@tjamescouch/agentchat 0.22.0 → 0.23.0

package/dist/lib/security.js

@@ -0,0 +1,150 @@
+/**
+ * Security utilities for AgentChat
+ * Prevents running agents in dangerous directories
+ */
+import path from 'path';
+import os from 'os';
+// Directories that are absolutely forbidden (system roots)
+const FORBIDDEN_DIRECTORIES = new Set([
+    '/',
+    '/root',
+    '/home',
+    '/Users',
+    '/var',
+    '/etc',
+    '/usr',
+    '/bin',
+    '/sbin',
+    '/lib',
+    '/opt',
+    '/tmp',
+    '/System',
+    '/Applications',
+    '/Library',
+    '/private',
+    '/private/var',
+    '/private/tmp',
+    'C:\\',
+    'C:\\Windows',
+    'C:\\Program Files',
+    'C:\\Program Files (x86)',
+    'C:\\Users',
+]);
+// Minimum depth from root required for a "project" directory
+// e.g., /Users/name/projects/myproject = depth 4 (minimum required)
+const MIN_SAFE_DEPTH = 3;
+/**
+ * Get the depth of a path from root
+ */
+function getPathDepth(dirPath) {
+    const normalized = path.normalize(dirPath);
+    const parts = normalized.split(path.sep).filter(p => p && p !== '.');
+    return parts.length;
+}
+/**
+ * Check if directory is a user's home directory
+ */
+function isHomeDirectory(dirPath) {
+    const normalized = path.normalize(dirPath);
+    const homeDir = os.homedir();
+    // Check exact match with home directory
+    if (normalized === homeDir || normalized === homeDir + path.sep) {
+        return true;
+    }
+    // Check common home directory patterns
+    const homePatterns = [
+        /^\/Users\/[^/]+$/, // macOS: /Users/username
+        /^\/home\/[^/]+$/, // Linux: /home/username
+        /^C:\\Users\\[^\\]+$/i, // Windows: C:\Users\username
+    ];
+    return homePatterns.some(pattern => pattern.test(normalized));
+}
+/**
+ * Check if a directory is safe for running agentchat
+ */
+export function checkDirectorySafety(dirPath = process.cwd()) {
+    const normalized = path.normalize(path.resolve(dirPath));
+    // Check forbidden directories
+    if (FORBIDDEN_DIRECTORIES.has(normalized)) {
+        return {
+            safe: false,
+            level: 'error',
+            error: `Cannot run agentchat in system directory: ${normalized}\n` +
+                `Please run from a project directory instead.`
+        };
+    }
+    // Check if it's a home directory BEFORE depth check
+    // Home directories are allowed but warn (they're at depth 2 which would fail depth check)
+    if (isHomeDirectory(normalized)) {
+        return {
+            safe: true,
+            level: 'warning',
+            warning: `Running agentchat in home directory: ${normalized}\n` +
+                `Consider running from a specific project directory instead.`
+        };
+    }
+    // Check path depth (too shallow = too close to root)
+    const depth = getPathDepth(normalized);
+    if (depth < MIN_SAFE_DEPTH) {
+        return {
+            safe: false,
+            level: 'error',
+            error: `Cannot run agentchat in root-level directory: ${normalized}\n` +
+                `This directory is too close to the filesystem root.\n` +
+                `Please run from a project directory (at least ${MIN_SAFE_DEPTH} levels deep).`
+        };
+    }
+    // All checks passed
+    return {
+        safe: true,
+        level: 'ok'
+    };
+}
+/**
+ * Enforce directory safety check - throws if unsafe
+ */
+export function enforceDirectorySafety(dirPath = process.cwd(), options = {}) {
+    const { allowWarnings = true, silent = false } = options;
+    const result = checkDirectorySafety(dirPath);
+    if (result.level === 'error') {
+        throw new Error(result.error);
+    }
+    if (result.level === 'warning') {
+        if (!silent) {
+            console.error(`\n⚠️  WARNING: ${result.warning}\n`);
+        }
+        if (!allowWarnings) {
+            throw new Error(result.warning);
+        }
+    }
+    return result;
+}
+/**
+ * Check if running in a project directory (has common project indicators)
+ */
+export function looksLikeProjectDirectory(dirPath = process.cwd()) {
+    const projectIndicators = [
+        'package.json',
+        'Cargo.toml',
+        'go.mod',
+        'pyproject.toml',
+        'setup.py',
+        'requirements.txt',
+        'Gemfile',
+        'pom.xml',
+        'build.gradle',
+        'Makefile',
+        'CMakeLists.txt',
+        '.git',
+        '.gitignore',
+        'README.md',
+        'README',
+    ];
+    // This is a heuristic check - doesn't actually verify files exist
+    // Just checks if the path looks reasonable
+    const normalized = path.normalize(path.resolve(dirPath));
+    const depth = getPathDepth(normalized);
+    // If it's deep enough and not a system directory, it probably looks like a project
+    return depth >= MIN_SAFE_DEPTH && !FORBIDDEN_DIRECTORIES.has(normalized);
+}
+//# sourceMappingURL=security.js.map

package/dist/lib/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../lib/security.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AAEpB,2DAA2D;AAC3D,MAAM,qBAAqB,GAAgB,IAAI,GAAG,CAAC;IACjD,GAAG;IACH,OAAO;IACP,OAAO;IACP,QAAQ;IACR,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;IACN,SAAS;IACT,eAAe;IACf,UAAU;IACV,UAAU;IACV,cAAc;IACd,cAAc;IACd,MAAM;IACN,aAAa;IACb,mBAAmB;IACnB,yBAAyB;IACzB,WAAW;CACZ,CAAC,CAAC;AAEH,6DAA6D;AAC7D,oEAAoE;AACpE,MAAM,cAAc,GAAG,CAAC,CAAC;AAEzB;;GAEG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;IACrE,OAAO,KAAK,CAAC,MAAM,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAE7B,wCAAwC;IACxC,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,MAAM,YAAY,GAAG;QACnB,kBAAkB,EAAY,yBAAyB;QACvD,iBAAiB,EAAa,wBAAwB;QACtD,sBAAsB,EAAQ,6BAA6B;KAC5D,CAAC;IAEF,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;AAChE,CAAC;AASD;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB,OAAO,CAAC,GAAG,EAAE;IAClE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAEzD,8BAA8B;IAC9B,IAAI,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1C,OAAO;YACL,IAAI,EAAE,KAAK;YACX,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,6CAA6C,UAAU,IAAI;gBAC3D,8CAA8C;SACtD,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,0FAA0F;IAC1F,IAAI,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,IAAI,EAAE,IAAI;YACV,KAAK,EAAE,SAAS;YAChB,OAAO,EAAE,wCAAwC,UAAU,IAAI;gBACtD,6DAA6D;SACvE,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACvC,IAAI,KAAK,GAAG,cAAc,EAAE,CAAC;QAC3B,OAAO;YACL,IAAI,EAAE,KAAK;YACX,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,iDAAiD,UAAU,IAAI;gBAC/D,uDAAuD;gBACvD,iDAAiD,cAAc,gBAAgB;SACvF,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,OAAO;QACL,IAAI,EAAE,IAAI;QACV,KAAK,EAAE,IAAI;KACZ,CAAC;AACJ,CAAC;AAOD;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAAkB,OAAO,CAAC,GAAG,EAAE,EAC/B,UAA0B,EAAE;IAE5B,MAAM,EAAE,aAAa,GAAG,IAAI,EAAE,MAAM,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEzD,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAE7C,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,kBAAkB,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,UAAkB,OAAO,CAAC,GAAG,EAAE;IACvE,MAAM,iBAAiB,GAAG;QACxB,cAAc;QACd,YAAY;QACZ,QAAQ;QACR,gBAAgB;QAChB,UAAU;QACV,kBAAkB;QAClB,SAAS;QACT,SAAS;QACT,cAAc;QACd,UAAU;QACV,gBAAgB;QAChB,MAAM;QACN,YAAY;QACZ,WAAW;QACX,QAAQ;KACT,CAAC;IAEF,kEAAkE;IAClE,2CAA2C;IAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IACzD,MAAM,KAAK,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IAEvC,mFAAmF;IACnF,OAAO,KAAK,IAAI,cAAc,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAC3E,CAAC"}

package/dist/lib/server/handlers/admin.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Admin Handlers
+ * Handles allowlist administration commands
+ */
+import type { WebSocket } from 'ws';
+import type { AgentChatServer } from '../../server.js';
+import type { AdminApproveMessage, AdminRevokeMessage, AdminListMessage } from '../../types.js';
+interface ExtendedWebSocket extends WebSocket {
+    _connectedAt?: number;
+    _realIp?: string;
+    _userAgent?: string;
+}
+/**
+ * Handle ADMIN_APPROVE command - add a pubkey to the allowlist
+ */
+export declare function handleAdminApprove(server: AgentChatServer, ws: ExtendedWebSocket, msg: AdminApproveMessage): void;
+/**
+ * Handle ADMIN_REVOKE command - remove a pubkey from the allowlist
+ */
+export declare function handleAdminRevoke(server: AgentChatServer, ws: ExtendedWebSocket, msg: AdminRevokeMessage): void;
+/**
+ * Handle ADMIN_LIST command - list all approved entries
+ */
+export declare function handleAdminList(server: AgentChatServer, ws: ExtendedWebSocket, msg: AdminListMessage): void;
+export {};
+//# sourceMappingURL=admin.d.ts.map

package/dist/lib/server/handlers/admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../../../lib/server/handlers/admin.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,KAAK,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,gBAAgB,CAAC;AASxB,UAAU,iBAAkB,SAAQ,SAAS;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,mBAAmB,GAAG,IAAI,CAwBjH;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,kBAAkB,GAAG,IAAI,CAyB/G;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,gBAAgB,GAAG,IAAI,CAmB3G"}

package/dist/lib/server/handlers/admin.js

@@ -0,0 +1,76 @@
+/**
+ * Admin Handlers
+ * Handles allowlist administration commands
+ */
+import { ServerMessageType, ErrorCode, createMessage, createError, } from '../../protocol.js';
+/**
+ * Handle ADMIN_APPROVE command - add a pubkey to the allowlist
+ */
+export function handleAdminApprove(server, ws, msg) {
+    if (!server.allowlist) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Allowlist not configured'));
+        return;
+    }
+    if (!msg.pubkey) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Missing pubkey'));
+        return;
+    }
+    const result = server.allowlist.approve(msg.pubkey, msg.admin_key, msg.note || '');
+    if (!result.success) {
+        server._send(ws, createError(ErrorCode.AUTH_REQUIRED, result.error));
+        return;
+    }
+    server._log('admin_approve', { agentId: result.agentId });
+    server._send(ws, createMessage(ServerMessageType.ADMIN_RESULT, {
+        action: 'approve',
+        success: true,
+        agentId: `@${result.agentId}`,
+    }));
+}
+/**
+ * Handle ADMIN_REVOKE command - remove a pubkey from the allowlist
+ */
+export function handleAdminRevoke(server, ws, msg) {
+    if (!server.allowlist) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Allowlist not configured'));
+        return;
+    }
+    const identifier = msg.pubkey || msg.agent_id;
+    if (!identifier) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Missing pubkey or agent_id'));
+        return;
+    }
+    const result = server.allowlist.revoke(identifier, msg.admin_key);
+    if (!result.success) {
+        const code = result.error === 'invalid admin key' ? ErrorCode.AUTH_REQUIRED : ErrorCode.AGENT_NOT_FOUND;
+        server._send(ws, createError(code, result.error));
+        return;
+    }
+    server._log('admin_revoke', { identifier });
+    server._send(ws, createMessage(ServerMessageType.ADMIN_RESULT, {
+        action: 'revoke',
+        success: true,
+    }));
+}
+/**
+ * Handle ADMIN_LIST command - list all approved entries
+ */
+export function handleAdminList(server, ws, msg) {
+    if (!server.allowlist) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Allowlist not configured'));
+        return;
+    }
+    // Validate admin key
+    if (!server.allowlist._validateAdminKey(msg.admin_key)) {
+        server._send(ws, createError(ErrorCode.AUTH_REQUIRED, 'Invalid admin key'));
+        return;
+    }
+    const entries = server.allowlist.list();
+    server._send(ws, createMessage(ServerMessageType.ADMIN_RESULT, {
+        action: 'list',
+        entries,
+        enabled: server.allowlist.enabled,
+        strict: server.allowlist.strict,
+    }));
+}
+//# sourceMappingURL=admin.js.map

package/dist/lib/server/handlers/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../../../../lib/server/handlers/admin.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,OAAO,EACL,iBAAiB,EACjB,SAAS,EACT,aAAa,EACb,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAS3B;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAAwB;IACzG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,CAAC;QACjF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAEnF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,KAAM,CAAC,CAAC,CAAC;QACtE,OAAO;IACT,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1D,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,YAAY,EAAE;QAC7D,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE;KAC9B,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAAuB;IACvG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,CAAC;QACjF,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC;IAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,4BAA4B,CAAC,CAAC,CAAC;QACnF,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;IAElE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,KAAK,mBAAmB,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC;QACxG,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC,KAAM,CAAC,CAAC,CAAC;QACnD,OAAO;IACT,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;IAC5C,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,YAAY,EAAE;QAC7D,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,IAAI;KACd,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAAqB;IACnG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,0BAA0B,CAAC,CAAC,CAAC;QACjF,OAAO;IACT,CAAC;IAED,qBAAqB;IACrB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IACxC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,YAAY,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO;QACP,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO;QACjC,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;KAChC,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/lib/server/handlers/identity.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Identity Handlers
+ * Handles identify, verification request/response
+ */
+import type { WebSocket } from 'ws';
+import type { AgentChatServer } from '../../server.js';
+import type { IdentifyMessage, VerifyIdentityMessage, VerifyRequestMessage, VerifyResponseMessage } from '../../types.js';
+interface ExtendedWebSocket extends WebSocket {
+    _connectedAt?: number;
+    _realIp?: string;
+    _userAgent?: string;
+}
+/**
+ * Handle IDENTIFY command
+ *
+ * For ephemeral agents (no pubkey): immediately create agent state and send WELCOME.
+ * For pubkey agents: send CHALLENGE, wait for VERIFY_IDENTITY before creating state.
+ */
+export declare function handleIdentify(server: AgentChatServer, ws: ExtendedWebSocket, msg: IdentifyMessage): void;
+/**
+ * Handle VERIFY_IDENTITY command
+ *
+ * Verifies the challenge-response signature. On success, creates agent state
+ * and sends WELCOME. On failure, sends error.
+ */
+export declare function handleVerifyIdentity(server: AgentChatServer, ws: ExtendedWebSocket, msg: VerifyIdentityMessage): void;
+/**
+ * Handle VERIFY_REQUEST command
+ */
+export declare function handleVerifyRequest(server: AgentChatServer, ws: ExtendedWebSocket, msg: VerifyRequestMessage): void;
+/**
+ * Handle VERIFY_RESPONSE command
+ */
+export declare function handleVerifyResponse(server: AgentChatServer, ws: ExtendedWebSocket, msg: VerifyResponseMessage): void;
+export {};
+//# sourceMappingURL=identity.d.ts.map

package/dist/lib/server/handlers/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../../../lib/server/handlers/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,KAAK,EACV,eAAe,EACf,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,gBAAgB,CAAC;AAgBxB,UAAU,iBAAkB,SAAQ,SAAS;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAYD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,eAAe,GAAG,IAAI,CAqGzG;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,qBAAqB,GAAG,IAAI,CAiGrH;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,oBAAoB,GAAG,IAAI,CAsEnH;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,EAAE,qBAAqB,GAAG,IAAI,CA6ErH"}

package/dist/lib/server/handlers/identity.js

@@ -0,0 +1,330 @@
+/**
+ * Identity Handlers
+ * Handles identify, verification request/response
+ */
+import crypto from 'crypto';
+import { ServerMessageType, ErrorCode, createMessage, createError, generateAgentId, generateVerifyId, generateChallengeId, generateNonce, generateAuthSigningContent, pubkeyToAgentId, } from '../../protocol.js';
+import { Identity } from '../../identity.js';
+/**
+ * Handle IDENTIFY command
+ *
+ * For ephemeral agents (no pubkey): immediately create agent state and send WELCOME.
+ * For pubkey agents: send CHALLENGE, wait for VERIFY_IDENTITY before creating state.
+ */
+export function handleIdentify(server, ws, msg) {
+    // Check if already identified
+    if (server.agents.has(ws)) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Already identified'));
+        return;
+    }
+    // Check if this ws already has a pending challenge
+    for (const [, challenge] of server.pendingChallenges) {
+        if (challenge.ws === ws) {
+            server._send(ws, createError(ErrorCode.INVALID_MSG, 'Challenge already pending'));
+            return;
+        }
+    }
+    // Allowlist check (before any state changes)
+    if (server.allowlist && server.allowlist.enabled) {
+        const check = server.allowlist.check(msg.pubkey || null);
+        if (!check.allowed) {
+            server._log('allowlist_rejected', {
+                ip: ws._realIp,
+                name: msg.name,
+                hasPubkey: !!msg.pubkey,
+                reason: check.reason
+            });
+            server._send(ws, createError(ErrorCode.NOT_ALLOWED, check.reason));
+            return;
+        }
+    }
+    if (msg.pubkey) {
+        // Pubkey agent: send challenge, do NOT create agent state yet
+        const challengeId = generateChallengeId();
+        const nonce = generateNonce();
+        const expiresAt = Date.now() + server.challengeTimeoutMs;
+        server.pendingChallenges.set(challengeId, {
+            ws,
+            name: msg.name,
+            pubkey: msg.pubkey,
+            nonce,
+            challengeId,
+            expires: expiresAt
+        });
+        // Set timeout to clean up expired challenges
+        setTimeout(() => {
+            const challenge = server.pendingChallenges.get(challengeId);
+            if (challenge) {
+                server.pendingChallenges.delete(challengeId);
+                if (challenge.ws.readyState === 1) {
+                    server._send(challenge.ws, createError(ErrorCode.VERIFICATION_EXPIRED, 'Challenge expired'));
+                    challenge.ws.close(1000, 'Challenge expired');
+                }
+            }
+        }, server.challengeTimeoutMs);
+        server._log('challenge_sent', {
+            challengeId,
+            name: msg.name,
+            ip: ws._realIp
+        });
+        server._send(ws, createMessage(ServerMessageType.CHALLENGE, {
+            challenge_id: challengeId,
+            nonce,
+            expires_at: expiresAt
+        }));
+    }
+    else {
+        // Ephemeral agent: create state immediately
+        const id = generateAgentId();
+        const agent = {
+            id,
+            name: msg.name,
+            pubkey: null,
+            channels: new Set(),
+            connectedAt: Date.now(),
+            presence: 'online',
+            status_text: null,
+            verified: false
+        };
+        server.agents.set(ws, agent);
+        server.agentById.set(id, ws);
+        server._log('identify', {
+            id,
+            name: msg.name,
+            hasPubkey: false,
+            ephemeral: true,
+            ip: ws._realIp,
+            user_agent: ws._userAgent
+        });
+        server._send(ws, createMessage(ServerMessageType.WELCOME, {
+            agent_id: `@${id}`,
+            name: msg.name,
+            server: server.serverName
+        }));
+    }
+}
+/**
+ * Handle VERIFY_IDENTITY command
+ *
+ * Verifies the challenge-response signature. On success, creates agent state
+ * and sends WELCOME. On failure, sends error.
+ */
+export function handleVerifyIdentity(server, ws, msg) {
+    // Check if already identified
+    if (server.agents.has(ws)) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Already identified'));
+        return;
+    }
+    // Look up the pending challenge
+    const challenge = server.pendingChallenges.get(msg.challenge_id);
+    if (!challenge) {
+        server._send(ws, createError(ErrorCode.VERIFICATION_EXPIRED, 'Challenge not found or expired'));
+        return;
+    }
+    // Verify this is the same websocket that initiated the challenge
+    if (challenge.ws !== ws) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Challenge belongs to a different connection'));
+        return;
+    }
+    // Check expiration
+    if (Date.now() > challenge.expires) {
+        server.pendingChallenges.delete(msg.challenge_id);
+        server._send(ws, createError(ErrorCode.VERIFICATION_EXPIRED, 'Challenge expired'));
+        return;
+    }
+    // Verify the signature
+    const expectedContent = generateAuthSigningContent(challenge.nonce, msg.challenge_id, msg.timestamp);
+    const verified = Identity.verify(expectedContent, msg.signature, challenge.pubkey);
+    if (!verified) {
+        server.pendingChallenges.delete(msg.challenge_id);
+        server._log('challenge_failed', {
+            challengeId: msg.challenge_id,
+            name: challenge.name,
+            ip: ws._realIp
+        });
+        server._send(ws, createError(ErrorCode.VERIFICATION_FAILED, 'Invalid signature'));
+        return;
+    }
+    // Challenge passed — clean up pending challenge
+    server.pendingChallenges.delete(msg.challenge_id);
+    // Derive stable agent ID from pubkey
+    const existingId = server.pubkeyToId.get(challenge.pubkey);
+    let id;
+    if (existingId) {
+        id = existingId;
+    }
+    else {
+        id = pubkeyToAgentId(challenge.pubkey);
+        server.pubkeyToId.set(challenge.pubkey, id);
+    }
+    // Check if this ID is currently in use by another connection
+    if (server.agentById.has(id)) {
+        const oldWs = server.agentById.get(id);
+        server._log('identity-takeover', { id, reason: 'Verified connection replacing existing' });
+        server._send(oldWs, createError(ErrorCode.INVALID_MSG, 'Disconnected: Another connection verified this identity'));
+        server._handleDisconnect(oldWs);
+        oldWs.close(1000, 'Identity claimed by verified connection');
+    }
+    // Create agent state with verified = true
+    const agent = {
+        id,
+        name: challenge.name,
+        pubkey: challenge.pubkey,
+        channels: new Set(),
+        connectedAt: Date.now(),
+        presence: 'online',
+        status_text: null,
+        verified: true
+    };
+    server.agents.set(ws, agent);
+    server.agentById.set(id, ws);
+    const isReturning = !!existingId;
+    server._log('identify', {
+        id,
+        name: challenge.name,
+        hasPubkey: true,
+        verified: true,
+        returning: isReturning,
+        ip: ws._realIp,
+        user_agent: ws._userAgent
+    });
+    server._send(ws, createMessage(ServerMessageType.WELCOME, {
+        agent_id: `@${id}`,
+        name: challenge.name,
+        server: server.serverName,
+        verified: true
+    }));
+}
+/**
+ * Handle VERIFY_REQUEST command
+ */
+export function handleVerifyRequest(server, ws, msg) {
+    const agent = server.agents.get(ws);
+    if (!agent) {
+        server._send(ws, createError(ErrorCode.AUTH_REQUIRED, 'Must IDENTIFY first'));
+        return;
+    }
+    // Find target agent
+    const targetId = msg.target.slice(1);
+    const targetWs = server.agentById.get(targetId);
+    if (!targetWs) {
+        server._send(ws, createError(ErrorCode.AGENT_NOT_FOUND, `Agent ${msg.target} not found`));
+        return;
+    }
+    const targetAgent = server.agents.get(targetWs);
+    // Target must have a pubkey for verification
+    if (!targetAgent?.pubkey) {
+        server._send(ws, createError(ErrorCode.NO_PUBKEY, `Agent ${msg.target} has no persistent identity`));
+        return;
+    }
+    // Create verification request
+    const requestId = generateVerifyId();
+    const expires = Date.now() + server.verificationTimeoutMs;
+    const pendingVerification = {
+        from: `@${agent.id}`,
+        fromWs: ws,
+        target: msg.target,
+        targetPubkey: targetAgent.pubkey,
+        nonce: msg.nonce,
+        expires
+    };
+    server.pendingVerifications.set(requestId, pendingVerification);
+    // Set timeout to clean up expired requests
+    setTimeout(() => {
+        const request = server.pendingVerifications.get(requestId);
+        if (request) {
+            server.pendingVerifications.delete(requestId);
+            // Notify requester of timeout
+            if (request.fromWs.readyState === 1) {
+                server._send(request.fromWs, createMessage(ServerMessageType.VERIFY_FAILED, {
+                    request_id: requestId,
+                    target: request.target,
+                    reason: 'Verification timed out'
+                }));
+            }
+        }
+    }, server.verificationTimeoutMs);
+    server._log('verify_request', { id: requestId, from: agent.id, target: targetId });
+    // Forward to target agent
+    server._send(targetWs, createMessage(ServerMessageType.VERIFY_REQUEST, {
+        request_id: requestId,
+        from: `@${agent.id}`,
+        nonce: msg.nonce
+    }));
+    // Acknowledge to requester
+    server._send(ws, createMessage(ServerMessageType.VERIFY_REQUEST, {
+        request_id: requestId,
+        target: msg.target,
+        status: 'pending'
+    }));
+}
+/**
+ * Handle VERIFY_RESPONSE command
+ */
+export function handleVerifyResponse(server, ws, msg) {
+    const agent = server.agents.get(ws);
+    if (!agent) {
+        server._send(ws, createError(ErrorCode.AUTH_REQUIRED, 'Must IDENTIFY first'));
+        return;
+    }
+    // Must have identity to respond to verification
+    if (!agent.pubkey) {
+        server._send(ws, createError(ErrorCode.SIGNATURE_REQUIRED, 'Responding to verification requires persistent identity'));
+        return;
+    }
+    // Find the pending verification
+    const request = server.pendingVerifications.get(msg.request_id);
+    if (!request) {
+        server._send(ws, createError(ErrorCode.VERIFICATION_EXPIRED, 'Verification request not found or expired'));
+        return;
+    }
+    // Verify the responder is the target
+    if (request.target !== `@${agent.id}`) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'You are not the target of this verification'));
+        return;
+    }
+    // Verify the nonce matches
+    if (msg.nonce !== request.nonce) {
+        server._send(ws, createError(ErrorCode.INVALID_MSG, 'Nonce mismatch'));
+        return;
+    }
+    // Verify the signature
+    let verified = false;
+    try {
+        const keyObj = crypto.createPublicKey(request.targetPubkey);
+        verified = crypto.verify(null, Buffer.from(msg.nonce), keyObj, Buffer.from(msg.sig, 'base64'));
+    }
+    catch (err) {
+        server._log('verify_error', { request_id: msg.request_id, error: err.message });
+    }
+    // Clean up the pending request
+    server.pendingVerifications.delete(msg.request_id);
+    server._log('verify_response', {
+        request_id: msg.request_id,
+        from: agent.id,
+        verified
+    });
+    // Notify the original requester
+    if (request.fromWs.readyState === 1) {
+        if (verified) {
+            server._send(request.fromWs, createMessage(ServerMessageType.VERIFY_SUCCESS, {
+                request_id: msg.request_id,
+                agent: request.target,
+                pubkey: request.targetPubkey
+            }));
+        }
+        else {
+            server._send(request.fromWs, createMessage(ServerMessageType.VERIFY_FAILED, {
+                request_id: msg.request_id,
+                target: request.target,
+                reason: 'Signature verification failed'
+            }));
+        }
+    }
+    // Notify the responder
+    server._send(ws, createMessage(verified ? ServerMessageType.VERIFY_SUCCESS : ServerMessageType.VERIFY_FAILED, {
+        request_id: msg.request_id,
+        verified
+    }));
+}
+//# sourceMappingURL=identity.js.map

package/dist/lib/server/handlers/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../../../lib/server/handlers/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAS5B,OAAO,EACL,iBAAiB,EACjB,SAAS,EACT,aAAa,EACb,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,0BAA0B,EAC1B,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAmB7C;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAAoB;IACjG,8BAA8B;IAC9B,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC3E,OAAO;IACT,CAAC;IAED,mDAAmD;IACnD,KAAK,MAAM,CAAC,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;QACrD,IAAI,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;YACxB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,2BAA2B,CAAC,CAAC,CAAC;YAClF,OAAO;QACT,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE;gBAChC,EAAE,EAAE,EAAE,CAAC,OAAO;gBACd,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM;gBACvB,MAAM,EAAE,KAAK,CAAC,MAAM;aACrB,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QACf,8DAA8D;QAC9D,MAAM,WAAW,GAAG,mBAAmB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAEzD,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,EAAE;YACxC,EAAE;YACF,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,KAAK;YACL,WAAW;YACX,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,6CAA6C;QAC7C,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,SAAS,GAAG,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC5D,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBAC7C,IAAK,SAAS,CAAC,EAAgB,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;oBACjD,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC,CAAC;oBAC5F,SAAS,CAAC,EAAgB,CAAC,KAAK,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC;QACH,CAAC,EAAE,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAE9B,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE;YAC5B,WAAW;YACX,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,EAAE,EAAE,EAAE,CAAC,OAAO;SACf,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,SAAS,EAAE;YAC1D,YAAY,EAAE,WAAW;YACzB,KAAK;YACL,UAAU,EAAE,SAAS;SACtB,CAAC,CAAC,CAAC;IACN,CAAC;SAAM,CAAC;QACN,4CAA4C;QAC5C,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC;QAE7B,MAAM,KAAK,GAAG;YACZ,EAAE;YACF,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,IAAI,GAAG,EAAU;YAC3B,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;YACvB,QAAQ,EAAE,QAAiB;YAC3B,WAAW,EAAE,IAAqB;YAClC,QAAQ,EAAE,KAAK;SAChB,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC7B,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAE7B,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;YACtB,EAAE;YACF,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,SAAS,EAAE,KAAK;YAChB,SAAS,EAAE,IAAI;YACf,EAAE,EAAE,EAAE,CAAC,OAAO;YACd,UAAU,EAAE,EAAE,CAAC,UAAU;SAC1B,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,OAAO,EAAE;YACxD,QAAQ,EAAE,IAAI,EAAE,EAAE;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,MAAM,CAAC,UAAU;SAC1B,CAAC,CAAC,CAAC;IACN,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAA0B;IAC7G,8BAA8B;IAC9B,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC3E,OAAO;IACT,CAAC;IAED,gCAAgC;IAChC,MAAM,SAAS,GAAG,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,oBAAoB,EAAE,gCAAgC,CAAC,CAAC,CAAC;QAChG,OAAO;IACT,CAAC;IAED,iEAAiE;IACjE,IAAI,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,6CAA6C,CAAC,CAAC,CAAC;QACpG,OAAO;IACT,CAAC;IAED,mBAAmB;IACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC;QACnC,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QACnF,OAAO;IACT,CAAC;IAED,uBAAuB;IACvB,MAAM,eAAe,GAAG,0BAA0B,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;IACrG,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAEnF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE;YAC9B,WAAW,EAAE,GAAG,CAAC,YAAY;YAC7B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,EAAE,EAAE,EAAE,CAAC,OAAO;SACf,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClF,OAAO;IACT,CAAC;IAED,gDAAgD;IAChD,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAElD,qCAAqC;IACrC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC3D,IAAI,EAAU,CAAC;IACf,IAAI,UAAU,EAAE,CAAC;QACf,EAAE,GAAG,UAAU,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,EAAE,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,6DAA6D;IAC7D,IAAI,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC,CAAC;QAC3F,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,yDAAyD,CAAC,CAAC,CAAC;QACnH,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC/B,KAAmB,CAAC,KAAK,CAAC,IAAI,EAAE,yCAAyC,CAAC,CAAC;IAC9E,CAAC;IAED,0CAA0C;IAC1C,MAAM,KAAK,GAAG;QACZ,EAAE;QACF,IAAI,EAAE,SAAS,CAAC,IAAI;QACpB,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,QAAQ,EAAE,IAAI,GAAG,EAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;QACvB,QAAQ,EAAE,QAAiB;QAC3B,WAAW,EAAE,IAAqB;QAClC,QAAQ,EAAE,IAAI;KACf,CAAC;IAEF,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC7B,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAE7B,MAAM,WAAW,GAAG,CAAC,CAAC,UAAU,CAAC;IAEjC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE;QACtB,EAAE;QACF,IAAI,EAAE,SAAS,CAAC,IAAI;QACpB,SAAS,EAAE,IAAI;QACf,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,WAAW;QACtB,EAAE,EAAE,EAAE,CAAC,OAAO;QACd,UAAU,EAAE,EAAE,CAAC,UAAU;KAC1B,CAAC,CAAC;IAEH,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,OAAO,EAAE;QACxD,QAAQ,EAAE,IAAI,EAAE,EAAE;QAClB,IAAI,EAAE,SAAS,CAAC,IAAI;QACpB,MAAM,EAAE,MAAM,CAAC,UAAU;QACzB,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAAyB;IAC3G,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,aAAa,EAAE,qBAAqB,CAAC,CAAC,CAAC;QAC9E,OAAO;IACT,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEhD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,eAAe,EAAE,SAAS,GAAG,CAAC,MAAM,YAAY,CAAC,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEhD,6CAA6C;IAC7C,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;QACzB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,GAAG,CAAC,MAAM,6BAA6B,CAAC,CAAC,CAAC;QACrG,OAAO;IACT,CAAC;IAED,8BAA8B;IAC9B,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,qBAAqB,CAAC;IAE1D,MAAM,mBAAmB,GAAwB;QAC/C,IAAI,EAAE,IAAI,KAAK,CAAC,EAAE,EAAE;QACpB,MAAM,EAAE,EAAE;QACV,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,YAAY,EAAE,WAAW,CAAC,MAAM;QAChC,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO;KACR,CAAC;IAEF,MAAM,CAAC,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAEhE,2CAA2C;IAC3C,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,OAAO,GAAG,MAAM,CAAC,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAoC,CAAC;QAC9F,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,oBAAoB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC9C,8BAA8B;YAC9B,IAAK,OAAO,CAAC,MAAoB,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;gBACnD,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC,iBAAiB,CAAC,aAAa,EAAE;oBAC1E,UAAU,EAAE,SAAS;oBACrB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,wBAAwB;iBACjC,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;IACH,CAAC,EAAE,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAEjC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEnF,0BAA0B;IAC1B,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,iBAAiB,CAAC,cAAc,EAAE;QACrE,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE,IAAI,KAAK,CAAC,EAAE,EAAE;QACpB,KAAK,EAAE,GAAG,CAAC,KAAK;KACjB,CAAC,CAAC,CAAC;IAEJ,2BAA2B;IAC3B,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,iBAAiB,CAAC,cAAc,EAAE;QAC/D,UAAU,EAAE,SAAS;QACrB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAuB,EAAE,EAAqB,EAAE,GAA0B;IAC7G,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,aAAa,EAAE,qBAAqB,CAAC,CAAC,CAAC;QAC9E,OAAO;IACT,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,kBAAkB,EAAE,yDAAyD,CAAC,CAAC,CAAC;QACvH,OAAO;IACT,CAAC;IAED,gCAAgC;IAChC,MAAM,OAAO,GAAG,MAAM,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAoC,CAAC;IACnG,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,oBAAoB,EAAE,2CAA2C,CAAC,CAAC,CAAC;QAC3G,OAAO;IACT,CAAC;IAED,qCAAqC;IACrC,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,6CAA6C,CAAC,CAAC,CAAC;QACpG,OAAO;IACT,CAAC;IAED,2BAA2B;IAC3B,IAAI,GAAG,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,uBAAuB;IACvB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC5D,QAAQ,GAAG,MAAM,CAAC,MAAM,CACtB,IAAI,EACJ,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EACtB,MAAM,EACN,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAC/B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED,+BAA+B;IAC/B,MAAM,CAAC,oBAAoB,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEnD,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE;QAC7B,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,IAAI,EAAE,KAAK,CAAC,EAAE;QACd,QAAQ;KACT,CAAC,CAAC;IAEH,gCAAgC;IAChC,IAAK,OAAO,CAAC,MAAoB,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;QACnD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC,iBAAiB,CAAC,cAAc,EAAE;gBAC3E,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,KAAK,EAAE,OAAO,CAAC,MAAM;gBACrB,MAAM,EAAE,OAAO,CAAC,YAAY;aAC7B,CAAC,CAAC,CAAC;QACN,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC,iBAAiB,CAAC,aAAa,EAAE;gBAC1E,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,MAAM,EAAE,+BAA+B;aACxC,CAAC,CAAC,CAAC;QACN,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,cAAc,CAAC,CAAC,CAAC,iBAAiB,CAAC,aAAa,EAAE;QAC5G,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,QAAQ;KACT,CAAC,CAAC,CAAC;AACN,CAAC"}