@the-ai-company/cbio-node-runtime 0.39.0 → 1.0.0

package/dist/vault-ingress/flow-factories.js

@@ -0,0 +1,48 @@
+function normalizeMethod(method) {
+    const normalized = method.trim().toUpperCase();
+    if (!normalized) {
+        throw new Error("VAULT_FLOW_METHOD_REQUIRED");
+    }
+    return normalized;
+}
+export function createOwnerHttpFlowBoundary(boundary) {
+    const normalized = {
+        ...boundary,
+        method: normalizeMethod(boundary.method),
+    };
+    if (normalized.mode !== "send_secret" && !normalized.responseSecret) {
+        throw new Error("VAULT_FLOW_RESPONSE_SECRET_REQUIRED");
+    }
+    return normalized;
+}
+export function createStandardAcquireBoundary(input) {
+    return createOwnerHttpFlowBoundary({
+        mode: "acquire_secret",
+        targetUrl: input.targetUrl,
+        method: input.method ?? "POST",
+        responseVisibility: "shape_only",
+        responseSecret: {
+            kind: "json_field",
+            field: input.responseField,
+            storeAlias: input.storeAlias,
+        },
+    });
+}
+export function createStandardDispatchBoundary(input) {
+    return createOwnerHttpFlowBoundary({
+        mode: "send_secret",
+        targetUrl: input.targetUrl,
+        method: input.method,
+        responseVisibility: "passthrough",
+    });
+}
+export function toOwnerHttpFlowBoundary(flow) {
+    return createOwnerHttpFlowBoundary({
+        mode: flow.mode,
+        targetUrl: flow.targetUrl,
+        method: flow.method,
+        responseVisibility: flow.responseVisibility,
+        responseSecret: flow.responseSecret,
+    });
+}
+//# sourceMappingURL=flow-factories.js.map

package/dist/vault-ingress/flow-factories.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flow-factories.js","sourceRoot":"","sources":["../../src/vault-ingress/flow-factories.ts"],"names":[],"mappings":"AAcA,SAAS,eAAe,CAAC,MAAc;IACrC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,QAA+B;IACzE,MAAM,UAAU,GAAG;QACjB,GAAG,QAAQ;QACX,MAAM,EAAE,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC;KACzC,CAAC;IACF,IAAI,UAAU,CAAC,IAAI,KAAK,aAAa,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,KAK7C;IACC,OAAO,2BAA2B,CAAC;QACjC,IAAI,EAAE,gBAAgB;QACtB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,MAAM;QAC9B,kBAAkB,EAAE,YAAY;QAChC,cAAc,EAAE;YACd,IAAI,EAAE,YAAY;YAClB,KAAK,EAAE,KAAK,CAAC,aAAa;YAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,KAG9C;IACC,OAAO,2BAA2B,CAAC;QACjC,IAAI,EAAE,aAAa;QACnB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,kBAAkB,EAAE,aAAa;KAClC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,IAGvC;IACC,OAAO,2BAA2B,CAAC;QACjC,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;QAC3C,cAAc,EAAE,IAAI,CAAC,cAAc;KACpC,CAAC,CAAC;AACL,CAAC"}

package/dist/vault-ingress/index.d.ts

@@ -0,0 +1,81 @@
+import { type AgentCapability, type VaultCore, type VaultCoreDependencies, type DispatchRequest, type DispatchResult, type Clock, type OwnerAuditRequest, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerRegisterOwnerIdentityCommand, type CustomHttpFlowDefinition, type OwnerIdentityRecord, type SecretRecord, type VaultId } from "../vault-core/index.js";
+export type RedactedResponseShape = null | string | number | boolean | RedactedResponseShape[] | {
+    [key: string]: RedactedResponseShape;
+};
+export type VaultAcquireSecretFlow = "oauth_token_response.access_token" | "oauth_token_response.refresh_token" | "openid_token_response.id_token";
+export interface VaultCapabilityResolver {
+    resolve(vaultId: VaultId, agentId: string, capabilityId: string): Promise<AgentCapability>;
+}
+export interface VaultAgentDispatchRequest {
+    vaultId: string;
+    requestId: string;
+    requestedAt: string;
+    agentId: string;
+    capabilityId: string;
+    secretAlias?: string;
+    targetUrl: string;
+    method: string;
+    headers?: Record<string, string>;
+    body?: string;
+    proof: {
+        signature: string;
+    };
+}
+export interface VaultAgentDispatchResponse {
+    ok: true;
+    result: DispatchResult;
+}
+export interface VaultAgentDispatchErrorResponse {
+    ok: false;
+    error: {
+        code: string;
+        message: string;
+    };
+}
+export interface VaultAcquireSecretInput {
+    alias: string;
+    issuerId: string;
+    url: string;
+    flow: VaultAcquireSecretFlow;
+    method?: string;
+    headers?: Record<string, string>;
+    body?: string;
+    requestedAt?: string;
+}
+export interface VaultAcquireSecretResult {
+    vaultId: VaultId;
+    alias: string;
+    status: "stored";
+    responseStatus: number;
+    contentType: string | null;
+    responseShape: RedactedResponseShape;
+}
+export interface VaultCustomFlowResolver {
+    get(vaultId: VaultId, flowId: string): Promise<CustomHttpFlowDefinition | null>;
+}
+export interface VaultService {
+    readonly vaultId: VaultCore["vaultId"];
+    bootstrapOwnerIdentity(request: OwnerIdentityRecord): Promise<void>;
+    registerAgentIdentity(request: OwnerRegisterAgentIdentityCommand): Promise<void>;
+    registerOwnerIdentity(request: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+    registerCustomFlow(request: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+    writeSecret(request: import("../vault-core/index.js").VaultWriteSecretCommand): Promise<SecretRecord>;
+    acquireSecret(request: VaultAcquireSecretInput): Promise<VaultAcquireSecretResult>;
+    dispatch(request: DispatchRequest): Promise<DispatchResult>;
+    handleAgentDispatch(request: VaultAgentDispatchRequest): Promise<VaultAgentDispatchResponse | VaultAgentDispatchErrorResponse>;
+    readAudit(request: OwnerAuditRequest): Promise<readonly import("../vault-core/index.js").AuditEntry[]>;
+}
+export declare function createVaultService(deps: VaultCoreDependencies, options?: {
+    capabilities?: VaultCapabilityResolver;
+    customFlows?: VaultCustomFlowResolver;
+    clock?: Clock;
+    fetchImpl?: typeof fetch;
+}): VaultService;
+export declare function wrapVaultCoreAsVaultService(core: VaultCore, options?: {
+    capabilities?: VaultCapabilityResolver;
+    customFlows?: VaultCustomFlowResolver;
+    clock?: Clock;
+    fetchImpl?: typeof fetch;
+}): VaultService;
+export type { OwnerHttpFlowBoundary } from "./flow-factories.js";
+export { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";

package/dist/vault-ingress/index.js

@@ -0,0 +1,357 @@
+import { createVaultCore, } from "../vault-core/index.js";
+import { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";
+class LocalVaultService {
+    _authority;
+    _capabilities;
+    _customFlows;
+    _clock;
+    _fetchImpl;
+    constructor(_authority, _capabilities, _customFlows, _clock, _fetchImpl = fetch) {
+        this._authority = _authority;
+        this._capabilities = _capabilities;
+        this._customFlows = _customFlows;
+        this._clock = _clock;
+        this._fetchImpl = _fetchImpl;
+    }
+    get vaultId() {
+        return this._authority.vaultId;
+    }
+    bootstrapOwnerIdentity(request) {
+        return this._authority.bootstrapOwnerIdentity(request);
+    }
+    registerAgentIdentity(request) {
+        return this._authority.registerAgentIdentity(request);
+    }
+    registerOwnerIdentity(request) {
+        return this._authority.registerOwnerIdentity(request);
+    }
+    registerCustomFlow(request) {
+        return this._authority.registerCustomFlow(request);
+    }
+    writeSecret(request) {
+        return this._authority.writeSecret(request);
+    }
+    redactResponseShape(value) {
+        if (value === null || value === undefined) {
+            return null;
+        }
+        if (Array.isArray(value)) {
+            return value.map((entry) => this.redactResponseShape(entry));
+        }
+        if (typeof value === "object") {
+            return Object.fromEntries(Object.entries(value).map(([key, entry]) => [key, this.redactResponseShape(entry)]));
+        }
+        return null;
+    }
+    buildAcquireResponseShape(flow, payload) {
+        if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+            return this.redactResponseShape(payload);
+        }
+        const record = payload;
+        const response = {};
+        switch (flow) {
+            case "oauth_token_response.access_token":
+            case "oauth_token_response.refresh_token":
+            case "openid_token_response.id_token": {
+                if ("token_type" in record) {
+                    response.token_type = typeof record.token_type === "string" ? record.token_type : null;
+                }
+                if ("expires_in" in record) {
+                    response.expires_in = typeof record.expires_in === "number" ? record.expires_in : null;
+                }
+                if ("scope" in record) {
+                    response.scope = typeof record.scope === "string" ? record.scope : null;
+                }
+                break;
+            }
+        }
+        return response;
+    }
+    extractSecretForFlow(flow, payload) {
+        if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+            throw new Error("VAULT_ACQUISITION_RESPONSE_INVALID");
+        }
+        const record = payload;
+        switch (flow) {
+            case "oauth_token_response.access_token": {
+                if (typeof record.access_token !== "string" || !record.access_token) {
+                    throw new Error("VAULT_ACQUISITION_SECRET_NOT_FOUND");
+                }
+                return record.access_token;
+            }
+            case "oauth_token_response.refresh_token": {
+                if (typeof record.refresh_token !== "string" || !record.refresh_token) {
+                    throw new Error("VAULT_ACQUISITION_SECRET_NOT_FOUND");
+                }
+                return record.refresh_token;
+            }
+            case "openid_token_response.id_token": {
+                if (typeof record.id_token !== "string" || !record.id_token) {
+                    throw new Error("VAULT_ACQUISITION_SECRET_NOT_FOUND");
+                }
+                return record.id_token;
+            }
+        }
+    }
+    parseRawResponse(contentType, rawPayload) {
+        if (!rawPayload) {
+            return null;
+        }
+        if (contentType?.includes("json")) {
+            return JSON.parse(rawPayload);
+        }
+        try {
+            return JSON.parse(rawPayload);
+        }
+        catch {
+            return rawPayload;
+        }
+    }
+    async fetchAndParse(request) {
+        const response = await this._fetchImpl(request.url, {
+            method: request.method ?? "GET",
+            headers: request.headers,
+            body: request.body,
+        });
+        const contentType = response.headers.get("content-type");
+        const rawBody = await response.text();
+        return {
+            contentType,
+            rawBody,
+            parsedBody: this.parseRawResponse(contentType, rawBody),
+            responseStatus: response.status,
+        };
+    }
+    extractCustomFlowSecret(flow, payload) {
+        if (!flow.responseSecret) {
+            return null;
+        }
+        if (flow.responseSecret.kind === "json_field") {
+            if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+                throw new Error("VAULT_CUSTOM_FLOW_RESPONSE_INVALID");
+            }
+            const value = payload[flow.responseSecret.field];
+            if (typeof value !== "string" || !value) {
+                throw new Error("VAULT_CUSTOM_FLOW_SECRET_NOT_FOUND");
+            }
+            return value;
+        }
+        return null;
+    }
+    async acquireSecret(request) {
+        const standardBoundary = createStandardAcquireBoundary({
+            targetUrl: request.url,
+            method: request.method,
+            responseField: request.flow === "oauth_token_response.access_token"
+                ? "access_token"
+                : request.flow === "oauth_token_response.refresh_token"
+                    ? "refresh_token"
+                    : "id_token",
+            storeAlias: request.alias,
+        });
+        const payload = await this.fetchAndParse(request);
+        const targetBindings = [{
+                kind: "site",
+                targetId: request.issuerId,
+                targetUrl: standardBoundary.targetUrl,
+                methods: [standardBoundary.method],
+                paths: [new URL(standardBoundary.targetUrl).pathname || "/"],
+            }];
+        await this._authority.writeSecret({
+            kind: "issuer.write_secret",
+            vaultId: this._authority.vaultId,
+            issuer: {
+                kind: "trusted_issuer",
+                id: request.issuerId,
+            },
+            alias: request.alias,
+            plaintext: this.extractSecretForFlow(request.flow, payload.parsedBody),
+            issuerSiteId: request.issuerId,
+            targetBindings,
+            requestedAt: request.requestedAt ?? (this._clock?.nowIso() ?? new Date().toISOString()),
+        });
+        return {
+            vaultId: this._authority.vaultId,
+            alias: request.alias,
+            status: "stored",
+            responseStatus: payload.responseStatus,
+            contentType: payload.contentType,
+            responseShape: this.buildAcquireResponseShape(request.flow, payload.parsedBody),
+        };
+    }
+    dispatch(request) {
+        return this._authority.dispatchSecret(request);
+    }
+    async handleAgentDispatch(request) {
+        try {
+            const vaultId = { value: request.vaultId };
+            const capability = await this.resolveCapability(vaultId, request.agentId, request.capabilityId);
+            const customFlow = capability.operation === "custom_http"
+                ? await this.resolveCustomFlow(vaultId, capability.customFlowId)
+                : null;
+            const boundary = customFlow
+                ? toOwnerHttpFlowBoundary(customFlow)
+                : createOwnerHttpFlowBoundary({
+                    mode: "send_secret",
+                    targetUrl: request.targetUrl,
+                    method: request.method,
+                    responseVisibility: "passthrough",
+                });
+            if (customFlow) {
+                if (request.targetUrl !== boundary.targetUrl || request.method.toUpperCase() !== boundary.method.toUpperCase()) {
+                    throw new Error("VAULT_CUSTOM_FLOW_BINDING_MISMATCH");
+                }
+            }
+            if (boundary.mode === "acquire_secret") {
+                if (!customFlow) {
+                    throw new Error("VAULT_CUSTOM_FLOW_NOT_FOUND");
+                }
+                const authorization = await this._authority.authorizeDispatch({
+                    vaultId,
+                    requestId: request.requestId,
+                    requestedAt: request.requestedAt,
+                    agent: {
+                        kind: "agent",
+                        id: request.agentId,
+                    },
+                    capability,
+                    proof: {
+                        agentId: request.agentId,
+                        signature: request.proof.signature,
+                        requestId: request.requestId,
+                        requestedAt: request.requestedAt,
+                    },
+                    secretAlias: undefined,
+                    targetUrl: request.targetUrl,
+                    method: request.method,
+                    headers: request.headers,
+                    body: request.body,
+                });
+                if (authorization.decision !== "allow") {
+                    throw new Error("VAULT_CUSTOM_FLOW_DENIED");
+                }
+                const payload = await this.fetchAndParse({
+                    url: request.targetUrl,
+                    method: request.method,
+                    headers: request.headers,
+                    body: request.body,
+                });
+                const acquiredSecret = this.extractCustomFlowSecret(customFlow, payload.parsedBody);
+                if (!acquiredSecret || !customFlow.responseSecret) {
+                    throw new Error("VAULT_CUSTOM_FLOW_SECRET_NOT_FOUND");
+                }
+                await this._authority.storeCustomFlowSecret(customFlow, customFlow.responseSecret.storeAlias, acquiredSecret);
+                return {
+                    ok: true,
+                    result: {
+                        vaultId,
+                        requestId: request.requestId,
+                        status: "succeeded",
+                        targetUrl: request.targetUrl,
+                        method: request.method,
+                        responseStatus: payload.responseStatus,
+                        responseBody: boundary.responseVisibility === "shape_only"
+                            ? JSON.stringify(this.redactResponseShape(payload.parsedBody))
+                            : payload.rawBody,
+                    },
+                };
+            }
+            const result = await this._authority.dispatchSecret({
+                vaultId,
+                requestId: request.requestId,
+                requestedAt: request.requestedAt,
+                agent: {
+                    kind: "agent",
+                    id: request.agentId,
+                },
+                capability,
+                proof: {
+                    agentId: request.agentId,
+                    signature: request.proof.signature,
+                    requestId: request.requestId,
+                    requestedAt: request.requestedAt,
+                },
+                secretAlias: request.secretAlias,
+                targetUrl: request.targetUrl,
+                method: request.method,
+                headers: request.headers,
+                body: request.body,
+            });
+            if (boundary.mode === "bidirectional_secret") {
+                if (!customFlow) {
+                    throw new Error("VAULT_CUSTOM_FLOW_NOT_FOUND");
+                }
+                const parsedBody = this.parseBody(result.responseBody);
+                const acquiredSecret = this.extractCustomFlowSecret(customFlow, parsedBody);
+                if (!acquiredSecret || !customFlow.responseSecret) {
+                    throw new Error("VAULT_CUSTOM_FLOW_SECRET_NOT_FOUND");
+                }
+                await this._authority.storeCustomFlowSecret(customFlow, customFlow.responseSecret.storeAlias, acquiredSecret);
+            }
+            return {
+                ok: true,
+                result: boundary.responseVisibility === "shape_only"
+                    ? {
+                        ...result,
+                        responseBody: JSON.stringify(this.redactResponseShape(this.parseBody(result.responseBody))),
+                    }
+                    : result,
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            const code = error instanceof Error && "code" in error && typeof error.code === "string"
+                ? error.code
+                : "VAULT_AGENT_DISPATCH_REJECTED";
+            return {
+                ok: false,
+                error: { code, message },
+            };
+        }
+    }
+    readAudit(request) {
+        return this._authority.getAudit(request.actor, request.query, {
+            requestId: request.requestId,
+            requestedAt: request.requestedAt,
+            proof: request.proof,
+        });
+    }
+    async resolveCapability(vaultId, agentId, capabilityId) {
+        if (!this._capabilities) {
+            throw new Error("VAULT_CAPABILITY_RESOLVER_NOT_CONFIGURED");
+        }
+        return this._capabilities.resolve(vaultId, agentId, capabilityId);
+    }
+    parseBody(body) {
+        if (!body) {
+            return null;
+        }
+        try {
+            return JSON.parse(body);
+        }
+        catch {
+            return body;
+        }
+    }
+    async resolveCustomFlow(vaultId, flowId) {
+        if (!flowId) {
+            throw new Error("VAULT_CUSTOM_FLOW_NOT_PROVIDED");
+        }
+        if (!this._customFlows) {
+            throw new Error("VAULT_CUSTOM_FLOW_RESOLVER_NOT_CONFIGURED");
+        }
+        const flow = await this._customFlows.get(vaultId, flowId);
+        if (!flow) {
+            throw new Error("VAULT_CUSTOM_FLOW_NOT_FOUND");
+        }
+        return flow;
+    }
+}
+export function createVaultService(deps, options = {}) {
+    return new LocalVaultService(createVaultCore(deps), options.capabilities, options.customFlows ?? deps.customFlows, options.clock, options.fetchImpl);
+}
+export function wrapVaultCoreAsVaultService(core, options = {}) {
+    return new LocalVaultService(core, options.capabilities, options.customFlows, options.clock, options.fetchImpl);
+}
+export { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";
+//# sourceMappingURL=index.js.map

package/dist/vault-ingress/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault-ingress/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,GAiBhB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,uBAAuB,GACxB,MAAM,qBAAqB,CAAC;AA0F7B,MAAM,iBAAiB;IAEF;IACA;IACA;IACA;IACA;IALnB,YACmB,UAAqB,EACrB,aAAuC,EACvC,YAAsC,EACtC,MAAc,EACd,aAA2B,KAAK;QAJhC,eAAU,GAAV,UAAU,CAAW;QACrB,kBAAa,GAAb,aAAa,CAA0B;QACvC,iBAAY,GAAZ,YAAY,CAA0B;QACtC,WAAM,GAAN,MAAM,CAAQ;QACd,eAAU,GAAV,UAAU,CAAsB;IAChD,CAAC;IAEJ,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;IACjC,CAAC;IAED,sBAAsB,CAAC,OAA4B;QACjD,OAAO,IAAI,CAAC,UAAU,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,qBAAqB,CAAC,OAA0C;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,qBAAqB,CAAC,OAA0C;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,kBAAkB,CAAC,OAA2C;QAC5D,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,WAAW,CAAC,OAAiE;QAC3E,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAEO,mBAAmB,CAAC,KAAc;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CACpF,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,yBAAyB,CAAC,IAA4B,EAAE,OAAgB;QAC9E,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtE,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,MAAM,QAAQ,GAA0C,EAAE,CAAC;QAC3D,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,mCAAmC,CAAC;YACzC,KAAK,oCAAoC,CAAC;YAC1C,KAAK,gCAAgC,CAAC,CAAC,CAAC;gBACtC,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,UAAU,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;gBACzF,CAAC;gBACD,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,UAAU,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;gBACzF,CAAC;gBACD,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;oBACtB,QAAQ,CAAC,KAAK,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1E,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,oBAAoB,CAAC,IAA4B,EAAE,OAAgB;QACzE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,mCAAmC,CAAC,CAAC,CAAC;gBACzC,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBACpE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,YAAY,CAAC;YAC7B,CAAC;YACD,KAAK,oCAAoC,CAAC,CAAC,CAAC;gBAC1C,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;oBACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,aAAa,CAAC;YAC9B,CAAC;YACD,KAAK,gCAAgC,CAAC,CAAC,CAAC;gBACtC,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC5D,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,QAAQ,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,WAA0B,EAAE,UAAkB;QACrE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,OAK3B;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;YAC/B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO;YACL,WAAW;YACX,OAAO;YACP,UAAU,EAAE,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC;YACvD,cAAc,EAAE,QAAQ,CAAC,MAAM;SAChC,CAAC;IACJ,CAAC;IAEO,uBAAuB,CAAC,IAA8B,EAAE,OAAgB;QAC9E,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,MAAM,KAAK,GAAI,OAAmC,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAC9E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAgC;QAClD,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;YACrD,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,aAAa,EAAE,OAAO,CAAC,IAAI,KAAK,mCAAmC;gBACjE,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,OAAO,CAAC,IAAI,KAAK,oCAAoC;oBACrD,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,UAAU;YAChB,UAAU,EAAE,OAAO,CAAC,KAAK;SAC1B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,cAAc,GAAkC,CAAC;gBACrD,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,gBAAgB,CAAC,SAAS;gBACrC,OAAO,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;gBAClC,KAAK,EAAE,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC;aAC7D,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAChC,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,MAAM,EAAE;gBACN,IAAI,EAAE,gBAAgB;gBACtB,EAAE,EAAE,OAAO,CAAC,QAAQ;aACrB;YACD,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC;YACtE,YAAY,EAAE,OAAO,CAAC,QAAQ;YAC9B,cAAc;YACd,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;SACxF,CAAC,CAAC;QACH,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,QAAQ;YAChB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC;SAChF,CAAC;IACJ,CAAC;IAED,QAAQ,CAAC,OAAwB;QAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,OAAkC;QAElC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;YAChG,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,KAAK,aAAa;gBACvD,CAAC,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,UAAU,CAAC,YAAY,CAAC;gBAChE,CAAC,CAAC,IAAI,CAAC;YACT,MAAM,QAAQ,GAAG,UAAU;gBACzB,CAAC,CAAC,uBAAuB,CAAC,UAAU,CAAC;gBACrC,CAAC,CAAC,2BAA2B,CAAC;oBAC5B,IAAI,EAAE,aAAa;oBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,kBAAkB,EAAE,aAAa;iBAClC,CAAC,CAAC;YACL,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;oBAC/G,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC;YACD,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACvC,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;oBAC5D,OAAO;oBACP,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,OAAO;wBACb,EAAE,EAAE,OAAO,CAAC,OAAO;qBACpB;oBACD,UAAU;oBACV,KAAK,EAAE;wBACL,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS;wBAClC,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;qBACjC;oBACD,WAAW,EAAE,SAAS;oBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,aAAa,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC9C,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC;oBACvC,GAAG,EAAE,OAAO,CAAC,SAAS;oBACtB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;gBACpF,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;gBAC9G,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE;wBACN,OAAO;wBACP,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,MAAM,EAAE,WAAW;wBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,cAAc,EAAE,OAAO,CAAC,cAAc;wBACtC,YAAY,EAAE,QAAQ,CAAC,kBAAkB,KAAK,YAAY;4BACxD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;4BAC9D,CAAC,CAAC,OAAO,CAAC,OAAO;qBACpB;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC;gBAClD,OAAO;gBACP,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,KAAK,EAAE;oBACL,IAAI,EAAE,OAAO;oBACb,EAAE,EAAE,OAAO,CAAC,OAAO;iBACpB;gBACD,UAAU;gBACV,KAAK,EAAE;oBACL,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS;oBAClC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBACvD,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gBAC5E,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAChH,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,MAAM,EAAE,QAAQ,CAAC,kBAAkB,KAAK,YAAY;oBAClD,CAAC,CAAC;wBACA,GAAG,MAAM;wBACT,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;qBAC5F;oBACD,CAAC,CAAC,MAAM;aACX,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,GAAG,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,OAAQ,KAA4B,CAAC,IAAI,KAAK,QAAQ;gBAC9G,CAAC,CAAE,KAA0B,CAAC,IAAI;gBAClC,CAAC,CAAC,+BAA+B,CAAC;YACpC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;aACzB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,SAAS,CAAC,OAA0B;QAClC,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;YAC5D,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB,EAAE,OAAe,EAAE,YAAoB;QACrF,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;IACpE,CAAC;IAEO,SAAS,CAAC,IAAwB;QACxC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB,EAAE,MAA0B;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,MAAM,UAAU,kBAAkB,CAChC,IAA2B,EAC3B,UAKI,EAAE;IAEN,OAAO,IAAI,iBAAiB,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;AACvJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,IAAe,EACf,UAKI,EAAE;IAEN,OAAO,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;AAClH,CAAC;AAGD,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,qBAAqB,CAAC"}

package/docs/ARCHITECTURE.md

@@ -1,100 +1,68 @@
-# CBIO Runtime Architecture
+# Architecture
 
-This document defines the architectural boundaries and naming rules for the runtime.
+Current product architecture is vault-first.
 
-For cross-language runtime rules that Node and Rust must share, see [spec/runtime/README.md](./spec/runtime/README.md).
+## Public Modules
 
-## Layer Boundaries
+- `vault-core`
+  Stores secret plaintext, validates writes, validates dispatch, appends audit, invokes trusted executors.
 
-- `runtime/`: public consumer surface only.
-- `protocol/`: protocol adapters and identity/crypto helpers layered on top of `cbio-protocol`.
-- `vault/`: local secret storage, persistence, recovery, and secret policy enforcement.
-- `agent/`: identity and managed-agent orchestration.
-- `http/`: HTTP-facing workflows and local proxy helpers.
-- `audit/`: activity log data structures and persistence helpers.
-- `docs/`: examples, guidance, and integration patterns. Not executable product logic.
-- `docs/spec/runtime/`: shared runtime contracts for multi-language implementations.
+- `clients/owner`
+  Owner-facing client for secret writes and audit reads.
 
-## Naming Rules
+- `clients/agent`
+  Agent-facing client for signed dispatch requests. It never receives secret plaintext.
 
-### 1. One name, one layer
+- `vault-ingress`
+  Accepts request-shaped calls, resolves capability inside the vault boundary, performs trusted acquisition flows, and forwards dispatch into vault-core internals.
 
-Do not use the same term for different layers of authority or behavior.
+## Core Rules
 
-- Protocol-level privileges must be named differently from runtime handle permissions.
-- Internal storage records must not be named like public API concepts.
+1. Secret plaintext exists only inside vault-core.
+2. Only owner and trusted issuer paths may write secrets.
+3. Agent can only request dispatch through capability + proof.
+4. Vault validates and audits every dispatch.
 
-Good examples:
+## Current HTTP Secret Flows
 
-- `issuedCapabilities`: privileges embedded into a signed identity document
-- `runtimePermissions`: permissions granted to a returned `CbioAgent` handle
+The current runtime surface supports two explicit flow classes:
 
-### 2. Name by responsibility
+- `acquire_secret`
+  Vault performs an acquisition flow, stores the extracted secret, and returns only protocol metadata plus a flow-specific redacted response shape.
 
-Names should describe what the code does, not merely what topic it is near.
+- `send_secret`
+  Vault sends a stored secret to an approved target and returns the remote response as normal agent-visible output.
+  This is the standard secret-use path, not the acquisition path.
 
-Good:
+The runtime does not attempt to enumerate or understand arbitrary remote protocols. Acquisition is limited to built-in standard flows rather than caller-defined extraction logic. Unsupported mixed or non-secret flows are outside the current production surface.
 
-- `startLocalAuthProxy`
-- `fetchWithAuth`
-- `getManagedAgentCapabilities`
+This is deliberate rather than accidental:
 
-Bad:
+- acquisition flows are treated as sensitive on the response path because they may mint or return new secret material
+- built-in acquisition flows may still expose protocol-defined non-sensitive fields such as expiry or token type
+- normal secret-backed dispatch is treated as a standard protocol call to an owner-approved target
 
-- vague helper names
-- names that only imply a provider or product example
+If a target returns sensitive values during a normal dispatch flow, the vault does not try to reinterpret the remote protocol and redact it retroactively. That responsibility belongs to the remote protocol contract and the owner's authorization boundary.
 
-### 3. Name public contracts by actual requirements
+## Owner-Defined Custom HTTP Flows
 
-Public option and parameter names must reflect what callers truly need.
+The current runtime also exposes a narrow exception path for non-standard integrations:
 
-Good:
+- owner registers a `custom_http` flow
+- the flow fixes `mode`, `targetUrl`, `method`, and `responseVisibility`
+- agent capabilities reference `customFlowId`
+- agent may trigger the flow, but may not redefine it
 
-- `IdentityLoadKeys`: requires `privateKey`, allows optional `publicKey`
+The owner HTTP boundary itself is modeled as a factory surface:
 
-Bad:
+- `createOwnerHttpFlowBoundary(...)`
+- `createStandardAcquireBoundary(...)`
+- `createStandardDispatchBoundary(...)`
 
-- names that imply stronger requirements than the implementation actually needs
+This keeps the escape hatch inside the vault boundary rather than reopening caller-defined open extraction or open response policies.
 
-### 4. Do not promote examples into core abstractions
+Current custom modes are:
 
-Common configurations belong in docs, not in the core naming system.
-
-- External service examples such as OpenAI, Anthropic, or Resend are documentation concerns.
-- Core APIs should accept general configuration such as `upstreamBaseUrl`, `authHeaderName`, and `authPrefix`.
-
-### 5. Split option objects by operation
-
-If one options type starts describing multiple operations, split it.
-
-A single options object may still group inputs that are consumed by one concrete operation path.
-For example, an identity load API may accept both storage binding and issued-identity binding if both are applied during the same load step.
-
-Good:
-
-- `ManagedAgentIssueOptions`
-- `ManagedAgentLoadOptions`
-- `RegisterChildIdentityOptions`
-
-Bad:
-
-- one broad options object that mixes issue, load, storage, and permission semantics
-
-### 6. Internal escape hatches stay internal
-
-If a method exists only to let implementation pieces cooperate, it should not become part of the public API shape.
-
-- Prefer module-local coordination over public bridge methods.
-- Avoid exposing internal records, vault objects, or persistence schemas from `runtime/`.
-
-## Review Checklist
-
-When evaluating a new function, type, or field name, ask:
-
-1. Does this name describe one thing only?
-2. Does it reveal the correct layer and authority level?
-3. Would a user infer the correct behavior without reading implementation code?
-4. Is this a stable domain concept, or just a popular example?
-5. Is this exposing an internal detail as if it were public API?
-
-If any answer is "no", rename or split before expanding the API surface.
+- `acquire_secret`
+- `send_secret`
+- `bidirectional_secret`