lorenz 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (249) hide show
  1. package/README.md +83 -20
  2. package/RELEASE-MANIFEST.json +6 -1
  3. package/node_modules/@lorenz/agent-sdk/dist/index.d.ts +1 -0
  4. package/node_modules/@lorenz/agent-sdk/dist/index.d.ts.map +1 -1
  5. package/node_modules/@lorenz/agent-sdk/dist/index.js +1 -0
  6. package/node_modules/@lorenz/agent-sdk/dist/index.js.map +1 -1
  7. package/node_modules/@lorenz/agent-sdk/dist/module.d.ts +38 -0
  8. package/node_modules/@lorenz/agent-sdk/dist/module.d.ts.map +1 -0
  9. package/node_modules/@lorenz/agent-sdk/dist/module.js +41 -0
  10. package/node_modules/@lorenz/agent-sdk/dist/module.js.map +1 -0
  11. package/node_modules/@lorenz/cli/dist/agentExecutorLoader.d.ts +30 -0
  12. package/node_modules/@lorenz/cli/dist/agentExecutorLoader.d.ts.map +1 -0
  13. package/node_modules/@lorenz/cli/dist/agentExecutorLoader.js +63 -0
  14. package/node_modules/@lorenz/cli/dist/agentExecutorLoader.js.map +1 -0
  15. package/node_modules/@lorenz/cli/dist/daemon.d.ts +42 -19
  16. package/node_modules/@lorenz/cli/dist/daemon.d.ts.map +1 -1
  17. package/node_modules/@lorenz/cli/dist/daemon.js +72 -23
  18. package/node_modules/@lorenz/cli/dist/daemon.js.map +1 -1
  19. package/node_modules/@lorenz/cli/dist/daemonLock.d.ts +59 -0
  20. package/node_modules/@lorenz/cli/dist/daemonLock.d.ts.map +1 -0
  21. package/node_modules/@lorenz/cli/dist/daemonLock.js +304 -0
  22. package/node_modules/@lorenz/cli/dist/daemonLock.js.map +1 -0
  23. package/node_modules/@lorenz/cli/dist/daemonStatus.d.ts +16 -0
  24. package/node_modules/@lorenz/cli/dist/daemonStatus.d.ts.map +1 -0
  25. package/node_modules/@lorenz/cli/dist/daemonStatus.js +21 -0
  26. package/node_modules/@lorenz/cli/dist/daemonStatus.js.map +1 -0
  27. package/node_modules/@lorenz/cli/dist/doctor.d.ts +6 -0
  28. package/node_modules/@lorenz/cli/dist/doctor.d.ts.map +1 -1
  29. package/node_modules/@lorenz/cli/dist/doctor.js +39 -2
  30. package/node_modules/@lorenz/cli/dist/doctor.js.map +1 -1
  31. package/node_modules/@lorenz/cli/dist/extensionLoader.d.ts +126 -0
  32. package/node_modules/@lorenz/cli/dist/extensionLoader.d.ts.map +1 -0
  33. package/node_modules/@lorenz/cli/dist/extensionLoader.js +187 -0
  34. package/node_modules/@lorenz/cli/dist/extensionLoader.js.map +1 -0
  35. package/node_modules/@lorenz/cli/dist/flags-manifest.d.ts +42 -0
  36. package/node_modules/@lorenz/cli/dist/flags-manifest.d.ts.map +1 -0
  37. package/node_modules/@lorenz/cli/dist/flags-manifest.js +67 -0
  38. package/node_modules/@lorenz/cli/dist/flags-manifest.js.map +1 -0
  39. package/node_modules/@lorenz/cli/dist/index.d.ts +6 -0
  40. package/node_modules/@lorenz/cli/dist/index.d.ts.map +1 -1
  41. package/node_modules/@lorenz/cli/dist/index.js +4 -0
  42. package/node_modules/@lorenz/cli/dist/index.js.map +1 -1
  43. package/node_modules/@lorenz/cli/dist/leadershipStore.d.ts +42 -0
  44. package/node_modules/@lorenz/cli/dist/leadershipStore.d.ts.map +1 -0
  45. package/node_modules/@lorenz/cli/dist/leadershipStore.js +2 -0
  46. package/node_modules/@lorenz/cli/dist/leadershipStore.js.map +1 -0
  47. package/node_modules/@lorenz/cli/dist/main.d.ts +11 -7
  48. package/node_modules/@lorenz/cli/dist/main.d.ts.map +1 -1
  49. package/node_modules/@lorenz/cli/dist/main.js +58 -8
  50. package/node_modules/@lorenz/cli/dist/main.js.map +1 -1
  51. package/node_modules/@lorenz/cli/dist/toolLoader.d.ts +28 -0
  52. package/node_modules/@lorenz/cli/dist/toolLoader.d.ts.map +1 -0
  53. package/node_modules/@lorenz/cli/dist/toolLoader.js +62 -0
  54. package/node_modules/@lorenz/cli/dist/toolLoader.js.map +1 -0
  55. package/node_modules/@lorenz/cli/dist/trackerLoader.d.ts +24 -0
  56. package/node_modules/@lorenz/cli/dist/trackerLoader.d.ts.map +1 -0
  57. package/node_modules/@lorenz/cli/dist/trackerLoader.js +34 -0
  58. package/node_modules/@lorenz/cli/dist/trackerLoader.js.map +1 -0
  59. package/node_modules/@lorenz/cli/dist/workerDriverLoader.d.ts +15 -55
  60. package/node_modules/@lorenz/cli/dist/workerDriverLoader.d.ts.map +1 -1
  61. package/node_modules/@lorenz/cli/dist/workerDriverLoader.js +26 -203
  62. package/node_modules/@lorenz/cli/dist/workerDriverLoader.js.map +1 -1
  63. package/node_modules/@lorenz/cli/package.json +1 -0
  64. package/node_modules/@lorenz/config/dist/index.d.ts +1 -1
  65. package/node_modules/@lorenz/config/dist/index.d.ts.map +1 -1
  66. package/node_modules/@lorenz/config/dist/index.js +1 -1
  67. package/node_modules/@lorenz/config/dist/index.js.map +1 -1
  68. package/node_modules/@lorenz/config/dist/parse.d.ts +17 -0
  69. package/node_modules/@lorenz/config/dist/parse.d.ts.map +1 -1
  70. package/node_modules/@lorenz/config/dist/parse.js +107 -11
  71. package/node_modules/@lorenz/config/dist/parse.js.map +1 -1
  72. package/node_modules/@lorenz/config/dist/schemas.d.ts +0 -2
  73. package/node_modules/@lorenz/config/dist/schemas.d.ts.map +1 -1
  74. package/node_modules/@lorenz/config/dist/schemas.js +5 -1
  75. package/node_modules/@lorenz/config/dist/schemas.js.map +1 -1
  76. package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.d.ts +55 -21
  77. package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.d.ts.map +1 -1
  78. package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.js +187 -82
  79. package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.js.map +1 -1
  80. package/node_modules/@lorenz/dispatch-coordinator/dist/gate.d.ts +6 -4
  81. package/node_modules/@lorenz/dispatch-coordinator/dist/gate.d.ts.map +1 -1
  82. package/node_modules/@lorenz/dispatch-coordinator/dist/gate.js +9 -6
  83. package/node_modules/@lorenz/dispatch-coordinator/dist/gate.js.map +1 -1
  84. package/node_modules/@lorenz/dispatch-coordinator/dist/index.d.ts +1 -1
  85. package/node_modules/@lorenz/dispatch-coordinator/dist/index.d.ts.map +1 -1
  86. package/node_modules/@lorenz/dispatch-coordinator/dist/index.js +5 -6
  87. package/node_modules/@lorenz/dispatch-coordinator/dist/index.js.map +1 -1
  88. package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.d.ts +7 -5
  89. package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.d.ts.map +1 -1
  90. package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.js +12 -10
  91. package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.js.map +1 -1
  92. package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.d.ts +11 -10
  93. package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.d.ts.map +1 -1
  94. package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.js +15 -22
  95. package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.js.map +1 -1
  96. package/node_modules/@lorenz/dispatch-coordinator/dist/types.d.ts +16 -15
  97. package/node_modules/@lorenz/dispatch-coordinator/dist/types.d.ts.map +1 -1
  98. package/node_modules/@lorenz/dispatch-coordinator/dist/types.js +6 -7
  99. package/node_modules/@lorenz/dispatch-coordinator/dist/types.js.map +1 -1
  100. package/node_modules/@lorenz/domain/dist/index.d.ts +75 -9
  101. package/node_modules/@lorenz/domain/dist/index.d.ts.map +1 -1
  102. package/node_modules/@lorenz/domain/dist/index.js +40 -0
  103. package/node_modules/@lorenz/domain/dist/index.js.map +1 -1
  104. package/node_modules/@lorenz/flags/dist/coerce.d.ts +12 -0
  105. package/node_modules/@lorenz/flags/dist/coerce.d.ts.map +1 -0
  106. package/node_modules/@lorenz/flags/dist/coerce.js +44 -0
  107. package/node_modules/@lorenz/flags/dist/coerce.js.map +1 -0
  108. package/node_modules/@lorenz/flags/dist/default.d.ts +6 -0
  109. package/node_modules/@lorenz/flags/dist/default.d.ts.map +1 -0
  110. package/node_modules/@lorenz/flags/dist/default.js +22 -0
  111. package/node_modules/@lorenz/flags/dist/default.js.map +1 -0
  112. package/node_modules/@lorenz/flags/dist/deprecations.d.ts +20 -0
  113. package/node_modules/@lorenz/flags/dist/deprecations.d.ts.map +1 -0
  114. package/node_modules/@lorenz/flags/dist/deprecations.js +42 -0
  115. package/node_modules/@lorenz/flags/dist/deprecations.js.map +1 -0
  116. package/node_modules/@lorenz/flags/dist/env.d.ts +17 -0
  117. package/node_modules/@lorenz/flags/dist/env.d.ts.map +1 -0
  118. package/node_modules/@lorenz/flags/dist/env.js +90 -0
  119. package/node_modules/@lorenz/flags/dist/env.js.map +1 -0
  120. package/node_modules/@lorenz/flags/dist/errors.d.ts +22 -0
  121. package/node_modules/@lorenz/flags/dist/errors.d.ts.map +1 -0
  122. package/node_modules/@lorenz/flags/dist/errors.js +61 -0
  123. package/node_modules/@lorenz/flags/dist/errors.js.map +1 -0
  124. package/node_modules/@lorenz/flags/dist/index.d.ts +8 -0
  125. package/node_modules/@lorenz/flags/dist/index.d.ts.map +1 -0
  126. package/node_modules/@lorenz/flags/dist/index.js +11 -0
  127. package/node_modules/@lorenz/flags/dist/index.js.map +1 -0
  128. package/node_modules/@lorenz/flags/dist/keys.d.ts +6 -0
  129. package/node_modules/@lorenz/flags/dist/keys.d.ts.map +1 -0
  130. package/node_modules/@lorenz/flags/dist/keys.js +15 -0
  131. package/node_modules/@lorenz/flags/dist/keys.js.map +1 -0
  132. package/node_modules/@lorenz/flags/dist/layers.d.ts +14 -0
  133. package/node_modules/@lorenz/flags/dist/layers.d.ts.map +1 -0
  134. package/node_modules/@lorenz/flags/dist/layers.js +107 -0
  135. package/node_modules/@lorenz/flags/dist/layers.js.map +1 -0
  136. package/node_modules/@lorenz/flags/dist/manifest.d.ts +71 -0
  137. package/node_modules/@lorenz/flags/dist/manifest.d.ts.map +1 -0
  138. package/node_modules/@lorenz/flags/dist/manifest.js +137 -0
  139. package/node_modules/@lorenz/flags/dist/manifest.js.map +1 -0
  140. package/node_modules/@lorenz/flags/dist/resolve.d.ts +8 -0
  141. package/node_modules/@lorenz/flags/dist/resolve.d.ts.map +1 -0
  142. package/node_modules/@lorenz/flags/dist/resolve.js +178 -0
  143. package/node_modules/@lorenz/flags/dist/resolve.js.map +1 -0
  144. package/node_modules/@lorenz/flags/dist/testing.d.ts +19 -0
  145. package/node_modules/@lorenz/flags/dist/testing.d.ts.map +1 -0
  146. package/node_modules/@lorenz/flags/dist/testing.js +68 -0
  147. package/node_modules/@lorenz/flags/dist/testing.js.map +1 -0
  148. package/node_modules/@lorenz/flags/dist/types.d.ts +93 -0
  149. package/node_modules/@lorenz/flags/dist/types.d.ts.map +1 -0
  150. package/node_modules/@lorenz/flags/dist/types.js +2 -0
  151. package/node_modules/@lorenz/flags/dist/types.js.map +1 -0
  152. package/node_modules/@lorenz/flags/package.json +16 -0
  153. package/node_modules/@lorenz/mcp/dist/agentEndpoint.d.ts +16 -3
  154. package/node_modules/@lorenz/mcp/dist/agentEndpoint.d.ts.map +1 -1
  155. package/node_modules/@lorenz/mcp/dist/agentEndpoint.js +105 -17
  156. package/node_modules/@lorenz/mcp/dist/agentEndpoint.js.map +1 -1
  157. package/node_modules/@lorenz/mcp/dist/auth.d.ts +88 -0
  158. package/node_modules/@lorenz/mcp/dist/auth.d.ts.map +1 -1
  159. package/node_modules/@lorenz/mcp/dist/auth.js +53 -0
  160. package/node_modules/@lorenz/mcp/dist/auth.js.map +1 -1
  161. package/node_modules/@lorenz/mcp/dist/index.d.ts +3 -2
  162. package/node_modules/@lorenz/mcp/dist/index.d.ts.map +1 -1
  163. package/node_modules/@lorenz/mcp/dist/index.js +1 -1
  164. package/node_modules/@lorenz/mcp/dist/index.js.map +1 -1
  165. package/node_modules/@lorenz/mcp/dist/server.d.ts +22 -0
  166. package/node_modules/@lorenz/mcp/dist/server.d.ts.map +1 -1
  167. package/node_modules/@lorenz/mcp/dist/server.js +85 -12
  168. package/node_modules/@lorenz/mcp/dist/server.js.map +1 -1
  169. package/node_modules/@lorenz/orchestrator/dist/claimStore.d.ts +157 -0
  170. package/node_modules/@lorenz/orchestrator/dist/claimStore.d.ts.map +1 -0
  171. package/node_modules/@lorenz/orchestrator/dist/claimStore.js +621 -0
  172. package/node_modules/@lorenz/orchestrator/dist/claimStore.js.map +1 -0
  173. package/node_modules/@lorenz/orchestrator/dist/codec.d.ts +38 -0
  174. package/node_modules/@lorenz/orchestrator/dist/codec.d.ts.map +1 -0
  175. package/node_modules/@lorenz/orchestrator/dist/codec.js +176 -0
  176. package/node_modules/@lorenz/orchestrator/dist/codec.js.map +1 -0
  177. package/node_modules/@lorenz/orchestrator/dist/index.d.ts +55 -51
  178. package/node_modules/@lorenz/orchestrator/dist/index.d.ts.map +1 -1
  179. package/node_modules/@lorenz/orchestrator/dist/index.js +285 -45
  180. package/node_modules/@lorenz/orchestrator/dist/index.js.map +1 -1
  181. package/node_modules/@lorenz/orchestrator/dist/sqlite.d.ts +34 -0
  182. package/node_modules/@lorenz/orchestrator/dist/sqlite.d.ts.map +1 -0
  183. package/node_modules/@lorenz/orchestrator/dist/sqlite.js +142 -0
  184. package/node_modules/@lorenz/orchestrator/dist/sqlite.js.map +1 -0
  185. package/node_modules/@lorenz/orchestrator/dist/state.d.ts +47 -0
  186. package/node_modules/@lorenz/orchestrator/dist/state.d.ts.map +1 -0
  187. package/node_modules/@lorenz/orchestrator/dist/state.js +15 -0
  188. package/node_modules/@lorenz/orchestrator/dist/state.js.map +1 -0
  189. package/node_modules/@lorenz/orchestrator/dist/turso.d.ts +28 -0
  190. package/node_modules/@lorenz/orchestrator/dist/turso.d.ts.map +1 -0
  191. package/node_modules/@lorenz/orchestrator/dist/turso.js +125 -0
  192. package/node_modules/@lorenz/orchestrator/dist/turso.js.map +1 -0
  193. package/node_modules/@lorenz/orchestrator/package.json +6 -2
  194. package/node_modules/@lorenz/presenter/dist/index.d.ts +14 -0
  195. package/node_modules/@lorenz/presenter/dist/index.d.ts.map +1 -1
  196. package/node_modules/@lorenz/presenter/dist/index.js +18 -0
  197. package/node_modules/@lorenz/presenter/dist/index.js.map +1 -1
  198. package/node_modules/@lorenz/projections/dist/index.d.ts.map +1 -1
  199. package/node_modules/@lorenz/projections/dist/index.js +1 -0
  200. package/node_modules/@lorenz/projections/dist/index.js.map +1 -1
  201. package/node_modules/@lorenz/runtime/dist/index.d.ts +27 -8
  202. package/node_modules/@lorenz/runtime/dist/index.d.ts.map +1 -1
  203. package/node_modules/@lorenz/runtime/dist/index.js +422 -98
  204. package/node_modules/@lorenz/runtime/dist/index.js.map +1 -1
  205. package/node_modules/@lorenz/runtime-events/dist/index.d.ts +14 -0
  206. package/node_modules/@lorenz/runtime-events/dist/index.d.ts.map +1 -1
  207. package/node_modules/@lorenz/server/dist/index.js +1 -1
  208. package/node_modules/@lorenz/server/dist/index.js.map +1 -1
  209. package/node_modules/@lorenz/ssh/dist/index.d.ts +2 -0
  210. package/node_modules/@lorenz/ssh/dist/index.d.ts.map +1 -1
  211. package/node_modules/@lorenz/ssh/dist/index.js +2 -1
  212. package/node_modules/@lorenz/ssh/dist/index.js.map +1 -1
  213. package/node_modules/@lorenz/tool-sdk/dist/index.d.ts +1 -0
  214. package/node_modules/@lorenz/tool-sdk/dist/index.d.ts.map +1 -1
  215. package/node_modules/@lorenz/tool-sdk/dist/index.js +1 -0
  216. package/node_modules/@lorenz/tool-sdk/dist/index.js.map +1 -1
  217. package/node_modules/@lorenz/tool-sdk/dist/module.d.ts +38 -0
  218. package/node_modules/@lorenz/tool-sdk/dist/module.d.ts.map +1 -0
  219. package/node_modules/@lorenz/tool-sdk/dist/module.js +42 -0
  220. package/node_modules/@lorenz/tool-sdk/dist/module.js.map +1 -0
  221. package/node_modules/@lorenz/tracker-sdk/dist/index.d.ts +1 -0
  222. package/node_modules/@lorenz/tracker-sdk/dist/index.d.ts.map +1 -1
  223. package/node_modules/@lorenz/tracker-sdk/dist/index.js +1 -0
  224. package/node_modules/@lorenz/tracker-sdk/dist/index.js.map +1 -1
  225. package/node_modules/@lorenz/tracker-sdk/dist/module.d.ts +37 -0
  226. package/node_modules/@lorenz/tracker-sdk/dist/module.d.ts.map +1 -0
  227. package/node_modules/@lorenz/tracker-sdk/dist/module.js +38 -0
  228. package/node_modules/@lorenz/tracker-sdk/dist/module.js.map +1 -0
  229. package/node_modules/@lorenz/worker-host-pool/dist/index.d.ts +34 -6
  230. package/node_modules/@lorenz/worker-host-pool/dist/index.d.ts.map +1 -1
  231. package/node_modules/@lorenz/worker-host-pool/dist/index.js +110 -143
  232. package/node_modules/@lorenz/worker-host-pool/dist/index.js.map +1 -1
  233. package/node_modules/@lorenz/worker-sdk/dist/index.d.ts +1 -0
  234. package/node_modules/@lorenz/worker-sdk/dist/index.d.ts.map +1 -1
  235. package/node_modules/@lorenz/worker-sdk/dist/index.js +1 -0
  236. package/node_modules/@lorenz/worker-sdk/dist/index.js.map +1 -1
  237. package/node_modules/@lorenz/worker-sdk/dist/local.d.ts +74 -0
  238. package/node_modules/@lorenz/worker-sdk/dist/local.d.ts.map +1 -0
  239. package/node_modules/@lorenz/worker-sdk/dist/local.js +112 -0
  240. package/node_modules/@lorenz/worker-sdk/dist/local.js.map +1 -0
  241. package/node_modules/@lorenz/worker-sdk/dist/module.d.ts +8 -16
  242. package/node_modules/@lorenz/worker-sdk/dist/module.d.ts.map +1 -1
  243. package/node_modules/@lorenz/worker-sdk/dist/module.js +15 -35
  244. package/node_modules/@lorenz/worker-sdk/dist/module.js.map +1 -1
  245. package/node_modules/@lorenz/workflow/dist/index.d.ts +11 -0
  246. package/node_modules/@lorenz/workflow/dist/index.d.ts.map +1 -1
  247. package/node_modules/@lorenz/workflow/dist/index.js +3 -0
  248. package/node_modules/@lorenz/workflow/dist/index.js.map +1 -1
  249. package/package.json +4 -1
@@ -1,6 +1,6 @@
1
1
  import { httpUrlHost, isRecord, normalizeHttpBindHost, } from "@lorenz/domain";
2
2
  import { startMcpServer } from "./server.js";
3
- import { issueMcpToken, mcpAuthScopeForSettings, revokeMcpToken } from "./auth.js";
3
+ import { issueMcpToken, issueRunMcpToken, mcpAuthScopeForSettings, revokeMcpToken, revokeRunClaim, } from "./auth.js";
4
4
  export function trackerMcpServerName(kind) {
5
5
  return `lorenz_${(kind ?? "tracker").replace(/[^A-Za-z0-9_]/g, "_")}`;
6
6
  }
@@ -8,6 +8,19 @@ const mcpPath = "/mcp";
8
8
  const configuredMcpProbeId = "lorenz-configured-mcp-probe";
9
9
  const localMcpServers = new Map();
10
10
  const localMcpServerLocks = new Map();
11
+ /**
12
+ * Monotonic generation per host:port slot, surviving entry teardown so a
13
+ * recreated entry gets a STRICTLY higher generation than the one it replaces.
14
+ * The fence (re-checked per request via the injected `isRunLive`) rejects any
15
+ * Token B minted against a prior, now-recycled generation of the same slot.
16
+ */
17
+ const localMcpServerGenerations = new Map();
18
+ /**
19
+ * Coarse lifetime cap on a per-run claim (Token B). The claim is primarily
20
+ * run-lifetime-bound via the injected `isRunLive` re-check; this backstop only
21
+ * bounds a leaked token that somehow outlives both its run and its generation.
22
+ */
23
+ const runClaimMaxLifetimeMs = 24 * 60 * 60 * 1000;
11
24
  export async function acquireAgentMcpEndpoint(settings, workerHost, tunnels) {
12
25
  let endpoint = null;
13
26
  let token = null;
@@ -22,6 +35,7 @@ export async function acquireAgentMcpEndpoint(settings, workerHost, tunnels) {
22
35
  return {
23
36
  url: endpoint.url,
24
37
  token,
38
+ generation: endpoint.generation,
25
39
  acpServer: () => ({
26
40
  type: "http",
27
41
  name: trackerMcpServerName(settings.tracker.kind),
@@ -56,18 +70,35 @@ export async function acquireAgentMcpEndpoint(settings, workerHost, tunnels) {
56
70
  throw error;
57
71
  }
58
72
  }
59
- export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey, tunnels) {
73
+ export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey, tunnels, isRunLive) {
74
+ // Token B is bound to a per-run claim whose `workerHost` is the run's REAL ssh
75
+ // host (the gateway re-checks `isRunLive(runKey, workerHost, generation)` against
76
+ // it). An empty `workerHost` denotes a LOCAL/acp run, routed through the per-run
77
+ // manager's null/local path - it must NEVER reach this minting path. Fail loud:
78
+ // a local run here would otherwise mint a claim stamped `workerHost: ""` that
79
+ // `isRunLive` could match against any other local slot, and the per-run claim
80
+ // model only applies to real remote hosts.
81
+ if (workerHost.length === 0) {
82
+ throw new Error("per_run_mcp_endpoint_requires_remote_worker_host");
83
+ }
60
84
  let endpoint = null;
61
85
  let token = null;
62
86
  let released = false;
63
87
  try {
64
88
  const configuredToken = issueConfiguredMcpToken(settings);
65
- token = configuredToken?.token ?? null;
66
- endpoint = await acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels);
67
- token ??= issueMcpToken(endpoint.authScope);
89
+ endpoint = await acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels, isRunLive);
90
+ // The per-run lease is scoped solely by Token B (minted below), never by the
91
+ // settings-wide token, so revoke any configured token immediately.
92
+ revokeMcpToken(configuredToken?.token);
93
+ // Mint Token B: an opaque per-run token bound to a server-side claim. The
94
+ // claim's generation was captured BEFORE the `openForRun` await (see
95
+ // `acquirePerRunMcpEndpoint`), so a host recycle that bumps the slot's
96
+ // generation strands this token at the per-request liveness fence.
97
+ token = issueRunMcpToken(runClaimForLease(endpoint, settings, workerHost, runKey));
68
98
  return {
69
99
  url: endpoint.url,
70
100
  token,
101
+ generation: endpoint.generation,
71
102
  acpServer: () => ({
72
103
  type: "http",
73
104
  name: trackerMcpServerName(settings.tracker.kind),
@@ -78,7 +109,7 @@ export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey
78
109
  if (released)
79
110
  return;
80
111
  released = true;
81
- revokeMcpToken(token);
112
+ revokeRunClaim(token);
82
113
  tunnels.closeForRun(workerHost, runKey);
83
114
  if (endpoint?.localServer)
84
115
  await releaseLocalMcpServer(endpoint.localServer);
@@ -86,13 +117,32 @@ export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey
86
117
  };
87
118
  }
88
119
  catch (error) {
89
- revokeMcpToken(token);
120
+ revokeRunClaim(token);
90
121
  tunnels.closeForRun(workerHost, runKey);
91
122
  if (endpoint?.localServer)
92
123
  await releaseLocalMcpServer(endpoint.localServer);
93
124
  throw error;
94
125
  }
95
126
  }
127
+ /**
128
+ * Build the server-side per-run claim (Token B) for a freshly-acquired per-run
129
+ * endpoint. `runKey` is the issue-scoped `${issueId}#${slotIndex}` the
130
+ * coordinator mints, so `issueId` is recovered as the part before the first
131
+ * `#`. The generation is the endpoint's captured-before-`openForRun` value, and
132
+ * `allowedTools` is left unset (the rest of the claim - liveness + generation +
133
+ * expiry - gates the run; per-tool scoping is layered in later).
134
+ */
135
+ function runClaimForLease(endpoint, settings, workerHost, runKey) {
136
+ const issueId = runKey.split("#", 1)[0] ?? runKey;
137
+ return {
138
+ runKey,
139
+ workerHost,
140
+ issueId,
141
+ generation: endpoint.generation,
142
+ expiresAt: Date.now() + runClaimMaxLifetimeMs,
143
+ settingsScope: endpoint.authScope,
144
+ };
145
+ }
96
146
  async function localMcpEndpoint(settings, configuredToken) {
97
147
  const localServer = await ensureLocalMcpServer(settings, configuredToken);
98
148
  const serverHost = normalizeHttpBindHost(settings.server.host);
@@ -102,6 +152,7 @@ async function localMcpEndpoint(settings, configuredToken) {
102
152
  authScope: configuredToken?.authScope ??
103
153
  localServer?.handle.authScope ??
104
154
  mcpAuthScopeForSettings(settings, serverHost, configuredPort),
155
+ generation: localServer?.generation ?? 1,
105
156
  localServer: localServer ?? undefined,
106
157
  };
107
158
  }
@@ -121,6 +172,7 @@ async function acquireRemoteMcpEndpoint(workerHost, settings, configuredToken, t
121
172
  authScope: configuredToken?.authScope ??
122
173
  localServer?.handle.authScope ??
123
174
  mcpAuthScopeForSettings(settings, normalizeHttpBindHost(settings.server.host), localPort),
175
+ generation: localServer?.generation ?? 1,
124
176
  releaseTunnel: () => tunnels.releaseRemoteMcpTunnel(tunnel),
125
177
  localServer: localServer ?? undefined,
126
178
  };
@@ -131,14 +183,24 @@ async function acquireRemoteMcpEndpoint(workerHost, settings, configuredToken, t
131
183
  throw error;
132
184
  }
133
185
  }
134
- async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels) {
186
+ async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels, isRunLive) {
135
187
  // The refcounted local MCP server is acquired BEFORE the per-run tunnel is
136
188
  // opened. If anything after this point throws (notably `openForRun` failing
137
189
  // to spawn the reverse tunnel), this function rejects before returning an
138
190
  // McpEndpoint, so the caller never sees `localServer` and cannot release it.
139
191
  // Drop the ref here so repeated tunnel-spawn failures don't leak refcounted
140
- // local MCP servers / their listeners.
141
- const localServer = await ensureLocalMcpServer(settings, configuredToken);
192
+ // local MCP servers / their listeners. The per-run server is mounted with the
193
+ // injected `isRunLive` oracle so its Token B middleware enforces the owner
194
+ // re-check + generation fence on every request. `requireOwnedServer: true`
195
+ // refuses to attach to a foreign server lorenz cannot enforce that fence over
196
+ // (see `ensureLocalMcpServer`).
197
+ const localServer = await ensureLocalMcpServer(settings, configuredToken, isRunLive, true);
198
+ // Capture the shared local server's generation BEFORE the `openForRun` await.
199
+ // The event loop is single-writer only BETWEEN awaits, so stamping the claim
200
+ // with the generation live at this point (not re-read after the await, when a
201
+ // recycle may have bumped it) makes a stale token fail the per-request liveness
202
+ // fence instead of silently inheriting a generation it was never minted against.
203
+ const generation = localServer?.generation ?? 1;
142
204
  try {
143
205
  const localHost = "127.0.0.1";
144
206
  const localPort = localServer?.handle.port ?? settings.server.port;
@@ -151,6 +213,7 @@ async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configured
151
213
  authScope: configuredToken?.authScope ??
152
214
  localServer?.handle.authScope ??
153
215
  mcpAuthScopeForSettings(settings, normalizeHttpBindHost(settings.server.host), localPort),
216
+ generation,
154
217
  localServer: localServer ?? undefined,
155
218
  };
156
219
  }
@@ -160,7 +223,7 @@ async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configured
160
223
  throw error;
161
224
  }
162
225
  }
163
- async function ensureLocalMcpServer(settings, configuredToken) {
226
+ async function ensureLocalMcpServer(settings, configuredToken, isRunLive, requireOwnedServer = false) {
164
227
  const configuredPort = settings.server.port;
165
228
  const serverHost = normalizeHttpBindHost(settings.server.host);
166
229
  if (typeof configuredPort === "number" && configuredPort > 0) {
@@ -176,21 +239,39 @@ async function ensureLocalMcpServer(settings, configuredToken) {
176
239
  throw new Error("configured_mcp_server_conflict");
177
240
  }
178
241
  existing.refCount += 1;
179
- return { key, handle: existing.handle };
242
+ return { key, handle: existing.handle, generation: existing.generation };
180
243
  }
181
- if (await configuredMcpServerReachable(settings, configuredToken.token))
244
+ if (await configuredMcpServerReachable(settings, configuredToken.token)) {
245
+ // A foreign MCP server is already reachable on the configured port. The
246
+ // ACP/local path ATTACHES to it (returns null); but the per-run claim path
247
+ // sets `requireOwnedServer` because lorenz cannot enforce its Token B owner
248
+ // re-check / generation fence against a server it does not own - attaching
249
+ // would silently bypass the per-run claim model. Refuse loudly instead.
250
+ if (requireOwnedServer) {
251
+ throw new Error("per_run_mcp_endpoint_requires_lorenz_owned_server");
252
+ }
182
253
  return null;
254
+ }
183
255
  const handle = await startMcpServer(settings, {
184
256
  host: serverHost,
185
257
  port: configuredPort,
186
258
  authScope: identity,
259
+ isRunLive,
187
260
  });
188
- localMcpServers.set(key, { handle, identity, refCount: 1 });
189
- return { key, handle };
261
+ // Bump the slot's generation when a brand-new entry replaces a torn-down
262
+ // one. The first entry for a key gets generation 1; each recycle is
263
+ // strictly higher, so any Token B stamped with the prior generation is
264
+ // fenced out by the per-request liveness re-check.
265
+ const generation = (localMcpServerGenerations.get(key) ?? 0) + 1;
266
+ localMcpServerGenerations.set(key, generation);
267
+ localMcpServers.set(key, { handle, identity, refCount: 1, generation });
268
+ return { key, handle, generation };
190
269
  });
191
270
  }
192
- const handle = await startMcpServer(settings, { host: serverHost, port: 0 });
193
- return { key: null, handle };
271
+ const handle = await startMcpServer(settings, { host: serverHost, port: 0, isRunLive });
272
+ // Ephemeral (port 0) servers are not shared/refcounted, so each lease is its
273
+ // own generation-1 slot stopped on release; nothing recycles it in place.
274
+ return { key: null, handle, generation: 1 };
194
275
  }
195
276
  function issueConfiguredMcpToken(settings) {
196
277
  const configuredPort = settings.server.port;
@@ -227,6 +308,13 @@ async function releaseLocalMcpServer(lease) {
227
308
  const entry = localMcpServers.get(key);
228
309
  if (!entry)
229
310
  return;
311
+ // Generation fence: this lease was taken against an OLDER entry that has
312
+ // since been fully torn down and recreated (host recycle bumped the slot's
313
+ // generation). A fresh owner holds the live entry's ref, so a late release
314
+ // from the prior generation must NOT decrement the new entry's refcount and
315
+ // tear down a server that is still in use.
316
+ if (lease.generation < entry.generation)
317
+ return;
230
318
  if (entry.refCount > 1) {
231
319
  entry.refCount -= 1;
232
320
  return;
@@ -1 +1 @@
1
- {"version":3,"file":"agentEndpoint.js","sourceRoot":"","sources":["../src/agentEndpoint.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,QAAQ,EACR,qBAAqB,GAGtB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAkC,MAAM,aAAa,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,uBAAuB,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEnF,MAAM,UAAU,oBAAoB,CAAC,IAA6B;IAChE,OAAO,UAAU,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,CAAC;AACxE,CAAC;AA6DD,MAAM,OAAO,GAAG,MAAM,CAAC;AACvB,MAAM,oBAAoB,GAAG,6BAA6B,CAAC;AAC3D,MAAM,eAAe,GAAG,IAAI,GAAG,EAA+B,CAAC;AAC/D,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAyB,CAAC;AAE7D,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAkB,EAClB,UAA0B,EAC1B,OAAkC;IAElC,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,KAAK,GAAG,eAAe,EAAE,KAAK,IAAI,IAAI,CAAC;QACvC,QAAQ,GAAG,UAAU;YACnB,CAAC,CAAC,MAAM,wBAAwB,CAAC,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,CAAC;YAChF,CAAC,CAAC,MAAM,gBAAgB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QACtD,KAAK,KAAK,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,IAAI,CAAC;oBACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;gBAC9B,CAAC;wBAAS,CAAC;oBACT,IAAI,QAAQ,EAAE,WAAW;wBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,CAAC;YACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,wFAAwF;QAC1F,CAAC;QACD,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,QAAkB,EAClB,UAAkB,EAClB,MAAc,EACd,OAAiC;IAEjC,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,KAAK,GAAG,eAAe,EAAE,KAAK,IAAI,IAAI,CAAC;QACvC,QAAQ,GAAG,MAAM,wBAAwB,CACvC,UAAU,EACV,MAAM,EACN,QAAQ,EACR,eAAe,EACf,OAAO,CACR,CAAC;QACF,KAAK,KAAK,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBACxC,IAAI,QAAQ,EAAE,WAAW;oBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC/E,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAkB,EAClB,eAAsC;IAEtC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC;QACpF,SAAS,EACP,eAAe,EAAE,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC;QAC/D,WAAW,EAAE,WAAW,IAAI,SAAS;KACtC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,QAAkB,EAClB,eAAsC,EACtC,OAA6C;IAE7C,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC1E,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACtF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,aAAa,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,CAAC;YAC3D,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,MAAc,EACd,QAAkB,EAClB,eAAsC,EACtC,OAAiC;IAEjC,2EAA2E;IAC3E,4EAA4E;IAC5E,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,uCAAuC;IACvC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAClF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAkB,EAClB,eAAsC;IAEtC,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,cAAc,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAC/E,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;gBACpD,CAAC;gBACD,QAAQ,CAAC,QAAQ,IAAI,CAAC,CAAC;gBACvB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC1C,CAAC;YACD,IAAI,MAAM,4BAA4B,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE;gBAC5C,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,cAAc;gBACpB,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YACH,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7E,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAChF,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAI,GAAW,EAAE,MAAwB;IAC5E,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACnE,IAAI,OAAoB,CAAC;IACzB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAC5C,OAAO,GAAG,OAAO,CAAC;IACpB,CAAC,CAAC,CAAC;IACH,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,QAAQ,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,EAAE,CAAC;IACxB,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;QACV,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO;YAAE,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,KAA0B;IAC7D,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACtB,MAAM,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,4BAA4B,CAAC,QAAkB,EAAE,KAAa;IAC3E,MAAM,GAAG,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,oBAAoB;gBACxB,MAAM,EAAE,YAAY;aACrB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC;SACjC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,IAAI,CAAC,EAAE,KAAK,oBAAoB,EAAE,CAAC;YAClF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAkB;IAC/C,OAAO,UAAU,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;AACzF,CAAC"}
1
+ {"version":3,"file":"agentEndpoint.js","sourceRoot":"","sources":["../src/agentEndpoint.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,QAAQ,EACR,qBAAqB,GAGtB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAkD,MAAM,aAAa,CAAC;AAC7F,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,EACd,cAAc,GAEf,MAAM,WAAW,CAAC;AAEnB,MAAM,UAAU,oBAAoB,CAAC,IAA6B;IAChE,OAAO,UAAU,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,CAAC;AACxE,CAAC;AA6FD,MAAM,OAAO,GAAG,MAAM,CAAC;AACvB,MAAM,oBAAoB,GAAG,6BAA6B,CAAC;AAC3D,MAAM,eAAe,GAAG,IAAI,GAAG,EAA+B,CAAC;AAC/D,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAyB,CAAC;AAC7D;;;;;GAKG;AACH,MAAM,yBAAyB,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE5D;;;;GAIG;AACH,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAElD,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAkB,EAClB,UAA0B,EAC1B,OAAkC;IAElC,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,KAAK,GAAG,eAAe,EAAE,KAAK,IAAI,IAAI,CAAC;QACvC,QAAQ,GAAG,UAAU;YACnB,CAAC,CAAC,MAAM,wBAAwB,CAAC,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,CAAC;YAChF,CAAC,CAAC,MAAM,gBAAgB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QACtD,KAAK,KAAK,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,IAAI,CAAC;oBACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;gBAC9B,CAAC;wBAAS,CAAC;oBACT,IAAI,QAAQ,EAAE,WAAW;wBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,CAAC;YACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,wFAAwF;QAC1F,CAAC;QACD,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,QAAkB,EAClB,UAAkB,EAClB,MAAc,EACd,OAAiC,EACjC,SAAqB;IAErB,+EAA+E;IAC/E,kFAAkF;IAClF,iFAAiF;IACjF,gFAAgF;IAChF,8EAA8E;IAC9E,8EAA8E;IAC9E,2CAA2C;IAC3C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,QAAQ,GAAG,MAAM,wBAAwB,CACvC,UAAU,EACV,MAAM,EACN,QAAQ,EACR,eAAe,EACf,OAAO,EACP,SAAS,CACV,CAAC;QACF,6EAA6E;QAC7E,mEAAmE;QACnE,cAAc,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;QACvC,0EAA0E;QAC1E,qEAAqE;QACrE,uEAAuE;QACvE,mEAAmE;QACnE,KAAK,GAAG,gBAAgB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;QACnF,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBACxC,IAAI,QAAQ,EAAE,WAAW;oBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC/E,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,gBAAgB,CACvB,QAAqB,EACrB,QAAkB,EAClB,UAAkB,EAClB,MAAc;IAEd,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAClD,OAAO;QACL,MAAM;QACN,UAAU;QACV,OAAO;QACP,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,qBAAqB;QAC7C,aAAa,EAAE,QAAQ,CAAC,SAAS;KAClC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAkB,EAClB,eAAsC;IAEtC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC;QACpF,SAAS,EACP,eAAe,EAAE,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC;QAC/D,UAAU,EAAE,WAAW,EAAE,UAAU,IAAI,CAAC;QACxC,WAAW,EAAE,WAAW,IAAI,SAAS;KACtC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,QAAkB,EAClB,eAAsC,EACtC,OAA6C;IAE7C,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC1E,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACtF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,UAAU,EAAE,WAAW,EAAE,UAAU,IAAI,CAAC;YACxC,aAAa,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,CAAC;YAC3D,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,MAAc,EACd,QAAkB,EAClB,eAAsC,EACtC,OAAiC,EACjC,SAAqB;IAErB,2EAA2E;IAC3E,4EAA4E;IAC5E,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,8EAA8E;IAC9E,2EAA2E;IAC3E,2EAA2E;IAC3E,8EAA8E;IAC9E,gCAAgC;IAChC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3F,8EAA8E;IAC9E,6EAA6E;IAC7E,8EAA8E;IAC9E,gFAAgF;IAChF,iFAAiF;IACjF,MAAM,UAAU,GAAG,WAAW,EAAE,UAAU,IAAI,CAAC,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAClF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,UAAU;YACV,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAkB,EAClB,eAAsC,EACtC,SAAqB,EACrB,kBAAkB,GAAG,KAAK;IAE1B,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,cAAc,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAC/E,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;gBACpD,CAAC;gBACD,QAAQ,CAAC,QAAQ,IAAI,CAAC,CAAC;gBACvB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3E,CAAC;YACD,IAAI,MAAM,4BAA4B,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxE,wEAAwE;gBACxE,2EAA2E;gBAC3E,4EAA4E;gBAC5E,2EAA2E;gBAC3E,wEAAwE;gBACxE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBACvE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE;gBAC5C,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,cAAc;gBACpB,SAAS,EAAE,QAAQ;gBACnB,SAAS;aACV,CAAC,CAAC;YACH,yEAAyE;YACzE,oEAAoE;YACpE,uEAAuE;YACvE,mDAAmD;YACnD,MAAM,UAAU,GAAG,CAAC,yBAAyB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACjE,yBAAyB,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YAC/C,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;YACxE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IACxF,6EAA6E;IAC7E,0EAA0E;IAC1E,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAChF,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAI,GAAW,EAAE,MAAwB;IAC5E,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACnE,IAAI,OAAoB,CAAC;IACzB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAC5C,OAAO,GAAG,OAAO,CAAC;IACpB,CAAC,CAAC,CAAC;IACH,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,QAAQ,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,EAAE,CAAC;IACxB,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;QACV,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO;YAAE,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,KAA0B;IAC7D,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACtB,MAAM,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,yEAAyE;QACzE,2EAA2E;QAC3E,2EAA2E;QAC3E,4EAA4E;QAC5E,2CAA2C;QAC3C,IAAI,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU;YAAE,OAAO;QAChD,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,4BAA4B,CAAC,QAAkB,EAAE,KAAa;IAC3E,MAAM,GAAG,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,oBAAoB;gBACxB,MAAM,EAAE,YAAY;aACrB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC;SACjC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,IAAI,CAAC,EAAE,KAAK,oBAAoB,EAAE,CAAC;YAClF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAkB;IAC/C,OAAO,UAAU,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;AACzF,CAAC"}
@@ -4,4 +4,92 @@ export declare function mcpAuthScopeForSettings(settings: Settings, host: string
4
4
  export declare function issueMcpToken(scope?: string): string;
5
5
  export declare function revokeMcpToken(token: string | null | undefined): void;
6
6
  export declare function validMcpToken(token: string | null | undefined, scope?: string): boolean;
7
+ /**
8
+ * The server-side claim record a per-run MCP token (Token B) resolves to.
9
+ *
10
+ * The token bytes stay opaque (`randomBytes(32)`); all scope lives here, in a
11
+ * daemon-minted Map that is the sole authority. This is an unguessable-bearer
12
+ * property, NOT platform attestation: the worker only ever presents its token
13
+ * and the daemon resolves the claim. `runKey` is therefore resolved
14
+ * server-side from the token and a self-reported `runKey` header is never
15
+ * trusted.
16
+ */
17
+ export interface RunClaim {
18
+ /** The run this token authorizes. Resolved server-side; never self-reported. */
19
+ runKey: string;
20
+ /** The worker host the run is pinned to. Empty string means a local/acp run. */
21
+ workerHost: string;
22
+ /** The issue the run is working. */
23
+ issueId: string;
24
+ /**
25
+ * Monotonic generation of the shared endpoint this claim was minted against.
26
+ * Bumped on host recycle; a request whose claim generation no longer matches
27
+ * the live endpoint is a late/torn-down token and must be rejected.
28
+ */
29
+ generation: number;
30
+ /**
31
+ * Coarse safety cap on the claim's lifetime (epoch millis). The claim is
32
+ * primarily run-lifetime-bound via the injected `isRunLive` re-check; this is
33
+ * only a backstop so a leaked token cannot live forever.
34
+ */
35
+ expiresAt: number;
36
+ /**
37
+ * The coarse settings fingerprint (Token A side, `mcpAuthScopeForSettings`).
38
+ * Kept as a cheap pre-filter; it does NOT carry per-run identity.
39
+ */
40
+ settingsScope: string;
41
+ /**
42
+ * Per-operation allowlist: the tool names this run may call. `undefined`
43
+ * means no restriction beyond the rest of the claim (every mounted tool).
44
+ */
45
+ allowedTools?: readonly string[];
46
+ }
47
+ /**
48
+ * Mint an opaque per-run token (Token B) bound to {@link claim}. The token
49
+ * bytes carry no scope; the returned claim is resolved server-side on every
50
+ * request via {@link resolveRunClaim}.
51
+ */
52
+ export declare function issueRunMcpToken(claim: RunClaim): string;
53
+ /**
54
+ * Resolve the claim for an opaque per-run token. This is the ONLY source of a
55
+ * request's `runKey`; callers must never trust a self-reported header. Returns
56
+ * `undefined` for unknown/revoked tokens (fail closed at the call site).
57
+ */
58
+ export declare function resolveRunClaim(token: string | null | undefined): RunClaim | undefined;
59
+ /** Revoke a per-run token, dropping its claim. Safe no-op on unknown input. */
60
+ export declare function revokeRunClaim(token: string | null | undefined): void;
61
+ /** Inputs to {@link checkRunClaim}: what the request is asking to do. */
62
+ export interface RunClaimRequest {
63
+ /** The tool being invoked (`tools/call` name), if this is a tool request. */
64
+ toolName?: string | null;
65
+ /**
66
+ * Read-only liveness oracle injected from the composition root. Returns false
67
+ * once the run is settled/recycled/superseded. The generation argument lets
68
+ * liveness be paired with the generation fence so a momentary liveness lie
69
+ * still fails on a stale generation.
70
+ */
71
+ isRunLive: (runKey: string, workerHost: string, generation: number) => boolean;
72
+ /** Wall clock, injected for testability. Defaults to {@link Date.now}. */
73
+ now?: () => number;
74
+ }
75
+ /** Outcome of {@link checkRunClaim}. `ok` is true only when every check passes. */
76
+ export type RunClaimDecision = {
77
+ ok: true;
78
+ claim: RunClaim;
79
+ } | {
80
+ ok: false;
81
+ reason: "expired" | "tool-not-allowed" | "not-live";
82
+ };
83
+ /**
84
+ * Authoritative per-request owner re-check for a resolved {@link RunClaim},
85
+ * ordered expiry-first, allowlist-before-secret, fail-closed:
86
+ *
87
+ * 1. `expiresAt > now` - coarse lifetime cap.
88
+ * 2. tool in `allowedTools` - per-operation allowlist (before liveness).
89
+ * 3. `isRunLive(runKey, host, generation)` - the run is still live AND the
90
+ * generation matches the live endpoint.
91
+ *
92
+ * Never falls back to the settings-wide scope; any miss denies.
93
+ */
94
+ export declare function checkRunClaim(claim: RunClaim, request: RunClaimRequest): RunClaimDecision;
7
95
  //# sourceMappingURL=auth.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAK/C,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,MAAM,CAkBR;AAoBD,wBAAgB,aAAa,CAAC,KAAK,SAAsB,GAAG,MAAM,CAIjE;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAErE;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,KAAK,SAAsB,GAC1B,OAAO,CAET"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAK/C,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,MAAM,CAkBR;AAoBD,wBAAgB,aAAa,CAAC,KAAK,SAAsB,GAAG,MAAM,CAIjE;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAErE;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,KAAK,SAAsB,GAC1B,OAAO,CAET;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,QAAQ;IACvB,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,gFAAgF;IAChF,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AAKD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,QAAQ,GAAG,MAAM,CAIxD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAGtF;AAED,+EAA+E;AAC/E,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAErE;AAED,yEAAyE;AACzE,MAAM,WAAW,eAAe;IAC9B,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB;;;;;OAKG;IACH,SAAS,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC;IAC/E,0EAA0E;IAC1E,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GACxB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,QAAQ,CAAA;CAAE,GAC7B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,SAAS,GAAG,kBAAkB,GAAG,UAAU,CAAA;CAAE,CAAC;AAEvE;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,GAAG,gBAAgB,CAgBzF"}
@@ -45,4 +45,57 @@ export function revokeMcpToken(token) {
45
45
  export function validMcpToken(token, scope = defaultMcpAuthScope) {
46
46
  return typeof token === "string" && activeTokens.get(token) === scope;
47
47
  }
48
+ /** Opaque per-run token (Token B) -> daemon-minted claim. The sole authority. */
49
+ const runClaims = new Map();
50
+ /**
51
+ * Mint an opaque per-run token (Token B) bound to {@link claim}. The token
52
+ * bytes carry no scope; the returned claim is resolved server-side on every
53
+ * request via {@link resolveRunClaim}.
54
+ */
55
+ export function issueRunMcpToken(claim) {
56
+ const token = randomBytes(32).toString("base64url");
57
+ runClaims.set(token, claim);
58
+ return token;
59
+ }
60
+ /**
61
+ * Resolve the claim for an opaque per-run token. This is the ONLY source of a
62
+ * request's `runKey`; callers must never trust a self-reported header. Returns
63
+ * `undefined` for unknown/revoked tokens (fail closed at the call site).
64
+ */
65
+ export function resolveRunClaim(token) {
66
+ if (typeof token !== "string")
67
+ return undefined;
68
+ return runClaims.get(token);
69
+ }
70
+ /** Revoke a per-run token, dropping its claim. Safe no-op on unknown input. */
71
+ export function revokeRunClaim(token) {
72
+ if (token)
73
+ runClaims.delete(token);
74
+ }
75
+ /**
76
+ * Authoritative per-request owner re-check for a resolved {@link RunClaim},
77
+ * ordered expiry-first, allowlist-before-secret, fail-closed:
78
+ *
79
+ * 1. `expiresAt > now` - coarse lifetime cap.
80
+ * 2. tool in `allowedTools` - per-operation allowlist (before liveness).
81
+ * 3. `isRunLive(runKey, host, generation)` - the run is still live AND the
82
+ * generation matches the live endpoint.
83
+ *
84
+ * Never falls back to the settings-wide scope; any miss denies.
85
+ */
86
+ export function checkRunClaim(claim, request) {
87
+ const now = request.now ?? Date.now;
88
+ if (claim.expiresAt <= now()) {
89
+ return { ok: false, reason: "expired" };
90
+ }
91
+ if (request.toolName != null &&
92
+ claim.allowedTools !== undefined &&
93
+ !claim.allowedTools.includes(request.toolName)) {
94
+ return { ok: false, reason: "tool-not-allowed" };
95
+ }
96
+ if (!request.isRunLive(claim.runKey, claim.workerHost, claim.generation)) {
97
+ return { ok: false, reason: "not-live" };
98
+ }
99
+ return { ok: true, claim };
100
+ }
48
101
  //# sourceMappingURL=auth.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAItD,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAC1C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE/C,MAAM,UAAU,kBAAkB;IAChC,OAAO,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAAkB,EAClB,IAAY,EACZ,IAAwB;IAExB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,IAAI;QACJ,IAAI;QACJ,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI;QACrF,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC;YACzC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B;KACF,CAAC,CAAC;IACH,OAAO,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;AAC5E,CAAC;AAED,2FAA2F;AAC3F,SAAS,eAAe,CAAC,MAA+B;IACtD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACxE,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,SAAS,oBAAoB,CAC3B,WAAoD;IAEpD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;SACxB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAK,GAAG,mBAAmB;IACvD,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAgC;IAC7D,IAAI,KAAK;QAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAAgC,EAChC,KAAK,GAAG,mBAAmB;IAE3B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC;AACxE,CAAC"}
1
+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAItD,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAC1C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE/C,MAAM,UAAU,kBAAkB;IAChC,OAAO,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAAkB,EAClB,IAAY,EACZ,IAAwB;IAExB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,IAAI;QACJ,IAAI;QACJ,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI;QACrF,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC;YACzC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B;KACF,CAAC,CAAC;IACH,OAAO,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;AAC5E,CAAC;AAED,2FAA2F;AAC3F,SAAS,eAAe,CAAC,MAA+B;IACtD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACxE,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,SAAS,oBAAoB,CAC3B,WAAoD;IAEpD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;SACxB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAK,GAAG,mBAAmB;IACvD,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAgC;IAC7D,IAAI,KAAK;QAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAAgC,EAChC,KAAK,GAAG,mBAAmB;IAE3B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC;AACxE,CAAC;AA2CD,iFAAiF;AACjF,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;AAE9C;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAe;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,KAAgC;IAC9D,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAChD,OAAO,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,cAAc,CAAC,KAAgC;IAC7D,IAAI,KAAK;QAAE,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC;AAsBD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAAC,KAAe,EAAE,OAAwB;IACrE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IACpC,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG,EAAE,EAAE,CAAC;QAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,IACE,OAAO,CAAC,QAAQ,IAAI,IAAI;QACxB,KAAK,CAAC,YAAY,KAAK,SAAS;QAChC,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAC9C,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;QACzE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAC7B,CAAC"}
@@ -1,7 +1,8 @@
1
- export { createMcpAuthScope, issueMcpToken, mcpAuthScopeForSettings, revokeMcpToken, validMcpToken, } from "./auth.js";
1
+ export { checkRunClaim, createMcpAuthScope, issueMcpToken, issueRunMcpToken, mcpAuthScopeForSettings, resolveRunClaim, revokeMcpToken, revokeRunClaim, validMcpToken, } from "./auth.js";
2
+ export type { RunClaim } from "./auth.js";
2
3
  export { executeTool, mountedSkillSources, toolSpecs } from "./tools.js";
3
4
  export { acquireAgentMcpEndpoint, acquireAgentMcpEndpointForRun, trackerMcpServerName, } from "./agentEndpoint.js";
4
5
  export type { AgentMcpEndpointLease, RemoteMcpTunnelTransport } from "./agentEndpoint.js";
5
6
  export { mountMcp, startMcpServer, mcpResponse } from "./server.js";
6
- export type { ObservabilityServerHandle } from "./server.js";
7
+ export type { IsRunLive, ObservabilityServerHandle } from "./server.js";
7
8
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,YAAY,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,aAAa,EACb,gBAAgB,EAChB,uBAAuB,EACvB,eAAe,EACf,cAAc,EACd,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,YAAY,EAAE,SAAS,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC"}
@@ -1,4 +1,4 @@
1
- export { createMcpAuthScope, issueMcpToken, mcpAuthScopeForSettings, revokeMcpToken, validMcpToken, } from "./auth.js";
1
+ export { checkRunClaim, createMcpAuthScope, issueMcpToken, issueRunMcpToken, mcpAuthScopeForSettings, resolveRunClaim, revokeMcpToken, revokeRunClaim, validMcpToken, } from "./auth.js";
2
2
  export { executeTool, mountedSkillSources, toolSpecs } from "./tools.js";
3
3
  export { acquireAgentMcpEndpoint, acquireAgentMcpEndpointForRun, trackerMcpServerName, } from "./agentEndpoint.js";
4
4
  export { mountMcp, startMcpServer, mcpResponse } from "./server.js";
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,aAAa,EACb,gBAAgB,EAChB,uBAAuB,EACvB,eAAe,EACf,cAAc,EACd,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}
@@ -1,12 +1,28 @@
1
1
  import { Hono } from "hono";
2
2
  import { type Settings } from "@lorenz/domain";
3
3
  import { type ToolRegistry } from "@lorenz/tool-sdk";
4
+ /**
5
+ * Read-only liveness oracle injected from the composition root (daemon.ts).
6
+ * Given a per-run claim's `(runKey, workerHost, generation)`, returns false once
7
+ * the run is settled/recycled/superseded, pairing liveness with the generation
8
+ * fence. The per-run claim-enforcing mount always injects the real
9
+ * coordinator-backed oracle; {@link defaultIsRunLive} is the FAIL-CLOSED default
10
+ * for any mount that resolves a Token B claim without one, so a wiring omission
11
+ * denies rather than authorizes.
12
+ */
13
+ export type IsRunLive = (runKey: string, workerHost: string, generation: number) => boolean;
4
14
  export interface ObservabilityServerOptions {
5
15
  host: string;
6
16
  port: number;
7
17
  authScope?: string | undefined;
8
18
  /** Tool packs available to this endpoint; defaults to the process-wide registry. */
9
19
  tools?: ToolRegistry | undefined;
20
+ /**
21
+ * Read-only liveness oracle for per-run (Token B) claims. Injected at the
22
+ * composition root; absent on non-claim mounts, where the FAIL-CLOSED default
23
+ * denies any Token B presented to them.
24
+ */
25
+ isRunLive?: IsRunLive | undefined;
10
26
  }
11
27
  export interface ObservabilityServerHandle {
12
28
  host: string;
@@ -19,6 +35,12 @@ export interface McpMountOptions {
19
35
  authScope?: string | undefined;
20
36
  /** Tool packs available to this endpoint; defaults to the process-wide registry. */
21
37
  tools?: ToolRegistry | undefined;
38
+ /**
39
+ * Read-only liveness oracle for per-run (Token B) claims. Injected at the
40
+ * composition root; absent on non-claim mounts, where the FAIL-CLOSED default
41
+ * denies any Token B presented to them.
42
+ */
43
+ isRunLive?: IsRunLive | undefined;
22
44
  }
23
45
  export declare function startMcpServer(settings: Settings, options: ObservabilityServerOptions): Promise<ObservabilityServerHandle>;
24
46
  /**
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAgB,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAgD,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAK1E,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,oFAAoF;IACpF,KAAK,CAAC,EAAE,YAAY,GAAG,SAAS,CAAC;CAClC;AAED,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,oFAAoF;IACpF,KAAK,CAAC,EAAE,YAAY,GAAG,SAAS,CAAC;CAClC;AAID,wBAAsB,cAAc,CAClC,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,0BAA0B,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAepC;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CACtB,GAAG,EAAE,IAAI,EACT,QAAQ,EAAE,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,EACrC,OAAO,GAAE,eAAoB,GAC5B,IAAI,CAuBN;AA6DD,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,KAAK,GAAE,YAAkC,GACxC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CA8CzC"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAgB,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAgD,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAW1E;;;;;;;;GAQG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC;AAI5F,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,oFAAoF;IACpF,KAAK,CAAC,EAAE,YAAY,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;CACnC;AAED,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,oFAAoF;IACpF,KAAK,CAAC,EAAE,YAAY,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;CACnC;AAUD,wBAAsB,cAAc,CAClC,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,0BAA0B,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAepC;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CACtB,GAAG,EAAE,IAAI,EACT,QAAQ,EAAE,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,EACrC,OAAO,GAAE,eAAoB,GAC5B,IAAI,CA8CN;AAuGD,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,KAAK,GAAE,YAAkC,GACxC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CA8CzC"}