smol-symphony 0.2.0 → 0.3.1

package/dist/agent/credential-secrets.js

@@ -1,628 +0,0 @@
-// Host credential-secrets module — homes the credential *lifecycle* (extract,
-// mint, refresh) onto Gondolin's secret-injection model. Instead of an HTTP
-// proxy that mints per-dispatch sentinels and forwards upstream (the retired
-// credential-proxy transport), we hand Gondolin a `createHttpHooks(...)` config
-// per VM (host allowlist + a token-shaped placeholder secret + request/response
-// hooks) and let Gondolin substitute the real access token into the outbound
-// request at egress (TLS-MITM). The host stays the sole owner of the durable
-// refresh token; the guest only ever sees a placeholder. See
-// `docs/research/gondolin-sandbox-migration.md` §3 (the host-only-refresh
-// invariant), §4.3 (the per-VM fan-out design), §4.4 (per-adapter routing).
-//
-// The host-side credential primitives (token extractors, the GitHub→Copilot
-// mint, the flock-serialized refresh) live in `credential-extractors.ts`; this
-// module reuses them + `adapter-names.ts` rather than duplicating — only the
-// *shape* of the output (a Gondolin hooks config + an `updateSecret` push) is new.
-//
-// The §4.3 fan-out, restated as the contract this module owns:
-//   - Each VM gets its own `createHttpHooks` instance, so each has its own
-//     `secretManager` whose live `value` Gondolin reads per-request. A push-based
-//     model means a missed `updateSecret` leaves THAT VM stale (and its
-//     `revokedValues` never learns the old token, silently dropping revocation
-//     for that VM). So this module owns a REGISTRY of every live manager and, on
-//     each rotation, pushes the fresh value to ALL of them.
-//   - A manager torn down mid-push must not throw — it is dropped.
-//   - A VM created *during* a refresh must observe the latest value at create
-//     time (seed from the module's cached value), never start stale.
-//   - A per-VM proactive tick keyed off `expiresAt` keeps a long dispatch fresh
-//     without relying solely on the global ticker cadence.
-import path from 'node:path';
-import os from 'node:os';
-import { Buffer } from 'node:buffer';
-import { createHttpHooks, makePlaceholderFunc, BASE62_ALPHABET, BASE64URL_ALPHABET, } from '@earendil-works/gondolin';
-import { log } from '../logging.js';
-import { hostOpencodeCredentialPath, opencodeGithubTokenFromAuth, opencodeGithubTokenFromEnv, } from './adapter-names.js';
-import { validAccountId } from './gondolin-creds-staging.js';
-import { extractClaudeToken, extractCodexToken, codexEnvFallback, defaultClaudeRefresher, defaultCopilotExchange, defaultFlockAcquire, COPILOT_EGRESS_HEADERS, COPILOT_EXCHANGE_HOST, COPILOT_EXCHANGE_PATH, COPILOT_INFERENCE_HOST, } from './credential-extractors.js';
-// ---------------------------------------------------------------------------
-// Per-adapter static config (placeholder shape, secret env var name, hosts).
-// ---------------------------------------------------------------------------
-/**
- * The env var / secret name each adapter's placeholder is keyed under. These are
- * the SAME names the in-VM client reads its bearer from (claude reads
- * `ANTHROPIC_AUTH_TOKEN`, codex `OPENAI_API_KEY`); `createHttpHooks` returns an
- * `env` map keyed by these so the runner can stage the placeholder into the VM
- * env / fake creds files.
- */
-const CLAUDE_SECRET_NAME = 'ANTHROPIC_AUTH_TOKEN';
-const CODEX_SECRET_NAME = 'OPENAI_API_KEY';
-const OPENCODE_SECRET_NAME = 'OPENCODE_PROXY_TOKEN';
-const CLAUDE_UPSTREAM_HOST = 'api.anthropic.com';
-const CODEX_UPSTREAM_HOST = 'chatgpt.com';
-/**
- * Token-shaped placeholder generators. The default `GONDOLIN_SECRET_…`
- * placeholder can fail a client's own token-shape validation BEFORE egress
- * substitution, so each adapter gets a placeholder shaped like the real token it
- * stands in for (design §4.3). `sk-ant-` for claude, `sk-` for codex's OpenAI
- * key shape, `gho_`-ish for the opencode Copilot bearer. The generator is called
- * ONCE at `createHttpHooks()` time; the real value arrives via `seedValue` /
- * `updateSecret` and is never the placeholder.
- */
-function claudePlaceholder() {
-    return makePlaceholderFunc({ prefix: 'sk-ant-', length: 64, alphabet: BASE62_ALPHABET });
-}
-/**
- * codex (ChatGPT-OAuth) runs in its NATIVE mode reading
- * `~/.codex/auth.json:tokens.access_token` as its bearer, so the placeholder must
- * be JWT-SHAPED (header.payload.signature) with a far-future `exp` — otherwise
- * codex treats it as expired and tries to refresh (egress-blocked, doomed). The
- * placeholder Gondolin substitutes at egress must be byte-identical to that
- * bearer, so the SAME assembled JWT is both the secret's placeholder here and the
- * staged `tokens.access_token` (see `gondolin-creds-staging.ts`, which reads this
- * placeholder out of `createHttpHooks().env` verbatim). The header + payload are
- * fixed; the signature segment is a high-entropy random string so each VM's
- * placeholder is unique + exact-matchable. Built once at `createHttpHooks()` time.
- *
- * GO-LIVE FINDING: codex-acp's local auth manager reads the
- * `https://api.openai.com/auth` claim (specifically `chatgpt_account_id`) out of
- * the bearer JWT *before* any egress. A placeholder with only `{ exp }` (no auth
- * claim) makes codex-acp consider the token incomplete and attempt a token
- * REFRESH mid-turn — which is egress-blocked → 403 → the turn is refused. The
- * spike's C7 placeholder embedded that claim and passed; production had dropped
- * it. So when the host `account_id` is known we embed it in the placeholder's
- * auth claim. The id is a NON-SECRET identifier (same one staged into auth.json's
- * `tokens.account_id`), never a token.
- */
-function codexPlaceholder(accountId) {
-    const randomSig = makePlaceholderFunc({ length: 86, alphabet: BASE64URL_ALPHABET });
-    return () => assemblePlaceholderJwt(randomSig(), accountId);
-}
-function opencodePlaceholder() {
-    // The opencode custom provider forwards this as its bearer; a `gho_`-shaped
-    // token keeps it indistinguishable in shape from a real Copilot/GitHub token.
-    return makePlaceholderFunc({ prefix: 'gho_', length: 36, alphabet: BASE64URL_ALPHABET });
-}
-/**
- * Far-future JWT `exp` (seconds since epoch — 2100-01-01T00:00:00Z) baked into the
- * codex placeholder so codex's native mode treats it as a long-lived, unexpired
- * token and never attempts a refresh (which would be egress-blocked). Exported so
- * the fake-creds staging + tests can assert the same instant.
- */
-export const PLACEHOLDER_JWT_EXP_SECONDS = 4_102_444_800;
-/**
- * Assemble a structurally-valid (but cryptographically meaningless) JWT-shaped
- * placeholder: `base64url(header).base64url(payload).<signature>`. codex never
- * verifies the signature — it reads `exp` (must be far-future, so it never tries
- * to refresh) and the `https://api.openai.com/auth.chatgpt_account_id` claim
- * (which it uses to route + to consider the token complete; a missing claim
- * triggers a refresh, see `codexPlaceholder`). The real token replaces this whole
- * string at egress. The `signature` segment is the caller's high-entropy random
- * string, making each VM's placeholder unique + exact-matchable by Gondolin's
- * header substitution.
- *
- * `accountId` is the NON-SECRET `chatgpt_account_id` (when known); embedding it in
- * the auth claim mirrors the spike's proven C7 placeholder. When null (host has no
- * account_id) the claim is omitted — the JWT is still well-formed; codex may then
- * refresh, but there is no id to embed.
- *
- * SAFETY-CRITICAL (codex review, HIGH): this JWT becomes the guest's staged BEARER,
- * so this is the LAST chokepoint before a host `account_id` lands in a bearer slot.
- * The id is re-validated through the SHARED {@link validAccountId} UUID guard here
- * (defense-in-depth — independent of the caller's own validation): a non-UUID /
- * token-shaped value is NOT embedded; the claim is simply OMITTED (the well-formed,
- * SAFE failure). A real token (JWT / `sk-…` / refresh) never matches a UUID, so it
- * can never reach the `chatgpt_account_id` claim via this path.
- */
-export function assemblePlaceholderJwt(signature, accountId = null) {
-    const safeAccountId = validAccountId(accountId);
-    const header = base64urlJson({ alg: 'RS256', typ: 'JWT' });
-    const payload = base64urlJson({
-        exp: PLACEHOLDER_JWT_EXP_SECONDS,
-        ...(safeAccountId !== null
-            ? { 'https://api.openai.com/auth': { chatgpt_account_id: safeAccountId } }
-            : {}),
-    });
-    return `${header}.${payload}.${signature}`;
-}
-function base64urlJson(obj) {
-    return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
-}
-/** Read+parse a JSON credential file; returns null on any IO/parse failure. */
-async function readJsonFile(p) {
-    // Lazy fs import keeps this module's IO surface in one place; the proxy keeps
-    // its own readFile. (No core-purity concern: this is an adapter.)
-    const { readFile } = await import('node:fs/promises');
-    let raw;
-    try {
-        raw = await readFile(p, 'utf8');
-    }
-    catch (err) {
-        log.warn('credential-secrets: cannot read credentials', {
-            path: p,
-            error: err.message,
-        });
-        return null;
-    }
-    try {
-        return JSON.parse(raw);
-    }
-    catch (err) {
-        log.warn('credential-secrets: credentials JSON parse failed', {
-            path: p,
-            error: err.message,
-        });
-        return null;
-    }
-}
-function defaultClaudeCredentialsPath() {
-    return path.join(os.homedir(), '.claude', '.credentials.json');
-}
-function defaultCodexCredentialsPath() {
-    return path.join(os.homedir(), '.codex', 'auth.json');
-}
-function defaultLockPath() {
-    return path.join(os.homedir(), '.symphony', 'oauth', 'refresh.lock');
-}
-/** Wrap a refresher in the shared cross-process flock + in-flight collapse. */
-function underLock(lockAcquire, lockTimeoutMs, refresher) {
-    return async () => {
-        let release = null;
-        try {
-            release = await lockAcquire(lockTimeoutMs);
-        }
-        catch (err) {
-            // Fail closed: do NOT run the refresher unserialized (it would race a peer
-            // against the same credentials file). The caller re-reads the cache and
-            // picks up whatever the lock-holding peer rotated to (mirrors the proxy's
-            // `runRefreshUnderLock`).
-            log.warn('credential-secrets: lock acquire failed; skipping refresh', {
-                error: err.message,
-            });
-            throw new Error('credential-secrets: refresh lock acquire timeout');
-        }
-        try {
-            await refresher();
-        }
-        finally {
-            await release().catch((err) => log.warn('credential-secrets: lock release error', { error: err.message }));
-        }
-    };
-}
-/**
- * Build the per-adapter credential specs. Reuses the proxy's extractors + mint +
- * flock helpers; the only new behavior is the Gondolin-shaped delivery and the
- * opencode `onRequest` path-allowlist (§4.4).
- */
-export function buildAdapterCredentialSpecs(opts = {}) {
-    const lockPath = opts.lockPath ?? defaultLockPath();
-    const lockAcquire = opts.lockAcquire ?? defaultFlockAcquire(lockPath);
-    const lockTimeoutMs = opts.lockAcquireTimeoutMs ?? 90_000;
-    const claudeCredsPath = opts.claudeCredentialsPath ?? defaultClaudeCredentialsPath();
-    const codexCredsPath = opts.codexCredentialsPath ?? defaultCodexCredentialsPath();
-    const opencodeCredsPath = opts.opencodeCredentialsPath ?? hostOpencodeCredentialPath();
-    const claudeRefresher = underLock(lockAcquire, lockTimeoutMs, opts.claudeRefresher ?? defaultClaudeRefresher());
-    return {
-        claude: {
-            adapterId: 'claude',
-            secretName: CLAUDE_SECRET_NAME,
-            substitutionHosts: [CLAUDE_UPSTREAM_HOST],
-            placeholder: claudePlaceholder,
-            readToken: async () => extractClaudeToken(await readJsonFile(claudeCredsPath)),
-            refresh: claudeRefresher,
-            allowWebSockets: false, // plain HTTPS
-        },
-        codex: {
-            adapterId: 'codex',
-            secretName: CODEX_SECRET_NAME,
-            substitutionHosts: [CODEX_UPSTREAM_HOST],
-            // codex-acp streams /backend-api/codex/responses over a WebSocket Upgrade.
-            // It MUST be allowed: the real token is substituted on the hookable Upgrade
-            // handshake (createHttpHooks onRequest → applySecretsToRequest), so the
-            // handshake reaches the ALLOWLISTED inference host with the real bearer and
-            // gets a clean 101; the post-101 frames are an opaque tunnel to that one
-            // host. SAFE — the placeholder never egresses and a non-allowlisted refresh
-            // host's upgrade is blocked. The earlier "post-101 tunnel drop" was a red
-            // herring: it was caused by an INCOMPLETE staged auth.json (codex 0.135
-            // judged the creds incomplete → sent no bearer → 401 → blocked refresh). With
-            // a COMPLETE staged auth.json (auth_mode + last_refresh + the tokens block —
-            // see gondolin-creds-staging.ts buildCodexFiles) the WS turn completes
-            // end-to-end (validated 2026-05-30 through the production dispatch path).
-            allowWebSockets: true,
-            // Bind the host account_id into the placeholder JWT's auth claim so
-            // codex-acp does not refresh the placeholder (go-live finding).
-            placeholder: () => codexPlaceholder(opts.codexAccountId ?? null),
-            // codex tokens are long-TTL (~8 days): re-read on demand, never drive an
-            // OpenAI refresh dance — identical to the proxy's posture.
-            readToken: async () => extractCodexToken(await readJsonFile(codexCredsPath)) ?? codexEnvFallback(),
-            refresh: () => Promise.reject(new Error('credential-secrets: codex refresh is host-owned (long-TTL); not driven here')),
-        },
-        opencode: buildOpencodeSpec({
-            credentialsPath: opencodeCredsPath,
-            lockAcquire,
-            lockTimeoutMs,
-            exchange: opts.copilotExchange ?? defaultCopilotExchange(),
-        }),
-    };
-}
-/**
- * The opencode spec is HOST-MINT (operator rule: "no real tokens in the VM").
- * The host runs the GitHub→Copilot exchange and pushes the minted Copilot token
- * via `updateSecret`; the guest's custom provider sends only a placeholder
- * bearer against `api.githubcopilot.com`. The durable GitHub token never enters
- * the guest. The exchange host (`api.github.com`) is allowlisted ONLY so the
- * host-side exchange can reach it — guarded by the `onRequest` path-allowlist
- * below so a guest cannot turn that allowlist entry into a durable-token oracle.
- */
-function buildOpencodeSpec(args) {
-    // In-memory cache of the short-lived Copilot token (the durable GitHub token
-    // stays host-side and never lands here as the bearer).
-    const cache = { token: null };
-    const mint = async () => {
-        const githubToken = await readOpencodeGithubToken(args.credentialsPath);
-        if (githubToken === null) {
-            throw new Error('credential-secrets: opencode has no GitHub Copilot token to exchange (auth.json + env both empty)');
-        }
-        cache.token = await args.exchange(githubToken);
-    };
-    return {
-        adapterId: 'opencode',
-        secretName: OPENCODE_SECRET_NAME,
-        // Inference host + the host-mint exchange host. The exchange host is gated by
-        // `onRequest` (only GET /copilot_internal/v2/token) — the durable-token
-        // oracle guard (§4.4). Both are substitution hosts: the minted Copilot token
-        // is valid on inference, and the exchange handshake is hookable on the
-        // exchange host (the placeholder never egresses).
-        substitutionHosts: [COPILOT_INFERENCE_HOST, COPILOT_EXCHANGE_HOST],
-        placeholder: opencodePlaceholder,
-        egressHeaders: COPILOT_EGRESS_HEADERS,
-        // The minted Copilot token is the secret value; reading it returns the cache
-        // (null until the first mint runs as `refresh`).
-        readToken: async () => cache.token,
-        refresh: underLock(args.lockAcquire, args.lockTimeoutMs, mint),
-        onRequest: makeGithubExchangePathGuard(),
-        allowWebSockets: false, // openai-compatible HTTP provider
-    };
-}
-/** Read the durable GitHub OAuth token: opencode auth.json first, then env. */
-async function readOpencodeGithubToken(credentialsPath) {
-    const parsed = await readJsonFile(credentialsPath);
-    if (parsed !== null) {
-        const fromFile = opencodeGithubTokenFromAuth(parsed);
-        if (fromFile !== null)
-            return fromFile;
-    }
-    return opencodeGithubTokenFromEnv(process.env);
-}
-// ---------------------------------------------------------------------------
-// onRequest guards.
-// ---------------------------------------------------------------------------
-/**
- * Egress audit. Wraps an adapter's optional `onRequest` guard with a log line for
- * EVERY guest egress request. Gondolin invokes `onRequest` before its host allow/deny
- * check, so this sees every request the guest attempts — allowed, about-to-be-blocked,
- * and TLS-MITM'd inference calls alike — the only host-side visibility into in-VM
- * egress (the ACP run log captures only ACP frames + adapter stderr). The `allowed`
- * flag is a best-effort match against this adapter's resolved allowlist (exact or
- * subdomain), so an `allowed:false` line pinpoints a blocked host the SDK reached.
- * NEVER logs the URL query or any header (a placeholder/real token can ride either) —
- * only method + host + pathname. Pure pass-through: logs, then delegates to `inner`
- * (if any) unchanged. (Originally added while diagnosing issue 135; kept as standing
- * observability.)
- */
-export function makeEgressAuditHook(adapterId, allowedHosts, inner) {
-    return async (request) => {
-        try {
-            const u = new URL(request.url);
-            const host = u.hostname;
-            const allowed = allowedHosts.some((h) => host === h || host.endsWith(`.${h}`));
-            log.info('egress request', {
-                adapter: adapterId,
-                method: request.method,
-                host,
-                path: u.pathname,
-                allowed,
-            });
-        }
-        catch {
-            // Logging must never break egress.
-        }
-        return inner ? inner(request) : undefined;
-    };
-}
-/**
- * opencode's `api.github.com` durable-token-oracle guard (§4.4). Gondolin secret
- * substitution is HOST-scoped, not path-scoped: once `api.github.com` is
- * allowlisted, a guest could otherwise spend the real GitHub token on ANY
- * `api.github.com` path. This guard permits ONLY the token-exchange endpoint
- * (`GET /copilot_internal/v2/token`) and short-circuits everything else on that
- * host with a 403. All other hosts pass through untouched.
- *
- * NEVER logs the Authorization header or the full URL (only host + method +
- * pathname for a blocked request) — the hook may run before secret substitution
- * and there is no guarantee it sees only placeholders (§2/§4.3).
- */
-export function makeGithubExchangePathGuard() {
-    return (request) => {
-        let url;
-        try {
-            url = new URL(request.url);
-        }
-        catch {
-            // Unparseable URL → block defensively rather than forward.
-            return new Response('blocked: unparseable request url', { status: 403 });
-        }
-        if (url.hostname !== COPILOT_EXCHANGE_HOST)
-            return; // other hosts: untouched
-        const method = request.method.toUpperCase();
-        // Permit ONLY the exact exchange endpoint with NO query string. The legitimate
-        // host-side exchange (`defaultCopilotExchange`) sends a bare path; a
-        // `?…`-variant is neither needed nor trusted, so requiring an empty search
-        // keeps the allow condition as narrow as the real call (codex review).
-        if (method === 'GET' && url.pathname === COPILOT_EXCHANGE_PATH && url.search === '')
-            return; // permit
-        log.warn('credential-secrets: blocked non-exchange request to github exchange host', {
-            host: url.hostname,
-            method,
-            pathname: url.pathname,
-        });
-        return new Response('blocked: only GET /copilot_internal/v2/token is permitted', {
-            status: 403,
-        });
-    };
-}
-/**
- * Build the `createHttpHooks` config for a single adapter spec.
- *
- * The egress firewall (`options.allowedHosts`) = the general workspace dev-tooling
- * allowlist (`egress.allowed_hosts` from WORKFLOW.md — npm/git/CDNs) UNION this
- * adapter's `substitutionHosts` (you must be able to reach the host whose token you
- * substitute on). SECURITY: only `substitutionHosts` are wired into
- * `secrets[].hosts`, so the real token is NEVER substituted for a general egress
- * host — those receive plain network egress only. The firewall is the union; the
- * substitution scope is not.
- */
-export function buildAdapterHooksConfig(spec, egressAllowlist = []) {
-    const allowedHosts = [...new Set([...egressAllowlist, ...spec.substitutionHosts])];
-    // Host-side egress audit (standing observability): wrap the adapter's optional
-    // onRequest guard so every guest egress request is logged with an `allowed` flag.
-    // Gondolin runs onRequest BEFORE its allow/deny check, so this is the only host-side
-    // window into in-VM egress. Safe with streaming (onRequest never disables it; only
-    // onResponse does — see the no-onResponse note below). To quiet it, unwrap to
-    // `spec.onRequest`.
-    const onRequest = makeEgressAuditHook(spec.adapterId, allowedHosts, spec.onRequest);
-    // FIX (issue 135, 2026-05-31): do NOT register an `onResponse` hook. Gondolin only
-    // streams a response when there is no onResponse — `canStream = Boolean(body) &&
-    // !httpHooks.onResponse` (qemu/http.js). With onResponse set, Gondolin FULLY BUFFERS
-    // every response (`bufferResponseBodyWithLimit`) before the guest sees a byte. For a
-    // long streaming model turn (~400 KB SSE over ~90–120 s) the in-VM SDK — a streaming
-    // client — gets nothing for the whole generation window, trips its stream timeout,
-    // silently retries, and after ~16 min dies with ECONNRESET → re-dispatch loop. The
-    // old `onResponse` was a pure billing-tell (rate-limit header logging), no functional
-    // role; dropping it restores streaming. To restore that logging without breaking
-    // streaming, Gondolin needs a header-only response hook (it has none today) — see the
-    // still-exported `makeBillingTellResponseHook` and the "vendor Gondolin" option.
-    const options = {
-        allowedHosts,
-        secrets: {
-            [spec.secretName]: {
-                hosts: [...spec.substitutionHosts],
-                // Seeded later via `updateSecret`; the empty initial value is never
-                // forwarded on the happy path (the registry seeds before first exec).
-                value: '',
-                placeholder: spec.placeholder(),
-            },
-        },
-        onRequest,
-    };
-    return {
-        adapterId: spec.adapterId,
-        secretName: spec.secretName,
-        options,
-        readToken: spec.readToken,
-        refresh: spec.refresh,
-        allowWebSockets: spec.allowWebSockets,
-    };
-}
-/**
- * Owns the set of live per-VM `secretManager`s and the cached latest value per
- * adapter. Implements the §4.3 fan-out contract:
- *   - `register` seeds the new manager from the latest cached value (or reads it
- *     fresh) BEFORE returning, so a VM created during a refresh never starts
- *     stale, and schedules its per-VM proactive tick keyed off `expiresAt`.
- *   - `pushToAll(adapterId, value)` updates the cache + every live manager for
- *     that adapter; a manager that throws (torn down mid-push) is dropped, not
- *     propagated.
- *   - `refreshAdapter(adapterId)` runs the host-side refresh, re-reads the token,
- *     and fans the result out — this is what the ticker calls per rotation.
- */
-export class CredentialSecretRegistry {
-    entries = new Map();
-    // Latest known value per adapter, used to seed a freshly-created manager.
-    cachedValue = new Map();
-    seq = 0;
-    // Per-adapter rotation counter, bumped on every `pushToAll(adapterId, …)`.
-    // `register` snapshots its adapter's counter across the async `readToken` so it
-    // can detect a rotation FOR THAT ADAPTER that landed mid-read and avoid
-    // clobbering the fresher value with its own stale read. Per-adapter (not global)
-    // so a rotation for a *different* adapter never makes a cold entry skip seeding.
-    cacheSeq = new Map();
-    readToken;
-    refresh;
-    now;
-    setTimer;
-    clearTimer;
-    refreshMarginMs;
-    constructor(opts) {
-        this.readToken = opts.readToken;
-        this.refresh = opts.refresh;
-        this.now = opts.now ?? (() => Date.now());
-        this.setTimer =
-            opts.setTimer ??
-                ((cb, delayMs) => {
-                    const t = setTimeout(cb, delayMs);
-                    if (typeof t.unref === 'function')
-                        t.unref();
-                    return t;
-                });
-        this.clearTimer = opts.clearTimer ?? ((t) => clearTimeout(t));
-        this.refreshMarginMs = opts.refreshMarginMs ?? 60_000;
-    }
-    /**
-     * Register a freshly-created VM's `secretManager`. Seeds it from the latest
-     * cached value (or reads one if the cache is cold) so it is never stale at
-     * birth, schedules the proactive `expiresAt` tick, and returns a handle the
-     * caller deregisters on VM teardown.
-     */
-    async register(args) {
-        const key = `vm-${++this.seq}`;
-        const entry = {
-            manager: args.manager,
-            secretName: args.secretName,
-            adapterId: args.adapterId,
-            timer: null,
-        };
-        this.entries.set(key, entry);
-        const seqBefore = this.cacheSeq.get(args.adapterId) ?? 0;
-        const token = await this.safeReadToken(args.adapterId);
-        this.seedUnlessRotated(key, entry, args.adapterId, seqBefore, token);
-        if (token?.expiresAtMs != null)
-            this.scheduleProactive(key, entry, token.expiresAtMs);
-        return {
-            key,
-            deregister: () => this.deregister(key),
-        };
-    }
-    /** Drop a VM's registration; clears its proactive timer. Idempotent. */
-    deregister(key) {
-        const entry = this.entries.get(key);
-        if (!entry)
-            return;
-        if (entry.timer !== null) {
-            this.clearTimer(entry.timer);
-            entry.timer = null;
-        }
-        this.entries.delete(key);
-    }
-    /** Number of live managers (for tests / observability). */
-    size() {
-        return this.entries.size;
-    }
-    /**
-     * Push a fresh secret value to EVERY live manager for `adapterId`, updating the
-     * module cache first so a concurrent `register` seeds from it. A manager that
-     * throws (torn down mid-push) is dropped, not propagated — the survivors still
-     * get the update. This is the atomic fan-out the ticker relies on.
-     */
-    pushToAll(adapterId, value) {
-        this.cachedValue.set(adapterId, value);
-        this.cacheSeq.set(adapterId, (this.cacheSeq.get(adapterId) ?? 0) + 1);
-        for (const [key, entry] of [...this.entries]) {
-            if (entry.adapterId !== adapterId)
-                continue;
-            this.applyToEntry(key, entry, value);
-        }
-    }
-    /**
-     * Run a host-side refresh for `adapterId`, re-read the token, and fan the fresh
-     * value out to all live managers (rescheduling each VM's proactive tick). This
-     * is the entry point the ticker calls on each rotation. Errors are logged, not
-     * thrown (a single adapter's refresh failure must not break the others' ticks).
-     */
-    async refreshAdapter(adapterId) {
-        try {
-            await this.refresh(adapterId);
-        }
-        catch (err) {
-            log.warn('credential-secrets: refresh failed', {
-                adapter: adapterId,
-                error: err.message,
-            });
-            // Fall through: re-read anyway — a peer may have rotated the file under the
-            // shared flock during our wait (mirrors the proxy's ensureFreshToken).
-        }
-        const token = await this.safeReadToken(adapterId);
-        if (token === null)
-            return;
-        this.pushToAll(adapterId, token.accessToken);
-        // Reschedule every live manager's proactive tick off the new expiry.
-        if (token.expiresAtMs != null) {
-            for (const [key, entry] of [...this.entries]) {
-                if (entry.adapterId !== adapterId)
-                    continue;
-                this.scheduleProactive(key, entry, token.expiresAtMs);
-            }
-        }
-    }
-    /**
-     * Seed a freshly-registered entry from its read token — UNLESS a rotation for
-     * the same adapter landed during the async read (codex review). The entry is
-     * inserted synchronously before `register`'s await, so a concurrent
-     * `pushToAll(adapterId, …)` already applied the fresher value to it; re-applying
-     * our older read would both regress the live value and revoke the fresher one
-     * (gondolin revokes the old value whenever the new differs). The sequence is
-     * per-adapter, so a rotation for a *different* adapter never starves this seed.
-     */
-    seedUnlessRotated(key, entry, adapterId, seqBefore, token) {
-        if ((this.cacheSeq.get(adapterId) ?? 0) !== seqBefore)
-            return;
-        const seedValue = token?.accessToken ?? this.cachedValue.get(adapterId) ?? '';
-        if (token?.accessToken)
-            this.cachedValue.set(adapterId, token.accessToken);
-        this.applyToEntry(key, entry, seedValue);
-    }
-    applyToEntry(key, entry, value) {
-        try {
-            entry.manager.updateSecret(entry.secretName, { value });
-        }
-        catch (err) {
-            // The manager was torn down mid-push (its VM closed). Drop it; never throw.
-            log.warn('credential-secrets: dropping dead secret manager', {
-                adapter: entry.adapterId,
-                error: err.message,
-            });
-            this.deregister(key);
-        }
-    }
-    async safeReadToken(adapterId) {
-        try {
-            return await this.readToken(adapterId);
-        }
-        catch (err) {
-            log.warn('credential-secrets: readToken failed', {
-                adapter: adapterId,
-                error: err.message,
-            });
-            return null;
-        }
-    }
-    /**
-     * (Re)schedule the per-VM proactive refresh: fire `refreshMarginMs` before
-     * `expiresAtMs` (clamped to ≥0) so a long dispatch refreshes without waiting on
-     * the global ticker cadence. Replaces any prior timer for this entry.
-     */
-    scheduleProactive(key, entry, expiresAtMs) {
-        if (entry.timer !== null) {
-            this.clearTimer(entry.timer);
-            entry.timer = null;
-        }
-        const delay = Math.max(0, expiresAtMs - this.now() - this.refreshMarginMs);
-        entry.timer = this.setTimer(() => {
-            entry.timer = null;
-            // The whole-adapter refresh fans out to every live manager (incl. this
-            // one) and reschedules; a per-VM tick driving the shared refresh is fine
-            // because the host-side refresh is flock-serialized + single-flighted.
-            void this.refreshAdapter(entry.adapterId);
-        }, delay);
-    }
-}
-//# sourceMappingURL=credential-secrets.js.map

package/dist/agent/credential-secrets.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"credential-secrets.js","sourceRoot":"","sources":["../../src/agent/credential-secrets.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,4EAA4E;AAC5E,6EAA6E;AAC7E,gFAAgF;AAChF,gFAAgF;AAChF,6EAA6E;AAC7E,6EAA6E;AAC7E,6DAA6D;AAC7D,0EAA0E;AAC1E,4EAA4E;AAC5E,EAAE;AACF,4EAA4E;AAC5E,+EAA+E;AAC/E,6EAA6E;AAC7E,mFAAmF;AACnF,EAAE;AACF,+DAA+D;AAC/D,2EAA2E;AAC3E,kFAAkF;AAClF,wEAAwE;AACxE,+EAA+E;AAC/E,iFAAiF;AACjF,4DAA4D;AAC5D,mEAAmE;AACnE,8EAA8E;AAC9E,qEAAqE;AACrE,gFAAgF;AAChF,2DAA2D;AAE3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,eAAe,EACf,kBAAkB,GAInB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AAEpC,OAAO,EACL,0BAA0B,EAC1B,2BAA2B,EAC3B,0BAA0B,GAC3B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,GAIvB,MAAM,4BAA4B,CAAC;AAEpC,8EAA8E;AAC9E,6EAA6E;AAC7E,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,kBAAkB,GAAG,sBAAsB,CAAC;AAClD,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAC3C,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAEpD,MAAM,oBAAoB,GAAG,mBAAmB,CAAC;AACjD,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAE1C;;;;;;;;GAQG;AACH,SAAS,iBAAiB;IACxB,OAAO,mBAAmB,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,CAAC;AAC3F,CAAC;AACD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAS,gBAAgB,CAAC,SAAwB;IAChD,MAAM,SAAS,GAAG,mBAAmB,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACpF,OAAO,GAAG,EAAE,CAAC,sBAAsB,CAAC,SAAS,EAAE,EAAE,SAAS,CAAC,CAAC;AAC9D,CAAC;AACD,SAAS,mBAAmB;IAC1B,4EAA4E;IAC5E,8EAA8E;IAC9E,OAAO,mBAAmB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,aAAa,CAAC;AAEzD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB,EAAE,YAA2B,IAAI;IACvF,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,aAAa,CAAC;QAC5B,GAAG,EAAE,2BAA2B;QAChC,GAAG,CAAC,aAAa,KAAK,IAAI;YACxB,CAAC,CAAC,EAAE,6BAA6B,EAAE,EAAE,kBAAkB,EAAE,aAAa,EAAE,EAAE;YAC1E,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAC;IACH,OAAO,GAAG,MAAM,IAAI,OAAO,IAAI,SAAS,EAAE,CAAC;AAC7C,CAAC;AAED,SAAS,aAAa,CAAC,GAAY;IACjC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACxE,CAAC;AA+CD,+EAA+E;AAC/E,KAAK,UAAU,YAAY,CAAC,CAAS;IACnC,8EAA8E;IAC9E,kEAAkE;IAClE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACtD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,6CAA6C,EAAE;YACtD,IAAI,EAAE,CAAC;YACP,KAAK,EAAG,GAAa,CAAC,OAAO;SAC9B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,mDAAmD,EAAE;YAC5D,IAAI,EAAE,CAAC;YACP,KAAK,EAAG,GAAa,CAAC,OAAO;SAC9B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,4BAA4B;IACnC,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,mBAAmB,CAAC,CAAC;AACjE,CAAC;AACD,SAAS,2BAA2B;IAClC,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC;AACD,SAAS,eAAe;IACtB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;AACvE,CAAC;AAED,+EAA+E;AAC/E,SAAS,SAAS,CAChB,WAAwB,EACxB,aAAqB,EACrB,SAA8B;IAE9B,OAAO,KAAK,IAAI,EAAE;QAChB,IAAI,OAAO,GAAiC,IAAI,CAAC;QACjD,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,WAAW,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,2EAA2E;YAC3E,wEAAwE;YACxE,0EAA0E;YAC1E,0BAA0B;YAC1B,GAAG,CAAC,IAAI,CAAC,2DAA2D,EAAE;gBACpE,KAAK,EAAG,GAAa,CAAC,OAAO;aAC9B,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,SAAS,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACT,MAAM,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAC5B,GAAG,CAAC,IAAI,CAAC,wCAAwC,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CACtF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AA4BD;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAA0B,EAAE;IAE5B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,eAAe,EAAE,CAAC;IACpD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACtE,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,IAAI,MAAM,CAAC;IAE1D,MAAM,eAAe,GAAG,IAAI,CAAC,qBAAqB,IAAI,4BAA4B,EAAE,CAAC;IACrF,MAAM,cAAc,GAAG,IAAI,CAAC,oBAAoB,IAAI,2BAA2B,EAAE,CAAC;IAClF,MAAM,iBAAiB,GAAG,IAAI,CAAC,uBAAuB,IAAI,0BAA0B,EAAE,CAAC;IAEvF,MAAM,eAAe,GAAG,SAAS,CAC/B,WAAW,EACX,aAAa,EACb,IAAI,CAAC,eAAe,IAAI,sBAAsB,EAAE,CACjD,CAAC;IAEF,OAAO;QACL,MAAM,EAAE;YACN,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,kBAAkB;YAC9B,iBAAiB,EAAE,CAAC,oBAAoB,CAAC;YACzC,WAAW,EAAE,iBAAiB;YAC9B,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,kBAAkB,CAAC,MAAM,YAAY,CAAC,eAAe,CAAC,CAAC;YAC9E,OAAO,EAAE,eAAe;YACxB,eAAe,EAAE,KAAK,EAAE,cAAc;SACvC;QACD,KAAK,EAAE;YACL,SAAS,EAAE,OAAO;YAClB,UAAU,EAAE,iBAAiB;YAC7B,iBAAiB,EAAE,CAAC,mBAAmB,CAAC;YACxC,2EAA2E;YAC3E,4EAA4E;YAC5E,wEAAwE;YACxE,4EAA4E;YAC5E,yEAAyE;YACzE,4EAA4E;YAC5E,0EAA0E;YAC1E,wEAAwE;YACxE,8EAA8E;YAC9E,6EAA6E;YAC7E,uEAAuE;YACvE,0EAA0E;YAC1E,eAAe,EAAE,IAAI;YACrB,oEAAoE;YACpE,gEAAgE;YAChE,WAAW,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC;YAChE,yEAAyE;YACzE,2DAA2D;YAC3D,SAAS,EAAE,KAAK,IAAI,EAAE,CACpB,iBAAiB,CAAC,MAAM,YAAY,CAAC,cAAc,CAAC,CAAC,IAAI,gBAAgB,EAAE;YAC7E,OAAO,EAAE,GAAG,EAAE,CACZ,OAAO,CAAC,MAAM,CACZ,IAAI,KAAK,CAAC,6EAA6E,CAAC,CACzF;SACJ;QACD,QAAQ,EAAE,iBAAiB,CAAC;YAC1B,eAAe,EAAE,iBAAiB;YAClC,WAAW;YACX,aAAa;YACb,QAAQ,EAAE,IAAI,CAAC,eAAe,IAAI,sBAAsB,EAAE;SAC3D,CAAC;KACH,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,iBAAiB,CAAC,IAK1B;IACC,6EAA6E;IAC7E,uDAAuD;IACvD,MAAM,KAAK,GAAgC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAE3D,MAAM,IAAI,GAAG,KAAK,IAAmB,EAAE;QACrC,MAAM,WAAW,GAAG,MAAM,uBAAuB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACxE,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;QACJ,CAAC;QACD,KAAK,CAAC,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjD,CAAC,CAAC;IAEF,OAAO;QACL,SAAS,EAAE,UAAU;QACrB,UAAU,EAAE,oBAAoB;QAChC,8EAA8E;QAC9E,wEAAwE;QACxE,6EAA6E;QAC7E,uEAAuE;QACvE,kDAAkD;QAClD,iBAAiB,EAAE,CAAC,sBAAsB,EAAE,qBAAqB,CAAC;QAClE,WAAW,EAAE,mBAAmB;QAChC,aAAa,EAAE,sBAAsB;QACrC,6EAA6E;QAC7E,iDAAiD;QACjD,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK;QAClC,OAAO,EAAE,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC;QAC9D,SAAS,EAAE,2BAA2B,EAAE;QACxC,eAAe,EAAE,KAAK,EAAE,kCAAkC;KAC3D,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,KAAK,UAAU,uBAAuB,CAAC,eAAuB;IAC5D,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,eAAe,CAAC,CAAC;IACnD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,QAAQ,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,QAAQ,KAAK,IAAI;YAAE,OAAO,QAAQ,CAAC;IACzC,CAAC;IACD,OAAO,0BAA0B,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CACjC,SAAuB,EACvB,YAA+B,EAC/B,KAAyC;IAEzC,OAAO,KAAK,EAAE,OAAgB,EAAE,EAAE;QAChC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;YACxB,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAC/E,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE;gBACzB,OAAO,EAAE,SAAS;gBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,IAAI;gBACJ,IAAI,EAAE,CAAC,CAAC,QAAQ;gBAChB,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;QACD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5C,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,2BAA2B;IACzC,OAAO,CAAC,OAAgB,EAAmB,EAAE;QAC3C,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,OAAO,IAAI,QAAQ,CAAC,kCAAkC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,qBAAqB;YAAE,OAAO,CAAC,yBAAyB;QAC7E,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,+EAA+E;QAC/E,qEAAqE;QACrE,2EAA2E;QAC3E,uEAAuE;QACvE,IAAI,MAAM,KAAK,KAAK,IAAI,GAAG,CAAC,QAAQ,KAAK,qBAAqB,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;YAAE,OAAO,CAAC,SAAS;QACtG,GAAG,CAAC,IAAI,CAAC,0EAA0E,EAAE;YACnF,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,MAAM;YACN,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC,CAAC;QACH,OAAO,IAAI,QAAQ,CAAC,2DAA2D,EAAE;YAC/E,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AA2BD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CACrC,IAA2B,EAC3B,kBAAqC,EAAE;IAEvC,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC;IACnF,+EAA+E;IAC/E,kFAAkF;IAClF,qFAAqF;IACrF,mFAAmF;IACnF,8EAA8E;IAC9E,oBAAoB;IACpB,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IACpF,mFAAmF;IACnF,iFAAiF;IACjF,qFAAqF;IACrF,qFAAqF;IACrF,qFAAqF;IACrF,mFAAmF;IACnF,mFAAmF;IACnF,sFAAsF;IACtF,iFAAiF;IACjF,sFAAsF;IACtF,iFAAiF;IACjF,MAAM,OAAO,GAA2B;QACtC,YAAY;QACZ,OAAO,EAAE;YACP,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;gBACjB,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC;gBAClC,oEAAoE;gBACpE,sEAAsE;gBACtE,KAAK,EAAE,EAAE;gBACT,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE;aAChC;SACF;QACD,SAAS;KACV,CAAC;IACF,OAAO;QACL,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,OAAO;QACP,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,eAAe,EAAE,IAAI,CAAC,eAAe;KACtC,CAAC;AACJ,CAAC;AA8CD;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,wBAAwB;IAClB,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC5D,0EAA0E;IACzD,WAAW,GAAG,IAAI,GAAG,EAAwB,CAAC;IACvD,GAAG,GAAG,CAAC,CAAC;IAChB,2EAA2E;IAC3E,gFAAgF;IAChF,wEAAwE;IACxE,iFAAiF;IACjF,iFAAiF;IAChE,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC3C,SAAS,CAAyD;IAClE,OAAO,CAA6C;IACpD,GAAG,CAAe;IAClB,QAAQ,CAAsD;IAC9D,UAAU,CAAkC;IAC5C,eAAe,CAAS;IAEzC,YAAY,IAAqC;QAC/C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ;YACX,IAAI,CAAC,QAAQ;gBACb,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE;oBACf,MAAM,CAAC,GAAG,UAAU,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;oBAClC,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,UAAU;wBAAE,CAAC,CAAC,KAAK,EAAE,CAAC;oBAC7C,OAAO,CAAC,CAAC;gBACX,CAAC,CAAC,CAAC;QACL,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC;IACxD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,CAAC,IAId;QACC,MAAM,GAAG,GAAG,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAkB;YAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,KAAK,EAAE,IAAI;SACZ,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAE7B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QACrE,IAAI,KAAK,EAAE,WAAW,IAAI,IAAI;YAAE,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAEtF,OAAO;YACL,GAAG;YACH,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;SACvC,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,UAAU,CAAC,GAAW;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,IAAI,KAAK,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC7B,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,2DAA2D;IAC3D,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,SAAuB,EAAE,KAAa;QAC9C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QACvC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACtE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7C,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;gBAAE,SAAS;YAC5C,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,SAAuB;QAC1C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE;gBAC7C,OAAO,EAAE,SAAS;gBAClB,KAAK,EAAG,GAAa,CAAC,OAAO;aAC9B,CAAC,CAAC;YACH,4EAA4E;YAC5E,uEAAuE;QACzE,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,KAAK,KAAK,IAAI;YAAE,OAAO;QAC3B,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAC7C,qEAAqE;QACrE,IAAI,KAAK,CAAC,WAAW,IAAI,IAAI,EAAE,CAAC;YAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7C,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;oBAAE,SAAS;gBAC5C,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACK,iBAAiB,CACvB,GAAW,EACX,KAAoB,EACpB,SAAuB,EACvB,SAAiB,EACjB,KAAuB;QAEvB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,SAAS;YAAE,OAAO;QAC9D,MAAM,SAAS,GAAG,KAAK,EAAE,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC9E,IAAI,KAAK,EAAE,WAAW;YAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAC3E,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IAC3C,CAAC;IAEO,YAAY,CAAC,GAAW,EAAE,KAAoB,EAAE,KAAa;QACnE,IAAI,CAAC;YACH,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,4EAA4E;YAC5E,GAAG,CAAC,IAAI,CAAC,kDAAkD,EAAE;gBAC3D,OAAO,EAAE,KAAK,CAAC,SAAS;gBACxB,KAAK,EAAG,GAAa,CAAC,OAAO;aAC9B,CAAC,CAAC;YACH,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,SAAuB;QACjD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,sCAAsC,EAAE;gBAC/C,OAAO,EAAE,SAAS;gBAClB,KAAK,EAAG,GAAa,CAAC,OAAO;aAC9B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,iBAAiB,CAAC,GAAW,EAAE,KAAoB,EAAE,WAAmB;QAC9E,IAAI,KAAK,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC7B,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;QACrB,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;QAC3E,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE;YAC/B,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;YACnB,uEAAuE;YACvE,yEAAyE;YACzE,uEAAuE;YACvE,KAAK,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC5C,CAAC,EAAE,KAAK,CAAC,CAAC;IACZ,CAAC;CACF"}