@vivero/stoma 0.1.0-rc.10

package/dist/core/errors.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Error handling utilities for the stoma gateway.
+ *
+ * {@link GatewayError} is thrown by policies and core code to produce
+ * structured JSON error responses. The gateway's `onError` handler catches
+ * these and converts them via {@link errorToResponse}. Unexpected errors
+ * fall through to {@link defaultErrorResponse}.
+ *
+ * @module errors
+ */
+/**
+ * Structured gateway error with HTTP status code, machine-readable code,
+ * and optional response headers (e.g. `Retry-After`, `X-RateLimit-*`).
+ *
+ * Throw this from policies or handlers to produce a structured JSON error
+ * response. The gateway error handler catches it automatically.
+ *
+ * @example
+ * ```ts
+ * throw new GatewayError(429, "rate_limited", "Too many requests", {
+ *   "retry-after": "60",
+ * });
+ * // Produces: { "error": "rate_limited", "message": "Too many requests", "statusCode": 429 }
+ * ```
+ */
+declare class GatewayError extends Error {
+    readonly statusCode: number;
+    readonly code: string;
+    /** Optional headers to include in the error response (e.g. rate-limit headers) */
+    readonly headers?: Record<string, string>;
+    constructor(statusCode: number, code: string, message: string, headers?: Record<string, string>);
+}
+/** Standard JSON error response shape returned by all gateway errors. */
+interface ErrorResponse {
+    /** Machine-readable error code (e.g. `"rate_limited"`, `"unauthorized"`). */
+    error: string;
+    /** Human-readable error description. */
+    message: string;
+    /** HTTP status code (e.g. 401, 429, 503). */
+    statusCode: number;
+    /** Request ID for tracing, when available. */
+    requestId?: string;
+}
+/**
+ * Build a JSON {@link Response} from a {@link GatewayError}.
+ *
+ * Merges any custom headers from the error (e.g. `Retry-After`) into the
+ * response. Includes the request ID when available for tracing.
+ *
+ * @param error - The gateway error to convert.
+ * @param requestId - Optional request ID to include in the response body.
+ * @returns A `Response` with JSON body and appropriate status code.
+ */
+declare function errorToResponse(error: GatewayError, requestId?: string): Response;
+/**
+ * Produce a generic 500 error response for unexpected (non-{@link GatewayError}) errors.
+ *
+ * Used by the global error handler when an unrecognized error reaches the
+ * gateway boundary. Does not leak internal error details.
+ *
+ * @param requestId - Optional request ID to include in the response body.
+ * @returns A 500 `Response` with a generic error message.
+ */
+declare function defaultErrorResponse(requestId?: string, message?: string): Response;
+
+export { type ErrorResponse, GatewayError, defaultErrorResponse, errorToResponse };

package/dist/core/errors.js

@@ -0,0 +1,47 @@
+class GatewayError extends Error {
+  statusCode;
+  code;
+  /** Optional headers to include in the error response (e.g. rate-limit headers) */
+  headers;
+  constructor(statusCode, code, message, headers) {
+    super(message);
+    this.name = "GatewayError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.headers = headers;
+  }
+}
+function errorToResponse(error, requestId) {
+  const body = {
+    error: error.code,
+    message: error.message,
+    statusCode: error.statusCode,
+    ...requestId ? { requestId } : {}
+  };
+  const headers = {
+    "content-type": "application/json",
+    ...error.headers
+  };
+  return new Response(JSON.stringify(body), {
+    status: error.statusCode,
+    headers
+  });
+}
+function defaultErrorResponse(requestId, message = "An unexpected error occurred") {
+  const body = {
+    error: "internal_error",
+    message,
+    statusCode: 500,
+    ...requestId ? { requestId } : {}
+  };
+  return new Response(JSON.stringify(body), {
+    status: 500,
+    headers: { "content-type": "application/json" }
+  });
+}
+export {
+  GatewayError,
+  defaultErrorResponse,
+  errorToResponse
+};
+//# sourceMappingURL=errors.js.map

package/dist/core/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/core/errors.ts"],"sourcesContent":["/**\n * Error handling utilities for the stoma gateway.\n *\n * {@link GatewayError} is thrown by policies and core code to produce\n * structured JSON error responses. The gateway's `onError` handler catches\n * these and converts them via {@link errorToResponse}. Unexpected errors\n * fall through to {@link defaultErrorResponse}.\n *\n * @module errors\n */\n\n/**\n * Structured gateway error with HTTP status code, machine-readable code,\n * and optional response headers (e.g. `Retry-After`, `X-RateLimit-*`).\n *\n * Throw this from policies or handlers to produce a structured JSON error\n * response. The gateway error handler catches it automatically.\n *\n * @example\n * ```ts\n * throw new GatewayError(429, \"rate_limited\", \"Too many requests\", {\n *   \"retry-after\": \"60\",\n * });\n * // Produces: { \"error\": \"rate_limited\", \"message\": \"Too many requests\", \"statusCode\": 429 }\n * ```\n */\nexport class GatewayError extends Error {\n  readonly statusCode: number;\n  readonly code: string;\n  /** Optional headers to include in the error response (e.g. rate-limit headers) */\n  readonly headers?: Record<string, string>;\n\n  constructor(\n    statusCode: number,\n    code: string,\n    message: string,\n    headers?: Record<string, string>\n  ) {\n    super(message);\n    this.name = \"GatewayError\";\n    this.statusCode = statusCode;\n    this.code = code;\n    this.headers = headers;\n  }\n}\n\n/** Standard JSON error response shape returned by all gateway errors. */\nexport interface ErrorResponse {\n  /** Machine-readable error code (e.g. `\"rate_limited\"`, `\"unauthorized\"`). */\n  error: string;\n  /** Human-readable error description. */\n  message: string;\n  /** HTTP status code (e.g. 401, 429, 503). */\n  statusCode: number;\n  /** Request ID for tracing, when available. */\n  requestId?: string;\n}\n\n/**\n * Build a JSON {@link Response} from a {@link GatewayError}.\n *\n * Merges any custom headers from the error (e.g. `Retry-After`) into the\n * response. Includes the request ID when available for tracing.\n *\n * @param error - The gateway error to convert.\n * @param requestId - Optional request ID to include in the response body.\n * @returns A `Response` with JSON body and appropriate status code.\n */\nexport function errorToResponse(\n  error: GatewayError,\n  requestId?: string\n): Response {\n  const body: ErrorResponse = {\n    error: error.code,\n    message: error.message,\n    statusCode: error.statusCode,\n    ...(requestId ? { requestId } : {}),\n  };\n  const headers: Record<string, string> = {\n    \"content-type\": \"application/json\",\n    ...error.headers,\n  };\n  return new Response(JSON.stringify(body), {\n    status: error.statusCode,\n    headers,\n  });\n}\n\n/**\n * Produce a generic 500 error response for unexpected (non-{@link GatewayError}) errors.\n *\n * Used by the global error handler when an unrecognized error reaches the\n * gateway boundary. Does not leak internal error details.\n *\n * @param requestId - Optional request ID to include in the response body.\n * @returns A 500 `Response` with a generic error message.\n */\nexport function defaultErrorResponse(\n  requestId?: string,\n  message = \"An unexpected error occurred\"\n): Response {\n  const body: ErrorResponse = {\n    error: \"internal_error\",\n    message,\n    statusCode: 500,\n    ...(requestId ? { requestId } : {}),\n  };\n  return new Response(JSON.stringify(body), {\n    status: 500,\n    headers: { \"content-type\": \"application/json\" },\n  });\n}\n"],"mappings":"AA0BO,MAAM,qBAAqB,MAAM;AAAA,EAC7B;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EAET,YACE,YACA,MACA,SACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,OAAO;AACZ,SAAK,UAAU;AAAA,EACjB;AACF;AAwBO,SAAS,gBACd,OACA,WACU;AACV,QAAM,OAAsB;AAAA,IAC1B,OAAO,MAAM;AAAA,IACb,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,IAClB,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,EACnC;AACA,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAG,MAAM;AAAA,EACX;AACA,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG;AAAA,IACxC,QAAQ,MAAM;AAAA,IACd;AAAA,EACF,CAAC;AACH;AAWO,SAAS,qBACd,WACA,UAAU,gCACA;AACV,QAAM,OAAsB;AAAA,IAC1B,OAAO;AAAA,IACP;AAAA,IACA,YAAY;AAAA,IACZ,GAAI,YAAY,EAAE,UAAU,IAAI,CAAC;AAAA,EACnC;AACA,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG;AAAA,IACxC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;","names":[]}

package/dist/core/gateway.d.ts

@@ -0,0 +1,44 @@
+import { GatewayConfig, GatewayInstance } from './types.js';
+import 'hono';
+import '../protocol-2fD3DJrL.js';
+import '../policies/sdk/trace.js';
+import '@vivero/stoma-core';
+import '../observability/metrics.js';
+import '../observability/tracing.js';
+
+/**
+ * Create a gateway instance from a declarative configuration.
+ *
+ * Registers all routes on a Hono app, builds per-route policy pipelines
+ * (merging global + route-level policies), and wires up upstream dispatch.
+ * Returns a {@link GatewayInstance} whose `.app` property is the Hono app
+ * ready to be exported as a Cloudflare Worker default export.
+ *
+ * @param config - Full gateway configuration including routes, policies, and options.
+ * @returns A {@link GatewayInstance} with the configured Hono app.
+ * @throws {GatewayError} If no routes are provided.
+ *
+ * @example
+ * ```ts
+ * import { createGateway, jwtAuth, rateLimit } from "@vivero/stoma";
+ *
+ * const gateway = createGateway({
+ *   name: "my-api",
+ *   basePath: "/api",
+ *   routes: [
+ *     {
+ *       path: "/users/*",
+ *       pipeline: {
+ *         policies: [jwtAuth({ secret: env.JWT_SECRET }), rateLimit({ max: 100 })],
+ *         upstream: { type: "url", target: "https://users-service.internal" },
+ *       },
+ *     },
+ *   ],
+ * });
+ *
+ * export default gateway.app;
+ * ```
+ */
+declare function createGateway<TBindings = Record<string, unknown>>(config: GatewayConfig<TBindings>): GatewayInstance;
+
+export { createGateway };

package/dist/core/gateway.js

@@ -0,0 +1,400 @@
+import { Hono } from "hono";
+import { registerAdminRoutes } from "../observability/admin";
+import {
+  generateOtelSpanId,
+  SemConv,
+  SpanBuilder
+} from "../observability/tracing";
+import { createDebugFactory, noopDebugLogger } from "../utils/debug";
+import { cloneRequestHeaders } from "../utils/headers";
+import { formatTraceparent, generateSpanId } from "../utils/trace-context";
+import { defaultErrorResponse, errorToResponse, GatewayError } from "./errors";
+import {
+  buildPolicyChain,
+  createContextInjector,
+  getGatewayContext,
+  policiesToMiddleware
+} from "./pipeline";
+function createGateway(config) {
+  if (!config.routes || config.routes.length === 0) {
+    throw new GatewayError(
+      500,
+      "config_error",
+      "Gateway requires at least one route"
+    );
+  }
+  const gatewayName = config.name ?? "edge-gateway";
+  const debugFactory = createDebugFactory(config.debug);
+  const debug = debugFactory("stoma:gateway");
+  const debugPipeline = debugFactory("stoma:pipeline");
+  const debugUpstream = debugFactory("stoma:upstream");
+  const app = new Hono();
+  app.onError((err, c) => {
+    if (config.onError) {
+      return config.onError(err, c);
+    }
+    const ctx = getGatewayContext(c);
+    if (err instanceof GatewayError) {
+      return errorToResponse(err, ctx?.requestId);
+    }
+    console.error(
+      `[${gatewayName}] Unhandled error on ${c.req.method} ${c.req.path}:`,
+      err
+    );
+    return defaultErrorResponse(ctx?.requestId, config.defaultErrorMessage);
+  });
+  app.notFound((c) => {
+    debug(`no route matches ${c.req.method} ${c.req.path}`);
+    return c.json(
+      {
+        error: "not_found",
+        message: `No route matches ${c.req.method} ${c.req.path}`,
+        statusCode: 404,
+        gateway: gatewayName
+      },
+      404
+    );
+  });
+  let routeCount = 0;
+  const registeredRoutes = [];
+  const allPoliciesMap = /* @__PURE__ */ new Map();
+  for (const route of config.routes) {
+    const fullPath = joinPaths(config.basePath, route.path);
+    const contextInjector = createContextInjector(
+      gatewayName,
+      route.path,
+      debugFactory,
+      config.requestIdHeader,
+      config.adapter,
+      config.debugHeaders,
+      config.tracing
+    );
+    const mergedPolicies = buildPolicyChain(
+      config.policies ?? [],
+      route.pipeline.policies ?? [],
+      debugPipeline,
+      config.defaultPolicyPriority
+    );
+    const middlewareChain = policiesToMiddleware(mergedPolicies);
+    const upstreamHandler = createUpstreamHandler(
+      route,
+      debugUpstream,
+      config.adapter
+    );
+    const allHandlers = [contextInjector, ...middlewareChain, upstreamHandler];
+    const methods = route.methods ?? config.defaultMethods ?? ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
+    const methodNames = methods.map((m) => m.toUpperCase());
+    const hasCors = mergedPolicies.some((p) => p.name === "cors");
+    if (hasCors && !methodNames.includes("OPTIONS")) {
+      const preflightHandlers = [
+        contextInjector,
+        ...middlewareChain,
+        async (c) => c.body(null, 204)
+      ];
+      app.on("OPTIONS", fullPath, ...preflightHandlers);
+      routeCount += 1;
+    }
+    app.on(methodNames, fullPath, ...allHandlers);
+    routeCount += methods.length;
+    const needsSlashAlias = fullPath.length > 1 && !fullPath.endsWith("/") && !fullPath.endsWith("*");
+    if (needsSlashAlias) {
+      const withSlash = `${fullPath}/`;
+      app.on(methodNames, withSlash, ...allHandlers);
+      routeCount += methods.length;
+      if (hasCors && !methodNames.includes("OPTIONS")) {
+        const preflightHandlers = [
+          contextInjector,
+          ...middlewareChain,
+          async (c) => c.body(null, 204)
+        ];
+        app.on("OPTIONS", withSlash, ...preflightHandlers);
+        routeCount += 1;
+      }
+    }
+    const policyNames = mergedPolicies.map((p) => p.name);
+    const registeredMethods = hasCors && !methodNames.includes("OPTIONS") ? [...methodNames, "OPTIONS"] : methodNames;
+    registeredRoutes.push({
+      path: fullPath,
+      methods: registeredMethods,
+      policyNames,
+      upstreamType: route.pipeline.upstream.type
+    });
+    for (const p of mergedPolicies) {
+      if (!allPoliciesMap.has(p.name)) {
+        allPoliciesMap.set(p.name, {
+          name: p.name,
+          priority: p.priority ?? config.defaultPolicyPriority ?? 100
+        });
+      }
+    }
+    debug(
+      `route ${fullPath} [${methodNames.join(",")}]${policyNames.length ? ` policies=[${policyNames.join(", ")}]` : ""} upstream=${route.pipeline.upstream.type}`
+    );
+  }
+  const registry = {
+    routes: registeredRoutes,
+    policies: Array.from(allPoliciesMap.values()).sort(
+      (a, b) => a.priority - b.priority
+    ),
+    gatewayName
+  };
+  if (config.admin) {
+    const adminConfig = typeof config.admin === "boolean" ? { enabled: true } : config.admin;
+    if (adminConfig.enabled) {
+      if (!adminConfig.auth) {
+        console.warn(
+          `[stoma:${gatewayName}] admin routes enabled without authentication`
+        );
+      }
+      registerAdminRoutes(app, adminConfig, registry);
+      debug(
+        `admin routes registered at /${adminConfig.prefix ?? "___gateway"}/*`
+      );
+    }
+  }
+  debug(`"${gatewayName}" started with ${routeCount} route handlers`);
+  return { app, routeCount, name: gatewayName, _registry: registry };
+}
+function joinPaths(basePath, routePath) {
+  if (!basePath) return routePath;
+  const base = basePath.endsWith("/") ? basePath.slice(0, -1) : basePath;
+  const route = routePath.startsWith("/") ? routePath : `/${routePath}`;
+  return `${base}${route}`;
+}
+function createUpstreamHandler(route, debug = noopDebugLogger, adapter) {
+  const upstream = route.pipeline.upstream;
+  switch (upstream.type) {
+    case "handler":
+      return createHandlerUpstream(upstream);
+    case "url":
+      return createUrlUpstream(upstream, debug);
+    case "service-binding":
+      return createServiceBindingUpstream(upstream, debug, adapter);
+    default:
+      throw new GatewayError(
+        500,
+        "config_error",
+        `Unknown upstream type: ${upstream.type}`
+      );
+  }
+}
+function createHandlerUpstream(upstream) {
+  return async (c) => {
+    c.set("_upstreamTarget", "handler");
+    return upstream.handler(c);
+  };
+}
+const HOP_BY_HOP_HEADERS = [
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "proxy-connection",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+];
+const ENCODING_HEADERS = ["content-encoding", "content-length"];
+function createServiceBindingUpstream(upstream, debug = noopDebugLogger, adapter) {
+  return async (c) => {
+    c.set("_upstreamTarget", `service-binding:${upstream.service}`);
+    if (!adapter?.dispatchBinding) {
+      throw new GatewayError(
+        502,
+        "config_error",
+        `Service binding "${upstream.service}" requires adapter.dispatchBinding - pass "env" to cloudflareAdapter() or provide a custom dispatchBinding`
+      );
+    }
+    const incomingUrl = new URL(c.req.url);
+    let targetPath = incomingUrl.pathname;
+    if (upstream.rewritePath) {
+      const originalPath = targetPath;
+      targetPath = upstream.rewritePath(targetPath);
+      debug(`path rewrite: ${originalPath} -> ${targetPath}`);
+    }
+    const targetUrl = new URL(targetPath + incomingUrl.search, c.req.url);
+    debug(
+      `service-binding "${upstream.service}": ${c.req.method} ${targetUrl.pathname}${targetUrl.search}`
+    );
+    const headers = cloneRequestHeaders(c);
+    for (const h of HOP_BY_HOP_HEADERS) {
+      headers.delete(h);
+    }
+    const ctx = getGatewayContext(c);
+    if (ctx) {
+      const upstreamSpanId = generateSpanId();
+      headers.set(
+        "traceparent",
+        formatTraceparent({
+          version: "00",
+          traceId: ctx.traceId,
+          parentId: upstreamSpanId,
+          flags: "01"
+        })
+      );
+    }
+    const proxyRequest = new Request(targetUrl.toString(), {
+      method: c.req.method,
+      headers,
+      body: c.req.raw.body,
+      // @ts-expect-error -- duplex is needed for streaming bodies
+      duplex: c.req.raw.body ? "half" : void 0
+    });
+    const otelSpans = c.get("_otelSpans");
+    let upstreamSpan;
+    if (otelSpans !== void 0) {
+      const rootSpan = c.get("_otelRootSpan");
+      upstreamSpan = new SpanBuilder(
+        `upstream:service-binding:${upstream.service}`,
+        "CLIENT",
+        rootSpan.traceId,
+        generateOtelSpanId(),
+        rootSpan.spanId
+      );
+      upstreamSpan.setAttribute(SemConv.HTTP_METHOD, c.req.method).setAttribute(SemConv.URL_PATH, targetUrl.pathname).setAttribute("rpc.service", upstream.service);
+    }
+    const startTime = Date.now();
+    const response = await adapter.dispatchBinding(
+      upstream.service,
+      proxyRequest
+    );
+    debug(
+      `service-binding responded: ${response.status} (${Date.now() - startTime}ms)`
+    );
+    if (upstreamSpan) {
+      upstreamSpan.setAttribute(SemConv.HTTP_STATUS_CODE, response.status).setStatus(response.status >= 500 ? "ERROR" : "OK");
+      otelSpans.push(upstreamSpan.end());
+    }
+    const responseHeaders = new Headers(response.headers);
+    for (const h of HOP_BY_HOP_HEADERS) {
+      responseHeaders.delete(h);
+    }
+    for (const h of ENCODING_HEADERS) {
+      responseHeaders.delete(h);
+    }
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: responseHeaders
+    });
+  };
+}
+function createUrlUpstream(upstream, debug = noopDebugLogger) {
+  const targetBase = new URL(upstream.target);
+  return async (c) => {
+    const incomingUrl = new URL(c.req.url);
+    let targetPath = incomingUrl.pathname;
+    if (upstream.rewritePath) {
+      const originalPath = targetPath;
+      targetPath = upstream.rewritePath(targetPath);
+      debug(`path rewrite: ${originalPath} -> ${targetPath}`);
+    }
+    const targetUrl = new URL(targetPath + incomingUrl.search, targetBase);
+    c.set("_upstreamTarget", targetUrl.toString());
+    if (targetUrl.origin !== targetBase.origin) {
+      debug(
+        `SSRF blocked: rewritten URL origin ${targetUrl.origin} != ${targetBase.origin}`
+      );
+      throw new GatewayError(
+        502,
+        "upstream_error",
+        "Rewritten URL must not change the upstream origin"
+      );
+    }
+    debug(`proxying ${c.req.method} ${c.req.path} -> ${targetUrl.toString()}`);
+    const headers = cloneRequestHeaders(c);
+    for (const h of HOP_BY_HOP_HEADERS) {
+      headers.delete(h);
+    }
+    const preserveHost = c.get("_preserveHost") === true;
+    if (!preserveHost) {
+      headers.set("host", targetUrl.host);
+    }
+    if (upstream.headers) {
+      for (const [key, value] of Object.entries(upstream.headers)) {
+        headers.set(key, value);
+      }
+    }
+    const ctx = getGatewayContext(c);
+    if (ctx) {
+      const upstreamSpanId = generateSpanId();
+      headers.set(
+        "traceparent",
+        formatTraceparent({
+          version: "00",
+          traceId: ctx.traceId,
+          parentId: upstreamSpanId,
+          flags: "01"
+        })
+      );
+    }
+    const proxyRequest = new Request(targetUrl.toString(), {
+      method: c.req.method,
+      headers,
+      body: c.req.raw.body,
+      redirect: "manual",
+      // Prevent SSRF via redirect to internal services
+      // @ts-expect-error -- duplex is needed for streaming bodies
+      duplex: c.req.raw.body ? "half" : void 0
+    });
+    c.set("_proxyRequest", proxyRequest.clone());
+    const timeoutSignal = c.get("_timeoutSignal");
+    const otelSpans = c.get("_otelSpans");
+    let upstreamSpan;
+    if (otelSpans !== void 0) {
+      const rootSpan = c.get("_otelRootSpan");
+      upstreamSpan = new SpanBuilder(
+        `upstream:url:${targetUrl.host}`,
+        "CLIENT",
+        rootSpan.traceId,
+        generateOtelSpanId(),
+        rootSpan.spanId
+      );
+      upstreamSpan.setAttribute(SemConv.HTTP_METHOD, c.req.method).setAttribute(SemConv.URL_PATH, targetUrl.pathname).setAttribute(SemConv.SERVER_ADDRESS, targetUrl.host);
+    }
+    const startTime = Date.now();
+    let response;
+    try {
+      response = await fetch(
+        proxyRequest,
+        timeoutSignal ? { signal: timeoutSignal } : void 0
+      );
+    } catch (err) {
+      if (err instanceof DOMException && err.name === "AbortError") {
+        throw err;
+      }
+      debug(
+        `upstream fetch failed: ${err instanceof Error ? err.message : err}`
+      );
+      throw new GatewayError(
+        502,
+        "upstream_error",
+        `Upstream request to ${targetUrl.host} failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    debug(
+      `upstream responded: ${response.status} (${Date.now() - startTime}ms)`
+    );
+    if (upstreamSpan) {
+      upstreamSpan.setAttribute(SemConv.HTTP_STATUS_CODE, response.status).setStatus(response.status >= 500 ? "ERROR" : "OK");
+      otelSpans.push(upstreamSpan.end());
+    }
+    const responseHeaders = new Headers(response.headers);
+    for (const h of HOP_BY_HOP_HEADERS) {
+      responseHeaders.delete(h);
+    }
+    for (const h of ENCODING_HEADERS) {
+      responseHeaders.delete(h);
+    }
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: responseHeaders
+    });
+  };
+}
+export {
+  createGateway
+};
+//# sourceMappingURL=gateway.js.map

package/dist/core/gateway.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/core/gateway.ts"],"sourcesContent":["/**\n * Gateway factory - the main entry point for creating a stoma gateway.\n *\n * Wires together route registration, the policy pipeline, error handling,\n * and upstream dispatch (URL proxy, Service Binding, or custom handler).\n * All configuration is declarative - pass a {@link GatewayConfig} to\n * {@link createGateway} and export the resulting Hono app as your Worker.\n *\n * @module gateway\n *\n * @example\n * ```ts\n * import { createGateway, jwtAuth, rateLimit, cors } from \"@vivero/stoma\";\n *\n * const gateway = createGateway({\n *   name: \"my-api\",\n *   basePath: \"/api\",\n *   debug: env.DEBUG, // \"stoma:*\" for all, or \"stoma:policy:*\" for policies only\n *   policies: [cors(), rateLimit({ max: 100 })],\n *   routes: [\n *     {\n *       path: \"/users/*\",\n *       pipeline: {\n *         policies: [jwtAuth({ secret: env.JWT_SECRET })],\n *         upstream: { type: \"url\", target: \"https://users-service.internal\" },\n *       },\n *     },\n *   ],\n * });\n *\n * export default gateway.app;\n * ```\n */\nimport { type Context, Hono } from \"hono\";\nimport type { GatewayAdapter } from \"../adapters/types\";\nimport { registerAdminRoutes } from \"../observability/admin\";\nimport type { ReadableSpan } from \"../observability/tracing\";\nimport {\n  generateOtelSpanId,\n  SemConv,\n  SpanBuilder,\n} from \"../observability/tracing\";\nimport { createDebugFactory, noopDebugLogger } from \"../utils/debug\";\nimport { cloneRequestHeaders } from \"../utils/headers\";\nimport { formatTraceparent, generateSpanId } from \"../utils/trace-context\";\nimport { defaultErrorResponse, errorToResponse, GatewayError } from \"./errors\";\nimport {\n  buildPolicyChain,\n  createContextInjector,\n  getGatewayContext,\n  policiesToMiddleware,\n} from \"./pipeline\";\nimport type {\n  AdminConfig,\n  GatewayConfig,\n  GatewayInstance,\n  GatewayRegistry,\n  HandlerUpstream,\n  HttpMethod,\n  RegisteredPolicy,\n  RegisteredRoute,\n  RouteConfig,\n  ServiceBindingUpstream,\n  UrlUpstream,\n} from \"./types\";\n\n/**\n * Create a gateway instance from a declarative configuration.\n *\n * Registers all routes on a Hono app, builds per-route policy pipelines\n * (merging global + route-level policies), and wires up upstream dispatch.\n * Returns a {@link GatewayInstance} whose `.app` property is the Hono app\n * ready to be exported as a Cloudflare Worker default export.\n *\n * @param config - Full gateway configuration including routes, policies, and options.\n * @returns A {@link GatewayInstance} with the configured Hono app.\n * @throws {GatewayError} If no routes are provided.\n *\n * @example\n * ```ts\n * import { createGateway, jwtAuth, rateLimit } from \"@vivero/stoma\";\n *\n * const gateway = createGateway({\n *   name: \"my-api\",\n *   basePath: \"/api\",\n *   routes: [\n *     {\n *       path: \"/users/*\",\n *       pipeline: {\n *         policies: [jwtAuth({ secret: env.JWT_SECRET }), rateLimit({ max: 100 })],\n *         upstream: { type: \"url\", target: \"https://users-service.internal\" },\n *       },\n *     },\n *   ],\n * });\n *\n * export default gateway.app;\n * ```\n */\nexport function createGateway<TBindings = Record<string, unknown>>(\n  config: GatewayConfig<TBindings>\n): GatewayInstance {\n  if (!config.routes || config.routes.length === 0) {\n    throw new GatewayError(\n      500,\n      \"config_error\",\n      \"Gateway requires at least one route\"\n    );\n  }\n\n  const gatewayName = config.name ?? \"edge-gateway\";\n  const debugFactory = createDebugFactory(config.debug);\n  const debug = debugFactory(\"stoma:gateway\");\n  const debugPipeline = debugFactory(\"stoma:pipeline\");\n  const debugUpstream = debugFactory(\"stoma:upstream\");\n\n  const app = new Hono();\n\n  // Global error handler\n  app.onError((err, c) => {\n    if (config.onError) {\n      return config.onError(err, c);\n    }\n\n    const ctx = getGatewayContext(c);\n\n    if (err instanceof GatewayError) {\n      return errorToResponse(err, ctx?.requestId);\n    }\n\n    // Log unexpected errors - these are bugs, not expected policy rejections\n    console.error(\n      `[${gatewayName}] Unhandled error on ${c.req.method} ${c.req.path}:`,\n      err\n    );\n\n    return defaultErrorResponse(ctx?.requestId, config.defaultErrorMessage);\n  });\n\n  // Catch-all for unmatched routes - return structured JSON instead of Hono's plain-text 404\n  app.notFound((c) => {\n    debug(`no route matches ${c.req.method} ${c.req.path}`);\n    return c.json(\n      {\n        error: \"not_found\",\n        message: `No route matches ${c.req.method} ${c.req.path}`,\n        statusCode: 404,\n        gateway: gatewayName,\n      },\n      404\n    );\n  });\n\n  let routeCount = 0;\n\n  // Build registry for admin introspection\n  const registeredRoutes: RegisteredRoute[] = [];\n  const allPoliciesMap = new Map<string, RegisteredPolicy>();\n\n  for (const route of config.routes) {\n    const fullPath = joinPaths(config.basePath, route.path);\n\n    // Build the policy chain: context injector + merged policies\n    const contextInjector = createContextInjector(\n      gatewayName,\n      route.path,\n      debugFactory,\n      config.requestIdHeader,\n      config.adapter,\n      config.debugHeaders,\n      config.tracing\n    );\n    const mergedPolicies = buildPolicyChain(\n      config.policies ?? [],\n      route.pipeline.policies ?? [],\n      debugPipeline,\n      config.defaultPolicyPriority\n    );\n    const middlewareChain = policiesToMiddleware(mergedPolicies);\n\n    // Build the upstream handler\n    const upstreamHandler = createUpstreamHandler(\n      route,\n      debugUpstream,\n      config.adapter\n    );\n\n    // All middleware in order: context → policies → upstream\n    const allHandlers = [contextInjector, ...middlewareChain, upstreamHandler];\n\n    const methods =\n      route.methods ??\n      config.defaultMethods ??\n      ([\"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", \"OPTIONS\"] as HttpMethod[]);\n\n    // Use app.on() for safe method registration - avoids missing method issues\n    // (Hono handles HEAD automatically when GET is registered)\n    const methodNames = methods.map((m) => m.toUpperCase());\n\n    // Auto-inject an OPTIONS handler for CORS preflight when a cors policy\n    // is present but OPTIONS is not already in the route's method list.\n    // The preflight handler runs only the context injector + policy chain\n    // (no upstream) — the CORS middleware returns 204 and the terminal\n    // handler ensures the context is finalized if CORS doesn't short-circuit.\n    const hasCors = mergedPolicies.some((p) => p.name === \"cors\");\n    if (hasCors && !methodNames.includes(\"OPTIONS\")) {\n      const preflightHandlers = [\n        contextInjector,\n        ...middlewareChain,\n        async (c: Context) => c.body(null, 204),\n      ];\n      // biome-ignore lint/suspicious/noExplicitAny: Hono's overloaded .on() types don't infer well with dynamic method arrays\n      (app as any).on(\"OPTIONS\", fullPath, ...preflightHandlers);\n      routeCount += 1;\n    }\n\n    // biome-ignore lint/suspicious/noExplicitAny: Hono's overloaded .on() types don't infer well with dynamic method arrays\n    (app as any).on(methodNames, fullPath, ...allHandlers);\n    routeCount += methods.length;\n\n    // Register a trailing-slash alias so /path and /path/ both resolve.\n    // Hono treats them as distinct routes, but users (and browsers sending\n    // CORS preflight) expect both to work.  Skip wildcard and already-\n    // trailing-slash paths — they don't need an alias.\n    const needsSlashAlias =\n      fullPath.length > 1 && !fullPath.endsWith(\"/\") && !fullPath.endsWith(\"*\");\n    if (needsSlashAlias) {\n      const withSlash = `${fullPath}/`;\n      // biome-ignore lint/suspicious/noExplicitAny: Hono's overloaded .on() types\n      (app as any).on(methodNames, withSlash, ...allHandlers);\n      routeCount += methods.length;\n      if (hasCors && !methodNames.includes(\"OPTIONS\")) {\n        const preflightHandlers = [\n          contextInjector,\n          ...middlewareChain,\n          async (c: Context) => c.body(null, 204),\n        ];\n        // biome-ignore lint/suspicious/noExplicitAny: Hono's overloaded .on() types\n        (app as any).on(\"OPTIONS\", withSlash, ...preflightHandlers);\n        routeCount += 1;\n      }\n    }\n\n    const policyNames = mergedPolicies.map((p) => p.name);\n\n    // Track registry data (include auto-injected OPTIONS in the method list)\n    const registeredMethods =\n      hasCors && !methodNames.includes(\"OPTIONS\")\n        ? [...methodNames, \"OPTIONS\"]\n        : methodNames;\n    registeredRoutes.push({\n      path: fullPath,\n      methods: registeredMethods,\n      policyNames,\n      upstreamType: route.pipeline.upstream.type,\n    });\n\n    for (const p of mergedPolicies) {\n      if (!allPoliciesMap.has(p.name)) {\n        allPoliciesMap.set(p.name, {\n          name: p.name,\n          priority: p.priority ?? config.defaultPolicyPriority ?? 100,\n        });\n      }\n    }\n\n    debug(\n      `route ${fullPath} [${methodNames.join(\",\")}]${policyNames.length ? ` policies=[${policyNames.join(\", \")}]` : \"\"} upstream=${route.pipeline.upstream.type}`\n    );\n  }\n\n  const registry: GatewayRegistry = {\n    routes: registeredRoutes,\n    policies: Array.from(allPoliciesMap.values()).sort(\n      (a, b) => a.priority - b.priority\n    ),\n    gatewayName,\n  };\n\n  // Register admin introspection routes if configured\n  if (config.admin) {\n    const adminConfig: AdminConfig =\n      typeof config.admin === \"boolean\" ? { enabled: true } : config.admin;\n    if (adminConfig.enabled) {\n      if (!adminConfig.auth) {\n        console.warn(\n          `[stoma:${gatewayName}] admin routes enabled without authentication`\n        );\n      }\n      registerAdminRoutes(app, adminConfig, registry);\n      debug(\n        `admin routes registered at /${adminConfig.prefix ?? \"___gateway\"}/*`\n      );\n    }\n  }\n\n  debug(`\"${gatewayName}\" started with ${routeCount} route handlers`);\n\n  return { app, routeCount, name: gatewayName, _registry: registry };\n}\n\n/** Join a base path with a route path, handling slashes */\nfunction joinPaths(basePath: string | undefined, routePath: string): string {\n  if (!basePath) return routePath;\n  const base = basePath.endsWith(\"/\") ? basePath.slice(0, -1) : basePath;\n  const route = routePath.startsWith(\"/\") ? routePath : `/${routePath}`;\n  return `${base}${route}`;\n}\n\n/** Create the terminal handler that dispatches to the upstream */\nfunction createUpstreamHandler(\n  // biome-ignore lint/suspicious/noExplicitAny: Internal function - TBindings is erased at runtime\n  route: RouteConfig<any>,\n  debug = noopDebugLogger,\n  adapter?: GatewayAdapter\n) {\n  const upstream = route.pipeline.upstream;\n\n  switch (upstream.type) {\n    case \"handler\":\n      return createHandlerUpstream(upstream);\n    case \"url\":\n      return createUrlUpstream(upstream, debug);\n    case \"service-binding\":\n      return createServiceBindingUpstream(upstream, debug, adapter);\n    default:\n      throw new GatewayError(\n        500,\n        \"config_error\",\n        `Unknown upstream type: ${(upstream as { type: string }).type}`\n      );\n  }\n}\n\n/** Handler upstream - invoke the custom function directly */\nfunction createHandlerUpstream(upstream: HandlerUpstream) {\n  return async (c: Context) => {\n    c.set(\"_upstreamTarget\", \"handler\");\n    return upstream.handler(c);\n  };\n}\n\n/**\n * Hop-by-hop headers that MUST NOT be forwarded by proxies (RFC 2616 §13.5.1).\n * These are connection-specific and meaningless to the upstream.\n */\nconst HOP_BY_HOP_HEADERS = [\n  \"connection\",\n  \"keep-alive\",\n  \"proxy-authenticate\",\n  \"proxy-authorization\",\n  \"proxy-connection\",\n  \"te\",\n  \"trailer\",\n  \"transfer-encoding\",\n  \"upgrade\",\n];\n\n/**\n * Headers that become stale after the runtime's `fetch()` transparently\n * decompresses the response body. The body is already decoded, so these\n * headers no longer describe it and will cause browser errors\n * (ERR_CONTENT_DECODING_FAILED / ERR_CONTENT_LENGTH_MISMATCH) if forwarded.\n */\nconst ENCODING_HEADERS = [\"content-encoding\", \"content-length\"];\n\n/**\n * Service Binding upstream - forward to a named service binding or sidecar.\n *\n * Requires `adapter.dispatchBinding` to be configured. On Cloudflare, pass\n * `env` to `cloudflareAdapter()`. On other runtimes, provide a custom\n * `dispatchBinding` implementation.\n */\nfunction createServiceBindingUpstream(\n  upstream: ServiceBindingUpstream,\n  debug = noopDebugLogger,\n  adapter?: GatewayAdapter\n) {\n  return async (c: Context) => {\n    c.set(\"_upstreamTarget\", `service-binding:${upstream.service}`);\n\n    if (!adapter?.dispatchBinding) {\n      throw new GatewayError(\n        502,\n        \"config_error\",\n        `Service binding \"${upstream.service}\" requires adapter.dispatchBinding - pass \"env\" to cloudflareAdapter() or provide a custom dispatchBinding`\n      );\n    }\n\n    const incomingUrl = new URL(c.req.url);\n\n    // Apply path rewrite if configured\n    let targetPath = incomingUrl.pathname;\n    if (upstream.rewritePath) {\n      const originalPath = targetPath;\n      targetPath = upstream.rewritePath(targetPath);\n      debug(`path rewrite: ${originalPath} -> ${targetPath}`);\n    }\n\n    // Build the forwarded URL preserving query string\n    const targetUrl = new URL(targetPath + incomingUrl.search, c.req.url);\n\n    debug(\n      `service-binding \"${upstream.service}\": ${c.req.method} ${targetUrl.pathname}${targetUrl.search}`\n    );\n\n    // Clone headers, strip hop-by-hop\n    const headers = cloneRequestHeaders(c);\n    for (const h of HOP_BY_HOP_HEADERS) {\n      headers.delete(h);\n    }\n\n    // Forward W3C traceparent with a new spanId for the upstream leg\n    const ctx = getGatewayContext(c);\n    if (ctx) {\n      const upstreamSpanId = generateSpanId();\n      headers.set(\n        \"traceparent\",\n        formatTraceparent({\n          version: \"00\",\n          traceId: ctx.traceId,\n          parentId: upstreamSpanId,\n          flags: \"01\",\n        })\n      );\n    }\n\n    const proxyRequest = new Request(targetUrl.toString(), {\n      method: c.req.method,\n      headers,\n      body: c.req.raw.body,\n      // @ts-expect-error -- duplex is needed for streaming bodies\n      duplex: c.req.raw.body ? \"half\" : undefined,\n    });\n\n    // OTel: create CLIENT span for the service binding call\n    const otelSpans = c.get(\"_otelSpans\") as ReadableSpan[] | undefined;\n    let upstreamSpan: SpanBuilder | undefined;\n    if (otelSpans !== undefined) {\n      const rootSpan = c.get(\"_otelRootSpan\") as SpanBuilder;\n      upstreamSpan = new SpanBuilder(\n        `upstream:service-binding:${upstream.service}`,\n        \"CLIENT\",\n        rootSpan.traceId,\n        generateOtelSpanId(),\n        rootSpan.spanId\n      );\n      upstreamSpan\n        .setAttribute(SemConv.HTTP_METHOD, c.req.method)\n        .setAttribute(SemConv.URL_PATH, targetUrl.pathname)\n        .setAttribute(\"rpc.service\", upstream.service);\n    }\n\n    const startTime = Date.now();\n    const response = await adapter.dispatchBinding(\n      upstream.service,\n      proxyRequest\n    );\n\n    debug(\n      `service-binding responded: ${response.status} (${Date.now() - startTime}ms)`\n    );\n\n    // OTel: finalize upstream span\n    if (upstreamSpan) {\n      upstreamSpan\n        .setAttribute(SemConv.HTTP_STATUS_CODE, response.status)\n        .setStatus(response.status >= 500 ? \"ERROR\" : \"OK\");\n      otelSpans!.push(upstreamSpan.end());\n    }\n\n    // Strip hop-by-hop and stale encoding headers from the upstream response\n    const responseHeaders = new Headers(response.headers);\n    for (const h of HOP_BY_HOP_HEADERS) {\n      responseHeaders.delete(h);\n    }\n    for (const h of ENCODING_HEADERS) {\n      responseHeaders.delete(h);\n    }\n\n    return new Response(response.body, {\n      status: response.status,\n      statusText: response.statusText,\n      headers: responseHeaders,\n    });\n  };\n}\n\n/** URL upstream - proxy the request to a remote URL */\nfunction createUrlUpstream(upstream: UrlUpstream, debug = noopDebugLogger) {\n  // Pre-validate the target URL at config time\n  const targetBase = new URL(upstream.target);\n\n  return async (c: Context) => {\n    const incomingUrl = new URL(c.req.url);\n\n    // Apply path rewrite if configured\n    let targetPath = incomingUrl.pathname;\n    if (upstream.rewritePath) {\n      const originalPath = targetPath;\n      targetPath = upstream.rewritePath(targetPath);\n      debug(`path rewrite: ${originalPath} -> ${targetPath}`);\n    }\n\n    const targetUrl = new URL(targetPath + incomingUrl.search, targetBase);\n\n    // Set after path rewrite so the log captures the actual resolved URL\n    c.set(\"_upstreamTarget\", targetUrl.toString());\n\n    // SSRF protection: ensure the rewritten URL still points to the\n    // configured upstream origin (protocol + host + port).\n    if (targetUrl.origin !== targetBase.origin) {\n      debug(\n        `SSRF blocked: rewritten URL origin ${targetUrl.origin} != ${targetBase.origin}`\n      );\n      throw new GatewayError(\n        502,\n        \"upstream_error\",\n        \"Rewritten URL must not change the upstream origin\"\n      );\n    }\n\n    debug(`proxying ${c.req.method} ${c.req.path} -> ${targetUrl.toString()}`);\n\n    // Clone headers, strip hop-by-hop headers\n    const headers = cloneRequestHeaders(c);\n    for (const h of HOP_BY_HOP_HEADERS) {\n      headers.delete(h);\n    }\n\n    // Preserve inbound Host only when explicitly requested by proxy policy.\n    const preserveHost = c.get(\"_preserveHost\") === true;\n    if (!preserveHost) {\n      headers.set(\"host\", targetUrl.host);\n    }\n\n    // Apply configured header overrides\n    if (upstream.headers) {\n      for (const [key, value] of Object.entries(upstream.headers)) {\n        headers.set(key, value);\n      }\n    }\n\n    // Forward W3C traceparent with a new spanId for the upstream leg\n    const ctx = getGatewayContext(c);\n    if (ctx) {\n      const upstreamSpanId = generateSpanId();\n      headers.set(\n        \"traceparent\",\n        formatTraceparent({\n          version: \"00\",\n          traceId: ctx.traceId,\n          parentId: upstreamSpanId,\n          flags: \"01\",\n        })\n      );\n    }\n\n    const proxyRequest = new Request(targetUrl.toString(), {\n      method: c.req.method,\n      headers,\n      body: c.req.raw.body,\n      redirect: \"manual\", // Prevent SSRF via redirect to internal services\n      // @ts-expect-error -- duplex is needed for streaming bodies\n      duplex: c.req.raw.body ? \"half\" : undefined,\n    });\n\n    // Store the proxy request on context so the retry policy can re-issue\n    // it directly via fetch() without monkey-patching globalThis.fetch.\n    c.set(\"_proxyRequest\", proxyRequest.clone());\n\n    // Read the timeout signal if the timeout policy set one\n    const timeoutSignal = c.get(\"_timeoutSignal\") as AbortSignal | undefined;\n\n    // OTel: create CLIENT span for the upstream call\n    const otelSpans = c.get(\"_otelSpans\") as ReadableSpan[] | undefined;\n    let upstreamSpan: SpanBuilder | undefined;\n    if (otelSpans !== undefined) {\n      const rootSpan = c.get(\"_otelRootSpan\") as SpanBuilder;\n      upstreamSpan = new SpanBuilder(\n        `upstream:url:${targetUrl.host}`,\n        \"CLIENT\",\n        rootSpan.traceId,\n        generateOtelSpanId(),\n        rootSpan.spanId\n      );\n      upstreamSpan\n        .setAttribute(SemConv.HTTP_METHOD, c.req.method)\n        .setAttribute(SemConv.URL_PATH, targetUrl.pathname)\n        .setAttribute(SemConv.SERVER_ADDRESS, targetUrl.host);\n    }\n\n    const startTime = Date.now();\n    let response: Response;\n    try {\n      response = await fetch(\n        proxyRequest,\n        timeoutSignal ? { signal: timeoutSignal } : undefined\n      );\n    } catch (err) {\n      // AbortError from the timeout policy should stay as-is so the\n      // timeout policy's catch handler can identify it.\n      if (err instanceof DOMException && err.name === \"AbortError\") {\n        throw err;\n      }\n      debug(\n        `upstream fetch failed: ${err instanceof Error ? err.message : err}`\n      );\n      throw new GatewayError(\n        502,\n        \"upstream_error\",\n        `Upstream request to ${targetUrl.host} failed: ${err instanceof Error ? err.message : String(err)}`\n      );\n    }\n    debug(\n      `upstream responded: ${response.status} (${Date.now() - startTime}ms)`\n    );\n\n    // OTel: finalize upstream span\n    if (upstreamSpan) {\n      upstreamSpan\n        .setAttribute(SemConv.HTTP_STATUS_CODE, response.status)\n        .setStatus(response.status >= 500 ? \"ERROR\" : \"OK\");\n      otelSpans!.push(upstreamSpan.end());\n    }\n\n    // Strip hop-by-hop and stale encoding headers from the upstream response.\n    // fetch() transparently decompresses, so content-encoding/content-length\n    // no longer describe the body and will cause browser decode errors.\n    const responseHeaders = new Headers(response.headers);\n    for (const h of HOP_BY_HOP_HEADERS) {\n      responseHeaders.delete(h);\n    }\n    for (const h of ENCODING_HEADERS) {\n      responseHeaders.delete(h);\n    }\n\n    return new Response(response.body, {\n      status: response.status,\n      statusText: response.statusText,\n      headers: responseHeaders,\n    });\n  };\n}\n"],"mappings":"AAiCA,SAAuB,YAAY;AAEnC,SAAS,2BAA2B;AAEpC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,oBAAoB,uBAAuB;AACpD,SAAS,2BAA2B;AACpC,SAAS,mBAAmB,sBAAsB;AAClD,SAAS,sBAAsB,iBAAiB,oBAAoB;AACpE;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAgDA,SAAS,cACd,QACiB;AACjB,MAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,GAAG;AAChD,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,OAAO,QAAQ;AACnC,QAAM,eAAe,mBAAmB,OAAO,KAAK;AACpD,QAAM,QAAQ,aAAa,eAAe;AAC1C,QAAM,gBAAgB,aAAa,gBAAgB;AACnD,QAAM,gBAAgB,aAAa,gBAAgB;AAEnD,QAAM,MAAM,IAAI,KAAK;AAGrB,MAAI,QAAQ,CAAC,KAAK,MAAM;AACtB,QAAI,OAAO,SAAS;AAClB,aAAO,OAAO,QAAQ,KAAK,CAAC;AAAA,IAC9B;AAEA,UAAM,MAAM,kBAAkB,CAAC;AAE/B,QAAI,eAAe,cAAc;AAC/B,aAAO,gBAAgB,KAAK,KAAK,SAAS;AAAA,IAC5C;AAGA,YAAQ;AAAA,MACN,IAAI,WAAW,wBAAwB,EAAE,IAAI,MAAM,IAAI,EAAE,IAAI,IAAI;AAAA,MACjE;AAAA,IACF;AAEA,WAAO,qBAAqB,KAAK,WAAW,OAAO,mBAAmB;AAAA,EACxE,CAAC;AAGD,MAAI,SAAS,CAAC,MAAM;AAClB,UAAM,oBAAoB,EAAE,IAAI,MAAM,IAAI,EAAE,IAAI,IAAI,EAAE;AACtD,WAAO,EAAE;AAAA,MACP;AAAA,QACE,OAAO;AAAA,QACP,SAAS,oBAAoB,EAAE,IAAI,MAAM,IAAI,EAAE,IAAI,IAAI;AAAA,QACvD,YAAY;AAAA,QACZ,SAAS;AAAA,MACX;AAAA,MACA;AAAA,IACF;AAAA,EACF,CAAC;AAED,MAAI,aAAa;AAGjB,QAAM,mBAAsC,CAAC;AAC7C,QAAM,iBAAiB,oBAAI,IAA8B;AAEzD,aAAW,SAAS,OAAO,QAAQ;AACjC,UAAM,WAAW,UAAU,OAAO,UAAU,MAAM,IAAI;AAGtD,UAAM,kBAAkB;AAAA,MACtB;AAAA,MACA,MAAM;AAAA,MACN;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,UAAM,iBAAiB;AAAA,MACrB,OAAO,YAAY,CAAC;AAAA,MACpB,MAAM,SAAS,YAAY,CAAC;AAAA,MAC5B;AAAA,MACA,OAAO;AAAA,IACT;AACA,UAAM,kBAAkB,qBAAqB,cAAc;AAG3D,UAAM,kBAAkB;AAAA,MACtB;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IACT;AAGA,UAAM,cAAc,CAAC,iBAAiB,GAAG,iBAAiB,eAAe;AAEzE,UAAM,UACJ,MAAM,WACN,OAAO,kBACN,CAAC,OAAO,QAAQ,OAAO,SAAS,UAAU,SAAS;AAItD,UAAM,cAAc,QAAQ,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC;AAOtD,UAAM,UAAU,eAAe,KAAK,CAAC,MAAM,EAAE,SAAS,MAAM;AAC5D,QAAI,WAAW,CAAC,YAAY,SAAS,SAAS,GAAG;AAC/C,YAAM,oBAAoB;AAAA,QACxB;AAAA,QACA,GAAG;AAAA,QACH,OAAO,MAAe,EAAE,KAAK,MAAM,GAAG;AAAA,MACxC;AAEA,MAAC,IAAY,GAAG,WAAW,UAAU,GAAG,iBAAiB;AACzD,oBAAc;AAAA,IAChB;AAGA,IAAC,IAAY,GAAG,aAAa,UAAU,GAAG,WAAW;AACrD,kBAAc,QAAQ;AAMtB,UAAM,kBACJ,SAAS,SAAS,KAAK,CAAC,SAAS,SAAS,GAAG,KAAK,CAAC,SAAS,SAAS,GAAG;AAC1E,QAAI,iBAAiB;AACnB,YAAM,YAAY,GAAG,QAAQ;AAE7B,MAAC,IAAY,GAAG,aAAa,WAAW,GAAG,WAAW;AACtD,oBAAc,QAAQ;AACtB,UAAI,WAAW,CAAC,YAAY,SAAS,SAAS,GAAG;AAC/C,cAAM,oBAAoB;AAAA,UACxB;AAAA,UACA,GAAG;AAAA,UACH,OAAO,MAAe,EAAE,KAAK,MAAM,GAAG;AAAA,QACxC;AAEA,QAAC,IAAY,GAAG,WAAW,WAAW,GAAG,iBAAiB;AAC1D,sBAAc;AAAA,MAChB;AAAA,IACF;AAEA,UAAM,cAAc,eAAe,IAAI,CAAC,MAAM,EAAE,IAAI;AAGpD,UAAM,oBACJ,WAAW,CAAC,YAAY,SAAS,SAAS,IACtC,CAAC,GAAG,aAAa,SAAS,IAC1B;AACN,qBAAiB,KAAK;AAAA,MACpB,MAAM;AAAA,MACN,SAAS;AAAA,MACT;AAAA,MACA,cAAc,MAAM,SAAS,SAAS;AAAA,IACxC,CAAC;AAED,eAAW,KAAK,gBAAgB;AAC9B,UAAI,CAAC,eAAe,IAAI,EAAE,IAAI,GAAG;AAC/B,uBAAe,IAAI,EAAE,MAAM;AAAA,UACzB,MAAM,EAAE;AAAA,UACR,UAAU,EAAE,YAAY,OAAO,yBAAyB;AAAA,QAC1D,CAAC;AAAA,MACH;AAAA,IACF;AAEA;AAAA,MACE,SAAS,QAAQ,KAAK,YAAY,KAAK,GAAG,CAAC,IAAI,YAAY,SAAS,cAAc,YAAY,KAAK,IAAI,CAAC,MAAM,EAAE,aAAa,MAAM,SAAS,SAAS,IAAI;AAAA,IAC3J;AAAA,EACF;AAEA,QAAM,WAA4B;AAAA,IAChC,QAAQ;AAAA,IACR,UAAU,MAAM,KAAK,eAAe,OAAO,CAAC,EAAE;AAAA,MAC5C,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AAGA,MAAI,OAAO,OAAO;AAChB,UAAM,cACJ,OAAO,OAAO,UAAU,YAAY,EAAE,SAAS,KAAK,IAAI,OAAO;AACjE,QAAI,YAAY,SAAS;AACvB,UAAI,CAAC,YAAY,MAAM;AACrB,gBAAQ;AAAA,UACN,UAAU,WAAW;AAAA,QACvB;AAAA,MACF;AACA,0BAAoB,KAAK,aAAa,QAAQ;AAC9C;AAAA,QACE,+BAA+B,YAAY,UAAU,YAAY;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI,WAAW,kBAAkB,UAAU,iBAAiB;AAElE,SAAO,EAAE,KAAK,YAAY,MAAM,aAAa,WAAW,SAAS;AACnE;AAGA,SAAS,UAAU,UAA8B,WAA2B;AAC1E,MAAI,CAAC,SAAU,QAAO;AACtB,QAAM,OAAO,SAAS,SAAS,GAAG,IAAI,SAAS,MAAM,GAAG,EAAE,IAAI;AAC9D,QAAM,QAAQ,UAAU,WAAW,GAAG,IAAI,YAAY,IAAI,SAAS;AACnE,SAAO,GAAG,IAAI,GAAG,KAAK;AACxB;AAGA,SAAS,sBAEP,OACA,QAAQ,iBACR,SACA;AACA,QAAM,WAAW,MAAM,SAAS;AAEhC,UAAQ,SAAS,MAAM;AAAA,IACrB,KAAK;AACH,aAAO,sBAAsB,QAAQ;AAAA,IACvC,KAAK;AACH,aAAO,kBAAkB,UAAU,KAAK;AAAA,IAC1C,KAAK;AACH,aAAO,6BAA6B,UAAU,OAAO,OAAO;AAAA,IAC9D;AACE,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,0BAA2B,SAA8B,IAAI;AAAA,MAC/D;AAAA,EACJ;AACF;AAGA,SAAS,sBAAsB,UAA2B;AACxD,SAAO,OAAO,MAAe;AAC3B,MAAE,IAAI,mBAAmB,SAAS;AAClC,WAAO,SAAS,QAAQ,CAAC;AAAA,EAC3B;AACF;AAMA,MAAM,qBAAqB;AAAA,EACzB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAQA,MAAM,mBAAmB,CAAC,oBAAoB,gBAAgB;AAS9D,SAAS,6BACP,UACA,QAAQ,iBACR,SACA;AACA,SAAO,OAAO,MAAe;AAC3B,MAAE,IAAI,mBAAmB,mBAAmB,SAAS,OAAO,EAAE;AAE9D,QAAI,CAAC,SAAS,iBAAiB;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,oBAAoB,SAAS,OAAO;AAAA,MACtC;AAAA,IACF;AAEA,UAAM,cAAc,IAAI,IAAI,EAAE,IAAI,GAAG;AAGrC,QAAI,aAAa,YAAY;AAC7B,QAAI,SAAS,aAAa;AACxB,YAAM,eAAe;AACrB,mBAAa,SAAS,YAAY,UAAU;AAC5C,YAAM,iBAAiB,YAAY,OAAO,UAAU,EAAE;AAAA,IACxD;AAGA,UAAM,YAAY,IAAI,IAAI,aAAa,YAAY,QAAQ,EAAE,IAAI,GAAG;AAEpE;AAAA,MACE,oBAAoB,SAAS,OAAO,MAAM,EAAE,IAAI,MAAM,IAAI,UAAU,QAAQ,GAAG,UAAU,MAAM;AAAA,IACjG;AAGA,UAAM,UAAU,oBAAoB,CAAC;AACrC,eAAW,KAAK,oBAAoB;AAClC,cAAQ,OAAO,CAAC;AAAA,IAClB;AAGA,UAAM,MAAM,kBAAkB,CAAC;AAC/B,QAAI,KAAK;AACP,YAAM,iBAAiB,eAAe;AACtC,cAAQ;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,UAChB,SAAS;AAAA,UACT,SAAS,IAAI;AAAA,UACb,UAAU;AAAA,UACV,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,eAAe,IAAI,QAAQ,UAAU,SAAS,GAAG;AAAA,MACrD,QAAQ,EAAE,IAAI;AAAA,MACd;AAAA,MACA,MAAM,EAAE,IAAI,IAAI;AAAA;AAAA,MAEhB,QAAQ,EAAE,IAAI,IAAI,OAAO,SAAS;AAAA,IACpC,CAAC;AAGD,UAAM,YAAY,EAAE,IAAI,YAAY;AACpC,QAAI;AACJ,QAAI,cAAc,QAAW;AAC3B,YAAM,WAAW,EAAE,IAAI,eAAe;AACtC,qBAAe,IAAI;AAAA,QACjB,4BAA4B,SAAS,OAAO;AAAA,QAC5C;AAAA,QACA,SAAS;AAAA,QACT,mBAAmB;AAAA,QACnB,SAAS;AAAA,MACX;AACA,mBACG,aAAa,QAAQ,aAAa,EAAE,IAAI,MAAM,EAC9C,aAAa,QAAQ,UAAU,UAAU,QAAQ,EACjD,aAAa,eAAe,SAAS,OAAO;AAAA,IACjD;AAEA,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,WAAW,MAAM,QAAQ;AAAA,MAC7B,SAAS;AAAA,MACT;AAAA,IACF;AAEA;AAAA,MACE,8BAA8B,SAAS,MAAM,KAAK,KAAK,IAAI,IAAI,SAAS;AAAA,IAC1E;AAGA,QAAI,cAAc;AAChB,mBACG,aAAa,QAAQ,kBAAkB,SAAS,MAAM,EACtD,UAAU,SAAS,UAAU,MAAM,UAAU,IAAI;AACpD,gBAAW,KAAK,aAAa,IAAI,CAAC;AAAA,IACpC;AAGA,UAAM,kBAAkB,IAAI,QAAQ,SAAS,OAAO;AACpD,eAAW,KAAK,oBAAoB;AAClC,sBAAgB,OAAO,CAAC;AAAA,IAC1B;AACA,eAAW,KAAK,kBAAkB;AAChC,sBAAgB,OAAO,CAAC;AAAA,IAC1B;AAEA,WAAO,IAAI,SAAS,SAAS,MAAM;AAAA,MACjC,QAAQ,SAAS;AAAA,MACjB,YAAY,SAAS;AAAA,MACrB,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AACF;AAGA,SAAS,kBAAkB,UAAuB,QAAQ,iBAAiB;AAEzE,QAAM,aAAa,IAAI,IAAI,SAAS,MAAM;AAE1C,SAAO,OAAO,MAAe;AAC3B,UAAM,cAAc,IAAI,IAAI,EAAE,IAAI,GAAG;AAGrC,QAAI,aAAa,YAAY;AAC7B,QAAI,SAAS,aAAa;AACxB,YAAM,eAAe;AACrB,mBAAa,SAAS,YAAY,UAAU;AAC5C,YAAM,iBAAiB,YAAY,OAAO,UAAU,EAAE;AAAA,IACxD;AAEA,UAAM,YAAY,IAAI,IAAI,aAAa,YAAY,QAAQ,UAAU;AAGrE,MAAE,IAAI,mBAAmB,UAAU,SAAS,CAAC;AAI7C,QAAI,UAAU,WAAW,WAAW,QAAQ;AAC1C;AAAA,QACE,sCAAsC,UAAU,MAAM,OAAO,WAAW,MAAM;AAAA,MAChF;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,YAAY,EAAE,IAAI,MAAM,IAAI,EAAE,IAAI,IAAI,OAAO,UAAU,SAAS,CAAC,EAAE;AAGzE,UAAM,UAAU,oBAAoB,CAAC;AACrC,eAAW,KAAK,oBAAoB;AAClC,cAAQ,OAAO,CAAC;AAAA,IAClB;AAGA,UAAM,eAAe,EAAE,IAAI,eAAe,MAAM;AAChD,QAAI,CAAC,cAAc;AACjB,cAAQ,IAAI,QAAQ,UAAU,IAAI;AAAA,IACpC;AAGA,QAAI,SAAS,SAAS;AACpB,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,SAAS,OAAO,GAAG;AAC3D,gBAAQ,IAAI,KAAK,KAAK;AAAA,MACxB;AAAA,IACF;AAGA,UAAM,MAAM,kBAAkB,CAAC;AAC/B,QAAI,KAAK;AACP,YAAM,iBAAiB,eAAe;AACtC,cAAQ;AAAA,QACN;AAAA,QACA,kBAAkB;AAAA,UAChB,SAAS;AAAA,UACT,SAAS,IAAI;AAAA,UACb,UAAU;AAAA,UACV,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,eAAe,IAAI,QAAQ,UAAU,SAAS,GAAG;AAAA,MACrD,QAAQ,EAAE,IAAI;AAAA,MACd;AAAA,MACA,MAAM,EAAE,IAAI,IAAI;AAAA,MAChB,UAAU;AAAA;AAAA;AAAA,MAEV,QAAQ,EAAE,IAAI,IAAI,OAAO,SAAS;AAAA,IACpC,CAAC;AAID,MAAE,IAAI,iBAAiB,aAAa,MAAM,CAAC;AAG3C,UAAM,gBAAgB,EAAE,IAAI,gBAAgB;AAG5C,UAAM,YAAY,EAAE,IAAI,YAAY;AACpC,QAAI;AACJ,QAAI,cAAc,QAAW;AAC3B,YAAM,WAAW,EAAE,IAAI,eAAe;AACtC,qBAAe,IAAI;AAAA,QACjB,gBAAgB,UAAU,IAAI;AAAA,QAC9B;AAAA,QACA,SAAS;AAAA,QACT,mBAAmB;AAAA,QACnB,SAAS;AAAA,MACX;AACA,mBACG,aAAa,QAAQ,aAAa,EAAE,IAAI,MAAM,EAC9C,aAAa,QAAQ,UAAU,UAAU,QAAQ,EACjD,aAAa,QAAQ,gBAAgB,UAAU,IAAI;AAAA,IACxD;AAEA,UAAM,YAAY,KAAK,IAAI;AAC3B,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM;AAAA,QACf;AAAA,QACA,gBAAgB,EAAE,QAAQ,cAAc,IAAI;AAAA,MAC9C;AAAA,IACF,SAAS,KAAK;AAGZ,UAAI,eAAe,gBAAgB,IAAI,SAAS,cAAc;AAC5D,cAAM;AAAA,MACR;AACA;AAAA,QACE,0BAA0B,eAAe,QAAQ,IAAI,UAAU,GAAG;AAAA,MACpE;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,uBAAuB,UAAU,IAAI,YAAY,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACnG;AAAA,IACF;AACA;AAAA,MACE,uBAAuB,SAAS,MAAM,KAAK,KAAK,IAAI,IAAI,SAAS;AAAA,IACnE;AAGA,QAAI,cAAc;AAChB,mBACG,aAAa,QAAQ,kBAAkB,SAAS,MAAM,EACtD,UAAU,SAAS,UAAU,MAAM,UAAU,IAAI;AACpD,gBAAW,KAAK,aAAa,IAAI,CAAC;AAAA,IACpC;AAKA,UAAM,kBAAkB,IAAI,QAAQ,SAAS,OAAO;AACpD,eAAW,KAAK,oBAAoB;AAClC,sBAAgB,OAAO,CAAC;AAAA,IAC1B;AACA,eAAW,KAAK,kBAAkB;AAChC,sBAAgB,OAAO,CAAC;AAAA,IAC1B;AAEA,WAAO,IAAI,SAAS,SAAS,MAAM;AAAA,MACjC,QAAQ,SAAS;AAAA,MACjB,YAAY,SAAS;AAAA,MACrB,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AACF;","names":[]}