@xopcai/xopc 0.0.77 → 0.0.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. package/dist/browser-ext/manifest.json +1 -1
  2. package/dist/extensions/telegram/xopc.extension.json +1 -1
  3. package/dist/gateway/static/root/assets/{agents-DN3vr8pb.js → agents-Bh_9-1KB.js} +2 -2
  4. package/dist/gateway/static/root/assets/{agents-DN3vr8pb.js.map → agents-Bh_9-1KB.js.map} +1 -1
  5. package/dist/gateway/static/root/assets/{apps-page-BUn41aPi.js → apps-page-CB5anZpc.js} +2 -2
  6. package/dist/gateway/static/root/assets/{apps-page-BUn41aPi.js.map → apps-page-CB5anZpc.js.map} +1 -1
  7. package/dist/gateway/static/root/assets/{channels-settings-CYMmWDtP.js → channels-settings-Bt1sprhC.js} +2 -2
  8. package/dist/gateway/static/root/assets/{channels-settings-CYMmWDtP.js.map → channels-settings-Bt1sprhC.js.map} +1 -1
  9. package/dist/gateway/static/root/assets/{channels-status-swr-sJj4ueTp.js → channels-status-swr-Crgak3fg.js} +2 -2
  10. package/dist/gateway/static/root/assets/{channels-status-swr-sJj4ueTp.js.map → channels-status-swr-Crgak3fg.js.map} +1 -1
  11. package/dist/gateway/static/root/assets/{cron-api-CLxnaHdq.js → cron-api-CzJGvQQ7.js} +2 -2
  12. package/dist/gateway/static/root/assets/{cron-api-CLxnaHdq.js.map → cron-api-CzJGvQQ7.js.map} +1 -1
  13. package/dist/gateway/static/root/assets/{cron-page-BAQ8xSnJ.js → cron-page-BoNRJNVV.js} +2 -2
  14. package/dist/gateway/static/root/assets/{cron-page-BAQ8xSnJ.js.map → cron-page-BoNRJNVV.js.map} +1 -1
  15. package/dist/gateway/static/root/assets/{dist-BfJYxiK5.js → dist-a-eaOUvs.js} +2 -2
  16. package/dist/gateway/static/root/assets/{dist-BfJYxiK5.js.map → dist-a-eaOUvs.js.map} +1 -1
  17. package/dist/gateway/static/root/assets/{extension-debug-page-bgvVs-Sy.js → extension-debug-page-D-O1XjAa.js} +2 -2
  18. package/dist/gateway/static/root/assets/{extension-debug-page-bgvVs-Sy.js.map → extension-debug-page-D-O1XjAa.js.map} +1 -1
  19. package/dist/gateway/static/root/assets/{extension-page-SG4TVv-u.js → extension-page-B2VpqBTH.js} +2 -2
  20. package/dist/gateway/static/root/assets/{extension-page-SG4TVv-u.js.map → extension-page-B2VpqBTH.js.map} +1 -1
  21. package/dist/gateway/static/root/assets/{extension-settings-page-CJZRTsjF.js → extension-settings-page-CmBcQfeO.js} +2 -2
  22. package/dist/gateway/static/root/assets/{extension-settings-page-CJZRTsjF.js.map → extension-settings-page-CmBcQfeO.js.map} +1 -1
  23. package/dist/gateway/static/root/assets/{fetch-K_0JRCXU.js → fetch-EGO9T3MN.js} +3 -3
  24. package/dist/gateway/static/root/assets/{fetch-K_0JRCXU.js.map → fetch-EGO9T3MN.js.map} +1 -1
  25. package/dist/gateway/static/root/assets/{field-primitives-Z76hyBYS.js → field-primitives-Bh7G1y4D.js} +2 -2
  26. package/dist/gateway/static/root/assets/{field-primitives-Z76hyBYS.js.map → field-primitives-Bh7G1y4D.js.map} +1 -1
  27. package/dist/gateway/static/root/assets/{heartbeat-config-api-BqfDabSI.js → heartbeat-config-api-DxpIEZNs.js} +2 -2
  28. package/dist/gateway/static/root/assets/{heartbeat-config-api-BqfDabSI.js.map → heartbeat-config-api-DxpIEZNs.js.map} +1 -1
  29. package/dist/gateway/static/root/assets/{index-ChiUhJAs.js → index-Dxy9ZCtC.js} +5 -5
  30. package/dist/gateway/static/root/assets/{index-ChiUhJAs.js.map → index-Dxy9ZCtC.js.map} +1 -1
  31. package/dist/gateway/static/root/assets/{logs-page-DrIMhDE2.js → logs-page-Dw58E2GE.js} +2 -2
  32. package/dist/gateway/static/root/assets/{logs-page-DrIMhDE2.js.map → logs-page-Dw58E2GE.js.map} +1 -1
  33. package/dist/gateway/static/root/assets/{sessions-page-B-RGO3N0.js → sessions-page-CPkhCy57.js} +2 -2
  34. package/dist/gateway/static/root/assets/{sessions-page-B-RGO3N0.js.map → sessions-page-CPkhCy57.js.map} +1 -1
  35. package/dist/gateway/static/root/assets/{settings-form-section-Csvl1iL6.js → settings-form-section-DLZDVMEf.js} +2 -2
  36. package/dist/gateway/static/root/assets/{settings-form-section-Csvl1iL6.js.map → settings-form-section-DLZDVMEf.js.map} +1 -1
  37. package/dist/gateway/static/root/assets/settings-page-CVPCa0PE.js +4 -0
  38. package/dist/gateway/static/root/assets/settings-page-CVPCa0PE.js.map +1 -0
  39. package/dist/gateway/static/root/assets/{skills-page-dHwx2vh0.js → skills-page-DueZ9Qfg.js} +2 -2
  40. package/dist/gateway/static/root/assets/{skills-page-dHwx2vh0.js.map → skills-page-DueZ9Qfg.js.map} +1 -1
  41. package/dist/gateway/static/root/assets/{theme-store-Bl5A2Fd_.js → theme-store-CWPq9gW1.js} +2 -2
  42. package/dist/gateway/static/root/assets/{theme-store-Bl5A2Fd_.js.map → theme-store-CWPq9gW1.js.map} +1 -1
  43. package/dist/gateway/static/root/assets/{utils-COYrNFF7.js → utils-Cnix55r9.js} +2 -2
  44. package/dist/gateway/static/root/assets/{utils-COYrNFF7.js.map → utils-Cnix55r9.js.map} +1 -1
  45. package/dist/gateway/static/root/assets/{voice-api-key-field-5WZZaxH3.js → voice-api-key-field-BR3Ut06g.js} +2 -2
  46. package/dist/gateway/static/root/assets/{voice-api-key-field-5WZZaxH3.js.map → voice-api-key-field-BR3Ut06g.js.map} +1 -1
  47. package/dist/gateway/static/root/index.html +3 -3
  48. package/dist/package.js +1 -1
  49. package/dist/src/browser/providers/browser-ext-install.js +23 -4
  50. package/dist/src/browser/providers/browser-ext-install.js.map +1 -1
  51. package/dist/src/cli/commands/tunnel.js +4 -5
  52. package/dist/src/cli/commands/tunnel.js.map +1 -1
  53. package/dist/src/config/index.js +2 -2
  54. package/dist/src/config/rules.js +0 -5
  55. package/dist/src/config/rules.js.map +1 -1
  56. package/dist/src/config/schema.d.ts +0 -27
  57. package/dist/src/config/schema.js +4 -18
  58. package/dist/src/config/schema.js.map +1 -1
  59. package/dist/src/gateway/auth-rate-limit.d.ts +2 -0
  60. package/dist/src/gateway/auth-rate-limit.js +9 -3
  61. package/dist/src/gateway/auth-rate-limit.js.map +1 -1
  62. package/dist/src/gateway/hono/app.js +19 -13
  63. package/dist/src/gateway/hono/app.js.map +1 -1
  64. package/dist/src/gateway/hono/lib/config-payload.d.ts +3 -1
  65. package/dist/src/gateway/hono/lib/config-payload.js +1 -2
  66. package/dist/src/gateway/hono/lib/config-payload.js.map +1 -1
  67. package/dist/src/gateway/hono/routes/tunnel.js +32 -30
  68. package/dist/src/gateway/hono/routes/tunnel.js.map +1 -1
  69. package/dist/src/gateway/host.d.ts +24 -0
  70. package/dist/src/gateway/host.js +33 -1
  71. package/dist/src/gateway/host.js.map +1 -1
  72. package/dist/src/gateway/index.d.ts +1 -1
  73. package/dist/src/gateway/index.js +2 -2
  74. package/dist/src/gateway/runtime-config.js +1 -8
  75. package/dist/src/gateway/runtime-config.js.map +1 -1
  76. package/dist/src/gateway/security/audit.js +4 -4
  77. package/dist/src/gateway/security/audit.js.map +1 -1
  78. package/dist/src/gateway/server.js +2 -3
  79. package/dist/src/gateway/server.js.map +1 -1
  80. package/dist/src/gateway/service/types.d.ts +2 -0
  81. package/dist/src/gateway/service.d.ts +2 -0
  82. package/dist/src/gateway/service.js +7 -2
  83. package/dist/src/gateway/service.js.map +1 -1
  84. package/dist/src/tunnel/frp-subdomain-host.d.ts +2 -0
  85. package/dist/src/tunnel/frp-subdomain-host.js +15 -0
  86. package/dist/src/tunnel/frp-subdomain-host.js.map +1 -0
  87. package/dist/src/tunnel/gateway-lifecycle.d.ts +0 -4
  88. package/dist/src/tunnel/gateway-lifecycle.js +9 -11
  89. package/dist/src/tunnel/gateway-lifecycle.js.map +1 -1
  90. package/dist/src/tunnel/index.d.ts +2 -4
  91. package/dist/src/tunnel/index.js +2 -4
  92. package/dist/src/tunnel/pair-url.js +7 -1
  93. package/dist/src/tunnel/pair-url.js.map +1 -1
  94. package/dist/src/tunnel/pairing.d.ts +13 -0
  95. package/dist/src/tunnel/pairing.js +48 -1
  96. package/dist/src/tunnel/pairing.js.map +1 -1
  97. package/dist/src/tunnel/tunnel-config.js +2 -16
  98. package/dist/src/tunnel/tunnel-config.js.map +1 -1
  99. package/dist/src/tunnel/tunnel-service.d.ts +1 -10
  100. package/dist/src/tunnel/tunnel-service.js +7 -60
  101. package/dist/src/tunnel/tunnel-service.js.map +1 -1
  102. package/dist/src/tunnel/tunnel-types.d.ts +3 -18
  103. package/dist/src/tunnel/well-known.d.ts +5 -0
  104. package/dist/src/tunnel/well-known.js +2 -1
  105. package/dist/src/tunnel/well-known.js.map +1 -1
  106. package/package.json +2 -2
  107. package/dist/gateway/static/root/assets/settings-page-nxAc0ta1.js +0 -4
  108. package/dist/gateway/static/root/assets/settings-page-nxAc0ta1.js.map +0 -1
  109. package/dist/src/tunnel/acme-cert-store.d.ts +0 -34
  110. package/dist/src/tunnel/acme-cert-store.js +0 -184
  111. package/dist/src/tunnel/acme-cert-store.js.map +0 -1
  112. package/dist/src/tunnel/acme-client.d.ts +0 -50
  113. package/dist/src/tunnel/acme-client.js +0 -473
  114. package/dist/src/tunnel/acme-client.js.map +0 -1
  115. package/dist/src/tunnel/acme-crypto.d.ts +0 -25
  116. package/dist/src/tunnel/acme-crypto.js +0 -58
  117. package/dist/src/tunnel/acme-crypto.js.map +0 -1
  118. package/dist/src/tunnel/acme-csr.d.ts +0 -5
  119. package/dist/src/tunnel/acme-csr.js +0 -48
  120. package/dist/src/tunnel/acme-csr.js.map +0 -1
  121. package/dist/src/tunnel/tls-server.d.ts +0 -14
  122. package/dist/src/tunnel/tls-server.js +0 -126
  123. package/dist/src/tunnel/tls-server.js.map +0 -1
  124. package/dist/src/tunnel/tunnel-e2e-config.d.ts +0 -11
  125. package/dist/src/tunnel/tunnel-e2e-config.js +0 -29
  126. package/dist/src/tunnel/tunnel-e2e-config.js.map +0 -1
package/dist/src/config/schema.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"schema.js","names":[],"sources":["../../../src/config/schema.ts"],"sourcesContent":["import { z } from 'zod';\n\nimport { getDefaultWorkspacePath } from '../agent/agent-scope.js';\nimport { checkCacheDir } from '../browser/cache-dir-policy.js';\n\n// ============================================\n// Agent Configs\n// ============================================\n\nexport const AgentModelRefSchema = z.union([\n z.string(),\n z\n .object({\n primary: z.string().optional(),\n fallbacks: z.array(z.string()).optional(),\n })\n .strict(),\n]);\n\nexport type AgentModelConfig = z.infer<typeof AgentModelRefSchema>;\n\n/**\n * Image-generation model ref. Superset of {@link AgentModelRefSchema} with\n * runtime knobs (`timeoutMs`, `autoProviderFallback`) used by the\n * image-generation runtime; falls back to a plain string for backward\n * compatibility with old configs.\n */\nexport const AgentImageGenerationModelSchema = z.union([\n z.string(),\n z\n .object({\n primary: z.string().optional(),\n fallbacks: z.array(z.string()).optional(),\n /** Hard cap for the whole generation attempt (ms). */\n timeoutMs: z.number().int().positive().optional(),\n /**\n * When all `primary + fallbacks` candidates fail, sweep every other\n * configured provider before giving up.\n */\n autoProviderFallback: z.boolean().optional(),\n })\n .strict(),\n]);\n\nexport type AgentImageGenerationModelConfig = z.infer<typeof AgentImageGenerationModelSchema>;\n\nexport const AgentDefaultsSchema = z.object({\n /** Parent directory: each agent’s Markdown root is `<expanded>/<agentId>/` (e.g. `.../workspace/main`). */\n workspace: z.string().default('~/.xopc/workspace'),\n model: z.union([\n z.string(),\n z.object({\n primary: z.string().optional(),\n fallbacks: z.array(z.string()).optional(),\n }).strict(),\n ]).default(''), // Empty default - will be resolved dynamically at runtime\n /** Vision / image understanding model (provider/model). Falls back to heuristics when unset. */\n imageModel: AgentModelRefSchema.optional(),\n /** Image generation model (provider/model), e.g. openai/gpt-image-1. Supports plugin-based providers (OpenAI / DashScope / MiniMax / Google / Fal). */\n imageGenerationModel: AgentImageGenerationModelSchema.optional(),\n /** Max image size for image tool loads (MB). */\n mediaMaxMb: z.number().positive().optional(),\n maxTokens: z.number().default(8192),\n temperature: z.number().default(0.7),\n maxToolIterations: z.number().default(20),\n // Wall-clock limit for one user turn (LLM + tools). Default 30m if unset; cap 4h.\n maxTaskDurationMs: z.number().min(60000).max(14_400_000).optional(),\n // Reliability settings\n maxRequestsPerTurn: z.number().min(10).max(200).default(50),\n maxToolFailuresPerTurn: z.number().min(1).max(20).default(3),\n // Thinking ability settings\n thinkingDefault: z.enum(['off', 'minimal', 'low', 'medium', 'high', 'xhigh', 'adaptive']).optional(),\n reasoningDefault: z.enum(['off', 'on', 'stream']).optional(),\n verboseDefault: z.enum(['off', 'on', 'full']).optional(),\n bootstrapMaxChars: z.number().int().positive().optional(),\n bootstrapTotalMaxChars: z.number().int().positive().optional(),\n bootstrapPromptTruncationWarning: z.enum(['off', 'once', 'always']).optional(),\n startupContext: z\n .object({\n enabled: z.boolean().optional(),\n applyOn: z.array(z.enum(['new', 'reset'])).optional(),\n dailyMemoryDays: z.number().int().min(1).optional(),\n maxFileBytes: z.number().int().positive().optional(),\n maxFileChars: z.number().int().positive().optional(),\n maxTotalChars: z.number().int().positive().optional(),\n })\n .optional(),\n contextLimits: z\n .object({\n postCompactionMaxChars: z.number().int().positive().optional(),\n })\n .optional(),\n compaction: z.object({\n enabled: z.boolean().default(true),\n mode: z.enum(['default', 'safeguard']).default('default'),\n reserveTokens: z.number().default(8000),\n triggerThreshold: z.number().min(0.5).max(0.95).default(0.8),\n minMessagesBeforeCompact: z.number().default(10),\n keepRecentMessages: z.number().default(5),\n // Dual-strategy compaction\n evictionWindow: z.number().min(0.1).max(0.5).default(0.2),\n retentionWindow: z.number().min(3).max(20).default(6),\n postCompactionSections: z.array(z.string()).optional(),\n }).optional(),\n pruning: z.object({\n enabled: z.boolean().default(true),\n maxToolResultChars: z.number().default(10000),\n headKeepRatio: z.number().default(0.3),\n tailKeepRatio: z.number().default(0.3),\n }).optional(),\n /**\n * Curated memory (`agents/<id>/memories/`) + pluggable external provider.\n * Only one external provider at a time.\n */\n memory: z\n .object({\n /** Master switch: `curated_memory` tool, prefetch, and external provider. Default true. */\n enabled: z.boolean().optional(),\n /** When false, disable curated_memory tool and memory subsystem helpers. Default true. */\n useEnhancedSystem: z.boolean().optional(),\n /** Include USER.md in snapshot. Default true. */\n userProfileEnabled: z.boolean().optional(),\n memoryCharLimit: z.number().positive().optional(),\n userCharLimit: z.number().positive().optional(),\n provider: z.enum(['none', 'stub']).optional(),\n /** How often prefetched external memory is injected into the user message. */\n injectionFrequency: z.enum(['every-turn', 'first-turn']).optional(),\n /** Inject prefetch on turns 1, 1+N, 1+2N, … (only when injectionFrequency is every-turn). Min 1. */\n contextCadence: z.number().int().min(1).optional(),\n /** Reserved for future external “dialectic” sync cadence (not wired yet). */\n dialecticCadence: z.number().int().min(1).optional(),\n /**\n * Background memory consolidation (\"dreaming\"): three-phase sleep model that\n * promotes short-term recall signals into long-term memory (`MEMORY.md`).\n *\n * Phases:\n * - **light** — fast, frequent sweep (default every 6 h): dedup + signal collection.\n * - **deep** — daily deep promotion (default 3 AM): score-gated write to MEMORY.md.\n * - **rem** — weekly pattern discovery (default Sun 5 AM): cross-session insight mining.\n */\n dreaming: z\n .object({\n enabled: z.boolean().optional(),\n /** Default deep-phase cron when `phases.deep.cron` is omitted. */\n frequency: z.string().optional(),\n timezone: z.string().optional(),\n phases: z\n .object({\n light: z\n .object({\n enabled: z.boolean().optional(),\n cron: z.string().optional(),\n lookbackDays: z.number().int().min(1).optional(),\n limit: z.number().int().min(0).optional(),\n dedupeSimilarity: z.number().min(0).max(1).optional(),\n })\n .optional(),\n deep: z\n .object({\n enabled: z.boolean().optional(),\n cron: z.string().optional(),\n minScore: z.number().min(0).max(1).optional(),\n minRecallCount: z.number().int().min(1).optional(),\n minUniqueQueries: z.number().int().min(1).optional(),\n limit: z.number().int().min(0).optional(),\n recencyHalfLifeDays: z.number().min(1).optional(),\n maxAgeDays: z.number().int().min(1).optional(),\n })\n .optional(),\n rem: z\n .object({\n enabled: z.boolean().optional(),\n cron: z.string().optional(),\n lookbackDays: z.number().int().min(1).optional(),\n limit: z.number().int().min(0).optional(),\n minPatternStrength: z.number().min(0).max(1).optional(),\n })\n .optional(),\n })\n .optional(),\n })\n .optional(),\n })\n .optional(),\n /** Cross-session transcript search (`session_search` tool). */\n sessionSearch: z\n .object({\n /** Model ref for per-session summaries (e.g. openai/gpt-4o-mini). */\n summaryModel: z.string().optional(),\n })\n .optional(),\n /**\n * Post-turn background review (Hermes-style): optional quiet follow-up that may call\n * `curated_memory` / `skill_manage` so durable facts and reusable workflows persist\n * without bloating the main user-visible turn.\n */\n backgroundReview: z\n .object({\n /** When true, nudges may run after successful turns. Default false (opt-in). */\n enabled: z.boolean().optional(),\n /** User-turn cadence for memory review. 0 disables the memory channel. Default 10. */\n memoryNudgeInterval: z.number().int().min(0).optional(),\n /** LLM rounds without `skill_manage` before a skill review. 0 disables the skill channel. Default 10. */\n skillNudgeInterval: z.number().int().min(0).optional(),\n /** Max tool executions for the review agent. Default 8. */\n maxToolRounds: z.number().int().min(1).max(32).optional(),\n /** Max prior messages passed into the review context (tail). Default 80. */\n maxHistoryMessages: z.number().int().min(10).max(200).optional(),\n /** Wall-clock cap for the review run (ms). Default 120000. */\n maxDurationMs: z.number().int().min(30_000).max(600_000).optional(),\n })\n .optional(),\n /** LLM pass for `web_extract` (markdown-focused extraction). */\n webExtract: z\n .object({\n model: z.string().optional(),\n maxLength: z.number().positive().optional(),\n })\n .optional(),\n /**\n * Browser capability via unified `browser_use` tool. Enabled by default (set `enabled: false` to disable).\n * The local Playwright backend requires Chromium on the gateway host: `npx playwright install chromium`.\n */\n browser: z\n .object({\n enabled: z.boolean().optional(),\n /** Run browser in headless mode (default: false — visible window). */\n headless: z.boolean().optional(),\n /** When true, skip private-IP blocking for browser navigation (cloud metadata endpoints are always blocked). */\n allowPrivateUrls: z.boolean().optional(),\n /** Browser command timeout in seconds (default: 30). */\n commandTimeout: z.number().min(5).optional(),\n /** Browser backend mode (default: 'extension'). Also: 'local' (Playwright), 'cdp', 'cloud', or 'cloakbrowser'. */\n backend: z.enum(['local', 'cdp', 'cloud', 'extension', 'cloakbrowser']).optional(),\n /** Cloud browser backend: 'local' (default Playwright), 'browserbase', or 'browser-use'. */\n cloudProvider: z.enum(['local', 'browserbase', 'browser-use']).optional(),\n /** Cloud browser credentials and optional session hints. */\n cloud: z.object({\n /** API key for the selected cloud provider. Environment variables are still supported as fallback. */\n apiKey: z.string().optional(),\n /** Browserbase project id. Falls back to BROWSERBASE_PROJECT_ID. */\n projectId: z.string().optional(),\n /** Optional cloud provider region. */\n region: z.string().optional(),\n }).optional(),\n /** Direct CDP WebSocket endpoint URL (bypasses cloud provider). */\n cdpUrl: z.string().optional(),\n /** Chrome Extension bridge settings (only used when backend = 'extension'). */\n extension: z.object({\n /** WebSocket server port. Default: 19820. */\n port: z.number().min(1024).max(65535).optional(),\n /** Host to bind. Default: 127.0.0.1. */\n host: z.string().optional(),\n /** Timeout waiting for extension connection (ms). Default: 30000. */\n connectionTimeout: z.number().min(1000).optional(),\n }).optional(),\n /** JS dialog handling policy: 'must_respond' (agent must act), 'auto_dismiss', or 'auto_accept'. */\n dialogPolicy: z.enum(['must_respond', 'auto_dismiss', 'auto_accept']).optional(),\n /** Dialog auto-dismiss/accept timeout in seconds (default: 300). */\n dialogTimeoutSeconds: z.number().min(1).optional(),\n /** Enable humanized input simulation (Bezier mouse, per-char typing, wheel scroll). Default: false. */\n humanize: z.boolean().optional(),\n /** Humanize behavior preset: 'default' (fast) or 'careful' (slower, more realistic). Default: 'careful'. */\n humanPreset: z.enum(['default', 'careful']).optional(),\n /** CloakBrowser settings (only used when backend = 'cloakbrowser'). */\n cloakbrowser: z.object({\n /** Keep browser process alive between tasks. Default: true. */\n keepOpen: z.boolean().optional(),\n /** Create a temporary profile directory, cleaned up on close. Default: false. */\n temporaryProfile: z.boolean().optional(),\n /** Directory for cached CloakBrowser binaries. Must live under the user's home directory. Default: ~/.xopc/bin/cloakbrowser. */\n cacheDir: z\n .string()\n .optional()\n .superRefine((v, ctx) => {\n const r = checkCacheDir(v);\n if (r.ok === false) ctx.addIssue({ code: 'custom', message: r.message });\n }),\n /** Override the CloakBrowser binary path (skip auto-download). */\n binaryPath: z.string().optional(),\n /** Timezone to emulate (e.g. \"America/New_York\"). */\n timezone: z.string().optional(),\n /** Locale to emulate (e.g. \"en-US\"). */\n locale: z.string().optional(),\n /** Public IP for WebRTC leak prevention. */\n webrtcIp: z.string().optional(),\n /** Platform to emulate in fingerprint (e.g. \"windows\", \"macos\"). */\n fingerprintPlatform: z.string().optional(),\n /** Extra Chromium launch args (override defaults with same --key= prefix). */\n extraArgs: z.array(z.string()).optional(),\n }).optional(),\n })\n .optional(),\n /** Sub-agent delegation (`delegate_task`). Opt-in. */\n delegate: z\n .object({\n enabled: z.boolean().optional(),\n })\n .optional(),\n /** Sandboxed `execute_code` (programmatic tool calls). Opt-in. */\n executeCode: z\n .object({\n enabled: z.boolean().optional(),\n })\n .optional(),\n /** Optional full system prompt replacement (merged with per-agent entry; entry wins). */\n systemPromptOverride: z.string().optional(),\n /** Optional allowlist of skill names for `<available_skills>`; when set, replaces unfiltered list. */\n skills: z.array(z.string()).optional(),\n /** Disable built-in tools by name (e.g. `shell`, `web_search`). */\n tools: z\n .object({\n disable: z.array(z.string()).optional(),\n })\n .optional(),\n /** Opaque per-process params (reserved for extensions / future use). */\n params: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const AgentConfigSchema = z.object({\n id: z.string(),\n /** When true, this entry is the default routing agent. */\n default: z.boolean().optional(),\n name: z.string().optional(),\n /** Short human-readable summary for UIs (gateway console, pickers). */\n description: z.string().max(4000).optional(),\n enabled: z.boolean().default(true),\n /** Per-agent workspace root (`~` expanded at runtime). */\n workspace: z.string().optional(),\n /**\n * Internal agent state directory (`…/credentials`, `agent.json`, pid, inbox).\n * Default: `<stateDir>/agents/<id>/agent`.\n */\n agentDir: z.string().optional(),\n model: AgentModelRefSchema.optional(),\n thinkingDefault: z.enum(['off', 'minimal', 'low', 'medium', 'high', 'xhigh', 'adaptive']).optional(),\n reasoningDefault: z.enum(['off', 'on', 'stream']).optional(),\n verboseDefault: z.enum(['off', 'on', 'full']).optional(),\n systemPromptOverride: z.string().optional(),\n skills: z.array(z.string()).optional(),\n tools: z\n .object({\n disable: z.array(z.string()).optional(),\n })\n .optional(),\n params: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const AgentsConfigSchema = z.object({\n /** Default agent id when not specified (routing / session creation). */\n default: z.string().optional(),\n defaults: AgentDefaultsSchema.optional(),\n list: z.array(AgentConfigSchema).optional(),\n}).default({\n defaults: {\n workspace: '~/.xopc/workspace',\n model: '', // Empty default - will be resolved dynamically at runtime\n maxTokens: 8192,\n temperature: 0.7,\n maxToolIterations: 20,\n maxRequestsPerTurn: 50,\n maxToolFailuresPerTurn: 3,\n thinkingDefault: 'medium',\n reasoningDefault: 'stream',\n verboseDefault: 'full',\n compaction: {\n enabled: true,\n mode: 'default',\n reserveTokens: 8000,\n triggerThreshold: 0.8,\n minMessagesBeforeCompact: 10,\n keepRecentMessages: 5,\n evictionWindow: 0.2,\n retentionWindow: 6,\n },\n pruning: {\n enabled: true,\n maxToolResultChars: 10000,\n headKeepRatio: 0.3,\n tailKeepRatio: 0.3,\n },\n browser: {\n backend: 'extension',\n },\n },\n} as any);\n\n// ============================================\n// Channel Configs (per-channel Zod lives in bundled extensions; root schema is open)\n// ============================================\n\nexport {\n TelegramTopicConfigSchema,\n TelegramGroupConfigSchema,\n TelegramAccountConfigSchema,\n TelegramConfigSchema,\n} from '../../extensions/telegram/src/config-schema.js';\nexport type { TelegramConfig } from '../../extensions/telegram/src/config-schema.js';\nexport { WeixinAccountConfigSchema, WeixinConfigSchema } from '../../extensions/weixin/src/config-schema.js';\nexport type { WeixinConfig } from '../../extensions/weixin/src/config-schema.js';\n// ============================================\n// Session Routing Configuration\n// ============================================\n\nexport const BindingMatchSchema = z.object({\n channel: z.string(),\n accountId: z.string().optional(),\n peerKind: z.string().optional(),\n peerId: z.string().optional(),\n guildId: z.string().optional(),\n teamId: z.string().optional(),\n memberRoleIds: z.array(z.string()).optional(),\n});\n\nexport const BindingRuleSchema = z.object({\n id: z.string().optional(),\n agentId: z.string(),\n priority: z.number().default(100),\n match: BindingMatchSchema,\n enabled: z.boolean().default(true),\n});\n\nexport const BindingsConfigSchema = z.array(BindingRuleSchema).default([]);\n\nexport const SessionDmScopeSchema = z.enum([\n 'main',\n 'per-peer',\n 'per-channel-peer',\n 'per-account-channel-peer',\n]);\n\nexport const SessionStorageConfigSchema = z.object({\n pruneAfterMs: z.number().optional(),\n maxEntries: z.number().optional(),\n});\n\nexport const SessionConfigSchema = z.object({\n dmScope: SessionDmScopeSchema.default('main'),\n identityLinks: z.record(z.string(), z.array(z.string())).optional(),\n storage: SessionStorageConfigSchema.optional(),\n}).default({\n dmScope: 'main',\n});\n\n/** Channel buckets — shapes validated post-parse by registered channel plugins. */\nexport const ChannelsConfigSchema = z.record(z.string(), z.unknown()).default({\n telegram: {\n enabled: false,\n allowFrom: [],\n groupAllowFrom: [],\n debug: false,\n accounts: {\n default: {\n accountId: 'default',\n enabled: true,\n botToken: '',\n allowFrom: [],\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n streamMode: 'partial' as const,\n },\n },\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n },\n});\n\nexport const SearchProviderEntrySchema = z.object({\n type: z.enum(['brave', 'tavily', 'bing', 'searxng']),\n apiKey: z.string().optional(),\n /** SearXNG instance base URL (e.g. http://localhost:8080) */\n url: z.string().optional(),\n disabled: z.boolean().optional(),\n});\n\nexport type SearchProviderEntry = z.infer<typeof SearchProviderEntrySchema>;\n\nexport const WebSearchConfigSchema = z.object({\n maxResults: z.number().default(5),\n /** Ordered API providers; empty → HTML fallback only */\n providers: z.array(SearchProviderEntrySchema).default([]),\n});\n\nexport type WebSearchConfig = z.infer<typeof WebSearchConfigSchema>;\n\nexport const WebsiteBlocklistSchema = z.object({\n /** Master switch. Default false (no blocking). */\n enabled: z.boolean().default(false),\n /** Domain patterns to block (e.g. \"example.com\", \"*.evil.org\"). */\n domains: z.array(z.string()).default([]),\n});\n\nexport type WebsiteBlocklistConfig = z.infer<typeof WebsiteBlocklistSchema>;\n\nexport const WebToolsConfigSchema = z.object({\n /** Search result HTML fallback: cn → Bing, otherwise DuckDuckGo */\n region: z.enum(['cn', 'global']).optional(),\n search: WebSearchConfigSchema.optional(),\n /** Domain blocklist for web_fetch / web_extract / browser tools. */\n blocklist: WebsiteBlocklistSchema.optional(),\n});\n\nexport type WebToolsConfig = z.infer<typeof WebToolsConfigSchema>;\n\nexport const ToolsConfigSchema = z.object({\n web: WebToolsConfigSchema.optional(),\n /**\n * Per-capability media providers. Currently only `audio` (STT) is wired;\n * `image` / `video` slots are reserved for future capabilities.\n */\n media: z.lazy(() => ToolsMediaConfigSchema),\n}).default({\n web: {\n search: {\n maxResults: 5,\n providers: [],\n },\n },\n});\n\n// ============================================\n// Gateway Configuration\n// ============================================\n\nexport const GatewayAuthRateLimitSchema = z\n .object({\n enabled: z.boolean().default(true),\n maxAttempts: z.number().int().min(1).default(5),\n windowMs: z.number().default(900_000),\n blockDurationMs: z.number().default(300_000),\n /** OpenClaw alias for blockDurationMs. */\n lockoutMs: z.number().optional(),\n /** Skip rate limiting for loopback client IPs (default true). Remote browser Origin requests never exempt. */\n exemptLoopback: z.boolean().default(true),\n })\n .optional();\n\nexport const GatewaySecuritySchema = z\n .object({\n /** When true, non-loopback binds require explicit gateway.auth.rateLimit configuration. */\n strict: z.boolean().optional(),\n })\n .optional();\n\nexport const GatewayTrustedProxySchema = z\n .object({\n /** Header set by the reverse proxy with the authenticated user identity. */\n userHeader: z.string().min(1),\n /** Additional headers that must be present (e.g. proxy auth markers). */\n requiredHeaders: z.array(z.string()).optional(),\n /** When non-empty, only these user identities are allowed. */\n allowUsers: z.array(z.string()).optional(),\n /** Allow trusted-proxy auth when the TCP source is loopback (same-host reverse proxy). */\n allowLoopback: z.boolean().optional(),\n })\n .strict();\n\nexport const GatewayAuthSchema = z\n .object({\n mode: z.enum(['none', 'token', 'password', 'trusted-proxy']).default('token'),\n token: z.string().optional(),\n password: z.string().optional(),\n /** When true (default for Serve), browser UI may auth via Tailscale identity headers. API routes still require token. */\n allowTailscale: z.boolean().optional(),\n rateLimit: GatewayAuthRateLimitSchema,\n trustedProxy: GatewayTrustedProxySchema.optional(),\n })\n .default({\n mode: 'token',\n });\n\nexport const GatewayTailscaleConsentSchema = z.object({\n version: z.string().min(1),\n acceptedAt: z.string().min(1),\n});\n\nexport const GatewayTailscaleSchema = z\n .object({\n mode: z.enum(['off', 'serve', 'funnel']).default('off'),\n resetOnExit: z.boolean().default(true),\n consent: GatewayTailscaleConsentSchema.optional(),\n })\n .default({\n mode: 'off',\n resetOnExit: true,\n });\n\nexport const GatewayRemoteSchema = z.object({\n url: z.string().url(),\n token: z.string().optional(),\n password: z.string().optional(),\n transport: z.enum(['direct', 'ssh']).default('direct'),\n sshTarget: z.string().optional(),\n sshIdentity: z.string().optional(),\n tlsFingerprint: z.string().optional(),\n});\n\nexport const GatewayTlsSchema = z\n .object({\n enabled: z.boolean().default(false),\n autoGenerate: z.boolean().default(false),\n certPath: z.string().optional(),\n keyPath: z.string().optional(),\n })\n .default({\n enabled: false,\n autoGenerate: false,\n });\n\nexport const GatewayModeSchema = z.enum(['local', 'remote']).default('local');\n\nexport const HeartbeatConfigSchema = z\n .object({\n enabled: z.boolean(),\n intervalMs: z.number(),\n /** When false, heartbeat instructions are only sent during heartbeat polling turns (not in every chat system prompt). */\n includeSystemPromptSection: z.boolean().optional().default(false),\n target: z.string().optional(),\n targetChatId: z.string().optional(),\n prompt: z.string().optional(),\n ackMaxChars: z.number().optional(),\n isolatedSession: z.boolean().optional(),\n activeHours: z\n .object({\n start: z.string(),\n end: z.string(),\n timezone: z.string().optional(),\n })\n .optional(),\n })\n .default({\n enabled: true,\n intervalMs: 1_800_000,\n includeSystemPromptSection: false,\n });\n\nexport const GatewayChannelConnectDeferModeSchema = z.enum(['auto', 'off', 'explicit']);\n\nexport const TunnelConsentSchema = z.object({\n version: z.string().min(1),\n acceptedAt: z.string().min(1),\n});\n\nexport const TunnelE2eSchema = z\n .object({\n enabled: z.boolean().default(true),\n tlsPort: z.number().int().min(1024).max(65535).default(18791),\n staging: z.boolean().default(false),\n })\n .default({\n enabled: true,\n tlsPort: 18791,\n staging: false,\n });\n\nexport const TunnelExposureModeSchema = z.enum(['public', 'pairing-only']);\n\nexport const TunnelConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n brokerUrl: z.string().url().default('https://frp.xopc.ai/api'),\n /** Broker register API secret (env `XOPC_TUNNEL_REGISTRATION_SECRET` overrides when set). */\n registrationSecret: z.string().min(1).optional(),\n autoStart: z.boolean().default(false),\n subdomain: z.string().optional(),\n /** public: full gateway; pairing-only: broker routes only mobile pair endpoints. */\n exposure: TunnelExposureModeSchema.default('public'),\n consent: TunnelConsentSchema.optional(),\n e2e: TunnelE2eSchema.optional(),\n })\n .default({\n enabled: false,\n brokerUrl: 'https://frp.xopc.ai/api',\n autoStart: false,\n exposure: 'public',\n });\n\nexport type TunnelConfig = z.infer<typeof TunnelConfigSchema>;\n\n/**\n * Workspace-scoped concerns (file import, etc.). Distinct from\n * `agents.defaults.workspace`, which is the workspace *path*; this block carries\n * feature configuration for workspace-related routes.\n */\nexport const WorkspaceImportConfigSchema = z.object({\n /** Workspace-relative subdir for imported files. Default `imports`. */\n targetDir: z.string().default('imports'),\n /** Per-file byte cap. Default 100 MiB. */\n maxBytes: z.number().int().min(1024).max(10_737_418_240).default(104_857_600),\n /** When false, the route rejects `onConflict: 'overwrite'`. Default true. */\n allowOverwrite: z.boolean().default(true),\n});\nexport type WorkspaceImportConfig = z.infer<typeof WorkspaceImportConfigSchema>;\n\nexport const WorkspaceConfigSchema = z.object({\n import: WorkspaceImportConfigSchema.optional(),\n}).optional();\nexport type WorkspaceConfig = z.infer<typeof WorkspaceConfigSchema>;\n\nexport const GatewayBindModeSchema = z.enum(['auto', 'loopback', 'lan', 'tailnet', 'custom']);\n\nexport const GatewayConfigSchema = z.object({\n /** Semantic bind mode. */\n bind: GatewayBindModeSchema.optional(),\n /** IPv4 listen address when `bind` is `custom`. */\n customBindHost: z.string().optional(),\n port: z.number().optional(),\n /** local: this process runs the gateway; remote: CLI clients target gateway.remote. */\n mode: GatewayModeSchema.optional(),\n /** Persistent remote gateway target for CLI/TUI/MCP when mode=remote. */\n remote: GatewayRemoteSchema.optional(),\n tailscale: GatewayTailscaleSchema.optional(),\n tls: GatewayTlsSchema.optional(),\n auth: GatewayAuthSchema.optional(),\n heartbeat: HeartbeatConfigSchema.optional(),\n maxSseConnections: z.number().optional(),\n corsOrigins: z.array(z.string()).optional(),\n /** Dangerous: allow browser Origin to match the HTTP Host header when not in corsOrigins. */\n dangerouslyAllowHostHeaderOriginFallback: z.boolean().optional(),\n /** CIDRs or exact IPs of reverse proxies allowed to terminate auth (trusted-proxy mode). */\n trustedProxies: z.array(z.string()).optional(),\n /** When true, fall back to X-Real-IP if X-Forwarded-For chain parsing fails. Default false (fail closed). */\n allowRealIpFallback: z.boolean().optional(),\n security: GatewaySecuritySchema,\n /**\n * How channel `start()` is split around HTTP listen when using `GatewayServer`.\n * - `auto` (default): defer ids come from channel plugin `meta.deferConnectUntilAfterListen` + enabled config.\n * - `off`: always start all channels in phase1 (troubleshooting / strict ordering).\n * - `explicit`: defer only `channelConnectDeferIds` (empty = defer none).\n */\n channelConnectDeferMode: GatewayChannelConnectDeferModeSchema.optional(),\n /** When `channelConnectDeferMode` is `explicit`, these channel plugin ids are deferred until after listen. */\n channelConnectDeferIds: z.array(z.string().min(1)).max(24).optional(),\n /** Removed from the defer set (applied after `auto` or `explicit` resolution). */\n channelConnectDeferSkipIds: z.array(z.string().min(1)).max(24).optional(),\n /** Default skills marketplace provider id. Built-in: 'store', 'skillhub', 'clawhub'. Extensions may register more. */\n skillsMarketplaceProvider: z.string().optional(),\n /** Base URL for the xopc skills marketplace (public REST API). */\n skillsStoreBaseUrl: z.string().url().optional(),\n /** File sharing configuration (temporary public download links for workspace files). */\n share: z.object({\n enabled: z.boolean().default(true),\n /** Default TTL in ms (default 24h). */\n defaultTtlMs: z.number().min(60_000).max(604_800_000).default(86_400_000),\n /** Maximum TTL in ms (default 7 days). */\n maxTtlMs: z.number().min(60_000).max(2_592_000_000).default(604_800_000),\n /** Maximum concurrent active shares (default 100). */\n maxActiveShares: z.number().min(1).max(10_000).default(100),\n /** Maximum shareable file size in bytes (default 100MB). */\n maxFileSize: z.number().min(1_048_576).max(10_737_418_240).default(104_857_600),\n /** MIME types allowed for inline preview (?inline=1). */\n inlinePreviewMimes: z.array(z.string()).default([\n 'image/png',\n 'image/jpeg',\n 'image/gif',\n 'image/webp',\n 'image/svg+xml',\n 'application/pdf',\n 'text/html',\n 'text/markdown',\n 'text/plain',\n 'application/json',\n ]),\n }).optional(),\n}).default({\n bind: 'loopback',\n port: 18790,\n auth: {\n mode: 'token',\n },\n heartbeat: {\n enabled: true,\n intervalMs: 1_800_000,\n includeSystemPromptSection: false,\n },\n maxSseConnections: 100,\n corsOrigins: [],\n skillsMarketplaceProvider: 'skillhub',\n skillsStoreBaseUrl: 'https://store.xopc.ai',\n});\n\nexport const CronConfigSchema = z.object({\n enabled: z.boolean().optional(),\n maxConcurrentJobs: z.number().optional(),\n defaultTimezone: z.string().optional(),\n historyRetentionDays: z.number().optional(),\n enableMetrics: z.boolean().optional(),\n}).default({\n enabled: true,\n maxConcurrentJobs: 5,\n defaultTimezone: 'UTC',\n historyRetentionDays: 7,\n enableMetrics: true,\n});\n\nexport const ModelsDevConfigSchema = z.object({\n enabled: z.boolean().default(true),\n}).default({\n enabled: true,\n});\n\n// ============================================\n// STT (Speech-to-Text) Config\n// ============================================\n\nconst SttProviderConfigCatchallSchema = z.union([\n z.string(),\n z.number(),\n z.boolean(),\n z.null(),\n z.array(z.unknown()),\n z.record(z.string(), z.unknown()),\n]);\n\nexport const STTProviderConfigSchema = z\n .object({\n apiKey: z.string().optional(),\n model: z.string().optional(),\n baseUrl: z.string().optional(),\n headers: z.record(z.string(), z.string()).optional(),\n language: z.string().optional(),\n prompt: z.string().optional(),\n })\n .catchall(SttProviderConfigCatchallSchema);\n\nexport const STTFallbackConfigSchema = z.object({\n enabled: z.boolean().default(true),\n order: z.array(z.string().min(1)).default(['alibaba', 'openai']),\n});\n\nexport const MediaUnderstandingCapabilitiesSchema = z\n .array(z.enum(['image', 'audio', 'video']))\n .optional();\n\nexport const MediaUnderstandingModelSchema = z\n .object({\n provider: z.string().optional(),\n model: z.string().optional(),\n capabilities: MediaUnderstandingCapabilitiesSchema,\n type: z.union([z.literal('provider'), z.literal('cli')]).optional(),\n command: z.string().optional(),\n baseUrl: z.string().optional(),\n headers: z.record(z.string(), z.string()).optional(),\n apiKey: z.string().optional(),\n language: z.string().optional(),\n prompt: z.string().optional(),\n })\n .catchall(SttProviderConfigCatchallSchema);\n\nexport const STTConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n /** Primary provider id — any registered MediaUnderstandingProvider id. */\n provider: z.string().min(1).default('alibaba'),\n fallback: STTFallbackConfigSchema.optional(),\n timeoutMs: z.number().int().min(1000).max(180000).optional(),\n /** Ordered model entries for this capability (OpenClaw `tools.media.audio.models`). */\n models: z.array(MediaUnderstandingModelSchema).optional(),\n /** OpenClaw-aligned provider settings map (`tools.media.audio.providers.<id>`). */\n providers: z.record(z.string(), STTProviderConfigSchema).optional(),\n /** Legacy flat provider keys — kept for backward compatibility. */\n alibaba: STTProviderConfigSchema.optional(),\n openai: STTProviderConfigSchema.optional(),\n })\n .passthrough();\n\n// ============================================\n// TTS (Text-to-Speech) Config\n// ============================================\n\nconst TtsProviderConfigCatchallSchema = z.union([\n z.string(),\n z.number(),\n z.boolean(),\n z.null(),\n z.array(z.unknown()),\n z.record(z.string(), z.unknown()),\n]);\n\nexport const TTSProviderConfigSchema = z\n .object({\n apiKey: z.string().optional(),\n model: z.string().optional(),\n voice: z.string().optional(),\n })\n .catchall(TtsProviderConfigCatchallSchema);\n\nexport const TTSFallbackConfigSchema = z.object({\n enabled: z.boolean().default(true),\n order: z\n .array(z.string().min(1))\n .default(['openai', 'alibaba', 'minimax', 'edge']),\n});\n\nexport const TTSModelOverridesConfigSchema = z.object({\n enabled: z.boolean().default(true),\n allowText: z.boolean().default(true),\n allowProvider: z.boolean().default(false),\n allowVoice: z.boolean().default(true),\n allowModelId: z.boolean().default(true),\n allowVoiceSettings: z.boolean().default(false),\n allowNormalization: z.boolean().default(false),\n allowSeed: z.boolean().default(false),\n});\n\nexport const TTSEdgeConfigSchema = z.object({\n enabled: z.boolean().default(true),\n voice: z.string().optional(),\n lang: z.string().optional(),\n outputFormat: z.string().optional(),\n pitch: z.string().optional(),\n rate: z.string().optional(),\n volume: z.string().optional(),\n proxy: z.string().optional(),\n timeoutMs: z.number().int().min(1000).max(120000).optional(),\n});\n\nexport const TTSSummarizationConfigSchema = z.object({\n enabled: z.boolean().optional(),\n targetLength: z.number().int().min(1).optional(),\n threshold: z.number().int().min(1).optional(),\n model: z.string().optional(),\n});\n\nexport const TTSConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n /** Primary provider id — any registered SpeechProviderPlugin id. */\n provider: z.string().min(1).default('openai'),\n trigger: z.enum(['off', 'always', 'inbound', 'tagged']).default('always'),\n fallback: TTSFallbackConfigSchema.optional(),\n maxTextLength: z.number().int().min(1).default(512), // Conservative default to accommodate all providers (Alibaba limit is 512)\n timeoutMs: z.number().int().min(1000).max(180000).default(60000),\n summarization: TTSSummarizationConfigSchema.optional(),\n modelOverrides: TTSModelOverridesConfigSchema.optional(),\n /** OpenClaw-aligned provider settings map (`messages.tts.providers.<id>`). */\n providers: z.record(z.string(), TTSProviderConfigSchema).optional(),\n /** Legacy flat provider keys — kept for backward compatibility. */\n alibaba: TTSProviderConfigSchema.optional(),\n openai: TTSProviderConfigSchema.optional(),\n edge: TTSEdgeConfigSchema.optional(),\n minimax: TTSProviderConfigSchema.optional(),\n })\n .passthrough();\n\n// ============================================\n// messages.* — delivery / presentation concerns\n// ============================================\n\nexport const MessagesConfigSchema = z.object({\n /** Voice (text-to-speech) output configuration. */\n tts: TTSConfigSchema.optional(),\n}).optional();\n\nexport const ToolsMediaAudioConfigSchema = STTConfigSchema;\n\nexport const ToolsMediaConfigSchema = z\n .object({\n /** Shared model entries applied across media capabilities when entry lacks capabilities. */\n models: z.array(MediaUnderstandingModelSchema).optional(),\n /** Audio (speech-to-text) capability provider config. */\n audio: ToolsMediaAudioConfigSchema.optional(),\n })\n .optional();\n\n// ============================================\n// Provider Configs (capability providers: image / audio / video)\n// ============================================\n\n/**\n * Optional Azure OpenAI overrides used when an OpenAI image-generation\n * request should hit an Azure deployment instead of `api.openai.com`.\n *\n * URL template (when present):\n * `https://<resource>.openai.azure.com/openai/deployments/<deployment>/images/generations?api-version=<apiVersion>`\n */\nexport const ProviderAzureConfigSchema = z\n .object({\n /** Azure resource name (subdomain before `.openai.azure.com`). */\n resource: z.string().min(1).optional(),\n /** Azure deployment id (configured per model). */\n deployment: z.string().min(1).optional(),\n /** Azure REST API version, e.g. `2024-08-01-preview`. */\n apiVersion: z.string().min(1).optional(),\n })\n .strict();\n\n/** Per-vendor request overrides applied by the provider HTTP layer. */\nexport const ProviderRequestOverridesSchema = z\n .object({\n /** Hard cap for a single HTTP call (ms). */\n timeoutMs: z.number().int().positive().optional(),\n /** Extra headers merged into every outbound request. */\n headers: z.record(z.string(), z.string()).optional(),\n })\n .strict();\n\n/**\n * Generic per-vendor provider config — used by image / audio / video\n * capability providers via `cfg.providers.<id>`. Kept loose (`.strict()` but\n * everything optional) so adding a new vendor never requires a config\n * migration.\n */\nexport const ProviderAuthConfigSchema = z\n .object({\n /** Static API key (api-key / azure-key modes). */\n apiKey: z.string().optional(),\n /** Override the default REST base URL. */\n baseUrl: z.string().url().optional(),\n /** Vendor region (DashScope: `beijing` / `singapore`; AWS: region id). */\n region: z.string().optional(),\n /** Image-only base URL override (DashScope splits image vs LLM). */\n imageBaseUrl: z.string().url().optional(),\n /** Per-vendor request overrides. */\n request: ProviderRequestOverridesSchema.optional(),\n /** Azure OpenAI deployment overrides; only consumed by OpenAI image provider. */\n azure: ProviderAzureConfigSchema.optional(),\n })\n .strict();\n\nexport type ProviderAuthConfig = z.infer<typeof ProviderAuthConfigSchema>;\n\n/**\n * `cfg.providers.<id>` is keyed by provider id (`openai`, `dashscope`,\n * `minimax`, `google`, `fal`, …). Every entry is optional and validated by\n * {@link ProviderAuthConfigSchema}.\n */\nexport const ProvidersConfigSchema = z.record(z.string(), ProviderAuthConfigSchema);\n\nexport type ProvidersConfig = z.infer<typeof ProvidersConfigSchema>;\n\n// ============================================\n// Extension Configs \n// ============================================\n\n// Security config for extensions \nexport const ExtensionSecurityConfigSchema = z.object({\n checkPermissions: z.boolean().default(true),\n allowUntrusted: z.boolean().default(false),\n allow: z.array(z.string()).default([]),\n trackProvenance: z.boolean().default(true),\n allowPromptInjection: z.boolean().default(false),\n});\n\n// Slot config for extensions \nexport const ExtensionSlotsConfigSchema = z.object({\n memory: z.string().optional(),\n tts: z.string().optional(),\n imageGeneration: z.string().optional(),\n webSearch: z.string().optional(),\n});\n\n// Complete extensions config\n// Extension config allows both known fields AND arbitrary extension-specific config\n// Known fields: enabled (array), allow (array), security (object), slots (object)\n// Arbitrary: any other key is extension-specific config (e.g., extensions.hello.greeting)\nexport const ExtensionsConfigSchema: z.ZodType<Record<string, unknown>> = z.record(z.string(), z.unknown());\n\n// ============================================\n// Update Config\n// ============================================\n\nexport const UpdateAutoConfigSchema = z\n .object({\n /** Enable automatic update installation. Default false. */\n enabled: z.boolean().default(false),\n /** Hours to wait before applying a stable update after first detection. */\n stableDelayHours: z.number().min(0).default(6),\n /** Additional random jitter hours for stable rollout (avoids thundering herd). */\n stableJitterHours: z.number().min(0).default(12),\n /** How often to re-check for beta updates (hours). Min 0.25. */\n betaCheckIntervalHours: z.number().min(0.25).default(1),\n })\n .strict()\n .optional();\n\n/** Persistent `/goal` (Ralph loop) — Hermes-aligned defaults. */\nexport const GoalsConfigSchema = z\n .object({\n /** Max continuation turns before auto-pause (Hermes default 20). */\n maxTurns: z.number().int().min(1).max(500).default(20),\n /** Optional judge model ref; defaults to `agents.defaults.model`. */\n judgeModelRef: z.string().optional(),\n /**\n * When true (default), first post-turn runs a decomposition judge to build a checklist;\n * subsequent turns evaluate progress per item (Hermes-style). When false, use legacy freeform judge only.\n */\n checklistMode: z.boolean().default(true),\n /** Auto-pause after this many consecutive judge JSON/tool parse failures (Hermes default 3). */\n maxConsecutiveParseFailures: z.number().int().min(1).max(20).default(3),\n /** Judge LLM call timeout in ms (Hermes uses 60s). */\n judgeTimeoutMs: z.number().int().min(5_000).max(120_000).default(60_000),\n /** Max characters of recent transcript JSON passed to the checklist judge as extra context. */\n checklistHistoryChars: z.number().int().min(0).max(100_000).default(24_000),\n })\n .strict();\n\nexport type GoalsConfig = z.infer<typeof GoalsConfigSchema>;\n\nexport const UpdateConfigSchema = z\n .object({\n /** Check for updates on gateway startup. Default true. */\n checkOnStart: z.boolean().default(true),\n /** Update channel: stable (default), beta, or dev. */\n channel: z.enum(['stable', 'beta', 'dev']).default('stable'),\n /** Automatic update policy. */\n auto: UpdateAutoConfigSchema,\n })\n .strict()\n .optional();\n\nexport type UpdateConfig = z.infer<typeof UpdateConfigSchema>;\n\n// ============================================\n// MCP (Model Context Protocol)\n// ============================================\n\nconst McpHttpUrlSchema = z\n .string()\n .url()\n .refine((value) => {\n try {\n const protocol = new URL(value).protocol;\n return protocol === 'http:' || protocol === 'https:';\n } catch {\n return false;\n }\n }, 'MCP server URL must use http or https');\n\nexport const McpServerSchema = z\n .object({\n command: z.string().optional(),\n args: z.array(z.string()).optional(),\n env: z.record(z.string(), z.union([z.string(), z.number(), z.boolean()])).optional(),\n cwd: z.string().optional(),\n workingDirectory: z.string().optional(),\n url: McpHttpUrlSchema.optional(),\n transport: z.enum(['sse', 'streamable-http']).optional(),\n headers: z.record(z.string(), z.union([z.string(), z.number(), z.boolean()])).optional(),\n connectionTimeoutMs: z.number().finite().positive().optional(),\n })\n .catchall(z.unknown())\n .superRefine((value, ctx) => {\n const hasCommand = typeof value.command === 'string' && value.command.trim().length > 0;\n const hasUrl = typeof value.url === 'string' && value.url.trim().length > 0;\n if (hasCommand && hasUrl) {\n ctx.addIssue({\n code: 'custom',\n message: 'MCP server cannot define both command and url',\n });\n }\n });\n\nexport const McpConfigSchema = z\n .object({\n servers: z.record(z.string(), McpServerSchema).optional(),\n sessionIdleTtlMs: z.number().finite().min(0).optional(),\n })\n .strict()\n .optional();\n\nexport type McpServerConfig = z.infer<typeof McpServerSchema>;\nexport type McpConfig = z.infer<typeof McpConfigSchema>;\n\n// ============================================\n// Root Config\n// ============================================\n\nexport const ConfigSchema = z.object({\n agents: AgentsConfigSchema,\n bindings: BindingsConfigSchema,\n session: SessionConfigSchema,\n channels: ChannelsConfigSchema,\n gateway: GatewayConfigSchema,\n tunnel: TunnelConfigSchema.optional(),\n workspace: WorkspaceConfigSchema,\n tools: ToolsConfigSchema,\n mcp: McpConfigSchema,\n cron: CronConfigSchema,\n goals: GoalsConfigSchema.optional(),\n extensions: ExtensionsConfigSchema.default({}),\n /** Per-vendor capability provider config (image / audio / video). */\n providers: ProvidersConfigSchema.optional(),\n modelsDev: ModelsDevConfigSchema,\n /** Delivery / presentation concerns (currently `tts`). */\n messages: MessagesConfigSchema,\n update: UpdateConfigSchema,\n}).default({\n agents: {\n defaults: {\n workspace: '~/.xopc/workspace',\n model: '', // Empty default - will be resolved dynamically at runtime\n maxTokens: 8192,\n temperature: 0.7,\n maxToolIterations: 20,\n maxRequestsPerTurn: 50,\n maxToolFailuresPerTurn: 3,\n thinkingDefault: 'medium',\n reasoningDefault: 'stream',\n verboseDefault: 'full',\n compaction: {\n enabled: true,\n mode: 'default',\n reserveTokens: 8000,\n triggerThreshold: 0.8,\n minMessagesBeforeCompact: 10,\n keepRecentMessages: 5,\n evictionWindow: 0.2,\n retentionWindow: 6,\n },\n pruning: {\n enabled: true,\n maxToolResultChars: 10000,\n headKeepRatio: 0.3,\n tailKeepRatio: 0.3,\n },\n browser: {\n backend: 'extension',\n },\n },\n },\n bindings: [],\n session: {\n dmScope: 'main' as const,\n },\n channels: {\n telegram: {\n enabled: false,\n allowFrom: [],\n groupAllowFrom: [],\n debug: false,\n accounts: {\n default: {\n accountId: 'default',\n enabled: true,\n botToken: '',\n allowFrom: [],\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n streamMode: 'partial' as const,\n },\n },\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n },\n },\n gateway: {\n bind: 'loopback',\n port: 18790,\n auth: {\n mode: 'token',\n },\n heartbeat: {\n enabled: true,\n intervalMs: 1_800_000,\n includeSystemPromptSection: false,\n },\n maxSseConnections: 100,\n corsOrigins: [],\n skillsMarketplaceProvider: 'skillhub',\n skillsStoreBaseUrl: 'https://store.xopc.ai',\n },\n tools: {\n web: {\n search: {\n maxResults: 5,\n providers: [],\n },\n },\n },\n cron: {\n enabled: true,\n maxConcurrentJobs: 5,\n defaultTimezone: 'UTC',\n historyRetentionDays: 7,\n enableMetrics: true,\n },\n goals: {\n maxTurns: 20,\n checklistMode: true,\n maxConsecutiveParseFailures: 3,\n judgeTimeoutMs: 60_000,\n checklistHistoryChars: 24_000,\n },\n extensions: {\n allow: [],\n security: {\n checkPermissions: true,\n allowUntrusted: false,\n allow: [],\n trackProvenance: true,\n allowPromptInjection: false,\n },\n slots: {},\n },\n modelsDev: {\n enabled: true,\n },\n // messages.tts / tools.media.audio start undefined; the factory layer fills\n // in provider-level defaults (model/voice) on demand. Fresh configs don't\n // ship with enabled providers so they never make surprise STT/TTS calls.\n});\n\nexport type Config = z.infer<typeof ConfigSchema>;\nexport type AgentDefaults = z.infer<typeof AgentDefaultsSchema>;\nexport type GatewayAuthConfig = z.infer<typeof GatewayAuthSchema>;\nexport type GatewayTrustedProxyConfig = z.infer<typeof GatewayTrustedProxySchema>;\nexport type GatewayAuthRateLimitConfig = z.infer<typeof GatewayAuthRateLimitSchema>;\nexport type GatewayBindMode = z.infer<typeof GatewayBindModeSchema>;\nexport type STTConfig = z.infer<typeof STTConfigSchema>;\nexport type TTSConfig = z.infer<typeof TTSConfigSchema>;\n\n// ============================================\n// Helper Functions\n// ============================================\n\n/**\n * Parse a model reference string.\n */\nexport interface ParsedModelRef {\n provider: string;\n model: string;\n}\n\n/**\n * Default agent’s resolved Markdown workspace root (`resolveAgentWorkspaceDir` for the default agent id).\n */\nexport function getWorkspacePath(config: Config): string {\n return getDefaultWorkspacePath(config);\n}\n\n/**\n * Primary model ref from `agents.defaults.model` (string or `{ primary }`).\n * Returns undefined when unset or empty.\n */\nexport function getAgentDefaultModelRef(config: Config): string | undefined {\n const raw = config.agents?.defaults?.model;\n if (raw === undefined || raw === null) return undefined;\n const ref = typeof raw === 'string' ? raw : raw.primary;\n if (ref === undefined || ref === null) return undefined;\n const s = String(ref).trim();\n return s ? s : undefined;\n}\n\n/** `provider/model` or null when invalid. */\nexport function parseModelRef(ref: string): ParsedModelRef | null {\n const trimmed = ref.trim();\n const idx = trimmed.indexOf('/');\n if (idx <= 0 || idx === trimmed.length - 1) {\n return null;\n }\n return { provider: trimmed.slice(0, idx).trim(), model: trimmed.slice(idx + 1).trim() };\n}\n"],"mappings":";;;;;;;;;;AA2zCA,SAAgB,iBAAiB,QAAwB;AACvD,QAAO,wBAAwB,OAAO;;;;;;AAOxC,SAAgB,wBAAwB,QAAoC;CAC1E,MAAM,MAAM,OAAO,QAAQ,UAAU;AACrC,KAAI,QAAQ,KAAA,KAAa,QAAQ,KAAM,QAAO,KAAA;CAC9C,MAAM,MAAM,OAAO,QAAQ,WAAW,MAAM,IAAI;AAChD,KAAI,QAAQ,KAAA,KAAa,QAAQ,KAAM,QAAO,KAAA;CAC9C,MAAM,IAAI,OAAO,IAAI,CAAC,MAAM;AAC5B,QAAO,IAAI,IAAI,KAAA;;;AAIjB,SAAgB,cAAc,KAAoC;CAChE,MAAM,UAAU,IAAI,MAAM;CAC1B,MAAM,MAAM,QAAQ,QAAQ,IAAI;AAChC,KAAI,OAAO,KAAK,QAAQ,QAAQ,SAAS,EACvC,QAAO;AAET,QAAO;EAAE,UAAU,QAAQ,MAAM,GAAG,IAAI,CAAC,MAAM;EAAE,OAAO,QAAQ,MAAM,MAAM,EAAE,CAAC,MAAM;EAAE;;;;mBAj1CvB;wBACH;qBAyYP;uBAEqD;AArYhG,uBAAsB,EAAE,MAAM,CACzC,EAAE,QAAQ,EACV,EACG,OAAO;EACN,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EAC1C,CAAC,CACD,QAAQ,CACZ,CAAC;AAUW,mCAAkC,EAAE,MAAM,CACrD,EAAE,QAAQ,EACV,EACG,OAAO;EACN,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAEzC,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;;;;;EAKjD,sBAAsB,EAAE,SAAS,CAAC,UAAU;EAC7C,CAAC,CACD,QAAQ,CACZ,CAAC;AAIW,uBAAsB,EAAE,OAAO;;EAE1C,WAAW,EAAE,QAAQ,CAAC,QAAQ,oBAAoB;EAClD,OAAO,EAAE,MAAM,CACb,EAAE,QAAQ,EACV,EAAE,OAAO;GACP,SAAS,EAAE,QAAQ,CAAC,UAAU;GAC9B,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;GAC1C,CAAC,CAAC,QAAQ,CACZ,CAAC,CAAC,QAAQ,GAAG;;EAEd,YAAY,oBAAoB,UAAU;;EAE1C,sBAAsB,gCAAgC,UAAU;;EAEhE,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;EAC5C,WAAW,EAAE,QAAQ,CAAC,QAAQ,KAAK;EACnC,aAAa,EAAE,QAAQ,CAAC,QAAQ,GAAI;EACpC,mBAAmB,EAAE,QAAQ,CAAC,QAAQ,GAAG;EAEzC,mBAAmB,EAAE,QAAQ,CAAC,IAAI,IAAM,CAAC,IAAI,MAAW,CAAC,UAAU;EAEnE,oBAAoB,EAAE,QAAQ,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,GAAG;EAC3D,wBAAwB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE;EAE5D,iBAAiB,EAAE,KAAK;GAAC;GAAO;GAAW;GAAO;GAAU;GAAQ;GAAS;GAAW,CAAC,CAAC,UAAU;EACpG,kBAAkB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAS,CAAC,CAAC,UAAU;EAC5D,gBAAgB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAO,CAAC,CAAC,UAAU;EACxD,mBAAmB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;EACzD,wBAAwB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;EAC9D,kCAAkC,EAAE,KAAK;GAAC;GAAO;GAAQ;GAAS,CAAC,CAAC,UAAU;EAC9E,gBAAgB,EACb,OAAO;GACN,SAAS,EAAE,SAAS,CAAC,UAAU;GAC/B,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC,CAAC,UAAU;GACrD,iBAAiB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;GACnD,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;GACpD,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;GACpD,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;GACtD,CAAC,CACD,UAAU;EACb,eAAe,EACZ,OAAO,EACN,wBAAwB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,EAC/D,CAAC,CACD,UAAU;EACb,YAAY,EAAE,OAAO;GACnB,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;GAClC,MAAM,EAAE,KAAK,CAAC,WAAW,YAAY,CAAC,CAAC,QAAQ,UAAU;GACzD,eAAe,EAAE,QAAQ,CAAC,QAAQ,IAAK;GACvC,kBAAkB,EAAE,QAAQ,CAAC,IAAI,GAAI,CAAC,IAAI,IAAK,CAAC,QAAQ,GAAI;GAC5D,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,GAAG;GAChD,oBAAoB,EAAE,QAAQ,CAAC,QAAQ,EAAE;GAEzC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,GAAI,CAAC,IAAI,GAAI,CAAC,QAAQ,GAAI;GACzD,iBAAiB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE;GACrD,wBAAwB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;GACvD,CAAC,CAAC,UAAU;EACb,SAAS,EAAE,OAAO;GAChB,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;GAClC,oBAAoB,EAAE,QAAQ,CAAC,QAAQ,IAAM;GAC7C,eAAe,EAAE,QAAQ,CAAC,QAAQ,GAAI;GACtC,eAAe,EAAE,QAAQ,CAAC,QAAQ,GAAI;GACvC,CAAC,CAAC,UAAU;;;;;EAKb,QAAQ,EACL,OAAO;;GAEN,SAAS,EAAE,SAAS,CAAC,UAAU;;GAE/B,mBAAmB,EAAE,SAAS,CAAC,UAAU;;GAEzC,oBAAoB,EAAE,SAAS,CAAC,UAAU;GAC1C,iBAAiB,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;GACjD,eAAe,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;GAC/C,UAAU,EAAE,KAAK,CAAC,QAAQ,OAAO,CAAC,CAAC,UAAU;;GAE7C,oBAAoB,EAAE,KAAK,CAAC,cAAc,aAAa,CAAC,CAAC,UAAU;;GAEnE,gBAAgB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;GAElD,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;;;;;;;;;GAUpD,UAAU,EACP,OAAO;IACN,SAAS,EAAE,SAAS,CAAC,UAAU;;IAE/B,WAAW,EAAE,QAAQ,CAAC,UAAU;IAChC,UAAU,EAAE,QAAQ,CAAC,UAAU;IAC/B,QAAQ,EACL,OAAO;KACN,OAAO,EACJ,OAAO;MACN,SAAS,EAAE,SAAS,CAAC,UAAU;MAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;MAC3B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAChD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACzC,kBAAkB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,UAAU;MACtD,CAAC,CACD,UAAU;KACb,MAAM,EACH,OAAO;MACN,SAAS,EAAE,SAAS,CAAC,UAAU;MAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;MAC3B,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,UAAU;MAC7C,gBAAgB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAClD,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACpD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACzC,qBAAqB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;MACjD,YAAY,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAC/C,CAAC,CACD,UAAU;KACb,KAAK,EACF,OAAO;MACN,SAAS,EAAE,SAAS,CAAC,UAAU;MAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;MAC3B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAChD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACzC,oBAAoB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,UAAU;MACxD,CAAC,CACD,UAAU;KACd,CAAC,CACD,UAAU;IACd,CAAC,CACD,UAAU;GACd,CAAC,CACD,UAAU;;EAEb,eAAe,EACZ,OAAO;;AAEN,cAAc,EAAE,QAAQ,CAAC,UAAU,EACpC,CAAC,CACD,UAAU;;;;;;EAMb,kBAAkB,EACf,OAAO;;GAEN,SAAS,EAAE,SAAS,CAAC,UAAU;;GAE/B,qBAAqB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;GAEvD,oBAAoB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;GAEtD,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,UAAU;;GAEzD,oBAAoB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU;;GAEhE,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAO,CAAC,IAAI,IAAQ,CAAC,UAAU;GACpE,CAAC,CACD,UAAU;;EAEb,YAAY,EACT,OAAO;GACN,OAAO,EAAE,QAAQ,CAAC,UAAU;GAC5B,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;GAC5C,CAAC,CACD,UAAU;;;;;EAKb,SAAS,EACN,OAAO;GACN,SAAS,EAAE,SAAS,CAAC,UAAU;;GAE/B,UAAU,EAAE,SAAS,CAAC,UAAU;;GAEhC,kBAAkB,EAAE,SAAS,CAAC,UAAU;;GAExC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;GAE5C,SAAS,EAAE,KAAK;IAAC;IAAS;IAAO;IAAS;IAAa;IAAe,CAAC,CAAC,UAAU;;GAElF,eAAe,EAAE,KAAK;IAAC;IAAS;IAAe;IAAc,CAAC,CAAC,UAAU;;GAEzE,OAAO,EAAE,OAAO;;IAEd,QAAQ,EAAE,QAAQ,CAAC,UAAU;;IAE7B,WAAW,EAAE,QAAQ,CAAC,UAAU;;IAEhC,QAAQ,EAAE,QAAQ,CAAC,UAAU;IAC9B,CAAC,CAAC,UAAU;;GAEb,QAAQ,EAAE,QAAQ,CAAC,UAAU;;GAE7B,WAAW,EAAE,OAAO;;IAElB,MAAM,EAAE,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,UAAU;;IAEhD,MAAM,EAAE,QAAQ,CAAC,UAAU;;IAE3B,mBAAmB,EAAE,QAAQ,CAAC,IAAI,IAAK,CAAC,UAAU;IACnD,CAAC,CAAC,UAAU;;GAEb,cAAc,EAAE,KAAK;IAAC;IAAgB;IAAgB;IAAc,CAAC,CAAC,UAAU;;GAEhF,sBAAsB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;GAElD,UAAU,EAAE,SAAS,CAAC,UAAU;;GAEhC,aAAa,EAAE,KAAK,CAAC,WAAW,UAAU,CAAC,CAAC,UAAU;;GAEtD,cAAc,EAAE,OAAO;;IAErB,UAAU,EAAE,SAAS,CAAC,UAAU;;IAEhC,kBAAkB,EAAE,SAAS,CAAC,UAAU;;IAExC,UAAU,EACP,QAAQ,CACR,UAAU,CACV,aAAa,GAAG,QAAQ;KACvB,MAAM,IAAI,cAAc,EAAE;AAC1B,SAAI,EAAE,OAAO,MAAO,KAAI,SAAS;MAAE,MAAM;MAAU,SAAS,EAAE;MAAS,CAAC;MACxE;;IAEJ,YAAY,EAAE,QAAQ,CAAC,UAAU;;IAEjC,UAAU,EAAE,QAAQ,CAAC,UAAU;;IAE/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;;IAE7B,UAAU,EAAE,QAAQ,CAAC,UAAU;;IAE/B,qBAAqB,EAAE,QAAQ,CAAC,UAAU;;IAE1C,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;IAC1C,CAAC,CAAC,UAAU;GACd,CAAC,CACD,UAAU;;EAEb,UAAU,EACP,OAAO,EACN,SAAS,EAAE,SAAS,CAAC,UAAU,EAChC,CAAC,CACD,UAAU;;EAEb,aAAa,EACV,OAAO,EACN,SAAS,EAAE,SAAS,CAAC,UAAU,EAChC,CAAC,CACD,UAAU;;EAEb,sBAAsB,EAAE,QAAQ,CAAC,UAAU;;EAE3C,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAEtC,OAAO,EACJ,OAAO,EACN,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU,EACxC,CAAC,CACD,UAAU;;EAEb,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,UAAU;EACrD,CAAC;AAEW,qBAAoB,EAAE,OAAO;EACxC,IAAI,EAAE,QAAQ;;EAEd,SAAS,EAAE,SAAS,CAAC,UAAU;EAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;;EAE3B,aAAa,EAAE,QAAQ,CAAC,IAAI,IAAK,CAAC,UAAU;EAC5C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;;EAElC,WAAW,EAAE,QAAQ,CAAC,UAAU;;;;;EAKhC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,OAAO,oBAAoB,UAAU;EACrC,iBAAiB,EAAE,KAAK;GAAC;GAAO;GAAW;GAAO;GAAU;GAAQ;GAAS;GAAW,CAAC,CAAC,UAAU;EACpG,kBAAkB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAS,CAAC,CAAC,UAAU;EAC5D,gBAAgB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAO,CAAC,CAAC,UAAU;EACxD,sBAAsB,EAAE,QAAQ,CAAC,UAAU;EAC3C,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EACtC,OAAO,EACJ,OAAO,EACN,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU,EACxC,CAAC,CACD,UAAU;EACb,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,UAAU;EACrD,CAAC;AAEW,sBAAqB,EAAE,OAAO;;EAEzC,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,UAAU,oBAAoB,UAAU;EACxC,MAAM,EAAE,MAAM,kBAAkB,CAAC,UAAU;EAC5C,CAAC,CAAC,QAAQ,EACT,UAAU;EACR,WAAW;EACX,OAAO;EACP,WAAW;EACX,aAAa;EACb,mBAAmB;EACnB,oBAAoB;EACpB,wBAAwB;EACxB,iBAAiB;EACjB,kBAAkB;EAClB,gBAAgB;EAChB,YAAY;GACV,SAAS;GACT,MAAM;GACN,eAAe;GACf,kBAAkB;GAClB,0BAA0B;GAC1B,oBAAoB;GACpB,gBAAgB;GAChB,iBAAiB;GAClB;EACD,SAAS;GACP,SAAS;GACT,oBAAoB;GACpB,eAAe;GACf,eAAe;GAChB;EACD,SAAS,EACP,SAAS,aACV;EACF,EACF,CAAQ;AAmBI,sBAAqB,EAAE,OAAO;EACzC,SAAS,EAAE,QAAQ;EACnB,WAAW,EAAE,QAAQ,CAAC,UAAU;EAChC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EAC9C,CAAC;AAEW,qBAAoB,EAAE,OAAO;EACxC,IAAI,EAAE,QAAQ,CAAC,UAAU;EACzB,SAAS,EAAE,QAAQ;EACnB,UAAU,EAAE,QAAQ,CAAC,QAAQ,IAAI;EACjC,OAAO;EACP,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EACnC,CAAC;AAEW,wBAAuB,EAAE,MAAM,kBAAkB,CAAC,QAAQ,EAAE,CAAC;AAE7D,wBAAuB,EAAE,KAAK;EACzC;EACA;EACA;EACA;EACD,CAAC;AAEW,8BAA6B,EAAE,OAAO;EACjD,cAAc,EAAE,QAAQ,CAAC,UAAU;EACnC,YAAY,EAAE,QAAQ,CAAC,UAAU;EAClC,CAAC;AAEW,uBAAsB,EAAE,OAAO;EAC1C,SAAS,qBAAqB,QAAQ,OAAO;EAC7C,eAAe,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,UAAU;EACnE,SAAS,2BAA2B,UAAU;EAC/C,CAAC,CAAC,QAAQ,EACT,SAAS,QACV,CAAC;AAGW,wBAAuB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,QAAQ,EAC5E,UAAU;EACR,SAAS;EACT,WAAW,EAAE;EACb,gBAAgB,EAAE;EAClB,OAAO;EACP,UAAU,EACR,SAAS;GACP,WAAW;GACX,SAAS;GACT,UAAU;GACV,WAAW,EAAE;GACb,UAAU;GACV,aAAa;GACb,aAAa;GACb,cAAc;GACd,gBAAgB;GAChB,YAAY;GACb,EACF;EACD,UAAU;EACV,aAAa;EACb,aAAa;EACb,cAAc;EACd,gBAAgB;EACjB,EACF,CAAC;AAEW,6BAA4B,EAAE,OAAO;EAChD,MAAM,EAAE,KAAK;GAAC;GAAS;GAAU;GAAQ;GAAU,CAAC;EACpD,QAAQ,EAAE,QAAQ,CAAC,UAAU;;EAE7B,KAAK,EAAE,QAAQ,CAAC,UAAU;EAC1B,UAAU,EAAE,SAAS,CAAC,UAAU;EACjC,CAAC;AAIW,yBAAwB,EAAE,OAAO;EAC5C,YAAY,EAAE,QAAQ,CAAC,QAAQ,EAAE;;EAEjC,WAAW,EAAE,MAAM,0BAA0B,CAAC,QAAQ,EAAE,CAAC;EAC1D,CAAC;AAIW,0BAAyB,EAAE,OAAO;;EAE7C,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;EACzC,CAAC;AAIW,wBAAuB,EAAE,OAAO;;EAE3C,QAAQ,EAAE,KAAK,CAAC,MAAM,SAAS,CAAC,CAAC,UAAU;EAC3C,QAAQ,sBAAsB,UAAU;;EAExC,WAAW,uBAAuB,UAAU;EAC7C,CAAC;AAIW,qBAAoB,EAAE,OAAO;EACxC,KAAK,qBAAqB,UAAU;;;;;EAKpC,OAAO,EAAE,WAAW,uBAAuB;EAC5C,CAAC,CAAC,QAAQ,EACT,KAAK,EACH,QAAQ;EACN,YAAY;EACZ,WAAW,EAAE;EACd,EACF,EACF,CAAC;AAMW,8BAA6B,EACvC,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,aAAa,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;EAC/C,UAAU,EAAE,QAAQ,CAAC,QAAQ,IAAQ;EACrC,iBAAiB,EAAE,QAAQ,CAAC,QAAQ,IAAQ;;EAE5C,WAAW,EAAE,QAAQ,CAAC,UAAU;;EAEhC,gBAAgB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC1C,CAAC,CACD,UAAU;AAEA,yBAAwB,EAClC,OAAO;;AAEN,QAAQ,EAAE,SAAS,CAAC,UAAU,EAC/B,CAAC,CACD,UAAU;AAEA,6BAA4B,EACtC,OAAO;;EAEN,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;;EAE7B,iBAAiB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE/C,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE1C,eAAe,EAAE,SAAS,CAAC,UAAU;EACtC,CAAC,CACD,QAAQ;AAEE,qBAAoB,EAC9B,OAAO;EACN,MAAM,EAAE,KAAK;GAAC;GAAQ;GAAS;GAAY;GAAgB,CAAC,CAAC,QAAQ,QAAQ;EAC7E,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,UAAU,EAAE,QAAQ,CAAC,UAAU;;EAE/B,gBAAgB,EAAE,SAAS,CAAC,UAAU;EACtC,WAAW;EACX,cAAc,0BAA0B,UAAU;EACnD,CAAC,CACD,QAAQ,EACP,MAAM,SACP,CAAC;AAES,iCAAgC,EAAE,OAAO;EACpD,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC1B,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC9B,CAAC;AAEW,0BAAyB,EACnC,OAAO;EACN,MAAM,EAAE,KAAK;GAAC;GAAO;GAAS;GAAS,CAAC,CAAC,QAAQ,MAAM;EACvD,aAAa,EAAE,SAAS,CAAC,QAAQ,KAAK;EACtC,SAAS,8BAA8B,UAAU;EAClD,CAAC,CACD,QAAQ;EACP,MAAM;EACN,aAAa;EACd,CAAC;AAES,uBAAsB,EAAE,OAAO;EAC1C,KAAK,EAAE,QAAQ,CAAC,KAAK;EACrB,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,WAAW,EAAE,KAAK,CAAC,UAAU,MAAM,CAAC,CAAC,QAAQ,SAAS;EACtD,WAAW,EAAE,QAAQ,CAAC,UAAU;EAChC,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,gBAAgB,EAAE,QAAQ,CAAC,UAAU;EACtC,CAAC;AAEW,oBAAmB,EAC7B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;EACnC,cAAc,EAAE,SAAS,CAAC,QAAQ,MAAM;EACxC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC/B,CAAC,CACD,QAAQ;EACP,SAAS;EACT,cAAc;EACf,CAAC;AAES,qBAAoB,EAAE,KAAK,CAAC,SAAS,SAAS,CAAC,CAAC,QAAQ,QAAQ;AAEhE,yBAAwB,EAClC,OAAO;EACN,SAAS,EAAE,SAAS;EACpB,YAAY,EAAE,QAAQ;;EAEtB,4BAA4B,EAAE,SAAS,CAAC,UAAU,CAAC,QAAQ,MAAM;EACjE,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,cAAc,EAAE,QAAQ,CAAC,UAAU;EACnC,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,iBAAiB,EAAE,SAAS,CAAC,UAAU;EACvC,aAAa,EACV,OAAO;GACN,OAAO,EAAE,QAAQ;GACjB,KAAK,EAAE,QAAQ;GACf,UAAU,EAAE,QAAQ,CAAC,UAAU;GAChC,CAAC,CACD,UAAU;EACd,CAAC,CACD,QAAQ;EACP,SAAS;EACT,YAAY;EACZ,4BAA4B;EAC7B,CAAC;AAES,wCAAuC,EAAE,KAAK;EAAC;EAAQ;EAAO;EAAW,CAAC;AAE1E,uBAAsB,EAAE,OAAO;EAC1C,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC1B,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC9B,CAAC;AAEW,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,QAAQ,MAAM;EAC7D,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;EACpC,CAAC,CACD,QAAQ;EACP,SAAS;EACT,SAAS;EACT,SAAS;EACV,CAAC;AAES,4BAA2B,EAAE,KAAK,CAAC,UAAU,eAAe,CAAC;AAE7D,sBAAqB,EAC/B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;EACnC,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,QAAQ,0BAA0B;;EAE9D,oBAAoB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;EAChD,WAAW,EAAE,SAAS,CAAC,QAAQ,MAAM;EACrC,WAAW,EAAE,QAAQ,CAAC,UAAU;;EAEhC,UAAU,yBAAyB,QAAQ,SAAS;EACpD,SAAS,oBAAoB,UAAU;EACvC,KAAK,gBAAgB,UAAU;EAChC,CAAC,CACD,QAAQ;EACP,SAAS;EACT,WAAW;EACX,WAAW;EACX,UAAU;EACX,CAAC;AASS,+BAA8B,EAAE,OAAO;;EAElD,WAAW,EAAE,QAAQ,CAAC,QAAQ,UAAU;;EAExC,UAAU,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,YAAe,CAAC,QAAQ,UAAY;;EAE7E,gBAAgB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC1C,CAAC;AAGW,yBAAwB,EAAE,OAAO,EAC5C,QAAQ,4BAA4B,UAAU,EAC/C,CAAC,CAAC,UAAU;AAGA,yBAAwB,EAAE,KAAK;EAAC;EAAQ;EAAY;EAAO;EAAW;EAAS,CAAC;AAEhF,uBAAsB,EAAE,OAAO;;EAE1C,MAAM,sBAAsB,UAAU;;EAEtC,gBAAgB,EAAE,QAAQ,CAAC,UAAU;EACrC,MAAM,EAAE,QAAQ,CAAC,UAAU;;EAE3B,MAAM,kBAAkB,UAAU;;EAElC,QAAQ,oBAAoB,UAAU;EACtC,WAAW,uBAAuB,UAAU;EAC5C,KAAK,iBAAiB,UAAU;EAChC,MAAM,kBAAkB,UAAU;EAClC,WAAW,sBAAsB,UAAU;EAC3C,mBAAmB,EAAE,QAAQ,CAAC,UAAU;EACxC,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE3C,0CAA0C,EAAE,SAAS,CAAC,UAAU;;EAEhE,gBAAgB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE9C,qBAAqB,EAAE,SAAS,CAAC,UAAU;EAC3C,UAAU;;;;;;;EAOV,yBAAyB,qCAAqC,UAAU;;EAExE,wBAAwB,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU;;EAErE,4BAA4B,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU;;EAEzE,2BAA2B,EAAE,QAAQ,CAAC,UAAU;;EAEhD,oBAAoB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;;EAE/C,OAAO,EAAE,OAAO;GACd,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;;GAElC,cAAc,EAAE,QAAQ,CAAC,IAAI,IAAO,CAAC,IAAI,OAAY,CAAC,QAAQ,MAAW;;GAEzE,UAAU,EAAE,QAAQ,CAAC,IAAI,IAAO,CAAC,IAAI,OAAc,CAAC,QAAQ,OAAY;;GAExE,iBAAiB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,IAAO,CAAC,QAAQ,IAAI;;GAE3D,aAAa,EAAE,QAAQ,CAAC,IAAI,QAAU,CAAC,IAAI,YAAe,CAAC,QAAQ,UAAY;;GAE/E,oBAAoB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ;IAC9C;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACD,CAAC;GACH,CAAC,CAAC,UAAU;EACd,CAAC,CAAC,QAAQ;EACT,MAAM;EACN,MAAM;EACN,MAAM,EACJ,MAAM,SACP;EACD,WAAW;GACT,SAAS;GACT,YAAY;GACZ,4BAA4B;GAC7B;EACD,mBAAmB;EACnB,aAAa,EAAE;EACf,2BAA2B;EAC3B,oBAAoB;EACrB,CAAC;AAEW,oBAAmB,EAAE,OAAO;EACvC,SAAS,EAAE,SAAS,CAAC,UAAU;EAC/B,mBAAmB,EAAE,QAAQ,CAAC,UAAU;EACxC,iBAAiB,EAAE,QAAQ,CAAC,UAAU;EACtC,sBAAsB,EAAE,QAAQ,CAAC,UAAU;EAC3C,eAAe,EAAE,SAAS,CAAC,UAAU;EACtC,CAAC,CAAC,QAAQ;EACT,SAAS;EACT,mBAAmB;EACnB,iBAAiB;EACjB,sBAAsB;EACtB,eAAe;EAChB,CAAC;AAEW,yBAAwB,EAAE,OAAO,EAC5C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK,EACnC,CAAC,CAAC,QAAQ,EACT,SAAS,MACV,CAAC;AAMI,mCAAkC,EAAE,MAAM;EAC9C,EAAE,QAAQ;EACV,EAAE,QAAQ;EACV,EAAE,SAAS;EACX,EAAE,MAAM;EACR,EAAE,MAAM,EAAE,SAAS,CAAC;EACpB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC;EAClC,CAAC;AAEW,2BAA0B,EACpC,OAAO;EACN,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;EACpD,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC9B,CAAC,CACD,SAAS,gCAAgC;AAE/B,2BAA0B,EAAE,OAAO;EAC9C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,SAAS,CAAC;EACjE,CAAC;AAEW,wCAAuC,EACjD,MAAM,EAAE,KAAK;EAAC;EAAS;EAAS;EAAQ,CAAC,CAAC,CAC1C,UAAU;AAEA,iCAAgC,EAC1C,OAAO;EACN,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,cAAc;EACd,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,WAAW,EAAE,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;EACnE,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;EACpD,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC9B,CAAC,CACD,SAAS,gCAAgC;AAE/B,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,UAAU;EAC9C,UAAU,wBAAwB,UAAU;EAC5C,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAK,CAAC,IAAI,KAAO,CAAC,UAAU;;EAE5D,QAAQ,EAAE,MAAM,8BAA8B,CAAC,UAAU;;EAEzD,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,wBAAwB,CAAC,UAAU;;EAEnE,SAAS,wBAAwB,UAAU;EAC3C,QAAQ,wBAAwB,UAAU;EAC3C,CAAC,CACD,aAAa;AAMV,mCAAkC,EAAE,MAAM;EAC9C,EAAE,QAAQ;EACV,EAAE,QAAQ;EACV,EAAE,SAAS;EACX,EAAE,MAAM;EACR,EAAE,MAAM,EAAE,SAAS,CAAC;EACpB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC;EAClC,CAAC;AAEW,2BAA0B,EACpC,OAAO;EACN,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC7B,CAAC,CACD,SAAS,gCAAgC;AAE/B,2BAA0B,EAAE,OAAO;EAC9C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,OAAO,EACJ,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CACxB,QAAQ;GAAC;GAAU;GAAW;GAAW;GAAO,CAAC;EACrD,CAAC;AAEW,iCAAgC,EAAE,OAAO;EACpD,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,WAAW,EAAE,SAAS,CAAC,QAAQ,KAAK;EACpC,eAAe,EAAE,SAAS,CAAC,QAAQ,MAAM;EACzC,YAAY,EAAE,SAAS,CAAC,QAAQ,KAAK;EACrC,cAAc,EAAE,SAAS,CAAC,QAAQ,KAAK;EACvC,oBAAoB,EAAE,SAAS,CAAC,QAAQ,MAAM;EAC9C,oBAAoB,EAAE,SAAS,CAAC,QAAQ,MAAM;EAC9C,WAAW,EAAE,SAAS,CAAC,QAAQ,MAAM;EACtC,CAAC;AAEW,uBAAsB,EAAE,OAAO;EAC1C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;EAC3B,cAAc,EAAE,QAAQ,CAAC,UAAU;EACnC,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;EAC3B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAK,CAAC,IAAI,KAAO,CAAC,UAAU;EAC7D,CAAC;AAEW,gCAA+B,EAAE,OAAO;EACnD,SAAS,EAAE,SAAS,CAAC,UAAU;EAC/B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;EAChD,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;EAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC7B,CAAC;AAEW,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,SAAS;EAC7C,SAAS,EAAE,KAAK;GAAC;GAAO;GAAU;GAAW;GAAS,CAAC,CAAC,QAAQ,SAAS;EACzE,UAAU,wBAAwB,UAAU;EAC5C,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,IAAI;EACnD,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAK,CAAC,IAAI,KAAO,CAAC,QAAQ,IAAM;EAChE,eAAe,6BAA6B,UAAU;EACtD,gBAAgB,8BAA8B,UAAU;;EAExD,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,wBAAwB,CAAC,UAAU;;EAEnE,SAAS,wBAAwB,UAAU;EAC3C,QAAQ,wBAAwB,UAAU;EAC1C,MAAM,oBAAoB,UAAU;EACpC,SAAS,wBAAwB,UAAU;EAC5C,CAAC,CACD,aAAa;AAMH,wBAAuB,EAAE,OAAO;;AAE3C,KAAK,gBAAgB,UAAU,EAChC,CAAC,CAAC,UAAU;AAEA,+BAA8B;AAE9B,0BAAyB,EACnC,OAAO;;EAEN,QAAQ,EAAE,MAAM,8BAA8B,CAAC,UAAU;;EAEzD,OAAO,4BAA4B,UAAU;EAC9C,CAAC,CACD,UAAU;AAaA,6BAA4B,EACtC,OAAO;;EAEN,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;EAEtC,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;EAExC,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;EACzC,CAAC,CACD,QAAQ;AAGE,kCAAiC,EAC3C,OAAO;;EAEN,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;;EAEjD,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;EACrD,CAAC,CACD,QAAQ;AAQE,4BAA2B,EACrC,OAAO;;EAEN,QAAQ,EAAE,QAAQ,CAAC,UAAU;;EAE7B,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;;EAEpC,QAAQ,EAAE,QAAQ,CAAC,UAAU;;EAE7B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;;EAEzC,SAAS,+BAA+B,UAAU;;EAElD,OAAO,0BAA0B,UAAU;EAC5C,CAAC,CACD,QAAQ;AASE,yBAAwB,EAAE,OAAO,EAAE,QAAQ,EAAE,yBAAyB;AAStE,iCAAgC,EAAE,OAAO;EACpD,kBAAkB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC3C,gBAAgB,EAAE,SAAS,CAAC,QAAQ,MAAM;EAC1C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;EACtC,iBAAiB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC1C,sBAAsB,EAAE,SAAS,CAAC,QAAQ,MAAM;EACjD,CAAC;AAGW,8BAA6B,EAAE,OAAO;EACjD,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,KAAK,EAAE,QAAQ,CAAC,UAAU;EAC1B,iBAAiB,EAAE,QAAQ,CAAC,UAAU;EACtC,WAAW,EAAE,QAAQ,CAAC,UAAU;EACjC,CAAC;AAMW,0BAA6D,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC;AAM9F,0BAAyB,EACnC,OAAO;;EAEN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,kBAAkB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;;EAE9C,mBAAmB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,GAAG;;EAEhD,wBAAwB,EAAE,QAAQ,CAAC,IAAI,IAAK,CAAC,QAAQ,EAAE;EACxD,CAAC,CACD,QAAQ,CACR,UAAU;AAGA,qBAAoB,EAC9B,OAAO;;EAEN,UAAU,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,GAAG;;EAEtD,eAAe,EAAE,QAAQ,CAAC,UAAU;;;;;EAKpC,eAAe,EAAE,SAAS,CAAC,QAAQ,KAAK;;EAExC,6BAA6B,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE;;EAEvE,gBAAgB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAM,CAAC,IAAI,KAAQ,CAAC,QAAQ,IAAO;;EAExE,uBAAuB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,IAAQ,CAAC,QAAQ,KAAO;EAC5E,CAAC,CACD,QAAQ;AAIE,sBAAqB,EAC/B,OAAO;;EAEN,cAAc,EAAE,SAAS,CAAC,QAAQ,KAAK;;EAEvC,SAAS,EAAE,KAAK;GAAC;GAAU;GAAQ;GAAM,CAAC,CAAC,QAAQ,SAAS;;EAE5D,MAAM;EACP,CAAC,CACD,QAAQ,CACR,UAAU;AAQP,oBAAmB,EACtB,QAAQ,CACR,KAAK,CACL,QAAQ,UAAU;AACjB,MAAI;GACF,MAAM,WAAW,IAAI,IAAI,MAAM,CAAC;AAChC,UAAO,aAAa,WAAW,aAAa;UACtC;AACN,UAAO;;IAER,wCAAwC;AAEhC,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EACpC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM;GAAC,EAAE,QAAQ;GAAE,EAAE,QAAQ;GAAE,EAAE,SAAS;GAAC,CAAC,CAAC,CAAC,UAAU;EACpF,KAAK,EAAE,QAAQ,CAAC,UAAU;EAC1B,kBAAkB,EAAE,QAAQ,CAAC,UAAU;EACvC,KAAK,iBAAiB,UAAU;EAChC,WAAW,EAAE,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC,UAAU;EACxD,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM;GAAC,EAAE,QAAQ;GAAE,EAAE,QAAQ;GAAE,EAAE,SAAS;GAAC,CAAC,CAAC,CAAC,UAAU;EACxF,qBAAqB,EAAE,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU;EAC/D,CAAC,CACD,SAAS,EAAE,SAAS,CAAC,CACrB,aAAa,OAAO,QAAQ;EAC3B,MAAM,aAAa,OAAO,MAAM,YAAY,YAAY,MAAM,QAAQ,MAAM,CAAC,SAAS;EACtF,MAAM,SAAS,OAAO,MAAM,QAAQ,YAAY,MAAM,IAAI,MAAM,CAAC,SAAS;AAC1E,MAAI,cAAc,OAChB,KAAI,SAAS;GACX,MAAM;GACN,SAAS;GACV,CAAC;GAEJ;AAES,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB,CAAC,UAAU;EACzD,kBAAkB,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;EACxD,CAAC,CACD,QAAQ,CACR,UAAU;AASA,gBAAe,EAAE,OAAO;EACnC,QAAQ;EACR,UAAU;EACV,SAAS;EACT,UAAU;EACV,SAAS;EACT,QAAQ,mBAAmB,UAAU;EACrC,WAAW;EACX,OAAO;EACP,KAAK;EACL,MAAM;EACN,OAAO,kBAAkB,UAAU;EACnC,YAAY,uBAAuB,QAAQ,EAAE,CAAC;;EAE9C,WAAW,sBAAsB,UAAU;EAC3C,WAAW;;EAEX,UAAU;EACV,QAAQ;EACT,CAAC,CAAC,QAAQ;EACT,QAAQ,EACN,UAAU;GACR,WAAW;GACX,OAAO;GACP,WAAW;GACX,aAAa;GACb,mBAAmB;GACnB,oBAAoB;GACpB,wBAAwB;GACxB,iBAAiB;GACjB,kBAAkB;GAClB,gBAAgB;GAChB,YAAY;IACV,SAAS;IACT,MAAM;IACN,eAAe;IACf,kBAAkB;IAClB,0BAA0B;IAC1B,oBAAoB;IACpB,gBAAgB;IAChB,iBAAiB;IAClB;GACD,SAAS;IACP,SAAS;IACT,oBAAoB;IACpB,eAAe;IACf,eAAe;IAChB;GACD,SAAS,EACP,SAAS,aACV;GACF,EACF;EACD,UAAU,EAAE;EACZ,SAAS,EACP,SAAS,QACV;EACD,UAAU,EACR,UAAU;GACR,SAAS;GACT,WAAW,EAAE;GACb,gBAAgB,EAAE;GAClB,OAAO;GACP,UAAU,EACR,SAAS;IACP,WAAW;IACX,SAAS;IACT,UAAU;IACV,WAAW,EAAE;IACb,UAAU;IACV,aAAa;IACb,aAAa;IACb,cAAc;IACd,gBAAgB;IAChB,YAAY;IACb,EACF;GACD,UAAU;GACV,aAAa;GACb,aAAa;GACb,cAAc;GACd,gBAAgB;GACjB,EACF;EACD,SAAS;GACP,MAAM;GACN,MAAM;GACN,MAAM,EACJ,MAAM,SACP;GACD,WAAW;IACT,SAAS;IACT,YAAY;IACZ,4BAA4B;IAC7B;GACD,mBAAmB;GACnB,aAAa,EAAE;GACf,2BAA2B;GAC3B,oBAAoB;GACrB;EACD,OAAO,EACL,KAAK,EACH,QAAQ;GACN,YAAY;GACZ,WAAW,EAAE;GACd,EACF,EACF;EACD,MAAM;GACJ,SAAS;GACT,mBAAmB;GACnB,iBAAiB;GACjB,sBAAsB;GACtB,eAAe;GAChB;EACD,OAAO;GACL,UAAU;GACV,eAAe;GACf,6BAA6B;GAC7B,gBAAgB;GAChB,uBAAuB;GACxB;EACD,YAAY;GACV,OAAO,EAAE;GACT,UAAU;IACR,kBAAkB;IAClB,gBAAgB;IAChB,OAAO,EAAE;IACT,iBAAiB;IACjB,sBAAsB;IACvB;GACD,OAAO,EAAE;GACV;EACD,WAAW,EACT,SAAS,MACV;EAIF,CAAC"}
1
+ {"version":3,"file":"schema.js","names":[],"sources":["../../../src/config/schema.ts"],"sourcesContent":["import { z } from 'zod';\n\nimport { getDefaultWorkspacePath } from '../agent/agent-scope.js';\nimport { checkCacheDir } from '../browser/cache-dir-policy.js';\n\n// ============================================\n// Agent Configs\n// ============================================\n\nexport const AgentModelRefSchema = z.union([\n z.string(),\n z\n .object({\n primary: z.string().optional(),\n fallbacks: z.array(z.string()).optional(),\n })\n .strict(),\n]);\n\nexport type AgentModelConfig = z.infer<typeof AgentModelRefSchema>;\n\n/**\n * Image-generation model ref. Superset of {@link AgentModelRefSchema} with\n * runtime knobs (`timeoutMs`, `autoProviderFallback`) used by the\n * image-generation runtime; falls back to a plain string for backward\n * compatibility with old configs.\n */\nexport const AgentImageGenerationModelSchema = z.union([\n z.string(),\n z\n .object({\n primary: z.string().optional(),\n fallbacks: z.array(z.string()).optional(),\n /** Hard cap for the whole generation attempt (ms). */\n timeoutMs: z.number().int().positive().optional(),\n /**\n * When all `primary + fallbacks` candidates fail, sweep every other\n * configured provider before giving up.\n */\n autoProviderFallback: z.boolean().optional(),\n })\n .strict(),\n]);\n\nexport type AgentImageGenerationModelConfig = z.infer<typeof AgentImageGenerationModelSchema>;\n\nexport const AgentDefaultsSchema = z.object({\n /** Parent directory: each agent’s Markdown root is `<expanded>/<agentId>/` (e.g. `.../workspace/main`). */\n workspace: z.string().default('~/.xopc/workspace'),\n model: z.union([\n z.string(),\n z.object({\n primary: z.string().optional(),\n fallbacks: z.array(z.string()).optional(),\n }).strict(),\n ]).default(''), // Empty default - will be resolved dynamically at runtime\n /** Vision / image understanding model (provider/model). Falls back to heuristics when unset. */\n imageModel: AgentModelRefSchema.optional(),\n /** Image generation model (provider/model), e.g. openai/gpt-image-1. Supports plugin-based providers (OpenAI / DashScope / MiniMax / Google / Fal). */\n imageGenerationModel: AgentImageGenerationModelSchema.optional(),\n /** Max image size for image tool loads (MB). */\n mediaMaxMb: z.number().positive().optional(),\n maxTokens: z.number().default(8192),\n temperature: z.number().default(0.7),\n maxToolIterations: z.number().default(20),\n // Wall-clock limit for one user turn (LLM + tools). Default 30m if unset; cap 4h.\n maxTaskDurationMs: z.number().min(60000).max(14_400_000).optional(),\n // Reliability settings\n maxRequestsPerTurn: z.number().min(10).max(200).default(50),\n maxToolFailuresPerTurn: z.number().min(1).max(20).default(3),\n // Thinking ability settings\n thinkingDefault: z.enum(['off', 'minimal', 'low', 'medium', 'high', 'xhigh', 'adaptive']).optional(),\n reasoningDefault: z.enum(['off', 'on', 'stream']).optional(),\n verboseDefault: z.enum(['off', 'on', 'full']).optional(),\n bootstrapMaxChars: z.number().int().positive().optional(),\n bootstrapTotalMaxChars: z.number().int().positive().optional(),\n bootstrapPromptTruncationWarning: z.enum(['off', 'once', 'always']).optional(),\n startupContext: z\n .object({\n enabled: z.boolean().optional(),\n applyOn: z.array(z.enum(['new', 'reset'])).optional(),\n dailyMemoryDays: z.number().int().min(1).optional(),\n maxFileBytes: z.number().int().positive().optional(),\n maxFileChars: z.number().int().positive().optional(),\n maxTotalChars: z.number().int().positive().optional(),\n })\n .optional(),\n contextLimits: z\n .object({\n postCompactionMaxChars: z.number().int().positive().optional(),\n })\n .optional(),\n compaction: z.object({\n enabled: z.boolean().default(true),\n mode: z.enum(['default', 'safeguard']).default('default'),\n reserveTokens: z.number().default(8000),\n triggerThreshold: z.number().min(0.5).max(0.95).default(0.8),\n minMessagesBeforeCompact: z.number().default(10),\n keepRecentMessages: z.number().default(5),\n // Dual-strategy compaction\n evictionWindow: z.number().min(0.1).max(0.5).default(0.2),\n retentionWindow: z.number().min(3).max(20).default(6),\n postCompactionSections: z.array(z.string()).optional(),\n }).optional(),\n pruning: z.object({\n enabled: z.boolean().default(true),\n maxToolResultChars: z.number().default(10000),\n headKeepRatio: z.number().default(0.3),\n tailKeepRatio: z.number().default(0.3),\n }).optional(),\n /**\n * Curated memory (`agents/<id>/memories/`) + pluggable external provider.\n * Only one external provider at a time.\n */\n memory: z\n .object({\n /** Master switch: `curated_memory` tool, prefetch, and external provider. Default true. */\n enabled: z.boolean().optional(),\n /** When false, disable curated_memory tool and memory subsystem helpers. Default true. */\n useEnhancedSystem: z.boolean().optional(),\n /** Include USER.md in snapshot. Default true. */\n userProfileEnabled: z.boolean().optional(),\n memoryCharLimit: z.number().positive().optional(),\n userCharLimit: z.number().positive().optional(),\n provider: z.enum(['none', 'stub']).optional(),\n /** How often prefetched external memory is injected into the user message. */\n injectionFrequency: z.enum(['every-turn', 'first-turn']).optional(),\n /** Inject prefetch on turns 1, 1+N, 1+2N, … (only when injectionFrequency is every-turn). Min 1. */\n contextCadence: z.number().int().min(1).optional(),\n /** Reserved for future external “dialectic” sync cadence (not wired yet). */\n dialecticCadence: z.number().int().min(1).optional(),\n /**\n * Background memory consolidation (\"dreaming\"): three-phase sleep model that\n * promotes short-term recall signals into long-term memory (`MEMORY.md`).\n *\n * Phases:\n * - **light** — fast, frequent sweep (default every 6 h): dedup + signal collection.\n * - **deep** — daily deep promotion (default 3 AM): score-gated write to MEMORY.md.\n * - **rem** — weekly pattern discovery (default Sun 5 AM): cross-session insight mining.\n */\n dreaming: z\n .object({\n enabled: z.boolean().optional(),\n /** Default deep-phase cron when `phases.deep.cron` is omitted. */\n frequency: z.string().optional(),\n timezone: z.string().optional(),\n phases: z\n .object({\n light: z\n .object({\n enabled: z.boolean().optional(),\n cron: z.string().optional(),\n lookbackDays: z.number().int().min(1).optional(),\n limit: z.number().int().min(0).optional(),\n dedupeSimilarity: z.number().min(0).max(1).optional(),\n })\n .optional(),\n deep: z\n .object({\n enabled: z.boolean().optional(),\n cron: z.string().optional(),\n minScore: z.number().min(0).max(1).optional(),\n minRecallCount: z.number().int().min(1).optional(),\n minUniqueQueries: z.number().int().min(1).optional(),\n limit: z.number().int().min(0).optional(),\n recencyHalfLifeDays: z.number().min(1).optional(),\n maxAgeDays: z.number().int().min(1).optional(),\n })\n .optional(),\n rem: z\n .object({\n enabled: z.boolean().optional(),\n cron: z.string().optional(),\n lookbackDays: z.number().int().min(1).optional(),\n limit: z.number().int().min(0).optional(),\n minPatternStrength: z.number().min(0).max(1).optional(),\n })\n .optional(),\n })\n .optional(),\n })\n .optional(),\n })\n .optional(),\n /** Cross-session transcript search (`session_search` tool). */\n sessionSearch: z\n .object({\n /** Model ref for per-session summaries (e.g. openai/gpt-4o-mini). */\n summaryModel: z.string().optional(),\n })\n .optional(),\n /**\n * Post-turn background review (Hermes-style): optional quiet follow-up that may call\n * `curated_memory` / `skill_manage` so durable facts and reusable workflows persist\n * without bloating the main user-visible turn.\n */\n backgroundReview: z\n .object({\n /** When true, nudges may run after successful turns. Default false (opt-in). */\n enabled: z.boolean().optional(),\n /** User-turn cadence for memory review. 0 disables the memory channel. Default 10. */\n memoryNudgeInterval: z.number().int().min(0).optional(),\n /** LLM rounds without `skill_manage` before a skill review. 0 disables the skill channel. Default 10. */\n skillNudgeInterval: z.number().int().min(0).optional(),\n /** Max tool executions for the review agent. Default 8. */\n maxToolRounds: z.number().int().min(1).max(32).optional(),\n /** Max prior messages passed into the review context (tail). Default 80. */\n maxHistoryMessages: z.number().int().min(10).max(200).optional(),\n /** Wall-clock cap for the review run (ms). Default 120000. */\n maxDurationMs: z.number().int().min(30_000).max(600_000).optional(),\n })\n .optional(),\n /** LLM pass for `web_extract` (markdown-focused extraction). */\n webExtract: z\n .object({\n model: z.string().optional(),\n maxLength: z.number().positive().optional(),\n })\n .optional(),\n /**\n * Browser capability via unified `browser_use` tool. Enabled by default (set `enabled: false` to disable).\n * The local Playwright backend requires Chromium on the gateway host: `npx playwright install chromium`.\n */\n browser: z\n .object({\n enabled: z.boolean().optional(),\n /** Run browser in headless mode (default: false — visible window). */\n headless: z.boolean().optional(),\n /** When true, skip private-IP blocking for browser navigation (cloud metadata endpoints are always blocked). */\n allowPrivateUrls: z.boolean().optional(),\n /** Browser command timeout in seconds (default: 30). */\n commandTimeout: z.number().min(5).optional(),\n /** Browser backend mode (default: 'extension'). Also: 'local' (Playwright), 'cdp', 'cloud', or 'cloakbrowser'. */\n backend: z.enum(['local', 'cdp', 'cloud', 'extension', 'cloakbrowser']).optional(),\n /** Cloud browser backend: 'local' (default Playwright), 'browserbase', or 'browser-use'. */\n cloudProvider: z.enum(['local', 'browserbase', 'browser-use']).optional(),\n /** Cloud browser credentials and optional session hints. */\n cloud: z.object({\n /** API key for the selected cloud provider. Environment variables are still supported as fallback. */\n apiKey: z.string().optional(),\n /** Browserbase project id. Falls back to BROWSERBASE_PROJECT_ID. */\n projectId: z.string().optional(),\n /** Optional cloud provider region. */\n region: z.string().optional(),\n }).optional(),\n /** Direct CDP WebSocket endpoint URL (bypasses cloud provider). */\n cdpUrl: z.string().optional(),\n /** Chrome Extension bridge settings (only used when backend = 'extension'). */\n extension: z.object({\n /** WebSocket server port. Default: 19820. */\n port: z.number().min(1024).max(65535).optional(),\n /** Host to bind. Default: 127.0.0.1. */\n host: z.string().optional(),\n /** Timeout waiting for extension connection (ms). Default: 30000. */\n connectionTimeout: z.number().min(1000).optional(),\n }).optional(),\n /** JS dialog handling policy: 'must_respond' (agent must act), 'auto_dismiss', or 'auto_accept'. */\n dialogPolicy: z.enum(['must_respond', 'auto_dismiss', 'auto_accept']).optional(),\n /** Dialog auto-dismiss/accept timeout in seconds (default: 300). */\n dialogTimeoutSeconds: z.number().min(1).optional(),\n /** Enable humanized input simulation (Bezier mouse, per-char typing, wheel scroll). Default: false. */\n humanize: z.boolean().optional(),\n /** Humanize behavior preset: 'default' (fast) or 'careful' (slower, more realistic). Default: 'careful'. */\n humanPreset: z.enum(['default', 'careful']).optional(),\n /** CloakBrowser settings (only used when backend = 'cloakbrowser'). */\n cloakbrowser: z.object({\n /** Keep browser process alive between tasks. Default: true. */\n keepOpen: z.boolean().optional(),\n /** Create a temporary profile directory, cleaned up on close. Default: false. */\n temporaryProfile: z.boolean().optional(),\n /** Directory for cached CloakBrowser binaries. Must live under the user's home directory. Default: ~/.xopc/bin/cloakbrowser. */\n cacheDir: z\n .string()\n .optional()\n .superRefine((v, ctx) => {\n const r = checkCacheDir(v);\n if (r.ok === false) ctx.addIssue({ code: 'custom', message: r.message });\n }),\n /** Override the CloakBrowser binary path (skip auto-download). */\n binaryPath: z.string().optional(),\n /** Timezone to emulate (e.g. \"America/New_York\"). */\n timezone: z.string().optional(),\n /** Locale to emulate (e.g. \"en-US\"). */\n locale: z.string().optional(),\n /** Public IP for WebRTC leak prevention. */\n webrtcIp: z.string().optional(),\n /** Platform to emulate in fingerprint (e.g. \"windows\", \"macos\"). */\n fingerprintPlatform: z.string().optional(),\n /** Extra Chromium launch args (override defaults with same --key= prefix). */\n extraArgs: z.array(z.string()).optional(),\n }).optional(),\n })\n .optional(),\n /** Sub-agent delegation (`delegate_task`). Opt-in. */\n delegate: z\n .object({\n enabled: z.boolean().optional(),\n })\n .optional(),\n /** Sandboxed `execute_code` (programmatic tool calls). Opt-in. */\n executeCode: z\n .object({\n enabled: z.boolean().optional(),\n })\n .optional(),\n /** Optional full system prompt replacement (merged with per-agent entry; entry wins). */\n systemPromptOverride: z.string().optional(),\n /** Optional allowlist of skill names for `<available_skills>`; when set, replaces unfiltered list. */\n skills: z.array(z.string()).optional(),\n /** Disable built-in tools by name (e.g. `shell`, `web_search`). */\n tools: z\n .object({\n disable: z.array(z.string()).optional(),\n })\n .optional(),\n /** Opaque per-process params (reserved for extensions / future use). */\n params: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const AgentConfigSchema = z.object({\n id: z.string(),\n /** When true, this entry is the default routing agent. */\n default: z.boolean().optional(),\n name: z.string().optional(),\n /** Short human-readable summary for UIs (gateway console, pickers). */\n description: z.string().max(4000).optional(),\n enabled: z.boolean().default(true),\n /** Per-agent workspace root (`~` expanded at runtime). */\n workspace: z.string().optional(),\n /**\n * Internal agent state directory (`…/credentials`, `agent.json`, pid, inbox).\n * Default: `<stateDir>/agents/<id>/agent`.\n */\n agentDir: z.string().optional(),\n model: AgentModelRefSchema.optional(),\n thinkingDefault: z.enum(['off', 'minimal', 'low', 'medium', 'high', 'xhigh', 'adaptive']).optional(),\n reasoningDefault: z.enum(['off', 'on', 'stream']).optional(),\n verboseDefault: z.enum(['off', 'on', 'full']).optional(),\n systemPromptOverride: z.string().optional(),\n skills: z.array(z.string()).optional(),\n tools: z\n .object({\n disable: z.array(z.string()).optional(),\n })\n .optional(),\n params: z.record(z.string(), z.unknown()).optional(),\n});\n\nexport const AgentsConfigSchema = z.object({\n /** Default agent id when not specified (routing / session creation). */\n default: z.string().optional(),\n defaults: AgentDefaultsSchema.optional(),\n list: z.array(AgentConfigSchema).optional(),\n}).default({\n defaults: {\n workspace: '~/.xopc/workspace',\n model: '', // Empty default - will be resolved dynamically at runtime\n maxTokens: 8192,\n temperature: 0.7,\n maxToolIterations: 20,\n maxRequestsPerTurn: 50,\n maxToolFailuresPerTurn: 3,\n thinkingDefault: 'medium',\n reasoningDefault: 'stream',\n verboseDefault: 'full',\n compaction: {\n enabled: true,\n mode: 'default',\n reserveTokens: 8000,\n triggerThreshold: 0.8,\n minMessagesBeforeCompact: 10,\n keepRecentMessages: 5,\n evictionWindow: 0.2,\n retentionWindow: 6,\n },\n pruning: {\n enabled: true,\n maxToolResultChars: 10000,\n headKeepRatio: 0.3,\n tailKeepRatio: 0.3,\n },\n browser: {\n backend: 'extension',\n },\n },\n} as any);\n\n// ============================================\n// Channel Configs (per-channel Zod lives in bundled extensions; root schema is open)\n// ============================================\n\nexport {\n TelegramTopicConfigSchema,\n TelegramGroupConfigSchema,\n TelegramAccountConfigSchema,\n TelegramConfigSchema,\n} from '../../extensions/telegram/src/config-schema.js';\nexport type { TelegramConfig } from '../../extensions/telegram/src/config-schema.js';\nexport { WeixinAccountConfigSchema, WeixinConfigSchema } from '../../extensions/weixin/src/config-schema.js';\nexport type { WeixinConfig } from '../../extensions/weixin/src/config-schema.js';\n// ============================================\n// Session Routing Configuration\n// ============================================\n\nexport const BindingMatchSchema = z.object({\n channel: z.string(),\n accountId: z.string().optional(),\n peerKind: z.string().optional(),\n peerId: z.string().optional(),\n guildId: z.string().optional(),\n teamId: z.string().optional(),\n memberRoleIds: z.array(z.string()).optional(),\n});\n\nexport const BindingRuleSchema = z.object({\n id: z.string().optional(),\n agentId: z.string(),\n priority: z.number().default(100),\n match: BindingMatchSchema,\n enabled: z.boolean().default(true),\n});\n\nexport const BindingsConfigSchema = z.array(BindingRuleSchema).default([]);\n\nexport const SessionDmScopeSchema = z.enum([\n 'main',\n 'per-peer',\n 'per-channel-peer',\n 'per-account-channel-peer',\n]);\n\nexport const SessionStorageConfigSchema = z.object({\n pruneAfterMs: z.number().optional(),\n maxEntries: z.number().optional(),\n});\n\nexport const SessionConfigSchema = z.object({\n dmScope: SessionDmScopeSchema.default('main'),\n identityLinks: z.record(z.string(), z.array(z.string())).optional(),\n storage: SessionStorageConfigSchema.optional(),\n}).default({\n dmScope: 'main',\n});\n\n/** Channel buckets — shapes validated post-parse by registered channel plugins. */\nexport const ChannelsConfigSchema = z.record(z.string(), z.unknown()).default({\n telegram: {\n enabled: false,\n allowFrom: [],\n groupAllowFrom: [],\n debug: false,\n accounts: {\n default: {\n accountId: 'default',\n enabled: true,\n botToken: '',\n allowFrom: [],\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n streamMode: 'partial' as const,\n },\n },\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n },\n});\n\nexport const SearchProviderEntrySchema = z.object({\n type: z.enum(['brave', 'tavily', 'bing', 'searxng']),\n apiKey: z.string().optional(),\n /** SearXNG instance base URL (e.g. http://localhost:8080) */\n url: z.string().optional(),\n disabled: z.boolean().optional(),\n});\n\nexport type SearchProviderEntry = z.infer<typeof SearchProviderEntrySchema>;\n\nexport const WebSearchConfigSchema = z.object({\n maxResults: z.number().default(5),\n /** Ordered API providers; empty → HTML fallback only */\n providers: z.array(SearchProviderEntrySchema).default([]),\n});\n\nexport type WebSearchConfig = z.infer<typeof WebSearchConfigSchema>;\n\nexport const WebsiteBlocklistSchema = z.object({\n /** Master switch. Default false (no blocking). */\n enabled: z.boolean().default(false),\n /** Domain patterns to block (e.g. \"example.com\", \"*.evil.org\"). */\n domains: z.array(z.string()).default([]),\n});\n\nexport type WebsiteBlocklistConfig = z.infer<typeof WebsiteBlocklistSchema>;\n\nexport const WebToolsConfigSchema = z.object({\n /** Search result HTML fallback: cn → Bing, otherwise DuckDuckGo */\n region: z.enum(['cn', 'global']).optional(),\n search: WebSearchConfigSchema.optional(),\n /** Domain blocklist for web_fetch / web_extract / browser tools. */\n blocklist: WebsiteBlocklistSchema.optional(),\n});\n\nexport type WebToolsConfig = z.infer<typeof WebToolsConfigSchema>;\n\nexport const ToolsConfigSchema = z.object({\n web: WebToolsConfigSchema.optional(),\n /**\n * Per-capability media providers. Currently only `audio` (STT) is wired;\n * `image` / `video` slots are reserved for future capabilities.\n */\n media: z.lazy(() => ToolsMediaConfigSchema),\n}).default({\n web: {\n search: {\n maxResults: 5,\n providers: [],\n },\n },\n});\n\n// ============================================\n// Gateway Configuration\n// ============================================\n\nexport const GatewayAuthRateLimitSchema = z\n .object({\n enabled: z.boolean().default(true),\n maxAttempts: z.number().int().min(1).default(5),\n windowMs: z.number().default(900_000),\n blockDurationMs: z.number().default(300_000),\n /** OpenClaw alias for blockDurationMs. */\n lockoutMs: z.number().optional(),\n /** Skip rate limiting for loopback client IPs (default true). Remote browser Origin requests never exempt. */\n exemptLoopback: z.boolean().default(true),\n })\n .optional();\n\nexport const GatewaySecuritySchema = z\n .object({\n /** When true, non-loopback binds require explicit gateway.auth.rateLimit configuration. */\n strict: z.boolean().optional(),\n })\n .optional();\n\nexport const GatewayTrustedProxySchema = z\n .object({\n /** Header set by the reverse proxy with the authenticated user identity. */\n userHeader: z.string().min(1),\n /** Additional headers that must be present (e.g. proxy auth markers). */\n requiredHeaders: z.array(z.string()).optional(),\n /** When non-empty, only these user identities are allowed. */\n allowUsers: z.array(z.string()).optional(),\n /** Allow trusted-proxy auth when the TCP source is loopback (same-host reverse proxy). */\n allowLoopback: z.boolean().optional(),\n })\n .strict();\n\nexport const GatewayAuthSchema = z\n .object({\n mode: z.enum(['none', 'token', 'password', 'trusted-proxy']).default('token'),\n token: z.string().optional(),\n password: z.string().optional(),\n /** When true (default for Serve), browser UI may auth via Tailscale identity headers. API routes still require token. */\n allowTailscale: z.boolean().optional(),\n rateLimit: GatewayAuthRateLimitSchema,\n trustedProxy: GatewayTrustedProxySchema.optional(),\n })\n .default({\n mode: 'token',\n });\n\nexport const GatewayTailscaleConsentSchema = z.object({\n version: z.string().min(1),\n acceptedAt: z.string().min(1),\n});\n\nexport const GatewayTailscaleSchema = z\n .object({\n mode: z.enum(['off', 'serve', 'funnel']).default('off'),\n resetOnExit: z.boolean().default(true),\n consent: GatewayTailscaleConsentSchema.optional(),\n })\n .default({\n mode: 'off',\n resetOnExit: true,\n });\n\nexport const GatewayRemoteSchema = z.object({\n url: z.string().url(),\n token: z.string().optional(),\n password: z.string().optional(),\n transport: z.enum(['direct', 'ssh']).default('direct'),\n sshTarget: z.string().optional(),\n sshIdentity: z.string().optional(),\n tlsFingerprint: z.string().optional(),\n});\n\nexport const GatewayTlsSchema = z\n .object({\n enabled: z.boolean().default(false),\n autoGenerate: z.boolean().default(false),\n certPath: z.string().optional(),\n keyPath: z.string().optional(),\n })\n .default({\n enabled: false,\n autoGenerate: false,\n });\n\nexport const GatewayModeSchema = z.enum(['local', 'remote']).default('local');\n\nexport const HeartbeatConfigSchema = z\n .object({\n enabled: z.boolean(),\n intervalMs: z.number(),\n /** When false, heartbeat instructions are only sent during heartbeat polling turns (not in every chat system prompt). */\n includeSystemPromptSection: z.boolean().optional().default(false),\n target: z.string().optional(),\n targetChatId: z.string().optional(),\n prompt: z.string().optional(),\n ackMaxChars: z.number().optional(),\n isolatedSession: z.boolean().optional(),\n activeHours: z\n .object({\n start: z.string(),\n end: z.string(),\n timezone: z.string().optional(),\n })\n .optional(),\n })\n .default({\n enabled: true,\n intervalMs: 1_800_000,\n includeSystemPromptSection: false,\n });\n\nexport const GatewayChannelConnectDeferModeSchema = z.enum(['auto', 'off', 'explicit']);\n\nexport const TunnelConsentSchema = z.object({\n version: z.string().min(1),\n acceptedAt: z.string().min(1),\n});\n\nexport const TunnelConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n brokerUrl: z.string().url().default('https://frp.xopc.ai/api'),\n /** Broker register API secret (env `XOPC_TUNNEL_REGISTRATION_SECRET` overrides when set). */\n registrationSecret: z.string().min(1).optional(),\n autoStart: z.boolean().default(false),\n subdomain: z.string().optional(),\n consent: TunnelConsentSchema.optional(),\n })\n .default({\n enabled: false,\n brokerUrl: 'https://frp.xopc.ai/api',\n autoStart: false,\n });\n\nexport type TunnelConfig = z.infer<typeof TunnelConfigSchema>;\n\n/**\n * Workspace-scoped concerns (file import, etc.). Distinct from\n * `agents.defaults.workspace`, which is the workspace *path*; this block carries\n * feature configuration for workspace-related routes.\n */\nexport const WorkspaceImportConfigSchema = z.object({\n /** Workspace-relative subdir for imported files. Default `imports`. */\n targetDir: z.string().default('imports'),\n /** Per-file byte cap. Default 100 MiB. */\n maxBytes: z.number().int().min(1024).max(10_737_418_240).default(104_857_600),\n /** When false, the route rejects `onConflict: 'overwrite'`. Default true. */\n allowOverwrite: z.boolean().default(true),\n});\nexport type WorkspaceImportConfig = z.infer<typeof WorkspaceImportConfigSchema>;\n\nexport const WorkspaceConfigSchema = z.object({\n import: WorkspaceImportConfigSchema.optional(),\n}).optional();\nexport type WorkspaceConfig = z.infer<typeof WorkspaceConfigSchema>;\n\nexport const GatewayBindModeSchema = z.enum(['auto', 'loopback', 'lan', 'tailnet', 'custom']);\n\nexport const GatewayConfigSchema = z.object({\n /** Semantic bind mode. */\n bind: GatewayBindModeSchema.optional(),\n /** IPv4 listen address when `bind` is `custom`. */\n customBindHost: z.string().optional(),\n port: z.number().optional(),\n /** local: this process runs the gateway; remote: CLI clients target gateway.remote. */\n mode: GatewayModeSchema.optional(),\n /** Persistent remote gateway target for CLI/TUI/MCP when mode=remote. */\n remote: GatewayRemoteSchema.optional(),\n tailscale: GatewayTailscaleSchema.optional(),\n tls: GatewayTlsSchema.optional(),\n auth: GatewayAuthSchema.optional(),\n heartbeat: HeartbeatConfigSchema.optional(),\n maxSseConnections: z.number().optional(),\n corsOrigins: z.array(z.string()).optional(),\n /** Dangerous: allow browser Origin to match the HTTP Host header when not in corsOrigins. */\n dangerouslyAllowHostHeaderOriginFallback: z.boolean().optional(),\n /** CIDRs or exact IPs of reverse proxies allowed to terminate auth (trusted-proxy mode). */\n trustedProxies: z.array(z.string()).optional(),\n /** When true, fall back to X-Real-IP if X-Forwarded-For chain parsing fails. Default false (fail closed). */\n allowRealIpFallback: z.boolean().optional(),\n security: GatewaySecuritySchema,\n /**\n * How channel `start()` is split around HTTP listen when using `GatewayServer`.\n * - `auto` (default): defer ids come from channel plugin `meta.deferConnectUntilAfterListen` + enabled config.\n * - `off`: always start all channels in phase1 (troubleshooting / strict ordering).\n * - `explicit`: defer only `channelConnectDeferIds` (empty = defer none).\n */\n channelConnectDeferMode: GatewayChannelConnectDeferModeSchema.optional(),\n /** When `channelConnectDeferMode` is `explicit`, these channel plugin ids are deferred until after listen. */\n channelConnectDeferIds: z.array(z.string().min(1)).max(24).optional(),\n /** Removed from the defer set (applied after `auto` or `explicit` resolution). */\n channelConnectDeferSkipIds: z.array(z.string().min(1)).max(24).optional(),\n /** Default skills marketplace provider id. Built-in: 'store', 'skillhub', 'clawhub'. Extensions may register more. */\n skillsMarketplaceProvider: z.string().optional(),\n /** Base URL for the xopc skills marketplace (public REST API). */\n skillsStoreBaseUrl: z.string().url().optional(),\n /** File sharing configuration (temporary public download links for workspace files). */\n share: z.object({\n enabled: z.boolean().default(true),\n /** Default TTL in ms (default 24h). */\n defaultTtlMs: z.number().min(60_000).max(604_800_000).default(86_400_000),\n /** Maximum TTL in ms (default 7 days). */\n maxTtlMs: z.number().min(60_000).max(2_592_000_000).default(604_800_000),\n /** Maximum concurrent active shares (default 100). */\n maxActiveShares: z.number().min(1).max(10_000).default(100),\n /** Maximum shareable file size in bytes (default 100MB). */\n maxFileSize: z.number().min(1_048_576).max(10_737_418_240).default(104_857_600),\n /** MIME types allowed for inline preview (?inline=1). */\n inlinePreviewMimes: z.array(z.string()).default([\n 'image/png',\n 'image/jpeg',\n 'image/gif',\n 'image/webp',\n 'image/svg+xml',\n 'application/pdf',\n 'text/html',\n 'text/markdown',\n 'text/plain',\n 'application/json',\n ]),\n }).optional(),\n}).default({\n bind: 'loopback',\n port: 18790,\n auth: {\n mode: 'token',\n },\n heartbeat: {\n enabled: true,\n intervalMs: 1_800_000,\n includeSystemPromptSection: false,\n },\n maxSseConnections: 100,\n corsOrigins: [],\n skillsMarketplaceProvider: 'skillhub',\n skillsStoreBaseUrl: 'https://store.xopc.ai',\n});\n\nexport const CronConfigSchema = z.object({\n enabled: z.boolean().optional(),\n maxConcurrentJobs: z.number().optional(),\n defaultTimezone: z.string().optional(),\n historyRetentionDays: z.number().optional(),\n enableMetrics: z.boolean().optional(),\n}).default({\n enabled: true,\n maxConcurrentJobs: 5,\n defaultTimezone: 'UTC',\n historyRetentionDays: 7,\n enableMetrics: true,\n});\n\nexport const ModelsDevConfigSchema = z.object({\n enabled: z.boolean().default(true),\n}).default({\n enabled: true,\n});\n\n// ============================================\n// STT (Speech-to-Text) Config\n// ============================================\n\nconst SttProviderConfigCatchallSchema = z.union([\n z.string(),\n z.number(),\n z.boolean(),\n z.null(),\n z.array(z.unknown()),\n z.record(z.string(), z.unknown()),\n]);\n\nexport const STTProviderConfigSchema = z\n .object({\n apiKey: z.string().optional(),\n model: z.string().optional(),\n baseUrl: z.string().optional(),\n headers: z.record(z.string(), z.string()).optional(),\n language: z.string().optional(),\n prompt: z.string().optional(),\n })\n .catchall(SttProviderConfigCatchallSchema);\n\nexport const STTFallbackConfigSchema = z.object({\n enabled: z.boolean().default(true),\n order: z.array(z.string().min(1)).default(['alibaba', 'openai']),\n});\n\nexport const MediaUnderstandingCapabilitiesSchema = z\n .array(z.enum(['image', 'audio', 'video']))\n .optional();\n\nexport const MediaUnderstandingModelSchema = z\n .object({\n provider: z.string().optional(),\n model: z.string().optional(),\n capabilities: MediaUnderstandingCapabilitiesSchema,\n type: z.union([z.literal('provider'), z.literal('cli')]).optional(),\n command: z.string().optional(),\n baseUrl: z.string().optional(),\n headers: z.record(z.string(), z.string()).optional(),\n apiKey: z.string().optional(),\n language: z.string().optional(),\n prompt: z.string().optional(),\n })\n .catchall(SttProviderConfigCatchallSchema);\n\nexport const STTConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n /** Primary provider id — any registered MediaUnderstandingProvider id. */\n provider: z.string().min(1).default('alibaba'),\n fallback: STTFallbackConfigSchema.optional(),\n timeoutMs: z.number().int().min(1000).max(180000).optional(),\n /** Ordered model entries for this capability (OpenClaw `tools.media.audio.models`). */\n models: z.array(MediaUnderstandingModelSchema).optional(),\n /** OpenClaw-aligned provider settings map (`tools.media.audio.providers.<id>`). */\n providers: z.record(z.string(), STTProviderConfigSchema).optional(),\n /** Legacy flat provider keys — kept for backward compatibility. */\n alibaba: STTProviderConfigSchema.optional(),\n openai: STTProviderConfigSchema.optional(),\n })\n .passthrough();\n\n// ============================================\n// TTS (Text-to-Speech) Config\n// ============================================\n\nconst TtsProviderConfigCatchallSchema = z.union([\n z.string(),\n z.number(),\n z.boolean(),\n z.null(),\n z.array(z.unknown()),\n z.record(z.string(), z.unknown()),\n]);\n\nexport const TTSProviderConfigSchema = z\n .object({\n apiKey: z.string().optional(),\n model: z.string().optional(),\n voice: z.string().optional(),\n })\n .catchall(TtsProviderConfigCatchallSchema);\n\nexport const TTSFallbackConfigSchema = z.object({\n enabled: z.boolean().default(true),\n order: z\n .array(z.string().min(1))\n .default(['openai', 'alibaba', 'minimax', 'edge']),\n});\n\nexport const TTSModelOverridesConfigSchema = z.object({\n enabled: z.boolean().default(true),\n allowText: z.boolean().default(true),\n allowProvider: z.boolean().default(false),\n allowVoice: z.boolean().default(true),\n allowModelId: z.boolean().default(true),\n allowVoiceSettings: z.boolean().default(false),\n allowNormalization: z.boolean().default(false),\n allowSeed: z.boolean().default(false),\n});\n\nexport const TTSEdgeConfigSchema = z.object({\n enabled: z.boolean().default(true),\n voice: z.string().optional(),\n lang: z.string().optional(),\n outputFormat: z.string().optional(),\n pitch: z.string().optional(),\n rate: z.string().optional(),\n volume: z.string().optional(),\n proxy: z.string().optional(),\n timeoutMs: z.number().int().min(1000).max(120000).optional(),\n});\n\nexport const TTSSummarizationConfigSchema = z.object({\n enabled: z.boolean().optional(),\n targetLength: z.number().int().min(1).optional(),\n threshold: z.number().int().min(1).optional(),\n model: z.string().optional(),\n});\n\nexport const TTSConfigSchema = z\n .object({\n enabled: z.boolean().default(false),\n /** Primary provider id — any registered SpeechProviderPlugin id. */\n provider: z.string().min(1).default('openai'),\n trigger: z.enum(['off', 'always', 'inbound', 'tagged']).default('always'),\n fallback: TTSFallbackConfigSchema.optional(),\n maxTextLength: z.number().int().min(1).default(512), // Conservative default to accommodate all providers (Alibaba limit is 512)\n timeoutMs: z.number().int().min(1000).max(180000).default(60000),\n summarization: TTSSummarizationConfigSchema.optional(),\n modelOverrides: TTSModelOverridesConfigSchema.optional(),\n /** OpenClaw-aligned provider settings map (`messages.tts.providers.<id>`). */\n providers: z.record(z.string(), TTSProviderConfigSchema).optional(),\n /** Legacy flat provider keys — kept for backward compatibility. */\n alibaba: TTSProviderConfigSchema.optional(),\n openai: TTSProviderConfigSchema.optional(),\n edge: TTSEdgeConfigSchema.optional(),\n minimax: TTSProviderConfigSchema.optional(),\n })\n .passthrough();\n\n// ============================================\n// messages.* — delivery / presentation concerns\n// ============================================\n\nexport const MessagesConfigSchema = z.object({\n /** Voice (text-to-speech) output configuration. */\n tts: TTSConfigSchema.optional(),\n}).optional();\n\nexport const ToolsMediaAudioConfigSchema = STTConfigSchema;\n\nexport const ToolsMediaConfigSchema = z\n .object({\n /** Shared model entries applied across media capabilities when entry lacks capabilities. */\n models: z.array(MediaUnderstandingModelSchema).optional(),\n /** Audio (speech-to-text) capability provider config. */\n audio: ToolsMediaAudioConfigSchema.optional(),\n })\n .optional();\n\n// ============================================\n// Provider Configs (capability providers: image / audio / video)\n// ============================================\n\n/**\n * Optional Azure OpenAI overrides used when an OpenAI image-generation\n * request should hit an Azure deployment instead of `api.openai.com`.\n *\n * URL template (when present):\n * `https://<resource>.openai.azure.com/openai/deployments/<deployment>/images/generations?api-version=<apiVersion>`\n */\nexport const ProviderAzureConfigSchema = z\n .object({\n /** Azure resource name (subdomain before `.openai.azure.com`). */\n resource: z.string().min(1).optional(),\n /** Azure deployment id (configured per model). */\n deployment: z.string().min(1).optional(),\n /** Azure REST API version, e.g. `2024-08-01-preview`. */\n apiVersion: z.string().min(1).optional(),\n })\n .strict();\n\n/** Per-vendor request overrides applied by the provider HTTP layer. */\nexport const ProviderRequestOverridesSchema = z\n .object({\n /** Hard cap for a single HTTP call (ms). */\n timeoutMs: z.number().int().positive().optional(),\n /** Extra headers merged into every outbound request. */\n headers: z.record(z.string(), z.string()).optional(),\n })\n .strict();\n\n/**\n * Generic per-vendor provider config — used by image / audio / video\n * capability providers via `cfg.providers.<id>`. Kept loose (`.strict()` but\n * everything optional) so adding a new vendor never requires a config\n * migration.\n */\nexport const ProviderAuthConfigSchema = z\n .object({\n /** Static API key (api-key / azure-key modes). */\n apiKey: z.string().optional(),\n /** Override the default REST base URL. */\n baseUrl: z.string().url().optional(),\n /** Vendor region (DashScope: `beijing` / `singapore`; AWS: region id). */\n region: z.string().optional(),\n /** Image-only base URL override (DashScope splits image vs LLM). */\n imageBaseUrl: z.string().url().optional(),\n /** Per-vendor request overrides. */\n request: ProviderRequestOverridesSchema.optional(),\n /** Azure OpenAI deployment overrides; only consumed by OpenAI image provider. */\n azure: ProviderAzureConfigSchema.optional(),\n })\n .strict();\n\nexport type ProviderAuthConfig = z.infer<typeof ProviderAuthConfigSchema>;\n\n/**\n * `cfg.providers.<id>` is keyed by provider id (`openai`, `dashscope`,\n * `minimax`, `google`, `fal`, …). Every entry is optional and validated by\n * {@link ProviderAuthConfigSchema}.\n */\nexport const ProvidersConfigSchema = z.record(z.string(), ProviderAuthConfigSchema);\n\nexport type ProvidersConfig = z.infer<typeof ProvidersConfigSchema>;\n\n// ============================================\n// Extension Configs \n// ============================================\n\n// Security config for extensions \nexport const ExtensionSecurityConfigSchema = z.object({\n checkPermissions: z.boolean().default(true),\n allowUntrusted: z.boolean().default(false),\n allow: z.array(z.string()).default([]),\n trackProvenance: z.boolean().default(true),\n allowPromptInjection: z.boolean().default(false),\n});\n\n// Slot config for extensions \nexport const ExtensionSlotsConfigSchema = z.object({\n memory: z.string().optional(),\n tts: z.string().optional(),\n imageGeneration: z.string().optional(),\n webSearch: z.string().optional(),\n});\n\n// Complete extensions config\n// Extension config allows both known fields AND arbitrary extension-specific config\n// Known fields: enabled (array), allow (array), security (object), slots (object)\n// Arbitrary: any other key is extension-specific config (e.g., extensions.hello.greeting)\nexport const ExtensionsConfigSchema: z.ZodType<Record<string, unknown>> = z.record(z.string(), z.unknown());\n\n// ============================================\n// Update Config\n// ============================================\n\nexport const UpdateAutoConfigSchema = z\n .object({\n /** Enable automatic update installation. Default false. */\n enabled: z.boolean().default(false),\n /** Hours to wait before applying a stable update after first detection. */\n stableDelayHours: z.number().min(0).default(6),\n /** Additional random jitter hours for stable rollout (avoids thundering herd). */\n stableJitterHours: z.number().min(0).default(12),\n /** How often to re-check for beta updates (hours). Min 0.25. */\n betaCheckIntervalHours: z.number().min(0.25).default(1),\n })\n .strict()\n .optional();\n\n/** Persistent `/goal` (Ralph loop) — Hermes-aligned defaults. */\nexport const GoalsConfigSchema = z\n .object({\n /** Max continuation turns before auto-pause (Hermes default 20). */\n maxTurns: z.number().int().min(1).max(500).default(20),\n /** Optional judge model ref; defaults to `agents.defaults.model`. */\n judgeModelRef: z.string().optional(),\n /**\n * When true (default), first post-turn runs a decomposition judge to build a checklist;\n * subsequent turns evaluate progress per item (Hermes-style). When false, use legacy freeform judge only.\n */\n checklistMode: z.boolean().default(true),\n /** Auto-pause after this many consecutive judge JSON/tool parse failures (Hermes default 3). */\n maxConsecutiveParseFailures: z.number().int().min(1).max(20).default(3),\n /** Judge LLM call timeout in ms (Hermes uses 60s). */\n judgeTimeoutMs: z.number().int().min(5_000).max(120_000).default(60_000),\n /** Max characters of recent transcript JSON passed to the checklist judge as extra context. */\n checklistHistoryChars: z.number().int().min(0).max(100_000).default(24_000),\n })\n .strict();\n\nexport type GoalsConfig = z.infer<typeof GoalsConfigSchema>;\n\nexport const UpdateConfigSchema = z\n .object({\n /** Check for updates on gateway startup. Default true. */\n checkOnStart: z.boolean().default(true),\n /** Update channel: stable (default), beta, or dev. */\n channel: z.enum(['stable', 'beta', 'dev']).default('stable'),\n /** Automatic update policy. */\n auto: UpdateAutoConfigSchema,\n })\n .strict()\n .optional();\n\nexport type UpdateConfig = z.infer<typeof UpdateConfigSchema>;\n\n// ============================================\n// MCP (Model Context Protocol)\n// ============================================\n\nconst McpHttpUrlSchema = z\n .string()\n .url()\n .refine((value) => {\n try {\n const protocol = new URL(value).protocol;\n return protocol === 'http:' || protocol === 'https:';\n } catch {\n return false;\n }\n }, 'MCP server URL must use http or https');\n\nexport const McpServerSchema = z\n .object({\n command: z.string().optional(),\n args: z.array(z.string()).optional(),\n env: z.record(z.string(), z.union([z.string(), z.number(), z.boolean()])).optional(),\n cwd: z.string().optional(),\n workingDirectory: z.string().optional(),\n url: McpHttpUrlSchema.optional(),\n transport: z.enum(['sse', 'streamable-http']).optional(),\n headers: z.record(z.string(), z.union([z.string(), z.number(), z.boolean()])).optional(),\n connectionTimeoutMs: z.number().finite().positive().optional(),\n })\n .catchall(z.unknown())\n .superRefine((value, ctx) => {\n const hasCommand = typeof value.command === 'string' && value.command.trim().length > 0;\n const hasUrl = typeof value.url === 'string' && value.url.trim().length > 0;\n if (hasCommand && hasUrl) {\n ctx.addIssue({\n code: 'custom',\n message: 'MCP server cannot define both command and url',\n });\n }\n });\n\nexport const McpConfigSchema = z\n .object({\n servers: z.record(z.string(), McpServerSchema).optional(),\n sessionIdleTtlMs: z.number().finite().min(0).optional(),\n })\n .strict()\n .optional();\n\nexport type McpServerConfig = z.infer<typeof McpServerSchema>;\nexport type McpConfig = z.infer<typeof McpConfigSchema>;\n\n// ============================================\n// Root Config\n// ============================================\n\nexport const ConfigSchema = z.object({\n agents: AgentsConfigSchema,\n bindings: BindingsConfigSchema,\n session: SessionConfigSchema,\n channels: ChannelsConfigSchema,\n gateway: GatewayConfigSchema,\n tunnel: TunnelConfigSchema.optional(),\n workspace: WorkspaceConfigSchema,\n tools: ToolsConfigSchema,\n mcp: McpConfigSchema,\n cron: CronConfigSchema,\n goals: GoalsConfigSchema.optional(),\n extensions: ExtensionsConfigSchema.default({}),\n /** Per-vendor capability provider config (image / audio / video). */\n providers: ProvidersConfigSchema.optional(),\n modelsDev: ModelsDevConfigSchema,\n /** Delivery / presentation concerns (currently `tts`). */\n messages: MessagesConfigSchema,\n update: UpdateConfigSchema,\n}).default({\n agents: {\n defaults: {\n workspace: '~/.xopc/workspace',\n model: '', // Empty default - will be resolved dynamically at runtime\n maxTokens: 8192,\n temperature: 0.7,\n maxToolIterations: 20,\n maxRequestsPerTurn: 50,\n maxToolFailuresPerTurn: 3,\n thinkingDefault: 'medium',\n reasoningDefault: 'stream',\n verboseDefault: 'full',\n compaction: {\n enabled: true,\n mode: 'default',\n reserveTokens: 8000,\n triggerThreshold: 0.8,\n minMessagesBeforeCompact: 10,\n keepRecentMessages: 5,\n evictionWindow: 0.2,\n retentionWindow: 6,\n },\n pruning: {\n enabled: true,\n maxToolResultChars: 10000,\n headKeepRatio: 0.3,\n tailKeepRatio: 0.3,\n },\n browser: {\n backend: 'extension',\n },\n },\n },\n bindings: [],\n session: {\n dmScope: 'main' as const,\n },\n channels: {\n telegram: {\n enabled: false,\n allowFrom: [],\n groupAllowFrom: [],\n debug: false,\n accounts: {\n default: {\n accountId: 'default',\n enabled: true,\n botToken: '',\n allowFrom: [],\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n streamMode: 'partial' as const,\n },\n },\n dmPolicy: 'pairing' as const,\n groupPolicy: 'open' as const,\n replyToMode: 'off' as const,\n historyLimit: 50,\n textChunkLimit: 4000,\n },\n },\n gateway: {\n bind: 'loopback',\n port: 18790,\n auth: {\n mode: 'token',\n },\n heartbeat: {\n enabled: true,\n intervalMs: 1_800_000,\n includeSystemPromptSection: false,\n },\n maxSseConnections: 100,\n corsOrigins: [],\n skillsMarketplaceProvider: 'skillhub',\n skillsStoreBaseUrl: 'https://store.xopc.ai',\n },\n tools: {\n web: {\n search: {\n maxResults: 5,\n providers: [],\n },\n },\n },\n cron: {\n enabled: true,\n maxConcurrentJobs: 5,\n defaultTimezone: 'UTC',\n historyRetentionDays: 7,\n enableMetrics: true,\n },\n goals: {\n maxTurns: 20,\n checklistMode: true,\n maxConsecutiveParseFailures: 3,\n judgeTimeoutMs: 60_000,\n checklistHistoryChars: 24_000,\n },\n extensions: {\n allow: [],\n security: {\n checkPermissions: true,\n allowUntrusted: false,\n allow: [],\n trackProvenance: true,\n allowPromptInjection: false,\n },\n slots: {},\n },\n modelsDev: {\n enabled: true,\n },\n // messages.tts / tools.media.audio start undefined; the factory layer fills\n // in provider-level defaults (model/voice) on demand. Fresh configs don't\n // ship with enabled providers so they never make surprise STT/TTS calls.\n});\n\nexport type Config = z.infer<typeof ConfigSchema>;\nexport type AgentDefaults = z.infer<typeof AgentDefaultsSchema>;\nexport type GatewayAuthConfig = z.infer<typeof GatewayAuthSchema>;\nexport type GatewayTrustedProxyConfig = z.infer<typeof GatewayTrustedProxySchema>;\nexport type GatewayAuthRateLimitConfig = z.infer<typeof GatewayAuthRateLimitSchema>;\nexport type GatewayBindMode = z.infer<typeof GatewayBindModeSchema>;\nexport type STTConfig = z.infer<typeof STTConfigSchema>;\nexport type TTSConfig = z.infer<typeof TTSConfigSchema>;\n\n// ============================================\n// Helper Functions\n// ============================================\n\n/**\n * Parse a model reference string.\n */\nexport interface ParsedModelRef {\n provider: string;\n model: string;\n}\n\n/**\n * Default agent’s resolved Markdown workspace root (`resolveAgentWorkspaceDir` for the default agent id).\n */\nexport function getWorkspacePath(config: Config): string {\n return getDefaultWorkspacePath(config);\n}\n\n/**\n * Primary model ref from `agents.defaults.model` (string or `{ primary }`).\n * Returns undefined when unset or empty.\n */\nexport function getAgentDefaultModelRef(config: Config): string | undefined {\n const raw = config.agents?.defaults?.model;\n if (raw === undefined || raw === null) return undefined;\n const ref = typeof raw === 'string' ? raw : raw.primary;\n if (ref === undefined || ref === null) return undefined;\n const s = String(ref).trim();\n return s ? s : undefined;\n}\n\n/** `provider/model` or null when invalid. */\nexport function parseModelRef(ref: string): ParsedModelRef | null {\n const trimmed = ref.trim();\n const idx = trimmed.indexOf('/');\n if (idx <= 0 || idx === trimmed.length - 1) {\n return null;\n }\n return { provider: trimmed.slice(0, idx).trim(), model: trimmed.slice(idx + 1).trim() };\n}\n"],"mappings":";;;;;;;;;;AAyyCA,SAAgB,iBAAiB,QAAwB;AACvD,QAAO,wBAAwB,OAAO;;;;;;AAOxC,SAAgB,wBAAwB,QAAoC;CAC1E,MAAM,MAAM,OAAO,QAAQ,UAAU;AACrC,KAAI,QAAQ,KAAA,KAAa,QAAQ,KAAM,QAAO,KAAA;CAC9C,MAAM,MAAM,OAAO,QAAQ,WAAW,MAAM,IAAI;AAChD,KAAI,QAAQ,KAAA,KAAa,QAAQ,KAAM,QAAO,KAAA;CAC9C,MAAM,IAAI,OAAO,IAAI,CAAC,MAAM;AAC5B,QAAO,IAAI,IAAI,KAAA;;;AAIjB,SAAgB,cAAc,KAAoC;CAChE,MAAM,UAAU,IAAI,MAAM;CAC1B,MAAM,MAAM,QAAQ,QAAQ,IAAI;AAChC,KAAI,OAAO,KAAK,QAAQ,QAAQ,SAAS,EACvC,QAAO;AAET,QAAO;EAAE,UAAU,QAAQ,MAAM,GAAG,IAAI,CAAC,MAAM;EAAE,OAAO,QAAQ,MAAM,MAAM,EAAE,CAAC,MAAM;EAAE;;;;mBA/zCvB;wBACH;qBAyYP;uBAEqD;AArYhG,uBAAsB,EAAE,MAAM,CACzC,EAAE,QAAQ,EACV,EACG,OAAO;EACN,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EAC1C,CAAC,CACD,QAAQ,CACZ,CAAC;AAUW,mCAAkC,EAAE,MAAM,CACrD,EAAE,QAAQ,EACV,EACG,OAAO;EACN,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAEzC,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;;;;;EAKjD,sBAAsB,EAAE,SAAS,CAAC,UAAU;EAC7C,CAAC,CACD,QAAQ,CACZ,CAAC;AAIW,uBAAsB,EAAE,OAAO;;EAE1C,WAAW,EAAE,QAAQ,CAAC,QAAQ,oBAAoB;EAClD,OAAO,EAAE,MAAM,CACb,EAAE,QAAQ,EACV,EAAE,OAAO;GACP,SAAS,EAAE,QAAQ,CAAC,UAAU;GAC9B,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;GAC1C,CAAC,CAAC,QAAQ,CACZ,CAAC,CAAC,QAAQ,GAAG;;EAEd,YAAY,oBAAoB,UAAU;;EAE1C,sBAAsB,gCAAgC,UAAU;;EAEhE,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;EAC5C,WAAW,EAAE,QAAQ,CAAC,QAAQ,KAAK;EACnC,aAAa,EAAE,QAAQ,CAAC,QAAQ,GAAI;EACpC,mBAAmB,EAAE,QAAQ,CAAC,QAAQ,GAAG;EAEzC,mBAAmB,EAAE,QAAQ,CAAC,IAAI,IAAM,CAAC,IAAI,MAAW,CAAC,UAAU;EAEnE,oBAAoB,EAAE,QAAQ,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,GAAG;EAC3D,wBAAwB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE;EAE5D,iBAAiB,EAAE,KAAK;GAAC;GAAO;GAAW;GAAO;GAAU;GAAQ;GAAS;GAAW,CAAC,CAAC,UAAU;EACpG,kBAAkB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAS,CAAC,CAAC,UAAU;EAC5D,gBAAgB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAO,CAAC,CAAC,UAAU;EACxD,mBAAmB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;EACzD,wBAAwB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;EAC9D,kCAAkC,EAAE,KAAK;GAAC;GAAO;GAAQ;GAAS,CAAC,CAAC,UAAU;EAC9E,gBAAgB,EACb,OAAO;GACN,SAAS,EAAE,SAAS,CAAC,UAAU;GAC/B,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC,CAAC,UAAU;GACrD,iBAAiB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;GACnD,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;GACpD,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;GACpD,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;GACtD,CAAC,CACD,UAAU;EACb,eAAe,EACZ,OAAO,EACN,wBAAwB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,EAC/D,CAAC,CACD,UAAU;EACb,YAAY,EAAE,OAAO;GACnB,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;GAClC,MAAM,EAAE,KAAK,CAAC,WAAW,YAAY,CAAC,CAAC,QAAQ,UAAU;GACzD,eAAe,EAAE,QAAQ,CAAC,QAAQ,IAAK;GACvC,kBAAkB,EAAE,QAAQ,CAAC,IAAI,GAAI,CAAC,IAAI,IAAK,CAAC,QAAQ,GAAI;GAC5D,0BAA0B,EAAE,QAAQ,CAAC,QAAQ,GAAG;GAChD,oBAAoB,EAAE,QAAQ,CAAC,QAAQ,EAAE;GAEzC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,GAAI,CAAC,IAAI,GAAI,CAAC,QAAQ,GAAI;GACzD,iBAAiB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE;GACrD,wBAAwB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;GACvD,CAAC,CAAC,UAAU;EACb,SAAS,EAAE,OAAO;GAChB,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;GAClC,oBAAoB,EAAE,QAAQ,CAAC,QAAQ,IAAM;GAC7C,eAAe,EAAE,QAAQ,CAAC,QAAQ,GAAI;GACtC,eAAe,EAAE,QAAQ,CAAC,QAAQ,GAAI;GACvC,CAAC,CAAC,UAAU;;;;;EAKb,QAAQ,EACL,OAAO;;GAEN,SAAS,EAAE,SAAS,CAAC,UAAU;;GAE/B,mBAAmB,EAAE,SAAS,CAAC,UAAU;;GAEzC,oBAAoB,EAAE,SAAS,CAAC,UAAU;GAC1C,iBAAiB,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;GACjD,eAAe,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;GAC/C,UAAU,EAAE,KAAK,CAAC,QAAQ,OAAO,CAAC,CAAC,UAAU;;GAE7C,oBAAoB,EAAE,KAAK,CAAC,cAAc,aAAa,CAAC,CAAC,UAAU;;GAEnE,gBAAgB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;GAElD,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;;;;;;;;;GAUpD,UAAU,EACP,OAAO;IACN,SAAS,EAAE,SAAS,CAAC,UAAU;;IAE/B,WAAW,EAAE,QAAQ,CAAC,UAAU;IAChC,UAAU,EAAE,QAAQ,CAAC,UAAU;IAC/B,QAAQ,EACL,OAAO;KACN,OAAO,EACJ,OAAO;MACN,SAAS,EAAE,SAAS,CAAC,UAAU;MAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;MAC3B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAChD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACzC,kBAAkB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,UAAU;MACtD,CAAC,CACD,UAAU;KACb,MAAM,EACH,OAAO;MACN,SAAS,EAAE,SAAS,CAAC,UAAU;MAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;MAC3B,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,UAAU;MAC7C,gBAAgB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAClD,kBAAkB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACpD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACzC,qBAAqB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;MACjD,YAAY,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAC/C,CAAC,CACD,UAAU;KACb,KAAK,EACF,OAAO;MACN,SAAS,EAAE,SAAS,CAAC,UAAU;MAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;MAC3B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MAChD,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;MACzC,oBAAoB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,UAAU;MACxD,CAAC,CACD,UAAU;KACd,CAAC,CACD,UAAU;IACd,CAAC,CACD,UAAU;GACd,CAAC,CACD,UAAU;;EAEb,eAAe,EACZ,OAAO;;AAEN,cAAc,EAAE,QAAQ,CAAC,UAAU,EACpC,CAAC,CACD,UAAU;;;;;;EAMb,kBAAkB,EACf,OAAO;;GAEN,SAAS,EAAE,SAAS,CAAC,UAAU;;GAE/B,qBAAqB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;GAEvD,oBAAoB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;;GAEtD,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,UAAU;;GAEzD,oBAAoB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU;;GAEhE,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAO,CAAC,IAAI,IAAQ,CAAC,UAAU;GACpE,CAAC,CACD,UAAU;;EAEb,YAAY,EACT,OAAO;GACN,OAAO,EAAE,QAAQ,CAAC,UAAU;GAC5B,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,UAAU;GAC5C,CAAC,CACD,UAAU;;;;;EAKb,SAAS,EACN,OAAO;GACN,SAAS,EAAE,SAAS,CAAC,UAAU;;GAE/B,UAAU,EAAE,SAAS,CAAC,UAAU;;GAEhC,kBAAkB,EAAE,SAAS,CAAC,UAAU;;GAExC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;GAE5C,SAAS,EAAE,KAAK;IAAC;IAAS;IAAO;IAAS;IAAa;IAAe,CAAC,CAAC,UAAU;;GAElF,eAAe,EAAE,KAAK;IAAC;IAAS;IAAe;IAAc,CAAC,CAAC,UAAU;;GAEzE,OAAO,EAAE,OAAO;;IAEd,QAAQ,EAAE,QAAQ,CAAC,UAAU;;IAE7B,WAAW,EAAE,QAAQ,CAAC,UAAU;;IAEhC,QAAQ,EAAE,QAAQ,CAAC,UAAU;IAC9B,CAAC,CAAC,UAAU;;GAEb,QAAQ,EAAE,QAAQ,CAAC,UAAU;;GAE7B,WAAW,EAAE,OAAO;;IAElB,MAAM,EAAE,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,MAAM,CAAC,UAAU;;IAEhD,MAAM,EAAE,QAAQ,CAAC,UAAU;;IAE3B,mBAAmB,EAAE,QAAQ,CAAC,IAAI,IAAK,CAAC,UAAU;IACnD,CAAC,CAAC,UAAU;;GAEb,cAAc,EAAE,KAAK;IAAC;IAAgB;IAAgB;IAAc,CAAC,CAAC,UAAU;;GAEhF,sBAAsB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;GAElD,UAAU,EAAE,SAAS,CAAC,UAAU;;GAEhC,aAAa,EAAE,KAAK,CAAC,WAAW,UAAU,CAAC,CAAC,UAAU;;GAEtD,cAAc,EAAE,OAAO;;IAErB,UAAU,EAAE,SAAS,CAAC,UAAU;;IAEhC,kBAAkB,EAAE,SAAS,CAAC,UAAU;;IAExC,UAAU,EACP,QAAQ,CACR,UAAU,CACV,aAAa,GAAG,QAAQ;KACvB,MAAM,IAAI,cAAc,EAAE;AAC1B,SAAI,EAAE,OAAO,MAAO,KAAI,SAAS;MAAE,MAAM;MAAU,SAAS,EAAE;MAAS,CAAC;MACxE;;IAEJ,YAAY,EAAE,QAAQ,CAAC,UAAU;;IAEjC,UAAU,EAAE,QAAQ,CAAC,UAAU;;IAE/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;;IAE7B,UAAU,EAAE,QAAQ,CAAC,UAAU;;IAE/B,qBAAqB,EAAE,QAAQ,CAAC,UAAU;;IAE1C,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;IAC1C,CAAC,CAAC,UAAU;GACd,CAAC,CACD,UAAU;;EAEb,UAAU,EACP,OAAO,EACN,SAAS,EAAE,SAAS,CAAC,UAAU,EAChC,CAAC,CACD,UAAU;;EAEb,aAAa,EACV,OAAO,EACN,SAAS,EAAE,SAAS,CAAC,UAAU,EAChC,CAAC,CACD,UAAU;;EAEb,sBAAsB,EAAE,QAAQ,CAAC,UAAU;;EAE3C,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAEtC,OAAO,EACJ,OAAO,EACN,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU,EACxC,CAAC,CACD,UAAU;;EAEb,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,UAAU;EACrD,CAAC;AAEW,qBAAoB,EAAE,OAAO;EACxC,IAAI,EAAE,QAAQ;;EAEd,SAAS,EAAE,SAAS,CAAC,UAAU;EAC/B,MAAM,EAAE,QAAQ,CAAC,UAAU;;EAE3B,aAAa,EAAE,QAAQ,CAAC,IAAI,IAAK,CAAC,UAAU;EAC5C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;;EAElC,WAAW,EAAE,QAAQ,CAAC,UAAU;;;;;EAKhC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,OAAO,oBAAoB,UAAU;EACrC,iBAAiB,EAAE,KAAK;GAAC;GAAO;GAAW;GAAO;GAAU;GAAQ;GAAS;GAAW,CAAC,CAAC,UAAU;EACpG,kBAAkB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAS,CAAC,CAAC,UAAU;EAC5D,gBAAgB,EAAE,KAAK;GAAC;GAAO;GAAM;GAAO,CAAC,CAAC,UAAU;EACxD,sBAAsB,EAAE,QAAQ,CAAC,UAAU;EAC3C,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EACtC,OAAO,EACJ,OAAO,EACN,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU,EACxC,CAAC,CACD,UAAU;EACb,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,UAAU;EACrD,CAAC;AAEW,sBAAqB,EAAE,OAAO;;EAEzC,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,UAAU,oBAAoB,UAAU;EACxC,MAAM,EAAE,MAAM,kBAAkB,CAAC,UAAU;EAC5C,CAAC,CAAC,QAAQ,EACT,UAAU;EACR,WAAW;EACX,OAAO;EACP,WAAW;EACX,aAAa;EACb,mBAAmB;EACnB,oBAAoB;EACpB,wBAAwB;EACxB,iBAAiB;EACjB,kBAAkB;EAClB,gBAAgB;EAChB,YAAY;GACV,SAAS;GACT,MAAM;GACN,eAAe;GACf,kBAAkB;GAClB,0BAA0B;GAC1B,oBAAoB;GACpB,gBAAgB;GAChB,iBAAiB;GAClB;EACD,SAAS;GACP,SAAS;GACT,oBAAoB;GACpB,eAAe;GACf,eAAe;GAChB;EACD,SAAS,EACP,SAAS,aACV;EACF,EACF,CAAQ;AAmBI,sBAAqB,EAAE,OAAO;EACzC,SAAS,EAAE,QAAQ;EACnB,WAAW,EAAE,QAAQ,CAAC,UAAU;EAChC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EAC9C,CAAC;AAEW,qBAAoB,EAAE,OAAO;EACxC,IAAI,EAAE,QAAQ,CAAC,UAAU;EACzB,SAAS,EAAE,QAAQ;EACnB,UAAU,EAAE,QAAQ,CAAC,QAAQ,IAAI;EACjC,OAAO;EACP,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EACnC,CAAC;AAEW,wBAAuB,EAAE,MAAM,kBAAkB,CAAC,QAAQ,EAAE,CAAC;AAE7D,wBAAuB,EAAE,KAAK;EACzC;EACA;EACA;EACA;EACD,CAAC;AAEW,8BAA6B,EAAE,OAAO;EACjD,cAAc,EAAE,QAAQ,CAAC,UAAU;EACnC,YAAY,EAAE,QAAQ,CAAC,UAAU;EAClC,CAAC;AAEW,uBAAsB,EAAE,OAAO;EAC1C,SAAS,qBAAqB,QAAQ,OAAO;EAC7C,eAAe,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,UAAU;EACnE,SAAS,2BAA2B,UAAU;EAC/C,CAAC,CAAC,QAAQ,EACT,SAAS,QACV,CAAC;AAGW,wBAAuB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,QAAQ,EAC5E,UAAU;EACR,SAAS;EACT,WAAW,EAAE;EACb,gBAAgB,EAAE;EAClB,OAAO;EACP,UAAU,EACR,SAAS;GACP,WAAW;GACX,SAAS;GACT,UAAU;GACV,WAAW,EAAE;GACb,UAAU;GACV,aAAa;GACb,aAAa;GACb,cAAc;GACd,gBAAgB;GAChB,YAAY;GACb,EACF;EACD,UAAU;EACV,aAAa;EACb,aAAa;EACb,cAAc;EACd,gBAAgB;EACjB,EACF,CAAC;AAEW,6BAA4B,EAAE,OAAO;EAChD,MAAM,EAAE,KAAK;GAAC;GAAS;GAAU;GAAQ;GAAU,CAAC;EACpD,QAAQ,EAAE,QAAQ,CAAC,UAAU;;EAE7B,KAAK,EAAE,QAAQ,CAAC,UAAU;EAC1B,UAAU,EAAE,SAAS,CAAC,UAAU;EACjC,CAAC;AAIW,yBAAwB,EAAE,OAAO;EAC5C,YAAY,EAAE,QAAQ,CAAC,QAAQ,EAAE;;EAEjC,WAAW,EAAE,MAAM,0BAA0B,CAAC,QAAQ,EAAE,CAAC;EAC1D,CAAC;AAIW,0BAAyB,EAAE,OAAO;;EAE7C,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;EACzC,CAAC;AAIW,wBAAuB,EAAE,OAAO;;EAE3C,QAAQ,EAAE,KAAK,CAAC,MAAM,SAAS,CAAC,CAAC,UAAU;EAC3C,QAAQ,sBAAsB,UAAU;;EAExC,WAAW,uBAAuB,UAAU;EAC7C,CAAC;AAIW,qBAAoB,EAAE,OAAO;EACxC,KAAK,qBAAqB,UAAU;;;;;EAKpC,OAAO,EAAE,WAAW,uBAAuB;EAC5C,CAAC,CAAC,QAAQ,EACT,KAAK,EACH,QAAQ;EACN,YAAY;EACZ,WAAW,EAAE;EACd,EACF,EACF,CAAC;AAMW,8BAA6B,EACvC,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,aAAa,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;EAC/C,UAAU,EAAE,QAAQ,CAAC,QAAQ,IAAQ;EACrC,iBAAiB,EAAE,QAAQ,CAAC,QAAQ,IAAQ;;EAE5C,WAAW,EAAE,QAAQ,CAAC,UAAU;;EAEhC,gBAAgB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC1C,CAAC,CACD,UAAU;AAEA,yBAAwB,EAClC,OAAO;;AAEN,QAAQ,EAAE,SAAS,CAAC,UAAU,EAC/B,CAAC,CACD,UAAU;AAEA,6BAA4B,EACtC,OAAO;;EAEN,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;;EAE7B,iBAAiB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE/C,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE1C,eAAe,EAAE,SAAS,CAAC,UAAU;EACtC,CAAC,CACD,QAAQ;AAEE,qBAAoB,EAC9B,OAAO;EACN,MAAM,EAAE,KAAK;GAAC;GAAQ;GAAS;GAAY;GAAgB,CAAC,CAAC,QAAQ,QAAQ;EAC7E,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,UAAU,EAAE,QAAQ,CAAC,UAAU;;EAE/B,gBAAgB,EAAE,SAAS,CAAC,UAAU;EACtC,WAAW;EACX,cAAc,0BAA0B,UAAU;EACnD,CAAC,CACD,QAAQ,EACP,MAAM,SACP,CAAC;AAES,iCAAgC,EAAE,OAAO;EACpD,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC1B,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC9B,CAAC;AAEW,0BAAyB,EACnC,OAAO;EACN,MAAM,EAAE,KAAK;GAAC;GAAO;GAAS;GAAS,CAAC,CAAC,QAAQ,MAAM;EACvD,aAAa,EAAE,SAAS,CAAC,QAAQ,KAAK;EACtC,SAAS,8BAA8B,UAAU;EAClD,CAAC,CACD,QAAQ;EACP,MAAM;EACN,aAAa;EACd,CAAC;AAES,uBAAsB,EAAE,OAAO;EAC1C,KAAK,EAAE,QAAQ,CAAC,KAAK;EACrB,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,WAAW,EAAE,KAAK,CAAC,UAAU,MAAM,CAAC,CAAC,QAAQ,SAAS;EACtD,WAAW,EAAE,QAAQ,CAAC,UAAU;EAChC,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,gBAAgB,EAAE,QAAQ,CAAC,UAAU;EACtC,CAAC;AAEW,oBAAmB,EAC7B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;EACnC,cAAc,EAAE,SAAS,CAAC,QAAQ,MAAM;EACxC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC/B,CAAC,CACD,QAAQ;EACP,SAAS;EACT,cAAc;EACf,CAAC;AAES,qBAAoB,EAAE,KAAK,CAAC,SAAS,SAAS,CAAC,CAAC,QAAQ,QAAQ;AAEhE,yBAAwB,EAClC,OAAO;EACN,SAAS,EAAE,SAAS;EACpB,YAAY,EAAE,QAAQ;;EAEtB,4BAA4B,EAAE,SAAS,CAAC,UAAU,CAAC,QAAQ,MAAM;EACjE,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,cAAc,EAAE,QAAQ,CAAC,UAAU;EACnC,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,iBAAiB,EAAE,SAAS,CAAC,UAAU;EACvC,aAAa,EACV,OAAO;GACN,OAAO,EAAE,QAAQ;GACjB,KAAK,EAAE,QAAQ;GACf,UAAU,EAAE,QAAQ,CAAC,UAAU;GAChC,CAAC,CACD,UAAU;EACd,CAAC,CACD,QAAQ;EACP,SAAS;EACT,YAAY;EACZ,4BAA4B;EAC7B,CAAC;AAES,wCAAuC,EAAE,KAAK;EAAC;EAAQ;EAAO;EAAW,CAAC;AAE1E,uBAAsB,EAAE,OAAO;EAC1C,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC1B,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;EAC9B,CAAC;AAEW,sBAAqB,EAC/B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;EACnC,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,QAAQ,0BAA0B;;EAE9D,oBAAoB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;EAChD,WAAW,EAAE,SAAS,CAAC,QAAQ,MAAM;EACrC,WAAW,EAAE,QAAQ,CAAC,UAAU;EAChC,SAAS,oBAAoB,UAAU;EACxC,CAAC,CACD,QAAQ;EACP,SAAS;EACT,WAAW;EACX,WAAW;EACZ,CAAC;AASS,+BAA8B,EAAE,OAAO;;EAElD,WAAW,EAAE,QAAQ,CAAC,QAAQ,UAAU;;EAExC,UAAU,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,YAAe,CAAC,QAAQ,UAAY;;EAE7E,gBAAgB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC1C,CAAC;AAGW,yBAAwB,EAAE,OAAO,EAC5C,QAAQ,4BAA4B,UAAU,EAC/C,CAAC,CAAC,UAAU;AAGA,yBAAwB,EAAE,KAAK;EAAC;EAAQ;EAAY;EAAO;EAAW;EAAS,CAAC;AAEhF,uBAAsB,EAAE,OAAO;;EAE1C,MAAM,sBAAsB,UAAU;;EAEtC,gBAAgB,EAAE,QAAQ,CAAC,UAAU;EACrC,MAAM,EAAE,QAAQ,CAAC,UAAU;;EAE3B,MAAM,kBAAkB,UAAU;;EAElC,QAAQ,oBAAoB,UAAU;EACtC,WAAW,uBAAuB,UAAU;EAC5C,KAAK,iBAAiB,UAAU;EAChC,MAAM,kBAAkB,UAAU;EAClC,WAAW,sBAAsB,UAAU;EAC3C,mBAAmB,EAAE,QAAQ,CAAC,UAAU;EACxC,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE3C,0CAA0C,EAAE,SAAS,CAAC,UAAU;;EAEhE,gBAAgB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;;EAE9C,qBAAqB,EAAE,SAAS,CAAC,UAAU;EAC3C,UAAU;;;;;;;EAOV,yBAAyB,qCAAqC,UAAU;;EAExE,wBAAwB,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU;;EAErE,4BAA4B,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU;;EAEzE,2BAA2B,EAAE,QAAQ,CAAC,UAAU;;EAEhD,oBAAoB,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;;EAE/C,OAAO,EAAE,OAAO;GACd,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;;GAElC,cAAc,EAAE,QAAQ,CAAC,IAAI,IAAO,CAAC,IAAI,OAAY,CAAC,QAAQ,MAAW;;GAEzE,UAAU,EAAE,QAAQ,CAAC,IAAI,IAAO,CAAC,IAAI,OAAc,CAAC,QAAQ,OAAY;;GAExE,iBAAiB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,IAAO,CAAC,QAAQ,IAAI;;GAE3D,aAAa,EAAE,QAAQ,CAAC,IAAI,QAAU,CAAC,IAAI,YAAe,CAAC,QAAQ,UAAY;;GAE/E,oBAAoB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ;IAC9C;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACD,CAAC;GACH,CAAC,CAAC,UAAU;EACd,CAAC,CAAC,QAAQ;EACT,MAAM;EACN,MAAM;EACN,MAAM,EACJ,MAAM,SACP;EACD,WAAW;GACT,SAAS;GACT,YAAY;GACZ,4BAA4B;GAC7B;EACD,mBAAmB;EACnB,aAAa,EAAE;EACf,2BAA2B;EAC3B,oBAAoB;EACrB,CAAC;AAEW,oBAAmB,EAAE,OAAO;EACvC,SAAS,EAAE,SAAS,CAAC,UAAU;EAC/B,mBAAmB,EAAE,QAAQ,CAAC,UAAU;EACxC,iBAAiB,EAAE,QAAQ,CAAC,UAAU;EACtC,sBAAsB,EAAE,QAAQ,CAAC,UAAU;EAC3C,eAAe,EAAE,SAAS,CAAC,UAAU;EACtC,CAAC,CAAC,QAAQ;EACT,SAAS;EACT,mBAAmB;EACnB,iBAAiB;EACjB,sBAAsB;EACtB,eAAe;EAChB,CAAC;AAEW,yBAAwB,EAAE,OAAO,EAC5C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK,EACnC,CAAC,CAAC,QAAQ,EACT,SAAS,MACV,CAAC;AAMI,mCAAkC,EAAE,MAAM;EAC9C,EAAE,QAAQ;EACV,EAAE,QAAQ;EACV,EAAE,SAAS;EACX,EAAE,MAAM;EACR,EAAE,MAAM,EAAE,SAAS,CAAC;EACpB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC;EAClC,CAAC;AAEW,2BAA0B,EACpC,OAAO;EACN,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;EACpD,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC9B,CAAC,CACD,SAAS,gCAAgC;AAE/B,2BAA0B,EAAE,OAAO;EAC9C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,SAAS,CAAC;EACjE,CAAC;AAEW,wCAAuC,EACjD,MAAM,EAAE,KAAK;EAAC;EAAS;EAAS;EAAQ,CAAC,CAAC,CAC1C,UAAU;AAEA,iCAAgC,EAC1C,OAAO;EACN,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,cAAc;EACd,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,WAAW,EAAE,EAAE,QAAQ,MAAM,CAAC,CAAC,CAAC,UAAU;EACnE,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;EACpD,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC9B,CAAC,CACD,SAAS,gCAAgC;AAE/B,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,UAAU;EAC9C,UAAU,wBAAwB,UAAU;EAC5C,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAK,CAAC,IAAI,KAAO,CAAC,UAAU;;EAE5D,QAAQ,EAAE,MAAM,8BAA8B,CAAC,UAAU;;EAEzD,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,wBAAwB,CAAC,UAAU;;EAEnE,SAAS,wBAAwB,UAAU;EAC3C,QAAQ,wBAAwB,UAAU;EAC3C,CAAC,CACD,aAAa;AAMV,mCAAkC,EAAE,MAAM;EAC9C,EAAE,QAAQ;EACV,EAAE,QAAQ;EACV,EAAE,SAAS;EACX,EAAE,MAAM;EACR,EAAE,MAAM,EAAE,SAAS,CAAC;EACpB,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC;EAClC,CAAC;AAEW,2BAA0B,EACpC,OAAO;EACN,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC7B,CAAC,CACD,SAAS,gCAAgC;AAE/B,2BAA0B,EAAE,OAAO;EAC9C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,OAAO,EACJ,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CACxB,QAAQ;GAAC;GAAU;GAAW;GAAW;GAAO,CAAC;EACrD,CAAC;AAEW,iCAAgC,EAAE,OAAO;EACpD,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,WAAW,EAAE,SAAS,CAAC,QAAQ,KAAK;EACpC,eAAe,EAAE,SAAS,CAAC,QAAQ,MAAM;EACzC,YAAY,EAAE,SAAS,CAAC,QAAQ,KAAK;EACrC,cAAc,EAAE,SAAS,CAAC,QAAQ,KAAK;EACvC,oBAAoB,EAAE,SAAS,CAAC,QAAQ,MAAM;EAC9C,oBAAoB,EAAE,SAAS,CAAC,QAAQ,MAAM;EAC9C,WAAW,EAAE,SAAS,CAAC,QAAQ,MAAM;EACtC,CAAC;AAEW,uBAAsB,EAAE,OAAO;EAC1C,SAAS,EAAE,SAAS,CAAC,QAAQ,KAAK;EAClC,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;EAC3B,cAAc,EAAE,QAAQ,CAAC,UAAU;EACnC,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;EAC3B,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAK,CAAC,IAAI,KAAO,CAAC,UAAU;EAC7D,CAAC;AAEW,gCAA+B,EAAE,OAAO;EACnD,SAAS,EAAE,SAAS,CAAC,UAAU;EAC/B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;EAChD,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU;EAC7C,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC7B,CAAC;AAEW,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,SAAS;EAC7C,SAAS,EAAE,KAAK;GAAC;GAAO;GAAU;GAAW;GAAS,CAAC,CAAC,QAAQ,SAAS;EACzE,UAAU,wBAAwB,UAAU;EAC5C,eAAe,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,IAAI;EACnD,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAK,CAAC,IAAI,KAAO,CAAC,QAAQ,IAAM;EAChE,eAAe,6BAA6B,UAAU;EACtD,gBAAgB,8BAA8B,UAAU;;EAExD,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,wBAAwB,CAAC,UAAU;;EAEnE,SAAS,wBAAwB,UAAU;EAC3C,QAAQ,wBAAwB,UAAU;EAC1C,MAAM,oBAAoB,UAAU;EACpC,SAAS,wBAAwB,UAAU;EAC5C,CAAC,CACD,aAAa;AAMH,wBAAuB,EAAE,OAAO;;AAE3C,KAAK,gBAAgB,UAAU,EAChC,CAAC,CAAC,UAAU;AAEA,+BAA8B;AAE9B,0BAAyB,EACnC,OAAO;;EAEN,QAAQ,EAAE,MAAM,8BAA8B,CAAC,UAAU;;EAEzD,OAAO,4BAA4B,UAAU;EAC9C,CAAC,CACD,UAAU;AAaA,6BAA4B,EACtC,OAAO;;EAEN,UAAU,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;EAEtC,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;;EAExC,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;EACzC,CAAC,CACD,QAAQ;AAGE,kCAAiC,EAC3C,OAAO;;EAEN,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU;;EAEjD,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;EACrD,CAAC,CACD,QAAQ;AAQE,4BAA2B,EACrC,OAAO;;EAEN,QAAQ,EAAE,QAAQ,CAAC,UAAU;;EAE7B,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;;EAEpC,QAAQ,EAAE,QAAQ,CAAC,UAAU;;EAE7B,cAAc,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU;;EAEzC,SAAS,+BAA+B,UAAU;;EAElD,OAAO,0BAA0B,UAAU;EAC5C,CAAC,CACD,QAAQ;AASE,yBAAwB,EAAE,OAAO,EAAE,QAAQ,EAAE,yBAAyB;AAStE,iCAAgC,EAAE,OAAO;EACpD,kBAAkB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC3C,gBAAgB,EAAE,SAAS,CAAC,QAAQ,MAAM;EAC1C,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;EACtC,iBAAiB,EAAE,SAAS,CAAC,QAAQ,KAAK;EAC1C,sBAAsB,EAAE,SAAS,CAAC,QAAQ,MAAM;EACjD,CAAC;AAGW,8BAA6B,EAAE,OAAO;EACjD,QAAQ,EAAE,QAAQ,CAAC,UAAU;EAC7B,KAAK,EAAE,QAAQ,CAAC,UAAU;EAC1B,iBAAiB,EAAE,QAAQ,CAAC,UAAU;EACtC,WAAW,EAAE,QAAQ,CAAC,UAAU;EACjC,CAAC;AAMW,0BAA6D,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC;AAM9F,0BAAyB,EACnC,OAAO;;EAEN,SAAS,EAAE,SAAS,CAAC,QAAQ,MAAM;;EAEnC,kBAAkB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;;EAE9C,mBAAmB,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,GAAG;;EAEhD,wBAAwB,EAAE,QAAQ,CAAC,IAAI,IAAK,CAAC,QAAQ,EAAE;EACxD,CAAC,CACD,QAAQ,CACR,UAAU;AAGA,qBAAoB,EAC9B,OAAO;;EAEN,UAAU,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,GAAG;;EAEtD,eAAe,EAAE,QAAQ,CAAC,UAAU;;;;;EAKpC,eAAe,EAAE,SAAS,CAAC,QAAQ,KAAK;;EAExC,6BAA6B,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE;;EAEvE,gBAAgB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAM,CAAC,IAAI,KAAQ,CAAC,QAAQ,IAAO;;EAExE,uBAAuB,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,IAAQ,CAAC,QAAQ,KAAO;EAC5E,CAAC,CACD,QAAQ;AAIE,sBAAqB,EAC/B,OAAO;;EAEN,cAAc,EAAE,SAAS,CAAC,QAAQ,KAAK;;EAEvC,SAAS,EAAE,KAAK;GAAC;GAAU;GAAQ;GAAM,CAAC,CAAC,QAAQ,SAAS;;EAE5D,MAAM;EACP,CAAC,CACD,QAAQ,CACR,UAAU;AAQP,oBAAmB,EACtB,QAAQ,CACR,KAAK,CACL,QAAQ,UAAU;AACjB,MAAI;GACF,MAAM,WAAW,IAAI,IAAI,MAAM,CAAC;AAChC,UAAO,aAAa,WAAW,aAAa;UACtC;AACN,UAAO;;IAER,wCAAwC;AAEhC,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,UAAU;EACpC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM;GAAC,EAAE,QAAQ;GAAE,EAAE,QAAQ;GAAE,EAAE,SAAS;GAAC,CAAC,CAAC,CAAC,UAAU;EACpF,KAAK,EAAE,QAAQ,CAAC,UAAU;EAC1B,kBAAkB,EAAE,QAAQ,CAAC,UAAU;EACvC,KAAK,iBAAiB,UAAU;EAChC,WAAW,EAAE,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC,UAAU;EACxD,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,MAAM;GAAC,EAAE,QAAQ;GAAE,EAAE,QAAQ;GAAE,EAAE,SAAS;GAAC,CAAC,CAAC,CAAC,UAAU;EACxF,qBAAqB,EAAE,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU;EAC/D,CAAC,CACD,SAAS,EAAE,SAAS,CAAC,CACrB,aAAa,OAAO,QAAQ;EAC3B,MAAM,aAAa,OAAO,MAAM,YAAY,YAAY,MAAM,QAAQ,MAAM,CAAC,SAAS;EACtF,MAAM,SAAS,OAAO,MAAM,QAAQ,YAAY,MAAM,IAAI,MAAM,CAAC,SAAS;AAC1E,MAAI,cAAc,OAChB,KAAI,SAAS;GACX,MAAM;GACN,SAAS;GACV,CAAC;GAEJ;AAES,mBAAkB,EAC5B,OAAO;EACN,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,gBAAgB,CAAC,UAAU;EACzD,kBAAkB,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU;EACxD,CAAC,CACD,QAAQ,CACR,UAAU;AASA,gBAAe,EAAE,OAAO;EACnC,QAAQ;EACR,UAAU;EACV,SAAS;EACT,UAAU;EACV,SAAS;EACT,QAAQ,mBAAmB,UAAU;EACrC,WAAW;EACX,OAAO;EACP,KAAK;EACL,MAAM;EACN,OAAO,kBAAkB,UAAU;EACnC,YAAY,uBAAuB,QAAQ,EAAE,CAAC;;EAE9C,WAAW,sBAAsB,UAAU;EAC3C,WAAW;;EAEX,UAAU;EACV,QAAQ;EACT,CAAC,CAAC,QAAQ;EACT,QAAQ,EACN,UAAU;GACR,WAAW;GACX,OAAO;GACP,WAAW;GACX,aAAa;GACb,mBAAmB;GACnB,oBAAoB;GACpB,wBAAwB;GACxB,iBAAiB;GACjB,kBAAkB;GAClB,gBAAgB;GAChB,YAAY;IACV,SAAS;IACT,MAAM;IACN,eAAe;IACf,kBAAkB;IAClB,0BAA0B;IAC1B,oBAAoB;IACpB,gBAAgB;IAChB,iBAAiB;IAClB;GACD,SAAS;IACP,SAAS;IACT,oBAAoB;IACpB,eAAe;IACf,eAAe;IAChB;GACD,SAAS,EACP,SAAS,aACV;GACF,EACF;EACD,UAAU,EAAE;EACZ,SAAS,EACP,SAAS,QACV;EACD,UAAU,EACR,UAAU;GACR,SAAS;GACT,WAAW,EAAE;GACb,gBAAgB,EAAE;GAClB,OAAO;GACP,UAAU,EACR,SAAS;IACP,WAAW;IACX,SAAS;IACT,UAAU;IACV,WAAW,EAAE;IACb,UAAU;IACV,aAAa;IACb,aAAa;IACb,cAAc;IACd,gBAAgB;IAChB,YAAY;IACb,EACF;GACD,UAAU;GACV,aAAa;GACb,aAAa;GACb,cAAc;GACd,gBAAgB;GACjB,EACF;EACD,SAAS;GACP,MAAM;GACN,MAAM;GACN,MAAM,EACJ,MAAM,SACP;GACD,WAAW;IACT,SAAS;IACT,YAAY;IACZ,4BAA4B;IAC7B;GACD,mBAAmB;GACnB,aAAa,EAAE;GACf,2BAA2B;GAC3B,oBAAoB;GACrB;EACD,OAAO,EACL,KAAK,EACH,QAAQ;GACN,YAAY;GACZ,WAAW,EAAE;GACd,EACF,EACF;EACD,MAAM;GACJ,SAAS;GACT,mBAAmB;GACnB,iBAAiB;GACjB,sBAAsB;GACtB,eAAe;GAChB;EACD,OAAO;GACL,UAAU;GACV,eAAe;GACf,6BAA6B;GAC7B,gBAAgB;GAChB,uBAAuB;GACxB;EACD,YAAY;GACV,OAAO,EAAE;GACT,UAAU;IACR,kBAAkB;IAClB,gBAAgB;IAChB,OAAO,EAAE;IACT,iBAAiB;IACjB,sBAAsB;IACvB;GACD,OAAO,EAAE;GACV;EACD,WAAW,EACT,SAAS,MACV;EAIF,CAAC"}
package/dist/src/gateway/auth-rate-limit.d.ts CHANGED
@@ -30,6 +30,8 @@ export declare function isGatewayStrictSecurityEnabled(cfg?: {
30
30
  export declare function isLoopbackClientIp(clientIp: string | undefined): boolean;
31
31
  /** True when a browser Origin header targets the local gateway console (Electron / loopback SPA). */
32
32
  export declare function isLoopbackBrowserOrigin(origin: string | undefined): boolean;
33
+ /** Loopback gateway console in a same-machine browser (Electron embedded UI, local dev). */
34
+ export declare function isLoopbackEmbeddedBrowserClient(origin: string | undefined, clientIp: string): boolean;
33
35
  /** Browser-origin auth failures are tracked independently from CLI/server clients. */
34
36
  export declare function buildBrowserOriginRateLimitKey(origin: string, clientIp: string): string;
35
37
  /**
package/dist/src/gateway/auth-rate-limit.js CHANGED
@@ -43,6 +43,12 @@ function isLoopbackBrowserOrigin(origin) {
43
43
  return false;
44
44
  }
45
45
  }
46
+ /** Loopback gateway console in a same-machine browser (Electron embedded UI, local dev). */
47
+ function isLoopbackEmbeddedBrowserClient(origin, clientIp) {
48
+ if (!isLoopbackBrowserOrigin(origin)) return false;
49
+ if (clientIp === "unknown") return true;
50
+ return isLoopbackClientIp(clientIp);
51
+ }
46
52
  function parseBrowserOriginRateLimitKey(clientKey) {
47
53
  if (!clientKey.startsWith("browser-origin:")) return null;
48
54
  const pipeIdx = clientKey.indexOf("|");
@@ -55,7 +61,7 @@ function parseBrowserOriginRateLimitKey(clientKey) {
55
61
  function isLocalBrowserAuthClient(clientKey) {
56
62
  const parsed = parseBrowserOriginRateLimitKey(clientKey);
57
63
  if (!parsed) return false;
58
- return isLoopbackBrowserOrigin(parsed.origin) && isLoopbackClientIp(parsed.clientIp);
64
+ return isLoopbackEmbeddedBrowserClient(parsed.origin, parsed.clientIp);
59
65
  }
60
66
  /** Browser-origin auth failures are tracked independently from CLI/server clients. */
61
67
  function buildBrowserOriginRateLimitKey(origin, clientIp) {
@@ -164,7 +170,7 @@ function getClientIpFromHeaders(headers) {
164
170
  function resolveAuthRateLimitTracking(params) {
165
171
  const origin = params.origin?.trim();
166
172
  if (origin) {
167
- const localBrowserClient = isLoopbackBrowserOrigin(origin) && isLoopbackClientIp(params.clientIp);
173
+ const localBrowserClient = isLoopbackEmbeddedBrowserClient(origin, params.clientIp);
168
174
  return {
169
175
  limiter: getBrowserOriginAuthFailureRateLimiter(),
170
176
  key: buildBrowserOriginRateLimitKey(origin, params.clientIp),
@@ -181,6 +187,6 @@ function resolveAuthRateLimitTracking(params) {
181
187
  };
182
188
  }
183
189
  //#endregion
184
- export { AuthFailureRateLimiter, buildBrowserOriginRateLimitKey, getAuthFailureRateLimiter, getBrowserOriginAuthFailureRateLimiter, getClientIpFromHeaders, isAuthRateLimitGloballyDisabled, isGatewayStrictSecurityEnabled, isLoopbackBrowserOrigin, isLoopbackClientIp, resetAuthRateLimitersForTests, resolveAuthRateLimitConfig, resolveAuthRateLimitTracking };
190
+ export { AuthFailureRateLimiter, buildBrowserOriginRateLimitKey, getAuthFailureRateLimiter, getBrowserOriginAuthFailureRateLimiter, getClientIpFromHeaders, isAuthRateLimitGloballyDisabled, isGatewayStrictSecurityEnabled, isLoopbackBrowserOrigin, isLoopbackClientIp, isLoopbackEmbeddedBrowserClient, resetAuthRateLimitersForTests, resolveAuthRateLimitConfig, resolveAuthRateLimitTracking };
185
191
 
186
192
  //# sourceMappingURL=auth-rate-limit.js.map
package/dist/src/gateway/auth-rate-limit.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-rate-limit.js","names":[],"sources":["../../../src/gateway/auth-rate-limit.ts"],"sourcesContent":["/**\n * Rate limiting for failed gateway token authentication attempts (per client IP).\n */\n\nimport { isLoopbackHost } from './host.js';\n\nexport type AuthRateLimitConfig = {\n enabled: boolean;\n maxAttempts: number;\n windowMs: number;\n blockDurationMs: number;\n /** When true, loopback client IPs skip rate limiting (default). */\n exemptLoopback: boolean;\n};\n\nconst DEFAULT_CONFIG: AuthRateLimitConfig = {\n enabled: true,\n maxAttempts: 5,\n windowMs: 15 * 60 * 1000,\n blockDurationMs: 5 * 60 * 1000,\n exemptLoopback: true,\n};\n\nexport type GatewayAuthRateLimitInput = {\n enabled?: boolean;\n maxAttempts?: number;\n windowMs?: number;\n blockDurationMs?: number;\n /** OpenClaw alias for blockDurationMs. */\n lockoutMs?: number;\n exemptLoopback?: boolean;\n} | undefined;\n\nexport function resolveAuthRateLimitConfig(\n input: GatewayAuthRateLimitInput,\n): AuthRateLimitConfig {\n if (!input) {\n return { ...DEFAULT_CONFIG };\n }\n const blockDurationMs = input.blockDurationMs ?? input.lockoutMs ?? DEFAULT_CONFIG.blockDurationMs;\n return {\n enabled: input.enabled ?? DEFAULT_CONFIG.enabled,\n maxAttempts: Math.max(1, Math.floor(input.maxAttempts ?? DEFAULT_CONFIG.maxAttempts)),\n windowMs: Math.max(1000, Math.floor(input.windowMs ?? DEFAULT_CONFIG.windowMs)),\n blockDurationMs: Math.max(1000, Math.floor(blockDurationMs)),\n exemptLoopback: input.exemptLoopback ?? DEFAULT_CONFIG.exemptLoopback,\n };\n}\n\nexport function isAuthRateLimitGloballyDisabled(): boolean {\n return process.env.XOPC_AUTH_RATE_LIMIT === 'false';\n}\n\nexport function isGatewayStrictSecurityEnabled(cfg?: {\n gateway?: { security?: { strict?: boolean } };\n}): boolean {\n return (\n cfg?.gateway?.security?.strict === true ||\n process.env.XOPC_GATEWAY_STRICT_SECURITY === '1'\n );\n}\n\nexport function isLoopbackClientIp(clientIp: string | undefined): boolean {\n if (!clientIp || clientIp === 'unknown') {\n return false;\n }\n const trimmed = clientIp.trim();\n if (trimmed.includes(':') && !trimmed.includes('.')) {\n return isLoopbackHost(trimmed.replace(/^\\[/, '').replace(/\\]$/, ''));\n }\n return isLoopbackHost(trimmed.split(':')[0]);\n}\n\n/** True when a browser Origin header targets the local gateway console (Electron / loopback SPA). */\nexport function isLoopbackBrowserOrigin(origin: string | undefined): boolean {\n const trimmed = origin?.trim();\n if (!trimmed || trimmed === 'null') {\n return false;\n }\n try {\n return isLoopbackHost(new URL(trimmed).hostname);\n } catch {\n return false;\n }\n}\n\nfunction parseBrowserOriginRateLimitKey(clientKey: string): { origin: string; clientIp: string } | null {\n if (!clientKey.startsWith('browser-origin:')) {\n return null;\n }\n const pipeIdx = clientKey.indexOf('|');\n if (pipeIdx === -1) {\n return null;\n }\n return {\n origin: clientKey.slice('browser-origin:'.length, pipeIdx),\n clientIp: clientKey.slice(pipeIdx + 1),\n };\n}\n\nfunction isLocalBrowserAuthClient(clientKey: string): boolean {\n const parsed = parseBrowserOriginRateLimitKey(clientKey);\n if (!parsed) {\n return false;\n }\n return isLoopbackBrowserOrigin(parsed.origin) && isLoopbackClientIp(parsed.clientIp);\n}\n\n/** Browser-origin auth failures are tracked independently from CLI/server clients. */\nexport function buildBrowserOriginRateLimitKey(origin: string, clientIp: string): string {\n const normalizedOrigin = origin.trim().toLowerCase();\n return `browser-origin:${normalizedOrigin}|${clientIp.trim()}`;\n}\n\nfunction shouldSkipRateLimit(clientKey: string, cfg: AuthRateLimitConfig): boolean {\n if (!cfg.exemptLoopback) {\n return false;\n }\n if (clientKey.startsWith('browser-origin:')) {\n return isLocalBrowserAuthClient(clientKey);\n }\n return isLoopbackClientIp(clientKey);\n}\n\ntype IpState = {\n windowStart: number;\n count: number;\n blockedUntil?: number;\n};\n\n/**\n * Tracks failed auth attempts per IP; blocks further attempts after the threshold.\n */\nexport class AuthFailureRateLimiter {\n private readonly store = new Map<string, IpState>();\n private cleanupTimer?: NodeJS.Timeout;\n\n constructor() {\n const interval = 10 * 60 * 1000;\n this.cleanupTimer = setInterval(() => this.cleanupStale(), interval);\n this.cleanupTimer.unref?.();\n }\n\n destroy(): void {\n if (this.cleanupTimer) {\n clearInterval(this.cleanupTimer);\n this.cleanupTimer = undefined;\n }\n this.store.clear();\n }\n\n private cleanupStale(): void {\n const now = Date.now();\n const maxAge = 24 * 60 * 60 * 1000;\n for (const [ip, state] of this.store.entries()) {\n const last = state.blockedUntil ?? state.windowStart;\n if (now - last > maxAge) {\n this.store.delete(ip);\n }\n }\n }\n\n checkBlocked(\n clientKey: string,\n cfg: AuthRateLimitConfig,\n nowMs: number = Date.now(),\n ): { blocked: false } | { blocked: true; retryAfterSec: number } {\n if (shouldSkipRateLimit(clientKey, cfg)) {\n return { blocked: false };\n }\n\n const state = this.store.get(clientKey);\n if (!state?.blockedUntil) {\n return { blocked: false };\n }\n if (nowMs >= state.blockedUntil) {\n state.blockedUntil = undefined;\n state.count = 0;\n state.windowStart = nowMs;\n return { blocked: false };\n }\n return {\n blocked: true,\n retryAfterSec: Math.max(1, Math.ceil((state.blockedUntil - nowMs) / 1000)),\n };\n }\n\n recordFailure(clientKey: string, cfg: AuthRateLimitConfig, nowMs: number = Date.now()): void {\n if (shouldSkipRateLimit(clientKey, cfg)) {\n return;\n }\n\n let state = this.store.get(clientKey);\n if (!state) {\n state = { windowStart: nowMs, count: 0 };\n this.store.set(clientKey, state);\n }\n\n if (state.blockedUntil && nowMs < state.blockedUntil) {\n return;\n }\n if (state.blockedUntil && nowMs >= state.blockedUntil) {\n state.blockedUntil = undefined;\n state.count = 0;\n state.windowStart = nowMs;\n }\n\n if (nowMs - state.windowStart > cfg.windowMs) {\n state.count = 0;\n state.windowStart = nowMs;\n }\n\n state.count += 1;\n if (state.count >= cfg.maxAttempts) {\n state.blockedUntil = nowMs + cfg.blockDurationMs;\n }\n }\n\n recordSuccess(clientKey: string): void {\n this.store.delete(clientKey);\n }\n\n resetForTests(): void {\n this.store.clear();\n }\n}\n\nlet singleton: AuthFailureRateLimiter | null = null;\nlet browserOriginSingleton: AuthFailureRateLimiter | null = null;\n\nexport function getAuthFailureRateLimiter(): AuthFailureRateLimiter {\n if (!singleton) {\n singleton = new AuthFailureRateLimiter();\n }\n return singleton;\n}\n\n/** Browser-origin limiter: never exempts loopback (defense-in-depth). */\nexport function getBrowserOriginAuthFailureRateLimiter(): AuthFailureRateLimiter {\n if (!browserOriginSingleton) {\n browserOriginSingleton = new AuthFailureRateLimiter();\n }\n return browserOriginSingleton;\n}\n\nexport function resetAuthRateLimitersForTests(): void {\n getAuthFailureRateLimiter().resetForTests();\n getBrowserOriginAuthFailureRateLimiter().resetForTests();\n}\n\nexport function getClientIpFromHeaders(headers: {\n get(name: string): string | undefined;\n}): string {\n const xff = headers.get('x-forwarded-for');\n if (xff) {\n const first = xff.split(',')[0]?.trim();\n if (first) return first;\n }\n const real = headers.get('x-real-ip')?.trim();\n if (real) return real;\n const cf = headers.get('cf-connecting-ip')?.trim();\n if (cf) return cf;\n return 'unknown';\n}\n\nexport function resolveAuthRateLimitTracking(params: {\n clientIp: string;\n origin?: string | null;\n cfg: AuthRateLimitConfig;\n}): { limiter: AuthFailureRateLimiter; key: string; cfg: AuthRateLimitConfig } {\n const origin = params.origin?.trim();\n if (origin) {\n const localBrowserClient =\n isLoopbackBrowserOrigin(origin) && isLoopbackClientIp(params.clientIp);\n return {\n limiter: getBrowserOriginAuthFailureRateLimiter(),\n key: buildBrowserOriginRateLimitKey(origin, params.clientIp),\n cfg: {\n ...params.cfg,\n exemptLoopback: localBrowserClient ? params.cfg.exemptLoopback : false,\n },\n };\n }\n return {\n limiter: getAuthFailureRateLimiter(),\n key: params.clientIp,\n cfg: params.cfg,\n };\n}\n"],"mappings":";;;;;AAeA,MAAM,iBAAsC;CAC1C,SAAS;CACT,aAAa;CACb,UAAU,MAAU;CACpB,iBAAiB,MAAS;CAC1B,gBAAgB;CACjB;AAYD,SAAgB,2BACd,OACqB;AACrB,KAAI,CAAC,MACH,QAAO,EAAE,GAAG,gBAAgB;CAE9B,MAAM,kBAAkB,MAAM,mBAAmB,MAAM,aAAa,eAAe;AACnF,QAAO;EACL,SAAS,MAAM,WAAW,eAAe;EACzC,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,eAAe,eAAe,YAAY,CAAC;EACrF,UAAU,KAAK,IAAI,KAAM,KAAK,MAAM,MAAM,YAAY,eAAe,SAAS,CAAC;EAC/E,iBAAiB,KAAK,IAAI,KAAM,KAAK,MAAM,gBAAgB,CAAC;EAC5D,gBAAgB,MAAM,kBAAkB,eAAe;EACxD;;AAGH,SAAgB,kCAA2C;AACzD,QAAO,QAAQ,IAAI,yBAAyB;;AAG9C,SAAgB,+BAA+B,KAEnC;AACV,QACE,KAAK,SAAS,UAAU,WAAW,QACnC,QAAQ,IAAI,iCAAiC;;AAIjD,SAAgB,mBAAmB,UAAuC;AACxE,KAAI,CAAC,YAAY,aAAa,UAC5B,QAAO;CAET,MAAM,UAAU,SAAS,MAAM;AAC/B,KAAI,QAAQ,SAAS,IAAI,IAAI,CAAC,QAAQ,SAAS,IAAI,CACjD,QAAO,eAAe,QAAQ,QAAQ,OAAO,GAAG,CAAC,QAAQ,OAAO,GAAG,CAAC;AAEtE,QAAO,eAAe,QAAQ,MAAM,IAAI,CAAC,GAAG;;;AAI9C,SAAgB,wBAAwB,QAAqC;CAC3E,MAAM,UAAU,QAAQ,MAAM;AAC9B,KAAI,CAAC,WAAW,YAAY,OAC1B,QAAO;AAET,KAAI;AACF,SAAO,eAAe,IAAI,IAAI,QAAQ,CAAC,SAAS;SAC1C;AACN,SAAO;;;AAIX,SAAS,+BAA+B,WAAgE;AACtG,KAAI,CAAC,UAAU,WAAW,kBAAkB,CAC1C,QAAO;CAET,MAAM,UAAU,UAAU,QAAQ,IAAI;AACtC,KAAI,YAAY,GACd,QAAO;AAET,QAAO;EACL,QAAQ,UAAU,MAAM,IAA0B,QAAQ;EAC1D,UAAU,UAAU,MAAM,UAAU,EAAE;EACvC;;AAGH,SAAS,yBAAyB,WAA4B;CAC5D,MAAM,SAAS,+BAA+B,UAAU;AACxD,KAAI,CAAC,OACH,QAAO;AAET,QAAO,wBAAwB,OAAO,OAAO,IAAI,mBAAmB,OAAO,SAAS;;;AAItF,SAAgB,+BAA+B,QAAgB,UAA0B;AAEvF,QAAO,kBADkB,OAAO,MAAM,CAAC,aACE,CAAC,GAAG,SAAS,MAAM;;AAG9D,SAAS,oBAAoB,WAAmB,KAAmC;AACjF,KAAI,CAAC,IAAI,eACP,QAAO;AAET,KAAI,UAAU,WAAW,kBAAkB,CACzC,QAAO,yBAAyB,UAAU;AAE5C,QAAO,mBAAmB,UAAU;;;;;AAYtC,IAAa,yBAAb,MAAoC;CAClC,wBAAyB,IAAI,KAAsB;CACnD;CAEA,cAAc;EACZ,MAAM,WAAW,MAAU;AAC3B,OAAK,eAAe,kBAAkB,KAAK,cAAc,EAAE,SAAS;AACpE,OAAK,aAAa,SAAS;;CAG7B,UAAgB;AACd,MAAI,KAAK,cAAc;AACrB,iBAAc,KAAK,aAAa;AAChC,QAAK,eAAe,KAAA;;AAEtB,OAAK,MAAM,OAAO;;CAGpB,eAA6B;EAC3B,MAAM,MAAM,KAAK,KAAK;EACtB,MAAM,SAAS,OAAU,KAAK;AAC9B,OAAK,MAAM,CAAC,IAAI,UAAU,KAAK,MAAM,SAAS,CAE5C,KAAI,OADS,MAAM,gBAAgB,MAAM,eACxB,OACf,MAAK,MAAM,OAAO,GAAG;;CAK3B,aACE,WACA,KACA,QAAgB,KAAK,KAAK,EACqC;AAC/D,MAAI,oBAAoB,WAAW,IAAI,CACrC,QAAO,EAAE,SAAS,OAAO;EAG3B,MAAM,QAAQ,KAAK,MAAM,IAAI,UAAU;AACvC,MAAI,CAAC,OAAO,aACV,QAAO,EAAE,SAAS,OAAO;AAE3B,MAAI,SAAS,MAAM,cAAc;AAC/B,SAAM,eAAe,KAAA;AACrB,SAAM,QAAQ;AACd,SAAM,cAAc;AACpB,UAAO,EAAE,SAAS,OAAO;;AAE3B,SAAO;GACL,SAAS;GACT,eAAe,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,eAAe,SAAS,IAAK,CAAC;GAC3E;;CAGH,cAAc,WAAmB,KAA0B,QAAgB,KAAK,KAAK,EAAQ;AAC3F,MAAI,oBAAoB,WAAW,IAAI,CACrC;EAGF,IAAI,QAAQ,KAAK,MAAM,IAAI,UAAU;AACrC,MAAI,CAAC,OAAO;AACV,WAAQ;IAAE,aAAa;IAAO,OAAO;IAAG;AACxC,QAAK,MAAM,IAAI,WAAW,MAAM;;AAGlC,MAAI,MAAM,gBAAgB,QAAQ,MAAM,aACtC;AAEF,MAAI,MAAM,gBAAgB,SAAS,MAAM,cAAc;AACrD,SAAM,eAAe,KAAA;AACrB,SAAM,QAAQ;AACd,SAAM,cAAc;;AAGtB,MAAI,QAAQ,MAAM,cAAc,IAAI,UAAU;AAC5C,SAAM,QAAQ;AACd,SAAM,cAAc;;AAGtB,QAAM,SAAS;AACf,MAAI,MAAM,SAAS,IAAI,YACrB,OAAM,eAAe,QAAQ,IAAI;;CAIrC,cAAc,WAAyB;AACrC,OAAK,MAAM,OAAO,UAAU;;CAG9B,gBAAsB;AACpB,OAAK,MAAM,OAAO;;;AAItB,IAAI,YAA2C;AAC/C,IAAI,yBAAwD;AAE5D,SAAgB,4BAAoD;AAClE,KAAI,CAAC,UACH,aAAY,IAAI,wBAAwB;AAE1C,QAAO;;;AAIT,SAAgB,yCAAiE;AAC/E,KAAI,CAAC,uBACH,0BAAyB,IAAI,wBAAwB;AAEvD,QAAO;;AAGT,SAAgB,gCAAsC;AACpD,4BAA2B,CAAC,eAAe;AAC3C,yCAAwC,CAAC,eAAe;;AAG1D,SAAgB,uBAAuB,SAE5B;CACT,MAAM,MAAM,QAAQ,IAAI,kBAAkB;AAC1C,KAAI,KAAK;EACP,MAAM,QAAQ,IAAI,MAAM,IAAI,CAAC,IAAI,MAAM;AACvC,MAAI,MAAO,QAAO;;CAEpB,MAAM,OAAO,QAAQ,IAAI,YAAY,EAAE,MAAM;AAC7C,KAAI,KAAM,QAAO;CACjB,MAAM,KAAK,QAAQ,IAAI,mBAAmB,EAAE,MAAM;AAClD,KAAI,GAAI,QAAO;AACf,QAAO;;AAGT,SAAgB,6BAA6B,QAIkC;CAC7E,MAAM,SAAS,OAAO,QAAQ,MAAM;AACpC,KAAI,QAAQ;EACV,MAAM,qBACJ,wBAAwB,OAAO,IAAI,mBAAmB,OAAO,SAAS;AACxE,SAAO;GACL,SAAS,wCAAwC;GACjD,KAAK,+BAA+B,QAAQ,OAAO,SAAS;GAC5D,KAAK;IACH,GAAG,OAAO;IACV,gBAAgB,qBAAqB,OAAO,IAAI,iBAAiB;IAClE;GACF;;AAEH,QAAO;EACL,SAAS,2BAA2B;EACpC,KAAK,OAAO;EACZ,KAAK,OAAO;EACb"}
1
+ {"version":3,"file":"auth-rate-limit.js","names":[],"sources":["../../../src/gateway/auth-rate-limit.ts"],"sourcesContent":["/**\n * Rate limiting for failed gateway token authentication attempts (per client IP).\n */\n\nimport { isLoopbackHost } from './host.js';\n\nexport type AuthRateLimitConfig = {\n enabled: boolean;\n maxAttempts: number;\n windowMs: number;\n blockDurationMs: number;\n /** When true, loopback client IPs skip rate limiting (default). */\n exemptLoopback: boolean;\n};\n\nconst DEFAULT_CONFIG: AuthRateLimitConfig = {\n enabled: true,\n maxAttempts: 5,\n windowMs: 15 * 60 * 1000,\n blockDurationMs: 5 * 60 * 1000,\n exemptLoopback: true,\n};\n\nexport type GatewayAuthRateLimitInput = {\n enabled?: boolean;\n maxAttempts?: number;\n windowMs?: number;\n blockDurationMs?: number;\n /** OpenClaw alias for blockDurationMs. */\n lockoutMs?: number;\n exemptLoopback?: boolean;\n} | undefined;\n\nexport function resolveAuthRateLimitConfig(\n input: GatewayAuthRateLimitInput,\n): AuthRateLimitConfig {\n if (!input) {\n return { ...DEFAULT_CONFIG };\n }\n const blockDurationMs = input.blockDurationMs ?? input.lockoutMs ?? DEFAULT_CONFIG.blockDurationMs;\n return {\n enabled: input.enabled ?? DEFAULT_CONFIG.enabled,\n maxAttempts: Math.max(1, Math.floor(input.maxAttempts ?? DEFAULT_CONFIG.maxAttempts)),\n windowMs: Math.max(1000, Math.floor(input.windowMs ?? DEFAULT_CONFIG.windowMs)),\n blockDurationMs: Math.max(1000, Math.floor(blockDurationMs)),\n exemptLoopback: input.exemptLoopback ?? DEFAULT_CONFIG.exemptLoopback,\n };\n}\n\nexport function isAuthRateLimitGloballyDisabled(): boolean {\n return process.env.XOPC_AUTH_RATE_LIMIT === 'false';\n}\n\nexport function isGatewayStrictSecurityEnabled(cfg?: {\n gateway?: { security?: { strict?: boolean } };\n}): boolean {\n return (\n cfg?.gateway?.security?.strict === true ||\n process.env.XOPC_GATEWAY_STRICT_SECURITY === '1'\n );\n}\n\nexport function isLoopbackClientIp(clientIp: string | undefined): boolean {\n if (!clientIp || clientIp === 'unknown') {\n return false;\n }\n const trimmed = clientIp.trim();\n if (trimmed.includes(':') && !trimmed.includes('.')) {\n return isLoopbackHost(trimmed.replace(/^\\[/, '').replace(/\\]$/, ''));\n }\n return isLoopbackHost(trimmed.split(':')[0]);\n}\n\n/** True when a browser Origin header targets the local gateway console (Electron / loopback SPA). */\nexport function isLoopbackBrowserOrigin(origin: string | undefined): boolean {\n const trimmed = origin?.trim();\n if (!trimmed || trimmed === 'null') {\n return false;\n }\n try {\n return isLoopbackHost(new URL(trimmed).hostname);\n } catch {\n return false;\n }\n}\n\n/** Loopback gateway console in a same-machine browser (Electron embedded UI, local dev). */\nexport function isLoopbackEmbeddedBrowserClient(\n origin: string | undefined,\n clientIp: string,\n): boolean {\n if (!isLoopbackBrowserOrigin(origin)) {\n return false;\n }\n if (clientIp === 'unknown') {\n return true;\n }\n return isLoopbackClientIp(clientIp);\n}\n\nfunction parseBrowserOriginRateLimitKey(clientKey: string): { origin: string; clientIp: string } | null {\n if (!clientKey.startsWith('browser-origin:')) {\n return null;\n }\n const pipeIdx = clientKey.indexOf('|');\n if (pipeIdx === -1) {\n return null;\n }\n return {\n origin: clientKey.slice('browser-origin:'.length, pipeIdx),\n clientIp: clientKey.slice(pipeIdx + 1),\n };\n}\n\nfunction isLocalBrowserAuthClient(clientKey: string): boolean {\n const parsed = parseBrowserOriginRateLimitKey(clientKey);\n if (!parsed) {\n return false;\n }\n return isLoopbackEmbeddedBrowserClient(parsed.origin, parsed.clientIp);\n}\n\n/** Browser-origin auth failures are tracked independently from CLI/server clients. */\nexport function buildBrowserOriginRateLimitKey(origin: string, clientIp: string): string {\n const normalizedOrigin = origin.trim().toLowerCase();\n return `browser-origin:${normalizedOrigin}|${clientIp.trim()}`;\n}\n\nfunction shouldSkipRateLimit(clientKey: string, cfg: AuthRateLimitConfig): boolean {\n if (!cfg.exemptLoopback) {\n return false;\n }\n if (clientKey.startsWith('browser-origin:')) {\n return isLocalBrowserAuthClient(clientKey);\n }\n return isLoopbackClientIp(clientKey);\n}\n\ntype IpState = {\n windowStart: number;\n count: number;\n blockedUntil?: number;\n};\n\n/**\n * Tracks failed auth attempts per IP; blocks further attempts after the threshold.\n */\nexport class AuthFailureRateLimiter {\n private readonly store = new Map<string, IpState>();\n private cleanupTimer?: NodeJS.Timeout;\n\n constructor() {\n const interval = 10 * 60 * 1000;\n this.cleanupTimer = setInterval(() => this.cleanupStale(), interval);\n this.cleanupTimer.unref?.();\n }\n\n destroy(): void {\n if (this.cleanupTimer) {\n clearInterval(this.cleanupTimer);\n this.cleanupTimer = undefined;\n }\n this.store.clear();\n }\n\n private cleanupStale(): void {\n const now = Date.now();\n const maxAge = 24 * 60 * 60 * 1000;\n for (const [ip, state] of this.store.entries()) {\n const last = state.blockedUntil ?? state.windowStart;\n if (now - last > maxAge) {\n this.store.delete(ip);\n }\n }\n }\n\n checkBlocked(\n clientKey: string,\n cfg: AuthRateLimitConfig,\n nowMs: number = Date.now(),\n ): { blocked: false } | { blocked: true; retryAfterSec: number } {\n if (shouldSkipRateLimit(clientKey, cfg)) {\n return { blocked: false };\n }\n\n const state = this.store.get(clientKey);\n if (!state?.blockedUntil) {\n return { blocked: false };\n }\n if (nowMs >= state.blockedUntil) {\n state.blockedUntil = undefined;\n state.count = 0;\n state.windowStart = nowMs;\n return { blocked: false };\n }\n return {\n blocked: true,\n retryAfterSec: Math.max(1, Math.ceil((state.blockedUntil - nowMs) / 1000)),\n };\n }\n\n recordFailure(clientKey: string, cfg: AuthRateLimitConfig, nowMs: number = Date.now()): void {\n if (shouldSkipRateLimit(clientKey, cfg)) {\n return;\n }\n\n let state = this.store.get(clientKey);\n if (!state) {\n state = { windowStart: nowMs, count: 0 };\n this.store.set(clientKey, state);\n }\n\n if (state.blockedUntil && nowMs < state.blockedUntil) {\n return;\n }\n if (state.blockedUntil && nowMs >= state.blockedUntil) {\n state.blockedUntil = undefined;\n state.count = 0;\n state.windowStart = nowMs;\n }\n\n if (nowMs - state.windowStart > cfg.windowMs) {\n state.count = 0;\n state.windowStart = nowMs;\n }\n\n state.count += 1;\n if (state.count >= cfg.maxAttempts) {\n state.blockedUntil = nowMs + cfg.blockDurationMs;\n }\n }\n\n recordSuccess(clientKey: string): void {\n this.store.delete(clientKey);\n }\n\n resetForTests(): void {\n this.store.clear();\n }\n}\n\nlet singleton: AuthFailureRateLimiter | null = null;\nlet browserOriginSingleton: AuthFailureRateLimiter | null = null;\n\nexport function getAuthFailureRateLimiter(): AuthFailureRateLimiter {\n if (!singleton) {\n singleton = new AuthFailureRateLimiter();\n }\n return singleton;\n}\n\n/** Browser-origin limiter: never exempts loopback (defense-in-depth). */\nexport function getBrowserOriginAuthFailureRateLimiter(): AuthFailureRateLimiter {\n if (!browserOriginSingleton) {\n browserOriginSingleton = new AuthFailureRateLimiter();\n }\n return browserOriginSingleton;\n}\n\nexport function resetAuthRateLimitersForTests(): void {\n getAuthFailureRateLimiter().resetForTests();\n getBrowserOriginAuthFailureRateLimiter().resetForTests();\n}\n\nexport function getClientIpFromHeaders(headers: {\n get(name: string): string | undefined;\n}): string {\n const xff = headers.get('x-forwarded-for');\n if (xff) {\n const first = xff.split(',')[0]?.trim();\n if (first) return first;\n }\n const real = headers.get('x-real-ip')?.trim();\n if (real) return real;\n const cf = headers.get('cf-connecting-ip')?.trim();\n if (cf) return cf;\n return 'unknown';\n}\n\nexport function resolveAuthRateLimitTracking(params: {\n clientIp: string;\n origin?: string | null;\n cfg: AuthRateLimitConfig;\n}): { limiter: AuthFailureRateLimiter; key: string; cfg: AuthRateLimitConfig } {\n const origin = params.origin?.trim();\n if (origin) {\n const localBrowserClient = isLoopbackEmbeddedBrowserClient(origin, params.clientIp);\n return {\n limiter: getBrowserOriginAuthFailureRateLimiter(),\n key: buildBrowserOriginRateLimitKey(origin, params.clientIp),\n cfg: {\n ...params.cfg,\n exemptLoopback: localBrowserClient ? params.cfg.exemptLoopback : false,\n },\n };\n }\n return {\n limiter: getAuthFailureRateLimiter(),\n key: params.clientIp,\n cfg: params.cfg,\n };\n}\n"],"mappings":";;;;;AAeA,MAAM,iBAAsC;CAC1C,SAAS;CACT,aAAa;CACb,UAAU,MAAU;CACpB,iBAAiB,MAAS;CAC1B,gBAAgB;CACjB;AAYD,SAAgB,2BACd,OACqB;AACrB,KAAI,CAAC,MACH,QAAO,EAAE,GAAG,gBAAgB;CAE9B,MAAM,kBAAkB,MAAM,mBAAmB,MAAM,aAAa,eAAe;AACnF,QAAO;EACL,SAAS,MAAM,WAAW,eAAe;EACzC,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,eAAe,eAAe,YAAY,CAAC;EACrF,UAAU,KAAK,IAAI,KAAM,KAAK,MAAM,MAAM,YAAY,eAAe,SAAS,CAAC;EAC/E,iBAAiB,KAAK,IAAI,KAAM,KAAK,MAAM,gBAAgB,CAAC;EAC5D,gBAAgB,MAAM,kBAAkB,eAAe;EACxD;;AAGH,SAAgB,kCAA2C;AACzD,QAAO,QAAQ,IAAI,yBAAyB;;AAG9C,SAAgB,+BAA+B,KAEnC;AACV,QACE,KAAK,SAAS,UAAU,WAAW,QACnC,QAAQ,IAAI,iCAAiC;;AAIjD,SAAgB,mBAAmB,UAAuC;AACxE,KAAI,CAAC,YAAY,aAAa,UAC5B,QAAO;CAET,MAAM,UAAU,SAAS,MAAM;AAC/B,KAAI,QAAQ,SAAS,IAAI,IAAI,CAAC,QAAQ,SAAS,IAAI,CACjD,QAAO,eAAe,QAAQ,QAAQ,OAAO,GAAG,CAAC,QAAQ,OAAO,GAAG,CAAC;AAEtE,QAAO,eAAe,QAAQ,MAAM,IAAI,CAAC,GAAG;;;AAI9C,SAAgB,wBAAwB,QAAqC;CAC3E,MAAM,UAAU,QAAQ,MAAM;AAC9B,KAAI,CAAC,WAAW,YAAY,OAC1B,QAAO;AAET,KAAI;AACF,SAAO,eAAe,IAAI,IAAI,QAAQ,CAAC,SAAS;SAC1C;AACN,SAAO;;;;AAKX,SAAgB,gCACd,QACA,UACS;AACT,KAAI,CAAC,wBAAwB,OAAO,CAClC,QAAO;AAET,KAAI,aAAa,UACf,QAAO;AAET,QAAO,mBAAmB,SAAS;;AAGrC,SAAS,+BAA+B,WAAgE;AACtG,KAAI,CAAC,UAAU,WAAW,kBAAkB,CAC1C,QAAO;CAET,MAAM,UAAU,UAAU,QAAQ,IAAI;AACtC,KAAI,YAAY,GACd,QAAO;AAET,QAAO;EACL,QAAQ,UAAU,MAAM,IAA0B,QAAQ;EAC1D,UAAU,UAAU,MAAM,UAAU,EAAE;EACvC;;AAGH,SAAS,yBAAyB,WAA4B;CAC5D,MAAM,SAAS,+BAA+B,UAAU;AACxD,KAAI,CAAC,OACH,QAAO;AAET,QAAO,gCAAgC,OAAO,QAAQ,OAAO,SAAS;;;AAIxE,SAAgB,+BAA+B,QAAgB,UAA0B;AAEvF,QAAO,kBADkB,OAAO,MAAM,CAAC,aACE,CAAC,GAAG,SAAS,MAAM;;AAG9D,SAAS,oBAAoB,WAAmB,KAAmC;AACjF,KAAI,CAAC,IAAI,eACP,QAAO;AAET,KAAI,UAAU,WAAW,kBAAkB,CACzC,QAAO,yBAAyB,UAAU;AAE5C,QAAO,mBAAmB,UAAU;;;;;AAYtC,IAAa,yBAAb,MAAoC;CAClC,wBAAyB,IAAI,KAAsB;CACnD;CAEA,cAAc;EACZ,MAAM,WAAW,MAAU;AAC3B,OAAK,eAAe,kBAAkB,KAAK,cAAc,EAAE,SAAS;AACpE,OAAK,aAAa,SAAS;;CAG7B,UAAgB;AACd,MAAI,KAAK,cAAc;AACrB,iBAAc,KAAK,aAAa;AAChC,QAAK,eAAe,KAAA;;AAEtB,OAAK,MAAM,OAAO;;CAGpB,eAA6B;EAC3B,MAAM,MAAM,KAAK,KAAK;EACtB,MAAM,SAAS,OAAU,KAAK;AAC9B,OAAK,MAAM,CAAC,IAAI,UAAU,KAAK,MAAM,SAAS,CAE5C,KAAI,OADS,MAAM,gBAAgB,MAAM,eACxB,OACf,MAAK,MAAM,OAAO,GAAG;;CAK3B,aACE,WACA,KACA,QAAgB,KAAK,KAAK,EACqC;AAC/D,MAAI,oBAAoB,WAAW,IAAI,CACrC,QAAO,EAAE,SAAS,OAAO;EAG3B,MAAM,QAAQ,KAAK,MAAM,IAAI,UAAU;AACvC,MAAI,CAAC,OAAO,aACV,QAAO,EAAE,SAAS,OAAO;AAE3B,MAAI,SAAS,MAAM,cAAc;AAC/B,SAAM,eAAe,KAAA;AACrB,SAAM,QAAQ;AACd,SAAM,cAAc;AACpB,UAAO,EAAE,SAAS,OAAO;;AAE3B,SAAO;GACL,SAAS;GACT,eAAe,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,eAAe,SAAS,IAAK,CAAC;GAC3E;;CAGH,cAAc,WAAmB,KAA0B,QAAgB,KAAK,KAAK,EAAQ;AAC3F,MAAI,oBAAoB,WAAW,IAAI,CACrC;EAGF,IAAI,QAAQ,KAAK,MAAM,IAAI,UAAU;AACrC,MAAI,CAAC,OAAO;AACV,WAAQ;IAAE,aAAa;IAAO,OAAO;IAAG;AACxC,QAAK,MAAM,IAAI,WAAW,MAAM;;AAGlC,MAAI,MAAM,gBAAgB,QAAQ,MAAM,aACtC;AAEF,MAAI,MAAM,gBAAgB,SAAS,MAAM,cAAc;AACrD,SAAM,eAAe,KAAA;AACrB,SAAM,QAAQ;AACd,SAAM,cAAc;;AAGtB,MAAI,QAAQ,MAAM,cAAc,IAAI,UAAU;AAC5C,SAAM,QAAQ;AACd,SAAM,cAAc;;AAGtB,QAAM,SAAS;AACf,MAAI,MAAM,SAAS,IAAI,YACrB,OAAM,eAAe,QAAQ,IAAI;;CAIrC,cAAc,WAAyB;AACrC,OAAK,MAAM,OAAO,UAAU;;CAG9B,gBAAsB;AACpB,OAAK,MAAM,OAAO;;;AAItB,IAAI,YAA2C;AAC/C,IAAI,yBAAwD;AAE5D,SAAgB,4BAAoD;AAClE,KAAI,CAAC,UACH,aAAY,IAAI,wBAAwB;AAE1C,QAAO;;;AAIT,SAAgB,yCAAiE;AAC/E,KAAI,CAAC,uBACH,0BAAyB,IAAI,wBAAwB;AAEvD,QAAO;;AAGT,SAAgB,gCAAsC;AACpD,4BAA2B,CAAC,eAAe;AAC3C,yCAAwC,CAAC,eAAe;;AAG1D,SAAgB,uBAAuB,SAE5B;CACT,MAAM,MAAM,QAAQ,IAAI,kBAAkB;AAC1C,KAAI,KAAK;EACP,MAAM,QAAQ,IAAI,MAAM,IAAI,CAAC,IAAI,MAAM;AACvC,MAAI,MAAO,QAAO;;CAEpB,MAAM,OAAO,QAAQ,IAAI,YAAY,EAAE,MAAM;AAC7C,KAAI,KAAM,QAAO;CACjB,MAAM,KAAK,QAAQ,IAAI,mBAAmB,EAAE,MAAM;AAClD,KAAI,GAAI,QAAO;AACf,QAAO;;AAGT,SAAgB,6BAA6B,QAIkC;CAC7E,MAAM,SAAS,OAAO,QAAQ,MAAM;AACpC,KAAI,QAAQ;EACV,MAAM,qBAAqB,gCAAgC,QAAQ,OAAO,SAAS;AACnF,SAAO;GACL,SAAS,wCAAwC;GACjD,KAAK,+BAA+B,QAAQ,OAAO,SAAS;GAC5D,KAAK;IACH,GAAG,OAAO;IACV,gBAAgB,qBAAqB,OAAO,IAAI,iBAAiB;IAClE;GACF;;AAEH,QAAO;EACL,SAAS,2BAA2B;EACpC,KAAK,OAAO;EACZ,KAAK,OAAO;EACb"}
package/dist/src/gateway/hono/app.js CHANGED
@@ -1,8 +1,9 @@
1
1
  import { createLogger } from "../../utils/logger/index.js";
2
2
  import { init_logger } from "../../utils/logger.js";
3
- import { resolveGatewayCorsOrigins } from "../host.js";
3
+ import { resolveAllowedBrowserOrigins, resolveGatewayServiceListenPort } from "../host.js";
4
4
  import { resolveGatewayEffectiveHost } from "../../config/gateway-bind.js";
5
5
  import { maxWebchatAgentRequestBodyBytes } from "../chat-limits.js";
6
+ import { loadTunnelState } from "../../tunnel/tunnel-state.js";
6
7
  import { createFixedWindowRateLimiter } from "../../infra/rate-limit.js";
7
8
  import { buildGatewayConsoleCspHeader } from "../security/csp.js";
8
9
  import { checkBrowserOrigin } from "../security/origin-check.js";
@@ -31,14 +32,23 @@ function isExtensionGatewayUiAssetPath(path) {
31
32
  function createHonoApp(config) {
32
33
  const { service, token } = config;
33
34
  const app = new Hono();
34
- const gatewayPort = service.currentConfig.gateway.port ?? 18790;
35
- const corsOrigin = resolveGatewayCorsOrigins({
35
+ const gatewayPort = resolveGatewayServiceListenPort(service);
36
+ const resolveBrowserOrigins = () => resolveAllowedBrowserOrigins({
36
37
  configuredOrigins: service.currentConfig.gateway.corsOrigins,
37
38
  port: gatewayPort,
38
- bindHost: resolveGatewayEffectiveHost(service.currentConfig)
39
+ bindHost: resolveGatewayEffectiveHost(service.currentConfig),
40
+ tunnelPublicUrl: loadTunnelState()?.publicUrl
39
41
  });
40
- const CORS_OPTIONS = {
41
- origin: corsOrigin,
42
+ app.use(logContextMiddleware());
43
+ app.use(logger());
44
+ app.use(cors({
45
+ origin: (origin) => {
46
+ const allowed = resolveBrowserOrigins();
47
+ if (!origin) return allowed[0] ?? `http://127.0.0.1:${gatewayPort}`;
48
+ const normalized = origin.toLowerCase();
49
+ if (allowed.find((entry) => entry.toLowerCase() === normalized)) return origin;
50
+ return allowed.includes("*") ? "*" : "";
51
+ },
42
52
  allowMethods: [
43
53
  "GET",
44
54
  "POST",
@@ -55,10 +65,7 @@ function createHonoApp(config) {
55
65
  ],
56
66
  credentials: true,
57
67
  maxAge: 86400
58
- };
59
- app.use(logContextMiddleware());
60
- app.use(logger());
61
- app.use(cors(CORS_OPTIONS));
68
+ }));
62
69
  const gatewayConsoleCsp = buildGatewayConsoleCspHeader();
63
70
  app.use(createMiddleware(async (c, next) => {
64
71
  await next();
@@ -70,16 +77,15 @@ function createHonoApp(config) {
70
77
  c.header("Permissions-Policy", "camera=(), microphone=(self), geolocation=()");
71
78
  c.header("Content-Security-Policy", gatewayConsoleCsp);
72
79
  }));
73
- const allowedOrigins = Array.isArray(corsOrigin) ? corsOrigin : [corsOrigin];
74
80
  const allowHostHeaderOriginFallback = service.currentConfig.gateway?.dangerouslyAllowHostHeaderOriginFallback === true;
75
81
  app.use("/api/*", createMiddleware(async (c, next) => {
76
82
  if (isExtensionGatewayUiAssetPath(c.req.path)) return next();
77
83
  const origin = c.req.header("origin");
78
- if (!origin) return next();
84
+ if (!origin || origin.trim().toLowerCase() === "null") return next();
79
85
  const result = checkBrowserOrigin({
80
86
  requestHost: c.req.header("host"),
81
87
  origin,
82
- allowedOrigins,
88
+ allowedOrigins: resolveBrowserOrigins(),
83
89
  allowHostHeaderOriginFallback,
84
90
  isLocalClient: false
85
91
  });