAO;GACvB;GACA;GACA;GACA,YAAY,OAAO;GACpB,CAAC;;;;;CAMJ,AAAO,oBAAoB,EACzB,IACA,WAI6B;AAC7B,SAAO,iBAAiB;AACxB,SAAO;GACL,OAAO;GACP,KAAK;IACC;IACK;IACT,mBAAmB,KAAK;IACxB,2BAA2B;IAC3B,cAAc;IACd,mBAAmB,CAAC;KAAE,mBAAmB;KAAU,eAAe;KAAO,CAAC;IAC1E,qBAAqB,CAAC,EAAE,mBAAmB,KAAK,CAAC;IACjD,yBAAyB;IACzB,uBAAuB,EAAE;IACzB,QAAQ,KAAK;IACb,0BAA0B;IAC1B,0BAA0B,EAAE;IAC5B,gCAAgC,EAAE;IAClC,aAAa,KAAK;IAClB,gCAAgC;IAChC,iBAAiB;IACjB,0BAA0B;KACxB,QAAQ;KACR,sBAAsB;KACtB,iBAAiB;KAClB;IACD,uBAAuB;IACvB,gBAAgB;IAChB,OAAO,KAAK;IACb;GACD,aAAa,KAAK;GACnB;;;;;CAMH,AAAO,UAAU,EACf,IACA,SACA,yBACA,sBACA,qBACA,2BAQ6B;AAC7B,SAAO,iBAAiB;EACxB,MAAM,qBAAqB,KAAK,OAAO,gCAAgC;EAEvE,IAAIC;EACJ,IAAIC,4BAA2C;EAC/C,IAAIC;EACJ,IAAIC;AAEJ,MAAI,qBAAqB;AACvB,yBAAsB;AACtB,+BAA4B,MAAM,QAAQ,oBAAoB,GAC1D,OACA,oBAAoB;AACxB,4BACE,MAAM,QAAQ,oBAAoB,GAAG,sBAAsB,oBAAoB,eAC9E,KAAK,MAAM,EAAE,mBAAmB;AACnC,qBAAkB,yBAAyB,QAAQ,MAAM,uBAAuB,SAAS,EAAE,QAAQ,KAAK,CAAC;SACpG;AACL,yBAAsB;GACtB,MAAM,QAAQ,yBAAyB,SAAS,0BAA0B;AAC1E,2BACE,sBAAsB,QAClB,OAAO,QAAQ,MAAM,yBAAyB,MAAM,MAAM,EAAE,QAAQ,SAAS,EAAE,CAAC,GAChF;AACN,qBAAkB;;AAGpB,SAAO;GACL,OAAO;GACP,KAAK;IACC;IACK;IACT,mBAAmB,KAAK;IACxB,2BAA2B,uBAAuB;IAClD,+BAA+B;IAC/B,qBAAqB,yCAAyC,KAAK,OAAO,OAAO;IACjF,cAAc;IACd,mBAAmB,iDAAiD,KAAK,OAAO,OAAO,mBAAmB;IAC1G,qBAAqB,mDAAmD,KAAK,OAAO,OAAO;IAC3F,yBAAyB;IACzB,uBAAuB,sBAAsB,gBAAgB;IAC7D,QAAQ,KAAK;IACb,0BAA0B;IAC1B,0BAA0B,qBAAqB,QAAQ,OAAO,MAAM,QAAQ,GAAG,CAAC;IAChF,gCAAgC,qBAAqB,QAClD,OAAwC,CAAC,MAAM,QAAQ,GAAG,CAC5D;IACD,0BAA0B;KACxB,QAAQ,KAAK,OAAO,mBAAmB,UAAU;KACjD,sBAAsB,KAAK,OAAO,oBAAoB,yBAAyB;KAC/E,iBACE,KAAK,OAAO,mBAAmB,SAAS,mBAAmB,EAAE,MAAM,KAAK,UAAU,OAAO;KAC5F;IACD,UAAU,KAAK,OAAO;IACtB,aAAa,eAAe,KAAK,YAAY;IAC7C,wBACE,KAAK,OAAO,qCAAqC,mBAAmB,EAAE,MAAM,KAAK;IACnF,gCAAgC,+CAC9B,KAAK,OAAO,uBACb;IACD,iBAAiB,KAAK,OAAO,2BAA2B;IACxD,uBAAuB,KAAK,OAAO,UAAU;IAC7C,gBAAgB;IAChB,OAAO,KAAK;IACZ,2CAA2C;IAC3C,wBAAwB;IACxB,0BAA0B,KAAK,OAAO,6BAA6B;IAMnE,0BAA0B;IAC3B;GACD,aAAa,KAAK;GACnB;;;AAIL,SAAgB,oCAAoC,WAAuD;AAIzG,SAAQ,WAAR;EACE,KAAK,iBACH,QAAO;EACT,KAAK,aACH,QAAO;EACT,KAAK,iBACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,MACH,QAAO;EAET,KAAK,SACH,QAAO;EACT,KAAK,cACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,KAAK,OACH,QAAO;EACT,KAAK,OACH,QAAO;EACT,QACE,QAAO;;;AAIb,SAAgB,yCACd,QACA,QACkB;AAClB,QAAO;EACL,UAAU,OAAO;EACjB,gBAAgB,OAAO;EACvB,UAAU,OAAO;EACjB,MAAM,OAAO;EACb,QAAQ,OAAO;EACf,QAAQ;EACR,WAAW,OAAO;EAClB,aAAa,OAAO;EACrB;;AAGH,SAAgB,+CAA+C,UAA8C;AAC3G,KAAI,CAAC,SAAU,QAAO;AACtB,SAAQ,UAAR;EACE,KAAK,OACH,QAAO;EACT,KAAK,WACH,QAAO;EACT,KAAK,wBACH,QAAO;EACT,KAAK,gBACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,QACE,OAAM,IAAI,MAAM,uDAAuD,SAAS,GAAG;;;AAIzF,SAAgB,yCACd,kBACsB;AACtB,KAAI,CAAC,oBAAoB,CAAC,OAAO,KAAK,iBAAiB,CAAC,OAAQ,QAAO,EAAE;AACzE,QAAO,OAAO,KAAK,iBAAiB,CACjC,QAAQ,SAAS,iBAAiB,MAAM,CACxC,KAAK,SAAS;EACb,MAAM,QAAQ,iBAAiB;AAC/B,SAAO;GACC;GACN,cAAc,MAAM;GACpB,OAAO;IACL,UAAU,MAAM,UAAU,SAAS,MAAM,WAAW,CAAC,IAAI;IACzD,oBAAoB,MAAM;IAC1B,mBAAmB,MAAM;IACzB,gBAAgB,MAAM;IACvB;GACF;GACD;;AAGN,SAAgB,iDACd,gBACA,oBACqB;AAIrB,KAAI,CAAC,eACH,QAAO,CACL;EACE,mBAAmB;EACnB,eAAe,qBAAqB,aAAa;EAClD,CACF;AAEH,QAAO,eAAe,KAAK,UAAU;AACnC,SAAO;GACL,mBAAmB,MAAM;GACzB,mBAAmB,MAAM;GACzB,eAAe,MAAM;GACtB;GACD;;AAGJ,SAAgB,mDACd,kBACuB;AACvB,KAAI,CAAC,iBAAkB,QAAO,EAAE;AAChC,QAAO,iBAAiB,KAAK,WAAW;AACtC,SAAO;GACL,QAAQ,OAAO;GACf,cAAc,OAAO;GACrB,mBAAmB,OAAO,sBAAsB;GAChD,gBAAgB,OAAO;GAIvB,uBAAuB,MAAM,QAAQ,OAAO,SAAS,GAAc,OAAO,UAAW,KAAK,KAAK,GAAG,OAAO;GAC1G;GACD;;AAGJ,SAAgB,eAAe,aAA4D;AACzF,iBAAgB,EAAE;AAClB,QAAO,OAAO,KAAK,YAAY,CAAC,QAAQ,KAAK,QAAQ;EAGnD,MAAM,QAAQ,YAAY;AAC1B,MAAI,OAAO,UAAU,YAAY,OAAO,mBAAmB,KAAK,OAC9D,KAAI,OAAO;WACF,OAAO,UAAU,YAAY,OAAO,mBAAmB,KAAK,QACrE,KAAI,OAAO;WAEP,OAAO,UAAU,YAAY,OAAO,UAAU,UAAW,KAAI,OAAO;AAE1E,SAAO;IACN,EAAE,CAA0B;;AAGjC,SAAgB,sBAAsB,yBAAiF;AACrH,KAAI,CAAC,wBAAyB,QAAO,EAAE;CAIvC,MAAM,mEAAmD,IAAI,KAAsC;AACnG,MAAK,MAAM,QAAQ,yBAAyB;EAC1C,MAAM,MAAM,GAAG,KAAK,QAAQ,KAAK,GAAG,KAAK,SAAS,YAAY,KAAK,MAAM,GAAG,EAAE,KAAK,GAAG,EAAE,QAAQ,CAAC,KAAK,IAAI;AAC1G,MAAI,CAAC,iDAAiD,IAAI,IAAI,CAC5D,kDAAiD,IAAI,KAAK,EAAE,CAAC;AAE/D,mDAAiD,IAAI,IAAI,CAAE,KAAK,KAAK;;AAEvE,QAAO,MAAM,KAAK,iDAAiD,QAAQ,CAAC,CAAC,KAAK,UAAU;AAC1F,SAAO;GACL,mBAAmB,MAAM,GAAI,QAAQ;GACrC,qBAAqB,MAAM,KAAK,MAAM,EAAE,uBAAuB,CAAC,QAAQ,MAAM,KAAK,EAAE,SAAS,EAAE;GAChG,oBAAoB,MACjB,KAAK,MAAM,EAAE,qBAAqB,WAAW,CAC7C,QAAQ,MAAM,KAAK,EAAE,SAAS,EAAE,CAChC,KAAK,MAAM,EAAG;GACjB,uBAAuB,EAAE;GAC1B;GACD;;AAGJ,SAAgB,eAAe,EAC7B,gBACA,kBACA,mBACA,aACA,cAOyB;CACzB,MAAM,cAAc,EAAE;AAGtB,KAAI,kBACF,aAAY,KAAK;EACf,MAAM;EACN,MAAM;EACN,WAAW,oBAAoB,IAAI,MAAM,EAAE,SAAS,IAAI,mBAAmB;EAC3E,UAAU;EACX,CAAC;AAIJ,KAAI,YACF,aAAY,KAAK;EACf,MAAM;EACN,MAAM;EACN,UAAU;EACV,UAAU;EACX,CAAC;AAEJ,KAAI,WAIF,aAAY,KAAK,GAAG,OAAO,OAAO,WAAW,CAAC;AAGhD,QAAO;;AAGT,SAAgB,kBAA0B;CACxC,MAAM,QAAQ,IAAI,YAAY,EAAE;AAChC,QAAO,gBAAgB,MAAM;AAC7B,QAAO,MAAM,KAAM;;AAGrB,SAAgB,qBAAqB;CACnC,MAAM,QAAQ,IAAI,WAAW,GAAG;AAChC,QAAO,gBAAgB,MAAM;AAC7B,QAAO,MAAM,KAAK,QAAQ,UAAU,OAAO,IAAI,SAAS,GAAG,CAAC,CAAC,KAAK,GAAG;;;;;ACncvE,MAAa,iCAAiC,EAAE,OAAO;CACrD,SAAS,EAAE,QAAQ;CACnB,kBAAkB,EAAE,QAAQ,CAAC,SAAS;CACtC,SAAS,EAAE,SAAS,CAAC,SAAS;CAC9B,WAAW,EAAE,QAAQ;CACrB,MAAM,EAAE,QAAQ;CAChB,WAAW,EAAE,QAAQ;CACrB,cAAc,EAAE,SAAS,CAAC,SAAS;CACnC,gBAAgB,EAAE,QAAQ,CAAC,SAAS;CACpC,MAAM,EAAE,QAAQ,CAAC,SAAS;CAC1B,MAAM,EAAE,QAAQ,CAAC,SAAS;CAC3B,CAAC;AAGF,MAAa,uCAAuC,EAAE,OAAO;CAC3D,cAAc,2BAA2B,OAAO;CAChD,kBAAkB,EAAE,QAAQ,CAAC,OAAO,CAAC,SAAS;CAC/C,CAAC;AAGF,MAAa,oCAAoC,EAAE,OAAO;CACxD,mBAAmB,EAAE,QAAQ;CAC7B,cAAc,2BAA2B,OAAO;CAChD,4BAA4B,+BAA+B,OAAO;CAClE,YAAY,EAAE,QAAQ;CACtB,WAAW,EAAE,QAAQ,CAAC,SAAS;CAC/B,kBAAkB,EAAE,QAAQ;CAC5B,oBAAoB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS;CAC5D,CAAC;AAGF,MAAa,oCAAoC,EAAE,OAAO;CACxD,mBAAmB,EAAE,QAAQ;CAC7B,oBAAoB,EAAE,QAAQ,CAAC,OAAO;CACtC,4BAA4B,+BAA+B,OAAO;CAClE,YAAY,EAAE,QAAQ,CAAC,SAAS;CAChC,WAAW,EAAE,QAAQ,CAAC,SAAS;CAC/B,kBAAkB,EAAE,QAAQ,CAAC,SAAS;CACtC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS;CAC5D,CAAC;AAGF,MAAa,mCAAmC,EAAE,OAAO;CACvD,oBAAoB,EAAE,QAAQ,CAAC,OAAO;CACtC,QAAQ,EAAE,QAAQ,CAAC,SAAS;CAC7B,CAAC;AAGF,MAAa,kCAAkC,EAAE,OAAO,EACtD,mBAAmB,EAAE,QAAQ,CAAC,SAAS,EACxC,CAAC;AAGF,MAAa,uCAAuC,EAAE,OAAO;CAC3D,cAAc,EAAE,QAAQ;CACxB,iBAAiB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS;CACzD,CAAC;AAGF,MAAa,8CAA8C,EAAE,OAAO;CAClE,cAAc,EAAE,QAAQ;CACxB,iBAAiB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS;CACzD,CAAC;AAGF,MAAa,0CAA0C,EAAE,OAAO,EAC9D,oBAAoB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS,EAC5D,CAAC;AAGF,MAAa,0CAA0C,EAAE,OAAO;CAC9D,MAAM,EAAE,QAAQ;CAChB,SAAS,EAAE,QAAQ;CACnB,aAAa,EAAE,QAAQ;CACvB,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS;CACrD,CAAC;AAGF,MAAa,gCAAgC,EAAE,OAAO;CACpD,MAAM,EAAE,QAAQ;CAChB,iBAAiB,wCAAwC,SAAS;CAClE,SAAS,wCAAwC,SAAS;CAC3D,CAAC;AAGF,MAAa,sCAAsC,EAAE,OAAO,EAC1D,WAAW,+BACZ,CAAC;AAGF,MAAa,kCAAkC,EAAE,OAAO;CACtD,QAAQ,EAAE,QAAQ;CAClB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAAC,SAAS;CAC9C,CAAC;AAGF,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,MAAM,EAAE,KAAK;EAAC;EAAa;EAAS;EAAgB;EAAY,CAAC;CACjE,OAAO,EAAE,QAAQ,CAAC,SAAS;CAC3B,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,SAAS;CACpC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,SAAS;CACjD,CAAC;;;;ACxFF,MAAa,8BAA8B,EAAE,KAAK;CAChD;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAGF,MAAa,0BAA0B,EAAE,mBAAmB,QAAQ;CAClE,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,sBAAsB;EAAE,MAAM;EAAmC,CAAC;CAC7F,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,sBAAsB;EAAE,MAAM;EAAmC,CAAC;CAC7F,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,qBAAqB;EAAE,MAAM;EAAkC,CAAC;CAC3F,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,0BAA0B;EAAE,MAAM;EAAsC,CAAC;CACpG,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,kCAAkC;EAAE,MAAM;EAA6C,CAAC;CACnH,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,oBAAoB;EAAE,MAAM;EAAiC,CAAC;CACzF,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,yBAAyB;EAAE,MAAM;EAAsC,CAAC;CACnG,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,4BAA4B;EAAE,MAAM;EAAyC,CAAC;CACzG,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,wBAAwB;EAAE,MAAM,oCAAoC,OAAO;EAAE,CAAC;CACzG,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,mBAAmB;EAAE,MAAM;EAAiC,CAAC;CACxF,EAAE,OAAO;EAAE,MAAM,EAAE,QAAQ,iBAAiB;EAAE,MAAM,uBAAuB,OAAO;EAAE,CAAC;CACtF,CAAC;;;;;;;;;;;;;AAsDF,SAAgB,mBAAmB,EACjC,WAAW,oBACX,cACA,QACA,gBACA,UACkC;CAElC,MAAM,MAAM,IAAI,MAAM,CAAC,SAAS,SAAS;CAczC,SAAS,UAA6B,MAA6B,QAAW,QAAiB;AAC7F,MAAI,GACF,UAAU,QACV,QAAQ,QACR,WAAW,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,QAAQ,EAAE,CAAC,CAAC,EACxD,OAAO,SAAS,SAAS;AAQvB,OAFY,IAAI,IAAI,QAAQ,IAAI,IAAI,CAChB,aAAa,UACpB;IACX,MAAM,EAAE,OAAO,QAAQ,IAAI,MAAM,QAAQ;IACzC,MAAM,QAAQ,QAAQ,IAAI,OAAO,gBAAgB;AACjD,QAAI,CAAC,MAAO,QAAO,QAAQ,KAAK,MAAM,IAAI;AAE1C,QAAI,CADU,MAAM,aAAa,OAAO,IAAI,MAAM,CACtC,QAAO,QAAQ,KAAK,MAAM,IAAI;SAE1C,QAAO,MAAM,oDAAoD,QAAQ,IAAI,MAAM;AAErF,SAAM,MAAM;KAEd,WAAW,QAAQ,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC,CAAC,EAC9C,OAAO,YAAY;GACjB,MAAM,EAAE,OAAO,QAAQ,IAAI,MAAM,QAAQ;GACzC,MAAM,EAAE,SAAS,QAAQ,IAAI,MAAM,OAAO;GAE1C,MAAMC,UAAmB,MAAM,OAAO,IAAI;IAAE;IAAY;IAAa,CAAC;AACtE,UAAO,QAAQ,KAAK,MAAM,UAAU,MAAM,IAAI;IAEjD;;AAGH,WAAU,uBAAuB,kCAAkC;AACnE,WAAU,uBAAuB,kCAAkC;AACnE,WAAU,sBAAsB,iCAAiC;AACjE,WAAU,2BAA2B,qCAAqC;AAC1E,WAAU,mCAAmC,4CAA4C;AACzF,WAAU,qBAAqB,iCAAiC,QAAQ;AACxE,WAAU,0BAA0B,qCAAqC;AACzE,WAAU,6BAA6B,wCAAwC;AAC/E,WAAU,yBAAyB,oCAAoC,OAAO,CAAC;AAC/E,WAAU,oBAAoB,gCAAgC;AAC9D,WAAU,kBAAkB,uBAAuB,OAAO,CAAC;AAK3D,KAAI,GACF,OACA,gBACA,WAAW,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,QAAQ,EAAE,CAAC,CAAC,EACxD,OAAO,SAAS,SAAS;EACvB,MAAM,EAAE,OAAO,QAAQ,IAAI,MAAM,QAAQ;EACzC,MAAM,QAAQ,QAAQ,IAAI,OAAO,gBAAgB;AACjD,MAAI,CAAC,MAAO,QAAO,QAAQ,KAAK,MAAM,IAAI;AAE1C,MAAI,CADU,MAAM,aAAa,OAAO,IAAI,MAAM,CACtC,QAAO,QAAQ,KAAK,MAAM,IAAI;AAC1C,QAAM,MAAM;IAEd,OAAO,YAAY;EACjB,MAAM,EAAE,OAAO,QAAQ,IAAI,MAAM,QAAQ;EACzC,MAAM,MAAM,MAAM,OAAO,GAAG;AAC5B,MAAI,CAAC,IAAK,QAAO,QAAQ,KAAK,MAAM,IAAI;AACxC,SAAO,QAAQ,KAAK,IAAI;GAE3B;AACD,KAAI,GACF,OACA,oBACA,WAAW,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,QAAQ,EAAE,CAAC,CAAC,EACxD,OAAO,SAAS,SAAS;EACvB,MAAM,EAAE,OAAO,QAAQ,IAAI,MAAM,QAAQ;EACzC,MAAM,QAAQ,QAAQ,IAAI,OAAO,gBAAgB;AACjD,MAAI,CAAC,MAAO,QAAO,QAAQ,KAAK,MAAM,IAAI;AAE1C,MAAI,CADU,MAAM,aAAa,eAAe,IAAI,MAAM,CAC9C,QAAO,QAAQ,KAAK,MAAM,IAAI;AAC1C,QAAM,MAAM;IAEd,OAAO,YAAY;EACjB,MAAM,EAAE,OAAO,QAAQ,IAAI,MAAM,QAAQ;EACzC,MAAM,cAAc,MAAM,eAAe,GAAG;AAC5C,MAAI,CAAC,YAAa,QAAO,QAAQ,KAAK,MAAM,IAAI;AAChD,SAAO,QAAQ,KAAK,YAAY;GAEnC;AAED,QAAO"}