hatchkit 0.1.30 → 0.1.32

package/dist/provision/s3.js

@@ -0,0 +1,347 @@
+/*
+ * S3 / R2 token provisioning for the `hatchkit add` flow.
+ *
+ * Sister flow to `hatchkit provision s3` (s3-buckets.ts), which creates
+ * the bucket pair and mints a single shared token. THIS flow is the
+ * "buckets already exist; just give me scoped credentials" path. It's
+ * what runs when the project's `.hatchkit.json` declares `s3Buckets`
+ * (e.g. `s3Provider: "existing"`) and the user runs:
+ *
+ *   hatchkit add <project> s3
+ *
+ * For each bucket entry in the manifest, we mint a Cloudflare R2
+ * **Account** API token (`POST /accounts/{id}/tokens`) scoped to that
+ * bucket only — Object Read + Write permissions. One token per bucket
+ * is the deliberate choice: narrower blast radius than a single
+ * multi-bucket token, and it matches the `R2_<NAME>_*` env-var naming
+ * the runtime expects (each bucket has its own credential pair).
+ *
+ * Source of truth for which tokens exist: the manifest. Each minted
+ * token's id is pinned under `s3Buckets[bucketKey].tokenId` in
+ * `.hatchkit.json` (committed) so re-runs reuse it instead of
+ * minting a duplicate, and `hatchkit remove <project> s3` knows
+ * which tokens to revoke. Credentials never go in the manifest —
+ * they live encrypted in `.env.production` only.
+ *
+ * Coexists with `hatchkit provision s3`'s shared-token model: that
+ * flow records ONE token id at `s3Buckets.tokenId` covering both
+ * built-in buckets (`assets` + `state`). Per-bucket tokens minted
+ * here use `s3Buckets[bucketKey].tokenId` instead — distinct field,
+ * distinct semantics.
+ *
+ * Inverse: `unprovisionR2BucketTokens` — revokes each token via
+ * DELETE /accounts/{id}/tokens/{id}. Called by `hatchkit remove`.
+ */
+import { join } from "node:path";
+import chalk from "chalk";
+import ora from "ora";
+import { readManifest, writeManifest } from "../scaffold/manifest.js";
+import { CloudflareApi } from "../utils/cloudflare-api.js";
+import { SECRET_KEYS, getSecret } from "../utils/secrets.js";
+import { accountIdFromR2Endpoint } from "./s3-buckets.js";
+/** Mint (or reuse) a per-bucket scoped R2 Account API token for every
+ *  bucket declared in `.hatchkit.json` → `s3Buckets`. Returns the
+ *  endpoint + per-bucket S3-style credential pairs ready for the env
+ *  writer. The token id of every minted token is persisted into the
+ *  manifest so re-runs are idempotent and destroy can clean up. */
+export async function provisionR2BucketTokens(opts) {
+    const provider = "r2";
+    const manifest = readManifest(opts.projectDir);
+    if (!manifest) {
+        throw new Error(`No .hatchkit.json in ${opts.projectDir}. Run \`hatchkit adopt\` (or move into the project directory) first.`);
+    }
+    // Manifest's S3 provider must be R2-compatible. `existing` is the
+    // primary user-facing case (buckets pre-created elsewhere); `r2`
+    // means hatchkit created them itself. Both go through the same
+    // token-minting code path.
+    if (manifest.s3Provider !== "existing" && manifest.s3Provider !== "r2") {
+        if (manifest.s3Provider === "hetzner" || manifest.s3Provider === "aws") {
+            throw new Error(`s3Provider "${manifest.s3Provider}" is not yet supported by \`hatchkit add s3\`. Only Cloudflare R2 (provider "r2" or "existing") can mint scoped tokens today.`);
+        }
+        throw new Error(`s3Provider "${manifest.s3Provider}" — nothing to provision. Add s3Buckets to .hatchkit.json or run \`hatchkit provision s3\`.`);
+    }
+    const buckets = enumerateBuckets(manifest);
+    if (buckets.length === 0) {
+        throw new Error(`No s3Buckets declared in ${join(opts.projectDir, ".hatchkit.json")}. Add at least one bucket entry (e.g. "assets": { "name": "<bucket>", "publicUrl": "..." }) and re-run.`);
+    }
+    // Pull provider metadata (endpoint) from the global config store.
+    const { getStore } = await import("../config.js");
+    const meta = getStore().get(`providers.s3.${provider}`);
+    if (!meta || meta.status !== "configured" || !meta.endpoint) {
+        throw new Error(`R2 provider is not configured globally. Run \`hatchkit config add s3 r2\` to paste the admin token + endpoint, then re-run.`);
+    }
+    const accountId = accountIdFromR2Endpoint(meta.endpoint);
+    const adminToken = await getSecret(SECRET_KEYS.r2AdminToken);
+    if (!adminToken) {
+        throw new Error("R2 admin token missing from the keychain. Run `hatchkit config add s3 r2` to paste + verify it, then re-run.");
+    }
+    const cf = new CloudflareApi({ token: adminToken });
+    // Read the .env.production keys to know whether existing manifest
+    // tokens still have usable credentials in the file. CF doesn't
+    // expose the secret-access-key after creation, so a manifest token
+    // without matching env entries is effectively dead — re-mint.
+    const envPath = join(opts.projectDir, ".env.production");
+    const existingEnv = await readEnvKeysSet(envPath);
+    const bucketTokens = [];
+    const updatedBucketEntries = {};
+    for (const bucket of buckets) {
+        const existingTokenId = bucket.tokenId;
+        const reusable = existingTokenId && hasBucketEnvCreds(existingEnv, bucket.key);
+        let probe = null;
+        if (reusable) {
+            try {
+                probe = await cf.getAccountToken(accountId, existingTokenId);
+            }
+            catch (err) {
+                // Probe failure (network/permissions) — fall through to mint
+                // fresh. Better to lose one token to orphans than to keep
+                // running with credentials we can't verify.
+                console.log(chalk.dim(`  · Couldn't verify R2 token ${existingTokenId.slice(0, 8)}… for ${bucket.key} (${err.message.split("\n")[0]}). Minting a fresh one.`));
+            }
+        }
+        if (reusable && probe?.status === "active") {
+            // Reuse: env already has the credentials, just record the entry.
+            bucketTokens.push({
+                bucketKey: bucket.key,
+                bucketName: bucket.name,
+                accessKeyId: existingTokenId,
+                secretAccessKey: "", // unknown to us; .env.production has the live one
+                tokenId: existingTokenId,
+                accountId,
+                minted: false,
+            });
+            updatedBucketEntries[bucket.key] = {
+                name: bucket.name,
+                publicUrl: bucket.publicUrl,
+                tokenId: existingTokenId,
+            };
+            console.log(chalk.dim(`  · Reusing R2 account token ${existingTokenId.slice(0, 8)}… for bucket ${bucket.key} (alive in CF; creds in .env.production)`));
+            continue;
+        }
+        // Revoke a stale manifest token (status disabled/expired/404)
+        // before minting the replacement so we don't pile up orphans.
+        if (existingTokenId) {
+            try {
+                await cf.deleteAccountToken(accountId, existingTokenId);
+            }
+            catch {
+                /* best-effort */
+            }
+        }
+        const spinner = ora(`R2: minting scoped account token for bucket ${chalk.cyan(bucket.name)} (${bucket.key})`).start();
+        try {
+            const minted = await cf.createR2AccountToken({
+                accountId,
+                name: `hatchkit-${opts.projectName}-${bucket.key}`,
+                bucketNames: [bucket.name],
+                permissions: "read-write",
+            });
+            bucketTokens.push({
+                bucketKey: bucket.key,
+                bucketName: bucket.name,
+                accessKeyId: minted.accessKeyId,
+                secretAccessKey: minted.secretAccessKey,
+                tokenId: minted.tokenId,
+                accountId,
+                minted: true,
+            });
+            updatedBucketEntries[bucket.key] = {
+                name: bucket.name,
+                publicUrl: bucket.publicUrl,
+                tokenId: minted.tokenId,
+            };
+            spinner.succeed(`R2: minted account token for ${bucket.name} (id ${minted.tokenId.slice(0, 8)}…, visible in R2 → Manage R2 API Tokens)`);
+        }
+        catch (err) {
+            spinner.fail(`R2: minting account token for ${bucket.name} failed`);
+            const msg = err.message;
+            if (/9109|10000|10001|403|invalid api token/i.test(msg)) {
+                throw new Error(`${msg}\n\n  → The admin token (s3:r2:admin-token) needs:\n    · Account > Workers R2 Storage > Edit  (list/access buckets)\n    · Account Settings > Edit               (mint per-project account tokens — commonly the missing one)\n  → Edit at https://dash.cloudflare.com/profile/api-tokens, save, re-run.`);
+            }
+            throw err;
+        }
+    }
+    // Persist the per-bucket tokenIds back into the manifest. Preserve
+    // any other s3Buckets fields (like `tokenId` + `accountId` from a
+    // prior `provision s3` shared-token run, or built-in `state` entry
+    // we didn't touch on this run).
+    if (bucketTokens.some((bt) => bt.minted)) {
+        const merged = {
+            ...(manifest.s3Buckets ?? {}),
+            ...updatedBucketEntries,
+        };
+        const updated = { ...manifest, s3Buckets: merged };
+        writeManifest(opts.projectDir, updated);
+    }
+    return { endpoint: meta.endpoint, bucketTokens };
+}
+/** Convert a `provisionR2BucketTokens` result into the KEY=VALUE lines
+ *  the orchestrator writes to `.env.production`. Names follow the
+ *  R2_ prefix convention; for projects with a single bucket we ALSO
+ *  emit unprefixed `R2_ACCESS_KEY_ID` / `R2_SECRET_ACCESS_KEY` aliases
+ *  so existing single-bucket runtimes (which expect the unprefixed
+ *  form) keep working without code changes.
+ *
+ *  Reused tokens (where we don't know the secret-access-key; CF
+ *  doesn't expose it after creation) emit only the bucket-name +
+ *  endpoint lines — the existing encrypted .env.production is the
+ *  source of truth for the credentials, and we don't want to overwrite
+ *  it with a placeholder. */
+export function renderR2BucketTokensEnv(result) {
+    const lines = [];
+    lines.push(`R2_ENDPOINT=${result.endpoint}`);
+    for (const bt of result.bucketTokens) {
+        const name = bt.bucketKey.toUpperCase();
+        lines.push(`R2_${name}_BUCKET=${bt.bucketName}`);
+        if (bt.minted) {
+            lines.push(`R2_${name}_ACCESS_KEY_ID=${bt.accessKeyId}`);
+            lines.push(`R2_${name}_SECRET_ACCESS_KEY=${bt.secretAccessKey}`);
+        }
+    }
+    // Single-bucket alias. Most single-bucket consumers (Next.js apps,
+    // standalone sync scripts) read R2_ACCESS_KEY_ID / R2_SECRET_ACCESS_KEY
+    // directly without the bucket-name segment. Skip when there's
+    // ambiguity (multi-bucket).
+    if (result.bucketTokens.length === 1 && result.bucketTokens[0].minted) {
+        const sole = result.bucketTokens[0];
+        lines.push(`R2_ACCESS_KEY_ID=${sole.accessKeyId}`);
+        lines.push(`R2_SECRET_ACCESS_KEY=${sole.secretAccessKey}`);
+    }
+    return lines;
+}
+/** Delete every per-bucket scoped R2 account token minted for this
+ *  project, both upstream (CF API) and locally (manifest). Idempotent
+ *  — missing upstream tokens count as `not-found`.
+ *
+ *  Source of truth: the manifest's `s3Buckets[bucketKey].tokenId`
+ *  fields. When the manifest is missing or unreadable, returns an
+ *  empty result — the user must manually revoke tokens via the CF
+ *  dashboard. (No keychain fallback exists for the per-bucket model;
+ *  unlike the legacy single-token-per-project flow, tokens are never
+ *  written to the OS keychain in the new design.) */
+export async function unprovisionR2BucketTokens(opts) {
+    const out = { buckets: [] };
+    if (!opts.projectDir)
+        return out;
+    let manifest = null;
+    try {
+        manifest = readManifest(opts.projectDir);
+    }
+    catch {
+        return out;
+    }
+    if (!manifest)
+        return out;
+    const buckets = enumerateBuckets(manifest);
+    if (buckets.length === 0)
+        return out;
+    const accountId = manifest.s3Buckets?.accountId ?? deriveAccountId();
+    const adminToken = await getSecret(SECRET_KEYS.r2AdminToken);
+    if (!adminToken) {
+        throw new Error("R2 admin token not in keychain — re-add via `hatchkit config add s3 r2`, then retry remove.");
+    }
+    const cf = new CloudflareApi({ token: adminToken });
+    const resolvedAccountId = accountId ?? (await fallbackAccountId());
+    for (const bucket of buckets) {
+        const tokenId = bucket.tokenId;
+        if (!tokenId) {
+            out.buckets.push({ bucketKey: bucket.key, outcome: "not-found" });
+            continue;
+        }
+        if (!resolvedAccountId) {
+            throw new Error("Couldn't resolve the Cloudflare account id for this project — manifest has no `s3Buckets.accountId` and the global R2 endpoint is not set. Run `hatchkit config add s3 r2` to fix.");
+        }
+        let outcome = "not-found";
+        try {
+            outcome = await cf.deleteAccountToken(resolvedAccountId, tokenId);
+        }
+        catch (err) {
+            throw new Error(`Could not delete R2 account token for bucket ${bucket.key}: ${err.message}`);
+        }
+        out.buckets.push({ bucketKey: bucket.key, outcome });
+    }
+    // Wipe per-bucket tokenIds from the manifest (keep names + URLs —
+    // the buckets still exist; only the tokens are gone).
+    if (manifest.s3Buckets) {
+        const updated = { ...manifest.s3Buckets };
+        for (const bucket of buckets) {
+            const entry = updated[bucket.key];
+            if (entry && typeof entry === "object") {
+                updated[bucket.key] = {
+                    name: entry.name,
+                    publicUrl: entry.publicUrl,
+                };
+            }
+        }
+        writeManifest(opts.projectDir, { ...manifest, s3Buckets: updated });
+    }
+    return out;
+}
+/** Read the manifest's `s3Buckets` map into a stable, sorted list.
+ *  Sort by key so multi-bucket runs always produce the same env-var
+ *  order on disk. Skips the scalar `tokenId` / `accountId` fields
+ *  that share the s3Buckets namespace — those belong to the legacy
+ *  single-token flow, not to this per-bucket flow. */
+function enumerateBuckets(manifest) {
+    const map = manifest.s3Buckets;
+    if (!map)
+        return [];
+    const entries = [];
+    for (const key of Object.keys(map).sort()) {
+        if (key === "tokenId" || key === "accountId")
+            continue;
+        const value = map[key];
+        if (!value || typeof value !== "object" || typeof value.name !== "string" || value.name === "")
+            continue;
+        entries.push({
+            key,
+            name: value.name,
+            publicUrl: value.publicUrl ?? null,
+            tokenId: value.tokenId,
+        });
+    }
+    return entries;
+}
+/** Read every `KEY=` line out of a `.env.production` file (encrypted or
+ *  not — we only care about the keys present). Returns an empty set
+ *  when the file doesn't exist. */
+async function readEnvKeysSet(envPath) {
+    const { existsSync, readFileSync } = await import("node:fs");
+    if (!existsSync(envPath))
+        return new Set();
+    const text = readFileSync(envPath, "utf-8");
+    const out = new Set();
+    for (const line of text.split("\n")) {
+        const m = line.match(/^([A-Z][A-Z0-9_]*)=/);
+        if (m)
+            out.add(m[1]);
+    }
+    return out;
+}
+/** Returns true if the `.env.production` already has access-key + secret
+ *  entries for the bucket, so reusing an existing manifest tokenId is
+ *  safe (we won't be left with credentials we can't recover). Checks
+ *  the prefixed `R2_<NAME>_*` form first; falls back to the unprefixed
+ *  alias used for single-bucket projects. */
+function hasBucketEnvCreds(envKeys, bucketKey) {
+    const upper = bucketKey.toUpperCase();
+    const prefixed = envKeys.has(`R2_${upper}_ACCESS_KEY_ID`) && envKeys.has(`R2_${upper}_SECRET_ACCESS_KEY`);
+    const aliased = envKeys.has("R2_ACCESS_KEY_ID") && envKeys.has("R2_SECRET_ACCESS_KEY");
+    return prefixed || aliased;
+}
+function deriveAccountId() {
+    return undefined;
+}
+async function fallbackAccountId() {
+    const { getStore } = await import("../config.js");
+    const meta = getStore().get("providers.s3.r2");
+    if (!meta?.endpoint)
+        return undefined;
+    try {
+        return accountIdFromR2Endpoint(meta.endpoint);
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=s3.js.map

package/dist/provision/s3.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3.js","sourceRoot":"","sources":["../../src/provision/s3.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAwB,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC5F,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAqC1D;;;;mEAImE;AACnE,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,IAA2B;IAE3B,MAAM,QAAQ,GAAG,IAAI,CAAC;IACtB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,wBAAwB,IAAI,CAAC,UAAU,sEAAsE,CAC9G,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,iEAAiE;IACjE,+DAA+D;IAC/D,2BAA2B;IAC3B,IAAI,QAAQ,CAAC,UAAU,KAAK,UAAU,IAAI,QAAQ,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QACvE,IAAI,QAAQ,CAAC,UAAU,KAAK,SAAS,IAAI,QAAQ,CAAC,UAAU,KAAK,KAAK,EAAE,CAAC;YACvE,MAAM,IAAI,KAAK,CACb,eAAe,QAAQ,CAAC,UAAU,+HAA+H,CAClK,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CACb,eAAe,QAAQ,CAAC,UAAU,6FAA6F,CAChI,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,4BAA4B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,gBAAgB,CAAC,yGAAyG,CAC7K,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC,GAAG,CAAC,gBAAgB,QAAQ,EAAE,CAEzC,CAAC;IACd,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,YAAY,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CACb,6HAA6H,CAC9H,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEzD,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAC7D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,8GAA8G,CAC/G,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IAEpD,kEAAkE;IAClE,+DAA+D;IAC/D,mEAAmE;IACnE,8DAA8D;IAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAElD,MAAM,YAAY,GAAoB,EAAE,CAAC;IACzC,MAAM,oBAAoB,GAGtB,EAAE,CAAC;IAEP,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC;QACvC,MAAM,QAAQ,GAAG,eAAe,IAAI,iBAAiB,CAAC,WAAW,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/E,IAAI,KAAK,GAAwD,IAAI,CAAC;QACtE,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,KAAK,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,6DAA6D;gBAC7D,0DAA0D;gBAC1D,4CAA4C;gBAC5C,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,gCAAgC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,SAAS,MAAM,CAAC,GAAG,KAAM,GAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,yBAAyB,CAClJ,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,IAAI,KAAK,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC3C,iEAAiE;YACjE,YAAY,CAAC,IAAI,CAAC;gBAChB,SAAS,EAAE,MAAM,CAAC,GAAG;gBACrB,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,eAAe;gBAC5B,eAAe,EAAE,EAAE,EAAE,kDAAkD;gBACvE,OAAO,EAAE,eAAe;gBACxB,SAAS;gBACT,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;gBACjC,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,OAAO,EAAE,eAAe;aACzB,CAAC;YACF,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,gCAAgC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,gBAAgB,MAAM,CAAC,GAAG,0CAA0C,CAChI,CACF,CAAC;YACF,SAAS;QACX,CAAC;QAED,8DAA8D;QAC9D,8DAA8D;QAC9D,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;YAC1D,CAAC;YAAC,MAAM,CAAC;gBACP,iBAAiB;YACnB,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CACjB,+CAA+C,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,GAAG,GAAG,CACzF,CAAC,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,oBAAoB,CAAC;gBAC3C,SAAS;gBACT,IAAI,EAAE,YAAY,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,GAAG,EAAE;gBAClD,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC;gBAC1B,WAAW,EAAE,YAAY;aAC1B,CAAC,CAAC;YACH,YAAY,CAAC,IAAI,CAAC;gBAChB,SAAS,EAAE,MAAM,CAAC,GAAG;gBACrB,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,SAAS;gBACT,MAAM,EAAE,IAAI;aACb,CAAC,CAAC;YACH,oBAAoB,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;gBACjC,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC;YACF,OAAO,CAAC,OAAO,CACb,gCAAgC,MAAM,CAAC,IAAI,QAAQ,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,0CAA0C,CACxH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,iCAAiC,MAAM,CAAC,IAAI,SAAS,CAAC,CAAC;YACpE,MAAM,GAAG,GAAI,GAAa,CAAC,OAAO,CAAC;YACnC,IAAI,yCAAyC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxD,MAAM,IAAI,KAAK,CACb,GAAG,GAAG,2SAA2S,CAClT,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,mEAAmE;IACnE,gCAAgC;IAChC,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,MAAM,GAA8C;YACxD,GAAG,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;YAC7B,GAAG,oBAAoB;SACxB,CAAC;QACF,MAAM,OAAO,GAAoB,EAAE,GAAG,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;QACpE,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,YAAY,EAAE,CAAC;AACnD,CAAC;AAED;;;;;;;;;;;6BAW6B;AAC7B,MAAM,UAAU,uBAAuB,CAAC,MAA+B;IACrE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE7C,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,WAAW,EAAE,CAAC,UAAU,EAAE,CAAC,CAAC;QACjD,IAAI,EAAE,CAAC,MAAM,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,kBAAkB,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YACzD,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,sBAAsB,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,wEAAwE;IACxE,8DAA8D;IAC9D,4BAA4B;IAC5B,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACtE,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACnD,KAAK,CAAC,IAAI,CAAC,wBAAwB,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AASD;;;;;;;;;qDASqD;AACrD,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,IAM/C;IACC,MAAM,GAAG,GAA8B,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACvD,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAO,GAAG,CAAC;IAEjC,IAAI,QAAQ,GAA2B,IAAI,CAAC;IAC5C,IAAI,CAAC;QACH,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,GAAG,CAAC;IAE1B,MAAM,OAAO,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAErC,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,EAAE,SAAS,IAAI,eAAe,EAAE,CAAC;IACrE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAC7D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,6FAA6F,CAC9F,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IACpD,MAAM,iBAAiB,GAAG,SAAS,IAAI,CAAC,MAAM,iBAAiB,EAAE,CAAC,CAAC;IAEnE,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;YAClE,SAAS;QACX,CAAC;QACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,oLAAoL,CACrL,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,GAAiB,WAAW,CAAC;QACxC,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,kBAAkB,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,gDAAgD,MAAM,CAAC,GAAG,KAAM,GAAa,CAAC,OAAO,EAAE,CACxF,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,kEAAkE;IAClE,sDAAsD;IACtD,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,OAAO,GAA8C,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;QACrF,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACvC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;oBACpB,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,SAAS,EAAE,KAAK,CAAC,SAAS;iBAC3B,CAAC;YACJ,CAAC;QACH,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,GAAG,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AASD;;;;sDAIsD;AACtD,SAAS,gBAAgB,CAAC,QAAyB;IACjD,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/B,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAC1C,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QACvD,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,EAAE;YAC5F,SAAS;QACX,OAAO,CAAC,IAAI,CAAC;YACX,GAAG;YACH,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;YAClC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;mCAEmC;AACnC,KAAK,UAAU,cAAc,CAAC,OAAe;IAC3C,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7D,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,GAAG,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAC5C,IAAI,CAAC;YAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;6CAI6C;AAC7C,SAAS,iBAAiB,CAAC,OAAoB,EAAE,SAAiB;IAChE,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IACtC,MAAM,QAAQ,GACZ,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,gBAAgB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,oBAAoB,CAAC,CAAC;IAC3F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACvF,OAAO,QAAQ,IAAI,OAAO,CAAC;AAC7B,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,iBAAiB;IAC9B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC,GAAG,CAAC,iBAAiB,CAAsC,CAAC;IACpF,IAAI,CAAC,IAAI,EAAE,QAAQ;QAAE,OAAO,SAAS,CAAC;IACtC,IAAI,CAAC;QACH,OAAO,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/scaffold/manifest.d.ts

@@ -45,10 +45,10 @@ export interface ProjectManifest {
      *  Optional for back-compat with manifests written before this
      *  field existed; readers should fall back to detection. */
     surfaces?: "server-only" | "client-only" | "both";
-    /** S3 buckets provisioned by `hatchkit provision s3`. Names go in
-     *  the manifest (so re-runs are idempotent and `hatchkit destroy`
-     *  knows what to undo); credentials never do — those live in the
-     *  global config / OS keychain.
+    /** S3 buckets provisioned by `hatchkit provision s3`. Names + the
+     *  shared token id go in the manifest (so re-runs are idempotent and
+     *  `hatchkit destroy` knows what to undo); credentials never do —
+     *  those live encrypted in `.env.production`.
      *
      *  `assets`  is the public bucket fronting NEXT_PUBLIC_ASSETS_BASE_URL
      *           or equivalent. Reachable over HTTPS via either an r2.dev
@@ -58,16 +58,56 @@ export interface ProjectManifest {
      *
      *  `publicUrl` is the canonical no-trailing-slash URL the runtime
      *  should serve assets from. Always present on `assets`; null on
-     *  `state` (private buckets aren't publicly reachable). */
+     *  `state` (private buckets aren't publicly reachable).
+     *
+     *  `tokenId` + `accountId` (top-level) identify the Cloudflare R2
+     *  Account API Token whose resource policy is scoped to whichever
+     *  buckets exist for this project. ONE token covers both buckets —
+     *  the runtime is a single app reading both. Destroy revokes the
+     *  token via `DELETE /accounts/{accountId}/tokens/{tokenId}` after
+     *  the buckets themselves are gone.
+     *
+     *  Neither field is a credential — the token id is an identifier
+     *  (= S3 access key id), and accountId is already public-safe. The
+     *  actual access/secret pair lives encrypted in .env.production.
+     *
+     *  Both are optional for back-compat with manifests written before
+     *  account-token provisioning landed (legacy projects still have
+     *  user-tokens stashed in the OS keychain; provision migrates them
+     *  on next run). */
     s3Buckets?: {
         assets?: {
             name: string;
             publicUrl: string;
+            tokenId?: string;
         };
         state?: {
             name: string;
             publicUrl: null;
+            tokenId?: string;
         };
+        /** Shared Cloudflare R2 Account API Token id covering the
+         *  built-in `assets`/`state` pair (one token, one resource policy
+         *  listing both buckets). Recorded by `hatchkit provision s3`.
+         *  Per-bucket tokens minted by `hatchkit add s3` for arbitrary
+         *  user-declared buckets live under each bucket entry's own
+         *  `tokenId` field instead. */
+        tokenId?: string;
+        /** Account that owns the buckets and the shared token. */
+        accountId?: string;
+        /** Arbitrary user-declared bucket entries (beyond the built-in
+         *  `assets`/`state` pair) — `hatchkit add <project> s3` mints a
+         *  per-bucket scoped R2 token for each one. The union value type
+         *  also covers the scalar `tokenId`/`accountId` fields above:
+         *  TS requires the index signature to be no narrower than any
+         *  named property, so `string` (for those scalars) is part of
+         *  the union. Callers narrow on `typeof === "object"` before
+         *  reading `name` / `publicUrl` / `tokenId`. */
+        [key: string]: {
+            name: string;
+            publicUrl: string | null;
+            tokenId?: string;
+        } | string | undefined;
     };
 }
 /** Build a manifest from the internal ProjectConfig, explicitly

package/dist/scaffold/manifest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAgCA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,eAAO,MAAM,iBAAiB,mBAAmB,CAAC;AAClD,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAElC,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,0CAA0C;IAC1C,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB;6DACyD;IACzD,UAAU,EAAE,UAAU,CAAC;IACvB;qDACiD;IACjD,YAAY,EAAE,UAAU,GAAG,KAAK,CAAC;IACjC;;mDAE+C;IAC/C,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oEAAoE;IACpE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;oEACgE;IAChE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9D;;;;;gEAK4D;IAC5D,QAAQ,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;IAClD;;;;;;;;;;;;;+DAa2D;IAC3D,SAAS,CAAC,EAAE;QACV,MAAM,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAC;QAC7C,KAAK,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,IAAI,CAAA;SAAE,CAAC;KAC3C,CAAC;CACH;AAED;;oEAEoE;AACpE,wBAAgB,UAAU,CACxB,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,MAAM,GACjB,eAAe,CAoBjB;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAGhF;AAED;;;gCAGgC;AAChC,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAiBvE"}
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAgCA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,eAAO,MAAM,iBAAiB,mBAAmB,CAAC;AAClD,eAAO,MAAM,gBAAgB,IAAI,CAAC;AAElC,MAAM,WAAW,eAAe;IAC9B,qEAAqE;IACrE,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,0CAA0C;IAC1C,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB;6DACyD;IACzD,UAAU,EAAE,UAAU,CAAC;IACvB;qDACiD;IACjD,YAAY,EAAE,UAAU,GAAG,KAAK,CAAC;IACjC;;mDAE+C;IAC/C,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,oEAAoE;IACpE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;oEACgE;IAChE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9D;;;;;gEAK4D;IAC5D,QAAQ,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;IAClD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wBA6BoB;IACpB,SAAS,CAAC,EAAE;QACV,MAAM,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC/D,KAAK,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,IAAI,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC5D;;;;;uCAK+B;QAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,0DAA0D;QAC1D,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB;;;;;;;wDAOgD;QAChD,CAAC,GAAG,EAAE,MAAM,GACR;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,GAC5D,MAAM,GACN,SAAS,CAAC;KACf,CAAC;CACH;AAED;;oEAEoE;AACpE,wBAAgB,UAAU,CACxB,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,MAAM,GACjB,eAAe,CAoBjB;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAGhF;AAED;;;gCAGgC;AAChC,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAiBvE"}

package/dist/scaffold/manifest.js.map

@@ -1 +1 @@
-{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAClD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AA6DlC;;oEAEoE;AACpE,MAAM,UAAU,UAAU,CACxB,MAAqB,EACrB,KAAmB,EACnB,UAAkB;IAElB,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,UAAU;QACV,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC9B,UAAU,EAAE,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,KAAK,EAAE;YACL,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAChD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACzE,CAAC;AAED;;;gCAGgC;AAChC,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,IACE,CAAC,MAAM;QACP,OAAO,MAAM,KAAK,QAAQ;QACzB,MAAgC,CAAC,OAAO,KAAK,gBAAgB,EAC9D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,kCAAkC,gBAAgB,GAAG,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAyB,CAAC;AACnC,CAAC"}
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/scaffold/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAIjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAClD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAkGlC;;oEAEoE;AACpE,MAAM,UAAU,UAAU,CACxB,MAAqB,EACrB,KAAmB,EACnB,UAAkB;IAElB,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,UAAU;QACV,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC9B,UAAU,EAAE,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,KAAK,EAAE;YACL,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAyB;IACxE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAChD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACzE,CAAC;AAED;;;gCAGgC;AAChC,MAAM,UAAU,YAAY,CAAC,UAAkB;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,uBAAwB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,IACE,CAAC,MAAM;QACP,OAAO,MAAM,KAAK,QAAQ;QACzB,MAAgC,CAAC,OAAO,KAAK,gBAAgB,EAC9D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,kCAAkC,gBAAgB,GAAG,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,MAAyB,CAAC;AACnC,CAAC"}

package/dist/utils/cloudflare-api.d.ts

@@ -99,6 +99,16 @@ export declare class CloudflareApi {
         creation_date?: string;
         storage_class?: string;
     } | null>;
+    /** Delete a bucket. Idempotent: 404 → "not-found".
+     *
+     *  Cloudflare refuses to delete a bucket that still has objects in
+     *  it (returns 10039 / "bucket is not empty"); the caller should
+     *  surface that as a `RollbackSkip` with a recipe for the user to
+     *  empty manually rather than silently destroying their data.
+     *  We don't auto-empty here — that's a destructive choice that
+     *  belongs at the rollback layer, not the API client.
+     */
+    deleteR2Bucket(accountId: string, name: string): Promise<"deleted" | "not-found" | "not-empty">;
     /** Enable (or disable) the managed `pub-<hash>.r2.dev` public URL on
      *  a bucket. Returns the assigned `pub-<hash>.r2.dev` hostname. */
     enableR2ManagedDomain(accountId: string, bucket: string, enabled?: boolean): Promise<{
@@ -157,12 +167,64 @@ export declare class CloudflareApi {
         /** S3 Secret Access Key — sha256(tokenValue), hex. */
         secretAccessKey: string;
     }>;
-    /** Cached lookup of /user/tokens/permission_groups filtered to R2
-     *  groups. Returns at minimum the entries hatchkit looks up by name
-     *  in `createR2ApiToken`. */
-    private permissionGroupsCache?;
+    /** Mint a per-bucket-scoped R2 **Account** API token via
+     *  `POST /accounts/{accountId}/tokens`. Same resource policy shape as
+     *  `createR2ApiToken`, but the token is account-scoped (visible in
+     *  `R2 → Manage R2 API Tokens` in the dashboard, and tied to the
+     *  account rather than the user — survives any one user being
+     *  removed from the account).
+     *
+     *  Why this exists alongside `createR2ApiToken`: the user-token
+     *  variant predates this, requires `User > API Tokens > Edit` on
+     *  the calling token, and tucks the result into a list users
+     *  rarely visit (`Profile > API Tokens`). New code paths use this
+     *  one; the user-token flavour stays for legacy migration only
+     *  (revoking old user-tokens during provision).
+     *
+     *  The calling token needs `Account Settings > Edit` (which lets it
+     *  create account tokens). An R2-only admin token won't have that
+     *  by default — the caller surfaces a hint when the 403 comes back.
+     */
+    createR2AccountToken(params: {
+        accountId: string;
+        name: string;
+        bucketNames: string[];
+        jurisdiction?: "default" | "eu" | "fedramp";
+        permissions?: "read" | "read-write";
+    }): Promise<{
+        tokenId: string;
+        tokenValue: string;
+        accessKeyId: string;
+        secretAccessKey: string;
+    }>;
+    /** GET /accounts/{accountId}/tokens/{tokenId} — used to verify a
+     *  recorded token still exists (and isn't disabled/expired) before
+     *  we trust the encrypted credentials in the project's
+     *  .env.production. Returns null on 404. */
+    getAccountToken(accountId: string, tokenId: string): Promise<{
+        id: string;
+        status: string;
+        name: string;
+    } | null>;
+    /** DELETE /accounts/{accountId}/tokens/{tokenId} — used by the
+     *  destroy / rollback flow to take the per-bucket token down with
+     *  its bucket(s). Idempotent: 404 → "not-found". */
+    deleteAccountToken(accountId: string, tokenId: string): Promise<"deleted" | "not-found">;
+    /** Cached lookup of permission groups. Pass `accountId` to use the
+     *  per-account endpoint (preferred — works with R2 admin tokens that
+     *  don't have `User > API Tokens > Read`). When `accountId` is
+     *  omitted, falls back to `/user/tokens/permission_groups` for the
+     *  legacy `createR2ApiToken` (user-token) path. Both return the same
+     *  permission group catalog.
+     *
+     *  Cache is keyed on `accountId ?? ""` so user-token + account-token
+     *  flows can coexist in one process without crosstalk. */
+    private permissionGroupsCache;
     private getR2PermissionGroups;
-    /** Delete a Cloudflare API token by id. Idempotent: 404 → "not-found". */
+    /** Delete a USER-scoped API token by id (`DELETE /user/tokens/{id}`).
+     *  Distinct from `deleteAccountToken` — this is used during
+     *  migration to clean up the legacy user-tokens hatchkit minted
+     *  before we switched provisioning to account tokens. Idempotent. */
     deleteApiToken(tokenId: string): Promise<"deleted" | "not-found">;
     /** Attach a custom domain (a hostname on a Cloudflare zone you own)
      *  to an R2 bucket. Idempotent — duplicates short-circuit via list. */

package/dist/utils/cloudflare-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cloudflare-api.d.ts","sourceRoot":"","sources":["../../src/utils/cloudflare-api.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAiBD,kCAAkC;AAClC,qBAAa,aAAa;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,SAAS,CAAC,CAAS;gBAEf,OAAO,EAAE,oBAAoB;YAK3B,OAAO;IAoBrB,iDAAiD;IAC3C,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAKpC;;;;;OAKG;IACG,SAAS,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IA2B5C,gEAAgE;IAC1D,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAOjE,6DAA6D;IACvD,UAAU,CACd,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,GAC3B,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC;IAQhG;;;qEAGiE;IAC3D,YAAY,CAChB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QACN,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAAC;QAC7B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GACA,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IA8B9D;4EACwE;IAClE,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;IA0BtF;;;gEAG4D;IACtD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQzE,0DAA0D;IACpD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IASzF;;;;;;;;;;;;;;;;;;;;+DAoB2D;IAoB3D;sEACkE;IAC5D,cAAc,CAClB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,UAAU,GAAG,kBAAkB,CAAA;KAAO,GACnF,OAAO,CAAC;QACT,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;IAwBF,gDAAgD;IAC1C,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;QACT,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,IAAI,CAAC;IAST;uEACmE;IAC7D,qBAAqB,CACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,UAAO,GACb,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAMlE;iDAC6C;IACvC,mBAAmB,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CACR,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,SAAS,CAAC,EAAE,MAAM,CAAC;YAAC,GAAG,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC,CAC3F;IAeD;;;;;;;;;;;;;;;;;;oEAkBgE;IAC1D,gBAAgB,CAAC,MAAM,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC;QAClB;kCAC0B;QAC1B,IAAI,EAAE,MAAM,CAAC;QACb,uEAAuE;QACvE,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB;8EACsE;QACtE,YAAY,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAAC;QAC5C,wEAAwE;QACxE,WAAW,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KACrC,GAAG,OAAO,CAAC;QACV,6DAA6D;QAC7D,OAAO,EAAE,MAAM,CAAC;QAChB,+CAA+C;QAC/C,UAAU,EAAE,MAAM,CAAC;QACnB,yEAAyE;QACzE,WAAW,EAAE,MAAM,CAAC;QACpB,sDAAsD;QACtD,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAkDF;;iCAE6B;IAC7B,OAAO,CAAC,qBAAqB,CAAC,CAAsC;YACtD,qBAAqB;IAiBnC,0EAA0E;IACpE,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;IAUvE;2EACuE;IACjE,iBAAiB,CACrB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAA;KAAE,GACjF,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAoB5E,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACjD,OAAO,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,OAAO,CAAC;YAAC,EAAE,EAAE,OAAO,CAAA;SAAE,CAAC,CAAC;QAC3D,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,MAAM,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9C,CAAC;CAkDH"}
+{"version":3,"file":"cloudflare-api.d.ts","sourceRoot":"","sources":["../../src/utils/cloudflare-api.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAiBD,kCAAkC;AAClC,qBAAa,aAAa;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,SAAS,CAAC,CAAS;gBAEf,OAAO,EAAE,oBAAoB;YAK3B,OAAO;IAoBrB,iDAAiD;IAC3C,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAKpC;;;;;OAKG;IACG,SAAS,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IA2B5C,gEAAgE;IAC1D,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAOjE,6DAA6D;IACvD,UAAU,CACd,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,GAC3B,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC;IAQhG;;;qEAGiE;IAC3D,YAAY,CAChB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QACN,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAAC;QAC7B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GACA,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IA8B9D;4EACwE;IAClE,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;IA0BtF;;;gEAG4D;IACtD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQzE,0DAA0D;IACpD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IASzF;;;;;;;;;;;;;;;;;;;;+DAoB2D;IAoB3D;sEACkE;IAC5D,cAAc,CAClB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,UAAU,GAAG,kBAAkB,CAAA;KAAO,GACnF,OAAO,CAAC;QACT,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,OAAO,CAAC;KAClB,CAAC;IAwBF,gDAAgD;IAC1C,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;QACT,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,IAAI,CAAC;IAST;;;;;;;;OAQG;IACG,cAAc,CAClB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,SAAS,GAAG,WAAW,GAAG,WAAW,CAAC;IAYjD;uEACmE;IAC7D,qBAAqB,CACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,UAAO,GACb,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAMlE;iDAC6C;IACvC,mBAAmB,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CACR,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,SAAS,CAAC,EAAE,MAAM,CAAC;YAAC,GAAG,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC,CAC3F;IAeD;;;;;;;;;;;;;;;;;;oEAkBgE;IAC1D,gBAAgB,CAAC,MAAM,EAAE;QAC7B,SAAS,EAAE,MAAM,CAAC;QAClB;kCAC0B;QAC1B,IAAI,EAAE,MAAM,CAAC;QACb,uEAAuE;QACvE,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB;8EACsE;QACtE,YAAY,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAAC;QAC5C,wEAAwE;QACxE,WAAW,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KACrC,GAAG,OAAO,CAAC;QACV,6DAA6D;QAC7D,OAAO,EAAE,MAAM,CAAC;QAChB,+CAA+C;QAC/C,UAAU,EAAE,MAAM,CAAC;QACnB,yEAAyE;QACzE,WAAW,EAAE,MAAM,CAAC;QACpB,sDAAsD;QACtD,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAkDF;;;;;;;;;;;;;;;;;OAiBG;IACG,oBAAoB,CAAC,MAAM,EAAE;QACjC,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,YAAY,CAAC,EAAE,SAAS,GAAG,IAAI,GAAG,SAAS,CAAC;QAC5C,WAAW,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KACrC,GAAG,OAAO,CAAC;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAmDF;;;gDAG4C;IACtC,eAAe,CACnB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAY/D;;wDAEoD;IAC9C,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;IAU9F;;;;;;;;8DAQ0D;IAC1D,OAAO,CAAC,qBAAqB,CAA+D;YAC9E,qBAAqB;IAwBnC;;;yEAGqE;IAC/D,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC;IAUvE;2EACuE;IACjE,iBAAiB,CACrB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAA;KAAE,GACjF,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;IAoB5E,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACjD,OAAO,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,OAAO,CAAC;YAAC,EAAE,EAAE,OAAO,CAAA;SAAE,CAAC,CAAC;QAC3D,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,MAAM,EAAE,KAAK,CAAC;YAAE,EAAE,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAC9C,CAAC;CAkDH"}