@vm0/cli 9.177.11 → 9.177.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/{chunk-26CIENVP.js → chunk-CGUELQJH.js} +2075 -710
- package/{chunk-26CIENVP.js.map → chunk-CGUELQJH.js.map} +1 -1
- package/index.js +9 -9
- package/package.json +1 -1
- package/zero.js +11 -11
- package/zero.js.map +1 -1
|
@@ -74083,7 +74083,7 @@ if (DSN) {
|
|
|
74083
74083
|
init2({
|
|
74084
74084
|
dsn: DSN,
|
|
74085
74085
|
environment: process.env.SENTRY_ENVIRONMENT ?? "production",
|
|
74086
|
-
release: "9.177.
|
|
74086
|
+
release: "9.177.13",
|
|
74087
74087
|
sendDefaultPii: false,
|
|
74088
74088
|
tracesSampleRate: 0,
|
|
74089
74089
|
shutdownTimeout: 500,
|
|
@@ -74102,7 +74102,7 @@ if (DSN) {
|
|
|
74102
74102
|
}
|
|
74103
74103
|
});
|
|
74104
74104
|
setContext("cli", {
|
|
74105
|
-
version: "9.177.
|
|
74105
|
+
version: "9.177.13",
|
|
74106
74106
|
command: process.argv.slice(2).join(" ")
|
|
74107
74107
|
});
|
|
74108
74108
|
setContext("runtime", {
|
|
@@ -93050,8 +93050,1406 @@ var authHeadersSchema = external_exports.object({
|
|
|
93050
93050
|
authorization: external_exports.string().optional()
|
|
93051
93051
|
});
|
|
93052
93052
|
|
|
93053
|
-
// ../../packages/api-contracts/src/contracts/
|
|
93053
|
+
// ../../packages/api-contracts/src/contracts/runners.ts
|
|
93054
|
+
init_esm_shims();
|
|
93055
|
+
|
|
93056
|
+
// ../../packages/connectors/src/firewall-types.ts
|
|
93057
|
+
init_esm_shims();
|
|
93058
|
+
|
|
93059
|
+
// ../../packages/connectors/src/firewall-url-utils.ts
|
|
93060
|
+
init_esm_shims();
|
|
93061
|
+
var ASCII_CONTROL_MAX = 32;
|
|
93062
|
+
var ASCII_DELETE = 127;
|
|
93063
|
+
var UNICODE_HIGH_SURROGATE_MIN = 55296;
|
|
93064
|
+
var UNICODE_HIGH_SURROGATE_MAX = 56319;
|
|
93065
|
+
var UNICODE_LOW_SURROGATE_MIN = 56320;
|
|
93066
|
+
var UNICODE_LOW_SURROGATE_MAX = 57343;
|
|
93067
|
+
function hasRawWhitespace(value) {
|
|
93068
|
+
for (let i = 0; i < value.length; i += 1) {
|
|
93069
|
+
const char = value[i];
|
|
93070
|
+
if (char === " " || char === " " || char === "\n" || char === "\r" || char === "\f" || char === "\v") {
|
|
93071
|
+
return true;
|
|
93072
|
+
}
|
|
93073
|
+
}
|
|
93074
|
+
return false;
|
|
93075
|
+
}
|
|
93076
|
+
function hasUnsafeUrlCodepoint(value) {
|
|
93077
|
+
for (let i = 0; i < value.length; i += 1) {
|
|
93078
|
+
const codeUnit = value.charCodeAt(i);
|
|
93079
|
+
if (codeUnit < ASCII_CONTROL_MAX || codeUnit === ASCII_DELETE) {
|
|
93080
|
+
return true;
|
|
93081
|
+
}
|
|
93082
|
+
if (UNICODE_HIGH_SURROGATE_MIN <= codeUnit && codeUnit <= UNICODE_HIGH_SURROGATE_MAX) {
|
|
93083
|
+
const nextCodeUnit = value.charCodeAt(i + 1);
|
|
93084
|
+
if (!(UNICODE_LOW_SURROGATE_MIN <= nextCodeUnit && nextCodeUnit <= UNICODE_LOW_SURROGATE_MAX)) {
|
|
93085
|
+
return true;
|
|
93086
|
+
}
|
|
93087
|
+
i += 1;
|
|
93088
|
+
continue;
|
|
93089
|
+
}
|
|
93090
|
+
if (UNICODE_LOW_SURROGATE_MIN <= codeUnit && codeUnit <= UNICODE_LOW_SURROGATE_MAX) {
|
|
93091
|
+
return true;
|
|
93092
|
+
}
|
|
93093
|
+
}
|
|
93094
|
+
return false;
|
|
93095
|
+
}
|
|
93096
|
+
|
|
93097
|
+
// ../../packages/connectors/src/segment-parser.ts
|
|
93098
|
+
init_esm_shims();
|
|
93099
|
+
var ERROR_HINT = 'use "{name}", "prefix{name}", "{name}suffix", or "prefix{name}suffix"';
|
|
93100
|
+
function parseSegment(seg) {
|
|
93101
|
+
const openCount = countChar(seg, "{");
|
|
93102
|
+
const closeCount = countChar(seg, "}");
|
|
93103
|
+
if (openCount === 0 && closeCount === 0) {
|
|
93104
|
+
return { kind: "literal", value: seg };
|
|
93105
|
+
}
|
|
93106
|
+
if (openCount !== closeCount) {
|
|
93107
|
+
return {
|
|
93108
|
+
kind: "error",
|
|
93109
|
+
reason: `unbalanced brace in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
93110
|
+
};
|
|
93111
|
+
}
|
|
93112
|
+
const open1 = seg.indexOf("{");
|
|
93113
|
+
const close1 = seg.indexOf("}");
|
|
93114
|
+
if (close1 < open1) {
|
|
93115
|
+
return {
|
|
93116
|
+
kind: "error",
|
|
93117
|
+
reason: `unbalanced brace in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
93118
|
+
};
|
|
93119
|
+
}
|
|
93120
|
+
if (openCount >= 2) {
|
|
93121
|
+
const open2 = seg.indexOf("{", close1 + 1);
|
|
93122
|
+
if (close1 + 1 === open2) {
|
|
93123
|
+
return {
|
|
93124
|
+
kind: "error",
|
|
93125
|
+
reason: `adjacent parameters in segment "${seg}" \u2014 only one parameter per segment is allowed; ${ERROR_HINT}`
|
|
93126
|
+
};
|
|
93127
|
+
}
|
|
93128
|
+
return {
|
|
93129
|
+
kind: "error",
|
|
93130
|
+
reason: `literal-separated parameters in segment "${seg}" \u2014 only one parameter per segment is allowed; ${ERROR_HINT}`
|
|
93131
|
+
};
|
|
93132
|
+
}
|
|
93133
|
+
const prefix = seg.slice(0, open1);
|
|
93134
|
+
const content = seg.slice(open1 + 1, close1);
|
|
93135
|
+
const suffix = seg.slice(close1 + 1);
|
|
93136
|
+
if (prefix.includes("{") || prefix.includes("}") || suffix.includes("{") || suffix.includes("}")) {
|
|
93137
|
+
return {
|
|
93138
|
+
kind: "error",
|
|
93139
|
+
reason: `unbalanced brace in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
93140
|
+
};
|
|
93141
|
+
}
|
|
93142
|
+
let greedy = "";
|
|
93143
|
+
let name = content;
|
|
93144
|
+
if (content.length > 0) {
|
|
93145
|
+
const last = content[content.length - 1];
|
|
93146
|
+
if (last === "+" || last === "*") {
|
|
93147
|
+
greedy = last;
|
|
93148
|
+
name = content.slice(0, -1);
|
|
93149
|
+
}
|
|
93150
|
+
}
|
|
93151
|
+
if (name.length === 0) {
|
|
93152
|
+
return {
|
|
93153
|
+
kind: "error",
|
|
93154
|
+
reason: `empty parameter name in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
93155
|
+
};
|
|
93156
|
+
}
|
|
93157
|
+
return { kind: "param", prefix, name, suffix, greedy };
|
|
93158
|
+
}
|
|
93159
|
+
function splitPathSegments(path3) {
|
|
93160
|
+
if (path3 === "" || path3 === "/") return [];
|
|
93161
|
+
const pathWithoutLeadingSlash = path3.startsWith("/") ? path3.slice(1) : path3;
|
|
93162
|
+
if (pathWithoutLeadingSlash === "") return [];
|
|
93163
|
+
return pathWithoutLeadingSlash.split("/");
|
|
93164
|
+
}
|
|
93165
|
+
function countChar(s, ch) {
|
|
93166
|
+
let n = 0;
|
|
93167
|
+
for (let i = 0; i < s.length; i++) {
|
|
93168
|
+
if (s[i] === ch) n++;
|
|
93169
|
+
}
|
|
93170
|
+
return n;
|
|
93171
|
+
}
|
|
93172
|
+
|
|
93173
|
+
// ../../packages/connectors/src/firewall-types.ts
|
|
93174
|
+
var firewallPermissionSchema = external_exports.object({
|
|
93175
|
+
name: external_exports.string(),
|
|
93176
|
+
description: external_exports.string().optional(),
|
|
93177
|
+
rules: external_exports.array(external_exports.string())
|
|
93178
|
+
});
|
|
93179
|
+
var firewallApiSchema = external_exports.object({
|
|
93180
|
+
base: external_exports.string(),
|
|
93181
|
+
auth: external_exports.object({
|
|
93182
|
+
headers: external_exports.record(external_exports.string(), external_exports.string()).optional(),
|
|
93183
|
+
base: external_exports.string().optional(),
|
|
93184
|
+
query: external_exports.record(external_exports.string(), external_exports.string()).optional()
|
|
93185
|
+
}),
|
|
93186
|
+
permissions: external_exports.array(firewallPermissionSchema).optional()
|
|
93187
|
+
});
|
|
93188
|
+
var firewallSchema = external_exports.object({
|
|
93189
|
+
name: external_exports.string(),
|
|
93190
|
+
apis: external_exports.array(firewallApiSchema)
|
|
93191
|
+
});
|
|
93192
|
+
var firewallsSchema = external_exports.array(firewallSchema);
|
|
93193
|
+
var firewallConfigSchema = external_exports.object({
|
|
93194
|
+
name: external_exports.string().min(1, "Firewall name is required"),
|
|
93195
|
+
description: external_exports.string().optional(),
|
|
93196
|
+
apis: external_exports.array(firewallApiSchema).min(1, "Firewall must have at least one API entry"),
|
|
93197
|
+
placeholders: external_exports.record(external_exports.string(), external_exports.string()).optional()
|
|
93198
|
+
});
|
|
93199
|
+
var firewallPolicyValueSchema = external_exports.enum(["allow", "deny", "ask"]);
|
|
93200
|
+
var firewallPolicySchema = external_exports.object({
|
|
93201
|
+
policies: external_exports.record(external_exports.string(), firewallPolicyValueSchema),
|
|
93202
|
+
unknownPolicy: firewallPolicyValueSchema.optional()
|
|
93203
|
+
});
|
|
93204
|
+
var firewallPoliciesSchema = external_exports.record(
|
|
93205
|
+
external_exports.string(),
|
|
93206
|
+
firewallPolicySchema
|
|
93207
|
+
);
|
|
93208
|
+
var networkPolicySchema = external_exports.object({
|
|
93209
|
+
allow: external_exports.array(external_exports.string()),
|
|
93210
|
+
deny: external_exports.array(external_exports.string()),
|
|
93211
|
+
ask: external_exports.array(external_exports.string()),
|
|
93212
|
+
unknownPolicy: firewallPolicyValueSchema
|
|
93213
|
+
});
|
|
93214
|
+
var networkPoliciesSchema = external_exports.record(external_exports.string(), networkPolicySchema);
|
|
93215
|
+
var AUTH_SECRET_PATTERN = /\$\{\{\s*secrets\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g;
|
|
93216
|
+
var AUTH_REFERENCE_PATTERN = /\$\{\{\s*(secrets|vars)\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g;
|
|
93217
|
+
var AUTH_REFERENCE_PATTERN_G = new RegExp(AUTH_REFERENCE_PATTERN.source, "g");
|
|
93218
|
+
var AUTH_REFERENCE_PREFIX_PATTERN = new RegExp(
|
|
93219
|
+
`^${AUTH_REFERENCE_PATTERN.source}`
|
|
93220
|
+
);
|
|
93221
|
+
var AUTH_TEMPLATE_START = "${{";
|
|
93222
|
+
var AUTH_TEMPLATE_URL_PLACEHOLDER = "placeholder";
|
|
93223
|
+
var IPV4_MAX_OCTET = 255;
|
|
93224
|
+
function isTemplateWhitespace(char) {
|
|
93225
|
+
return char === " " || char === " " || char === "\n" || char === "\r" || char === "\f" || char === "\v";
|
|
93226
|
+
}
|
|
93227
|
+
function skipTemplateWhitespace(template, index) {
|
|
93228
|
+
let nextIndex = index;
|
|
93229
|
+
while (nextIndex < template.length && isTemplateWhitespace(template[nextIndex])) {
|
|
93230
|
+
nextIndex += 1;
|
|
93231
|
+
}
|
|
93232
|
+
return nextIndex;
|
|
93233
|
+
}
|
|
93234
|
+
function isIdentifierStart(char) {
|
|
93235
|
+
const code = char.charCodeAt(0);
|
|
93236
|
+
return char === "_" || code >= 65 && code <= 90 || code >= 97 && code <= 122;
|
|
93237
|
+
}
|
|
93238
|
+
function isIdentifierPart(char) {
|
|
93239
|
+
const code = char.charCodeAt(0);
|
|
93240
|
+
return isIdentifierStart(char) || code >= 48 && code <= 57;
|
|
93241
|
+
}
|
|
93242
|
+
function parseTemplateIdentifier(template, index) {
|
|
93243
|
+
if (index >= template.length || !isIdentifierStart(template[index])) {
|
|
93244
|
+
return null;
|
|
93245
|
+
}
|
|
93246
|
+
let nextIndex = index + 1;
|
|
93247
|
+
while (nextIndex < template.length && isIdentifierPart(template[nextIndex])) {
|
|
93248
|
+
nextIndex += 1;
|
|
93249
|
+
}
|
|
93250
|
+
return {
|
|
93251
|
+
value: template.slice(index, nextIndex),
|
|
93252
|
+
index: nextIndex
|
|
93253
|
+
};
|
|
93254
|
+
}
|
|
93255
|
+
function createBasicAuthTemplateParserContext(template) {
|
|
93256
|
+
const nextQuoteIndexes = new Int32Array(template.length + 1);
|
|
93257
|
+
const nextBackslashIndexes = new Int32Array(template.length + 1);
|
|
93258
|
+
const nextTemplateIndexes = new Int32Array(template.length + 1);
|
|
93259
|
+
let nextQuoteIndex = -1;
|
|
93260
|
+
let nextBackslashIndex = -1;
|
|
93261
|
+
let nextTemplateIndex = -1;
|
|
93262
|
+
nextQuoteIndexes[template.length] = nextQuoteIndex;
|
|
93263
|
+
nextBackslashIndexes[template.length] = nextBackslashIndex;
|
|
93264
|
+
nextTemplateIndexes[template.length] = nextTemplateIndex;
|
|
93265
|
+
for (let index = template.length - 1; index >= 0; index -= 1) {
|
|
93266
|
+
if (template[index] === '"') {
|
|
93267
|
+
nextQuoteIndex = index;
|
|
93268
|
+
}
|
|
93269
|
+
if (template[index] === "\\") {
|
|
93270
|
+
nextBackslashIndex = index;
|
|
93271
|
+
}
|
|
93272
|
+
if (template.startsWith("${{", index)) {
|
|
93273
|
+
nextTemplateIndex = index;
|
|
93274
|
+
}
|
|
93275
|
+
nextQuoteIndexes[index] = nextQuoteIndex;
|
|
93276
|
+
nextBackslashIndexes[index] = nextBackslashIndex;
|
|
93277
|
+
nextTemplateIndexes[index] = nextTemplateIndex;
|
|
93278
|
+
}
|
|
93279
|
+
return { nextQuoteIndexes, nextBackslashIndexes, nextTemplateIndexes };
|
|
93280
|
+
}
|
|
93281
|
+
function parseBasicAuthTemplateArg(context2, template, index) {
|
|
93282
|
+
let nextIndex = skipTemplateWhitespace(template, index);
|
|
93283
|
+
const char = template[nextIndex];
|
|
93284
|
+
if (char === "," || char === ")") {
|
|
93285
|
+
return { arg: {}, index: nextIndex };
|
|
93286
|
+
}
|
|
93287
|
+
if (char === '"') {
|
|
93288
|
+
const literalStart = nextIndex + 1;
|
|
93289
|
+
const quoteIndex = context2.nextQuoteIndexes[literalStart] ?? -1;
|
|
93290
|
+
if (quoteIndex === -1) {
|
|
93291
|
+
const nestedTemplateStart = context2.nextTemplateIndexes[literalStart] ?? -1;
|
|
93292
|
+
return {
|
|
93293
|
+
arg: null,
|
|
93294
|
+
index: nestedTemplateStart === -1 ? template.length : nestedTemplateStart
|
|
93295
|
+
};
|
|
93296
|
+
}
|
|
93297
|
+
const escapeIndex = context2.nextBackslashIndexes[literalStart] ?? -1;
|
|
93298
|
+
if (escapeIndex !== -1 && escapeIndex < quoteIndex) {
|
|
93299
|
+
const nestedTemplateStart = context2.nextTemplateIndexes[literalStart] ?? -1;
|
|
93300
|
+
return {
|
|
93301
|
+
arg: null,
|
|
93302
|
+
index: nestedTemplateStart !== -1 && nestedTemplateStart < escapeIndex ? nestedTemplateStart : escapeIndex + 1
|
|
93303
|
+
};
|
|
93304
|
+
}
|
|
93305
|
+
return {
|
|
93306
|
+
arg: { literal: template.slice(literalStart, quoteIndex) },
|
|
93307
|
+
index: quoteIndex + 1
|
|
93308
|
+
};
|
|
93309
|
+
}
|
|
93310
|
+
let namespace;
|
|
93311
|
+
if (template.startsWith("secrets.", nextIndex)) {
|
|
93312
|
+
namespace = "secrets";
|
|
93313
|
+
nextIndex += "secrets.".length;
|
|
93314
|
+
} else if (template.startsWith("vars.", nextIndex)) {
|
|
93315
|
+
namespace = "vars";
|
|
93316
|
+
nextIndex += "vars.".length;
|
|
93317
|
+
} else {
|
|
93318
|
+
return { arg: null, index: nextIndex };
|
|
93319
|
+
}
|
|
93320
|
+
const key = parseTemplateIdentifier(template, nextIndex);
|
|
93321
|
+
if (!key) {
|
|
93322
|
+
return { arg: null, index: nextIndex };
|
|
93323
|
+
}
|
|
93324
|
+
return {
|
|
93325
|
+
arg: { namespace, key: key.value },
|
|
93326
|
+
index: key.index
|
|
93327
|
+
};
|
|
93328
|
+
}
|
|
93329
|
+
function parseBasicAuthTemplateAt(context2, template, start) {
|
|
93330
|
+
let index = start + "${{".length;
|
|
93331
|
+
index = skipTemplateWhitespace(template, index);
|
|
93332
|
+
if (!template.startsWith("basic(", index)) {
|
|
93333
|
+
return { match: null, index: start + "${{".length };
|
|
93334
|
+
}
|
|
93335
|
+
index += "basic(".length;
|
|
93336
|
+
const first = parseBasicAuthTemplateArg(context2, template, index);
|
|
93337
|
+
if (!first.arg) {
|
|
93338
|
+
return { match: null, index: first.index };
|
|
93339
|
+
}
|
|
93340
|
+
index = skipTemplateWhitespace(template, first.index);
|
|
93341
|
+
if (template[index] !== ",") {
|
|
93342
|
+
return { match: null, index: Math.max(index + 1, first.index) };
|
|
93343
|
+
}
|
|
93344
|
+
index += 1;
|
|
93345
|
+
const second = parseBasicAuthTemplateArg(context2, template, index);
|
|
93346
|
+
if (!second.arg) {
|
|
93347
|
+
return { match: null, index: second.index };
|
|
93348
|
+
}
|
|
93349
|
+
index = skipTemplateWhitespace(template, second.index);
|
|
93350
|
+
if (template[index] !== ")") {
|
|
93351
|
+
return { match: null, index: Math.max(index + 1, second.index) };
|
|
93352
|
+
}
|
|
93353
|
+
index += 1;
|
|
93354
|
+
index = skipTemplateWhitespace(template, index);
|
|
93355
|
+
if (!template.startsWith("}}", index)) {
|
|
93356
|
+
return { match: null, index: Math.max(index + 1, second.index) };
|
|
93357
|
+
}
|
|
93358
|
+
const end = index + "}}".length;
|
|
93359
|
+
return {
|
|
93360
|
+
match: {
|
|
93361
|
+
start,
|
|
93362
|
+
end,
|
|
93363
|
+
first: first.arg,
|
|
93364
|
+
second: second.arg
|
|
93365
|
+
},
|
|
93366
|
+
index: end
|
|
93367
|
+
};
|
|
93368
|
+
}
|
|
93369
|
+
function findNextBasicAuthTemplateStart(template, index) {
|
|
93370
|
+
let basicIndex = template.indexOf("basic(", index);
|
|
93371
|
+
while (basicIndex !== -1) {
|
|
93372
|
+
let contentStart = basicIndex;
|
|
93373
|
+
while (contentStart > index && isTemplateWhitespace(template[contentStart - 1])) {
|
|
93374
|
+
contentStart -= 1;
|
|
93375
|
+
}
|
|
93376
|
+
const start = contentStart - "${{".length;
|
|
93377
|
+
if (start >= index && template.startsWith("${{", start)) {
|
|
93378
|
+
return start;
|
|
93379
|
+
}
|
|
93380
|
+
basicIndex = template.indexOf("basic(", basicIndex + "basic(".length);
|
|
93381
|
+
}
|
|
93382
|
+
return -1;
|
|
93383
|
+
}
|
|
93384
|
+
function parseBasicAuthTemplates(template) {
|
|
93385
|
+
const matches = [];
|
|
93386
|
+
let start = findNextBasicAuthTemplateStart(template, 0);
|
|
93387
|
+
if (start === -1) {
|
|
93388
|
+
return matches;
|
|
93389
|
+
}
|
|
93390
|
+
const context2 = createBasicAuthTemplateParserContext(template);
|
|
93391
|
+
while (start !== -1) {
|
|
93392
|
+
const parsed = parseBasicAuthTemplateAt(context2, template, start);
|
|
93393
|
+
if (parsed.match) {
|
|
93394
|
+
matches.push(parsed.match);
|
|
93395
|
+
start = findNextBasicAuthTemplateStart(template, parsed.index);
|
|
93396
|
+
} else {
|
|
93397
|
+
start = findNextBasicAuthTemplateStart(
|
|
93398
|
+
template,
|
|
93399
|
+
Math.max(parsed.index, start + "${{".length)
|
|
93400
|
+
);
|
|
93401
|
+
}
|
|
93402
|
+
}
|
|
93403
|
+
return matches;
|
|
93404
|
+
}
|
|
93405
|
+
function forEachSimpleAuthReference(template, basicMatches, callback) {
|
|
93406
|
+
let basicMatchIndex = 0;
|
|
93407
|
+
for (const match of template.matchAll(AUTH_REFERENCE_PATTERN)) {
|
|
93408
|
+
if (!match[1] || !match[2] || match.index === void 0) {
|
|
93409
|
+
continue;
|
|
93410
|
+
}
|
|
93411
|
+
while (basicMatchIndex < basicMatches.length && basicMatches[basicMatchIndex].end <= match.index) {
|
|
93412
|
+
basicMatchIndex += 1;
|
|
93413
|
+
}
|
|
93414
|
+
const basicMatch = basicMatches[basicMatchIndex];
|
|
93415
|
+
if (basicMatch && match.index >= basicMatch.start && match.index < basicMatch.end) {
|
|
93416
|
+
continue;
|
|
93417
|
+
}
|
|
93418
|
+
callback(match[1], match[2]);
|
|
93419
|
+
}
|
|
93420
|
+
}
|
|
93421
|
+
function extractSecretNamesFromApis(apis) {
|
|
93422
|
+
const names = /* @__PURE__ */ new Set();
|
|
93423
|
+
for (const entry of apis) {
|
|
93424
|
+
for (const value of Object.values(entry.auth.headers ?? {})) {
|
|
93425
|
+
const basicMatches = parseBasicAuthTemplates(value);
|
|
93426
|
+
forEachSimpleAuthReference(value, basicMatches, (namespace, name) => {
|
|
93427
|
+
if (namespace === "secrets") {
|
|
93428
|
+
names.add(name);
|
|
93429
|
+
}
|
|
93430
|
+
});
|
|
93431
|
+
for (const match of basicMatches) {
|
|
93432
|
+
if (match.first.namespace === "secrets" && match.first.key) {
|
|
93433
|
+
names.add(match.first.key);
|
|
93434
|
+
}
|
|
93435
|
+
if (match.second.namespace === "secrets" && match.second.key) {
|
|
93436
|
+
names.add(match.second.key);
|
|
93437
|
+
}
|
|
93438
|
+
}
|
|
93439
|
+
}
|
|
93440
|
+
if (entry.auth.base) {
|
|
93441
|
+
for (const match of entry.auth.base.matchAll(AUTH_SECRET_PATTERN)) {
|
|
93442
|
+
names.add(match[1]);
|
|
93443
|
+
}
|
|
93444
|
+
}
|
|
93445
|
+
if (entry.auth.query) {
|
|
93446
|
+
for (const value of Object.values(entry.auth.query)) {
|
|
93447
|
+
for (const match of value.matchAll(AUTH_SECRET_PATTERN)) {
|
|
93448
|
+
names.add(match[1]);
|
|
93449
|
+
}
|
|
93450
|
+
}
|
|
93451
|
+
}
|
|
93452
|
+
}
|
|
93453
|
+
return [...names];
|
|
93454
|
+
}
|
|
93455
|
+
var BASE_URL_VARS_PATTERN = /\$\{\{\s*vars\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/;
|
|
93456
|
+
var BASE_URL_VARS_PATTERN_G = new RegExp(BASE_URL_VARS_PATTERN.source, "g");
|
|
93457
|
+
function hasBaseUrlVars(base) {
|
|
93458
|
+
return BASE_URL_VARS_PATTERN.test(base);
|
|
93459
|
+
}
|
|
93460
|
+
function hasBaseUrlParams(base) {
|
|
93461
|
+
let stripped = base;
|
|
93462
|
+
let start = stripped.indexOf("${{");
|
|
93463
|
+
while (start !== -1) {
|
|
93464
|
+
const end = stripped.indexOf("}}", start + 3);
|
|
93465
|
+
if (end === -1) break;
|
|
93466
|
+
stripped = stripped.slice(0, start) + stripped.slice(end + 2);
|
|
93467
|
+
start = stripped.indexOf("${{");
|
|
93468
|
+
}
|
|
93469
|
+
return stripped.includes("{") && stripped.includes("}");
|
|
93470
|
+
}
|
|
93471
|
+
function errMsg(base, svc, detail) {
|
|
93472
|
+
return `Invalid base URL "${base}" in firewall "${svc}": ${detail}`;
|
|
93473
|
+
}
|
|
93474
|
+
var HOST_DOT_EQUIVALENTS = /* @__PURE__ */ new Set([".", "\u3002", "\uFF0E", "\uFF61"]);
|
|
93475
|
+
var HOST_DOT_EQUIVALENT_PATTERN = /[\u3002\uff0e\uff61]/g;
|
|
93476
|
+
var FORBIDDEN_NORMALIZED_LABEL_CHARS = new Set("#%,/:<>?@[\\]^|[]".split(""));
|
|
93477
|
+
var ALLOWED_BASE_URL_SCHEMES = /* @__PURE__ */ new Set(["http", "https"]);
|
|
93478
|
+
var WHITESPACE_PATTERN = /\s/u;
|
|
93479
|
+
var UNICODE_CONTROL_PATTERN = /\p{C}/u;
|
|
93480
|
+
var UNICODE_MARK_PATTERN = /\p{M}/u;
|
|
93481
|
+
var UNICODE_LETTER_PATTERN = /\p{L}/u;
|
|
93482
|
+
var GREEK_COMBINING_YPOGEGRAMMENI = "\u0345";
|
|
93483
|
+
var GREEK_SMALL_IOTA = "\u03B9";
|
|
93484
|
+
var IDNA_BIDI_RTL_LABEL_RANGES = [
|
|
93485
|
+
[1565, 1565],
|
|
93486
|
+
[2160, 2190],
|
|
93487
|
+
[2229, 2229],
|
|
93488
|
+
[2248, 2249],
|
|
93489
|
+
[64450, 64450],
|
|
93490
|
+
[69488, 69505],
|
|
93491
|
+
[69510, 69513]
|
|
93492
|
+
];
|
|
93493
|
+
var UNSAFE_UTS46_COLLISION_CHARS = /* @__PURE__ */ new Set([
|
|
93494
|
+
"\u03F2",
|
|
93495
|
+
"\u04C0",
|
|
93496
|
+
"\u1E9E",
|
|
93497
|
+
"\u1806",
|
|
93498
|
+
"\u2132",
|
|
93499
|
+
"\u2183",
|
|
93500
|
+
"\u3164",
|
|
93501
|
+
"\uFFA0",
|
|
93502
|
+
"\uFFFC",
|
|
93503
|
+
"\uFFFD",
|
|
93504
|
+
"\u{2F868}",
|
|
93505
|
+
"\u{2F874}",
|
|
93506
|
+
"\u{2F91F}",
|
|
93507
|
+
"\u{2F95F}",
|
|
93508
|
+
"\u{2F9BF}"
|
|
93509
|
+
]);
|
|
93510
|
+
var UNSAFE_UTS46_COLLISION_RANGES = [
|
|
93511
|
+
[4256, 4293],
|
|
93512
|
+
[4447, 4448],
|
|
93513
|
+
[6068, 6069],
|
|
93514
|
+
[12272, 12283]
|
|
93515
|
+
];
|
|
93516
|
+
var UNSAFE_UTS46_IGNORABLE_RANGES = [
|
|
93517
|
+
[847, 847],
|
|
93518
|
+
[6155, 6157],
|
|
93519
|
+
[6159, 6159],
|
|
93520
|
+
[65024, 65039],
|
|
93521
|
+
[917760, 917999]
|
|
93522
|
+
];
|
|
93523
|
+
function isHexDigit(char) {
|
|
93524
|
+
return char >= "0" && char <= "9" || char >= "a" && char <= "f" || char >= "A" && char <= "F";
|
|
93525
|
+
}
|
|
93526
|
+
function validateBaseUrlScheme(scheme, base, serviceName2) {
|
|
93527
|
+
if (!ALLOWED_BASE_URL_SCHEMES.has(scheme.toLowerCase())) {
|
|
93528
|
+
throw new Error(errMsg(base, serviceName2, "scheme must be http or https"));
|
|
93529
|
+
}
|
|
93530
|
+
}
|
|
93531
|
+
function validateUrlSchemeDelimiter(value, serviceName2, label, displayValue = value) {
|
|
93532
|
+
if (value.includes("://")) return;
|
|
93533
|
+
const colonIndex = value.indexOf(":");
|
|
93534
|
+
if (colonIndex !== -1) {
|
|
93535
|
+
const scheme = value.slice(0, colonIndex);
|
|
93536
|
+
if (!ALLOWED_BASE_URL_SCHEMES.has(scheme.toLowerCase())) {
|
|
93537
|
+
throw new Error(
|
|
93538
|
+
`Invalid ${label} "${displayValue}" in firewall "${serviceName2}": scheme must be http or https`
|
|
93539
|
+
);
|
|
93540
|
+
}
|
|
93541
|
+
throw new Error(
|
|
93542
|
+
`Invalid ${label} "${displayValue}" in firewall "${serviceName2}": URL must include "://" after the scheme`
|
|
93543
|
+
);
|
|
93544
|
+
}
|
|
93545
|
+
throw new Error(
|
|
93546
|
+
`Invalid ${label} "${displayValue}" in firewall "${serviceName2}": URL must include a scheme (e.g. "https://${displayValue}")`
|
|
93547
|
+
);
|
|
93548
|
+
}
|
|
93549
|
+
function isAscii(value) {
|
|
93550
|
+
for (let i = 0; i < value.length; i += 1) {
|
|
93551
|
+
if (value.charCodeAt(i) > 127) return false;
|
|
93552
|
+
}
|
|
93553
|
+
return true;
|
|
93554
|
+
}
|
|
93555
|
+
function isIpv4NumberComponent(value) {
|
|
93556
|
+
if (value === "") return false;
|
|
93557
|
+
if (value.toLowerCase().startsWith("0x")) {
|
|
93558
|
+
return value.length > 2 && [...value.slice(2)].every((char) => {
|
|
93559
|
+
return isHexDigit(char);
|
|
93560
|
+
});
|
|
93561
|
+
}
|
|
93562
|
+
return [...value].every((char) => {
|
|
93563
|
+
return char >= "0" && char <= "9";
|
|
93564
|
+
});
|
|
93565
|
+
}
|
|
93566
|
+
function isIpv4LiteralLike(value) {
|
|
93567
|
+
const parts = value.split(".");
|
|
93568
|
+
return parts.length >= 1 && parts.length <= 4 && parts.every(isIpv4NumberComponent);
|
|
93569
|
+
}
|
|
93570
|
+
function isCanonicalIpv4Address(value) {
|
|
93571
|
+
const parts = value.split(".");
|
|
93572
|
+
if (parts.length !== 4) return false;
|
|
93573
|
+
return parts.every((part) => {
|
|
93574
|
+
if (part === "" || ![...part].every((char) => {
|
|
93575
|
+
return char >= "0" && char <= "9";
|
|
93576
|
+
})) {
|
|
93577
|
+
return false;
|
|
93578
|
+
}
|
|
93579
|
+
if (part.length > 1 && part.startsWith("0")) return false;
|
|
93580
|
+
return Number(part) <= IPV4_MAX_OCTET;
|
|
93581
|
+
});
|
|
93582
|
+
}
|
|
93583
|
+
function codePointInRanges(codePoint, ranges) {
|
|
93584
|
+
return ranges.some(([start, end]) => {
|
|
93585
|
+
return start <= codePoint && codePoint <= end;
|
|
93586
|
+
});
|
|
93587
|
+
}
|
|
93588
|
+
function hasUnsafeUts46MappingChar(value) {
|
|
93589
|
+
for (const char of value) {
|
|
93590
|
+
const codePoint = char.codePointAt(0);
|
|
93591
|
+
if (UNSAFE_UTS46_COLLISION_CHARS.has(char) || codePoint !== void 0 && (codePointInRanges(codePoint, UNSAFE_UTS46_COLLISION_RANGES) || codePointInRanges(codePoint, UNSAFE_UTS46_IGNORABLE_RANGES))) {
|
|
93592
|
+
return true;
|
|
93593
|
+
}
|
|
93594
|
+
}
|
|
93595
|
+
return false;
|
|
93596
|
+
}
|
|
93597
|
+
function normalizesToAscii(value) {
|
|
93598
|
+
return isAscii(normalizeLabelTextForIdnaValidation(value));
|
|
93599
|
+
}
|
|
93600
|
+
function normalizeLabelTextForIdnaValidation(value) {
|
|
93601
|
+
return value.replaceAll(GREEK_COMBINING_YPOGEGRAMMENI, GREEK_SMALL_IOTA).normalize("NFKD").normalize("NFC").toLowerCase();
|
|
93602
|
+
}
|
|
93603
|
+
function hasForbiddenNormalizedLabelChar(value) {
|
|
93604
|
+
for (const char of normalizeLabelTextForIdnaValidation(value)) {
|
|
93605
|
+
if (FORBIDDEN_NORMALIZED_LABEL_CHARS.has(char) || HOST_DOT_EQUIVALENTS.has(char) || WHITESPACE_PATTERN.test(char) || UNICODE_CONTROL_PATTERN.test(char)) {
|
|
93606
|
+
return true;
|
|
93607
|
+
}
|
|
93608
|
+
}
|
|
93609
|
+
return false;
|
|
93610
|
+
}
|
|
93611
|
+
function normalizedLabelStartsWithMark(value) {
|
|
93612
|
+
const [firstChar] = normalizeLabelTextForIdnaValidation(value);
|
|
93613
|
+
return firstChar !== void 0 && UNICODE_MARK_PATTERN.test(firstChar);
|
|
93614
|
+
}
|
|
93615
|
+
function isIdnaBidiRtlLabelChar(char) {
|
|
93616
|
+
const codePoint = char.codePointAt(0);
|
|
93617
|
+
return codePoint !== void 0 && codePointInRanges(codePoint, IDNA_BIDI_RTL_LABEL_RANGES);
|
|
93618
|
+
}
|
|
93619
|
+
function isLtrLetterForBidiCheck(char) {
|
|
93620
|
+
return UNICODE_LETTER_PATTERN.test(char) && !isIdnaBidiRtlLabelChar(char);
|
|
93621
|
+
}
|
|
93622
|
+
function isAsciiDigit(char) {
|
|
93623
|
+
return char >= "0" && char <= "9";
|
|
93624
|
+
}
|
|
93625
|
+
function isArabicNumberForBidiCheck(char) {
|
|
93626
|
+
const codePoint = char.codePointAt(0);
|
|
93627
|
+
return codePoint !== void 0 && 1632 <= codePoint && codePoint <= 1641;
|
|
93628
|
+
}
|
|
93629
|
+
function effectiveBidiEndChar(chars) {
|
|
93630
|
+
for (let index = chars.length - 1; index >= 0; index -= 1) {
|
|
93631
|
+
const char = chars[index];
|
|
93632
|
+
if (!UNICODE_MARK_PATTERN.test(char)) return char;
|
|
93633
|
+
}
|
|
93634
|
+
return chars.at(-1);
|
|
93635
|
+
}
|
|
93636
|
+
function firstEffectiveBidiChar(chars) {
|
|
93637
|
+
return chars.find((char) => {
|
|
93638
|
+
return !UNICODE_MARK_PATTERN.test(char);
|
|
93639
|
+
});
|
|
93640
|
+
}
|
|
93641
|
+
function isRtlEndCharForBidiCheck(char) {
|
|
93642
|
+
return isIdnaBidiRtlLabelChar(char) || isAsciiDigit(char) || isArabicNumberForBidiCheck(char);
|
|
93643
|
+
}
|
|
93644
|
+
function hasInvalidMixedBidiLabelText(value) {
|
|
93645
|
+
const chars = Array.from(normalizeLabelTextForIdnaValidation(value));
|
|
93646
|
+
const firstRtlIndex = chars.findIndex((char) => {
|
|
93647
|
+
return isIdnaBidiRtlLabelChar(char);
|
|
93648
|
+
});
|
|
93649
|
+
if (firstRtlIndex === -1) return false;
|
|
93650
|
+
const suffix = chars.slice(firstRtlIndex + 1);
|
|
93651
|
+
if (firstRtlIndex === 0) {
|
|
93652
|
+
const suffixHasLtrLetter2 = suffix.some((char) => {
|
|
93653
|
+
return isLtrLetterForBidiCheck(char);
|
|
93654
|
+
});
|
|
93655
|
+
if (suffixHasLtrLetter2) return true;
|
|
93656
|
+
const endChar2 = effectiveBidiEndChar(chars);
|
|
93657
|
+
return endChar2 !== void 0 && !isRtlEndCharForBidiCheck(endChar2);
|
|
93658
|
+
}
|
|
93659
|
+
const suffixHasLtrLetter = suffix.some((char) => {
|
|
93660
|
+
return isLtrLetterForBidiCheck(char);
|
|
93661
|
+
});
|
|
93662
|
+
if (suffixHasLtrLetter) return true;
|
|
93663
|
+
const prefix = chars.slice(0, firstRtlIndex);
|
|
93664
|
+
const prefixHasLtrLetter = prefix.some((char) => {
|
|
93665
|
+
return isLtrLetterForBidiCheck(char);
|
|
93666
|
+
});
|
|
93667
|
+
if (prefixHasLtrLetter) {
|
|
93668
|
+
if (prefix.some(isArabicNumberForBidiCheck)) return true;
|
|
93669
|
+
const firstPrefixChar = firstEffectiveBidiChar(prefix);
|
|
93670
|
+
if (firstPrefixChar === void 0 || !isLtrLetterForBidiCheck(firstPrefixChar)) {
|
|
93671
|
+
return true;
|
|
93672
|
+
}
|
|
93673
|
+
return suffix.some((char) => {
|
|
93674
|
+
return !UNICODE_MARK_PATTERN.test(char);
|
|
93675
|
+
});
|
|
93676
|
+
}
|
|
93677
|
+
const endChar = effectiveBidiEndChar(chars);
|
|
93678
|
+
return endChar !== void 0 && !isRtlEndCharForBidiCheck(endChar);
|
|
93679
|
+
}
|
|
93680
|
+
function baseUrlRawSyntaxTarget(base) {
|
|
93681
|
+
return base.replace(BASE_URL_VARS_PATTERN_G, AUTH_TEMPLATE_URL_PLACEHOLDER);
|
|
93682
|
+
}
|
|
93683
|
+
function validateHostPercentEncoding(host, base, serviceName2) {
|
|
93684
|
+
if (host.includes(",")) {
|
|
93685
|
+
throw new Error(errMsg(base, serviceName2, "host must not contain commas"));
|
|
93686
|
+
}
|
|
93687
|
+
for (let i = 0; i < host.length; i += 1) {
|
|
93688
|
+
if (host[i] !== "%") continue;
|
|
93689
|
+
if (i + 2 >= host.length || !isHexDigit(host[i + 1]) || !isHexDigit(host[i + 2])) {
|
|
93690
|
+
throw new Error(
|
|
93691
|
+
errMsg(base, serviceName2, "host has invalid percent encoding")
|
|
93692
|
+
);
|
|
93693
|
+
}
|
|
93694
|
+
let end = i;
|
|
93695
|
+
while (end + 2 < host.length && host[end] === "%" && isHexDigit(host[end + 1]) && isHexDigit(host[end + 2])) {
|
|
93696
|
+
end += 3;
|
|
93697
|
+
}
|
|
93698
|
+
let decoded;
|
|
93699
|
+
try {
|
|
93700
|
+
decoded = decodeURIComponent(host.slice(i, end));
|
|
93701
|
+
} catch {
|
|
93702
|
+
throw new Error(
|
|
93703
|
+
errMsg(base, serviceName2, "host has invalid percent encoding")
|
|
93704
|
+
);
|
|
93705
|
+
}
|
|
93706
|
+
for (const char of decoded) {
|
|
93707
|
+
if (char === "{" || char === "}") {
|
|
93708
|
+
throw new Error(
|
|
93709
|
+
errMsg(
|
|
93710
|
+
base,
|
|
93711
|
+
serviceName2,
|
|
93712
|
+
"host must not contain percent-encoded braces"
|
|
93713
|
+
)
|
|
93714
|
+
);
|
|
93715
|
+
}
|
|
93716
|
+
if (HOST_DOT_EQUIVALENTS.has(char)) {
|
|
93717
|
+
throw new Error(
|
|
93718
|
+
errMsg(
|
|
93719
|
+
base,
|
|
93720
|
+
serviceName2,
|
|
93721
|
+
"host must not contain percent-encoded dots"
|
|
93722
|
+
)
|
|
93723
|
+
);
|
|
93724
|
+
}
|
|
93725
|
+
if (char === ",") {
|
|
93726
|
+
throw new Error(
|
|
93727
|
+
errMsg(base, serviceName2, "host must not contain commas")
|
|
93728
|
+
);
|
|
93729
|
+
}
|
|
93730
|
+
}
|
|
93731
|
+
i = end - 1;
|
|
93732
|
+
}
|
|
93733
|
+
if (host.includes("%")) {
|
|
93734
|
+
let decoded;
|
|
93735
|
+
try {
|
|
93736
|
+
decoded = decodeURIComponent(host);
|
|
93737
|
+
} catch {
|
|
93738
|
+
throw new Error(
|
|
93739
|
+
errMsg(base, serviceName2, "host has invalid percent encoding")
|
|
93740
|
+
);
|
|
93741
|
+
}
|
|
93742
|
+
validateHostHasNoUnsafeIdnaMappings(decoded, base, serviceName2);
|
|
93743
|
+
}
|
|
93744
|
+
}
|
|
93745
|
+
function rawAuthorityFromBaseUrl(base) {
|
|
93746
|
+
const schemeEnd = base.indexOf("://");
|
|
93747
|
+
if (schemeEnd === -1) return null;
|
|
93748
|
+
const rest = base.slice(schemeEnd + 3);
|
|
93749
|
+
const delimiterIndexes = [
|
|
93750
|
+
rest.indexOf("/"),
|
|
93751
|
+
rest.indexOf("?"),
|
|
93752
|
+
rest.indexOf("#")
|
|
93753
|
+
].filter((index) => {
|
|
93754
|
+
return index !== -1;
|
|
93755
|
+
});
|
|
93756
|
+
const authorityEnd = delimiterIndexes.length === 0 ? -1 : Math.min(...delimiterIndexes);
|
|
93757
|
+
return authorityEnd === -1 ? rest : rest.slice(0, authorityEnd);
|
|
93758
|
+
}
|
|
93759
|
+
function validateNoUserinfo(authority, base, serviceName2) {
|
|
93760
|
+
if (authority.includes("@")) {
|
|
93761
|
+
throw new Error(errMsg(base, serviceName2, "must not contain userinfo"));
|
|
93762
|
+
}
|
|
93763
|
+
}
|
|
93764
|
+
function validateHostHasNoEmptyLabels(host, base, serviceName2) {
|
|
93765
|
+
let normalizedHost = host.replace(HOST_DOT_EQUIVALENT_PATTERN, ".");
|
|
93766
|
+
if (normalizedHost.endsWith(".")) {
|
|
93767
|
+
normalizedHost = normalizedHost.slice(0, -1);
|
|
93768
|
+
}
|
|
93769
|
+
if (normalizedHost === "" || normalizedHost.endsWith(".") || normalizedHost.split(".").some((label) => {
|
|
93770
|
+
return label === "";
|
|
93771
|
+
})) {
|
|
93772
|
+
throw new Error(
|
|
93773
|
+
errMsg(base, serviceName2, "host must not contain empty labels")
|
|
93774
|
+
);
|
|
93775
|
+
}
|
|
93776
|
+
return normalizedHost;
|
|
93777
|
+
}
|
|
93778
|
+
function normalizeHostForIpv4LiteralSyntax(host) {
|
|
93779
|
+
let normalized = host.replace(HOST_DOT_EQUIVALENT_PATTERN, ".").toLowerCase();
|
|
93780
|
+
if (normalized.endsWith(".")) {
|
|
93781
|
+
normalized = normalized.slice(0, -1);
|
|
93782
|
+
}
|
|
93783
|
+
return normalized;
|
|
93784
|
+
}
|
|
93785
|
+
function rawHostForCanonicalIpv4Syntax(host) {
|
|
93786
|
+
const normalized = host.toLowerCase();
|
|
93787
|
+
return normalized.endsWith(".") ? normalized.slice(0, -1) : normalized;
|
|
93788
|
+
}
|
|
93789
|
+
function splitAuthorityHostSegments(host) {
|
|
93790
|
+
if (host.startsWith("[") && host.endsWith("]")) {
|
|
93791
|
+
return [host];
|
|
93792
|
+
}
|
|
93793
|
+
return host.split(".");
|
|
93794
|
+
}
|
|
93795
|
+
function rawHostFromAuthority(authority) {
|
|
93796
|
+
const withoutUserinfo = authority.slice(authority.lastIndexOf("@") + 1);
|
|
93797
|
+
if (withoutUserinfo.startsWith("[")) {
|
|
93798
|
+
const closeBracket = withoutUserinfo.indexOf("]");
|
|
93799
|
+
return closeBracket === -1 ? withoutUserinfo : withoutUserinfo.slice(0, closeBracket + 1);
|
|
93800
|
+
}
|
|
93801
|
+
const portSeparator = withoutUserinfo.lastIndexOf(":");
|
|
93802
|
+
return portSeparator === -1 ? withoutUserinfo : withoutUserinfo.slice(0, portSeparator);
|
|
93803
|
+
}
|
|
93804
|
+
function validateLabelHasNoUnsafeIdnaMappings(label, base, serviceName2) {
|
|
93805
|
+
const parsed = parseSegment(label);
|
|
93806
|
+
const value = parsed.kind === "param" ? `${parsed.prefix}${parsed.suffix}` : label;
|
|
93807
|
+
if (value === "" || isAscii(value)) return;
|
|
93808
|
+
if (hasForbiddenNormalizedLabelChar(value)) {
|
|
93809
|
+
throw new Error(
|
|
93810
|
+
errMsg(
|
|
93811
|
+
base,
|
|
93812
|
+
serviceName2,
|
|
93813
|
+
"host must not contain characters that normalize to forbidden host syntax"
|
|
93814
|
+
)
|
|
93815
|
+
);
|
|
93816
|
+
}
|
|
93817
|
+
if (normalizedLabelStartsWithMark(value)) {
|
|
93818
|
+
throw new Error(
|
|
93819
|
+
errMsg(
|
|
93820
|
+
base,
|
|
93821
|
+
serviceName2,
|
|
93822
|
+
"host label must not start with a combining mark"
|
|
93823
|
+
)
|
|
93824
|
+
);
|
|
93825
|
+
}
|
|
93826
|
+
if (hasInvalidMixedBidiLabelText(value)) {
|
|
93827
|
+
throw new Error(
|
|
93828
|
+
errMsg(
|
|
93829
|
+
base,
|
|
93830
|
+
serviceName2,
|
|
93831
|
+
"host must not contain invalid bidirectional label text"
|
|
93832
|
+
)
|
|
93833
|
+
);
|
|
93834
|
+
}
|
|
93835
|
+
if (hasUnsafeUts46MappingChar(value) || normalizesToAscii(value)) {
|
|
93836
|
+
throw new Error(
|
|
93837
|
+
errMsg(
|
|
93838
|
+
base,
|
|
93839
|
+
serviceName2,
|
|
93840
|
+
"host must not contain unsafe IDNA compatibility mappings"
|
|
93841
|
+
)
|
|
93842
|
+
);
|
|
93843
|
+
}
|
|
93844
|
+
}
|
|
93845
|
+
function validateHostHasNoUnsafeIdnaMappings(authorityOrHost, base, serviceName2) {
|
|
93846
|
+
const host = rawHostFromAuthority(authorityOrHost);
|
|
93847
|
+
if (host.startsWith("[") && host.endsWith("]")) return;
|
|
93848
|
+
for (const label of host.replace(HOST_DOT_EQUIVALENT_PATTERN, ".").split(".")) {
|
|
93849
|
+
validateLabelHasNoUnsafeIdnaMappings(label, base, serviceName2);
|
|
93850
|
+
}
|
|
93851
|
+
}
|
|
93852
|
+
function validateHostHasCanonicalIpv4Syntax(authorityOrHost, base, serviceName2) {
|
|
93853
|
+
const host = rawHostFromAuthority(authorityOrHost);
|
|
93854
|
+
if (host.startsWith("[") && host.endsWith("]")) return;
|
|
93855
|
+
const normalizedHost = normalizeHostForIpv4LiteralSyntax(host);
|
|
93856
|
+
if (isIpv4LiteralLike(normalizedHost) && (rawHostForCanonicalIpv4Syntax(host) !== normalizedHost || !isCanonicalIpv4Address(normalizedHost))) {
|
|
93857
|
+
throw new Error(
|
|
93858
|
+
errMsg(base, serviceName2, "host must use canonical IPv4 address syntax")
|
|
93859
|
+
);
|
|
93860
|
+
}
|
|
93861
|
+
}
|
|
93862
|
+
function splitParameterizedAuthority(authority, base, serviceName2) {
|
|
93863
|
+
let host = authority;
|
|
93864
|
+
let portSuffix = "";
|
|
93865
|
+
if (authority.startsWith("[")) {
|
|
93866
|
+
const closeBracket = authority.indexOf("]");
|
|
93867
|
+
if (closeBracket === -1) {
|
|
93868
|
+
throw new Error(errMsg(base, serviceName2, "not a valid URL authority"));
|
|
93869
|
+
}
|
|
93870
|
+
host = authority.slice(0, closeBracket + 1);
|
|
93871
|
+
portSuffix = authority.slice(closeBracket + 1);
|
|
93872
|
+
if (portSuffix !== "" && !portSuffix.startsWith(":")) {
|
|
93873
|
+
throw new Error(errMsg(base, serviceName2, "not a valid URL authority"));
|
|
93874
|
+
}
|
|
93875
|
+
} else {
|
|
93876
|
+
const portSeparator = authority.lastIndexOf(":");
|
|
93877
|
+
if (portSeparator !== -1) {
|
|
93878
|
+
host = authority.slice(0, portSeparator);
|
|
93879
|
+
portSuffix = authority.slice(portSeparator);
|
|
93880
|
+
}
|
|
93881
|
+
}
|
|
93882
|
+
const normalizedHost = validateHostHasNoEmptyLabels(host, base, serviceName2);
|
|
93883
|
+
return { normalizedHost, portSuffix };
|
|
93884
|
+
}
|
|
93885
|
+
function validateStaticHostLabels(hostname4, base, serviceName2) {
|
|
93886
|
+
if (hostname4.startsWith("[") && hostname4.endsWith("]")) return;
|
|
93887
|
+
validateHostHasNoEmptyLabels(hostname4, base, serviceName2);
|
|
93888
|
+
}
|
|
93889
|
+
function hostSegmentForSyntaxValidation(seg, base, svc) {
|
|
93890
|
+
const parsed = parseSegment(seg);
|
|
93891
|
+
if (parsed.kind === "literal") return seg;
|
|
93892
|
+
if (parsed.kind === "error") {
|
|
93893
|
+
throw new Error(errMsg(base, svc, parsed.reason));
|
|
93894
|
+
}
|
|
93895
|
+
if (!isAscii(parsed.prefix) || !isAscii(parsed.suffix)) {
|
|
93896
|
+
throw new Error(
|
|
93897
|
+
errMsg(
|
|
93898
|
+
base,
|
|
93899
|
+
svc,
|
|
93900
|
+
`host parameter segment "${seg}" must use ASCII literal prefix and suffix`
|
|
93901
|
+
)
|
|
93902
|
+
);
|
|
93903
|
+
}
|
|
93904
|
+
return `${parsed.prefix}x${parsed.suffix}`;
|
|
93905
|
+
}
|
|
93906
|
+
function validateParameterizedHostUrlSyntax(scheme, authority, base, serviceName2) {
|
|
93907
|
+
const syntaxHost = splitAuthorityHostSegments(authority.normalizedHost).map((seg) => {
|
|
93908
|
+
return hostSegmentForSyntaxValidation(seg, base, serviceName2);
|
|
93909
|
+
}).join(".");
|
|
93910
|
+
try {
|
|
93911
|
+
new URL(`${scheme}://${syntaxHost}${authority.portSuffix}`);
|
|
93912
|
+
} catch {
|
|
93913
|
+
throw new Error(errMsg(base, serviceName2, "not a valid URL authority"));
|
|
93914
|
+
}
|
|
93915
|
+
}
|
|
93916
|
+
function validateHostParams(segments, paramNames, base, svc) {
|
|
93917
|
+
if (segments.length < 2) {
|
|
93918
|
+
throw new Error(errMsg(base, svc, "host must have at least two segments"));
|
|
93919
|
+
}
|
|
93920
|
+
let hasStatic = false;
|
|
93921
|
+
for (let i = 0; i < segments.length; i++) {
|
|
93922
|
+
const seg = segments[i];
|
|
93923
|
+
const parsed = parseSegment(seg);
|
|
93924
|
+
if (parsed.kind === "error") {
|
|
93925
|
+
throw new Error(errMsg(base, svc, parsed.reason));
|
|
93926
|
+
}
|
|
93927
|
+
if (parsed.kind === "literal") {
|
|
93928
|
+
hasStatic = true;
|
|
93929
|
+
continue;
|
|
93930
|
+
}
|
|
93931
|
+
const { name, greedy, prefix, suffix } = parsed;
|
|
93932
|
+
if (paramNames.has(name)) {
|
|
93933
|
+
throw new Error(
|
|
93934
|
+
errMsg(base, svc, `duplicate parameter name "{${name}}" in host`)
|
|
93935
|
+
);
|
|
93936
|
+
}
|
|
93937
|
+
paramNames.add(name);
|
|
93938
|
+
if (greedy && i !== 0) {
|
|
93939
|
+
throw new Error(
|
|
93940
|
+
errMsg(base, svc, `{${name}${greedy}} must be the first host segment`)
|
|
93941
|
+
);
|
|
93942
|
+
}
|
|
93943
|
+
if (greedy && (prefix !== "" || suffix !== "")) {
|
|
93944
|
+
throw new Error(
|
|
93945
|
+
errMsg(
|
|
93946
|
+
base,
|
|
93947
|
+
svc,
|
|
93948
|
+
`greedy parameter {${name}${greedy}} cannot be combined with a literal prefix or suffix in host segment "${seg}"`
|
|
93949
|
+
)
|
|
93950
|
+
);
|
|
93951
|
+
}
|
|
93952
|
+
}
|
|
93953
|
+
if (!hasStatic) {
|
|
93954
|
+
throw new Error(
|
|
93955
|
+
errMsg(base, svc, "host must have at least one static segment")
|
|
93956
|
+
);
|
|
93957
|
+
}
|
|
93958
|
+
}
|
|
93959
|
+
function validatePathParams(segments, paramNames, base, svc) {
|
|
93960
|
+
for (const seg of segments) {
|
|
93961
|
+
const parsed = parseSegment(seg);
|
|
93962
|
+
if (parsed.kind === "error") {
|
|
93963
|
+
throw new Error(errMsg(base, svc, parsed.reason));
|
|
93964
|
+
}
|
|
93965
|
+
if (parsed.kind === "literal") continue;
|
|
93966
|
+
const { name, greedy } = parsed;
|
|
93967
|
+
if (greedy) {
|
|
93968
|
+
throw new Error(
|
|
93969
|
+
errMsg(
|
|
93970
|
+
base,
|
|
93971
|
+
svc,
|
|
93972
|
+
`greedy parameter {${name}${greedy}} is not allowed in base URL path`
|
|
93973
|
+
)
|
|
93974
|
+
);
|
|
93975
|
+
}
|
|
93976
|
+
if (paramNames.has(name)) {
|
|
93977
|
+
throw new Error(
|
|
93978
|
+
errMsg(base, svc, `duplicate parameter name "{${name}}"`)
|
|
93979
|
+
);
|
|
93980
|
+
}
|
|
93981
|
+
paramNames.add(name);
|
|
93982
|
+
}
|
|
93983
|
+
}
|
|
93984
|
+
function validateBaseUrlParams(base, serviceName2) {
|
|
93985
|
+
const schemeEnd = base.indexOf("://");
|
|
93986
|
+
if (schemeEnd === -1) {
|
|
93987
|
+
throw new Error(errMsg(base, serviceName2, "missing scheme"));
|
|
93988
|
+
}
|
|
93989
|
+
const scheme = base.slice(0, schemeEnd);
|
|
93990
|
+
if (scheme.includes("{")) {
|
|
93991
|
+
throw new Error(
|
|
93992
|
+
errMsg(base, serviceName2, "scheme must not contain parameters")
|
|
93993
|
+
);
|
|
93994
|
+
}
|
|
93995
|
+
validateBaseUrlScheme(scheme, base, serviceName2);
|
|
93996
|
+
if (base.includes("?")) {
|
|
93997
|
+
throw new Error(errMsg(base, serviceName2, "must not contain query string"));
|
|
93998
|
+
}
|
|
93999
|
+
if (base.includes("#")) {
|
|
94000
|
+
throw new Error(errMsg(base, serviceName2, "must not contain fragment"));
|
|
94001
|
+
}
|
|
94002
|
+
const rest = base.slice(schemeEnd + 3);
|
|
94003
|
+
const slashIdx = rest.indexOf("/");
|
|
94004
|
+
const host = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
|
|
94005
|
+
const path3 = slashIdx === -1 ? "" : rest.slice(slashIdx);
|
|
94006
|
+
validateNoUserinfo(host, base, serviceName2);
|
|
94007
|
+
validateHostPercentEncoding(host, base, serviceName2);
|
|
94008
|
+
const authority = splitParameterizedAuthority(host, base, serviceName2);
|
|
94009
|
+
validateHostHasCanonicalIpv4Syntax(
|
|
94010
|
+
authority.normalizedHost,
|
|
94011
|
+
base,
|
|
94012
|
+
serviceName2
|
|
94013
|
+
);
|
|
94014
|
+
validateHostHasNoUnsafeIdnaMappings(
|
|
94015
|
+
authority.normalizedHost,
|
|
94016
|
+
base,
|
|
94017
|
+
serviceName2
|
|
94018
|
+
);
|
|
94019
|
+
validateParameterizedHostUrlSyntax(
|
|
94020
|
+
base.slice(0, schemeEnd),
|
|
94021
|
+
authority,
|
|
94022
|
+
base,
|
|
94023
|
+
serviceName2
|
|
94024
|
+
);
|
|
94025
|
+
const paramNames = /* @__PURE__ */ new Set();
|
|
94026
|
+
validateHostParams(
|
|
94027
|
+
splitAuthorityHostSegments(authority.normalizedHost),
|
|
94028
|
+
paramNames,
|
|
94029
|
+
base,
|
|
94030
|
+
serviceName2
|
|
94031
|
+
);
|
|
94032
|
+
if (path3) {
|
|
94033
|
+
validatePathParams(splitPathSegments(path3), paramNames, base, serviceName2);
|
|
94034
|
+
}
|
|
94035
|
+
}
|
|
94036
|
+
function validateBaseUrl(base, serviceName2) {
|
|
94037
|
+
if (base.includes("\\")) {
|
|
94038
|
+
throw new Error(
|
|
94039
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": must not contain backslash`
|
|
94040
|
+
);
|
|
94041
|
+
}
|
|
94042
|
+
const rawSyntaxTarget = baseUrlRawSyntaxTarget(base);
|
|
94043
|
+
if (hasRawWhitespace(rawSyntaxTarget)) {
|
|
94044
|
+
throw new Error(
|
|
94045
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": must not contain whitespace`
|
|
94046
|
+
);
|
|
94047
|
+
}
|
|
94048
|
+
if (hasUnsafeUrlCodepoint(rawSyntaxTarget)) {
|
|
94049
|
+
throw new Error(
|
|
94050
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": must not contain control characters or invalid Unicode`
|
|
94051
|
+
);
|
|
94052
|
+
}
|
|
94053
|
+
if (hasBaseUrlVars(base)) return;
|
|
94054
|
+
validateUrlSchemeDelimiter(base, serviceName2, "base URL");
|
|
94055
|
+
if (hasBaseUrlParams(base)) {
|
|
94056
|
+
validateBaseUrlParams(base, serviceName2);
|
|
94057
|
+
return;
|
|
94058
|
+
}
|
|
94059
|
+
let url2;
|
|
94060
|
+
try {
|
|
94061
|
+
url2 = new URL(base);
|
|
94062
|
+
} catch {
|
|
94063
|
+
if (!base.includes("://")) {
|
|
94064
|
+
throw new Error(
|
|
94065
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": URL must include a scheme (e.g. "https://${base}")`
|
|
94066
|
+
);
|
|
94067
|
+
}
|
|
94068
|
+
throw new Error(
|
|
94069
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": not a valid URL`
|
|
94070
|
+
);
|
|
94071
|
+
}
|
|
94072
|
+
validateBaseUrlScheme(url2.protocol.slice(0, -1), base, serviceName2);
|
|
94073
|
+
if (url2.search) {
|
|
94074
|
+
throw new Error(
|
|
94075
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": must not contain query string`
|
|
94076
|
+
);
|
|
94077
|
+
}
|
|
94078
|
+
if (url2.hash) {
|
|
94079
|
+
throw new Error(
|
|
94080
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": must not contain fragment`
|
|
94081
|
+
);
|
|
94082
|
+
}
|
|
94083
|
+
const authority = rawAuthorityFromBaseUrl(base);
|
|
94084
|
+
if (authority !== null) {
|
|
94085
|
+
if (authority === "") {
|
|
94086
|
+
throw new Error(
|
|
94087
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": not a valid URL authority`
|
|
94088
|
+
);
|
|
94089
|
+
}
|
|
94090
|
+
validateNoUserinfo(authority, base, serviceName2);
|
|
94091
|
+
validateHostPercentEncoding(authority, base, serviceName2);
|
|
94092
|
+
validateHostHasCanonicalIpv4Syntax(authority, base, serviceName2);
|
|
94093
|
+
validateHostHasNoUnsafeIdnaMappings(authority, base, serviceName2);
|
|
94094
|
+
}
|
|
94095
|
+
validateStaticHostLabels(url2.hostname, base, serviceName2);
|
|
94096
|
+
if (url2.hostname.includes("{") || url2.hostname.includes("}")) {
|
|
94097
|
+
throw new Error(
|
|
94098
|
+
`Invalid base URL "${base}" in firewall "${serviceName2}": host must not contain braces`
|
|
94099
|
+
);
|
|
94100
|
+
}
|
|
94101
|
+
}
|
|
94102
|
+
function authBaseForStaticUrlValidation(authBase) {
|
|
94103
|
+
if (!authBase.includes(AUTH_TEMPLATE_START)) {
|
|
94104
|
+
return { url: authBase, dynamicPrefixSuffix: "" };
|
|
94105
|
+
}
|
|
94106
|
+
const replaced = authBase.replace(
|
|
94107
|
+
AUTH_REFERENCE_PATTERN_G,
|
|
94108
|
+
AUTH_TEMPLATE_URL_PLACEHOLDER
|
|
94109
|
+
);
|
|
94110
|
+
if (replaced.includes(AUTH_TEMPLATE_START)) {
|
|
94111
|
+
return { url: authBase, dynamicPrefixSuffix: "" };
|
|
94112
|
+
}
|
|
94113
|
+
const prefixMatch = AUTH_REFERENCE_PREFIX_PATTERN.exec(authBase);
|
|
94114
|
+
if (prefixMatch) {
|
|
94115
|
+
return {
|
|
94116
|
+
url: null,
|
|
94117
|
+
dynamicPrefixSuffix: authBase.slice(prefixMatch[0].length).replace(AUTH_REFERENCE_PATTERN_G, AUTH_TEMPLATE_URL_PLACEHOLDER)
|
|
94118
|
+
};
|
|
94119
|
+
}
|
|
94120
|
+
return { url: replaced, dynamicPrefixSuffix: "" };
|
|
94121
|
+
}
|
|
94122
|
+
function validateDynamicAuthBaseSuffix(authBase, suffix, serviceName2) {
|
|
94123
|
+
if (suffix.includes(AUTH_TEMPLATE_START)) {
|
|
94124
|
+
throw new Error(
|
|
94125
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": contains unsupported template reference`
|
|
94126
|
+
);
|
|
94127
|
+
}
|
|
94128
|
+
if (hasRawWhitespace(suffix)) {
|
|
94129
|
+
throw new Error(
|
|
94130
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain whitespace`
|
|
94131
|
+
);
|
|
94132
|
+
}
|
|
94133
|
+
if (hasUnsafeUrlCodepoint(suffix)) {
|
|
94134
|
+
throw new Error(
|
|
94135
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain control characters or invalid Unicode`
|
|
94136
|
+
);
|
|
94137
|
+
}
|
|
94138
|
+
if (suffix.includes("#")) {
|
|
94139
|
+
throw new Error(
|
|
94140
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain fragment`
|
|
94141
|
+
);
|
|
94142
|
+
}
|
|
94143
|
+
if (suffix !== "" && !suffix.startsWith("/") && !suffix.startsWith("?")) {
|
|
94144
|
+
throw new Error(
|
|
94145
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": dynamic URL suffix must start with "/" or "?"`
|
|
94146
|
+
);
|
|
94147
|
+
}
|
|
94148
|
+
}
|
|
94149
|
+
function validateAuthBaseUrl(authBase, serviceName2) {
|
|
94150
|
+
if (authBase.includes("\\")) {
|
|
94151
|
+
throw new Error(
|
|
94152
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain backslash`
|
|
94153
|
+
);
|
|
94154
|
+
}
|
|
94155
|
+
const target = authBaseForStaticUrlValidation(authBase);
|
|
94156
|
+
validateDynamicAuthBaseSuffix(
|
|
94157
|
+
authBase,
|
|
94158
|
+
target.dynamicPrefixSuffix,
|
|
94159
|
+
serviceName2
|
|
94160
|
+
);
|
|
94161
|
+
const validationUrl = target.url;
|
|
94162
|
+
if (validationUrl === null) return;
|
|
94163
|
+
if (validationUrl.includes(AUTH_TEMPLATE_START)) {
|
|
94164
|
+
throw new Error(
|
|
94165
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": contains unsupported template reference`
|
|
94166
|
+
);
|
|
94167
|
+
}
|
|
94168
|
+
if (hasRawWhitespace(validationUrl)) {
|
|
94169
|
+
throw new Error(
|
|
94170
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain whitespace`
|
|
94171
|
+
);
|
|
94172
|
+
}
|
|
94173
|
+
if (hasUnsafeUrlCodepoint(validationUrl)) {
|
|
94174
|
+
throw new Error(
|
|
94175
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain control characters or invalid Unicode`
|
|
94176
|
+
);
|
|
94177
|
+
}
|
|
94178
|
+
validateUrlSchemeDelimiter(
|
|
94179
|
+
validationUrl,
|
|
94180
|
+
serviceName2,
|
|
94181
|
+
"auth.base URL",
|
|
94182
|
+
authBase
|
|
94183
|
+
);
|
|
94184
|
+
let url2;
|
|
94185
|
+
try {
|
|
94186
|
+
url2 = new URL(validationUrl);
|
|
94187
|
+
} catch {
|
|
94188
|
+
throw new Error(
|
|
94189
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": not a valid URL`
|
|
94190
|
+
);
|
|
94191
|
+
}
|
|
94192
|
+
if (!ALLOWED_BASE_URL_SCHEMES.has(url2.protocol.slice(0, -1).toLowerCase())) {
|
|
94193
|
+
throw new Error(
|
|
94194
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": scheme must be http or https`
|
|
94195
|
+
);
|
|
94196
|
+
}
|
|
94197
|
+
if (url2.hash) {
|
|
94198
|
+
throw new Error(
|
|
94199
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain fragment`
|
|
94200
|
+
);
|
|
94201
|
+
}
|
|
94202
|
+
const authority = rawAuthorityFromBaseUrl(validationUrl);
|
|
94203
|
+
if (authority !== null) {
|
|
94204
|
+
if (authority === "") {
|
|
94205
|
+
throw new Error(
|
|
94206
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": not a valid URL authority`
|
|
94207
|
+
);
|
|
94208
|
+
}
|
|
94209
|
+
if (authority.includes("@")) {
|
|
94210
|
+
throw new Error(
|
|
94211
|
+
`Invalid auth.base URL "${authBase}" in firewall "${serviceName2}": must not contain userinfo`
|
|
94212
|
+
);
|
|
94213
|
+
}
|
|
94214
|
+
validateHostPercentEncoding(authority, validationUrl, serviceName2);
|
|
94215
|
+
validateHostHasCanonicalIpv4Syntax(authority, validationUrl, serviceName2);
|
|
94216
|
+
validateHostHasNoUnsafeIdnaMappings(authority, validationUrl, serviceName2);
|
|
94217
|
+
}
|
|
94218
|
+
validateStaticHostLabels(url2.hostname, validationUrl, serviceName2);
|
|
94219
|
+
}
|
|
94220
|
+
|
|
94221
|
+
// ../../packages/api-contracts/src/contracts/runners.ts
|
|
93054
94222
|
var c = initContract();
|
|
94223
|
+
var MIN_EPOCH_MS_TIMESTAMP = 1e12;
|
|
94224
|
+
var apiStartTimeSchema = external_exports.number().int().min(MIN_EPOCH_MS_TIMESTAMP);
|
|
94225
|
+
var CANONICAL_WORKING_DIR = "/home/user/workspace";
|
|
94226
|
+
var CANONICAL_CLAUDE_PROJECT_NAME = CANONICAL_WORKING_DIR.replace(
|
|
94227
|
+
/^\//,
|
|
94228
|
+
""
|
|
94229
|
+
).replace(/\//g, "-");
|
|
94230
|
+
var CANONICAL_CLAUDE_MEMORY_MOUNT_PATH = `/home/user/.claude/projects/-${CANONICAL_CLAUDE_PROJECT_NAME}/memory`;
|
|
94231
|
+
var runnerGroupSchema = external_exports.string().regex(
|
|
94232
|
+
/^[a-z0-9-]+\/[a-z0-9-]+$/,
|
|
94233
|
+
"Runner group must be in vm0/<name> format (e.g., vm0/production)"
|
|
94234
|
+
);
|
|
94235
|
+
var jobSchema = external_exports.object({
|
|
94236
|
+
runId: external_exports.uuid(),
|
|
94237
|
+
prompt: external_exports.string(),
|
|
94238
|
+
appendSystemPrompt: external_exports.string().nullable(),
|
|
94239
|
+
agentComposeVersionId: external_exports.string().nullable(),
|
|
94240
|
+
vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
94241
|
+
checkpointId: external_exports.uuid().nullable(),
|
|
94242
|
+
experimentalProfile: external_exports.string().optional()
|
|
94243
|
+
});
|
|
94244
|
+
var heldSessionStateSchema = external_exports.object({
|
|
94245
|
+
sessionId: external_exports.string(),
|
|
94246
|
+
lastCompletedAt: external_exports.string().datetime({ offset: true })
|
|
94247
|
+
});
|
|
94248
|
+
var runnersPollContract = c.router({
|
|
94249
|
+
poll: {
|
|
94250
|
+
method: "POST",
|
|
94251
|
+
path: "/api/runners/poll",
|
|
94252
|
+
headers: authHeadersSchema,
|
|
94253
|
+
body: external_exports.object({
|
|
94254
|
+
group: runnerGroupSchema,
|
|
94255
|
+
profiles: external_exports.array(external_exports.string()).optional(),
|
|
94256
|
+
heldSessionStates: external_exports.array(heldSessionStateSchema).max(100).optional()
|
|
94257
|
+
}),
|
|
94258
|
+
responses: {
|
|
94259
|
+
200: external_exports.object({
|
|
94260
|
+
job: jobSchema.nullable()
|
|
94261
|
+
}),
|
|
94262
|
+
400: apiErrorSchema,
|
|
94263
|
+
401: apiErrorSchema,
|
|
94264
|
+
500: apiErrorSchema
|
|
94265
|
+
},
|
|
94266
|
+
summary: "Poll for pending jobs (long-polling with 30s timeout)"
|
|
94267
|
+
}
|
|
94268
|
+
});
|
|
94269
|
+
var storageEntrySchema = external_exports.object({
|
|
94270
|
+
name: external_exports.string(),
|
|
94271
|
+
mountPath: external_exports.string(),
|
|
94272
|
+
vasStorageName: external_exports.string(),
|
|
94273
|
+
vasVersionId: external_exports.string(),
|
|
94274
|
+
instructionsTargetFilename: external_exports.string().optional(),
|
|
94275
|
+
archiveUrl: external_exports.string()
|
|
94276
|
+
});
|
|
94277
|
+
var artifactEntrySchema = external_exports.object({
|
|
94278
|
+
mountPath: external_exports.string(),
|
|
94279
|
+
vasStorageName: external_exports.string(),
|
|
94280
|
+
vasStorageId: external_exports.string(),
|
|
94281
|
+
vasVersionId: external_exports.string(),
|
|
94282
|
+
archiveUrl: external_exports.string(),
|
|
94283
|
+
manifestUrl: external_exports.string().optional()
|
|
94284
|
+
});
|
|
94285
|
+
var storageManifestSchema = external_exports.object({
|
|
94286
|
+
storages: external_exports.array(storageEntrySchema),
|
|
94287
|
+
artifacts: external_exports.array(artifactEntrySchema)
|
|
94288
|
+
});
|
|
94289
|
+
var resumeSessionSchema = external_exports.object({
|
|
94290
|
+
sessionId: external_exports.string(),
|
|
94291
|
+
sessionHistory: external_exports.string()
|
|
94292
|
+
});
|
|
94293
|
+
var secretConnectorMetadataSchema = external_exports.object({
|
|
94294
|
+
sourceType: external_exports.enum(["connector", "model-provider"]),
|
|
94295
|
+
sourceUserId: external_exports.string().optional(),
|
|
94296
|
+
metadataKey: external_exports.string().optional()
|
|
94297
|
+
});
|
|
94298
|
+
var secretConnectorMetadataMapSchema = external_exports.record(
|
|
94299
|
+
external_exports.string(),
|
|
94300
|
+
secretConnectorMetadataSchema
|
|
94301
|
+
);
|
|
94302
|
+
var storedExecutionContextSchema = external_exports.object({
|
|
94303
|
+
storageManifest: storageManifestSchema.nullable(),
|
|
94304
|
+
environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
94305
|
+
resumeSession: resumeSessionSchema.nullable(),
|
|
94306
|
+
// AES-256-GCM encrypted Record<string, string>. Keys are the runtime secret
|
|
94307
|
+
// names used by `${{ secrets.NAME }}`; connector/model-provider keys are env
|
|
94308
|
+
// aliases, not backing storage secret names.
|
|
94309
|
+
encryptedSecrets: external_exports.string().nullable(),
|
|
94310
|
+
// Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`) to
|
|
94311
|
+
// their connector or provider owner. Keys are env aliases, not storage secret names.
|
|
94312
|
+
secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
|
|
94313
|
+
// Same keys as secretConnectorMap; adds source details when the owner alone
|
|
94314
|
+
// is not enough to locate access storage (for example, personal model providers).
|
|
94315
|
+
secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
|
|
94316
|
+
cliAgentType: external_exports.string(),
|
|
94317
|
+
// Debug flag to force real Claude in mock environments (internal use only)
|
|
94318
|
+
debugNoMockClaude: external_exports.boolean().optional(),
|
|
94319
|
+
// Debug flag to force real Codex in mock environments (internal use only)
|
|
94320
|
+
debugNoMockCodex: external_exports.boolean().optional(),
|
|
94321
|
+
// Capture HTTP request headers, request bodies, and response bodies in network logs
|
|
94322
|
+
captureNetworkBodies: external_exports.boolean().optional(),
|
|
94323
|
+
// Dispatch timestamp for E2E timing metrics, as Unix epoch milliseconds
|
|
94324
|
+
apiStartTime: apiStartTimeSchema.optional(),
|
|
94325
|
+
// User's timezone preference (IANA format, e.g., "Asia/Shanghai")
|
|
94326
|
+
userTimezone: external_exports.string().optional(),
|
|
94327
|
+
// Firewall for proxy-side token replacement (complete config, all permissions)
|
|
94328
|
+
firewalls: firewallsSchema.optional(),
|
|
94329
|
+
// Per-firewall network policies: which permissions are granted + unknownPolicy
|
|
94330
|
+
networkPolicies: networkPoliciesSchema.optional(),
|
|
94331
|
+
// Tools to disable in Claude CLI (passed as --disallowed-tools)
|
|
94332
|
+
disallowedTools: external_exports.array(external_exports.string()).optional(),
|
|
94333
|
+
// Tools to make available in Claude CLI (passed as --tools)
|
|
94334
|
+
tools: external_exports.array(external_exports.string()).optional(),
|
|
94335
|
+
// Settings JSON to pass to Claude CLI (passed as --settings)
|
|
94336
|
+
settings: external_exports.string().optional(),
|
|
94337
|
+
// VM profile for resource allocation (e.g., "vm0/default")
|
|
94338
|
+
experimentalProfile: external_exports.string().optional(),
|
|
94339
|
+
// Feature flags evaluated at job creation time (all switch states for user/org)
|
|
94340
|
+
featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
|
|
94341
|
+
billableFirewalls: external_exports.array(external_exports.string()).optional(),
|
|
94342
|
+
modelUsageProvider: external_exports.string().optional()
|
|
94343
|
+
});
|
|
94344
|
+
var executionContextSchema = external_exports.object({
|
|
94345
|
+
runId: external_exports.uuid(),
|
|
94346
|
+
prompt: external_exports.string(),
|
|
94347
|
+
appendSystemPrompt: external_exports.string().nullable(),
|
|
94348
|
+
agentComposeVersionId: external_exports.string().nullable(),
|
|
94349
|
+
vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
94350
|
+
checkpointId: external_exports.uuid().nullable(),
|
|
94351
|
+
sandboxToken: external_exports.string(),
|
|
94352
|
+
storageManifest: storageManifestSchema.nullable(),
|
|
94353
|
+
environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
94354
|
+
resumeSession: resumeSessionSchema.nullable(),
|
|
94355
|
+
// Plain secret values used by the runner for redaction. These are values, not
|
|
94356
|
+
// names, and are base64-encoded only when exported through VM0_SECRET_VALUES.
|
|
94357
|
+
secretValues: external_exports.array(external_exports.string()).nullable(),
|
|
94358
|
+
// AES-256-GCM encrypted Record<string, string>, passed through to mitm-addon
|
|
94359
|
+
// for auth resolution. Keys are runtime secret names used by
|
|
94360
|
+
// `${{ secrets.NAME }}`; connector/model-provider keys are env aliases, not
|
|
94361
|
+
// backing storage secret names.
|
|
94362
|
+
encryptedSecrets: external_exports.string().nullable(),
|
|
94363
|
+
// Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`) to
|
|
94364
|
+
// their connector or provider owner. Keys are env aliases, not storage secret names.
|
|
94365
|
+
secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
|
|
94366
|
+
// Same keys as secretConnectorMap; adds source details when the owner alone
|
|
94367
|
+
// is not enough to locate access storage (for example, personal model providers).
|
|
94368
|
+
secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
|
|
94369
|
+
cliAgentType: external_exports.string(),
|
|
94370
|
+
// Debug flag to force real Claude in mock environments (internal use only)
|
|
94371
|
+
debugNoMockClaude: external_exports.boolean().optional(),
|
|
94372
|
+
// Debug flag to force real Codex in mock environments (internal use only)
|
|
94373
|
+
debugNoMockCodex: external_exports.boolean().optional(),
|
|
94374
|
+
// Capture HTTP request headers, request bodies, and response bodies in network logs
|
|
94375
|
+
captureNetworkBodies: external_exports.boolean().optional(),
|
|
94376
|
+
// Dispatch timestamp for E2E timing metrics, as Unix epoch milliseconds
|
|
94377
|
+
apiStartTime: apiStartTimeSchema.optional(),
|
|
94378
|
+
// User's timezone preference (IANA format, e.g., "Asia/Shanghai")
|
|
94379
|
+
userTimezone: external_exports.string().optional(),
|
|
94380
|
+
// Firewall for proxy-side token replacement (complete config, all permissions)
|
|
94381
|
+
firewalls: firewallsSchema.optional(),
|
|
94382
|
+
// Per-firewall network policies: which permissions are granted + unknownPolicy
|
|
94383
|
+
networkPolicies: networkPoliciesSchema.optional(),
|
|
94384
|
+
// Tools to disable in Claude CLI (passed as --disallowed-tools)
|
|
94385
|
+
disallowedTools: external_exports.array(external_exports.string()).optional(),
|
|
94386
|
+
// Tools to make available in Claude CLI (passed as --tools)
|
|
94387
|
+
tools: external_exports.array(external_exports.string()).optional(),
|
|
94388
|
+
// Settings JSON to pass to Claude CLI (passed as --settings)
|
|
94389
|
+
settings: external_exports.string().optional(),
|
|
94390
|
+
// VM profile for resource allocation (e.g., "vm0/default")
|
|
94391
|
+
experimentalProfile: external_exports.string().optional(),
|
|
94392
|
+
// Feature flags evaluated at job creation time (all switch states for user/org)
|
|
94393
|
+
featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
|
|
94394
|
+
billableFirewalls: external_exports.array(external_exports.string()).optional(),
|
|
94395
|
+
modelUsageProvider: external_exports.string().optional()
|
|
94396
|
+
});
|
|
94397
|
+
var runnersJobClaimContract = c.router({
|
|
94398
|
+
claim: {
|
|
94399
|
+
method: "POST",
|
|
94400
|
+
path: "/api/runners/jobs/:id/claim",
|
|
94401
|
+
headers: authHeadersSchema,
|
|
94402
|
+
pathParams: external_exports.object({
|
|
94403
|
+
id: external_exports.uuid()
|
|
94404
|
+
}),
|
|
94405
|
+
body: external_exports.object({}),
|
|
94406
|
+
responses: {
|
|
94407
|
+
200: executionContextSchema,
|
|
94408
|
+
400: apiErrorSchema,
|
|
94409
|
+
401: apiErrorSchema,
|
|
94410
|
+
403: apiErrorSchema,
|
|
94411
|
+
// Job does not belong to user
|
|
94412
|
+
404: apiErrorSchema,
|
|
94413
|
+
409: apiErrorSchema,
|
|
94414
|
+
// Already claimed
|
|
94415
|
+
500: apiErrorSchema
|
|
94416
|
+
},
|
|
94417
|
+
summary: "Claim a pending job for execution"
|
|
94418
|
+
}
|
|
94419
|
+
});
|
|
94420
|
+
var heartbeatBodySchema = external_exports.object({
|
|
94421
|
+
runnerId: external_exports.uuid(),
|
|
94422
|
+
runnerName: external_exports.string(),
|
|
94423
|
+
group: runnerGroupSchema,
|
|
94424
|
+
profiles: external_exports.array(external_exports.string()),
|
|
94425
|
+
totalVcpu: external_exports.number().int().nonnegative(),
|
|
94426
|
+
totalMemoryMb: external_exports.number().int().nonnegative(),
|
|
94427
|
+
maxConcurrent: external_exports.number().int().nonnegative(),
|
|
94428
|
+
allocatedVcpu: external_exports.number().int().nonnegative(),
|
|
94429
|
+
allocatedMemoryMb: external_exports.number().int().nonnegative(),
|
|
94430
|
+
runningCount: external_exports.number().int().nonnegative(),
|
|
94431
|
+
heldSessionStates: external_exports.array(heldSessionStateSchema),
|
|
94432
|
+
mode: external_exports.enum(["running", "draining", "stopping"])
|
|
94433
|
+
});
|
|
94434
|
+
var runnersHeartbeatContract = c.router({
|
|
94435
|
+
heartbeat: {
|
|
94436
|
+
method: "POST",
|
|
94437
|
+
path: "/api/runners/heartbeat",
|
|
94438
|
+
headers: authHeadersSchema,
|
|
94439
|
+
body: heartbeatBodySchema,
|
|
94440
|
+
responses: {
|
|
94441
|
+
200: external_exports.object({ ok: external_exports.literal(true) }),
|
|
94442
|
+
400: apiErrorSchema,
|
|
94443
|
+
401: apiErrorSchema,
|
|
94444
|
+
500: apiErrorSchema
|
|
94445
|
+
},
|
|
94446
|
+
summary: "Report runner heartbeat with capacity and state"
|
|
94447
|
+
}
|
|
94448
|
+
});
|
|
94449
|
+
|
|
94450
|
+
// ../../packages/api-contracts/src/contracts/composes.ts
|
|
94451
|
+
var c2 = initContract();
|
|
94452
|
+
var MOUNT_PATH_TEMPLATE = "${{ working_dir }}";
|
|
93055
94453
|
var composeVersionQuerySchema = external_exports.string().min(1, "Missing version query parameter").regex(
|
|
93056
94454
|
/^[a-f0-9]{8,64}$|^latest$/i,
|
|
93057
94455
|
"Version must be 8-64 hex characters or 'latest'"
|
|
@@ -93067,10 +94465,9 @@ var volumeConfigSchema = external_exports.object({
|
|
|
93067
94465
|
/** When true, skip mounting without error if volume doesn't exist */
|
|
93068
94466
|
optional: external_exports.boolean().optional()
|
|
93069
94467
|
});
|
|
93070
|
-
var MOUNT_PATH_TEMPLATE = "${{ working_dir }}";
|
|
93071
94468
|
var mountPathSchema = external_exports.string().min(1, "mount_path cannot be empty").refine((val) => {
|
|
93072
94469
|
return val === MOUNT_PATH_TEMPLATE || val.startsWith("/");
|
|
93073
|
-
},
|
|
94470
|
+
}, "mount_path must be an absolute path or ${{ working_dir }}");
|
|
93074
94471
|
var artifactConfigSchema = external_exports.object({
|
|
93075
94472
|
name: external_exports.string().min(1, "Artifact name is required"),
|
|
93076
94473
|
version: external_exports.string().min(1).optional(),
|
|
@@ -93166,7 +94563,7 @@ var createComposeResponseSchema = external_exports.object({
|
|
|
93166
94563
|
action: external_exports.enum(["created", "existing"]),
|
|
93167
94564
|
updatedAt: external_exports.string()
|
|
93168
94565
|
});
|
|
93169
|
-
var composesMainContract =
|
|
94566
|
+
var composesMainContract = c2.router({
|
|
93170
94567
|
/**
|
|
93171
94568
|
* GET /api/agent/composes?name={name}&org={org}
|
|
93172
94569
|
* Get agent compose by name with HEAD version content
|
|
@@ -93212,7 +94609,7 @@ var composesMainContract = c.router({
|
|
|
93212
94609
|
summary: "Create or update agent compose version"
|
|
93213
94610
|
}
|
|
93214
94611
|
});
|
|
93215
|
-
var composesByIdContract =
|
|
94612
|
+
var composesByIdContract = c2.router({
|
|
93216
94613
|
/**
|
|
93217
94614
|
* GET /api/agent/composes/:id
|
|
93218
94615
|
* Get agent compose by ID with HEAD version content
|
|
@@ -93245,9 +94642,9 @@ var composesByIdContract = c.router({
|
|
|
93245
94642
|
pathParams: external_exports.object({
|
|
93246
94643
|
id: external_exports.string().uuid("Compose ID is required")
|
|
93247
94644
|
}),
|
|
93248
|
-
body:
|
|
94645
|
+
body: c2.noBody(),
|
|
93249
94646
|
responses: {
|
|
93250
|
-
204:
|
|
94647
|
+
204: c2.noBody(),
|
|
93251
94648
|
401: apiErrorSchema,
|
|
93252
94649
|
403: apiErrorSchema,
|
|
93253
94650
|
404: apiErrorSchema,
|
|
@@ -93256,7 +94653,7 @@ var composesByIdContract = c.router({
|
|
|
93256
94653
|
summary: "Delete agent compose"
|
|
93257
94654
|
}
|
|
93258
94655
|
});
|
|
93259
|
-
var composesVersionsContract =
|
|
94656
|
+
var composesVersionsContract = c2.router({
|
|
93260
94657
|
/**
|
|
93261
94658
|
* GET /api/agent/composes/versions?composeId={id}&version={hash|tag}
|
|
93262
94659
|
* Resolve a version specifier to a full version ID
|
|
@@ -93291,7 +94688,7 @@ var composeListItemSchema = external_exports.object({
|
|
|
93291
94688
|
headVersionId: external_exports.string().nullable(),
|
|
93292
94689
|
updatedAt: external_exports.string()
|
|
93293
94690
|
});
|
|
93294
|
-
var composesListContract =
|
|
94691
|
+
var composesListContract = c2.router({
|
|
93295
94692
|
/**
|
|
93296
94693
|
* GET /api/agent/composes/list
|
|
93297
94694
|
* List all agent composes for an org
|
|
@@ -93318,7 +94715,7 @@ var metadataUpdateSchema = external_exports.object({
|
|
|
93318
94715
|
description: external_exports.string().optional(),
|
|
93319
94716
|
sound: external_exports.string().optional()
|
|
93320
94717
|
});
|
|
93321
|
-
var composesMetadataContract =
|
|
94718
|
+
var composesMetadataContract = c2.router({
|
|
93322
94719
|
/**
|
|
93323
94720
|
* PATCH /api/agent/composes/:id/metadata
|
|
93324
94721
|
* Update agent compose metadata (displayName, description, sound)
|
|
@@ -93345,7 +94742,7 @@ var composeInstructionsResponseSchema = external_exports.object({
|
|
|
93345
94742
|
content: external_exports.string().nullable(),
|
|
93346
94743
|
filename: external_exports.string().nullable()
|
|
93347
94744
|
});
|
|
93348
|
-
var composesInstructionsContract =
|
|
94745
|
+
var composesInstructionsContract = c2.router({
|
|
93349
94746
|
/**
|
|
93350
94747
|
* GET /api/agent/composes/:id/instructions
|
|
93351
94748
|
* Get the instructions content for an agent compose
|
|
@@ -94269,7 +95666,7 @@ init_esm_shims();
|
|
|
94269
95666
|
|
|
94270
95667
|
// ../../packages/api-contracts/src/contracts/zero-user-preferences.ts
|
|
94271
95668
|
init_esm_shims();
|
|
94272
|
-
var
|
|
95669
|
+
var c3 = initContract();
|
|
94273
95670
|
var sendModeSchema = external_exports.enum(["enter", "cmd-enter"]);
|
|
94274
95671
|
var userPreferencesResponseSchema = external_exports.object({
|
|
94275
95672
|
timezone: external_exports.string().nullable(),
|
|
@@ -94290,7 +95687,7 @@ var updateUserPreferencesRequestSchema = external_exports.object({
|
|
|
94290
95687
|
message: "At least one preference must be provided"
|
|
94291
95688
|
}
|
|
94292
95689
|
);
|
|
94293
|
-
var zeroUserPreferencesContract =
|
|
95690
|
+
var zeroUserPreferencesContract = c3.router({
|
|
94294
95691
|
get: {
|
|
94295
95692
|
method: "GET",
|
|
94296
95693
|
path: "/api/zero/user-preferences",
|
|
@@ -94403,7 +95800,7 @@ var orgMessageResponseSchema = external_exports.object({
|
|
|
94403
95800
|
});
|
|
94404
95801
|
|
|
94405
95802
|
// ../../packages/api-contracts/src/contracts/orgs.ts
|
|
94406
|
-
var
|
|
95803
|
+
var c4 = initContract();
|
|
94407
95804
|
var orgTierSchema = external_exports.enum(["free", "pro-suspend", "pro", "team"]);
|
|
94408
95805
|
var orgSlugSchema = external_exports.string().min(3, "Org slug must be at least 3 characters").max(64, "Org slug must be at most 64 characters").regex(
|
|
94409
95806
|
/^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
|
|
@@ -94424,7 +95821,7 @@ var updateOrgRequestSchema = external_exports.object({
|
|
|
94424
95821
|
name: external_exports.string().min(1).max(128).optional(),
|
|
94425
95822
|
force: external_exports.boolean().optional().default(false)
|
|
94426
95823
|
});
|
|
94427
|
-
var orgDefaultAgentContract =
|
|
95824
|
+
var orgDefaultAgentContract = c4.router({
|
|
94428
95825
|
/**
|
|
94429
95826
|
* PUT /api/zero/default-agent
|
|
94430
95827
|
* Set or unset the default agent for an org.
|
|
@@ -94454,8 +95851,8 @@ var orgDefaultAgentContract = c3.router({
|
|
|
94454
95851
|
});
|
|
94455
95852
|
|
|
94456
95853
|
// ../../packages/api-contracts/src/contracts/zero-org.ts
|
|
94457
|
-
var
|
|
94458
|
-
var zeroOrgContract =
|
|
95854
|
+
var c5 = initContract();
|
|
95855
|
+
var zeroOrgContract = c5.router({
|
|
94459
95856
|
get: {
|
|
94460
95857
|
method: "GET",
|
|
94461
95858
|
path: "/api/zero/org",
|
|
@@ -94484,7 +95881,7 @@ var zeroOrgContract = c4.router({
|
|
|
94484
95881
|
summary: "Update org slug (zero proxy)"
|
|
94485
95882
|
}
|
|
94486
95883
|
});
|
|
94487
|
-
var zeroOrgLeaveContract =
|
|
95884
|
+
var zeroOrgLeaveContract = c5.router({
|
|
94488
95885
|
leave: {
|
|
94489
95886
|
method: "POST",
|
|
94490
95887
|
path: "/api/zero/org/leave",
|
|
@@ -94500,7 +95897,7 @@ var zeroOrgLeaveContract = c4.router({
|
|
|
94500
95897
|
summary: "Leave the current org (zero proxy)"
|
|
94501
95898
|
}
|
|
94502
95899
|
});
|
|
94503
|
-
var zeroOrgDeleteContract =
|
|
95900
|
+
var zeroOrgDeleteContract = c5.router({
|
|
94504
95901
|
delete: {
|
|
94505
95902
|
method: "POST",
|
|
94506
95903
|
path: "/api/zero/org/delete",
|
|
@@ -94520,12 +95917,12 @@ var zeroOrgDeleteContract = c4.router({
|
|
|
94520
95917
|
|
|
94521
95918
|
// ../../packages/api-contracts/src/contracts/cli-auth.ts
|
|
94522
95919
|
init_esm_shims();
|
|
94523
|
-
var
|
|
95920
|
+
var c6 = initContract();
|
|
94524
95921
|
var oauthErrorSchema = external_exports.object({
|
|
94525
95922
|
error: external_exports.string(),
|
|
94526
95923
|
error_description: external_exports.string()
|
|
94527
95924
|
});
|
|
94528
|
-
var cliAuthDeviceContract =
|
|
95925
|
+
var cliAuthDeviceContract = c6.router({
|
|
94529
95926
|
/**
|
|
94530
95927
|
* POST /api/cli/auth/device
|
|
94531
95928
|
* Initiate device authorization flow
|
|
@@ -94547,7 +95944,7 @@ var cliAuthDeviceContract = c5.router({
|
|
|
94547
95944
|
summary: "Initiate device authorization flow"
|
|
94548
95945
|
}
|
|
94549
95946
|
});
|
|
94550
|
-
var cliAuthTokenContract =
|
|
95947
|
+
var cliAuthTokenContract = c6.router({
|
|
94551
95948
|
/**
|
|
94552
95949
|
* POST /api/cli/auth/token
|
|
94553
95950
|
* Exchange device code for access token
|
|
@@ -94581,7 +95978,7 @@ var cliAuthApproveErrorSchema = external_exports.object({
|
|
|
94581
95978
|
success: external_exports.literal(false),
|
|
94582
95979
|
error: external_exports.string()
|
|
94583
95980
|
});
|
|
94584
|
-
var cliAuthApproveContract =
|
|
95981
|
+
var cliAuthApproveContract = c6.router({
|
|
94585
95982
|
/**
|
|
94586
95983
|
* POST /api/cli/auth/approve
|
|
94587
95984
|
* Approve a pending CLI device code from a browser session
|
|
@@ -94603,7 +96000,7 @@ var cliAuthApproveContract = c5.router({
|
|
|
94603
96000
|
summary: "Approve a CLI device authorization flow"
|
|
94604
96001
|
}
|
|
94605
96002
|
});
|
|
94606
|
-
var cliAuthOrgContract =
|
|
96003
|
+
var cliAuthOrgContract = c6.router({
|
|
94607
96004
|
/**
|
|
94608
96005
|
* POST /api/cli/auth/org
|
|
94609
96006
|
* Switch active organization and get new CLI JWT
|
|
@@ -94643,8 +96040,8 @@ var orgListResponseSchema = external_exports.object({
|
|
|
94643
96040
|
});
|
|
94644
96041
|
|
|
94645
96042
|
// ../../packages/api-contracts/src/contracts/zero-org-list.ts
|
|
94646
|
-
var
|
|
94647
|
-
var zeroOrgListContract =
|
|
96043
|
+
var c7 = initContract();
|
|
96044
|
+
var zeroOrgListContract = c7.router({
|
|
94648
96045
|
list: {
|
|
94649
96046
|
method: "GET",
|
|
94650
96047
|
path: "/api/zero/org/list",
|
|
@@ -94660,8 +96057,8 @@ var zeroOrgListContract = c6.router({
|
|
|
94660
96057
|
|
|
94661
96058
|
// ../../packages/api-contracts/src/contracts/zero-org-members.ts
|
|
94662
96059
|
init_esm_shims();
|
|
94663
|
-
var
|
|
94664
|
-
var zeroOrgMembersContract =
|
|
96060
|
+
var c8 = initContract();
|
|
96061
|
+
var zeroOrgMembersContract = c8.router({
|
|
94665
96062
|
members: {
|
|
94666
96063
|
method: "GET",
|
|
94667
96064
|
path: "/api/zero/org/members",
|
|
@@ -94707,7 +96104,7 @@ var zeroOrgMembersContract = c7.router({
|
|
|
94707
96104
|
summary: "Remove a member from the org (zero proxy)"
|
|
94708
96105
|
}
|
|
94709
96106
|
});
|
|
94710
|
-
var zeroOrgInviteContract =
|
|
96107
|
+
var zeroOrgInviteContract = c8.router({
|
|
94711
96108
|
invite: {
|
|
94712
96109
|
method: "POST",
|
|
94713
96110
|
path: "/api/zero/org/invite",
|
|
@@ -94737,7 +96134,7 @@ var zeroOrgInviteContract = c7.router({
|
|
|
94737
96134
|
summary: "Revoke a pending invitation (zero proxy)"
|
|
94738
96135
|
}
|
|
94739
96136
|
});
|
|
94740
|
-
var zeroOrgMembershipRequestsContract =
|
|
96137
|
+
var zeroOrgMembershipRequestsContract = c8.router({
|
|
94741
96138
|
accept: {
|
|
94742
96139
|
method: "POST",
|
|
94743
96140
|
path: "/api/zero/org/membership-requests",
|
|
@@ -94885,7 +96282,7 @@ init_esm_shims();
|
|
|
94885
96282
|
|
|
94886
96283
|
// ../../packages/api-contracts/src/contracts/zero-attribution.ts
|
|
94887
96284
|
init_esm_shims();
|
|
94888
|
-
var
|
|
96285
|
+
var c9 = initContract();
|
|
94889
96286
|
var SOURCE_TYPES = [
|
|
94890
96287
|
"paid",
|
|
94891
96288
|
"organic_search",
|
|
@@ -94921,7 +96318,7 @@ var recordSignupAttributionRequestSchema = external_exports.object({
|
|
|
94921
96318
|
var recordSignupAttributionResponseSchema = external_exports.object({
|
|
94922
96319
|
recorded: external_exports.boolean()
|
|
94923
96320
|
});
|
|
94924
|
-
var zeroAttributionContract =
|
|
96321
|
+
var zeroAttributionContract = c9.router({
|
|
94925
96322
|
recordSignup: {
|
|
94926
96323
|
method: "POST",
|
|
94927
96324
|
path: "/api/zero/attribution/signup",
|
|
@@ -94938,7 +96335,7 @@ var zeroAttributionContract = c8.router({
|
|
|
94938
96335
|
});
|
|
94939
96336
|
|
|
94940
96337
|
// ../../packages/api-contracts/src/contracts/zero-billing.ts
|
|
94941
|
-
var
|
|
96338
|
+
var c10 = initContract();
|
|
94942
96339
|
var autoRechargeSchema = external_exports.object({
|
|
94943
96340
|
enabled: external_exports.boolean(),
|
|
94944
96341
|
threshold: external_exports.number().nullable(),
|
|
@@ -95055,7 +96452,7 @@ var redeemRequestSchema = external_exports.object({
|
|
|
95055
96452
|
successUrl: external_exports.string().url(),
|
|
95056
96453
|
cancelUrl: external_exports.string().url()
|
|
95057
96454
|
});
|
|
95058
|
-
var zeroBillingStatusContract =
|
|
96455
|
+
var zeroBillingStatusContract = c10.router({
|
|
95059
96456
|
get: {
|
|
95060
96457
|
method: "GET",
|
|
95061
96458
|
path: "/api/zero/billing/status",
|
|
@@ -95069,7 +96466,7 @@ var zeroBillingStatusContract = c9.router({
|
|
|
95069
96466
|
summary: "Get billing status for current org"
|
|
95070
96467
|
}
|
|
95071
96468
|
});
|
|
95072
|
-
var zeroBillingCheckoutContract =
|
|
96469
|
+
var zeroBillingCheckoutContract = c10.router({
|
|
95073
96470
|
create: {
|
|
95074
96471
|
method: "POST",
|
|
95075
96472
|
path: "/api/zero/billing/checkout",
|
|
@@ -95101,7 +96498,7 @@ var zeroBillingCheckoutContract = c9.router({
|
|
|
95101
96498
|
summary: "Complete Stripe checkout session"
|
|
95102
96499
|
}
|
|
95103
96500
|
});
|
|
95104
|
-
var zeroBillingCreditCheckoutContract =
|
|
96501
|
+
var zeroBillingCreditCheckoutContract = c10.router({
|
|
95105
96502
|
create: {
|
|
95106
96503
|
method: "POST",
|
|
95107
96504
|
path: "/api/zero/billing/credit-checkout",
|
|
@@ -95118,7 +96515,7 @@ var zeroBillingCreditCheckoutContract = c9.router({
|
|
|
95118
96515
|
summary: "Create Stripe checkout session for credits"
|
|
95119
96516
|
}
|
|
95120
96517
|
});
|
|
95121
|
-
var zeroBillingPortalContract =
|
|
96518
|
+
var zeroBillingPortalContract = c10.router({
|
|
95122
96519
|
create: {
|
|
95123
96520
|
method: "POST",
|
|
95124
96521
|
path: "/api/zero/billing/portal",
|
|
@@ -95135,7 +96532,7 @@ var zeroBillingPortalContract = c9.router({
|
|
|
95135
96532
|
summary: "Create Stripe billing portal session"
|
|
95136
96533
|
}
|
|
95137
96534
|
});
|
|
95138
|
-
var zeroBillingAutoRechargeContract =
|
|
96535
|
+
var zeroBillingAutoRechargeContract = c10.router({
|
|
95139
96536
|
get: {
|
|
95140
96537
|
method: "GET",
|
|
95141
96538
|
path: "/api/zero/billing/auto-recharge",
|
|
@@ -95173,7 +96570,7 @@ var invoiceSchema = external_exports.object({
|
|
|
95173
96570
|
var billingInvoicesResponseSchema = external_exports.object({
|
|
95174
96571
|
invoices: external_exports.array(invoiceSchema)
|
|
95175
96572
|
});
|
|
95176
|
-
var zeroBillingInvoicesContract =
|
|
96573
|
+
var zeroBillingInvoicesContract = c10.router({
|
|
95177
96574
|
get: {
|
|
95178
96575
|
method: "GET",
|
|
95179
96576
|
path: "/api/zero/billing/invoices",
|
|
@@ -95194,7 +96591,7 @@ var downgradeResponseSchema = external_exports.object({
|
|
|
95194
96591
|
success: external_exports.boolean(),
|
|
95195
96592
|
effectiveDate: external_exports.string().nullable()
|
|
95196
96593
|
});
|
|
95197
|
-
var zeroBillingDowngradeContract =
|
|
96594
|
+
var zeroBillingDowngradeContract = c10.router({
|
|
95198
96595
|
create: {
|
|
95199
96596
|
method: "POST",
|
|
95200
96597
|
path: "/api/zero/billing/downgrade",
|
|
@@ -95212,7 +96609,7 @@ var zeroBillingDowngradeContract = c9.router({
|
|
|
95212
96609
|
summary: "Downgrade subscription to a lower tier"
|
|
95213
96610
|
}
|
|
95214
96611
|
});
|
|
95215
|
-
var zeroBillingRedeemContract =
|
|
96612
|
+
var zeroBillingRedeemContract = c10.router({
|
|
95216
96613
|
create: {
|
|
95217
96614
|
method: "POST",
|
|
95218
96615
|
path: "/api/zero/billing/redeem/:campaign",
|
|
@@ -95305,8 +96702,8 @@ var setVariableRequestSchema = external_exports.object({
|
|
|
95305
96702
|
});
|
|
95306
96703
|
|
|
95307
96704
|
// ../../packages/api-contracts/src/contracts/zero-secrets.ts
|
|
95308
|
-
var
|
|
95309
|
-
var zeroSecretsContract =
|
|
96705
|
+
var c11 = initContract();
|
|
96706
|
+
var zeroSecretsContract = c11.router({
|
|
95310
96707
|
list: {
|
|
95311
96708
|
method: "GET",
|
|
95312
96709
|
path: "/api/zero/secrets",
|
|
@@ -95333,7 +96730,7 @@ var zeroSecretsContract = c10.router({
|
|
|
95333
96730
|
summary: "Create or update a secret"
|
|
95334
96731
|
}
|
|
95335
96732
|
});
|
|
95336
|
-
var zeroSecretsByNameContract =
|
|
96733
|
+
var zeroSecretsByNameContract = c11.router({
|
|
95337
96734
|
delete: {
|
|
95338
96735
|
method: "DELETE",
|
|
95339
96736
|
path: "/api/zero/secrets/:name",
|
|
@@ -95342,7 +96739,7 @@ var zeroSecretsByNameContract = c10.router({
|
|
|
95342
96739
|
name: secretNameSchema
|
|
95343
96740
|
}),
|
|
95344
96741
|
responses: {
|
|
95345
|
-
204:
|
|
96742
|
+
204: c11.noBody(),
|
|
95346
96743
|
401: apiErrorSchema,
|
|
95347
96744
|
404: apiErrorSchema,
|
|
95348
96745
|
500: apiErrorSchema
|
|
@@ -95350,7 +96747,7 @@ var zeroSecretsByNameContract = c10.router({
|
|
|
95350
96747
|
summary: "Delete a secret by name"
|
|
95351
96748
|
}
|
|
95352
96749
|
});
|
|
95353
|
-
var zeroVariablesContract =
|
|
96750
|
+
var zeroVariablesContract = c11.router({
|
|
95354
96751
|
list: {
|
|
95355
96752
|
method: "GET",
|
|
95356
96753
|
path: "/api/zero/variables",
|
|
@@ -95377,7 +96774,7 @@ var zeroVariablesContract = c10.router({
|
|
|
95377
96774
|
summary: "Create or update a variable"
|
|
95378
96775
|
}
|
|
95379
96776
|
});
|
|
95380
|
-
var zeroVariablesByNameContract =
|
|
96777
|
+
var zeroVariablesByNameContract = c11.router({
|
|
95381
96778
|
delete: {
|
|
95382
96779
|
method: "DELETE",
|
|
95383
96780
|
path: "/api/zero/variables/:name",
|
|
@@ -95386,7 +96783,7 @@ var zeroVariablesByNameContract = c10.router({
|
|
|
95386
96783
|
name: variableNameSchema
|
|
95387
96784
|
}),
|
|
95388
96785
|
responses: {
|
|
95389
|
-
204:
|
|
96786
|
+
204: c11.noBody(),
|
|
95390
96787
|
401: apiErrorSchema,
|
|
95391
96788
|
404: apiErrorSchema,
|
|
95392
96789
|
500: apiErrorSchema
|
|
@@ -95463,8 +96860,8 @@ init_esm_shims();
|
|
|
95463
96860
|
|
|
95464
96861
|
// ../../packages/api-contracts/src/contracts/zero-model-policies.ts
|
|
95465
96862
|
init_esm_shims();
|
|
95466
|
-
var
|
|
95467
|
-
var zeroModelPoliciesMainContract =
|
|
96863
|
+
var c12 = initContract();
|
|
96864
|
+
var zeroModelPoliciesMainContract = c12.router({
|
|
95468
96865
|
list: {
|
|
95469
96866
|
method: "GET",
|
|
95470
96867
|
path: "/api/zero/model-policies",
|
|
@@ -95511,360 +96908,7 @@ init_esm_shims();
|
|
|
95511
96908
|
|
|
95512
96909
|
// ../../packages/api-contracts/src/contracts/zero-agents.ts
|
|
95513
96910
|
init_esm_shims();
|
|
95514
|
-
|
|
95515
|
-
// ../../packages/connectors/src/firewall-types.ts
|
|
95516
|
-
init_esm_shims();
|
|
95517
|
-
|
|
95518
|
-
// ../../packages/connectors/src/segment-parser.ts
|
|
95519
|
-
init_esm_shims();
|
|
95520
|
-
var ERROR_HINT = 'use "{name}", "prefix{name}", "{name}suffix", or "prefix{name}suffix"';
|
|
95521
|
-
function parseSegment(seg) {
|
|
95522
|
-
const openCount = countChar(seg, "{");
|
|
95523
|
-
const closeCount = countChar(seg, "}");
|
|
95524
|
-
if (openCount === 0 && closeCount === 0) {
|
|
95525
|
-
return { kind: "literal", value: seg };
|
|
95526
|
-
}
|
|
95527
|
-
if (openCount !== closeCount) {
|
|
95528
|
-
return {
|
|
95529
|
-
kind: "error",
|
|
95530
|
-
reason: `unbalanced brace in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
95531
|
-
};
|
|
95532
|
-
}
|
|
95533
|
-
const open1 = seg.indexOf("{");
|
|
95534
|
-
const close1 = seg.indexOf("}");
|
|
95535
|
-
if (close1 < open1) {
|
|
95536
|
-
return {
|
|
95537
|
-
kind: "error",
|
|
95538
|
-
reason: `unbalanced brace in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
95539
|
-
};
|
|
95540
|
-
}
|
|
95541
|
-
if (openCount >= 2) {
|
|
95542
|
-
const open2 = seg.indexOf("{", close1 + 1);
|
|
95543
|
-
if (close1 + 1 === open2) {
|
|
95544
|
-
return {
|
|
95545
|
-
kind: "error",
|
|
95546
|
-
reason: `adjacent parameters in segment "${seg}" \u2014 only one parameter per segment is allowed; ${ERROR_HINT}`
|
|
95547
|
-
};
|
|
95548
|
-
}
|
|
95549
|
-
return {
|
|
95550
|
-
kind: "error",
|
|
95551
|
-
reason: `literal-separated parameters in segment "${seg}" \u2014 only one parameter per segment is allowed; ${ERROR_HINT}`
|
|
95552
|
-
};
|
|
95553
|
-
}
|
|
95554
|
-
const prefix = seg.slice(0, open1);
|
|
95555
|
-
const content = seg.slice(open1 + 1, close1);
|
|
95556
|
-
const suffix = seg.slice(close1 + 1);
|
|
95557
|
-
if (prefix.includes("{") || prefix.includes("}") || suffix.includes("{") || suffix.includes("}")) {
|
|
95558
|
-
return {
|
|
95559
|
-
kind: "error",
|
|
95560
|
-
reason: `unbalanced brace in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
95561
|
-
};
|
|
95562
|
-
}
|
|
95563
|
-
let greedy = "";
|
|
95564
|
-
let name = content;
|
|
95565
|
-
if (content.length > 0) {
|
|
95566
|
-
const last = content[content.length - 1];
|
|
95567
|
-
if (last === "+" || last === "*") {
|
|
95568
|
-
greedy = last;
|
|
95569
|
-
name = content.slice(0, -1);
|
|
95570
|
-
}
|
|
95571
|
-
}
|
|
95572
|
-
if (name.length === 0) {
|
|
95573
|
-
return {
|
|
95574
|
-
kind: "error",
|
|
95575
|
-
reason: `empty parameter name in segment "${seg}" \u2014 ${ERROR_HINT}`
|
|
95576
|
-
};
|
|
95577
|
-
}
|
|
95578
|
-
return { kind: "param", prefix, name, suffix, greedy };
|
|
95579
|
-
}
|
|
95580
|
-
function countChar(s, ch) {
|
|
95581
|
-
let n = 0;
|
|
95582
|
-
for (let i = 0; i < s.length; i++) {
|
|
95583
|
-
if (s[i] === ch) n++;
|
|
95584
|
-
}
|
|
95585
|
-
return n;
|
|
95586
|
-
}
|
|
95587
|
-
|
|
95588
|
-
// ../../packages/connectors/src/firewall-types.ts
|
|
95589
|
-
var firewallPermissionSchema = external_exports.object({
|
|
95590
|
-
name: external_exports.string(),
|
|
95591
|
-
description: external_exports.string().optional(),
|
|
95592
|
-
rules: external_exports.array(external_exports.string())
|
|
95593
|
-
});
|
|
95594
|
-
var firewallApiSchema = external_exports.object({
|
|
95595
|
-
base: external_exports.string(),
|
|
95596
|
-
auth: external_exports.object({
|
|
95597
|
-
headers: external_exports.record(external_exports.string(), external_exports.string()).optional(),
|
|
95598
|
-
base: external_exports.string().optional(),
|
|
95599
|
-
query: external_exports.record(external_exports.string(), external_exports.string()).optional()
|
|
95600
|
-
}),
|
|
95601
|
-
permissions: external_exports.array(firewallPermissionSchema).optional()
|
|
95602
|
-
});
|
|
95603
|
-
var firewallSchema = external_exports.object({
|
|
95604
|
-
name: external_exports.string(),
|
|
95605
|
-
apis: external_exports.array(firewallApiSchema)
|
|
95606
|
-
});
|
|
95607
|
-
var firewallsSchema = external_exports.array(firewallSchema);
|
|
95608
|
-
var firewallConfigSchema = external_exports.object({
|
|
95609
|
-
name: external_exports.string().min(1, "Firewall name is required"),
|
|
95610
|
-
description: external_exports.string().optional(),
|
|
95611
|
-
apis: external_exports.array(firewallApiSchema).min(1, "Firewall must have at least one API entry"),
|
|
95612
|
-
placeholders: external_exports.record(external_exports.string(), external_exports.string()).optional()
|
|
95613
|
-
});
|
|
95614
|
-
var firewallPolicyValueSchema = external_exports.enum(["allow", "deny", "ask"]);
|
|
95615
|
-
var firewallPolicySchema = external_exports.object({
|
|
95616
|
-
policies: external_exports.record(external_exports.string(), firewallPolicyValueSchema),
|
|
95617
|
-
unknownPolicy: firewallPolicyValueSchema.optional()
|
|
95618
|
-
});
|
|
95619
|
-
var firewallPoliciesSchema = external_exports.record(
|
|
95620
|
-
external_exports.string(),
|
|
95621
|
-
firewallPolicySchema
|
|
95622
|
-
);
|
|
95623
|
-
var networkPolicySchema = external_exports.object({
|
|
95624
|
-
allow: external_exports.array(external_exports.string()),
|
|
95625
|
-
deny: external_exports.array(external_exports.string()),
|
|
95626
|
-
ask: external_exports.array(external_exports.string()),
|
|
95627
|
-
unknownPolicy: firewallPolicyValueSchema
|
|
95628
|
-
});
|
|
95629
|
-
var networkPoliciesSchema = external_exports.record(external_exports.string(), networkPolicySchema);
|
|
95630
|
-
var AUTH_SECRET_PATTERN = /\$\{\{\s*secrets\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g;
|
|
95631
|
-
var AUTH_REFERENCE_PATTERN = /\$\{\{\s*(secrets|vars)\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g;
|
|
95632
|
-
function isTemplateWhitespace(char) {
|
|
95633
|
-
return char === " " || char === " " || char === "\n" || char === "\r" || char === "\f" || char === "\v";
|
|
95634
|
-
}
|
|
95635
|
-
function skipTemplateWhitespace(template, index) {
|
|
95636
|
-
let nextIndex = index;
|
|
95637
|
-
while (nextIndex < template.length && isTemplateWhitespace(template[nextIndex])) {
|
|
95638
|
-
nextIndex += 1;
|
|
95639
|
-
}
|
|
95640
|
-
return nextIndex;
|
|
95641
|
-
}
|
|
95642
|
-
function isIdentifierStart(char) {
|
|
95643
|
-
const code = char.charCodeAt(0);
|
|
95644
|
-
return char === "_" || code >= 65 && code <= 90 || code >= 97 && code <= 122;
|
|
95645
|
-
}
|
|
95646
|
-
function isIdentifierPart(char) {
|
|
95647
|
-
const code = char.charCodeAt(0);
|
|
95648
|
-
return isIdentifierStart(char) || code >= 48 && code <= 57;
|
|
95649
|
-
}
|
|
95650
|
-
function parseTemplateIdentifier(template, index) {
|
|
95651
|
-
if (index >= template.length || !isIdentifierStart(template[index])) {
|
|
95652
|
-
return null;
|
|
95653
|
-
}
|
|
95654
|
-
let nextIndex = index + 1;
|
|
95655
|
-
while (nextIndex < template.length && isIdentifierPart(template[nextIndex])) {
|
|
95656
|
-
nextIndex += 1;
|
|
95657
|
-
}
|
|
95658
|
-
return {
|
|
95659
|
-
value: template.slice(index, nextIndex),
|
|
95660
|
-
index: nextIndex
|
|
95661
|
-
};
|
|
95662
|
-
}
|
|
95663
|
-
function createBasicAuthTemplateParserContext(template) {
|
|
95664
|
-
const nextQuoteIndexes = new Int32Array(template.length + 1);
|
|
95665
|
-
const nextBackslashIndexes = new Int32Array(template.length + 1);
|
|
95666
|
-
const nextTemplateIndexes = new Int32Array(template.length + 1);
|
|
95667
|
-
let nextQuoteIndex = -1;
|
|
95668
|
-
let nextBackslashIndex = -1;
|
|
95669
|
-
let nextTemplateIndex = -1;
|
|
95670
|
-
nextQuoteIndexes[template.length] = nextQuoteIndex;
|
|
95671
|
-
nextBackslashIndexes[template.length] = nextBackslashIndex;
|
|
95672
|
-
nextTemplateIndexes[template.length] = nextTemplateIndex;
|
|
95673
|
-
for (let index = template.length - 1; index >= 0; index -= 1) {
|
|
95674
|
-
if (template[index] === '"') {
|
|
95675
|
-
nextQuoteIndex = index;
|
|
95676
|
-
}
|
|
95677
|
-
if (template[index] === "\\") {
|
|
95678
|
-
nextBackslashIndex = index;
|
|
95679
|
-
}
|
|
95680
|
-
if (template.startsWith("${{", index)) {
|
|
95681
|
-
nextTemplateIndex = index;
|
|
95682
|
-
}
|
|
95683
|
-
nextQuoteIndexes[index] = nextQuoteIndex;
|
|
95684
|
-
nextBackslashIndexes[index] = nextBackslashIndex;
|
|
95685
|
-
nextTemplateIndexes[index] = nextTemplateIndex;
|
|
95686
|
-
}
|
|
95687
|
-
return { nextQuoteIndexes, nextBackslashIndexes, nextTemplateIndexes };
|
|
95688
|
-
}
|
|
95689
|
-
function parseBasicAuthTemplateArg(context2, template, index) {
|
|
95690
|
-
let nextIndex = skipTemplateWhitespace(template, index);
|
|
95691
|
-
const char = template[nextIndex];
|
|
95692
|
-
if (char === "," || char === ")") {
|
|
95693
|
-
return { arg: {}, index: nextIndex };
|
|
95694
|
-
}
|
|
95695
|
-
if (char === '"') {
|
|
95696
|
-
const literalStart = nextIndex + 1;
|
|
95697
|
-
const quoteIndex = context2.nextQuoteIndexes[literalStart] ?? -1;
|
|
95698
|
-
if (quoteIndex === -1) {
|
|
95699
|
-
const nestedTemplateStart = context2.nextTemplateIndexes[literalStart] ?? -1;
|
|
95700
|
-
return {
|
|
95701
|
-
arg: null,
|
|
95702
|
-
index: nestedTemplateStart === -1 ? template.length : nestedTemplateStart
|
|
95703
|
-
};
|
|
95704
|
-
}
|
|
95705
|
-
const escapeIndex = context2.nextBackslashIndexes[literalStart] ?? -1;
|
|
95706
|
-
if (escapeIndex !== -1 && escapeIndex < quoteIndex) {
|
|
95707
|
-
const nestedTemplateStart = context2.nextTemplateIndexes[literalStart] ?? -1;
|
|
95708
|
-
return {
|
|
95709
|
-
arg: null,
|
|
95710
|
-
index: nestedTemplateStart !== -1 && nestedTemplateStart < escapeIndex ? nestedTemplateStart : escapeIndex + 1
|
|
95711
|
-
};
|
|
95712
|
-
}
|
|
95713
|
-
return {
|
|
95714
|
-
arg: { literal: template.slice(literalStart, quoteIndex) },
|
|
95715
|
-
index: quoteIndex + 1
|
|
95716
|
-
};
|
|
95717
|
-
}
|
|
95718
|
-
let namespace;
|
|
95719
|
-
if (template.startsWith("secrets.", nextIndex)) {
|
|
95720
|
-
namespace = "secrets";
|
|
95721
|
-
nextIndex += "secrets.".length;
|
|
95722
|
-
} else if (template.startsWith("vars.", nextIndex)) {
|
|
95723
|
-
namespace = "vars";
|
|
95724
|
-
nextIndex += "vars.".length;
|
|
95725
|
-
} else {
|
|
95726
|
-
return { arg: null, index: nextIndex };
|
|
95727
|
-
}
|
|
95728
|
-
const key = parseTemplateIdentifier(template, nextIndex);
|
|
95729
|
-
if (!key) {
|
|
95730
|
-
return { arg: null, index: nextIndex };
|
|
95731
|
-
}
|
|
95732
|
-
return {
|
|
95733
|
-
arg: { namespace, key: key.value },
|
|
95734
|
-
index: key.index
|
|
95735
|
-
};
|
|
95736
|
-
}
|
|
95737
|
-
function parseBasicAuthTemplateAt(context2, template, start) {
|
|
95738
|
-
let index = start + "${{".length;
|
|
95739
|
-
index = skipTemplateWhitespace(template, index);
|
|
95740
|
-
if (!template.startsWith("basic(", index)) {
|
|
95741
|
-
return { match: null, index: start + "${{".length };
|
|
95742
|
-
}
|
|
95743
|
-
index += "basic(".length;
|
|
95744
|
-
const first = parseBasicAuthTemplateArg(context2, template, index);
|
|
95745
|
-
if (!first.arg) {
|
|
95746
|
-
return { match: null, index: first.index };
|
|
95747
|
-
}
|
|
95748
|
-
index = skipTemplateWhitespace(template, first.index);
|
|
95749
|
-
if (template[index] !== ",") {
|
|
95750
|
-
return { match: null, index: Math.max(index + 1, first.index) };
|
|
95751
|
-
}
|
|
95752
|
-
index += 1;
|
|
95753
|
-
const second = parseBasicAuthTemplateArg(context2, template, index);
|
|
95754
|
-
if (!second.arg) {
|
|
95755
|
-
return { match: null, index: second.index };
|
|
95756
|
-
}
|
|
95757
|
-
index = skipTemplateWhitespace(template, second.index);
|
|
95758
|
-
if (template[index] !== ")") {
|
|
95759
|
-
return { match: null, index: Math.max(index + 1, second.index) };
|
|
95760
|
-
}
|
|
95761
|
-
index += 1;
|
|
95762
|
-
index = skipTemplateWhitespace(template, index);
|
|
95763
|
-
if (!template.startsWith("}}", index)) {
|
|
95764
|
-
return { match: null, index: Math.max(index + 1, second.index) };
|
|
95765
|
-
}
|
|
95766
|
-
const end = index + "}}".length;
|
|
95767
|
-
return {
|
|
95768
|
-
match: {
|
|
95769
|
-
start,
|
|
95770
|
-
end,
|
|
95771
|
-
first: first.arg,
|
|
95772
|
-
second: second.arg
|
|
95773
|
-
},
|
|
95774
|
-
index: end
|
|
95775
|
-
};
|
|
95776
|
-
}
|
|
95777
|
-
function findNextBasicAuthTemplateStart(template, index) {
|
|
95778
|
-
let basicIndex = template.indexOf("basic(", index);
|
|
95779
|
-
while (basicIndex !== -1) {
|
|
95780
|
-
let contentStart = basicIndex;
|
|
95781
|
-
while (contentStart > index && isTemplateWhitespace(template[contentStart - 1])) {
|
|
95782
|
-
contentStart -= 1;
|
|
95783
|
-
}
|
|
95784
|
-
const start = contentStart - "${{".length;
|
|
95785
|
-
if (start >= index && template.startsWith("${{", start)) {
|
|
95786
|
-
return start;
|
|
95787
|
-
}
|
|
95788
|
-
basicIndex = template.indexOf("basic(", basicIndex + "basic(".length);
|
|
95789
|
-
}
|
|
95790
|
-
return -1;
|
|
95791
|
-
}
|
|
95792
|
-
function parseBasicAuthTemplates(template) {
|
|
95793
|
-
const matches = [];
|
|
95794
|
-
let start = findNextBasicAuthTemplateStart(template, 0);
|
|
95795
|
-
if (start === -1) {
|
|
95796
|
-
return matches;
|
|
95797
|
-
}
|
|
95798
|
-
const context2 = createBasicAuthTemplateParserContext(template);
|
|
95799
|
-
while (start !== -1) {
|
|
95800
|
-
const parsed = parseBasicAuthTemplateAt(context2, template, start);
|
|
95801
|
-
if (parsed.match) {
|
|
95802
|
-
matches.push(parsed.match);
|
|
95803
|
-
start = findNextBasicAuthTemplateStart(template, parsed.index);
|
|
95804
|
-
} else {
|
|
95805
|
-
start = findNextBasicAuthTemplateStart(
|
|
95806
|
-
template,
|
|
95807
|
-
Math.max(parsed.index, start + "${{".length)
|
|
95808
|
-
);
|
|
95809
|
-
}
|
|
95810
|
-
}
|
|
95811
|
-
return matches;
|
|
95812
|
-
}
|
|
95813
|
-
function forEachSimpleAuthReference(template, basicMatches, callback) {
|
|
95814
|
-
let basicMatchIndex = 0;
|
|
95815
|
-
for (const match of template.matchAll(AUTH_REFERENCE_PATTERN)) {
|
|
95816
|
-
if (!match[1] || !match[2] || match.index === void 0) {
|
|
95817
|
-
continue;
|
|
95818
|
-
}
|
|
95819
|
-
while (basicMatchIndex < basicMatches.length && basicMatches[basicMatchIndex].end <= match.index) {
|
|
95820
|
-
basicMatchIndex += 1;
|
|
95821
|
-
}
|
|
95822
|
-
const basicMatch = basicMatches[basicMatchIndex];
|
|
95823
|
-
if (basicMatch && match.index >= basicMatch.start && match.index < basicMatch.end) {
|
|
95824
|
-
continue;
|
|
95825
|
-
}
|
|
95826
|
-
callback(match[1], match[2]);
|
|
95827
|
-
}
|
|
95828
|
-
}
|
|
95829
|
-
function extractSecretNamesFromApis(apis) {
|
|
95830
|
-
const names = /* @__PURE__ */ new Set();
|
|
95831
|
-
for (const entry of apis) {
|
|
95832
|
-
for (const value of Object.values(entry.auth.headers ?? {})) {
|
|
95833
|
-
const basicMatches = parseBasicAuthTemplates(value);
|
|
95834
|
-
forEachSimpleAuthReference(value, basicMatches, (namespace, name) => {
|
|
95835
|
-
if (namespace === "secrets") {
|
|
95836
|
-
names.add(name);
|
|
95837
|
-
}
|
|
95838
|
-
});
|
|
95839
|
-
for (const match of basicMatches) {
|
|
95840
|
-
if (match.first.namespace === "secrets" && match.first.key) {
|
|
95841
|
-
names.add(match.first.key);
|
|
95842
|
-
}
|
|
95843
|
-
if (match.second.namespace === "secrets" && match.second.key) {
|
|
95844
|
-
names.add(match.second.key);
|
|
95845
|
-
}
|
|
95846
|
-
}
|
|
95847
|
-
}
|
|
95848
|
-
if (entry.auth.base) {
|
|
95849
|
-
for (const match of entry.auth.base.matchAll(AUTH_SECRET_PATTERN)) {
|
|
95850
|
-
names.add(match[1]);
|
|
95851
|
-
}
|
|
95852
|
-
}
|
|
95853
|
-
if (entry.auth.query) {
|
|
95854
|
-
for (const value of Object.values(entry.auth.query)) {
|
|
95855
|
-
for (const match of value.matchAll(AUTH_SECRET_PATTERN)) {
|
|
95856
|
-
names.add(match[1]);
|
|
95857
|
-
}
|
|
95858
|
-
}
|
|
95859
|
-
}
|
|
95860
|
-
}
|
|
95861
|
-
return [...names];
|
|
95862
|
-
}
|
|
95863
|
-
var BASE_URL_VARS_PATTERN = /\$\{\{\s*vars\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/;
|
|
95864
|
-
var BASE_URL_VARS_PATTERN_G = new RegExp(BASE_URL_VARS_PATTERN.source, "g");
|
|
95865
|
-
|
|
95866
|
-
// ../../packages/api-contracts/src/contracts/zero-agents.ts
|
|
95867
|
-
var c12 = initContract();
|
|
96911
|
+
var c13 = initContract();
|
|
95868
96912
|
var zeroAgentVisibilitySchema = external_exports.enum(["public", "private"]);
|
|
95869
96913
|
var zeroAgentCustomSkillNameSchema = external_exports.string().min(2).max(64).regex(/^[a-z0-9][a-z0-9-]*[a-z0-9]$/);
|
|
95870
96914
|
var zeroAgentResponseSchema = external_exports.object({
|
|
@@ -95903,7 +96947,7 @@ var zeroAgentInstructionsResponseSchema = external_exports.object({
|
|
|
95903
96947
|
var zeroAgentInstructionsRequestSchema = external_exports.object({
|
|
95904
96948
|
content: external_exports.string()
|
|
95905
96949
|
});
|
|
95906
|
-
var zeroAgentsMainContract =
|
|
96950
|
+
var zeroAgentsMainContract = c13.router({
|
|
95907
96951
|
create: {
|
|
95908
96952
|
method: "POST",
|
|
95909
96953
|
path: "/api/zero/agents",
|
|
@@ -95931,7 +96975,7 @@ var zeroAgentsMainContract = c12.router({
|
|
|
95931
96975
|
summary: "List zero agents"
|
|
95932
96976
|
}
|
|
95933
96977
|
});
|
|
95934
|
-
var zeroAgentsByIdContract =
|
|
96978
|
+
var zeroAgentsByIdContract = c13.router({
|
|
95935
96979
|
get: {
|
|
95936
96980
|
method: "GET",
|
|
95937
96981
|
path: "/api/zero/agents/:id",
|
|
@@ -95984,9 +97028,9 @@ var zeroAgentsByIdContract = c12.router({
|
|
|
95984
97028
|
path: "/api/zero/agents/:id",
|
|
95985
97029
|
headers: authHeadersSchema,
|
|
95986
97030
|
pathParams: external_exports.object({ id: external_exports.string().uuid() }),
|
|
95987
|
-
body:
|
|
97031
|
+
body: c13.noBody(),
|
|
95988
97032
|
responses: {
|
|
95989
|
-
204:
|
|
97033
|
+
204: c13.noBody(),
|
|
95990
97034
|
400: apiErrorSchema,
|
|
95991
97035
|
401: apiErrorSchema,
|
|
95992
97036
|
403: apiErrorSchema,
|
|
@@ -96000,7 +97044,7 @@ var zeroAgentPermissionPoliciesRequestSchema = external_exports.object({
|
|
|
96000
97044
|
agentId: external_exports.string().uuid(),
|
|
96001
97045
|
policies: firewallPoliciesSchema
|
|
96002
97046
|
});
|
|
96003
|
-
var zeroAgentPermissionPoliciesContract =
|
|
97047
|
+
var zeroAgentPermissionPoliciesContract = c13.router({
|
|
96004
97048
|
update: {
|
|
96005
97049
|
method: "PUT",
|
|
96006
97050
|
path: "/api/zero/permission-policies",
|
|
@@ -96016,7 +97060,7 @@ var zeroAgentPermissionPoliciesContract = c12.router({
|
|
|
96016
97060
|
summary: "Update zero agent permission policies (owner only)"
|
|
96017
97061
|
}
|
|
96018
97062
|
});
|
|
96019
|
-
var zeroAgentInstructionsContract =
|
|
97063
|
+
var zeroAgentInstructionsContract = c13.router({
|
|
96020
97064
|
get: {
|
|
96021
97065
|
method: "GET",
|
|
96022
97066
|
path: "/api/zero/agents/:id/instructions",
|
|
@@ -96108,7 +97152,7 @@ var zeroAgentSkillContentResponseSchema = external_exports.object({
|
|
|
96108
97152
|
var zeroAgentSkillListResponseSchema = external_exports.array(
|
|
96109
97153
|
zeroAgentCustomSkillSchema
|
|
96110
97154
|
);
|
|
96111
|
-
var zeroSkillsCollectionContract =
|
|
97155
|
+
var zeroSkillsCollectionContract = c13.router({
|
|
96112
97156
|
list: {
|
|
96113
97157
|
method: "GET",
|
|
96114
97158
|
path: "/api/zero/skills",
|
|
@@ -96139,7 +97183,7 @@ var zeroSkillsCollectionContract = c12.router({
|
|
|
96139
97183
|
summary: "Create a custom skill in the organization"
|
|
96140
97184
|
}
|
|
96141
97185
|
});
|
|
96142
|
-
var zeroSkillsDetailContract =
|
|
97186
|
+
var zeroSkillsDetailContract = c13.router({
|
|
96143
97187
|
get: {
|
|
96144
97188
|
method: "GET",
|
|
96145
97189
|
path: "/api/zero/skills/:name",
|
|
@@ -96173,9 +97217,9 @@ var zeroSkillsDetailContract = c12.router({
|
|
|
96173
97217
|
path: "/api/zero/skills/:name",
|
|
96174
97218
|
headers: authHeadersSchema,
|
|
96175
97219
|
pathParams: external_exports.object({ name: zeroAgentCustomSkillNameSchema }),
|
|
96176
|
-
body:
|
|
97220
|
+
body: c13.noBody(),
|
|
96177
97221
|
responses: {
|
|
96178
|
-
204:
|
|
97222
|
+
204: c13.noBody(),
|
|
96179
97223
|
401: apiErrorSchema,
|
|
96180
97224
|
403: apiErrorSchema,
|
|
96181
97225
|
404: apiErrorSchema
|
|
@@ -96218,7 +97262,7 @@ var resolvePermissionAccessRequestSchema = external_exports.object({
|
|
|
96218
97262
|
requestId: external_exports.string().uuid(),
|
|
96219
97263
|
action: external_exports.enum(["approve", "reject"])
|
|
96220
97264
|
});
|
|
96221
|
-
var permissionAccessRequestsCreateContract =
|
|
97265
|
+
var permissionAccessRequestsCreateContract = c13.router({
|
|
96222
97266
|
create: {
|
|
96223
97267
|
method: "POST",
|
|
96224
97268
|
path: "/api/zero/permission-access-requests",
|
|
@@ -96239,7 +97283,7 @@ var permissionAccessRequestsListQuerySchema = external_exports.object({
|
|
|
96239
97283
|
requestId: external_exports.string().optional(),
|
|
96240
97284
|
status: external_exports.string().optional()
|
|
96241
97285
|
});
|
|
96242
|
-
var permissionAccessRequestsListContract =
|
|
97286
|
+
var permissionAccessRequestsListContract = c13.router({
|
|
96243
97287
|
list: {
|
|
96244
97288
|
method: "GET",
|
|
96245
97289
|
path: "/api/zero/permission-access-requests",
|
|
@@ -96254,7 +97298,7 @@ var permissionAccessRequestsListContract = c12.router({
|
|
|
96254
97298
|
summary: "List permission access requests for an agent"
|
|
96255
97299
|
}
|
|
96256
97300
|
});
|
|
96257
|
-
var permissionAccessRequestsResolveContract =
|
|
97301
|
+
var permissionAccessRequestsResolveContract = c13.router({
|
|
96258
97302
|
resolve: {
|
|
96259
97303
|
method: "PUT",
|
|
96260
97304
|
path: "/api/zero/permission-access-requests",
|
|
@@ -96273,11 +97317,11 @@ var permissionAccessRequestsResolveContract = c12.router({
|
|
|
96273
97317
|
|
|
96274
97318
|
// ../../packages/api-contracts/src/contracts/user-connectors.ts
|
|
96275
97319
|
init_esm_shims();
|
|
96276
|
-
var
|
|
97320
|
+
var c14 = initContract();
|
|
96277
97321
|
var userConnectorEnabledTypesSchema = external_exports.object({
|
|
96278
97322
|
enabledTypes: external_exports.array(external_exports.string())
|
|
96279
97323
|
});
|
|
96280
|
-
var zeroUserConnectorsContract =
|
|
97324
|
+
var zeroUserConnectorsContract = c14.router({
|
|
96281
97325
|
get: {
|
|
96282
97326
|
method: "GET",
|
|
96283
97327
|
path: "/api/zero/agents/:id/user-connectors",
|
|
@@ -105061,6 +106105,18 @@ var tavily = {
|
|
|
105061
106105
|
// ../../packages/connectors/src/connectors/test-oauth.ts
|
|
105062
106106
|
init_esm_shims();
|
|
105063
106107
|
var OAUTH_TOKEN_URL37 = "/api/test/oauth-provider/token";
|
|
106108
|
+
var TEST_OAUTH_CLIENT = {
|
|
106109
|
+
clientRegistration: "static",
|
|
106110
|
+
clientType: "confidential",
|
|
106111
|
+
clientId: "test-oauth-client",
|
|
106112
|
+
clientSecret: "test-oauth-secret"
|
|
106113
|
+
};
|
|
106114
|
+
var TEST_OAUTH_AUTH_CODE_GRANT = {
|
|
106115
|
+
kind: "auth-code",
|
|
106116
|
+
tokenUrl: OAUTH_TOKEN_URL37,
|
|
106117
|
+
scopes: ["read"]
|
|
106118
|
+
};
|
|
106119
|
+
var TEST_OAUTH_REVOKE = { kind: "none" };
|
|
105064
106120
|
var testOauth = {
|
|
105065
106121
|
"test-oauth": {
|
|
105066
106122
|
label: "Test OAuth (internal)",
|
|
@@ -105071,17 +106127,8 @@ var testOauth = {
|
|
|
105071
106127
|
featureFlag: "testOauthConnector" /* TestOauthConnector */,
|
|
105072
106128
|
label: "OAuth",
|
|
105073
106129
|
helpText: "Test-only OAuth provider. Only reachable in dev/preview.",
|
|
105074
|
-
client:
|
|
105075
|
-
|
|
105076
|
-
clientType: "confidential",
|
|
105077
|
-
clientId: "test-oauth-client",
|
|
105078
|
-
clientSecret: "test-oauth-secret"
|
|
105079
|
-
},
|
|
105080
|
-
grant: {
|
|
105081
|
-
kind: "auth-code",
|
|
105082
|
-
tokenUrl: OAUTH_TOKEN_URL37,
|
|
105083
|
-
scopes: ["read"]
|
|
105084
|
-
},
|
|
106130
|
+
client: TEST_OAUTH_CLIENT,
|
|
106131
|
+
grant: TEST_OAUTH_AUTH_CODE_GRANT,
|
|
105085
106132
|
access: {
|
|
105086
106133
|
kind: "refresh-token",
|
|
105087
106134
|
tokenUrl: OAUTH_TOKEN_URL37,
|
|
@@ -105091,7 +106138,24 @@ var testOauth = {
|
|
|
105091
106138
|
TEST_OAUTH_TOKEN: "$secrets.TEST_OAUTH_ACCESS_TOKEN"
|
|
105092
106139
|
}
|
|
105093
106140
|
},
|
|
105094
|
-
revoke:
|
|
106141
|
+
revoke: TEST_OAUTH_REVOKE
|
|
106142
|
+
},
|
|
106143
|
+
api: {
|
|
106144
|
+
featureFlag: "testOauthConnector" /* TestOauthConnector */,
|
|
106145
|
+
label: "API OAuth",
|
|
106146
|
+
helpText: "Secondary test-only OAuth method used to exercise method-aware provider registration.",
|
|
106147
|
+
client: TEST_OAUTH_CLIENT,
|
|
106148
|
+
grant: TEST_OAUTH_AUTH_CODE_GRANT,
|
|
106149
|
+
access: {
|
|
106150
|
+
kind: "refresh-token",
|
|
106151
|
+
tokenUrl: OAUTH_TOKEN_URL37,
|
|
106152
|
+
accessToken: "TEST_OAUTH_API_ACCESS_TOKEN",
|
|
106153
|
+
refreshToken: "TEST_OAUTH_API_REFRESH_TOKEN",
|
|
106154
|
+
envBindings: {
|
|
106155
|
+
TEST_OAUTH_TOKEN: "$secrets.TEST_OAUTH_API_ACCESS_TOKEN"
|
|
106156
|
+
}
|
|
106157
|
+
},
|
|
106158
|
+
revoke: TEST_OAUTH_REVOKE
|
|
105095
106159
|
}
|
|
105096
106160
|
},
|
|
105097
106161
|
defaultAuthMethod: "oauth"
|
|
@@ -106371,8 +107435,8 @@ var connectorOauthDeviceAuthSessionPollResponseSchema = external_exports.discrim
|
|
|
106371
107435
|
]);
|
|
106372
107436
|
|
|
106373
107437
|
// ../../packages/api-contracts/src/contracts/zero-connectors.ts
|
|
106374
|
-
var
|
|
106375
|
-
var zeroConnectorsMainContract =
|
|
107438
|
+
var c15 = initContract();
|
|
107439
|
+
var zeroConnectorsMainContract = c15.router({
|
|
106376
107440
|
list: {
|
|
106377
107441
|
method: "GET",
|
|
106378
107442
|
path: "/api/zero/connectors",
|
|
@@ -106386,7 +107450,7 @@ var zeroConnectorsMainContract = c14.router({
|
|
|
106386
107450
|
summary: "List all connectors (zero proxy)"
|
|
106387
107451
|
}
|
|
106388
107452
|
});
|
|
106389
|
-
var zeroConnectorsByTypeContract =
|
|
107453
|
+
var zeroConnectorsByTypeContract = c15.router({
|
|
106390
107454
|
get: {
|
|
106391
107455
|
method: "GET",
|
|
106392
107456
|
path: "/api/zero/connectors/:type",
|
|
@@ -106406,14 +107470,14 @@ var zeroConnectorsByTypeContract = c14.router({
|
|
|
106406
107470
|
headers: authHeadersSchema,
|
|
106407
107471
|
pathParams: external_exports.object({ type: connectorTypeSchema }),
|
|
106408
107472
|
responses: {
|
|
106409
|
-
204:
|
|
107473
|
+
204: c15.noBody(),
|
|
106410
107474
|
401: apiErrorSchema,
|
|
106411
107475
|
404: apiErrorSchema
|
|
106412
107476
|
},
|
|
106413
107477
|
summary: "Disconnect a connector (zero proxy)"
|
|
106414
107478
|
}
|
|
106415
107479
|
});
|
|
106416
|
-
var zeroConnectorScopeDiffContract =
|
|
107480
|
+
var zeroConnectorScopeDiffContract = c15.router({
|
|
106417
107481
|
getScopeDiff: {
|
|
106418
107482
|
method: "GET",
|
|
106419
107483
|
path: "/api/zero/connectors/:type/scope-diff",
|
|
@@ -106428,7 +107492,7 @@ var zeroConnectorScopeDiffContract = c14.router({
|
|
|
106428
107492
|
summary: "Get scope diff for a connector"
|
|
106429
107493
|
}
|
|
106430
107494
|
});
|
|
106431
|
-
var zeroConnectorAuthorizeContract =
|
|
107495
|
+
var zeroConnectorAuthorizeContract = c15.router({
|
|
106432
107496
|
authorize: {
|
|
106433
107497
|
method: "GET",
|
|
106434
107498
|
path: "/api/zero/connectors/:type/authorize",
|
|
@@ -106436,16 +107500,16 @@ var zeroConnectorAuthorizeContract = c14.router({
|
|
|
106436
107500
|
pathParams: external_exports.object({ type: external_exports.string() }),
|
|
106437
107501
|
query: external_exports.object({ session: external_exports.string().optional() }),
|
|
106438
107502
|
responses: {
|
|
106439
|
-
307:
|
|
107503
|
+
307: c15.noBody(),
|
|
106440
107504
|
400: external_exports.object({ error: external_exports.string() }),
|
|
106441
|
-
401:
|
|
107505
|
+
401: c15.noBody(),
|
|
106442
107506
|
403: external_exports.object({ error: external_exports.string() }),
|
|
106443
107507
|
500: external_exports.object({ error: external_exports.string() })
|
|
106444
107508
|
},
|
|
106445
107509
|
summary: "Start connector OAuth authorization (zero proxy)"
|
|
106446
107510
|
}
|
|
106447
107511
|
});
|
|
106448
|
-
var zeroConnectorOauthStartContract =
|
|
107512
|
+
var zeroConnectorOauthStartContract = c15.router({
|
|
106449
107513
|
start: {
|
|
106450
107514
|
method: "POST",
|
|
106451
107515
|
path: "/api/zero/connectors/:type/oauth/start",
|
|
@@ -106462,7 +107526,7 @@ var zeroConnectorOauthStartContract = c14.router({
|
|
|
106462
107526
|
summary: "Create connector OAuth handoff and authorization URL"
|
|
106463
107527
|
}
|
|
106464
107528
|
});
|
|
106465
|
-
var zeroConnectorManualGrantContract =
|
|
107529
|
+
var zeroConnectorManualGrantContract = c15.router({
|
|
106466
107530
|
connect: {
|
|
106467
107531
|
method: "POST",
|
|
106468
107532
|
path: "/api/zero/connectors/:type/manual-grant",
|
|
@@ -106483,7 +107547,7 @@ var zeroConnectorManualGrantContract = c14.router({
|
|
|
106483
107547
|
summary: "Connect a connector with a manual grant"
|
|
106484
107548
|
}
|
|
106485
107549
|
});
|
|
106486
|
-
var zeroConnectorOauthDeviceAuthSessionContract =
|
|
107550
|
+
var zeroConnectorOauthDeviceAuthSessionContract = c15.router({
|
|
106487
107551
|
create: {
|
|
106488
107552
|
method: "POST",
|
|
106489
107553
|
path: "/api/zero/connectors/:type/oauth/device/sessions",
|
|
@@ -106528,7 +107592,7 @@ var connectorSearchItemSchema = external_exports.object({
|
|
|
106528
107592
|
var connectorSearchResponseSchema = external_exports.object({
|
|
106529
107593
|
connectors: external_exports.array(connectorSearchItemSchema)
|
|
106530
107594
|
});
|
|
106531
|
-
var zeroConnectorsSearchContract =
|
|
107595
|
+
var zeroConnectorsSearchContract = c15.router({
|
|
106532
107596
|
search: {
|
|
106533
107597
|
method: "GET",
|
|
106534
107598
|
path: "/api/zero/connectors/search",
|
|
@@ -106542,7 +107606,7 @@ var zeroConnectorsSearchContract = c14.router({
|
|
|
106542
107606
|
summary: "Search available connector types"
|
|
106543
107607
|
}
|
|
106544
107608
|
});
|
|
106545
|
-
var zeroConnectorSessionsContract =
|
|
107609
|
+
var zeroConnectorSessionsContract = c15.router({
|
|
106546
107610
|
create: {
|
|
106547
107611
|
method: "POST",
|
|
106548
107612
|
path: "/api/zero/connectors/:type/sessions",
|
|
@@ -106558,7 +107622,7 @@ var zeroConnectorSessionsContract = c14.router({
|
|
|
106558
107622
|
summary: "Create connector session for auth-code handoff"
|
|
106559
107623
|
}
|
|
106560
107624
|
});
|
|
106561
|
-
var zeroConnectorSessionByIdContract =
|
|
107625
|
+
var zeroConnectorSessionByIdContract = c15.router({
|
|
106562
107626
|
get: {
|
|
106563
107627
|
method: "GET",
|
|
106564
107628
|
path: "/api/zero/connectors/:type/sessions/:sessionId",
|
|
@@ -106646,7 +107710,7 @@ var listQuerySchema = external_exports.object({
|
|
|
106646
107710
|
cursor: external_exports.string().optional(),
|
|
106647
107711
|
limit: external_exports.coerce.number().min(1).max(100).default(20)
|
|
106648
107712
|
});
|
|
106649
|
-
var
|
|
107713
|
+
var c16 = initContract();
|
|
106650
107714
|
var logStatusSchema = external_exports.enum([
|
|
106651
107715
|
"queued",
|
|
106652
107716
|
"pending",
|
|
@@ -106717,7 +107781,7 @@ var logDetailSchema = external_exports.object({
|
|
|
106717
107781
|
completedAt: external_exports.string().nullable(),
|
|
106718
107782
|
artifact: artifactSchema
|
|
106719
107783
|
});
|
|
106720
|
-
var logsListContract =
|
|
107784
|
+
var logsListContract = c16.router({
|
|
106721
107785
|
list: {
|
|
106722
107786
|
method: "GET",
|
|
106723
107787
|
path: "/api/zero/logs",
|
|
@@ -106739,7 +107803,7 @@ var logsListContract = c15.router({
|
|
|
106739
107803
|
summary: "List agent run logs with pagination"
|
|
106740
107804
|
}
|
|
106741
107805
|
});
|
|
106742
|
-
var logsByIdContract =
|
|
107806
|
+
var logsByIdContract = c16.router({
|
|
106743
107807
|
getById: {
|
|
106744
107808
|
method: "GET",
|
|
106745
107809
|
path: "/api/zero/logs/:id",
|
|
@@ -106758,7 +107822,7 @@ var logsByIdContract = c15.router({
|
|
|
106758
107822
|
});
|
|
106759
107823
|
|
|
106760
107824
|
// ../../packages/api-contracts/src/contracts/runs.ts
|
|
106761
|
-
var
|
|
107825
|
+
var c17 = initContract();
|
|
106762
107826
|
var directRunModelProviderTypeSchema = modelProviderTypeSchema.refine(
|
|
106763
107827
|
(type) => {
|
|
106764
107828
|
return type !== "vm0";
|
|
@@ -106923,7 +107987,7 @@ var runListItemSchema = external_exports.object({
|
|
|
106923
107987
|
var runsListResponseSchema = external_exports.object({
|
|
106924
107988
|
runs: external_exports.array(runListItemSchema)
|
|
106925
107989
|
});
|
|
106926
|
-
var runsMainContract =
|
|
107990
|
+
var runsMainContract = c17.router({
|
|
106927
107991
|
/**
|
|
106928
107992
|
* GET /api/agent/runs
|
|
106929
107993
|
* List agent runs (pending and running by default)
|
|
@@ -106974,7 +108038,7 @@ var runsMainContract = c16.router({
|
|
|
106974
108038
|
summary: "Create and execute agent run"
|
|
106975
108039
|
}
|
|
106976
108040
|
});
|
|
106977
|
-
var runsByIdContract =
|
|
108041
|
+
var runsByIdContract = c17.router({
|
|
106978
108042
|
/**
|
|
106979
108043
|
* GET /api/agent/runs/:id
|
|
106980
108044
|
* Get agent run status and results
|
|
@@ -107000,7 +108064,7 @@ var cancelRunResponseSchema = external_exports.object({
|
|
|
107000
108064
|
status: external_exports.literal("cancelled"),
|
|
107001
108065
|
message: external_exports.string()
|
|
107002
108066
|
});
|
|
107003
|
-
var runsCancelContract =
|
|
108067
|
+
var runsCancelContract = c17.router({
|
|
107004
108068
|
/**
|
|
107005
108069
|
* POST /api/agent/runs/:id/cancel
|
|
107006
108070
|
* Cancel a pending or running run
|
|
@@ -107023,7 +108087,7 @@ var runsCancelContract = c16.router({
|
|
|
107023
108087
|
summary: "Cancel a pending or running run"
|
|
107024
108088
|
}
|
|
107025
108089
|
});
|
|
107026
|
-
var runEventsContract =
|
|
108090
|
+
var runEventsContract = c17.router({
|
|
107027
108091
|
/**
|
|
107028
108092
|
* GET /api/agent/runs/:id/events
|
|
107029
108093
|
* Poll for agent run events with pagination
|
|
@@ -107117,7 +108181,7 @@ var telemetryResponseSchema = external_exports.object({
|
|
|
107117
108181
|
systemLog: external_exports.string(),
|
|
107118
108182
|
metrics: external_exports.array(telemetryMetricSchema)
|
|
107119
108183
|
});
|
|
107120
|
-
var runTelemetryContract =
|
|
108184
|
+
var runTelemetryContract = c17.router({
|
|
107121
108185
|
/**
|
|
107122
108186
|
* GET /api/agent/runs/:id/telemetry
|
|
107123
108187
|
* Get aggregated telemetry data for a run (legacy combined format)
|
|
@@ -107137,7 +108201,7 @@ var runTelemetryContract = c16.router({
|
|
|
107137
108201
|
summary: "Get run telemetry data"
|
|
107138
108202
|
}
|
|
107139
108203
|
});
|
|
107140
|
-
var runSystemLogContract =
|
|
108204
|
+
var runSystemLogContract = c17.router({
|
|
107141
108205
|
/**
|
|
107142
108206
|
* GET /api/agent/runs/:id/telemetry/system-log
|
|
107143
108207
|
* Get system log with pagination
|
|
@@ -107162,7 +108226,7 @@ var runSystemLogContract = c16.router({
|
|
|
107162
108226
|
summary: "Get system log with pagination"
|
|
107163
108227
|
}
|
|
107164
108228
|
});
|
|
107165
|
-
var runMetricsContract =
|
|
108229
|
+
var runMetricsContract = c17.router({
|
|
107166
108230
|
/**
|
|
107167
108231
|
* GET /api/agent/runs/:id/telemetry/metrics
|
|
107168
108232
|
* Get metrics with pagination
|
|
@@ -107187,7 +108251,7 @@ var runMetricsContract = c16.router({
|
|
|
107187
108251
|
summary: "Get metrics with pagination"
|
|
107188
108252
|
}
|
|
107189
108253
|
});
|
|
107190
|
-
var runAgentEventsContract =
|
|
108254
|
+
var runAgentEventsContract = c17.router({
|
|
107191
108255
|
/**
|
|
107192
108256
|
* GET /api/agent/runs/:id/telemetry/agent
|
|
107193
108257
|
* Get agent events with pagination (for vm0 logs default)
|
|
@@ -107212,7 +108276,7 @@ var runAgentEventsContract = c16.router({
|
|
|
107212
108276
|
summary: "Get agent events with pagination"
|
|
107213
108277
|
}
|
|
107214
108278
|
});
|
|
107215
|
-
var runNetworkLogsContract =
|
|
108279
|
+
var runNetworkLogsContract = c17.router({
|
|
107216
108280
|
/**
|
|
107217
108281
|
* GET /api/agent/runs/:id/telemetry/network
|
|
107218
108282
|
* Get network logs with pagination (for vm0 logs --network)
|
|
@@ -107248,7 +108312,7 @@ var logsSearchResponseSchema = external_exports.object({
|
|
|
107248
108312
|
results: external_exports.array(searchResultSchema),
|
|
107249
108313
|
hasMore: external_exports.boolean()
|
|
107250
108314
|
});
|
|
107251
|
-
var logsSearchContract =
|
|
108315
|
+
var logsSearchContract = c17.router({
|
|
107252
108316
|
/**
|
|
107253
108317
|
* GET /api/logs/search
|
|
107254
108318
|
* Search agent events across runs using keyword matching
|
|
@@ -107305,7 +108369,7 @@ var queueResponseSchema = external_exports.object({
|
|
|
107305
108369
|
runningTasks: external_exports.array(runningTaskSchema),
|
|
107306
108370
|
estimatedTimePerRun: external_exports.number().nullable()
|
|
107307
108371
|
});
|
|
107308
|
-
var runsQueueContract =
|
|
108372
|
+
var runsQueueContract = c17.router({
|
|
107309
108373
|
/**
|
|
107310
108374
|
* GET /api/agent/runs/queue
|
|
107311
108375
|
* Get org run queue status including concurrency context and queued entries
|
|
@@ -107326,233 +108390,6 @@ var runsQueueContract = c16.router({
|
|
|
107326
108390
|
// ../../packages/api-contracts/src/contracts/webhooks.ts
|
|
107327
108391
|
init_esm_shims();
|
|
107328
108392
|
|
|
107329
|
-
// ../../packages/api-contracts/src/contracts/runners.ts
|
|
107330
|
-
init_esm_shims();
|
|
107331
|
-
var c17 = initContract();
|
|
107332
|
-
var MIN_EPOCH_MS_TIMESTAMP = 1e12;
|
|
107333
|
-
var apiStartTimeSchema = external_exports.number().int().min(MIN_EPOCH_MS_TIMESTAMP);
|
|
107334
|
-
var runnerGroupSchema = external_exports.string().regex(
|
|
107335
|
-
/^[a-z0-9-]+\/[a-z0-9-]+$/,
|
|
107336
|
-
"Runner group must be in vm0/<name> format (e.g., vm0/production)"
|
|
107337
|
-
);
|
|
107338
|
-
var jobSchema = external_exports.object({
|
|
107339
|
-
runId: external_exports.uuid(),
|
|
107340
|
-
prompt: external_exports.string(),
|
|
107341
|
-
appendSystemPrompt: external_exports.string().nullable(),
|
|
107342
|
-
agentComposeVersionId: external_exports.string().nullable(),
|
|
107343
|
-
vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
107344
|
-
checkpointId: external_exports.uuid().nullable(),
|
|
107345
|
-
experimentalProfile: external_exports.string().optional()
|
|
107346
|
-
});
|
|
107347
|
-
var heldSessionStateSchema = external_exports.object({
|
|
107348
|
-
sessionId: external_exports.string(),
|
|
107349
|
-
lastCompletedAt: external_exports.string().datetime({ offset: true })
|
|
107350
|
-
});
|
|
107351
|
-
var runnersPollContract = c17.router({
|
|
107352
|
-
poll: {
|
|
107353
|
-
method: "POST",
|
|
107354
|
-
path: "/api/runners/poll",
|
|
107355
|
-
headers: authHeadersSchema,
|
|
107356
|
-
body: external_exports.object({
|
|
107357
|
-
group: runnerGroupSchema,
|
|
107358
|
-
profiles: external_exports.array(external_exports.string()).optional(),
|
|
107359
|
-
heldSessionStates: external_exports.array(heldSessionStateSchema).max(100).optional()
|
|
107360
|
-
}),
|
|
107361
|
-
responses: {
|
|
107362
|
-
200: external_exports.object({
|
|
107363
|
-
job: jobSchema.nullable()
|
|
107364
|
-
}),
|
|
107365
|
-
400: apiErrorSchema,
|
|
107366
|
-
401: apiErrorSchema,
|
|
107367
|
-
500: apiErrorSchema
|
|
107368
|
-
},
|
|
107369
|
-
summary: "Poll for pending jobs (long-polling with 30s timeout)"
|
|
107370
|
-
}
|
|
107371
|
-
});
|
|
107372
|
-
var storageEntrySchema = external_exports.object({
|
|
107373
|
-
name: external_exports.string(),
|
|
107374
|
-
mountPath: external_exports.string(),
|
|
107375
|
-
vasStorageName: external_exports.string(),
|
|
107376
|
-
vasVersionId: external_exports.string(),
|
|
107377
|
-
instructionsTargetFilename: external_exports.string().optional(),
|
|
107378
|
-
archiveUrl: external_exports.string()
|
|
107379
|
-
});
|
|
107380
|
-
var artifactEntrySchema = external_exports.object({
|
|
107381
|
-
mountPath: external_exports.string(),
|
|
107382
|
-
vasStorageName: external_exports.string(),
|
|
107383
|
-
vasStorageId: external_exports.string(),
|
|
107384
|
-
vasVersionId: external_exports.string(),
|
|
107385
|
-
archiveUrl: external_exports.string(),
|
|
107386
|
-
manifestUrl: external_exports.string().optional()
|
|
107387
|
-
});
|
|
107388
|
-
var storageManifestSchema = external_exports.object({
|
|
107389
|
-
storages: external_exports.array(storageEntrySchema),
|
|
107390
|
-
artifacts: external_exports.array(artifactEntrySchema)
|
|
107391
|
-
});
|
|
107392
|
-
var resumeSessionSchema = external_exports.object({
|
|
107393
|
-
sessionId: external_exports.string(),
|
|
107394
|
-
sessionHistory: external_exports.string()
|
|
107395
|
-
});
|
|
107396
|
-
var secretConnectorMetadataSchema = external_exports.object({
|
|
107397
|
-
sourceType: external_exports.enum(["connector", "model-provider"]),
|
|
107398
|
-
sourceUserId: external_exports.string().optional(),
|
|
107399
|
-
metadataKey: external_exports.string().optional()
|
|
107400
|
-
});
|
|
107401
|
-
var secretConnectorMetadataMapSchema = external_exports.record(
|
|
107402
|
-
external_exports.string(),
|
|
107403
|
-
secretConnectorMetadataSchema
|
|
107404
|
-
);
|
|
107405
|
-
var storedExecutionContextSchema = external_exports.object({
|
|
107406
|
-
workingDir: external_exports.string(),
|
|
107407
|
-
storageManifest: storageManifestSchema.nullable(),
|
|
107408
|
-
environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
107409
|
-
resumeSession: resumeSessionSchema.nullable(),
|
|
107410
|
-
// AES-256-GCM encrypted Record<string, string>. Keys are the runtime secret
|
|
107411
|
-
// names used by `${{ secrets.NAME }}`; connector/model-provider keys are env
|
|
107412
|
-
// aliases, not backing storage secret names.
|
|
107413
|
-
encryptedSecrets: external_exports.string().nullable(),
|
|
107414
|
-
// Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`) to
|
|
107415
|
-
// their connector or provider owner. Keys are env aliases, not storage secret names.
|
|
107416
|
-
secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
|
|
107417
|
-
// Same keys as secretConnectorMap; adds source details when the owner alone
|
|
107418
|
-
// is not enough to locate access storage (for example, personal model providers).
|
|
107419
|
-
secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
|
|
107420
|
-
cliAgentType: external_exports.string(),
|
|
107421
|
-
// Debug flag to force real Claude in mock environments (internal use only)
|
|
107422
|
-
debugNoMockClaude: external_exports.boolean().optional(),
|
|
107423
|
-
// Debug flag to force real Codex in mock environments (internal use only)
|
|
107424
|
-
debugNoMockCodex: external_exports.boolean().optional(),
|
|
107425
|
-
// Capture HTTP request headers, request bodies, and response bodies in network logs
|
|
107426
|
-
captureNetworkBodies: external_exports.boolean().optional(),
|
|
107427
|
-
// Dispatch timestamp for E2E timing metrics, as Unix epoch milliseconds
|
|
107428
|
-
apiStartTime: apiStartTimeSchema.optional(),
|
|
107429
|
-
// User's timezone preference (IANA format, e.g., "Asia/Shanghai")
|
|
107430
|
-
userTimezone: external_exports.string().optional(),
|
|
107431
|
-
// Firewall for proxy-side token replacement (complete config, all permissions)
|
|
107432
|
-
firewalls: firewallsSchema.optional(),
|
|
107433
|
-
// Per-firewall network policies: which permissions are granted + unknownPolicy
|
|
107434
|
-
networkPolicies: networkPoliciesSchema.optional(),
|
|
107435
|
-
// Tools to disable in Claude CLI (passed as --disallowed-tools)
|
|
107436
|
-
disallowedTools: external_exports.array(external_exports.string()).optional(),
|
|
107437
|
-
// Tools to make available in Claude CLI (passed as --tools)
|
|
107438
|
-
tools: external_exports.array(external_exports.string()).optional(),
|
|
107439
|
-
// Settings JSON to pass to Claude CLI (passed as --settings)
|
|
107440
|
-
settings: external_exports.string().optional(),
|
|
107441
|
-
// VM profile for resource allocation (e.g., "vm0/default")
|
|
107442
|
-
experimentalProfile: external_exports.string().optional(),
|
|
107443
|
-
// Feature flags evaluated at job creation time (all switch states for user/org)
|
|
107444
|
-
featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
|
|
107445
|
-
billableFirewalls: external_exports.array(external_exports.string()).optional(),
|
|
107446
|
-
modelUsageProvider: external_exports.string().optional()
|
|
107447
|
-
});
|
|
107448
|
-
var executionContextSchema = external_exports.object({
|
|
107449
|
-
runId: external_exports.uuid(),
|
|
107450
|
-
prompt: external_exports.string(),
|
|
107451
|
-
appendSystemPrompt: external_exports.string().nullable(),
|
|
107452
|
-
agentComposeVersionId: external_exports.string().nullable(),
|
|
107453
|
-
vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
107454
|
-
checkpointId: external_exports.uuid().nullable(),
|
|
107455
|
-
sandboxToken: external_exports.string(),
|
|
107456
|
-
// New fields for E2B parity:
|
|
107457
|
-
workingDir: external_exports.string(),
|
|
107458
|
-
storageManifest: storageManifestSchema.nullable(),
|
|
107459
|
-
environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
|
|
107460
|
-
resumeSession: resumeSessionSchema.nullable(),
|
|
107461
|
-
// Plain secret values used by the runner for redaction. These are values, not
|
|
107462
|
-
// names, and are base64-encoded only when exported through VM0_SECRET_VALUES.
|
|
107463
|
-
secretValues: external_exports.array(external_exports.string()).nullable(),
|
|
107464
|
-
// AES-256-GCM encrypted Record<string, string>, passed through to mitm-addon
|
|
107465
|
-
// for auth resolution. Keys are runtime secret names used by
|
|
107466
|
-
// `${{ secrets.NAME }}`; connector/model-provider keys are env aliases, not
|
|
107467
|
-
// backing storage secret names.
|
|
107468
|
-
encryptedSecrets: external_exports.string().nullable(),
|
|
107469
|
-
// Maps firewall auth secret env aliases (the `NAME` in `${{ secrets.NAME }}`) to
|
|
107470
|
-
// their connector or provider owner. Keys are env aliases, not storage secret names.
|
|
107471
|
-
secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
|
|
107472
|
-
// Same keys as secretConnectorMap; adds source details when the owner alone
|
|
107473
|
-
// is not enough to locate access storage (for example, personal model providers).
|
|
107474
|
-
secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
|
|
107475
|
-
cliAgentType: external_exports.string(),
|
|
107476
|
-
// Debug flag to force real Claude in mock environments (internal use only)
|
|
107477
|
-
debugNoMockClaude: external_exports.boolean().optional(),
|
|
107478
|
-
// Debug flag to force real Codex in mock environments (internal use only)
|
|
107479
|
-
debugNoMockCodex: external_exports.boolean().optional(),
|
|
107480
|
-
// Capture HTTP request headers, request bodies, and response bodies in network logs
|
|
107481
|
-
captureNetworkBodies: external_exports.boolean().optional(),
|
|
107482
|
-
// Dispatch timestamp for E2E timing metrics, as Unix epoch milliseconds
|
|
107483
|
-
apiStartTime: apiStartTimeSchema.optional(),
|
|
107484
|
-
// User's timezone preference (IANA format, e.g., "Asia/Shanghai")
|
|
107485
|
-
userTimezone: external_exports.string().optional(),
|
|
107486
|
-
// Firewall for proxy-side token replacement (complete config, all permissions)
|
|
107487
|
-
firewalls: firewallsSchema.optional(),
|
|
107488
|
-
// Per-firewall network policies: which permissions are granted + unknownPolicy
|
|
107489
|
-
networkPolicies: networkPoliciesSchema.optional(),
|
|
107490
|
-
// Tools to disable in Claude CLI (passed as --disallowed-tools)
|
|
107491
|
-
disallowedTools: external_exports.array(external_exports.string()).optional(),
|
|
107492
|
-
// Tools to make available in Claude CLI (passed as --tools)
|
|
107493
|
-
tools: external_exports.array(external_exports.string()).optional(),
|
|
107494
|
-
// Settings JSON to pass to Claude CLI (passed as --settings)
|
|
107495
|
-
settings: external_exports.string().optional(),
|
|
107496
|
-
// VM profile for resource allocation (e.g., "vm0/default")
|
|
107497
|
-
experimentalProfile: external_exports.string().optional(),
|
|
107498
|
-
// Feature flags evaluated at job creation time (all switch states for user/org)
|
|
107499
|
-
featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
|
|
107500
|
-
billableFirewalls: external_exports.array(external_exports.string()).optional(),
|
|
107501
|
-
modelUsageProvider: external_exports.string().optional()
|
|
107502
|
-
});
|
|
107503
|
-
var runnersJobClaimContract = c17.router({
|
|
107504
|
-
claim: {
|
|
107505
|
-
method: "POST",
|
|
107506
|
-
path: "/api/runners/jobs/:id/claim",
|
|
107507
|
-
headers: authHeadersSchema,
|
|
107508
|
-
pathParams: external_exports.object({
|
|
107509
|
-
id: external_exports.uuid()
|
|
107510
|
-
}),
|
|
107511
|
-
body: external_exports.object({}),
|
|
107512
|
-
responses: {
|
|
107513
|
-
200: executionContextSchema,
|
|
107514
|
-
400: apiErrorSchema,
|
|
107515
|
-
401: apiErrorSchema,
|
|
107516
|
-
403: apiErrorSchema,
|
|
107517
|
-
// Job does not belong to user
|
|
107518
|
-
404: apiErrorSchema,
|
|
107519
|
-
409: apiErrorSchema,
|
|
107520
|
-
// Already claimed
|
|
107521
|
-
500: apiErrorSchema
|
|
107522
|
-
},
|
|
107523
|
-
summary: "Claim a pending job for execution"
|
|
107524
|
-
}
|
|
107525
|
-
});
|
|
107526
|
-
var heartbeatBodySchema = external_exports.object({
|
|
107527
|
-
runnerId: external_exports.uuid(),
|
|
107528
|
-
runnerName: external_exports.string(),
|
|
107529
|
-
group: runnerGroupSchema,
|
|
107530
|
-
profiles: external_exports.array(external_exports.string()),
|
|
107531
|
-
totalVcpu: external_exports.number().int().nonnegative(),
|
|
107532
|
-
totalMemoryMb: external_exports.number().int().nonnegative(),
|
|
107533
|
-
maxConcurrent: external_exports.number().int().nonnegative(),
|
|
107534
|
-
allocatedVcpu: external_exports.number().int().nonnegative(),
|
|
107535
|
-
allocatedMemoryMb: external_exports.number().int().nonnegative(),
|
|
107536
|
-
runningCount: external_exports.number().int().nonnegative(),
|
|
107537
|
-
heldSessionStates: external_exports.array(heldSessionStateSchema),
|
|
107538
|
-
mode: external_exports.enum(["running", "draining", "stopping"])
|
|
107539
|
-
});
|
|
107540
|
-
var runnersHeartbeatContract = c17.router({
|
|
107541
|
-
heartbeat: {
|
|
107542
|
-
method: "POST",
|
|
107543
|
-
path: "/api/runners/heartbeat",
|
|
107544
|
-
headers: authHeadersSchema,
|
|
107545
|
-
body: heartbeatBodySchema,
|
|
107546
|
-
responses: {
|
|
107547
|
-
200: external_exports.object({ ok: external_exports.literal(true) }),
|
|
107548
|
-
400: apiErrorSchema,
|
|
107549
|
-
401: apiErrorSchema,
|
|
107550
|
-
500: apiErrorSchema
|
|
107551
|
-
},
|
|
107552
|
-
summary: "Report runner heartbeat with capacity and state"
|
|
107553
|
-
}
|
|
107554
|
-
});
|
|
107555
|
-
|
|
107556
108393
|
// ../../packages/api-contracts/src/contracts/storages.ts
|
|
107557
108394
|
init_esm_shims();
|
|
107558
108395
|
var c18 = initContract();
|
|
@@ -108318,7 +109155,8 @@ var zeroRunRequestSchema = unifiedRunRequestSchema.omit({
|
|
|
108318
109155
|
secrets: true,
|
|
108319
109156
|
agentComposeId: true,
|
|
108320
109157
|
appendSystemPrompt: true,
|
|
108321
|
-
modelProviderType: true
|
|
109158
|
+
modelProviderType: true,
|
|
109159
|
+
permissionPolicies: true
|
|
108322
109160
|
}).extend({
|
|
108323
109161
|
agentId: external_exports.string().optional(),
|
|
108324
109162
|
modelProvider: external_exports.string().optional()
|
|
@@ -128596,18 +129434,524 @@ var MAX_RESPONSE_SIZE = 128 * 1024;
|
|
|
128596
129434
|
|
|
128597
129435
|
// ../../packages/connectors/src/firewall-rule-matcher.ts
|
|
128598
129436
|
init_esm_shims();
|
|
129437
|
+
var VALID_RULE_METHODS = /* @__PURE__ */ new Set([
|
|
129438
|
+
"GET",
|
|
129439
|
+
"POST",
|
|
129440
|
+
"PUT",
|
|
129441
|
+
"PATCH",
|
|
129442
|
+
"DELETE",
|
|
129443
|
+
"HEAD",
|
|
129444
|
+
"OPTIONS",
|
|
129445
|
+
"ANY"
|
|
129446
|
+
]);
|
|
129447
|
+
var FORBIDDEN_RUNTIME_HOST_CHARS = new Set("#%,/<>?@\\^|{}".split(""));
|
|
129448
|
+
var FORBIDDEN_BASE_PATTERN_HOST_CHARS = new Set("#%,/<>?@\\^|".split(""));
|
|
129449
|
+
var PERCENT_ESCAPE_LENGTH = 3;
|
|
129450
|
+
var HEX_DIGITS = new Set("0123456789abcdefABCDEF".split(""));
|
|
129451
|
+
var PATH_SCORE_MULTIPLIER = 1e6;
|
|
129452
|
+
var AUTHORITY_SCORE_MULTIPLIER = 100;
|
|
129453
|
+
var LITERAL_SEGMENT_SCORE = 1e3;
|
|
129454
|
+
var MIXED_PARAM_SEGMENT_SCORE = 100;
|
|
129455
|
+
var PLAIN_PARAM_SEGMENT_SCORE = 10;
|
|
129456
|
+
var PLUS_GREEDY_SEGMENT_SCORE = 1;
|
|
129457
|
+
var ROOT_PATH_SCORE = 1;
|
|
129458
|
+
var STATIC_BASE_SCORE_BONUS = 1;
|
|
129459
|
+
var PERCENT_DECODED_AUTHORITY_SYNTAX_CHARS = /* @__PURE__ */ new Set([
|
|
129460
|
+
"{",
|
|
129461
|
+
"}",
|
|
129462
|
+
".",
|
|
129463
|
+
"\u3002",
|
|
129464
|
+
"\uFF0E",
|
|
129465
|
+
"\uFF61",
|
|
129466
|
+
":"
|
|
129467
|
+
]);
|
|
128599
129468
|
function matchMixedSegment(runtime, prefix, suffix) {
|
|
128600
129469
|
if (!runtime.startsWith(prefix)) return null;
|
|
128601
129470
|
if (!runtime.endsWith(suffix)) return null;
|
|
128602
129471
|
if (runtime.length <= prefix.length + suffix.length) return null;
|
|
128603
129472
|
return runtime.slice(prefix.length, runtime.length - suffix.length);
|
|
128604
129473
|
}
|
|
129474
|
+
function hasNonEmptySegment(segments, start) {
|
|
129475
|
+
for (let i = start; i < segments.length; i++) {
|
|
129476
|
+
if (segments[i] !== "") return true;
|
|
129477
|
+
}
|
|
129478
|
+
return false;
|
|
129479
|
+
}
|
|
129480
|
+
function codePointLength(value) {
|
|
129481
|
+
return [...value].length;
|
|
129482
|
+
}
|
|
129483
|
+
function hasUnsafeRuntimeUrlSyntax(value) {
|
|
129484
|
+
return hasUnsafeUrlCodepoint(value) || hasRawWhitespace(value) || value.includes("\\") || !value.includes("://");
|
|
129485
|
+
}
|
|
129486
|
+
function stripTrailingSlash(value) {
|
|
129487
|
+
return value.endsWith("/") ? value.slice(0, -1) : value;
|
|
129488
|
+
}
|
|
129489
|
+
function isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix) {
|
|
129490
|
+
return patternIndex !== lastPatternIndex || prefix !== "" || suffix !== "";
|
|
129491
|
+
}
|
|
129492
|
+
function pathSpecificity(pattern) {
|
|
129493
|
+
if (!pattern.startsWith("/") || pattern.includes("?") || pattern.includes("#") || pattern.includes("\\") || hasRawWhitespace(pattern) || hasUnsafeUrlCodepoint(pattern)) {
|
|
129494
|
+
return null;
|
|
129495
|
+
}
|
|
129496
|
+
let literalSegments = 0;
|
|
129497
|
+
let mixedParamSegments = 0;
|
|
129498
|
+
let plainParamSegments = 0;
|
|
129499
|
+
let plusGreedySegments = 0;
|
|
129500
|
+
let starGreedySegments = 0;
|
|
129501
|
+
let literalChars = 0;
|
|
129502
|
+
const segments = splitPathSegments(pattern);
|
|
129503
|
+
const paramNames = /* @__PURE__ */ new Set();
|
|
129504
|
+
const lastSegmentIndex = segments.length - 1;
|
|
129505
|
+
for (let index = 0; index < segments.length; index += 1) {
|
|
129506
|
+
const seg = segments[index];
|
|
129507
|
+
const parsed = parseSegment(seg);
|
|
129508
|
+
if (parsed.kind === "error") return null;
|
|
129509
|
+
if (parsed.kind === "literal") {
|
|
129510
|
+
literalSegments += 1;
|
|
129511
|
+
literalChars += codePointLength(parsed.value);
|
|
129512
|
+
continue;
|
|
129513
|
+
}
|
|
129514
|
+
if (paramNames.has(parsed.name)) return null;
|
|
129515
|
+
paramNames.add(parsed.name);
|
|
129516
|
+
if (parsed.greedy !== "" && isInvalidGreedyParam(
|
|
129517
|
+
index,
|
|
129518
|
+
lastSegmentIndex,
|
|
129519
|
+
parsed.prefix,
|
|
129520
|
+
parsed.suffix
|
|
129521
|
+
)) {
|
|
129522
|
+
return null;
|
|
129523
|
+
}
|
|
129524
|
+
literalChars += codePointLength(parsed.prefix) + codePointLength(parsed.suffix);
|
|
129525
|
+
if (parsed.prefix !== "" || parsed.suffix !== "") {
|
|
129526
|
+
mixedParamSegments += 1;
|
|
129527
|
+
} else if (parsed.greedy === "+") {
|
|
129528
|
+
plusGreedySegments += 1;
|
|
129529
|
+
} else if (parsed.greedy === "*") {
|
|
129530
|
+
starGreedySegments += 1;
|
|
129531
|
+
} else {
|
|
129532
|
+
plainParamSegments += 1;
|
|
129533
|
+
}
|
|
129534
|
+
}
|
|
129535
|
+
return [
|
|
129536
|
+
literalSegments,
|
|
129537
|
+
mixedParamSegments,
|
|
129538
|
+
plainParamSegments,
|
|
129539
|
+
plusGreedySegments,
|
|
129540
|
+
-starGreedySegments,
|
|
129541
|
+
literalChars,
|
|
129542
|
+
segments.length
|
|
129543
|
+
];
|
|
129544
|
+
}
|
|
129545
|
+
function comparePathSpecificity(left, right) {
|
|
129546
|
+
for (let i = 0; i < left.length; i++) {
|
|
129547
|
+
const difference = left[i] - right[i];
|
|
129548
|
+
if (difference !== 0) return difference;
|
|
129549
|
+
}
|
|
129550
|
+
return 0;
|
|
129551
|
+
}
|
|
129552
|
+
function matchingRulePath(rule, upperMethod) {
|
|
129553
|
+
const spaceIdx = rule.indexOf(" ");
|
|
129554
|
+
if (spaceIdx === -1) return null;
|
|
129555
|
+
const ruleMethod = rule.slice(0, spaceIdx);
|
|
129556
|
+
if (!VALID_RULE_METHODS.has(ruleMethod)) return null;
|
|
129557
|
+
if (ruleMethod !== "ANY" && ruleMethod !== upperMethod) return null;
|
|
129558
|
+
return rule.slice(spaceIdx + 1);
|
|
129559
|
+
}
|
|
129560
|
+
function isValidPermissionName(permissionName) {
|
|
129561
|
+
return permissionName !== "" && permissionName !== "all";
|
|
129562
|
+
}
|
|
129563
|
+
function isObjectRecord(value) {
|
|
129564
|
+
if (typeof value !== "object" || value === null || Array.isArray(value)) {
|
|
129565
|
+
return false;
|
|
129566
|
+
}
|
|
129567
|
+
const prototype = Object.getPrototypeOf(value);
|
|
129568
|
+
return prototype === Object.prototype || prototype === null;
|
|
129569
|
+
}
|
|
129570
|
+
function isStringRecord(value) {
|
|
129571
|
+
if (!isObjectRecord(value)) return false;
|
|
129572
|
+
return Object.values(value).every((entry) => {
|
|
129573
|
+
return typeof entry === "string";
|
|
129574
|
+
});
|
|
129575
|
+
}
|
|
129576
|
+
function isValidAuthConfig(auth, serviceName2) {
|
|
129577
|
+
if (!isObjectRecord(auth)) return false;
|
|
129578
|
+
if (auth.headers !== void 0 && !isStringRecord(auth.headers)) return false;
|
|
129579
|
+
if (auth.base !== void 0) {
|
|
129580
|
+
if (typeof auth.base !== "string") return false;
|
|
129581
|
+
validateAuthBaseUrl(auth.base, serviceName2);
|
|
129582
|
+
}
|
|
129583
|
+
return auth.query === void 0 || isStringRecord(auth.query);
|
|
129584
|
+
}
|
|
129585
|
+
function isValidApiEntry(api, serviceName2) {
|
|
129586
|
+
if (!isObjectRecord(api)) return false;
|
|
129587
|
+
if (typeof api.base !== "string") return false;
|
|
129588
|
+
try {
|
|
129589
|
+
validateBaseUrl(api.base, serviceName2);
|
|
129590
|
+
if (!isValidAuthConfig(api.auth, serviceName2)) return false;
|
|
129591
|
+
} catch {
|
|
129592
|
+
return false;
|
|
129593
|
+
}
|
|
129594
|
+
return true;
|
|
129595
|
+
}
|
|
129596
|
+
function getPermissionName(permission) {
|
|
129597
|
+
if (!isObjectRecord(permission)) return null;
|
|
129598
|
+
if (typeof permission.name !== "string") return null;
|
|
129599
|
+
if (!isValidPermissionName(permission.name)) return null;
|
|
129600
|
+
return permission.name;
|
|
129601
|
+
}
|
|
129602
|
+
function getPermissionRules(permission) {
|
|
129603
|
+
if (!isObjectRecord(permission)) return [];
|
|
129604
|
+
if (!Array.isArray(permission.rules)) return [];
|
|
129605
|
+
const rules = permission.rules.filter((rule) => {
|
|
129606
|
+
return typeof rule === "string";
|
|
129607
|
+
});
|
|
129608
|
+
return rules;
|
|
129609
|
+
}
|
|
129610
|
+
function getApiPermissionsForMatch(api, serviceName2, apiBase) {
|
|
129611
|
+
if (!isValidApiEntry(api, serviceName2)) return null;
|
|
129612
|
+
if (apiBase !== null && stripTrailingSlash(api.base) !== apiBase) return null;
|
|
129613
|
+
if (api.permissions === void 0) return null;
|
|
129614
|
+
if (!Array.isArray(api.permissions)) return null;
|
|
129615
|
+
return api.permissions;
|
|
129616
|
+
}
|
|
129617
|
+
function recordPermissionMatch(state, permission, specificity) {
|
|
129618
|
+
if (state.bestSpecificity === null || comparePathSpecificity(specificity, state.bestSpecificity) > 0) {
|
|
129619
|
+
state.bestSpecificity = specificity;
|
|
129620
|
+
state.matched.length = 0;
|
|
129621
|
+
}
|
|
129622
|
+
if (comparePathSpecificity(specificity, state.bestSpecificity) === 0 && !state.matched.includes(permission)) {
|
|
129623
|
+
state.matched.push(permission);
|
|
129624
|
+
}
|
|
129625
|
+
}
|
|
129626
|
+
function relativePathFromSegments(segments, consumed) {
|
|
129627
|
+
const rest = segments.slice(consumed).join("/");
|
|
129628
|
+
return rest === "" ? "/" : `/${rest}`;
|
|
129629
|
+
}
|
|
129630
|
+
function stripUrlQueryAndFragment2(url2) {
|
|
129631
|
+
const queryIndex = url2.indexOf("?");
|
|
129632
|
+
const fragmentIndex = url2.indexOf("#");
|
|
129633
|
+
let end = url2.length;
|
|
129634
|
+
if (queryIndex !== -1) end = Math.min(end, queryIndex);
|
|
129635
|
+
if (fragmentIndex !== -1) end = Math.min(end, fragmentIndex);
|
|
129636
|
+
return url2.slice(0, end);
|
|
129637
|
+
}
|
|
129638
|
+
function rawPathFromUrl(url2) {
|
|
129639
|
+
const urlWithoutQuery = stripUrlQueryAndFragment2(url2);
|
|
129640
|
+
const schemeEnd = urlWithoutQuery.indexOf("://");
|
|
129641
|
+
const authorityStart = schemeEnd === -1 ? 0 : schemeEnd + 3;
|
|
129642
|
+
const pathStart = urlWithoutQuery.indexOf("/", authorityStart);
|
|
129643
|
+
return pathStart === -1 ? "/" : urlWithoutQuery.slice(pathStart);
|
|
129644
|
+
}
|
|
129645
|
+
function rawBasePathFromUrl(url2) {
|
|
129646
|
+
const urlWithoutQuery = stripUrlQueryAndFragment2(url2);
|
|
129647
|
+
const schemeEnd = urlWithoutQuery.indexOf("://");
|
|
129648
|
+
const authorityStart = schemeEnd === -1 ? 0 : schemeEnd + 3;
|
|
129649
|
+
const pathStart = urlWithoutQuery.indexOf("/", authorityStart);
|
|
129650
|
+
return pathStart === -1 ? "" : urlWithoutQuery.slice(pathStart);
|
|
129651
|
+
}
|
|
129652
|
+
function rawAuthorityFromUrl(url2) {
|
|
129653
|
+
const urlWithoutQuery = stripUrlQueryAndFragment2(url2);
|
|
129654
|
+
const schemeEnd = urlWithoutQuery.indexOf("://");
|
|
129655
|
+
if (schemeEnd === -1) return null;
|
|
129656
|
+
const authorityStart = schemeEnd + 3;
|
|
129657
|
+
const pathStart = urlWithoutQuery.indexOf("/", authorityStart);
|
|
129658
|
+
const authority = pathStart === -1 ? urlWithoutQuery.slice(authorityStart) : urlWithoutQuery.slice(authorityStart, pathStart);
|
|
129659
|
+
return authority === "" ? null : authority;
|
|
129660
|
+
}
|
|
129661
|
+
function hasNonAscii(value) {
|
|
129662
|
+
for (let index = 0; index < value.length; index += 1) {
|
|
129663
|
+
if (value.charCodeAt(index) > 127) return true;
|
|
129664
|
+
}
|
|
129665
|
+
return false;
|
|
129666
|
+
}
|
|
129667
|
+
function rawHostFromAuthority2(authority) {
|
|
129668
|
+
const withoutUserinfo = authority.slice(authority.lastIndexOf("@") + 1);
|
|
129669
|
+
if (withoutUserinfo.startsWith("[")) {
|
|
129670
|
+
const closeBracket = withoutUserinfo.indexOf("]");
|
|
129671
|
+
return closeBracket === -1 ? withoutUserinfo : withoutUserinfo.slice(0, closeBracket + 1);
|
|
129672
|
+
}
|
|
129673
|
+
const portSeparator = withoutUserinfo.lastIndexOf(":");
|
|
129674
|
+
return portSeparator === -1 ? withoutUserinfo : withoutUserinfo.slice(0, portSeparator);
|
|
129675
|
+
}
|
|
129676
|
+
function rawAuthorityHostStartsWithDigit(authority) {
|
|
129677
|
+
const firstChar = rawHostFromAuthority2(authority)[0];
|
|
129678
|
+
return firstChar !== void 0 && firstChar >= "0" && firstChar <= "9";
|
|
129679
|
+
}
|
|
129680
|
+
function runtimeAuthorityOriginForHostValidation(url2) {
|
|
129681
|
+
const authority = rawAuthorityFromUrl(url2);
|
|
129682
|
+
if (authority === null) return null;
|
|
129683
|
+
if (!authority.includes("%") && !hasNonAscii(authority) && !rawAuthorityHostStartsWithDigit(authority)) {
|
|
129684
|
+
return null;
|
|
129685
|
+
}
|
|
129686
|
+
const schemeEnd = url2.indexOf("://");
|
|
129687
|
+
if (schemeEnd === -1) return null;
|
|
129688
|
+
return `${url2.slice(0, schemeEnd)}://${authority}`;
|
|
129689
|
+
}
|
|
129690
|
+
function hasPercentEncodedAuthoritySyntax(value) {
|
|
129691
|
+
let index = value.indexOf("%");
|
|
129692
|
+
while (index !== -1) {
|
|
129693
|
+
let runEnd = index;
|
|
129694
|
+
while (runEnd < value.length && value[runEnd] === "%") {
|
|
129695
|
+
const firstHexDigit = value[runEnd + 1];
|
|
129696
|
+
const secondHexDigit = value[runEnd + 2];
|
|
129697
|
+
if (!firstHexDigit || !secondHexDigit || !HEX_DIGITS.has(firstHexDigit) || !HEX_DIGITS.has(secondHexDigit)) {
|
|
129698
|
+
return true;
|
|
129699
|
+
}
|
|
129700
|
+
runEnd += PERCENT_ESCAPE_LENGTH;
|
|
129701
|
+
}
|
|
129702
|
+
let decodedRun;
|
|
129703
|
+
try {
|
|
129704
|
+
decodedRun = decodeURIComponent(value.slice(index, runEnd));
|
|
129705
|
+
} catch {
|
|
129706
|
+
return true;
|
|
129707
|
+
}
|
|
129708
|
+
for (const char of decodedRun) {
|
|
129709
|
+
if (PERCENT_DECODED_AUTHORITY_SYNTAX_CHARS.has(char)) {
|
|
129710
|
+
return true;
|
|
129711
|
+
}
|
|
129712
|
+
}
|
|
129713
|
+
index = value.indexOf("%", runEnd);
|
|
129714
|
+
}
|
|
129715
|
+
return false;
|
|
129716
|
+
}
|
|
129717
|
+
function hasMalformedRuntimeAuthoritySyntax(url2) {
|
|
129718
|
+
const authority = rawAuthorityFromUrl(url2);
|
|
129719
|
+
if (authority === null) return false;
|
|
129720
|
+
return authority.includes("\\") || hasPercentEncodedAuthoritySyntax(authority);
|
|
129721
|
+
}
|
|
129722
|
+
function scoreLiteralSegment(segment2) {
|
|
129723
|
+
return LITERAL_SEGMENT_SCORE + codePointLength(segment2);
|
|
129724
|
+
}
|
|
129725
|
+
function scorePatternSegment(segment2, allowParams) {
|
|
129726
|
+
if (!allowParams) return scoreLiteralSegment(segment2);
|
|
129727
|
+
const parsed = parseSegment(segment2);
|
|
129728
|
+
if (parsed.kind === "error") return 0;
|
|
129729
|
+
if (parsed.kind === "literal") {
|
|
129730
|
+
return scoreLiteralSegment(parsed.value);
|
|
129731
|
+
}
|
|
129732
|
+
const literalChars = codePointLength(parsed.prefix) + codePointLength(parsed.suffix);
|
|
129733
|
+
if (parsed.prefix !== "" || parsed.suffix !== "") {
|
|
129734
|
+
return MIXED_PARAM_SEGMENT_SCORE + literalChars;
|
|
129735
|
+
}
|
|
129736
|
+
if (parsed.greedy === "+") return PLUS_GREEDY_SEGMENT_SCORE;
|
|
129737
|
+
if (parsed.greedy === "*") return 0;
|
|
129738
|
+
return PLAIN_PARAM_SEGMENT_SCORE;
|
|
129739
|
+
}
|
|
129740
|
+
function scorePatternSegments(segments, allowParams) {
|
|
129741
|
+
return segments.reduce((score, segment2) => {
|
|
129742
|
+
return score + scorePatternSegment(segment2, allowParams);
|
|
129743
|
+
}, 0);
|
|
129744
|
+
}
|
|
129745
|
+
function scorePathPattern(path3, allowParams) {
|
|
129746
|
+
if (path3 === "") return 0;
|
|
129747
|
+
if (path3 === "/") return ROOT_PATH_SCORE;
|
|
129748
|
+
return scorePatternSegments(splitPathSegments(path3), allowParams);
|
|
129749
|
+
}
|
|
129750
|
+
function splitAuthoritySegments(authority) {
|
|
129751
|
+
if (authority.startsWith("[")) return [authority];
|
|
129752
|
+
const normalized = authority.endsWith(".") ? authority.slice(0, -1) : authority;
|
|
129753
|
+
return normalized === "" ? [] : normalized.split(".");
|
|
129754
|
+
}
|
|
129755
|
+
function baseUrlSpecificityScore(rawBase, hasParams) {
|
|
129756
|
+
const baseForMatch = stripTrailingSlash(rawBase);
|
|
129757
|
+
const authorityScore = scorePatternSegments(
|
|
129758
|
+
splitAuthoritySegments(rawAuthorityFromUrl(baseForMatch) ?? ""),
|
|
129759
|
+
hasParams
|
|
129760
|
+
);
|
|
129761
|
+
const pathScore = scorePathPattern(
|
|
129762
|
+
rawBasePathFromUrl(baseForMatch),
|
|
129763
|
+
hasParams
|
|
129764
|
+
);
|
|
129765
|
+
return pathScore * PATH_SCORE_MULTIPLIER + authorityScore * AUTHORITY_SCORE_MULTIPLIER + (hasParams ? 0 : STATIC_BASE_SCORE_BONUS);
|
|
129766
|
+
}
|
|
129767
|
+
function matchStaticBasePathPrefix(path3, pattern) {
|
|
129768
|
+
if (pattern === "") {
|
|
129769
|
+
return path3 === "" ? "/" : path3;
|
|
129770
|
+
}
|
|
129771
|
+
if (pattern === "/") {
|
|
129772
|
+
if (!path3.startsWith(pattern)) return null;
|
|
129773
|
+
const relativePath2 = path3.slice(pattern.length);
|
|
129774
|
+
if (relativePath2 !== "" && !relativePath2.startsWith("/")) return null;
|
|
129775
|
+
return relativePath2 === "" ? "/" : relativePath2;
|
|
129776
|
+
}
|
|
129777
|
+
if (!path3.startsWith(pattern)) return null;
|
|
129778
|
+
const relativePath = path3.slice(pattern.length);
|
|
129779
|
+
if (relativePath !== "" && !relativePath.startsWith("/")) return null;
|
|
129780
|
+
return relativePath === "" ? "/" : relativePath;
|
|
129781
|
+
}
|
|
129782
|
+
function normalizeUrlHostname(hostname4, options = {}) {
|
|
129783
|
+
let normalized = hostname4.toLowerCase();
|
|
129784
|
+
if (normalized.endsWith(".")) {
|
|
129785
|
+
normalized = normalized.slice(0, -1);
|
|
129786
|
+
if (normalized === "" || normalized.endsWith(".")) {
|
|
129787
|
+
return null;
|
|
129788
|
+
}
|
|
129789
|
+
}
|
|
129790
|
+
if (normalized.split(".").some((label) => {
|
|
129791
|
+
return label === "";
|
|
129792
|
+
})) {
|
|
129793
|
+
return null;
|
|
129794
|
+
}
|
|
129795
|
+
const forbiddenChars = options.allowHostParams === true ? FORBIDDEN_BASE_PATTERN_HOST_CHARS : FORBIDDEN_RUNTIME_HOST_CHARS;
|
|
129796
|
+
if (!normalized.startsWith("[") && [...normalized].some((char) => {
|
|
129797
|
+
return forbiddenChars.has(char);
|
|
129798
|
+
})) {
|
|
129799
|
+
return null;
|
|
129800
|
+
}
|
|
129801
|
+
return normalized;
|
|
129802
|
+
}
|
|
129803
|
+
function normalizedUrlAuthority(parsed, options = {}) {
|
|
129804
|
+
if (parsed.username !== "" || parsed.password !== "") {
|
|
129805
|
+
return null;
|
|
129806
|
+
}
|
|
129807
|
+
const hostname4 = normalizeUrlHostname(parsed.hostname, options);
|
|
129808
|
+
if (hostname4 === null || hostname4 === "") {
|
|
129809
|
+
return null;
|
|
129810
|
+
}
|
|
129811
|
+
return parsed.port === "" ? hostname4 : `${hostname4}:${parsed.port}`;
|
|
129812
|
+
}
|
|
129813
|
+
function matchStaticFirewallBaseUrl(url2, rawBase) {
|
|
129814
|
+
const parsedUrl = new URL(url2);
|
|
129815
|
+
const parsedBase = new URL(rawBase);
|
|
129816
|
+
if (parsedUrl.protocol.toLowerCase() !== parsedBase.protocol.toLowerCase()) {
|
|
129817
|
+
return null;
|
|
129818
|
+
}
|
|
129819
|
+
const baseHasParams = hasBaseUrlParams(rawBase);
|
|
129820
|
+
const baseForMatch = stripTrailingSlash(rawBase);
|
|
129821
|
+
const urlAuthority = normalizedUrlAuthority(parsedUrl);
|
|
129822
|
+
const baseAuthority = normalizedUrlAuthority(parsedBase, {
|
|
129823
|
+
allowHostParams: baseHasParams
|
|
129824
|
+
});
|
|
129825
|
+
if (urlAuthority === null || baseAuthority === null) return null;
|
|
129826
|
+
if (baseHasParams) {
|
|
129827
|
+
if (matchFirewallHost(urlAuthority, baseAuthority) === null) return null;
|
|
129828
|
+
} else if (urlAuthority !== baseAuthority) {
|
|
129829
|
+
return null;
|
|
129830
|
+
}
|
|
129831
|
+
const basePath = rawBasePathFromUrl(baseForMatch);
|
|
129832
|
+
const relativePath = baseHasParams ? matchFirewallPathPrefix(rawPathFromUrl(url2), basePath) : matchStaticBasePathPrefix(rawPathFromUrl(url2), basePath);
|
|
129833
|
+
if (relativePath === null) return null;
|
|
129834
|
+
const displayBase = stripTrailingSlash(rawBase);
|
|
129835
|
+
return {
|
|
129836
|
+
displayBase,
|
|
129837
|
+
relativePath,
|
|
129838
|
+
score: baseUrlSpecificityScore(rawBase, baseHasParams)
|
|
129839
|
+
};
|
|
129840
|
+
}
|
|
129841
|
+
function matchFirewallBaseUrl(url2, rawBase) {
|
|
129842
|
+
if (hasUnsafeRuntimeUrlSyntax(url2) || hasMalformedRuntimeAuthoritySyntax(url2)) {
|
|
129843
|
+
return null;
|
|
129844
|
+
}
|
|
129845
|
+
const runtimeAuthorityOrigin = runtimeAuthorityOriginForHostValidation(url2);
|
|
129846
|
+
try {
|
|
129847
|
+
if (runtimeAuthorityOrigin !== null) {
|
|
129848
|
+
validateBaseUrl(runtimeAuthorityOrigin, "runtime");
|
|
129849
|
+
}
|
|
129850
|
+
validateBaseUrl(rawBase, "firewall");
|
|
129851
|
+
return matchStaticFirewallBaseUrl(url2, rawBase);
|
|
129852
|
+
} catch {
|
|
129853
|
+
return null;
|
|
129854
|
+
}
|
|
129855
|
+
}
|
|
129856
|
+
function matchFirewallHost(host, pattern) {
|
|
129857
|
+
const hostSegsOrig = host.split(".");
|
|
129858
|
+
const hostSegsLower = hostSegsOrig.map((segment2) => {
|
|
129859
|
+
return segment2.toLowerCase();
|
|
129860
|
+
});
|
|
129861
|
+
const patternSegs = pattern.split(".").reverse();
|
|
129862
|
+
hostSegsOrig.reverse();
|
|
129863
|
+
hostSegsLower.reverse();
|
|
129864
|
+
const params = {};
|
|
129865
|
+
let hi = 0;
|
|
129866
|
+
const lastPatternIndex = patternSegs.length - 1;
|
|
129867
|
+
for (let patternIndex = 0; patternIndex < patternSegs.length; patternIndex++) {
|
|
129868
|
+
const seg = patternSegs[patternIndex];
|
|
129869
|
+
const parsed = parseSegment(seg);
|
|
129870
|
+
if (parsed.kind === "error") return null;
|
|
129871
|
+
if (parsed.kind === "literal") {
|
|
129872
|
+
if (hi >= hostSegsLower.length || hostSegsLower[hi] !== parsed.value.toLowerCase()) {
|
|
129873
|
+
return null;
|
|
129874
|
+
}
|
|
129875
|
+
hi += 1;
|
|
129876
|
+
continue;
|
|
129877
|
+
}
|
|
129878
|
+
const { name, prefix, suffix, greedy } = parsed;
|
|
129879
|
+
if (greedy === "+") {
|
|
129880
|
+
if (isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix))
|
|
129881
|
+
return null;
|
|
129882
|
+
if (hi >= hostSegsOrig.length) return null;
|
|
129883
|
+
params[name] = hostSegsOrig.slice(hi).reverse().join(".");
|
|
129884
|
+
return params;
|
|
129885
|
+
}
|
|
129886
|
+
if (greedy === "*") {
|
|
129887
|
+
if (isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix))
|
|
129888
|
+
return null;
|
|
129889
|
+
params[name] = hostSegsOrig.slice(hi).reverse().join(".");
|
|
129890
|
+
return params;
|
|
129891
|
+
}
|
|
129892
|
+
if (hi >= hostSegsOrig.length) return null;
|
|
129893
|
+
if (prefix === "" && suffix === "") {
|
|
129894
|
+
params[name] = hostSegsLower[hi];
|
|
129895
|
+
} else {
|
|
129896
|
+
const captured = matchMixedSegment(
|
|
129897
|
+
hostSegsLower[hi],
|
|
129898
|
+
prefix.toLowerCase(),
|
|
129899
|
+
suffix.toLowerCase()
|
|
129900
|
+
);
|
|
129901
|
+
if (captured === null) return null;
|
|
129902
|
+
params[name] = captured;
|
|
129903
|
+
}
|
|
129904
|
+
hi += 1;
|
|
129905
|
+
}
|
|
129906
|
+
return hi === hostSegsOrig.length ? params : null;
|
|
129907
|
+
}
|
|
129908
|
+
function matchFirewallPathPrefix(path3, pattern) {
|
|
129909
|
+
const pathSegs = splitPathSegments(path3);
|
|
129910
|
+
const patternSegs = splitPathSegments(pattern);
|
|
129911
|
+
let pi = 0;
|
|
129912
|
+
const lastPatternIndex = patternSegs.length - 1;
|
|
129913
|
+
for (let patternIndex = 0; patternIndex < patternSegs.length; patternIndex++) {
|
|
129914
|
+
const seg = patternSegs[patternIndex];
|
|
129915
|
+
const parsed = parseSegment(seg);
|
|
129916
|
+
if (parsed.kind === "error") return null;
|
|
129917
|
+
if (parsed.kind === "literal") {
|
|
129918
|
+
if (pi >= pathSegs.length || pathSegs[pi] !== parsed.value) return null;
|
|
129919
|
+
pi += 1;
|
|
129920
|
+
continue;
|
|
129921
|
+
}
|
|
129922
|
+
const { prefix, suffix, greedy } = parsed;
|
|
129923
|
+
if (greedy === "+") {
|
|
129924
|
+
if (isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix))
|
|
129925
|
+
return null;
|
|
129926
|
+
if (pi >= pathSegs.length || !hasNonEmptySegment(pathSegs, pi)) {
|
|
129927
|
+
return null;
|
|
129928
|
+
}
|
|
129929
|
+
return "/";
|
|
129930
|
+
}
|
|
129931
|
+
if (greedy === "*") {
|
|
129932
|
+
if (isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix))
|
|
129933
|
+
return null;
|
|
129934
|
+
return "/";
|
|
129935
|
+
}
|
|
129936
|
+
if (pi >= pathSegs.length) return null;
|
|
129937
|
+
const runtime = pathSegs[pi];
|
|
129938
|
+
if (prefix === "" && suffix === "") {
|
|
129939
|
+
if (runtime === "") return null;
|
|
129940
|
+
} else if (matchMixedSegment(runtime, prefix, suffix) === null) {
|
|
129941
|
+
return null;
|
|
129942
|
+
}
|
|
129943
|
+
pi += 1;
|
|
129944
|
+
}
|
|
129945
|
+
return relativePathFromSegments(pathSegs, pi);
|
|
129946
|
+
}
|
|
128605
129947
|
function matchFirewallPath(path3, pattern) {
|
|
128606
|
-
const pathSegs = path3
|
|
128607
|
-
const patternSegs = pattern
|
|
129948
|
+
const pathSegs = splitPathSegments(path3);
|
|
129949
|
+
const patternSegs = splitPathSegments(pattern);
|
|
128608
129950
|
const params = {};
|
|
128609
129951
|
let pi = 0;
|
|
128610
|
-
|
|
129952
|
+
const lastPatternIndex = patternSegs.length - 1;
|
|
129953
|
+
for (let patternIndex = 0; patternIndex < patternSegs.length; patternIndex++) {
|
|
129954
|
+
const seg = patternSegs[patternIndex];
|
|
128611
129955
|
const parsed = parseSegment(seg);
|
|
128612
129956
|
if (parsed.kind === "error") return null;
|
|
128613
129957
|
if (parsed.kind === "literal") {
|
|
@@ -128617,17 +129961,24 @@ function matchFirewallPath(path3, pattern) {
|
|
|
128617
129961
|
}
|
|
128618
129962
|
const { name, prefix, suffix, greedy } = parsed;
|
|
128619
129963
|
if (greedy === "+") {
|
|
128620
|
-
if (
|
|
129964
|
+
if (isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix))
|
|
129965
|
+
return null;
|
|
129966
|
+
if (pi >= pathSegs.length || !hasNonEmptySegment(pathSegs, pi)) {
|
|
129967
|
+
return null;
|
|
129968
|
+
}
|
|
128621
129969
|
params[name] = pathSegs.slice(pi).join("/");
|
|
128622
129970
|
return params;
|
|
128623
129971
|
}
|
|
128624
129972
|
if (greedy === "*") {
|
|
129973
|
+
if (isInvalidGreedyParam(patternIndex, lastPatternIndex, prefix, suffix))
|
|
129974
|
+
return null;
|
|
128625
129975
|
params[name] = pathSegs.slice(pi).join("/");
|
|
128626
129976
|
return params;
|
|
128627
129977
|
}
|
|
128628
129978
|
if (pi >= pathSegs.length) return null;
|
|
128629
129979
|
const runtime = pathSegs[pi];
|
|
128630
129980
|
if (prefix === "" && suffix === "") {
|
|
129981
|
+
if (runtime === "") return null;
|
|
128631
129982
|
params[name] = runtime;
|
|
128632
129983
|
} else {
|
|
128633
129984
|
const captured = matchMixedSegment(runtime, prefix, suffix);
|
|
@@ -128639,27 +129990,40 @@ function matchFirewallPath(path3, pattern) {
|
|
|
128639
129990
|
if (pi !== pathSegs.length) return null;
|
|
128640
129991
|
return params;
|
|
128641
129992
|
}
|
|
128642
|
-
function findMatchingPermissions(method, path3, config4) {
|
|
129993
|
+
function findMatchingPermissions(method, path3, config4, options = {}) {
|
|
129994
|
+
if (!isObjectRecord(config4)) return [];
|
|
129995
|
+
if (typeof config4.name !== "string" || config4.name === "") return [];
|
|
129996
|
+
if (!Array.isArray(config4.apis)) return [];
|
|
128643
129997
|
const upperMethod = method.toUpperCase();
|
|
128644
|
-
const
|
|
129998
|
+
const apiBase = options.apiBase === void 0 ? null : stripTrailingSlash(options.apiBase);
|
|
129999
|
+
const matched = [];
|
|
128645
130000
|
for (const api of config4.apis) {
|
|
128646
|
-
|
|
128647
|
-
|
|
128648
|
-
|
|
128649
|
-
|
|
128650
|
-
|
|
128651
|
-
|
|
128652
|
-
|
|
128653
|
-
|
|
128654
|
-
|
|
130001
|
+
const permissions = getApiPermissionsForMatch(api, config4.name, apiBase);
|
|
130002
|
+
if (permissions === null) continue;
|
|
130003
|
+
const state = { bestSpecificity: null, matched: [] };
|
|
130004
|
+
const seenPermissionNames = /* @__PURE__ */ new Set();
|
|
130005
|
+
for (const rawPermission of permissions) {
|
|
130006
|
+
const permissionName = getPermissionName(rawPermission);
|
|
130007
|
+
if (permissionName === null) continue;
|
|
130008
|
+
if (seenPermissionNames.has(permissionName)) continue;
|
|
130009
|
+
seenPermissionNames.add(permissionName);
|
|
130010
|
+
for (const rule of getPermissionRules(rawPermission)) {
|
|
130011
|
+
const rest = matchingRulePath(rule, upperMethod);
|
|
130012
|
+
if (rest === null) continue;
|
|
128655
130013
|
if (matchFirewallPath(path3, rest) !== null) {
|
|
128656
|
-
|
|
128657
|
-
|
|
130014
|
+
const specificity = pathSpecificity(rest);
|
|
130015
|
+
if (specificity === null) continue;
|
|
130016
|
+
recordPermissionMatch(state, permissionName, specificity);
|
|
128658
130017
|
}
|
|
128659
130018
|
}
|
|
128660
130019
|
}
|
|
130020
|
+
for (const permission of state.matched) {
|
|
130021
|
+
if (!matched.includes(permission)) {
|
|
130022
|
+
matched.push(permission);
|
|
130023
|
+
}
|
|
130024
|
+
}
|
|
128661
130025
|
}
|
|
128662
|
-
return
|
|
130026
|
+
return matched;
|
|
128663
130027
|
}
|
|
128664
130028
|
|
|
128665
130029
|
// ../../packages/api-contracts/src/contracts/zero-feature-switches.ts
|
|
@@ -132800,6 +134164,7 @@ export {
|
|
|
132800
134164
|
withErrorHandler,
|
|
132801
134165
|
require_dist,
|
|
132802
134166
|
extractAndGroupVariables,
|
|
134167
|
+
extractSecretNamesFromApis,
|
|
132803
134168
|
volumeConfigSchema,
|
|
132804
134169
|
agentDefinitionSchema,
|
|
132805
134170
|
getComposeByName,
|
|
@@ -132807,7 +134172,6 @@ export {
|
|
|
132807
134172
|
getComposeById,
|
|
132808
134173
|
getComposeVersion,
|
|
132809
134174
|
createOrUpdateCompose,
|
|
132810
|
-
extractSecretNamesFromApis,
|
|
132811
134175
|
getVm0ModelMultiplier,
|
|
132812
134176
|
MODEL_PROVIDER_TYPES,
|
|
132813
134177
|
getSelectableProviderTypes,
|
|
@@ -132950,6 +134314,7 @@ export {
|
|
|
132950
134314
|
isFirewallConnectorType,
|
|
132951
134315
|
getConnectorFirewall,
|
|
132952
134316
|
resolveFirewallPolicies,
|
|
134317
|
+
matchFirewallBaseUrl,
|
|
132953
134318
|
findMatchingPermissions,
|
|
132954
134319
|
parseEvent,
|
|
132955
134320
|
EventStreamNormalizer,
|
|
@@ -132978,4 +134343,4 @@ undici/lib/web/fetch/body.js:
|
|
|
132978
134343
|
undici/lib/web/websocket/frame.js:
|
|
132979
134344
|
(*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
|
|
132980
134345
|
*/
|
|
132981
|
-
//# sourceMappingURL=chunk-
|
|
134346
|
+
//# sourceMappingURL=chunk-CGUELQJH.js.map
|