hatchkit 0.1.22 → 0.1.24

package/dist/provision/s3-buckets.js

@@ -0,0 +1,376 @@
+/*
+ * S3/R2 bucket provisioning for adopted projects.
+ *
+ * Closes the gap between `hatchkit config add s3 r2` (which only stores
+ * credentials in the global config + keychain) and a project that
+ * actually needs working buckets + env wiring at runtime. Splits the
+ * provisioning into two clear roles:
+ *
+ *   · "assets"  — public, hot path. Fronts large pre-built media
+ *                 (AVIF/WebP/originals). Public URL goes into a
+ *                 NEXT_PUBLIC_ASSETS_BASE_URL-style env var so the
+ *                 client can fetch directly.
+ *   · "state"   — private, cold. Used for small server-side files
+ *                 (cron state, audit logs). Never publicly reachable.
+ *
+ * Public URL strategy for the assets bucket, in order:
+ *   1. Custom domain on a Cloudflare zone the user owns
+ *      (`assets.<project-domain>` or a caller-provided override) —
+ *      preferred long-term, no `r2.dev` rate limits.
+ *   2. Managed `pub-<hash>.r2.dev` domain — fallback when no zone
+ *      matches the project's domain.
+ *
+ * Env var names are project-specific. Some projects standardised on
+ * R2_*; others on the generic S3_* / AWS_* set the starter ships. We
+ * sniff the project's `.env.example` for whichever prefix the runtime
+ * already reads, so the seeded values match. Without this the env
+ * lands under names the app's `process.env.X` calls won't pick up.
+ *
+ * Idempotent on every step: existing buckets are reused (409 →
+ * success), existing managed/custom domains are re-fetched, and env
+ * vars overwrite in place (so re-runs after a failure don't duplicate
+ * lines or leave the file half-written).
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { set as dotenvxSet } from "@dotenvx/dotenvx";
+import chalk from "chalk";
+import ora from "ora";
+import { getDnsConfig, getS3Config } from "../config.js";
+import { MANIFEST_FILENAME, readManifest, writeManifest, } from "../scaffold/manifest.js";
+import { CloudflareApi } from "../utils/cloudflare-api.js";
+import { SECRET_KEYS, getSecret } from "../utils/secrets.js";
+/** Account ID = the subdomain in the S3 endpoint
+ *  `https://<accountId>.r2.cloudflarestorage.com`. */
+export function accountIdFromR2Endpoint(endpoint) {
+    const m = endpoint.match(/https?:\/\/([0-9a-f]{32})\.r2\.cloudflarestorage\.com/i);
+    if (!m)
+        throw new Error(`Endpoint ${endpoint} doesn't look like an R2 S3 endpoint.`);
+    return m[1];
+}
+/** Sniff the project's `.env.example` (and falling back to source files)
+ *  to pick the env-var prefix the runtime already reads. Some projects
+ *  use R2_*, others S3_*, others AWS_*. Picking the wrong prefix here
+ *  is the difference between "deploys" and "deploys but every request
+ *  throws Missing required env var". */
+export function detectEnvPrefix(projectDir) {
+    const candidates = [
+        join(projectDir, ".env.example"),
+        join(projectDir, ".env.development"),
+        join(projectDir, ".env.production"),
+    ];
+    let r2 = 0;
+    let s3 = 0;
+    let aws = 0;
+    for (const p of candidates) {
+        if (!existsSync(p))
+            continue;
+        const text = readFileSync(p, "utf-8");
+        r2 += (text.match(/(^|\s)R2_[A-Z_]+\s*=/gm) ?? []).length;
+        s3 += (text.match(/(^|\s)S3_[A-Z_]+\s*=/gm) ?? []).length;
+        aws += (text.match(/(^|\s)AWS_(REGION|ACCESS_KEY_ID|SECRET_ACCESS_KEY)\s*=/gm) ?? []).length;
+    }
+    // Highest wins; ties prefer R2 (most explicit) > S3 > AWS.
+    const pairs = [
+        ["R2", r2],
+        ["S3", s3],
+        ["AWS", aws],
+    ];
+    pairs.sort((a, b) => b[1] - a[1]);
+    if (pairs[0][1] === 0)
+        return "S3"; // nothing detected — match starter default
+    return pairs[0][0];
+}
+/** Map the detected prefix to the full set of env var names. R2 and S3
+ *  use distinct endpoint/bucket names but share the access-key shape;
+ *  AWS uses the AWS_* triple instead of S3_*. */
+export function envKeysForPrefix(prefix) {
+    if (prefix === "R2") {
+        return {
+            endpoint: "R2_ENDPOINT",
+            accessKey: "R2_ACCESS_KEY_ID",
+            secretKey: "R2_SECRET_ACCESS_KEY",
+            region: "R2_REGION",
+            bucket: "R2_STATE_BUCKET",
+            publicUrl: "NEXT_PUBLIC_ASSETS_BASE_URL",
+        };
+    }
+    if (prefix === "AWS") {
+        return {
+            endpoint: "S3_ENDPOINT",
+            accessKey: "AWS_ACCESS_KEY_ID",
+            secretKey: "AWS_SECRET_ACCESS_KEY",
+            region: "AWS_REGION",
+            bucket: "S3_BUCKET_NAME",
+            publicUrl: "S3_PUBLIC_URL",
+        };
+    }
+    return {
+        endpoint: "S3_ENDPOINT",
+        accessKey: "S3_ACCESS_KEY_ID",
+        secretKey: "S3_SECRET_ACCESS_KEY",
+        region: "S3_REGION",
+        bucket: "S3_BUCKET_NAME",
+        publicUrl: "S3_PUBLIC_URL",
+    };
+}
+/** Read existing keys in `.env.production` so re-runs don't clobber a
+ *  value the user has since edited. Returns the set of plain or
+ *  encrypted KEYs present (we don't try to decrypt — encrypted values
+ *  always have a `KEY="encrypted:..."` shape). */
+function existingEnvKeys(envPath) {
+    if (!existsSync(envPath))
+        return new Set();
+    const text = readFileSync(envPath, "utf-8");
+    const keys = new Set();
+    for (const line of text.split("\n")) {
+        const m = line.match(/^([A-Z][A-Z0-9_]*)=/);
+        if (m)
+            keys.add(m[1]);
+    }
+    return keys;
+}
+/** Build the rclone config snippet the user can paste into
+ *  `~/.config/rclone/rclone.conf`. Keeps this OUT of the file system
+ *  (the user's existing rclone config has other remotes — we don't
+ *  want to mangle them). */
+function buildRcloneSnippet(opts) {
+    return [
+        `[${opts.remoteName}]`,
+        `type = s3`,
+        `provider = Cloudflare`,
+        `access_key_id = ${opts.accessKey}`,
+        `secret_access_key = ${opts.secretKey}`,
+        `endpoint = ${opts.endpoint}`,
+        `acl = private`,
+        `no_check_bucket = true`,
+        "",
+    ].join("\n");
+}
+/** Provision the public+private bucket pair for an adopted project,
+ *  wire the resulting credentials/URLs into its `.env.production`, and
+ *  record the bucket names in `.hatchkit.json`. Idempotent on re-run. */
+export async function provisionS3ForProject(opts) {
+    const provider = opts.provider ?? "r2";
+    const manifest = readManifest(opts.projectDir);
+    if (!manifest) {
+        throw new Error(`No ${MANIFEST_FILENAME} in ${opts.projectDir}. Run \`hatchkit adopt\` first.`);
+    }
+    // Provider config + credentials. Both must be present — without
+    // them we'd be writing CHANGE_ME values into the encrypted file,
+    // which is worse than failing fast.
+    const s3 = await getS3Config(provider);
+    if (!s3) {
+        throw new Error(`S3 provider "${provider}" is not configured. Run \`hatchkit config add s3\` and pick ${provider}.`);
+    }
+    if (!s3.endpoint) {
+        throw new Error(`S3 provider "${provider}" has no endpoint set in global config.`);
+    }
+    if (provider !== "r2") {
+        throw new Error(`Bucket auto-provisioning is only implemented for R2 today (got ${provider}). The runtime env wiring still works for any S3 — see \`hatchkit provision s3 --skip-create\` (TODO).`);
+    }
+    const accountId = accountIdFromR2Endpoint(s3.endpoint);
+    // DNS config — needed only when we're about to attempt a custom
+    // domain. Absence is fine; we fall back to the managed r2.dev URL.
+    const dns = await getDnsConfig();
+    // R2 admin token. Kept separate from the DNS token because the DNS
+    // token is typically scoped narrowly (Zone:DNS:Edit + Zone:Zone:Read)
+    // and the R2 admin endpoints need account-level perms. Caller
+    // (handleProvisionS3) is responsible for prompting + storing this
+    // when missing — this function fails fast so non-interactive callers
+    // (adopt's auto-step) get a clear hint instead of an opaque 10000.
+    const adminToken = await getSecret(SECRET_KEYS.r2AdminToken);
+    if (!adminToken) {
+        throw new Error("R2 admin token not configured. Run `hatchkit provision s3` interactively, " +
+            "or pre-set with: hatchkit config add s3 (TODO) — needs Account > Workers R2 Storage > Edit.");
+    }
+    // For the zone lookup (custom-domain attach) we need the DNS token's
+    // Zone:Zone:Read; the admin token may or may not have it. Use whichever
+    // we have available, preferring the DNS token because that's the one
+    // that's been verified for zone reads in `hatchkit doctor`.
+    const zoneToken = dns?.provider === "cloudflare" ? (dns.apiToken ?? adminToken) : adminToken;
+    const cf = new CloudflareApi({ token: adminToken });
+    const cfZone = new CloudflareApi({ token: zoneToken });
+    const projectName = manifest.name;
+    const domain = manifest.domain;
+    const assetsBucketName = opts.assetsBucketName ?? `${projectName}-assets`;
+    const stateBucketName = opts.stateBucketName ?? `${projectName}-state`;
+    const locationHint = opts.locationHint ?? "weur";
+    // 1. Create the two buckets (idempotent).
+    const spinner = ora(`Creating R2 buckets (${assetsBucketName}, ${stateBucketName})`).start();
+    let assetsBucket;
+    let stateBucket;
+    try {
+        assetsBucket = await cf.createR2Bucket(accountId, assetsBucketName, { locationHint });
+        stateBucket = await cf.createR2Bucket(accountId, stateBucketName, { locationHint });
+        spinner.succeed(`R2 buckets ready — ${assetsBucketName} (${assetsBucket.existed ? "exists" : "created"}), ${stateBucketName} (${stateBucket.existed ? "exists" : "created"})`);
+    }
+    catch (err) {
+        spinner.fail("R2 bucket creation failed");
+        const msg = err.message;
+        if (/403|10001|permission/i.test(msg)) {
+            throw new Error(`${msg}\n\n  → Cloudflare token is missing the "Workers R2 Storage: Edit" permission.\n  → Edit it at https://dash.cloudflare.com/profile/api-tokens, then re-run.`);
+        }
+        throw err;
+    }
+    // 2. Public URL for the assets bucket. Prefer a custom domain on a
+    //    Cloudflare zone we own; fall back to the managed r2.dev URL.
+    let publicUrl;
+    let publicUrlSource;
+    // Pick the hostname. Default `assets.<domain>`; allow caller override.
+    const customHostname = opts.publicHostname ?? `assets.${domain}`;
+    // Find the closest matching zone (the registrable name — last
+    // two labels of the host, or the host itself if the user passed a
+    // bare apex).
+    const zoneName = pickClosestZoneName(customHostname);
+    try {
+        const zone = await cfZone.getZoneByName(zoneName);
+        if (zone) {
+            const customSpinner = ora(`Attaching custom domain ${customHostname}`).start();
+            try {
+                const cd = await cf.addR2CustomDomain(accountId, assetsBucketName, {
+                    domain: customHostname,
+                    zoneId: zone.id,
+                    minTLS: "1.2",
+                });
+                publicUrl = `https://${cd.domain}`;
+                publicUrlSource = "custom-domain";
+                customSpinner.succeed(`Custom domain ${cd.existed ? "already attached" : "attached"} — ${publicUrl}`);
+            }
+            catch (err) {
+                customSpinner.warn(`Custom domain failed (${err.message.split("\n")[0]}) — falling back to r2.dev managed URL`);
+            }
+        }
+    }
+    catch (err) {
+        // Zone lookup is best-effort. Don't fail the whole flow on it.
+        console.log(chalk.dim(`  · Zone lookup for ${zoneName} failed: ${err.message.split("\n")[0]}`));
+    }
+    if (!publicUrl) {
+        const managedSpinner = ora(`Enabling managed r2.dev URL on ${assetsBucketName}`).start();
+        try {
+            const md = await cf.enableR2ManagedDomain(accountId, assetsBucketName, true);
+            publicUrl = `https://${md.domain}`;
+            publicUrlSource = "managed-r2dev";
+            managedSpinner.succeed(`Managed r2.dev URL enabled — ${publicUrl}`);
+        }
+        catch (err) {
+            managedSpinner.fail("Could not enable a public URL on the assets bucket");
+            throw err;
+        }
+    }
+    // 3. Seed `.env.production` with the credentials + URLs. Names are
+    //    chosen by the prefix the project's runtime actually reads —
+    //    detected from `.env.example` etc.
+    const envPrefix = opts.envPrefix ?? detectEnvPrefix(opts.projectDir);
+    const keys = envKeysForPrefix(envPrefix);
+    const envPath = join(opts.projectDir, ".env.production");
+    const existingKeys = existingEnvKeys(envPath);
+    const toWrite = [];
+    const skip = (key) => existingKeys.has(key);
+    // ENDPOINT, ACCESS_KEY, SECRET_KEY, REGION are credentials that
+    // the runtime always needs. Re-write on every run (cheap, and the
+    // user might've rotated keys). REGION is "auto" for R2 — the SDK
+    // ignores it anyway when an explicit endpoint is given, but
+    // setting it suppresses an `AWS_REGION` warning at runtime.
+    toWrite.push({ key: keys.endpoint, value: s3.endpoint });
+    toWrite.push({ key: keys.accessKey, value: s3.accessKey });
+    toWrite.push({ key: keys.secretKey, value: s3.secretKey });
+    toWrite.push({ key: keys.region, value: s3.region ?? "auto" });
+    // BUCKET name — keys.bucket is "<PREFIX>_STATE_BUCKET" for R2 (the
+    // private bucket is the only one a server lib reads through env;
+    // assets are URL-driven). For S3/AWS prefixes the canonical key is
+    // <PREFIX>_BUCKET_NAME pointing at the assets bucket. Match the
+    // semantics of each prefix.
+    if (envPrefix === "R2") {
+        toWrite.push({ key: keys.bucket, value: stateBucketName });
+    }
+    else {
+        toWrite.push({ key: keys.bucket, value: assetsBucketName });
+    }
+    // Public URL — only seed if the project's runtime reads the
+    // matching key. Detected via `.env.example` keys for both the
+    // primary (`NEXT_PUBLIC_ASSETS_BASE_URL`) and the prefixed fallback.
+    // Always write it under NEXT_PUBLIC_ASSETS_BASE_URL when present in
+    // .env.example since that's the next.js convention; under
+    // <PREFIX>_PUBLIC_URL for non-Next projects.
+    const examplePath = join(opts.projectDir, ".env.example");
+    const exampleText = existsSync(examplePath) ? readFileSync(examplePath, "utf-8") : "";
+    const usesNextPublicAssets = /NEXT_PUBLIC_ASSETS_BASE_URL/.test(exampleText);
+    if (usesNextPublicAssets) {
+        toWrite.push({ key: "NEXT_PUBLIC_ASSETS_BASE_URL", value: publicUrl });
+    }
+    else if (envPrefix === "S3" || envPrefix === "AWS") {
+        toWrite.push({ key: keys.publicUrl, value: publicUrl });
+    }
+    // CRON_SECRET — the project's .env.example documents one if it has
+    // a cron route. Generate fresh, encrypt. Skip if already set.
+    if (opts.generateCronSecret !== false &&
+        /CRON_SECRET/.test(exampleText) &&
+        !skip("CRON_SECRET")) {
+        const { randomBytes } = await import("node:crypto");
+        toWrite.push({ key: "CRON_SECRET", value: randomBytes(32).toString("hex") });
+    }
+    const envWritten = [];
+    const envKept = [];
+    const envSpinner = ora(`Writing ${toWrite.length} entries to .env.production`).start();
+    try {
+        for (const { key, value } of toWrite) {
+            // Idempotency: re-write everything except CRON_SECRET (treated
+            // above) on every run. dotenvx.set overwrites in place, so
+            // values stay singletons in the file.
+            if (key === "CRON_SECRET" && skip(key)) {
+                envKept.push(key);
+                continue;
+            }
+            dotenvxSet(key, value, { path: envPath, encrypt: true });
+            envWritten.push(key);
+        }
+        envSpinner.succeed(`Wrote ${envWritten.length} encrypted entries to .env.production`);
+    }
+    catch (err) {
+        envSpinner.fail("Could not write .env.production");
+        throw err;
+    }
+    // 4. Record bucket names + public URL in the manifest so re-runs
+    //    don't have to re-derive them and a future `hatchkit destroy`
+    //    knows what to clean up.
+    const updated = {
+        ...manifest,
+        s3Buckets: {
+            assets: { name: assetsBucketName, publicUrl },
+            state: { name: stateBucketName, publicUrl: null },
+        },
+    };
+    writeManifest(opts.projectDir, updated);
+    console.log(chalk.dim(`  · Recorded bucket names in ${MANIFEST_FILENAME} (${publicUrlSource}).`));
+    // 5. rclone snippet (printed by caller, returned here so callers
+    //    can capture it programmatically too). Don't write the snippet
+    //    to disk — the user's existing rclone config has unrelated
+    //    remotes and we don't want to mangle them.
+    const rcloneSnippet = buildRcloneSnippet({
+        remoteName: `r2-${projectName}`,
+        endpoint: s3.endpoint,
+        accessKey: s3.accessKey,
+        secretKey: s3.secretKey,
+    });
+    return {
+        assets: { name: assetsBucketName, publicUrl, created: !assetsBucket.existed },
+        state: { name: stateBucketName, created: !stateBucket.existed },
+        envWritten,
+        envKept,
+        rcloneSnippet,
+    };
+}
+/** Pick the registrable zone name for a hostname. Cloudflare keeps
+ *  zones at the registrable level (example.com), so to attach
+ *  `assets.foo.example.com` we look up `example.com`. Two-label
+ *  apex stays as-is. This is the same shape the existing DNS code
+ *  uses; see `cli/src/deploy/coolify-app.ts` for parallels. */
+function pickClosestZoneName(hostname) {
+    const parts = hostname.split(".");
+    if (parts.length <= 2)
+        return hostname;
+    return parts.slice(-2).join(".");
+}
+//# sourceMappingURL=s3-buckets.js.map

package/dist/provision/s3-buckets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3-buckets.js","sourceRoot":"","sources":["../../src/provision/s3-buckets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,GAAG,IAAI,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EACL,iBAAiB,EAEjB,YAAY,EACZ,aAAa,GACd,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAmC7D;sDACsD;AACtD,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;IACnF,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,YAAY,QAAQ,uCAAuC,CAAC,CAAC;IACrF,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;AACd,CAAC;AAED;;;;wCAIwC;AACxC,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC;QAChC,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC;QACpC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC;KACpC,CAAC;IACF,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAAE,SAAS;QAC7B,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACtC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAC1D,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAC1D,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,0DAA0D,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IAC/F,CAAC;IACD,2DAA2D;IAC3D,MAAM,KAAK,GAA+B;QACxC,CAAC,IAAI,EAAE,EAAE,CAAC;QACV,CAAC,IAAI,EAAE,EAAE,CAAC;QACV,CAAC,KAAK,EAAE,GAAG,CAAC;KACb,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,2CAA2C;IAC/E,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACrB,CAAC;AAED;;iDAEiD;AACjD,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAQhD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO;YACL,QAAQ,EAAE,aAAa;YACvB,SAAS,EAAE,kBAAkB;YAC7B,SAAS,EAAE,sBAAsB;YACjC,MAAM,EAAE,WAAW;YACnB,MAAM,EAAE,iBAAiB;YACzB,SAAS,EAAE,6BAA6B;SACzC,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ,EAAE,aAAa;YACvB,SAAS,EAAE,mBAAmB;YAC9B,SAAS,EAAE,uBAAuB;YAClC,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE,gBAAgB;YACxB,SAAS,EAAE,eAAe;SAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,aAAa;QACvB,SAAS,EAAE,kBAAkB;QAC7B,SAAS,EAAE,sBAAsB;QACjC,MAAM,EAAE,WAAW;QACnB,MAAM,EAAE,gBAAgB;QACxB,SAAS,EAAE,eAAe;KAC3B,CAAC;AACJ,CAAC;AAED;;;kDAGkD;AAClD,SAAS,eAAe,CAAC,OAAe;IACtC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,GAAG,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAC5C,IAAI,CAAC;YAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;4BAG4B;AAC5B,SAAS,kBAAkB,CAAC,IAK3B;IACC,OAAO;QACL,IAAI,IAAI,CAAC,UAAU,GAAG;QACtB,WAAW;QACX,uBAAuB;QACvB,mBAAmB,IAAI,CAAC,SAAS,EAAE;QACnC,uBAAuB,IAAI,CAAC,SAAS,EAAE;QACvC,cAAc,IAAI,CAAC,QAAQ,EAAE;QAC7B,eAAe;QACf,wBAAwB;QACxB,EAAE;KACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED;;yEAEyE;AACzE,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,IAAqB;IAC/D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC;IACvC,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,MAAM,iBAAiB,OAAO,IAAI,CAAC,UAAU,iCAAiC,CAAC,CAAC;IAClG,CAAC;IAED,gEAAgE;IAChE,iEAAiE;IACjE,oCAAoC;IACpC,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CACb,gBAAgB,QAAQ,gEAAgE,QAAQ,GAAG,CACpG,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,yCAAyC,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,kEAAkE,QAAQ,wGAAwG,CACnL,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,uBAAuB,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC;IAEvD,gEAAgE;IAChE,mEAAmE;IACnE,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAC;IAEjC,mEAAmE;IACnE,sEAAsE;IACtE,8DAA8D;IAC9D,kEAAkE;IAClE,qEAAqE;IACrE,mEAAmE;IACnE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAC7D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,6FAA6F,CAChG,CAAC;IACJ,CAAC;IAED,qEAAqE;IACrE,wEAAwE;IACxE,qEAAqE;IACrE,4DAA4D;IAC5D,MAAM,SAAS,GAAG,GAAG,EAAE,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7F,MAAM,EAAE,GAAG,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC;IAClC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC/B,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,IAAI,GAAG,WAAW,SAAS,CAAC;IAC1E,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,GAAG,WAAW,QAAQ,CAAC;IACvE,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC;IAEjD,0CAA0C;IAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,wBAAwB,gBAAgB,KAAK,eAAe,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC;IAC7F,IAAI,YAAkC,CAAC;IACvC,IAAI,WAAiC,CAAC;IACtC,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,EAAE,CAAC,cAAc,CAAC,SAAS,EAAE,gBAAgB,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QACtF,WAAW,GAAG,MAAM,EAAE,CAAC,cAAc,CAAC,SAAS,EAAE,eAAe,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QACpF,OAAO,CAAC,OAAO,CACb,sBAAsB,gBAAgB,KAAK,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,MAAM,eAAe,KAAK,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,GAAG,CAC9J,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAI,GAAa,CAAC,OAAO,CAAC;QACnC,IAAI,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,GAAG,GAAG,6JAA6J,CACpK,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,IAAI,SAA6B,CAAC;IAClC,IAAI,eAA8D,CAAC;IAEnE,uEAAuE;IACvE,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,UAAU,MAAM,EAAE,CAAC;IACjE,8DAA8D;IAC9D,kEAAkE;IAClE,cAAc;IACd,MAAM,QAAQ,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAC;IAErD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAClD,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,aAAa,GAAG,GAAG,CAAC,2BAA2B,cAAc,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;YAC/E,IAAI,CAAC;gBACH,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,SAAS,EAAE,gBAAgB,EAAE;oBACjE,MAAM,EAAE,cAAc;oBACtB,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,MAAM,EAAE,KAAK;iBACd,CAAC,CAAC;gBACH,SAAS,GAAG,WAAW,EAAE,CAAC,MAAM,EAAE,CAAC;gBACnC,eAAe,GAAG,eAAe,CAAC;gBAClC,aAAa,CAAC,OAAO,CACnB,iBAAiB,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,UAAU,MAAM,SAAS,EAAE,CAC/E,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,aAAa,CAAC,IAAI,CAChB,yBAA0B,GAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,wCAAwC,CACvG,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,+DAA+D;QAC/D,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,uBAAuB,QAAQ,YAAa,GAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAC9F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,cAAc,GAAG,GAAG,CAAC,kCAAkC,gBAAgB,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;QACzF,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,qBAAqB,CAAC,SAAS,EAAE,gBAAgB,EAAE,IAAI,CAAC,CAAC;YAC7E,SAAS,GAAG,WAAW,EAAE,CAAC,MAAM,EAAE,CAAC;YACnC,eAAe,GAAG,eAAe,CAAC;YAClC,cAAc,CAAC,OAAO,CAAC,gCAAgC,SAAS,EAAE,CAAC,CAAC;QACtE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,cAAc,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YAC1E,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,iEAAiE;IACjE,uCAAuC;IACvC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,IAAI,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAEzD,MAAM,YAAY,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAE9C,MAAM,OAAO,GAA0C,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,CAAC,GAAW,EAAW,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE7D,gEAAgE;IAChE,kEAAkE;IAClE,iEAAiE;IACjE,4DAA4D;IAC5D,4DAA4D;IAC5D,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC,CAAC;IAE/D,mEAAmE;IACnE,iEAAiE;IACjE,mEAAmE;IACnE,gEAAgE;IAChE,4BAA4B;IAC5B,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,4DAA4D;IAC5D,8DAA8D;IAC9D,qEAAqE;IACrE,oEAAoE;IACpE,0DAA0D;IAC1D,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,MAAM,oBAAoB,GAAG,6BAA6B,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7E,IAAI,oBAAoB,EAAE,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,6BAA6B,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACzE,CAAC;SAAM,IAAI,SAAS,KAAK,IAAI,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,mEAAmE;IACnE,8DAA8D;IAC9D,IACE,IAAI,CAAC,kBAAkB,KAAK,KAAK;QACjC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC;QAC/B,CAAC,IAAI,CAAC,aAAa,CAAC,EACpB,CAAC;QACD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,WAAW,OAAO,CAAC,MAAM,6BAA6B,CAAC,CAAC,KAAK,EAAE,CAAC;IACvF,IAAI,CAAC;QACH,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,OAAO,EAAE,CAAC;YACrC,+DAA+D;YAC/D,2DAA2D;YAC3D,sCAAsC;YACtC,IAAI,GAAG,KAAK,aAAa,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClB,SAAS;YACX,CAAC;YACD,UAAU,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YACzD,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;QACD,UAAU,CAAC,OAAO,CAAC,SAAS,UAAU,CAAC,MAAM,uCAAuC,CAAC,CAAC;IACxF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACnD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,iEAAiE;IACjE,kEAAkE;IAClE,6BAA6B;IAC7B,MAAM,OAAO,GAAoB;QAC/B,GAAG,QAAQ;QACX,SAAS,EAAE;YACT,MAAM,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,SAAS,EAAE;YAC7C,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,SAAS,EAAE,IAAI,EAAE;SAClD;KACF,CAAC;IACF,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,gCAAgC,iBAAiB,KAAK,eAAe,IAAI,CAAC,CAAC,CAAC;IAElG,iEAAiE;IACjE,mEAAmE;IACnE,+DAA+D;IAC/D,+CAA+C;IAC/C,MAAM,aAAa,GAAG,kBAAkB,CAAC;QACvC,UAAU,EAAE,MAAM,WAAW,EAAE;QAC/B,QAAQ,EAAE,EAAE,CAAC,QAAQ;QACrB,SAAS,EAAE,EAAE,CAAC,SAAS;QACvB,SAAS,EAAE,EAAE,CAAC,SAAS;KACxB,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE;QAC7E,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE;QAC/D,UAAU;QACV,OAAO;QACP,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;;;+DAI+D;AAC/D,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACnC,CAAC"}

package/dist/scaffold/manifest.d.ts

@@ -45,6 +45,30 @@ export interface ProjectManifest {
      *  Optional for back-compat with manifests written before this
      *  field existed; readers should fall back to detection. */
     surfaces?: "server-only" | "client-only" | "both";
+    /** S3 buckets provisioned by `hatchkit provision s3`. Names go in
+     *  the manifest (so re-runs are idempotent and `hatchkit destroy`
+     *  knows what to undo); credentials never do — those live in the
+     *  global config / OS keychain.
+     *
+     *  `assets`  is the public bucket fronting NEXT_PUBLIC_ASSETS_BASE_URL
+     *           or equivalent. Reachable over HTTPS via either an r2.dev
+     *           managed domain or a custom domain on a zone the user owns.
+     *  `state`  is the private bucket — used for state files, logs, cron
+     *           inputs. Never publicly readable.
+     *
+     *  `publicUrl` is the canonical no-trailing-slash URL the runtime
+     *  should serve assets from. Always present on `assets`; null on
+     *  `state` (private buckets aren't publicly reachable). */
+    s3Buckets?: {
+        assets?: {
+            name: string;
+            publicUrl: string;
+        };
+        state?: {
+            name: string;
+            publicUrl: null;
+        };
+    };
 }
 /** Build a manifest from the internal ProjectConfig, explicitly
  *  whitelisting only the safe fields. Any new field on ProjectConfig

package/dist/scaffold/manifest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAgCA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,eAAO,MAAM,iBAAiB,mBAAmB,CAAC;AAClD,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAElC,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,0CAA0C;IAC1C,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB;6DACyD;IACzD,UAAU,EAAE,UAAU,CAAC;IACvB;qDACiD;IACjD,YAAY,EAAE,UAAU,GAAG,KAAK,CAAC;IACjC;;mDAE+C;IAC/C,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oEAAoE;IACpE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;oEACgE;IAChE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9D;;;;;gEAK4D;IAC5D,QAAQ,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;CACnD;AAED;;oEAEoE;AACpE,wBAAgB,UAAU,CACxB,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,MAAM,GACjB,eAAe,CAoBjB;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAGhF;AAED;;;gCAGgC;AAChC,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAiBvE"}
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAgCA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,eAAO,MAAM,iBAAiB,mBAAmB,CAAC;AAClD,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAElC,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,0CAA0C;IAC1C,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB;6DACyD;IACzD,UAAU,EAAE,UAAU,CAAC;IACvB;qDACiD;IACjD,YAAY,EAAE,UAAU,GAAG,KAAK,CAAC;IACjC;;mDAE+C;IAC/C,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oEAAoE;IACpE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;oEACgE;IAChE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9D;;;;;gEAK4D;IAC5D,QAAQ,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;IAClD;;;;;;;;;;;;;+DAa2D;IAC3D,SAAS,CAAC,EAAE;QACV,MAAM,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAC;QAC7C,KAAK,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,IAAI,CAAA;SAAE,CAAC;KAC3C,CAAC;CACH;AAED;;oEAEoE;AACpE,wBAAgB,UAAU,CACxB,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,MAAM,GACjB,eAAe,CAoBjB;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAGhF;AAED;;;gCAGgC;AAChC,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAiBvE"}

package/dist/scaffold/manifest.js.map

@@ -1 +1 @@
-{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAClD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AA2ClC;;oEAEoE;AACpE,MAAM,UAAU,UAAU,CACxB,MAAqB,EACrB,KAAmB,EACnB,UAAkB;IAElB,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,UAAU;QACV,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC9B,UAAU,EAAE,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,KAAK,EAAE;YACL,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAChD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACzE,CAAC;AAED;;;gCAGgC;AAChC,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,IACE,CAAC,MAAM;QACP,OAAO,MAAM,KAAK,QAAQ;QACzB,MAAgC,CAAC,OAAO,KAAK,gBAAgB,EAC9D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,kCAAkC,gBAAgB,GAAG,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAyB,CAAC;AACnC,CAAC"}
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAClD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AA6DlC;;oEAEoE;AACpE,MAAM,UAAU,UAAU,CACxB,MAAqB,EACrB,KAAmB,EACnB,UAAkB;IAElB,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,UAAU;QACV,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC9B,UAAU,EAAE,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,KAAK,EAAE;YACL,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAChD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACzE,CAAC;AAED;;;gCAGgC;AAChC,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,IACE,CAAC,MAAM;QACP,OAAO,MAAM,KAAK,QAAQ;QACzB,MAAgC,CAAC,OAAO,KAAK,gBAAgB,EAC9D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,kCAAkC,gBAAgB,GAAG,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAyB,CAAC;AACnC,CAAC"}

package/dist/utils/cloudflare-api.d.ts

@@ -52,5 +52,93 @@ export declare class CloudflareApi {
     /** Delete a DNS record by id. Returns "not-found" on 404 so the
      *  caller can treat already-gone records as success during rollback. */
     deleteRecord(zoneId: string, recordId: string): Promise<"deleted" | "not-found">;
+    /** Read a single zone setting's current value. Used by
+     *  `enableEdgeHardening` to skip no-op PATCHes (and avoid downgrading
+     *  user-set stricter values). Returns the raw `value` field — typed
+     *  loosely because each setting has its own value shape. */
+    getZoneSetting(zoneId: string, settingId: string): Promise<unknown>;
+    /** Patch a single zone setting. Returns the new value. */
+    setZoneSetting(zoneId: string, settingId: string, value: unknown): Promise<unknown>;
+    /** Apply hatchkit's curated edge-hardening defaults idempotently.
+     *  Only changes settings that are currently weaker than the target —
+     *  stricter user-set values are left alone (e.g. if the user has TLS
+     *  1.3 enforced, we don't pull it back to 1.2).
+     *
+     *  Settings (and why):
+     *    · `always_use_https = on` — 301s plain `http://` to `https://`
+     *      at the edge so users who type the bare URL aren't left wondering
+     *      why nothing loads. Default off, has to be opted in.
+     *    · `ssl = full` — Cloudflare → origin uses HTTPS, but accepts
+     *      self-signed certs. Coolify auto-issues Let's Encrypt at the
+     *      origin but the cert can be a few seconds late on a cold deploy;
+     *      `full` (vs `full (strict)`) means we don't 526 the user during
+     *      that window. Bump to `strict` once the deploy is stable.
+     *    · `min_tls_version = 1.2` — drops legacy TLS 1.0/1.1 with no
+     *      practical compat cost in 2026.
+     *    · `automatic_https_rewrites = on` — Cloudflare rewrites any
+     *      remaining `http://` references in HTML responses, killing the
+     *      mixed-content warnings that bite static-export apps.
+     *
+     *  Returns a per-setting summary for the caller to log. */
+    /** Create a bucket. Returns the metadata. If the bucket already
+     *  exists (409), returns `{ existed: true }` plus a fresh GET. */
+    createR2Bucket(accountId: string, name: string, opts?: {
+        locationHint?: string;
+        storageClass?: "Standard" | "InfrequentAccess";
+    }): Promise<{
+        name: string;
+        location?: string;
+        creation_date?: string;
+        storage_class?: string;
+        existed: boolean;
+    }>;
+    /** Get bucket metadata. Returns null on 404. */
+    getR2Bucket(accountId: string, name: string): Promise<{
+        name: string;
+        location?: string;
+        creation_date?: string;
+        storage_class?: string;
+    } | null>;
+    /** Enable (or disable) the managed `pub-<hash>.r2.dev` public URL on
+     *  a bucket. Returns the assigned `pub-<hash>.r2.dev` hostname. */
+    enableR2ManagedDomain(accountId: string, bucket: string, enabled?: boolean): Promise<{
+        bucketId: string;
+        domain: string;
+        enabled: boolean;
+    }>;
+    /** List custom domains attached to a bucket — used to short-circuit
+     *  re-runs that already added the domain. */
+    listR2CustomDomains(accountId: string, bucket: string): Promise<Array<{
+        domain: string;
+        enabled: boolean;
+        status?: {
+            ownership?: string;
+            ssl?: string;
+        };
+    }>>;
+    /** Attach a custom domain (a hostname on a Cloudflare zone you own)
+     *  to an R2 bucket. Idempotent — duplicates short-circuit via list. */
+    addR2CustomDomain(accountId: string, bucket: string, params: {
+        domain: string;
+        zoneId: string;
+        minTLS?: "1.0" | "1.1" | "1.2" | "1.3";
+    }): Promise<{
+        domain: string;
+        enabled: boolean;
+        zoneId: string;
+        existed: boolean;
+    }>;
+    enableEdgeHardening(zoneId: string): Promise<{
+        changed: Array<{
+            id: string;
+            from: unknown;
+            to: unknown;
+        }>;
+        kept: string[];
+        failed: Array<{
+            id: string;
+            error: string;
+        }>;
+    }>;
 }
 //# sourceMappingURL=cloudflare-api.d.ts.map

package/dist/utils/cloudflare-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloudflare-api.d.ts","sourceRoot":"","sources":["../../src/utils/cloudflare-api.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAiBD,kCAAkC;AAClC,qBAAa,aAAa;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,SAAS,CAAC,CAAS;gBAEf,OAAO,EAAE,oBAAoB;YAK3B,OAAO;IAoBrB,iDAAiD;IAC3C,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAKpC;;;;;OAKG;IACG,SAAS,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IA2B5C,gEAAgE;IAC1D,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAOjE,6DAA6D;IACvD,UAAU,CACd,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,GAC3B,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC;IAQhG;;;qEAGiE;IAC3D,YAAY,CAChB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QACN,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAAC;QAC7B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GACA,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IA8B9D;4EACwE;IAClE,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;CAUvF"}
+{"version":3,"file":"cloudflare-api.d.ts","sourceRoot":"","sources":["../../src/utils/cloudflare-api.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAiBD,kCAAkC;AAClC,qBAAa,aAAa;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,SAAS,CAAC,CAAS;gBAEf,OAAO,EAAE,oBAAoB;YAK3B,OAAO;IAoBrB,iDAAiD;IAC3C,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAKpC;;;;;OAKG;IACG,SAAS,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IA2B5C,gEAAgE;IAC1D,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAOjE,6DAA6D;IACvD,UAAU,CACd,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,GAC3B,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC;IAQhG;;;qEAGiE;IAC3D,YAAY,CAChB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QACN,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAAC;QAC7B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GACA,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IA8B9D;4EACwE;IAClE,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;IA0BtF;;;gEAG4D;IACtD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQzE,0DAA0D;IACpD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IASzF;;;;;;;;;;;;;;;;;;;;+DAoB2D;IAoB3D;sEACkE;IAC5D,cAAc,CAClB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,UAAU,GAAG,kBAAkB,CAAA;KAAO,GACnF,OAAO,CAAC;QACT,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;IAwBF,gDAAgD;IAC1C,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;QACT,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,IAAI,CAAC;IAST;uEACmE;IAC7D,qBAAqB,CACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,UAAO,GACb,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAMlE;iDAC6C;IACvC,mBAAmB,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CACR,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,SAAS,CAAC,EAAE,MAAM,CAAC;YAAC,GAAG,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC,CAC3F;IAeD;2EACuE;IACjE,iBAAiB,CACrB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAA;KAAE,GACjF,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAoB5E,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACjD,OAAO,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,OAAO,CAAC;YAAC,EAAE,EAAE,OAAO,CAAA;SAAE,CAAC,CAAC;QAC3D,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,MAAM,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9C,CAAC;CAkDH"}