agent-relay 4.0.2 → 4.0.4

package/packages/sdk/dist/provisioner/compiler.js

@@ -0,0 +1,355 @@
+import ignore from 'ignore';
+import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+const SKIPPED_DIRS = new Set(['.git', '.relay', 'node_modules']);
+function cleanPatterns(content) {
+    return content
+        .split(/\r?\n/u)
+        .map((line) => line.trim())
+        .filter((line) => line !== '' && !line.startsWith('#'));
+}
+function unique(values) {
+    const seen = new Set();
+    const result = [];
+    for (const value of values) {
+        const normalized = String(value ?? '').trim();
+        if (normalized === '' || seen.has(normalized)) {
+            continue;
+        }
+        seen.add(normalized);
+        result.push(normalized);
+    }
+    return result;
+}
+function normalizeRelativePath(value) {
+    return String(value ?? '')
+        .trim()
+        .replace(/\\/gu, '/')
+        .replace(/^\.\/+/u, '')
+        .replace(/^\/+/u, '')
+        .replace(/\/+/gu, '/');
+}
+function normalizeRelayPath(value) {
+    const normalized = normalizeRelativePath(value);
+    return normalized === '' ? '/' : `/${normalized}`;
+}
+function normalizeAclDir(relativeDir) {
+    const normalized = normalizeRelativePath(relativeDir);
+    return normalized === '' || normalized === '.' ? '/' : `/${normalized}`;
+}
+function readPatternFile(filePath) {
+    if (!existsSync(filePath)) {
+        return [];
+    }
+    return cleanPatterns(readFileSync(filePath, 'utf8'));
+}
+function createMatcher(patterns) {
+    const matcher = ignore();
+    if (patterns.length > 0) {
+        matcher.add([...patterns]);
+    }
+    return matcher;
+}
+function loadDotfileRules(projectDir, agentName) {
+    const resolvedProjectDir = path.resolve(projectDir);
+    return {
+        deny: unique([
+            ...readPatternFile(path.join(resolvedProjectDir, '.agentignore')),
+            ...readPatternFile(path.join(resolvedProjectDir, `.${agentName}.agentignore`)),
+        ]),
+        readonly: unique([
+            ...readPatternFile(path.join(resolvedProjectDir, '.agentreadonly')),
+            ...readPatternFile(path.join(resolvedProjectDir, `.${agentName}.agentreadonly`)),
+        ]),
+    };
+}
+function normalizeFileRules(permissions) {
+    return {
+        read: unique(permissions.files?.read ?? []),
+        write: unique(permissions.files?.write ?? []),
+        deny: unique(permissions.files?.deny ?? []),
+    };
+}
+function resolveScopedWorkdirPatterns(projectDir, workdir) {
+    if (!workdir) {
+        return undefined;
+    }
+    const resolvedProjectDir = path.resolve(projectDir);
+    const resolvedWorkdir = path.resolve(resolvedProjectDir, workdir);
+    const relativeWorkdir = normalizeRelativePath(path.relative(resolvedProjectDir, resolvedWorkdir));
+    if (relativeWorkdir === '' || relativeWorkdir === '.') {
+        return undefined;
+    }
+    if (relativeWorkdir === '..' || relativeWorkdir.startsWith('../')) {
+        return [];
+    }
+    return unique([relativeWorkdir, `${relativeWorkdir}/**`]);
+}
+function matchesAny(relativePath, matcher) {
+    return matcher.ignores(normalizeRelativePath(relativePath));
+}
+function walkProjectFiles(projectDir, currentDir = projectDir, files = []) {
+    const entries = readdirSync(currentDir, { withFileTypes: true }).sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+        if (entry.isDirectory() && SKIPPED_DIRS.has(entry.name)) {
+            continue;
+        }
+        const fullPath = path.join(currentDir, entry.name);
+        const relativePath = normalizeRelativePath(path.relative(projectDir, fullPath));
+        if (entry.isDirectory()) {
+            walkProjectFiles(projectDir, fullPath, files);
+            continue;
+        }
+        files.push(relativePath);
+    }
+    return files;
+}
+function buildSources(dotfileRules, preset, presetRules, fileRules, rawScopes, inherited) {
+    const sources = [];
+    if (inherited && (dotfileRules.deny.length > 0 || dotfileRules.readonly.length > 0)) {
+        sources.push({
+            type: 'dotfile',
+            label: 'dotfiles',
+            ruleCount: dotfileRules.deny.length + dotfileRules.readonly.length,
+        });
+    }
+    if (presetRules.read.length > 0 || presetRules.write.length > 0 || presetRules.deny.length > 0) {
+        sources.push({
+            type: 'preset',
+            label: `access: ${preset ?? 'readwrite'}`,
+            ruleCount: presetRules.read.length + presetRules.write.length + presetRules.deny.length,
+        });
+    }
+    if (fileRules.read.length > 0 || fileRules.write.length > 0 || fileRules.deny.length > 0) {
+        sources.push({
+            type: 'yaml',
+            label: 'permissions.files',
+            ruleCount: fileRules.read.length + fileRules.write.length + fileRules.deny.length,
+        });
+    }
+    if (rawScopes.length > 0) {
+        sources.push({
+            type: 'scope',
+            label: 'permissions.scopes',
+            ruleCount: rawScopes.length,
+        });
+    }
+    return sources;
+}
+function buildAcl(agentName, readonlyPaths, readwritePaths, deniedPaths) {
+    const aclMap = new Map();
+    const addRule = (relativePath, rule) => {
+        const aclDir = normalizeAclDir(path.posix.dirname(normalizeRelativePath(relativePath)));
+        const rules = aclMap.get(aclDir) ?? new Set();
+        rules.add(rule);
+        aclMap.set(aclDir, rules);
+    };
+    for (const relativePath of readonlyPaths) {
+        addRule(relativePath, 'read');
+    }
+    for (const relativePath of readwritePaths) {
+        addRule(relativePath, 'read');
+        addRule(relativePath, 'write');
+    }
+    const deniedDirs = new Map();
+    for (const relativePath of deniedPaths) {
+        const aclDir = normalizeAclDir(path.posix.dirname(normalizeRelativePath(relativePath)));
+        const summary = deniedDirs.get(aclDir) ?? { denied: 0, allowed: 0 };
+        summary.denied += 1;
+        deniedDirs.set(aclDir, summary);
+    }
+    for (const relativePath of [...readonlyPaths, ...readwritePaths]) {
+        const aclDir = normalizeAclDir(path.posix.dirname(normalizeRelativePath(relativePath)));
+        const summary = deniedDirs.get(aclDir) ?? { denied: 0, allowed: 0 };
+        summary.allowed += 1;
+        deniedDirs.set(aclDir, summary);
+    }
+    for (const [aclDir, summary] of deniedDirs.entries()) {
+        if (summary.denied > 0 && summary.allowed === 0) {
+            const rules = aclMap.get(aclDir) ?? new Set();
+            rules.add(`deny:agent:${agentName}`);
+            aclMap.set(aclDir, rules);
+        }
+    }
+    return Object.fromEntries([...aclMap.entries()]
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([aclDir, rules]) => [aclDir, [...rules].sort()]));
+}
+function pathsToScopes(paths, action) {
+    return unique([...paths]
+        .map((relativePath) => normalizeRelativePath(relativePath))
+        .filter((relativePath) => relativePath !== '')
+        .sort((left, right) => left.localeCompare(right))
+        .map((relativePath) => `relayfile:fs:${action}:${normalizeRelayPath(relativePath)}`));
+}
+function buildReadonlyPatterns(presetRules, dotfileRules, fileRules) {
+    const presetReadonly = presetRules.write.length === 0 ? presetRules.read : [];
+    const yamlReadonly = fileRules.read.filter((pattern) => !fileRules.write.includes(pattern));
+    return unique([...dotfileRules.readonly, ...presetReadonly, ...yamlReadonly]);
+}
+function buildReadwritePatterns(presetRules, fileRules) {
+    return unique([...presetRules.write, ...fileRules.write]);
+}
+function buildDeniedPatterns(dotfileRules, fileRules) {
+    return unique([...dotfileRules.deny, ...fileRules.deny]);
+}
+export function defaultPermissionsForPreset(preset) {
+    switch (preset) {
+        case 'lead':
+            return { access: 'full' };
+        case 'reviewer':
+        case 'analyst':
+            return { access: 'readonly' };
+        case 'worker':
+            return { access: 'readwrite' };
+        default:
+            return {};
+    }
+}
+export function expandPreset(preset, options) {
+    const scopedWorkdirPatterns = preset === 'readwrite' && options?.projectDir
+        ? resolveScopedWorkdirPatterns(options.projectDir, options.workdir)
+        : undefined;
+    switch (preset ?? 'readwrite') {
+        case 'readonly':
+            return { read: ['**'], write: [], deny: [] };
+        case 'restricted':
+            return { read: [], write: [], deny: [] };
+        case 'full':
+            return { read: ['**'], write: ['**'], deny: [] };
+        case 'readwrite':
+        default:
+            return {
+                read: scopedWorkdirPatterns ?? ['**'],
+                write: scopedWorkdirPatterns ?? ['**'],
+                deny: [],
+            };
+    }
+}
+export function globsToScopes(globs, action) {
+    return unique(globs
+        .map((glob) => normalizeRelativePath(glob))
+        .filter((glob) => glob !== '')
+        .map((glob) => `relayfile:fs:${action}:${normalizeRelayPath(glob)}`));
+}
+export function compileAgentPermissions(input) {
+    const permissions = input.permissions ?? {};
+    const effectiveAccess = permissions.access ?? 'readwrite';
+    const inherited = effectiveAccess !== 'full' && permissions.inherit !== false;
+    const projectDir = path.resolve(input.projectDir);
+    const scopedInput = input;
+    const dotfileRules = inherited ? loadDotfileRules(projectDir, input.agentName) : { deny: [], readonly: [] };
+    const presetRules = expandPreset(effectiveAccess, {
+        projectDir,
+        workdir: scopedInput.workdir,
+    });
+    const fileRules = normalizeFileRules(permissions);
+    const rawScopes = unique(permissions.scopes ?? []);
+    const dotDenyMatcher = createMatcher(dotfileRules.deny);
+    const dotReadonlyMatcher = createMatcher(dotfileRules.readonly);
+    const presetReadMatcher = createMatcher(presetRules.read);
+    const presetWriteMatcher = createMatcher(presetRules.write);
+    const fileReadMatcher = createMatcher(fileRules.read);
+    const fileWriteMatcher = createMatcher(fileRules.write);
+    const fileDenyMatcher = createMatcher(fileRules.deny);
+    const readonlyPaths = [];
+    const readwritePaths = [];
+    const deniedPaths = [];
+    for (const relativePath of walkProjectFiles(projectDir)) {
+        const dotDenied = inherited && matchesAny(relativePath, dotDenyMatcher);
+        const dotReadonly = inherited && !dotDenied && matchesAny(relativePath, dotReadonlyMatcher);
+        const yamlRead = matchesAny(relativePath, fileReadMatcher);
+        const yamlWrite = matchesAny(relativePath, fileWriteMatcher);
+        const yamlDeny = matchesAny(relativePath, fileDenyMatcher);
+        const explicitYamlGrant = yamlRead || yamlWrite;
+        if (yamlDeny) {
+            deniedPaths.push(relativePath);
+            continue;
+        }
+        if (dotDenied && !explicitYamlGrant) {
+            deniedPaths.push(relativePath);
+            continue;
+        }
+        const presetRead = matchesAny(relativePath, presetReadMatcher);
+        const presetWrite = matchesAny(relativePath, presetWriteMatcher);
+        const canRead = explicitYamlGrant || presetRead || presetWrite;
+        let canWrite = yamlWrite || presetWrite;
+        if (dotReadonly && !yamlWrite) {
+            canWrite = false;
+        }
+        if (canWrite) {
+            readwritePaths.push(relativePath);
+            continue;
+        }
+        if (canRead) {
+            readonlyPaths.push(relativePath);
+            continue;
+        }
+        deniedPaths.push(relativePath);
+    }
+    readonlyPaths.sort((left, right) => left.localeCompare(right));
+    readwritePaths.sort((left, right) => left.localeCompare(right));
+    deniedPaths.sort((left, right) => left.localeCompare(right));
+    const readonlyPatterns = buildReadonlyPatterns(presetRules, dotfileRules, fileRules);
+    const readwritePatterns = buildReadwritePatterns(presetRules, fileRules);
+    const deniedPatterns = buildDeniedPatterns(dotfileRules, fileRules);
+    const scopes = mergePermissionSources([
+        ...pathsToScopes([...readonlyPaths, ...readwritePaths], 'read'),
+        ...pathsToScopes(readwritePaths, 'write'),
+    ], [], rawScopes);
+    return {
+        agentName: input.agentName,
+        workspace: input.workspace,
+        effectiveAccess,
+        inherited,
+        sources: buildSources(dotfileRules, effectiveAccess, presetRules, fileRules, rawScopes, inherited),
+        readonlyPatterns,
+        readwritePatterns,
+        deniedPatterns,
+        readonlyPaths,
+        readwritePaths,
+        deniedPaths,
+        scopes,
+        network: permissions.network,
+        exec: permissions.exec ? [...permissions.exec] : undefined,
+        acl: buildAcl(input.agentName, readonlyPaths, readwritePaths, deniedPaths),
+        summary: {
+            readonly: readonlyPaths.length,
+            readwrite: readwritePaths.length,
+            denied: deniedPaths.length,
+            customScopes: rawScopes.length,
+        },
+    };
+}
+export function mergeAcl(compilations) {
+    const merged = new Map();
+    for (const compilation of compilations) {
+        for (const [directory, rules] of Object.entries(compilation.acl)) {
+            const bucket = merged.get(directory) ?? new Set();
+            for (const rule of rules) {
+                bucket.add(rule);
+            }
+            merged.set(directory, bucket);
+        }
+    }
+    return Object.fromEntries([...merged.entries()]
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([directory, rules]) => [directory, [...rules].sort()]));
+}
+export function resolveAgentPermissions(agentName, permissions, projectDir, workspace) {
+    return compileAgentPermissions({
+        agentName,
+        workspace,
+        projectDir,
+        permissions: permissions ?? {},
+    });
+}
+export function compileAgentScopes(input) {
+    return compileAgentPermissions(input);
+}
+export function mergePermissionSources(dotfileScopes, yamlScopes, rawScopes) {
+    return unique([...dotfileScopes, ...yamlScopes, ...rawScopes]);
+}
+export const expandAccessPreset = expandPreset;
+export const globToScopes = (globs, action, _projectDir) => globsToScopes(globs, action);
+//# sourceMappingURL=compiler.js.map

package/packages/sdk/dist/provisioner/compiler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compiler.js","sourceRoot":"","sources":["../../src/provisioner/compiler.ts"],"names":[],"mappings":"AAAA,OAAO,MAAuB,MAAM,QAAQ,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAChE,OAAO,IAAI,MAAM,WAAW,CAAC;AA4B7B,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC;AAEjE,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,OAAO;SACX,KAAK,CAAC,QAAQ,CAAC;SACf,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,MAAM,CAAC,MAAyB;IACvC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,IAAI,UAAU,KAAK,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9C,SAAS;QACX,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa;IAC1C,OAAO,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;SACvB,IAAI,EAAE;SACN,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;SACtB,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;SACpB,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,MAAM,UAAU,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAChD,OAAO,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,eAAe,CAAC,WAAmB;IAC1C,MAAM,UAAU,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;IACtD,OAAO,UAAU,KAAK,EAAE,IAAI,UAAU,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;AAC1E,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,aAAa,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,aAAa,CAAC,QAA2B;IAChD,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC;IACzB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,SAAiB;IAC7D,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAEpD,OAAO;QACL,IAAI,EAAE,MAAM,CAAC;YACX,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,cAAc,CAAC,CAAC;YACjE,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAI,SAAS,cAAc,CAAC,CAAC;SAC/E,CAAC;QACF,QAAQ,EAAE,MAAM,CAAC;YACf,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;YACnE,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAI,SAAS,gBAAgB,CAAC,CAAC;SACjF,CAAC;KACH,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,WAA6B;IACvD,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAC3C,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC;QAC7C,IAAI,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,UAAkB,EAAE,OAAgB;IACxE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAC;IAClE,MAAM,eAAe,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC,CAAC;IAElG,IAAI,eAAe,KAAK,EAAE,IAAI,eAAe,KAAK,GAAG,EAAE,CAAC;QACtD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,eAAe,KAAK,IAAI,IAAI,eAAe,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAClE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,MAAM,CAAC,CAAC,eAAe,EAAE,GAAG,eAAe,KAAK,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU,CAAC,YAAoB,EAAE,OAAe;IACvD,OAAO,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,UAAU,GAAG,UAAU,EAAE,QAAkB,EAAE;IACzF,MAAM,OAAO,GAAG,WAAW,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CACpF,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CACpC,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,WAAW,EAAE,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,SAAS;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;QAEhF,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,gBAAgB,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC9C,SAAS;QACX,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CACnB,YAA0B,EAC1B,MAAkC,EAClC,WAA2B,EAC3B,SAA8B,EAC9B,SAA4B,EAC5B,SAAkB;IAElB,MAAM,OAAO,GAAuB,EAAE,CAAC;IAEvC,IAAI,SAAS,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;QACpF,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,UAAU;YACjB,SAAS,EAAE,YAAY,CAAC,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,MAAM;SACnE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/F,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,WAAW,MAAM,IAAI,WAAW,EAAE;YACzC,SAAS,EAAE,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM;SACxF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzF,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,mBAAmB;YAC1B,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM;SAClF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,OAAO;YACb,KAAK,EAAE,oBAAoB;YAC3B,SAAS,EAAE,SAAS,CAAC,MAAM;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CACf,SAAiB,EACjB,aAAgC,EAChC,cAAiC,EACjC,WAA8B;IAE9B,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE9C,MAAM,OAAO,GAAG,CAAC,YAAoB,EAAE,IAAY,EAAQ,EAAE;QAC3D,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxF,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;QACtD,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAChB,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC,CAAC;IAEF,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC9B,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,GAAG,EAA+C,CAAC;IAC1E,KAAK,MAAM,YAAY,IAAI,WAAW,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxF,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACpE,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;QACpB,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,CAAC,EAAE,CAAC;QACjE,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxF,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACpE,OAAO,CAAC,OAAO,IAAI,CAAC,CAAC;QACrB,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QACrD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;YACtD,KAAK,CAAC,GAAG,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,WAAW,CACvB,CAAC,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;SAClB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SACpD,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAwB,EAAE,MAAkB;IACjE,OAAO,MAAM,CACX,CAAC,GAAG,KAAK,CAAC;SACP,GAAG,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC;SAC1D,MAAM,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,YAAY,KAAK,EAAE,CAAC;SAC7C,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SAChD,GAAG,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,gBAAgB,MAAM,IAAI,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC,CACvF,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,WAA2B,EAC3B,YAA0B,EAC1B,SAA8B;IAE9B,MAAM,cAAc,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9E,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5F,OAAO,MAAM,CAAC,CAAC,GAAG,YAAY,CAAC,QAAQ,EAAE,GAAG,cAAc,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,sBAAsB,CAAC,WAA2B,EAAE,SAA8B;IACzF,OAAO,MAAM,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,mBAAmB,CAAC,YAA0B,EAAE,SAA8B;IACrF,OAAO,MAAM,CAAC,CAAC,GAAG,YAAY,CAAC,IAAI,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAA+B;IACzE,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAC5B,KAAK,UAAU,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QAChC,KAAK,QAAQ;YACX,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QACjC;YACE,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,MAAkC,EAClC,OAAmD;IAEnD,MAAM,qBAAqB,GACzB,MAAM,KAAK,WAAW,IAAI,OAAO,EAAE,UAAU;QAC3C,CAAC,CAAC,4BAA4B,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC;QACnE,CAAC,CAAC,SAAS,CAAC;IAEhB,QAAQ,MAAM,IAAI,WAAW,EAAE,CAAC;QAC9B,KAAK,UAAU;YACb,OAAO,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QAC/C,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QAC3C,KAAK,MAAM;YACT,OAAO,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACnD,KAAK,WAAW,CAAC;QACjB;YACE,OAAO;gBACL,IAAI,EAAE,qBAAqB,IAAI,CAAC,IAAI,CAAC;gBACrC,KAAK,EAAE,qBAAqB,IAAI,CAAC,IAAI,CAAC;gBACtC,IAAI,EAAE,EAAE;aACT,CAAC;IACN,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAe,EAAE,MAAkB;IAC/D,OAAO,MAAM,CACX,KAAK;SACF,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;SAC1C,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC;SAC7B,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,MAAM,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CACvE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,KAAmB;IACzD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC;IAC5C,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,IAAI,WAAW,CAAC;IAC1D,MAAM,SAAS,GAAG,eAAe,KAAK,MAAM,IAAI,WAAW,CAAC,OAAO,KAAK,KAAK,CAAC;IAC9E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,KAAgC,CAAC;IAErD,MAAM,YAAY,GAAG,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC5G,MAAM,WAAW,GAAG,YAAY,CAAC,eAAe,EAAE;QAChD,UAAU;QACV,OAAO,EAAE,WAAW,CAAC,OAAO;KAC7B,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAEnD,MAAM,cAAc,GAAG,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACxD,MAAM,kBAAkB,GAAG,aAAa,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,iBAAiB,GAAG,aAAa,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,kBAAkB,GAAG,aAAa,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IAC5D,MAAM,eAAe,GAAG,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACtD,MAAM,gBAAgB,GAAG,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACxD,MAAM,eAAe,GAAG,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,KAAK,MAAM,YAAY,IAAI,gBAAgB,CAAC,UAAU,CAAC,EAAE,CAAC;QACxD,MAAM,SAAS,GAAG,SAAS,IAAI,UAAU,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QACxE,MAAM,WAAW,GAAG,SAAS,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QAC5F,MAAM,QAAQ,GAAG,UAAU,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,UAAU,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAC3D,MAAM,iBAAiB,GAAG,QAAQ,IAAI,SAAS,CAAC;QAEhD,IAAI,QAAQ,EAAE,CAAC;YACb,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC/B,SAAS;QACX,CAAC;QAED,IAAI,SAAS,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC/B,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,UAAU,CAAC,YAAY,EAAE,iBAAiB,CAAC,CAAC;QAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QAEjE,MAAM,OAAO,GAAG,iBAAiB,IAAI,UAAU,IAAI,WAAW,CAAC;QAC/D,IAAI,QAAQ,GAAG,SAAS,IAAI,WAAW,CAAC;QAExC,IAAI,WAAW,IAAI,CAAC,SAAS,EAAE,CAAC;YAC9B,QAAQ,GAAG,KAAK,CAAC;QACnB,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAClC,SAAS;QACX,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,SAAS;QACX,CAAC;QAED,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;IAED,aAAa,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/D,cAAc,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAE7D,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,WAAW,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACrF,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACzE,MAAM,cAAc,GAAG,mBAAmB,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAEpE,MAAM,MAAM,GAAG,sBAAsB,CACnC;QACE,GAAG,aAAa,CAAC,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,CAAC,EAAE,MAAM,CAAC;QAC/D,GAAG,aAAa,CAAC,cAAc,EAAE,OAAO,CAAC;KAC1C,EACD,EAAE,EACF,SAAS,CACV,CAAC;IAEF,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,eAAe;QACf,SAAS;QACT,OAAO,EAAE,YAAY,CAAC,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;QAClG,gBAAgB;QAChB,iBAAiB;QACjB,cAAc;QACd,aAAa;QACb,cAAc;QACd,WAAW;QACX,MAAM;QACN,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;QAC1D,GAAG,EAAE,QAAQ,CAAC,KAAK,CAAC,SAAS,EAAE,aAAa,EAAE,cAAc,EAAE,WAAW,CAAC;QAC1E,OAAO,EAAE;YACP,QAAQ,EAAE,aAAa,CAAC,MAAM;YAC9B,SAAS,EAAE,cAAc,CAAC,MAAM;YAChC,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,YAAY,EAAE,SAAS,CAAC,MAAM;SAC/B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,YAAiD;IACxE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE9C,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACjE,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;YAC1D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACnB,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,WAAW,CACvB,CAAC,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;SAClB,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SACpD,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAC/D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,SAAiB,EACjB,WAAyC,EACzC,UAAkB,EAClB,SAAiB;IAEjB,OAAO,uBAAuB,CAAC;QAC7B,SAAS;QACT,SAAS;QACT,UAAU;QACV,WAAW,EAAE,WAAW,IAAI,EAAE;KAC/B,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAmB;IACpD,OAAO,uBAAuB,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,aAAuB,EACvB,UAAoB,EACpB,SAAmB;IAEnB,OAAO,MAAM,CAAC,CAAC,GAAG,aAAa,EAAE,GAAG,UAAU,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAC/C,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,KAAe,EAAE,MAAkB,EAAE,WAAoB,EAAY,EAAE,CAClG,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC"}

package/packages/sdk/dist/provisioner/index.d.ts

@@ -0,0 +1,9 @@
+import type { ProvisionResult, WorkflowProvisionConfig } from './types.js';
+export * from './compiler.js';
+export * from './mount.js';
+export * from './seeder.js';
+export * from './token.js';
+export * from './types.js';
+export * from './audit.js';
+export declare function provisionWorkflowAgents(config: WorkflowProvisionConfig): Promise<ProvisionResult>;
+//# sourceMappingURL=index.d.ts.map

package/packages/sdk/dist/provisioner/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/provisioner/index.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAKV,eAAe,EAEf,uBAAuB,EACxB,MAAM,YAAY,CAAC;AAEpB,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AA+F3B,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,eAAe,CAAC,CAqNvG"}

package/packages/sdk/dist/provisioner/index.js

@@ -0,0 +1,266 @@
+import { existsSync, readdirSync } from 'node:fs';
+import path from 'node:path';
+import { getDefaultPermissionAuditPath, PermissionAuditLog } from './audit.js';
+import { compileAgentScopes } from './compiler.js';
+import { ensureRelayfileMount } from './mount.js';
+import { createWorkspaceIfNeeded, seedWorkspace, seedWorkflowAcls } from './seeder.js';
+import { DEFAULT_ADMIN_AGENT_NAME, DEFAULT_ADMIN_SCOPES, mintAgentToken } from './token.js';
+export * from './compiler.js';
+export * from './mount.js';
+export * from './seeder.js';
+export * from './token.js';
+export * from './types.js';
+export * from './audit.js';
+const DEFAULT_AGENT_NAME = 'default-agent';
+function discoverAgentNames(projectDir) {
+    if (!existsSync(projectDir)) {
+        return [DEFAULT_AGENT_NAME];
+    }
+    const agentNames = new Set();
+    for (const entry of readdirSync(projectDir)) {
+        const match = entry.match(/^\.(.+)\.(agentignore|agentreadonly)$/u);
+        if (match?.[1]) {
+            agentNames.add(match[1]);
+        }
+    }
+    const discovered = [...agentNames].sort((left, right) => left.localeCompare(right));
+    return discovered.length > 0 ? discovered : [DEFAULT_AGENT_NAME];
+}
+function resolveAgents(config) {
+    const configuredAgents = Object.entries(config.agents ?? {});
+    if (configuredAgents.length > 0) {
+        return configuredAgents.map(([name, permissions]) => ({
+            name,
+            permissions: permissions ?? {},
+            resolutionSource: 'configured',
+        }));
+    }
+    return discoverAgentNames(config.projectDir).map((name) => ({
+        name,
+        permissions: {},
+        resolutionSource: 'auto-discovered',
+    }));
+}
+function buildSummary(compilations) {
+    return compilations.reduce((summary, compiled) => ({
+        readonly: summary.readonly + compiled.summary.readonly,
+        readwrite: summary.readwrite + compiled.summary.readwrite,
+        denied: summary.denied + compiled.summary.denied,
+        customScopes: summary.customScopes + compiled.summary.customScopes,
+    }), {
+        readonly: 0,
+        readwrite: 0,
+        denied: 0,
+        customScopes: 0,
+    });
+}
+function buildAgentResult(projectDir, name, token, compiled, mountPoint) {
+    return {
+        name,
+        tokenPath: path.resolve(projectDir, '.relay', 'tokens', `${name}.jwt`),
+        token,
+        scopes: [...compiled.scopes],
+        compiled,
+        mountPoint,
+    };
+}
+function sanitizePathComponent(value) {
+    return value.replace(/[^a-zA-Z0-9._-]+/g, '-');
+}
+function countAclDirectories(compilations) {
+    const directories = new Set();
+    for (const compilation of compilations) {
+        for (const directory of Object.keys(compilation.acl)) {
+            directories.add(directory);
+        }
+    }
+    return directories.size;
+}
+export async function provisionWorkflowAgents(config) {
+    const audit = new PermissionAuditLog();
+    const auditPath = getDefaultPermissionAuditPath(config.projectDir);
+    try {
+        const agents = resolveAgents(config);
+        const tokens = new Map();
+        const scopes = new Map();
+        const mounts = new Map();
+        const agentResults = {};
+        const compilations = [];
+        const compiledByAgent = new Map();
+        for (const agent of agents) {
+            audit.log({
+                agentName: agent.name,
+                action: 'resolve',
+                details: {
+                    source: agent.resolutionSource,
+                    workspace: config.workspace,
+                    permissionKeys: Object.keys(agent.permissions).sort(),
+                },
+            });
+            const compiled = compileAgentScopes({
+                agentName: agent.name,
+                workspace: config.workspace,
+                projectDir: config.projectDir,
+                permissions: agent.permissions,
+            });
+            const token = mintAgentToken({
+                secret: config.secret,
+                agentName: agent.name,
+                workspace: config.workspace,
+                scopes: compiled.scopes,
+                ttlSeconds: config.tokenTtlSeconds,
+            });
+            audit.log({
+                agentName: agent.name,
+                action: 'mint',
+                details: {
+                    workspace: config.workspace,
+                    jwtPath: path.resolve(config.projectDir, '.relay', 'tokens', `${agent.name}.jwt`),
+                    scopeCount: compiled.scopes.length,
+                    scopes: [...compiled.scopes],
+                    ttlSeconds: config.tokenTtlSeconds ?? null,
+                },
+            });
+            tokens.set(agent.name, token);
+            scopes.set(agent.name, [...compiled.scopes]);
+            compilations.push(compiled);
+            compiledByAgent.set(agent.name, compiled);
+        }
+        const adminScopes = [...(config.adminScopes ?? DEFAULT_ADMIN_SCOPES)];
+        const adminToken = mintAgentToken({
+            secret: config.secret,
+            agentName: DEFAULT_ADMIN_AGENT_NAME,
+            workspace: config.workspace,
+            scopes: adminScopes,
+            ttlSeconds: config.tokenTtlSeconds,
+        });
+        audit.log({
+            agentName: DEFAULT_ADMIN_AGENT_NAME,
+            action: 'mint',
+            details: {
+                workspace: config.workspace,
+                role: 'admin',
+                scopeCount: adminScopes.length,
+                scopes: adminScopes,
+                ttlSeconds: config.tokenTtlSeconds ?? null,
+            },
+        });
+        let seededAclCount = 0;
+        let seededFileCount = 0;
+        if (!config.skipSeeding) {
+            await createWorkspaceIfNeeded(config.relayfileBaseUrl, adminToken, config.workspace);
+            audit.log({
+                agentName: DEFAULT_ADMIN_AGENT_NAME,
+                action: 'seed',
+                details: {
+                    workspace: config.workspace,
+                    step: 'workspace',
+                    relayfileBaseUrl: config.relayfileBaseUrl,
+                },
+            });
+            seededFileCount = await seedWorkspace(config.relayfileBaseUrl, adminToken, config.workspace, config.projectDir, config.excludeDirs ?? []);
+            audit.log({
+                agentName: DEFAULT_ADMIN_AGENT_NAME,
+                action: 'seed',
+                details: {
+                    workspace: config.workspace,
+                    step: 'files',
+                    projectDir: config.projectDir,
+                    excludeDirs: config.excludeDirs ?? [],
+                    fileCount: seededFileCount,
+                },
+            });
+            await seedWorkflowAcls({
+                relayfileUrl: config.relayfileBaseUrl,
+                adminToken,
+                workspace: config.workspace,
+                agents: compilations.map((compilation) => ({
+                    name: compilation.agentName,
+                    acl: compilation.acl,
+                })),
+            });
+            seededAclCount = countAclDirectories(compilations);
+            audit.log({
+                agentName: DEFAULT_ADMIN_AGENT_NAME,
+                action: 'seed',
+                details: {
+                    workspace: config.workspace,
+                    step: 'acl',
+                    directoryCount: seededAclCount,
+                    agentCount: compilations.length,
+                },
+            });
+        }
+        if (!config.skipMount) {
+            const mountRoot = path.resolve(config.mountBaseDir ?? path.join(config.projectDir, '.relay'));
+            try {
+                for (const agent of agents) {
+                    const token = tokens.get(agent.name);
+                    const compiled = compiledByAgent.get(agent.name);
+                    if (!token || !compiled) {
+                        continue;
+                    }
+                    const mountHandle = await ensureRelayfileMount({
+                        binaryPath: config.mountBinaryPath,
+                        relayfileUrl: config.relayfileBaseUrl,
+                        workspace: config.workspace,
+                        token,
+                        mountPoint: path.join(mountRoot, `workspace-${sanitizePathComponent(config.workspace)}-${sanitizePathComponent(agent.name)}`),
+                    });
+                    mounts.set(agent.name, mountHandle);
+                    agentResults[agent.name] = buildAgentResult(config.projectDir, agent.name, token, compiled, mountHandle.mountPoint);
+                }
+            }
+            catch (mountError) {
+                for (const [, mount] of mounts) {
+                    try {
+                        if (typeof mount.stop === 'function') {
+                            await mount.stop();
+                        }
+                    }
+                    catch {
+                        // Best-effort cleanup — ignore individual stop failures.
+                    }
+                }
+                mounts.clear();
+                throw mountError;
+            }
+        }
+        else {
+            for (const agent of agents) {
+                const token = tokens.get(agent.name);
+                const compiled = compiledByAgent.get(agent.name);
+                if (!token || !compiled) {
+                    continue;
+                }
+                agentResults[agent.name] = buildAgentResult(config.projectDir, agent.name, token, compiled);
+            }
+        }
+        return {
+            agents: agentResults,
+            agentNames: agents.map((agent) => agent.name),
+            adminToken,
+            seededFileCount,
+            seededAclCount,
+            summary: buildSummary(compilations),
+            mounts,
+            tokens,
+            scopes,
+        };
+    }
+    finally {
+        try {
+            await audit.writeTo(auditPath);
+        }
+        catch (error) {
+            if (config.verbose) {
+                const message = error instanceof Error ? error.message : String(error);
+                console.warn(`Failed to write permission audit to ${auditPath}: ${message}`);
+            }
+        }
+        if (config.verbose) {
+            console.info(audit.summary());
+        }
+    }
+}
+//# sourceMappingURL=index.js.map