@powerhousedao/switchboard 6.2.0-dev.2 → 6.2.0-dev.21

package/Auth.md

@@ -13,19 +13,18 @@ The Powerhouse authentication system is a sophisticated, decentralized identity
 - **Wallet Integration**: Seamless integration with Ethereum wallets and other Web3 providers
 - **Privacy Preservation**: Users can maintain pseudonymous identities while building reputation
 
-### 🎭 **Role-Based Access Control (RBAC)**
+### 🎭 **Access Control**
 
-- **Three-Tier System**: Guests, Users, and Admins with different permission levels
+- **Supreme Admins**: a global admin list (`ADMINS`) whose addresses bypass all permission checks
+- **Per-Document Permissions**: READ / WRITE / ADMIN grants, ownership, and group membership enforced per document
 - **Flexible Configuration**: Easy setup through environment variables or configuration files
-- **Granular Permissions**: Fine-grained control over what each role can access
-- **Dynamic Role Assignment**: Roles can be updated without restarting the system
+- **Runtime Management**: permissions can be granted or revoked at runtime via the GraphQL API
 
 ### 🔒 **Advanced Security Features**
 
 - **Challenge-Response Authentication**: Cryptographic proof of wallet ownership
 - **JWT Token Management**: Secure session handling with automatic expiration
 - **Credential Verification**: Real-time validation against the Renown API
-- **Token Caching**: Performance optimization with secure token storage
 - **Session Management**: Multiple active sessions with individual controls
 
 ### 🌐 **Cross-Platform Compatibility**
@@ -116,24 +115,23 @@ interface VerifiableCredential {
 4. **Renown API Check**: Validate credential still exists and is valid
 5. **User Extraction**: Create user object from verified credentials
 
-### 5. **Role-Based Authorization**
+### 5. **Authorization**
 
-The system implements a three-tier role system with configurable permissions:
+Authentication produces a verified user; authorization is then decided by a global admin list plus per-document permissions:
 
 ```typescript
 interface AuthConfig {
   enabled: boolean;
-  guests: string[]; // Array of wallet addresses
-  users: string[]; // Array of wallet addresses
-  admins: string[]; // Array of wallet addresses
+  admins: string[]; // Wallet addresses with global admin (bypass) access
+  skipCredentialVerification?: boolean; // DANGER (test/dev only): skips the Renown credential re-check, the only binding between a token's claimed address and its signing key — allows identity spoofing. Refused at boot unless VITEST/NODE_ENV=test or ALLOW_INSECURE_SKIP_CREDENTIAL_VERIFICATION=true.
 }
 ```
 
-**Permission Levels:**
+**How access is decided:**
 
-- **Guests**: Read-only access to public data
-- **Users**: Standard access to most endpoints and operations
-- **Admins**: Full access including administrative functions
+- **Supreme Admins**: addresses in `admins` bypass every check
+- **Document Owners**: implicit ADMIN on documents they create
+- **Per-Document Grants**: READ / WRITE / ADMIN granted to users or groups, inherited from protected ancestors
 
 ### 6. **Session Management**
 
@@ -171,9 +169,7 @@ interface Session {
 # Enable authentication
 export AUTH_ENABLED=true
 
-# Configure roles (comma-separated wallet addresses)
-export GUESTS="0x789,0xabc,0xdef"
-export USERS="0x123,0x456,0x789"
+# Configure admin wallet addresses (comma-separated)
 export ADMINS="0x111,0x222,0x333"
 ```
 
@@ -183,8 +179,6 @@ export ADMINS="0x111,0x222,0x333"
 {
   "auth": {
     "enabled": true,
-    "guests": ["0x789", "0xabc", "0xdef"],
-    "users": ["0x123", "0x456", "0x789"],
     "admins": ["0x111", "0x222", "0x333"]
   }
 }
@@ -245,20 +239,35 @@ import { AuthService } from "@powerhousedao/reactor-api";
 
 const authService = new AuthService({
   enabled: true,
-  guests: ["0x789", "0xabc"],
-  users: ["0x123", "0x456"],
   admins: ["0x111", "0x222"],
 });
 
-// Apply to all routes
+// Verify the Bearer token on each request. `verifyBearer` returns either an
+// AuthContext ({ user?, admins, auth_enabled }) or a Response (e.g. 401) when
+// the token is invalid, expired, or revoked.
 app.use(async (req, res, next) => {
-  await authService.authenticate(req, res, next);
+  const result = await authService.verifyBearer(req.headers.authorization);
+
+  if (result instanceof Response) {
+    // Invalid / expired / revoked token — forward the 401.
+    res.status(result.status).json(await result.json());
+    return;
+  }
+
+  if (result.auth_enabled && !result.user) {
+    // Auth is enabled but the request is anonymous.
+    res.status(401).json({ error: "Authentication required" });
+    return;
+  }
+
+  req.auth = result; // stash { user?, admins, auth_enabled } for handlers
+  next();
 });
 
-// Access user info in route handlers
+// Access the authenticated context in route handlers
 app.post("/api/data", (req, res) => {
-  const user = req.user; // Authenticated user object
-  const isAdmin = req.admins.includes(user.address);
+  const { user, admins } = req.auth;
+  const isAdmin = !!user && admins.includes(user.address);
 
   if (isAdmin) {
     // Admin-only operations
@@ -324,12 +333,13 @@ const restrictedToken = await createSession(
 );
 ```
 
-#### Role-Based Route Protection
+#### Admin-Only Route Protection
 
 ```typescript
 // Middleware for admin-only routes
 const requireAdmin = (req, res, next) => {
-  if (!req.admins.includes(req.user.address)) {
+  const { user, admins } = req.auth;
+  if (!user || !admins.includes(user.address)) {
     return res.status(403).json({ error: "Admin access required" });
   }
   next();
@@ -378,27 +388,8 @@ app.post("/admin/users", requireAdmin, (req, res) => {
    - User's wallet address not in allowed roles
    - Check role configuration and user permissions
 
-### Debug Mode
-
-Enable detailed logging for troubleshooting:
-
-```typescript
-// Enable verbose logging
-const authService = new AuthService({
-  enabled: true,
-  debug: true, // Enable debug logging
-  // ... other config
-});
-```
-
 ## Performance Optimization
 
-### Caching Strategies
-
-- **Token Caching**: Frequently used tokens are cached in memory
-- **Credential Validation**: Results are cached to reduce API calls
-- **Session Lookup**: Fast session validation using indexed lookups
-
 ### Scalability Features
 
 - **Stateless Design**: No server-side session storage required

package/CHANGELOG.md

@@ -1,3 +1,158 @@
+## 6.2.0-dev.21 (2026-06-17)
+
+### 🚀 Features
+
+- use shadcn type theming class names ([#2720](https://github.com/powerhouse-inc/powerhouse/pull/2720))
+
+### 🔥 Performance
+
+- **connect:** serve Connect + heavy deps from a prebuilt vendor in dev (opt-in) ([8c530ad4a](https://github.com/powerhouse-inc/powerhouse/commit/8c530ad4a))
+
+### ❤️ Thank You
+
+- acaldas
+- Ryan Wolhuter @ryanwolhuter
+
+## 6.2.0-dev.20 (2026-06-17)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.19 (2026-06-16)
+
+### 🩹 Fixes
+
+- allow UPPER_SNAKE_CASE ([5cd154fb7](https://github.com/powerhouse-inc/powerhouse/commit/5cd154fb7))
+
+### ❤️ Thank You
+
+- Benjamin Jordan
+
+## 6.2.0-dev.18 (2026-06-16)
+
+### 🩹 Fixes
+
+- **switchboard:** load reactor-api vite loader lazily ([05c966791](https://github.com/powerhouse-inc/powerhouse/commit/05c966791))
+
+### ❤️ Thank You
+
+- acaldas
+
+## 6.2.0-dev.17 (2026-06-16)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.16 (2026-06-15)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.15 (2026-06-15)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.14 (2026-06-14)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.13 (2026-06-13)
+
+### 🩹 Fixes
+
+- very simple ttl cache on renown credentials inside the reactor-api, full fix is grpc s2s call and/or shared cache ([dbf3d698c](https://github.com/powerhouse-inc/powerhouse/commit/dbf3d698c))
+
+### ❤️ Thank You
+
+- Benjamin Jordan
+
+## 6.2.0-dev.12 (2026-06-12)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.11 (2026-06-12)
+
+### 🚀 Features
+
+- **connect:** move theme toggle into settings nav ([7622718a7](https://github.com/powerhouse-inc/powerhouse/commit/7622718a7))
+
+### 🩹 Fixes
+
+- build fix because of vite incompatibility ([4dc94747e](https://github.com/powerhouse-inc/powerhouse/commit/4dc94747e))
+- kysely types were getting embedded in type defs and not matching later on because typescript is a broken and terrible language ([b5947709f](https://github.com/powerhouse-inc/powerhouse/commit/b5947709f))
+
+### ❤️ Thank You
+
+- Benjamin Jordan
+- CallmeT-ty @CallmeT-ty
+- Claude Sonnet 4.6
+
+## 6.2.0-dev.10 (2026-06-11)
+
+### 🩹 Fixes
+
+- **connect:** make PH_CONNECT_CONFIG_JSON overrides win over baked runtime-config defaults ([145a3d423](https://github.com/powerhouse-inc/powerhouse/commit/145a3d423))
+
+### ❤️ Thank You
+
+- Guillermo Puente @gpuente
+
+## 6.2.0-dev.9 (2026-06-11)
+
+### 🚀 Features
+
+- **switchboard:** add errors-only sentry mode via env gate ([c29bb21ee](https://github.com/powerhouse-inc/powerhouse/commit/c29bb21ee))
+
+### 🩹 Fixes
+
+- **connect:** stop nginx root-file regex from hijacking /assets at default base path ([f72fe2fe5](https://github.com/powerhouse-inc/powerhouse/commit/f72fe2fe5))
+- **switchboard:** stop tracing background DB polls + align @sentry versions ([c5b307333](https://github.com/powerhouse-inc/powerhouse/commit/c5b307333))
+
+### ❤️ Thank You
+
+- Frank Pfeift
+- Guillermo Puente @gpuente
+
+## 6.2.0-dev.8 (2026-06-11)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.7 (2026-06-11)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.6 (2026-06-10)
+
+### 🚀 Features
+
+- **connect:** runtime-dynamic deploy base for Connect builds ([2f4c6441f](https://github.com/powerhouse-inc/powerhouse/commit/2f4c6441f))
+
+### ❤️ Thank You
+
+- acaldas
+
+## 6.2.0-dev.5 (2026-06-10)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
+## 6.2.0-dev.4 (2026-06-09)
+
+### 🚀 Features
+
+- added a readiness probe to switchboard to fix tests and for best practices ([b8966f5a2](https://github.com/powerhouse-inc/powerhouse/commit/b8966f5a2))
+- added a new audit pass that creates documents and then queries them ([cde281f1e](https://github.com/powerhouse-inc/powerhouse/commit/cde281f1e))
+- more steps -- typecheck fixes and a new load function that loads it into switchboard ([0cf7649b1](https://github.com/powerhouse-inc/powerhouse/commit/0cf7649b1))
+- setting up registry audit tool ([9aa531d0b](https://github.com/powerhouse-inc/powerhouse/commit/9aa531d0b))
+
+### 🩹 Fixes
+
+- needs to hit verdaccio ([f75a67aea](https://github.com/powerhouse-inc/powerhouse/commit/f75a67aea))
+
+### ❤️ Thank You
+
+- Benjamin Jordan
+
+## 6.2.0-dev.3 (2026-06-08)
+
+This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.
+
 ## 6.2.0-dev.2 (2026-06-07)
 
 This was a version bump only for @powerhousedao/switchboard to align it with other projects, there were no code changes.

package/README.md

@@ -211,12 +211,6 @@ services:
 PH_SWITCHBOARD_DATABASE_URL="postgresql://user:pass@db:5432/switchboard"
 PH_SWITCHBOARD_REDIS_URL="redis://redis:6379"
 
-# Authentication
-PH_SWITCHBOARD_AUTH_ENABLED=true
-PH_SWITCHBOARD_ADMINS_LIST="0x123,0x456"
-PH_SWITCHBOARD_USERS_LIST="0x789,0xabc"
-PH_SWITCHBOARD_GUESTS_LIST="0xdef,0xghi"
-
 # Packages
 PH_PACKAGES="package1,package2,package3"
 ```

package/dist/index.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="93967b4b-2ee5-5ba6-9c59-5152ee59080f")}catch(e){}}();
-import { a as parseForcePgVersion, r as startSwitchboard } from "./server-DCeVXVeJ.mjs";
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="5a65c537-fadb-5705-95c0-4cec44d7b4d2")}catch(e){}}();
+import { a as parseForcePgVersion, r as startSwitchboard } from "./server-WpAvDbVc.mjs";
 import "./utils-Baw7rThP.mjs";
 import { metrics } from "@opentelemetry/api";
 import { OTLPTraceExporter } from "@opentelemetry/exporter-trace-otlp-http";
@@ -9,6 +9,7 @@ import { ExpressInstrumentation } from "@opentelemetry/instrumentation-express";
 import { GraphQLInstrumentation } from "@opentelemetry/instrumentation-graphql";
 import { HttpInstrumentation } from "@opentelemetry/instrumentation-http";
 import { PgInstrumentation } from "@opentelemetry/instrumentation-pg";
+import { UndiciInstrumentation } from "@opentelemetry/instrumentation-undici";
 import { resourceFromAttributes } from "@opentelemetry/resources";
 import { NodeSDK } from "@opentelemetry/sdk-node";
 import { BatchSpanProcessor } from "@opentelemetry/sdk-trace-base";
@@ -50,6 +51,7 @@ const TENANT_ID = process.env.TENANT_ID || "default";
 const DEPLOY_ENV = process.env.NODE_ENV || "development";
 const TEMPO_ENDPOINT = process.env.TEMPO_ENDPOINT;
 const SENTRY_DSN = process.env.SENTRY_DSN;
+const SENTRY_TRACING_TO_SENTRY = Boolean(SENTRY_DSN) && process.env.SENTRY_TRACING_ENABLED !== "false";
 const TRACING_REQUESTED = process.env.ENABLE_TRACING === "true" || process.env.NODE_ENV === "production";
 const HAS_TRACE_DESTINATION = Boolean(TEMPO_ENDPOINT) || Boolean(SENTRY_DSN);
 const TRACING_ENABLED = TRACING_REQUESTED && HAS_TRACE_DESTINATION;
@@ -61,7 +63,7 @@ if (SENTRY_DSN) {
 		dsn: SENTRY_DSN,
 		environment: process.env.SENTRY_ENV,
 		release: process.env.SENTRY_RELEASE || (process.env.npm_package_version ? `v${process.env.npm_package_version}` : void 0),
-		tracesSampleRate: SENTRY_TRACES_SAMPLE_RATE,
+		tracesSampleRate: SENTRY_TRACING_TO_SENTRY ? SENTRY_TRACES_SAMPLE_RATE : 0,
 		skipOpenTelemetrySetup: TRACING_ENABLED
 	});
 }
@@ -85,11 +87,11 @@ if (TRACING_ENABLED) {
 	});
 	const spanProcessors = [];
 	if (TEMPO_ENDPOINT) spanProcessors.push(new BatchSpanProcessor(new OTLPTraceExporter({ url: TEMPO_ENDPOINT })));
-	if (SENTRY_DSN) spanProcessors.push(new SentrySpanProcessor());
+	if (SENTRY_TRACING_TO_SENTRY) spanProcessors.push(new SentrySpanProcessor());
 	sdk = new NodeSDK({
 		resource,
 		spanProcessors,
-		textMapPropagator: SENTRY_DSN ? new SentryPropagator() : void 0,
+		textMapPropagator: SENTRY_TRACING_TO_SENTRY ? new SentryPropagator() : void 0,
 		instrumentations: [
 			new HttpInstrumentation({
 				ignoreIncomingRequestHook: (req) => req.url === "/health" || req.url === "/ready",
@@ -105,15 +107,19 @@ if (TRACING_ENABLED) {
 			new ExpressInstrumentation({ requestHook: (span, info) => {
 				if (info.route) span.setAttribute("http.route", info.route);
 			} }),
+			new UndiciInstrumentation(),
 			new GraphQLInstrumentation({
 				mergeItems: true,
 				allowValues: true
 			}),
-			new PgInstrumentation({ enhancedDatabaseReporting: true })
+			new PgInstrumentation({
+				enhancedDatabaseReporting: true,
+				requireParentSpan: true
+			})
 		]
 	});
 	sdk.start();
-	if (SENTRY_DSN && typeof Sentry.validateOpenTelemetrySetup === "function") Sentry.validateOpenTelemetrySetup();
+	if (SENTRY_TRACING_TO_SENTRY && typeof Sentry.validateOpenTelemetrySetup === "function") Sentry.validateOpenTelemetrySetup();
 	logger$1.info("OpenTelemetry tracing initialized");
 }
 async function shutdown() {
@@ -221,4 +227,4 @@ startSwitchboard({
 export {};
 
 //# sourceMappingURL=index.mjs.map
-//# debugId=93967b4b-2ee5-5ba6-9c59-5152ee59080f
+//# debugId=5a65c537-fadb-5705-95c0-4cec44d7b4d2

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","sources":["../src/metrics.ts","../src/observability.mts","../src/config.ts","../src/profiler.ts","../src/index.mts"],"sourcesContent":["import { OTLPMetricExporter } from \"@opentelemetry/exporter-metrics-otlp-http\";\nimport { resourceFromAttributes } from \"@opentelemetry/resources\";\nimport {\n  MeterProvider,\n  PeriodicExportingMetricReader,\n} from \"@opentelemetry/sdk-metrics\";\nimport { childLogger } from \"document-model\";\n\nconst logger = childLogger([\"switchboard\", \"metrics\"]);\n\nexport function createMeterProviderFromEnv(env: {\n  OTEL_EXPORTER_OTLP_ENDPOINT?: string;\n  OTEL_METRIC_EXPORT_INTERVAL?: string;\n  OTEL_SERVICE_NAME?: string;\n}): MeterProvider | undefined {\n  const endpoint = env.OTEL_EXPORTER_OTLP_ENDPOINT;\n  if (!endpoint) return undefined;\n\n  const parsed = parseInt(env.OTEL_METRIC_EXPORT_INTERVAL ?? \"\", 10);\n  const exportIntervalMillis =\n    Number.isFinite(parsed) && parsed > 0 ? parsed : 5_000;\n\n  const base = endpoint.replace(/\\/$/, \"\");\n  const exporterUrl = base.endsWith(\"/v1/metrics\")\n    ? base\n    : `${base}/v1/metrics`;\n\n  logger.info(`Initializing OpenTelemetry metrics exporter at: ${endpoint}`);\n  const meterProvider = new MeterProvider({\n    resource: resourceFromAttributes({\n      \"service.name\": env.OTEL_SERVICE_NAME ?? \"switchboard\",\n    }),\n    readers: [\n      new PeriodicExportingMetricReader({\n        exporter: new OTLPMetricExporter({\n          url: exporterUrl,\n        }),\n        exportIntervalMillis,\n        exportTimeoutMillis: Math.max(exportIntervalMillis - 250, 1),\n      }),\n    ],\n  });\n  logger.info(`Metrics export enabled (interval: ${exportIntervalMillis}ms)`);\n  return meterProvider;\n}\n","// Single observability bootstrap: Sentry + OpenTelemetry (tracing + metrics).\n//\n// MUST be imported as the very first module in apps/switchboard/src/index.mts.\n// OpenTelemetry instrumentations register require-time hooks at module load,\n// so http/express/pg/graphql must not be imported (transitively) before this\n// file runs.\n//\n// Replaces three legacy bootstrap sites:\n// - apps/switchboard/src/server.mts top-level Sentry.init\n// - apps/switchboard/src/metrics.ts standalone MeterProvider (still exported\n//   here via createMeterProviderFromEnv so its tests keep passing)\n// - packages/reactor-api/src/tracing.ts side-effect NodeSDK\nimport { metrics } from \"@opentelemetry/api\";\nimport { OTLPTraceExporter } from \"@opentelemetry/exporter-trace-otlp-http\";\nimport { ExpressInstrumentation } from \"@opentelemetry/instrumentation-express\";\nimport { GraphQLInstrumentation } from \"@opentelemetry/instrumentation-graphql\";\nimport { HttpInstrumentation } from \"@opentelemetry/instrumentation-http\";\nimport { PgInstrumentation } from \"@opentelemetry/instrumentation-pg\";\nimport { resourceFromAttributes } from \"@opentelemetry/resources\";\nimport type { MeterProvider } from \"@opentelemetry/sdk-metrics\";\nimport { NodeSDK } from \"@opentelemetry/sdk-node\";\nimport {\n  BatchSpanProcessor,\n  type SpanProcessor,\n} from \"@opentelemetry/sdk-trace-base\";\nimport {\n  ATTR_SERVICE_NAME,\n  ATTR_SERVICE_VERSION,\n} from \"@opentelemetry/semantic-conventions\";\nimport * as Sentry from \"@sentry/node\";\nimport { SentryPropagator, SentrySpanProcessor } from \"@sentry/opentelemetry\";\nimport { childLogger } from \"document-model\";\nimport type { IncomingMessage } from \"node:http\";\nimport { createMeterProviderFromEnv } from \"./metrics.js\";\n\nconst logger = childLogger([\"switchboard\", \"observability\"]);\n\nconst SERVICE_NAME = process.env.OTEL_SERVICE_NAME || \"switchboard\";\nconst SERVICE_VERSION = process.env.npm_package_version || \"unknown\";\nconst TENANT_ID = process.env.TENANT_ID || \"default\";\nconst DEPLOY_ENV = process.env.NODE_ENV || \"development\";\n\nconst TEMPO_ENDPOINT = process.env.TEMPO_ENDPOINT;\nconst SENTRY_DSN = process.env.SENTRY_DSN;\n\nconst TRACING_REQUESTED =\n  process.env.ENABLE_TRACING === \"true\" ||\n  process.env.NODE_ENV === \"production\";\nconst HAS_TRACE_DESTINATION = Boolean(TEMPO_ENDPOINT) || Boolean(SENTRY_DSN);\nconst TRACING_ENABLED = TRACING_REQUESTED && HAS_TRACE_DESTINATION;\n\nif (TRACING_REQUESTED && !HAS_TRACE_DESTINATION) {\n  logger.warn(\n    \"Tracing was requested (NODE_ENV=production or ENABLE_TRACING=true) but \" +\n      \"no destination is configured — instrumentation will not run. Set \" +\n      \"TEMPO_ENDPOINT (e.g. http://tempo.monitoring.svc.cluster.local:4318/v1/traces) \" +\n      \"to export OTLP spans, and/or SENTRY_DSN to forward spans to Sentry.\",\n  );\n}\n\n// Default 10% APM sampling — Sentry's own production guidance; overridable\n// per-deploy. Only kicks in once tracesSampleRate * (sampler decision) lands.\nconst SENTRY_TRACES_SAMPLE_RATE = parseFloat(\n  process.env.SENTRY_TRACES_SAMPLE_RATE ?? \"0.1\",\n);\n\nif (SENTRY_DSN) {\n  logger.info(\"Initialized Sentry with env: @env\", process.env.SENTRY_ENV);\n  Sentry.init({\n    dsn: SENTRY_DSN,\n    environment: process.env.SENTRY_ENV,\n    // Match the version tag uploaded by release-branch.yml so source maps\n    // resolve. Populated by the CI (WORKSPACE_VERSION) or npm at runtime.\n    release:\n      process.env.SENTRY_RELEASE ||\n      (process.env.npm_package_version\n        ? `v${process.env.npm_package_version}`\n        : undefined),\n    tracesSampleRate: SENTRY_TRACES_SAMPLE_RATE,\n    // When tracing is on, our NodeSDK below owns the OTel globals and Sentry\n    // receives spans via SentrySpanProcessor. Skipping Sentry's bundled OTel\n    // setup avoids two TracerProviders fighting over setGlobalTracerProvider.\n    // When tracing is off, leave the flag unset so @sentry/node's default\n    // auto-OTel still records HTTP transactions for the APM dashboard.\n    skipOpenTelemetrySetup: TRACING_ENABLED,\n  });\n}\n\nconst meterProvider: MeterProvider | undefined = createMeterProviderFromEnv({\n  OTEL_EXPORTER_OTLP_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_ENDPOINT,\n  OTEL_METRIC_EXPORT_INTERVAL: process.env.OTEL_METRIC_EXPORT_INTERVAL,\n  OTEL_SERVICE_NAME: process.env.OTEL_SERVICE_NAME,\n});\nif (meterProvider) {\n  // One-way door: must register before any code calls metrics.getMeter() —\n  // most notably ReactorInstrumentation inside the reactor module.\n  metrics.setGlobalMeterProvider(meterProvider);\n}\n\nlet sdk: NodeSDK | undefined;\n\nif (TRACING_ENABLED) {\n  logger.info(`Initializing OpenTelemetry tracing for ${SERVICE_NAME}`);\n  if (TEMPO_ENDPOINT) logger.info(`  Tempo endpoint: ${TEMPO_ENDPOINT}`);\n  if (SENTRY_DSN) logger.info(`  Sentry span forwarding: enabled`);\n  logger.info(`  Tenant: ${TENANT_ID}`);\n\n  const resource = resourceFromAttributes({\n    [ATTR_SERVICE_NAME]: SERVICE_NAME,\n    [ATTR_SERVICE_VERSION]: SERVICE_VERSION,\n    \"tenant.id\": TENANT_ID,\n    \"deployment.environment\": DEPLOY_ENV,\n  });\n\n  const spanProcessors: SpanProcessor[] = [];\n  if (TEMPO_ENDPOINT) {\n    spanProcessors.push(\n      new BatchSpanProcessor(new OTLPTraceExporter({ url: TEMPO_ENDPOINT })),\n    );\n  }\n  if (SENTRY_DSN) {\n    // Fan the same OTel spans into Sentry — same trace IDs as Tempo, so\n    // Sentry transactions cross-link to traces in Grafana.\n    spanProcessors.push(new SentrySpanProcessor());\n  }\n\n  sdk = new NodeSDK({\n    resource,\n    spanProcessors,\n    textMapPropagator: SENTRY_DSN ? new SentryPropagator() : undefined,\n    instrumentations: [\n      new HttpInstrumentation({\n        ignoreIncomingRequestHook: (req) =>\n          req.url === \"/health\" || req.url === \"/ready\",\n        requireParentforIncomingSpans: false,\n        requireParentforOutgoingSpans: false,\n        requestHook: (span, request) => {\n          span.setAttribute(\n            \"http.route\",\n            (request as IncomingMessage).url || \"\",\n          );\n        },\n        responseHook: (span, response) => {\n          if (response.statusCode) {\n            span.setAttribute(\"http.status_code\", response.statusCode);\n          }\n        },\n      }),\n      new ExpressInstrumentation({\n        requestHook: (span, info) => {\n          if (info.route) span.setAttribute(\"http.route\", info.route);\n        },\n      }),\n      new GraphQLInstrumentation({ mergeItems: true, allowValues: true }),\n      new PgInstrumentation({ enhancedDatabaseReporting: true }),\n    ],\n  });\n  sdk.start();\n  if (SENTRY_DSN && typeof Sentry.validateOpenTelemetrySetup === \"function\") {\n    Sentry.validateOpenTelemetrySetup();\n  }\n  logger.info(\"OpenTelemetry tracing initialized\");\n}\n\nasync function shutdown() {\n  await Promise.race([\n    Promise.all([\n      meterProvider?.shutdown().catch(() => undefined),\n      sdk?.shutdown().catch(() => undefined),\n    ]),\n    new Promise<void>((resolve) => setTimeout(resolve, 5_000)),\n  ]);\n}\n\nprocess.on(\"SIGINT\", () => {\n  void shutdown().finally(() => process.exit(0));\n});\nprocess.on(\"SIGTERM\", () => {\n  void shutdown().finally(() => process.exit(0));\n});\n\nexport { meterProvider, sdk };\n","import dotenv from \"dotenv\";\ndotenv.config();\n\nimport { getConfig } from \"@powerhousedao/config/node\";\nimport { parseForcePgVersion } from \"./pglite-version.js\";\nimport type {\n  SwitchboardDriveDocumentType,\n  SwitchboardDriveInput,\n} from \"./types.js\";\nconst phConfig = getConfig();\nconst { switchboard } = phConfig;\ninterface Config {\n  database: {\n    url: string;\n  };\n  port: number;\n  mcp: boolean;\n  migratePglite: boolean;\n  forcePgVersion: 16 | 17 | null;\n  drive: SwitchboardDriveInput;\n}\n\nfunction parseDriveType(\n  raw: string | undefined,\n): SwitchboardDriveDocumentType | undefined {\n  if (!raw) return undefined;\n  if (raw === \"powerhouse/document-drive\" || raw === \"powerhouse/reactor-drive\")\n    return raw;\n  throw new Error(\n    `Invalid PH_DEFAULT_DRIVE_TYPE: ${raw}. Expected \"powerhouse/document-drive\" or \"powerhouse/reactor-drive\".`,\n  );\n}\n\nexport const config: Config = {\n  database: {\n    // url: process.env.PH_SWITCHBOARD_DATABASE_URL ?? switchboard?.database?.url ?? \"dev.db\",\n    url:\n      process.env.PH_SWITCHBOARD_DATABASE_URL ??\n      switchboard?.database?.url ??\n      \"dev.db\",\n  },\n  port:\n    process.env.PH_SWITCHBOARD_PORT &&\n    !isNaN(Number(process.env.PH_SWITCHBOARD_PORT))\n      ? Number(process.env.PH_SWITCHBOARD_PORT)\n      : (switchboard?.port ?? 4001),\n  mcp: true,\n  migratePglite: process.env.PH_MIGRATE_PGLITE === \"true\",\n  forcePgVersion: parseForcePgVersion(process.env.PH_FORCE_PG_VERSION),\n  drive: {\n    id: \"powerhouse\",\n    slug: \"powerhouse\",\n    documentType: parseDriveType(process.env.PH_DEFAULT_DRIVE_TYPE),\n    global: {\n      name: \"Powerhouse\",\n      icon: \"https://ipfs.io/ipfs/QmcaTDBYn8X2psGaXe7iQ6qd8q6oqHLgxvMX9yXf7f9uP7\",\n    },\n    local: {\n      availableOffline: true,\n      listeners: [],\n      sharingType: \"public\",\n      triggers: [],\n    },\n  },\n};\n","import type { PyroscopeConfig } from \"@pyroscope/nodejs\";\n\nexport async function initProfilerFromEnv(env: typeof process.env) {\n  const {\n    PYROSCOPE_SERVER_ADDRESS: serverAddress,\n    PYROSCOPE_APPLICATION_NAME: appName,\n    PYROSCOPE_USER: basicAuthUser,\n    PYROSCOPE_PASSWORD: basicAuthPassword,\n    PYROSCOPE_WALL_ENABLED: wallEnabled,\n    PYROSCOPE_HEAP_ENABLED: heapEnabled,\n  } = env;\n\n  const options: PyroscopeConfig = {\n    serverAddress,\n    appName,\n    basicAuthUser,\n    basicAuthPassword,\n    // Wall profiling captures wall-clock time (includes async I/O waits)\n    // This shows GraphQL resolvers even when waiting for database\n    wall: {\n      samplingDurationMs: 10000, // 10 second sampling windows\n      samplingIntervalMicros: 10000, // 10ms sampling interval (100 samples/sec)\n      collectCpuTime: true, // Also collect CPU time alongside wall time\n    },\n    // Heap profiling for memory allocation tracking\n    heap: {\n      samplingIntervalBytes: 512 * 1024, // Sample every 512KB allocated\n      stackDepth: 64, // Capture deeper stacks for better context\n    },\n  };\n  return initProfiler(options, {\n    wallEnabled: wallEnabled !== \"false\",\n    heapEnabled: heapEnabled === \"true\",\n  });\n}\n\ninterface ProfilerFlags {\n  wallEnabled?: boolean;\n  heapEnabled?: boolean;\n}\n\nexport async function initProfiler(\n  options?: PyroscopeConfig,\n  flags: ProfilerFlags = { wallEnabled: true, heapEnabled: false },\n) {\n  console.log(\"Initializing Pyroscope profiler at:\", options?.serverAddress);\n  console.log(\"  Wall profiling:\", flags.wallEnabled ? \"enabled\" : \"disabled\");\n  console.log(\"  Heap profiling:\", flags.heapEnabled ? \"enabled\" : \"disabled\");\n\n  const { default: Pyroscope } = await import(\"@pyroscope/nodejs\");\n  Pyroscope.init(options);\n\n  // Start wall profiling (captures async I/O time - shows resolvers)\n  if (flags.wallEnabled) {\n    Pyroscope.startWallProfiling();\n  }\n\n  // Start CPU profiling (captures CPU-bound work)\n  Pyroscope.startCpuProfiling();\n\n  // Optionally start heap profiling (memory allocations)\n  if (flags.heapEnabled) {\n    Pyroscope.startHeapProfiling();\n  }\n}\n","#!/usr/bin/env node\n// Observability MUST load before any module that imports http/express/pg/graphql\n// so OpenTelemetry's require-time hooks can patch them. It also owns Sentry\n// init and the SIGINT/SIGTERM flush.\nimport \"./observability.mjs\";\n\nimport * as Sentry from \"@sentry/node\";\nimport { childLogger } from \"document-model\";\nimport { config } from \"./config.js\";\nimport { initProfilerFromEnv } from \"./profiler.js\";\nimport { startSwitchboard } from \"./server.mjs\";\n\nconst logger = childLogger([\"switchboard\"]);\n\nfunction ensureNodeVersion(minVersion = \"24\") {\n  const version = process.versions.node;\n  if (!version) {\n    return;\n  }\n\n  if (version < minVersion) {\n    console.error(\n      `Node version ${minVersion} or higher is required. Current version: ${version}`,\n    );\n    process.exit(1);\n  }\n}\n// Ensure minimum Node.js version\nensureNodeVersion(\"24\");\n\n// Each subgraph registers its own SIGINT/SIGTERM listeners, and the count\n// scales with dynamically-loaded document models beyond the default cap of 10.\nprocess.setMaxListeners(0);\n\nif (process.env.PYROSCOPE_SERVER_ADDRESS) {\n  try {\n    await initProfilerFromEnv(process.env);\n  } catch (e) {\n    Sentry.captureException(e);\n    logger.error(\"Error starting profiler: @error\", e);\n  }\n}\n\nconst cliMigratePglite = process.argv.slice(2).includes(\"--migrate-pglite\");\n\nstartSwitchboard({\n  ...config,\n  migratePglite: cliMigratePglite || config.migratePglite,\n  forcePgVersion: config.forcePgVersion ?? undefined,\n}).catch(console.error);\n"],"names":["logger","logger"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAQA,MAAMA,WAAS,YAAY,CAAC,eAAe,UAAU,CAAC;AAEtD,SAAgB,2BAA2B,KAIb;CAC5B,MAAM,WAAW,IAAI;AACrB,KAAI,CAAC,SAAU,QAAO,KAAA;CAEtB,MAAM,SAAS,SAAS,IAAI,+BAA+B,IAAI,GAAG;CAClE,MAAM,uBACJ,OAAO,SAAS,OAAO,IAAI,SAAS,IAAI,SAAS;CAEnD,MAAM,OAAO,SAAS,QAAQ,OAAO,GAAG;CACxC,MAAM,cAAc,KAAK,SAAS,cAAc,GAC5C,OACA,GAAG,KAAK;AAEZ,UAAO,KAAK,mDAAmD,WAAW;CAC1E,MAAM,gBAAgB,IAAI,cAAc;EACtC,UAAU,uBAAuB,EAC/B,gBAAgB,IAAI,qBAAqB,eAC1C,CAAC;EACF,SAAS,CACP,IAAI,8BAA8B;GAChC,UAAU,IAAI,mBAAmB,EAC/B,KAAK,aACN,CAAC;GACF;GACA,qBAAqB,KAAK,IAAI,uBAAuB,KAAK,EAAE;GAC7D,CAAC,CACH;EACF,CAAC;AACF,UAAO,KAAK,qCAAqC,qBAAqB,KAAK;AAC3E,QAAO;;;;ACRT,MAAMC,WAAS,YAAY,CAAC,eAAe,gBAAgB,CAAC;AAE5D,MAAM,eAAe,QAAQ,IAAI,qBAAqB;AACtD,MAAM,kBAAkB,QAAQ,IAAI,uBAAuB;AAC3D,MAAM,YAAY,QAAQ,IAAI,aAAa;AAC3C,MAAM,aAAa,QAAQ,IAAI,YAAY;AAE3C,MAAM,iBAAiB,QAAQ,IAAI;AACnC,MAAM,aAAa,QAAQ,IAAI;AAE/B,MAAM,oBACJ,QAAQ,IAAI,mBAAmB,UAC/B,QAAQ,IAAI,aAAa;AAC3B,MAAM,wBAAwB,QAAQ,eAAe,IAAI,QAAQ,WAAW;AAC5E,MAAM,kBAAkB,qBAAqB;AAE7C,IAAI,qBAAqB,CAAC,sBACxB,UAAO,KACL,6RAID;AAKH,MAAM,4BAA4B,WAChC,QAAQ,IAAI,6BAA6B,MAC1C;AAED,IAAI,YAAY;AACd,UAAO,KAAK,qCAAqC,QAAQ,IAAI,WAAW;AACxE,QAAO,KAAK;EACV,KAAK;EACL,aAAa,QAAQ,IAAI;EAGzB,SACE,QAAQ,IAAI,mBACX,QAAQ,IAAI,sBACT,IAAI,QAAQ,IAAI,wBAChB,KAAA;EACN,kBAAkB;EAMlB,wBAAwB;EACzB,CAAC;;AAGJ,MAAM,gBAA2C,2BAA2B;CAC1E,6BAA6B,QAAQ,IAAI;CACzC,6BAA6B,QAAQ,IAAI;CACzC,mBAAmB,QAAQ,IAAI;CAChC,CAAC;AACF,IAAI,cAGF,SAAQ,uBAAuB,cAAc;AAG/C,IAAI;AAEJ,IAAI,iBAAiB;AACnB,UAAO,KAAK,0CAA0C,eAAe;AACrE,KAAI,eAAgB,UAAO,KAAK,qBAAqB,iBAAiB;AACtE,KAAI,WAAY,UAAO,KAAK,oCAAoC;AAChE,UAAO,KAAK,aAAa,YAAY;CAErC,MAAM,WAAW,uBAAuB;GACrC,oBAAoB;GACpB,uBAAuB;EACxB,aAAa;EACb,0BAA0B;EAC3B,CAAC;CAEF,MAAM,iBAAkC,EAAE;AAC1C,KAAI,eACF,gBAAe,KACb,IAAI,mBAAmB,IAAI,kBAAkB,EAAE,KAAK,gBAAgB,CAAC,CAAC,CACvE;AAEH,KAAI,WAGF,gBAAe,KAAK,IAAI,qBAAqB,CAAC;AAGhD,OAAM,IAAI,QAAQ;EAChB;EACA;EACA,mBAAmB,aAAa,IAAI,kBAAkB,GAAG,KAAA;EACzD,kBAAkB;GAChB,IAAI,oBAAoB;IACtB,4BAA4B,QAC1B,IAAI,QAAQ,aAAa,IAAI,QAAQ;IACvC,+BAA+B;IAC/B,+BAA+B;IAC/B,cAAc,MAAM,YAAY;AAC9B,UAAK,aACH,cACC,QAA4B,OAAO,GACrC;;IAEH,eAAe,MAAM,aAAa;AAChC,SAAI,SAAS,WACX,MAAK,aAAa,oBAAoB,SAAS,WAAW;;IAG/D,CAAC;GACF,IAAI,uBAAuB,EACzB,cAAc,MAAM,SAAS;AAC3B,QAAI,KAAK,MAAO,MAAK,aAAa,cAAc,KAAK,MAAM;MAE9D,CAAC;GACF,IAAI,uBAAuB;IAAE,YAAY;IAAM,aAAa;IAAM,CAAC;GACnE,IAAI,kBAAkB,EAAE,2BAA2B,MAAM,CAAC;GAC3D;EACF,CAAC;AACF,KAAI,OAAO;AACX,KAAI,cAAc,OAAO,OAAO,+BAA+B,WAC7D,QAAO,4BAA4B;AAErC,UAAO,KAAK,oCAAoC;;AAGlD,eAAe,WAAW;AACxB,OAAM,QAAQ,KAAK,CACjB,QAAQ,IAAI,CACV,eAAe,UAAU,CAAC,YAAY,KAAA,EAAU,EAChD,KAAK,UAAU,CAAC,YAAY,KAAA,EAAU,CACvC,CAAC,EACF,IAAI,SAAe,YAAY,WAAW,SAAS,IAAM,CAAC,CAC3D,CAAC;;AAGJ,QAAQ,GAAG,gBAAgB;AACpB,WAAU,CAAC,cAAc,QAAQ,KAAK,EAAE,CAAC;EAC9C;AACF,QAAQ,GAAG,iBAAiB;AACrB,WAAU,CAAC,cAAc,QAAQ,KAAK,EAAE,CAAC;EAC9C;;;AClLF,OAAO,QAAQ;AASf,MAAM,EAAE,gBADS,WAAW;AAa5B,SAAS,eACP,KAC0C;AAC1C,KAAI,CAAC,IAAK,QAAO,KAAA;AACjB,KAAI,QAAQ,+BAA+B,QAAQ,2BACjD,QAAO;AACT,OAAM,IAAI,MACR,kCAAkC,IAAI,uEACvC;;AAGH,MAAa,SAAiB;CAC5B,UAAU,EAER,KACE,QAAQ,IAAI,+BACZ,aAAa,UAAU,OACvB,UACH;CACD,MACE,QAAQ,IAAI,uBACZ,CAAC,MAAM,OAAO,QAAQ,IAAI,oBAAoB,CAAC,GAC3C,OAAO,QAAQ,IAAI,oBAAoB,GACtC,aAAa,QAAQ;CAC5B,KAAK;CACL,eAAe,QAAQ,IAAI,sBAAsB;CACjD,gBAAgB,oBAAoB,QAAQ,IAAI,oBAAoB;CACpE,OAAO;EACL,IAAI;EACJ,MAAM;EACN,cAAc,eAAe,QAAQ,IAAI,sBAAsB;EAC/D,QAAQ;GACN,MAAM;GACN,MAAM;GACP;EACD,OAAO;GACL,kBAAkB;GAClB,WAAW,EAAE;GACb,aAAa;GACb,UAAU,EAAE;GACb;EACF;CACF;;;AC9DD,eAAsB,oBAAoB,KAAyB;CACjE,MAAM,EACJ,0BAA0B,eAC1B,4BAA4B,SAC5B,gBAAgB,eAChB,oBAAoB,mBACpB,wBAAwB,aACxB,wBAAwB,gBACtB;AAoBJ,QAAO,aAlB0B;EAC/B;EACA;EACA;EACA;EAGA,MAAM;GACJ,oBAAoB;GACpB,wBAAwB;GACxB,gBAAgB;GACjB;EAED,MAAM;GACJ,uBAAuB,MAAM;GAC7B,YAAY;GACb;EACF,EAC4B;EAC3B,aAAa,gBAAgB;EAC7B,aAAa,gBAAgB;EAC9B,CAAC;;AAQJ,eAAsB,aACpB,SACA,QAAuB;CAAE,aAAa;CAAM,aAAa;CAAO,EAChE;AACA,SAAQ,IAAI,uCAAuC,SAAS,cAAc;AAC1E,SAAQ,IAAI,qBAAqB,MAAM,cAAc,YAAY,WAAW;AAC5E,SAAQ,IAAI,qBAAqB,MAAM,cAAc,YAAY,WAAW;CAE5E,MAAM,EAAE,SAAS,cAAc,MAAM,OAAO;AAC5C,WAAU,KAAK,QAAQ;AAGvB,KAAI,MAAM,YACR,WAAU,oBAAoB;AAIhC,WAAU,mBAAmB;AAG7B,KAAI,MAAM,YACR,WAAU,oBAAoB;;;;AClDlC,MAAM,SAAS,YAAY,CAAC,cAAc,CAAC;AAE3C,SAAS,kBAAkB,aAAa,MAAM;CAC5C,MAAM,UAAU,QAAQ,SAAS;AACjC,KAAI,CAAC,QACH;AAGF,KAAI,UAAU,YAAY;AACxB,UAAQ,MACN,gBAAgB,WAAW,2CAA2C,UACvE;AACD,UAAQ,KAAK,EAAE;;;AAInB,kBAAkB,KAAK;AAIvB,QAAQ,gBAAgB,EAAE;AAE1B,IAAI,QAAQ,IAAI,yBACd,KAAI;AACF,OAAM,oBAAoB,QAAQ,IAAI;SAC/B,GAAG;AACV,QAAO,iBAAiB,EAAE;AAC1B,QAAO,MAAM,mCAAmC,EAAE;;AAItD,MAAM,mBAAmB,QAAQ,KAAK,MAAM,EAAE,CAAC,SAAS,mBAAmB;AAE3E,iBAAiB;CACf,GAAG;CACH,eAAe,oBAAoB,OAAO;CAC1C,gBAAgB,OAAO,kBAAkB,KAAA;CAC1C,CAAC,CAAC,MAAM,QAAQ,MAAM","debug_id":"93967b4b-2ee5-5ba6-9c59-5152ee59080f"}
+{"version":3,"file":"index.mjs","sources":["../src/metrics.ts","../src/observability.mts","../src/config.ts","../src/profiler.ts","../src/index.mts"],"sourcesContent":["import { OTLPMetricExporter } from \"@opentelemetry/exporter-metrics-otlp-http\";\nimport { resourceFromAttributes } from \"@opentelemetry/resources\";\nimport {\n  MeterProvider,\n  PeriodicExportingMetricReader,\n} from \"@opentelemetry/sdk-metrics\";\nimport { childLogger } from \"document-model\";\n\nconst logger = childLogger([\"switchboard\", \"metrics\"]);\n\nexport function createMeterProviderFromEnv(env: {\n  OTEL_EXPORTER_OTLP_ENDPOINT?: string;\n  OTEL_METRIC_EXPORT_INTERVAL?: string;\n  OTEL_SERVICE_NAME?: string;\n}): MeterProvider | undefined {\n  const endpoint = env.OTEL_EXPORTER_OTLP_ENDPOINT;\n  if (!endpoint) return undefined;\n\n  const parsed = parseInt(env.OTEL_METRIC_EXPORT_INTERVAL ?? \"\", 10);\n  const exportIntervalMillis =\n    Number.isFinite(parsed) && parsed > 0 ? parsed : 5_000;\n\n  const base = endpoint.replace(/\\/$/, \"\");\n  const exporterUrl = base.endsWith(\"/v1/metrics\")\n    ? base\n    : `${base}/v1/metrics`;\n\n  logger.info(`Initializing OpenTelemetry metrics exporter at: ${endpoint}`);\n  const meterProvider = new MeterProvider({\n    resource: resourceFromAttributes({\n      \"service.name\": env.OTEL_SERVICE_NAME ?? \"switchboard\",\n    }),\n    readers: [\n      new PeriodicExportingMetricReader({\n        exporter: new OTLPMetricExporter({\n          url: exporterUrl,\n        }),\n        exportIntervalMillis,\n        exportTimeoutMillis: Math.max(exportIntervalMillis - 250, 1),\n      }),\n    ],\n  });\n  logger.info(`Metrics export enabled (interval: ${exportIntervalMillis}ms)`);\n  return meterProvider;\n}\n","// Single observability bootstrap: Sentry + OpenTelemetry (tracing + metrics).\n//\n// MUST be imported as the very first module in apps/switchboard/src/index.mts.\n// OpenTelemetry instrumentations register require-time hooks at module load,\n// so http/express/pg/graphql must not be imported (transitively) before this\n// file runs.\n//\n// Replaces three legacy bootstrap sites:\n// - apps/switchboard/src/server.mts top-level Sentry.init\n// - apps/switchboard/src/metrics.ts standalone MeterProvider (still exported\n//   here via createMeterProviderFromEnv so its tests keep passing)\n// - packages/reactor-api/src/tracing.ts side-effect NodeSDK\nimport { metrics } from \"@opentelemetry/api\";\nimport { OTLPTraceExporter } from \"@opentelemetry/exporter-trace-otlp-http\";\nimport { ExpressInstrumentation } from \"@opentelemetry/instrumentation-express\";\nimport { GraphQLInstrumentation } from \"@opentelemetry/instrumentation-graphql\";\nimport { HttpInstrumentation } from \"@opentelemetry/instrumentation-http\";\nimport { PgInstrumentation } from \"@opentelemetry/instrumentation-pg\";\nimport { UndiciInstrumentation } from \"@opentelemetry/instrumentation-undici\";\nimport { resourceFromAttributes } from \"@opentelemetry/resources\";\nimport type { MeterProvider } from \"@opentelemetry/sdk-metrics\";\nimport { NodeSDK } from \"@opentelemetry/sdk-node\";\nimport {\n  BatchSpanProcessor,\n  type SpanProcessor,\n} from \"@opentelemetry/sdk-trace-base\";\nimport {\n  ATTR_SERVICE_NAME,\n  ATTR_SERVICE_VERSION,\n} from \"@opentelemetry/semantic-conventions\";\nimport * as Sentry from \"@sentry/node\";\nimport { SentryPropagator, SentrySpanProcessor } from \"@sentry/opentelemetry\";\nimport { childLogger } from \"document-model\";\nimport type { IncomingMessage } from \"node:http\";\nimport { createMeterProviderFromEnv } from \"./metrics.js\";\n\nconst logger = childLogger([\"switchboard\", \"observability\"]);\n\nconst SERVICE_NAME = process.env.OTEL_SERVICE_NAME || \"switchboard\";\nconst SERVICE_VERSION = process.env.npm_package_version || \"unknown\";\nconst TENANT_ID = process.env.TENANT_ID || \"default\";\nconst DEPLOY_ENV = process.env.NODE_ENV || \"development\";\n\nconst TEMPO_ENDPOINT = process.env.TEMPO_ENDPOINT;\nconst SENTRY_DSN = process.env.SENTRY_DSN;\n\n// Whether to forward TRANSACTIONS (spans) to Sentry. Errors are always sent\n// when SENTRY_DSN is set — this flag only gates APM/tracing into Sentry.\n// Default on (back-compat). Set SENTRY_TRACING_ENABLED=false for an\n// \"errors-only\" deployment: errors still go to Sentry, traces still go to\n// Tempo, but no transactions hit Sentry (no Kafka/ClickHouse/nodestore\n// cost). This is the recommended mode for tenant workloads at scale —\n// Sentry's value there is error grouping; traces live in Tempo.\nconst SENTRY_TRACING_TO_SENTRY =\n  Boolean(SENTRY_DSN) && process.env.SENTRY_TRACING_ENABLED !== \"false\";\n\nconst TRACING_REQUESTED =\n  process.env.ENABLE_TRACING === \"true\" ||\n  process.env.NODE_ENV === \"production\";\nconst HAS_TRACE_DESTINATION = Boolean(TEMPO_ENDPOINT) || Boolean(SENTRY_DSN);\nconst TRACING_ENABLED = TRACING_REQUESTED && HAS_TRACE_DESTINATION;\n\nif (TRACING_REQUESTED && !HAS_TRACE_DESTINATION) {\n  logger.warn(\n    \"Tracing was requested (NODE_ENV=production or ENABLE_TRACING=true) but \" +\n      \"no destination is configured — instrumentation will not run. Set \" +\n      \"TEMPO_ENDPOINT (e.g. http://tempo.monitoring.svc.cluster.local:4318/v1/traces) \" +\n      \"to export OTLP spans, and/or SENTRY_DSN to forward spans to Sentry.\",\n  );\n}\n\n// APM sampling for the Sentry-SDK-managed path (i.e. when TRACING is OFF and\n// @sentry/node runs its own bundled OTel — see skipOpenTelemetrySetup below).\n//\n// IMPORTANT: when TRACING_ENABLED, this value does NOT govern span volume.\n// Our NodeSDK (below) owns the pipeline and is constructed with no explicit\n// `sampler`, so @opentelemetry/sdk-node falls back to buildSamplerFromEnv()\n// and the REAL head-sampling knob is the standard OTEL_TRACES_SAMPLER /\n// OTEL_TRACES_SAMPLER_ARG env (set per-deploy in the k8s chart). That head\n// decision gates spans before any processor runs, so it bounds BOTH the\n// SentrySpanProcessor (→ Sentry transactions) and the Tempo OTLP export.\n// (Wiring @sentry/opentelemetry's SentrySampler here would let this rate\n// drive both backends and make DSC/sample_rand propagation spec-correct, but\n// that only matters for Sentry server-side dynamic sampling — a SaaS feature\n// our self-hosted install doesn't run — so it's intentionally deferred.)\nconst SENTRY_TRACES_SAMPLE_RATE = parseFloat(\n  process.env.SENTRY_TRACES_SAMPLE_RATE ?? \"0.1\",\n);\n\nif (SENTRY_DSN) {\n  logger.info(\"Initialized Sentry with env: @env\", process.env.SENTRY_ENV);\n  Sentry.init({\n    dsn: SENTRY_DSN,\n    environment: process.env.SENTRY_ENV,\n    // Match the version tag uploaded by release-branch.yml so source maps\n    // resolve. Populated by the CI (WORKSPACE_VERSION) or npm at runtime.\n    release:\n      process.env.SENTRY_RELEASE ||\n      (process.env.npm_package_version\n        ? `v${process.env.npm_package_version}`\n        : undefined),\n    // 0 in errors-only mode so even @sentry/node's bundled auto-OTel path\n    // (used when TRACING_ENABLED is false) produces no transactions.\n    tracesSampleRate: SENTRY_TRACING_TO_SENTRY ? SENTRY_TRACES_SAMPLE_RATE : 0,\n    // When tracing is on, our NodeSDK below owns the OTel globals and Sentry\n    // receives spans via SentrySpanProcessor. Skipping Sentry's bundled OTel\n    // setup avoids two TracerProviders fighting over setGlobalTracerProvider.\n    // When tracing is off, leave the flag unset so @sentry/node's default\n    // auto-OTel still records HTTP transactions for the APM dashboard.\n    skipOpenTelemetrySetup: TRACING_ENABLED,\n  });\n}\n\nconst meterProvider: MeterProvider | undefined = createMeterProviderFromEnv({\n  OTEL_EXPORTER_OTLP_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_ENDPOINT,\n  OTEL_METRIC_EXPORT_INTERVAL: process.env.OTEL_METRIC_EXPORT_INTERVAL,\n  OTEL_SERVICE_NAME: process.env.OTEL_SERVICE_NAME,\n});\nif (meterProvider) {\n  // One-way door: must register before any code calls metrics.getMeter() —\n  // most notably ReactorInstrumentation inside the reactor module.\n  metrics.setGlobalMeterProvider(meterProvider);\n}\n\nlet sdk: NodeSDK | undefined;\n\nif (TRACING_ENABLED) {\n  logger.info(`Initializing OpenTelemetry tracing for ${SERVICE_NAME}`);\n  if (TEMPO_ENDPOINT) logger.info(`  Tempo endpoint: ${TEMPO_ENDPOINT}`);\n  if (SENTRY_DSN) logger.info(`  Sentry span forwarding: enabled`);\n  logger.info(`  Tenant: ${TENANT_ID}`);\n\n  const resource = resourceFromAttributes({\n    [ATTR_SERVICE_NAME]: SERVICE_NAME,\n    [ATTR_SERVICE_VERSION]: SERVICE_VERSION,\n    \"tenant.id\": TENANT_ID,\n    \"deployment.environment\": DEPLOY_ENV,\n  });\n\n  const spanProcessors: SpanProcessor[] = [];\n  if (TEMPO_ENDPOINT) {\n    spanProcessors.push(\n      new BatchSpanProcessor(new OTLPTraceExporter({ url: TEMPO_ENDPOINT })),\n    );\n  }\n  if (SENTRY_TRACING_TO_SENTRY) {\n    // Fan the same OTel spans into Sentry — same trace IDs as Tempo, so\n    // Sentry transactions cross-link to traces in Grafana. Skipped in\n    // errors-only mode (SENTRY_TRACING_ENABLED=false): spans still flow to\n    // Tempo via the BatchSpanProcessor above, just not to Sentry.\n    spanProcessors.push(new SentrySpanProcessor());\n  }\n\n  sdk = new NodeSDK({\n    resource,\n    spanProcessors,\n    textMapPropagator: SENTRY_TRACING_TO_SENTRY\n      ? new SentryPropagator()\n      : undefined,\n    instrumentations: [\n      new HttpInstrumentation({\n        ignoreIncomingRequestHook: (req) =>\n          req.url === \"/health\" || req.url === \"/ready\",\n        requireParentforIncomingSpans: false,\n        requireParentforOutgoingSpans: false,\n        requestHook: (span, request) => {\n          span.setAttribute(\n            \"http.route\",\n            (request as IncomingMessage).url || \"\",\n          );\n        },\n        responseHook: (span, response) => {\n          if (response.statusCode) {\n            span.setAttribute(\"http.status_code\", response.statusCode);\n          }\n        },\n      }),\n      new ExpressInstrumentation({\n        requestHook: (span, info) => {\n          if (info.route) span.setAttribute(\"http.route\", info.route);\n        },\n      }),\n      // HttpInstrumentation only patches node:http/https; outbound global\n      // fetch() goes through undici and is otherwise untraced — e.g. the\n      // per-request Renown credential check in AuthService.verifyCredentialExists.\n      new UndiciInstrumentation(),\n      new GraphQLInstrumentation({ mergeItems: true, allowValues: true }),\n      // requireParentSpan: only trace DB queries that run inside a request\n      // (HTTP/GraphQL) span. Parentless queries — the management\n      // switchboard's background polling loops (vetra-cloud-observability\n      // reconcile @60s + clint pull-worker @15s, each writing\n      // environment_pods / clint_runtime_endpoints) — would otherwise each\n      // become a standalone root transaction. That volume scales O(tenant\n      // count) and was ~70% of all Sentry transactions before this change.\n      // Dropping it at the instrumentation layer (no span created at all) is\n      // cheaper and cleaner than sampling it away downstream.\n      new PgInstrumentation({\n        enhancedDatabaseReporting: true,\n        requireParentSpan: true,\n      }),\n    ],\n  });\n  sdk.start();\n  if (\n    SENTRY_TRACING_TO_SENTRY &&\n    typeof Sentry.validateOpenTelemetrySetup === \"function\"\n  ) {\n    Sentry.validateOpenTelemetrySetup();\n  }\n  logger.info(\"OpenTelemetry tracing initialized\");\n}\n\nasync function shutdown() {\n  await Promise.race([\n    Promise.all([\n      meterProvider?.shutdown().catch(() => undefined),\n      sdk?.shutdown().catch(() => undefined),\n    ]),\n    new Promise<void>((resolve) => setTimeout(resolve, 5_000)),\n  ]);\n}\n\nprocess.on(\"SIGINT\", () => {\n  void shutdown().finally(() => process.exit(0));\n});\nprocess.on(\"SIGTERM\", () => {\n  void shutdown().finally(() => process.exit(0));\n});\n\nexport { meterProvider, sdk };\n","import dotenv from \"dotenv\";\ndotenv.config();\n\nimport { getConfig } from \"@powerhousedao/config/node\";\nimport { parseForcePgVersion } from \"./pglite-version.js\";\nimport type {\n  SwitchboardDriveDocumentType,\n  SwitchboardDriveInput,\n} from \"./types.js\";\nconst phConfig = getConfig();\nconst { switchboard } = phConfig;\ninterface Config {\n  database: {\n    url: string;\n  };\n  port: number;\n  mcp: boolean;\n  migratePglite: boolean;\n  forcePgVersion: 16 | 17 | null;\n  drive: SwitchboardDriveInput;\n}\n\nfunction parseDriveType(\n  raw: string | undefined,\n): SwitchboardDriveDocumentType | undefined {\n  if (!raw) return undefined;\n  if (raw === \"powerhouse/document-drive\" || raw === \"powerhouse/reactor-drive\")\n    return raw;\n  throw new Error(\n    `Invalid PH_DEFAULT_DRIVE_TYPE: ${raw}. Expected \"powerhouse/document-drive\" or \"powerhouse/reactor-drive\".`,\n  );\n}\n\nexport const config: Config = {\n  database: {\n    // url: process.env.PH_SWITCHBOARD_DATABASE_URL ?? switchboard?.database?.url ?? \"dev.db\",\n    url:\n      process.env.PH_SWITCHBOARD_DATABASE_URL ??\n      switchboard?.database?.url ??\n      \"dev.db\",\n  },\n  port:\n    process.env.PH_SWITCHBOARD_PORT &&\n    !isNaN(Number(process.env.PH_SWITCHBOARD_PORT))\n      ? Number(process.env.PH_SWITCHBOARD_PORT)\n      : (switchboard?.port ?? 4001),\n  mcp: true,\n  migratePglite: process.env.PH_MIGRATE_PGLITE === \"true\",\n  forcePgVersion: parseForcePgVersion(process.env.PH_FORCE_PG_VERSION),\n  drive: {\n    id: \"powerhouse\",\n    slug: \"powerhouse\",\n    documentType: parseDriveType(process.env.PH_DEFAULT_DRIVE_TYPE),\n    global: {\n      name: \"Powerhouse\",\n      icon: \"https://ipfs.io/ipfs/QmcaTDBYn8X2psGaXe7iQ6qd8q6oqHLgxvMX9yXf7f9uP7\",\n    },\n    local: {\n      availableOffline: true,\n      listeners: [],\n      sharingType: \"public\",\n      triggers: [],\n    },\n  },\n};\n","import type { PyroscopeConfig } from \"@pyroscope/nodejs\";\n\nexport async function initProfilerFromEnv(env: typeof process.env) {\n  const {\n    PYROSCOPE_SERVER_ADDRESS: serverAddress,\n    PYROSCOPE_APPLICATION_NAME: appName,\n    PYROSCOPE_USER: basicAuthUser,\n    PYROSCOPE_PASSWORD: basicAuthPassword,\n    PYROSCOPE_WALL_ENABLED: wallEnabled,\n    PYROSCOPE_HEAP_ENABLED: heapEnabled,\n  } = env;\n\n  const options: PyroscopeConfig = {\n    serverAddress,\n    appName,\n    basicAuthUser,\n    basicAuthPassword,\n    // Wall profiling captures wall-clock time (includes async I/O waits)\n    // This shows GraphQL resolvers even when waiting for database\n    wall: {\n      samplingDurationMs: 10000, // 10 second sampling windows\n      samplingIntervalMicros: 10000, // 10ms sampling interval (100 samples/sec)\n      collectCpuTime: true, // Also collect CPU time alongside wall time\n    },\n    // Heap profiling for memory allocation tracking\n    heap: {\n      samplingIntervalBytes: 512 * 1024, // Sample every 512KB allocated\n      stackDepth: 64, // Capture deeper stacks for better context\n    },\n  };\n  return initProfiler(options, {\n    wallEnabled: wallEnabled !== \"false\",\n    heapEnabled: heapEnabled === \"true\",\n  });\n}\n\ninterface ProfilerFlags {\n  wallEnabled?: boolean;\n  heapEnabled?: boolean;\n}\n\nexport async function initProfiler(\n  options?: PyroscopeConfig,\n  flags: ProfilerFlags = { wallEnabled: true, heapEnabled: false },\n) {\n  console.log(\"Initializing Pyroscope profiler at:\", options?.serverAddress);\n  console.log(\"  Wall profiling:\", flags.wallEnabled ? \"enabled\" : \"disabled\");\n  console.log(\"  Heap profiling:\", flags.heapEnabled ? \"enabled\" : \"disabled\");\n\n  const { default: Pyroscope } = await import(\"@pyroscope/nodejs\");\n  Pyroscope.init(options);\n\n  // Start wall profiling (captures async I/O time - shows resolvers)\n  if (flags.wallEnabled) {\n    Pyroscope.startWallProfiling();\n  }\n\n  // Start CPU profiling (captures CPU-bound work)\n  Pyroscope.startCpuProfiling();\n\n  // Optionally start heap profiling (memory allocations)\n  if (flags.heapEnabled) {\n    Pyroscope.startHeapProfiling();\n  }\n}\n","#!/usr/bin/env node\n// Observability MUST load before any module that imports http/express/pg/graphql\n// so OpenTelemetry's require-time hooks can patch them. It also owns Sentry\n// init and the SIGINT/SIGTERM flush.\nimport \"./observability.mjs\";\n\nimport * as Sentry from \"@sentry/node\";\nimport { childLogger } from \"document-model\";\nimport { config } from \"./config.js\";\nimport { initProfilerFromEnv } from \"./profiler.js\";\nimport { startSwitchboard } from \"./server.mjs\";\n\nconst logger = childLogger([\"switchboard\"]);\n\nfunction ensureNodeVersion(minVersion = \"24\") {\n  const version = process.versions.node;\n  if (!version) {\n    return;\n  }\n\n  if (version < minVersion) {\n    console.error(\n      `Node version ${minVersion} or higher is required. Current version: ${version}`,\n    );\n    process.exit(1);\n  }\n}\n// Ensure minimum Node.js version\nensureNodeVersion(\"24\");\n\n// Each subgraph registers its own SIGINT/SIGTERM listeners, and the count\n// scales with dynamically-loaded document models beyond the default cap of 10.\nprocess.setMaxListeners(0);\n\nif (process.env.PYROSCOPE_SERVER_ADDRESS) {\n  try {\n    await initProfilerFromEnv(process.env);\n  } catch (e) {\n    Sentry.captureException(e);\n    logger.error(\"Error starting profiler: @error\", e);\n  }\n}\n\nconst cliMigratePglite = process.argv.slice(2).includes(\"--migrate-pglite\");\n\nstartSwitchboard({\n  ...config,\n  migratePglite: cliMigratePglite || config.migratePglite,\n  forcePgVersion: config.forcePgVersion ?? undefined,\n}).catch(console.error);\n"],"names":["logger","logger"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAQA,MAAMA,WAAS,YAAY,CAAC,eAAe,UAAU,CAAC;AAEtD,SAAgB,2BAA2B,KAIb;CAC5B,MAAM,WAAW,IAAI;AACrB,KAAI,CAAC,SAAU,QAAO,KAAA;CAEtB,MAAM,SAAS,SAAS,IAAI,+BAA+B,IAAI,GAAG;CAClE,MAAM,uBACJ,OAAO,SAAS,OAAO,IAAI,SAAS,IAAI,SAAS;CAEnD,MAAM,OAAO,SAAS,QAAQ,OAAO,GAAG;CACxC,MAAM,cAAc,KAAK,SAAS,cAAc,GAC5C,OACA,GAAG,KAAK;AAEZ,UAAO,KAAK,mDAAmD,WAAW;CAC1E,MAAM,gBAAgB,IAAI,cAAc;EACtC,UAAU,uBAAuB,EAC/B,gBAAgB,IAAI,qBAAqB,eAC1C,CAAC;EACF,SAAS,CACP,IAAI,8BAA8B;GAChC,UAAU,IAAI,mBAAmB,EAC/B,KAAK,aACN,CAAC;GACF;GACA,qBAAqB,KAAK,IAAI,uBAAuB,KAAK,EAAE;GAC7D,CAAC,CACH;EACF,CAAC;AACF,UAAO,KAAK,qCAAqC,qBAAqB,KAAK;AAC3E,QAAO;;;;ACPT,MAAMC,WAAS,YAAY,CAAC,eAAe,gBAAgB,CAAC;AAE5D,MAAM,eAAe,QAAQ,IAAI,qBAAqB;AACtD,MAAM,kBAAkB,QAAQ,IAAI,uBAAuB;AAC3D,MAAM,YAAY,QAAQ,IAAI,aAAa;AAC3C,MAAM,aAAa,QAAQ,IAAI,YAAY;AAE3C,MAAM,iBAAiB,QAAQ,IAAI;AACnC,MAAM,aAAa,QAAQ,IAAI;AAS/B,MAAM,2BACJ,QAAQ,WAAW,IAAI,QAAQ,IAAI,2BAA2B;AAEhE,MAAM,oBACJ,QAAQ,IAAI,mBAAmB,UAC/B,QAAQ,IAAI,aAAa;AAC3B,MAAM,wBAAwB,QAAQ,eAAe,IAAI,QAAQ,WAAW;AAC5E,MAAM,kBAAkB,qBAAqB;AAE7C,IAAI,qBAAqB,CAAC,sBACxB,UAAO,KACL,6RAID;AAiBH,MAAM,4BAA4B,WAChC,QAAQ,IAAI,6BAA6B,MAC1C;AAED,IAAI,YAAY;AACd,UAAO,KAAK,qCAAqC,QAAQ,IAAI,WAAW;AACxE,QAAO,KAAK;EACV,KAAK;EACL,aAAa,QAAQ,IAAI;EAGzB,SACE,QAAQ,IAAI,mBACX,QAAQ,IAAI,sBACT,IAAI,QAAQ,IAAI,wBAChB,KAAA;EAGN,kBAAkB,2BAA2B,4BAA4B;EAMzE,wBAAwB;EACzB,CAAC;;AAGJ,MAAM,gBAA2C,2BAA2B;CAC1E,6BAA6B,QAAQ,IAAI;CACzC,6BAA6B,QAAQ,IAAI;CACzC,mBAAmB,QAAQ,IAAI;CAChC,CAAC;AACF,IAAI,cAGF,SAAQ,uBAAuB,cAAc;AAG/C,IAAI;AAEJ,IAAI,iBAAiB;AACnB,UAAO,KAAK,0CAA0C,eAAe;AACrE,KAAI,eAAgB,UAAO,KAAK,qBAAqB,iBAAiB;AACtE,KAAI,WAAY,UAAO,KAAK,oCAAoC;AAChE,UAAO,KAAK,aAAa,YAAY;CAErC,MAAM,WAAW,uBAAuB;GACrC,oBAAoB;GACpB,uBAAuB;EACxB,aAAa;EACb,0BAA0B;EAC3B,CAAC;CAEF,MAAM,iBAAkC,EAAE;AAC1C,KAAI,eACF,gBAAe,KACb,IAAI,mBAAmB,IAAI,kBAAkB,EAAE,KAAK,gBAAgB,CAAC,CAAC,CACvE;AAEH,KAAI,yBAKF,gBAAe,KAAK,IAAI,qBAAqB,CAAC;AAGhD,OAAM,IAAI,QAAQ;EAChB;EACA;EACA,mBAAmB,2BACf,IAAI,kBAAkB,GACtB,KAAA;EACJ,kBAAkB;GAChB,IAAI,oBAAoB;IACtB,4BAA4B,QAC1B,IAAI,QAAQ,aAAa,IAAI,QAAQ;IACvC,+BAA+B;IAC/B,+BAA+B;IAC/B,cAAc,MAAM,YAAY;AAC9B,UAAK,aACH,cACC,QAA4B,OAAO,GACrC;;IAEH,eAAe,MAAM,aAAa;AAChC,SAAI,SAAS,WACX,MAAK,aAAa,oBAAoB,SAAS,WAAW;;IAG/D,CAAC;GACF,IAAI,uBAAuB,EACzB,cAAc,MAAM,SAAS;AAC3B,QAAI,KAAK,MAAO,MAAK,aAAa,cAAc,KAAK,MAAM;MAE9D,CAAC;GAIF,IAAI,uBAAuB;GAC3B,IAAI,uBAAuB;IAAE,YAAY;IAAM,aAAa;IAAM,CAAC;GAUnE,IAAI,kBAAkB;IACpB,2BAA2B;IAC3B,mBAAmB;IACpB,CAAC;GACH;EACF,CAAC;AACF,KAAI,OAAO;AACX,KACE,4BACA,OAAO,OAAO,+BAA+B,WAE7C,QAAO,4BAA4B;AAErC,UAAO,KAAK,oCAAoC;;AAGlD,eAAe,WAAW;AACxB,OAAM,QAAQ,KAAK,CACjB,QAAQ,IAAI,CACV,eAAe,UAAU,CAAC,YAAY,KAAA,EAAU,EAChD,KAAK,UAAU,CAAC,YAAY,KAAA,EAAU,CACvC,CAAC,EACF,IAAI,SAAe,YAAY,WAAW,SAAS,IAAM,CAAC,CAC3D,CAAC;;AAGJ,QAAQ,GAAG,gBAAgB;AACpB,WAAU,CAAC,cAAc,QAAQ,KAAK,EAAE,CAAC;EAC9C;AACF,QAAQ,GAAG,iBAAiB;AACrB,WAAU,CAAC,cAAc,QAAQ,KAAK,EAAE,CAAC;EAC9C;;;AClOF,OAAO,QAAQ;AASf,MAAM,EAAE,gBADS,WAAW;AAa5B,SAAS,eACP,KAC0C;AAC1C,KAAI,CAAC,IAAK,QAAO,KAAA;AACjB,KAAI,QAAQ,+BAA+B,QAAQ,2BACjD,QAAO;AACT,OAAM,IAAI,MACR,kCAAkC,IAAI,uEACvC;;AAGH,MAAa,SAAiB;CAC5B,UAAU,EAER,KACE,QAAQ,IAAI,+BACZ,aAAa,UAAU,OACvB,UACH;CACD,MACE,QAAQ,IAAI,uBACZ,CAAC,MAAM,OAAO,QAAQ,IAAI,oBAAoB,CAAC,GAC3C,OAAO,QAAQ,IAAI,oBAAoB,GACtC,aAAa,QAAQ;CAC5B,KAAK;CACL,eAAe,QAAQ,IAAI,sBAAsB;CACjD,gBAAgB,oBAAoB,QAAQ,IAAI,oBAAoB;CACpE,OAAO;EACL,IAAI;EACJ,MAAM;EACN,cAAc,eAAe,QAAQ,IAAI,sBAAsB;EAC/D,QAAQ;GACN,MAAM;GACN,MAAM;GACP;EACD,OAAO;GACL,kBAAkB;GAClB,WAAW,EAAE;GACb,aAAa;GACb,UAAU,EAAE;GACb;EACF;CACF;;;AC9DD,eAAsB,oBAAoB,KAAyB;CACjE,MAAM,EACJ,0BAA0B,eAC1B,4BAA4B,SAC5B,gBAAgB,eAChB,oBAAoB,mBACpB,wBAAwB,aACxB,wBAAwB,gBACtB;AAoBJ,QAAO,aAlB0B;EAC/B;EACA;EACA;EACA;EAGA,MAAM;GACJ,oBAAoB;GACpB,wBAAwB;GACxB,gBAAgB;GACjB;EAED,MAAM;GACJ,uBAAuB,MAAM;GAC7B,YAAY;GACb;EACF,EAC4B;EAC3B,aAAa,gBAAgB;EAC7B,aAAa,gBAAgB;EAC9B,CAAC;;AAQJ,eAAsB,aACpB,SACA,QAAuB;CAAE,aAAa;CAAM,aAAa;CAAO,EAChE;AACA,SAAQ,IAAI,uCAAuC,SAAS,cAAc;AAC1E,SAAQ,IAAI,qBAAqB,MAAM,cAAc,YAAY,WAAW;AAC5E,SAAQ,IAAI,qBAAqB,MAAM,cAAc,YAAY,WAAW;CAE5E,MAAM,EAAE,SAAS,cAAc,MAAM,OAAO;AAC5C,WAAU,KAAK,QAAQ;AAGvB,KAAI,MAAM,YACR,WAAU,oBAAoB;AAIhC,WAAU,mBAAmB;AAG7B,KAAI,MAAM,YACR,WAAU,oBAAoB;;;;AClDlC,MAAM,SAAS,YAAY,CAAC,cAAc,CAAC;AAE3C,SAAS,kBAAkB,aAAa,MAAM;CAC5C,MAAM,UAAU,QAAQ,SAAS;AACjC,KAAI,CAAC,QACH;AAGF,KAAI,UAAU,YAAY;AACxB,UAAQ,MACN,gBAAgB,WAAW,2CAA2C,UACvE;AACD,UAAQ,KAAK,EAAE;;;AAInB,kBAAkB,KAAK;AAIvB,QAAQ,gBAAgB,EAAE;AAE1B,IAAI,QAAQ,IAAI,yBACd,KAAI;AACF,OAAM,oBAAoB,QAAQ,IAAI;SAC/B,GAAG;AACV,QAAO,iBAAiB,EAAE;AAC1B,QAAO,MAAM,mCAAmC,EAAE;;AAItD,MAAM,mBAAmB,QAAQ,KAAK,MAAM,EAAE,CAAC,SAAS,mBAAmB;AAE3E,iBAAiB;CACf,GAAG;CACH,eAAe,oBAAoB,OAAO;CAC1C,gBAAgB,OAAO,kBAAkB,KAAA;CAC1C,CAAC,CAAC,MAAM,QAAQ,MAAM","debug_id":"5a65c537-fadb-5705-95c0-4cec44d7b4d2"}