lorenz 0.1.4 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +83 -20
- package/RELEASE-MANIFEST.json +6 -1
- package/node_modules/@lorenz/agent-sdk/dist/index.d.ts +1 -0
- package/node_modules/@lorenz/agent-sdk/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/agent-sdk/dist/index.js +1 -0
- package/node_modules/@lorenz/agent-sdk/dist/index.js.map +1 -1
- package/node_modules/@lorenz/agent-sdk/dist/module.d.ts +38 -0
- package/node_modules/@lorenz/agent-sdk/dist/module.d.ts.map +1 -0
- package/node_modules/@lorenz/agent-sdk/dist/module.js +41 -0
- package/node_modules/@lorenz/agent-sdk/dist/module.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/agentExecutorLoader.d.ts +30 -0
- package/node_modules/@lorenz/cli/dist/agentExecutorLoader.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/agentExecutorLoader.js +63 -0
- package/node_modules/@lorenz/cli/dist/agentExecutorLoader.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/daemon.d.ts +42 -19
- package/node_modules/@lorenz/cli/dist/daemon.d.ts.map +1 -1
- package/node_modules/@lorenz/cli/dist/daemon.js +72 -23
- package/node_modules/@lorenz/cli/dist/daemon.js.map +1 -1
- package/node_modules/@lorenz/cli/dist/daemonLock.d.ts +59 -0
- package/node_modules/@lorenz/cli/dist/daemonLock.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/daemonLock.js +304 -0
- package/node_modules/@lorenz/cli/dist/daemonLock.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/daemonStatus.d.ts +16 -0
- package/node_modules/@lorenz/cli/dist/daemonStatus.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/daemonStatus.js +21 -0
- package/node_modules/@lorenz/cli/dist/daemonStatus.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/doctor.d.ts +6 -0
- package/node_modules/@lorenz/cli/dist/doctor.d.ts.map +1 -1
- package/node_modules/@lorenz/cli/dist/doctor.js +39 -2
- package/node_modules/@lorenz/cli/dist/doctor.js.map +1 -1
- package/node_modules/@lorenz/cli/dist/extensionLoader.d.ts +126 -0
- package/node_modules/@lorenz/cli/dist/extensionLoader.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/extensionLoader.js +187 -0
- package/node_modules/@lorenz/cli/dist/extensionLoader.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/flags-manifest.d.ts +42 -0
- package/node_modules/@lorenz/cli/dist/flags-manifest.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/flags-manifest.js +67 -0
- package/node_modules/@lorenz/cli/dist/flags-manifest.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/index.d.ts +6 -0
- package/node_modules/@lorenz/cli/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/cli/dist/index.js +4 -0
- package/node_modules/@lorenz/cli/dist/index.js.map +1 -1
- package/node_modules/@lorenz/cli/dist/leadershipStore.d.ts +42 -0
- package/node_modules/@lorenz/cli/dist/leadershipStore.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/leadershipStore.js +2 -0
- package/node_modules/@lorenz/cli/dist/leadershipStore.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/main.d.ts +11 -7
- package/node_modules/@lorenz/cli/dist/main.d.ts.map +1 -1
- package/node_modules/@lorenz/cli/dist/main.js +58 -8
- package/node_modules/@lorenz/cli/dist/main.js.map +1 -1
- package/node_modules/@lorenz/cli/dist/toolLoader.d.ts +28 -0
- package/node_modules/@lorenz/cli/dist/toolLoader.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/toolLoader.js +62 -0
- package/node_modules/@lorenz/cli/dist/toolLoader.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/trackerLoader.d.ts +24 -0
- package/node_modules/@lorenz/cli/dist/trackerLoader.d.ts.map +1 -0
- package/node_modules/@lorenz/cli/dist/trackerLoader.js +34 -0
- package/node_modules/@lorenz/cli/dist/trackerLoader.js.map +1 -0
- package/node_modules/@lorenz/cli/dist/workerDriverLoader.d.ts +15 -55
- package/node_modules/@lorenz/cli/dist/workerDriverLoader.d.ts.map +1 -1
- package/node_modules/@lorenz/cli/dist/workerDriverLoader.js +26 -203
- package/node_modules/@lorenz/cli/dist/workerDriverLoader.js.map +1 -1
- package/node_modules/@lorenz/cli/package.json +1 -0
- package/node_modules/@lorenz/config/dist/index.d.ts +1 -1
- package/node_modules/@lorenz/config/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/config/dist/index.js +1 -1
- package/node_modules/@lorenz/config/dist/index.js.map +1 -1
- package/node_modules/@lorenz/config/dist/parse.d.ts +17 -0
- package/node_modules/@lorenz/config/dist/parse.d.ts.map +1 -1
- package/node_modules/@lorenz/config/dist/parse.js +107 -11
- package/node_modules/@lorenz/config/dist/parse.js.map +1 -1
- package/node_modules/@lorenz/config/dist/schemas.d.ts +0 -2
- package/node_modules/@lorenz/config/dist/schemas.d.ts.map +1 -1
- package/node_modules/@lorenz/config/dist/schemas.js +5 -1
- package/node_modules/@lorenz/config/dist/schemas.js.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.d.ts +55 -21
- package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.d.ts.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.js +187 -82
- package/node_modules/@lorenz/dispatch-coordinator/dist/coordinator.js.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/gate.d.ts +6 -4
- package/node_modules/@lorenz/dispatch-coordinator/dist/gate.d.ts.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/gate.js +9 -6
- package/node_modules/@lorenz/dispatch-coordinator/dist/gate.js.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/index.d.ts +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/index.js +5 -6
- package/node_modules/@lorenz/dispatch-coordinator/dist/index.js.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.d.ts +7 -5
- package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.d.ts.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.js +12 -10
- package/node_modules/@lorenz/dispatch-coordinator/dist/mcpEndpointManager.js.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.d.ts +11 -10
- package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.d.ts.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.js +15 -22
- package/node_modules/@lorenz/dispatch-coordinator/dist/nullEndpointManager.js.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/types.d.ts +16 -15
- package/node_modules/@lorenz/dispatch-coordinator/dist/types.d.ts.map +1 -1
- package/node_modules/@lorenz/dispatch-coordinator/dist/types.js +6 -7
- package/node_modules/@lorenz/dispatch-coordinator/dist/types.js.map +1 -1
- package/node_modules/@lorenz/domain/dist/index.d.ts +75 -9
- package/node_modules/@lorenz/domain/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/domain/dist/index.js +40 -0
- package/node_modules/@lorenz/domain/dist/index.js.map +1 -1
- package/node_modules/@lorenz/flags/dist/coerce.d.ts +12 -0
- package/node_modules/@lorenz/flags/dist/coerce.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/coerce.js +44 -0
- package/node_modules/@lorenz/flags/dist/coerce.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/default.d.ts +6 -0
- package/node_modules/@lorenz/flags/dist/default.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/default.js +22 -0
- package/node_modules/@lorenz/flags/dist/default.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/deprecations.d.ts +20 -0
- package/node_modules/@lorenz/flags/dist/deprecations.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/deprecations.js +42 -0
- package/node_modules/@lorenz/flags/dist/deprecations.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/env.d.ts +17 -0
- package/node_modules/@lorenz/flags/dist/env.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/env.js +90 -0
- package/node_modules/@lorenz/flags/dist/env.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/errors.d.ts +22 -0
- package/node_modules/@lorenz/flags/dist/errors.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/errors.js +61 -0
- package/node_modules/@lorenz/flags/dist/errors.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/index.d.ts +8 -0
- package/node_modules/@lorenz/flags/dist/index.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/index.js +11 -0
- package/node_modules/@lorenz/flags/dist/index.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/keys.d.ts +6 -0
- package/node_modules/@lorenz/flags/dist/keys.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/keys.js +15 -0
- package/node_modules/@lorenz/flags/dist/keys.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/layers.d.ts +14 -0
- package/node_modules/@lorenz/flags/dist/layers.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/layers.js +107 -0
- package/node_modules/@lorenz/flags/dist/layers.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/manifest.d.ts +71 -0
- package/node_modules/@lorenz/flags/dist/manifest.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/manifest.js +137 -0
- package/node_modules/@lorenz/flags/dist/manifest.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/resolve.d.ts +8 -0
- package/node_modules/@lorenz/flags/dist/resolve.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/resolve.js +178 -0
- package/node_modules/@lorenz/flags/dist/resolve.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/testing.d.ts +19 -0
- package/node_modules/@lorenz/flags/dist/testing.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/testing.js +68 -0
- package/node_modules/@lorenz/flags/dist/testing.js.map +1 -0
- package/node_modules/@lorenz/flags/dist/types.d.ts +93 -0
- package/node_modules/@lorenz/flags/dist/types.d.ts.map +1 -0
- package/node_modules/@lorenz/flags/dist/types.js +2 -0
- package/node_modules/@lorenz/flags/dist/types.js.map +1 -0
- package/node_modules/@lorenz/flags/package.json +16 -0
- package/node_modules/@lorenz/mcp/dist/agentEndpoint.d.ts +16 -3
- package/node_modules/@lorenz/mcp/dist/agentEndpoint.d.ts.map +1 -1
- package/node_modules/@lorenz/mcp/dist/agentEndpoint.js +105 -17
- package/node_modules/@lorenz/mcp/dist/agentEndpoint.js.map +1 -1
- package/node_modules/@lorenz/mcp/dist/auth.d.ts +88 -0
- package/node_modules/@lorenz/mcp/dist/auth.d.ts.map +1 -1
- package/node_modules/@lorenz/mcp/dist/auth.js +53 -0
- package/node_modules/@lorenz/mcp/dist/auth.js.map +1 -1
- package/node_modules/@lorenz/mcp/dist/index.d.ts +3 -2
- package/node_modules/@lorenz/mcp/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/mcp/dist/index.js +1 -1
- package/node_modules/@lorenz/mcp/dist/index.js.map +1 -1
- package/node_modules/@lorenz/mcp/dist/server.d.ts +22 -0
- package/node_modules/@lorenz/mcp/dist/server.d.ts.map +1 -1
- package/node_modules/@lorenz/mcp/dist/server.js +85 -12
- package/node_modules/@lorenz/mcp/dist/server.js.map +1 -1
- package/node_modules/@lorenz/orchestrator/dist/claimStore.d.ts +157 -0
- package/node_modules/@lorenz/orchestrator/dist/claimStore.d.ts.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/claimStore.js +621 -0
- package/node_modules/@lorenz/orchestrator/dist/claimStore.js.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/codec.d.ts +38 -0
- package/node_modules/@lorenz/orchestrator/dist/codec.d.ts.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/codec.js +176 -0
- package/node_modules/@lorenz/orchestrator/dist/codec.js.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/index.d.ts +55 -51
- package/node_modules/@lorenz/orchestrator/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/orchestrator/dist/index.js +285 -45
- package/node_modules/@lorenz/orchestrator/dist/index.js.map +1 -1
- package/node_modules/@lorenz/orchestrator/dist/sqlite.d.ts +34 -0
- package/node_modules/@lorenz/orchestrator/dist/sqlite.d.ts.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/sqlite.js +142 -0
- package/node_modules/@lorenz/orchestrator/dist/sqlite.js.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/state.d.ts +47 -0
- package/node_modules/@lorenz/orchestrator/dist/state.d.ts.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/state.js +15 -0
- package/node_modules/@lorenz/orchestrator/dist/state.js.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/turso.d.ts +28 -0
- package/node_modules/@lorenz/orchestrator/dist/turso.d.ts.map +1 -0
- package/node_modules/@lorenz/orchestrator/dist/turso.js +125 -0
- package/node_modules/@lorenz/orchestrator/dist/turso.js.map +1 -0
- package/node_modules/@lorenz/orchestrator/package.json +6 -2
- package/node_modules/@lorenz/presenter/dist/index.d.ts +14 -0
- package/node_modules/@lorenz/presenter/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/presenter/dist/index.js +18 -0
- package/node_modules/@lorenz/presenter/dist/index.js.map +1 -1
- package/node_modules/@lorenz/projections/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/projections/dist/index.js +1 -0
- package/node_modules/@lorenz/projections/dist/index.js.map +1 -1
- package/node_modules/@lorenz/runtime/dist/index.d.ts +27 -8
- package/node_modules/@lorenz/runtime/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/runtime/dist/index.js +422 -98
- package/node_modules/@lorenz/runtime/dist/index.js.map +1 -1
- package/node_modules/@lorenz/runtime-events/dist/index.d.ts +14 -0
- package/node_modules/@lorenz/runtime-events/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/server/dist/index.js +1 -1
- package/node_modules/@lorenz/server/dist/index.js.map +1 -1
- package/node_modules/@lorenz/ssh/dist/index.d.ts +2 -0
- package/node_modules/@lorenz/ssh/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/ssh/dist/index.js +2 -1
- package/node_modules/@lorenz/ssh/dist/index.js.map +1 -1
- package/node_modules/@lorenz/tool-sdk/dist/index.d.ts +1 -0
- package/node_modules/@lorenz/tool-sdk/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/tool-sdk/dist/index.js +1 -0
- package/node_modules/@lorenz/tool-sdk/dist/index.js.map +1 -1
- package/node_modules/@lorenz/tool-sdk/dist/module.d.ts +38 -0
- package/node_modules/@lorenz/tool-sdk/dist/module.d.ts.map +1 -0
- package/node_modules/@lorenz/tool-sdk/dist/module.js +42 -0
- package/node_modules/@lorenz/tool-sdk/dist/module.js.map +1 -0
- package/node_modules/@lorenz/tracker-sdk/dist/index.d.ts +1 -0
- package/node_modules/@lorenz/tracker-sdk/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/tracker-sdk/dist/index.js +1 -0
- package/node_modules/@lorenz/tracker-sdk/dist/index.js.map +1 -1
- package/node_modules/@lorenz/tracker-sdk/dist/module.d.ts +37 -0
- package/node_modules/@lorenz/tracker-sdk/dist/module.d.ts.map +1 -0
- package/node_modules/@lorenz/tracker-sdk/dist/module.js +38 -0
- package/node_modules/@lorenz/tracker-sdk/dist/module.js.map +1 -0
- package/node_modules/@lorenz/worker-host-pool/dist/index.d.ts +34 -6
- package/node_modules/@lorenz/worker-host-pool/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/worker-host-pool/dist/index.js +110 -143
- package/node_modules/@lorenz/worker-host-pool/dist/index.js.map +1 -1
- package/node_modules/@lorenz/worker-sdk/dist/index.d.ts +1 -0
- package/node_modules/@lorenz/worker-sdk/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/worker-sdk/dist/index.js +1 -0
- package/node_modules/@lorenz/worker-sdk/dist/index.js.map +1 -1
- package/node_modules/@lorenz/worker-sdk/dist/local.d.ts +74 -0
- package/node_modules/@lorenz/worker-sdk/dist/local.d.ts.map +1 -0
- package/node_modules/@lorenz/worker-sdk/dist/local.js +112 -0
- package/node_modules/@lorenz/worker-sdk/dist/local.js.map +1 -0
- package/node_modules/@lorenz/worker-sdk/dist/module.d.ts +8 -16
- package/node_modules/@lorenz/worker-sdk/dist/module.d.ts.map +1 -1
- package/node_modules/@lorenz/worker-sdk/dist/module.js +15 -35
- package/node_modules/@lorenz/worker-sdk/dist/module.js.map +1 -1
- package/node_modules/@lorenz/workflow/dist/index.d.ts +11 -0
- package/node_modules/@lorenz/workflow/dist/index.d.ts.map +1 -1
- package/node_modules/@lorenz/workflow/dist/index.js +3 -0
- package/node_modules/@lorenz/workflow/dist/index.js.map +1 -1
- package/package.json +4 -1
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { httpUrlHost, isRecord, normalizeHttpBindHost, } from "@lorenz/domain";
|
|
2
2
|
import { startMcpServer } from "./server.js";
|
|
3
|
-
import { issueMcpToken, mcpAuthScopeForSettings, revokeMcpToken } from "./auth.js";
|
|
3
|
+
import { issueMcpToken, issueRunMcpToken, mcpAuthScopeForSettings, revokeMcpToken, revokeRunClaim, } from "./auth.js";
|
|
4
4
|
export function trackerMcpServerName(kind) {
|
|
5
5
|
return `lorenz_${(kind ?? "tracker").replace(/[^A-Za-z0-9_]/g, "_")}`;
|
|
6
6
|
}
|
|
@@ -8,6 +8,19 @@ const mcpPath = "/mcp";
|
|
|
8
8
|
const configuredMcpProbeId = "lorenz-configured-mcp-probe";
|
|
9
9
|
const localMcpServers = new Map();
|
|
10
10
|
const localMcpServerLocks = new Map();
|
|
11
|
+
/**
|
|
12
|
+
* Monotonic generation per host:port slot, surviving entry teardown so a
|
|
13
|
+
* recreated entry gets a STRICTLY higher generation than the one it replaces.
|
|
14
|
+
* The fence (re-checked per request via the injected `isRunLive`) rejects any
|
|
15
|
+
* Token B minted against a prior, now-recycled generation of the same slot.
|
|
16
|
+
*/
|
|
17
|
+
const localMcpServerGenerations = new Map();
|
|
18
|
+
/**
|
|
19
|
+
* Coarse lifetime cap on a per-run claim (Token B). The claim is primarily
|
|
20
|
+
* run-lifetime-bound via the injected `isRunLive` re-check; this backstop only
|
|
21
|
+
* bounds a leaked token that somehow outlives both its run and its generation.
|
|
22
|
+
*/
|
|
23
|
+
const runClaimMaxLifetimeMs = 24 * 60 * 60 * 1000;
|
|
11
24
|
export async function acquireAgentMcpEndpoint(settings, workerHost, tunnels) {
|
|
12
25
|
let endpoint = null;
|
|
13
26
|
let token = null;
|
|
@@ -22,6 +35,7 @@ export async function acquireAgentMcpEndpoint(settings, workerHost, tunnels) {
|
|
|
22
35
|
return {
|
|
23
36
|
url: endpoint.url,
|
|
24
37
|
token,
|
|
38
|
+
generation: endpoint.generation,
|
|
25
39
|
acpServer: () => ({
|
|
26
40
|
type: "http",
|
|
27
41
|
name: trackerMcpServerName(settings.tracker.kind),
|
|
@@ -56,18 +70,35 @@ export async function acquireAgentMcpEndpoint(settings, workerHost, tunnels) {
|
|
|
56
70
|
throw error;
|
|
57
71
|
}
|
|
58
72
|
}
|
|
59
|
-
export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey, tunnels) {
|
|
73
|
+
export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey, tunnels, isRunLive) {
|
|
74
|
+
// Token B is bound to a per-run claim whose `workerHost` is the run's REAL ssh
|
|
75
|
+
// host (the gateway re-checks `isRunLive(runKey, workerHost, generation)` against
|
|
76
|
+
// it). An empty `workerHost` denotes a LOCAL/acp run, routed through the per-run
|
|
77
|
+
// manager's null/local path - it must NEVER reach this minting path. Fail loud:
|
|
78
|
+
// a local run here would otherwise mint a claim stamped `workerHost: ""` that
|
|
79
|
+
// `isRunLive` could match against any other local slot, and the per-run claim
|
|
80
|
+
// model only applies to real remote hosts.
|
|
81
|
+
if (workerHost.length === 0) {
|
|
82
|
+
throw new Error("per_run_mcp_endpoint_requires_remote_worker_host");
|
|
83
|
+
}
|
|
60
84
|
let endpoint = null;
|
|
61
85
|
let token = null;
|
|
62
86
|
let released = false;
|
|
63
87
|
try {
|
|
64
88
|
const configuredToken = issueConfiguredMcpToken(settings);
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
token
|
|
89
|
+
endpoint = await acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels, isRunLive);
|
|
90
|
+
// The per-run lease is scoped solely by Token B (minted below), never by the
|
|
91
|
+
// settings-wide token, so revoke any configured token immediately.
|
|
92
|
+
revokeMcpToken(configuredToken?.token);
|
|
93
|
+
// Mint Token B: an opaque per-run token bound to a server-side claim. The
|
|
94
|
+
// claim's generation was captured BEFORE the `openForRun` await (see
|
|
95
|
+
// `acquirePerRunMcpEndpoint`), so a host recycle that bumps the slot's
|
|
96
|
+
// generation strands this token at the per-request liveness fence.
|
|
97
|
+
token = issueRunMcpToken(runClaimForLease(endpoint, settings, workerHost, runKey));
|
|
68
98
|
return {
|
|
69
99
|
url: endpoint.url,
|
|
70
100
|
token,
|
|
101
|
+
generation: endpoint.generation,
|
|
71
102
|
acpServer: () => ({
|
|
72
103
|
type: "http",
|
|
73
104
|
name: trackerMcpServerName(settings.tracker.kind),
|
|
@@ -78,7 +109,7 @@ export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey
|
|
|
78
109
|
if (released)
|
|
79
110
|
return;
|
|
80
111
|
released = true;
|
|
81
|
-
|
|
112
|
+
revokeRunClaim(token);
|
|
82
113
|
tunnels.closeForRun(workerHost, runKey);
|
|
83
114
|
if (endpoint?.localServer)
|
|
84
115
|
await releaseLocalMcpServer(endpoint.localServer);
|
|
@@ -86,13 +117,32 @@ export async function acquireAgentMcpEndpointForRun(settings, workerHost, runKey
|
|
|
86
117
|
};
|
|
87
118
|
}
|
|
88
119
|
catch (error) {
|
|
89
|
-
|
|
120
|
+
revokeRunClaim(token);
|
|
90
121
|
tunnels.closeForRun(workerHost, runKey);
|
|
91
122
|
if (endpoint?.localServer)
|
|
92
123
|
await releaseLocalMcpServer(endpoint.localServer);
|
|
93
124
|
throw error;
|
|
94
125
|
}
|
|
95
126
|
}
|
|
127
|
+
/**
|
|
128
|
+
* Build the server-side per-run claim (Token B) for a freshly-acquired per-run
|
|
129
|
+
* endpoint. `runKey` is the issue-scoped `${issueId}#${slotIndex}` the
|
|
130
|
+
* coordinator mints, so `issueId` is recovered as the part before the first
|
|
131
|
+
* `#`. The generation is the endpoint's captured-before-`openForRun` value, and
|
|
132
|
+
* `allowedTools` is left unset (the rest of the claim - liveness + generation +
|
|
133
|
+
* expiry - gates the run; per-tool scoping is layered in later).
|
|
134
|
+
*/
|
|
135
|
+
function runClaimForLease(endpoint, settings, workerHost, runKey) {
|
|
136
|
+
const issueId = runKey.split("#", 1)[0] ?? runKey;
|
|
137
|
+
return {
|
|
138
|
+
runKey,
|
|
139
|
+
workerHost,
|
|
140
|
+
issueId,
|
|
141
|
+
generation: endpoint.generation,
|
|
142
|
+
expiresAt: Date.now() + runClaimMaxLifetimeMs,
|
|
143
|
+
settingsScope: endpoint.authScope,
|
|
144
|
+
};
|
|
145
|
+
}
|
|
96
146
|
async function localMcpEndpoint(settings, configuredToken) {
|
|
97
147
|
const localServer = await ensureLocalMcpServer(settings, configuredToken);
|
|
98
148
|
const serverHost = normalizeHttpBindHost(settings.server.host);
|
|
@@ -102,6 +152,7 @@ async function localMcpEndpoint(settings, configuredToken) {
|
|
|
102
152
|
authScope: configuredToken?.authScope ??
|
|
103
153
|
localServer?.handle.authScope ??
|
|
104
154
|
mcpAuthScopeForSettings(settings, serverHost, configuredPort),
|
|
155
|
+
generation: localServer?.generation ?? 1,
|
|
105
156
|
localServer: localServer ?? undefined,
|
|
106
157
|
};
|
|
107
158
|
}
|
|
@@ -121,6 +172,7 @@ async function acquireRemoteMcpEndpoint(workerHost, settings, configuredToken, t
|
|
|
121
172
|
authScope: configuredToken?.authScope ??
|
|
122
173
|
localServer?.handle.authScope ??
|
|
123
174
|
mcpAuthScopeForSettings(settings, normalizeHttpBindHost(settings.server.host), localPort),
|
|
175
|
+
generation: localServer?.generation ?? 1,
|
|
124
176
|
releaseTunnel: () => tunnels.releaseRemoteMcpTunnel(tunnel),
|
|
125
177
|
localServer: localServer ?? undefined,
|
|
126
178
|
};
|
|
@@ -131,14 +183,24 @@ async function acquireRemoteMcpEndpoint(workerHost, settings, configuredToken, t
|
|
|
131
183
|
throw error;
|
|
132
184
|
}
|
|
133
185
|
}
|
|
134
|
-
async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels) {
|
|
186
|
+
async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configuredToken, tunnels, isRunLive) {
|
|
135
187
|
// The refcounted local MCP server is acquired BEFORE the per-run tunnel is
|
|
136
188
|
// opened. If anything after this point throws (notably `openForRun` failing
|
|
137
189
|
// to spawn the reverse tunnel), this function rejects before returning an
|
|
138
190
|
// McpEndpoint, so the caller never sees `localServer` and cannot release it.
|
|
139
191
|
// Drop the ref here so repeated tunnel-spawn failures don't leak refcounted
|
|
140
|
-
// local MCP servers / their listeners.
|
|
141
|
-
|
|
192
|
+
// local MCP servers / their listeners. The per-run server is mounted with the
|
|
193
|
+
// injected `isRunLive` oracle so its Token B middleware enforces the owner
|
|
194
|
+
// re-check + generation fence on every request. `requireOwnedServer: true`
|
|
195
|
+
// refuses to attach to a foreign server lorenz cannot enforce that fence over
|
|
196
|
+
// (see `ensureLocalMcpServer`).
|
|
197
|
+
const localServer = await ensureLocalMcpServer(settings, configuredToken, isRunLive, true);
|
|
198
|
+
// Capture the shared local server's generation BEFORE the `openForRun` await.
|
|
199
|
+
// The event loop is single-writer only BETWEEN awaits, so stamping the claim
|
|
200
|
+
// with the generation live at this point (not re-read after the await, when a
|
|
201
|
+
// recycle may have bumped it) makes a stale token fail the per-request liveness
|
|
202
|
+
// fence instead of silently inheriting a generation it was never minted against.
|
|
203
|
+
const generation = localServer?.generation ?? 1;
|
|
142
204
|
try {
|
|
143
205
|
const localHost = "127.0.0.1";
|
|
144
206
|
const localPort = localServer?.handle.port ?? settings.server.port;
|
|
@@ -151,6 +213,7 @@ async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configured
|
|
|
151
213
|
authScope: configuredToken?.authScope ??
|
|
152
214
|
localServer?.handle.authScope ??
|
|
153
215
|
mcpAuthScopeForSettings(settings, normalizeHttpBindHost(settings.server.host), localPort),
|
|
216
|
+
generation,
|
|
154
217
|
localServer: localServer ?? undefined,
|
|
155
218
|
};
|
|
156
219
|
}
|
|
@@ -160,7 +223,7 @@ async function acquirePerRunMcpEndpoint(workerHost, runKey, settings, configured
|
|
|
160
223
|
throw error;
|
|
161
224
|
}
|
|
162
225
|
}
|
|
163
|
-
async function ensureLocalMcpServer(settings, configuredToken) {
|
|
226
|
+
async function ensureLocalMcpServer(settings, configuredToken, isRunLive, requireOwnedServer = false) {
|
|
164
227
|
const configuredPort = settings.server.port;
|
|
165
228
|
const serverHost = normalizeHttpBindHost(settings.server.host);
|
|
166
229
|
if (typeof configuredPort === "number" && configuredPort > 0) {
|
|
@@ -176,21 +239,39 @@ async function ensureLocalMcpServer(settings, configuredToken) {
|
|
|
176
239
|
throw new Error("configured_mcp_server_conflict");
|
|
177
240
|
}
|
|
178
241
|
existing.refCount += 1;
|
|
179
|
-
return { key, handle: existing.handle };
|
|
242
|
+
return { key, handle: existing.handle, generation: existing.generation };
|
|
180
243
|
}
|
|
181
|
-
if (await configuredMcpServerReachable(settings, configuredToken.token))
|
|
244
|
+
if (await configuredMcpServerReachable(settings, configuredToken.token)) {
|
|
245
|
+
// A foreign MCP server is already reachable on the configured port. The
|
|
246
|
+
// ACP/local path ATTACHES to it (returns null); but the per-run claim path
|
|
247
|
+
// sets `requireOwnedServer` because lorenz cannot enforce its Token B owner
|
|
248
|
+
// re-check / generation fence against a server it does not own - attaching
|
|
249
|
+
// would silently bypass the per-run claim model. Refuse loudly instead.
|
|
250
|
+
if (requireOwnedServer) {
|
|
251
|
+
throw new Error("per_run_mcp_endpoint_requires_lorenz_owned_server");
|
|
252
|
+
}
|
|
182
253
|
return null;
|
|
254
|
+
}
|
|
183
255
|
const handle = await startMcpServer(settings, {
|
|
184
256
|
host: serverHost,
|
|
185
257
|
port: configuredPort,
|
|
186
258
|
authScope: identity,
|
|
259
|
+
isRunLive,
|
|
187
260
|
});
|
|
188
|
-
|
|
189
|
-
|
|
261
|
+
// Bump the slot's generation when a brand-new entry replaces a torn-down
|
|
262
|
+
// one. The first entry for a key gets generation 1; each recycle is
|
|
263
|
+
// strictly higher, so any Token B stamped with the prior generation is
|
|
264
|
+
// fenced out by the per-request liveness re-check.
|
|
265
|
+
const generation = (localMcpServerGenerations.get(key) ?? 0) + 1;
|
|
266
|
+
localMcpServerGenerations.set(key, generation);
|
|
267
|
+
localMcpServers.set(key, { handle, identity, refCount: 1, generation });
|
|
268
|
+
return { key, handle, generation };
|
|
190
269
|
});
|
|
191
270
|
}
|
|
192
|
-
const handle = await startMcpServer(settings, { host: serverHost, port: 0 });
|
|
193
|
-
|
|
271
|
+
const handle = await startMcpServer(settings, { host: serverHost, port: 0, isRunLive });
|
|
272
|
+
// Ephemeral (port 0) servers are not shared/refcounted, so each lease is its
|
|
273
|
+
// own generation-1 slot stopped on release; nothing recycles it in place.
|
|
274
|
+
return { key: null, handle, generation: 1 };
|
|
194
275
|
}
|
|
195
276
|
function issueConfiguredMcpToken(settings) {
|
|
196
277
|
const configuredPort = settings.server.port;
|
|
@@ -227,6 +308,13 @@ async function releaseLocalMcpServer(lease) {
|
|
|
227
308
|
const entry = localMcpServers.get(key);
|
|
228
309
|
if (!entry)
|
|
229
310
|
return;
|
|
311
|
+
// Generation fence: this lease was taken against an OLDER entry that has
|
|
312
|
+
// since been fully torn down and recreated (host recycle bumped the slot's
|
|
313
|
+
// generation). A fresh owner holds the live entry's ref, so a late release
|
|
314
|
+
// from the prior generation must NOT decrement the new entry's refcount and
|
|
315
|
+
// tear down a server that is still in use.
|
|
316
|
+
if (lease.generation < entry.generation)
|
|
317
|
+
return;
|
|
230
318
|
if (entry.refCount > 1) {
|
|
231
319
|
entry.refCount -= 1;
|
|
232
320
|
return;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agentEndpoint.js","sourceRoot":"","sources":["../src/agentEndpoint.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,QAAQ,EACR,qBAAqB,GAGtB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAkC,MAAM,aAAa,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,uBAAuB,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEnF,MAAM,UAAU,oBAAoB,CAAC,IAA6B;IAChE,OAAO,UAAU,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,CAAC;AACxE,CAAC;AA6DD,MAAM,OAAO,GAAG,MAAM,CAAC;AACvB,MAAM,oBAAoB,GAAG,6BAA6B,CAAC;AAC3D,MAAM,eAAe,GAAG,IAAI,GAAG,EAA+B,CAAC;AAC/D,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAyB,CAAC;AAE7D,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAkB,EAClB,UAA0B,EAC1B,OAAkC;IAElC,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,KAAK,GAAG,eAAe,EAAE,KAAK,IAAI,IAAI,CAAC;QACvC,QAAQ,GAAG,UAAU;YACnB,CAAC,CAAC,MAAM,wBAAwB,CAAC,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,CAAC;YAChF,CAAC,CAAC,MAAM,gBAAgB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QACtD,KAAK,KAAK,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,IAAI,CAAC;oBACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;gBAC9B,CAAC;wBAAS,CAAC;oBACT,IAAI,QAAQ,EAAE,WAAW;wBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,CAAC;YACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,wFAAwF;QAC1F,CAAC;QACD,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,QAAkB,EAClB,UAAkB,EAClB,MAAc,EACd,OAAiC;IAEjC,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,KAAK,GAAG,eAAe,EAAE,KAAK,IAAI,IAAI,CAAC;QACvC,QAAQ,GAAG,MAAM,wBAAwB,CACvC,UAAU,EACV,MAAM,EACN,QAAQ,EACR,eAAe,EACf,OAAO,CACR,CAAC;QACF,KAAK,KAAK,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBACxC,IAAI,QAAQ,EAAE,WAAW;oBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC/E,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAkB,EAClB,eAAsC;IAEtC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC;QACpF,SAAS,EACP,eAAe,EAAE,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC;QAC/D,WAAW,EAAE,WAAW,IAAI,SAAS;KACtC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,QAAkB,EAClB,eAAsC,EACtC,OAA6C;IAE7C,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC1E,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACtF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,aAAa,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,CAAC;YAC3D,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,MAAc,EACd,QAAkB,EAClB,eAAsC,EACtC,OAAiC;IAEjC,2EAA2E;IAC3E,4EAA4E;IAC5E,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,uCAAuC;IACvC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAClF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAkB,EAClB,eAAsC;IAEtC,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,cAAc,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAC/E,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;gBACpD,CAAC;gBACD,QAAQ,CAAC,QAAQ,IAAI,CAAC,CAAC;gBACvB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC1C,CAAC;YACD,IAAI,MAAM,4BAA4B,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE;gBAC5C,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,cAAc;gBACpB,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YACH,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7E,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAChF,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAI,GAAW,EAAE,MAAwB;IAC5E,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACnE,IAAI,OAAoB,CAAC;IACzB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAC5C,OAAO,GAAG,OAAO,CAAC;IACpB,CAAC,CAAC,CAAC;IACH,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,QAAQ,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,EAAE,CAAC;IACxB,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;QACV,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO;YAAE,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,KAA0B;IAC7D,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACtB,MAAM,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,4BAA4B,CAAC,QAAkB,EAAE,KAAa;IAC3E,MAAM,GAAG,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,oBAAoB;gBACxB,MAAM,EAAE,YAAY;aACrB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC;SACjC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,IAAI,CAAC,EAAE,KAAK,oBAAoB,EAAE,CAAC;YAClF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAkB;IAC/C,OAAO,UAAU,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;AACzF,CAAC"}
|
|
1
|
+
{"version":3,"file":"agentEndpoint.js","sourceRoot":"","sources":["../src/agentEndpoint.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,QAAQ,EACR,qBAAqB,GAGtB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAkD,MAAM,aAAa,CAAC;AAC7F,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,uBAAuB,EACvB,cAAc,EACd,cAAc,GAEf,MAAM,WAAW,CAAC;AAEnB,MAAM,UAAU,oBAAoB,CAAC,IAA6B;IAChE,OAAO,UAAU,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,CAAC;AACxE,CAAC;AA6FD,MAAM,OAAO,GAAG,MAAM,CAAC;AACvB,MAAM,oBAAoB,GAAG,6BAA6B,CAAC;AAC3D,MAAM,eAAe,GAAG,IAAI,GAAG,EAA+B,CAAC;AAC/D,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAyB,CAAC;AAC7D;;;;;GAKG;AACH,MAAM,yBAAyB,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE5D;;;;GAIG;AACH,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAElD,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAkB,EAClB,UAA0B,EAC1B,OAAkC;IAElC,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,KAAK,GAAG,eAAe,EAAE,KAAK,IAAI,IAAI,CAAC;QACvC,QAAQ,GAAG,UAAU;YACnB,CAAC,CAAC,MAAM,wBAAwB,CAAC,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,CAAC;YAChF,CAAC,CAAC,MAAM,gBAAgB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QACtD,KAAK,KAAK,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,IAAI,CAAC;oBACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;gBAC9B,CAAC;wBAAS,CAAC;oBACT,IAAI,QAAQ,EAAE,WAAW;wBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,CAAC;YACH,QAAQ,EAAE,aAAa,EAAE,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,wFAAwF;QAC1F,CAAC;QACD,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,QAAkB,EAClB,UAAkB,EAClB,MAAc,EACd,OAAiC,EACjC,SAAqB;IAErB,+EAA+E;IAC/E,kFAAkF;IAClF,iFAAiF;IACjF,gFAAgF;IAChF,8EAA8E;IAC9E,8EAA8E;IAC9E,2CAA2C;IAC3C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,QAAQ,GAAuB,IAAI,CAAC;IACxC,IAAI,KAAK,GAAkB,IAAI,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC1D,QAAQ,GAAG,MAAM,wBAAwB,CACvC,UAAU,EACV,MAAM,EACN,QAAQ,EACR,eAAe,EACf,OAAO,EACP,SAAS,CACV,CAAC;QACF,6EAA6E;QAC7E,mEAAmE;QACnE,cAAc,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;QACvC,0EAA0E;QAC1E,qEAAqE;QACrE,uEAAuE;QACvE,mEAAmE;QACnE,KAAK,GAAG,gBAAgB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;QACnF,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK;YACL,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChB,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,oBAAoB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjD,GAAG,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE;gBACxB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;aAC/D,CAAC;YACF,OAAO,EAAE,KAAK,IAAI,EAAE;gBAClB,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,cAAc,CAAC,KAAK,CAAC,CAAC;gBACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBACxC,IAAI,QAAQ,EAAE,WAAW;oBAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC/E,CAAC;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,KAAK,CAAC,CAAC;QACtB,OAAO,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACxC,IAAI,QAAQ,EAAE,WAAW;YAAE,MAAM,qBAAqB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC7E,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,gBAAgB,CACvB,QAAqB,EACrB,QAAkB,EAClB,UAAkB,EAClB,MAAc;IAEd,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IAClD,OAAO;QACL,MAAM;QACN,UAAU;QACV,OAAO;QACP,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,qBAAqB;QAC7C,aAAa,EAAE,QAAQ,CAAC,SAAS;KAClC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAkB,EAClB,eAAsC;IAEtC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,OAAO;QACL,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC;QACpF,SAAS,EACP,eAAe,EAAE,SAAS;YAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;YAC7B,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC;QAC/D,UAAU,EAAE,WAAW,EAAE,UAAU,IAAI,CAAC;QACxC,WAAW,EAAE,WAAW,IAAI,SAAS;KACtC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,QAAkB,EAClB,eAAsC,EACtC,OAA6C;IAE7C,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC1E,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACtF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,UAAU,EAAE,WAAW,EAAE,UAAU,IAAI,CAAC;YACxC,aAAa,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC,MAAM,CAAC;YAC3D,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,wBAAwB,CACrC,UAAkB,EAClB,MAAc,EACd,QAAkB,EAClB,eAAsC,EACtC,OAAiC,EACjC,SAAqB;IAErB,2EAA2E;IAC3E,4EAA4E;IAC5E,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,8EAA8E;IAC9E,2EAA2E;IAC3E,2EAA2E;IAC3E,8EAA8E;IAC9E,gCAAgC;IAChC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3F,8EAA8E;IAC9E,6EAA6E;IAC7E,8EAA8E;IAC9E,gFAAgF;IAChF,iFAAiF;IACjF,MAAM,UAAU,GAAG,WAAW,EAAE,UAAU,IAAI,CAAC,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,WAAW,CAAC;QAC9B,MAAM,SAAS,GAAG,WAAW,EAAE,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;QACnE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAClF,OAAO;YACL,GAAG,EAAE,oBAAoB,MAAM,CAAC,UAAU,GAAG,OAAO,EAAE;YACtD,SAAS,EACP,eAAe,EAAE,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,SAAS;gBAC7B,uBAAuB,CAAC,QAAQ,EAAE,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC;YAC3F,UAAU;YACV,WAAW,EAAE,WAAW,IAAI,SAAS;SACtC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW;YAAE,MAAM,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAkB,EAClB,eAAsC,EACtC,SAAqB,EACrB,kBAAkB,GAAG,KAAK;IAE1B,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,GAAG,GAAG,GAAG,UAAU,IAAI,cAAc,EAAE,CAAC;QAC9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAC/E,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;gBACpD,CAAC;gBACD,QAAQ,CAAC,QAAQ,IAAI,CAAC,CAAC;gBACvB,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC3E,CAAC;YACD,IAAI,MAAM,4BAA4B,CAAC,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxE,wEAAwE;gBACxE,2EAA2E;gBAC3E,4EAA4E;gBAC5E,2EAA2E;gBAC3E,wEAAwE;gBACxE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBACvE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE;gBAC5C,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,cAAc;gBACpB,SAAS,EAAE,QAAQ;gBACnB,SAAS;aACV,CAAC,CAAC;YACH,yEAAyE;YACzE,oEAAoE;YACpE,uEAAuE;YACvE,mDAAmD;YACnD,MAAM,UAAU,GAAG,CAAC,yBAAyB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACjE,yBAAyB,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YAC/C,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;YACxE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IACxF,6EAA6E;IAC7E,0EAA0E;IAC1E,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC;IAC5C,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3E,MAAM,UAAU,GAAG,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAChF,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAI,GAAW,EAAE,MAAwB;IAC5E,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACnE,IAAI,OAAoB,CAAC;IACzB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAC5C,OAAO,GAAG,OAAO,CAAC;IACpB,CAAC,CAAC,CAAC;IACH,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,QAAQ,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,EAAE,CAAC;IACxB,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;QACV,IAAI,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO;YAAE,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,KAA0B;IAC7D,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACtB,MAAM,sBAAsB,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,yEAAyE;QACzE,2EAA2E;QAC3E,2EAA2E;QAC3E,4EAA4E;QAC5E,2CAA2C;QAC3C,IAAI,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU;YAAE,OAAO;QAChD,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;YACpB,OAAO;QACT,CAAC;QACD,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,4BAA4B,CAAC,QAAkB,EAAE,KAAa;IAC3E,MAAM,GAAG,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,oBAAoB;gBACxB,MAAM,EAAE,YAAY;aACrB,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC;SACjC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,IAAI,CAAC,EAAE,KAAK,oBAAoB,EAAE,CAAC;YAClF,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAkB;IAC/C,OAAO,UAAU,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;AACzF,CAAC"}
|
|
@@ -4,4 +4,92 @@ export declare function mcpAuthScopeForSettings(settings: Settings, host: string
|
|
|
4
4
|
export declare function issueMcpToken(scope?: string): string;
|
|
5
5
|
export declare function revokeMcpToken(token: string | null | undefined): void;
|
|
6
6
|
export declare function validMcpToken(token: string | null | undefined, scope?: string): boolean;
|
|
7
|
+
/**
|
|
8
|
+
* The server-side claim record a per-run MCP token (Token B) resolves to.
|
|
9
|
+
*
|
|
10
|
+
* The token bytes stay opaque (`randomBytes(32)`); all scope lives here, in a
|
|
11
|
+
* daemon-minted Map that is the sole authority. This is an unguessable-bearer
|
|
12
|
+
* property, NOT platform attestation: the worker only ever presents its token
|
|
13
|
+
* and the daemon resolves the claim. `runKey` is therefore resolved
|
|
14
|
+
* server-side from the token and a self-reported `runKey` header is never
|
|
15
|
+
* trusted.
|
|
16
|
+
*/
|
|
17
|
+
export interface RunClaim {
|
|
18
|
+
/** The run this token authorizes. Resolved server-side; never self-reported. */
|
|
19
|
+
runKey: string;
|
|
20
|
+
/** The worker host the run is pinned to. Empty string means a local/acp run. */
|
|
21
|
+
workerHost: string;
|
|
22
|
+
/** The issue the run is working. */
|
|
23
|
+
issueId: string;
|
|
24
|
+
/**
|
|
25
|
+
* Monotonic generation of the shared endpoint this claim was minted against.
|
|
26
|
+
* Bumped on host recycle; a request whose claim generation no longer matches
|
|
27
|
+
* the live endpoint is a late/torn-down token and must be rejected.
|
|
28
|
+
*/
|
|
29
|
+
generation: number;
|
|
30
|
+
/**
|
|
31
|
+
* Coarse safety cap on the claim's lifetime (epoch millis). The claim is
|
|
32
|
+
* primarily run-lifetime-bound via the injected `isRunLive` re-check; this is
|
|
33
|
+
* only a backstop so a leaked token cannot live forever.
|
|
34
|
+
*/
|
|
35
|
+
expiresAt: number;
|
|
36
|
+
/**
|
|
37
|
+
* The coarse settings fingerprint (Token A side, `mcpAuthScopeForSettings`).
|
|
38
|
+
* Kept as a cheap pre-filter; it does NOT carry per-run identity.
|
|
39
|
+
*/
|
|
40
|
+
settingsScope: string;
|
|
41
|
+
/**
|
|
42
|
+
* Per-operation allowlist: the tool names this run may call. `undefined`
|
|
43
|
+
* means no restriction beyond the rest of the claim (every mounted tool).
|
|
44
|
+
*/
|
|
45
|
+
allowedTools?: readonly string[];
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Mint an opaque per-run token (Token B) bound to {@link claim}. The token
|
|
49
|
+
* bytes carry no scope; the returned claim is resolved server-side on every
|
|
50
|
+
* request via {@link resolveRunClaim}.
|
|
51
|
+
*/
|
|
52
|
+
export declare function issueRunMcpToken(claim: RunClaim): string;
|
|
53
|
+
/**
|
|
54
|
+
* Resolve the claim for an opaque per-run token. This is the ONLY source of a
|
|
55
|
+
* request's `runKey`; callers must never trust a self-reported header. Returns
|
|
56
|
+
* `undefined` for unknown/revoked tokens (fail closed at the call site).
|
|
57
|
+
*/
|
|
58
|
+
export declare function resolveRunClaim(token: string | null | undefined): RunClaim | undefined;
|
|
59
|
+
/** Revoke a per-run token, dropping its claim. Safe no-op on unknown input. */
|
|
60
|
+
export declare function revokeRunClaim(token: string | null | undefined): void;
|
|
61
|
+
/** Inputs to {@link checkRunClaim}: what the request is asking to do. */
|
|
62
|
+
export interface RunClaimRequest {
|
|
63
|
+
/** The tool being invoked (`tools/call` name), if this is a tool request. */
|
|
64
|
+
toolName?: string | null;
|
|
65
|
+
/**
|
|
66
|
+
* Read-only liveness oracle injected from the composition root. Returns false
|
|
67
|
+
* once the run is settled/recycled/superseded. The generation argument lets
|
|
68
|
+
* liveness be paired with the generation fence so a momentary liveness lie
|
|
69
|
+
* still fails on a stale generation.
|
|
70
|
+
*/
|
|
71
|
+
isRunLive: (runKey: string, workerHost: string, generation: number) => boolean;
|
|
72
|
+
/** Wall clock, injected for testability. Defaults to {@link Date.now}. */
|
|
73
|
+
now?: () => number;
|
|
74
|
+
}
|
|
75
|
+
/** Outcome of {@link checkRunClaim}. `ok` is true only when every check passes. */
|
|
76
|
+
export type RunClaimDecision = {
|
|
77
|
+
ok: true;
|
|
78
|
+
claim: RunClaim;
|
|
79
|
+
} | {
|
|
80
|
+
ok: false;
|
|
81
|
+
reason: "expired" | "tool-not-allowed" | "not-live";
|
|
82
|
+
};
|
|
83
|
+
/**
|
|
84
|
+
* Authoritative per-request owner re-check for a resolved {@link RunClaim},
|
|
85
|
+
* ordered expiry-first, allowlist-before-secret, fail-closed:
|
|
86
|
+
*
|
|
87
|
+
* 1. `expiresAt > now` - coarse lifetime cap.
|
|
88
|
+
* 2. tool in `allowedTools` - per-operation allowlist (before liveness).
|
|
89
|
+
* 3. `isRunLive(runKey, host, generation)` - the run is still live AND the
|
|
90
|
+
* generation matches the live endpoint.
|
|
91
|
+
*
|
|
92
|
+
* Never falls back to the settings-wide scope; any miss denies.
|
|
93
|
+
*/
|
|
94
|
+
export declare function checkRunClaim(claim: RunClaim, request: RunClaimRequest): RunClaimDecision;
|
|
7
95
|
//# sourceMappingURL=auth.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAK/C,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,MAAM,CAkBR;AAoBD,wBAAgB,aAAa,CAAC,KAAK,SAAsB,GAAG,MAAM,CAIjE;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAErE;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,KAAK,SAAsB,GAC1B,OAAO,CAET"}
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAK/C,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,MAAM,CAkBR;AAoBD,wBAAgB,aAAa,CAAC,KAAK,SAAsB,GAAG,MAAM,CAIjE;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAErE;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAChC,KAAK,SAAsB,GAC1B,OAAO,CAET;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,QAAQ;IACvB,gFAAgF;IAChF,MAAM,EAAE,MAAM,CAAC;IACf,gFAAgF;IAChF,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC;AAKD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,QAAQ,GAAG,MAAM,CAIxD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAGtF;AAED,+EAA+E;AAC/E,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,IAAI,CAErE;AAED,yEAAyE;AACzE,MAAM,WAAW,eAAe;IAC9B,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB;;;;;OAKG;IACH,SAAS,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC;IAC/E,0EAA0E;IAC1E,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,mFAAmF;AACnF,MAAM,MAAM,gBAAgB,GACxB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,QAAQ,CAAA;CAAE,GAC7B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,SAAS,GAAG,kBAAkB,GAAG,UAAU,CAAA;CAAE,CAAC;AAEvE;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,GAAG,gBAAgB,CAgBzF"}
|
|
@@ -45,4 +45,57 @@ export function revokeMcpToken(token) {
|
|
|
45
45
|
export function validMcpToken(token, scope = defaultMcpAuthScope) {
|
|
46
46
|
return typeof token === "string" && activeTokens.get(token) === scope;
|
|
47
47
|
}
|
|
48
|
+
/** Opaque per-run token (Token B) -> daemon-minted claim. The sole authority. */
|
|
49
|
+
const runClaims = new Map();
|
|
50
|
+
/**
|
|
51
|
+
* Mint an opaque per-run token (Token B) bound to {@link claim}. The token
|
|
52
|
+
* bytes carry no scope; the returned claim is resolved server-side on every
|
|
53
|
+
* request via {@link resolveRunClaim}.
|
|
54
|
+
*/
|
|
55
|
+
export function issueRunMcpToken(claim) {
|
|
56
|
+
const token = randomBytes(32).toString("base64url");
|
|
57
|
+
runClaims.set(token, claim);
|
|
58
|
+
return token;
|
|
59
|
+
}
|
|
60
|
+
/**
|
|
61
|
+
* Resolve the claim for an opaque per-run token. This is the ONLY source of a
|
|
62
|
+
* request's `runKey`; callers must never trust a self-reported header. Returns
|
|
63
|
+
* `undefined` for unknown/revoked tokens (fail closed at the call site).
|
|
64
|
+
*/
|
|
65
|
+
export function resolveRunClaim(token) {
|
|
66
|
+
if (typeof token !== "string")
|
|
67
|
+
return undefined;
|
|
68
|
+
return runClaims.get(token);
|
|
69
|
+
}
|
|
70
|
+
/** Revoke a per-run token, dropping its claim. Safe no-op on unknown input. */
|
|
71
|
+
export function revokeRunClaim(token) {
|
|
72
|
+
if (token)
|
|
73
|
+
runClaims.delete(token);
|
|
74
|
+
}
|
|
75
|
+
/**
|
|
76
|
+
* Authoritative per-request owner re-check for a resolved {@link RunClaim},
|
|
77
|
+
* ordered expiry-first, allowlist-before-secret, fail-closed:
|
|
78
|
+
*
|
|
79
|
+
* 1. `expiresAt > now` - coarse lifetime cap.
|
|
80
|
+
* 2. tool in `allowedTools` - per-operation allowlist (before liveness).
|
|
81
|
+
* 3. `isRunLive(runKey, host, generation)` - the run is still live AND the
|
|
82
|
+
* generation matches the live endpoint.
|
|
83
|
+
*
|
|
84
|
+
* Never falls back to the settings-wide scope; any miss denies.
|
|
85
|
+
*/
|
|
86
|
+
export function checkRunClaim(claim, request) {
|
|
87
|
+
const now = request.now ?? Date.now;
|
|
88
|
+
if (claim.expiresAt <= now()) {
|
|
89
|
+
return { ok: false, reason: "expired" };
|
|
90
|
+
}
|
|
91
|
+
if (request.toolName != null &&
|
|
92
|
+
claim.allowedTools !== undefined &&
|
|
93
|
+
!claim.allowedTools.includes(request.toolName)) {
|
|
94
|
+
return { ok: false, reason: "tool-not-allowed" };
|
|
95
|
+
}
|
|
96
|
+
if (!request.isRunLive(claim.runKey, claim.workerHost, claim.generation)) {
|
|
97
|
+
return { ok: false, reason: "not-live" };
|
|
98
|
+
}
|
|
99
|
+
return { ok: true, claim };
|
|
100
|
+
}
|
|
48
101
|
//# sourceMappingURL=auth.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAItD,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAC1C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE/C,MAAM,UAAU,kBAAkB;IAChC,OAAO,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAAkB,EAClB,IAAY,EACZ,IAAwB;IAExB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,IAAI;QACJ,IAAI;QACJ,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI;QACrF,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC;YACzC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B;KACF,CAAC,CAAC;IACH,OAAO,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;AAC5E,CAAC;AAED,2FAA2F;AAC3F,SAAS,eAAe,CAAC,MAA+B;IACtD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACxE,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,SAAS,oBAAoB,CAC3B,WAAoD;IAEpD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;SACxB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAK,GAAG,mBAAmB;IACvD,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAgC;IAC7D,IAAI,KAAK;QAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAAgC,EAChC,KAAK,GAAG,mBAAmB;IAE3B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC;AACxE,CAAC"}
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAItD,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAC1C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;AAE/C,MAAM,UAAU,kBAAkB;IAChC,OAAO,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,QAAkB,EAClB,IAAY,EACZ,IAAwB;IAExB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,IAAI;QACJ,IAAI;QACJ,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,oBAAoB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI;QACrF,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;YAClC,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC;YACzC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B;KACF,CAAC,CAAC;IACH,OAAO,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;AAC5E,CAAC;AAED,2FAA2F;AAC3F,SAAS,eAAe,CAAC,MAA+B;IACtD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACxE,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,SAAS,oBAAoB,CAC3B,WAAoD;IAEpD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;SACxB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAK,GAAG,mBAAmB;IACvD,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAgC;IAC7D,IAAI,KAAK;QAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAAgC,EAChC,KAAK,GAAG,mBAAmB;IAE3B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC;AACxE,CAAC;AA2CD,iFAAiF;AACjF,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;AAE9C;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAe;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,KAAgC;IAC9D,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAChD,OAAO,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,cAAc,CAAC,KAAgC;IAC7D,IAAI,KAAK;QAAE,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC;AAsBD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAAC,KAAe,EAAE,OAAwB;IACrE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IACpC,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG,EAAE,EAAE,CAAC;QAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,IACE,OAAO,CAAC,QAAQ,IAAI,IAAI;QACxB,KAAK,CAAC,YAAY,KAAK,SAAS;QAChC,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAC9C,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;QACzE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAC7B,CAAC"}
|
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
export { createMcpAuthScope, issueMcpToken, mcpAuthScopeForSettings, revokeMcpToken, validMcpToken, } from "./auth.js";
|
|
1
|
+
export { checkRunClaim, createMcpAuthScope, issueMcpToken, issueRunMcpToken, mcpAuthScopeForSettings, resolveRunClaim, revokeMcpToken, revokeRunClaim, validMcpToken, } from "./auth.js";
|
|
2
|
+
export type { RunClaim } from "./auth.js";
|
|
2
3
|
export { executeTool, mountedSkillSources, toolSpecs } from "./tools.js";
|
|
3
4
|
export { acquireAgentMcpEndpoint, acquireAgentMcpEndpointForRun, trackerMcpServerName, } from "./agentEndpoint.js";
|
|
4
5
|
export type { AgentMcpEndpointLease, RemoteMcpTunnelTransport } from "./agentEndpoint.js";
|
|
5
6
|
export { mountMcp, startMcpServer, mcpResponse } from "./server.js";
|
|
6
|
-
export type { ObservabilityServerHandle } from "./server.js";
|
|
7
|
+
export type { IsRunLive, ObservabilityServerHandle } from "./server.js";
|
|
7
8
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,YAAY,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,aAAa,EACb,gBAAgB,EAChB,uBAAuB,EACvB,eAAe,EACf,cAAc,EACd,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACpE,YAAY,EAAE,SAAS,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export { createMcpAuthScope, issueMcpToken, mcpAuthScopeForSettings, revokeMcpToken, validMcpToken, } from "./auth.js";
|
|
1
|
+
export { checkRunClaim, createMcpAuthScope, issueMcpToken, issueRunMcpToken, mcpAuthScopeForSettings, resolveRunClaim, revokeMcpToken, revokeRunClaim, validMcpToken, } from "./auth.js";
|
|
2
2
|
export { executeTool, mountedSkillSources, toolSpecs } from "./tools.js";
|
|
3
3
|
export { acquireAgentMcpEndpoint, acquireAgentMcpEndpointForRun, trackerMcpServerName, } from "./agentEndpoint.js";
|
|
4
4
|
export { mountMcp, startMcpServer, mcpResponse } from "./server.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,uBAAuB,EACvB,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,aAAa,EACb,gBAAgB,EAChB,uBAAuB,EACvB,eAAe,EACf,cAAc,EACd,cAAc,EACd,aAAa,GACd,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACzE,OAAO,EACL,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -1,12 +1,28 @@
|
|
|
1
1
|
import { Hono } from "hono";
|
|
2
2
|
import { type Settings } from "@lorenz/domain";
|
|
3
3
|
import { type ToolRegistry } from "@lorenz/tool-sdk";
|
|
4
|
+
/**
|
|
5
|
+
* Read-only liveness oracle injected from the composition root (daemon.ts).
|
|
6
|
+
* Given a per-run claim's `(runKey, workerHost, generation)`, returns false once
|
|
7
|
+
* the run is settled/recycled/superseded, pairing liveness with the generation
|
|
8
|
+
* fence. The per-run claim-enforcing mount always injects the real
|
|
9
|
+
* coordinator-backed oracle; {@link defaultIsRunLive} is the FAIL-CLOSED default
|
|
10
|
+
* for any mount that resolves a Token B claim without one, so a wiring omission
|
|
11
|
+
* denies rather than authorizes.
|
|
12
|
+
*/
|
|
13
|
+
export type IsRunLive = (runKey: string, workerHost: string, generation: number) => boolean;
|
|
4
14
|
export interface ObservabilityServerOptions {
|
|
5
15
|
host: string;
|
|
6
16
|
port: number;
|
|
7
17
|
authScope?: string | undefined;
|
|
8
18
|
/** Tool packs available to this endpoint; defaults to the process-wide registry. */
|
|
9
19
|
tools?: ToolRegistry | undefined;
|
|
20
|
+
/**
|
|
21
|
+
* Read-only liveness oracle for per-run (Token B) claims. Injected at the
|
|
22
|
+
* composition root; absent on non-claim mounts, where the FAIL-CLOSED default
|
|
23
|
+
* denies any Token B presented to them.
|
|
24
|
+
*/
|
|
25
|
+
isRunLive?: IsRunLive | undefined;
|
|
10
26
|
}
|
|
11
27
|
export interface ObservabilityServerHandle {
|
|
12
28
|
host: string;
|
|
@@ -19,6 +35,12 @@ export interface McpMountOptions {
|
|
|
19
35
|
authScope?: string | undefined;
|
|
20
36
|
/** Tool packs available to this endpoint; defaults to the process-wide registry. */
|
|
21
37
|
tools?: ToolRegistry | undefined;
|
|
38
|
+
/**
|
|
39
|
+
* Read-only liveness oracle for per-run (Token B) claims. Injected at the
|
|
40
|
+
* composition root; absent on non-claim mounts, where the FAIL-CLOSED default
|
|
41
|
+
* denies any Token B presented to them.
|
|
42
|
+
*/
|
|
43
|
+
isRunLive?: IsRunLive | undefined;
|
|
22
44
|
}
|
|
23
45
|
export declare function startMcpServer(settings: Settings, options: ObservabilityServerOptions): Promise<ObservabilityServerHandle>;
|
|
24
46
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAgB,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAgD,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAgB,MAAM,MAAM,CAAC;AAG1C,OAAO,EAAgD,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAW1E;;;;;;;;GAQG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC;AAI5F,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,oFAAoF;IACpF,KAAK,CAAC,EAAE,YAAY,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;CACnC;AAED,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,oFAAoF;IACpF,KAAK,CAAC,EAAE,YAAY,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;CACnC;AAUD,wBAAsB,cAAc,CAClC,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,0BAA0B,GAClC,OAAO,CAAC,yBAAyB,CAAC,CAepC;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CACtB,GAAG,EAAE,IAAI,EACT,QAAQ,EAAE,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,EACrC,OAAO,GAAE,eAAoB,GAC5B,IAAI,CA8CN;AAuGD,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,KAAK,GAAE,YAAkC,GACxC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CA8CzC"}
|