run402-mcp 1.54.4 → 1.55.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +30 -3
- package/core/dist/allowance-auth.d.ts +9 -2
- package/core/dist/allowance-auth.d.ts.map +1 -1
- package/core/dist/allowance-auth.js +42 -22
- package/core/dist/allowance-auth.js.map +1 -1
- package/package.json +1 -1
- package/sdk/README.md +57 -1
- package/sdk/core-dist/allowance-auth.d.ts +9 -2
- package/sdk/core-dist/allowance-auth.js +42 -22
- package/sdk/dist/ci-credentials.d.ts +22 -0
- package/sdk/dist/ci-credentials.d.ts.map +1 -0
- package/sdk/dist/ci-credentials.js +103 -0
- package/sdk/dist/ci-credentials.js.map +1 -0
- package/sdk/dist/index.d.ts +6 -0
- package/sdk/dist/index.d.ts.map +1 -1
- package/sdk/dist/index.js +5 -0
- package/sdk/dist/index.js.map +1 -1
- package/sdk/dist/namespaces/ci.d.ts +21 -0
- package/sdk/dist/namespaces/ci.d.ts.map +1 -0
- package/sdk/dist/namespaces/ci.js +253 -0
- package/sdk/dist/namespaces/ci.js.map +1 -0
- package/sdk/dist/namespaces/ci.types.d.ts +91 -0
- package/sdk/dist/namespaces/ci.types.d.ts.map +1 -0
- package/sdk/dist/namespaces/ci.types.js +8 -0
- package/sdk/dist/namespaces/ci.types.js.map +1 -0
- package/sdk/dist/namespaces/deploy.d.ts.map +1 -1
- package/sdk/dist/namespaces/deploy.js +45 -21
- package/sdk/dist/namespaces/deploy.js.map +1 -1
- package/sdk/dist/node/ci.d.ts +12 -0
- package/sdk/dist/node/ci.d.ts.map +1 -0
- package/sdk/dist/node/ci.js +30 -0
- package/sdk/dist/node/ci.js.map +1 -0
- package/sdk/dist/node/index.d.ts +7 -2
- package/sdk/dist/node/index.d.ts.map +1 -1
- package/sdk/dist/node/index.js +3 -2
- package/sdk/dist/node/index.js.map +1 -1
package/README.md
CHANGED
|
@@ -20,11 +20,11 @@ This monorepo ships every surface an agent can pick up:
|
|
|
20
20
|
|---------|-----------|
|
|
21
21
|
| [`@run402/sdk`](./sdk/) | Calling Run402 from TypeScript — typed kernel, isomorphic (Node 22 / Deno / Bun / V8 isolates) with a Node entry that auto-loads the local keystore + allowance + x402 fetch |
|
|
22
22
|
| [`run402` CLI](./cli/) | Terminal, scripts, CI, agent-controlled shells — JSON in, JSON out, exit code on failure |
|
|
23
|
-
| [`run402-mcp`](./src/) | Claude Desktop, Cursor, Cline, Claude Code —
|
|
23
|
+
| [`run402-mcp`](./src/) | Claude Desktop, Cursor, Cline, Claude Code — core Run402 operations as MCP tools |
|
|
24
24
|
| [OpenClaw skill](./openclaw/) | OpenClaw agents (no MCP server required) |
|
|
25
25
|
| [`@run402/functions`](./functions/) | Imported _inside_ deployed functions (`db(req)`, `adminDb()`, `getUser()`, `email`, `ai`) and for TypeScript autocomplete in your editor |
|
|
26
26
|
|
|
27
|
-
All
|
|
27
|
+
All five interfaces release in lockstep at the same version and share a single typed kernel where appropriate: `@run402/sdk`. MCP tools, CLI subcommands, and OpenClaw scripts are thin shims over SDK calls; `@run402/functions` is the in-function helper that runs inside deployed code. Pick whichever interface fits your runtime.
|
|
28
28
|
|
|
29
29
|
## 30-second start
|
|
30
30
|
|
|
@@ -127,6 +127,32 @@ CLI:
|
|
|
127
127
|
run402 sites deploy-dir ./dist --project prj_… > result.json 2> events.log
|
|
128
128
|
```
|
|
129
129
|
|
|
130
|
+
### GitHub Actions OIDC deploys — link once, deploy with the same CLI
|
|
131
|
+
|
|
132
|
+
For repo-driven deploys, Run402 does not need service keys or allowance files in GitHub secrets. Run a local link command once:
|
|
133
|
+
|
|
134
|
+
```bash
|
|
135
|
+
run402 ci link github --project prj_... --manifest run402.deploy.json
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
That creates a deploy-scoped `/ci/v1/*` binding and writes a workflow that grants `id-token: write`, checks out the repo, and runs the existing deploy primitive:
|
|
139
|
+
|
|
140
|
+
```yaml
|
|
141
|
+
permissions:
|
|
142
|
+
contents: read
|
|
143
|
+
id-token: write
|
|
144
|
+
|
|
145
|
+
jobs:
|
|
146
|
+
deploy:
|
|
147
|
+
runs-on: ubuntu-latest
|
|
148
|
+
steps:
|
|
149
|
+
- uses: actions/checkout@v4
|
|
150
|
+
- name: Deploy to run402
|
|
151
|
+
run: npx --yes run402@1.54.4 deploy apply --manifest 'run402.deploy.json' --project 'prj_...'
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
CI deploys are intentionally narrow: `site`, `functions`, `database`, and absent/current `base` only. Keep secrets, domains, subdomains, routes, checks, and broader trust changes in a local allowance-backed deploy. Manage bindings with `run402 ci list` and `run402 ci revoke`.
|
|
155
|
+
|
|
130
156
|
### In-function helpers — caller-context vs BYPASSRLS
|
|
131
157
|
|
|
132
158
|
Inside a deployed function, import from `@run402/functions`. Two distinct DB clients keep RLS clean:
|
|
@@ -201,7 +227,7 @@ const project = await r.projects.provision({ tier: "prototype" });
|
|
|
201
227
|
await r.blobs.put(project.project_id, "hello.txt", { content: "hi" });
|
|
202
228
|
```
|
|
203
229
|
|
|
204
|
-
|
|
230
|
+
20 namespaces: `projects`, `deploy`, `ci`, `sites`, `blobs`, `functions`, `secrets`, `subdomains`, `domains`, `email` (+ `webhooks`), `senderDomain`, `auth`, `apps`, `tier`, `billing`, `contracts`, `ai`, `allowance`, `service`, `admin`. Every operation throws a typed `Run402Error` subclass on failure: `PaymentRequired`, `ProjectNotFound`, `Unauthorized`, `ApiError`, `NetworkError`, `LocalError`, `Run402DeployError`. See [`sdk/README.md`](./sdk/README.md).
|
|
205
231
|
|
|
206
232
|
## CLI — `run402`
|
|
207
233
|
|
|
@@ -219,6 +245,7 @@ run402 projects sql <id> "CREATE TABLE …"
|
|
|
219
245
|
run402 projects apply-expose <id> --file manifest.json
|
|
220
246
|
run402 sites deploy-dir ./dist
|
|
221
247
|
run402 functions deploy <id> <name> --file fn.ts
|
|
248
|
+
run402 ci link github --project <id> # GitHub Actions OIDC deploy binding
|
|
222
249
|
run402 blob put ./asset.png --immutable
|
|
223
250
|
run402 blob diagnose <url> # inspect live CDN state for a public URL
|
|
224
251
|
run402 cdn wait-fresh <url> --sha <hex> # poll until a mutable URL serves the new SHA
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
* Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
|
|
3
3
|
* Uses @noble/curves (lighter than viem) for signing.
|
|
4
4
|
*/
|
|
5
|
+
import type { AllowanceData } from "./allowance.js";
|
|
5
6
|
export interface SIWxAuthHeaders {
|
|
6
7
|
"SIGN-IN-WITH-X": string;
|
|
7
8
|
}
|
|
@@ -13,17 +14,23 @@ interface SIWEMessageOpts {
|
|
|
13
14
|
domain: string;
|
|
14
15
|
uri: string;
|
|
15
16
|
statement: string;
|
|
16
|
-
version
|
|
17
|
-
chainId: number;
|
|
17
|
+
version?: string;
|
|
18
|
+
chainId: number | string;
|
|
18
19
|
nonce: string;
|
|
19
20
|
issuedAt: string;
|
|
20
21
|
expirationTime?: string;
|
|
22
|
+
resources?: string[];
|
|
23
|
+
}
|
|
24
|
+
export interface SIWxAuthOptions extends SIWEMessageOpts {
|
|
25
|
+
allowance: Pick<AllowanceData, "address" | "privateKey">;
|
|
26
|
+
type?: "eip191";
|
|
21
27
|
}
|
|
22
28
|
/**
|
|
23
29
|
* Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
|
|
24
30
|
* with the `siwe` library's message format used server-side for verification.
|
|
25
31
|
*/
|
|
26
32
|
export declare function formatSIWEMessage(opts: SIWEMessageOpts, address: string): string;
|
|
33
|
+
export declare function buildSIWxAuthHeaders(opts: SIWxAuthOptions): SIWxAuthHeaders;
|
|
27
34
|
/**
|
|
28
35
|
* Get SIWX auth headers for the Run402 API.
|
|
29
36
|
* Returns null if no allowance is configured.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"allowance-auth.d.ts","sourceRoot":"","sources":["../src/allowance-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;
|
|
1
|
+
{"version":3,"file":"allowance-auth.d.ts","sourceRoot":"","sources":["../src/allowance-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC9B,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAQzD;AA4CD,UAAU,eAAe;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,eAAgB,SAAQ,eAAe;IACtD,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,SAAS,GAAG,YAAY,CAAC,CAAC;IACzD,IAAI,CAAC,EAAE,QAAQ,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAsBhF;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,eAAe,GAAG,eAAe,CAwB3E;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CA4BpG"}
|
|
@@ -70,16 +70,44 @@ export function formatSIWEMessage(opts, address) {
|
|
|
70
70
|
opts.statement,
|
|
71
71
|
"",
|
|
72
72
|
`URI: ${opts.uri}`,
|
|
73
|
-
`Version: ${opts.version}`,
|
|
74
|
-
`Chain ID: ${opts.chainId}`,
|
|
73
|
+
`Version: ${opts.version ?? "1"}`,
|
|
74
|
+
`Chain ID: ${messageChainId(opts.chainId)}`,
|
|
75
75
|
`Nonce: ${opts.nonce}`,
|
|
76
76
|
`Issued At: ${opts.issuedAt}`,
|
|
77
77
|
];
|
|
78
78
|
if (opts.expirationTime) {
|
|
79
79
|
lines.push(`Expiration Time: ${opts.expirationTime}`);
|
|
80
80
|
}
|
|
81
|
+
if (opts.resources && opts.resources.length > 0) {
|
|
82
|
+
lines.push("Resources:");
|
|
83
|
+
for (const resource of opts.resources)
|
|
84
|
+
lines.push(`- ${resource}`);
|
|
85
|
+
}
|
|
81
86
|
return lines.join("\n");
|
|
82
87
|
}
|
|
88
|
+
export function buildSIWxAuthHeaders(opts) {
|
|
89
|
+
const message = formatSIWEMessage(opts, opts.allowance.address);
|
|
90
|
+
const signature = personalSign(opts.allowance.privateKey, opts.allowance.address, message);
|
|
91
|
+
const payload = {
|
|
92
|
+
domain: opts.domain,
|
|
93
|
+
address: toChecksumAddress(opts.allowance.address),
|
|
94
|
+
statement: opts.statement,
|
|
95
|
+
uri: opts.uri,
|
|
96
|
+
version: opts.version ?? "1",
|
|
97
|
+
chainId: payloadChainId(opts.chainId),
|
|
98
|
+
type: opts.type ?? "eip191",
|
|
99
|
+
nonce: opts.nonce,
|
|
100
|
+
issuedAt: opts.issuedAt,
|
|
101
|
+
expirationTime: opts.expirationTime,
|
|
102
|
+
signature,
|
|
103
|
+
};
|
|
104
|
+
if (opts.resources !== undefined) {
|
|
105
|
+
payload.resources = opts.resources;
|
|
106
|
+
}
|
|
107
|
+
return {
|
|
108
|
+
"SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
|
|
109
|
+
};
|
|
110
|
+
}
|
|
83
111
|
/**
|
|
84
112
|
* Get SIWX auth headers for the Run402 API.
|
|
85
113
|
* Returns null if no allowance is configured.
|
|
@@ -103,32 +131,24 @@ export function getAllowanceAuthHeaders(path, allowancePath) {
|
|
|
103
131
|
const now = new Date();
|
|
104
132
|
const issuedAt = now.toISOString();
|
|
105
133
|
const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
|
|
106
|
-
|
|
134
|
+
return buildSIWxAuthHeaders({
|
|
135
|
+
allowance,
|
|
107
136
|
domain,
|
|
108
137
|
uri,
|
|
109
138
|
statement: "Sign in to Run402",
|
|
110
|
-
version: "1",
|
|
111
|
-
chainId: 84532, // Base Sepolia
|
|
112
|
-
nonce,
|
|
113
|
-
issuedAt,
|
|
114
|
-
expirationTime,
|
|
115
|
-
}, allowance.address);
|
|
116
|
-
const signature = personalSign(allowance.privateKey, allowance.address, message);
|
|
117
|
-
const payload = {
|
|
118
|
-
domain,
|
|
119
|
-
address: toChecksumAddress(allowance.address),
|
|
120
|
-
statement: "Sign in to Run402",
|
|
121
|
-
uri,
|
|
122
|
-
version: "1",
|
|
123
139
|
chainId: "eip155:84532",
|
|
124
|
-
type: "eip191",
|
|
125
140
|
nonce,
|
|
126
141
|
issuedAt,
|
|
127
142
|
expirationTime,
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
143
|
+
});
|
|
144
|
+
}
|
|
145
|
+
function messageChainId(chainId) {
|
|
146
|
+
if (typeof chainId === "number")
|
|
147
|
+
return String(chainId);
|
|
148
|
+
const match = /^eip155:(\d+)$/.exec(chainId);
|
|
149
|
+
return match ? match[1] : chainId;
|
|
150
|
+
}
|
|
151
|
+
function payloadChainId(chainId) {
|
|
152
|
+
return typeof chainId === "number" ? `eip155:${chainId}` : chainId;
|
|
133
153
|
}
|
|
134
154
|
//# sourceMappingURL=allowance-auth.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"allowance-auth.js","sourceRoot":"","sources":["../src/allowance-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"allowance-auth.js","sourceRoot":"","sources":["../src/allowance-auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAOzC;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACrE,IAAI,WAAW,GAAG,IAAI,CAAC;IACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,WAAW,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,aAAqB,EAAE,OAAe,EAAE,OAAe;IAC3E,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACrC,iCAAiC,QAAQ,CAAC,MAAM,EAAE,CACnD,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjE,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrB,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC;QAC1C,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;QACxB,CAAC,CAAC,aAAa,CAAC;IAClB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAElD,iEAAiE;IACjE,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;YACnF,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YAClD,IAAI,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,KAAK,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC3D,QAAQ,GAAG,CAAC,CAAC;gBACb,MAAM;YACR,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC3D,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;AAC7B,CAAC;AAmBD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAqB,EAAE,OAAe;IACtE,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG;QACZ,GAAG,IAAI,CAAC,MAAM,mDAAmD;QACjE,WAAW;QACX,EAAE;QACF,IAAI,CAAC,SAAS;QACd,EAAE;QACF,QAAQ,IAAI,CAAC,GAAG,EAAE;QAClB,YAAY,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE;QACjC,aAAa,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC3C,UAAU,IAAI,CAAC,KAAK,EAAE;QACtB,cAAc,IAAI,CAAC,QAAQ,EAAE;KAC9B,CAAC;IACF,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAqB;IACxD,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAE3F,MAAM,OAAO,GAA4B;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;QAClD,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,GAAG;QAC5B,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;QACrC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,QAAQ;QAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,SAAS;KACV,CAAC;IACF,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IACrC,CAAC;IAED,OAAO;QACL,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC1E,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAY,EAAE,aAAsB;IAC1E,wEAAwE;IACxE,yEAAyE;IACzE,yEAAyE;IACzE,wEAAwE;IACxE,4EAA4E;IAC5E,MAAM,SAAS,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IAC/C,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAE3E,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IAC7B,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC;IAC5B,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACnC,MAAM,cAAc,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAE7E,OAAO,oBAAoB,CAAC;QAC1B,SAAS;QACT,MAAM;QACN,GAAG;QACH,SAAS,EAAE,mBAAmB;QAC9B,OAAO,EAAE,cAAc;QACvB,KAAK;QACL,QAAQ;QACR,cAAc;KACf,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,OAAwB;IAC9C,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AACrC,CAAC;AAED,SAAS,cAAc,CAAC,OAAwB;IAC9C,OAAO,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AACrE,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "run402-mcp",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.55.0",
|
|
4
4
|
"description": "MCP server for Run402 — AI-native Postgres databases with REST API, auth, storage, and row-level security. Pay with x402 USDC micropayments.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
package/sdk/README.md
CHANGED
|
@@ -54,12 +54,13 @@ const r = new Run402({
|
|
|
54
54
|
|
|
55
55
|
The `CredentialsProvider` interface has two required methods (`getAuth`, `getProject`) plus optional ones (`saveProject`, `removeProject`, `setActiveProject`, `readAllowance`, `saveAllowance`, …) for hosts that want full sticky-default behavior.
|
|
56
56
|
|
|
57
|
-
## Namespaces (
|
|
57
|
+
## Namespaces (20)
|
|
58
58
|
|
|
59
59
|
| Namespace | Highlights |
|
|
60
60
|
|---|---|
|
|
61
61
|
| `projects` | `provision`, `delete`, `list`, `sql`, `rest`, `applyExpose`, `getExpose`, `getUsage`, `getSchema`, `info`, `keys`, `use`, `active`, `pin`, `getQuote` |
|
|
62
62
|
| `deploy` | **The unified deploy primitive (v1.34+).** `apply` / `start` / `resume` / `status` / `list` / `events` / `getRelease` / `diff` / `plan` / `upload` / `commit` |
|
|
63
|
+
| `ci` | GitHub Actions OIDC federation over `/ci/v1/*`: `createBinding`, `listBindings`, `getBinding`, `revokeBinding`, `exchangeToken`; plus canonical delegation helpers |
|
|
63
64
|
| `sites` | `deployDir` — Node entry only (`@run402/sdk/node`); thin wrapper over `r.deploy.apply` |
|
|
64
65
|
| `blobs` | `put` (returns `AssetRef` with `cdnUrl` / `sri` / `etag` / `cacheKind` and `scriptTag()`/`linkTag()`/`imgTag()` emitters), `get`, `ls`, `rm`, `sign`, `diagnoseUrl`, `waitFresh` |
|
|
65
66
|
| `functions` | `deploy`, `invoke`, `logs`, `update`, `list`, `delete` |
|
|
@@ -159,6 +160,61 @@ const resumed = await r.deploy.resume(operationId);
|
|
|
159
160
|
});
|
|
160
161
|
```
|
|
161
162
|
|
|
163
|
+
### GitHub Actions OIDC — CI credentials drive deploy
|
|
164
|
+
|
|
165
|
+
The v1 CI path keeps the deploy primitive simple: link a GitHub repository once, then call the existing `r.deploy.apply` with CI-marked credentials. There is no separate `r.ci.deployApply` method and no public `ci: true` deploy option.
|
|
166
|
+
|
|
167
|
+
The CLI is the easiest setup path (`run402 ci link github`), but the SDK exposes the building blocks:
|
|
168
|
+
|
|
169
|
+
```ts
|
|
170
|
+
import {
|
|
171
|
+
CI_GITHUB_ACTIONS_PROVIDER,
|
|
172
|
+
V1_CI_ALLOWED_ACTIONS,
|
|
173
|
+
V1_CI_ALLOWED_EVENTS_DEFAULT,
|
|
174
|
+
run402,
|
|
175
|
+
signCiDelegation,
|
|
176
|
+
} from "@run402/sdk/node";
|
|
177
|
+
|
|
178
|
+
const values = {
|
|
179
|
+
project_id: projectId,
|
|
180
|
+
subject_match: "repo:owner/name:ref:refs/heads/main",
|
|
181
|
+
allowed_actions: V1_CI_ALLOWED_ACTIONS,
|
|
182
|
+
allowed_events: V1_CI_ALLOWED_EVENTS_DEFAULT,
|
|
183
|
+
github_repository_id: "123456789",
|
|
184
|
+
expires_at: null,
|
|
185
|
+
nonce: "0123456789abcdef0123456789abcdef",
|
|
186
|
+
};
|
|
187
|
+
|
|
188
|
+
const r = run402({ disablePaidFetch: true });
|
|
189
|
+
const signed_delegation = signCiDelegation(values);
|
|
190
|
+
await r.ci.createBinding({
|
|
191
|
+
...values,
|
|
192
|
+
provider: CI_GITHUB_ACTIONS_PROVIDER,
|
|
193
|
+
signed_delegation,
|
|
194
|
+
});
|
|
195
|
+
```
|
|
196
|
+
|
|
197
|
+
Inside GitHub Actions, use `githubActionsCredentials`. It reads GitHub's OIDC environment, exchanges the subject token through `r.ci.exchangeToken`, caches the Run402 session until `expires_in - refreshBeforeSeconds`, and marks the credentials so deploy uses CI Bearer auth:
|
|
198
|
+
|
|
199
|
+
```ts
|
|
200
|
+
import { githubActionsCredentials, run402, type ReleaseSpec } from "@run402/sdk/node";
|
|
201
|
+
|
|
202
|
+
const r = run402({
|
|
203
|
+
credentials: githubActionsCredentials({ projectId }),
|
|
204
|
+
disablePaidFetch: true,
|
|
205
|
+
});
|
|
206
|
+
|
|
207
|
+
const ciSpec: ReleaseSpec = {
|
|
208
|
+
project: projectId,
|
|
209
|
+
base: { release: "current" },
|
|
210
|
+
site: { patch: { put: { "index.html": "<h1>ship</h1>" } } },
|
|
211
|
+
};
|
|
212
|
+
|
|
213
|
+
await r.deploy.apply(ciSpec);
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
CI deploys intentionally allow only `project`, `database`, `functions`, `site`, and absent/current `base`. They reject `secrets`, `subdomains`, `routes`, `checks`, unknown future top-level fields, and specs large enough to require `manifest_ref`. Use the canonical builders (`buildCiDelegationStatement`, `buildCiDelegationResourceUri`) instead of hand-rolling SIWX text; gateway tests pin those strings as golden vectors.
|
|
217
|
+
|
|
162
218
|
### Errors
|
|
163
219
|
|
|
164
220
|
All failures throw subclasses of `Run402Error`. Every subclass carries a stable
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
* Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
|
|
3
3
|
* Uses @noble/curves (lighter than viem) for signing.
|
|
4
4
|
*/
|
|
5
|
+
import type { AllowanceData } from "./allowance.js";
|
|
5
6
|
export interface SIWxAuthHeaders {
|
|
6
7
|
"SIGN-IN-WITH-X": string;
|
|
7
8
|
}
|
|
@@ -13,17 +14,23 @@ interface SIWEMessageOpts {
|
|
|
13
14
|
domain: string;
|
|
14
15
|
uri: string;
|
|
15
16
|
statement: string;
|
|
16
|
-
version
|
|
17
|
-
chainId: number;
|
|
17
|
+
version?: string;
|
|
18
|
+
chainId: number | string;
|
|
18
19
|
nonce: string;
|
|
19
20
|
issuedAt: string;
|
|
20
21
|
expirationTime?: string;
|
|
22
|
+
resources?: string[];
|
|
23
|
+
}
|
|
24
|
+
export interface SIWxAuthOptions extends SIWEMessageOpts {
|
|
25
|
+
allowance: Pick<AllowanceData, "address" | "privateKey">;
|
|
26
|
+
type?: "eip191";
|
|
21
27
|
}
|
|
22
28
|
/**
|
|
23
29
|
* Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
|
|
24
30
|
* with the `siwe` library's message format used server-side for verification.
|
|
25
31
|
*/
|
|
26
32
|
export declare function formatSIWEMessage(opts: SIWEMessageOpts, address: string): string;
|
|
33
|
+
export declare function buildSIWxAuthHeaders(opts: SIWxAuthOptions): SIWxAuthHeaders;
|
|
27
34
|
/**
|
|
28
35
|
* Get SIWX auth headers for the Run402 API.
|
|
29
36
|
* Returns null if no allowance is configured.
|
|
@@ -70,16 +70,44 @@ export function formatSIWEMessage(opts, address) {
|
|
|
70
70
|
opts.statement,
|
|
71
71
|
"",
|
|
72
72
|
`URI: ${opts.uri}`,
|
|
73
|
-
`Version: ${opts.version}`,
|
|
74
|
-
`Chain ID: ${opts.chainId}`,
|
|
73
|
+
`Version: ${opts.version ?? "1"}`,
|
|
74
|
+
`Chain ID: ${messageChainId(opts.chainId)}`,
|
|
75
75
|
`Nonce: ${opts.nonce}`,
|
|
76
76
|
`Issued At: ${opts.issuedAt}`,
|
|
77
77
|
];
|
|
78
78
|
if (opts.expirationTime) {
|
|
79
79
|
lines.push(`Expiration Time: ${opts.expirationTime}`);
|
|
80
80
|
}
|
|
81
|
+
if (opts.resources && opts.resources.length > 0) {
|
|
82
|
+
lines.push("Resources:");
|
|
83
|
+
for (const resource of opts.resources)
|
|
84
|
+
lines.push(`- ${resource}`);
|
|
85
|
+
}
|
|
81
86
|
return lines.join("\n");
|
|
82
87
|
}
|
|
88
|
+
export function buildSIWxAuthHeaders(opts) {
|
|
89
|
+
const message = formatSIWEMessage(opts, opts.allowance.address);
|
|
90
|
+
const signature = personalSign(opts.allowance.privateKey, opts.allowance.address, message);
|
|
91
|
+
const payload = {
|
|
92
|
+
domain: opts.domain,
|
|
93
|
+
address: toChecksumAddress(opts.allowance.address),
|
|
94
|
+
statement: opts.statement,
|
|
95
|
+
uri: opts.uri,
|
|
96
|
+
version: opts.version ?? "1",
|
|
97
|
+
chainId: payloadChainId(opts.chainId),
|
|
98
|
+
type: opts.type ?? "eip191",
|
|
99
|
+
nonce: opts.nonce,
|
|
100
|
+
issuedAt: opts.issuedAt,
|
|
101
|
+
expirationTime: opts.expirationTime,
|
|
102
|
+
signature,
|
|
103
|
+
};
|
|
104
|
+
if (opts.resources !== undefined) {
|
|
105
|
+
payload.resources = opts.resources;
|
|
106
|
+
}
|
|
107
|
+
return {
|
|
108
|
+
"SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
|
|
109
|
+
};
|
|
110
|
+
}
|
|
83
111
|
/**
|
|
84
112
|
* Get SIWX auth headers for the Run402 API.
|
|
85
113
|
* Returns null if no allowance is configured.
|
|
@@ -103,32 +131,24 @@ export function getAllowanceAuthHeaders(path, allowancePath) {
|
|
|
103
131
|
const now = new Date();
|
|
104
132
|
const issuedAt = now.toISOString();
|
|
105
133
|
const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
|
|
106
|
-
|
|
134
|
+
return buildSIWxAuthHeaders({
|
|
135
|
+
allowance,
|
|
107
136
|
domain,
|
|
108
137
|
uri,
|
|
109
138
|
statement: "Sign in to Run402",
|
|
110
|
-
version: "1",
|
|
111
|
-
chainId: 84532, // Base Sepolia
|
|
112
|
-
nonce,
|
|
113
|
-
issuedAt,
|
|
114
|
-
expirationTime,
|
|
115
|
-
}, allowance.address);
|
|
116
|
-
const signature = personalSign(allowance.privateKey, allowance.address, message);
|
|
117
|
-
const payload = {
|
|
118
|
-
domain,
|
|
119
|
-
address: toChecksumAddress(allowance.address),
|
|
120
|
-
statement: "Sign in to Run402",
|
|
121
|
-
uri,
|
|
122
|
-
version: "1",
|
|
123
139
|
chainId: "eip155:84532",
|
|
124
|
-
type: "eip191",
|
|
125
140
|
nonce,
|
|
126
141
|
issuedAt,
|
|
127
142
|
expirationTime,
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
143
|
+
});
|
|
144
|
+
}
|
|
145
|
+
function messageChainId(chainId) {
|
|
146
|
+
if (typeof chainId === "number")
|
|
147
|
+
return String(chainId);
|
|
148
|
+
const match = /^eip155:(\d+)$/.exec(chainId);
|
|
149
|
+
return match ? match[1] : chainId;
|
|
150
|
+
}
|
|
151
|
+
function payloadChainId(chainId) {
|
|
152
|
+
return typeof chainId === "number" ? `eip155:${chainId}` : chainId;
|
|
133
153
|
}
|
|
134
154
|
//# sourceMappingURL=allowance-auth.js.map
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
/** CI-session credential helpers for OIDC-backed deploy flows. */
|
|
2
|
+
import type { CredentialsProvider } from "./credentials.js";
|
|
3
|
+
export declare const CI_SESSION_CREDENTIALS: unique symbol;
|
|
4
|
+
export interface CiMarkedCredentialsProvider extends CredentialsProvider {
|
|
5
|
+
readonly [CI_SESSION_CREDENTIALS]: true;
|
|
6
|
+
}
|
|
7
|
+
export interface CreateCiSessionCredentialsOptions {
|
|
8
|
+
projectId: string;
|
|
9
|
+
accessToken?: string;
|
|
10
|
+
getAccessToken?: () => Promise<string>;
|
|
11
|
+
}
|
|
12
|
+
export interface GithubActionsCredentialsOptions {
|
|
13
|
+
projectId: string;
|
|
14
|
+
apiBase?: string;
|
|
15
|
+
audience?: string;
|
|
16
|
+
refreshBeforeSeconds?: number;
|
|
17
|
+
fetch?: typeof globalThis.fetch;
|
|
18
|
+
}
|
|
19
|
+
export declare function isCiSessionCredentials(credentials: CredentialsProvider): credentials is CiMarkedCredentialsProvider;
|
|
20
|
+
export declare function createCiSessionCredentials(opts: CreateCiSessionCredentialsOptions): CiMarkedCredentialsProvider;
|
|
21
|
+
export declare function githubActionsCredentials(opts: GithubActionsCredentialsOptions): CiMarkedCredentialsProvider;
|
|
22
|
+
//# sourceMappingURL=ci-credentials.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci-credentials.d.ts","sourceRoot":"","sources":["../src/ci-credentials.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAElE,OAAO,KAAK,EAAE,mBAAmB,EAAe,MAAM,kBAAkB,CAAC;AASzE,eAAO,MAAM,sBAAsB,eAAmD,CAAC;AAEvF,MAAM,WAAW,2BAA4B,SAAQ,mBAAmB;IACtE,QAAQ,CAAC,CAAC,sBAAsB,CAAC,EAAE,IAAI,CAAC;CACzC;AAED,MAAM,WAAW,iCAAiC;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,+BAA+B;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,mBAAmB,GAC/B,WAAW,IAAI,2BAA2B,CAE5C;AAED,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,iCAAiC,GACtC,2BAA2B,CAuC7B;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,+BAA+B,GACpC,2BAA2B,CA4B7B"}
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
/** CI-session credential helpers for OIDC-backed deploy flows. */
|
|
2
|
+
import { LocalError } from "./errors.js";
|
|
3
|
+
import { buildClient } from "./kernel.js";
|
|
4
|
+
import { Ci } from "./namespaces/ci.js";
|
|
5
|
+
import { CI_AUDIENCE, } from "./namespaces/ci.types.js";
|
|
6
|
+
export const CI_SESSION_CREDENTIALS = Symbol.for("@run402/sdk/ci-session-credentials");
|
|
7
|
+
export function isCiSessionCredentials(credentials) {
|
|
8
|
+
return Boolean(credentials[CI_SESSION_CREDENTIALS]);
|
|
9
|
+
}
|
|
10
|
+
export function createCiSessionCredentials(opts) {
|
|
11
|
+
if (!opts?.projectId) {
|
|
12
|
+
throw new LocalError("createCiSessionCredentials requires projectId", "creating CI session credentials");
|
|
13
|
+
}
|
|
14
|
+
if (!opts.accessToken && !opts.getAccessToken) {
|
|
15
|
+
throw new LocalError("createCiSessionCredentials requires accessToken or getAccessToken", "creating CI session credentials");
|
|
16
|
+
}
|
|
17
|
+
const provider = {
|
|
18
|
+
async getAuth() {
|
|
19
|
+
const token = opts.getAccessToken ? await opts.getAccessToken() : opts.accessToken;
|
|
20
|
+
if (!token) {
|
|
21
|
+
throw new LocalError("CI session credentials did not return an access token", "authenticating with CI session");
|
|
22
|
+
}
|
|
23
|
+
return { Authorization: `Bearer ${token}` };
|
|
24
|
+
},
|
|
25
|
+
async getProject(id) {
|
|
26
|
+
if (id !== opts.projectId)
|
|
27
|
+
return null;
|
|
28
|
+
return { anon_key: "", service_key: "" };
|
|
29
|
+
},
|
|
30
|
+
async getActiveProject() {
|
|
31
|
+
return opts.projectId;
|
|
32
|
+
},
|
|
33
|
+
};
|
|
34
|
+
Object.defineProperty(provider, CI_SESSION_CREDENTIALS, {
|
|
35
|
+
value: true,
|
|
36
|
+
enumerable: false,
|
|
37
|
+
});
|
|
38
|
+
return provider;
|
|
39
|
+
}
|
|
40
|
+
export function githubActionsCredentials(opts) {
|
|
41
|
+
if (!opts?.projectId) {
|
|
42
|
+
throw new LocalError("githubActionsCredentials requires projectId", "creating GitHub Actions CI credentials");
|
|
43
|
+
}
|
|
44
|
+
const apiBase = opts.apiBase ?? CI_AUDIENCE;
|
|
45
|
+
const audience = opts.audience ?? CI_AUDIENCE;
|
|
46
|
+
const fetchImpl = opts.fetch ?? globalThis.fetch.bind(globalThis);
|
|
47
|
+
const refreshBeforeMs = Math.max(0, opts.refreshBeforeSeconds ?? 60) * 1000;
|
|
48
|
+
let cached = null;
|
|
49
|
+
return createCiSessionCredentials({
|
|
50
|
+
projectId: opts.projectId,
|
|
51
|
+
getAccessToken: async () => {
|
|
52
|
+
const now = Date.now();
|
|
53
|
+
if (cached && now < cached.refreshAtMs)
|
|
54
|
+
return cached.token;
|
|
55
|
+
const subjectToken = await requestGithubOidcToken(fetchImpl, audience);
|
|
56
|
+
const exchanged = await exchangeWithRun402Ci(fetchImpl, apiBase, opts.projectId, subjectToken);
|
|
57
|
+
cached = {
|
|
58
|
+
token: exchanged.access_token,
|
|
59
|
+
refreshAtMs: now + Math.max(0, exchanged.expires_in * 1000 - refreshBeforeMs),
|
|
60
|
+
};
|
|
61
|
+
return cached.token;
|
|
62
|
+
},
|
|
63
|
+
});
|
|
64
|
+
}
|
|
65
|
+
async function requestGithubOidcToken(fetchImpl, audience) {
|
|
66
|
+
const env = getProcessEnv();
|
|
67
|
+
const requestUrl = env.ACTIONS_ID_TOKEN_REQUEST_URL;
|
|
68
|
+
const requestToken = env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
|
|
69
|
+
if (!requestUrl || !requestToken) {
|
|
70
|
+
throw new LocalError("GitHub Actions OIDC environment is missing ACTIONS_ID_TOKEN_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_TOKEN. Ensure the workflow has permissions: id-token: write.", "requesting GitHub Actions OIDC token");
|
|
71
|
+
}
|
|
72
|
+
const url = new URL(requestUrl);
|
|
73
|
+
url.searchParams.set("audience", audience);
|
|
74
|
+
const res = await fetchImpl(url.toString(), {
|
|
75
|
+
headers: { Authorization: `Bearer ${requestToken}` },
|
|
76
|
+
});
|
|
77
|
+
const body = await res.json().catch(() => null);
|
|
78
|
+
if (!res.ok || typeof body?.value !== "string" || body.value.length === 0) {
|
|
79
|
+
throw new LocalError(`GitHub Actions OIDC token request failed (HTTP ${res.status})`, "requesting GitHub Actions OIDC token");
|
|
80
|
+
}
|
|
81
|
+
return body.value;
|
|
82
|
+
}
|
|
83
|
+
async function exchangeWithRun402Ci(fetchImpl, apiBase, projectId, subjectToken) {
|
|
84
|
+
const noAuth = {
|
|
85
|
+
async getAuth() {
|
|
86
|
+
return null;
|
|
87
|
+
},
|
|
88
|
+
async getProject() {
|
|
89
|
+
return null;
|
|
90
|
+
},
|
|
91
|
+
};
|
|
92
|
+
const ci = new Ci(buildClient({
|
|
93
|
+
apiBase,
|
|
94
|
+
fetch: fetchImpl,
|
|
95
|
+
credentials: noAuth,
|
|
96
|
+
}));
|
|
97
|
+
return ci.exchangeToken({ project_id: projectId, subject_token: subjectToken });
|
|
98
|
+
}
|
|
99
|
+
function getProcessEnv() {
|
|
100
|
+
const proc = globalThis;
|
|
101
|
+
return proc.process?.env ?? {};
|
|
102
|
+
}
|
|
103
|
+
//# sourceMappingURL=ci-credentials.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci-credentials.js","sourceRoot":"","sources":["../src/ci-credentials.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAGlE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EACL,WAAW,GAEZ,MAAM,0BAA0B,CAAC;AAElC,MAAM,CAAC,MAAM,sBAAsB,GAAG,MAAM,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;AAoBvF,MAAM,UAAU,sBAAsB,CACpC,WAAgC;IAEhC,OAAO,OAAO,CAAE,WAAoD,CAAC,sBAAsB,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,IAAuC;IAEvC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAClB,+CAA+C,EAC/C,iCAAiC,CAClC,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAClB,mEAAmE,EACnE,iCAAiC,CAClC,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAwB;QACpC,KAAK,CAAC,OAAO;YACX,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC;YACnF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,UAAU,CAClB,uDAAuD,EACvD,gCAAgC,CACjC,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;QAC9C,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,EAAU;YACzB,IAAI,EAAE,KAAK,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YACvC,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC3C,CAAC;QACD,KAAK,CAAC,gBAAgB;YACpB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;KACF,CAAC;IAEF,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,sBAAsB,EAAE;QACtD,KAAK,EAAE,IAAI;QACX,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;IACH,OAAO,QAAuC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,IAAqC;IAErC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAClB,6CAA6C,EAC7C,wCAAwC,CACzC,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,WAAW,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,WAAW,CAAC;IAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,oBAAoB,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC5E,IAAI,MAAM,GAAkD,IAAI,CAAC;IAEjE,OAAO,0BAA0B,CAAC;QAChC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,cAAc,EAAE,KAAK,IAAI,EAAE;YACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,WAAW;gBAAE,OAAO,MAAM,CAAC,KAAK,CAAC;YAE5D,MAAM,YAAY,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACvE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;YAC/F,MAAM,GAAG;gBACP,KAAK,EAAE,SAAS,CAAC,YAAY;gBAC7B,WAAW,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,UAAU,GAAG,IAAI,GAAG,eAAe,CAAC;aAC9E,CAAC;YACF,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,SAAkC,EAClC,QAAgB;IAEhB,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,UAAU,GAAG,GAAG,CAAC,4BAA4B,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,CAAC,8BAA8B,CAAC;IACxD,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,MAAM,IAAI,UAAU,CAClB,kKAAkK,EAClK,sCAAsC,CACvC,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,YAAY,EAAE,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAA+B,CAAC;IAC9E,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,OAAO,IAAI,EAAE,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,UAAU,CAClB,kDAAkD,GAAG,CAAC,MAAM,GAAG,EAC/D,sCAAsC,CACvC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,SAAkC,EAClC,OAAe,EACf,SAAiB,EACjB,YAAoB;IAEpB,MAAM,MAAM,GAAwB;QAClC,KAAK,CAAC,OAAO;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QACD,KAAK,CAAC,UAAU;YACd,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,WAAW,CAAC;QAC5B,OAAO;QACP,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,MAAM;KACpB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,IAAI,GAAG,UAEZ,CAAC;IACF,OAAO,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC;AACjC,CAAC"}
|
package/sdk/dist/index.d.ts
CHANGED
|
@@ -25,6 +25,7 @@ import { Email } from "./namespaces/email.js";
|
|
|
25
25
|
import { Contracts } from "./namespaces/contracts.js";
|
|
26
26
|
import { Admin } from "./namespaces/admin.js";
|
|
27
27
|
import { Deploy } from "./namespaces/deploy.js";
|
|
28
|
+
import { Ci } from "./namespaces/ci.js";
|
|
28
29
|
import type { ContentSource, FileSet } from "./namespaces/deploy.types.js";
|
|
29
30
|
import { ScopedRun402 } from "./scoped.js";
|
|
30
31
|
export interface Run402Options {
|
|
@@ -61,6 +62,7 @@ export declare class Run402 {
|
|
|
61
62
|
readonly contracts: Contracts;
|
|
62
63
|
readonly admin: Admin;
|
|
63
64
|
readonly deploy: Deploy;
|
|
65
|
+
readonly ci: Ci;
|
|
64
66
|
constructor(opts: Run402Options);
|
|
65
67
|
/**
|
|
66
68
|
* Return a project-scoped sub-client where every project-id-bearing namespace
|
|
@@ -122,7 +124,11 @@ export { withRetry } from "./retry.js";
|
|
|
122
124
|
export type { RetryOptions } from "./retry.js";
|
|
123
125
|
export type { CredentialsProvider, ProjectKeys } from "./credentials.js";
|
|
124
126
|
export type { RequestOptions, Client } from "./kernel.js";
|
|
127
|
+
export { CI_SESSION_CREDENTIALS, createCiSessionCredentials, githubActionsCredentials, isCiSessionCredentials, } from "./ci-credentials.js";
|
|
128
|
+
export type { CiMarkedCredentialsProvider, CreateCiSessionCredentialsOptions, GithubActionsCredentialsOptions, } from "./ci-credentials.js";
|
|
125
129
|
export { Deploy } from "./namespaces/deploy.js";
|
|
130
|
+
export { Ci, CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, assertCiDeployableSpec, buildCiDelegationResourceUri, buildCiDelegationStatement, normalizeCiDelegationValues, validateCiNonce, validateCiSubjectMatch, } from "./namespaces/ci.js";
|
|
126
131
|
export { ScopedRun402 } from "./scoped.js";
|
|
132
|
+
export type { CiAllowedAction, CiAllowedEvent, CiBindingErrorCode, CiBindingRow, CiCreateBindingInput, CiDelegationValues, CiDeployErrorCode, CiErrorCode, CiListBindingsInput, CiListBindingsResult, CiProvider, CiTokenExchangeErrorCode, CiTokenExchangeInput, CiTokenExchangeRequestBody, CiTokenExchangeResponse, NormalizedCiDelegationValues, ParsedDelegation, } from "./namespaces/ci.types.js";
|
|
127
133
|
export type { ApplyOptions, CommitResponse, CommitStatus, ContentRef, ContentSource, DatabaseSpec, DeployDiff, DeployEvent, DeployOperation, DeployResult, ExposeManifest, FileSet, FsFileSource, FunctionSpec, FunctionsSpec, MigrationSpec, MissingContent, OperationSnapshot, OperationStatus, PaymentRequiredHint, PlanRequest, PlanResponse, ReleaseSpec, RouteSpec, SecretsSpec, SiteSpec, SmokeCheck, StartOptions, SubdomainsSpec, } from "./namespaces/deploy.types.js";
|
|
128
134
|
//# sourceMappingURL=index.d.ts.map
|
package/sdk/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,WAAW,EAAE,mBAAmB,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,qBAAa,MAAM;;IACjB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,KAAK,EAAG,EAAE,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,WAAW,EAAE,mBAAmB,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,qBAAa,MAAM;;IACjB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,KAAK,EAAG,EAAE,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;gBAIJ,IAAI,EAAE,aAAa;IA6D/B;;;;;;;;;;;;;;;;OAgBG;IACG,OAAO,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsBjD;;;;;;;;;;;OAWG;IACG,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;CAIpD;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,OAAO,CAEpE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAElD;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACzE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,2BAA2B,EAC3B,iCAAiC,EACjC,+BAA+B,GAChC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,EAAE,EACF,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,EAC5B,sBAAsB,EACtB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,eAAe,EACf,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EACV,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,oBAAoB,EACpB,UAAU,EACV,wBAAwB,EACxB,oBAAoB,EACpB,0BAA0B,EAC1B,uBAAuB,EACvB,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,UAAU,EACV,aAAa,EACb,YAAY,EACZ,UAAU,EACV,WAAW,EACX,eAAe,EACf,YAAY,EACZ,cAAc,EACd,OAAO,EACP,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,YAAY,EACZ,WAAW,EACX,SAAS,EACT,WAAW,EACX,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,cAAc,GACf,MAAM,8BAA8B,CAAC"}
|