@rubytech/create-realagent 1.0.621 → 1.0.623

package/payload/platform/plugins/cloudflare/mcp/dist/lib/setup-orchestrator.js

@@ -0,0 +1,550 @@
+/**
+ * Cloudflare tunnel setup — deterministic orchestrator.
+ *
+ * Task 547: the tunnel setup flow (login → create → enable → verify) has a
+ * deterministic shape. Every branch is driven by a structured signal —
+ * either `tunnel-status`'s `unhealthyReason` enum, or the operator's
+ * literal input (domain name, subdomain names, "done"). Before Task 547
+ * the flow was driven by the LLM reading SKILL.md prose and picking the
+ * next `tunnel-*` tool; that allowed a dozen+ recurrences where the LLM
+ * forked, dispatched Playwright to the Cloudflare dashboard, or fabricated
+ * a `cp cert.pem` workaround. None of those deviations are reachable here
+ * because the LLM no longer chooses — this module does.
+ *
+ * Contract:
+ *   - `runOrchestrator(input)` is the single entry point. One call advances
+ *     one deterministic step. The LLM's only job is to pass the operator's
+ *     literal input through (domain, "done", etc.) and relay the structured
+ *     result verbatim.
+ *   - Every transition emits a `[cloudflare:setup-run:phase-transition]` log
+ *     line. Every internal sub-tool call emits
+ *     `[cloudflare:setup-run:subtool-call]`. Every terminal state emits
+ *     `[cloudflare:setup-run:terminal]`. These give a single grep path
+ *     (`[cloudflare:setup-run:`) to the full transition chain post-hoc.
+ *   - State is persisted at `~/{configDir}/cloudflared/setup.state.json`
+ *     alongside `tunnel.state` and `login.state`. On corruption or absence
+ *     the orchestrator reconciles from live `tunnel-status` + operator
+ *     input (no "state file not found" crash).
+ *   - The tool-surface gate in `platform/ui/app/lib/tool-surface-filter.ts`
+ *     reads this state file every turn and removes the raw `tunnel-*`,
+ *     Playwright, Bash, Write, Edit tools from the LLM's menu whenever
+ *     `phase !== 'idle' && phase !== 'healthy'`. No LLM regression can
+ *     re-enter the loop because the tools that enabled it are literally
+ *     absent from the menu.
+ */
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync, } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import * as cloudflared from "./cloudflared.js";
+import { deviceUrlBlock } from "../../../../../lib/device-url/dist/index.js";
+import { hostname as osHostname } from "node:os";
+function initialState() {
+    return {
+        phase: "idle",
+        domain: null,
+        adminSubdomain: null,
+        publicSubdomain: null,
+        tunnelId: null,
+        phaseEnteredAt: new Date().toISOString(),
+        unhealthyReason: null,
+    };
+}
+// ---------------------------------------------------------------------------
+// State file I/O
+// ---------------------------------------------------------------------------
+/**
+ * The orchestrator state file path. Consumers OUTSIDE this module (e.g. the
+ * tool-surface filter in `platform/ui/app/lib/tool-surface-filter.ts`) also
+ * need this path to read the phase. Exported so the two sides cannot drift.
+ *
+ * Brand-aware via loadBrand(); falls back to `.maxy` when PLATFORM_ROOT is
+ * unset. The fallback matters only for the tool-surface filter running
+ * outside the cloudflare MCP server's process — the MCP server always has
+ * PLATFORM_ROOT set by the claude-agent spawn.
+ */
+export function setupStatePath(configDirOverride) {
+    const configDir = configDirOverride ?? (() => {
+        try {
+            return cloudflared.loadBrand().configDir;
+        }
+        catch {
+            return ".maxy";
+        }
+    })();
+    return join(homedir(), configDir, "cloudflared", "setup.state.json");
+}
+function readState() {
+    const path = setupStatePath();
+    if (!existsSync(path))
+        return initialState();
+    try {
+        const parsed = JSON.parse(readFileSync(path, "utf-8"));
+        // Loose validation — if the file is malformed, treat as idle and rely
+        // on `tunnel-status` reconciliation to map back to the right phase.
+        // A "state file not found" crash would be a silent failure mode the
+        // operator cannot recover from; mapping to idle is loud-failure (log)
+        // but non-fatal.
+        if (typeof parsed?.phase !== "string") {
+            console.error(`[cloudflare:setup-run:state-malformed] path=${path} — resetting to idle`);
+            return initialState();
+        }
+        return {
+            phase: parsed.phase,
+            domain: parsed.domain ?? null,
+            adminSubdomain: parsed.adminSubdomain ?? null,
+            publicSubdomain: parsed.publicSubdomain ?? null,
+            tunnelId: parsed.tunnelId ?? null,
+            phaseEnteredAt: parsed.phaseEnteredAt ?? new Date().toISOString(),
+            unhealthyReason: parsed.unhealthyReason ?? null,
+        };
+    }
+    catch (err) {
+        console.error(`[cloudflare:setup-run:state-read-error] path=${path} err=${err instanceof Error ? err.message : String(err)}`);
+        return initialState();
+    }
+}
+function writeState(state) {
+    const path = setupStatePath();
+    mkdirSync(join(homedir(), cloudflared.loadBrand().configDir, "cloudflared"), { recursive: true });
+    writeFileSync(path, JSON.stringify(state, null, 2), { mode: 0o600 });
+}
+function deleteState() {
+    const path = setupStatePath();
+    try {
+        unlinkSync(path);
+    }
+    catch (err) {
+        const code = err.code;
+        if (code !== "ENOENT") {
+            console.error(`[cloudflare:setup-run:state-delete-error] path=${path} err=${err}`);
+        }
+    }
+}
+function transition(state, next, reason) {
+    if (state.phase !== next) {
+        console.error(`[cloudflare:setup-run:phase-transition] from=${state.phase} to=${next} reason=${reason}`);
+    }
+    const updated = {
+        ...state,
+        phase: next,
+        phaseEnteredAt: new Date().toISOString(),
+    };
+    writeState(updated);
+    return updated;
+}
+// ---------------------------------------------------------------------------
+// Read-only status
+//
+// Exposed so the tool-surface filter (outside this MCP server) can read
+// orchestrator phase without advancing it, and so the companion
+// `cloudflare-setup-status` tool can surface it to the admin agent.
+// ---------------------------------------------------------------------------
+export function readOrchestratorState() {
+    return readState();
+}
+/**
+ * Whether the tool-surface filter should treat this device as "setup in
+ * progress". Matches the gate condition named in the task file: the filter
+ * lifts whenever phase is idle or terminal (healthy / unhealthy).
+ */
+export function isSetupActive(state) {
+    return state.phase !== "idle" && state.phase !== "healthy" && state.phase !== "unhealthy";
+}
+function subtoolLog(name, phase) {
+    console.error(`[cloudflare:setup-run:subtool-call] subtool=${name} phase=${phase}`);
+}
+function terminalLog(outcome, reason) {
+    console.error(`[cloudflare:setup-run:terminal] outcome=${outcome} reason=${reason}`);
+}
+function operatorInputLog(phase, repr) {
+    console.error(`[cloudflare:setup-run:operator-input] phase=${phase} input=${repr}`);
+}
+// ---------------------------------------------------------------------------
+// Subdomain validation
+//
+// The operator types subdomain labels directly. Reject anything that would
+// break `cloudflared tunnel route dns` before shelling out. Labels: letters,
+// digits, hyphens; 1-63 chars; no leading/trailing hyphen.
+// ---------------------------------------------------------------------------
+const SUBDOMAIN_PATTERN = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
+function validateSubdomain(label, name) {
+    if (label.length === 0)
+        return `${name} is empty`;
+    if (label.includes("."))
+        return `${name} must be a single label (got "${label}"). Use just the prefix, e.g. "admin" — not "admin.example.com".`;
+    if (!SUBDOMAIN_PATTERN.test(label))
+        return `${name} "${label}" has invalid characters. Use letters, digits, and hyphens only.`;
+    return null;
+}
+// ---------------------------------------------------------------------------
+// Card builder — the `maxy-device-url` block wrapped in intent prose
+// ---------------------------------------------------------------------------
+function signInCard(authUrl, accountHint) {
+    const block = deviceUrlBlock({
+        url: authUrl,
+        intent: "Sign in to Cloudflare",
+        hostname: osHostname(),
+    });
+    return (`Cloudflare sign-in started on this device.\n\n` +
+        `${block}\n\n` +
+        `Click the button to open the sign-in page on this device's browser. ` +
+        `Pick the account that owns ${accountHint} — the account name is in the ` +
+        `top-left of the Cloudflare page, next to the little orange cloud — then ` +
+        `click Authorize. Tell me when you have finished.`);
+}
+function accountSwitchCard(hostname) {
+    return (`That Cloudflare account does not own ${hostname}.\n\n` +
+        `Open Cloudflare in your browser. Look at the name in the top-left. ` +
+        `If it is not the account that owns ${hostname}, switch to the correct ` +
+        `account using the top-left dropdown. Once the correct account is showing, ` +
+        `tell me and I will start the sign-in again.`);
+}
+// ---------------------------------------------------------------------------
+// The orchestrator entry point
+//
+// Every call:
+//   (1) Reads persisted state.
+//   (2) Probes live tunnel-status.
+//   (3) Reconciles — if status shows we're further along than persisted,
+//       advance persisted to match.
+//   (4) Handles current phase.
+//
+// Step (3) is what makes re-entry and cold-start correct. An operator who
+// deletes the state file mid-flow gets reconciled to the right phase on
+// the next call because tunnel-status is the ground truth. Fresh-install
+// with no state and no cert starts at `idle` → `awaiting-domain`. Fresh-
+// install with no state but cert already bound (migration from a prior
+// setup) maps to `awaiting-hostnames`.
+// ---------------------------------------------------------------------------
+export async function runOrchestrator(input) {
+    let state = readState();
+    console.error(`[cloudflare:setup-run:enter] phase=${state.phase} domain=${state.domain ?? "none"}`);
+    // Log operator input once, terse — helpful post-hoc when diagnosing how
+    // the state transitioned. Never log secrets; domain is public by design.
+    const inputRepr = JSON.stringify({
+        domain: input.domain ?? null,
+        adminSubdomain: input.adminSubdomain ?? null,
+        publicSubdomain: input.publicSubdomain ?? null,
+        confirmed: input.confirmed ?? false,
+    });
+    operatorInputLog(state.phase, inputRepr);
+    // ---------------------------------------------------------------------
+    // Reconcile persisted phase against live tunnel-status.
+    //
+    // The reconciliation rule: tunnel-status is always right. If status
+    // says we're healthy, we are healthy (regardless of persisted phase).
+    // If status says we have a cert but persisted says we still need one,
+    // we skip ahead to `awaiting-hostnames`. If persisted domain is null
+    // but input provides one, adopt it.
+    // ---------------------------------------------------------------------
+    if (input.domain) {
+        const domainTrimmed = input.domain.trim().replace(/^https?:\/\//, "").replace(/\/.*$/, "");
+        if (domainTrimmed.length === 0) {
+            return { text: "Invalid domain — please give me the bare domain, e.g. maxy.bot.", phase: state.phase, healthy: false };
+        }
+        if (state.domain !== domainTrimmed) {
+            state = { ...state, domain: domainTrimmed };
+            writeState(state);
+        }
+    }
+    if (!state.domain && state.phase === "idle") {
+        state = transition(state, "awaiting-domain", "initial-entry-no-domain");
+        return {
+            text: "What domain do you want to use for the tunnel? For example: maxy.bot.",
+            phase: state.phase,
+            healthy: false,
+        };
+    }
+    // Probe live tunnel-status. When `state.domain` is null we pass undefined
+    // and let cloudflared use persisted state.
+    subtoolLog("tunnel-status", state.phase);
+    const status = await cloudflared.getStatus(state.domain ?? undefined);
+    // Terminal healthy short-circuit — same answer from any phase.
+    if (status.healthy) {
+        // A second call after initial healthy convergence is a no-op. Log once
+        // as terminal so the review-detector can confirm the flow closed.
+        if (state.phase !== "healthy") {
+            state = transition(state, "healthy", "status-healthy");
+            terminalLog("healthy", "all-probes-ok");
+        }
+        else {
+            console.error(`[cloudflare:setup-run:no-op] reason=already-healthy`);
+        }
+        const urls = status.probes.map((p) => `  https://${p.hostname}`).join("\n");
+        return {
+            text: `Tunnel is healthy.\n\n${urls}`,
+            phase: state.phase,
+            healthy: true,
+        };
+    }
+    // --- From here: phase-specific advance logic -------------------------
+    // If we have a cert and it matches the binding, we are past the login
+    // phase. Don't re-spawn login.
+    const authedAndReady = status.hasCert && status.bound;
+    // Determine next action from (persisted phase, status, input).
+    switch (state.phase) {
+        case "awaiting-domain": {
+            // We have a domain now (input.domain was applied above). Advance.
+            if (authedAndReady) {
+                state = transition(state, "awaiting-hostnames", "cert-already-bound");
+            }
+            else {
+                state = transition(state, "awaiting-signin", "no-cert-spawning-login");
+            }
+            return continueFromPhase(state, input, status);
+        }
+        case "idle": {
+            // Cold start with domain already supplied (rare — the check above
+            // only transitions to awaiting-domain when there's no domain).
+            if (authedAndReady) {
+                state = transition(state, "awaiting-hostnames", "cert-already-bound");
+            }
+            else {
+                state = transition(state, "awaiting-signin", "cold-start-needs-login");
+            }
+            return continueFromPhase(state, input, status);
+        }
+        case "awaiting-signin": {
+            if (authedAndReady) {
+                state = transition(state, "awaiting-hostnames", "sign-in-complete");
+                return continueFromPhase(state, input, status);
+            }
+            return continueFromPhase(state, input, status);
+        }
+        case "awaiting-account-switch": {
+            // Operator confirms they have switched accounts. Re-login with force.
+            if (input.confirmed) {
+                subtoolLog("tunnel-login-force", state.phase);
+                cloudflared.resetAuth();
+                const res = await cloudflared.tunnelLogin();
+                state = transition(state, "awaiting-signin", "account-switch-relogin");
+                return {
+                    text: signInCard(res.authUrl, state.domain ?? "your domain"),
+                    phase: state.phase,
+                    healthy: false,
+                };
+            }
+            return {
+                text: accountSwitchCard(state.domain ?? "your domain"),
+                phase: state.phase,
+                healthy: false,
+            };
+        }
+        case "awaiting-hostnames": {
+            return continueFromPhase(state, input, status);
+        }
+        case "enabling": {
+            // Re-entry after crash in the middle of create/enable. Probe told
+            // us we're not healthy; fall through to re-run enable.
+            return continueFromPhase(state, input, status);
+        }
+        case "healthy": {
+            // Unreachable — the healthy short-circuit above returns before here.
+            // Keep for exhaustiveness.
+            return { text: "Tunnel is healthy.", phase: state.phase, healthy: true };
+        }
+        case "unhealthy": {
+            // Re-invoking after an unhealthy terminal re-probes and either
+            // converges (returns healthy above) or re-emits the same reason.
+            const reason = status.unhealthyReason ?? "unknown";
+            return {
+                text: `Tunnel is not healthy. Reason: ${reason}. Re-running setup from the current state — ask me again in a minute.`,
+                phase: state.phase,
+                healthy: false,
+            };
+        }
+    }
+}
+/**
+ * Handle a phase when it is the natural next step (or a fall-through from
+ * a reconciliation). Kept separate from `runOrchestrator`'s switch so the
+ * reconciliation cases above can transition and then delegate here without
+ * nested switching.
+ */
+async function continueFromPhase(state, input, status) {
+    switch (state.phase) {
+        case "awaiting-signin": {
+            subtoolLog("tunnel-login", state.phase);
+            const res = await cloudflared.tunnelLogin();
+            return {
+                text: signInCard(res.authUrl, state.domain ?? "your domain"),
+                phase: state.phase,
+                healthy: false,
+            };
+        }
+        case "awaiting-hostnames": {
+            // Need admin subdomain from the operator.
+            if (!input.adminSubdomain) {
+                return {
+                    text: `What subdomain should the admin interface use? ` +
+                        `For example "admin" → admin.${state.domain}. ` +
+                        `Optionally, what subdomain for the public chat? ` +
+                        `For example "public" → public.${state.domain}. ` +
+                        `Leave blank to skip the public chat.`,
+                    phase: state.phase,
+                    healthy: false,
+                };
+            }
+            const adminErr = validateSubdomain(input.adminSubdomain, "admin subdomain");
+            if (adminErr)
+                return { text: adminErr, phase: state.phase, healthy: false };
+            let publicSubdomain = null;
+            if (input.publicSubdomain) {
+                const pubErr = validateSubdomain(input.publicSubdomain, "public subdomain");
+                if (pubErr)
+                    return { text: pubErr, phase: state.phase, healthy: false };
+                publicSubdomain = input.publicSubdomain;
+            }
+            if (publicSubdomain && publicSubdomain === input.adminSubdomain) {
+                return {
+                    text: `Admin and public subdomains must differ — both given as "${publicSubdomain}".`,
+                    phase: state.phase,
+                    healthy: false,
+                };
+            }
+            // Persist the choices so re-entry survives mid-call crashes.
+            state = { ...state, adminSubdomain: input.adminSubdomain, publicSubdomain };
+            writeState(state);
+            // Transition to enabling and run create + enable + verify.
+            state = transition(state, "enabling", "hostnames-received");
+            try {
+                // tunnel-create
+                subtoolLog("tunnel-create", state.phase);
+                const tunnelName = (state.domain ?? "tunnel").replace(/\./g, "-");
+                const tunnel = cloudflared.createTunnelCli(tunnelName);
+                const adminHostname = `${input.adminSubdomain}.${state.domain}`;
+                const publicHostname = publicSubdomain ? `${publicSubdomain}.${state.domain}` : null;
+                const hostnames = publicHostname ? [adminHostname, publicHostname] : [adminHostname];
+                const platformPort = parseInt(process.env.PLATFORM_PORT ?? "19200", 10);
+                const configPath = cloudflared.writeLocalConfig(tunnel.tunnelId, tunnel.credentialsPath, hostnames, platformPort);
+                cloudflared.saveTunnelIdentity({
+                    tunnelId: tunnel.tunnelId,
+                    tunnelName: tunnel.tunnelName,
+                    domain: state.domain ?? "",
+                    configPath,
+                    credentialsPath: tunnel.credentialsPath,
+                    adminHostname,
+                    publicHostname,
+                });
+                state = { ...state, tunnelId: tunnel.tunnelId };
+                writeState(state);
+                // Route DNS for each hostname.
+                subtoolLog("tunnel-route-dns", state.phase);
+                for (const h of hostnames) {
+                    await cloudflared.routeDnsCli(tunnel.tunnelId, h);
+                }
+                // tunnel-enable
+                subtoolLog("tunnel-enable", state.phase);
+                cloudflared.startTunnel({
+                    tunnelId: tunnel.tunnelId,
+                    tunnelName: tunnel.tunnelName,
+                    domain: state.domain ?? "",
+                    configPath,
+                    credentialsPath: tunnel.credentialsPath,
+                });
+                // Poll `tunnel-status` until healthy or a hard reason surfaces.
+                // Same retry budget as the standalone tunnel-enable tool's verify
+                // loop: 6 attempts × 5s = 30s.
+                for (let attempt = 0; attempt < 6; attempt++) {
+                    if (attempt > 0)
+                        await new Promise((r) => setTimeout(r, 5000));
+                    const probe = await cloudflared.getStatus(state.domain ?? undefined);
+                    if (probe.healthy) {
+                        state = transition(state, "healthy", "create-enable-verified");
+                        terminalLog("healthy", "create-enable-verified");
+                        const urls = probe.probes.map((p) => `  https://${p.hostname}`).join("\n");
+                        return { text: `Tunnel is healthy.\n\n${urls}`, phase: state.phase, healthy: true };
+                    }
+                    if (probe.unhealthyReason === "bound-account-does-not-own-hostname") {
+                        state = transition(state, "awaiting-account-switch", "post-enable-wrong-account");
+                        return {
+                            text: accountSwitchCard(state.domain ?? "your domain"),
+                            phase: state.phase,
+                            healthy: false,
+                        };
+                    }
+                }
+                // Couldn't verify within retry budget — emit a diagnostic unhealthy
+                // terminal. Operator can re-invoke cloudflare-setup-run later; if
+                // the edge caught up by then it will converge to healthy.
+                const final = await cloudflared.getStatus(state.domain ?? undefined);
+                const reason = final.unhealthyReason ?? "edge-not-yet-reachable";
+                state = { ...state, unhealthyReason: reason };
+                state = transition(state, "unhealthy", `verify-failed-${reason}`);
+                terminalLog("unhealthy", reason);
+                return {
+                    text: `Tunnel created and started but the end-to-end probe has not converged yet ` +
+                        `(reason: ${reason}). DNS propagation can take 1-5 minutes. Ask me to set up ` +
+                        `the tunnel again in a minute to re-probe.`,
+                    phase: state.phase,
+                    healthy: false,
+                };
+            }
+            catch (err) {
+                // tunnel-create shelled refusal — detect the wrong-account class
+                // and route to awaiting-account-switch. Other errors bubble up as
+                // unhealthy with the message.
+                if (err instanceof cloudflared.CloudflareRefusalError) {
+                    const reason = err.refusal.reason;
+                    if (reason === "post-flight-fqdn-mismatch" ||
+                        reason === "hostname-zone-not-routable" ||
+                        reason === "account-drift" ||
+                        reason === "unbound-device") {
+                        state = transition(state, "awaiting-account-switch", `refusal-${reason}`);
+                        return {
+                            text: accountSwitchCard(state.domain ?? "your domain"),
+                            phase: state.phase,
+                            healthy: false,
+                        };
+                    }
+                }
+                const msg = err instanceof Error ? err.message : String(err);
+                state = { ...state, unhealthyReason: "create-or-enable-failed" };
+                state = transition(state, "unhealthy", "create-or-enable-threw");
+                terminalLog("unhealthy", "create-or-enable-threw");
+                return {
+                    text: `Tunnel setup failed: ${msg}`,
+                    phase: state.phase,
+                    healthy: false,
+                };
+            }
+        }
+        case "enabling": {
+            // Re-enter mid-enable after a crash. Delegate back to
+            // awaiting-hostnames with the persisted subdomains as "input" so
+            // the create/enable/verify block runs again. Idempotent: tunnel
+            // create reuses an existing tunnel by name; DNS route is overwritten.
+            if (state.adminSubdomain) {
+                const recoveredInput = {
+                    adminSubdomain: state.adminSubdomain,
+                    publicSubdomain: state.publicSubdomain ?? undefined,
+                };
+                const recoveredState = transition(state, "awaiting-hostnames", "re-entry-after-enabling-crash");
+                return continueFromPhase(recoveredState, recoveredInput, status);
+            }
+            // Somehow hit enabling without a stored adminSubdomain — reset to
+            // awaiting-hostnames and ask again.
+            state = transition(state, "awaiting-hostnames", "re-entry-missing-subdomains");
+            return continueFromPhase(state, input, status);
+        }
+        case "idle":
+        case "awaiting-domain":
+        case "awaiting-account-switch":
+        case "healthy":
+        case "unhealthy":
+            // Unreachable in this helper — the top-level switch handles these.
+            return {
+                text: `Unexpected phase: ${state.phase}. Ask me again.`,
+                phase: state.phase,
+                healthy: false,
+            };
+    }
+}
+// ---------------------------------------------------------------------------
+// Reset — exposed for tests and for the hypothetical "start over" admin flow
+// ---------------------------------------------------------------------------
+export function resetOrchestrator() {
+    console.error(`[cloudflare:setup-run:reset]`);
+    deleteState();
+}
+//# sourceMappingURL=setup-orchestrator.js.map

package/payload/platform/plugins/cloudflare/mcp/dist/lib/setup-orchestrator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup-orchestrator.js","sourceRoot":"","sources":["../../src/lib/setup-orchestrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EACL,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,EACT,UAAU,GACX,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,KAAK,WAAW,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,6CAA6C,CAAC;AAC7E,OAAO,EAAE,QAAQ,IAAI,UAAU,EAAE,MAAM,SAAS,CAAC;AAuDjD,SAAS,YAAY;IACnB,OAAO;QACL,KAAK,EAAE,MAAM;QACb,MAAM,EAAE,IAAI;QACZ,cAAc,EAAE,IAAI;QACpB,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACxC,eAAe,EAAE,IAAI;KACtB,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,iBAA0B;IACvD,MAAM,SAAS,GAAG,iBAAiB,IAAI,CAAC,GAAG,EAAE;QAC3C,IAAI,CAAC;YACH,OAAO,WAAW,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IACL,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,YAAY,EAAE,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,sEAAsE;QACtE,oEAAoE;QACpE,oEAAoE;QACpE,sEAAsE;QACtE,iBAAiB;QACjB,IAAI,OAAO,MAAM,EAAE,KAAK,KAAK,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,KAAK,CAAC,+CAA+C,IAAI,sBAAsB,CAAC,CAAC;YACzF,OAAO,YAAY,EAAE,CAAC;QACxB,CAAC;QACD,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,IAAI;YAC7B,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI;YAC7C,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI;YAC/C,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,IAAI;YACjC,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACjE,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI;SAChD,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,gDAAgD,IAAI,QAAQ,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/G,CAAC;QACF,OAAO,YAAY,EAAE,CAAC;IACxB,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,KAAwB;IAC1C,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;IAC9B,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,SAAS,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClG,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,WAAW;IAClB,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;IAC9B,IAAI,CAAC;QACH,UAAU,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;QACjD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,kDAAkD,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CACjB,KAAwB,EACxB,IAAuB,EACvB,MAAc;IAEd,IAAI,KAAK,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CACX,gDAAgD,KAAK,CAAC,KAAK,OAAO,IAAI,WAAW,MAAM,EAAE,CAC1F,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAsB;QACjC,GAAG,KAAK;QACR,KAAK,EAAE,IAAI;QACX,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACzC,CAAC;IACF,UAAU,CAAC,OAAO,CAAC,CAAC;IACpB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,EAAE;AACF,wEAAwE;AACxE,gEAAgE;AAChE,oEAAoE;AACpE,8EAA8E;AAE9E,MAAM,UAAU,qBAAqB;IACnC,OAAO,SAAS,EAAE,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,KAAwB;IACpD,OAAO,KAAK,CAAC,KAAK,KAAK,MAAM,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,KAAK,WAAW,CAAC;AAC5F,CAAC;AA8BD,SAAS,UAAU,CAAC,IAAY,EAAE,KAAwB;IACxD,OAAO,CAAC,KAAK,CAAC,+CAA+C,IAAI,UAAU,KAAK,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,WAAW,CAAC,OAA8C,EAAE,MAAc;IACjF,OAAO,CAAC,KAAK,CAAC,2CAA2C,OAAO,WAAW,MAAM,EAAE,CAAC,CAAC;AACvF,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAwB,EAAE,IAAY;IAC9D,OAAO,CAAC,KAAK,CAAC,+CAA+C,KAAK,UAAU,IAAI,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,EAAE;AACF,2EAA2E;AAC3E,6EAA6E;AAC7E,2DAA2D;AAC3D,8EAA8E;AAE9E,MAAM,iBAAiB,GAAG,uCAAuC,CAAC;AAElE,SAAS,iBAAiB,CAAC,KAAa,EAAE,IAAY;IACpD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,IAAI,WAAW,CAAC;IAClD,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,IAAI,iCAAiC,KAAK,kEAAkE,CAAC;IAChJ,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,GAAG,IAAI,KAAK,KAAK,kEAAkE,CAAC;IAC/H,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,qEAAqE;AACrE,8EAA8E;AAE9E,SAAS,UAAU,CAAC,OAAe,EAAE,WAAmB;IACtD,MAAM,KAAK,GAAG,cAAc,CAAC;QAC3B,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,uBAAuB;QAC/B,QAAQ,EAAE,UAAU,EAAE;KACvB,CAAC,CAAC;IACH,OAAO,CACL,gDAAgD;QAChD,GAAG,KAAK,MAAM;QACd,sEAAsE;QACtE,8BAA8B,WAAW,gCAAgC;QACzE,0EAA0E;QAC1E,kDAAkD,CACnD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,CACL,wCAAwC,QAAQ,OAAO;QACvD,qEAAqE;QACrE,sCAAsC,QAAQ,0BAA0B;QACxE,4EAA4E;QAC5E,6CAA6C,CAC9C,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,+BAA+B;AAC/B,EAAE;AACF,cAAc;AACd,+BAA+B;AAC/B,mCAAmC;AACnC,yEAAyE;AACzE,oCAAoC;AACpC,+BAA+B;AAC/B,EAAE;AACF,0EAA0E;AAC1E,wEAAwE;AACxE,yEAAyE;AACzE,yEAAyE;AACzE,uEAAuE;AACvE,uCAAuC;AACvC,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAwB;IAC5D,IAAI,KAAK,GAAG,SAAS,EAAE,CAAC;IACxB,OAAO,CAAC,KAAK,CAAC,sCAAsC,KAAK,CAAC,KAAK,WAAW,KAAK,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC,CAAC;IAEpG,wEAAwE;IACxE,yEAAyE;IACzE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;QAC5B,cAAc,EAAE,KAAK,CAAC,cAAc,IAAI,IAAI;QAC5C,eAAe,EAAE,KAAK,CAAC,eAAe,IAAI,IAAI;QAC9C,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,KAAK;KACpC,CAAC,CAAC;IACH,gBAAgB,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAEzC,wEAAwE;IACxE,wDAAwD;IACxD,EAAE;IACF,oEAAoE;IACpE,sEAAsE;IACtE,sEAAsE;IACtE,qEAAqE;IACrE,oCAAoC;IACpC,wEAAwE;IAExE,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC3F,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,IAAI,EAAE,iEAAiE,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QACzH,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;YACnC,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;YAC5C,UAAU,CAAC,KAAK,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;QAC5C,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,iBAAiB,EAAE,yBAAyB,CAAC,CAAC;QACxE,OAAO;YACL,IAAI,EAAE,uEAAuE;YAC7E,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,2CAA2C;IAC3C,UAAU,CAAC,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC;IAEtE,+DAA+D;IAC/D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,uEAAuE;QACvE,kEAAkE;QAClE,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC9B,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC;YACvD,WAAW,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5E,OAAO;YACL,IAAI,EAAE,yBAAyB,IAAI,EAAE;YACrC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IAED,wEAAwE;IAExE,sEAAsE;IACtE,+BAA+B;IAC/B,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC;IAEtD,+DAA+D;IAC/D,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,kEAAkE;YAClE,IAAI,cAAc,EAAE,CAAC;gBACnB,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,oBAAoB,EAAE,oBAAoB,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACN,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,iBAAiB,EAAE,wBAAwB,CAAC,CAAC;YACzE,CAAC;YACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,kEAAkE;YAClE,+DAA+D;YAC/D,IAAI,cAAc,EAAE,CAAC;gBACnB,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,oBAAoB,EAAE,oBAAoB,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACN,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,iBAAiB,EAAE,wBAAwB,CAAC,CAAC;YACzE,CAAC;YACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,cAAc,EAAE,CAAC;gBACnB,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;gBACpE,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,KAAK,yBAAyB,CAAC,CAAC,CAAC;YAC/B,sEAAsE;YACtE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;gBACpB,UAAU,CAAC,oBAAoB,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC9C,WAAW,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,CAAC;gBAC5C,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,iBAAiB,EAAE,wBAAwB,CAAC,CAAC;gBACvE,OAAO;oBACL,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,IAAI,aAAa,CAAC;oBAC5D,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC,MAAM,IAAI,aAAa,CAAC;gBACtD,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC;QACJ,CAAC;QAED,KAAK,oBAAoB,CAAC,CAAC,CAAC;YAC1B,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,kEAAkE;YAClE,uDAAuD;YACvD,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,qEAAqE;YACrE,2BAA2B;YAC3B,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3E,CAAC;QAED,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,+DAA+D;YAC/D,iEAAiE;YACjE,MAAM,MAAM,GAAG,MAAM,CAAC,eAAe,IAAI,SAAS,CAAC;YACnD,OAAO;gBACL,IAAI,EAAE,kCAAkC,MAAM,uEAAuE;gBACrH,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,iBAAiB,CAC9B,KAAwB,EACxB,KAAwB,EACxB,MAAgC;IAEhC,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;QACpB,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,UAAU,CAAC,cAAc,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,CAAC;YAC5C,OAAO;gBACL,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,IAAI,aAAa,CAAC;gBAC5D,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC;QACJ,CAAC;QAED,KAAK,oBAAoB,CAAC,CAAC,CAAC;YAC1B,0CAA0C;YAC1C,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;gBAC1B,OAAO;oBACL,IAAI,EACF,iDAAiD;wBACjD,+BAA+B,KAAK,CAAC,MAAM,IAAI;wBAC/C,kDAAkD;wBAClD,iCAAiC,KAAK,CAAC,MAAM,IAAI;wBACjD,sCAAsC;oBACxC,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC;YACJ,CAAC;YAED,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;YAC5E,IAAI,QAAQ;gBAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5E,IAAI,eAAe,GAAkB,IAAI,CAAC;YAC1C,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;gBAC1B,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;gBAC5E,IAAI,MAAM;oBAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;gBACxE,eAAe,GAAG,KAAK,CAAC,eAAe,CAAC;YAC1C,CAAC;YACD,IAAI,eAAe,IAAI,eAAe,KAAK,KAAK,CAAC,cAAc,EAAE,CAAC;gBAChE,OAAO;oBACL,IAAI,EAAE,4DAA4D,eAAe,IAAI;oBACrF,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC;YACJ,CAAC;YAED,6DAA6D;YAC7D,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,eAAe,EAAE,CAAC;YAC5E,UAAU,CAAC,KAAK,CAAC,CAAC;YAElB,2DAA2D;YAC3D,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,UAAU,EAAE,oBAAoB,CAAC,CAAC;YAE5D,IAAI,CAAC;gBACH,gBAAgB;gBAChB,UAAU,CAAC,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAClE,MAAM,MAAM,GAAG,WAAW,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;gBAEvD,MAAM,aAAa,GAAG,GAAG,KAAK,CAAC,cAAc,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBAChE,MAAM,cAAc,GAAG,eAAe,CAAC,CAAC,CAAC,GAAG,eAAe,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBACrF,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBACrF,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,EAAE,EAAE,CAAC,CAAC;gBAExE,MAAM,UAAU,GAAG,WAAW,CAAC,gBAAgB,CAC7C,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,eAAe,EACtB,SAAS,EACT,YAAY,CACb,CAAC;gBACF,WAAW,CAAC,kBAAkB,CAAC;oBAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;oBAC1B,UAAU;oBACV,eAAe,EAAE,MAAM,CAAC,eAAe;oBACvC,aAAa;oBACb,cAAc;iBACf,CAAC,CAAC;gBACH,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAChD,UAAU,CAAC,KAAK,CAAC,CAAC;gBAElB,+BAA+B;gBAC/B,UAAU,CAAC,kBAAkB,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC5C,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;oBAC1B,MAAM,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;gBACpD,CAAC;gBAED,gBAAgB;gBAChB,UAAU,CAAC,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACzC,WAAW,CAAC,WAAW,CAAC;oBACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;oBAC1B,UAAU;oBACV,eAAe,EAAE,MAAM,CAAC,eAAe;iBACxC,CAAC,CAAC;gBAEH,gEAAgE;gBAChE,kEAAkE;gBAClE,+BAA+B;gBAC/B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;oBAC7C,IAAI,OAAO,GAAG,CAAC;wBAAE,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;oBAC/D,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC;oBACrE,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;wBAClB,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;wBAC/D,WAAW,CAAC,SAAS,EAAE,wBAAwB,CAAC,CAAC;wBACjD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC3E,OAAO,EAAE,IAAI,EAAE,yBAAyB,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;oBACtF,CAAC;oBACD,IAAI,KAAK,CAAC,eAAe,KAAK,qCAAqC,EAAE,CAAC;wBACpE,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,yBAAyB,EAAE,2BAA2B,CAAC,CAAC;wBAClF,OAAO;4BACL,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC,MAAM,IAAI,aAAa,CAAC;4BACtD,KAAK,EAAE,KAAK,CAAC,KAAK;4BAClB,OAAO,EAAE,KAAK;yBACf,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,oEAAoE;gBACpE,kEAAkE;gBAClE,0DAA0D;gBAC1D,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC;gBACrE,MAAM,MAAM,GAAG,KAAK,CAAC,eAAe,IAAI,wBAAwB,CAAC;gBACjE,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC;gBAC9C,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,WAAW,EAAE,iBAAiB,MAAM,EAAE,CAAC,CAAC;gBAClE,WAAW,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;gBACjC,OAAO;oBACL,IAAI,EACF,4EAA4E;wBAC5E,YAAY,MAAM,4DAA4D;wBAC9E,2CAA2C;oBAC7C,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,iEAAiE;gBACjE,kEAAkE;gBAClE,8BAA8B;gBAC9B,IAAI,GAAG,YAAY,WAAW,CAAC,sBAAsB,EAAE,CAAC;oBACtD,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;oBAClC,IACE,MAAM,KAAK,2BAA2B;wBACtC,MAAM,KAAK,4BAA4B;wBACvC,MAAM,KAAK,eAAe;wBAC1B,MAAM,KAAK,gBAAgB,EAC3B,CAAC;wBACD,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,yBAAyB,EAAE,WAAW,MAAM,EAAE,CAAC,CAAC;wBAC1E,OAAO;4BACL,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC,MAAM,IAAI,aAAa,CAAC;4BACtD,KAAK,EAAE,KAAK,CAAC,KAAK;4BAClB,OAAO,EAAE,KAAK;yBACf,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,eAAe,EAAE,yBAAyB,EAAE,CAAC;gBACjE,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,WAAW,EAAE,wBAAwB,CAAC,CAAC;gBACjE,WAAW,CAAC,WAAW,EAAE,wBAAwB,CAAC,CAAC;gBACnD,OAAO;oBACL,IAAI,EAAE,wBAAwB,GAAG,EAAE;oBACnC,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EAAE,KAAK;iBACf,CAAC;YACJ,CAAC;QACH,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,sDAAsD;YACtD,iEAAiE;YACjE,gEAAgE;YAChE,sEAAsE;YACtE,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;gBACzB,MAAM,cAAc,GAAsB;oBACxC,cAAc,EAAE,KAAK,CAAC,cAAc;oBACpC,eAAe,EAAE,KAAK,CAAC,eAAe,IAAI,SAAS;iBACpD,CAAC;gBACF,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,EAAE,oBAAoB,EAAE,+BAA+B,CAAC,CAAC;gBAChG,OAAO,iBAAiB,CAAC,cAAc,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;YACnE,CAAC;YACD,kEAAkE;YAClE,oCAAoC;YACpC,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,oBAAoB,EAAE,6BAA6B,CAAC,CAAC;YAC/E,OAAO,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;QAED,KAAK,MAAM,CAAC;QACZ,KAAK,iBAAiB,CAAC;QACvB,KAAK,yBAAyB,CAAC;QAC/B,KAAK,SAAS,CAAC;QACf,KAAK,WAAW;YACd,mEAAmE;YACnE,OAAO;gBACL,IAAI,EAAE,qBAAqB,KAAK,CAAC,KAAK,iBAAiB;gBACvD,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC;IACN,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,6EAA6E;AAC7E,8EAA8E;AAE9E,MAAM,UAAU,iBAAiB;IAC/B,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC9C,WAAW,EAAE,CAAC;AAChB,CAAC"}

package/payload/platform/plugins/cloudflare/references/setup-guide.md

@@ -23,14 +23,13 @@ The operator drives the browser. The agent runs `cloudflared` commands and repor
 
 ### Sign-in
 
-The agent runs `tunnel-login`, which opens a Cloudflare sign-in URL in the VNC browser. The operator picks the Cloudflare account they want this laptop to talk to (the account name shows in the top-left of the Cloudflare page, next to the little orange cloud), clicks Authorize, and confirms. The agent runs `tunnel-login` a second time; it reports `Sign-in complete.` once cert.pem has landed.
+The agent runs `tunnel-login`, which spawns `cloudflared tunnel login` on the device and returns a tool result containing a `maxy-device-url` fenced block with the Cloudflare auth URL. The chat UI renders that block as an "Open Cloudflare sign-in on device" button — clicking it drives the device's VNC browser (via CDP on 127.0.0.1:9222) to the auth page. This is device-bound because the OAuth callback round-trips to `cloudflared`'s local HTTP server on the laptop; the completion has to happen on the device that started login, not wherever the operator is viewing the chat from. The operator picks the Cloudflare account they want this laptop to talk to (the account name shows in the top-left of the Cloudflare page, next to the little orange cloud), clicks Authorize, and confirms. The agent runs `tunnel-login` a second time; it reports `Sign-in complete.` once cert.pem has landed.
 
-The `tunnel-login` tool reports one of four deterministic states on every call:
+The `tunnel-login` tool reports one of three deterministic states on every call. Every non-terminal state emits a `maxy-device-url` fenced block so the chat UI renders the sign-in URL as a click-to-open-on-device button (Task 546):
 
 - **`Sign-in complete.`** — the laptop is signed in and bound to a Cloudflare account; the agent continues to the next step.
-- **`Sign-in in progress…`** — an existing browser window is still open. The operator finishes the sign-in; the agent calls `tunnel-login` again once they confirm.
-- **`Sign-in failed — the browser didn't open on the laptop. Restarting.`** — cloudflared's browser launcher gave up. The tool respawns login and returns a new sign-in URL.
-- **`Sign-in ended without saving the cert. Restarting.`** — the login process exited without writing cert.pem. The tool respawns login and returns a new URL.
+- **`Sign-in in progress…`** — the cloudflared login process is still running and its OAuth callback is waiting. The tool result carries a `maxy-device-url` block for the sign-in URL; the operator clicks the button to open the page in the device's browser (or, if the VNC surface is unreachable, uses the inline copy-to-clipboard fallback). The agent calls `tunnel-login` again once they confirm. When cloudflared's own browser-launch subcommand failed (rare), a `[cloudflare:tunnel-login:browser-launch-failed]` log line is emitted for diagnostics — no operator-facing change, the device-URL button is still how they open the page.
+- **`Sign-in ended without saving the cert. Restarting.`** — the login process exited without writing cert.pem (crash, SIGKILL, abrupt shutdown). The tool respawns login and its result carries a fresh `maxy-device-url` block against the new auth URL.
 
 To switch Cloudflare accounts later, the agent runs `tunnel-login` with `force=true`. This signs the laptop out (deletes the local sign-in file) so a fresh sign-in can pick a different account.
 
@@ -123,7 +122,7 @@ Use `dns-lookup` for ad-hoc DNS checks — `dig` and `nslookup` are not availabl
 
 | Tool | Purpose |
 |------|---------|
-| `tunnel-login` | Browser sign-in with Cloudflare — the only auth path. Reports one of four deterministic states: `Sign-in complete.`, `Sign-in in progress…`, `Sign-in failed … Restarting.`, or `Sign-in ended without saving the cert. Restarting.`. `force=true` clears the local sign-in so a fresh one can pick a different account. |
+| `tunnel-login` | Browser sign-in with Cloudflare — the only auth path. Reports one of three deterministic states: `Sign-in complete.`, `Sign-in in progress…` (with optional one-line advisory when cloudflared couldn't open the browser itself), or `Sign-in ended without saving the cert. Restarting.`. `force=true` clears the local sign-in so a fresh one can pick a different account. |
 | `tunnel-status` | Full state including an end-to-end probe of every configured address. Trailing text is a single prescribed recovery sentence per `unhealthyReason` (see table above). `healthy: true` requires every address to probe `ok`; `boundAccountOwnsHostnames: false` means the laptop is running a tunnel that nothing from the internet is reaching. |
 | `tunnel-install` | Install the `cloudflared` binary. |
 | `tunnel-create` | Create a tunnel and route DNS for chosen sub-addresses. Refuses when the domain is not on the signed-in Cloudflare account. Idempotent. |