studiograph 1.3.48-next.21 → 1.3.48-next.211

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (966) hide show
  1. package/README.md +26 -16
  2. package/dist/agent/agent-pool.d.ts +87 -3
  3. package/dist/agent/agent-pool.js +188 -15
  4. package/dist/agent/agent-pool.js.map +1 -1
  5. package/dist/agent/followups.d.ts +34 -0
  6. package/dist/agent/followups.js +52 -0
  7. package/dist/agent/followups.js.map +1 -0
  8. package/dist/agent/orchestrator.d.ts +101 -4
  9. package/dist/agent/orchestrator.js +464 -66
  10. package/dist/agent/orchestrator.js.map +1 -1
  11. package/dist/agent/prompts/entity-types-section.d.ts +34 -0
  12. package/dist/agent/prompts/entity-types-section.js +76 -0
  13. package/dist/agent/prompts/entity-types-section.js.map +1 -0
  14. package/dist/agent/prompts/system.md +112 -54
  15. package/dist/agent/skill-loader.d.ts +30 -17
  16. package/dist/agent/skill-loader.js +63 -30
  17. package/dist/agent/skill-loader.js.map +1 -1
  18. package/dist/agent/skills/artifact-canvas/skill.md +152 -0
  19. package/dist/agent/skills/entity-schema.md +75 -431
  20. package/dist/agent/skills/interview/entity-templates.md +38 -37
  21. package/dist/agent/skills/interview/question-domains.md +54 -49
  22. package/dist/agent/skills/interview/skill.md +84 -16
  23. package/dist/agent/skills/schema-rules.md +28 -28
  24. package/dist/agent/tools/artifact-tools.d.ts +124 -0
  25. package/dist/agent/tools/artifact-tools.js +207 -0
  26. package/dist/agent/tools/artifact-tools.js.map +1 -0
  27. package/dist/agent/tools/capture-tools.d.ts +31 -0
  28. package/dist/agent/tools/capture-tools.js +40 -0
  29. package/dist/agent/tools/capture-tools.js.map +1 -0
  30. package/dist/agent/tools/folder-tools.d.ts +47 -0
  31. package/dist/agent/tools/folder-tools.js +249 -0
  32. package/dist/agent/tools/folder-tools.js.map +1 -0
  33. package/dist/agent/tools/fs-tools.d.ts +6 -5
  34. package/dist/agent/tools/fs-tools.js +5 -5
  35. package/dist/agent/tools/fs-tools.js.map +1 -1
  36. package/dist/agent/tools/graph-tools.d.ts +48 -72
  37. package/dist/agent/tools/graph-tools.js +852 -329
  38. package/dist/agent/tools/graph-tools.js.map +1 -1
  39. package/dist/agent/tools/history-tools.d.ts +95 -0
  40. package/dist/agent/tools/history-tools.js +461 -0
  41. package/dist/agent/tools/history-tools.js.map +1 -0
  42. package/dist/agent/tools/load-skill.d.ts +6 -5
  43. package/dist/agent/tools/load-skill.js +3 -3
  44. package/dist/agent/tools/load-skill.js.map +1 -1
  45. package/dist/agent/tools/ops-tools.d.ts +5 -4
  46. package/dist/agent/tools/ops-tools.js +130 -236
  47. package/dist/agent/tools/ops-tools.js.map +1 -1
  48. package/dist/agent/tools/permission-tools.d.ts +87 -17
  49. package/dist/agent/tools/permission-tools.js +233 -43
  50. package/dist/agent/tools/permission-tools.js.map +1 -1
  51. package/dist/agent/tools/tool-loader.js +5 -4
  52. package/dist/agent/tools/tool-loader.js.map +1 -1
  53. package/dist/agent/tools/web-tools.js +58 -9
  54. package/dist/agent/tools/web-tools.js.map +1 -1
  55. package/dist/cli/commands/about.d.ts +1 -0
  56. package/dist/cli/commands/about.js +55 -3
  57. package/dist/cli/commands/about.js.map +1 -1
  58. package/dist/cli/commands/admin/audit-workspace.d.ts +23 -0
  59. package/dist/cli/commands/admin/audit-workspace.js +133 -0
  60. package/dist/cli/commands/admin/audit-workspace.js.map +1 -0
  61. package/dist/cli/commands/admin/audit.d.ts +21 -0
  62. package/dist/cli/commands/admin/audit.js +174 -0
  63. package/dist/cli/commands/admin/audit.js.map +1 -0
  64. package/dist/cli/commands/admin/backup.d.ts +54 -0
  65. package/dist/cli/commands/admin/backup.js +207 -0
  66. package/dist/cli/commands/admin/backup.js.map +1 -0
  67. package/dist/cli/commands/admin/folder.d.ts +11 -0
  68. package/dist/cli/commands/{collection.js → admin/folder.js} +33 -32
  69. package/dist/cli/commands/admin/folder.js.map +1 -0
  70. package/dist/cli/commands/admin/index.d.ts +16 -0
  71. package/dist/cli/commands/admin/index.js +46 -0
  72. package/dist/cli/commands/admin/index.js.map +1 -0
  73. package/dist/cli/commands/admin/migrate-assets.d.ts +53 -0
  74. package/dist/cli/commands/admin/migrate-assets.js +184 -0
  75. package/dist/cli/commands/admin/migrate-assets.js.map +1 -0
  76. package/dist/cli/commands/admin/migrate.d.ts +56 -0
  77. package/dist/cli/commands/admin/migrate.js +263 -0
  78. package/dist/cli/commands/admin/migrate.js.map +1 -0
  79. package/dist/cli/commands/admin/restore.d.ts +24 -0
  80. package/dist/cli/commands/admin/restore.js +228 -0
  81. package/dist/cli/commands/admin/restore.js.map +1 -0
  82. package/dist/cli/commands/admin/secrets.d.ts +23 -0
  83. package/dist/cli/commands/admin/secrets.js +256 -0
  84. package/dist/cli/commands/admin/secrets.js.map +1 -0
  85. package/dist/cli/commands/admin/settings.d.ts +28 -0
  86. package/dist/cli/commands/admin/settings.js +284 -0
  87. package/dist/cli/commands/admin/settings.js.map +1 -0
  88. package/dist/cli/commands/admin/token.d.ts +42 -0
  89. package/dist/cli/commands/admin/token.js +126 -0
  90. package/dist/cli/commands/admin/token.js.map +1 -0
  91. package/dist/cli/commands/admin/transfer-ownership.d.ts +15 -0
  92. package/dist/cli/commands/admin/transfer-ownership.js +106 -0
  93. package/dist/cli/commands/admin/transfer-ownership.js.map +1 -0
  94. package/dist/cli/commands/admin/user.d.ts +11 -0
  95. package/dist/cli/commands/admin/user.js +187 -0
  96. package/dist/cli/commands/admin/user.js.map +1 -0
  97. package/dist/cli/commands/clone.d.ts +25 -3
  98. package/dist/cli/commands/clone.js +142 -36
  99. package/dist/cli/commands/clone.js.map +1 -1
  100. package/dist/cli/commands/config.d.ts +23 -107
  101. package/dist/cli/commands/config.js +52 -260
  102. package/dist/cli/commands/config.js.map +1 -1
  103. package/dist/cli/commands/connector.d.ts +10 -13
  104. package/dist/cli/commands/connector.js +16 -58
  105. package/dist/cli/commands/connector.js.map +1 -1
  106. package/dist/cli/commands/deploy.js +215 -68
  107. package/dist/cli/commands/deploy.js.map +1 -1
  108. package/dist/cli/commands/index.js +5 -1
  109. package/dist/cli/commands/index.js.map +1 -1
  110. package/dist/cli/commands/init.js +10 -30
  111. package/dist/cli/commands/init.js.map +1 -1
  112. package/dist/cli/commands/mcp.js +54 -6
  113. package/dist/cli/commands/mcp.js.map +1 -1
  114. package/dist/cli/commands/r2.d.ts +3 -0
  115. package/dist/cli/commands/r2.js +223 -204
  116. package/dist/cli/commands/r2.js.map +1 -1
  117. package/dist/cli/commands/redeploy.js +65 -12
  118. package/dist/cli/commands/redeploy.js.map +1 -1
  119. package/dist/cli/commands/reset.d.ts +22 -6
  120. package/dist/cli/commands/reset.js +132 -34
  121. package/dist/cli/commands/reset.js.map +1 -1
  122. package/dist/cli/commands/serve.js +231 -26
  123. package/dist/cli/commands/serve.js.map +1 -1
  124. package/dist/cli/commands/sync.d.ts +1 -1
  125. package/dist/cli/commands/sync.js +237 -227
  126. package/dist/cli/commands/sync.js.map +1 -1
  127. package/dist/cli/crypto-bundle.d.ts +39 -0
  128. package/dist/cli/crypto-bundle.js +94 -0
  129. package/dist/cli/crypto-bundle.js.map +1 -0
  130. package/dist/cli/index.js +24 -26
  131. package/dist/cli/index.js.map +1 -1
  132. package/dist/cli/railway-pin.d.ts +68 -0
  133. package/dist/cli/railway-pin.js +96 -0
  134. package/dist/cli/railway-pin.js.map +1 -0
  135. package/dist/cli/railway-provisioning.d.ts +53 -0
  136. package/dist/cli/railway-provisioning.js +85 -0
  137. package/dist/cli/railway-provisioning.js.map +1 -0
  138. package/dist/cli/setup-wizard.d.ts +30 -49
  139. package/dist/cli/setup-wizard.js +39 -40
  140. package/dist/cli/setup-wizard.js.map +1 -1
  141. package/dist/core/accent-palette.d.ts +22 -0
  142. package/dist/core/accent-palette.js +47 -0
  143. package/dist/core/accent-palette.js.map +1 -0
  144. package/dist/core/artifact-asset-urls.d.ts +51 -0
  145. package/dist/core/artifact-asset-urls.js +79 -0
  146. package/dist/core/artifact-asset-urls.js.map +1 -0
  147. package/dist/core/artifact-bundle.d.ts +69 -0
  148. package/dist/core/artifact-bundle.js +305 -0
  149. package/dist/core/artifact-bundle.js.map +1 -0
  150. package/dist/core/artifact-escape.d.ts +5 -0
  151. package/dist/core/artifact-escape.js +26 -0
  152. package/dist/core/artifact-escape.js.map +1 -0
  153. package/dist/core/artifact-export.d.ts +17 -0
  154. package/dist/core/artifact-export.js +529 -0
  155. package/dist/core/artifact-export.js.map +1 -0
  156. package/dist/core/cell-anchor.d.ts +29 -0
  157. package/dist/core/cell-anchor.js +53 -0
  158. package/dist/core/cell-anchor.js.map +1 -0
  159. package/dist/core/comment-anchor.d.ts +41 -0
  160. package/dist/core/comment-anchor.js +147 -0
  161. package/dist/core/comment-anchor.js.map +1 -0
  162. package/dist/core/commit-messages.d.ts +57 -0
  163. package/dist/core/commit-messages.js +85 -0
  164. package/dist/core/commit-messages.js.map +1 -0
  165. package/dist/core/embeds.d.ts +96 -0
  166. package/dist/core/embeds.js +196 -0
  167. package/dist/core/embeds.js.map +1 -0
  168. package/dist/core/entity-body-templates.d.ts +21 -0
  169. package/dist/core/entity-body-templates.js +67 -0
  170. package/dist/core/entity-body-templates.js.map +1 -0
  171. package/dist/core/entity-types-catalog.d.ts +65 -0
  172. package/dist/core/entity-types-catalog.js +142 -0
  173. package/dist/core/entity-types-catalog.js.map +1 -0
  174. package/dist/core/field-library.d.ts +62 -0
  175. package/dist/core/field-library.js +129 -0
  176. package/dist/core/field-library.js.map +1 -0
  177. package/dist/core/folder-paths.d.ts +41 -0
  178. package/dist/core/folder-paths.js +95 -0
  179. package/dist/core/folder-paths.js.map +1 -0
  180. package/dist/core/folder-sidecar.d.ts +36 -0
  181. package/dist/core/folder-sidecar.js +91 -0
  182. package/dist/core/folder-sidecar.js.map +1 -0
  183. package/dist/core/format-registry.d.ts +170 -0
  184. package/dist/core/format-registry.js +412 -0
  185. package/dist/core/format-registry.js.map +1 -0
  186. package/dist/core/graph.d.ts +773 -14
  187. package/dist/core/graph.js +2269 -308
  188. package/dist/core/graph.js.map +1 -1
  189. package/dist/core/history-diff.d.ts +35 -0
  190. package/dist/core/history-diff.js +114 -0
  191. package/dist/core/history-diff.js.map +1 -0
  192. package/dist/core/refs.d.ts +41 -0
  193. package/dist/core/refs.js +80 -0
  194. package/dist/core/refs.js.map +1 -0
  195. package/dist/core/schema-registry.d.ts +66 -0
  196. package/dist/core/schema-registry.js +198 -37
  197. package/dist/core/schema-registry.js.map +1 -1
  198. package/dist/core/schemas/connector.d.ts +67 -0
  199. package/dist/core/schemas/connector.js +100 -0
  200. package/dist/core/schemas/connector.js.map +1 -0
  201. package/dist/core/schemas/workspace.d.ts +122 -0
  202. package/dist/core/schemas/workspace.js +211 -0
  203. package/dist/core/schemas/workspace.js.map +1 -0
  204. package/dist/core/secrets/SecretStore.d.ts +77 -0
  205. package/dist/core/secrets/SecretStore.js +13 -0
  206. package/dist/core/secrets/SecretStore.js.map +1 -0
  207. package/dist/core/secrets/SettingsResolver.d.ts +54 -0
  208. package/dist/core/secrets/SettingsResolver.js +80 -0
  209. package/dist/core/secrets/SettingsResolver.js.map +1 -0
  210. package/dist/core/secrets/SettingsStore.d.ts +30 -0
  211. package/dist/core/secrets/SettingsStore.js +9 -0
  212. package/dist/core/secrets/SettingsStore.js.map +1 -0
  213. package/dist/core/secrets/SqliteEncryptedStore.d.ts +90 -0
  214. package/dist/core/secrets/SqliteEncryptedStore.js +598 -0
  215. package/dist/core/secrets/SqliteEncryptedStore.js.map +1 -0
  216. package/dist/core/secrets/audit.d.ts +36 -0
  217. package/dist/core/secrets/audit.js +60 -0
  218. package/dist/core/secrets/audit.js.map +1 -0
  219. package/dist/core/secrets/auth-db-migration.d.ts +129 -0
  220. package/dist/core/secrets/auth-db-migration.js +653 -0
  221. package/dist/core/secrets/auth-db-migration.js.map +1 -0
  222. package/dist/core/secrets/bundle.d.ts +141 -0
  223. package/dist/core/secrets/bundle.js +435 -0
  224. package/dist/core/secrets/bundle.js.map +1 -0
  225. package/dist/core/secrets/dual-write.d.ts +81 -0
  226. package/dist/core/secrets/dual-write.js +247 -0
  227. package/dist/core/secrets/dual-write.js.map +1 -0
  228. package/dist/core/secrets/encryption.d.ts +44 -0
  229. package/dist/core/secrets/encryption.js +97 -0
  230. package/dist/core/secrets/encryption.js.map +1 -0
  231. package/dist/core/secrets/index.d.ts +49 -0
  232. package/dist/core/secrets/index.js +74 -0
  233. package/dist/core/secrets/index.js.map +1 -0
  234. package/dist/core/secrets/master-key.d.ts +38 -0
  235. package/dist/core/secrets/master-key.js +122 -0
  236. package/dist/core/secrets/master-key.js.map +1 -0
  237. package/dist/core/secrets/probes/anthropic.d.ts +98 -0
  238. package/dist/core/secrets/probes/anthropic.js +300 -0
  239. package/dist/core/secrets/probes/anthropic.js.map +1 -0
  240. package/dist/core/secrets/probes/brave.d.ts +9 -0
  241. package/dist/core/secrets/probes/brave.js +15 -0
  242. package/dist/core/secrets/probes/brave.js.map +1 -0
  243. package/dist/core/secrets/probes/r2.d.ts +15 -0
  244. package/dist/core/secrets/probes/r2.js +14 -0
  245. package/dist/core/secrets/probes/r2.js.map +1 -0
  246. package/dist/core/secrets/probes/tavily.d.ts +18 -0
  247. package/dist/core/secrets/probes/tavily.js +58 -0
  248. package/dist/core/secrets/probes/tavily.js.map +1 -0
  249. package/dist/core/secrets/probes/voyage.d.ts +13 -0
  250. package/dist/core/secrets/probes/voyage.js +52 -0
  251. package/dist/core/secrets/probes/voyage.js.map +1 -0
  252. package/dist/core/secrets/r2-structural-migration.d.ts +39 -0
  253. package/dist/core/secrets/r2-structural-migration.js +109 -0
  254. package/dist/core/secrets/r2-structural-migration.js.map +1 -0
  255. package/dist/core/secrets/read-flip.d.ts +59 -0
  256. package/dist/core/secrets/read-flip.js +87 -0
  257. package/dist/core/secrets/read-flip.js.map +1 -0
  258. package/dist/core/secrets/registry.d.ts +188 -0
  259. package/dist/core/secrets/registry.js +616 -0
  260. package/dist/core/secrets/registry.js.map +1 -0
  261. package/dist/core/types.d.ts +77 -483
  262. package/dist/core/types.js +25 -3
  263. package/dist/core/types.js.map +1 -1
  264. package/dist/core/user-config.d.ts +75 -12
  265. package/dist/core/user-config.js +155 -14
  266. package/dist/core/user-config.js.map +1 -1
  267. package/dist/core/validation.d.ts +786 -1373
  268. package/dist/core/validation.js +458 -147
  269. package/dist/core/validation.js.map +1 -1
  270. package/dist/core/workspace-manager.d.ts +87 -14
  271. package/dist/core/workspace-manager.js +222 -94
  272. package/dist/core/workspace-manager.js.map +1 -1
  273. package/dist/core/workspace.d.ts +19 -5
  274. package/dist/core/workspace.js +67 -39
  275. package/dist/core/workspace.js.map +1 -1
  276. package/dist/mcp/comment-virtual-entity.d.ts +36 -0
  277. package/dist/mcp/comment-virtual-entity.js +71 -0
  278. package/dist/mcp/comment-virtual-entity.js.map +1 -0
  279. package/dist/mcp/connector-manager.d.ts +72 -2
  280. package/dist/mcp/connector-manager.js +211 -32
  281. package/dist/mcp/connector-manager.js.map +1 -1
  282. package/dist/mcp/oauth-provider.d.ts +0 -5
  283. package/dist/mcp/oauth-provider.js +10 -22
  284. package/dist/mcp/oauth-provider.js.map +1 -1
  285. package/dist/mcp/oauth-registry.d.ts +46 -8
  286. package/dist/mcp/oauth-registry.js +52 -13
  287. package/dist/mcp/oauth-registry.js.map +1 -1
  288. package/dist/mcp/server-discovery.d.ts +73 -0
  289. package/dist/mcp/server-discovery.js +164 -0
  290. package/dist/mcp/server-discovery.js.map +1 -0
  291. package/dist/mcp/server.d.ts +24 -3
  292. package/dist/mcp/server.js +53 -10
  293. package/dist/mcp/server.js.map +1 -1
  294. package/dist/mcp/state-signer.d.ts +62 -0
  295. package/dist/mcp/state-signer.js +205 -0
  296. package/dist/mcp/state-signer.js.map +1 -0
  297. package/dist/mcp/stdio-proxy.d.ts +67 -0
  298. package/dist/mcp/stdio-proxy.js +149 -0
  299. package/dist/mcp/stdio-proxy.js.map +1 -0
  300. package/dist/mcp/tools.d.ts +65 -2
  301. package/dist/mcp/tools.js +1772 -124
  302. package/dist/mcp/tools.js.map +1 -1
  303. package/dist/server/__tests__/helpers/graph-api.d.ts +16 -0
  304. package/dist/server/__tests__/helpers/graph-api.js +16 -0
  305. package/dist/server/__tests__/helpers/graph-api.js.map +1 -0
  306. package/dist/server/artifact-asset-mint.d.ts +41 -0
  307. package/dist/server/artifact-asset-mint.js +59 -0
  308. package/dist/server/artifact-asset-mint.js.map +1 -0
  309. package/dist/server/asset-index-queue.d.ts +98 -0
  310. package/dist/server/asset-index-queue.js +193 -0
  311. package/dist/server/asset-index-queue.js.map +1 -0
  312. package/dist/server/body-write-coordinator.d.ts +161 -0
  313. package/dist/server/body-write-coordinator.js +182 -0
  314. package/dist/server/body-write-coordinator.js.map +1 -0
  315. package/dist/server/cloud-billing-flow.d.ts +32 -0
  316. package/dist/server/cloud-billing-flow.js +75 -0
  317. package/dist/server/cloud-billing-flow.js.map +1 -0
  318. package/dist/server/commit-audit.d.ts +26 -0
  319. package/dist/server/commit-audit.js +30 -0
  320. package/dist/server/commit-audit.js.map +1 -0
  321. package/dist/server/index.d.ts +29 -3
  322. package/dist/server/index.js +657 -269
  323. package/dist/server/index.js.map +1 -1
  324. package/dist/server/middleware/sanitize.d.ts +46 -0
  325. package/dist/server/middleware/sanitize.js +182 -0
  326. package/dist/server/middleware/sanitize.js.map +1 -0
  327. package/dist/server/routes/artifact-export-api.d.ts +11 -0
  328. package/dist/server/routes/artifact-export-api.js +159 -0
  329. package/dist/server/routes/artifact-export-api.js.map +1 -0
  330. package/dist/server/routes/asset-api.d.ts +76 -1
  331. package/dist/server/routes/asset-api.js +761 -61
  332. package/dist/server/routes/asset-api.js.map +1 -1
  333. package/dist/server/routes/audit-api.d.ts +24 -0
  334. package/dist/server/routes/audit-api.js +117 -0
  335. package/dist/server/routes/audit-api.js.map +1 -0
  336. package/dist/server/routes/auth-api.js +532 -63
  337. package/dist/server/routes/auth-api.js.map +1 -1
  338. package/dist/server/routes/capture-api.d.ts +10 -3
  339. package/dist/server/routes/capture-api.js +213 -25
  340. package/dist/server/routes/capture-api.js.map +1 -1
  341. package/dist/server/routes/chat-sessions-api.d.ts +13 -0
  342. package/dist/server/routes/chat-sessions-api.js +455 -0
  343. package/dist/server/routes/chat-sessions-api.js.map +1 -0
  344. package/dist/server/routes/chat.d.ts +35 -1
  345. package/dist/server/routes/chat.js +699 -54
  346. package/dist/server/routes/chat.js.map +1 -1
  347. package/dist/server/routes/comments-api.d.ts +15 -0
  348. package/dist/server/routes/comments-api.js +444 -0
  349. package/dist/server/routes/comments-api.js.map +1 -0
  350. package/dist/server/routes/config-api.d.ts +3 -2
  351. package/dist/server/routes/config-api.js +179 -49
  352. package/dist/server/routes/config-api.js.map +1 -1
  353. package/dist/server/routes/connectors-api.js +177 -42
  354. package/dist/server/routes/connectors-api.js.map +1 -1
  355. package/dist/server/routes/event-ingest-api.d.ts +15 -0
  356. package/dist/server/routes/{meeting-ingest-api.js → event-ingest-api.js} +35 -20
  357. package/dist/server/routes/event-ingest-api.js.map +1 -0
  358. package/dist/server/routes/field-library-api.d.ts +28 -0
  359. package/dist/server/routes/field-library-api.js +126 -0
  360. package/dist/server/routes/field-library-api.js.map +1 -0
  361. package/dist/server/routes/git-http.d.ts +2 -2
  362. package/dist/server/routes/git-http.js +86 -39
  363. package/dist/server/routes/git-http.js.map +1 -1
  364. package/dist/server/routes/graph-api-access.d.ts +57 -0
  365. package/dist/server/routes/graph-api-access.js +112 -0
  366. package/dist/server/routes/graph-api-access.js.map +1 -0
  367. package/dist/server/routes/graph-api.d.ts +1 -1
  368. package/dist/server/routes/graph-api.js +1455 -325
  369. package/dist/server/routes/graph-api.js.map +1 -1
  370. package/dist/server/routes/health.d.ts +18 -0
  371. package/dist/server/routes/health.js +74 -0
  372. package/dist/server/routes/health.js.map +1 -0
  373. package/dist/server/routes/import-batch.d.ts +24 -0
  374. package/dist/server/routes/import-batch.js +33 -0
  375. package/dist/server/routes/import-batch.js.map +1 -0
  376. package/dist/server/routes/insights-api.d.ts +9 -2
  377. package/dist/server/routes/insights-api.js +355 -61
  378. package/dist/server/routes/insights-api.js.map +1 -1
  379. package/dist/server/routes/mcp.d.ts +7 -3
  380. package/dist/server/routes/mcp.js +24 -8
  381. package/dist/server/routes/mcp.js.map +1 -1
  382. package/dist/server/routes/oauth-api.d.ts +67 -0
  383. package/dist/server/routes/oauth-api.js +421 -0
  384. package/dist/server/routes/oauth-api.js.map +1 -0
  385. package/dist/server/routes/permissions-api.d.ts +9 -2
  386. package/dist/server/routes/permissions-api.js +87 -31
  387. package/dist/server/routes/permissions-api.js.map +1 -1
  388. package/dist/server/routes/r2-api.d.ts +25 -0
  389. package/dist/server/routes/r2-api.js +276 -0
  390. package/dist/server/routes/r2-api.js.map +1 -0
  391. package/dist/server/routes/secrets-api.d.ts +36 -0
  392. package/dist/server/routes/secrets-api.js +308 -0
  393. package/dist/server/routes/secrets-api.js.map +1 -0
  394. package/dist/server/routes/settings-api.d.ts +29 -0
  395. package/dist/server/routes/settings-api.js +180 -0
  396. package/dist/server/routes/settings-api.js.map +1 -0
  397. package/dist/server/routes/share-api.d.ts +32 -0
  398. package/dist/server/routes/share-api.js +234 -0
  399. package/dist/server/routes/share-api.js.map +1 -0
  400. package/dist/server/routes/views-api.js +51 -0
  401. package/dist/server/routes/views-api.js.map +1 -1
  402. package/dist/server/routes/workspace-api.d.ts +2 -1
  403. package/dist/server/routes/workspace-api.js +142 -23
  404. package/dist/server/routes/workspace-api.js.map +1 -1
  405. package/dist/server/routes/ws.d.ts +3 -2
  406. package/dist/server/routes/ws.js +68 -17
  407. package/dist/server/routes/ws.js.map +1 -1
  408. package/dist/server/session-manager.d.ts +48 -5
  409. package/dist/server/session-manager.js +182 -14
  410. package/dist/server/session-manager.js.map +1 -1
  411. package/dist/server/ws-hub.d.ts +124 -37
  412. package/dist/server/ws-hub.js +0 -0
  413. package/dist/server/ws-hub.js.map +1 -1
  414. package/dist/server/yjs-manager.d.ts +278 -7
  415. package/dist/server/yjs-manager.js +830 -38
  416. package/dist/server/yjs-manager.js.map +1 -1
  417. package/dist/server/yjs-persistence.d.ts +165 -0
  418. package/dist/server/yjs-persistence.js +557 -0
  419. package/dist/server/yjs-persistence.js.map +1 -0
  420. package/dist/server/yjs-text-diff.d.ts +32 -0
  421. package/dist/server/yjs-text-diff.js +61 -0
  422. package/dist/server/yjs-text-diff.js.map +1 -0
  423. package/dist/services/access-control.d.ts +73 -0
  424. package/dist/services/access-control.js +165 -0
  425. package/dist/services/access-control.js.map +1 -0
  426. package/dist/services/artifact-asset-token.d.ts +69 -0
  427. package/dist/services/artifact-asset-token.js +94 -0
  428. package/dist/services/artifact-asset-token.js.map +1 -0
  429. package/dist/services/artifact-library-sources.d.ts +3 -0
  430. package/dist/services/artifact-library-sources.js +44 -0
  431. package/dist/services/artifact-library-sources.js.map +1 -0
  432. package/dist/services/artifact-render-export.d.ts +97 -0
  433. package/dist/services/artifact-render-export.js +467 -0
  434. package/dist/services/artifact-render-export.js.map +1 -0
  435. package/dist/services/asset-caption-service.d.ts +103 -0
  436. package/dist/services/asset-caption-service.js +186 -0
  437. package/dist/services/asset-caption-service.js.map +1 -0
  438. package/dist/services/asset-delete-authz.d.ts +31 -0
  439. package/dist/services/asset-delete-authz.js +61 -0
  440. package/dist/services/asset-delete-authz.js.map +1 -0
  441. package/dist/services/asset-finalize-service.d.ts +58 -0
  442. package/dist/services/asset-finalize-service.js +216 -0
  443. package/dist/services/asset-finalize-service.js.map +1 -0
  444. package/dist/services/asset-import-service.d.ts +111 -0
  445. package/dist/services/asset-import-service.js +394 -0
  446. package/dist/services/asset-import-service.js.map +1 -0
  447. package/dist/services/asset-index-sweep.d.ts +95 -0
  448. package/dist/services/asset-index-sweep.js +249 -0
  449. package/dist/services/asset-index-sweep.js.map +1 -0
  450. package/dist/services/asset-lifecycle-check.d.ts +22 -0
  451. package/dist/services/asset-lifecycle-check.js +80 -0
  452. package/dist/services/asset-lifecycle-check.js.map +1 -0
  453. package/dist/services/asset-listing.d.ts +72 -0
  454. package/dist/services/asset-listing.js +321 -0
  455. package/dist/services/asset-listing.js.map +1 -0
  456. package/dist/services/asset-presign-service.d.ts +68 -0
  457. package/dist/services/asset-presign-service.js +124 -0
  458. package/dist/services/asset-presign-service.js.map +1 -0
  459. package/dist/services/asset-sidecar-service.d.ts +28 -0
  460. package/dist/services/asset-sidecar-service.js +79 -0
  461. package/dist/services/asset-sidecar-service.js.map +1 -0
  462. package/dist/services/asset-upload-errors.d.ts +41 -0
  463. package/dist/services/asset-upload-errors.js +45 -0
  464. package/dist/services/asset-upload-errors.js.map +1 -0
  465. package/dist/services/asset-upload-service.d.ts +56 -0
  466. package/dist/services/asset-upload-service.js +200 -0
  467. package/dist/services/asset-upload-service.js.map +1 -0
  468. package/dist/services/asset-upload-token.d.ts +58 -0
  469. package/dist/services/asset-upload-token.js +75 -0
  470. package/dist/services/asset-upload-token.js.map +1 -0
  471. package/dist/services/assets/asset-index-service.d.ts +127 -0
  472. package/dist/services/assets/asset-index-service.js +227 -0
  473. package/dist/services/assets/asset-index-service.js.map +1 -0
  474. package/dist/services/assets/base.d.ts +128 -2
  475. package/dist/services/assets/base.js +98 -1
  476. package/dist/services/assets/base.js.map +1 -1
  477. package/dist/services/assets/index.d.ts +114 -1
  478. package/dist/services/assets/index.js +221 -0
  479. package/dist/services/assets/index.js.map +1 -1
  480. package/dist/services/assets/local.d.ts +16 -1
  481. package/dist/services/assets/local.js +110 -1
  482. package/dist/services/assets/local.js.map +1 -1
  483. package/dist/services/assets/r2-sync.d.ts +88 -0
  484. package/dist/services/assets/r2-sync.js +412 -0
  485. package/dist/services/assets/r2-sync.js.map +1 -0
  486. package/dist/services/assets/r2.d.ts +87 -1
  487. package/dist/services/assets/r2.js +203 -1
  488. package/dist/services/assets/r2.js.map +1 -1
  489. package/dist/services/auth-service.d.ts +312 -45
  490. package/dist/services/auth-service.js +1011 -195
  491. package/dist/services/auth-service.js.map +1 -1
  492. package/dist/services/chat-session-service.d.ts +188 -0
  493. package/dist/services/chat-session-service.js +512 -0
  494. package/dist/services/chat-session-service.js.map +1 -0
  495. package/dist/services/cloud-inference-billing.d.ts +64 -0
  496. package/dist/services/cloud-inference-billing.js +313 -0
  497. package/dist/services/cloud-inference-billing.js.map +1 -0
  498. package/dist/services/comment-service.d.ts +97 -0
  499. package/dist/services/comment-service.js +341 -0
  500. package/dist/services/comment-service.js.map +1 -0
  501. package/dist/services/comment-virtual-entity.d.ts +36 -0
  502. package/dist/services/comment-virtual-entity.js +71 -0
  503. package/dist/services/comment-virtual-entity.js.map +1 -0
  504. package/dist/services/convert-service.d.ts +64 -0
  505. package/dist/services/convert-service.js +68 -0
  506. package/dist/services/convert-service.js.map +1 -0
  507. package/dist/services/csv-service.d.ts +22 -17
  508. package/dist/services/csv-service.js +55 -92
  509. package/dist/services/csv-service.js.map +1 -1
  510. package/dist/services/entity-mutations.d.ts +213 -0
  511. package/dist/services/entity-mutations.js +380 -0
  512. package/dist/services/entity-mutations.js.map +1 -0
  513. package/dist/services/{meeting-processor.d.ts → event-processor.d.ts} +15 -8
  514. package/dist/services/{meeting-processor.js → event-processor.js} +124 -65
  515. package/dist/services/event-processor.js.map +1 -0
  516. package/dist/services/extract/docx.d.ts +1 -0
  517. package/dist/services/extract/docx.js +233 -0
  518. package/dist/services/extract/docx.js.map +1 -0
  519. package/dist/services/extract/index.d.ts +9 -0
  520. package/dist/services/extract/index.js +10 -0
  521. package/dist/services/extract/index.js.map +1 -0
  522. package/dist/services/extract/pdf.d.ts +13 -0
  523. package/dist/services/extract/pdf.js +69 -0
  524. package/dist/services/extract/pdf.js.map +1 -0
  525. package/dist/services/folder-creation.d.ts +33 -0
  526. package/dist/services/folder-creation.js +103 -0
  527. package/dist/services/folder-creation.js.map +1 -0
  528. package/dist/services/git.d.ts +58 -0
  529. package/dist/services/git.js +194 -55
  530. package/dist/services/git.js.map +1 -1
  531. package/dist/services/graph-maintenance.js +4 -4
  532. package/dist/services/graph-maintenance.js.map +1 -1
  533. package/dist/services/import-service.d.ts +51 -2
  534. package/dist/services/import-service.js +254 -107
  535. package/dist/services/import-service.js.map +1 -1
  536. package/dist/services/lint-service.js +10 -17
  537. package/dist/services/lint-service.js.map +1 -1
  538. package/dist/services/markdown.d.ts +12 -1
  539. package/dist/services/markdown.js +77 -9
  540. package/dist/services/markdown.js.map +1 -1
  541. package/dist/services/mention-detector.d.ts +23 -0
  542. package/dist/services/mention-detector.js +47 -0
  543. package/dist/services/mention-detector.js.map +1 -0
  544. package/dist/services/model-capabilities.d.ts +41 -0
  545. package/dist/services/model-capabilities.js +107 -0
  546. package/dist/services/model-capabilities.js.map +1 -0
  547. package/dist/services/notification-broadcast.d.ts +32 -0
  548. package/dist/services/notification-broadcast.js +38 -0
  549. package/dist/services/notification-broadcast.js.map +1 -0
  550. package/dist/services/notification-service.d.ts +41 -0
  551. package/dist/services/notification-service.js +100 -0
  552. package/dist/services/notification-service.js.map +1 -0
  553. package/dist/services/oauth-server-store.d.ts +147 -0
  554. package/dist/services/oauth-server-store.js +319 -0
  555. package/dist/services/oauth-server-store.js.map +1 -0
  556. package/dist/services/orphan-service.js +2 -2
  557. package/dist/services/orphan-service.js.map +1 -1
  558. package/dist/services/personal-folder.d.ts +40 -0
  559. package/dist/services/personal-folder.js +101 -0
  560. package/dist/services/personal-folder.js.map +1 -0
  561. package/dist/services/scratch-asset-promote.d.ts +57 -0
  562. package/dist/services/scratch-asset-promote.js +95 -0
  563. package/dist/services/scratch-asset-promote.js.map +1 -0
  564. package/dist/services/scratch-attachment-service.d.ts +196 -0
  565. package/dist/services/scratch-attachment-service.js +347 -0
  566. package/dist/services/scratch-attachment-service.js.map +1 -0
  567. package/dist/services/share-link-service.d.ts +57 -0
  568. package/dist/services/share-link-service.js +142 -0
  569. package/dist/services/share-link-service.js.map +1 -0
  570. package/dist/services/user-person-bridge.d.ts +136 -0
  571. package/dist/services/user-person-bridge.js +340 -0
  572. package/dist/services/user-person-bridge.js.map +1 -0
  573. package/dist/services/vector-service.d.ts +282 -5
  574. package/dist/services/vector-service.js +585 -29
  575. package/dist/services/vector-service.js.map +1 -1
  576. package/dist/services/workspace-access.d.ts +108 -0
  577. package/dist/services/workspace-access.js +149 -0
  578. package/dist/services/workspace-access.js.map +1 -0
  579. package/dist/services/workspace-assets-folder.d.ts +46 -0
  580. package/dist/services/workspace-assets-folder.js +75 -0
  581. package/dist/services/workspace-assets-folder.js.map +1 -0
  582. package/dist/utils/git.d.ts +17 -2
  583. package/dist/utils/git.js +23 -7
  584. package/dist/utils/git.js.map +1 -1
  585. package/dist/utils/log.d.ts +42 -0
  586. package/dist/utils/log.js +137 -0
  587. package/dist/utils/log.js.map +1 -0
  588. package/dist/utils/preflight.js +2 -2
  589. package/dist/utils/preflight.js.map +1 -1
  590. package/dist/utils/version-checker.d.ts +12 -19
  591. package/dist/utils/version-checker.js +14 -104
  592. package/dist/utils/version-checker.js.map +1 -1
  593. package/dist/web/_app/immutable/assets/0.Bs_z3Z86.css +2 -0
  594. package/dist/web/_app/immutable/assets/12.DlIf1mKh.css +1 -0
  595. package/dist/web/_app/immutable/assets/14.7d-Q37wc.css +1 -0
  596. package/dist/web/_app/immutable/assets/15.BwBFdc1D.css +1 -0
  597. package/dist/web/_app/immutable/assets/16.CmLrbzZp.css +1 -0
  598. package/dist/web/_app/immutable/assets/17.DcuK5ZVm.css +1 -0
  599. package/dist/web/_app/immutable/assets/2.DATnR31c.css +1 -0
  600. package/dist/web/_app/immutable/assets/3.Cz4H8n_O.css +1 -0
  601. package/dist/web/_app/immutable/assets/4.aDHteTDy.css +1 -0
  602. package/dist/web/_app/immutable/assets/6.CF1i5Bon.css +1 -0
  603. package/dist/web/_app/immutable/assets/ArtifactEntityView.C4ooklFD.css +1 -0
  604. package/dist/web/_app/immutable/assets/AssetLibraryPicker.BOFW0MvF.css +1 -0
  605. package/dist/web/_app/immutable/assets/BulkActionsBar.cmKvHzRK.css +1 -0
  606. package/dist/web/_app/immutable/assets/CalendarView.lBCvS3X5.css +1 -0
  607. package/dist/web/_app/immutable/assets/CodeMirrorEditor.D6hf2pNJ.css +1 -0
  608. package/dist/web/_app/immutable/assets/CopyField.DVGZtw4U.css +1 -0
  609. package/dist/web/_app/immutable/assets/FolderMembersPanel.kiYnDFHu.css +1 -0
  610. package/dist/web/_app/immutable/assets/FolderMutationDialogs.BMRF6Z3z.css +1 -0
  611. package/dist/web/_app/immutable/assets/FolderPicker.Cp46GHe2.css +1 -0
  612. package/dist/web/_app/immutable/assets/GalleryView.WBGxxUQc.css +1 -0
  613. package/dist/web/_app/immutable/assets/GraphView.BJtGL9py.css +1 -0
  614. package/dist/web/_app/immutable/assets/KanbanView.BOaI5KFL.css +1 -0
  615. package/dist/web/_app/immutable/assets/Link.vV0ne105.css +1 -0
  616. package/dist/web/_app/immutable/assets/Markdown.BZnsSOSf.css +1 -0
  617. package/dist/web/_app/immutable/assets/Rail.ilusFgD4.css +1 -0
  618. package/dist/web/_app/immutable/assets/SettingsDialog.D7-BO6S_.css +1 -0
  619. package/dist/web/_app/immutable/assets/Spinner.UBfl0pab.css +1 -0
  620. package/dist/web/_app/immutable/assets/StopFilledAlt.fNlDN65D.css +1 -0
  621. package/dist/web/_app/immutable/assets/TimelineView.xAZBJhHw.css +1 -0
  622. package/dist/web/_app/immutable/assets/WorkspaceView.C8ErUJAY.css +1 -0
  623. package/dist/web/_app/immutable/assets/button.BlLm4Dg1.css +1 -0
  624. package/dist/web/_app/immutable/assets/history-summary.LpmHXasl.css +1 -0
  625. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-400-normal.CvHOgSBP.woff +0 -0
  626. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-400-normal.DMJ8VG8y.woff2 +0 -0
  627. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-500-normal.CB9ihrfo.woff +0 -0
  628. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-500-normal.DSY6xOcd.woff2 +0 -0
  629. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-italic.CZTNEAuW.woff2 +0 -0
  630. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-italic.CsGl1sm0.woff +0 -0
  631. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-normal.CDDApCn2.woff2 +0 -0
  632. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-normal.CYLoc0-x.woff +0 -0
  633. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-italic.BNK2_mGO.woff2 +0 -0
  634. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-italic.DpEwFAQM.woff +0 -0
  635. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-normal.6ng42L7E.woff2 +0 -0
  636. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-normal.BgVn5rGT.woff +0 -0
  637. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-600-normal.Cu4Hd6ag.woff +0 -0
  638. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-600-normal.CuJfVYMP.woff2 +0 -0
  639. package/dist/web/_app/immutable/assets/inline-list.cqga56xT.css +1 -0
  640. package/dist/web/_app/immutable/assets/list-columns.BgnafZ4K.css +1 -0
  641. package/dist/web/_app/immutable/assets/realtime.DDCWxn3B.css +1 -0
  642. package/dist/web/_app/immutable/assets/select.B90KUqR4.css +1 -0
  643. package/dist/web/_app/immutable/assets/sheet.RF9RBmml.css +1 -0
  644. package/dist/web/_app/immutable/chunks/22qYtvr82.js +1 -0
  645. package/dist/web/_app/immutable/chunks/2f1VclTm.js +1 -0
  646. package/dist/web/_app/immutable/chunks/4xgUPoGj2.js +2 -0
  647. package/dist/web/_app/immutable/chunks/5CYQk4xR.js +1 -0
  648. package/dist/web/_app/immutable/chunks/6S9WOky52.js +1 -0
  649. package/dist/web/_app/immutable/chunks/9K8VREGP.js +1 -0
  650. package/dist/web/_app/immutable/chunks/B-n5q6ku.js +1 -0
  651. package/dist/web/_app/immutable/chunks/B0p2fSEV2.js +1 -0
  652. package/dist/web/_app/immutable/chunks/B2oi87jG.js +2 -0
  653. package/dist/web/_app/immutable/chunks/B5Rb52QU.js +1 -0
  654. package/dist/web/_app/immutable/chunks/B6Lt-qaJ.js +1 -0
  655. package/dist/web/_app/immutable/chunks/B6O-q2CN.js +1 -0
  656. package/dist/web/_app/immutable/chunks/B6qeIQZz.js +2 -0
  657. package/dist/web/_app/immutable/chunks/B9KfEsQw2.js +1 -0
  658. package/dist/web/_app/immutable/chunks/BB-RSeXQ.js +1 -0
  659. package/dist/web/_app/immutable/chunks/BCQQzpbj.js +1 -0
  660. package/dist/web/_app/immutable/chunks/BGdzd-Tc.js +1 -0
  661. package/dist/web/_app/immutable/chunks/BLs1h0Rh2.js +1 -0
  662. package/dist/web/_app/immutable/chunks/BPzV_xOS2.js +1 -0
  663. package/dist/web/_app/immutable/chunks/BT2C6q8n.js +1 -0
  664. package/dist/web/_app/immutable/chunks/BUesbLq2.js +1 -0
  665. package/dist/web/_app/immutable/chunks/BUrnwOw4.js +2 -0
  666. package/dist/web/_app/immutable/chunks/BV-iCKqa.js +1 -0
  667. package/dist/web/_app/immutable/chunks/BVCJtXyc.js +1 -0
  668. package/dist/web/_app/immutable/chunks/BY9a3GSt.js +6 -0
  669. package/dist/web/_app/immutable/chunks/BZi3uKF4.js +1 -0
  670. package/dist/web/_app/immutable/chunks/BbfHGU9n2.js +1 -0
  671. package/dist/web/_app/immutable/chunks/Bbqu2-5G2.js +1 -0
  672. package/dist/web/_app/immutable/chunks/BbsX1Slr.js +3 -0
  673. package/dist/web/_app/immutable/chunks/BcwjqHaZ2.js +1 -0
  674. package/dist/web/_app/immutable/chunks/BizeEpTx.js +2 -0
  675. package/dist/web/_app/immutable/chunks/BlgjVmFM2.js +14 -0
  676. package/dist/web/_app/immutable/chunks/BocSRgv12.js +1 -0
  677. package/dist/web/_app/immutable/chunks/BojBYqc3.js +1 -0
  678. package/dist/web/_app/immutable/chunks/BpCG9m962.js +1 -0
  679. package/dist/web/_app/immutable/chunks/BqvnBg_y.js +1 -0
  680. package/dist/web/_app/immutable/chunks/BsT0J1QD.js +1 -0
  681. package/dist/web/_app/immutable/chunks/BsW72fyR2.js +1 -0
  682. package/dist/web/_app/immutable/chunks/Bti_XKwx.js +2692 -0
  683. package/dist/web/_app/immutable/chunks/Bua97Had2.js +2 -0
  684. package/dist/web/_app/immutable/chunks/BuhW5Fr0.js +689 -0
  685. package/dist/web/_app/immutable/chunks/Bx74EEyn2.js +1 -0
  686. package/dist/web/_app/immutable/chunks/BxPN0T61.js +1 -0
  687. package/dist/web/_app/immutable/chunks/Bz9lrgGs.js +1 -0
  688. package/dist/web/_app/immutable/chunks/BzaxZ6j12.js +1 -0
  689. package/dist/web/_app/immutable/chunks/C1B4xDs0.js +1 -0
  690. package/dist/web/_app/immutable/chunks/C1trcC8M.js +7 -0
  691. package/dist/web/_app/immutable/chunks/C9tvkk7Y2.js +22 -0
  692. package/dist/web/_app/immutable/chunks/CBQjdDZf.js +1 -0
  693. package/dist/web/_app/immutable/chunks/CDeazMFW2.js +2 -0
  694. package/dist/web/_app/immutable/chunks/CEahbtnP.js +1 -0
  695. package/dist/web/_app/immutable/chunks/CGjVCd0e.js +8 -0
  696. package/dist/web/_app/immutable/chunks/CICK9maP.js +1 -0
  697. package/dist/web/_app/immutable/chunks/CIoNEHQ82.js +184 -0
  698. package/dist/web/_app/immutable/chunks/CP8_U450.js +1 -0
  699. package/dist/web/_app/immutable/chunks/CQ1eQ93t2.js +6 -0
  700. package/dist/web/_app/immutable/chunks/CUFQMEBn2.js +1 -0
  701. package/dist/web/_app/immutable/chunks/CYEYDNwO2.js +1 -0
  702. package/dist/web/_app/immutable/chunks/CYyIP7kP2.js +66 -0
  703. package/dist/web/_app/immutable/chunks/CZgFaimi2.js +83 -0
  704. package/dist/web/_app/immutable/chunks/CZqvCTCv.js +1 -0
  705. package/dist/web/_app/immutable/chunks/CcI9jYBV.js +1 -0
  706. package/dist/web/_app/immutable/chunks/CcWaWbrI2.js +1 -0
  707. package/dist/web/_app/immutable/chunks/CdtzRVZK.js +1 -0
  708. package/dist/web/_app/immutable/chunks/CfYG72Hc.js +1 -0
  709. package/dist/web/_app/immutable/chunks/Ch1kmm3J2.js +1 -0
  710. package/dist/web/_app/immutable/chunks/CmSSN61R2.js +1 -0
  711. package/dist/web/_app/immutable/chunks/Cqm5wAin.js +1 -0
  712. package/dist/web/_app/immutable/chunks/CuYPXpWU.js +1 -0
  713. package/dist/web/_app/immutable/chunks/CvSEodTA.js +1 -0
  714. package/dist/web/_app/immutable/chunks/CvqqrTrj.js +1 -0
  715. package/dist/web/_app/immutable/chunks/CwAmWt6h.js +1 -0
  716. package/dist/web/_app/immutable/chunks/CwP3Oa7F.js +1 -0
  717. package/dist/web/_app/immutable/chunks/CyTluew1.js +2 -0
  718. package/dist/web/_app/immutable/chunks/CzXdOgVl2.js +7 -0
  719. package/dist/web/_app/immutable/chunks/D0IAituJ.js +1 -0
  720. package/dist/web/_app/immutable/chunks/D0W7c6Sg.js +185 -0
  721. package/dist/web/_app/immutable/chunks/D0rBhnqB2.js +1 -0
  722. package/dist/web/_app/immutable/chunks/D1-GZSN1.js +1 -0
  723. package/dist/web/_app/immutable/chunks/D1yvtriI.js +1 -0
  724. package/dist/web/_app/immutable/chunks/D25NMRpl.js +1 -0
  725. package/dist/web/_app/immutable/chunks/D8wZ2xul.js +4 -0
  726. package/dist/web/_app/immutable/chunks/DA3HEX3X.js +1 -0
  727. package/dist/web/_app/immutable/chunks/DD9wj4ca2.js +1 -0
  728. package/dist/web/_app/immutable/chunks/DJ1YeiJL2.js +1 -0
  729. package/dist/web/_app/immutable/chunks/DKFZnpVC.js +5 -0
  730. package/dist/web/_app/immutable/chunks/DKJl40hl.js +1 -0
  731. package/dist/web/_app/immutable/chunks/DPUVu0T0.js +1 -0
  732. package/dist/web/_app/immutable/chunks/DQMWa2t7.js +1 -0
  733. package/dist/web/_app/immutable/chunks/DXsFrDer2.js +1 -0
  734. package/dist/web/_app/immutable/chunks/DYc5KW3F.js +1 -0
  735. package/dist/web/_app/immutable/chunks/DZcTwXBW.js +1 -0
  736. package/dist/web/_app/immutable/chunks/DcPrzUMJ.js +1 -0
  737. package/dist/web/_app/immutable/chunks/DdPO8kRu2.js +2 -0
  738. package/dist/web/_app/immutable/chunks/DeOXyJZw2.js +1 -0
  739. package/dist/web/_app/immutable/chunks/DfufUFR1.js +2 -0
  740. package/dist/web/_app/immutable/chunks/DiQg3ing.js +1 -0
  741. package/dist/web/_app/immutable/chunks/DjIqa1_y.js +2 -0
  742. package/dist/web/_app/immutable/chunks/DkJ1dkxV2.js +1 -0
  743. package/dist/web/_app/immutable/chunks/Dl63IUnH2.js +224 -0
  744. package/dist/web/_app/immutable/chunks/DmFdD6zT.js +1 -0
  745. package/dist/web/_app/immutable/chunks/Dn3R8S-U.js +1 -0
  746. package/dist/web/_app/immutable/chunks/DpNr1GQ2.js +1 -0
  747. package/dist/web/_app/immutable/chunks/DpVNDHXz.js +2 -0
  748. package/dist/web/_app/immutable/chunks/DuxziNnw.js +1 -0
  749. package/dist/web/_app/immutable/chunks/Dv3A3Wcj.js +1 -0
  750. package/dist/web/_app/immutable/chunks/FuiJnZG0.js +1 -0
  751. package/dist/web/_app/immutable/chunks/Izkulod7.js +1 -0
  752. package/dist/web/_app/immutable/chunks/KZY6ongq2.js +2 -0
  753. package/dist/web/_app/immutable/chunks/LYL8znYR2.js +23 -0
  754. package/dist/web/_app/immutable/chunks/PhN6tXuJ2.js +1 -0
  755. package/dist/web/_app/immutable/chunks/PyLyCpuL.js +1 -0
  756. package/dist/web/_app/immutable/chunks/RK4gCWN0.js +2 -0
  757. package/dist/web/_app/immutable/chunks/VsBngTf4.js +2 -0
  758. package/dist/web/_app/immutable/chunks/XcWejFm_.js +5 -0
  759. package/dist/web/_app/immutable/chunks/al_nidE9.js +1 -0
  760. package/dist/web/_app/immutable/chunks/e50-izZO2.js +1 -0
  761. package/dist/web/_app/immutable/chunks/hG-QCarB.js +1 -0
  762. package/dist/web/_app/immutable/chunks/hStvCHkX.js +1 -0
  763. package/dist/web/_app/immutable/chunks/iJVY9p0y.js +3 -0
  764. package/dist/web/_app/immutable/chunks/kNaey6uv.js +1 -0
  765. package/dist/web/_app/immutable/chunks/pIXNe0C1.js +1 -0
  766. package/dist/web/_app/immutable/chunks/pNSRq_1B.js +2 -0
  767. package/dist/web/_app/immutable/chunks/qwr5boV8.js +1 -0
  768. package/dist/web/_app/immutable/chunks/rjjyuGhb.js +1 -0
  769. package/dist/web/_app/immutable/chunks/sg-T-FoN.js +1 -0
  770. package/dist/web/_app/immutable/chunks/uBgoVlsx.js +3 -0
  771. package/dist/web/_app/immutable/chunks/ulshNz6x.js +2 -0
  772. package/dist/web/_app/immutable/chunks/xY0c-UfG.js +3 -0
  773. package/dist/web/_app/immutable/chunks/xeNvx4Bl2.js +1 -0
  774. package/dist/web/_app/immutable/chunks/xihTtKlq.js +1 -0
  775. package/dist/web/_app/immutable/entry/app.pNUW-q4U.js +2 -0
  776. package/dist/web/_app/immutable/entry/start.DxGtIGG_.js +1 -0
  777. package/dist/web/_app/immutable/nodes/0.D6ZCY_R6.js +2 -0
  778. package/dist/web/_app/immutable/nodes/1.BryH3TNr.js +1 -0
  779. package/dist/web/_app/immutable/nodes/10.CMZMvR17.js +1 -0
  780. package/dist/web/_app/immutable/nodes/11.QHx_JShx.js +1 -0
  781. package/dist/web/_app/immutable/nodes/12.CiRWbb4X.js +1 -0
  782. package/dist/web/_app/immutable/nodes/13.CYrHXCA8.js +1 -0
  783. package/dist/web/_app/immutable/nodes/14.K18eIE5Z.js +1 -0
  784. package/dist/web/_app/immutable/nodes/15.DxgnZ61h.js +1 -0
  785. package/dist/web/_app/immutable/nodes/16.Dn6iuWIo.js +1 -0
  786. package/dist/web/_app/immutable/nodes/17.viwS7vTR.js +77 -0
  787. package/dist/web/_app/immutable/nodes/2.BQkQ_uUM.js +122 -0
  788. package/dist/web/_app/immutable/nodes/3.B4pqXsqq.js +6 -0
  789. package/dist/web/_app/immutable/nodes/4.CKXEgIAP.js +11 -0
  790. package/dist/web/_app/immutable/nodes/5.A2TASl4Q.js +1 -0
  791. package/dist/web/_app/immutable/nodes/6.DaIRO3SI.js +6 -0
  792. package/dist/web/_app/immutable/nodes/7.ga2UvFm-.js +1 -0
  793. package/dist/web/_app/immutable/nodes/8.BTEWT81u.js +1 -0
  794. package/dist/web/_app/immutable/nodes/9.BVxo0E0c.js +1 -0
  795. package/dist/web/_app/version.json +1 -1
  796. package/dist/web/favicon-16.png +0 -0
  797. package/dist/web/favicon-180.png +0 -0
  798. package/dist/web/favicon-32.png +0 -0
  799. package/dist/web/favicon-48.png +0 -0
  800. package/dist/web/favicon-512.png +0 -0
  801. package/dist/web/favicon.ico +0 -0
  802. package/dist/web/favicon.svg +8 -0
  803. package/dist/web/index.html +56 -21
  804. package/dist/web/studiograph-logomark.svg +29 -0
  805. package/package.json +35 -14
  806. package/dist/agent/skills/enrich-entities.md +0 -136
  807. package/dist/agent/skills/sync-configuration.md +0 -119
  808. package/dist/agent/skills/sync-setup.md +0 -82
  809. package/dist/agent/tools/message-tools.d.ts +0 -42
  810. package/dist/agent/tools/message-tools.js +0 -106
  811. package/dist/agent/tools/message-tools.js.map +0 -1
  812. package/dist/cli/commands/app.d.ts +0 -7
  813. package/dist/cli/commands/app.js +0 -268
  814. package/dist/cli/commands/app.js.map +0 -1
  815. package/dist/cli/commands/clear.d.ts +0 -5
  816. package/dist/cli/commands/clear.js +0 -36
  817. package/dist/cli/commands/clear.js.map +0 -1
  818. package/dist/cli/commands/collection.d.ts +0 -10
  819. package/dist/cli/commands/collection.js.map +0 -1
  820. package/dist/cli/commands/join.d.ts +0 -9
  821. package/dist/cli/commands/join.js +0 -255
  822. package/dist/cli/commands/join.js.map +0 -1
  823. package/dist/cli/commands/start.d.ts +0 -7
  824. package/dist/cli/commands/start.js +0 -584
  825. package/dist/cli/commands/start.js.map +0 -1
  826. package/dist/cli/commands/update.d.ts +0 -8
  827. package/dist/cli/commands/update.js +0 -155
  828. package/dist/cli/commands/update.js.map +0 -1
  829. package/dist/cli/commands/user.d.ts +0 -7
  830. package/dist/cli/commands/user.js +0 -175
  831. package/dist/cli/commands/user.js.map +0 -1
  832. package/dist/cli/scaffolding.d.ts +0 -12
  833. package/dist/cli/scaffolding.js +0 -397
  834. package/dist/cli/scaffolding.js.map +0 -1
  835. package/dist/integrations/registry.d.ts +0 -8
  836. package/dist/integrations/registry.js +0 -7
  837. package/dist/integrations/registry.js.map +0 -1
  838. package/dist/integrations/types.d.ts +0 -43
  839. package/dist/integrations/types.js +0 -5
  840. package/dist/integrations/types.js.map +0 -1
  841. package/dist/lib/lib/utils.d.ts +0 -2
  842. package/dist/lib/lib/utils.js +0 -6
  843. package/dist/lib/lib/utils.js.map +0 -1
  844. package/dist/server/chrome/chrome.css +0 -691
  845. package/dist/server/chrome/chrome.js +0 -374
  846. package/dist/server/commit-scheduler.d.ts +0 -39
  847. package/dist/server/commit-scheduler.js +0 -113
  848. package/dist/server/commit-scheduler.js.map +0 -1
  849. package/dist/server/plugin-loader.d.ts +0 -53
  850. package/dist/server/plugin-loader.js +0 -155
  851. package/dist/server/plugin-loader.js.map +0 -1
  852. package/dist/server/routes/meeting-ingest-api.d.ts +0 -14
  853. package/dist/server/routes/meeting-ingest-api.js.map +0 -1
  854. package/dist/server/routes/messages-api.d.ts +0 -15
  855. package/dist/server/routes/messages-api.js +0 -385
  856. package/dist/server/routes/messages-api.js.map +0 -1
  857. package/dist/services/batch-processor.d.ts +0 -49
  858. package/dist/services/batch-processor.js +0 -166
  859. package/dist/services/batch-processor.js.map +0 -1
  860. package/dist/services/briefing.d.ts +0 -26
  861. package/dist/services/briefing.js +0 -230
  862. package/dist/services/briefing.js.map +0 -1
  863. package/dist/services/heartbeat.d.ts +0 -28
  864. package/dist/services/heartbeat.js +0 -183
  865. package/dist/services/heartbeat.js.map +0 -1
  866. package/dist/services/image-import-service.d.ts +0 -24
  867. package/dist/services/image-import-service.js +0 -108
  868. package/dist/services/image-import-service.js.map +0 -1
  869. package/dist/services/insights.d.ts +0 -38
  870. package/dist/services/insights.js +0 -269
  871. package/dist/services/insights.js.map +0 -1
  872. package/dist/services/meeting-processor.js.map +0 -1
  873. package/dist/services/message-service.d.ts +0 -68
  874. package/dist/services/message-service.js +0 -220
  875. package/dist/services/message-service.js.map +0 -1
  876. package/dist/utils/workspace-config.d.ts +0 -8
  877. package/dist/utils/workspace-config.js +0 -22
  878. package/dist/utils/workspace-config.js.map +0 -1
  879. package/dist/web/_app/immutable/assets/0.uPSqtsC5.css +0 -1
  880. package/dist/web/_app/immutable/assets/11.2jzI3cZY.css +0 -1
  881. package/dist/web/_app/immutable/assets/12.CT4xL4K3.css +0 -1
  882. package/dist/web/_app/immutable/assets/13.BUrHkYry.css +0 -1
  883. package/dist/web/_app/immutable/assets/2.DpQWr6q6.css +0 -1
  884. package/dist/web/_app/immutable/assets/3.BxdqT7zi.css +0 -1
  885. package/dist/web/_app/immutable/assets/4.DdNqjd0T.css +0 -1
  886. package/dist/web/_app/immutable/assets/5.DFeGxLYf.css +0 -1
  887. package/dist/web/_app/immutable/assets/6.DXZr_rI_.css +0 -1
  888. package/dist/web/_app/immutable/assets/GraphView.D9ePpZez.css +0 -1
  889. package/dist/web/_app/immutable/assets/Toaster.rN8r_Hzv.css +0 -1
  890. package/dist/web/_app/immutable/assets/ViewToolbar.BWE03S64.css +0 -1
  891. package/dist/web/_app/immutable/assets/WorkspaceView.CgGDi_Zb.css +0 -1
  892. package/dist/web/_app/immutable/assets/wikilinks.CzMBkUMB.css +0 -1
  893. package/dist/web/_app/immutable/chunks/-jG4Obyh.js +0 -4
  894. package/dist/web/_app/immutable/chunks/2nrc8f_O.js +0 -1
  895. package/dist/web/_app/immutable/chunks/7S2LGqoP.js +0 -2
  896. package/dist/web/_app/immutable/chunks/8Q3ZJIYu.js +0 -1
  897. package/dist/web/_app/immutable/chunks/B8ydT5xX.js +0 -2
  898. package/dist/web/_app/immutable/chunks/BB_5th5W.js +0 -3383
  899. package/dist/web/_app/immutable/chunks/BEn6N5c2.js +0 -1
  900. package/dist/web/_app/immutable/chunks/BFNNbCAM.js +0 -1
  901. package/dist/web/_app/immutable/chunks/BFZZEUd5.js +0 -1
  902. package/dist/web/_app/immutable/chunks/BGk8kfOE.js +0 -2
  903. package/dist/web/_app/immutable/chunks/BIBCr278.js +0 -1
  904. package/dist/web/_app/immutable/chunks/BPCkkwqe.js +0 -1
  905. package/dist/web/_app/immutable/chunks/BhlvzGQx.js +0 -1
  906. package/dist/web/_app/immutable/chunks/BlMknQeF.js +0 -1
  907. package/dist/web/_app/immutable/chunks/BpjqrlCg.js +0 -1
  908. package/dist/web/_app/immutable/chunks/BrebtJNG.js +0 -18
  909. package/dist/web/_app/immutable/chunks/ByBZ7JIT.js +0 -1
  910. package/dist/web/_app/immutable/chunks/Bz0ZjVQE.js +0 -2
  911. package/dist/web/_app/immutable/chunks/BzJTZOK2.js +0 -1
  912. package/dist/web/_app/immutable/chunks/C0LVZhvn.js +0 -1
  913. package/dist/web/_app/immutable/chunks/C3uBrOS5.js +0 -1
  914. package/dist/web/_app/immutable/chunks/C8R1sDpW.js +0 -1
  915. package/dist/web/_app/immutable/chunks/CDRHrs0g.js +0 -1
  916. package/dist/web/_app/immutable/chunks/CN5_py1I.js +0 -1
  917. package/dist/web/_app/immutable/chunks/CPne482a.js +0 -1
  918. package/dist/web/_app/immutable/chunks/CSVbGg_b.js +0 -5
  919. package/dist/web/_app/immutable/chunks/CWyU-seV.js +0 -1
  920. package/dist/web/_app/immutable/chunks/CX_61fY8.js +0 -5
  921. package/dist/web/_app/immutable/chunks/CYrVHOHA.js +0 -1
  922. package/dist/web/_app/immutable/chunks/ChsiIm-E.js +0 -1
  923. package/dist/web/_app/immutable/chunks/CojKppbh.js +0 -1
  924. package/dist/web/_app/immutable/chunks/CqkleIqs.js +0 -1
  925. package/dist/web/_app/immutable/chunks/CtYLtD7K.js +0 -1
  926. package/dist/web/_app/immutable/chunks/D-HDy5qS.js +0 -1
  927. package/dist/web/_app/immutable/chunks/D5aIYSkd.js +0 -1
  928. package/dist/web/_app/immutable/chunks/DBBXARVf.js +0 -1
  929. package/dist/web/_app/immutable/chunks/DFYOFE3o.js +0 -1
  930. package/dist/web/_app/immutable/chunks/DKaafS50.js +0 -1
  931. package/dist/web/_app/immutable/chunks/DUMOo1Pn.js +0 -1
  932. package/dist/web/_app/immutable/chunks/DWX9f6AF.js +0 -1
  933. package/dist/web/_app/immutable/chunks/DY8-EONP.js +0 -1
  934. package/dist/web/_app/immutable/chunks/DkoHPElM.js +0 -1
  935. package/dist/web/_app/immutable/chunks/DnL9f0lc.js +0 -7
  936. package/dist/web/_app/immutable/chunks/DsnmJJEf.js +0 -1
  937. package/dist/web/_app/immutable/chunks/DujahU3W.js +0 -1
  938. package/dist/web/_app/immutable/chunks/FBn-ES5k.js +0 -1
  939. package/dist/web/_app/immutable/chunks/HQpwSOb3.js +0 -1
  940. package/dist/web/_app/immutable/chunks/KyjzlWRN.js +0 -2
  941. package/dist/web/_app/immutable/chunks/PPVm8Dsz.js +0 -1
  942. package/dist/web/_app/immutable/chunks/UwYfmrPx.js +0 -2
  943. package/dist/web/_app/immutable/chunks/W25ZVI8L.js +0 -2
  944. package/dist/web/_app/immutable/chunks/WSUKABI_.js +0 -1
  945. package/dist/web/_app/immutable/chunks/XjsuEnNE.js +0 -5
  946. package/dist/web/_app/immutable/chunks/ZD6ARAtb.js +0 -1
  947. package/dist/web/_app/immutable/chunks/pBTf4stg.js +0 -2
  948. package/dist/web/_app/immutable/chunks/rGIarcnp.js +0 -1
  949. package/dist/web/_app/immutable/chunks/vxEtkL8z.js +0 -1
  950. package/dist/web/_app/immutable/chunks/wDIGUaoU.js +0 -3
  951. package/dist/web/_app/immutable/entry/app.ZHiTM8WS.js +0 -2
  952. package/dist/web/_app/immutable/entry/start.C9-FfAVc.js +0 -1
  953. package/dist/web/_app/immutable/nodes/0.D92Orz8k.js +0 -2
  954. package/dist/web/_app/immutable/nodes/1.BMdyglM_.js +0 -1
  955. package/dist/web/_app/immutable/nodes/10.BilVDHSL.js +0 -1
  956. package/dist/web/_app/immutable/nodes/11.CS9E0Hic.js +0 -1
  957. package/dist/web/_app/immutable/nodes/12.D3BOxYzG.js +0 -1
  958. package/dist/web/_app/immutable/nodes/13.CClMKYtN.js +0 -1
  959. package/dist/web/_app/immutable/nodes/2.C8KKElPL.js +0 -267
  960. package/dist/web/_app/immutable/nodes/3.C5n5uiWU.js +0 -5
  961. package/dist/web/_app/immutable/nodes/4.DcGVvgiL.js +0 -11
  962. package/dist/web/_app/immutable/nodes/5.DxIjnFQO.js +0 -4
  963. package/dist/web/_app/immutable/nodes/6.lkh6kKLj.js +0 -1
  964. package/dist/web/_app/immutable/nodes/7.Bg7SbfhA.js +0 -1
  965. package/dist/web/_app/immutable/nodes/8.DcXWCNBE.js +0 -1
  966. package/dist/web/_app/immutable/nodes/9.Cefi8Jfm.js +0 -1
@@ -0,0 +1,67 @@
1
+ /**
2
+ * OAuth 2.0 Authorization Server routes
3
+ *
4
+ * Makes Studiograph's `/mcp` server connectable by Claude Desktop's Chat/Cowork
5
+ * connector pipeline (OAuth-only). Implements the minimal authorization-server
6
+ * surface an MCP client drives:
7
+ *
8
+ * GET /.well-known/oauth-protected-resource[/mcp] — resource metadata
9
+ * GET /.well-known/oauth-authorization-server — AS metadata
10
+ * POST /oauth/register — Dynamic Client Registration
11
+ * GET /oauth/authorize — consent screen
12
+ * POST /oauth/authorize — consent submit → code
13
+ * POST /oauth/token — code + refresh grants
14
+ * POST /oauth/revoke — revoke a refresh token
15
+ *
16
+ * Security posture (see plan reflective-sprouting-turtle):
17
+ * - Issuer + endpoint URLs are PINNED to a configured canonical base URL,
18
+ * never the inbound Host header (metadata-spoofing defense).
19
+ * - DCR is unauthenticated (the client has no user yet) but rate-limited,
20
+ * and redirect URIs are validated (https-only, no fragments/wildcards).
21
+ * - PKCE S256 is mandatory; authorization codes are single-use, ≤60s.
22
+ * - The consent form carries an HMAC-signed blob of the authorize params
23
+ * (incl. `state` + the logged-in userId) so the POST can't be forged.
24
+ * - All values rendered into the consent HTML are escaped (DCR is attacker-
25
+ * controlled). Token responses are `Cache-Control: no-store`.
26
+ * - Access tokens are minted with `aud = <canonical>/mcp`; the global auth
27
+ * hook scopes them to `/mcp` + `/oauth/*`.
28
+ */
29
+ import type { FastifyInstance, FastifyRequest } from 'fastify';
30
+ import type { AuthService } from '../../services/auth-service.js';
31
+ interface WorkspaceConfigLike {
32
+ server_url?: unknown;
33
+ [k: string]: unknown;
34
+ }
35
+ /** Thrown when no canonical URL is pinned in a proxied/production-like deployment. */
36
+ export declare class CanonicalUrlError extends Error {
37
+ constructor();
38
+ }
39
+ /**
40
+ * Resolve the canonical public base URL for this tenant, in priority order:
41
+ * 1. STUDIOGRAPH_PUBLIC_URL env (explicit operator override)
42
+ * 2. workspace config `server_url`
43
+ * 3. RAILWAY_PUBLIC_DOMAIN env → https://<domain>
44
+ * 4. request origin (LOCAL DEV ONLY fallback)
45
+ * Trailing slash stripped. Pinning to a configured value (not the inbound
46
+ * Host header) is what prevents discovery-metadata spoofing behind a proxy.
47
+ *
48
+ * **Fails closed:** in a proxied/production-like deployment (`mustPinIssuer`)
49
+ * with no pinned value, throws `CanonicalUrlError` rather than trusting the
50
+ * (spoofable) forwarded Host. The dev fallback to request origin only applies
51
+ * locally, where there is no untrusted proxy in front.
52
+ */
53
+ export declare function resolveCanonicalBaseUrl(workspaceConfig: WorkspaceConfigLike, req: FastifyRequest): string;
54
+ /** True if a stable canonical URL is configured (not relying on the dev fallback). */
55
+ export declare function hasCanonicalUrl(workspaceConfig: WorkspaceConfigLike): boolean;
56
+ /**
57
+ * Same-origin guard for post-login `returnTo` paths. Returns the path only if
58
+ * it is a safe root-relative path on this origin, else `/`.
59
+ *
60
+ * Must reject: absolute/protocol-relative URLs (`//evil`, `https://evil`) AND
61
+ * backslash variants (`/\evil`, `/\/evil`) — browsers normalize `\` to `/` in a
62
+ * `Location` header, so `/\evil.com` becomes `//evil.com` → an off-origin
63
+ * redirect. Also reject control characters.
64
+ */
65
+ export declare function safeReturnTo(raw: string | undefined | null): string;
66
+ export declare function registerOAuthApiRoutes(fastify: FastifyInstance, authService: AuthService, workspaceConfig: WorkspaceConfigLike): Promise<void>;
67
+ export {};
@@ -0,0 +1,421 @@
1
+ /**
2
+ * OAuth 2.0 Authorization Server routes
3
+ *
4
+ * Makes Studiograph's `/mcp` server connectable by Claude Desktop's Chat/Cowork
5
+ * connector pipeline (OAuth-only). Implements the minimal authorization-server
6
+ * surface an MCP client drives:
7
+ *
8
+ * GET /.well-known/oauth-protected-resource[/mcp] — resource metadata
9
+ * GET /.well-known/oauth-authorization-server — AS metadata
10
+ * POST /oauth/register — Dynamic Client Registration
11
+ * GET /oauth/authorize — consent screen
12
+ * POST /oauth/authorize — consent submit → code
13
+ * POST /oauth/token — code + refresh grants
14
+ * POST /oauth/revoke — revoke a refresh token
15
+ *
16
+ * Security posture (see plan reflective-sprouting-turtle):
17
+ * - Issuer + endpoint URLs are PINNED to a configured canonical base URL,
18
+ * never the inbound Host header (metadata-spoofing defense).
19
+ * - DCR is unauthenticated (the client has no user yet) but rate-limited,
20
+ * and redirect URIs are validated (https-only, no fragments/wildcards).
21
+ * - PKCE S256 is mandatory; authorization codes are single-use, ≤60s.
22
+ * - The consent form carries an HMAC-signed blob of the authorize params
23
+ * (incl. `state` + the logged-in userId) so the POST can't be forged.
24
+ * - All values rendered into the consent HTML are escaped (DCR is attacker-
25
+ * controlled). Token responses are `Cache-Control: no-store`.
26
+ * - Access tokens are minted with `aud = <canonical>/mcp`; the global auth
27
+ * hook scopes them to `/mcp` + `/oauth/*`.
28
+ */
29
+ import { OAuthServerStore, OAuthRegistrationError } from '../../services/oauth-server-store.js';
30
+ import { log } from '../../utils/log.js';
31
+ /** v1 ships a single full-access scope (granular scopes deferred — TODOS.md). */
32
+ const OAUTH_SCOPE = 'mcp:full';
33
+ const CONSENT_TTL_MS = 10 * 60 * 1000;
34
+ /** httpOnly cookie carrying the signed consent blob between authorize GET, the
35
+ * consent screen's context fetch, and the Allow POST. Never exposed to JS. */
36
+ const CONSENT_COOKIE = '__sg_oauth_consent';
37
+ /** Thrown when no canonical URL is pinned in a proxied/production-like deployment. */
38
+ export class CanonicalUrlError extends Error {
39
+ constructor() {
40
+ super('OAuth issuer URL is not configured (set STUDIOGRAPH_PUBLIC_URL / server_url)');
41
+ this.name = 'CanonicalUrlError';
42
+ }
43
+ }
44
+ /**
45
+ * True in a deployment where the server sits behind a proxy and the inbound
46
+ * Host header cannot be trusted. In these modes the issuer MUST be pinned to a
47
+ * configured value, or the OAuth-AS fails closed (no spoofable metadata).
48
+ */
49
+ function mustPinIssuer() {
50
+ if (process.env.NODE_ENV === 'production')
51
+ return true;
52
+ if (process.env.RAILWAY_ENVIRONMENT)
53
+ return true;
54
+ const managed = (process.env.STUDIOGRAPH_MANAGED_AUTH || '').toLowerCase();
55
+ return managed === '1' || managed === 'true' || managed === 'yes';
56
+ }
57
+ /**
58
+ * Resolve the canonical public base URL for this tenant, in priority order:
59
+ * 1. STUDIOGRAPH_PUBLIC_URL env (explicit operator override)
60
+ * 2. workspace config `server_url`
61
+ * 3. RAILWAY_PUBLIC_DOMAIN env → https://<domain>
62
+ * 4. request origin (LOCAL DEV ONLY fallback)
63
+ * Trailing slash stripped. Pinning to a configured value (not the inbound
64
+ * Host header) is what prevents discovery-metadata spoofing behind a proxy.
65
+ *
66
+ * **Fails closed:** in a proxied/production-like deployment (`mustPinIssuer`)
67
+ * with no pinned value, throws `CanonicalUrlError` rather than trusting the
68
+ * (spoofable) forwarded Host. The dev fallback to request origin only applies
69
+ * locally, where there is no untrusted proxy in front.
70
+ */
71
+ export function resolveCanonicalBaseUrl(workspaceConfig, req) {
72
+ const fromEnv = process.env.STUDIOGRAPH_PUBLIC_URL?.trim();
73
+ if (fromEnv)
74
+ return stripSlash(fromEnv);
75
+ const fromConfig = typeof workspaceConfig.server_url === 'string' ? workspaceConfig.server_url.trim() : '';
76
+ if (fromConfig)
77
+ return stripSlash(fromConfig);
78
+ const railway = process.env.RAILWAY_PUBLIC_DOMAIN?.trim();
79
+ if (railway)
80
+ return `https://${stripSlash(railway)}`;
81
+ // No pinned value. Behind a proxy this is unsafe (Host is attacker-influenced)
82
+ // — fail closed. Locally, fall back to the request origin.
83
+ if (mustPinIssuer())
84
+ throw new CanonicalUrlError();
85
+ const proto = req.headers['x-forwarded-proto'] || req.protocol || 'http';
86
+ const host = req.headers['x-forwarded-host'] || req.headers.host || req.hostname;
87
+ return stripSlash(`${proto}://${host}`);
88
+ }
89
+ /** True if a stable canonical URL is configured (not relying on the dev fallback). */
90
+ export function hasCanonicalUrl(workspaceConfig) {
91
+ return Boolean(process.env.STUDIOGRAPH_PUBLIC_URL?.trim() ||
92
+ (typeof workspaceConfig.server_url === 'string' && workspaceConfig.server_url.trim()) ||
93
+ process.env.RAILWAY_PUBLIC_DOMAIN?.trim());
94
+ }
95
+ function stripSlash(s) {
96
+ return s.replace(/\/+$/, '');
97
+ }
98
+ /**
99
+ * Same-origin guard for post-login `returnTo` paths. Returns the path only if
100
+ * it is a safe root-relative path on this origin, else `/`.
101
+ *
102
+ * Must reject: absolute/protocol-relative URLs (`//evil`, `https://evil`) AND
103
+ * backslash variants (`/\evil`, `/\/evil`) — browsers normalize `\` to `/` in a
104
+ * `Location` header, so `/\evil.com` becomes `//evil.com` → an off-origin
105
+ * redirect. Also reject control characters.
106
+ */
107
+ export function safeReturnTo(raw) {
108
+ if (!raw || typeof raw !== 'string')
109
+ return '/';
110
+ if (!raw.startsWith('/'))
111
+ return '/'; // must be root-relative
112
+ if (raw.startsWith('//'))
113
+ return '/'; // protocol-relative -> off-origin
114
+ if (raw.includes('\\'))
115
+ return '/'; // backslash -> browser-normalized off-origin
116
+ // eslint-disable-next-line no-control-regex
117
+ if (/[\x00-\x1f\x7f]/.test(raw))
118
+ return '/'; // control chars
119
+ return raw;
120
+ }
121
+ function redirectError(reply, redirectUri, error, state, description) {
122
+ const url = new URL(redirectUri);
123
+ url.searchParams.set('error', error);
124
+ if (description)
125
+ url.searchParams.set('error_description', description);
126
+ if (state)
127
+ url.searchParams.set('state', state);
128
+ reply.redirect(url.toString());
129
+ }
130
+ function noStore(reply) {
131
+ reply.header('Cache-Control', 'no-store');
132
+ reply.header('Pragma', 'no-cache');
133
+ }
134
+ export async function registerOAuthApiRoutes(fastify, authService, workspaceConfig) {
135
+ const store = authService.oauthServer;
136
+ const allowLoopback = process.env.NODE_ENV !== 'production';
137
+ // Boot-time check: managed tenants must have a pinned canonical URL, else
138
+ // discovery metadata would fall back to the spoofable request origin.
139
+ if (!hasCanonicalUrl(workspaceConfig)) {
140
+ const managed = (process.env.STUDIOGRAPH_MANAGED_AUTH || '').toLowerCase();
141
+ const isManaged = managed === '1' || managed === 'true' || managed === 'yes';
142
+ const msg = '[oauth-as] No canonical public URL configured (STUDIOGRAPH_PUBLIC_URL / server_url / RAILWAY_PUBLIC_DOMAIN). OAuth discovery metadata will use the request origin.';
143
+ if (isManaged)
144
+ log.warn(`${msg} This is unsafe on a managed/proxied tenant.`);
145
+ else
146
+ log.info(`${msg} OK for local dev.`);
147
+ }
148
+ const resourceUrl = (base) => `${base}/mcp`;
149
+ // Resolve the pinned canonical base URL, or fail closed: in a proxied/
150
+ // production-like deployment with no pinned URL we return null + send 503
151
+ // rather than emit spoofable metadata built from the inbound Host header.
152
+ const requireCanonical = (req, reply) => {
153
+ try {
154
+ return resolveCanonicalBaseUrl(workspaceConfig, req);
155
+ }
156
+ catch (err) {
157
+ if (err instanceof CanonicalUrlError) {
158
+ log.error('[oauth-as] refusing OAuth request: no canonical issuer URL configured');
159
+ reply.status(503).send({ error: 'server_error', error_description: 'issuer not configured' });
160
+ return null;
161
+ }
162
+ throw err;
163
+ }
164
+ };
165
+ // ── Discovery: protected-resource metadata (RFC 9728) ──
166
+ // Serve both the root and the `/mcp`-suffixed form — MCP clients differ on
167
+ // which they fetch (the SDK's helper suffixes the resource path).
168
+ const protectedResource = (req, reply) => {
169
+ const base = requireCanonical(req, reply);
170
+ if (!base)
171
+ return;
172
+ reply.send({
173
+ resource: resourceUrl(base),
174
+ authorization_servers: [base],
175
+ });
176
+ };
177
+ fastify.get('/.well-known/oauth-protected-resource', protectedResource);
178
+ fastify.get('/.well-known/oauth-protected-resource/mcp', protectedResource);
179
+ // ── Discovery: authorization-server metadata (RFC 8414) ──
180
+ fastify.get('/.well-known/oauth-authorization-server', (req, reply) => {
181
+ const base = requireCanonical(req, reply);
182
+ if (!base)
183
+ return;
184
+ reply.send({
185
+ issuer: base,
186
+ authorization_endpoint: `${base}/oauth/authorize`,
187
+ token_endpoint: `${base}/oauth/token`,
188
+ registration_endpoint: `${base}/oauth/register`,
189
+ revocation_endpoint: `${base}/oauth/revoke`,
190
+ response_types_supported: ['code'],
191
+ grant_types_supported: ['authorization_code', 'refresh_token'],
192
+ code_challenge_methods_supported: ['S256'],
193
+ token_endpoint_auth_methods_supported: ['none'],
194
+ scopes_supported: [OAUTH_SCOPE],
195
+ });
196
+ });
197
+ // ── Dynamic Client Registration (RFC 7591) ──
198
+ fastify.post('/oauth/register', { config: { rateLimit: { max: 10, timeWindow: '1 hour' } } }, (req, reply) => {
199
+ const body = (req.body ?? {});
200
+ try {
201
+ const client = store.registerClient({ client_name: body.client_name ?? '', redirect_uris: body.redirect_uris ?? [] }, { allowLoopback });
202
+ noStore(reply);
203
+ reply.status(201).send({
204
+ client_id: client.client_id,
205
+ client_name: client.client_name,
206
+ redirect_uris: client.redirect_uris,
207
+ token_endpoint_auth_method: 'none',
208
+ grant_types: ['authorization_code', 'refresh_token'],
209
+ response_types: ['code'],
210
+ });
211
+ }
212
+ catch (err) {
213
+ if (err instanceof OAuthRegistrationError) {
214
+ log.warn(`[oauth-as] registration rejected: ${err.code} ${err.message}`);
215
+ return reply.status(400).send({ error: err.code, error_description: err.message });
216
+ }
217
+ throw err;
218
+ }
219
+ });
220
+ // ── Authorization endpoint — consent screen (GET) ──
221
+ // The global auth hook resolves the logged-in user (cookie) BEFORE this runs,
222
+ // and bounces to /login?returnTo= when there's none. We re-assert that here
223
+ // as defense-in-depth.
224
+ fastify.get('/oauth/authorize', { config: { rateLimit: { max: 60, timeWindow: '1 minute' } } }, (req, reply) => {
225
+ const user = req.user;
226
+ const q = req.query;
227
+ const base = requireCanonical(req, reply);
228
+ if (!base)
229
+ return;
230
+ if (!user) {
231
+ const returnTo = `/oauth/authorize${req.raw.url?.includes('?') ? req.raw.url.slice(req.raw.url.indexOf('?')) : ''}`;
232
+ return reply.redirect(`/login?returnTo=${encodeURIComponent(safeReturnTo(returnTo))}`);
233
+ }
234
+ const clientId = q.client_id ?? '';
235
+ const redirectUri = q.redirect_uri ?? '';
236
+ const client = store.getClient(clientId);
237
+ // Client / redirect_uri problems must NOT redirect to the (untrusted)
238
+ // client redirect_uri (open-redirect risk, RFC 6749 §4.1.2.1). Bounce to
239
+ // our OWN branded consent page in its error state instead — same-origin,
240
+ // so no open-redirect concern.
241
+ if (!client || !redirectUri || !store.clientAllowsRedirect(clientId, redirectUri)) {
242
+ log.warn(`[oauth-as] authorize rejected: bad client_id/redirect_uri (client=${clientId})`);
243
+ return reply.redirect('/oauth/consent?error=invalid_request');
244
+ }
245
+ const state = q.state;
246
+ // From here, errors can be safely redirected back to the (validated) URI.
247
+ if (q.response_type !== 'code') {
248
+ return redirectError(reply, redirectUri, 'unsupported_response_type', state);
249
+ }
250
+ if (q.code_challenge_method && q.code_challenge_method !== 'S256') {
251
+ return redirectError(reply, redirectUri, 'invalid_request', state, 'code_challenge_method must be S256');
252
+ }
253
+ if (!q.code_challenge) {
254
+ return redirectError(reply, redirectUri, 'invalid_request', state, 'code_challenge (PKCE) required');
255
+ }
256
+ if (q.resource && q.resource !== resourceUrl(base)) {
257
+ return redirectError(reply, redirectUri, 'invalid_target', state, 'unknown resource');
258
+ }
259
+ // Bind the authorize params + the logged-in user into a signed blob the
260
+ // POST handler will verify. Includes `state` so it can't be substituted.
261
+ const consent = store.signConsent({
262
+ client_id: clientId,
263
+ redirect_uri: redirectUri,
264
+ code_challenge: q.code_challenge,
265
+ scope: OAUTH_SCOPE,
266
+ resource: resourceUrl(base),
267
+ userId: user.id,
268
+ state: state ?? '',
269
+ });
270
+ // Hand off to the branded SvelteKit consent screen. The signed blob rides
271
+ // in an httpOnly cookie (never the DOM): the consent page only fetches
272
+ // display fields from /api/oauth/consent-context, and the Allow POST reads
273
+ // the blob back from this cookie. Short TTL matches the signer's window.
274
+ reply.setCookie(CONSENT_COOKIE, consent, {
275
+ path: '/',
276
+ httpOnly: true,
277
+ sameSite: 'lax',
278
+ secure: req.headers['x-forwarded-proto'] === 'https',
279
+ maxAge: CONSENT_TTL_MS / 1000,
280
+ });
281
+ return reply.redirect('/oauth/consent');
282
+ });
283
+ // ── Consent display context (for the SvelteKit consent screen) ──
284
+ // Session-authed (global hook sets req.user). Returns ONLY display fields
285
+ // resolved from the httpOnly consent cookie — never the signed blob itself.
286
+ fastify.get('/api/oauth/consent-context', (req, reply) => {
287
+ noStore(reply);
288
+ const user = req.user;
289
+ if (!user)
290
+ return reply.status(401).send({ error: 'login_required' });
291
+ const raw = req.cookies?.[CONSENT_COOKIE];
292
+ const payload = raw ? store.verifyConsent(raw) : null;
293
+ if (!payload || payload.userId !== user.id) {
294
+ return reply.status(410).send({ error: 'consent_expired' });
295
+ }
296
+ const client = store.getClient(String(payload.client_id));
297
+ if (!client || !store.clientAllowsRedirect(client.client_id, String(payload.redirect_uri))) {
298
+ return reply.status(410).send({ error: 'invalid_client' });
299
+ }
300
+ let redirectHost = String(payload.redirect_uri);
301
+ try {
302
+ redirectHost = new URL(String(payload.redirect_uri)).host;
303
+ }
304
+ catch { /* keep raw */ }
305
+ return reply.send({
306
+ client_name: client.client_name,
307
+ redirect_host: redirectHost,
308
+ scope: String(payload.scope ?? OAUTH_SCOPE),
309
+ user_label: user.displayName || user.email,
310
+ });
311
+ });
312
+ // ── Authorization endpoint — consent submit (POST) ──
313
+ // The signed blob comes from the httpOnly consent cookie (set by the GET
314
+ // handler), NOT a form field — the browser only submits `decision`. A
315
+ // cross-site POST can't carry the Lax cookie, so this is CSRF-safe.
316
+ fastify.post('/oauth/authorize', { config: { rateLimit: { max: 60, timeWindow: '1 minute' } } }, (req, reply) => {
317
+ const user = req.user;
318
+ const body = (req.body ?? {});
319
+ if (!user)
320
+ return reply.status(401).send({ error: 'login_required' });
321
+ const rawConsent = req.cookies?.[CONSENT_COOKIE];
322
+ const payload = rawConsent ? store.verifyConsent(rawConsent) : null;
323
+ // Consume the cookie regardless of outcome (single-use).
324
+ reply.clearCookie(CONSENT_COOKIE, { path: '/' });
325
+ // Pre-consent failures bounce to the branded consent page's error state
326
+ // (same-origin redirect — see the GET handler).
327
+ if (!payload) {
328
+ return reply.redirect('/oauth/consent?error=expired');
329
+ }
330
+ // The signed blob must belong to THIS logged-in user.
331
+ if (payload.userId !== user.id) {
332
+ log.warn('[oauth-as] consent userId mismatch — rejecting');
333
+ return reply.redirect('/oauth/consent?error=expired');
334
+ }
335
+ const clientId = String(payload.client_id);
336
+ const redirectUri = String(payload.redirect_uri);
337
+ const state = String(payload.state ?? '');
338
+ // Re-check the client + redirect_uri still valid (could have changed/been
339
+ // deleted between the GET render and this POST).
340
+ if (!store.clientAllowsRedirect(clientId, redirectUri)) {
341
+ return reply.redirect('/oauth/consent?error=invalid_request');
342
+ }
343
+ if (body.decision !== 'allow') {
344
+ return redirectError(reply, redirectUri, 'access_denied', state || undefined);
345
+ }
346
+ const code = store.saveCode({
347
+ client_id: clientId,
348
+ user_id: user.id,
349
+ redirect_uri: redirectUri,
350
+ code_challenge: String(payload.code_challenge),
351
+ scope: String(payload.scope ?? OAUTH_SCOPE),
352
+ resource: String(payload.resource),
353
+ });
354
+ const url = new URL(redirectUri);
355
+ url.searchParams.set('code', code);
356
+ if (state)
357
+ url.searchParams.set('state', state);
358
+ reply.redirect(url.toString());
359
+ });
360
+ // ── Token endpoint ──
361
+ fastify.post('/oauth/token', { config: { rateLimit: { max: 30, timeWindow: '1 minute' } } }, (req, reply) => {
362
+ noStore(reply);
363
+ const body = (req.body ?? {});
364
+ const base = requireCanonical(req, reply);
365
+ if (!base)
366
+ return;
367
+ // Opportunistic GC on this low-frequency endpoint (never per-request).
368
+ store.gcStale();
369
+ const grant = body.grant_type;
370
+ if (grant === 'authorization_code') {
371
+ const { code, code_verifier, redirect_uri, client_id } = body;
372
+ if (!code || !code_verifier || !redirect_uri || !client_id) {
373
+ return reply.status(400).send({ error: 'invalid_request' });
374
+ }
375
+ const consumed = store.consumeCode(code);
376
+ if (!consumed)
377
+ return reply.status(400).send({ error: 'invalid_grant' });
378
+ if (consumed.client_id !== client_id || consumed.redirect_uri !== redirect_uri) {
379
+ return reply.status(400).send({ error: 'invalid_grant' });
380
+ }
381
+ if (!OAuthServerStore.verifyPkce(consumed.code_challenge, code_verifier)) {
382
+ return reply.status(400).send({ error: 'invalid_grant', error_description: 'PKCE verification failed' });
383
+ }
384
+ const user = authService.findUserById(consumed.user_id);
385
+ if (!user)
386
+ return reply.status(400).send({ error: 'invalid_grant' });
387
+ const tokens = store.issueTokens(user, consumed.client_id, consumed.scope, consumed.resource);
388
+ return reply.send(tokens);
389
+ }
390
+ if (grant === 'refresh_token') {
391
+ const { refresh_token, client_id } = body;
392
+ // Public clients MUST identify themselves (RFC 6749 §3.2.1). Require
393
+ // client_id and validate it BEFORE the token is consumed, so a stolen
394
+ // refresh token presented with the wrong client_id can't grief the
395
+ // victim's grant into invalidation (rotation deletes the old token).
396
+ if (!refresh_token || !client_id)
397
+ return reply.status(400).send({ error: 'invalid_request' });
398
+ const rotated = store.rotateRefreshToken(refresh_token, client_id);
399
+ if (!rotated)
400
+ return reply.status(400).send({ error: 'invalid_grant' });
401
+ const access_token = store.createAccessToken(rotated.user, rotated.clientId, resourceUrl(base));
402
+ return reply.send({
403
+ access_token,
404
+ refresh_token: rotated.refreshToken,
405
+ token_type: 'Bearer',
406
+ expires_in: 3600,
407
+ scope: rotated.scope,
408
+ });
409
+ }
410
+ return reply.status(400).send({ error: 'unsupported_grant_type' });
411
+ });
412
+ // ── Revocation (RFC 7009) — always 200, no token-scanning oracle ──
413
+ fastify.post('/oauth/revoke', { config: { rateLimit: { max: 30, timeWindow: '1 minute' } } }, (req, reply) => {
414
+ noStore(reply);
415
+ const body = (req.body ?? {});
416
+ if (body.token)
417
+ store.revokeRefreshToken(body.token);
418
+ reply.status(200).send({});
419
+ });
420
+ }
421
+ //# sourceMappingURL=oauth-api.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"oauth-api.js","sourceRoot":"","sources":["../../../src/server/routes/oauth-api.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAIH,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,sCAAsC,CAAC;AAChG,OAAO,EAAE,GAAG,EAAE,MAAM,oBAAoB,CAAC;AAEzC,iFAAiF;AACjF,MAAM,WAAW,GAAG,UAAU,CAAC;AAC/B,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACtC;+EAC+E;AAC/E,MAAM,cAAc,GAAG,oBAAoB,CAAC;AAO5C,sFAAsF;AACtF,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C;QACE,KAAK,CAAC,8EAA8E,CAAC,CAAC;QACtF,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;;;GAIG;AACH,SAAS,aAAa;IACpB,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC3E,OAAO,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,KAAK,CAAC;AACpE,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB,CAAC,eAAoC,EAAE,GAAmB;IAC/F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IAC3D,IAAI,OAAO;QAAE,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,OAAO,eAAe,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3G,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC;IAE9C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAAC;IAC1D,IAAI,OAAO;QAAE,OAAO,WAAW,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;IAErD,+EAA+E;IAC/E,2DAA2D;IAC3D,IAAI,aAAa,EAAE;QAAE,MAAM,IAAI,iBAAiB,EAAE,CAAC;IACnD,MAAM,KAAK,GAAI,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAY,IAAI,GAAG,CAAC,QAAQ,IAAI,MAAM,CAAC;IACrF,MAAM,IAAI,GAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAY,IAAK,GAAG,CAAC,OAAO,CAAC,IAAe,IAAI,GAAG,CAAC,QAAQ,CAAC;IACzG,OAAO,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,sFAAsF;AACtF,MAAM,UAAU,eAAe,CAAC,eAAoC;IAClE,OAAO,OAAO,CACZ,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE;QAC1C,CAAC,OAAO,eAAe,CAAC,UAAU,KAAK,QAAQ,IAAI,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACrF,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,EAAE,CAC1C,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,GAA8B;IACzD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IAChD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAK,wBAAwB;IAClE,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC,CAAK,kCAAkC;IAC5E,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC,CAAO,6CAA6C;IACvF,4CAA4C;IAC5C,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,CAAC,gBAAgB;IAC7D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,aAAa,CAAC,KAAmB,EAAE,WAAmB,EAAE,KAAa,EAAE,KAAyB,EAAE,WAAoB;IAC7H,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACjC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,IAAI,WAAW;QAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAC;IACxE,IAAI,KAAK;QAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAChD,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,OAAO,CAAC,KAAmB;IAClC,KAAK,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAC1C,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAwB,EACxB,WAAwB,EACxB,eAAoC;IAEpC,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC;IACtC,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAE5D,0EAA0E;IAC1E,sEAAsE;IACtE,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3E,MAAM,SAAS,GAAG,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,KAAK,CAAC;QAC7E,MAAM,GAAG,GAAG,oKAAoK,CAAC;QACjL,IAAI,SAAS;YAAE,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,8CAA8C,CAAC,CAAC;;YACzE,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,oBAAoB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,IAAY,EAAE,EAAE,CAAC,GAAG,IAAI,MAAM,CAAC;IACpD,uEAAuE;IACvE,0EAA0E;IAC1E,0EAA0E;IAC1E,MAAM,gBAAgB,GAAG,CAAC,GAAmB,EAAE,KAAmB,EAAiB,EAAE;QACnF,IAAI,CAAC;YACH,OAAO,uBAAuB,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;gBACrC,GAAG,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAC;gBACnF,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC,CAAC;gBAC9F,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;IAEF,0DAA0D;IAC1D,2EAA2E;IAC3E,kEAAkE;IAClE,MAAM,iBAAiB,GAAG,CAAC,GAAmB,EAAE,KAAmB,EAAE,EAAE;QACrE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,OAAO;QAClB,KAAK,CAAC,IAAI,CAAC;YACT,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC;YAC3B,qBAAqB,EAAE,CAAC,IAAI,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,iBAAiB,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,2CAA2C,EAAE,iBAAiB,CAAC,CAAC;IAE5E,4DAA4D;IAC5D,OAAO,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACpE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,OAAO;QAClB,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,IAAI;YACZ,sBAAsB,EAAE,GAAG,IAAI,kBAAkB;YACjD,cAAc,EAAE,GAAG,IAAI,cAAc;YACrC,qBAAqB,EAAE,GAAG,IAAI,iBAAiB;YAC/C,mBAAmB,EAAE,GAAG,IAAI,eAAe;YAC3C,wBAAwB,EAAE,CAAC,MAAM,CAAC;YAClC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YAC9D,gCAAgC,EAAE,CAAC,MAAM,CAAC;YAC1C,qCAAqC,EAAE,CAAC,MAAM,CAAC;YAC/C,gBAAgB,EAAE,CAAC,WAAW,CAAC;SAChC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+CAA+C;IAC/C,OAAO,CAAC,IAAI,CACV,iBAAiB,EACjB,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE,EAC5D,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACb,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAuD,CAAC;QACpF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,KAAK,CAAC,cAAc,CACjC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,EAAE,EAAE,EAChF,EAAE,aAAa,EAAE,CAClB,CAAC;YACF,OAAO,CAAC,KAAK,CAAC,CAAC;YACf,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,0BAA0B,EAAE,MAAM;gBAClC,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;gBACpD,cAAc,EAAE,CAAC,MAAM,CAAC;aACzB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,sBAAsB,EAAE,CAAC;gBAC1C,GAAG,CAAC,IAAI,CAAC,qCAAqC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACzE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,iBAAiB,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACrF,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CACF,CAAC;IAEF,sDAAsD;IACtD,8EAA8E;IAC9E,4EAA4E;IAC5E,uBAAuB;IACvB,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC7G,MAAM,IAAI,GAAI,GAAW,CAAC,IAA4B,CAAC;QACvD,MAAM,CAAC,GAAG,GAAG,CAAC,KAA2C,CAAC;QAC1D,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,OAAO;QAElB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,QAAQ,GAAG,mBAAmB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YACpH,OAAO,KAAK,CAAC,QAAQ,CAAC,mBAAmB,kBAAkB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;QACzF,CAAC;QAED,MAAM,QAAQ,GAAG,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,CAAC,CAAC,YAAY,IAAI,EAAE,CAAC;QACzC,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEzC,sEAAsE;QACtE,yEAAyE;QACzE,yEAAyE;QACzE,+BAA+B;QAC/B,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;YAClF,GAAG,CAAC,IAAI,CAAC,qEAAqE,QAAQ,GAAG,CAAC,CAAC;YAC3F,OAAO,KAAK,CAAC,QAAQ,CAAC,sCAAsC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;QACtB,0EAA0E;QAC1E,IAAI,CAAC,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YAC/B,OAAO,aAAa,CAAC,KAAK,EAAE,WAAW,EAAE,2BAA2B,EAAE,KAAK,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,CAAC,CAAC,qBAAqB,IAAI,CAAC,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAClE,OAAO,aAAa,CAAC,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,KAAK,EAAE,oCAAoC,CAAC,CAAC;QAC3G,CAAC;QACD,IAAI,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC;YACtB,OAAO,aAAa,CAAC,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,KAAK,EAAE,gCAAgC,CAAC,CAAC;QACvG,CAAC;QACD,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,OAAO,aAAa,CAAC,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,KAAK,EAAE,kBAAkB,CAAC,CAAC;QACxF,CAAC;QAED,wEAAwE;QACxE,yEAAyE;QACzE,MAAM,OAAO,GAAG,KAAK,CAAC,WAAW,CAAC;YAChC,SAAS,EAAE,QAAQ;YACnB,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,CAAC,CAAC,cAAc;YAChC,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC;YAC3B,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,KAAK,EAAE,KAAK,IAAI,EAAE;SACnB,CAAC,CAAC;QAEH,0EAA0E;QAC1E,uEAAuE;QACvE,2EAA2E;QAC3E,yEAAyE;QACzE,KAAK,CAAC,SAAS,CAAC,cAAc,EAAE,OAAO,EAAE;YACvC,IAAI,EAAE,GAAG;YACT,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,KAAK,OAAO;YACpD,MAAM,EAAE,cAAc,GAAG,IAAI;SAC9B,CAAC,CAAC;QACH,OAAO,KAAK,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,mEAAmE;IACnE,0EAA0E;IAC1E,4EAA4E;IAC5E,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACvD,OAAO,CAAC,KAAK,CAAC,CAAC;QACf,MAAM,IAAI,GAAI,GAAW,CAAC,IAA4B,CAAC;QACvD,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACtE,MAAM,GAAG,GAAI,GAAG,CAAC,OAA8C,EAAE,CAAC,cAAc,CAAC,CAAC;QAClF,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACtD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;YAC3C,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YAC3F,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAChD,IAAI,CAAC;YAAC,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;QAC3F,OAAO,KAAK,CAAC,IAAI,CAAC;YAChB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,aAAa,EAAE,YAAY;YAC3B,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,WAAW,CAAC;YAC3C,UAAU,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,KAAK;SAC3C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,uDAAuD;IACvD,yEAAyE;IACzE,sEAAsE;IACtE,oEAAoE;IACpE,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC9G,MAAM,IAAI,GAAI,GAAW,CAAC,IAA4B,CAAC;QACvD,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA0B,CAAC;QACvD,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAEtE,MAAM,UAAU,GAAI,GAAG,CAAC,OAA8C,EAAE,CAAC,cAAc,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACpE,yDAAyD;QACzD,KAAK,CAAC,WAAW,CAAC,cAAc,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;QACjD,wEAAwE;QACxE,gDAAgD;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,QAAQ,CAAC,8BAA8B,CAAC,CAAC;QACxD,CAAC;QACD,sDAAsD;QACtD,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;YAC/B,GAAG,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC3D,OAAO,KAAK,CAAC,QAAQ,CAAC,8BAA8B,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC3C,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QAE1C,0EAA0E;QAC1E,iDAAiD;QACjD,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC,QAAQ,CAAC,sCAAsC,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC9B,OAAO,aAAa,CAAC,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,KAAK,IAAI,SAAS,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC;YAC1B,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,YAAY,EAAE,WAAW;YACzB,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC;YAC9C,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,WAAW,CAAC;YAC3C,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;SACnC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACjC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACnC,IAAI,KAAK;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAChD,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC1G,OAAO,CAAC,KAAK,CAAC,CAAC;QACf,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAuC,CAAC;QACpE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,OAAO;QAClB,uEAAuE;QACvE,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC;QAC9B,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;YAC9D,IAAI,CAAC,IAAI,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC3D,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YACzE,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS,IAAI,QAAQ,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;gBAC/E,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YAC5D,CAAC;YACD,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,QAAQ,CAAC,cAAc,EAAE,aAAa,CAAC,EAAE,CAAC;gBACzE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC3G,CAAC;YACD,MAAM,IAAI,GAAG,WAAW,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACxD,IAAI,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YACrE,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC9F,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;YAC1C,qEAAqE;YACrE,sEAAsE;YACtE,mEAAmE;YACnE,qEAAqE;YACrE,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAC9F,MAAM,OAAO,GAAG,KAAK,CAAC,kBAAkB,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YACxE,MAAM,YAAY,GAAG,KAAK,CAAC,iBAAiB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;YAChG,OAAO,KAAK,CAAC,IAAI,CAAC;gBAChB,YAAY;gBACZ,aAAa,EAAE,OAAO,CAAC,YAAY;gBACnC,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,OAAO,CAAC,KAAK;aACrB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,qEAAqE;IACrE,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QAC3G,OAAO,CAAC,KAAK,CAAC,CAAC;QACf,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAuB,CAAC;QACpD,IAAI,IAAI,CAAC,KAAK;YAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC"}
@@ -1,8 +1,15 @@
1
1
  /**
2
2
  * Permissions API routes
3
3
  *
4
- * Self-hosted per-collection access management backed by AuthService.
5
- * All endpoints require admin role.
4
+ * Per-folder membership management. Only folder admins (member with
5
+ * role='admin') can grant/revoke access to their folder; workspace
6
+ * ownership alone does NOT confer folder-admin rights, so owners can't
7
+ * push users into private folders they aren't members of. The list of
8
+ * folders returned by GET /api/permissions/folders is scoped by
9
+ * `isFolderAdminOrOwner` so workspace owners see shared folders they
10
+ * can oversee, but solo/private folders of other users stay hidden
11
+ * (matching the AGENTS.md rule that privacy holds even against the
12
+ * workspace owner).
6
13
  */
7
14
  import type { FastifyInstance } from 'fastify';
8
15
  import { AuthService } from '../../services/auth-service.js';