visionclaw 0.1.187-beta.9 → 0.1.187

package/CHANGELOG.md

@@ -1,3 +1,48 @@
+## [0.1.187](https://github.com/babelcloud/visionclaw/compare/v0.1.186...v0.1.187) (2026-04-24)
+
+### Bug Fixes
+
+* remove @latest from Playwright MCP to use local PATH resolution ([c56fd95](https://github.com/babelcloud/visionclaw/commit/c56fd95ed8ab40804a57bc6c478e7e7dada62bfd))
+* also prepend node_modules/.bin to PATH for Playwright MCP server ([657ab9b](https://github.com/babelcloud/visionclaw/commit/657ab9b7e0611848e0f7de9838b041108c7b3079))
+* use npx with PATH set to package's node_modules/.bin ([8fb8c1e](https://github.com/babelcloud/visionclaw/commit/8fb8c1e147672ab640660a3e1398a62a3f8760de))
+* resolve Playwriter MCP server path with createRequire instead of npx ([28924ff](https://github.com/babelcloud/visionclaw/commit/28924ffaa56b9f210d048d6e8693bb415a30bb9e))
+* correct laptop battery power management in prepare-mac ([30e27ff](https://github.com/babelcloud/visionclaw/commit/30e27ffe8fbaa6610cb35dd2c677167f782b5cef))
+* differentiate default effort by session type (coding=high, general=medium) ([77c65d2](https://github.com/babelcloud/visionclaw/commit/77c65d231dd91b96e3ea697a638aaf954e9322fb))
+* change default reasoning effort from high to medium ([3c411a8](https://github.com/babelcloud/visionclaw/commit/3c411a8f48b586ed9246b7283ce048dd2aa66dde))
+* **onboarding:** include runtime node_modules targets for Next standalone ([49fffd7](https://github.com/babelcloud/visionclaw/commit/49fffd7daff3a6733cfb6ef83576a31be7f3f63e))
+* **onboarding:** restore deploy build after lockfile removal ([05a2d7d](https://github.com/babelcloud/visionclaw/commit/05a2d7d25205257b21fc54c76fe73c3fff38b4b9))
+* **test:** restore darwin platform stubs for browser backend detection ([1ee1162](https://github.com/babelcloud/visionclaw/commit/1ee11627248f49e8035737eabcab83923b358579))
+* **onboarding:** preserve manually managed remote access on register updates ([665c5b4](https://github.com/babelcloud/visionclaw/commit/665c5b489806decbaba122c767cdf9367ca99e29))
+* **onboarding:** avoid nullable entries in remote access payload conversion ([16c51cc](https://github.com/babelcloud/visionclaw/commit/16c51ccb98d289b434225773b3b1264e220483ab))
+* enqueue system message after /refresh compaction ([16f58bf](https://github.com/babelcloud/visionclaw/commit/16f58bf53d098168121675a5df64a1aee0d651e2))
+* increase LLM stream silence timeouts from [60,120,180]s to [180,240,300]s ([125c8e7](https://github.com/babelcloud/visionclaw/commit/125c8e735b40750e5db968c2734b36fcbbf42183))
+* **onboarding:** sync agent avatar from profile image ([e570d2b](https://github.com/babelcloud/visionclaw/commit/e570d2bd7694a69135d9e73eafa265f09410ba13))
+* destructure ownerConfig from deps to fix lint errors ([271431e](https://github.com/babelcloud/visionclaw/commit/271431e2193235faf20548d66585c18ee87fcf86))
+* remove OBS server and tunnel from /status healthchecks ([dd64288](https://github.com/babelcloud/visionclaw/commit/dd64288bbe8fa90fb38bb3bb47b2314f7ea35e6a))
+
+### Features
+
+* fall back to Playwright when Playwriter relay is unreachable ([886ae88](https://github.com/babelcloud/visionclaw/commit/886ae88a62357d1704d2112f0da7bf6b991e6984))
+* add fallback wallpaper row and improve font handling ([571b5c2](https://github.com/babelcloud/visionclaw/commit/571b5c2e06fb9c0d75f34ce19dd5993895a7280b))
+* **onboarding:** improve machine remote access management ([5f50b96](https://github.com/babelcloud/visionclaw/commit/5f50b9697376c25123ad5c3311ed484ddc4cf7d6))
+* implement Chrome session management for Playwriter ([856e8db](https://github.com/babelcloud/visionclaw/commit/856e8db1b3166289c7d46ace568e5661dca6c44f))
+* enhance dual browser backend detection and update UI labels for Playwriter ([43c615f](https://github.com/babelcloud/visionclaw/commit/43c615f6bff5a2e695463fd1ebb343e572e1f39f))
+* add CLI maintenance commands (ctx status, ctx compact, agent status) (#218) ([989c14b](https://github.com/babelcloud/visionclaw/commit/989c14b3e1a627b7a54663a6be0796df80038518))
+* **onboarding:** support multi-software remote access credentials ([af3d489](https://github.com/babelcloud/visionclaw/commit/af3d4894e4fb5d85daac073892679204beadca3b))
+* send "back online" notification after agent restart ([aa8b8e7](https://github.com/babelcloud/visionclaw/commit/aa8b8e740f26d59653fc5bf4d67db4c5fc40773b))
+* reduce thinking effort on silence timeout retries ([931455a](https://github.com/babelcloud/visionclaw/commit/931455a131c1b663022e4506a3d6c3d7811a0eaa))
+* Enhance memory tracking and recall ([a911451](https://github.com/babelcloud/visionclaw/commit/a911451280ce7ac795153aec5426f4fc5008ee5a))
+* Implement subagent tracking and reporting in ActivityTracker ([4ace786](https://github.com/babelcloud/visionclaw/commit/4ace7860e64e0af80f32914451d38e0a9468b234))
+* Enhance /refresh command handling and session management ([0a17d9a](https://github.com/babelcloud/visionclaw/commit/0a17d9a0e033e355f17855548a385187f07ffbb8))
+* Support language and timezone settings ([7fd7036](https://github.com/babelcloud/visionclaw/commit/7fd70361f1cc29f1b8ef74d7d3bcb9a80bb2de56))
+* **onboarding:** constrain machine status editing and lock serial updates ([e97c6f2](https://github.com/babelcloud/visionclaw/commit/e97c6f27af3a9d2f9982326f8180deaf200340fa))
+* **onboarding:** add TLS certificate check to Tunnel/DNS tab ([3bb8318](https://github.com/babelcloud/visionclaw/commit/3bb8318cfeac9939f1eae79d1df77fc6f45e44fa))
+* add /set command for language + timezone, and onboarding preferences ([b1fae91](https://github.com/babelcloud/visionclaw/commit/b1fae91ee878edb1fd542174864402f65c5343b6))
+* add i18n support for system messages (en + zh) ([a9d16c2](https://github.com/babelcloud/visionclaw/commit/a9d16c21703834a9e795a0b6127f73e79bbee50f))
+* auto-detect Playwriter extension and enable prepare-mac install step ([74db129](https://github.com/babelcloud/visionclaw/commit/74db1293edcad67b36b1724b9e327182a265e397))
+* add dual browser backend support (Playwright CDP + Playwriter Extension) ([88620b0](https://github.com/babelcloud/visionclaw/commit/88620b04dc768daefb7bc871d1db0106652ad5b7))
+
+
 ## [0.1.186](https://github.com/babelcloud/visionclaw/compare/v0.1.185...v0.1.186) (2026-04-22)
 
 

package/dist/agent/applied-credential-signature.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Applied-credential signature manifest.
+ *
+ * Persisted alongside materialised tunnel credentials at
+ * `<profileTunnelDir>/.applied-signature.json`. Records the signature
+ * the server handed us with the last bundle we successfully applied.
+ *
+ * The manifest is the *only* piece of state the agent has to remember
+ * across process restarts about credential bundles — everything else
+ * (creds JSON, config.yml) is reconstructable from a fresh server
+ * delivery. The signature is opaque to us; we just echo it back on the
+ * next heartbeat so the server can decide whether to re-ship the body.
+ *
+ * Self-healing properties (intentional):
+ *   - Manifest missing on disk → no signature sent → server sends
+ *     bundle → we re-apply and rewrite the manifest. Recovers any
+ *     install where the manifest was deleted but credentials weren't,
+ *     or vice versa.
+ *   - Manifest present but probe says no live tunnel files → we treat
+ *     the manifest as unusable (return null from `loadIfValid`), the
+ *     next heartbeat goes signature-free, the server re-ships the
+ *     bundle, and we land back in a coherent state.
+ *   - Process restart with everything intact → manifest signature is
+ *     sent on the startup heartbeat, server replies with no
+ *     `credentialBundle`, no disk writes, no tunnel restart.
+ */
+/**
+ * Read the persisted signature, if any. Returns `null` when the file
+ * does not exist, fails to parse, has the wrong shape, or refers to a
+ * tunnel state that no longer matches what's on disk.
+ *
+ * The on-disk-coherence check (`probeLocalTunnelCredential()`) is what
+ * gives us self-healing: a stranded manifest from a wiped tunnel dir
+ * gets ignored, forcing a fresh bundle on the next heartbeat.
+ */
+export declare function loadAppliedSignatureIfValid(): string | null;
+/**
+ * Persist the signature for the most recently applied bundle. Best-
+ * effort: a write failure is logged but does not throw, since the
+ * worst case is just an extra full-bundle delivery on the next
+ * heartbeat.
+ *
+ * The file is written with 0o600 to match the credentials sitting next
+ * to it; the directory itself is already 0o700 from
+ * `runtime-credentials.ts`.
+ */
+export declare function writeAppliedSignature(signature: string): void;
+/**
+ * Forget the persisted signature. Used by tests; production code never
+ * needs to delete it explicitly because writes overwrite in place.
+ */
+export declare function __clearAppliedSignatureForTests(): void;
+//# sourceMappingURL=applied-credential-signature.d.ts.map

package/dist/agent/applied-credential-signature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"applied-credential-signature.d.ts","sourceRoot":"","sources":["../../src/agent/applied-credential-signature.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAwBH;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,GAAG,IAAI,CA2C3D;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAgC7D;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,IAAI,IAAI,CAMtD"}

package/dist/agent/applied-credential-signature.js

@@ -0,0 +1,137 @@
+/**
+ * Applied-credential signature manifest.
+ *
+ * Persisted alongside materialised tunnel credentials at
+ * `<profileTunnelDir>/.applied-signature.json`. Records the signature
+ * the server handed us with the last bundle we successfully applied.
+ *
+ * The manifest is the *only* piece of state the agent has to remember
+ * across process restarts about credential bundles — everything else
+ * (creds JSON, config.yml) is reconstructable from a fresh server
+ * delivery. The signature is opaque to us; we just echo it back on the
+ * next heartbeat so the server can decide whether to re-ship the body.
+ *
+ * Self-healing properties (intentional):
+ *   - Manifest missing on disk → no signature sent → server sends
+ *     bundle → we re-apply and rewrite the manifest. Recovers any
+ *     install where the manifest was deleted but credentials weren't,
+ *     or vice versa.
+ *   - Manifest present but probe says no live tunnel files → we treat
+ *     the manifest as unusable (return null from `loadIfValid`), the
+ *     next heartbeat goes signature-free, the server re-ships the
+ *     bundle, and we land back in a coherent state.
+ *   - Process restart with everything intact → manifest signature is
+ *     sent on the startup heartbeat, server replies with no
+ *     `credentialBundle`, no disk writes, no tunnel restart.
+ */
+import fs from "node:fs";
+import path from "node:path";
+import { getProfileTunnelDir } from "../config/index.js";
+import { probeLocalTunnelCredential } from "./runtime-credentials.js";
+import { logger } from "../logger.js";
+const MANIFEST_FILENAME = ".applied-signature.json";
+const MANIFEST_VERSION = 1;
+function getManifestPath() {
+    return path.join(getProfileTunnelDir(), MANIFEST_FILENAME);
+}
+/**
+ * Read the persisted signature, if any. Returns `null` when the file
+ * does not exist, fails to parse, has the wrong shape, or refers to a
+ * tunnel state that no longer matches what's on disk.
+ *
+ * The on-disk-coherence check (`probeLocalTunnelCredential()`) is what
+ * gives us self-healing: a stranded manifest from a wiped tunnel dir
+ * gets ignored, forcing a fresh bundle on the next heartbeat.
+ */
+export function loadAppliedSignatureIfValid() {
+    const manifestPath = getManifestPath();
+    if (!fs.existsSync(manifestPath))
+        return null;
+    let raw;
+    try {
+        raw = fs.readFileSync(manifestPath, "utf-8");
+    }
+    catch (err) {
+        logger.warn(`Applied-signature manifest unreadable: ${err instanceof Error ? err.message : String(err)}`);
+        return null;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        logger.warn(`Applied-signature manifest malformed; ignoring`);
+        return null;
+    }
+    if (!parsed ||
+        typeof parsed !== "object" ||
+        !("signature" in parsed) ||
+        typeof parsed.signature !== "string" ||
+        parsed.signature.trim() === "") {
+        return null;
+    }
+    const signature = parsed.signature.trim();
+    // Coherence: a manifest is only meaningful when the credentials it
+    // refers to actually still exist on disk. If the tunnel files were
+    // wiped (e.g. operator deleted `~/.visionclaw/profiles/default/tunnel`)
+    // the stored signature lies about our state, so pretend we have none
+    // and let the server reissue the bundle.
+    if (probeLocalTunnelCredential() === null) {
+        return null;
+    }
+    return signature;
+}
+/**
+ * Persist the signature for the most recently applied bundle. Best-
+ * effort: a write failure is logged but does not throw, since the
+ * worst case is just an extra full-bundle delivery on the next
+ * heartbeat.
+ *
+ * The file is written with 0o600 to match the credentials sitting next
+ * to it; the directory itself is already 0o700 from
+ * `runtime-credentials.ts`.
+ */
+export function writeAppliedSignature(signature) {
+    if (typeof signature !== "string" || signature.trim() === "")
+        return;
+    const manifestPath = getManifestPath();
+    const dir = path.dirname(manifestPath);
+    try {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    catch {
+        // best-effort; the credential apply path will have created it
+    }
+    const payload = {
+        version: MANIFEST_VERSION,
+        signature: signature.trim(),
+        appliedAt: new Date().toISOString(),
+    };
+    try {
+        fs.writeFileSync(manifestPath, JSON.stringify(payload, null, 2), "utf-8");
+        if (process.platform !== "win32") {
+            try {
+                fs.chmodSync(manifestPath, 0o600);
+            }
+            catch {
+                // best-effort; directory perms still protect
+            }
+        }
+    }
+    catch (err) {
+        logger.warn(`Failed to persist applied-signature manifest: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+/**
+ * Forget the persisted signature. Used by tests; production code never
+ * needs to delete it explicitly because writes overwrite in place.
+ */
+export function __clearAppliedSignatureForTests() {
+    try {
+        fs.rmSync(getManifestPath(), { force: true });
+    }
+    catch {
+        // ignore
+    }
+}
+//# sourceMappingURL=applied-credential-signature.js.map

package/dist/agent/applied-credential-signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"applied-credential-signature.js","sourceRoot":"","sources":["../../src/agent/applied-credential-signature.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAEtC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC;AACpD,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAW3B,SAAS,eAAe;IACtB,OAAO,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,iBAAiB,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,2BAA2B;IACzC,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAE9C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CACT,0CAA0C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7F,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IACE,CAAC,MAAM;QACP,OAAO,MAAM,KAAK,QAAQ;QAC1B,CAAC,CAAC,WAAW,IAAI,MAAM,CAAC;QACxB,OAAQ,MAAiC,CAAC,SAAS,KAAK,QAAQ;QAC/D,MAAgC,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EACzD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAI,MAAgC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IAErE,mEAAmE;IACnE,mEAAmE;IACnE,wEAAwE;IACxE,qEAAqE;IACrE,yCAAyC;IACzC,IAAI,0BAA0B,EAAE,KAAK,IAAI,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAAiB;IACrD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO;IAErE,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAEvC,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;IAChE,CAAC;IAED,MAAM,OAAO,GAAsB;QACjC,OAAO,EAAE,gBAAgB;QACzB,SAAS,EAAE,SAAS,CAAC,IAAI,EAAE;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAC1E,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,6CAA6C;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CACT,iDAAiD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACpG,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,+BAA+B;IAC7C,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;AACH,CAAC"}

package/dist/agent/tunnel-credential-handler.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Tunnel credential coordinator.
+ *
+ * Owns every tunnel-specific concern around a heartbeat-delivered
+ * `runtimeCredentials` bundle:
+ *
+ *   - materialising the bundle to disk (via `runtime-credentials.ts`)
+ *   - deciding whether a cloudflared bounce is needed
+ *   - coalescing concurrent restart triggers
+ *   - tracking whether the next heartbeat should still ask the server
+ *     to bootstrap a credential (i.e. nothing usable is on disk yet)
+ *
+ * Extracted out of `HeartbeatManager` so the heartbeat layer stays
+ * concerned with heartbeats and command dispatch; the tunnel coupling
+ * lives here instead.
+ */
+import type { RuntimeCredentials } from "../onboarding/onboarding-service-client.js";
+export interface TunnelCredentialHandlerOptions {
+    /** Canonical agent name used to validate tunnel-name drift. */
+    agentName: string;
+    /**
+     * Callback that bounces cloudflared (typically the `restartTunnel`
+     * returned from `startObsServer`). Invoked when a newly materialised
+     * credential differs from what's on disk — otherwise cloudflared keeps
+     * running against the UUID it was spawned with (it does not hot-reload
+     * `config.yml`).
+     *
+     * Optional so test harnesses and non-obs builds can skip the restart
+     * side-effect entirely.
+     */
+    restartTunnel?: () => Promise<string | null>;
+}
+export declare class TunnelCredentialHandler {
+    private readonly agentName;
+    private readonly restartTunnel?;
+    private _restartInFlight;
+    /**
+     * Set whenever a `tunnelChanged` apply lands while a previous restart
+     * is still in flight. The in-flight restart already snapshotted disk
+     * state at its start (`resolveTunnelOpts()` in `obs/server.ts`), so
+     * the second rotation needs its own bounce — we re-kick from the
+     * restart's `finally` block when this flag is set.
+     *
+     * Stored as the latest `ApplyRuntimeCredentialsResult` so the rotation
+     * label in the follow-up log line still reflects the *latest* tunnel
+     * delivery, not the first one that was already restarted.
+     */
+    private _pendingRestart;
+    /**
+     * True whenever we still need the server to include a
+     * `runtimeCredentials` bundle on the next heartbeat — i.e. nothing
+     * usable is on disk yet. Flips to false the first time we materialise
+     * a credential successfully, and flips back to true whenever a probe
+     * finds the profile tunnel dir empty again.
+     */
+    private _needsBootstrap;
+    /**
+     * Latch so we only emit the "running on pre-existing local credential,
+     * awaiting server-issued bundle" notice once per process. The state it
+     * describes is benign but operators want to see it called out in logs
+     * right after an upgrade from a legacy-adopted agent when the server
+     * hasn't been provisioned yet.
+     */
+    private _loggedAwaitingServerBundle;
+    constructor(options: TunnelCredentialHandlerOptions);
+    /** Whether the next heartbeat should request a bootstrap bundle. */
+    get needsBootstrap(): boolean;
+    /**
+     * Handle a `runtimeCredentials` bundle from a heartbeat response.
+     *
+     * Defensive by contract: never throws — a failed materialisation must
+     * not block heartbeats. Missing/undefined bundles are a no-op.
+     */
+    handle(bundle: RuntimeCredentials | undefined): void;
+    /**
+     * Kick `restartTunnel` in the background, coalescing concurrent
+     * invocations. Logged at `system` level because a restart is a
+     * visible event for operators tailing pm2 logs.
+     *
+     * If a restart is already in flight when we're called, we don't drop
+     * the trigger — the in-flight restart sampled disk before this newer
+     * credential was materialised and would launch cloudflared against
+     * the stale UUID. Instead we record the latest result in
+     * `_pendingRestart` and re-kick from the in-flight restart's
+     * `finally` block, which guarantees one extra restart that picks up
+     * whatever's now on disk.
+     */
+    private triggerRestart;
+}
+//# sourceMappingURL=tunnel-credential-handler.d.ts.map

package/dist/agent/tunnel-credential-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tunnel-credential-handler.d.ts","sourceRoot":"","sources":["../../src/agent/tunnel-credential-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4CAA4C,CAAC;AAQrF,MAAM,WAAW,8BAA8B;IAC7C,+DAA+D;IAC/D,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;;;;;OASG;IACH,aAAa,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC9C;AAED,qBAAa,uBAAuB;IAClC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAA+B;IAC9D,OAAO,CAAC,gBAAgB,CAA8B;IACtD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,eAAe,CAA8C;IACrE;;;;;;OAMG;IACH,OAAO,CAAC,eAAe,CAAQ;IAC/B;;;;;;OAMG;IACH,OAAO,CAAC,2BAA2B,CAAS;gBAEhC,OAAO,EAAE,8BAA8B;IAKnD,oEAAoE;IACpE,IAAI,cAAc,IAAI,OAAO,CAE5B;IAED;;;;;OAKG;IACH,MAAM,CAAC,MAAM,EAAE,kBAAkB,GAAG,SAAS,GAAG,IAAI;IAiDpD;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,cAAc;CA6CvB"}

package/dist/agent/tunnel-credential-handler.js

@@ -0,0 +1,162 @@
+/**
+ * Tunnel credential coordinator.
+ *
+ * Owns every tunnel-specific concern around a heartbeat-delivered
+ * `runtimeCredentials` bundle:
+ *
+ *   - materialising the bundle to disk (via `runtime-credentials.ts`)
+ *   - deciding whether a cloudflared bounce is needed
+ *   - coalescing concurrent restart triggers
+ *   - tracking whether the next heartbeat should still ask the server
+ *     to bootstrap a credential (i.e. nothing usable is on disk yet)
+ *
+ * Extracted out of `HeartbeatManager` so the heartbeat layer stays
+ * concerned with heartbeats and command dispatch; the tunnel coupling
+ * lives here instead.
+ */
+import { applyRuntimeCredentials, probeLocalTunnelCredential, } from "./runtime-credentials.js";
+import { logger } from "../logger.js";
+export class TunnelCredentialHandler {
+    agentName;
+    restartTunnel;
+    _restartInFlight = null;
+    /**
+     * Set whenever a `tunnelChanged` apply lands while a previous restart
+     * is still in flight. The in-flight restart already snapshotted disk
+     * state at its start (`resolveTunnelOpts()` in `obs/server.ts`), so
+     * the second rotation needs its own bounce — we re-kick from the
+     * restart's `finally` block when this flag is set.
+     *
+     * Stored as the latest `ApplyRuntimeCredentialsResult` so the rotation
+     * label in the follow-up log line still reflects the *latest* tunnel
+     * delivery, not the first one that was already restarted.
+     */
+    _pendingRestart = null;
+    /**
+     * True whenever we still need the server to include a
+     * `runtimeCredentials` bundle on the next heartbeat — i.e. nothing
+     * usable is on disk yet. Flips to false the first time we materialise
+     * a credential successfully, and flips back to true whenever a probe
+     * finds the profile tunnel dir empty again.
+     */
+    _needsBootstrap = true;
+    /**
+     * Latch so we only emit the "running on pre-existing local credential,
+     * awaiting server-issued bundle" notice once per process. The state it
+     * describes is benign but operators want to see it called out in logs
+     * right after an upgrade from a legacy-adopted agent when the server
+     * hasn't been provisioned yet.
+     */
+    _loggedAwaitingServerBundle = false;
+    constructor(options) {
+        this.agentName = options.agentName;
+        this.restartTunnel = options.restartTunnel;
+    }
+    /** Whether the next heartbeat should request a bootstrap bundle. */
+    get needsBootstrap() {
+        return this._needsBootstrap;
+    }
+    /**
+     * Handle a `runtimeCredentials` bundle from a heartbeat response.
+     *
+     * Defensive by contract: never throws — a failed materialisation must
+     * not block heartbeats. Missing/undefined bundles are a no-op.
+     */
+    handle(bundle) {
+        let result = null;
+        try {
+            result = applyRuntimeCredentials(bundle, { agentName: this.agentName });
+            if (result.tunnelApplied) {
+                this._needsBootstrap = false;
+            }
+        }
+        catch (err) {
+            logger.warn(`Runtime credential apply failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        // If the apply wrote new files to disk, bounce cloudflared so it
+        // picks up the fresh UUID/secret. Without this the obs server
+        // spawned cloudflared against whatever was on disk at startup, and
+        // a subsequent credential rotation (e.g. operator clicked
+        // "Provision tunnel" on the admin UI) would sit unused until the
+        // next manual agent restart.
+        if (result?.tunnelApplied && result.tunnelChanged && result.tunnel) {
+            this.triggerRestart(result);
+        }
+        // If we still don't have a local tunnel credential after applying,
+        // keep asking the server to bootstrap on the next heartbeat. Also
+        // covers the case where the server hasn't provisioned a tunnel for
+        // this agent yet — subsequent heartbeats stay cheap (only the flag
+        // is sent), and we pick up the credential the moment it exists.
+        const probed = probeLocalTunnelCredential();
+        if (probed === null) {
+            this._needsBootstrap = true;
+        }
+        else if (!result?.tunnelApplied &&
+            !this._loggedAwaitingServerBundle) {
+            // Covers the legacy-adoption scenario: the agent was upgraded and
+            // obs is already running on an adopted `~/.cloudflared` credential
+            // that's now in the profile dir, but the server returned no
+            // runtimeCredentials bundle (operator hasn't clicked "Provision
+            // tunnel" yet). Call this out exactly once so the state is
+            // unambiguous in logs — every subsequent heartbeat will still
+            // re-ask via `needsBootstrap`, silently, until the bundle lands.
+            this._loggedAwaitingServerBundle = true;
+            logger.system(`Runtime credential: operating on pre-existing local tunnel ${probed.tunnelId}; awaiting server-issued bundle`);
+        }
+    }
+    /**
+     * Kick `restartTunnel` in the background, coalescing concurrent
+     * invocations. Logged at `system` level because a restart is a
+     * visible event for operators tailing pm2 logs.
+     *
+     * If a restart is already in flight when we're called, we don't drop
+     * the trigger — the in-flight restart sampled disk before this newer
+     * credential was materialised and would launch cloudflared against
+     * the stale UUID. Instead we record the latest result in
+     * `_pendingRestart` and re-kick from the in-flight restart's
+     * `finally` block, which guarantees one extra restart that picks up
+     * whatever's now on disk.
+     */
+    triggerRestart(result) {
+        if (!this.restartTunnel || !result.tunnel)
+            return;
+        if (this._restartInFlight) {
+            // Always overwrite — only the most recent credential matters; any
+            // intermediate bundles will be on disk by the time the follow-up
+            // restart re-probes via `obs/server.ts:resolveTunnelOpts()`.
+            this._pendingRestart = result;
+            return;
+        }
+        const newTunnelId = result.tunnel.tunnelId;
+        const previousTunnelId = result.previousTunnelId;
+        const rotationLabel = previousTunnelId === null
+            ? "initial"
+            : previousTunnelId === newTunnelId
+                ? "refreshed"
+                : `rotated (${previousTunnelId} → ${newTunnelId})`;
+        logger.system(`Runtime credential: tunnel ${rotationLabel}; restarting cloudflared`);
+        const restart = this.restartTunnel;
+        this._restartInFlight = (async () => {
+            try {
+                await restart();
+            }
+            catch (err) {
+                logger.warn(`Failed to restart tunnel after credential update: ${err instanceof Error ? err.message : String(err)}`);
+            }
+            finally {
+                this._restartInFlight = null;
+                // Drain any rotation that landed mid-flight. We re-enter
+                // triggerRestart synchronously (not via setImmediate) so the
+                // follow-up restart starts as soon as the previous Promise
+                // resolves, but `_restartInFlight` is already null above so the
+                // recursive call goes down the spawn path, not the coalesce path.
+                const pending = this._pendingRestart;
+                if (pending) {
+                    this._pendingRestart = null;
+                    this.triggerRestart(pending);
+                }
+            }
+        })();
+    }
+}
+//# sourceMappingURL=tunnel-credential-handler.js.map

package/dist/agent/tunnel-credential-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tunnel-credential-handler.js","sourceRoot":"","sources":["../../src/agent/tunnel-credential-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EACL,uBAAuB,EACvB,0BAA0B,GAE3B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAkBtC,MAAM,OAAO,uBAAuB;IACjB,SAAS,CAAS;IAClB,aAAa,CAAgC;IACtD,gBAAgB,GAAyB,IAAI,CAAC;IACtD;;;;;;;;;;OAUG;IACK,eAAe,GAAyC,IAAI,CAAC;IACrE;;;;;;OAMG;IACK,eAAe,GAAG,IAAI,CAAC;IAC/B;;;;;;OAMG;IACK,2BAA2B,GAAG,KAAK,CAAC;IAE5C,YAAY,OAAuC;QACjD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC7C,CAAC;IAED,oEAAoE;IACpE,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,MAAsC;QAC3C,IAAI,MAAM,GAAyC,IAAI,CAAC;QACxD,IAAI,CAAC;YACH,MAAM,GAAG,uBAAuB,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YACxE,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACzB,IAAI,CAAC,eAAe,GAAG,KAAK,CAAC;YAC/B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CACT,oCAAoC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACvF,CAAC;QACJ,CAAC;QAED,iEAAiE;QACjE,8DAA8D;QAC9D,mEAAmE;QACnE,0DAA0D;QAC1D,iEAAiE;QACjE,6BAA6B;QAC7B,IAAI,MAAM,EAAE,aAAa,IAAI,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YACnE,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAED,mEAAmE;QACnE,kEAAkE;QAClE,mEAAmE;QACnE,mEAAmE;QACnE,gEAAgE;QAChE,MAAM,MAAM,GAAG,0BAA0B,EAAE,CAAC;QAC5C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC9B,CAAC;aAAM,IACL,CAAC,MAAM,EAAE,aAAa;YACtB,CAAC,IAAI,CAAC,2BAA2B,EACjC,CAAC;YACD,kEAAkE;YAClE,mEAAmE;YACnE,4DAA4D;YAC5D,gEAAgE;YAChE,2DAA2D;YAC3D,8DAA8D;YAC9D,iEAAiE;YACjE,IAAI,CAAC,2BAA2B,GAAG,IAAI,CAAC;YACxC,MAAM,CAAC,MAAM,CACX,8DAA8D,MAAM,CAAC,QAAQ,iCAAiC,CAC/G,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACK,cAAc,CAAC,MAAqC;QAC1D,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,OAAO;QAClD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,kEAAkE;YAClE,iEAAiE;YACjE,6DAA6D;YAC7D,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC;YAC9B,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC3C,MAAM,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;QACjD,MAAM,aAAa,GACjB,gBAAgB,KAAK,IAAI;YACvB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,gBAAgB,KAAK,WAAW;gBAChC,CAAC,CAAC,WAAW;gBACb,CAAC,CAAC,YAAY,gBAAgB,MAAM,WAAW,GAAG,CAAC;QACzD,MAAM,CAAC,MAAM,CACX,8BAA8B,aAAa,0BAA0B,CACtE,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC;QACnC,IAAI,CAAC,gBAAgB,GAAG,CAAC,KAAK,IAAI,EAAE;YAClC,IAAI,CAAC;gBACH,MAAM,OAAO,EAAE,CAAC;YAClB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CACT,qDAAqD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACxG,CAAC;YACJ,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;gBAC7B,yDAAyD;gBACzD,6DAA6D;gBAC7D,2DAA2D;gBAC3D,gEAAgE;gBAChE,kEAAkE;gBAClE,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC;gBACrC,IAAI,OAAO,EAAE,CAAC;oBACZ,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;oBAC5B,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;gBAC/B,CAAC;YACH,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;IACP,CAAC;CACF"}

package/dist/billing/payg-handler.d.ts

@@ -0,0 +1,29 @@
+/**
+ * PAYG (Pay as You Go) command handler for the `request_payment` heartbeat command.
+ *
+ * This is deterministic bot code u2014 the LLM agent is never involved in
+ * payment flows. The handler:
+ *
+ * 1. Receives `request_payment` from the backend via heartbeat (includes amounts)
+ * 2. Sends an amount selection prompt (inline keyboard) to the owner via Telegram
+ * 3. Listens for `billing_payg_selected` events from the Telegram adapter
+ * 4. Calls the backend to create a Stripe Payment Link (one-time)
+ * 5. Sends the payment URL back to the owner as a URL button
+ */
+import type { CommandHandler } from "../agent/command-dispatcher.js";
+import type { ChannelManager } from "../channels/manager.js";
+import type { BillingPaygSelectedEvent } from "../channels/interface.js";
+import type { OnboardingServiceClient } from "../onboarding/onboarding-service-client.js";
+export interface PaygHandler extends CommandHandler {
+    /** Handle a billing_payg_selected event (user tapped an amount button). */
+    handleAmountSelected: (event: BillingPaygSelectedEvent) => Promise<void>;
+}
+/**
+ * Create a CommandHandler for the "request_payment" heartbeat command.
+ *
+ * @param channelManager - To send PAYG prompts and listen for amount selection events
+ * @param ownerChatId - The owner's Telegram chat ID
+ * @param serviceClient - Onboarding service client for creating payment links
+ */
+export declare function createPaygHandler(channelManager: ChannelManager, ownerChatId: number, serviceClient: OnboardingServiceClient | null): PaygHandler;
+//# sourceMappingURL=payg-handler.d.ts.map

package/dist/billing/payg-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payg-handler.d.ts","sourceRoot":"","sources":["../../src/billing/payg-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACzE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAW1F,MAAM,WAAW,WAAY,SAAQ,cAAc;IACjD,2EAA2E;IAC3E,oBAAoB,EAAE,CAAC,KAAK,EAAE,wBAAwB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1E;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,cAAc,EAC9B,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,uBAAuB,GAAG,IAAI,GAC5C,WAAW,CAmGb"}

package/dist/billing/payg-handler.js

@@ -0,0 +1,92 @@
+/**
+ * PAYG (Pay as You Go) command handler for the `request_payment` heartbeat command.
+ *
+ * This is deterministic bot code u2014 the LLM agent is never involved in
+ * payment flows. The handler:
+ *
+ * 1. Receives `request_payment` from the backend via heartbeat (includes amounts)
+ * 2. Sends an amount selection prompt (inline keyboard) to the owner via Telegram
+ * 3. Listens for `billing_payg_selected` events from the Telegram adapter
+ * 4. Calls the backend to create a Stripe Payment Link (one-time)
+ * 5. Sends the payment URL back to the owner as a URL button
+ */
+import { logger } from "../logger.js";
+const MAX_RETRIES = 2;
+const RETRY_DELAY_MS = 2_000;
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Create a CommandHandler for the "request_payment" heartbeat command.
+ *
+ * @param channelManager - To send PAYG prompts and listen for amount selection events
+ * @param ownerChatId - The owner's Telegram chat ID
+ * @param serviceClient - Onboarding service client for creating payment links
+ */
+export function createPaygHandler(channelManager, ownerChatId, serviceClient) {
+    async function handleAmountSelected(event) {
+        if (!serviceClient) {
+            logger.warn("[payg] No service client u2014 cannot create payment link");
+            await channelManager.sendMessage("telegram", String(event.chatId), "Payment is not configured. Please contact support.");
+            return;
+        }
+        logger.system(`[payg] Amount selected: $${event.amount} by chat ${event.chatId}`);
+        for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+            try {
+                const result = await serviceClient.createPaymentLink(event.amount, event.chatId);
+                if (result?.checkoutUrl) {
+                    await channelManager.sendTelegramCheckoutLink(event.chatId, `$${event.amount} Top-Up`, result.checkoutUrl);
+                    logger.system(`[payg] Payment link sent to chat ${event.chatId} for $${event.amount}`);
+                    return;
+                }
+                if (attempt < MAX_RETRIES) {
+                    logger.warn(`[payg] Payment link attempt ${attempt + 1} failed, retrying...`);
+                    await channelManager.sendMessage("telegram", String(event.chatId), "Payment setup failed, retrying...");
+                    await sleep(RETRY_DELAY_MS);
+                }
+            }
+            catch (err) {
+                const errMsg = err instanceof Error ? err.message : String(err);
+                logger.err(`[payg] Payment link attempt ${attempt + 1} error: ${errMsg}`);
+                if (attempt < MAX_RETRIES) {
+                    await sleep(RETRY_DELAY_MS);
+                }
+            }
+        }
+        logger.err("[payg] All payment link attempts failed");
+        await channelManager.sendMessage("telegram", String(event.chatId), "Payment setup failed. Please try again later.");
+    }
+    const handler = Object.assign(async (_commandId, payload) => {
+        const raw = (payload ?? {});
+        const amounts = Array.isArray(raw.amounts) ? raw.amounts : [];
+        if (amounts.length === 0) {
+            logger.warn("[payg] request_payment received with no amounts");
+            return {
+                status: "failed",
+                result: JSON.stringify({ error: "No amounts in payload" }),
+            };
+        }
+        const typedPayload = {
+            reason: typeof raw.reason === "string" ? raw.reason : undefined,
+            amounts,
+        };
+        logger.system(`[payg] Request payment received with amounts: ${typedPayload.amounts.join(", ")}`);
+        try {
+            await channelManager.sendTelegramPaygPrompt(ownerChatId, typedPayload);
+            return {
+                status: "completed",
+                result: JSON.stringify({ message: "PAYG prompt sent to owner" }),
+            };
+        }
+        catch (err) {
+            const errMsg = err instanceof Error ? err.message : String(err);
+            logger.err(`[payg] Failed to send PAYG prompt: ${errMsg}`);
+            return {
+                status: "failed",
+                result: JSON.stringify({ error: errMsg }),
+            };
+        }
+    }, { handleAmountSelected });
+    return handler;
+}
+//# sourceMappingURL=payg-handler.js.map

package/dist/billing/payg-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payg-handler.js","sourceRoot":"","sources":["../../src/billing/payg-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAEtC,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,cAAc,GAAG,KAAK,CAAC;AAE7B,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAOD;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,cAA8B,EAC9B,WAAmB,EACnB,aAA6C;IAE7C,KAAK,UAAU,oBAAoB,CAAC,KAA+B;QACjE,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;YACzE,MAAM,cAAc,CAAC,WAAW,CAC9B,UAAU,EACV,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EACpB,oDAAoD,CACrD,CAAC;YACF,OAAO;QACT,CAAC;QAED,MAAM,CAAC,MAAM,CAAC,4BAA4B,KAAK,CAAC,MAAM,YAAY,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QAElF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YACxD,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,iBAAiB,CAClD,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,MAAM,CACb,CAAC;gBAEF,IAAI,MAAM,EAAE,WAAW,EAAE,CAAC;oBACxB,MAAM,cAAc,CAAC,wBAAwB,CAC3C,KAAK,CAAC,MAAM,EACZ,IAAI,KAAK,CAAC,MAAM,SAAS,EACzB,MAAM,CAAC,WAAW,CACnB,CAAC;oBACF,MAAM,CAAC,MAAM,CACX,oCAAoC,KAAK,CAAC,MAAM,SAAS,KAAK,CAAC,MAAM,EAAE,CACxE,CAAC;oBACF,OAAO;gBACT,CAAC;gBAED,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;oBAC1B,MAAM,CAAC,IAAI,CAAC,+BAA+B,OAAO,GAAG,CAAC,sBAAsB,CAAC,CAAC;oBAC9E,MAAM,cAAc,CAAC,WAAW,CAC9B,UAAU,EACV,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EACpB,mCAAmC,CACpC,CAAC;oBACF,MAAM,KAAK,CAAC,cAAc,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChE,MAAM,CAAC,GAAG,CAAC,+BAA+B,OAAO,GAAG,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC;gBAC1E,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;oBAC1B,MAAM,KAAK,CAAC,cAAc,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;QACtD,MAAM,cAAc,CAAC,WAAW,CAC9B,UAAU,EACV,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EACpB,+CAA+C,CAChD,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAgB,MAAM,CAAC,MAAM,CACxC,KAAK,EAAE,UAAkB,EAAE,OAAgB,EAAE,EAAE;QAC/C,MAAM,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAA4B,CAAC;QACvD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,OAAoB,CAAC,CAAC,CAAC,EAAE,CAAC;QAE5E,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;YAC/D,OAAO;gBACL,MAAM,EAAE,QAAiB;gBACzB,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;aAC3D,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAA0B;YAC1C,MAAM,EAAE,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC/D,OAAO;SACR,CAAC;QAEF,MAAM,CAAC,MAAM,CACX,iDAAiD,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,cAAc,CAAC,sBAAsB,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;YACvE,OAAO;gBACL,MAAM,EAAE,WAAoB;gBAC5B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC;aACjE,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,MAAM,CAAC,GAAG,CAAC,sCAAsC,MAAM,EAAE,CAAC,CAAC;YAC3D,OAAO;gBACL,MAAM,EAAE,QAAiB;gBACzB,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;aAC1C,CAAC;QACJ,CAAC;IACH,CAAC,EACC,EAAE,oBAAoB,EAAE,CACzB,CAAC;IACF,OAAO,OAAO,CAAC;AACjB,CAAC"}