@the-ai-company/cbio-node-runtime 0.31.0

package/dist/agent/agent.js

@@ -0,0 +1,565 @@
+import { derivePublicKey, LocalSigner, generateIdentityKeys } from "../protocol/crypto.js";
+import { CbioVault } from "../vault/vault.js";
+import { AuthClient } from "../http/authClient.js";
+import { SecretAcquisition, } from "../http/secretAcquisition.js";
+import { getChildIdentitySecretName, deriveRootAgentId, getVaultPath } from "../protocol/identity.js";
+import { createIdentityRef, signIssuedAgentIdentity, signRevocationRecord, verifyIssuedAgentIdentity, verifyRevocationRecord, } from "@the-ai-company/cbio-protocol";
+import { IdentityError, IdentityErrorCode } from "../errors.js";
+const identityVaults = new WeakMap();
+function getIssuedCapabilitiesFromRecord(record) {
+    if (!record || typeof record !== "object")
+        return null;
+    const issuedIdentity = record.issuedIdentity;
+    if (!issuedIdentity || typeof issuedIdentity !== "object")
+        return null;
+    const capabilities = issuedIdentity.capabilities;
+    if (capabilities === undefined)
+        return [];
+    if (!Array.isArray(capabilities))
+        return null;
+    for (const cap of capabilities) {
+        if (typeof cap !== "string" || !VALID_ISSUED_CAPABILITY_NAMES.has(cap))
+            return null;
+    }
+    return capabilities;
+}
+const VALID_ISSUED_CAPABILITY_NAMES = new Set([
+    "vault:list",
+    "vault:fetch",
+    "vault:acquire",
+    "admin:secrets",
+    "admin:issue",
+    "identity:sign",
+]);
+function capabilityToRuntimePermission(capability) {
+    return capability;
+}
+/**
+ * CbioIdentity
+ *
+ * The primary Identity container. Represents an agent's identity and its associated vault.
+ * This is the high-privilege handle that contains administrative capabilities (.admin)
+ * and private keys.
+ */
+export class CbioIdentity {
+    signer;
+    _vault;
+    admin;
+    agentId;
+    publicKey;
+    #issuedIdentity;
+    _authClient;
+    _secretAcquisition;
+    constructor(signer, _vault, agentId, publicKey) {
+        this.signer = signer;
+        this._vault = _vault;
+        this.agentId = agentId || "";
+        this.publicKey = publicKey || "";
+        const appendLog = (entry) => this._vault.appendActivityLogEntry(entry);
+        this._authClient = new AuthClient(this._vault, this.signer, appendLog);
+        this._secretAcquisition = new SecretAcquisition(this._vault, appendLog);
+        this.admin = new CbioAdmin(this, this._vault);
+        identityVaults.set(this, this._vault);
+    }
+    #bindIssuedIdentity(issuedIdentity) {
+        if (!verifyIssuedAgentIdentity(issuedIdentity)) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Issued identity for '${this.publicKey}' failed protocol verification.`);
+        }
+        if (issuedIdentity.agent.public_key !== this.publicKey) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Issued identity public_key does not match identity public key.`);
+        }
+        if (issuedIdentity.agent.agent_id !== this.agentId) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Issued identity agent_id does not match identity agent id.`);
+        }
+        this.#issuedIdentity = issuedIdentity;
+    }
+    /**
+     * Primary entry point: Load identity from keys and initialize vault.
+     */
+    static async load(keys, options) {
+        const opts = options ?? {};
+        const priv = keys.privateKey;
+        const pub = keys.publicKey || derivePublicKey(priv);
+        const agentId = deriveRootAgentId(pub);
+        const signer = new LocalSigner({ publicKey: pub, privateKey: priv });
+        const identity = new CbioIdentity(signer, new CbioVault(), agentId, pub);
+        const storageKey = opts.storageKey ?? getVaultPath(pub);
+        const activityLogKeyIsDerived = opts.activityLog?.enabled !== false && opts.activityLog?.key === undefined;
+        const activityLogKey = opts.activityLog?.enabled === false
+            ? undefined
+            : (opts.activityLog?.key ?? storageKey.replace(/\.enc$/, "") + ".activity.jsonl");
+        await identity._vault.initFromStorage(signer, storageKey, opts.storage, activityLogKey, activityLogKeyIsDerived);
+        if (opts.issuedIdentity)
+            identity.#bindIssuedIdentity(opts.issuedIdentity);
+        return identity;
+    }
+    async fetchWithAuth(secretName, url, options) {
+        return this._authClient.fetchWithAuth(secretName, url, options ?? {});
+    }
+    createFetchWithAuth(secretName) {
+        return this._authClient.createFetchWithAuth(secretName);
+    }
+    async getPublicKey() {
+        return this.publicKey || this.signer.getPublicKey();
+    }
+    async getAgentId() {
+        return this.agentId || deriveRootAgentId(await this.getPublicKey());
+    }
+    async fetchJsonAndAddSecret(options) {
+        return this._secretAcquisition.fetchJsonAndAddSecret(options);
+    }
+    async fetchJsonAndUpdateSecret(options) {
+        return this._secretAcquisition.fetchJsonAndUpdateSecret(options);
+    }
+    hasSecret(secretName) {
+        return this._vault.hasSecret(secretName);
+    }
+    listSecretNames() {
+        return this._vault.listSecretNames();
+    }
+    /**
+     * Register a newly created child identity to the parent vault.
+     * @returns The child's publicKey (domain-level identifier). Use getChildIdentitySecretName(publicKey) from the protocol subpath for low-level vault access.
+     */
+    async registerChildIdentity(keys, options) {
+        return this.admin.children.registerChildIdentity(keys, options);
+    }
+    async authenticate(nonce) {
+        return this.signer.sign(nonce);
+    }
+    /**
+     * Create a standard Agent handle for this identity.
+     * The Agent handle DOES NOT have an .admin property and does not expose the signer/private key.
+     * This is the recommended handle to pass to an autonomous LLM.
+     *
+     * By default this returns a minimally privileged handle (`vault:fetch`, `vault:list`).
+     * Runtime permissions are only widened when passed explicitly or when
+     * `deriveFromIssuedIdentity` is set to `true`.
+     */
+    getAgent(options) {
+        const opts = options ?? {};
+        let finalPerms = opts.permissions;
+        if (!finalPerms && opts.deriveFromIssuedIdentity) {
+            finalPerms = {};
+            for (const cap of this.#issuedIdentity?.capabilities ?? []) {
+                finalPerms[capabilityToRuntimePermission(cap)] = true;
+            }
+            finalPerms["vault:fetch"] = true;
+            finalPerms["vault:list"] = true;
+        }
+        return new CbioAgent(this._authClient, this._secretAcquisition, this.agentId, this.publicKey, finalPerms);
+    }
+}
+/**
+ * CbioAgent
+ *
+ * A safety-wrapped version of an Identity designed for autonomous LLMs.
+ * It provides only the Standard facet (fetchWithAuth, etc.) by default and hides
+ * all administrative capabilities and private keys.
+ */
+export class CbioAgent {
+    agentId;
+    publicKey;
+    #authClient;
+    #secretAcquisition;
+    #permissions;
+    constructor(authClient, secretAcquisition, agentId, publicKey, permissions) {
+        this.agentId = agentId;
+        this.publicKey = publicKey;
+        this.#authClient = authClient;
+        this.#secretAcquisition = secretAcquisition;
+        // Default to a restricted worker (vault:fetch, vault:list) if no permissions specified
+        this.#permissions = permissions || { "vault:fetch": true, "vault:list": true };
+    }
+    /**
+     * View the runtime permissions granted to this handle.
+     */
+    get permissions() {
+        return Object.freeze({ ...this.#permissions });
+    }
+    _checkPermission(permission) {
+        if (!this.#permissions[permission]) {
+            throw new IdentityError(IdentityErrorCode.PERMISSION_DENIED, `Agent handle does not have '${permission}' permission.`);
+        }
+    }
+    async fetchWithAuth(secretName, url, options) {
+        // vault:fetch is required for network auth
+        this._checkPermission("vault:fetch");
+        return this.#authClient.fetchWithAuth(secretName, url, options ?? {});
+    }
+    createFetchWithAuth(secretName) {
+        this._checkPermission("vault:fetch");
+        return this.#authClient.createFetchWithAuth(secretName);
+    }
+    async getPublicKey() {
+        return this.publicKey;
+    }
+    async getAgentId() {
+        return this.agentId;
+    }
+    async fetchJsonAndAddSecret(options) {
+        this._checkPermission("vault:acquire");
+        return this.#secretAcquisition.fetchJsonAndAddSecret(options);
+    }
+    async fetchJsonAndUpdateSecret(options) {
+        this._checkPermission("vault:acquire");
+        return this.#secretAcquisition.fetchJsonAndUpdateSecret(options);
+    }
+    hasSecret(secretName) {
+        this._checkPermission("vault:list");
+        return this.#secretAcquisition.hasSecret(secretName);
+    }
+    listSecretNames() {
+        this._checkPermission("vault:list");
+        return this.#secretAcquisition.listSecretNames();
+    }
+    /**
+     * Check if this agent handle has the specified runtime permission.
+     */
+    can(permission) {
+        return !!this.#permissions[permission];
+    }
+}
+/**
+ * CbioManagementFacet
+ *
+ * Provides administrative (high-risk) capabilities for a CbioIdentity.
+ */
+class ManagedAgentSupport {
+    _identity;
+    _vault;
+    constructor(_identity, _vault) {
+        this._identity = _identity;
+        this._vault = _vault;
+    }
+    getSecret(secretName) {
+        return this._vault.getSecret(secretName);
+    }
+    async addSecret(secretName, secretValue, options) {
+        await this._vault.addSecret(secretName, secretValue, options);
+    }
+    _getManagedAgentRecord(publicKey) {
+        const secretName = getChildIdentitySecretName(publicKey);
+        const stored = this.getSecret(secretName);
+        if (!stored)
+            return null;
+        try {
+            const parsed = JSON.parse(stored);
+            return parsed;
+        }
+        catch {
+            return null;
+        }
+    }
+    _getManagedAgentRevocation(publicKey) {
+        const revocationKey = `cbio:revocation:${publicKey}`;
+        const stored = this.getSecret(revocationKey);
+        if (!stored)
+            return null;
+        try {
+            const parsed = JSON.parse(stored);
+            if (!verifyRevocationRecord(parsed))
+                return null;
+            if (parsed.issuer.public_key !== this._identity.publicKey)
+                return null;
+            if (parsed.issuer.agent_id !== this._identity.agentId)
+                return null;
+            if (parsed.target.kind !== "issued_agent_identity")
+                return null;
+            if (parsed.target.subject_agent_id !== deriveRootAgentId(publicKey))
+                return null;
+            const record = this._getManagedAgentRecord(publicKey);
+            const expectedSequence = record?.issuedIdentity?.issuance?.sequence;
+            if (expectedSequence !== undefined && parsed.target.sequence !== expectedSequence)
+                return null;
+            return parsed;
+        }
+        catch {
+            return null;
+        }
+    }
+    _isManagedAgentRevoked(publicKey) {
+        return this._getManagedAgentRevocation(publicKey) !== null;
+    }
+    _assertManagedAgentNotRevoked(publicKey) {
+        if (this._isManagedAgentRevoked(publicKey)) {
+            throw new IdentityError(IdentityErrorCode.PERMISSION_DENIED, `Managed agent '${publicKey}' has been revoked and cannot be loaded.`);
+        }
+    }
+}
+export class CbioVaultAdmin {
+    _identity;
+    _vault;
+    constructor(_identity, _vault) {
+        this._identity = _identity;
+        this._vault = _vault;
+    }
+    async addSecret(secretName, secretValue, options) {
+        await this._vault.addSecret(secretName, secretValue, options);
+    }
+    getSecret(secretName) {
+        return this._vault.getSecret(secretName);
+    }
+    hasSecret(secretName) {
+        return this._vault.hasSecret(secretName);
+    }
+    async deleteSecret(secretName) {
+        await this._vault.deleteSecret(secretName);
+    }
+    async setSecretAllowedOrigins(secretName, allowedOrigins) {
+        await this._vault.setSecretAllowedOrigins(secretName, allowedOrigins);
+    }
+    async getActivityLog() {
+        return this._vault.getActivityLog();
+    }
+    async getActivityLogMetadata() {
+        return this._vault.getActivityLogMetadata();
+    }
+    async mergeFrom(otherIdentity, options) {
+        const otherVault = identityVaults.get(otherIdentity);
+        if (!otherVault) {
+            throw new IdentityError(IdentityErrorCode.MERGE_IDENTITY_MISMATCH, "The source identity is not bound to a mergeable vault instance.");
+        }
+        return this._vault.mergeFrom(otherVault, options);
+    }
+    seal(kdk) {
+        return this._vault.seal(kdk);
+    }
+    loadFromSealedBlob(kdk, sealedBlob) {
+        this._vault.unseal(kdk, sealedBlob);
+    }
+    async serializeToBlob() {
+        return this._vault.serializeToBlob(this._identity.signer);
+    }
+    async saveVault() {
+        await this._vault.save(this._identity.signer);
+    }
+    /**
+     * One-time save of the vault to the given storage key.
+     * Does NOT change the bound storage for subsequent saveVault() or autosave.
+     * Binding is set during identity load (initFromStorage/initFromBlob).
+     */
+    async saveVaultAs(storageKey) {
+        await this._vault.save(this._identity.signer, storageKey);
+    }
+}
+export class CbioManagedAgentAdmin extends ManagedAgentSupport {
+    getManagedAgentCapabilities(publicKey) {
+        const record = this._getManagedAgentRecord(publicKey);
+        if (!record)
+            return { status: "missing", capabilities: [] };
+        if (this._isManagedAgentRevoked(publicKey)) {
+            return { status: "revoked", capabilities: [] };
+        }
+        const capabilities = getIssuedCapabilitiesFromRecord(record);
+        if (!capabilities) {
+            return { status: "invalid", capabilities: [] };
+        }
+        return { status: "active", capabilities };
+    }
+    async revokeManagedAgent(publicKey, reason) {
+        const secretName = getChildIdentitySecretName(publicKey);
+        if (!this._vault.hasSecret(secretName)) {
+            throw new IdentityError(IdentityErrorCode.SECRET_NOT_FOUND, `Managed agent with public key '${publicKey}' not found in this vault.`);
+        }
+        if (!(this._identity.signer instanceof LocalSigner)) {
+            throw new IdentityError(IdentityErrorCode.SIGNER_REQUIRES_PRIVATE_KEY, "Authority must have a LocalSigner to sign revocation records.");
+        }
+        const issuerPublicKey = await this._identity.getPublicKey();
+        const managedRecord = this._getManagedAgentRecord(publicKey);
+        const targetSequence = managedRecord?.issuedIdentity?.issuance?.sequence ?? 1;
+        const unsignedRevocation = {
+            cbio_protocol: "v1.0",
+            kind: "revocation_record",
+            issuer: createIdentityRef(issuerPublicKey),
+            target: {
+                kind: "issued_agent_identity",
+                subject_agent_id: deriveRootAgentId(publicKey),
+                sequence: targetSequence,
+            },
+            revocation: {
+                revoked_at: new Date().toISOString(),
+                reason,
+            },
+        };
+        const signedRevocation = signRevocationRecord(this._identity.signer.exportPrivateKey(), unsignedRevocation);
+        // Store the revocation record
+        const revocationKey = `cbio:revocation:${publicKey}`;
+        await this._vault.addSecret(revocationKey, JSON.stringify(signedRevocation));
+    }
+    async issueManagedAgent(options) {
+        const opts = options ?? {};
+        const issue = opts.issue ?? {};
+        const handle = opts.handle ?? {};
+        const storage = opts.storage ?? {};
+        const keys = issue.keys ?? generateIdentityKeys();
+        const publicKey = keys.publicKey || derivePublicKey(keys.privateKey);
+        const agentId = deriveRootAgentId(publicKey);
+        const secretName = issue.secretName ?? getChildIdentitySecretName(publicKey);
+        if (!(this._identity.signer instanceof LocalSigner)) {
+            throw new IdentityError(IdentityErrorCode.SIGNER_REQUIRES_PRIVATE_KEY, "CbioIdentity must have a LocalSigner to issue managed agents (requires private key access for signing).");
+        }
+        const issuerPublicKey = await this._identity.getPublicKey();
+        const unsignedIdentity = {
+            cbio_protocol: "v1.0",
+            kind: "issued_agent_identity",
+            agent: createIdentityRef(publicKey),
+            authority: createIdentityRef(issuerPublicKey),
+            issuance: {
+                issued_at: new Date().toISOString(),
+                sequence: 1,
+            },
+            capabilities: issue.issuedCapabilities,
+        };
+        const issuedIdentity = signIssuedAgentIdentity(this._identity.signer.exportPrivateKey(), unsignedIdentity);
+        const storageKey = storage.storageKey ?? getVaultPath(publicKey);
+        const record = {
+            agentId,
+            publicKey,
+            privateKey: keys.privateKey,
+            issuedIdentity,
+            storageKey,
+        };
+        const stored = JSON.stringify(record);
+        if (this._vault.hasSecret(secretName)) {
+            await this._vault.updateSecret(secretName, stored);
+        }
+        else {
+            await this._vault.addSecret(secretName, stored);
+        }
+        const childIdentity = await CbioIdentity.load({ privateKey: keys.privateKey, publicKey }, {
+            storage: storage.storage,
+            storageKey,
+            activityLog: storage.activityLog,
+            issuedIdentity,
+        });
+        return {
+            agentId,
+            publicKey,
+            agent: childIdentity.getAgent({ permissions: handle.runtimePermissions }),
+        };
+    }
+    async loadManagedAgent(publicKey, options) {
+        const opts = options ?? {};
+        this._assertManagedAgentNotRevoked(publicKey);
+        const secretName = getChildIdentitySecretName(publicKey);
+        const stored = this.getSecret(secretName);
+        if (!stored) {
+            throw new IdentityError(IdentityErrorCode.SECRET_NOT_FOUND, `Managed agent identity '${publicKey}' is not registered in this authority vault.`);
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(stored);
+        }
+        catch {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' is malformed in authority vault.`);
+        }
+        if (!parsed.privateKey || !parsed.publicKey || !parsed.issuedIdentity) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' is malformed in authority vault.`);
+        }
+        // Verify protocol alignment
+        if (!verifyIssuedAgentIdentity(parsed.issuedIdentity)) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' failed protocol verification.`);
+        }
+        const derivedPublicKey = derivePublicKey(parsed.privateKey);
+        const derivedAgentId = deriveRootAgentId(parsed.publicKey);
+        const authorityPublicKey = await this._identity.getPublicKey();
+        const authorityAgentId = await this._identity.getAgentId();
+        const issuedPublicKey = parsed.issuedIdentity.agent?.public_key;
+        const issuedAgentId = parsed.issuedIdentity.agent?.agent_id;
+        const issuedAuthorityPublicKey = parsed.issuedIdentity.authority?.public_key;
+        const issuedAuthorityAgentId = parsed.issuedIdentity.authority?.agent_id;
+        if (parsed.publicKey !== publicKey) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' record publicKey does not match requested public key.`);
+        }
+        if (derivedPublicKey !== parsed.publicKey) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' contains a privateKey/publicKey mismatch.`);
+        }
+        if ((parsed.agentId ?? derivedAgentId) !== derivedAgentId) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' contains an invalid agentId.`);
+        }
+        if (issuedPublicKey !== parsed.publicKey) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' issuedIdentity public_key does not match record publicKey.`);
+        }
+        if (issuedAgentId !== derivedAgentId) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' issuedIdentity agent_id does not match record agentId.`);
+        }
+        if (issuedAuthorityPublicKey !== authorityPublicKey) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' issuedIdentity authority public_key does not match this authority.`);
+        }
+        if (issuedAuthorityAgentId !== authorityAgentId) {
+            throw new IdentityError(IdentityErrorCode.ISSUED_IDENTITY_INVALID, `Managed agent identity '${publicKey}' issuedIdentity authority agent_id does not match this authority.`);
+        }
+        const storageKey = parsed.storageKey ?? opts.storage?.storageKey ?? getVaultPath(parsed.publicKey);
+        const childIdentity = await CbioIdentity.load({ privateKey: parsed.privateKey, publicKey: parsed.publicKey }, {
+            storage: opts.storage?.storage,
+            storageKey,
+            activityLog: opts.storage?.activityLog,
+            issuedIdentity: parsed.issuedIdentity,
+        });
+        return {
+            agentId: parsed.agentId ?? deriveRootAgentId(parsed.publicKey),
+            publicKey: parsed.publicKey,
+            agent: childIdentity.getAgent({ permissions: opts.handle?.runtimePermissions }),
+        };
+    }
+}
+export class CbioChildIdentityAdmin {
+    _identity;
+    _vault;
+    constructor(_identity, _vault) {
+        this._identity = _identity;
+        this._vault = _vault;
+    }
+    /**
+     * Registers a child identity in the parent vault.
+     * @returns The child's publicKey (domain-level identifier). Use getChildIdentitySecretName from @the-ai-company/cbio-node-runtime/protocol for vault lookups.
+     */
+    async registerChildIdentity(keys, options) {
+        if (!keys.privateKey)
+            throw new IdentityError(IdentityErrorCode.CHILD_IDENTITY_REQUIRES_PRIVATE_KEY, "Child identity requires privateKey.");
+        if (!(this._identity.signer instanceof LocalSigner)) {
+            throw new IdentityError(IdentityErrorCode.SIGNER_REQUIRES_PRIVATE_KEY, "CbioIdentity must have a LocalSigner to register child identities (requires private key access for signing).");
+        }
+        const pub = keys.publicKey || derivePublicKey(keys.privateKey);
+        const secretName = getChildIdentitySecretName(pub);
+        const issuerPublicKey = await this._identity.getPublicKey();
+        const unsignedIdentity = {
+            cbio_protocol: "v1.0",
+            kind: "issued_agent_identity",
+            agent: createIdentityRef(pub),
+            authority: createIdentityRef(issuerPublicKey),
+            issuance: {
+                issued_at: new Date().toISOString(),
+                sequence: 1,
+            },
+            capabilities: options?.issuedCapabilities,
+        };
+        const issuedIdentity = signIssuedAgentIdentity(this._identity.signer.exportPrivateKey(), unsignedIdentity);
+        const record = {
+            agentId: deriveRootAgentId(pub),
+            publicKey: pub,
+            privateKey: keys.privateKey,
+            issuedIdentity,
+        };
+        const stored = JSON.stringify(record);
+        if (this._vault.hasSecret(secretName)) {
+            await this._vault.updateSecret(secretName, stored);
+        }
+        else {
+            await this._vault.addSecret(secretName, stored);
+        }
+        return { publicKey: pub };
+    }
+}
+export class CbioAdmin {
+    vault;
+    managedAgents;
+    children;
+    constructor(identity, vault) {
+        this.vault = new CbioVaultAdmin(identity, vault);
+        this.managedAgents = new CbioManagedAgentAdmin(identity, vault);
+        this.children = new CbioChildIdentityAdmin(identity, vault);
+    }
+}
+//# sourceMappingURL=agent.js.map

package/dist/agent/agent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent.js","sourceRoot":"","sources":["../../src/agent/agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,eAAe,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC5G,OAAO,EAAE,SAAS,EAAuC,MAAM,mBAAmB,CAAC;AACnF,OAAO,EAAE,UAAU,EAA6B,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EACL,iBAAiB,GAIlB,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACtG,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,oBAAoB,EACpB,yBAAyB,EACzB,sBAAsB,GAKvB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGhE,MAAM,cAAc,GAAG,IAAI,OAAO,EAA2B,CAAC;AAW9D,SAAS,+BAA+B,CAAC,MAA0C;IACjF,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvD,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;IAC7C,IAAI,CAAC,cAAc,IAAI,OAAO,cAAc,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvE,MAAM,YAAY,GAAI,cAA6C,CAAC,YAAY,CAAC;IACjF,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACtF,CAAC;IACD,OAAO,YAAsC,CAAC;AAChD,CAAC;AA8BD,MAAM,6BAA6B,GAAwB,IAAI,GAAG,CAAuB;IACvF,YAAY;IACZ,aAAa;IACb,eAAe;IACf,eAAe;IACf,aAAa;IACb,eAAe;CAChB,CAAC,CAAC;AAmBH,SAAS,6BAA6B,CAAC,UAAgC;IACrE,OAAO,UAAU,CAAC;AACpB,CAAC;AAUD;;;;;;GAMG;AACH,MAAM,OAAO,YAAY;IAUL;IACC;IAVH,KAAK,CAAY;IACjB,OAAO,CAAS;IAChB,SAAS,CAAS;IAClC,eAAe,CAAuB;IAErB,WAAW,CAAa;IACxB,kBAAkB,CAAoB;IAEvD,YACkB,MAAc,EACb,MAAiB,EAClC,OAAgB,EAChB,SAAkB;QAHF,WAAM,GAAN,MAAM,CAAQ;QACb,WAAM,GAAN,MAAM,CAAW;QAIlC,IAAI,CAAC,OAAO,GAAG,OAAO,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,EAAE,CAAC;QAEjC,MAAM,SAAS,GAAG,CAAC,KAAuB,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;QACzF,IAAI,CAAC,WAAW,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACvE,IAAI,CAAC,kBAAkB,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACxE,IAAI,CAAC,KAAK,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9C,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,mBAAmB,CAAC,cAAmC;QACrD,IAAI,CAAC,yBAAyB,CAAC,cAAc,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,wBAAwB,IAAI,CAAC,SAAS,iCAAiC,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,cAAc,CAAC,KAAK,CAAC,UAAU,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACvD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAED,IAAI,cAAc,CAAC,KAAK,CAAC,QAAQ,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;YACnD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,4DAA4D,CAC7D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAsB,EAAE,OAA6B;QACrE,MAAM,IAAI,GAAG,OAAO,IAAI,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,MAAM,EAAE,IAAI,SAAS,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAEzE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;QACxD,MAAM,uBAAuB,GAAG,IAAI,CAAC,WAAW,EAAE,OAAO,KAAK,KAAK,IAAI,IAAI,CAAC,WAAW,EAAE,GAAG,KAAK,SAAS,CAAC;QAC3G,MAAM,cAAc,GAClB,IAAI,CAAC,WAAW,EAAE,OAAO,KAAK,KAAK;YACjC,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,GAAG,iBAAiB,CAAC,CAAC;QACtF,MAAM,QAAQ,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,uBAAuB,CAAC,CAAC;QACjH,IAAI,IAAI,CAAC,cAAc;YAAE,QAAQ,CAAC,mBAAmB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAE3E,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,UAAkB,EAAE,GAAW,EAAE,OAA8B;QACjF,OAAO,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,mBAAmB,CAAC,UAAkB;QACpC,OAAO,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,OAAO,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,OAAO,IAAI,iBAAiB,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,qBAAqB,CACzB,OAAuD;QAEvD,OAAO,IAAI,CAAC,kBAAkB,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,wBAAwB,CAC5B,OAA0D;QAE1D,OAAO,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACnE,CAAC;IAED,SAAS,CAAC,UAAkB;QAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;IACvC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CAAC,IAAa,EAAE,OAAsC;QAC/E,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;;OAQG;IACH,QAAQ,CAAC,OAAyB;QAChC,MAAM,IAAI,GAAG,OAAO,IAAI,EAAE,CAAC;QAC3B,IAAI,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;QAElC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;YACjD,UAAU,GAAG,EAAE,CAAC;YAChB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,eAAe,EAAE,YAAY,IAAI,EAAE,EAAE,CAAC;gBAC3D,UAAU,CAAC,6BAA6B,CAAC,GAA2B,CAAC,CAAC,GAAG,IAAI,CAAC;YAChF,CAAC;YACD,UAAU,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;YACjC,UAAU,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;QAClC,CAAC;QAED,OAAO,IAAI,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,kBAAkB,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC5G,CAAC;CAEF;AAED;;;;;;GAMG;AACH,MAAM,OAAO,SAAS;IAQF;IACA;IARlB,WAAW,CAAa;IACxB,kBAAkB,CAAoB;IACtC,YAAY,CAAqB;IAEjC,YACE,UAAsB,EACtB,iBAAoC,EACpB,OAAe,EACf,SAAiB,EACjC,WAAgC;QAFhB,YAAO,GAAP,OAAO,CAAQ;QACf,cAAS,GAAT,SAAS,CAAQ;QAGjC,IAAI,CAAC,WAAW,GAAG,UAAU,CAAC;QAC9B,IAAI,CAAC,kBAAkB,GAAG,iBAAiB,CAAC;QAC5C,uFAAuF;QACvF,IAAI,CAAC,YAAY,GAAG,WAAW,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACjF,CAAC;IAED;;OAEG;IACH,IAAI,WAAW;QACb,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IACjD,CAAC;IAEO,gBAAgB,CAAC,UAAiC;QACxD,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,iBAAiB,EACnC,+BAA+B,UAAU,eAAe,CACzD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,UAAkB,EAAE,GAAW,EAAE,OAA8B;QACjF,2CAA2C;QAC3C,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,mBAAmB,CAAC,UAAkB;QACpC,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,qBAAqB,CACzB,OAAuD;QAEvD,IAAI,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC,kBAAkB,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,wBAAwB,CAC5B,OAA0D;QAE1D,IAAI,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACnE,CAAC;IAED,SAAS,CAAC,UAAkB;QAC1B,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACvD,CAAC;IAED,eAAe;QACb,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC,kBAAkB,CAAC,eAAe,EAAE,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,UAAiC;QACnC,OAAO,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;CACF;AAqDD;;;;GAIG;AACH,MAAM,mBAAmB;IAEF;IACA;IAFrB,YACqB,SAAuB,EACvB,MAAiB;QADjB,cAAS,GAAT,SAAS,CAAc;QACvB,WAAM,GAAN,MAAM,CAAW;IACnC,CAAC;IAEM,SAAS,CAAC,UAAkB;QACpC,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,UAAkB,EAAE,WAAmB,EAAE,OAAsB;QAC7E,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IAES,sBAAsB,CAAC,SAAiB;QAChD,MAAM,UAAU,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAuB,CAAC;YACxD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAES,0BAA0B,CAAC,SAAiB;QACpD,MAAM,aAAa,GAAG,mBAAmB,SAAS,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAqB,CAAC;YACtD,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;YACjD,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,KAAK,IAAI,CAAC,SAAS,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YACvE,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,IAAI,CAAC,SAAS,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YACnE,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,uBAAuB;gBAAE,OAAO,IAAI,CAAC;YAChE,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,KAAK,iBAAiB,CAAC,SAAS,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEjF,MAAM,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YACtD,MAAM,gBAAgB,GAAG,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,CAAC;YACpE,IAAI,gBAAgB,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,gBAAgB;gBAAE,OAAO,IAAI,CAAC;YAE/F,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAES,sBAAsB,CAAC,SAAiB;QAChD,OAAO,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,KAAK,IAAI,CAAC;IAC7D,CAAC;IAES,6BAA6B,CAAC,SAAiB;QACvD,IAAI,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3C,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,iBAAiB,EACnC,kBAAkB,SAAS,0CAA0C,CACtE,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AAED,MAAM,OAAO,cAAc;IAEN;IACA;IAFnB,YACmB,SAAuB,EACvB,MAAiB;QADjB,cAAS,GAAT,SAAS,CAAc;QACvB,WAAM,GAAN,MAAM,CAAW;IACjC,CAAC;IAEJ,KAAK,CAAC,SAAS,CAAC,UAAkB,EAAE,WAAmB,EAAE,OAAsB;QAC7E,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IAED,SAAS,CAAC,UAAkB;QAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,SAAS,CAAC,UAAkB;QAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,UAAkB,EAAE,cAAiC;QACjF,MAAM,IAAI,CAAC,MAAM,CAAC,uBAAuB,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,sBAAsB;QAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,SAAS,CACb,aAA2B,EAC3B,OAAyD;QAEzD,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACrD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,iEAAiE,CAClE,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,CAAC,GAAW;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,kBAAkB,CAAC,GAAW,EAAE,UAAkB;QAChD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,WAAW,CAAC,UAAkB;QAClC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAC5D,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,mBAAmB;IAC5D,2BAA2B,CAAC,SAAiB;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QAE5D,IAAI,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3C,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QACjD,CAAC;QAED,MAAM,YAAY,GAAG,+BAA+B,CAAC,MAAM,CAAC,CAAC;QAC7D,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;QACjD,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,SAAiB,EAAE,MAAe;QACzD,MAAM,UAAU,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,gBAAgB,EAClC,kCAAkC,SAAS,4BAA4B,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,YAAY,WAAW,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,2BAA2B,EAC7C,+DAA+D,CAChE,CAAC;QACJ,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC5D,MAAM,aAAa,GAAG,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,aAAa,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,IAAI,CAAC,CAAC;QAC9E,MAAM,kBAAkB,GAA6B;YACnD,aAAa,EAAE,MAAM;YACrB,IAAI,EAAE,mBAAmB;YACzB,MAAM,EAAE,iBAAiB,CAAC,eAAe,CAAC;YAC1C,MAAM,EAAE;gBACN,IAAI,EAAE,uBAAuB;gBAC7B,gBAAgB,EAAE,iBAAiB,CAAC,SAAS,CAAC;gBAC9C,QAAQ,EAAE,cAAc;aACzB;YACD,UAAU,EAAE;gBACV,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACpC,MAAM;aACP;SACF,CAAC;QAEF,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAE5G,8BAA8B;QAC9B,MAAM,aAAa,GAAG,mBAAmB,SAAS,EAAE,CAAC;QACrD,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAkC;QACxD,MAAM,IAAI,GAAG,OAAO,IAAI,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,oBAAoB,EAAE,CAAC;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAE7E,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,YAAY,WAAW,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,2BAA2B,EAC7C,yGAAyG,CAC1G,CAAC;QACJ,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAE5D,MAAM,gBAAgB,GAAgC;YACpD,aAAa,EAAE,MAAM;YACrB,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,iBAAiB,CAAC,SAAS,CAAC;YACnC,SAAS,EAAE,iBAAiB,CAAC,eAAe,CAAC;YAC7C,QAAQ,EAAE;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,QAAQ,EAAE,CAAC;aACZ;YACD,YAAY,EAAE,KAAK,CAAC,kBAAkB;SACvC,CAAC;QAEF,MAAM,cAAc,GAAG,uBAAuB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAE3G,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;QACjE,MAAM,MAAM,GAAuB;YACjC,OAAO;YACP,SAAS;YACT,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,cAAc;YACd,UAAU;SACX,CAAC;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,IAAI,CAC3C,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,EAC1C;YACE,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,UAAU;YACV,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,cAAc;SACf,CACF,CAAC;QACF,OAAO;YACL,OAAO;YACP,SAAS;YACT,KAAK,EAAE,aAAa,CAAC,QAAQ,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,kBAAkB,EAAE,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB,EAAE,OAAiC;QACzE,MAAM,IAAI,GAAG,OAAO,IAAI,EAAE,CAAC;QAC3B,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,UAAU,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,gBAAgB,EAClC,2BAA2B,SAAS,8CAA8C,CACnF,CAAC;QACJ,CAAC;QAED,IAAI,MAAmC,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAgC,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,oCAAoC,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YACtE,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,oCAAoC,CACzE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,CAAC,yBAAyB,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,iCAAiC,CACtE,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC5D,MAAM,cAAc,GAAG,iBAAiB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC/D,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;QAC3D,MAAM,eAAe,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,UAAU,CAAC;QAChE,MAAM,aAAa,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC;QAC5D,MAAM,wBAAwB,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,UAAU,CAAC;QAC7E,MAAM,sBAAsB,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,QAAQ,CAAC;QAEzE,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,yDAAyD,CAC9F,CAAC;QACJ,CAAC;QAED,IAAI,gBAAgB,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1C,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,6CAA6C,CAClF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC,KAAK,cAAc,EAAE,CAAC;YAC1D,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,gCAAgC,CACrE,CAAC;QACJ,CAAC;QAED,IAAI,eAAe,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YACzC,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,8DAA8D,CACnG,CAAC;QACJ,CAAC;QAED,IAAI,aAAa,KAAK,cAAc,EAAE,CAAC;YACrC,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,0DAA0D,CAC/F,CAAC;QACJ,CAAC;QAED,IAAI,wBAAwB,KAAK,kBAAkB,EAAE,CAAC;YACpD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,sEAAsE,CAC3G,CAAC;QACJ,CAAC;QAED,IAAI,sBAAsB,KAAK,gBAAgB,EAAE,CAAC;YAChD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,uBAAuB,EACzC,2BAA2B,SAAS,oEAAoE,CACzG,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,OAAO,EAAE,UAAU,IAAI,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACnG,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,IAAI,CAC3C,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,EAC9D;YACE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO;YAC9B,UAAU;YACV,WAAW,EAAE,IAAI,CAAC,OAAO,EAAE,WAAW;YACtC,cAAc,EAAE,MAAM,CAAC,cAAc;SACtC,CACF,CAAC;QACF,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,iBAAiB,CAAC,MAAM,CAAC,SAAS,CAAC;YAC9D,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,KAAK,EAAE,aAAa,CAAC,QAAQ,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,MAAM,EAAE,kBAAkB,EAAE,CAAC;SAChF,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,sBAAsB;IAEd;IACA;IAFnB,YACmB,SAAuB,EACvB,MAAiB;QADjB,cAAS,GAAT,SAAS,CAAc;QACvB,WAAM,GAAN,MAAM,CAAW;IACjC,CAAC;IAEJ;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CAAC,IAAa,EAAE,OAAsC;QAC/E,IAAI,CAAC,IAAI,CAAC,UAAU;YAClB,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,mCAAmC,EACrD,qCAAqC,CACtC,CAAC;QAEJ,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,YAAY,WAAW,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,aAAa,CACrB,iBAAiB,CAAC,2BAA2B,EAC7C,8GAA8G,CAC/G,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,IAAI,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;QAEnD,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC5D,MAAM,gBAAgB,GAAgC;YACpD,aAAa,EAAE,MAAM;YACrB,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,iBAAiB,CAAC,GAAG,CAAC;YAC7B,SAAS,EAAE,iBAAiB,CAAC,eAAe,CAAC;YAC7C,QAAQ,EAAE;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,QAAQ,EAAE,CAAC;aACZ;YACD,YAAY,EAAE,OAAO,EAAE,kBAAkB;SAC1C,CAAC;QAEF,MAAM,cAAc,GAAG,uBAAuB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAE3G,MAAM,MAAM,GAAG;YACb,OAAO,EAAE,iBAAiB,CAAC,GAAG,CAAC;YAC/B,SAAS,EAAE,GAAG;YACd,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,cAAc;SACf,CAAC;QAEF,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,OAAO,SAAS;IACJ,KAAK,CAAiB;IACtB,aAAa,CAAwB;IACrC,QAAQ,CAAyB;IAEjD,YAAY,QAAsB,EAAE,KAAgB;QAClD,IAAI,CAAC,KAAK,GAAG,IAAI,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,IAAI,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAChE,IAAI,CAAC,QAAQ,GAAG,IAAI,sBAAsB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC9D,CAAC;CACF"}

package/dist/audit/ActivityLog.d.ts

@@ -0,0 +1,25 @@
+/**
+ * ActivityLog
+ *
+ * Audit log for fetchWithAuth/fetchJsonAndAddSecret/fetchJsonAndUpdateSecret. Separate from vault.
+ * No sensitive data. For dashboard/UI display. Optional, can be disabled.
+ * First line is metadata (_meta) for consumer identification.
+ */
+import type { IStorageProvider } from '../storage/provider.js';
+export interface ActivityLogMetadata {
+    v: number;
+    agentId: string;
+    storageKey: string;
+}
+export interface ActivityLogEntry {
+    ts: number;
+    action: 'fetchWithAuth' | 'fetchJsonAndAddSecret' | 'fetchJsonAndUpdateSecret';
+    secretName: string;
+    url: string;
+    method: string;
+    success: boolean;
+    error?: string;
+}
+export declare function appendActivityLog(storage: IStorageProvider, key: string, entry: ActivityLogEntry, metadata?: ActivityLogMetadata): Promise<void>;
+export declare function readActivityLog(storage: IStorageProvider, key: string): Promise<ActivityLogEntry[]>;
+export declare function readActivityLogMetadata(storage: IStorageProvider, key: string): Promise<ActivityLogMetadata | null>;