agents 0.10.0 → 0.10.2

package/dist/compaction-helpers-BdQbZiML.d.ts

@@ -0,0 +1,441 @@
+import { ToolSet } from "ai";
+
+//#region src/experimental/memory/session/types.d.ts
+/**
+ * Minimal message part shape used by Session internals.
+ * Vercel AI SDK's `UIMessagePart` is structurally compatible.
+ */
+interface SessionMessagePart {
+  type: string;
+  text?: string;
+  toolCallId?: string;
+  toolName?: string;
+  input?: unknown;
+  output?: unknown;
+  state?: string;
+  result?: unknown;
+}
+/**
+ * Minimal message shape used by Session internals.
+ * Vercel AI SDK's `UIMessage` is structurally compatible — you can pass
+ * `UIMessage` objects directly without conversion.
+ */
+interface SessionMessage {
+  id: string;
+  role: string;
+  parts: SessionMessagePart[];
+  createdAt?: Date;
+}
+/**
+ * Options for creating a Session.
+ */
+interface SessionOptions {
+  /** Context blocks for the system prompt. */
+  context?: ContextConfig[];
+  /** Provider for persisting the frozen system prompt. */
+  promptStore?: WritableContextProvider;
+}
+//#endregion
+//#region src/experimental/memory/session/provider.d.ts
+interface SearchResult {
+  id: string;
+  role: string;
+  content: string;
+  createdAt?: string;
+  sessionId?: string;
+}
+interface StoredCompaction {
+  id: string;
+  summary: string;
+  fromMessageId: string;
+  toMessageId: string;
+  createdAt: string;
+}
+/**
+ * Session storage provider.
+ * Messages are tree-structured via parentId for branching.
+ */
+interface SessionProvider {
+  getMessage(id: string): SessionMessage | null;
+  /**
+   * Get conversation as a path from root to leaf.
+   * Applies compaction overlays. If leafId is null, uses the latest leaf.
+   */
+  getHistory(leafId?: string | null): SessionMessage[];
+  getLatestLeaf(): SessionMessage | null;
+  getBranches(messageId: string): SessionMessage[];
+  getPathLength(leafId?: string | null): number;
+  /**
+   * Append a message. Parented to the latest leaf unless parentId is provided.
+   * Idempotent — same message.id twice is a no-op.
+   */
+  appendMessage(message: SessionMessage, parentId?: string | null): void;
+  updateMessage(message: SessionMessage): void;
+  deleteMessages(messageIds: string[]): void;
+  clearMessages(): void;
+  addCompaction(
+    summary: string,
+    fromMessageId: string,
+    toMessageId: string
+  ): StoredCompaction;
+  getCompactions(): StoredCompaction[];
+  searchMessages?(query: string, limit?: number): SearchResult[];
+}
+//#endregion
+//#region src/experimental/memory/session/providers/agent.d.ts
+interface SqlProvider {
+  sql<T = Record<string, string | number | boolean | null>>(
+    strings: TemplateStringsArray,
+    ...values: (string | number | boolean | null)[]
+  ): T[];
+}
+declare class AgentSessionProvider implements SessionProvider {
+  private agent;
+  private initialized;
+  private sessionId;
+  /**
+   * @param agent - Agent or any object with a `sql` tagged template method
+   * @param sessionId - Optional session ID to isolate multiple sessions in the same DO.
+   *                    Messages are filtered by session_id within shared tables.
+   */
+  constructor(agent: SqlProvider, sessionId?: string);
+  private ensureTable;
+  getMessage(id: string): SessionMessage | null;
+  getHistory(leafId?: string | null): SessionMessage[];
+  getLatestLeaf(): SessionMessage | null;
+  getBranches(messageId: string): SessionMessage[];
+  getPathLength(leafId?: string | null): number;
+  appendMessage(message: SessionMessage, parentId?: string | null): void;
+  updateMessage(message: SessionMessage): void;
+  deleteMessages(messageIds: string[]): void;
+  clearMessages(): void;
+  addCompaction(
+    summary: string,
+    fromMessageId: string,
+    toMessageId: string
+  ): StoredCompaction;
+  getCompactions(): StoredCompaction[];
+  searchMessages(query: string, limit?: number): SearchResult[];
+  private latestLeafRow;
+  private indexFTS;
+  private deleteFTS;
+  private applyCompactions;
+  private parse;
+  private parseRows;
+}
+//#endregion
+//#region src/experimental/memory/session/search.d.ts
+/**
+ * Storage interface for searchable context.
+ *
+ * - `get()` returns a summary of indexed content (rendered into system prompt)
+ * - `search(query)` full-text search (via search_context tool)
+ * - `set(key, content)` indexes content under a key (via set_context tool)
+ */
+interface SearchProvider extends ContextProvider {
+  search(query: string): Promise<string | null>;
+  set?(key: string, content: string): Promise<void>;
+}
+/**
+ * Check if a provider is a SearchProvider (has a `search` method).
+ */
+declare function isSearchProvider(
+  provider: unknown
+): provider is SearchProvider;
+/**
+ * SearchProvider backed by Durable Object SQLite with FTS5.
+ *
+ * - `get()` returns a count of indexed entries
+ * - `search(query)` full-text search using FTS5
+ * - `set(key, content)` indexes or replaces content under a key
+ *
+ * Each instance uses a namespaced FTS5 table to avoid collisions
+ * with the session message search.
+ *
+ * @example
+ * ```ts
+ * Session.create(this)
+ *   .withContext("knowledge", {
+ *     provider: new AgentSearchProvider(this)
+ *   })
+ * ```
+ */
+declare class AgentSearchProvider implements SearchProvider {
+  private agent;
+  private label;
+  private initialized;
+  constructor(agent: SqlProvider);
+  init(label: string): void;
+  private ensureTable;
+  get(): Promise<string | null>;
+  search(query: string): Promise<string | null>;
+  set(key: string, content: string): Promise<void>;
+  private deleteFTS;
+}
+//#endregion
+//#region src/experimental/memory/session/skills.d.ts
+/**
+ * Storage interface for skill collections.
+ *
+ * - `get()` returns metadata listing (rendered into system prompt)
+ * - `load(key)` fetches full content (via load_context tool)
+ * - `set(key, content, description?)` writes an entry (via set_context tool)
+ */
+interface SkillProvider extends ContextProvider {
+  load(key: string): Promise<string | null>;
+  set?(key: string, content: string, description?: string): Promise<void>;
+}
+/**
+ * Check if a provider is a SkillProvider (has a `load` method).
+ */
+declare function isSkillProvider(provider: unknown): provider is SkillProvider;
+/**
+ * SkillProvider backed by an R2 bucket.
+ *
+ * - `get()` returns a metadata listing of all skills (key + description)
+ * - `load(key)` fetches a skill's full content
+ * - `set(key, content, description?)` writes a skill
+ *
+ * Descriptions are pulled from R2 custom metadata (`description` key).
+ * If a prefix is provided, it is prepended on storage operations and
+ * stripped from keys in metadata.
+ *
+ * @example
+ * ```ts
+ * const skills = new R2SkillProvider(env.SKILLS_BUCKET, { prefix: "skills/" });
+ * ```
+ */
+declare class R2SkillProvider implements SkillProvider {
+  private bucket;
+  private prefix;
+  constructor(
+    bucket: R2Bucket,
+    options?: {
+      prefix?: string;
+    }
+  );
+  get(): Promise<string | null>;
+  load(key: string): Promise<string | null>;
+  set(key: string, content: string, description?: string): Promise<void>;
+}
+//#endregion
+//#region src/experimental/memory/session/context.d.ts
+/**
+ * Base storage interface for a context block.
+ * A provider with only `get()` is readonly.
+ */
+interface ContextProvider {
+  get(): Promise<string | null>;
+  /** Called by the context system to provide the block label before first use. */
+  init?(label: string): void;
+}
+/**
+ * Writable context provider — extends ContextProvider with `set()`.
+ * Blocks backed by this provider are writable via the `set_context` tool.
+ */
+interface WritableContextProvider extends ContextProvider {
+  set(content: string): Promise<void>;
+}
+/**
+ * Check if a provider is writable (has a `set` method).
+ */
+declare function isWritableProvider(
+  provider: unknown
+): provider is WritableContextProvider;
+/**
+ * Configuration for a context block.
+ */
+interface ContextConfig {
+  /** Block label — used as key and in tool descriptions */
+  label: string;
+  /** Human-readable description (shown to AI in tool) */
+  description?: string;
+  /** Maximum tokens allowed. Enforced on set. */
+  maxTokens?: number;
+  /** Storage provider. Determines block behavior:
+   *  - ContextProvider (get only) → readonly
+   *  - WritableContextProvider (get+set) → writable via set_context
+   *  - SkillProvider (get+load+set?) → on-demand via load_context
+   *  - SearchProvider (get+search+set?) → searchable via search_context
+   *  If omitted, auto-wired to writable SQLite when using builder. */
+  provider?:
+    | ContextProvider
+    | WritableContextProvider
+    | SkillProvider
+    | SearchProvider;
+}
+/**
+ * A loaded context block with computed token count.
+ */
+interface ContextBlock {
+  label: string;
+  description?: string;
+  content: string;
+  tokens: number;
+  maxTokens?: number;
+  /** True if provider is writable (has set) */
+  writable: boolean;
+  /** True if backed by a SkillProvider */
+  isSkill: boolean;
+  /** True if backed by a SearchProvider */
+  isSearchable: boolean;
+}
+//#endregion
+//#region src/experimental/memory/utils/compaction-helpers.d.ts
+/** Prefix for all compaction messages (overlays and summaries) */
+declare const COMPACTION_PREFIX = "compaction_";
+/** Check if a message is a compaction message */
+declare function isCompactionMessage(msg: SessionMessage): boolean;
+/**
+ * Align a boundary index forward to avoid splitting tool call/result groups.
+ * If the boundary falls between an assistant message with tool calls and its
+ * tool results, move it forward past the results.
+ */
+declare function alignBoundaryForward(
+  messages: SessionMessage[],
+  idx: number
+): number;
+/**
+ * Align a boundary index backward to avoid splitting tool call/result groups.
+ * If the boundary falls in the middle of tool results, move it backward to
+ * include the assistant message that made the calls.
+ */
+declare function alignBoundaryBackward(
+  messages: SessionMessage[],
+  idx: number
+): number;
+/**
+ * Find the compression end boundary using a token budget for the tail.
+ * Walks backward from the end, accumulating tokens until budget is reached.
+ * Returns the index where compression should stop (everything from this
+ * index onward is protected).
+ *
+ * @param messages All messages
+ * @param headEnd Index where the protected head ends (compression starts here)
+ * @param tailTokenBudget Maximum tokens to keep in the tail
+ * @param minTailMessages Minimum messages to protect in the tail (fallback)
+ */
+declare function findTailCutByTokens(
+  messages: SessionMessage[],
+  headEnd: number,
+  tailTokenBudget?: number,
+  minTailMessages?: number
+): number;
+/**
+ * Fix orphaned tool call/result pairs after compaction.
+ *
+ * Two failure modes:
+ * 1. Tool result references a call_id whose assistant tool_call was removed
+ *    → Remove the orphaned result
+ * 2. Assistant has tool_calls whose results were dropped
+ *    → Add stub results so the API doesn't error
+ *
+ * @param messages Messages after compaction
+ * @returns Sanitized messages with no orphaned pairs
+ */
+declare function sanitizeToolPairs(
+  messages: SessionMessage[]
+): SessionMessage[];
+/**
+ * Compute a summary token budget based on the content being compressed.
+ * 20% of the compressed content, clamped to 2K-8K tokens.
+ */
+declare function computeSummaryBudget(messages: SessionMessage[]): number;
+/**
+ * Build a prompt for LLM summarization of compressed messages.
+ *
+ * @param messages Messages to summarize
+ * @param previousSummary Previous summary for iterative updates (or null for first compaction)
+ * @param budget Target token count for the summary
+ */
+declare function buildSummaryPrompt(
+  messages: SessionMessage[],
+  previousSummary: string | null,
+  budget: number
+): string;
+/**
+ * Result of a compaction function — describes the overlay to store.
+ */
+interface CompactResult {
+  /** First message ID in the compacted range */
+  fromMessageId: string;
+  /** Last message ID in the compacted range */
+  toMessageId: string;
+  /** Summary text to store as the overlay */
+  summary: string;
+}
+interface CompactOptions {
+  /**
+   * Function to call the LLM for summarization.
+   * Takes a user prompt string, returns the LLM's text response.
+   */
+  summarize: (prompt: string) => Promise<string>;
+  /** Number of head messages to protect (default: 2) */
+  protectHead?: number;
+  /** Token budget for tail protection (default: 20000) */
+  tailTokenBudget?: number;
+  /** Minimum tail messages to protect (default: 2) */
+  minTailMessages?: number;
+}
+/**
+ * Reference compaction implementation.
+ *
+ * Implements the full hermes-style compaction algorithm:
+ * 1. Protect head messages (first N)
+ * 2. Protect tail by token budget (walk backward)
+ * 3. Align boundaries to tool call groups
+ * 4. Summarize middle section with LLM (structured format)
+ * 5. Sanitize orphaned tool pairs
+ * 6. Iterative summary updates on subsequent compactions
+ *
+ * @example
+ * ```typescript
+ * import { createCompactFunction } from "agents/experimental/memory/utils";
+ *
+ * const session = new Session(provider, {
+ *   compaction: {
+ *     tokenThreshold: 100000,
+ *     fn: createCompactFunction({
+ *       summarize: (prompt) => generateText({ model, prompt }).then(r => r.text)
+ *     })
+ *   }
+ * });
+ * ```
+ */
+declare function createCompactFunction(
+  opts: CompactOptions
+): (messages: SessionMessage[]) => Promise<CompactResult | null>;
+//#endregion
+export {
+  SessionOptions as A,
+  AgentSessionProvider as C,
+  StoredCompaction as D,
+  SessionProvider as E,
+  SessionMessage as O,
+  isSearchProvider as S,
+  SearchResult as T,
+  R2SkillProvider as _,
+  alignBoundaryForward as a,
+  AgentSearchProvider as b,
+  createCompactFunction as c,
+  sanitizeToolPairs as d,
+  ContextBlock as f,
+  isWritableProvider as g,
+  WritableContextProvider as h,
+  alignBoundaryBackward as i,
+  SessionMessagePart as k,
+  findTailCutByTokens as l,
+  ContextProvider as m,
+  CompactOptions as n,
+  buildSummaryPrompt as o,
+  ContextConfig as p,
+  CompactResult as r,
+  computeSummaryBudget as s,
+  COMPACTION_PREFIX as t,
+  isCompactionMessage as u,
+  SkillProvider as v,
+  SqlProvider as w,
+  SearchProvider as x,
+  isSkillProvider as y
+};
+//# sourceMappingURL=compaction-helpers-BdQbZiML.d.ts.map

package/dist/email.js

@@ -114,11 +114,10 @@ async function signAgentHeaders(secret, agentName, agentId) {
 	if (agentName.includes(":")) throw new Error("agentName cannot contain colons");
 	if (agentId.includes(":")) throw new Error("agentId cannot contain colons");
 	const timestamp = Math.floor(Date.now() / 1e3).toString();
-	const signature = await computeAgentSignature(secret, agentName, agentId, timestamp);
 	return {
 		"X-Agent-Name": agentName,
 		"X-Agent-ID": agentId,
-		"X-Agent-Sig": signature,
+		"X-Agent-Sig": await computeAgentSignature(secret, agentName, agentId, timestamp),
 		"X-Agent-Sig-Ts": timestamp
 	};
 }

package/dist/email.js.map

@@ -1 +1 @@
-{"version":3,"file":"email.js","names":[],"sources":["../src/email.ts"],"sourcesContent":["/**\n * Email routing types, resolvers, and signing utilities for Agents\n */\n\n// Re-export AgentEmail type\nexport type { AgentEmail } from \"./internal_context\";\n\n// ============================================================================\n// Email header utilities\n// ============================================================================\n\n/**\n * Header object as returned by postal-mime and similar email parsing libraries.\n * Each header has a lowercase key and a string value.\n */\nexport type EmailHeader = {\n  /** Lowercase header name (e.g., \"content-type\", \"x-custom-header\") */\n  key: string;\n  /** Header value */\n  value: string;\n};\n\n/**\n * Check if an email appears to be an auto-reply based on standard headers.\n * Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.\n *\n * @param headers - Headers array from postal-mime Email.headers or similar format\n * @returns true if email appears to be an auto-reply\n *\n * @example\n * ```typescript\n * if (isAutoReplyEmail(parsed.headers)) {\n *   // Skip processing auto-replies\n *   return;\n * }\n * ```\n */\nexport function isAutoReplyEmail(headers: EmailHeader[]): boolean {\n  return headers.some((h) => {\n    const key = h.key.toLowerCase();\n    const value = h.value.toLowerCase();\n\n    // RFC 3834: Auto-Submitted header\n    // \"no\" means normal (human-sent) email, anything else indicates auto-reply\n    if (key === \"auto-submitted\") {\n      return value !== \"no\";\n    }\n\n    // X-Auto-Response-Suppress: any value indicates sender doesn't want auto-replies\n    if (key === \"x-auto-response-suppress\") {\n      return true;\n    }\n\n    // Precedence: only bulk/junk/list indicate automated/mass mail\n    if (key === \"precedence\") {\n      return value === \"bulk\" || value === \"junk\" || value === \"list\";\n    }\n\n    return false;\n  });\n}\n\n// ============================================================================\n// Signing utilities\n// ============================================================================\n\n/** Default signature expiration: 30 days in seconds */\nexport const DEFAULT_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;\n\n/** Maximum allowed clock skew for future timestamps: 5 minutes */\nconst MAX_CLOCK_SKEW_SECONDS = 5 * 60;\n\n/**\n * Compute HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param timestamp - Unix timestamp in seconds\n * @returns Base64-encoded HMAC signature\n */\nasync function computeAgentSignature(\n  secret: string,\n  agentName: string,\n  agentId: string,\n  timestamp: string\n): Promise<string> {\n  const encoder = new TextEncoder();\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    encoder.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"]\n  );\n  const data = encoder.encode(`${agentName}:${agentId}:${timestamp}`);\n  const signature = await crypto.subtle.sign(\"HMAC\", key, data);\n  return btoa(String.fromCharCode(...new Uint8Array(signature)));\n}\n\n/**\n * Result of signature verification\n */\ntype SignatureVerificationResult =\n  | { valid: true }\n  | { valid: false; reason: \"expired\" | \"invalid\" | \"malformed_timestamp\" };\n\n/**\n * Verify HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param signature - Base64-encoded signature to verify\n * @param timestamp - Unix timestamp in seconds when signature was created\n * @param maxAgeSeconds - Maximum age of signature in seconds (default: 30 days)\n * @returns Verification result with reason if invalid\n */\nasync function verifyAgentSignature(\n  secret: string,\n  agentName: string,\n  agentId: string,\n  signature: string,\n  timestamp: string,\n  maxAgeSeconds: number = DEFAULT_MAX_AGE_SECONDS\n): Promise<SignatureVerificationResult> {\n  try {\n    // Validate timestamp format\n    const timestampNum = Number.parseInt(timestamp, 10);\n    if (Number.isNaN(timestampNum)) {\n      return { valid: false, reason: \"malformed_timestamp\" };\n    }\n\n    // Check timestamp validity\n    const now = Math.floor(Date.now() / 1000);\n\n    // Reject timestamps too far in the future (prevents extending signature validity)\n    if (timestampNum > now + MAX_CLOCK_SKEW_SECONDS) {\n      return { valid: false, reason: \"invalid\" };\n    }\n\n    // Check if signature has expired\n    if (now - timestampNum > maxAgeSeconds) {\n      return { valid: false, reason: \"expired\" };\n    }\n\n    const expected = await computeAgentSignature(\n      secret,\n      agentName,\n      agentId,\n      timestamp\n    );\n    // Constant-time comparison to prevent timing attacks\n    if (expected.length !== signature.length) {\n      return { valid: false, reason: \"invalid\" };\n    }\n    let result = 0;\n    for (let i = 0; i < expected.length; i++) {\n      result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n    }\n    if (result !== 0) {\n      return { valid: false, reason: \"invalid\" };\n    }\n    return { valid: true };\n  } catch (error) {\n    console.warn(\"[agents] Signature verification error:\", error);\n    return { valid: false, reason: \"invalid\" };\n  }\n}\n\n/**\n * Sign agent routing headers for secure reply flows.\n * Use this when sending outbound emails to ensure replies can be securely routed back.\n *\n * @param secret - Secret key for HMAC signing (store in environment variables)\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts\n *\n * @example\n * ```typescript\n * const headers = await signAgentHeaders(env.EMAIL_SECRET, \"MyAgent\", this.name);\n * // Use these headers when sending outbound emails\n * ```\n */\nexport async function signAgentHeaders(\n  secret: string,\n  agentName: string,\n  agentId: string\n): Promise<Record<string, string>> {\n  if (!secret) {\n    throw new Error(\"secret is required for signing agent headers\");\n  }\n  if (!agentName) {\n    throw new Error(\"agentName is required for signing agent headers\");\n  }\n  if (!agentId) {\n    throw new Error(\"agentId is required for signing agent headers\");\n  }\n  // Reject colons to prevent signature confusion attacks\n  // (signature payload uses colon as delimiter: \"agentName:agentId:timestamp\")\n  if (agentName.includes(\":\")) {\n    throw new Error(\"agentName cannot contain colons\");\n  }\n  if (agentId.includes(\":\")) {\n    throw new Error(\"agentId cannot contain colons\");\n  }\n\n  const timestamp = Math.floor(Date.now() / 1000).toString();\n  const signature = await computeAgentSignature(\n    secret,\n    agentName,\n    agentId,\n    timestamp\n  );\n  return {\n    \"X-Agent-Name\": agentName,\n    \"X-Agent-ID\": agentId,\n    \"X-Agent-Sig\": signature,\n    \"X-Agent-Sig-Ts\": timestamp\n  };\n}\n\n// ============================================================================\n// Email routing types and resolvers\n// ============================================================================\n\nexport type EmailResolverResult = {\n  agentName: string;\n  agentId: string;\n  /** @internal Indicates this resolver requires secure reply signing */\n  _secureRouted?: boolean;\n} | null;\n\nexport type EmailResolver<Env> = (\n  email: ForwardableEmailMessage,\n  env: Env\n) => Promise<EmailResolverResult>;\n\n/**\n * Reason for signature verification failure\n */\nexport type SignatureFailureReason =\n  | \"missing_headers\"\n  | \"expired\"\n  | \"invalid\"\n  | \"malformed_timestamp\";\n\n/**\n * Options for createSecureReplyEmailResolver\n */\nexport type SecureReplyResolverOptions = {\n  /**\n   * Maximum age of signature in seconds.\n   * Signatures older than this will be rejected.\n   * Default: 30 days (2592000 seconds)\n   */\n  maxAge?: number;\n  /**\n   * Callback invoked when signature verification fails.\n   * Useful for logging and debugging.\n   */\n  onInvalidSignature?: (\n    email: ForwardableEmailMessage,\n    reason: SignatureFailureReason\n  ) => void;\n};\n\n/**\n * @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).\n * @throws Always throws an error with migration guidance.\n */\nexport function createHeaderBasedEmailResolver<Env>(): EmailResolver<Env> {\n  throw new Error(\n    \"createHeaderBasedEmailResolver has been removed due to a security vulnerability. \" +\n      \"It trusted attacker-controlled email headers for routing, enabling IDOR attacks.\\n\\n\" +\n      \"Migration options:\\n\" +\n      \"  - For inbound mail: use createAddressBasedEmailResolver(agentName)\\n\" +\n      \"  - For reply flows: use createSecureReplyEmailResolver(secret) with signed headers\\n\\n\" +\n      \"See https://github.com/cloudflare/agents/blob/main/docs/email.md for details.\"\n  );\n}\n\n/**\n * Create a resolver for routing email replies with signature verification.\n * This resolver verifies that replies contain a valid HMAC signature, preventing\n * attackers from routing emails to arbitrary agent instances.\n *\n * @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)\n * @param options - Optional configuration for signature verification\n * @returns A function that resolves the agent to route the email to, or null if signature is invalid\n *\n * @example\n * ```typescript\n * // In your email handler\n * const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {\n *   maxAge: 7 * 24 * 60 * 60, // 7 days\n *   onInvalidSignature: (email, reason) => {\n *     console.warn(`Invalid signature from ${email.from}: ${reason}`);\n *   }\n * });\n * const addressResolver = createAddressBasedEmailResolver(\"MyAgent\");\n *\n * await routeAgentEmail(email, env, {\n *   resolver: async (email, env) => {\n *     // Try secure reply routing first\n *     const replyRouting = await secureResolver(email, env);\n *     if (replyRouting) return replyRouting;\n *     // Fall back to address-based routing\n *     return addressResolver(email, env);\n *   }\n * });\n * ```\n */\nexport function createSecureReplyEmailResolver<Env>(\n  secret: string,\n  options?: SecureReplyResolverOptions\n): EmailResolver<Env> {\n  if (!secret) {\n    throw new Error(\"secret is required for createSecureReplyEmailResolver\");\n  }\n\n  const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE_SECONDS;\n  const onInvalidSignature = options?.onInvalidSignature;\n\n  return async (email: ForwardableEmailMessage, _env: Env) => {\n    const agentName = email.headers.get(\"x-agent-name\");\n    const agentId = email.headers.get(\"x-agent-id\");\n    const signature = email.headers.get(\"x-agent-sig\");\n    const timestamp = email.headers.get(\"x-agent-sig-ts\");\n\n    if (!agentName || !agentId || !signature || !timestamp) {\n      onInvalidSignature?.(email, \"missing_headers\");\n      return null;\n    }\n\n    const result = await verifyAgentSignature(\n      secret,\n      agentName,\n      agentId,\n      signature,\n      timestamp,\n      maxAge\n    );\n\n    if (!result.valid) {\n      onInvalidSignature?.(email, result.reason);\n      return null;\n    }\n\n    return { agentName, agentId, _secureRouted: true };\n  };\n}\n\n/**\n * Create a resolver that uses the email address to determine the agent to route the email to\n * @param defaultAgentName The default agent name to use if the email address does not contain a sub-address\n * @returns A function that resolves the agent to route the email to\n */\nexport function createAddressBasedEmailResolver<Env>(\n  defaultAgentName: string\n): EmailResolver<Env> {\n  return async (email: ForwardableEmailMessage, _env: Env) => {\n    // Length limits per RFC 5321: local part max 64 chars, domain max 253 chars\n    const emailMatch = email.to.match(\n      /^([^+@]{1,64})(?:\\+([^@]{1,64}))?@(.{1,253})$/\n    );\n    if (!emailMatch) {\n      return null;\n    }\n\n    const [, localPart, subAddress] = emailMatch;\n\n    if (subAddress) {\n      return {\n        agentName: localPart,\n        agentId: subAddress\n      };\n    }\n\n    // Option 2: Use defaultAgentName namespace, localPart as agentId\n    // Common for catch-all email routing to a single EmailAgent namespace\n    return {\n      agentName: defaultAgentName,\n      agentId: localPart\n    };\n  };\n}\n\n/**\n * Create a resolver that uses the agentName and agentId to determine the agent to route the email to\n * @param agentName The name of the agent to route the email to\n * @param agentId The id of the agent to route the email to\n * @returns A function that resolves the agent to route the email to\n */\nexport function createCatchAllEmailResolver<Env>(\n  agentName: string,\n  agentId: string\n): EmailResolver<Env> {\n  return async () => ({ agentName, agentId });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAqCA,SAAgB,iBAAiB,SAAiC;AAChE,QAAO,QAAQ,MAAM,MAAM;EACzB,MAAM,MAAM,EAAE,IAAI,aAAa;EAC/B,MAAM,QAAQ,EAAE,MAAM,aAAa;AAInC,MAAI,QAAQ,iBACV,QAAO,UAAU;AAInB,MAAI,QAAQ,2BACV,QAAO;AAIT,MAAI,QAAQ,aACV,QAAO,UAAU,UAAU,UAAU,UAAU,UAAU;AAG3D,SAAO;GACP;;;AAQJ,MAAa,0BAA0B,MAAU,KAAK;;AAGtD,MAAM,yBAAyB;;;;;;;;;AAU/B,eAAe,sBACb,QACA,WACA,SACA,WACiB;CACjB,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,OAAO,CACT;CACD,MAAM,OAAO,QAAQ,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,YAAY;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,KAAK;AAC7D,QAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,UAAU,CAAC,CAAC;;;;;;;;;;;;AAoBhE,eAAe,qBACb,QACA,WACA,SACA,WACA,WACA,gBAAwB,yBACc;AACtC,KAAI;EAEF,MAAM,eAAe,OAAO,SAAS,WAAW,GAAG;AACnD,MAAI,OAAO,MAAM,aAAa,CAC5B,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAuB;EAIxD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAGzC,MAAI,eAAe,MAAM,uBACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAI5C,MAAI,MAAM,eAAe,cACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAG5C,MAAM,WAAW,MAAM,sBACrB,QACA,WACA,SACA,UACD;AAED,MAAI,SAAS,WAAW,UAAU,OAChC,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAE5C,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,IACnC,WAAU,SAAS,WAAW,EAAE,GAAG,UAAU,WAAW,EAAE;AAE5D,MAAI,WAAW,EACb,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAE5C,SAAO,EAAE,OAAO,MAAM;UACf,OAAO;AACd,UAAQ,KAAK,0CAA0C,MAAM;AAC7D,SAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;;;;;;;;;;;;;;;;;;AAmB9C,eAAsB,iBACpB,QACA,WACA,SACiC;AACjC,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,+CAA+C;AAEjE,KAAI,CAAC,UACH,OAAM,IAAI,MAAM,kDAAkD;AAEpE,KAAI,CAAC,QACH,OAAM,IAAI,MAAM,gDAAgD;AAIlE,KAAI,UAAU,SAAS,IAAI,CACzB,OAAM,IAAI,MAAM,kCAAkC;AAEpD,KAAI,QAAQ,SAAS,IAAI,CACvB,OAAM,IAAI,MAAM,gCAAgC;CAGlD,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,CAAC,UAAU;CAC1D,MAAM,YAAY,MAAM,sBACtB,QACA,WACA,SACA,UACD;AACD,QAAO;EACL,gBAAgB;EAChB,cAAc;EACd,eAAe;EACf,kBAAkB;EACnB;;;;;;AAoDH,SAAgB,iCAA0D;AACxE,OAAM,IAAI,MACR,saAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCH,SAAgB,+BACd,QACA,SACoB;AACpB,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,wDAAwD;CAG1E,MAAM,SAAS,SAAS,UAAA;CACxB,MAAM,qBAAqB,SAAS;AAEpC,QAAO,OAAO,OAAgC,SAAc;EAC1D,MAAM,YAAY,MAAM,QAAQ,IAAI,eAAe;EACnD,MAAM,UAAU,MAAM,QAAQ,IAAI,aAAa;EAC/C,MAAM,YAAY,MAAM,QAAQ,IAAI,cAAc;EAClD,MAAM,YAAY,MAAM,QAAQ,IAAI,iBAAiB;AAErD,MAAI,CAAC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,WAAW;AACtD,wBAAqB,OAAO,kBAAkB;AAC9C,UAAO;;EAGT,MAAM,SAAS,MAAM,qBACnB,QACA,WACA,SACA,WACA,WACA,OACD;AAED,MAAI,CAAC,OAAO,OAAO;AACjB,wBAAqB,OAAO,OAAO,OAAO;AAC1C,UAAO;;AAGT,SAAO;GAAE;GAAW;GAAS,eAAe;GAAM;;;;;;;;AAStD,SAAgB,gCACd,kBACoB;AACpB,QAAO,OAAO,OAAgC,SAAc;EAE1D,MAAM,aAAa,MAAM,GAAG,MAC1B,gDACD;AACD,MAAI,CAAC,WACH,QAAO;EAGT,MAAM,GAAG,WAAW,cAAc;AAElC,MAAI,WACF,QAAO;GACL,WAAW;GACX,SAAS;GACV;AAKH,SAAO;GACL,WAAW;GACX,SAAS;GACV;;;;;;;;;AAUL,SAAgB,4BACd,WACA,SACoB;AACpB,QAAO,aAAa;EAAE;EAAW;EAAS"}
+{"version":3,"file":"email.js","names":[],"sources":["../src/email.ts"],"sourcesContent":["/**\n * Email routing types, resolvers, and signing utilities for Agents\n */\n\n// Re-export AgentEmail type\nexport type { AgentEmail } from \"./internal_context\";\n\n// ============================================================================\n// Email header utilities\n// ============================================================================\n\n/**\n * Header object as returned by postal-mime and similar email parsing libraries.\n * Each header has a lowercase key and a string value.\n */\nexport type EmailHeader = {\n  /** Lowercase header name (e.g., \"content-type\", \"x-custom-header\") */\n  key: string;\n  /** Header value */\n  value: string;\n};\n\n/**\n * Check if an email appears to be an auto-reply based on standard headers.\n * Checks for Auto-Submitted (RFC 3834), X-Auto-Response-Suppress, and Precedence headers.\n *\n * @param headers - Headers array from postal-mime Email.headers or similar format\n * @returns true if email appears to be an auto-reply\n *\n * @example\n * ```typescript\n * if (isAutoReplyEmail(parsed.headers)) {\n *   // Skip processing auto-replies\n *   return;\n * }\n * ```\n */\nexport function isAutoReplyEmail(headers: EmailHeader[]): boolean {\n  return headers.some((h) => {\n    const key = h.key.toLowerCase();\n    const value = h.value.toLowerCase();\n\n    // RFC 3834: Auto-Submitted header\n    // \"no\" means normal (human-sent) email, anything else indicates auto-reply\n    if (key === \"auto-submitted\") {\n      return value !== \"no\";\n    }\n\n    // X-Auto-Response-Suppress: any value indicates sender doesn't want auto-replies\n    if (key === \"x-auto-response-suppress\") {\n      return true;\n    }\n\n    // Precedence: only bulk/junk/list indicate automated/mass mail\n    if (key === \"precedence\") {\n      return value === \"bulk\" || value === \"junk\" || value === \"list\";\n    }\n\n    return false;\n  });\n}\n\n// ============================================================================\n// Signing utilities\n// ============================================================================\n\n/** Default signature expiration: 30 days in seconds */\nexport const DEFAULT_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;\n\n/** Maximum allowed clock skew for future timestamps: 5 minutes */\nconst MAX_CLOCK_SKEW_SECONDS = 5 * 60;\n\n/**\n * Compute HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param timestamp - Unix timestamp in seconds\n * @returns Base64-encoded HMAC signature\n */\nasync function computeAgentSignature(\n  secret: string,\n  agentName: string,\n  agentId: string,\n  timestamp: string\n): Promise<string> {\n  const encoder = new TextEncoder();\n  const key = await crypto.subtle.importKey(\n    \"raw\",\n    encoder.encode(secret),\n    { name: \"HMAC\", hash: \"SHA-256\" },\n    false,\n    [\"sign\"]\n  );\n  const data = encoder.encode(`${agentName}:${agentId}:${timestamp}`);\n  const signature = await crypto.subtle.sign(\"HMAC\", key, data);\n  return btoa(String.fromCharCode(...new Uint8Array(signature)));\n}\n\n/**\n * Result of signature verification\n */\ntype SignatureVerificationResult =\n  | { valid: true }\n  | { valid: false; reason: \"expired\" | \"invalid\" | \"malformed_timestamp\" };\n\n/**\n * Verify HMAC-SHA256 signature for agent routing headers\n * @param secret - Secret key for HMAC\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @param signature - Base64-encoded signature to verify\n * @param timestamp - Unix timestamp in seconds when signature was created\n * @param maxAgeSeconds - Maximum age of signature in seconds (default: 30 days)\n * @returns Verification result with reason if invalid\n */\nasync function verifyAgentSignature(\n  secret: string,\n  agentName: string,\n  agentId: string,\n  signature: string,\n  timestamp: string,\n  maxAgeSeconds: number = DEFAULT_MAX_AGE_SECONDS\n): Promise<SignatureVerificationResult> {\n  try {\n    // Validate timestamp format\n    const timestampNum = Number.parseInt(timestamp, 10);\n    if (Number.isNaN(timestampNum)) {\n      return { valid: false, reason: \"malformed_timestamp\" };\n    }\n\n    // Check timestamp validity\n    const now = Math.floor(Date.now() / 1000);\n\n    // Reject timestamps too far in the future (prevents extending signature validity)\n    if (timestampNum > now + MAX_CLOCK_SKEW_SECONDS) {\n      return { valid: false, reason: \"invalid\" };\n    }\n\n    // Check if signature has expired\n    if (now - timestampNum > maxAgeSeconds) {\n      return { valid: false, reason: \"expired\" };\n    }\n\n    const expected = await computeAgentSignature(\n      secret,\n      agentName,\n      agentId,\n      timestamp\n    );\n    // Constant-time comparison to prevent timing attacks\n    if (expected.length !== signature.length) {\n      return { valid: false, reason: \"invalid\" };\n    }\n    let result = 0;\n    for (let i = 0; i < expected.length; i++) {\n      result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n    }\n    if (result !== 0) {\n      return { valid: false, reason: \"invalid\" };\n    }\n    return { valid: true };\n  } catch (error) {\n    console.warn(\"[agents] Signature verification error:\", error);\n    return { valid: false, reason: \"invalid\" };\n  }\n}\n\n/**\n * Sign agent routing headers for secure reply flows.\n * Use this when sending outbound emails to ensure replies can be securely routed back.\n *\n * @param secret - Secret key for HMAC signing (store in environment variables)\n * @param agentName - Name of the agent\n * @param agentId - ID of the agent instance\n * @returns Headers object with X-Agent-Name, X-Agent-ID, X-Agent-Sig, and X-Agent-Sig-Ts\n *\n * @example\n * ```typescript\n * const headers = await signAgentHeaders(env.EMAIL_SECRET, \"MyAgent\", this.name);\n * // Use these headers when sending outbound emails\n * ```\n */\nexport async function signAgentHeaders(\n  secret: string,\n  agentName: string,\n  agentId: string\n): Promise<Record<string, string>> {\n  if (!secret) {\n    throw new Error(\"secret is required for signing agent headers\");\n  }\n  if (!agentName) {\n    throw new Error(\"agentName is required for signing agent headers\");\n  }\n  if (!agentId) {\n    throw new Error(\"agentId is required for signing agent headers\");\n  }\n  // Reject colons to prevent signature confusion attacks\n  // (signature payload uses colon as delimiter: \"agentName:agentId:timestamp\")\n  if (agentName.includes(\":\")) {\n    throw new Error(\"agentName cannot contain colons\");\n  }\n  if (agentId.includes(\":\")) {\n    throw new Error(\"agentId cannot contain colons\");\n  }\n\n  const timestamp = Math.floor(Date.now() / 1000).toString();\n  const signature = await computeAgentSignature(\n    secret,\n    agentName,\n    agentId,\n    timestamp\n  );\n  return {\n    \"X-Agent-Name\": agentName,\n    \"X-Agent-ID\": agentId,\n    \"X-Agent-Sig\": signature,\n    \"X-Agent-Sig-Ts\": timestamp\n  };\n}\n\n// ============================================================================\n// Email routing types and resolvers\n// ============================================================================\n\nexport type EmailResolverResult = {\n  agentName: string;\n  agentId: string;\n  /** @internal Indicates this resolver requires secure reply signing */\n  _secureRouted?: boolean;\n} | null;\n\nexport type EmailResolver<Env> = (\n  email: ForwardableEmailMessage,\n  env: Env\n) => Promise<EmailResolverResult>;\n\n/**\n * Reason for signature verification failure\n */\nexport type SignatureFailureReason =\n  | \"missing_headers\"\n  | \"expired\"\n  | \"invalid\"\n  | \"malformed_timestamp\";\n\n/**\n * Options for createSecureReplyEmailResolver\n */\nexport type SecureReplyResolverOptions = {\n  /**\n   * Maximum age of signature in seconds.\n   * Signatures older than this will be rejected.\n   * Default: 30 days (2592000 seconds)\n   */\n  maxAge?: number;\n  /**\n   * Callback invoked when signature verification fails.\n   * Useful for logging and debugging.\n   */\n  onInvalidSignature?: (\n    email: ForwardableEmailMessage,\n    reason: SignatureFailureReason\n  ) => void;\n};\n\n/**\n * @deprecated REMOVED due to security vulnerability (IDOR via spoofed headers).\n * @throws Always throws an error with migration guidance.\n */\nexport function createHeaderBasedEmailResolver<Env>(): EmailResolver<Env> {\n  throw new Error(\n    \"createHeaderBasedEmailResolver has been removed due to a security vulnerability. \" +\n      \"It trusted attacker-controlled email headers for routing, enabling IDOR attacks.\\n\\n\" +\n      \"Migration options:\\n\" +\n      \"  - For inbound mail: use createAddressBasedEmailResolver(agentName)\\n\" +\n      \"  - For reply flows: use createSecureReplyEmailResolver(secret) with signed headers\\n\\n\" +\n      \"See https://github.com/cloudflare/agents/blob/main/docs/email.md for details.\"\n  );\n}\n\n/**\n * Create a resolver for routing email replies with signature verification.\n * This resolver verifies that replies contain a valid HMAC signature, preventing\n * attackers from routing emails to arbitrary agent instances.\n *\n * @param secret - Secret key for HMAC verification (must match the key used with signAgentHeaders)\n * @param options - Optional configuration for signature verification\n * @returns A function that resolves the agent to route the email to, or null if signature is invalid\n *\n * @example\n * ```typescript\n * // In your email handler\n * const secureResolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {\n *   maxAge: 7 * 24 * 60 * 60, // 7 days\n *   onInvalidSignature: (email, reason) => {\n *     console.warn(`Invalid signature from ${email.from}: ${reason}`);\n *   }\n * });\n * const addressResolver = createAddressBasedEmailResolver(\"MyAgent\");\n *\n * await routeAgentEmail(email, env, {\n *   resolver: async (email, env) => {\n *     // Try secure reply routing first\n *     const replyRouting = await secureResolver(email, env);\n *     if (replyRouting) return replyRouting;\n *     // Fall back to address-based routing\n *     return addressResolver(email, env);\n *   }\n * });\n * ```\n */\nexport function createSecureReplyEmailResolver<Env>(\n  secret: string,\n  options?: SecureReplyResolverOptions\n): EmailResolver<Env> {\n  if (!secret) {\n    throw new Error(\"secret is required for createSecureReplyEmailResolver\");\n  }\n\n  const maxAge = options?.maxAge ?? DEFAULT_MAX_AGE_SECONDS;\n  const onInvalidSignature = options?.onInvalidSignature;\n\n  return async (email: ForwardableEmailMessage, _env: Env) => {\n    const agentName = email.headers.get(\"x-agent-name\");\n    const agentId = email.headers.get(\"x-agent-id\");\n    const signature = email.headers.get(\"x-agent-sig\");\n    const timestamp = email.headers.get(\"x-agent-sig-ts\");\n\n    if (!agentName || !agentId || !signature || !timestamp) {\n      onInvalidSignature?.(email, \"missing_headers\");\n      return null;\n    }\n\n    const result = await verifyAgentSignature(\n      secret,\n      agentName,\n      agentId,\n      signature,\n      timestamp,\n      maxAge\n    );\n\n    if (!result.valid) {\n      onInvalidSignature?.(email, result.reason);\n      return null;\n    }\n\n    return { agentName, agentId, _secureRouted: true };\n  };\n}\n\n/**\n * Create a resolver that uses the email address to determine the agent to route the email to\n * @param defaultAgentName The default agent name to use if the email address does not contain a sub-address\n * @returns A function that resolves the agent to route the email to\n */\nexport function createAddressBasedEmailResolver<Env>(\n  defaultAgentName: string\n): EmailResolver<Env> {\n  return async (email: ForwardableEmailMessage, _env: Env) => {\n    // Length limits per RFC 5321: local part max 64 chars, domain max 253 chars\n    const emailMatch = email.to.match(\n      /^([^+@]{1,64})(?:\\+([^@]{1,64}))?@(.{1,253})$/\n    );\n    if (!emailMatch) {\n      return null;\n    }\n\n    const [, localPart, subAddress] = emailMatch;\n\n    if (subAddress) {\n      return {\n        agentName: localPart,\n        agentId: subAddress\n      };\n    }\n\n    // Option 2: Use defaultAgentName namespace, localPart as agentId\n    // Common for catch-all email routing to a single EmailAgent namespace\n    return {\n      agentName: defaultAgentName,\n      agentId: localPart\n    };\n  };\n}\n\n/**\n * Create a resolver that uses the agentName and agentId to determine the agent to route the email to\n * @param agentName The name of the agent to route the email to\n * @param agentId The id of the agent to route the email to\n * @returns A function that resolves the agent to route the email to\n */\nexport function createCatchAllEmailResolver<Env>(\n  agentName: string,\n  agentId: string\n): EmailResolver<Env> {\n  return async () => ({ agentName, agentId });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAqCA,SAAgB,iBAAiB,SAAiC;AAChE,QAAO,QAAQ,MAAM,MAAM;EACzB,MAAM,MAAM,EAAE,IAAI,aAAa;EAC/B,MAAM,QAAQ,EAAE,MAAM,aAAa;AAInC,MAAI,QAAQ,iBACV,QAAO,UAAU;AAInB,MAAI,QAAQ,2BACV,QAAO;AAIT,MAAI,QAAQ,aACV,QAAO,UAAU,UAAU,UAAU,UAAU,UAAU;AAG3D,SAAO;GACP;;;AAQJ,MAAa,0BAA0B,MAAU,KAAK;;AAGtD,MAAM,yBAAyB;;;;;;;;;AAU/B,eAAe,sBACb,QACA,WACA,SACA,WACiB;CACjB,MAAM,UAAU,IAAI,aAAa;CACjC,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,QAAQ,OAAO,OAAO,EACtB;EAAE,MAAM;EAAQ,MAAM;EAAW,EACjC,OACA,CAAC,OAAO,CACT;CACD,MAAM,OAAO,QAAQ,OAAO,GAAG,UAAU,GAAG,QAAQ,GAAG,YAAY;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,KAAK;AAC7D,QAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,UAAU,CAAC,CAAC;;;;;;;;;;;;AAoBhE,eAAe,qBACb,QACA,WACA,SACA,WACA,WACA,gBAAwB,yBACc;AACtC,KAAI;EAEF,MAAM,eAAe,OAAO,SAAS,WAAW,GAAG;AACnD,MAAI,OAAO,MAAM,aAAa,CAC5B,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAuB;EAIxD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAGzC,MAAI,eAAe,MAAM,uBACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAI5C,MAAI,MAAM,eAAe,cACvB,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAG5C,MAAM,WAAW,MAAM,sBACrB,QACA,WACA,SACA,UACD;AAED,MAAI,SAAS,WAAW,UAAU,OAChC,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;EAE5C,IAAI,SAAS;AACb,OAAK,IAAI,IAAI,GAAG,IAAI,SAAS,QAAQ,IACnC,WAAU,SAAS,WAAW,EAAE,GAAG,UAAU,WAAW,EAAE;AAE5D,MAAI,WAAW,EACb,QAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;AAE5C,SAAO,EAAE,OAAO,MAAM;UACf,OAAO;AACd,UAAQ,KAAK,0CAA0C,MAAM;AAC7D,SAAO;GAAE,OAAO;GAAO,QAAQ;GAAW;;;;;;;;;;;;;;;;;;AAmB9C,eAAsB,iBACpB,QACA,WACA,SACiC;AACjC,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,+CAA+C;AAEjE,KAAI,CAAC,UACH,OAAM,IAAI,MAAM,kDAAkD;AAEpE,KAAI,CAAC,QACH,OAAM,IAAI,MAAM,gDAAgD;AAIlE,KAAI,UAAU,SAAS,IAAI,CACzB,OAAM,IAAI,MAAM,kCAAkC;AAEpD,KAAI,QAAQ,SAAS,IAAI,CACvB,OAAM,IAAI,MAAM,gCAAgC;CAGlD,MAAM,YAAY,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,CAAC,UAAU;AAO1D,QAAO;EACL,gBAAgB;EAChB,cAAc;EACd,eATgB,MAAM,sBACtB,QACA,WACA,SACA,UACD;EAKC,kBAAkB;EACnB;;;;;;AAoDH,SAAgB,iCAA0D;AACxE,OAAM,IAAI,MACR,saAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCH,SAAgB,+BACd,QACA,SACoB;AACpB,KAAI,CAAC,OACH,OAAM,IAAI,MAAM,wDAAwD;CAG1E,MAAM,SAAS,SAAS,UAAA;CACxB,MAAM,qBAAqB,SAAS;AAEpC,QAAO,OAAO,OAAgC,SAAc;EAC1D,MAAM,YAAY,MAAM,QAAQ,IAAI,eAAe;EACnD,MAAM,UAAU,MAAM,QAAQ,IAAI,aAAa;EAC/C,MAAM,YAAY,MAAM,QAAQ,IAAI,cAAc;EAClD,MAAM,YAAY,MAAM,QAAQ,IAAI,iBAAiB;AAErD,MAAI,CAAC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,WAAW;AACtD,wBAAqB,OAAO,kBAAkB;AAC9C,UAAO;;EAGT,MAAM,SAAS,MAAM,qBACnB,QACA,WACA,SACA,WACA,WACA,OACD;AAED,MAAI,CAAC,OAAO,OAAO;AACjB,wBAAqB,OAAO,OAAO,OAAO;AAC1C,UAAO;;AAGT,SAAO;GAAE;GAAW;GAAS,eAAe;GAAM;;;;;;;;AAStD,SAAgB,gCACd,kBACoB;AACpB,QAAO,OAAO,OAAgC,SAAc;EAE1D,MAAM,aAAa,MAAM,GAAG,MAC1B,gDACD;AACD,MAAI,CAAC,WACH,QAAO;EAGT,MAAM,GAAG,WAAW,cAAc;AAElC,MAAI,WACF,QAAO;GACL,WAAW;GACX,SAAS;GACV;AAKH,SAAO;GACL,WAAW;GACX,SAAS;GACV;;;;;;;;;AAUL,SAAgB,4BACd,WACA,SACoB;AACpB,QAAO,aAAa;EAAE;EAAW;EAAS"}