fengming 0.3.8 → 0.3.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +8 -0
- package/dist/abort-CCR8oZyg.js +277 -0
- package/dist/abort.runtime-eqx84NZa.js +2 -0
- package/dist/abort.runtime.js +1 -1
- package/dist/acp-spawn-BcDyvaXh.js +2 -0
- package/dist/acp-spawn-CCtSel-_.js +1286 -0
- package/dist/acp-stateful-target-driver-B3pCvuOV.js +89 -0
- package/dist/active-tool-schema-warnings-Cf-5q5WU.js +105 -0
- package/dist/active-tool-schema-warnings-Dzt3XE-y.js +2 -0
- package/dist/agent-1M2dVE2G.js +2 -0
- package/dist/agent-DLDIbUT4.js +1825 -0
- package/dist/agent-DZi6j3o6.js +3 -0
- package/dist/agent-command-ppfDBwET.js +1435 -0
- package/dist/agent-harness-runtime-C0bo62eY.d.ts +913 -0
- package/dist/agent-harness-runtime-RkTGiliR.js +207 -0
- package/dist/agent-runner-utils-B4YeVAO_.js +267 -0
- package/dist/agent-runner.runtime-T_3tlZN1.js +3784 -0
- package/dist/agent-runner.runtime.js +1 -1
- package/dist/agent-runtime-CloshyK-.d.ts +207 -0
- package/dist/agent-runtime-DZsmp1xr.js +199 -0
- package/dist/agent-tools-CET9usCz.js +2506 -0
- package/dist/agent-via-gateway-CZ0X0YkM.js +486 -0
- package/dist/agent-wait-dedupe-I81_F2tr.js +180 -0
- package/dist/agents/embedded-agent-runner/run/runtime-context-prompt.d.ts +1 -1
- package/dist/agents/embedded-agent-runner/tool-split.d.ts +1 -1
- package/dist/agents/model-catalog.runtime.d.ts +1 -1
- package/dist/api-BDB5xHYj.js +3 -0
- package/dist/api-BH7bfI5d.js +6 -0
- package/dist/api-BxJNXitd.js +2 -0
- package/dist/approval-client-helpers-CfQA9Jzh.d.ts +78 -0
- package/dist/approval-native-helpers-B2zyhxWc.d.ts +241 -0
- package/dist/approval-renderers-CMqSXyvm.d.ts +39 -0
- package/dist/assistant-Cu_Mzzgu.js +291 -0
- package/dist/attachment-normalize-Bb3v5iCC.js +213 -0
- package/dist/attempt-execution-BskbAq5I.js +584 -0
- package/dist/attempt-execution.runtime-BuT1wpNS.js +3 -0
- package/dist/attempt-execution.runtime.js +1 -1
- package/dist/attempt.prompt-helpers-ByKj-vQ7.js +543 -0
- package/dist/auto-reply/reply/commands-crestodian.d.ts +1 -1
- package/dist/binding-routing-EGRNvRC4.js +113 -0
- package/dist/binding-targets-B9vYS8n6.js +121 -0
- package/dist/bridge-server-DG9YtKQe.js +113 -0
- package/dist/browser-cli-B0Ou-Nbm.js +2 -0
- package/dist/browser-cli-GF25gL6M.js +230 -0
- package/dist/browser-cli-actions-input-CuER6RVe.js +522 -0
- package/dist/browser-cli-actions-observe-Dq-Zz_FA.js +81 -0
- package/dist/browser-cli-debug-7hvb49S1.js +137 -0
- package/dist/browser-cli-inspect-WU5KeWOK.js +117 -0
- package/dist/browser-cli-manage-B9D9BvSe.js +446 -0
- package/dist/browser-cli-resize-BUOusOPb.js +32 -0
- package/dist/browser-cli-shared-DmpSN-Qi.js +69 -0
- package/dist/browser-cli-state-D_YxTqRw.js +371 -0
- package/dist/browser-control-auth-Cqd1n9FA.js +2 -0
- package/dist/browser-profiles-9tQ05wYh.js +2 -0
- package/dist/browser-runtime-Bbzumoha.js +389 -0
- package/dist/build-CBXuT2K1.js +261 -0
- package/dist/build-info.json +3 -3
- package/dist/bundled/boot-md/handler.js +2 -2
- package/dist/bundled/session-memory/handler.js +1 -1
- package/dist/bundled-channel-config-schema-DpdKMATU.d.ts +3168 -0
- package/dist/canvas-host/a2ui/.bundle.hash +1 -1
- package/dist/capability-cli-CiVGX7ut.js +1809 -0
- package/dist/channel-BIVwHq7P.js +2309 -0
- package/dist/channel-CiA2FVdL.d.ts +427 -0
- package/dist/channel-core-Cj9JTqeu.js +5 -0
- package/dist/channel-core-DjVpcH1C.d.ts +6 -0
- package/dist/channel-entry-contract-Bs_54m1D.d.ts +114 -0
- package/dist/channel-inbound-CdUdeQRa.js +121 -0
- package/dist/channel-inbound-iGiqx6CS.d.ts +97 -0
- package/dist/channel-message-C3QPaDUk.js +12 -0
- package/dist/channel-message-CXDjxb2U.d.ts +9 -0
- package/dist/channel-outbound-ofvvmMSK.d.ts +325 -0
- package/dist/channel-pairing-DKscOV1K.d.ts +58 -0
- package/dist/channel.runtime-VW6PW_ez.js +697 -0
- package/dist/channel.runtime.js +1 -1
- package/dist/chat-CFkQepUQ.js +3 -0
- package/dist/chat-Czh_tXM0.js +2940 -0
- package/dist/chrome-B2cq8YyH.js +1517 -0
- package/dist/cli/run-main.js +5 -5
- package/dist/cli-compaction-Dxv4nt7R.js +363 -0
- package/dist/cli-runner-CimXSTVs.js +2 -0
- package/dist/cli-runner-orCzE1Sr.js +597 -0
- package/dist/cli-runner.runtime-CsW0dXJW.js +3 -0
- package/dist/cli-runner.runtime-DgPrc1do.js +4 -0
- package/dist/cli-runner.runtime.js +1 -1
- package/dist/cli-startup-metadata.json +10 -12
- package/dist/command-registry-C5ooX6PF.js +4 -0
- package/dist/command-registry-DMB-HKIk.js +9 -0
- package/dist/command-registry-core-B2w_XWvn.js +114 -0
- package/dist/command-status.runtime-Bdy3Dkar.js +90 -0
- package/dist/command-status.runtime.js +1 -1
- package/dist/commands-compact.runtime-Bk2jTQo6.js +10 -0
- package/dist/commands-compact.runtime.js +1 -1
- package/dist/commands-handlers.runtime-Csw1og0U.js +6327 -0
- package/dist/commands-handlers.runtime.js +1 -1
- package/dist/commands-mRqmLIVz.d.ts +117 -0
- package/dist/commands-status-Dgrj_ubK.js +3 -0
- package/dist/commands-status-s32HJOpD.js +16 -0
- package/dist/commands-status.runtime-Dgrj_ubK.js +3 -0
- package/dist/commands-status.runtime.js +1 -1
- package/dist/commands-subagents-control.runtime-C_hnOO9l.js +2 -0
- package/dist/commands-subagents-control.runtime.js +1 -1
- package/dist/commands-system-prompt-CQV742Cc.js +2 -0
- package/dist/commands-system-prompt-DTfsKwK1.js +161 -0
- package/dist/commands-types-MXHhrssO.d.ts +132 -0
- package/dist/commands.runtime-akiVK67l.js +175 -0
- package/dist/commands.runtime.js +1 -1
- package/dist/commitments/runtime.js +1 -1
- package/dist/compact-U6ZhvPtD.js +1165 -0
- package/dist/compact.runtime-36E5vKsC.js +12 -0
- package/dist/compact.runtime.js +1 -1
- package/dist/completion-cli-Bf4mEw2W.js +393 -0
- package/dist/config-BJJhHN9E.js +374 -0
- package/dist/config-mutations-swLu-j_p.js +161 -0
- package/dist/config-schema-Tjner6bM.d.ts +20 -0
- package/dist/context-engine-host-compat-6fkn_daV.js +280 -0
- package/dist/context-engine-host-compat-DtAZC1bS.js +2 -0
- package/dist/context-engine-lifecycle-R__Idxi1.js +627 -0
- package/dist/control-auth-DnkI94_D.js +114 -0
- package/dist/control-service-BBsamNjq.js +40 -0
- package/dist/control-service-BGpHj7RL.js +3 -0
- package/dist/control-ui/assets/activity-B2W-IeAT.js +124 -0
- package/dist/control-ui/assets/agents-mRUyNVCz.js +1030 -0
- package/dist/control-ui/assets/channels-8QHOqBnt.js +120 -0
- package/dist/control-ui/assets/cron-H3unP_mO.js +1016 -0
- package/dist/control-ui/assets/debug-CxLsQ9vH.js +97 -0
- package/dist/control-ui/assets/index-jtIYT0Eh.js +7214 -0
- package/dist/control-ui/assets/instances-B1JQeCRb.js +57 -0
- package/dist/control-ui/assets/nodes-RGOmq_1l.js +444 -0
- package/dist/control-ui/assets/sessions-C2O-Jgpg.js +425 -0
- package/dist/control-ui/assets/skills-jyJOYA4I.js +362 -0
- package/dist/control-ui/assets/workboard-uM_kK8cQ.js +402 -0
- package/dist/control-ui/index.html +1 -1
- package/dist/control-ui/sw.js +1 -1
- package/dist/conversation-runtime-DDekWU-U.js +31 -0
- package/dist/core-Bpk-qSJH.js +284 -0
- package/dist/core-Chrz4oRB.d.ts +223 -0
- package/dist/core-api-DSpUKNVW.js +2 -0
- package/dist/core-api-hLsW03Wo.js +5 -0
- package/dist/crestodian/crestodian.js +1 -1
- package/dist/crestodian/rescue-message.d.ts +1 -1
- package/dist/crestodian/rescue-message.js +1 -1
- package/dist/crestodian-C0x7JjF-.js +55 -0
- package/dist/delegate-BArFIZ4B.d.ts +30 -0
- package/dist/deliver-BnVp3VbL.d.ts +111 -0
- package/dist/delivery-queue-BFOASdf5.d.ts +161 -0
- package/dist/delivery-queue-runtime-BFfc8AEs.d.ts +9 -0
- package/dist/dialogue-No0NvYX7.js +37 -0
- package/dist/direct-dm-C-h88JJH.d.ts +79 -0
- package/dist/directive-handling.fast-lane-DTyDKhZb.js +70 -0
- package/dist/directive-handling.impl-DMReM6tu.js +2 -0
- package/dist/directive-handling.impl-DzPouhV-.js +823 -0
- package/dist/directive-handling.model-selection-BjwTBAZJ.js +122 -0
- package/dist/directive-handling.persist.runtime-D_O1okkR.js +274 -0
- package/dist/directive-handling.persist.runtime.js +1 -1
- package/dist/dispatch-Dtl-oRuN.js +2057 -0
- package/dist/dispatch-acp-transcript.runtime-M4y0Dq74.js +40 -0
- package/dist/dispatch-acp-transcript.runtime.js +1 -1
- package/dist/dispatch-acp.runtime-B8uCIKZS.js +18 -0
- package/dist/dispatch-acp.runtime.js +1 -1
- package/dist/dispatcher-DslvaRcj.js +106 -0
- package/dist/doctor-config-flow-LU2C94af.js +1819 -0
- package/dist/doctor-core-checks-BqcjExIZ.js +666 -0
- package/dist/doctor-core-checks-Diuk8l0N.js +2 -0
- package/dist/doctor-core-checks.runtime-DbS-kMZN.js +278 -0
- package/dist/doctor-core-checks.runtime.js +1 -1
- package/dist/doctor-health-BdqHwfYE.js +65 -0
- package/dist/doctor-health-contributions-DLLTVnll.js +874 -0
- package/dist/doctor-lint-PZqkVMWf.js +95 -0
- package/dist/doctor-mRfJMSb5.js +6 -0
- package/dist/doctor-state-integrity-Cdlm-peH.js +1257 -0
- package/dist/draft-stream-controls-B7uLonbw.d.ts +159 -0
- package/dist/embedded-agent-CEpOPW6X.js +4 -0
- package/dist/embedded-agent-CNINO_M-.d.ts +5 -0
- package/dist/embedded-agent-DxwzoZkp.js +4074 -0
- package/dist/embedded-agent.runtime-DDbhA85-.js +4 -0
- package/dist/embedded-agent.runtime.js +1 -1
- package/dist/embedded-backend-ChaKCepC.js +1581 -0
- package/dist/embedded-gateway-stub.runtime-e_ZxGhcW.js +12 -0
- package/dist/embedded-gateway-stub.runtime.js +1 -1
- package/dist/entry.d.ts +1 -1
- package/dist/extensionAPI.d.ts +2 -2
- package/dist/extensionAPI.js +1 -1
- package/dist/extensions/active-memory/index.d.ts +1 -1
- package/dist/extensions/active-memory/index.js +1 -1
- package/dist/extensions/admin-http-rpc/index.d.ts +1 -1
- package/dist/extensions/admin-http-rpc/index.js +1 -1
- package/dist/extensions/bonjour/index.d.ts +1 -1
- package/dist/extensions/browser/browser-bridge.js +1 -1
- package/dist/extensions/browser/browser-config.js +4 -4
- package/dist/extensions/browser/browser-control-auth.js +2 -2
- package/dist/extensions/browser/browser-doctor.js +2 -2
- package/dist/extensions/browser/browser-maintenance.js +1 -1
- package/dist/extensions/browser/browser-profiles.js +2 -2
- package/dist/extensions/browser/browser-runtime-api.js +12 -12
- package/dist/extensions/browser/cli-metadata.d.ts +1 -1
- package/dist/extensions/browser/cli-metadata.js +1 -1
- package/dist/extensions/browser/index.d.ts +1 -1
- package/dist/extensions/browser/index.js +1 -1
- package/dist/extensions/browser/plugin-registration.d.ts +1 -1
- package/dist/extensions/browser/plugin-registration.js +1 -1
- package/dist/extensions/browser/register.runtime.d.ts +2 -2
- package/dist/extensions/browser/register.runtime.js +4 -4
- package/dist/extensions/browser/runtime-api.d.ts +3 -3
- package/dist/extensions/browser/runtime-api.js +14 -14
- package/dist/extensions/browser/setup-api.d.ts +1 -1
- package/dist/extensions/canvas/cli-metadata.d.ts +1 -1
- package/dist/extensions/canvas/index.d.ts +1 -1
- package/dist/extensions/canvas/index.js +1 -1
- package/dist/extensions/canvas/setup-api.d.ts +1 -1
- package/dist/extensions/deepseek/api.d.ts +1 -1
- package/dist/extensions/deepseek/index.d.ts +1 -1
- package/dist/extensions/deepseek/provider-discovery.d.ts +1 -1
- package/dist/extensions/deepseek/stream.d.ts +1 -1
- package/dist/extensions/device-pair/api.d.ts +4 -4
- package/dist/extensions/device-pair/api.js +1 -1
- package/dist/extensions/device-pair/index.d.ts +1 -1
- package/dist/extensions/device-pair/notify.d.ts +1 -1
- package/dist/extensions/device-pair/pair-command-approve.js +1 -1
- package/dist/extensions/device-pair/qr-image.d.ts +1 -1
- package/dist/extensions/memory-core/api.d.ts +1 -1
- package/dist/extensions/memory-core/cli-metadata.d.ts +1 -1
- package/dist/extensions/memory-core/cli-metadata.js +1 -1
- package/dist/extensions/memory-core/index.d.ts +1 -1
- package/dist/extensions/memory-core/manager-runtime.d.ts +1 -1
- package/dist/extensions/memory-core/runtime-api.d.ts +3 -3
- package/dist/extensions/skill-workshop/api.d.ts +2 -2
- package/dist/extensions/skill-workshop/api.js +1 -1
- package/dist/extensions/skill-workshop/index.d.ts +1 -1
- package/dist/extensions/skill-workshop/index.js +2 -2
- package/dist/extensions/tavily/index.d.ts +1 -1
- package/dist/extensions/tavily/web-search-contract-api.d.ts +1 -1
- package/dist/extensions/tavily/web-search-provider.d.ts +1 -1
- package/dist/extensions/thread-ownership/api.d.ts +2 -2
- package/dist/extensions/thread-ownership/index.d.ts +1 -1
- package/dist/extensions/webhooks/api.d.ts +2 -2
- package/dist/extensions/webhooks/api.js +1 -1
- package/dist/extensions/webhooks/index.d.ts +1 -1
- package/dist/extensions/webhooks/index.js +1 -1
- package/dist/extensions/webhooks/runtime-api.d.ts +1 -1
- package/dist/extensions/workboard/api.d.ts +2 -2
- package/dist/extensions/workboard/index.d.ts +1 -1
- package/dist/extensions/workboard/index.js +1 -1
- package/dist/extensions/workboard/runtime-api.d.ts +1 -1
- package/dist/fengming-runtime-CtRd5677.d.ts +153 -0
- package/dist/fengming-tools-DBLsJfsf.js +12221 -0
- package/dist/gateway/protocol/index.d.ts +1 -1
- package/dist/gateway-cli-BgDV2HF9.js +443 -0
- package/dist/gateway-method-runtime-d9oN_XO9.js +21 -0
- package/dist/get-reply-CEMtvaTJ.js +5198 -0
- package/dist/get-reply-from-config.runtime-CE8zmX7o.js +2 -0
- package/dist/get-reply-from-config.runtime.js +1 -1
- package/dist/heartbeat-runner-H8SmaKmJ.js +5 -0
- package/dist/heartbeat-runner.runtime-6hUaxEbl.js +3 -0
- package/dist/heartbeat-runner.runtime.js +1 -1
- package/dist/hooks-DkEvkwzS.js +536 -0
- package/dist/host-compat-DeAq3dnI.d.ts +21 -0
- package/dist/http-registry-BDoApjTY.d.ts +23 -0
- package/dist/inbound-reply-dispatch-CIYP2OPo.d.ts +156 -0
- package/dist/inbound-reply-dispatch-geHu6oUK.js +147 -0
- package/dist/inbound-reply-dispatch-vwW5Hl-_.js +2 -0
- package/dist/index-DhOQs6M_.d.ts +1497 -0
- package/dist/index.js +1 -1
- package/dist/init-DpE_6dG4.js +59 -0
- package/dist/interactive-Cb_1f91G.d.ts +26 -0
- package/dist/isolated-agent-B_upYOOM.js +2 -0
- package/dist/isolated-agent-KH9uwWhw.js +1097 -0
- package/dist/kernel-BHnBXnm2.d.ts +241 -0
- package/dist/lifecycle-BmZwopzF.js +570 -0
- package/dist/list.probe-5kzWm9Jk.js +451 -0
- package/dist/list.probe-9zBcGGQ4.js +2 -0
- package/dist/list.status-command-DY2ifqp1.js +815 -0
- package/dist/llm-slug-generator-Bmx0I84M.js +78 -0
- package/dist/llm-slug-generator.js +1 -1
- package/dist/loader-BVz75gSb.d.ts +142 -0
- package/dist/local-dispatch.runtime-CX3IOY1E.js +10 -0
- package/dist/local-dispatch.runtime.js +1 -1
- package/dist/manager-BXGg8bfG.d.ts +409 -0
- package/dist/mcp-http-B1lnh67s.js +2 -0
- package/dist/mcp-http-CamghE-W.js +583 -0
- package/dist/media-runtime-DpykroJR.d.ts +261 -0
- package/dist/memory-core-host-engine-embeddings-N2dX5P40.d.ts +324 -0
- package/dist/memory-core-host-engine-storage-WQfkQMer.d.ts +54 -0
- package/dist/message-handler-Ca_pqGVS.js +1806 -0
- package/dist/model-catalog-BBMLIjhq.d.ts +88 -0
- package/dist/model-selection-Cq82FXLy.js +352 -0
- package/dist/models-cli-Dm_393dw.js +257 -0
- package/dist/monitor-d0eyE2k0.js +60 -0
- package/dist/monitor.account-vLQ3bKHu.js +5382 -0
- package/dist/nodes-Bunvrb33.js +1483 -0
- package/dist/nodes-edNlxb2I.js +3 -0
- package/dist/nodes-pending-DEIwVh9v.js +211 -0
- package/dist/openai-compat-errors-CvWEoG98.js +136 -0
- package/dist/openai-http-Bskdv4Tv.js +836 -0
- package/dist/openresponses-http-DxdgCxFU.js +1175 -0
- package/dist/operations-Z85LFqsT.js +805 -0
- package/dist/outbound.types-DVkbsxo8.d.ts +291 -0
- package/dist/plugin-enabled-fvhTpvYS.js +232 -0
- package/dist/plugin-entry-CunlVUw6.d.ts +47 -0
- package/dist/plugin-registration-9ovnK_Tk.js +97 -0
- package/dist/plugin-runtime-DH2ZM9P5.d.ts +117 -0
- package/dist/plugin-sdk/.boundary-entry-shims.stamp +1 -1
- package/dist/plugin-sdk/acp-runtime-backend.js +1 -1
- package/dist/plugin-sdk/acp-runtime.js +1 -1
- package/dist/plugin-sdk/agent-harness-runtime.js +5 -5
- package/dist/plugin-sdk/agent-harness-task-runtime.js +1 -1
- package/dist/plugin-sdk/agent-harness.js +6 -6
- package/dist/plugin-sdk/agent-runtime.js +2 -2
- package/dist/plugin-sdk/bundled-channel-config-schema-Dfn3b8sF.d.ts +3169 -0
- package/dist/plugin-sdk/bundled-channel-config-schema.d.ts +1 -1
- package/dist/plugin-sdk/channel-config-schema-legacy.d.ts +1 -1
- package/dist/plugin-sdk/channel-core.js +2 -2
- package/dist/plugin-sdk/channel-envelope.js +1 -1
- package/dist/plugin-sdk/channel-inbound-roots.js +1 -1
- package/dist/plugin-sdk/channel-inbound.js +2 -2
- package/dist/plugin-sdk/channel-location.js +1 -1
- package/dist/plugin-sdk/channel-message-runtime.js +3 -3
- package/dist/plugin-sdk/channel-message.js +2 -2
- package/dist/plugin-sdk/channel-runtime.js +0 -1
- package/dist/plugin-sdk/command-status-runtime.js +1 -1
- package/dist/plugin-sdk/compat.js +1 -1
- package/dist/plugin-sdk/config-schema.d.ts +4 -4
- package/dist/plugin-sdk/conversation-binding-runtime.js +1 -1
- package/dist/plugin-sdk/conversation-runtime.js +3 -3
- package/dist/plugin-sdk/core.js +2 -2
- package/dist/plugin-sdk/discord.d.ts +1 -1
- package/dist/plugin-sdk/gateway-method-runtime.js +1 -1
- package/dist/plugin-sdk/health.js +1 -1
- package/dist/plugin-sdk/hook-runtime.js +0 -1
- package/dist/plugin-sdk/inbound-reply-dispatch.js +2 -2
- package/dist/plugin-sdk/index.js +1 -1
- package/dist/plugin-sdk/infra-runtime.js +3 -1
- package/dist/plugin-sdk/provider-auth-api-key.js +0 -1
- package/dist/plugin-sdk/provider-stream-family.js +0 -1
- package/dist/plugin-sdk/provider-usage.js +649 -1
- package/dist/plugin-sdk/reply-runtime.js +4 -4
- package/dist/plugin-sdk/video-generation.js +206 -1
- package/dist/plugin-service-BdZxoKBZ.js +1249 -0
- package/dist/plugin-service-quTl5hT0.d.ts +24 -0
- package/dist/plugins/build-smoke-entry.d.ts +2 -2
- package/dist/plugins/loader.d.ts +1 -1
- package/dist/plugins/provider-discovery.runtime.d.ts +1 -1
- package/dist/plugins/provider-runtime.runtime.d.ts +1 -1
- package/dist/plugins/runtime/index.d.ts +1 -1
- package/dist/plugins/runtime/index.js +4 -4
- package/dist/plugins/tools.d.ts +1 -1
- package/dist/prepare.runtime-DFvkUqBZ.js +798 -0
- package/dist/prepare.runtime.js +1 -1
- package/dist/preview-warnings-CGzc8ccG.js +618 -0
- package/dist/program-D19g2jaa.js +131 -0
- package/dist/provider-api-key-auth-B8GgTfo8.d.ts +27 -0
- package/dist/provider-auth-result-Diw-woMA.d.ts +21 -0
- package/dist/provider-catalog-shared-hMvzzDgL.d.ts +62 -0
- package/dist/provider-dispatcher-DCTc4lG_.js +22 -0
- package/dist/provider-dispatcher.runtime.js +1 -1
- package/dist/provider-model-shared-BUCh3uCL.d.ts +143 -0
- package/dist/provider-registry-BIokPlxa.d.ts +8 -0
- package/dist/provider-registry-CyUOXHG-.d.ts +8 -0
- package/dist/provider-registry-i--H79Ao.d.ts +29 -0
- package/dist/provider-self-hosted-setup-BF8UR8wg.d.ts +74 -0
- package/dist/provider-stream-NF0XJnar.d.ts +139 -0
- package/dist/provider-stream-shared-DLwDaYed.d.ts +132 -0
- package/dist/provider-web-search-contract-fields-D61Vl5Kl.d.ts +25 -0
- package/dist/pw-ai-DYR-D7xR.js +3064 -0
- package/dist/register.agent-DwW0mQPk.js +152 -0
- package/dist/register.crestodian-BhIukKDA.js +24 -0
- package/dist/register.maintenance-DWHlvztJ.js +85 -0
- package/dist/register.subclis-Bsvdh8RI.js +3 -0
- package/dist/register.subclis-DVk0HU4k.js +31 -0
- package/dist/register.subclis-core-BK7nVvl6.js +278 -0
- package/dist/registry-hscEPAcC.d.ts +8 -0
- package/dist/registry-types-Ce-n1tuw.d.ts +392 -0
- package/dist/repair-sequencing-0-qGNSUO.js +652 -0
- package/dist/reply-payload-mCw4ZND6.d.ts +200 -0
- package/dist/reply-turn-admission-DMWNadoS.js +2056 -0
- package/dist/reply.runtime-CE8zmX7o.js +2 -0
- package/dist/reply.runtime.js +1 -1
- package/dist/result-fallback-classifier-BZmv2ACy.js +98 -0
- package/dist/route-qQ-jYpFa.js +475 -0
- package/dist/routes-dTCmw98g.js +2 -0
- package/dist/routes-r8DRKa83.js +3701 -0
- package/dist/run-BgH7EPGH.js +1162 -0
- package/dist/run-command-DCsM-BVh.js +23 -0
- package/dist/run-command-I2ib4dwS.js +2 -0
- package/dist/run-context-CWaKUKKJ.js +66 -0
- package/dist/run-embedded.runtime-CBnDBWN0.js +4 -0
- package/dist/run-embedded.runtime.js +1 -1
- package/dist/run-execution-cli.runtime-DlYXI-lw.js +4 -0
- package/dist/run-execution-cli.runtime.js +1 -1
- package/dist/run-executor.runtime-DwepGrmB.js +330 -0
- package/dist/run-executor.runtime.js +1 -1
- package/dist/run-subagent-registry.runtime-CeVpoIhj.js +2 -0
- package/dist/run-subagent-registry.runtime.js +1 -1
- package/dist/runtime-D2ee-rNh.js +436 -0
- package/dist/runtime-api-B99ZlkNt.d.ts +5 -0
- package/dist/runtime-api-Cta2L_Yo.js +12 -0
- package/dist/runtime-channel-LKOkML3M.js +2 -0
- package/dist/runtime-channel-UtWvrTZ5.js +148 -0
- package/dist/runtime-embedded-agent.runtime-9O2Idzyb.js +2 -0
- package/dist/runtime-embedded-agent.runtime.js +1 -1
- package/dist/runtime-forwarders-DjI8RFL5.d.ts +39 -0
- package/dist/sdk-setup-tools-B-X04pa6.js +8 -0
- package/dist/selection-B02h8Old.js +3 -0
- package/dist/selection-DEPvzrW2.js +18365 -0
- package/dist/server-CMYi8gDo.js +24 -0
- package/dist/server-Cx07rsiY.js +72 -0
- package/dist/server-close.runtime.js +1 -1
- package/dist/server-context-BIemGRt4.js +2 -0
- package/dist/server-context-CB_an9iy.js +955 -0
- package/dist/server-cron-BeyuBUjb.js +3173 -0
- package/dist/server-cron-CV7KkVeB.js +2 -0
- package/dist/server-methods-C7EnpOhB.js +497 -0
- package/dist/server-node-events-DMMzZciN.js +597 -0
- package/dist/server-plugin-bootstrap-O6MzvzL8.js +71 -0
- package/dist/server-plugins-Dwnaz9kX.js +435 -0
- package/dist/server-reload-handlers-C-6TyPvI.js +719 -0
- package/dist/server-restart-sentinel-Dc35eYgk.js +700 -0
- package/dist/server-runtime-services-DCs-gqh_.js +3 -0
- package/dist/server-runtime-services-DF2fzzVd.js +147 -0
- package/dist/server-startup-plugins-t-YeYibm.js +127 -0
- package/dist/server-startup-post-attach-CiEki-DC.js +793 -0
- package/dist/server-ws-runtime-uaUpI-e8.js +374 -0
- package/dist/server.impl-MoHjSMr5.js +2622 -0
- package/dist/session-kill-http-CYCiQpt2.js +121 -0
- package/dist/session-reset-service-BYbADY57.js +651 -0
- package/dist/session-status.runtime-8NASbeO4.js +2 -0
- package/dist/session-status.runtime.js +1 -1
- package/dist/session-subagent-reactivation.runtime-DGeNY2Rb.js +2 -0
- package/dist/session-subagent-reactivation.runtime.js +1 -1
- package/dist/session-tab-registry-C2eElZrt.js +551 -0
- package/dist/sessions-DXAdVXIx.js +1917 -0
- package/dist/sessions-history-http-BwK7b8OH.js +432 -0
- package/dist/sessions-patch-BYC5gvY1.js +401 -0
- package/dist/sessions-resolve-C3ORcdmo.js +180 -0
- package/dist/sessions.runtime-BijldeSY.js +2 -0
- package/dist/sessions.runtime.js +1 -1
- package/dist/snapshot-urls-C5CfP3Co.js +317 -0
- package/dist/speech-core-wWkTZPpQ.d.ts +49 -0
- package/dist/standalone-CHrieUsw.js +42 -0
- package/dist/startup-context-CZfmG8-g.js +314 -0
- package/dist/status-subagents.runtime-D2XMebiS.js +32 -0
- package/dist/status-subagents.runtime.js +1 -1
- package/dist/status-text-JR7IPyzZ.js +301 -0
- package/dist/stream-BJgTkLEI.d.ts +5 -0
- package/dist/subagent-announce-B9cfs_KZ.js +353 -0
- package/dist/subagent-announce-delivery-CtmEvLTS.js +1369 -0
- package/dist/subagent-control-DVqLHi9O.js +492 -0
- package/dist/subagent-hooks-D251uSvy.js +230 -0
- package/dist/subagent-hooks-api-DvdMKxsC.js +23 -0
- package/dist/subagent-hooks-uLORYChc.js +2 -0
- package/dist/subagent-registry-BW2l_oYu.js +3 -0
- package/dist/subagent-registry-BxEMHuiN.js +2627 -0
- package/dist/subagent-registry.runtime.d.ts +1 -1
- package/dist/subagent-registry.runtime.js +1 -1
- package/dist/subagent-session-cleanup-BC5wV2qQ.js +390 -0
- package/dist/system-fvgHsr2x.js +111 -0
- package/dist/talk-DU0Sod_K.js +2454 -0
- package/dist/target-id-BR2xJIkd.js +107 -0
- package/dist/task-registry-control.runtime.js +1 -1
- package/dist/thread-bindings-8XNu5U2p.js +228 -0
- package/dist/tool-Boeg0N5g.js +143 -0
- package/dist/tool-dispatch-BhLLaL2g.js +155 -0
- package/dist/tool-resolution-CzsLs-87.js +153 -0
- package/dist/tool-split-Bedy42Ms.d.ts +19 -0
- package/dist/tools-B6egHpE3.d.ts +38 -0
- package/dist/tools-effective-NXscxK8n.js +442 -0
- package/dist/tools-effective-inventory-NsGMUVo-.js +379 -0
- package/dist/tools-invoke-_sSu96Kq.js +51 -0
- package/dist/tools-invoke-http-BDhlRl-G.js +68 -0
- package/dist/tools-invoke-shared-BH-T9Bcg.js +200 -0
- package/dist/tts-runtime-C1wu3o15.d.ts +230 -0
- package/dist/tui-C733Qov0.js +2 -0
- package/dist/tui-DqbscVN5.js +3 -0
- package/dist/tui-backend-_Pn3Byj-.js +257 -0
- package/dist/tui-cli-CAiC39zd.js +40 -0
- package/dist/tui-ink-run-ChXEGj1h.js +7414 -0
- package/dist/tui-ink-run-D4mSfLHj.js +2 -0
- package/dist/types-BQw1qXGl.d.ts +7034 -0
- package/dist/types-BzMoU6-C.d.ts +111 -0
- package/dist/types-DltHmoCX.d.ts +393 -0
- package/dist/types.public-C_bVIMBl.d.ts +70 -0
- package/dist/web-fetch/runtime.d.ts +1 -1
- package/dist/webhook-targets-DW2jhddP.d.ts +99 -0
- package/dist/zod-schema.core-Cuz0lz6m.d.ts +166 -0
- package/npm-shrinkwrap.json +12861 -11889
- package/package.json +2 -5
- package/skills/batch/SKILL.md +118 -0
- package/skills/code-review/SKILL.md +107 -0
- package/skills/debug/SKILL.md +83 -0
- package/skills/loop/SKILL.md +118 -0
- package/skills/run/SKILL.md +79 -0
- package/skills/run-skill-generator/SKILL.md +179 -0
- package/skills/verify/SKILL.md +103 -0
- package/dist/abort-DGskei2p.js +0 -277
- package/dist/abort.runtime-Buq9IZxn.js +0 -2
- package/dist/acp-spawn-DC6IyYaB.js +0 -1286
- package/dist/acp-spawn-Diqb3nel.js +0 -2
- package/dist/acp-stateful-target-driver-Clhe_L8v.js +0 -89
- package/dist/active-tool-schema-warnings-BRhKkyvt.js +0 -2
- package/dist/active-tool-schema-warnings-C6N0-ce6.js +0 -105
- package/dist/agent-C5lhsEZJ.js +0 -2
- package/dist/agent-WEb757bl.js +0 -1825
- package/dist/agent-command-iLD_nsVY.js +0 -1435
- package/dist/agent-core-BeDN8Ns5.d.ts +0 -13
- package/dist/agent-harness-runtime-C89_Q-bW.d.ts +0 -913
- package/dist/agent-harness-runtime-Dfn5rik2.js +0 -207
- package/dist/agent-runner-utils-DNiuuo43.js +0 -267
- package/dist/agent-runner.runtime-CFF_qJ5V.js +0 -3784
- package/dist/agent-runtime-BkMtWXxn.js +0 -199
- package/dist/agent-runtime-HufMO_YR.d.ts +0 -207
- package/dist/agent-tools-HmaDv4ot.js +0 -2506
- package/dist/agent-via-gateway-CZQG8RYL.js +0 -486
- package/dist/agent-wait-dedupe-C3xQk2Ww.js +0 -180
- package/dist/agent-z1cs3c7n.js +0 -3
- package/dist/api-B4IMKjSe.js +0 -3
- package/dist/api-BwSbBWI8.js +0 -3
- package/dist/api-CE9In9m4.js +0 -5
- package/dist/api-ClPvYNGa.js +0 -32
- package/dist/api-CntBCaZf.js +0 -3
- package/dist/api-DBZBwTsn.js +0 -6
- package/dist/api-OCPwGOvK.js +0 -2
- package/dist/api-yYhEo7gK.js +0 -4
- package/dist/approval-client-helpers-CfdQ3-vv.d.ts +0 -78
- package/dist/approval-native-helpers-DSHPksK4.d.ts +0 -241
- package/dist/approval-renderers-BfEfwk44.d.ts +0 -39
- package/dist/assistant-v5fdOYu7.js +0 -291
- package/dist/attachment-normalize-BHAbLiL2.js +0 -213
- package/dist/attempt-execution-5w9WYbaJ.js +0 -584
- package/dist/attempt-execution.runtime-DnhOWGzr.js +0 -3
- package/dist/attempt.prompt-helpers-C4M4erF7.js +0 -543
- package/dist/binding-routing-Dpes-QF1.js +0 -113
- package/dist/binding-targets-B6H5Pd-A.js +0 -121
- package/dist/bridge-server-BCpxCRm_.js +0 -113
- package/dist/browser-cli-DMhXHopl.js +0 -230
- package/dist/browser-cli-Dy_VugK0.js +0 -2
- package/dist/browser-cli-actions-input-WMP7_lm6.js +0 -522
- package/dist/browser-cli-actions-observe-DQWAWhwU.js +0 -81
- package/dist/browser-cli-debug-CaT2ZKAx.js +0 -137
- package/dist/browser-cli-inspect-DU-LUXq1.js +0 -117
- package/dist/browser-cli-manage-DAuogqIh.js +0 -446
- package/dist/browser-cli-resize-Cz5uO_aR.js +0 -32
- package/dist/browser-cli-shared-CjPZcG3j.js +0 -69
- package/dist/browser-cli-state-CC3l77-K.js +0 -371
- package/dist/browser-control-auth-ELccIUZy.js +0 -2
- package/dist/browser-profiles-Cuy4ia6_.js +0 -2
- package/dist/browser-runtime-De-iUfME.js +0 -389
- package/dist/build-DEF8Per9.js +0 -261
- package/dist/bundled-channel-config-schema-Bte--ZlY.d.ts +0 -3168
- package/dist/capability-cli-Bydel4E7.js +0 -1809
- package/dist/channel-6SGL4R5P.js +0 -2309
- package/dist/channel-D3Q3b8J-.d.ts +0 -427
- package/dist/channel-core-Bj71kAB5.d.ts +0 -6
- package/dist/channel-core-DMvyWnHg.js +0 -5
- package/dist/channel-entry-contract-zYxRmEdf.d.ts +0 -114
- package/dist/channel-inbound-DVJzBcJ8.d.ts +0 -97
- package/dist/channel-inbound-DlCa7eJe.js +0 -121
- package/dist/channel-message-CyPGMMFB.js +0 -12
- package/dist/channel-message-Czl4cdoA.d.ts +0 -9
- package/dist/channel-outbound-BNbhmruA.d.ts +0 -325
- package/dist/channel-pairing-BiS-tSvl.d.ts +0 -58
- package/dist/channel-runtime-D8hntg7H.js +0 -7
- package/dist/channel.runtime-DxErReJR.js +0 -697
- package/dist/chat-BLA8ORQI.js +0 -3
- package/dist/chat-DWRXkuvU.js +0 -2940
- package/dist/chrome-DPwFYi-g.js +0 -1517
- package/dist/cli-compaction-YZpssARf.js +0 -363
- package/dist/cli-runner-D2OAqxu3.js +0 -597
- package/dist/cli-runner-DO4SORQf.js +0 -2
- package/dist/cli-runner.runtime-CNSIpbeT.js +0 -4
- package/dist/cli-runner.runtime-DAOYvpVQ.js +0 -3
- package/dist/command-registry-DpD0fb8D.js +0 -4
- package/dist/command-registry-core-Cl3tLG8G.js +0 -114
- package/dist/command-registry-nbP7c8RT.js +0 -9
- package/dist/command-status.runtime-BBuXTkq0.js +0 -90
- package/dist/commands-CR8MVvlD.d.ts +0 -117
- package/dist/commands-compact.runtime-BoafIjjg.js +0 -10
- package/dist/commands-handlers.runtime-D9jViG_x.js +0 -6327
- package/dist/commands-status-BqqJ7PVq.js +0 -16
- package/dist/commands-status-CMd41Vxf.js +0 -3
- package/dist/commands-status.runtime-CMd41Vxf.js +0 -3
- package/dist/commands-subagents-control.runtime-CU4I3A_n.js +0 -2
- package/dist/commands-system-prompt-CTtu1D3-.js +0 -2
- package/dist/commands-system-prompt-xswhORdM.js +0 -161
- package/dist/commands-types-B67CsqXf.d.ts +0 -132
- package/dist/commands.runtime-BUFhkrjQ.js +0 -175
- package/dist/compact-Dz_WvRkQ.js +0 -1165
- package/dist/compact.runtime-n-AKErni.js +0 -12
- package/dist/completion-cli-DJYs_L4_.js +0 -393
- package/dist/config-CFMbHJb0.js +0 -374
- package/dist/config-mutations-DCAloTKR.js +0 -161
- package/dist/config-schema-Drw1zrnG.d.ts +0 -20
- package/dist/context-engine-host-compat-4mNm1HCE.js +0 -2
- package/dist/context-engine-host-compat-BzJ7fUIn.js +0 -280
- package/dist/context-engine-lifecycle-V4PNQp6k.js +0 -627
- package/dist/control-auth-DG_cw-aN.js +0 -114
- package/dist/control-service-CurYipgK.js +0 -3
- package/dist/control-service-VyncoV7j.js +0 -40
- package/dist/control-ui/assets/activity-D5Plhlo-.js +0 -124
- package/dist/control-ui/assets/agents-Chcdfe1E.js +0 -1030
- package/dist/control-ui/assets/channels-BEtB4H37.js +0 -120
- package/dist/control-ui/assets/cron-CZyPkxSU.js +0 -1016
- package/dist/control-ui/assets/debug-DvM8iG47.js +0 -97
- package/dist/control-ui/assets/index-Rmpgh0f1.js +0 -7214
- package/dist/control-ui/assets/instances-yTC_uu60.js +0 -57
- package/dist/control-ui/assets/nodes-vbAxVHIH.js +0 -444
- package/dist/control-ui/assets/sessions-DOviHme5.js +0 -425
- package/dist/control-ui/assets/skills-Bfp5HEGW.js +0 -362
- package/dist/control-ui/assets/workboard-5sU2kHsV.js +0 -402
- package/dist/conversation-runtime-DgaABwHh.js +0 -31
- package/dist/core-BeBXdneV.js +0 -284
- package/dist/core-Chqb7X6l.d.ts +0 -223
- package/dist/core-api-BlK0FgBM.js +0 -2
- package/dist/core-api-pAvYk716.js +0 -5
- package/dist/crestodian-FeGTBqO1.js +0 -55
- package/dist/delegate-BjIjSU_E.d.ts +0 -30
- package/dist/deliver-CvtWN4Ey.d.ts +0 -111
- package/dist/delivery-queue-CQ-cj3KG.d.ts +0 -161
- package/dist/delivery-queue-runtime-ut7MG04m.d.ts +0 -9
- package/dist/detect-BjXPyrwn.js +0 -115
- package/dist/detect-C1xeIemQ.d.ts +0 -16
- package/dist/dialogue-BowVYhEC.js +0 -37
- package/dist/direct-dm-DoZZHpA0.d.ts +0 -79
- package/dist/directive-handling.fast-lane-hnmQ_CvD.js +0 -70
- package/dist/directive-handling.impl-Cai-CFS1.js +0 -2
- package/dist/directive-handling.impl-DY84qIfU.js +0 -823
- package/dist/directive-handling.model-selection-DASssLFQ.js +0 -122
- package/dist/directive-handling.persist.runtime-BY7tJUs2.js +0 -274
- package/dist/dispatch-D5iG5A8j.js +0 -2057
- package/dist/dispatch-acp-transcript.runtime-D3r16hbD.js +0 -40
- package/dist/dispatch-acp.runtime-CAIau5qX.js +0 -18
- package/dist/dispatcher-7-d2gw3J.js +0 -106
- package/dist/doctor-DD5YEMmf.js +0 -6
- package/dist/doctor-config-flow-CdlLHJmX.js +0 -1819
- package/dist/doctor-core-checks-6MP99TQG.js +0 -666
- package/dist/doctor-core-checks-Dm_o576z.js +0 -2
- package/dist/doctor-core-checks.runtime-B2qbKATd.js +0 -278
- package/dist/doctor-health-BKrhOv1v.js +0 -65
- package/dist/doctor-health-contributions-bIBLmw69.js +0 -874
- package/dist/doctor-lint-aOLOWli4.js +0 -95
- package/dist/doctor-state-integrity-23NQNNuo.js +0 -1257
- package/dist/draft-stream-controls-Bk1GVJ1l.d.ts +0 -159
- package/dist/embedded-agent-BeK8FhZr.d.ts +0 -5
- package/dist/embedded-agent-CNp_y7jW.js +0 -4074
- package/dist/embedded-agent-NEmNlXDR.js +0 -4
- package/dist/embedded-agent.runtime-hEby8P2s.js +0 -4
- package/dist/embedded-backend-BdbgfpBP.js +0 -1581
- package/dist/embedded-gateway-stub.runtime-ySZUA3Gy.js +0 -12
- package/dist/extensions/alibaba/fengming.plugin.json +0 -47
- package/dist/extensions/alibaba/index.d.ts +0 -12
- package/dist/extensions/alibaba/index.js +0 -13
- package/dist/extensions/alibaba/package.json +0 -15
- package/dist/extensions/alibaba/video-generation-provider.d.ts +0 -6
- package/dist/extensions/alibaba/video-generation-provider.js +0 -2
- package/dist/extensions/baichuan/fengming.plugin.json +0 -69
- package/dist/extensions/baichuan/index.d.ts +0 -11
- package/dist/extensions/baichuan/index.js +0 -45
- package/dist/extensions/baichuan/models.d.ts +0 -7
- package/dist/extensions/baichuan/models.js +0 -2
- package/dist/extensions/baichuan/onboard.d.ts +0 -5
- package/dist/extensions/baichuan/onboard.js +0 -2
- package/dist/extensions/baichuan/package.json +0 -15
- package/dist/extensions/baichuan/provider-catalog.d.ts +0 -2
- package/dist/extensions/baichuan/provider-catalog.js +0 -2
- package/dist/extensions/baichuan/provider-discovery.d.ts +0 -2
- package/dist/extensions/baichuan/provider-discovery.js +0 -5
- package/dist/extensions/byteplus/api.d.ts +0 -3
- package/dist/extensions/byteplus/api.js +0 -3
- package/dist/extensions/byteplus/fengming.plugin.json +0 -196
- package/dist/extensions/byteplus/index.d.ts +0 -12
- package/dist/extensions/byteplus/index.js +0 -85
- package/dist/extensions/byteplus/models.d.ts +0 -2
- package/dist/extensions/byteplus/models.js +0 -2
- package/dist/extensions/byteplus/package.json +0 -15
- package/dist/extensions/byteplus/provider-catalog.d.ts +0 -2
- package/dist/extensions/byteplus/provider-catalog.js +0 -2
- package/dist/extensions/byteplus/provider-discovery.d.ts +0 -5
- package/dist/extensions/byteplus/provider-discovery.js +0 -23
- package/dist/extensions/byteplus/video-generation-provider.d.ts +0 -6
- package/dist/extensions/byteplus/video-generation-provider.js +0 -2
- package/dist/extensions/longcat/fengming.plugin.json +0 -84
- package/dist/extensions/longcat/index.d.ts +0 -11
- package/dist/extensions/longcat/index.js +0 -45
- package/dist/extensions/longcat/models.d.ts +0 -7
- package/dist/extensions/longcat/models.js +0 -2
- package/dist/extensions/longcat/onboard.d.ts +0 -5
- package/dist/extensions/longcat/onboard.js +0 -2
- package/dist/extensions/longcat/package.json +0 -15
- package/dist/extensions/longcat/provider-catalog.d.ts +0 -2
- package/dist/extensions/longcat/provider-catalog.js +0 -2
- package/dist/extensions/longcat/provider-discovery.d.ts +0 -2
- package/dist/extensions/longcat/provider-discovery.js +0 -5
- package/dist/extensions/minimax/api.d.ts +0 -5
- package/dist/extensions/minimax/api.js +0 -6
- package/dist/extensions/minimax/fengming.plugin.json +0 -206
- package/dist/extensions/minimax/image-generation-provider.d.ts +0 -6
- package/dist/extensions/minimax/image-generation-provider.js +0 -2
- package/dist/extensions/minimax/index.d.ts +0 -12
- package/dist/extensions/minimax/index.js +0 -29
- package/dist/extensions/minimax/media-understanding-provider.d.ts +0 -6
- package/dist/extensions/minimax/media-understanding-provider.js +0 -2
- package/dist/extensions/minimax/model-definitions.d.ts +0 -2
- package/dist/extensions/minimax/model-definitions.js +0 -2
- package/dist/extensions/minimax/music-generation-provider.d.ts +0 -6
- package/dist/extensions/minimax/music-generation-provider.js +0 -2
- package/dist/extensions/minimax/oauth.d.ts +0 -2
- package/dist/extensions/minimax/oauth.js +0 -2
- package/dist/extensions/minimax/oauth.runtime.d.ts +0 -2
- package/dist/extensions/minimax/oauth.runtime.js +0 -2
- package/dist/extensions/minimax/onboard.d.ts +0 -2
- package/dist/extensions/minimax/onboard.js +0 -2
- package/dist/extensions/minimax/package.json +0 -15
- package/dist/extensions/minimax/provider-catalog.d.ts +0 -2
- package/dist/extensions/minimax/provider-catalog.js +0 -2
- package/dist/extensions/minimax/provider-contract-api.d.ts +0 -6
- package/dist/extensions/minimax/provider-contract-api.js +0 -77
- package/dist/extensions/minimax/provider-discovery.d.ts +0 -5
- package/dist/extensions/minimax/provider-discovery.js +0 -23
- package/dist/extensions/minimax/provider-models.d.ts +0 -2
- package/dist/extensions/minimax/provider-models.js +0 -2
- package/dist/extensions/minimax/provider-registration.d.ts +0 -7
- package/dist/extensions/minimax/provider-registration.js +0 -2
- package/dist/extensions/minimax/speech-provider.d.ts +0 -5
- package/dist/extensions/minimax/speech-provider.js +0 -2
- package/dist/extensions/minimax/tts.d.ts +0 -20
- package/dist/extensions/minimax/tts.js +0 -2
- package/dist/extensions/minimax/video-generation-provider.d.ts +0 -7
- package/dist/extensions/minimax/video-generation-provider.js +0 -2
- package/dist/extensions/minimax/web-search-contract-api.d.ts +0 -5
- package/dist/extensions/minimax/web-search-contract-api.js +0 -31
- package/dist/extensions/minimax/web-search-provider.d.ts +0 -5
- package/dist/extensions/minimax/web-search-provider.js +0 -2
- package/dist/extensions/moonshot/api.d.ts +0 -3
- package/dist/extensions/moonshot/api.js +0 -4
- package/dist/extensions/moonshot/fengming.plugin.json +0 -250
- package/dist/extensions/moonshot/index.d.ts +0 -11
- package/dist/extensions/moonshot/index.js +0 -70
- package/dist/extensions/moonshot/media-understanding-provider.d.ts +0 -6
- package/dist/extensions/moonshot/media-understanding-provider.js +0 -2
- package/dist/extensions/moonshot/onboard.d.ts +0 -2
- package/dist/extensions/moonshot/onboard.js +0 -2
- package/dist/extensions/moonshot/package.json +0 -15
- package/dist/extensions/moonshot/provider-catalog.d.ts +0 -2
- package/dist/extensions/moonshot/provider-catalog.js +0 -2
- package/dist/extensions/moonshot/provider-contract-api.d.ts +0 -5
- package/dist/extensions/moonshot/provider-contract-api.js +0 -27
- package/dist/extensions/moonshot/provider-discovery.d.ts +0 -5
- package/dist/extensions/moonshot/provider-discovery.js +0 -15
- package/dist/extensions/moonshot/web-search-contract-api.d.ts +0 -5
- package/dist/extensions/moonshot/web-search-contract-api.js +0 -29
- package/dist/extensions/moonshot/web-search-provider.d.ts +0 -5
- package/dist/extensions/moonshot/web-search-provider.js +0 -2
- package/dist/extensions/qianfan/api.d.ts +0 -3
- package/dist/extensions/qianfan/api.js +0 -3
- package/dist/extensions/qianfan/fengming.plugin.json +0 -89
- package/dist/extensions/qianfan/index.d.ts +0 -11
- package/dist/extensions/qianfan/index.js +0 -26
- package/dist/extensions/qianfan/onboard.d.ts +0 -2
- package/dist/extensions/qianfan/onboard.js +0 -2
- package/dist/extensions/qianfan/package.json +0 -15
- package/dist/extensions/qianfan/provider-catalog.d.ts +0 -2
- package/dist/extensions/qianfan/provider-catalog.js +0 -2
- package/dist/extensions/qwen/api.d.ts +0 -4
- package/dist/extensions/qwen/api.js +0 -5
- package/dist/extensions/qwen/fengming.plugin.json +0 -389
- package/dist/extensions/qwen/index.d.ts +0 -11
- package/dist/extensions/qwen/index.js +0 -202
- package/dist/extensions/qwen/media-understanding-provider.d.ts +0 -6
- package/dist/extensions/qwen/media-understanding-provider.js +0 -2
- package/dist/extensions/qwen/model-definitions.d.ts +0 -2
- package/dist/extensions/qwen/model-definitions.js +0 -2
- package/dist/extensions/qwen/models.d.ts +0 -2
- package/dist/extensions/qwen/models.js +0 -2
- package/dist/extensions/qwen/onboard.d.ts +0 -21
- package/dist/extensions/qwen/onboard.js +0 -2
- package/dist/extensions/qwen/package.json +0 -15
- package/dist/extensions/qwen/provider-catalog.d.ts +0 -2
- package/dist/extensions/qwen/provider-catalog.js +0 -2
- package/dist/extensions/qwen/stream.d.ts +0 -2
- package/dist/extensions/qwen/stream.js +0 -2
- package/dist/extensions/qwen/video-generation-provider.d.ts +0 -6
- package/dist/extensions/qwen/video-generation-provider.js +0 -2
- package/dist/extensions/sensenova/fengming.plugin.json +0 -69
- package/dist/extensions/sensenova/index.d.ts +0 -11
- package/dist/extensions/sensenova/index.js +0 -45
- package/dist/extensions/sensenova/models.d.ts +0 -7
- package/dist/extensions/sensenova/models.js +0 -2
- package/dist/extensions/sensenova/onboard.d.ts +0 -5
- package/dist/extensions/sensenova/onboard.js +0 -2
- package/dist/extensions/sensenova/package.json +0 -15
- package/dist/extensions/sensenova/provider-catalog.d.ts +0 -2
- package/dist/extensions/sensenova/provider-catalog.js +0 -2
- package/dist/extensions/sensenova/provider-discovery.d.ts +0 -2
- package/dist/extensions/sensenova/provider-discovery.js +0 -5
- package/dist/extensions/stepfun/fengming.plugin.json +0 -162
- package/dist/extensions/stepfun/index.d.ts +0 -12
- package/dist/extensions/stepfun/index.js +0 -165
- package/dist/extensions/stepfun/onboard.d.ts +0 -7
- package/dist/extensions/stepfun/onboard.js +0 -2
- package/dist/extensions/stepfun/package.json +0 -15
- package/dist/extensions/stepfun/provider-catalog.d.ts +0 -14
- package/dist/extensions/stepfun/provider-catalog.js +0 -2
- package/dist/extensions/tencent/api.d.ts +0 -3
- package/dist/extensions/tencent/api.js +0 -4
- package/dist/extensions/tencent/fengming.plugin.json +0 -105
- package/dist/extensions/tencent/index.d.ts +0 -12
- package/dist/extensions/tencent/index.js +0 -62
- package/dist/extensions/tencent/models.d.ts +0 -2
- package/dist/extensions/tencent/models.js +0 -2
- package/dist/extensions/tencent/onboard.d.ts +0 -6
- package/dist/extensions/tencent/onboard.js +0 -2
- package/dist/extensions/tencent/package.json +0 -15
- package/dist/extensions/tencent/provider-catalog.d.ts +0 -2
- package/dist/extensions/tencent/provider-catalog.js +0 -2
- package/dist/extensions/tencent/provider-discovery.d.ts +0 -5
- package/dist/extensions/tencent/provider-discovery.js +0 -14
- package/dist/extensions/tiangong/fengming.plugin.json +0 -69
- package/dist/extensions/tiangong/index.d.ts +0 -11
- package/dist/extensions/tiangong/index.js +0 -45
- package/dist/extensions/tiangong/models.d.ts +0 -7
- package/dist/extensions/tiangong/models.js +0 -2
- package/dist/extensions/tiangong/onboard.d.ts +0 -5
- package/dist/extensions/tiangong/onboard.js +0 -2
- package/dist/extensions/tiangong/package.json +0 -15
- package/dist/extensions/tiangong/provider-catalog.d.ts +0 -2
- package/dist/extensions/tiangong/provider-catalog.js +0 -2
- package/dist/extensions/tiangong/provider-discovery.d.ts +0 -2
- package/dist/extensions/tiangong/provider-discovery.js +0 -5
- package/dist/extensions/volcengine/api.d.ts +0 -12
- package/dist/extensions/volcengine/api.js +0 -4
- package/dist/extensions/volcengine/fengming.plugin.json +0 -263
- package/dist/extensions/volcengine/index.d.ts +0 -12
- package/dist/extensions/volcengine/index.js +0 -88
- package/dist/extensions/volcengine/models.d.ts +0 -2
- package/dist/extensions/volcengine/models.js +0 -2
- package/dist/extensions/volcengine/package.json +0 -15
- package/dist/extensions/volcengine/provider-catalog.d.ts +0 -2
- package/dist/extensions/volcengine/provider-catalog.js +0 -2
- package/dist/extensions/volcengine/provider-discovery.d.ts +0 -5
- package/dist/extensions/volcengine/provider-discovery.js +0 -23
- package/dist/extensions/volcengine/speech-provider.d.ts +0 -5
- package/dist/extensions/volcengine/speech-provider.js +0 -2
- package/dist/extensions/volcengine/tts.d.ts +0 -22
- package/dist/extensions/volcengine/tts.js +0 -2
- package/dist/extensions/weixin/fengming.plugin.json +0 -22
- package/dist/extensions/weixin/index.d.ts +0 -26
- package/dist/extensions/weixin/index.js +0 -862
- package/dist/extensions/weixin/package.json +0 -45
- package/dist/extensions/xiaomi/api.d.ts +0 -3
- package/dist/extensions/xiaomi/api.js +0 -3
- package/dist/extensions/xiaomi/fengming.plugin.json +0 -260
- package/dist/extensions/xiaomi/index.d.ts +0 -12
- package/dist/extensions/xiaomi/index.js +0 -284
- package/dist/extensions/xiaomi/onboard.d.ts +0 -2
- package/dist/extensions/xiaomi/onboard.js +0 -2
- package/dist/extensions/xiaomi/package.json +0 -15
- package/dist/extensions/xiaomi/provider-catalog.d.ts +0 -2
- package/dist/extensions/xiaomi/provider-catalog.js +0 -2
- package/dist/extensions/xiaomi/speech-provider.d.ts +0 -5
- package/dist/extensions/xiaomi/speech-provider.js +0 -2
- package/dist/extensions/xiaomi/stream.d.ts +0 -5
- package/dist/extensions/xiaomi/stream.js +0 -2
- package/dist/extensions/xiaomi/thinking.d.ts +0 -11
- package/dist/extensions/xiaomi/thinking.js +0 -2
- package/dist/extensions/xingchen/fengming.plugin.json +0 -69
- package/dist/extensions/xingchen/index.d.ts +0 -11
- package/dist/extensions/xingchen/index.js +0 -45
- package/dist/extensions/xingchen/models.d.ts +0 -7
- package/dist/extensions/xingchen/models.js +0 -2
- package/dist/extensions/xingchen/onboard.d.ts +0 -5
- package/dist/extensions/xingchen/onboard.js +0 -2
- package/dist/extensions/xingchen/package.json +0 -15
- package/dist/extensions/xingchen/provider-catalog.d.ts +0 -2
- package/dist/extensions/xingchen/provider-catalog.js +0 -2
- package/dist/extensions/xingchen/provider-discovery.d.ts +0 -2
- package/dist/extensions/xingchen/provider-discovery.js +0 -5
- package/dist/extensions/yi/fengming.plugin.json +0 -84
- package/dist/extensions/yi/index.d.ts +0 -11
- package/dist/extensions/yi/index.js +0 -45
- package/dist/extensions/yi/models.d.ts +0 -7
- package/dist/extensions/yi/models.js +0 -2
- package/dist/extensions/yi/onboard.d.ts +0 -5
- package/dist/extensions/yi/onboard.js +0 -2
- package/dist/extensions/yi/package.json +0 -15
- package/dist/extensions/yi/provider-catalog.d.ts +0 -2
- package/dist/extensions/yi/provider-catalog.js +0 -2
- package/dist/extensions/yi/provider-discovery.d.ts +0 -2
- package/dist/extensions/yi/provider-discovery.js +0 -5
- package/dist/extensions/zai/api.d.ts +0 -4
- package/dist/extensions/zai/api.js +0 -4
- package/dist/extensions/zai/detect.d.ts +0 -2
- package/dist/extensions/zai/detect.js +0 -2
- package/dist/extensions/zai/fengming.plugin.json +0 -377
- package/dist/extensions/zai/index.d.ts +0 -12
- package/dist/extensions/zai/index.js +0 -297
- package/dist/extensions/zai/media-understanding-provider.d.ts +0 -5
- package/dist/extensions/zai/media-understanding-provider.js +0 -2
- package/dist/extensions/zai/model-definitions.d.ts +0 -2
- package/dist/extensions/zai/model-definitions.js +0 -2
- package/dist/extensions/zai/onboard.d.ts +0 -2
- package/dist/extensions/zai/onboard.js +0 -2
- package/dist/extensions/zai/package.json +0 -15
- package/dist/extensions/zai/runtime-api.d.ts +0 -2
- package/dist/extensions/zai/runtime-api.js +0 -2
- package/dist/extensions/zhinao/fengming.plugin.json +0 -69
- package/dist/extensions/zhinao/index.d.ts +0 -11
- package/dist/extensions/zhinao/index.js +0 -45
- package/dist/extensions/zhinao/models.d.ts +0 -7
- package/dist/extensions/zhinao/models.js +0 -2
- package/dist/extensions/zhinao/onboard.d.ts +0 -5
- package/dist/extensions/zhinao/onboard.js +0 -2
- package/dist/extensions/zhinao/package.json +0 -15
- package/dist/extensions/zhinao/provider-catalog.d.ts +0 -2
- package/dist/extensions/zhinao/provider-catalog.js +0 -2
- package/dist/extensions/zhinao/provider-discovery.d.ts +0 -2
- package/dist/extensions/zhinao/provider-discovery.js +0 -5
- package/dist/fengming-runtime-0jdu_329.d.ts +0 -153
- package/dist/fengming-tools-gQkwsWYz.js +0 -12221
- package/dist/fengming.plugin-C-Kdi1_5.js +0 -130
- package/dist/fengming.plugin-CRPqMj85.js +0 -166
- package/dist/gateway-cli-BV1V43-D.js +0 -443
- package/dist/gateway-method-runtime-J2OPP_oH.js +0 -21
- package/dist/get-reply-BE8ZGJos.js +0 -5198
- package/dist/get-reply-from-config.runtime-C5wfxVI_.js +0 -2
- package/dist/heartbeat-runner-_0HlObMb.js +0 -5
- package/dist/heartbeat-runner.runtime-DvYz_4Z3.js +0 -3
- package/dist/hook-runtime-BH9moP5T.js +0 -4
- package/dist/hooks-icCwsmrQ.js +0 -536
- package/dist/host-compat-dfJvEfe7.d.ts +0 -21
- package/dist/http-registry-Buj7R-F_.d.ts +0 -23
- package/dist/image-generation-provider-hrRXkkGc.js +0 -152
- package/dist/inbound-reply-dispatch-5AYt56Yt.js +0 -147
- package/dist/inbound-reply-dispatch-B5weFW8i.js +0 -2
- package/dist/inbound-reply-dispatch-cJh4H31y.d.ts +0 -156
- package/dist/index-AZzJCgph.d.ts +0 -1497
- package/dist/infra-runtime-3_0R8nmO.js +0 -32
- package/dist/init-BnfkYG_k.js +0 -59
- package/dist/interactive-V8NfYsTW.d.ts +0 -26
- package/dist/isolated-agent-CgH7dfOj.js +0 -1097
- package/dist/isolated-agent-dBWkiw0a.js +0 -2
- package/dist/kernel-Ds2aqAJF.d.ts +0 -241
- package/dist/kimi-web-search-provider-QJT3Ftj3.js +0 -80
- package/dist/kimi-web-search-provider.runtime-Dj3SS4T5.js +0 -307
- package/dist/kimi-web-search-provider.runtime.js +0 -1
- package/dist/lib-Dg4yjNFQ.js +0 -871
- package/dist/lifecycle-B9k7QGsS.js +0 -570
- package/dist/list.probe-CbVHFNwf.js +0 -2
- package/dist/list.probe-CxiEBmyW.js +0 -451
- package/dist/list.status-command-DE-edGgB.js +0 -815
- package/dist/llm-slug-generator-DJgq9eFd.js +0 -78
- package/dist/loader-5AqYM9PC.d.ts +0 -142
- package/dist/local-dispatch.runtime-D3F4v51B.js +0 -10
- package/dist/manager-BWf1ks-Z.d.ts +0 -409
- package/dist/mcp-http-DU7Nsg4P.js +0 -583
- package/dist/mcp-http-iZCW6Cet.js +0 -2
- package/dist/media-runtime-DZ5RpQN7.d.ts +0 -261
- package/dist/media-understanding-DEdEyoQB.d.ts +0 -46
- package/dist/media-understanding-provider-4JHrQOUE.js +0 -70
- package/dist/media-understanding-provider-BV7O82XV.js +0 -29
- package/dist/media-understanding-provider-BlPRhYkx.js +0 -69
- package/dist/media-understanding-provider-BuX8eQLj.js +0 -13
- package/dist/memory-core-host-engine-embeddings-BDu5fx8E.d.ts +0 -324
- package/dist/memory-core-host-engine-storage-CdCuH-E2.d.ts +0 -54
- package/dist/message-handler-L6QLWNVP.js +0 -1806
- package/dist/minimax-web-search-provider-_gxeEOy8.js +0 -58
- package/dist/minimax-web-search-provider.runtime-BF4mGi6U.js +0 -148
- package/dist/minimax-web-search-provider.runtime.js +0 -1
- package/dist/model-catalog-DCnRkX8f.d.ts +0 -88
- package/dist/model-definitions-B2gY43hI.d.ts +0 -34
- package/dist/model-definitions-BLOyeH5h.js +0 -73
- package/dist/model-definitions-CoByf5mT.js +0 -243
- package/dist/model-definitions-WP3OmzbS.d.ts +0 -57
- package/dist/model-selection-DhTE6GZD.js +0 -352
- package/dist/models--iAR9QkZ.js +0 -175
- package/dist/models-8ImVEkvh.js +0 -36
- package/dist/models-BIDM8htk.js +0 -48
- package/dist/models-BRgRfrcS.js +0 -36
- package/dist/models-Bib5-APc.js +0 -67
- package/dist/models-Bl67zOoe.js +0 -36
- package/dist/models-BqDDYFE3.d.ts +0 -65
- package/dist/models-BtRQoRIu.js +0 -36
- package/dist/models-BvXmOXik.js +0 -48
- package/dist/models-C-sJciOD.d.ts +0 -9
- package/dist/models-COnXPdlL.js +0 -24
- package/dist/models-CXTmk-Da.d.ts +0 -8
- package/dist/models-Cz0C_8re.js +0 -36
- package/dist/models-DbwEIt-m.d.ts +0 -15
- package/dist/models-DgXkSADi.js +0 -30
- package/dist/models-cli-Bv3y3JgQ.js +0 -257
- package/dist/monitor-BiVOsbbN.js +0 -1024
- package/dist/monitor-BumfRp1t.js +0 -60
- package/dist/monitor.account-Cd6EwtuZ.js +0 -5382
- package/dist/music-generation-provider-ZdDMiC-c.js +0 -308
- package/dist/nodes-C0f8XgD5.js +0 -1483
- package/dist/nodes-Dk4vOgg9.js +0 -3
- package/dist/nodes-pending-Cjg09MXz.js +0 -211
- package/dist/oauth-BIO69Qw0.d.ts +0 -25
- package/dist/oauth-CnO10TN2.js +0 -207
- package/dist/onboard-B3BYT5k7.js +0 -34
- package/dist/onboard-BDMNV6RE.js +0 -23
- package/dist/onboard-B_WNNy5F.d.ts +0 -6
- package/dist/onboard-BbyMaErU.js +0 -69
- package/dist/onboard-BuYPNE6j2.js +0 -23
- package/dist/onboard-C394zMnM.d.ts +0 -11
- package/dist/onboard-CHn4oVbY.js +0 -24
- package/dist/onboard-CPpVbb0O.js +0 -73
- package/dist/onboard-CWDx7Crt.js +0 -23
- package/dist/onboard-CbzkwBzu.d.ts +0 -12
- package/dist/onboard-D099qUd0.js +0 -23
- package/dist/onboard-D7dbzfHc.js +0 -23
- package/dist/onboard-DB-x0nHF.js +0 -30
- package/dist/onboard-DFVrRnxJ.js +0 -23
- package/dist/onboard-DFiqoOc2.d.ts +0 -7
- package/dist/onboard-DJaMK3rr.d.ts +0 -6
- package/dist/onboard-DMdK8D_h.js +0 -67
- package/dist/onboard-J-KL-I6m.js +0 -48
- package/dist/onboard-MIBU-Rmv.js +0 -39
- package/dist/onboard-vmGylfFe.js +0 -23
- package/dist/openai-compat-errors-Dcr5Y8bF.js +0 -136
- package/dist/openai-http-CcqspzU6.js +0 -836
- package/dist/openresponses-http-BnyYYvUF.js +0 -1175
- package/dist/operations-H2Oq0KYz.js +0 -805
- package/dist/outbound.types-BhRehecY.d.ts +0 -291
- package/dist/plugin-enabled-CEIKWKrq.js +0 -232
- package/dist/plugin-entry-CTVRRaaA.d.ts +0 -47
- package/dist/plugin-registration-BTyO5Fwt.js +0 -97
- package/dist/plugin-runtime-_XF2N_UQ.d.ts +0 -117
- package/dist/plugin-sdk/bundled-channel-config-schema-BsOWCrJT.d.ts +0 -3169
- package/dist/plugin-service-B91jVlmZ.d.ts +0 -24
- package/dist/plugin-service-CtGwVz8V.js +0 -1249
- package/dist/prepare.runtime-9dlboph7.js +0 -798
- package/dist/preview-warnings-DJx4KJpC.js +0 -618
- package/dist/program-CWC-NBBB.js +0 -131
- package/dist/provider-api-key-auth-BmNcYRMl.d.ts +0 -27
- package/dist/provider-auth-api-key-CCaFiqY3.js +0 -5
- package/dist/provider-auth-result-D_E9dcVc.d.ts +0 -21
- package/dist/provider-catalog-5KZLmrDO.js +0 -11
- package/dist/provider-catalog-7P6AvDzS.js +0 -11
- package/dist/provider-catalog-B2gyTjTU.js +0 -88
- package/dist/provider-catalog-B3YBhe77.js +0 -17
- package/dist/provider-catalog-B7XEeuUm.js +0 -11
- package/dist/provider-catalog-BFGPRd9v.js +0 -17
- package/dist/provider-catalog-BLvkIMSk.d.ts +0 -6
- package/dist/provider-catalog-BPBL9mJf.d.ts +0 -5
- package/dist/provider-catalog-BRkZ6-HD.d.ts +0 -5
- package/dist/provider-catalog-Bfl_AoTZ.js +0 -142
- package/dist/provider-catalog-BpiHWHu1.js +0 -11
- package/dist/provider-catalog-C1qDLekT.d.ts +0 -5
- package/dist/provider-catalog-CKWNCfry.js +0 -11
- package/dist/provider-catalog-CUHB2pSt.d.ts +0 -7
- package/dist/provider-catalog-CWqN2j6J.d.ts +0 -5
- package/dist/provider-catalog-CZ8oYbx3.js +0 -11
- package/dist/provider-catalog-CcQ5-4ZW.d.ts +0 -6
- package/dist/provider-catalog-Cd16uZ0U.js +0 -20
- package/dist/provider-catalog-CpF2D0VK.js +0 -61
- package/dist/provider-catalog-CvXq36zW.d.ts +0 -5
- package/dist/provider-catalog-D2pgEME3.js +0 -48
- package/dist/provider-catalog-DPzcupEl.d.ts +0 -5
- package/dist/provider-catalog-DaeI606G.d.ts +0 -9
- package/dist/provider-catalog-DrOCtTb-.js +0 -11
- package/dist/provider-catalog-DwZ1J2Al.d.ts +0 -6
- package/dist/provider-catalog-Dy7IcHmS.js +0 -107
- package/dist/provider-catalog-TsZS52nq.d.ts +0 -10
- package/dist/provider-catalog-YqIFRCND.d.ts +0 -5
- package/dist/provider-catalog-Ywb5jRwG.d.ts +0 -5
- package/dist/provider-catalog-evknl1oN.js +0 -11
- package/dist/provider-catalog-l0hFpFO2.d.ts +0 -17
- package/dist/provider-catalog-shared-DsRBv0Tp.d.ts +0 -62
- package/dist/provider-dispatcher-BMy9mBJ1.js +0 -22
- package/dist/provider-model-shared-CPAfQBNs.d.ts +0 -143
- package/dist/provider-models-Diu65OcG.d.ts +0 -18
- package/dist/provider-models-LE7PlLYY.js +0 -22
- package/dist/provider-onboard-CpvXEmvz.d.ts +0 -91
- package/dist/provider-registration-DF-LkmNE.js +0 -235
- package/dist/provider-registry-D9cTPW1F.d.ts +0 -8
- package/dist/provider-registry-DI7gMKUP.d.ts +0 -8
- package/dist/provider-registry-DZtgZDkl.d.ts +0 -29
- package/dist/provider-self-hosted-setup-CoHvoyKm.d.ts +0 -74
- package/dist/provider-stream-BpXJr5Ap.d.ts +0 -139
- package/dist/provider-stream-family-Bj5aBD8w.js +0 -2
- package/dist/provider-stream-shared-BaUkhUHj.d.ts +0 -132
- package/dist/provider-usage-DFUhW2do.js +0 -651
- package/dist/provider-web-search-contract-fields-CkXzSsWu.d.ts +0 -25
- package/dist/pw-ai-9Q_dIq4B.js +0 -3064
- package/dist/register.agent-CbfrlzXB.js +0 -152
- package/dist/register.crestodian-CEg0rPfK.js +0 -24
- package/dist/register.maintenance-k9N8I4Wg.js +0 -85
- package/dist/register.subclis-CrXOeaS3.js +0 -3
- package/dist/register.subclis-DfKlni8N.js +0 -31
- package/dist/register.subclis-core-Bg4wbDsO.js +0 -278
- package/dist/registry-Bh3-P2HL.d.ts +0 -8
- package/dist/registry-types-BmEUS4d3.d.ts +0 -392
- package/dist/repair-sequencing-E4yViXG9.js +0 -652
- package/dist/reply-payload-S2mrc_Mh.d.ts +0 -200
- package/dist/reply-turn-admission-BBoPjmGB.js +0 -2056
- package/dist/reply.runtime-C5wfxVI_.js +0 -2
- package/dist/result-fallback-classifier-CX4iLD1G.js +0 -98
- package/dist/route-CifxcQZ1.js +0 -475
- package/dist/routes-B3XAOeWo.js +0 -2
- package/dist/routes-H185h3U-.js +0 -3701
- package/dist/run-CTJFbwbB.js +0 -1162
- package/dist/run-command-B7B53tYk.js +0 -23
- package/dist/run-command-BFuxRDxS.js +0 -2
- package/dist/run-context-C7im9ICg.js +0 -66
- package/dist/run-embedded.runtime-TljBTbzh.js +0 -4
- package/dist/run-execution-cli.runtime-Bt5zwx1W.js +0 -4
- package/dist/run-executor.runtime-hmbWX2Ct.js +0 -330
- package/dist/run-subagent-registry.runtime-B70X80nS.js +0 -2
- package/dist/runtime-DoKE0o7v.js +0 -436
- package/dist/runtime-api-Ca4Llbgf.js +0 -12
- package/dist/runtime-api-pa8xcEmg.d.ts +0 -5
- package/dist/runtime-channel-CFQ59svm.js +0 -148
- package/dist/runtime-channel-DRwCWGUx.js +0 -2
- package/dist/runtime-embedded-agent.runtime-DwmqKUVp.js +0 -2
- package/dist/runtime-forwarders-BMThPHg_.d.ts +0 -39
- package/dist/sdk-setup-tools-Cg_Tabrf.js +0 -8
- package/dist/selection-COhr7g82.js +0 -18365
- package/dist/selection-_G44EVqd.js +0 -3
- package/dist/send-media-BNc67G7I.js +0 -2072
- package/dist/server-5rR0RCpI.js +0 -24
- package/dist/server-context-BhiPROPA.js +0 -955
- package/dist/server-context-OShBAJZQ.js +0 -2
- package/dist/server-cron-Bkzb9edh.js +0 -3173
- package/dist/server-cron-DdR-ugiU.js +0 -2
- package/dist/server-lwtC1vaS.js +0 -72
- package/dist/server-methods-BY_ZqDFJ.js +0 -497
- package/dist/server-node-events-CLvE94AS.js +0 -597
- package/dist/server-plugin-bootstrap-cKOAH5GL.js +0 -71
- package/dist/server-plugins-CPpUykw5.js +0 -435
- package/dist/server-reload-handlers-uzt4VDZ-.js +0 -719
- package/dist/server-restart-sentinel-CpvV0t4O.js +0 -700
- package/dist/server-runtime-services-BhOHoerM.js +0 -147
- package/dist/server-runtime-services-D3Ig68nC.js +0 -3
- package/dist/server-startup-plugins-DslzKVHK.js +0 -127
- package/dist/server-startup-post-attach-DPFBTQez.js +0 -793
- package/dist/server-ws-runtime-D0zoWoiz.js +0 -374
- package/dist/server.impl-CzqLQ3qt.js +0 -2622
- package/dist/session-kill-http-D8JhwZVS.js +0 -121
- package/dist/session-reset-service-uoi7E4Xp.js +0 -651
- package/dist/session-status.runtime-CZK5IU8w.js +0 -2
- package/dist/session-subagent-reactivation.runtime-BSO00-FY.js +0 -2
- package/dist/session-tab-registry-DM9U7e3o.js +0 -551
- package/dist/sessions-B-SkIoaa.js +0 -1917
- package/dist/sessions-history-http-DCiOG4FK.js +0 -432
- package/dist/sessions-patch-DlAAvQvB.js +0 -401
- package/dist/sessions-resolve-DfMXookg.js +0 -180
- package/dist/sessions.runtime-0V2YxKxB.js +0 -2
- package/dist/snapshot-urls-Ble1-NEW.js +0 -317
- package/dist/speech-core-Bk60ZS_y.d.ts +0 -49
- package/dist/speech-provider-DQO9eZd0.js +0 -233
- package/dist/speech-provider-DnBCla4V.js +0 -171
- package/dist/speech-provider-DyYHFxT5.js +0 -227
- package/dist/standalone-9EWfcxeO.js +0 -42
- package/dist/startup-context-nti4X0_w.js +0 -314
- package/dist/status-subagents.runtime-CPZb1EF1.js +0 -32
- package/dist/status-text-C1Hf37lF.js +0 -301
- package/dist/stream-9VBt1MDs.js +0 -26
- package/dist/stream-B_3P7v7P.js +0 -86
- package/dist/stream-CXsue2-v.d.ts +0 -9
- package/dist/stream-oNBFxfKt.d.ts +0 -5
- package/dist/subagent-announce-CPjQQLy8.js +0 -353
- package/dist/subagent-announce-delivery-B6iBOicL.js +0 -1369
- package/dist/subagent-control-DP72sk-l.js +0 -492
- package/dist/subagent-hooks-B1oUIYH3.js +0 -2
- package/dist/subagent-hooks-BkGj4_xI.js +0 -230
- package/dist/subagent-hooks-api-D2mulK3S.js +0 -23
- package/dist/subagent-registry-CEKAUB5h.js +0 -3
- package/dist/subagent-registry-OUVucPAn.js +0 -2627
- package/dist/subagent-session-cleanup-Bx8d3kw0.js +0 -390
- package/dist/system-CelaP2zI.js +0 -111
- package/dist/talk-DGOI3Lu3.js +0 -2454
- package/dist/target-id-BXRG7x9x.js +0 -107
- package/dist/thinking-B8V29FhB.js +0 -35
- package/dist/thread-bindings-DpVdEPZ0.js +0 -228
- package/dist/tool-DHzDpxE4.js +0 -143
- package/dist/tool-dispatch-ClP3Rc7g.js +0 -155
- package/dist/tool-resolution-CZcLod1d.js +0 -153
- package/dist/tool-split-BhiQ8676.d.ts +0 -19
- package/dist/tools-ZvSvbsCW.d.ts +0 -38
- package/dist/tools-effective-C2mHZT-A.js +0 -442
- package/dist/tools-effective-inventory-ctnM7hc6.js +0 -379
- package/dist/tools-invoke-Ci6Rux2s.js +0 -51
- package/dist/tools-invoke-http-CJflXcJk.js +0 -68
- package/dist/tools-invoke-shared-BLu_mJEX.js +0 -200
- package/dist/tts-B2rPJPij.js +0 -83
- package/dist/tts-Gp9FI3_n.js +0 -163
- package/dist/tts-runtime-DNi1HXPF.d.ts +0 -230
- package/dist/tui-BUhfQ9vD.js +0 -3
- package/dist/tui-BhH5mvLf.js +0 -2
- package/dist/tui-backend-C_4ajTHI.js +0 -257
- package/dist/tui-cli-BhWJ-QoB.js +0 -40
- package/dist/tui-ink-run-BTWbUQGb.js +0 -7414
- package/dist/tui-ink-run-DfTdivkh.js +0 -2
- package/dist/types-B4fW3r5y.d.ts +0 -111
- package/dist/types-DI62NfFe.d.ts +0 -7034
- package/dist/types-sAih_uQb.d.ts +0 -393
- package/dist/types.public-B3MKhuo2.d.ts +0 -70
- package/dist/video-generation-B9c6a5cw.js +0 -207
- package/dist/video-generation-BgJp7UIA.d.ts +0 -224
- package/dist/video-generation-provider-BjiVjf40.js +0 -325
- package/dist/video-generation-provider-CsnQJg_h.js +0 -297
- package/dist/video-generation-provider-DtU-ZPqP.js +0 -64
- package/dist/video-generation-provider-wZ0bzv0e.js +0 -77
- package/dist/webhook-targets-Cy8e7y3g.d.ts +0 -99
- package/dist/zod-schema.core-BGLctDlK.d.ts +0 -166
- package/skills/canvas/SKILL.md +0 -78
- package/skills/clawhub/SKILL.md +0 -77
- package/skills/coding-agent/SKILL.md +0 -143
- package/skills/diagram-maker/SKILL.md +0 -53
- package/skills/diagram-maker/references/excalidraw-patterns.md +0 -85
- package/skills/diagram-maker/references/svg-template.md +0 -112
- package/skills/gemini/SKILL.md +0 -47
- package/skills/gh-issues/SKILL.md +0 -213
- package/skills/gifgrep/SKILL.md +0 -85
- package/skills/github/SKILL.md +0 -84
- package/skills/healthcheck/SKILL.md +0 -105
- package/skills/mcporter/SKILL.md +0 -61
- package/skills/meme-maker/SKILL.md +0 -42
- package/skills/meme-maker/references/templates.json +0 -358
- package/skills/meme-maker/scripts/meme.mjs +0 -398
- package/skills/model-usage/SKILL.md +0 -71
- package/skills/model-usage/references/codexbar-cli.md +0 -33
- package/skills/model-usage/scripts/model_usage.py +0 -319
- package/skills/model-usage/scripts/test_model_usage.py +0 -40
- package/skills/nano-pdf/SKILL.md +0 -38
- package/skills/node-connect/SKILL.md +0 -143
- package/skills/node-inspect-debugger/SKILL.md +0 -85
- package/skills/openai-whisper/SKILL.md +0 -38
- package/skills/openai-whisper-api/SKILL.md +0 -71
- package/skills/openai-whisper-api/scripts/transcribe.sh +0 -154
- package/skills/oracle/SKILL.md +0 -126
- package/skills/pyproject.toml +0 -10
- package/skills/python-debugpy/SKILL.md +0 -73
- package/skills/sag/SKILL.md +0 -87
- package/skills/session-logs/SKILL.md +0 -151
- package/skills/sherpa-onnx-tts/SKILL.md +0 -109
- package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +0 -178
- package/skills/skill-creator/SKILL.md +0 -78
- package/skills/skill-creator/license.txt +0 -202
- package/skills/skill-creator/scripts/init_skill.py +0 -378
- package/skills/skill-creator/scripts/package_skill.py +0 -139
- package/skills/skill-creator/scripts/quick_validate.py +0 -169
- package/skills/skill-creator/scripts/test_package_skill.py +0 -161
- package/skills/skill-creator/scripts/test_quick_validate.py +0 -116
- package/skills/spike/SKILL.md +0 -51
- package/skills/summarize/SKILL.md +0 -87
- package/skills/taskflow/SKILL.md +0 -149
- package/skills/taskflow/examples/inbox-triage.lobster +0 -33
- package/skills/taskflow/examples/pr-intake.lobster +0 -32
- package/skills/taskflow-inbox-triage/SKILL.md +0 -119
- package/skills/video-frames/SKILL.md +0 -46
- package/skills/video-frames/scripts/frame.sh +0 -81
- package/skills/voice-call/SKILL.md +0 -45
- package/skills/weather/SKILL.md +0 -64
- /package/dist/{acp-runtime-backend-DbchQ02o.js → acp-runtime-backend-DZ1Lnt7f.js} +0 -0
- /package/dist/{delegate-k1aptKei.js → delegate-CwhxUdeb.js} +0 -0
- /package/dist/{dispatch-acp-CD4YxPpf.js → dispatch-acp-BP4I5ZQf.js} +0 -0
- /package/dist/{exec-approvals-ByWUCFQM.js → exec-approvals-ByWUCFQM2.js} +0 -0
- /package/dist/{heartbeat-runner-CM0UZxa_.js → heartbeat-runner-CL3alQ8-.js} +0 -0
- /package/dist/{index-B0VJdRJQ.d.ts → index-B0VJdRJQ2.d.ts} +0 -0
- /package/dist/{library-CQ71yATP.js → library-CiTr_aqC.js} +0 -0
- /package/dist/{run-session-state-DbDeH-q6.js → run-session-state-BOMUtBKZ.js} +0 -0
- /package/dist/{session-subagent-reactivation-Bj91A2ms.js → session-subagent-reactivation-CH0C2I6Y.js} +0 -0
- /package/dist/{types-C4HgagiY2.d.ts → types-C4HgagiY.d.ts} +0 -0
|
@@ -0,0 +1,1806 @@
|
|
|
1
|
+
import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString } from "./string-coerce-DKw2K5wM.js";
|
|
2
|
+
import { S as resolveIntegerOption } from "./number-coercion-D1aDmIZp.js";
|
|
3
|
+
import { y as resolveStateDir } from "./paths-9MqJt9oL.js";
|
|
4
|
+
import { _ as uniqueStrings } from "./string-normalization-B8G0vlWE.js";
|
|
5
|
+
import { s as resolveRuntimeServiceVersion } from "./version-DbEUUfgr.js";
|
|
6
|
+
import { E as runWithDiagnosticTraceContext, _ as createDiagnosticTraceContext } from "./diagnostic-events-Bwqd0ZOT.js";
|
|
7
|
+
import { a as isPrivateOrLoopbackAddress, c as isTrustedProxyAddress, f as resolveClientIp, h as resolveHostName, i as isLoopbackHost, n as isLocalishHost, o as isPrivateOrLoopbackHost, r as isLoopbackAddress } from "./net-DAt4-3lj.js";
|
|
8
|
+
import { i as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, n as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN } from "./auth-rate-limit-BvIq8WVd.js";
|
|
9
|
+
import { a as hasForwardedRequestHeaders, i as authorizeWsControlUiGatewayConnect, o as isLocalDirectRequest, r as authorizeHttpGatewayConnect, s as checkBrowserOrigin } from "./auth-CLEZzwsq.js";
|
|
10
|
+
import { i as getRuntimeConfig } from "./io-T1CV3Z1L.js";
|
|
11
|
+
import { n as GATEWAY_CLIENT_IDS, r as GATEWAY_CLIENT_MODES } from "./client-info-D6_UASoA.js";
|
|
12
|
+
import { At as validateRequestFrame, M as validateConnectParams, Ri as ErrorCodes, t as formatValidationErrors, zi as errorShape } from "./src-B1Y482-m.js";
|
|
13
|
+
import "./version-D5ISQOpk.js";
|
|
14
|
+
import { c as buildDeviceAuthPayloadV3, l as normalizeDeviceMetadataForAuth, s as buildDeviceAuthPayload } from "./client-DkoDxk8Z.js";
|
|
15
|
+
import { i as normalizeDevicePublicKeyBase64Url, s as verifyDeviceSignature, t as deriveDeviceIdFromPublicKey } from "./device-identity-CdQCTTc_.js";
|
|
16
|
+
import { a as isOperatorUiClient, n as isGatewayCliClient, o as isWebchatClient, t as isBrowserOperatorUiClient } from "./message-channel-DcN_7tYD.js";
|
|
17
|
+
import { i as buildPairingConnectErrorMessage, m as resolveDeviceAuthConnectErrorDetailCode, n as buildPairingConnectCloseReason, p as resolveAuthConnectErrorDetailCode, r as buildPairingConnectErrorDetails, t as ConnectErrorDetailCodes } from "./connect-error-details-BqV3wdWQ.js";
|
|
18
|
+
import { i as gatewayStartupUnavailableDetails, n as GATEWAY_STARTUP_CLOSE_REASON, r as GATEWAY_STARTUP_PENDING_CLOSE_CAUSE, t as GATEWAY_STARTUP_CLOSE_CODE } from "./startup-unavailable-WFvkTNiD.js";
|
|
19
|
+
import { t as ADMIN_SCOPE } from "./operator-scopes-DGvgHuOd.js";
|
|
20
|
+
import "./method-scopes-CTk-6mpm.js";
|
|
21
|
+
import { n as isOperatorApprovalRuntimeToken } from "./operator-approval-runtime-token-C5pv_wEb.js";
|
|
22
|
+
import { t as rawDataToString } from "./ws-C3qhmaFC.js";
|
|
23
|
+
import { l as roleScopesAllow } from "./pairing-token-z_j9TFu2.js";
|
|
24
|
+
import { c as updatePairedNodeMetadata, d as sameNodeApprovalSurfaceSet, f as sameNodePermissionSurface, n as getPairedNode, s as requestNodePairing, u as normalizeNodeApprovalSurfaceList } from "./node-pairing-BexWuBNg.js";
|
|
25
|
+
import { i as recordRemoteNodeInfo, o as refreshRemoteNodeBins } from "./remote-e1szzQLr.js";
|
|
26
|
+
import { n as logRejectedLargePayload } from "./diagnostic-payload-BP1TpHgP.js";
|
|
27
|
+
import { a as MAX_PAYLOAD_BYTES, i as MAX_BUFFERED_BYTES, o as MAX_PREAUTH_PAYLOAD_BYTES, s as TICK_INTERVAL_MS } from "./server-constants-BGwLM6XN.js";
|
|
28
|
+
import { a as indexPluginNodeCapabilitySurfaces, l as resolvePluginNodeCapabilityTtlMs, o as mintPluginNodeCapabilityToken, r as buildPluginNodeCapabilityScopedHostUrl, u as setClientPluginNodeCapability } from "./plugin-node-capability-DH-ae5Gb.js";
|
|
29
|
+
import { a as normalizeDeclaredNodeCommands, o as resolveNodeCommandAllowlist, s as resolveNodePairingCommandAllowlist } from "./node-command-policy-Txp7J9Jt.js";
|
|
30
|
+
import { n as logWs, t as formatForLog } from "./ws-log-BzGc41ZC.js";
|
|
31
|
+
import { a as redeemDeviceBootstrapTokenProfile, d as isPairingSetupBootstrapProfile, l as verifyDeviceBootstrapToken, m as resolveBootstrapProfileScopesForRoles, n as getBoundDeviceBootstrapProfile, o as restoreDeviceBootstrapToken, p as resolveBootstrapProfileScopesForRole, r as getDeviceBootstrapTokenProfile, s as revokeDeviceBootstrapToken } from "./device-bootstrap-DYI_rb0J.js";
|
|
32
|
+
import { _ as updatePairedDeviceMetadata, a as getPairedDevice, c as listApprovedPairedDeviceRoles, l as listDevicePairing, n as approveDevicePairing, p as requestDevicePairing, r as ensureDeviceToken, s as hasEffectivePairedDeviceRole, t as approveBootstrapDevicePairing, u as listEffectivePairedDeviceRoles, v as verifyDeviceToken } from "./device-pairing-rQ2ou8kg.js";
|
|
33
|
+
import { t as resolveSharedGatewaySessionGeneration } from "./ws-shared-generation-Bp5l7wzu.js";
|
|
34
|
+
import { r as loadVoiceWakeConfig, t as formatError } from "./server-utils-Ca_6k9LO.js";
|
|
35
|
+
import { r as upsertPresence } from "./system-presence-DEwsx86K.js";
|
|
36
|
+
import { a as incrementPresenceVersion, n as getHealthCache, r as getHealthVersion, t as buildGatewaySnapshot } from "./health-state-R9QouhXJ.js";
|
|
37
|
+
import { n as parseGatewayRole, r as roleCanSkipDeviceIdentity } from "./role-policy-DLlx6KCe.js";
|
|
38
|
+
import { t as loadVoiceWakeRoutingConfig } from "./voicewake-routing-Hlporigi.js";
|
|
39
|
+
import { n as buildHandshakeAuthLogKey, r as shouldLimitMissingCredentialAuthLog, t as HandshakeAuthLogLimiter } from "./handshake-auth-log-limiter-ImTDtQlH.js";
|
|
40
|
+
import { t as truncateCloseReason } from "./close-reason-f7R6T5LC.js";
|
|
41
|
+
import fs from "node:fs";
|
|
42
|
+
import path from "node:path";
|
|
43
|
+
import os from "node:os";
|
|
44
|
+
//#region src/gateway/node-connect-reconcile.ts
|
|
45
|
+
function resolveApprovedReconnectCommands(params) {
|
|
46
|
+
return normalizeDeclaredNodeCommands({
|
|
47
|
+
declaredCommands: Array.isArray(params.pairedCommands) ? params.pairedCommands : [],
|
|
48
|
+
allowlist: params.allowlist
|
|
49
|
+
});
|
|
50
|
+
}
|
|
51
|
+
function normalizePermissionMap(value) {
|
|
52
|
+
if (!value) return;
|
|
53
|
+
const entries = Object.entries(value).toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));
|
|
54
|
+
return entries.length > 0 ? Object.fromEntries(entries) : void 0;
|
|
55
|
+
}
|
|
56
|
+
function intersectApprovalSurfaceList(params) {
|
|
57
|
+
const approved = new Set(normalizeNodeApprovalSurfaceList(params.approved));
|
|
58
|
+
return normalizeNodeApprovalSurfaceList(params.declared).filter((entry) => approved.has(entry));
|
|
59
|
+
}
|
|
60
|
+
function intersectPermissionSurface(params) {
|
|
61
|
+
const entries = [];
|
|
62
|
+
for (const [key, declaredValue] of Object.entries(params.declared ?? {})) {
|
|
63
|
+
const approvedValue = params.approved?.[key];
|
|
64
|
+
if (!declaredValue) {
|
|
65
|
+
entries.push([key, false]);
|
|
66
|
+
continue;
|
|
67
|
+
}
|
|
68
|
+
if (approvedValue === true) {
|
|
69
|
+
entries.push([key, true]);
|
|
70
|
+
continue;
|
|
71
|
+
}
|
|
72
|
+
if (approvedValue === false) entries.push([key, false]);
|
|
73
|
+
}
|
|
74
|
+
return entries.length > 0 ? Object.fromEntries(entries) : void 0;
|
|
75
|
+
}
|
|
76
|
+
function buildNodePairingRequestInput(params) {
|
|
77
|
+
return {
|
|
78
|
+
nodeId: params.nodeId,
|
|
79
|
+
displayName: params.connectParams.client.displayName,
|
|
80
|
+
platform: params.connectParams.client.platform,
|
|
81
|
+
version: params.connectParams.client.version,
|
|
82
|
+
deviceFamily: params.connectParams.client.deviceFamily,
|
|
83
|
+
modelIdentifier: params.connectParams.client.modelIdentifier,
|
|
84
|
+
caps: params.caps,
|
|
85
|
+
commands: params.commands,
|
|
86
|
+
permissions: params.permissions,
|
|
87
|
+
remoteIp: params.remoteIp
|
|
88
|
+
};
|
|
89
|
+
}
|
|
90
|
+
async function reconcileNodePairingOnConnect(params) {
|
|
91
|
+
const nodeId = params.connectParams.device?.id ?? params.connectParams.client.id;
|
|
92
|
+
const policyNode = {
|
|
93
|
+
platform: params.connectParams.client.platform,
|
|
94
|
+
deviceFamily: params.connectParams.client.deviceFamily,
|
|
95
|
+
caps: params.connectParams.caps,
|
|
96
|
+
commands: params.connectParams.commands
|
|
97
|
+
};
|
|
98
|
+
const pairingAllowlist = resolveNodePairingCommandAllowlist(params.cfg, policyNode);
|
|
99
|
+
const declared = normalizeDeclaredNodeCommands({
|
|
100
|
+
declaredCommands: Array.isArray(params.connectParams.commands) ? params.connectParams.commands : [],
|
|
101
|
+
allowlist: pairingAllowlist
|
|
102
|
+
});
|
|
103
|
+
const declaredCaps = normalizeNodeApprovalSurfaceList(params.connectParams.caps);
|
|
104
|
+
const declaredPermissions = normalizePermissionMap(params.connectParams.permissions);
|
|
105
|
+
if (!params.pairedNode) return {
|
|
106
|
+
nodeId,
|
|
107
|
+
declaredCaps,
|
|
108
|
+
effectiveCaps: [],
|
|
109
|
+
declaredCommands: declared,
|
|
110
|
+
effectiveCommands: [],
|
|
111
|
+
declaredPermissions,
|
|
112
|
+
effectivePermissions: void 0,
|
|
113
|
+
pendingPairing: await params.requestPairing(buildNodePairingRequestInput({
|
|
114
|
+
nodeId,
|
|
115
|
+
connectParams: params.connectParams,
|
|
116
|
+
caps: declaredCaps,
|
|
117
|
+
commands: declared,
|
|
118
|
+
permissions: declaredPermissions,
|
|
119
|
+
remoteIp: params.reportedClientIp
|
|
120
|
+
}))
|
|
121
|
+
};
|
|
122
|
+
const runtimeAllowlist = resolveNodeCommandAllowlist(params.cfg, {
|
|
123
|
+
...policyNode,
|
|
124
|
+
approvedCommands: params.pairedNode.commands
|
|
125
|
+
});
|
|
126
|
+
const approvedCommands = resolveApprovedReconnectCommands({
|
|
127
|
+
pairedCommands: params.pairedNode.commands,
|
|
128
|
+
allowlist: runtimeAllowlist
|
|
129
|
+
});
|
|
130
|
+
const approvedCaps = normalizeNodeApprovalSurfaceList(params.pairedNode.caps);
|
|
131
|
+
const approvedPermissions = normalizePermissionMap(params.pairedNode.permissions);
|
|
132
|
+
const hasCommandUpgrade = declared.some((command) => !approvedCommands.includes(command));
|
|
133
|
+
const hasCapabilityChange = !sameNodeApprovalSurfaceSet(params.pairedNode.caps, declaredCaps);
|
|
134
|
+
const hasPermissionChange = !sameNodePermissionSurface(params.pairedNode.permissions, declaredPermissions);
|
|
135
|
+
const effectiveApprovedDeclaredCaps = intersectApprovalSurfaceList({
|
|
136
|
+
approved: approvedCaps,
|
|
137
|
+
declared: declaredCaps
|
|
138
|
+
});
|
|
139
|
+
const effectiveApprovedDeclaredCommands = intersectApprovalSurfaceList({
|
|
140
|
+
approved: approvedCommands,
|
|
141
|
+
declared
|
|
142
|
+
});
|
|
143
|
+
const effectiveApprovedDeclaredPermissions = intersectPermissionSurface({
|
|
144
|
+
approved: approvedPermissions,
|
|
145
|
+
declared: declaredPermissions
|
|
146
|
+
});
|
|
147
|
+
if (hasCommandUpgrade || hasCapabilityChange || hasPermissionChange) return {
|
|
148
|
+
nodeId,
|
|
149
|
+
declaredCaps,
|
|
150
|
+
effectiveCaps: effectiveApprovedDeclaredCaps,
|
|
151
|
+
declaredCommands: declared,
|
|
152
|
+
effectiveCommands: effectiveApprovedDeclaredCommands,
|
|
153
|
+
declaredPermissions,
|
|
154
|
+
effectivePermissions: effectiveApprovedDeclaredPermissions,
|
|
155
|
+
pendingPairing: await params.requestPairing(buildNodePairingRequestInput({
|
|
156
|
+
nodeId,
|
|
157
|
+
connectParams: params.connectParams,
|
|
158
|
+
caps: declaredCaps,
|
|
159
|
+
commands: declared,
|
|
160
|
+
permissions: declaredPermissions ?? (hasPermissionChange ? {} : void 0),
|
|
161
|
+
remoteIp: params.reportedClientIp
|
|
162
|
+
}))
|
|
163
|
+
};
|
|
164
|
+
return {
|
|
165
|
+
nodeId,
|
|
166
|
+
declaredCaps,
|
|
167
|
+
effectiveCaps: declaredCaps,
|
|
168
|
+
declaredCommands: declared,
|
|
169
|
+
effectiveCommands: declared,
|
|
170
|
+
declaredPermissions,
|
|
171
|
+
effectivePermissions: declaredPermissions
|
|
172
|
+
};
|
|
173
|
+
}
|
|
174
|
+
//#endregion
|
|
175
|
+
//#region src/gateway/node-pairing-auto-approve.ts
|
|
176
|
+
function resolveNodePairingClientIpSource(params) {
|
|
177
|
+
if (!params.reportedClientIp) return "none";
|
|
178
|
+
if (!params.hasProxyHeaders || !params.remoteIsTrustedProxy) return "direct";
|
|
179
|
+
return params.remoteIsLoopback ? "loopback-trusted-proxy" : "trusted-proxy";
|
|
180
|
+
}
|
|
181
|
+
function shouldAutoApproveNodePairingFromTrustedCidrs(params) {
|
|
182
|
+
if (params.existingPairedDevice) return false;
|
|
183
|
+
if (params.role !== "node") return false;
|
|
184
|
+
if (params.reason !== "not-paired") return false;
|
|
185
|
+
if (params.scopes.length > 0) return false;
|
|
186
|
+
if (params.hasBrowserOriginHeader || params.isControlUi || params.isWebchat) return false;
|
|
187
|
+
if (params.reportedClientIpSource === "none" || params.reportedClientIpSource === "loopback-trusted-proxy") return false;
|
|
188
|
+
if (!params.reportedClientIp) return false;
|
|
189
|
+
const autoApproveCidrs = params.autoApproveCidrs?.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
|
|
190
|
+
if (!autoApproveCidrs || autoApproveCidrs.length === 0) return false;
|
|
191
|
+
return isTrustedProxyAddress(params.reportedClientIp, autoApproveCidrs);
|
|
192
|
+
}
|
|
193
|
+
//#endregion
|
|
194
|
+
//#region src/gateway/server/ws-connection/auth-context.ts
|
|
195
|
+
function mapDeviceTokenAuthFailureReason(params) {
|
|
196
|
+
if (params.tokenCheckReason === "scope-mismatch" || params.tokenCheckReason === "scope_mismatch") return "scope_mismatch";
|
|
197
|
+
if (params.candidateSource === "explicit-device-token") return "device_token_mismatch";
|
|
198
|
+
return params.fallbackReason ?? "device_token_mismatch";
|
|
199
|
+
}
|
|
200
|
+
function resolveSharedConnectAuth(connectAuth) {
|
|
201
|
+
const token = normalizeOptionalString(connectAuth?.token);
|
|
202
|
+
const password = normalizeOptionalString(connectAuth?.password);
|
|
203
|
+
if (!token && !password) return;
|
|
204
|
+
return {
|
|
205
|
+
token,
|
|
206
|
+
password
|
|
207
|
+
};
|
|
208
|
+
}
|
|
209
|
+
function resolveDeviceTokenCandidate(connectAuth) {
|
|
210
|
+
const explicitDeviceToken = normalizeOptionalString(connectAuth?.deviceToken);
|
|
211
|
+
if (explicitDeviceToken) return {
|
|
212
|
+
token: explicitDeviceToken,
|
|
213
|
+
source: "explicit-device-token"
|
|
214
|
+
};
|
|
215
|
+
const fallbackToken = normalizeOptionalString(connectAuth?.token);
|
|
216
|
+
if (!fallbackToken) return {};
|
|
217
|
+
return {
|
|
218
|
+
token: fallbackToken,
|
|
219
|
+
source: "shared-token-fallback"
|
|
220
|
+
};
|
|
221
|
+
}
|
|
222
|
+
async function resolveConnectAuthState(params) {
|
|
223
|
+
const sharedConnectAuth = resolveSharedConnectAuth(params.connectAuth);
|
|
224
|
+
const sharedAuthProvided = Boolean(sharedConnectAuth);
|
|
225
|
+
const bootstrapTokenCandidate = params.hasDeviceIdentity ? normalizeOptionalString(params.connectAuth?.bootstrapToken) : void 0;
|
|
226
|
+
const { token: deviceTokenCandidate, source: deviceTokenCandidateSource } = params.hasDeviceIdentity ? resolveDeviceTokenCandidate(params.connectAuth) : {};
|
|
227
|
+
let authResult = await authorizeWsControlUiGatewayConnect({
|
|
228
|
+
auth: params.resolvedAuth,
|
|
229
|
+
connectAuth: sharedConnectAuth,
|
|
230
|
+
req: params.req,
|
|
231
|
+
trustedProxies: params.trustedProxies,
|
|
232
|
+
allowRealIpFallback: params.allowRealIpFallback,
|
|
233
|
+
rateLimiter: sharedAuthProvided ? params.rateLimiter : void 0,
|
|
234
|
+
clientIp: params.clientIp,
|
|
235
|
+
rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET
|
|
236
|
+
});
|
|
237
|
+
const sharedAuthResult = sharedConnectAuth && await authorizeHttpGatewayConnect({
|
|
238
|
+
auth: {
|
|
239
|
+
...params.resolvedAuth,
|
|
240
|
+
allowTailscale: false
|
|
241
|
+
},
|
|
242
|
+
connectAuth: sharedConnectAuth,
|
|
243
|
+
req: params.req,
|
|
244
|
+
trustedProxies: params.trustedProxies,
|
|
245
|
+
allowRealIpFallback: params.allowRealIpFallback,
|
|
246
|
+
rateLimitScope: "shared-secret"
|
|
247
|
+
});
|
|
248
|
+
const sharedAuthOk = sharedAuthResult?.ok === true && (sharedAuthResult.method === "token" || sharedAuthResult.method === "password") || authResult.ok && authResult.method === "trusted-proxy";
|
|
249
|
+
return {
|
|
250
|
+
authResult,
|
|
251
|
+
authOk: authResult.ok,
|
|
252
|
+
authMethod: authResult.method ?? (params.resolvedAuth.mode === "password" ? "password" : "token"),
|
|
253
|
+
sharedAuthOk,
|
|
254
|
+
sharedAuthProvided,
|
|
255
|
+
bootstrapTokenCandidate,
|
|
256
|
+
deviceTokenCandidate,
|
|
257
|
+
deviceTokenCandidateSource
|
|
258
|
+
};
|
|
259
|
+
}
|
|
260
|
+
async function resolveConnectAuthDecision(params) {
|
|
261
|
+
let authResult = params.state.authResult;
|
|
262
|
+
let authOk = params.state.authOk;
|
|
263
|
+
let authMethod = params.state.authMethod;
|
|
264
|
+
let deviceTokenSharedGatewaySessionGeneration;
|
|
265
|
+
const bootstrapTokenCandidate = params.state.bootstrapTokenCandidate;
|
|
266
|
+
if (params.hasDeviceIdentity && params.deviceId && params.publicKey && bootstrapTokenCandidate) {
|
|
267
|
+
const tokenCheck = await params.verifyBootstrapToken({
|
|
268
|
+
deviceId: params.deviceId,
|
|
269
|
+
publicKey: params.publicKey,
|
|
270
|
+
token: bootstrapTokenCandidate,
|
|
271
|
+
role: params.role,
|
|
272
|
+
scopes: params.scopes
|
|
273
|
+
});
|
|
274
|
+
if (tokenCheck.ok) {
|
|
275
|
+
authOk = true;
|
|
276
|
+
authMethod = "bootstrap-token";
|
|
277
|
+
} else if (!authOk) authResult = {
|
|
278
|
+
ok: false,
|
|
279
|
+
reason: tokenCheck.reason ?? "bootstrap_token_invalid"
|
|
280
|
+
};
|
|
281
|
+
}
|
|
282
|
+
const deviceTokenCandidate = params.state.deviceTokenCandidate;
|
|
283
|
+
if (!params.hasDeviceIdentity || !params.deviceId || authOk || !deviceTokenCandidate) return {
|
|
284
|
+
authResult,
|
|
285
|
+
authOk,
|
|
286
|
+
authMethod
|
|
287
|
+
};
|
|
288
|
+
let deviceTokenRateLimited = false;
|
|
289
|
+
if (params.rateLimiter) {
|
|
290
|
+
const deviceRateCheck = params.rateLimiter.check(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
|
|
291
|
+
if (!deviceRateCheck.allowed) {
|
|
292
|
+
deviceTokenRateLimited = true;
|
|
293
|
+
authResult = {
|
|
294
|
+
ok: false,
|
|
295
|
+
reason: "rate_limited",
|
|
296
|
+
rateLimited: true,
|
|
297
|
+
retryAfterMs: deviceRateCheck.retryAfterMs
|
|
298
|
+
};
|
|
299
|
+
}
|
|
300
|
+
}
|
|
301
|
+
if (!deviceTokenRateLimited) {
|
|
302
|
+
const tokenCheck = await params.verifyDeviceToken({
|
|
303
|
+
deviceId: params.deviceId,
|
|
304
|
+
token: deviceTokenCandidate,
|
|
305
|
+
role: params.role,
|
|
306
|
+
scopes: params.scopes
|
|
307
|
+
});
|
|
308
|
+
if (tokenCheck.ok) {
|
|
309
|
+
authOk = true;
|
|
310
|
+
authMethod = "device-token";
|
|
311
|
+
if (tokenCheck.issuer?.kind === "shared-gateway-auth") deviceTokenSharedGatewaySessionGeneration = tokenCheck.issuer.generation;
|
|
312
|
+
params.rateLimiter?.reset(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
|
|
313
|
+
if (params.state.sharedAuthProvided) params.rateLimiter?.reset(params.clientIp, AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET);
|
|
314
|
+
} else {
|
|
315
|
+
authResult = {
|
|
316
|
+
ok: false,
|
|
317
|
+
reason: mapDeviceTokenAuthFailureReason({
|
|
318
|
+
tokenCheckReason: tokenCheck.reason,
|
|
319
|
+
candidateSource: params.state.deviceTokenCandidateSource,
|
|
320
|
+
fallbackReason: authResult.reason
|
|
321
|
+
})
|
|
322
|
+
};
|
|
323
|
+
params.rateLimiter?.recordFailure(params.clientIp, AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN);
|
|
324
|
+
}
|
|
325
|
+
}
|
|
326
|
+
return {
|
|
327
|
+
authResult,
|
|
328
|
+
authOk,
|
|
329
|
+
authMethod,
|
|
330
|
+
deviceTokenSharedGatewaySessionGeneration
|
|
331
|
+
};
|
|
332
|
+
}
|
|
333
|
+
//#endregion
|
|
334
|
+
//#region src/gateway/server/ws-connection/auth-messages.ts
|
|
335
|
+
function formatGatewayAuthFailureMessage(params) {
|
|
336
|
+
const { authMode, authProvided, reason, client } = params;
|
|
337
|
+
const isCli = isGatewayCliClient(client);
|
|
338
|
+
const isControlUi = isOperatorUiClient(client);
|
|
339
|
+
const isWebchat = isWebchatClient(client);
|
|
340
|
+
const tokenHint = isCli ? "set gateway.remote.token to match gateway.auth.token" : isControlUi || isWebchat ? "open the dashboard URL and paste the token in Control UI settings" : "provide gateway auth token";
|
|
341
|
+
const passwordHint = isCli ? "set gateway.remote.password to match gateway.auth.password" : isControlUi || isWebchat ? "enter the password in Control UI settings" : "provide gateway auth password";
|
|
342
|
+
switch (reason) {
|
|
343
|
+
case "token_missing": return `unauthorized: gateway token missing (${tokenHint})`;
|
|
344
|
+
case "token_mismatch": return `unauthorized: gateway token mismatch (${tokenHint})`;
|
|
345
|
+
case "token_missing_config": return "unauthorized: gateway token not configured on gateway (set gateway.auth.token)";
|
|
346
|
+
case "password_missing": return `unauthorized: gateway password missing (${passwordHint})`;
|
|
347
|
+
case "password_mismatch": return `unauthorized: gateway password mismatch (${passwordHint})`;
|
|
348
|
+
case "password_missing_config": return "unauthorized: gateway password not configured on gateway (set gateway.auth.password)";
|
|
349
|
+
case "bootstrap_token_invalid": return "unauthorized: bootstrap token invalid or expired (scan a fresh setup code)";
|
|
350
|
+
case "tailscale_user_missing": return "unauthorized: tailscale identity missing (use Tailscale Serve auth or gateway token/password)";
|
|
351
|
+
case "tailscale_proxy_missing": return "unauthorized: tailscale proxy headers missing (use Tailscale Serve or gateway token/password)";
|
|
352
|
+
case "tailscale_whois_failed": return "unauthorized: tailscale identity check failed (use Tailscale Serve auth or gateway token/password)";
|
|
353
|
+
case "tailscale_user_mismatch": return "unauthorized: tailscale identity mismatch (use Tailscale Serve auth or gateway token/password)";
|
|
354
|
+
case "rate_limited": return "unauthorized: too many failed authentication attempts (retry later)";
|
|
355
|
+
case "device_token_mismatch": return "unauthorized: device token mismatch (rotate/reissue device token)";
|
|
356
|
+
case "scope_mismatch": return "unauthorized: device token scope mismatch (re-pair or approve scope upgrade)";
|
|
357
|
+
default: break;
|
|
358
|
+
}
|
|
359
|
+
if (authMode === "token" && authProvided === "none") return `unauthorized: gateway token missing (${tokenHint})`;
|
|
360
|
+
if (authMode === "token" && authProvided === "device-token") return "unauthorized: device token rejected (pair/repair this device, or provide gateway token)";
|
|
361
|
+
if (authProvided === "bootstrap-token") return "unauthorized: bootstrap token invalid or expired (scan a fresh setup code)";
|
|
362
|
+
if (authMode === "password" && authProvided === "none") return `unauthorized: gateway password missing (${passwordHint})`;
|
|
363
|
+
return "unauthorized";
|
|
364
|
+
}
|
|
365
|
+
//#endregion
|
|
366
|
+
//#region src/gateway/server/ws-connection/connect-policy.ts
|
|
367
|
+
function resolveControlUiAuthPolicy(params) {
|
|
368
|
+
const allowInsecureAuthConfigured = params.isControlUi && params.controlUiConfig?.allowInsecureAuth === true;
|
|
369
|
+
const dangerouslyDisableDeviceAuth = params.isControlUi && params.controlUiConfig?.dangerouslyDisableDeviceAuth === true;
|
|
370
|
+
return {
|
|
371
|
+
isControlUi: params.isControlUi,
|
|
372
|
+
allowInsecureAuthConfigured,
|
|
373
|
+
dangerouslyDisableDeviceAuth,
|
|
374
|
+
allowBypass: dangerouslyDisableDeviceAuth,
|
|
375
|
+
device: dangerouslyDisableDeviceAuth ? null : params.deviceRaw
|
|
376
|
+
};
|
|
377
|
+
}
|
|
378
|
+
function shouldSkipControlUiPairing(policy, role, _trustedProxyAuthOk = false, authMode, authMethod) {
|
|
379
|
+
if (policy.isControlUi && role === "operator" && authMethod === "tailscale" && policy.device) return true;
|
|
380
|
+
if (policy.isControlUi && role === "operator" && authMode === "none") return true;
|
|
381
|
+
return role === "operator" && policy.allowBypass;
|
|
382
|
+
}
|
|
383
|
+
function isTrustedProxyControlUiOperatorAuth(params) {
|
|
384
|
+
return params.isControlUi && params.role === "operator" && params.authMode === "trusted-proxy" && params.authOk && params.authMethod === "trusted-proxy";
|
|
385
|
+
}
|
|
386
|
+
function shouldClearUnboundScopesForMissingDeviceIdentity(params) {
|
|
387
|
+
return params.decision.kind !== "allow" || !params.controlUiAuthPolicy.allowBypass && !params.preserveInsecureLocalControlUiScopes && (params.authMethod === "token" || params.authMethod === "password" || params.authMethod === "trusted-proxy");
|
|
388
|
+
}
|
|
389
|
+
function evaluateMissingDeviceIdentity(params) {
|
|
390
|
+
if (params.hasDeviceIdentity) return { kind: "allow" };
|
|
391
|
+
if (params.isControlUi && params.trustedProxyAuthOk) return { kind: "allow" };
|
|
392
|
+
if (params.isControlUi && params.controlUiAuthPolicy.allowBypass && params.role === "operator") return { kind: "allow" };
|
|
393
|
+
if (params.localBackendSelfPairingOk && params.role === "operator") return { kind: "allow" };
|
|
394
|
+
if (params.isControlUi && !params.controlUiAuthPolicy.allowBypass) {
|
|
395
|
+
if (!params.controlUiAuthPolicy.allowInsecureAuthConfigured || !params.isLocalClient) return { kind: "reject-control-ui-insecure-auth" };
|
|
396
|
+
}
|
|
397
|
+
if (roleCanSkipDeviceIdentity(params.role, params.sharedAuthOk)) return { kind: "allow" };
|
|
398
|
+
if (!params.authOk && params.hasSharedAuth) return { kind: "reject-unauthorized" };
|
|
399
|
+
return { kind: "reject-device-required" };
|
|
400
|
+
}
|
|
401
|
+
//#endregion
|
|
402
|
+
//#region src/gateway/server/ws-connection/handshake-auth-helpers.ts
|
|
403
|
+
const BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP = "198.18.0.1";
|
|
404
|
+
const BROWSER_ORIGIN_RATE_LIMIT_KEY_PREFIX = "browser-origin:";
|
|
405
|
+
function resolveBrowserOriginRateLimitKey(requestOrigin) {
|
|
406
|
+
const trimmedOrigin = requestOrigin?.trim();
|
|
407
|
+
if (!trimmedOrigin) return BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP;
|
|
408
|
+
try {
|
|
409
|
+
return `${BROWSER_ORIGIN_RATE_LIMIT_KEY_PREFIX}${normalizeLowercaseStringOrEmpty(new URL(trimmedOrigin).origin)}`;
|
|
410
|
+
} catch {
|
|
411
|
+
return BROWSER_ORIGIN_LOOPBACK_RATE_LIMIT_IP;
|
|
412
|
+
}
|
|
413
|
+
}
|
|
414
|
+
function resolveHandshakeBrowserSecurityContext(params) {
|
|
415
|
+
const hasBrowserOriginHeader = Boolean(params.requestOrigin && params.requestOrigin.trim() !== "");
|
|
416
|
+
return {
|
|
417
|
+
hasBrowserOriginHeader,
|
|
418
|
+
enforceOriginCheckForAnyClient: hasBrowserOriginHeader,
|
|
419
|
+
rateLimitClientIp: hasBrowserOriginHeader && isLoopbackAddress(params.clientIp) ? resolveBrowserOriginRateLimitKey(params.requestOrigin) : params.clientIp,
|
|
420
|
+
authRateLimiter: hasBrowserOriginHeader && params.browserRateLimiter ? params.browserRateLimiter : params.rateLimiter
|
|
421
|
+
};
|
|
422
|
+
}
|
|
423
|
+
function shouldAllowSilentLocalPairing(params) {
|
|
424
|
+
if (params.locality === "remote") return false;
|
|
425
|
+
if (params.hasBrowserOriginHeader && !params.isControlUi && !params.isWebchat) return false;
|
|
426
|
+
if (params.reason === "not-paired" || params.reason === "scope-upgrade" || params.reason === "role-upgrade") return true;
|
|
427
|
+
if (params.reason === "metadata-upgrade" && !params.hasBrowserOriginHeader && !params.isControlUi && !params.isWebchat && (params.locality === "direct_local" && params.isNativeAppUi === true || params.locality === "cli_container_local" || params.locality === "shared_secret_loopback_local")) return true;
|
|
428
|
+
return false;
|
|
429
|
+
}
|
|
430
|
+
function isCliContainerLocalEquivalent(params) {
|
|
431
|
+
const isCliClient = params.connectParams.client.id === GATEWAY_CLIENT_IDS.CLI && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.CLI;
|
|
432
|
+
const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
|
|
433
|
+
return isCliClient && params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && !params.hasBrowserOriginHeader && isLoopbackAddress(params.remoteAddress) && isPrivateOrLoopbackHost(resolveHostName(params.requestHost));
|
|
434
|
+
}
|
|
435
|
+
function isSharedSecretLoopbackLocalEquivalent(params) {
|
|
436
|
+
const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
|
|
437
|
+
return params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && !params.hasBrowserOriginHeader && isLoopbackAddress(params.remoteAddress) && isPrivateOrLoopbackHost(resolveHostName(params.requestHost));
|
|
438
|
+
}
|
|
439
|
+
function resolveOriginHost(origin) {
|
|
440
|
+
const trimmed = origin?.trim();
|
|
441
|
+
if (!trimmed) return "";
|
|
442
|
+
try {
|
|
443
|
+
return new URL(trimmed).hostname;
|
|
444
|
+
} catch {
|
|
445
|
+
return "";
|
|
446
|
+
}
|
|
447
|
+
}
|
|
448
|
+
function isControlUiBrowserContainerLocalEquivalent(params) {
|
|
449
|
+
const isControlUiBrowser = params.connectParams.client.id === GATEWAY_CLIENT_IDS.CONTROL_UI && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.WEBCHAT;
|
|
450
|
+
const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
|
|
451
|
+
return isControlUiBrowser && params.sharedAuthOk && usesSharedSecretAuth && !params.hasProxyHeaders && params.hasBrowserOriginHeader && isPrivateOrLoopbackAddress(params.remoteAddress) && isLoopbackHost(resolveHostName(params.requestHost)) && isLoopbackHost(resolveOriginHost(params.requestOrigin));
|
|
452
|
+
}
|
|
453
|
+
function resolvePairingLocality(params) {
|
|
454
|
+
if (params.isLocalClient) return "direct_local";
|
|
455
|
+
if (isControlUiBrowserContainerLocalEquivalent({
|
|
456
|
+
connectParams: params.connectParams,
|
|
457
|
+
requestHost: params.requestHost,
|
|
458
|
+
requestOrigin: params.requestOrigin,
|
|
459
|
+
remoteAddress: params.remoteAddress,
|
|
460
|
+
hasProxyHeaders: params.hasProxyHeaders,
|
|
461
|
+
hasBrowserOriginHeader: params.hasBrowserOriginHeader,
|
|
462
|
+
sharedAuthOk: params.sharedAuthOk,
|
|
463
|
+
authMethod: params.authMethod
|
|
464
|
+
})) return "browser_container_local";
|
|
465
|
+
if (isCliContainerLocalEquivalent({
|
|
466
|
+
connectParams: params.connectParams,
|
|
467
|
+
requestHost: params.requestHost,
|
|
468
|
+
remoteAddress: params.remoteAddress,
|
|
469
|
+
hasProxyHeaders: params.hasProxyHeaders,
|
|
470
|
+
hasBrowserOriginHeader: params.hasBrowserOriginHeader,
|
|
471
|
+
sharedAuthOk: params.sharedAuthOk,
|
|
472
|
+
authMethod: params.authMethod
|
|
473
|
+
})) return "cli_container_local";
|
|
474
|
+
if (isSharedSecretLoopbackLocalEquivalent({
|
|
475
|
+
requestHost: params.requestHost,
|
|
476
|
+
remoteAddress: params.remoteAddress,
|
|
477
|
+
hasProxyHeaders: params.hasProxyHeaders,
|
|
478
|
+
hasBrowserOriginHeader: params.hasBrowserOriginHeader,
|
|
479
|
+
sharedAuthOk: params.sharedAuthOk,
|
|
480
|
+
authMethod: params.authMethod
|
|
481
|
+
})) return "shared_secret_loopback_local";
|
|
482
|
+
return "remote";
|
|
483
|
+
}
|
|
484
|
+
function shouldSkipLocalBackendSelfPairing(params) {
|
|
485
|
+
if (!(params.connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT && params.connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND)) return false;
|
|
486
|
+
if (!(params.locality === "direct_local" || params.locality === "shared_secret_loopback_local") || params.hasBrowserOriginHeader) return false;
|
|
487
|
+
if (params.authMethod === "none") return true;
|
|
488
|
+
const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
|
|
489
|
+
const usesDeviceTokenAuth = params.authMethod === "device-token";
|
|
490
|
+
return params.sharedAuthOk && usesSharedSecretAuth || usesDeviceTokenAuth;
|
|
491
|
+
}
|
|
492
|
+
function resolveSignatureToken(connectParams) {
|
|
493
|
+
return connectParams.auth?.token ?? connectParams.auth?.deviceToken ?? connectParams.auth?.bootstrapToken ?? null;
|
|
494
|
+
}
|
|
495
|
+
function buildUnauthorizedHandshakeContext(params) {
|
|
496
|
+
return {
|
|
497
|
+
authProvided: params.authProvided,
|
|
498
|
+
canRetryWithDeviceToken: params.canRetryWithDeviceToken,
|
|
499
|
+
recommendedNextStep: params.recommendedNextStep
|
|
500
|
+
};
|
|
501
|
+
}
|
|
502
|
+
function resolveDeviceSignaturePayloadVersion(params) {
|
|
503
|
+
const signatureToken = resolveSignatureToken(params.connectParams);
|
|
504
|
+
const basePayload = {
|
|
505
|
+
deviceId: params.device.id,
|
|
506
|
+
clientId: params.connectParams.client.id,
|
|
507
|
+
clientMode: params.connectParams.client.mode,
|
|
508
|
+
role: params.role,
|
|
509
|
+
scopes: params.scopes,
|
|
510
|
+
signedAtMs: params.signedAtMs,
|
|
511
|
+
token: signatureToken,
|
|
512
|
+
nonce: params.nonce
|
|
513
|
+
};
|
|
514
|
+
const payloadV3 = buildDeviceAuthPayloadV3({
|
|
515
|
+
...basePayload,
|
|
516
|
+
platform: params.connectParams.client.platform,
|
|
517
|
+
deviceFamily: params.connectParams.client.deviceFamily
|
|
518
|
+
});
|
|
519
|
+
if (verifyDeviceSignature(params.device.publicKey, payloadV3, params.device.signature)) return "v3";
|
|
520
|
+
const payloadV2 = buildDeviceAuthPayload(basePayload);
|
|
521
|
+
if (verifyDeviceSignature(params.device.publicKey, payloadV2, params.device.signature)) return "v2";
|
|
522
|
+
return null;
|
|
523
|
+
}
|
|
524
|
+
function resolveAuthProvidedKind(connectAuth) {
|
|
525
|
+
return connectAuth?.password ? "password" : connectAuth?.token ? "token" : connectAuth?.bootstrapToken ? "bootstrap-token" : connectAuth?.deviceToken ? "device-token" : "none";
|
|
526
|
+
}
|
|
527
|
+
function resolveUnauthorizedHandshakeContext(params) {
|
|
528
|
+
const authProvided = resolveAuthProvidedKind(params.connectAuth);
|
|
529
|
+
const canRetryWithDeviceToken = params.failedAuth.reason === "token_mismatch" && params.hasDeviceIdentity && authProvided === "token" && !params.connectAuth?.deviceToken;
|
|
530
|
+
if (canRetryWithDeviceToken) return buildUnauthorizedHandshakeContext({
|
|
531
|
+
authProvided,
|
|
532
|
+
canRetryWithDeviceToken,
|
|
533
|
+
recommendedNextStep: "retry_with_device_token"
|
|
534
|
+
});
|
|
535
|
+
switch (params.failedAuth.reason) {
|
|
536
|
+
case "token_missing":
|
|
537
|
+
case "token_missing_config":
|
|
538
|
+
case "password_missing":
|
|
539
|
+
case "password_missing_config": return buildUnauthorizedHandshakeContext({
|
|
540
|
+
authProvided,
|
|
541
|
+
canRetryWithDeviceToken,
|
|
542
|
+
recommendedNextStep: "update_auth_configuration"
|
|
543
|
+
});
|
|
544
|
+
case "token_mismatch":
|
|
545
|
+
case "password_mismatch":
|
|
546
|
+
case "device_token_mismatch": return buildUnauthorizedHandshakeContext({
|
|
547
|
+
authProvided,
|
|
548
|
+
canRetryWithDeviceToken,
|
|
549
|
+
recommendedNextStep: "update_auth_credentials"
|
|
550
|
+
});
|
|
551
|
+
case "scope_mismatch": return buildUnauthorizedHandshakeContext({
|
|
552
|
+
authProvided,
|
|
553
|
+
canRetryWithDeviceToken,
|
|
554
|
+
recommendedNextStep: "review_auth_configuration"
|
|
555
|
+
});
|
|
556
|
+
case "rate_limited": return buildUnauthorizedHandshakeContext({
|
|
557
|
+
authProvided,
|
|
558
|
+
canRetryWithDeviceToken,
|
|
559
|
+
recommendedNextStep: "wait_then_retry"
|
|
560
|
+
});
|
|
561
|
+
default: return buildUnauthorizedHandshakeContext({
|
|
562
|
+
authProvided,
|
|
563
|
+
canRetryWithDeviceToken,
|
|
564
|
+
recommendedNextStep: "review_auth_configuration"
|
|
565
|
+
});
|
|
566
|
+
}
|
|
567
|
+
}
|
|
568
|
+
//#endregion
|
|
569
|
+
//#region src/gateway/server/ws-connection/unauthorized-flood-guard.ts
|
|
570
|
+
const DEFAULT_CLOSE_AFTER = 10;
|
|
571
|
+
const DEFAULT_LOG_EVERY = 100;
|
|
572
|
+
var UnauthorizedFloodGuard = class {
|
|
573
|
+
constructor(options) {
|
|
574
|
+
this.count = 0;
|
|
575
|
+
this.suppressedSinceLastLog = 0;
|
|
576
|
+
this.closeAfter = resolveIntegerOption(options?.closeAfter, DEFAULT_CLOSE_AFTER, { min: 1 });
|
|
577
|
+
this.logEvery = resolveIntegerOption(options?.logEvery, DEFAULT_LOG_EVERY, { min: 1 });
|
|
578
|
+
}
|
|
579
|
+
registerUnauthorized() {
|
|
580
|
+
this.count += 1;
|
|
581
|
+
const shouldClose = this.count > this.closeAfter;
|
|
582
|
+
if (!(this.count === 1 || this.count % this.logEvery === 0 || shouldClose)) {
|
|
583
|
+
this.suppressedSinceLastLog += 1;
|
|
584
|
+
return {
|
|
585
|
+
shouldClose,
|
|
586
|
+
shouldLog: false,
|
|
587
|
+
count: this.count,
|
|
588
|
+
suppressedSinceLastLog: 0
|
|
589
|
+
};
|
|
590
|
+
}
|
|
591
|
+
const suppressedSinceLastLog = this.suppressedSinceLastLog;
|
|
592
|
+
this.suppressedSinceLastLog = 0;
|
|
593
|
+
return {
|
|
594
|
+
shouldClose,
|
|
595
|
+
shouldLog: true,
|
|
596
|
+
count: this.count,
|
|
597
|
+
suppressedSinceLastLog
|
|
598
|
+
};
|
|
599
|
+
}
|
|
600
|
+
reset() {
|
|
601
|
+
this.count = 0;
|
|
602
|
+
this.suppressedSinceLastLog = 0;
|
|
603
|
+
}
|
|
604
|
+
};
|
|
605
|
+
function isUnauthorizedRoleError(error) {
|
|
606
|
+
if (!error) return false;
|
|
607
|
+
return error.code === ErrorCodes.INVALID_REQUEST && typeof error.message === "string" && error.message.startsWith("unauthorized role:");
|
|
608
|
+
}
|
|
609
|
+
//#endregion
|
|
610
|
+
//#region src/gateway/server/ws-connection/message-handler.ts
|
|
611
|
+
const DEVICE_SIGNATURE_SKEW_MS = 120 * 1e3;
|
|
612
|
+
const DEVICE_CREDENTIAL_INVALIDATING_METHODS = new Set([
|
|
613
|
+
"device.pair.remove",
|
|
614
|
+
"device.token.rotate",
|
|
615
|
+
"device.token.revoke"
|
|
616
|
+
]);
|
|
617
|
+
const unauthorizedHandshakeLogLimiter = new HandshakeAuthLogLimiter();
|
|
618
|
+
/** Match production release versions (YYYY.M.D or YYYY.M.D-beta.N). */
|
|
619
|
+
const RELEASED_VERSION_RE = /^\d{4}\.\d+\.\d+/;
|
|
620
|
+
function isReleasedVersion(version) {
|
|
621
|
+
return RELEASED_VERSION_RE.test(version);
|
|
622
|
+
}
|
|
623
|
+
/**
|
|
624
|
+
* Lazily resolve the local node host's nodeId from ~/.fengming/node.json.
|
|
625
|
+
* Process-stable: only changes on `fengming node install`, which requires restart.
|
|
626
|
+
*/
|
|
627
|
+
let cachedLocalNodeId;
|
|
628
|
+
function resolveLocalNodeId() {
|
|
629
|
+
if (cachedLocalNodeId !== void 0) return cachedLocalNodeId;
|
|
630
|
+
try {
|
|
631
|
+
const raw = fs.readFileSync(path.join(resolveStateDir(), "node.json"), "utf8");
|
|
632
|
+
const parsed = JSON.parse(raw);
|
|
633
|
+
cachedLocalNodeId = typeof parsed.nodeId === "string" ? parsed.nodeId.trim() || null : null;
|
|
634
|
+
} catch {
|
|
635
|
+
cachedLocalNodeId = null;
|
|
636
|
+
}
|
|
637
|
+
return cachedLocalNodeId;
|
|
638
|
+
}
|
|
639
|
+
function firstHeaderValue(value) {
|
|
640
|
+
return Array.isArray(value) ? value[0] : value;
|
|
641
|
+
}
|
|
642
|
+
function resolveTrustedProxyControlUiScopes(params) {
|
|
643
|
+
const rawHeader = firstHeaderValue(params.upgradeReq.headers["x-fengming-scopes"]);
|
|
644
|
+
if (rawHeader === void 0) return params.requestedScopes;
|
|
645
|
+
const declaredScopes = new Set(rawHeader.split(",").map((scope) => scope.trim()).filter((scope) => scope.length > 0));
|
|
646
|
+
if (declaredScopes.size === 0) return [];
|
|
647
|
+
return params.requestedScopes.filter((scope) => declaredScopes.has(scope));
|
|
648
|
+
}
|
|
649
|
+
function resolvePinnedClientMetadata(params) {
|
|
650
|
+
function normalizeLegacyNodeHostPlatformPin(value) {
|
|
651
|
+
switch (value) {
|
|
652
|
+
case "darwin":
|
|
653
|
+
case "macos": return "macos";
|
|
654
|
+
case "win32":
|
|
655
|
+
case "windows": return "windows";
|
|
656
|
+
default: return value;
|
|
657
|
+
}
|
|
658
|
+
}
|
|
659
|
+
function normalizeMobileAppPlatformPin(clientId, value) {
|
|
660
|
+
if (clientId === GATEWAY_CLIENT_IDS.IOS_APP && /^(?:ios|ipados)(?:\s|$)/.test(value)) return "ios-family";
|
|
661
|
+
if (clientId === GATEWAY_CLIENT_IDS.ANDROID_APP && /^android(?:\s|$)/.test(value)) return "android";
|
|
662
|
+
return value;
|
|
663
|
+
}
|
|
664
|
+
const claimedPlatform = normalizeDeviceMetadataForAuth(params.claimedPlatform);
|
|
665
|
+
const claimedDeviceFamily = normalizeDeviceMetadataForAuth(params.claimedDeviceFamily);
|
|
666
|
+
const pairedPlatform = normalizeDeviceMetadataForAuth(params.pairedPlatform);
|
|
667
|
+
const pairedDeviceFamily = normalizeDeviceMetadataForAuth(params.pairedDeviceFamily);
|
|
668
|
+
const hasPinnedPlatform = pairedPlatform !== "";
|
|
669
|
+
const hasPinnedDeviceFamily = pairedDeviceFamily !== "";
|
|
670
|
+
const isLegacyNodeHostPlatformPin = params.clientId === GATEWAY_CLIENT_IDS.NODE_HOST && params.clientMode === GATEWAY_CLIENT_MODES.NODE && hasPinnedPlatform && claimedPlatform !== "" && normalizeLegacyNodeHostPlatformPin(claimedPlatform) === normalizeLegacyNodeHostPlatformPin(pairedPlatform);
|
|
671
|
+
const isMobileAppPlatformVersionRefresh = hasPinnedPlatform && claimedPlatform !== "" && claimedPlatform !== pairedPlatform && normalizeMobileAppPlatformPin(params.clientId, claimedPlatform) === normalizeMobileAppPlatformPin(params.clientId, pairedPlatform);
|
|
672
|
+
const platformMismatch = hasPinnedPlatform && claimedPlatform !== pairedPlatform && !isLegacyNodeHostPlatformPin && !isMobileAppPlatformVersionRefresh;
|
|
673
|
+
const deviceFamilyMismatch = hasPinnedDeviceFamily && claimedDeviceFamily !== pairedDeviceFamily;
|
|
674
|
+
const pinnedPlatform = claimedPlatform === pairedPlatform ? params.pairedPlatform : isLegacyNodeHostPlatformPin ? normalizeLegacyNodeHostPlatformPin(pairedPlatform) : isMobileAppPlatformVersionRefresh ? params.claimedPlatform : void 0;
|
|
675
|
+
return {
|
|
676
|
+
platformMismatch,
|
|
677
|
+
deviceFamilyMismatch,
|
|
678
|
+
pinnedPlatform: hasPinnedPlatform ? pinnedPlatform : void 0,
|
|
679
|
+
pinnedDeviceFamily: hasPinnedDeviceFamily ? params.pairedDeviceFamily : void 0,
|
|
680
|
+
...isMobileAppPlatformVersionRefresh ? { refreshPairedPlatform: params.claimedPlatform } : {}
|
|
681
|
+
};
|
|
682
|
+
}
|
|
683
|
+
function attachGatewayWsMessageHandler(params) {
|
|
684
|
+
const { socket, upgradeReq, connId, remoteAddr, remotePort, localAddr, localPort, endpoint, forwardedFor, realIp, requestHost, requestOrigin, requestUserAgent, pluginSurfaceBaseUrl, pluginNodeCapabilities = [], connectNonce, getResolvedAuth, getRequiredSharedGatewaySessionGeneration, rateLimiter, browserRateLimiter, isStartupPending, gatewayMethods, events, extraHandlers, getMethodRegistry, buildRequestContext, refreshHealthSnapshot, send, close, isClosed, clearHandshakeTimer, getClient, setClient, setHandshakeState, setCloseCause, setLastFrameMeta, originCheckMetrics, logGateway, logHealth, logWsControl } = params;
|
|
685
|
+
const sendFrame = async (obj) => await new Promise((resolve, reject) => {
|
|
686
|
+
socket.send(JSON.stringify(obj), (err) => {
|
|
687
|
+
if (err) {
|
|
688
|
+
reject(err);
|
|
689
|
+
return;
|
|
690
|
+
}
|
|
691
|
+
resolve();
|
|
692
|
+
});
|
|
693
|
+
});
|
|
694
|
+
const configSnapshot = getRuntimeConfig();
|
|
695
|
+
const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
|
|
696
|
+
const allowRealIpFallback = configSnapshot.gateway?.allowRealIpFallback === true;
|
|
697
|
+
const clientIp = resolveClientIp({
|
|
698
|
+
remoteAddr,
|
|
699
|
+
forwardedFor,
|
|
700
|
+
realIp,
|
|
701
|
+
trustedProxies,
|
|
702
|
+
allowRealIpFallback
|
|
703
|
+
});
|
|
704
|
+
const peerLabel = endpoint ?? remoteAddr ?? "n/a";
|
|
705
|
+
const hasProxyHeaders = hasForwardedRequestHeaders(upgradeReq);
|
|
706
|
+
const remoteIsTrustedProxy = isTrustedProxyAddress(remoteAddr, trustedProxies);
|
|
707
|
+
const hasUntrustedProxyHeaders = hasProxyHeaders && !remoteIsTrustedProxy;
|
|
708
|
+
const hostIsLocalish = isLocalishHost(requestHost);
|
|
709
|
+
const isLocalClient = isLocalDirectRequest(upgradeReq, trustedProxies, allowRealIpFallback);
|
|
710
|
+
const reportedClientIp = isLocalClient || hasUntrustedProxyHeaders ? void 0 : clientIp && !isLoopbackAddress(clientIp) ? clientIp : void 0;
|
|
711
|
+
const reportedClientIpSource = resolveNodePairingClientIpSource({
|
|
712
|
+
reportedClientIp,
|
|
713
|
+
hasProxyHeaders,
|
|
714
|
+
remoteIsTrustedProxy,
|
|
715
|
+
remoteIsLoopback: isLoopbackAddress(remoteAddr)
|
|
716
|
+
});
|
|
717
|
+
if (hasUntrustedProxyHeaders) logWsControl.warn("Proxy headers detected from untrusted address. Connection will not be treated as local. Configure gateway.trustedProxies to restore local client detection behind your proxy.");
|
|
718
|
+
if (!hostIsLocalish && isLoopbackAddress(remoteAddr) && !hasProxyHeaders) logWsControl.warn("Loopback connection with non-local Host header. Treating it as remote. If you're behind a reverse proxy, set gateway.trustedProxies and forward X-Forwarded-For/X-Real-IP.");
|
|
719
|
+
const isWebchatConnect = (p) => isWebchatClient(p?.client);
|
|
720
|
+
const unauthorizedFloodGuard = new UnauthorizedFloodGuard();
|
|
721
|
+
let deviceCredentialMutationBarrier;
|
|
722
|
+
const { hasBrowserOriginHeader, enforceOriginCheckForAnyClient, rateLimitClientIp: browserRateLimitClientIp, authRateLimiter } = resolveHandshakeBrowserSecurityContext({
|
|
723
|
+
requestOrigin,
|
|
724
|
+
clientIp,
|
|
725
|
+
rateLimiter,
|
|
726
|
+
browserRateLimiter
|
|
727
|
+
});
|
|
728
|
+
const closeInvalidatedClient = (client, method) => {
|
|
729
|
+
if (!client.invalidated) return false;
|
|
730
|
+
const reason = client.invalidatedReason ?? "invalidated";
|
|
731
|
+
setCloseCause("client-invalidated", {
|
|
732
|
+
reason,
|
|
733
|
+
method
|
|
734
|
+
});
|
|
735
|
+
close(4001, `client invalidated: ${reason}`);
|
|
736
|
+
return true;
|
|
737
|
+
};
|
|
738
|
+
const handleMessage = async (data) => {
|
|
739
|
+
if (isClosed()) return;
|
|
740
|
+
const preauthPayloadBytes = !getClient() ? getRawDataByteLength(data) : void 0;
|
|
741
|
+
if (preauthPayloadBytes !== void 0 && preauthPayloadBytes > 65536) {
|
|
742
|
+
logRejectedLargePayload({
|
|
743
|
+
surface: "gateway.ws.preauth",
|
|
744
|
+
bytes: preauthPayloadBytes,
|
|
745
|
+
limitBytes: MAX_PREAUTH_PAYLOAD_BYTES,
|
|
746
|
+
reason: "preauth_frame_limit"
|
|
747
|
+
});
|
|
748
|
+
setHandshakeState("failed");
|
|
749
|
+
setCloseCause("preauth-payload-too-large", {
|
|
750
|
+
payloadBytes: preauthPayloadBytes,
|
|
751
|
+
limitBytes: MAX_PREAUTH_PAYLOAD_BYTES
|
|
752
|
+
});
|
|
753
|
+
close(1009, "preauth payload too large");
|
|
754
|
+
return;
|
|
755
|
+
}
|
|
756
|
+
const text = rawDataToString(data);
|
|
757
|
+
try {
|
|
758
|
+
const parsed = JSON.parse(text);
|
|
759
|
+
const frameType = parsed && typeof parsed === "object" && "type" in parsed ? typeof parsed.type === "string" ? String(parsed.type) : void 0 : void 0;
|
|
760
|
+
const frameMethod = parsed && typeof parsed === "object" && "method" in parsed ? typeof parsed.method === "string" ? String(parsed.method) : void 0 : void 0;
|
|
761
|
+
const frameId = parsed && typeof parsed === "object" && "id" in parsed ? typeof parsed.id === "string" ? String(parsed.id) : void 0 : void 0;
|
|
762
|
+
if (frameType || frameMethod || frameId) setLastFrameMeta({
|
|
763
|
+
type: frameType,
|
|
764
|
+
method: frameMethod,
|
|
765
|
+
id: frameId
|
|
766
|
+
});
|
|
767
|
+
const client = getClient();
|
|
768
|
+
if (!client) {
|
|
769
|
+
const isRequestFrame = validateRequestFrame(parsed);
|
|
770
|
+
if (!isRequestFrame || parsed.method !== "connect" || !validateConnectParams(parsed.params)) {
|
|
771
|
+
const handshakeError = isRequestFrame ? parsed.method === "connect" ? `invalid connect params: ${formatValidationErrors(validateConnectParams.errors)}` : "invalid handshake: first request must be connect" : "invalid request frame";
|
|
772
|
+
setHandshakeState("failed");
|
|
773
|
+
setCloseCause("invalid-handshake", {
|
|
774
|
+
frameType,
|
|
775
|
+
frameMethod,
|
|
776
|
+
frameId,
|
|
777
|
+
handshakeError
|
|
778
|
+
});
|
|
779
|
+
if (isRequestFrame) send({
|
|
780
|
+
type: "res",
|
|
781
|
+
id: parsed.id,
|
|
782
|
+
ok: false,
|
|
783
|
+
error: errorShape(ErrorCodes.INVALID_REQUEST, handshakeError)
|
|
784
|
+
});
|
|
785
|
+
else logWsControl.warn(`invalid handshake conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} fwd=${formatForLog(forwardedFor ?? "n/a")} origin=${formatForLog(requestOrigin ?? "n/a")} host=${formatForLog(requestHost ?? "n/a")} ua=${formatForLog(requestUserAgent ?? "n/a")}`);
|
|
786
|
+
const closeReason = truncateCloseReason(handshakeError || "invalid handshake");
|
|
787
|
+
if (isRequestFrame) queueMicrotask(() => close(1008, closeReason));
|
|
788
|
+
else close(1008, closeReason);
|
|
789
|
+
return;
|
|
790
|
+
}
|
|
791
|
+
const frame = parsed;
|
|
792
|
+
const connectParams = frame.params;
|
|
793
|
+
const resolvedAuth = getResolvedAuth();
|
|
794
|
+
const clientLabel = connectParams.client.displayName ?? connectParams.client.id;
|
|
795
|
+
const clientMeta = {
|
|
796
|
+
client: connectParams.client.id,
|
|
797
|
+
clientDisplayName: connectParams.client.displayName,
|
|
798
|
+
mode: connectParams.client.mode,
|
|
799
|
+
version: connectParams.client.version,
|
|
800
|
+
platform: connectParams.client.platform,
|
|
801
|
+
deviceFamily: connectParams.client.deviceFamily,
|
|
802
|
+
modelIdentifier: connectParams.client.modelIdentifier,
|
|
803
|
+
instanceId: connectParams.client.instanceId
|
|
804
|
+
};
|
|
805
|
+
const markHandshakeFailure = (cause, meta) => {
|
|
806
|
+
setHandshakeState("failed");
|
|
807
|
+
setCloseCause(cause, {
|
|
808
|
+
...meta,
|
|
809
|
+
...clientMeta
|
|
810
|
+
});
|
|
811
|
+
};
|
|
812
|
+
const sendHandshakeErrorResponse = (code, message, options) => {
|
|
813
|
+
send({
|
|
814
|
+
type: "res",
|
|
815
|
+
id: frame.id,
|
|
816
|
+
ok: false,
|
|
817
|
+
error: errorShape(code, message, options)
|
|
818
|
+
});
|
|
819
|
+
};
|
|
820
|
+
if (isStartupPending?.()) {
|
|
821
|
+
markHandshakeFailure(GATEWAY_STARTUP_PENDING_CLOSE_CAUSE);
|
|
822
|
+
await sendFrame({
|
|
823
|
+
type: "res",
|
|
824
|
+
id: frame.id,
|
|
825
|
+
ok: false,
|
|
826
|
+
error: errorShape(ErrorCodes.UNAVAILABLE, "gateway starting; retry shortly", {
|
|
827
|
+
retryable: true,
|
|
828
|
+
retryAfterMs: 500,
|
|
829
|
+
details: gatewayStartupUnavailableDetails()
|
|
830
|
+
})
|
|
831
|
+
}).catch(() => {});
|
|
832
|
+
queueMicrotask(() => close(GATEWAY_STARTUP_CLOSE_CODE, GATEWAY_STARTUP_CLOSE_REASON));
|
|
833
|
+
return;
|
|
834
|
+
}
|
|
835
|
+
const { minProtocol, maxProtocol } = connectParams;
|
|
836
|
+
const supportsCurrentProtocol = maxProtocol >= 4 && minProtocol <= 4;
|
|
837
|
+
const supportsProbeRestartProtocol = connectParams.client.mode === GATEWAY_CLIENT_MODES.PROBE && maxProtocol >= 4 && minProtocol <= 4;
|
|
838
|
+
if (!supportsCurrentProtocol && !supportsProbeRestartProtocol) {
|
|
839
|
+
markHandshakeFailure("protocol-mismatch", {
|
|
840
|
+
minProtocol,
|
|
841
|
+
maxProtocol,
|
|
842
|
+
expectedProtocol: 4,
|
|
843
|
+
minimumProbeProtocol: 4
|
|
844
|
+
});
|
|
845
|
+
logWsControl.warn(`protocol mismatch conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} remotePort=${remotePort ?? "?"} client=${formatForLog(clientLabel)} ${connectParams.client.mode} v${formatForLog(connectParams.client.version)} min=${minProtocol} max=${maxProtocol} expected=4 probeMin=4 instance=${formatForLog(connectParams.client.instanceId ?? "n/a")}`);
|
|
846
|
+
sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "protocol mismatch", { details: {
|
|
847
|
+
code: ConnectErrorDetailCodes.PROTOCOL_MISMATCH,
|
|
848
|
+
clientMinProtocol: minProtocol,
|
|
849
|
+
clientMaxProtocol: maxProtocol,
|
|
850
|
+
expectedProtocol: 4,
|
|
851
|
+
minimumProbeProtocol: 4
|
|
852
|
+
} });
|
|
853
|
+
close(1002, "protocol mismatch");
|
|
854
|
+
return;
|
|
855
|
+
}
|
|
856
|
+
const roleRaw = connectParams.role ?? "operator";
|
|
857
|
+
const role = parseGatewayRole(roleRaw);
|
|
858
|
+
if (!role) {
|
|
859
|
+
markHandshakeFailure("invalid-role", { role: roleRaw });
|
|
860
|
+
sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "invalid role");
|
|
861
|
+
close(1008, "invalid role");
|
|
862
|
+
return;
|
|
863
|
+
}
|
|
864
|
+
let scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
|
|
865
|
+
connectParams.role = role;
|
|
866
|
+
connectParams.scopes = scopes;
|
|
867
|
+
const isControlUi = isOperatorUiClient(connectParams.client);
|
|
868
|
+
const isBrowserOperatorUi = isBrowserOperatorUiClient(connectParams.client);
|
|
869
|
+
const isWebchat = isWebchatConnect(connectParams);
|
|
870
|
+
const isNativeAppUi = connectParams.client.mode === GATEWAY_CLIENT_MODES.UI && (connectParams.client.id === GATEWAY_CLIENT_IDS.MACOS_APP || connectParams.client.id === GATEWAY_CLIENT_IDS.IOS_APP || connectParams.client.id === GATEWAY_CLIENT_IDS.ANDROID_APP);
|
|
871
|
+
if (enforceOriginCheckForAnyClient || isBrowserOperatorUi || isWebchat) {
|
|
872
|
+
const hostHeaderOriginFallbackEnabled = configSnapshot.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback === true;
|
|
873
|
+
const originCheck = checkBrowserOrigin({
|
|
874
|
+
requestHost,
|
|
875
|
+
origin: requestOrigin,
|
|
876
|
+
allowedOrigins: configSnapshot.gateway?.controlUi?.allowedOrigins,
|
|
877
|
+
allowHostHeaderOriginFallback: hostHeaderOriginFallbackEnabled,
|
|
878
|
+
isLocalClient
|
|
879
|
+
});
|
|
880
|
+
if (!originCheck.ok) {
|
|
881
|
+
const errorMessage = "origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)";
|
|
882
|
+
markHandshakeFailure("origin-mismatch", {
|
|
883
|
+
origin: requestOrigin ?? "n/a",
|
|
884
|
+
host: requestHost ?? "n/a",
|
|
885
|
+
reason: originCheck.reason
|
|
886
|
+
});
|
|
887
|
+
sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, errorMessage, { details: {
|
|
888
|
+
code: ConnectErrorDetailCodes.CONTROL_UI_ORIGIN_NOT_ALLOWED,
|
|
889
|
+
reason: originCheck.reason
|
|
890
|
+
} });
|
|
891
|
+
close(1008, truncateCloseReason(errorMessage));
|
|
892
|
+
return;
|
|
893
|
+
}
|
|
894
|
+
if (originCheck.matchedBy === "host-header-fallback") {
|
|
895
|
+
originCheckMetrics.hostHeaderFallbackAccepted += 1;
|
|
896
|
+
logWsControl.warn(`security warning: websocket origin accepted via Host-header fallback conn=${connId} count=${originCheckMetrics.hostHeaderFallbackAccepted} host=${requestHost ?? "n/a"} origin=${requestOrigin ?? "n/a"}`);
|
|
897
|
+
if (hostHeaderOriginFallbackEnabled) logGateway.warn("security metric: gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback accepted a websocket connect request");
|
|
898
|
+
}
|
|
899
|
+
}
|
|
900
|
+
const deviceRaw = connectParams.device;
|
|
901
|
+
let devicePublicKey = null;
|
|
902
|
+
let deviceAuthPayloadVersion = null;
|
|
903
|
+
const hasTokenAuth = Boolean(connectParams.auth?.token);
|
|
904
|
+
const hasPasswordAuth = Boolean(connectParams.auth?.password);
|
|
905
|
+
const hasSharedAuth = hasTokenAuth || hasPasswordAuth;
|
|
906
|
+
const controlUiAuthPolicy = resolveControlUiAuthPolicy({
|
|
907
|
+
isControlUi,
|
|
908
|
+
controlUiConfig: configSnapshot.gateway?.controlUi,
|
|
909
|
+
deviceRaw
|
|
910
|
+
});
|
|
911
|
+
const device = controlUiAuthPolicy.device;
|
|
912
|
+
let { authResult, authOk, authMethod, sharedAuthOk, bootstrapTokenCandidate, deviceTokenCandidate, deviceTokenCandidateSource } = await resolveConnectAuthState({
|
|
913
|
+
resolvedAuth,
|
|
914
|
+
connectAuth: connectParams.auth,
|
|
915
|
+
hasDeviceIdentity: Boolean(device),
|
|
916
|
+
req: upgradeReq,
|
|
917
|
+
trustedProxies,
|
|
918
|
+
allowRealIpFallback,
|
|
919
|
+
rateLimiter: authRateLimiter,
|
|
920
|
+
clientIp: browserRateLimitClientIp
|
|
921
|
+
});
|
|
922
|
+
const rejectUnauthorized = (failedAuth) => {
|
|
923
|
+
const { authProvided, canRetryWithDeviceToken, recommendedNextStep } = resolveUnauthorizedHandshakeContext({
|
|
924
|
+
connectAuth: connectParams.auth,
|
|
925
|
+
failedAuth,
|
|
926
|
+
hasDeviceIdentity: Boolean(device)
|
|
927
|
+
});
|
|
928
|
+
markHandshakeFailure("unauthorized", {
|
|
929
|
+
authMode: resolvedAuth.mode,
|
|
930
|
+
authProvided,
|
|
931
|
+
authReason: failedAuth.reason,
|
|
932
|
+
allowTailscale: resolvedAuth.allowTailscale,
|
|
933
|
+
peer: peerLabel,
|
|
934
|
+
remoteAddr,
|
|
935
|
+
remotePort,
|
|
936
|
+
localAddr,
|
|
937
|
+
localPort,
|
|
938
|
+
role,
|
|
939
|
+
scopeCount: scopes.length,
|
|
940
|
+
hasDeviceIdentity: Boolean(device)
|
|
941
|
+
});
|
|
942
|
+
const authLogDecision = shouldLimitMissingCredentialAuthLog({
|
|
943
|
+
reason: failedAuth.reason,
|
|
944
|
+
authProvided
|
|
945
|
+
}) ? unauthorizedHandshakeLogLimiter.register(buildHandshakeAuthLogKey({
|
|
946
|
+
reason: failedAuth.reason,
|
|
947
|
+
remoteAddr,
|
|
948
|
+
client: clientLabel,
|
|
949
|
+
mode: connectParams.client.mode,
|
|
950
|
+
authProvided
|
|
951
|
+
})) : {
|
|
952
|
+
shouldLog: true,
|
|
953
|
+
suppressedSinceLastLog: 0
|
|
954
|
+
};
|
|
955
|
+
if (authLogDecision.shouldLog) {
|
|
956
|
+
const suppressedText = authLogDecision.suppressedSinceLastLog > 0 ? ` suppressed=${authLogDecision.suppressedSinceLastLog}` : "";
|
|
957
|
+
logWsControl.warn(`unauthorized conn=${connId} peer=${formatForLog(peerLabel)} remote=${remoteAddr ?? "?"} client=${formatForLog(clientLabel)} ${connectParams.client.mode} v${formatForLog(connectParams.client.version)} role=${role} scopes=${scopes.length} auth=${authProvided} device=${device ? "yes" : "no"} platform=${formatForLog(connectParams.client.platform)} instance=${formatForLog(connectParams.client.instanceId ?? "n/a")} host=${formatForLog(requestHost ?? "n/a")} origin=${formatForLog(requestOrigin ?? "n/a")} ua=${formatForLog(requestUserAgent ?? "n/a")} reason=${failedAuth.reason ?? "unknown"}${suppressedText}`);
|
|
958
|
+
}
|
|
959
|
+
const authMessage = formatGatewayAuthFailureMessage({
|
|
960
|
+
authMode: resolvedAuth.mode,
|
|
961
|
+
authProvided,
|
|
962
|
+
reason: failedAuth.reason,
|
|
963
|
+
client: connectParams.client
|
|
964
|
+
});
|
|
965
|
+
sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, authMessage, { details: {
|
|
966
|
+
code: resolveAuthConnectErrorDetailCode(failedAuth.reason),
|
|
967
|
+
authReason: failedAuth.reason,
|
|
968
|
+
canRetryWithDeviceToken,
|
|
969
|
+
recommendedNextStep
|
|
970
|
+
} });
|
|
971
|
+
close(1008, truncateCloseReason(authMessage));
|
|
972
|
+
};
|
|
973
|
+
const clearUnboundScopes = () => {
|
|
974
|
+
if (scopes.length > 0) {
|
|
975
|
+
scopes = [];
|
|
976
|
+
connectParams.scopes = scopes;
|
|
977
|
+
}
|
|
978
|
+
};
|
|
979
|
+
let pairingLocality = resolvePairingLocality({
|
|
980
|
+
connectParams,
|
|
981
|
+
isLocalClient,
|
|
982
|
+
requestHost,
|
|
983
|
+
requestOrigin,
|
|
984
|
+
remoteAddress: remoteAddr,
|
|
985
|
+
hasProxyHeaders,
|
|
986
|
+
hasBrowserOriginHeader,
|
|
987
|
+
sharedAuthOk,
|
|
988
|
+
authMethod
|
|
989
|
+
});
|
|
990
|
+
let skipLocalBackendSelfPairing = shouldSkipLocalBackendSelfPairing({
|
|
991
|
+
connectParams,
|
|
992
|
+
locality: pairingLocality,
|
|
993
|
+
hasBrowserOriginHeader,
|
|
994
|
+
sharedAuthOk,
|
|
995
|
+
authMethod
|
|
996
|
+
});
|
|
997
|
+
const handleMissingDeviceIdentity = () => {
|
|
998
|
+
const trustedProxyAuthOk = isTrustedProxyControlUiOperatorAuth({
|
|
999
|
+
isControlUi,
|
|
1000
|
+
role,
|
|
1001
|
+
authMode: resolvedAuth.mode,
|
|
1002
|
+
authOk,
|
|
1003
|
+
authMethod
|
|
1004
|
+
});
|
|
1005
|
+
const preserveInsecureLocalControlUiScopes = isControlUi && controlUiAuthPolicy.allowInsecureAuthConfigured && isLocalClient && (authMethod === "token" || authMethod === "password");
|
|
1006
|
+
const decision = evaluateMissingDeviceIdentity({
|
|
1007
|
+
hasDeviceIdentity: Boolean(device),
|
|
1008
|
+
role,
|
|
1009
|
+
isControlUi,
|
|
1010
|
+
controlUiAuthPolicy,
|
|
1011
|
+
trustedProxyAuthOk,
|
|
1012
|
+
localBackendSelfPairingOk: skipLocalBackendSelfPairing,
|
|
1013
|
+
sharedAuthOk,
|
|
1014
|
+
authOk,
|
|
1015
|
+
hasSharedAuth,
|
|
1016
|
+
isLocalClient
|
|
1017
|
+
});
|
|
1018
|
+
if (!device && !skipLocalBackendSelfPairing && shouldClearUnboundScopesForMissingDeviceIdentity({
|
|
1019
|
+
decision,
|
|
1020
|
+
controlUiAuthPolicy,
|
|
1021
|
+
preserveInsecureLocalControlUiScopes,
|
|
1022
|
+
authMethod,
|
|
1023
|
+
trustedProxyAuthOk
|
|
1024
|
+
})) clearUnboundScopes();
|
|
1025
|
+
if (authMethod === "none" && isLocalClient && scopes.length === 0) {
|
|
1026
|
+
scopes = ["operator.admin"];
|
|
1027
|
+
connectParams.scopes = scopes;
|
|
1028
|
+
}
|
|
1029
|
+
if (decision.kind === "allow") return true;
|
|
1030
|
+
if (decision.kind === "reject-control-ui-insecure-auth") {
|
|
1031
|
+
const errorMessage = "control ui requires device identity (use HTTPS or localhost secure context)";
|
|
1032
|
+
markHandshakeFailure("control-ui-insecure-auth", { insecureAuthConfigured: controlUiAuthPolicy.allowInsecureAuthConfigured });
|
|
1033
|
+
sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, errorMessage, { details: { code: ConnectErrorDetailCodes.CONTROL_UI_DEVICE_IDENTITY_REQUIRED } });
|
|
1034
|
+
close(1008, errorMessage);
|
|
1035
|
+
return false;
|
|
1036
|
+
}
|
|
1037
|
+
if (decision.kind === "reject-unauthorized") {
|
|
1038
|
+
rejectUnauthorized(authResult);
|
|
1039
|
+
return false;
|
|
1040
|
+
}
|
|
1041
|
+
markHandshakeFailure("device-required");
|
|
1042
|
+
sendHandshakeErrorResponse(ErrorCodes.NOT_PAIRED, "device identity required", { details: { code: ConnectErrorDetailCodes.DEVICE_IDENTITY_REQUIRED } });
|
|
1043
|
+
close(1008, "device identity required");
|
|
1044
|
+
return false;
|
|
1045
|
+
};
|
|
1046
|
+
if (!handleMissingDeviceIdentity()) return;
|
|
1047
|
+
if (device) {
|
|
1048
|
+
const rejectDeviceAuthInvalid = (reason, message) => {
|
|
1049
|
+
setHandshakeState("failed");
|
|
1050
|
+
setCloseCause("device-auth-invalid", {
|
|
1051
|
+
reason,
|
|
1052
|
+
client: connectParams.client.id,
|
|
1053
|
+
deviceId: device.id
|
|
1054
|
+
});
|
|
1055
|
+
send({
|
|
1056
|
+
type: "res",
|
|
1057
|
+
id: frame.id,
|
|
1058
|
+
ok: false,
|
|
1059
|
+
error: errorShape(ErrorCodes.INVALID_REQUEST, message, { details: {
|
|
1060
|
+
code: resolveDeviceAuthConnectErrorDetailCode(reason),
|
|
1061
|
+
reason
|
|
1062
|
+
} })
|
|
1063
|
+
});
|
|
1064
|
+
close(1008, message);
|
|
1065
|
+
};
|
|
1066
|
+
const derivedId = deriveDeviceIdFromPublicKey(device.publicKey);
|
|
1067
|
+
if (!derivedId || derivedId !== device.id) {
|
|
1068
|
+
rejectDeviceAuthInvalid("device-id-mismatch", "device identity mismatch");
|
|
1069
|
+
return;
|
|
1070
|
+
}
|
|
1071
|
+
const signedAt = device.signedAt;
|
|
1072
|
+
if (typeof signedAt !== "number" || Math.abs(Date.now() - signedAt) > DEVICE_SIGNATURE_SKEW_MS) {
|
|
1073
|
+
rejectDeviceAuthInvalid("device-signature-stale", "device signature expired");
|
|
1074
|
+
return;
|
|
1075
|
+
}
|
|
1076
|
+
const providedNonce = typeof device.nonce === "string" ? device.nonce.trim() : "";
|
|
1077
|
+
if (!providedNonce) {
|
|
1078
|
+
rejectDeviceAuthInvalid("device-nonce-missing", "device nonce required");
|
|
1079
|
+
return;
|
|
1080
|
+
}
|
|
1081
|
+
if (providedNonce !== connectNonce) {
|
|
1082
|
+
rejectDeviceAuthInvalid("device-nonce-mismatch", "device nonce mismatch");
|
|
1083
|
+
return;
|
|
1084
|
+
}
|
|
1085
|
+
const rejectDeviceSignatureInvalid = () => rejectDeviceAuthInvalid("device-signature", "device signature invalid");
|
|
1086
|
+
const payloadVersion = resolveDeviceSignaturePayloadVersion({
|
|
1087
|
+
device,
|
|
1088
|
+
connectParams,
|
|
1089
|
+
role,
|
|
1090
|
+
scopes,
|
|
1091
|
+
signedAtMs: signedAt,
|
|
1092
|
+
nonce: providedNonce
|
|
1093
|
+
});
|
|
1094
|
+
if (!payloadVersion) {
|
|
1095
|
+
rejectDeviceSignatureInvalid();
|
|
1096
|
+
return;
|
|
1097
|
+
}
|
|
1098
|
+
deviceAuthPayloadVersion = payloadVersion;
|
|
1099
|
+
devicePublicKey = normalizeDevicePublicKeyBase64Url(device.publicKey);
|
|
1100
|
+
if (!devicePublicKey) {
|
|
1101
|
+
rejectDeviceAuthInvalid("device-public-key", "device public key invalid");
|
|
1102
|
+
return;
|
|
1103
|
+
}
|
|
1104
|
+
}
|
|
1105
|
+
const authDecision = await resolveConnectAuthDecision({
|
|
1106
|
+
state: {
|
|
1107
|
+
authResult,
|
|
1108
|
+
authOk,
|
|
1109
|
+
authMethod,
|
|
1110
|
+
sharedAuthOk,
|
|
1111
|
+
sharedAuthProvided: hasSharedAuth,
|
|
1112
|
+
bootstrapTokenCandidate,
|
|
1113
|
+
deviceTokenCandidate,
|
|
1114
|
+
deviceTokenCandidateSource
|
|
1115
|
+
},
|
|
1116
|
+
hasDeviceIdentity: Boolean(device),
|
|
1117
|
+
deviceId: device?.id,
|
|
1118
|
+
publicKey: device?.publicKey,
|
|
1119
|
+
role,
|
|
1120
|
+
scopes,
|
|
1121
|
+
rateLimiter: authRateLimiter,
|
|
1122
|
+
clientIp: browserRateLimitClientIp,
|
|
1123
|
+
verifyBootstrapToken: async ({ deviceId, publicKey, token, role, scopes }) => await verifyDeviceBootstrapToken({
|
|
1124
|
+
deviceId,
|
|
1125
|
+
publicKey,
|
|
1126
|
+
token,
|
|
1127
|
+
role,
|
|
1128
|
+
scopes
|
|
1129
|
+
}),
|
|
1130
|
+
verifyDeviceToken: async (params) => await verifyDeviceToken({
|
|
1131
|
+
...params,
|
|
1132
|
+
requiredSharedGatewaySessionGeneration: getRequiredSharedGatewaySessionGeneration?.()
|
|
1133
|
+
})
|
|
1134
|
+
});
|
|
1135
|
+
({authResult, authOk, authMethod} = authDecision);
|
|
1136
|
+
const deviceTokenSharedGatewaySessionGeneration = authDecision.deviceTokenSharedGatewaySessionGeneration;
|
|
1137
|
+
pairingLocality = resolvePairingLocality({
|
|
1138
|
+
connectParams,
|
|
1139
|
+
isLocalClient,
|
|
1140
|
+
requestHost,
|
|
1141
|
+
requestOrigin,
|
|
1142
|
+
remoteAddress: remoteAddr,
|
|
1143
|
+
hasProxyHeaders,
|
|
1144
|
+
hasBrowserOriginHeader,
|
|
1145
|
+
sharedAuthOk,
|
|
1146
|
+
authMethod
|
|
1147
|
+
});
|
|
1148
|
+
skipLocalBackendSelfPairing = shouldSkipLocalBackendSelfPairing({
|
|
1149
|
+
connectParams,
|
|
1150
|
+
locality: pairingLocality,
|
|
1151
|
+
hasBrowserOriginHeader,
|
|
1152
|
+
sharedAuthOk,
|
|
1153
|
+
authMethod
|
|
1154
|
+
});
|
|
1155
|
+
if (!authOk) {
|
|
1156
|
+
rejectUnauthorized(authResult);
|
|
1157
|
+
return;
|
|
1158
|
+
}
|
|
1159
|
+
const usesSharedGatewayAuth = authMethod === "token" || authMethod === "password" || authMethod === "trusted-proxy";
|
|
1160
|
+
const sharedGatewaySessionGeneration = usesSharedGatewayAuth ? resolveSharedGatewaySessionGeneration(resolvedAuth, trustedProxies) : void 0;
|
|
1161
|
+
const sessionUsesSharedGatewayAuth = usesSharedGatewayAuth || deviceTokenSharedGatewaySessionGeneration !== void 0;
|
|
1162
|
+
const sessionSharedGatewaySessionGeneration = sharedGatewaySessionGeneration ?? deviceTokenSharedGatewaySessionGeneration;
|
|
1163
|
+
if (sessionUsesSharedGatewayAuth) {
|
|
1164
|
+
const requiredSharedGatewaySessionGeneration = getRequiredSharedGatewaySessionGeneration?.();
|
|
1165
|
+
if (requiredSharedGatewaySessionGeneration !== void 0 && sessionSharedGatewaySessionGeneration !== requiredSharedGatewaySessionGeneration) {
|
|
1166
|
+
setCloseCause("gateway-auth-rotated", { authGenerationStale: true });
|
|
1167
|
+
close(4001, "gateway auth changed");
|
|
1168
|
+
return;
|
|
1169
|
+
}
|
|
1170
|
+
}
|
|
1171
|
+
const issuedBootstrapProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate ? await getDeviceBootstrapTokenProfile({ token: bootstrapTokenCandidate }) : null;
|
|
1172
|
+
let handoffBootstrapProfile = null;
|
|
1173
|
+
const trustedProxyAuthOk = isTrustedProxyControlUiOperatorAuth({
|
|
1174
|
+
isControlUi,
|
|
1175
|
+
role,
|
|
1176
|
+
authMode: resolvedAuth.mode,
|
|
1177
|
+
authOk,
|
|
1178
|
+
authMethod
|
|
1179
|
+
});
|
|
1180
|
+
if (trustedProxyAuthOk) {
|
|
1181
|
+
scopes = resolveTrustedProxyControlUiScopes({
|
|
1182
|
+
requestedScopes: scopes,
|
|
1183
|
+
upgradeReq
|
|
1184
|
+
});
|
|
1185
|
+
connectParams.scopes = scopes;
|
|
1186
|
+
}
|
|
1187
|
+
const skipControlUiPairingForDevice = shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk, resolvedAuth.mode, authMethod);
|
|
1188
|
+
let hasServerApprovedDeviceTokenBaseline = false;
|
|
1189
|
+
if (device && devicePublicKey) {
|
|
1190
|
+
const formatAuditList = (items) => {
|
|
1191
|
+
if (!items || items.length === 0) return "<none>";
|
|
1192
|
+
const out = /* @__PURE__ */ new Set();
|
|
1193
|
+
for (const item of items) {
|
|
1194
|
+
const trimmed = item.trim();
|
|
1195
|
+
if (trimmed) out.add(trimmed);
|
|
1196
|
+
}
|
|
1197
|
+
if (out.size === 0) return "<none>";
|
|
1198
|
+
return [...out].toSorted().join(",");
|
|
1199
|
+
};
|
|
1200
|
+
const logUpgradeAudit = (reason, currentRoles, currentScopes) => {
|
|
1201
|
+
logGateway.warn(`security audit: device access upgrade requested reason=${reason} device=${device.id} ip=${reportedClientIp ?? "unknown-ip"} auth=${authMethod} roleFrom=${formatAuditList(currentRoles)} roleTo=${role} scopesFrom=${formatAuditList(currentScopes)} scopesTo=${formatAuditList(scopes)} client=${connectParams.client.id} conn=${connId}`);
|
|
1202
|
+
};
|
|
1203
|
+
const clientPairingMetadata = {
|
|
1204
|
+
displayName: connectParams.client.displayName,
|
|
1205
|
+
platform: connectParams.client.platform,
|
|
1206
|
+
deviceFamily: connectParams.client.deviceFamily,
|
|
1207
|
+
clientId: connectParams.client.id,
|
|
1208
|
+
clientMode: connectParams.client.mode,
|
|
1209
|
+
role,
|
|
1210
|
+
scopes,
|
|
1211
|
+
remoteIp: reportedClientIp
|
|
1212
|
+
};
|
|
1213
|
+
const clientAccessMetadata = {
|
|
1214
|
+
displayName: connectParams.client.displayName,
|
|
1215
|
+
remoteIp: reportedClientIp
|
|
1216
|
+
};
|
|
1217
|
+
const requirePairing = async (reason, existingPairedDevice = null) => {
|
|
1218
|
+
const pairingStateAllowsRequestedAccess = (pairedCandidate) => {
|
|
1219
|
+
if (!pairedCandidate || pairedCandidate.publicKey !== devicePublicKey) return false;
|
|
1220
|
+
if (!hasEffectivePairedDeviceRole(pairedCandidate, role)) return false;
|
|
1221
|
+
if (scopes.length === 0) return true;
|
|
1222
|
+
const pairedScopes = Array.isArray(pairedCandidate.approvedScopes) ? pairedCandidate.approvedScopes : Array.isArray(pairedCandidate.scopes) ? pairedCandidate.scopes : [];
|
|
1223
|
+
if (pairedScopes.length === 0) return false;
|
|
1224
|
+
return roleScopesAllow({
|
|
1225
|
+
role,
|
|
1226
|
+
requestedScopes: scopes,
|
|
1227
|
+
allowedScopes: pairedScopes
|
|
1228
|
+
});
|
|
1229
|
+
};
|
|
1230
|
+
const allowSilentLocalPairing = !(existingPairedDevice && role !== "operator") && shouldAllowSilentLocalPairing({
|
|
1231
|
+
locality: pairingLocality,
|
|
1232
|
+
hasBrowserOriginHeader,
|
|
1233
|
+
isControlUi,
|
|
1234
|
+
isWebchat,
|
|
1235
|
+
isNativeAppUi,
|
|
1236
|
+
reason
|
|
1237
|
+
});
|
|
1238
|
+
const allowSilentTrustedCidrsNodePairing = shouldAutoApproveNodePairingFromTrustedCidrs({
|
|
1239
|
+
existingPairedDevice: Boolean(existingPairedDevice),
|
|
1240
|
+
role,
|
|
1241
|
+
reason,
|
|
1242
|
+
scopes,
|
|
1243
|
+
hasBrowserOriginHeader,
|
|
1244
|
+
isControlUi,
|
|
1245
|
+
isWebchat,
|
|
1246
|
+
reportedClientIpSource,
|
|
1247
|
+
reportedClientIp,
|
|
1248
|
+
autoApproveCidrs: configSnapshot.gateway?.nodes?.pairing?.autoApproveCidrs
|
|
1249
|
+
});
|
|
1250
|
+
const boundBootstrapProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate && reason === "not-paired" && role === "node" && scopes.length === 0 && !existingPairedDevice && !isControlUi && !isBrowserOperatorUi && !isWebchat && connectParams.client.mode === GATEWAY_CLIENT_MODES.NODE ? await getBoundDeviceBootstrapProfile({
|
|
1251
|
+
token: bootstrapTokenCandidate,
|
|
1252
|
+
deviceId: device.id,
|
|
1253
|
+
publicKey: devicePublicKey
|
|
1254
|
+
}) : null;
|
|
1255
|
+
const allowSilentBootstrapPairing = boundBootstrapProfile !== null && isPairingSetupBootstrapProfile(boundBootstrapProfile);
|
|
1256
|
+
const bootstrapPairingRoles = allowSilentBootstrapPairing ? uniqueStrings([role, ...boundBootstrapProfile.roles]) : void 0;
|
|
1257
|
+
const bootstrapPairingScopes = allowSilentBootstrapPairing && bootstrapPairingRoles ? resolveBootstrapProfileScopesForRoles(bootstrapPairingRoles, boundBootstrapProfile.scopes) : void 0;
|
|
1258
|
+
const pairing = await requestDevicePairing({
|
|
1259
|
+
deviceId: device.id,
|
|
1260
|
+
publicKey: devicePublicKey,
|
|
1261
|
+
...clientPairingMetadata,
|
|
1262
|
+
...bootstrapPairingRoles ? {
|
|
1263
|
+
roles: bootstrapPairingRoles,
|
|
1264
|
+
scopes: bootstrapPairingScopes ?? []
|
|
1265
|
+
} : {},
|
|
1266
|
+
silent: reason === "scope-upgrade" ? false : allowSilentLocalPairing || allowSilentTrustedCidrsNodePairing || allowSilentBootstrapPairing
|
|
1267
|
+
});
|
|
1268
|
+
const context = buildRequestContext();
|
|
1269
|
+
let approved;
|
|
1270
|
+
let resolvedByConcurrentApproval = false;
|
|
1271
|
+
let recoveryRequestId = pairing.request.requestId;
|
|
1272
|
+
const resolveLivePendingRequestId = async () => {
|
|
1273
|
+
const pendingList = await listDevicePairing();
|
|
1274
|
+
const exactPending = pendingList.pending.find((pending) => pending.requestId === pairing.request.requestId);
|
|
1275
|
+
if (exactPending) return exactPending.requestId;
|
|
1276
|
+
return pendingList.pending.find((pending) => pending.deviceId === device.id && pending.publicKey === devicePublicKey)?.requestId;
|
|
1277
|
+
};
|
|
1278
|
+
if (pairing.request.silent === true) {
|
|
1279
|
+
approved = allowSilentBootstrapPairing && boundBootstrapProfile ? await approveBootstrapDevicePairing(pairing.request.requestId, boundBootstrapProfile) : await approveDevicePairing(pairing.request.requestId, { callerScopes: scopes });
|
|
1280
|
+
if (approved?.status === "approved") {
|
|
1281
|
+
if (allowSilentBootstrapPairing && boundBootstrapProfile) handoffBootstrapProfile = boundBootstrapProfile;
|
|
1282
|
+
logGateway.info(`device pairing auto-approved device=${approved.device.deviceId} role=${approved.device.role ?? "unknown"}`);
|
|
1283
|
+
context.broadcast("device.pair.resolved", {
|
|
1284
|
+
requestId: pairing.request.requestId,
|
|
1285
|
+
deviceId: approved.device.deviceId,
|
|
1286
|
+
decision: "approved",
|
|
1287
|
+
ts: Date.now()
|
|
1288
|
+
}, { dropIfSlow: true });
|
|
1289
|
+
} else {
|
|
1290
|
+
resolvedByConcurrentApproval = pairingStateAllowsRequestedAccess(await getPairedDevice(device.id));
|
|
1291
|
+
let requestStillPending = false;
|
|
1292
|
+
if (!resolvedByConcurrentApproval) {
|
|
1293
|
+
recoveryRequestId = await resolveLivePendingRequestId();
|
|
1294
|
+
requestStillPending = recoveryRequestId === pairing.request.requestId;
|
|
1295
|
+
}
|
|
1296
|
+
if (requestStillPending) context.broadcast("device.pair.requested", pairing.request, { dropIfSlow: true });
|
|
1297
|
+
}
|
|
1298
|
+
} else if (pairing.created) context.broadcast("device.pair.requested", pairing.request, { dropIfSlow: true });
|
|
1299
|
+
recoveryRequestId = await resolveLivePendingRequestId();
|
|
1300
|
+
if (!(pairing.request.silent === true && (approved?.status === "approved" || resolvedByConcurrentApproval))) {
|
|
1301
|
+
const exposeApprovedAccess = existingPairedDevice?.publicKey === devicePublicKey;
|
|
1302
|
+
const approvedRoles = exposeApprovedAccess ? listApprovedPairedDeviceRoles(existingPairedDevice) : [];
|
|
1303
|
+
const approvedScopes = exposeApprovedAccess ? Array.isArray(existingPairedDevice.approvedScopes) ? existingPairedDevice.approvedScopes : Array.isArray(existingPairedDevice.scopes) ? existingPairedDevice.scopes : [] : [];
|
|
1304
|
+
const retryAfterBootstrapPairingApproval = authMethod === "bootstrap-token" && reason === "not-paired" && role === "node" && scopes.length === 0 && !existingPairedDevice;
|
|
1305
|
+
const pairingErrorDetails = buildPairingConnectErrorDetails({
|
|
1306
|
+
reason,
|
|
1307
|
+
requestId: recoveryRequestId,
|
|
1308
|
+
...retryAfterBootstrapPairingApproval ? {
|
|
1309
|
+
recommendedNextStep: "wait_then_retry",
|
|
1310
|
+
retryable: true,
|
|
1311
|
+
pauseReconnect: false
|
|
1312
|
+
} : {},
|
|
1313
|
+
deviceId: device.id,
|
|
1314
|
+
requestedRole: role,
|
|
1315
|
+
requestedScopes: scopes,
|
|
1316
|
+
...approvedRoles.length > 0 ? { approvedRoles } : {},
|
|
1317
|
+
...approvedScopes.length > 0 ? { approvedScopes } : {}
|
|
1318
|
+
});
|
|
1319
|
+
const pairingErrorMessage = buildPairingConnectErrorMessage(reason);
|
|
1320
|
+
setHandshakeState("failed");
|
|
1321
|
+
setCloseCause("pairing-required", {
|
|
1322
|
+
deviceId: device.id,
|
|
1323
|
+
...recoveryRequestId ? { requestId: recoveryRequestId } : {},
|
|
1324
|
+
reason
|
|
1325
|
+
});
|
|
1326
|
+
send({
|
|
1327
|
+
type: "res",
|
|
1328
|
+
id: frame.id,
|
|
1329
|
+
ok: false,
|
|
1330
|
+
error: errorShape(ErrorCodes.NOT_PAIRED, pairingErrorMessage, { details: pairingErrorDetails })
|
|
1331
|
+
});
|
|
1332
|
+
close(1008, truncateCloseReason(buildPairingConnectCloseReason({
|
|
1333
|
+
reason,
|
|
1334
|
+
requestId: recoveryRequestId
|
|
1335
|
+
})));
|
|
1336
|
+
return false;
|
|
1337
|
+
}
|
|
1338
|
+
return true;
|
|
1339
|
+
};
|
|
1340
|
+
const paired = await getPairedDevice(device.id);
|
|
1341
|
+
if (!(paired?.publicKey === devicePublicKey)) {
|
|
1342
|
+
if (!(skipLocalBackendSelfPairing || skipControlUiPairingForDevice)) {
|
|
1343
|
+
if (!await requirePairing("not-paired", paired)) return;
|
|
1344
|
+
hasServerApprovedDeviceTokenBaseline = true;
|
|
1345
|
+
} else if (skipControlUiPairingForDevice || skipLocalBackendSelfPairing && authMethod !== "device-token") hasServerApprovedDeviceTokenBaseline = true;
|
|
1346
|
+
} else {
|
|
1347
|
+
hasServerApprovedDeviceTokenBaseline = true;
|
|
1348
|
+
const claimedPlatform = connectParams.client.platform;
|
|
1349
|
+
const pairedPlatform = paired.platform;
|
|
1350
|
+
const claimedDeviceFamily = connectParams.client.deviceFamily;
|
|
1351
|
+
const pairedDeviceFamily = paired.deviceFamily;
|
|
1352
|
+
const metadataPinning = resolvePinnedClientMetadata({
|
|
1353
|
+
clientId: connectParams.client.id,
|
|
1354
|
+
clientMode: connectParams.client.mode,
|
|
1355
|
+
claimedPlatform,
|
|
1356
|
+
claimedDeviceFamily,
|
|
1357
|
+
pairedPlatform,
|
|
1358
|
+
pairedDeviceFamily
|
|
1359
|
+
});
|
|
1360
|
+
const { platformMismatch, deviceFamilyMismatch } = metadataPinning;
|
|
1361
|
+
if (platformMismatch || deviceFamilyMismatch) {
|
|
1362
|
+
if (!shouldAllowSilentLocalPairing({
|
|
1363
|
+
locality: pairingLocality,
|
|
1364
|
+
hasBrowserOriginHeader,
|
|
1365
|
+
isControlUi,
|
|
1366
|
+
isWebchat,
|
|
1367
|
+
isNativeAppUi,
|
|
1368
|
+
reason: "metadata-upgrade"
|
|
1369
|
+
})) logGateway.warn(`security audit: device metadata upgrade requested reason=metadata-upgrade device=${device.id} ip=${reportedClientIp ?? "unknown-ip"} auth=${authMethod} payload=${deviceAuthPayloadVersion ?? "unknown"} claimedPlatform=${claimedPlatform ?? "<none>"} pinnedPlatform=${pairedPlatform ?? "<none>"} claimedDeviceFamily=${claimedDeviceFamily ?? "<none>"} pinnedDeviceFamily=${pairedDeviceFamily ?? "<none>"} client=${connectParams.client.id} conn=${connId}`);
|
|
1370
|
+
if (!await requirePairing("metadata-upgrade", paired)) return;
|
|
1371
|
+
} else {
|
|
1372
|
+
if (metadataPinning.pinnedPlatform) connectParams.client.platform = metadataPinning.pinnedPlatform;
|
|
1373
|
+
if (metadataPinning.pinnedDeviceFamily) connectParams.client.deviceFamily = metadataPinning.pinnedDeviceFamily;
|
|
1374
|
+
}
|
|
1375
|
+
const pairedRoles = listEffectivePairedDeviceRoles(paired);
|
|
1376
|
+
const pairedScopes = Array.isArray(paired.approvedScopes) ? paired.approvedScopes : Array.isArray(paired.scopes) ? paired.scopes : [];
|
|
1377
|
+
const allowedRoles = new Set(pairedRoles);
|
|
1378
|
+
if (allowedRoles.size === 0) {
|
|
1379
|
+
logUpgradeAudit("role-upgrade", pairedRoles, pairedScopes);
|
|
1380
|
+
if (!await requirePairing("role-upgrade", paired)) return;
|
|
1381
|
+
} else if (!allowedRoles.has(role)) {
|
|
1382
|
+
logUpgradeAudit("role-upgrade", pairedRoles, pairedScopes);
|
|
1383
|
+
if (!await requirePairing("role-upgrade", paired)) return;
|
|
1384
|
+
}
|
|
1385
|
+
if (scopes.length > 0) {
|
|
1386
|
+
if (pairedScopes.length === 0) {
|
|
1387
|
+
logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
|
|
1388
|
+
if (!await requirePairing("scope-upgrade", paired)) return;
|
|
1389
|
+
} else if (!roleScopesAllow({
|
|
1390
|
+
role,
|
|
1391
|
+
requestedScopes: scopes,
|
|
1392
|
+
allowedScopes: pairedScopes
|
|
1393
|
+
})) {
|
|
1394
|
+
logUpgradeAudit("scope-upgrade", pairedRoles, pairedScopes);
|
|
1395
|
+
if (!await requirePairing("scope-upgrade", paired)) return;
|
|
1396
|
+
}
|
|
1397
|
+
}
|
|
1398
|
+
const retryBootstrapHandoffProfile = authMethod === "bootstrap-token" && bootstrapTokenCandidate && role === "node" && scopes.length === 0 && !isControlUi && !isBrowserOperatorUi && !isWebchat && connectParams.client.mode === GATEWAY_CLIENT_MODES.NODE && pairedRoles.includes("operator") ? await getBoundDeviceBootstrapProfile({
|
|
1399
|
+
token: bootstrapTokenCandidate,
|
|
1400
|
+
deviceId: device.id,
|
|
1401
|
+
publicKey: devicePublicKey
|
|
1402
|
+
}) : null;
|
|
1403
|
+
if (retryBootstrapHandoffProfile) {
|
|
1404
|
+
const retryBootstrapOperatorScopes = resolveBootstrapProfileScopesForRole("operator", retryBootstrapHandoffProfile.scopes);
|
|
1405
|
+
if (isPairingSetupBootstrapProfile(retryBootstrapHandoffProfile) && roleScopesAllow({
|
|
1406
|
+
role: "operator",
|
|
1407
|
+
requestedScopes: retryBootstrapOperatorScopes,
|
|
1408
|
+
allowedScopes: pairedScopes
|
|
1409
|
+
})) handoffBootstrapProfile = retryBootstrapHandoffProfile;
|
|
1410
|
+
}
|
|
1411
|
+
await updatePairedDeviceMetadata(device.id, {
|
|
1412
|
+
...clientAccessMetadata,
|
|
1413
|
+
...metadataPinning.refreshPairedPlatform ? { platform: metadataPinning.refreshPairedPlatform } : {}
|
|
1414
|
+
});
|
|
1415
|
+
}
|
|
1416
|
+
}
|
|
1417
|
+
const shouldIssueDeviceToken = !trustedProxyAuthOk;
|
|
1418
|
+
const sharedGatewayAuthIssuer = sessionSharedGatewaySessionGeneration && (deviceTokenSharedGatewaySessionGeneration !== void 0 || usesSharedGatewayAuth && (isBrowserOperatorUi || isWebchat)) ? {
|
|
1419
|
+
kind: "shared-gateway-auth",
|
|
1420
|
+
generation: sessionSharedGatewaySessionGeneration
|
|
1421
|
+
} : void 0;
|
|
1422
|
+
const deviceToken = shouldIssueDeviceToken && device && hasServerApprovedDeviceTokenBaseline ? await ensureDeviceToken({
|
|
1423
|
+
deviceId: device.id,
|
|
1424
|
+
role,
|
|
1425
|
+
scopes,
|
|
1426
|
+
issuer: sharedGatewayAuthIssuer
|
|
1427
|
+
}) : null;
|
|
1428
|
+
const bootstrapDeviceTokens = [];
|
|
1429
|
+
if (deviceToken) bootstrapDeviceTokens.push({
|
|
1430
|
+
deviceToken: deviceToken.token,
|
|
1431
|
+
role: deviceToken.role,
|
|
1432
|
+
scopes: deviceToken.scopes,
|
|
1433
|
+
issuedAtMs: deviceToken.rotatedAtMs ?? deviceToken.createdAtMs
|
|
1434
|
+
});
|
|
1435
|
+
const approvedHandoffBootstrapProfile = handoffBootstrapProfile;
|
|
1436
|
+
if (device && approvedHandoffBootstrapProfile) for (const bootstrapRole of approvedHandoffBootstrapProfile.roles) {
|
|
1437
|
+
if (bootstrapDeviceTokens.some((entry) => entry.role === bootstrapRole)) continue;
|
|
1438
|
+
const bootstrapRoleScopes = bootstrapRole === "operator" ? resolveBootstrapProfileScopesForRole(bootstrapRole, approvedHandoffBootstrapProfile.scopes) : [];
|
|
1439
|
+
const extraToken = await ensureDeviceToken({
|
|
1440
|
+
deviceId: device.id,
|
|
1441
|
+
role: bootstrapRole,
|
|
1442
|
+
scopes: bootstrapRoleScopes
|
|
1443
|
+
});
|
|
1444
|
+
if (!extraToken) continue;
|
|
1445
|
+
bootstrapDeviceTokens.push({
|
|
1446
|
+
deviceToken: extraToken.token,
|
|
1447
|
+
role: extraToken.role,
|
|
1448
|
+
scopes: extraToken.scopes,
|
|
1449
|
+
issuedAtMs: extraToken.rotatedAtMs ?? extraToken.createdAtMs
|
|
1450
|
+
});
|
|
1451
|
+
}
|
|
1452
|
+
if (role === "node") {
|
|
1453
|
+
const reconciliation = await reconcileNodePairingOnConnect({
|
|
1454
|
+
cfg: getRuntimeConfig(),
|
|
1455
|
+
connectParams,
|
|
1456
|
+
pairedNode: await getPairedNode(connectParams.device?.id ?? connectParams.client.id),
|
|
1457
|
+
reportedClientIp,
|
|
1458
|
+
requestPairing: async (input) => await requestNodePairing(input)
|
|
1459
|
+
});
|
|
1460
|
+
if (reconciliation.pendingPairing?.created) {
|
|
1461
|
+
const requestContext = buildRequestContext();
|
|
1462
|
+
const resolvedAt = Date.now();
|
|
1463
|
+
for (const superseded of reconciliation.pendingPairing.superseded ?? []) requestContext.broadcast("node.pair.resolved", {
|
|
1464
|
+
requestId: superseded.requestId,
|
|
1465
|
+
nodeId: superseded.nodeId,
|
|
1466
|
+
decision: "rejected",
|
|
1467
|
+
ts: resolvedAt
|
|
1468
|
+
}, { dropIfSlow: true });
|
|
1469
|
+
requestContext.broadcast("node.pair.requested", reconciliation.pendingPairing.request, { dropIfSlow: true });
|
|
1470
|
+
}
|
|
1471
|
+
const nodeConnectParams = connectParams;
|
|
1472
|
+
nodeConnectParams.declaredCaps = reconciliation.declaredCaps;
|
|
1473
|
+
nodeConnectParams.declaredCommands = reconciliation.declaredCommands;
|
|
1474
|
+
nodeConnectParams.declaredPermissions = reconciliation.declaredPermissions;
|
|
1475
|
+
connectParams.caps = reconciliation.effectiveCaps;
|
|
1476
|
+
connectParams.commands = reconciliation.effectiveCommands;
|
|
1477
|
+
connectParams.permissions = reconciliation.effectivePermissions;
|
|
1478
|
+
}
|
|
1479
|
+
const shouldTrackPresence = !isGatewayCliClient(connectParams.client);
|
|
1480
|
+
const clientId = connectParams.client.id;
|
|
1481
|
+
const instanceId = connectParams.client.instanceId;
|
|
1482
|
+
const presenceKey = shouldTrackPresence ? device?.id ?? instanceId ?? connId : void 0;
|
|
1483
|
+
if (isClosed()) {
|
|
1484
|
+
setCloseCause("connect-aborted-before-register", {
|
|
1485
|
+
...clientMeta,
|
|
1486
|
+
auth: authMethod
|
|
1487
|
+
});
|
|
1488
|
+
return;
|
|
1489
|
+
}
|
|
1490
|
+
const pluginSurfaceUrls = {};
|
|
1491
|
+
const pluginNodeCapabilitySurfaces = indexPluginNodeCapabilitySurfaces(pluginNodeCapabilities);
|
|
1492
|
+
const pendingPluginNodeCapabilities = [];
|
|
1493
|
+
if (pluginSurfaceBaseUrl) for (const pluginCapabilitySurface of Object.values(pluginNodeCapabilitySurfaces)) {
|
|
1494
|
+
const capability = mintPluginNodeCapabilityToken();
|
|
1495
|
+
const expiresAtMs = Date.now() + resolvePluginNodeCapabilityTtlMs(pluginCapabilitySurface);
|
|
1496
|
+
const scopedUrl = buildPluginNodeCapabilityScopedHostUrl(pluginSurfaceBaseUrl, capability) ?? pluginSurfaceBaseUrl;
|
|
1497
|
+
pluginSurfaceUrls[pluginCapabilitySurface.surface] = scopedUrl;
|
|
1498
|
+
pendingPluginNodeCapabilities.push({
|
|
1499
|
+
surface: pluginCapabilitySurface,
|
|
1500
|
+
capability,
|
|
1501
|
+
expiresAtMs
|
|
1502
|
+
});
|
|
1503
|
+
}
|
|
1504
|
+
const isTrustedApprovalRuntime = scopes.includes("operator.approvals") && connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT && connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND && isOperatorApprovalRuntimeToken(connectParams.auth?.approvalRuntimeToken);
|
|
1505
|
+
clearHandshakeTimer();
|
|
1506
|
+
const nextClient = {
|
|
1507
|
+
socket,
|
|
1508
|
+
connect: connectParams,
|
|
1509
|
+
connId,
|
|
1510
|
+
isDeviceTokenAuth: authMethod === "device-token",
|
|
1511
|
+
usesSharedGatewayAuth: sessionUsesSharedGatewayAuth,
|
|
1512
|
+
sharedGatewaySessionGeneration: sessionSharedGatewaySessionGeneration,
|
|
1513
|
+
presenceKey,
|
|
1514
|
+
clientIp: reportedClientIp,
|
|
1515
|
+
...isTrustedApprovalRuntime ? { internal: { approvalRuntime: true } } : {},
|
|
1516
|
+
...Object.keys(pluginSurfaceUrls).length > 0 ? { pluginSurfaceUrls } : {},
|
|
1517
|
+
...Object.keys(pluginNodeCapabilitySurfaces).length > 0 ? { pluginNodeCapabilitySurfaces } : {}
|
|
1518
|
+
};
|
|
1519
|
+
for (const entry of pendingPluginNodeCapabilities) setClientPluginNodeCapability({
|
|
1520
|
+
client: nextClient,
|
|
1521
|
+
surface: entry.surface,
|
|
1522
|
+
capability: entry.capability,
|
|
1523
|
+
expiresAtMs: entry.expiresAtMs
|
|
1524
|
+
});
|
|
1525
|
+
setSocketMaxPayload(socket, MAX_PAYLOAD_BYTES);
|
|
1526
|
+
if (role === "node" && isLocalClient) {
|
|
1527
|
+
const localNodeId = resolveLocalNodeId();
|
|
1528
|
+
const clientInstanceId = connectParams.client.instanceId?.trim();
|
|
1529
|
+
if (localNodeId && clientInstanceId && clientInstanceId === localNodeId) {
|
|
1530
|
+
const gatewayVersion = resolveRuntimeServiceVersion(process.env);
|
|
1531
|
+
const clientVersion = connectParams.client.version;
|
|
1532
|
+
if (clientVersion && gatewayVersion && clientVersion !== gatewayVersion && isReleasedVersion(gatewayVersion) && isReleasedVersion(clientVersion)) {
|
|
1533
|
+
logWsControl.info(`node version mismatch conn=${connId} client=${formatForLog(clientLabel)} clientVersion=${formatForLog(clientVersion)} gatewayVersion=${gatewayVersion}; closing for supervisor restart`);
|
|
1534
|
+
sendHandshakeErrorResponse(ErrorCodes.INVALID_REQUEST, "client version mismatch", { details: {
|
|
1535
|
+
code: ConnectErrorDetailCodes.CLIENT_VERSION_MISMATCH,
|
|
1536
|
+
clientVersion,
|
|
1537
|
+
gatewayVersion
|
|
1538
|
+
} });
|
|
1539
|
+
close(1008, "client version mismatch");
|
|
1540
|
+
return;
|
|
1541
|
+
}
|
|
1542
|
+
}
|
|
1543
|
+
}
|
|
1544
|
+
if (!setClient(nextClient)) {
|
|
1545
|
+
setCloseCause("connect-aborted-before-register", {
|
|
1546
|
+
...clientMeta,
|
|
1547
|
+
auth: authMethod
|
|
1548
|
+
});
|
|
1549
|
+
return;
|
|
1550
|
+
}
|
|
1551
|
+
setHandshakeState("connected");
|
|
1552
|
+
logWs("in", "connect", {
|
|
1553
|
+
connId,
|
|
1554
|
+
client: connectParams.client.id,
|
|
1555
|
+
clientDisplayName: connectParams.client.displayName,
|
|
1556
|
+
version: connectParams.client.version,
|
|
1557
|
+
mode: connectParams.client.mode,
|
|
1558
|
+
clientId,
|
|
1559
|
+
platform: connectParams.client.platform,
|
|
1560
|
+
auth: authMethod
|
|
1561
|
+
});
|
|
1562
|
+
if (isWebchatConnect(connectParams)) logWsControl.info(`webchat connected conn=${connId} remote=${remoteAddr ?? "?"} client=${clientLabel} ${connectParams.client.mode} v${connectParams.client.version}`);
|
|
1563
|
+
if (presenceKey) {
|
|
1564
|
+
upsertPresence(presenceKey, {
|
|
1565
|
+
host: connectParams.client.displayName ?? connectParams.client.id ?? os.hostname(),
|
|
1566
|
+
ip: isLocalClient ? void 0 : reportedClientIp,
|
|
1567
|
+
version: connectParams.client.version,
|
|
1568
|
+
platform: connectParams.client.platform,
|
|
1569
|
+
deviceFamily: connectParams.client.deviceFamily,
|
|
1570
|
+
modelIdentifier: connectParams.client.modelIdentifier,
|
|
1571
|
+
mode: connectParams.client.mode,
|
|
1572
|
+
deviceId: device?.id,
|
|
1573
|
+
roles: [role],
|
|
1574
|
+
scopes,
|
|
1575
|
+
instanceId: device?.id ?? instanceId,
|
|
1576
|
+
reason: "connect"
|
|
1577
|
+
});
|
|
1578
|
+
incrementPresenceVersion();
|
|
1579
|
+
}
|
|
1580
|
+
if (role === "node") {
|
|
1581
|
+
const context = buildRequestContext();
|
|
1582
|
+
const nodeSession = context.nodeRegistry.register(nextClient, { remoteIp: reportedClientIp });
|
|
1583
|
+
const instanceIdRaw = connectParams.client.instanceId;
|
|
1584
|
+
const instanceId = typeof instanceIdRaw === "string" ? instanceIdRaw.trim() : "";
|
|
1585
|
+
const nodeIdsForPairing = new Set([nodeSession.nodeId]);
|
|
1586
|
+
if (instanceId) nodeIdsForPairing.add(instanceId);
|
|
1587
|
+
for (const nodeId of nodeIdsForPairing) updatePairedNodeMetadata(nodeId, { lastConnectedAtMs: nodeSession.connectedAtMs }).catch((err) => logGateway.warn(`failed to record last connect for ${nodeId}: ${formatForLog(err)}`));
|
|
1588
|
+
recordRemoteNodeInfo({
|
|
1589
|
+
nodeId: nodeSession.nodeId,
|
|
1590
|
+
displayName: nodeSession.displayName,
|
|
1591
|
+
platform: nodeSession.platform,
|
|
1592
|
+
deviceFamily: nodeSession.deviceFamily,
|
|
1593
|
+
commands: nodeSession.commands,
|
|
1594
|
+
remoteIp: nodeSession.remoteIp
|
|
1595
|
+
});
|
|
1596
|
+
refreshRemoteNodeBins({
|
|
1597
|
+
nodeId: nodeSession.nodeId,
|
|
1598
|
+
platform: nodeSession.platform,
|
|
1599
|
+
deviceFamily: nodeSession.deviceFamily,
|
|
1600
|
+
commands: nodeSession.commands,
|
|
1601
|
+
cfg: getRuntimeConfig()
|
|
1602
|
+
}).catch((err) => logGateway.warn(`remote bin probe failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
|
|
1603
|
+
loadVoiceWakeConfig().then((cfg) => {
|
|
1604
|
+
context.nodeRegistry.sendEvent(nodeSession.nodeId, "voicewake.changed", { triggers: cfg.triggers });
|
|
1605
|
+
}).catch((err) => logGateway.warn(`voicewake snapshot failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
|
|
1606
|
+
loadVoiceWakeRoutingConfig().then((routing) => {
|
|
1607
|
+
context.nodeRegistry.sendEvent(nodeSession.nodeId, "voicewake.routing.changed", { config: routing });
|
|
1608
|
+
}).catch((err) => logGateway.warn(`voicewake routing snapshot failed for ${nodeSession.nodeId}: ${formatForLog(err)}`));
|
|
1609
|
+
}
|
|
1610
|
+
const snapshot = buildGatewaySnapshot({ includeSensitive: scopes.includes(ADMIN_SCOPE) });
|
|
1611
|
+
const cachedHealth = getHealthCache();
|
|
1612
|
+
if (cachedHealth) {
|
|
1613
|
+
snapshot.health = cachedHealth;
|
|
1614
|
+
snapshot.stateVersion.health = getHealthVersion();
|
|
1615
|
+
}
|
|
1616
|
+
const helloOkAuthScopes = deviceToken ? deviceToken.scopes : scopes;
|
|
1617
|
+
const helloOk = {
|
|
1618
|
+
type: "hello-ok",
|
|
1619
|
+
protocol: 4,
|
|
1620
|
+
server: {
|
|
1621
|
+
version: resolveRuntimeServiceVersion(process.env),
|
|
1622
|
+
connId
|
|
1623
|
+
},
|
|
1624
|
+
features: {
|
|
1625
|
+
methods: gatewayMethods,
|
|
1626
|
+
events
|
|
1627
|
+
},
|
|
1628
|
+
snapshot,
|
|
1629
|
+
...Object.keys(pluginSurfaceUrls).length > 0 ? { pluginSurfaceUrls } : {},
|
|
1630
|
+
auth: {
|
|
1631
|
+
role,
|
|
1632
|
+
scopes: helloOkAuthScopes,
|
|
1633
|
+
...deviceToken ? {
|
|
1634
|
+
deviceToken: deviceToken.token,
|
|
1635
|
+
issuedAtMs: deviceToken.rotatedAtMs ?? deviceToken.createdAtMs,
|
|
1636
|
+
...bootstrapDeviceTokens.length > 1 ? { deviceTokens: bootstrapDeviceTokens.slice(1) } : {}
|
|
1637
|
+
} : {}
|
|
1638
|
+
},
|
|
1639
|
+
policy: {
|
|
1640
|
+
maxPayload: MAX_PAYLOAD_BYTES,
|
|
1641
|
+
maxBufferedBytes: MAX_BUFFERED_BYTES,
|
|
1642
|
+
tickIntervalMs: TICK_INTERVAL_MS
|
|
1643
|
+
}
|
|
1644
|
+
};
|
|
1645
|
+
let revokedBootstrapTokenRecord;
|
|
1646
|
+
if (authMethod === "bootstrap-token" && bootstrapTokenCandidate && device) try {
|
|
1647
|
+
if (handoffBootstrapProfile || issuedBootstrapProfile) {
|
|
1648
|
+
const redemption = await redeemDeviceBootstrapTokenProfile({
|
|
1649
|
+
token: bootstrapTokenCandidate,
|
|
1650
|
+
role,
|
|
1651
|
+
scopes
|
|
1652
|
+
});
|
|
1653
|
+
if (handoffBootstrapProfile || redemption.fullyRedeemed) {
|
|
1654
|
+
const revoked = await revokeDeviceBootstrapToken({ token: bootstrapTokenCandidate });
|
|
1655
|
+
if (!revoked.removed) logGateway.warn(`bootstrap token revoke skipped after profile redemption device=${device.id}`);
|
|
1656
|
+
else revokedBootstrapTokenRecord = revoked.record;
|
|
1657
|
+
}
|
|
1658
|
+
}
|
|
1659
|
+
} catch (err) {
|
|
1660
|
+
logGateway.warn(`bootstrap token post-connect bookkeeping failed device=${device.id}: ${formatForLog(err)}`);
|
|
1661
|
+
}
|
|
1662
|
+
try {
|
|
1663
|
+
await sendFrame({
|
|
1664
|
+
type: "res",
|
|
1665
|
+
id: frame.id,
|
|
1666
|
+
ok: true,
|
|
1667
|
+
payload: helloOk
|
|
1668
|
+
});
|
|
1669
|
+
} catch (err) {
|
|
1670
|
+
if (revokedBootstrapTokenRecord) try {
|
|
1671
|
+
await restoreDeviceBootstrapToken({ record: revokedBootstrapTokenRecord });
|
|
1672
|
+
} catch (restoreErr) {
|
|
1673
|
+
logGateway.warn(`bootstrap token restore after hello-send failure failed device=${device?.id ?? "unknown"}: ${formatForLog(restoreErr)}`);
|
|
1674
|
+
}
|
|
1675
|
+
setCloseCause("hello-send-failed", { error: formatForLog(err) });
|
|
1676
|
+
close();
|
|
1677
|
+
return;
|
|
1678
|
+
}
|
|
1679
|
+
logWs("out", "hello-ok", {
|
|
1680
|
+
connId,
|
|
1681
|
+
methods: gatewayMethods.length,
|
|
1682
|
+
events: events.length,
|
|
1683
|
+
presence: snapshot.presence.length,
|
|
1684
|
+
stateVersion: snapshot.stateVersion.presence
|
|
1685
|
+
});
|
|
1686
|
+
refreshHealthSnapshot({ probe: false }).catch((err) => logHealth.error(`post-connect health refresh failed: ${formatError(err)}`));
|
|
1687
|
+
return;
|
|
1688
|
+
}
|
|
1689
|
+
if (!validateRequestFrame(parsed)) {
|
|
1690
|
+
send({
|
|
1691
|
+
type: "res",
|
|
1692
|
+
id: parsed?.id ?? "invalid",
|
|
1693
|
+
ok: false,
|
|
1694
|
+
error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid request frame: ${formatValidationErrors(validateRequestFrame.errors)}`)
|
|
1695
|
+
});
|
|
1696
|
+
return;
|
|
1697
|
+
}
|
|
1698
|
+
const req = parsed;
|
|
1699
|
+
logWs("in", "req", {
|
|
1700
|
+
connId,
|
|
1701
|
+
id: req.id,
|
|
1702
|
+
method: req.method
|
|
1703
|
+
});
|
|
1704
|
+
for (;;) {
|
|
1705
|
+
const barrier = deviceCredentialMutationBarrier;
|
|
1706
|
+
if (!barrier) break;
|
|
1707
|
+
await barrier.catch(() => void 0);
|
|
1708
|
+
if (isClosed()) return;
|
|
1709
|
+
}
|
|
1710
|
+
if (closeInvalidatedClient(client, req.method)) return;
|
|
1711
|
+
if (client.usesSharedGatewayAuth) {
|
|
1712
|
+
const requiredSharedGatewaySessionGeneration = getRequiredSharedGatewaySessionGeneration?.();
|
|
1713
|
+
if (requiredSharedGatewaySessionGeneration !== void 0 && client.sharedGatewaySessionGeneration !== requiredSharedGatewaySessionGeneration) {
|
|
1714
|
+
setCloseCause("gateway-auth-rotated", {
|
|
1715
|
+
authGenerationStale: true,
|
|
1716
|
+
method: req.method
|
|
1717
|
+
});
|
|
1718
|
+
close(4001, "gateway auth changed");
|
|
1719
|
+
return;
|
|
1720
|
+
}
|
|
1721
|
+
}
|
|
1722
|
+
const respond = (ok, payload, error, meta) => {
|
|
1723
|
+
send({
|
|
1724
|
+
type: "res",
|
|
1725
|
+
id: req.id,
|
|
1726
|
+
ok,
|
|
1727
|
+
payload,
|
|
1728
|
+
error
|
|
1729
|
+
});
|
|
1730
|
+
const unauthorizedRoleError = isUnauthorizedRoleError(error);
|
|
1731
|
+
let logMeta = meta;
|
|
1732
|
+
if (unauthorizedRoleError) {
|
|
1733
|
+
const unauthorizedDecision = unauthorizedFloodGuard.registerUnauthorized();
|
|
1734
|
+
if (unauthorizedDecision.suppressedSinceLastLog > 0) logMeta = {
|
|
1735
|
+
...logMeta,
|
|
1736
|
+
suppressedUnauthorizedResponses: unauthorizedDecision.suppressedSinceLastLog
|
|
1737
|
+
};
|
|
1738
|
+
if (!unauthorizedDecision.shouldLog) return;
|
|
1739
|
+
if (unauthorizedDecision.shouldClose) {
|
|
1740
|
+
setCloseCause("repeated-unauthorized-requests", {
|
|
1741
|
+
unauthorizedCount: unauthorizedDecision.count,
|
|
1742
|
+
method: req.method
|
|
1743
|
+
});
|
|
1744
|
+
queueMicrotask(() => close(1008, "repeated unauthorized calls"));
|
|
1745
|
+
}
|
|
1746
|
+
logMeta = {
|
|
1747
|
+
...logMeta,
|
|
1748
|
+
unauthorizedCount: unauthorizedDecision.count
|
|
1749
|
+
};
|
|
1750
|
+
} else unauthorizedFloodGuard.reset();
|
|
1751
|
+
logWs("out", "res", {
|
|
1752
|
+
connId,
|
|
1753
|
+
id: req.id,
|
|
1754
|
+
ok,
|
|
1755
|
+
method: req.method,
|
|
1756
|
+
errorCode: error?.code,
|
|
1757
|
+
errorMessage: error?.message,
|
|
1758
|
+
...logMeta
|
|
1759
|
+
});
|
|
1760
|
+
};
|
|
1761
|
+
const dispatch = (async () => {
|
|
1762
|
+
const { handleGatewayRequest } = await import("./server-methods-C7EnpOhB.js");
|
|
1763
|
+
await handleGatewayRequest({
|
|
1764
|
+
req,
|
|
1765
|
+
respond,
|
|
1766
|
+
client,
|
|
1767
|
+
isWebchatConnect,
|
|
1768
|
+
extraHandlers,
|
|
1769
|
+
methodRegistry: getMethodRegistry?.(),
|
|
1770
|
+
context: buildRequestContext()
|
|
1771
|
+
});
|
|
1772
|
+
})().catch((err) => {
|
|
1773
|
+
logGateway.error(`request handler failed: ${formatForLog(err)}`);
|
|
1774
|
+
respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
|
|
1775
|
+
});
|
|
1776
|
+
if (DEVICE_CREDENTIAL_INVALIDATING_METHODS.has(req.method)) {
|
|
1777
|
+
const barrier = dispatch.finally(() => {
|
|
1778
|
+
if (deviceCredentialMutationBarrier === barrier) deviceCredentialMutationBarrier = void 0;
|
|
1779
|
+
});
|
|
1780
|
+
deviceCredentialMutationBarrier = barrier;
|
|
1781
|
+
}
|
|
1782
|
+
} catch (err) {
|
|
1783
|
+
logGateway.error(`parse/handle error: ${String(err)}`);
|
|
1784
|
+
logWs("out", "parse-error", {
|
|
1785
|
+
connId,
|
|
1786
|
+
error: formatForLog(err)
|
|
1787
|
+
});
|
|
1788
|
+
if (!getClient()) close();
|
|
1789
|
+
}
|
|
1790
|
+
};
|
|
1791
|
+
socket.on("message", (data) => {
|
|
1792
|
+
runWithDiagnosticTraceContext(createDiagnosticTraceContext(), () => handleMessage(data));
|
|
1793
|
+
});
|
|
1794
|
+
}
|
|
1795
|
+
function getRawDataByteLength(data) {
|
|
1796
|
+
if (Buffer.isBuffer(data)) return data.byteLength;
|
|
1797
|
+
if (Array.isArray(data)) return data.reduce((total, chunk) => total + chunk.byteLength, 0);
|
|
1798
|
+
if (data instanceof ArrayBuffer) return data.byteLength;
|
|
1799
|
+
return Buffer.byteLength(String(data));
|
|
1800
|
+
}
|
|
1801
|
+
function setSocketMaxPayload(socket, maxPayload) {
|
|
1802
|
+
const receiver = socket["_receiver"];
|
|
1803
|
+
if (receiver) receiver["_maxPayload"] = maxPayload;
|
|
1804
|
+
}
|
|
1805
|
+
//#endregion
|
|
1806
|
+
export { attachGatewayWsMessageHandler };
|