vskill 1.0.15 → 1.0.18

package/dist/eval-server/oauth-github-routes.js

@@ -0,0 +1,505 @@
+// ---------------------------------------------------------------------------
+// oauth-github-routes.ts — GitHub OAuth 2.0 Authorization Code flow.
+//
+// Why this replaces the Tauri IPC device-flow path (2026-05-11):
+//
+//   1. The vskill OAuth App at github.com/settings/developers has Device Flow
+//      DISABLED. Every device-code request returns
+//      `{"error":"device_flow_disabled"}` so the Tauri device-flow IPC was
+//      always going to silently fail at the GitHub layer.
+//
+//   2. The Tauri 2.x ACL was rejecting every custom #[tauri::command] at
+//      runtime because src-tauri/build.rs doesn't pass the command list to
+//      `Attributes::app_manifest(AppManifest::new().commands(&[...]))`. Even
+//      with a permission TOML correctly compiled into the binary, the runtime
+//      `allowed_commands` HashMap stayed empty for app-level commands. See
+//      `~/.claude/skills/tauri-desktop-release/SKILL.md` for the deep dive.
+//
+//   3. Doing OAuth through the sidecar HTTP layer sidesteps both issues:
+//      - JS in the WebView already authenticates to the sidecar via
+//        X-Studio-Token (the v1.0.30 fix). All it needs to do is POST/GET.
+//      - The browser callback first hits the registered verified-skill.com
+//        callback, which owns the GitHub client secret and exchanges the code.
+//        It then posts the resulting GitHub token back to the local sidecar.
+//
+// This mirrors how `claude-code` does it (Claude AI / Anthropic console
+// login): localhost HTTP server starts the flow, validates the returning
+// state, then stores the token in the OS keychain (with file fallback).
+// See `anymodel-umb/repositories/antonoly/claude-code/services/oauth/`.
+//
+// Flow:
+//   1. JS: POST /api/oauth/github/start
+//      → server generates random state (CSRF protection)
+//      → server stores {state → {expiresAt}} in in-memory map
+//      → server returns {state, authUrl}
+//   2. JS: window.__TAURI__.shell.open(authUrl)   (no IPC ACL needed —
+//      shell:allow-open is in default capabilities)
+//   3. User authorizes in their browser → GitHub redirects to the registered
+//      verified-skill.com callback, which detects desktop state, exchanges
+//      the code using the platform client secret, and form-POSTs the token to
+//      http://localhost:<sidecar-port>/api/oauth/github/desktop-complete
+//   4. Sidecar desktop-complete handler:
+//      → looks up state in map (404 if not found / expired)
+//      → stores access_token via keychain.setGithubToken()
+//      → marks the state as "ready" with the user info
+//      → returns a small HTML "close this tab" success page
+//   5. JS polls GET /api/oauth/github/status?state=...
+//      → on "ready" → frontend shows signed-in chip
+//      → on "error" → frontend shows error toast
+//
+// Token storage is the SAME slot used by the old Tauri device-flow path
+// (`~/.vskill/keys.env` or OS keychain), so existing token-consuming code
+// in the studio (per-skill streams, account API) continues working.
+// ---------------------------------------------------------------------------
+import { randomBytes } from "node:crypto";
+import { sendJson } from "./router.js";
+// ---------------------------------------------------------------------------
+// Config
+// ---------------------------------------------------------------------------
+// Public OAuth App client_id. Matches the value baked into the desktop
+// binary at build time (src-tauri/build.rs reads GITHUB_OAUTH_CLIENT_ID env).
+// PUBLIC value — no secret protection needed, intentionally hardcoded.
+const GITHUB_OAUTH_CLIENT_ID = "Ov23li6H8OpvPfuhyDEt";
+const GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize";
+const GITHUB_USER_API = "https://api.github.com/user";
+const REQUESTED_SCOPE = "repo read:user user:email";
+const STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes — GitHub auth pages
+// allow ~15 min before user code expires
+const STATE_GC_INTERVAL_MS = 60 * 1000;
+// 2026-05-20: GitHub requires redirect_uri to exactly match the OAuth App's
+// registered callback. The platform callback detects desktop state values,
+// exchanges the code with its confidential client secret, then posts the
+// GitHub access token back to the local sidecar.
+const DESKTOP_BOUNCE_REDIRECT = "https://verified-skill.com/api/v1/auth/github/callback";
+// Allow overriding the bounce URL via env (useful for local platform
+// development against http://localhost:3000 etc.).
+function getRedirectUri() {
+    return process.env.VSKILL_OAUTH_BOUNCE_URL || DESKTOP_BOUNCE_REDIRECT;
+}
+const flows = new Map();
+function gcExpiredFlows() {
+    const now = Date.now();
+    for (const [state, flow] of flows) {
+        if (flow.expiresAt < now)
+            flows.delete(state);
+    }
+}
+setInterval(gcExpiredFlows, STATE_GC_INTERVAL_MS).unref();
+// ---------------------------------------------------------------------------
+// OAuth helpers
+// ---------------------------------------------------------------------------
+function base64UrlEncode(buf) {
+    return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateState() {
+    return base64UrlEncode(randomBytes(32)); // 43 chars
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * The redirect_uri we send to GitHub. This must be the registered platform
+ * callback; the platform callback handles the localhost bounce for desktop
+ * states after GitHub redirects back to it.
+ */
+function buildGitHubRedirectUri(_req) {
+    return getRedirectUri();
+}
+/**
+ * Extract the local sidecar port from the request host header so we can
+ * embed it in `state`. The platform bounce-redirect reads the port back
+ * out of state and forwards the user's browser to localhost:<port>.
+ */
+function getLocalPort(req) {
+    const host = req.headers.host || "";
+    const m = host.match(/:(\d+)$/);
+    if (m) {
+        const n = Number.parseInt(m[1], 10);
+        if (Number.isFinite(n) && n > 0 && n <= 65535)
+            return n;
+    }
+    // No port in host → default 80. Should never happen for sidecar binds.
+    return 80;
+}
+/**
+ * Fetch the user's GitHub profile using the access token. Used to populate
+ * the signed-in chip in the studio UI.
+ */
+async function fetchUserProfile(accessToken) {
+    const res = await fetch(GITHUB_USER_API, {
+        headers: {
+            "Authorization": `token ${accessToken}`,
+            "Accept": "application/vnd.github+json",
+            "User-Agent": "vskill-studio",
+        },
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`GitHub user API failed: HTTP ${res.status}: ${text.slice(0, 200)}`);
+    }
+    const data = (await res.json());
+    return {
+        login: data.login,
+        id: data.id,
+        name: data.name,
+        email: data.email,
+        avatarUrl: data.avatar_url,
+    };
+}
+/**
+ * Persist the GitHub token to the same storage slot the existing keychain
+ * code uses (~/.vskill/keys.env or OS keychain). Lazy-imports keychain.ts
+ * so this file stays usable in environments where keychain isn't available
+ * (e.g., the test runner — keychain has hard ESM deps on native modules).
+ */
+async function persistGithubToken(token) {
+    try {
+        const mod = await import("../lib/keychain.js");
+        const kc = mod.createKeychain();
+        kc.setGitHubToken(token);
+        return;
+    }
+    catch (err) {
+        // Fall back to manually writing keys.env so the next vskill launch can
+        // still read the token (the studio looks in both keychain and keys.env).
+        const fs = await import("node:fs");
+        const path = await import("node:path");
+        const os = await import("node:os");
+        const dir = path.join(os.homedir(), ".vskill");
+        fs.mkdirSync(dir, { recursive: true });
+        const file = path.join(dir, "keys.env");
+        let contents = "";
+        try {
+            contents = fs.readFileSync(file, "utf-8");
+        }
+        catch { /* fresh */ }
+        // Overwrite both canonical + legacy keys.
+        const lines = contents
+            .split("\n")
+            .filter((l) => !l.startsWith("github-oauth-token=") && !l.startsWith("github_token="));
+        lines.push(`github-oauth-token=${token}`);
+        lines.push(`github_token=${token}`);
+        fs.writeFileSync(file, lines.filter(Boolean).join("\n") + "\n", { mode: 0o600 });
+        // Surface the fallback so debugging is easy.
+        // eslint-disable-next-line no-console
+        console.warn(`[oauth-github] keychain.setGithubToken failed (${err.message}); wrote ${file} instead`);
+    }
+}
+async function readUrlEncodedBody(req) {
+    const MAX_BODY_SIZE = 64 * 1024;
+    const TIMEOUT_MS = 10_000;
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        const timer = setTimeout(() => {
+            req.destroy();
+            reject(new Error("Request body timeout"));
+        }, TIMEOUT_MS);
+        req.on("data", (chunk) => {
+            size += chunk.length;
+            if (size > MAX_BODY_SIZE) {
+                clearTimeout(timer);
+                req.destroy();
+                reject(new Error("Request body too large"));
+                return;
+            }
+            chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+        });
+        req.on("end", () => {
+            clearTimeout(timer);
+            resolve(new URLSearchParams(Buffer.concat(chunks).toString()));
+        });
+        req.on("error", (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
+    });
+}
+// ---------------------------------------------------------------------------
+// Route registration
+// ---------------------------------------------------------------------------
+export function registerOauthGithubRoutes(router) {
+    // -------------------------------------------------------------------------
+    // POST /api/oauth/github/start
+    //
+    // Initiates an OAuth flow. Returns the auth URL for the JS to open in the
+    // user's browser via Tauri's shell.open (or window.open for the CLI/web
+    // path — both are same-origin loopback so the redirect lands back here).
+    // -------------------------------------------------------------------------
+    router.post("/api/oauth/github/start", async (req, res) => {
+        // 2026-05-11 Option B: encode the sidecar's local port into state so
+        // the verified-skill.com bounce-redirect knows where to forward the
+        // user's browser. Format: <random base64url>.<port>. The same state
+        // round-trips through GitHub → platform → localhost callback.
+        const port = getLocalPort(req);
+        const state = `${generateState()}.${port}`;
+        const redirectUri = buildGitHubRedirectUri(req);
+        flows.set(state, {
+            expiresAt: Date.now() + STATE_TTL_MS,
+            status: "pending",
+        });
+        const authUrl = new URL(GITHUB_AUTHORIZE_URL);
+        authUrl.searchParams.set("client_id", GITHUB_OAUTH_CLIENT_ID);
+        authUrl.searchParams.set("redirect_uri", redirectUri);
+        authUrl.searchParams.set("scope", REQUESTED_SCOPE);
+        authUrl.searchParams.set("state", state);
+        // Force GitHub to always show the authorize page (even if previously
+        // authorized) — clearer UX when the user is debugging or rotating.
+        authUrl.searchParams.set("allow_signup", "true");
+        sendJson(res, {
+            state,
+            authUrl: authUrl.toString(),
+            expiresAt: flows.get(state).expiresAt,
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/oauth/github/callback?error=...&state=...
+    //
+    // Browser-driven error callback. Success callbacks are now exchanged on the
+    // platform and delivered to /desktop-complete so the local sidecar never
+    // needs the confidential GitHub client secret.
+    // -------------------------------------------------------------------------
+    router.get("/api/oauth/github/callback", async (req, res) => {
+        const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+        const state = url.searchParams.get("state");
+        const errorParam = url.searchParams.get("error");
+        const errorDesc = url.searchParams.get("error_description");
+        if (errorParam) {
+            const flow = state ? flows.get(state) : null;
+            if (flow) {
+                flow.status = "error";
+                flow.errorMessage = `${errorParam}${errorDesc ? `: ${errorDesc}` : ""}`;
+            }
+            respondHtml(res, 400, errorPage(errorParam, errorDesc));
+            return;
+        }
+        if (!state) {
+            respondHtml(res, 400, errorPage("missing_params", "state not present in callback URL"));
+            return;
+        }
+        const flow = flows.get(state);
+        if (flow) {
+            flow.status = "error";
+            flow.errorMessage = "Outdated platform callback returned a code to the sidecar instead of posting a token.";
+        }
+        respondHtml(res, 400, errorPage("outdated_callback", "Skill Studio received an old callback shape. Click Sign in again so the platform can exchange the code securely."));
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/oauth/github/desktop-complete
+    //
+    // Browser-driven completion from verified-skill.com. UNAUTHENTICATED
+    // (no X-Studio-Token header) and CSRF-protected by the random in-memory
+    // state. The GitHub access token arrives in an application/x-www-form-urlencoded
+    // body, not in the URL, so it does not land in browser history.
+    // -------------------------------------------------------------------------
+    router.post("/api/oauth/github/desktop-complete", async (req, res) => {
+        const body = await readUrlEncodedBody(req);
+        const state = body.get("state");
+        const accessToken = body.get("github_token");
+        if (!state || !accessToken) {
+            respondHtml(res, 400, errorPage("missing_params", "state or github_token not present in callback body"));
+            return;
+        }
+        const flow = flows.get(state);
+        if (!flow) {
+            respondHtml(res, 400, errorPage("expired_or_unknown_state", "This sign-in attempt expired or was never started. Close this tab and click Sign in again from Skill Studio."));
+            return;
+        }
+        if (flow.expiresAt < Date.now()) {
+            flows.delete(state);
+            respondHtml(res, 400, errorPage("expired", "This sign-in attempt expired. Try again."));
+            return;
+        }
+        if (flow.status !== "pending") {
+            // Already consumed — defensive.
+            respondHtml(res, 200, alreadyDonePage());
+            return;
+        }
+        try {
+            await persistGithubToken(accessToken);
+            const user = await fetchUserProfile(accessToken);
+            flow.status = "ready";
+            flow.user = user;
+            respondHtml(res, 200, successPage(user.login));
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            flow.status = "error";
+            flow.errorMessage = msg;
+            // Log so a CI failure or upstream outage is visible in the sidecar log.
+            // eslint-disable-next-line no-console
+            console.error("[oauth-github] desktop completion failed:", msg);
+            respondHtml(res, 502, errorPage("completion_failed", msg));
+        }
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/oauth/github/status?state=...
+    //
+    // Poll endpoint for the studio UI. Returns the flow's current status so
+    // the React UserDropdown can transition from "Signing in…" to either
+    // signed-in or error.
+    // -------------------------------------------------------------------------
+    router.get("/api/oauth/github/status", async (req, res) => {
+        const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+        const state = url.searchParams.get("state");
+        if (!state) {
+            sendJson(res, { status: "error", error: "missing state" }, 400);
+            return;
+        }
+        const flow = flows.get(state);
+        if (!flow) {
+            sendJson(res, { status: "expired" }, 200);
+            return;
+        }
+        if (flow.expiresAt < Date.now()) {
+            flows.delete(state);
+            sendJson(res, { status: "expired" }, 200);
+            return;
+        }
+        if (flow.status === "ready") {
+            // Keep the flow around for a few more polls so a slow UI doesn't miss
+            // it, but mark it consumed so re-polls keep returning ready.
+            sendJson(res, { status: "ready", user: flow.user }, 200);
+            return;
+        }
+        if (flow.status === "error") {
+            sendJson(res, { status: "error", error: flow.errorMessage ?? "unknown error" }, 200);
+            return;
+        }
+        sendJson(res, { status: "pending" }, 200);
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/auth/me
+    //
+    // Returns the current signed-in user, looked up via the cached GitHub
+    // token in keychain/keys.env. Used by the studio UI on cold start to
+    // restore the signed-in chip without re-running the OAuth flow.
+    // -------------------------------------------------------------------------
+    router.get("/api/auth/me", async (_req, res) => {
+        try {
+            const mod = await import("../lib/keychain.js");
+            const kc = mod.createKeychain();
+            const token = kc.getGitHubToken();
+            if (!token) {
+                sendJson(res, { signedIn: false }, 200);
+                return;
+            }
+            try {
+                const user = await fetchUserProfile(token);
+                sendJson(res, { signedIn: true, user }, 200);
+            }
+            catch {
+                // Token present but invalid/expired — treat as signed-out so the UI
+                // doesn't get stuck. The next Sign in click will replace it.
+                sendJson(res, { signedIn: false, reason: "token_invalid" }, 200);
+            }
+        }
+        catch (err) {
+            sendJson(res, {
+                signedIn: false,
+                reason: "keychain_unavailable",
+                detail: err.message,
+            }, 200);
+        }
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/auth/sign-out
+    //
+    // Deletes the cached GitHub token. The next /api/auth/me will return
+    // signedIn=false. Idempotent.
+    // -------------------------------------------------------------------------
+    router.post("/api/auth/sign-out", async (_req, res) => {
+        try {
+            const mod = await import("../lib/keychain.js");
+            const kc = mod.createKeychain();
+            kc.clearGitHubToken();
+            sendJson(res, { ok: true }, 200);
+        }
+        catch (err) {
+            sendJson(res, { ok: false, error: err.message }, 500);
+        }
+    });
+}
+// ---------------------------------------------------------------------------
+// HTML responses for the browser-driven callback page
+// ---------------------------------------------------------------------------
+function respondHtml(res, status, html) {
+    res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+    res.end(html);
+}
+function successPage(login) {
+    const safeLogin = String(login).replace(/[<>&"]/g, (c) => ({
+        "<": "&lt;",
+        ">": "&gt;",
+        "&": "&amp;",
+        '"': "&quot;",
+    }[c]));
+    return `<!doctype html>
+<meta charset="utf-8">
+<title>Signed in — Skill Studio</title>
+<style>
+  body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+         margin: 0; padding: 2rem; display: grid; place-items: center;
+         min-height: 100vh; background: #fafafa; color: #1f2328; }
+  .card { max-width: 480px; padding: 2rem 2.5rem; background: white;
+          border-radius: 12px; border: 1px solid #d0d7de;
+          box-shadow: 0 8px 24px rgba(140,149,159,0.12); text-align: center; }
+  h1 { margin: 0 0 0.5rem; font-size: 1.5rem; font-weight: 600; }
+  p { margin: 0.5rem 0; line-height: 1.5; color: #57606a; }
+  code { background: #f6f8fa; padding: 0.125rem 0.375rem; border-radius: 4px;
+         font-family: ui-monospace, SFMono-Regular, monospace; }
+  .check { font-size: 3rem; margin-bottom: 1rem; }
+</style>
+<div class="card">
+  <div class="check">✓</div>
+  <h1>Signed in as <code>${safeLogin}</code></h1>
+  <p>You can close this tab and return to Skill Studio.</p>
+</div>
+<script>
+  // Try to auto-close. macOS Safari may block this; that's OK — the user can close manually.
+  setTimeout(() => { window.close(); }, 1500);
+</script>`;
+}
+function alreadyDonePage() {
+    return `<!doctype html>
+<meta charset="utf-8">
+<title>Sign-in already completed</title>
+<style>
+  body { font-family: -apple-system, sans-serif; margin: 0; padding: 2rem;
+         display: grid; place-items: center; min-height: 100vh;
+         background: #fafafa; color: #1f2328; }
+  .card { max-width: 480px; padding: 2rem 2.5rem; background: white;
+          border-radius: 12px; border: 1px solid #d0d7de; text-align: center; }
+</style>
+<div class="card">
+  <h1>Sign-in already completed</h1>
+  <p>You can close this tab.</p>
+</div>`;
+}
+function errorPage(error, description) {
+    const safe = (s) => String(s ?? "")
+        .replace(/[<>&"]/g, (c) => ({ "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;" }[c]));
+    return `<!doctype html>
+<meta charset="utf-8">
+<title>Sign-in failed — Skill Studio</title>
+<style>
+  body { font-family: -apple-system, sans-serif; margin: 0; padding: 2rem;
+         display: grid; place-items: center; min-height: 100vh;
+         background: #fafafa; color: #1f2328; }
+  .card { max-width: 520px; padding: 2rem 2.5rem; background: white;
+          border-radius: 12px; border: 1px solid #d0d7de;
+          box-shadow: 0 8px 24px rgba(140,149,159,0.12); text-align: center; }
+  h1 { margin: 0 0 0.5rem; font-size: 1.25rem; font-weight: 600; color: #cf222e; }
+  p { margin: 0.5rem 0; line-height: 1.5; color: #57606a; }
+  pre { background: #f6f8fa; padding: 0.75rem; border-radius: 6px;
+        font-family: ui-monospace, monospace; font-size: 0.8125rem;
+        text-align: left; overflow: auto; max-height: 200px; }
+</style>
+<div class="card">
+  <h1>Sign-in failed</h1>
+  <p><strong>${safe(error)}</strong></p>
+  ${description ? `<pre>${safe(description)}</pre>` : ""}
+  <p>Close this tab and try Sign in again from Skill Studio.</p>
+</div>`;
+}
+//# sourceMappingURL=oauth-github-routes.js.map

package/dist/eval-server/oauth-github-routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-github-routes.js","sourceRoot":"","sources":["../../src/eval-server/oauth-github-routes.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,qEAAqE;AACrE,EAAE;AACF,iEAAiE;AACjE,EAAE;AACF,8EAA8E;AAC9E,mDAAmD;AACnD,2EAA2E;AAC3E,0DAA0D;AAC1D,EAAE;AACF,yEAAyE;AACzE,2EAA2E;AAC3E,6EAA6E;AAC7E,8EAA8E;AAC9E,2EAA2E;AAC3E,4EAA4E;AAC5E,EAAE;AACF,yEAAyE;AACzE,oEAAoE;AACpE,2EAA2E;AAC3E,2EAA2E;AAC3E,+EAA+E;AAC/E,6EAA6E;AAC7E,EAAE;AACF,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,wEAAwE;AACxE,EAAE;AACF,QAAQ;AACR,wCAAwC;AACxC,yDAAyD;AACzD,8DAA8D;AAC9D,yCAAyC;AACzC,uEAAuE;AACvE,oDAAoD;AACpD,6EAA6E;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,yEAAyE;AACzE,yCAAyC;AACzC,4DAA4D;AAC5D,2DAA2D;AAC3D,uDAAuD;AACvD,4DAA4D;AAC5D,uDAAuD;AACvD,oDAAoD;AACpD,iDAAiD;AACjD,EAAE;AACF,wEAAwE;AACxE,0EAA0E;AAC1E,oEAAoE;AACpE,8EAA8E;AAE9E,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,uEAAuE;AACvE,8EAA8E;AAC9E,uEAAuE;AACvE,MAAM,sBAAsB,GAAG,sBAAsB,CAAC;AACtD,MAAM,oBAAoB,GAAG,0CAA0C,CAAC;AACxE,MAAM,eAAe,GAAG,6BAA6B,CAAC;AACtD,MAAM,eAAe,GAAG,2BAA2B,CAAC;AACpD,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAG,iCAAiC;AAChC,yCAAyC;AACjF,MAAM,oBAAoB,GAAG,EAAE,GAAG,IAAI,CAAC;AAEvC,4EAA4E;AAC5E,2EAA2E;AAC3E,yEAAyE;AACzE,iDAAiD;AACjD,MAAM,uBAAuB,GAAG,wDAAwD,CAAC;AAEzF,qEAAqE;AACrE,mDAAmD;AACnD,SAAS,cAAc;IACrB,OAAO,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,uBAAuB,CAAC;AACxE,CAAC;AAuBD,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;AAEhD,SAAS,cAAc;IACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,SAAS,GAAG,GAAG;YAAE,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,WAAW,CAAC,cAAc,EAAE,oBAAoB,CAAC,CAAC,KAAK,EAAE,CAAC;AAE1D,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED,SAAS,aAAa;IACpB,OAAO,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,CAAG,WAAW;AACxD,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,sBAAsB,CAAC,IAA0B;IACxD,OAAO,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,SAAS,YAAY,CAAC,GAAyB;IAC7C,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;IACpC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,CAAC;QACN,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpC,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK;YAAE,OAAO,CAAC,CAAC;IAC1D,CAAC;IACD,uEAAuE;IACvE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IAOjD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE;QACvC,OAAO,EAAE;YACP,eAAe,EAAE,SAAS,WAAW,EAAE;YACvC,QAAQ,EAAE,6BAA6B;YACvC,YAAY,EAAE,eAAe;SAC9B;KACF,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAC;IACF,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,SAAS,EAAE,IAAI,CAAC,UAAU;KAC3B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,kBAAkB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAC/C,MAAM,EAAE,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC;QAChC,EAAE,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QACzB,OAAO;IACT,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uEAAuE;QACvE,yEAAyE;QACzE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACvC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;QAC/C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACxC,IAAI,QAAQ,GAAG,EAAE,CAAC;QAClB,IAAI,CAAC;YAAC,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,WAAW,CAAC,CAAC;QACxE,0CAA0C;QAC1C,MAAM,KAAK,GAAG,QAAQ;aACnB,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;QACzF,KAAK,CAAC,IAAI,CAAC,sBAAsB,KAAK,EAAE,CAAC,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,gBAAgB,KAAK,EAAE,CAAC,CAAC;QACpC,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACjF,6CAA6C;QAC7C,sCAAsC;QACtC,OAAO,CAAC,IAAI,CAAC,kDAAmD,GAAa,CAAC,OAAO,YAAY,IAAI,UAAU,CAAC,CAAC;IACnH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,GAAyB;IACzD,MAAM,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC;IAChC,MAAM,UAAU,GAAG,MAAM,CAAC;IAC1B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC;QAC5C,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAsB,EAAE,EAAE;YACxC,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,IAAI,GAAG,aAAa,EAAE,CAAC;gBACzB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;gBAC5C,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,IAAI,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACtB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,yBAAyB,CAAC,MAAc;IACtD,4EAA4E;IAC5E,+BAA+B;IAC/B,EAAE;IACF,0EAA0E;IAC1E,wEAAwE;IACxE,yEAAyE;IACzE,4EAA4E;IAC5E,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxD,qEAAqE;QACrE,oEAAoE;QACpE,oEAAoE;QACpE,8DAA8D;QAC9D,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,KAAK,GAAG,GAAG,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QAEhD,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY;YACpC,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC9C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC;QAC9D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACnD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACzC,qEAAqE;QACrE,mEAAmE;QACnE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;QAEjD,QAAQ,CAAC,GAAG,EAAE;YACZ,KAAK;YACL,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE;YAC3B,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,CAAE,CAAC,SAAS;SACvC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,qDAAqD;IACrD,EAAE;IACF,4EAA4E;IAC5E,yEAAyE;IACzE,+CAA+C;IAC/C,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,4BAA4B,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC1D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QAE5D,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAC7C,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;gBACtB,IAAI,CAAC,YAAY,GAAG,GAAG,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAC1E,CAAC;YACD,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,gBAAgB,EAAE,mCAAmC,CAAC,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;YACtB,IAAI,CAAC,YAAY,GAAG,uFAAuF,CAAC;QAC9G,CAAC;QACD,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAC7B,mBAAmB,EACnB,kHAAkH,CACnH,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,0CAA0C;IAC1C,EAAE;IACF,qEAAqE;IACrE,wEAAwE;IACxE,iFAAiF;IACjF,gEAAgE;IAChE,4EAA4E;IAC5E,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACnE,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;YAC3B,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,gBAAgB,EAAE,oDAAoD,CAAC,CAAC,CAAC;YACzG,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,0BAA0B,EACxD,8GAA8G,CAAC,CAAC,CAAC;YACnH,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAChC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpB,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,SAAS,EAAE,0CAA0C,CAAC,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,gCAAgC;YAChC,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;YACtC,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;YACtB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;YACjB,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;YACtB,IAAI,CAAC,YAAY,GAAG,GAAG,CAAC;YACxB,wEAAwE;YACxE,sCAAsC;YACtC,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;YAChE,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,yCAAyC;IACzC,EAAE;IACF,wEAAwE;IACxE,qEAAqE;IACrE,sBAAsB;IACtB,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,QAAQ,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,GAAG,CAAC,CAAC;YAChE,OAAO;QACT,CAAC;QACD,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,QAAQ,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,GAAG,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAChC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpB,QAAQ,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,GAAG,CAAC,CAAC;YAC1C,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC5B,sEAAsE;YACtE,6DAA6D;YAC7D,QAAQ,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;YACzD,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC5B,QAAQ,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,IAAI,eAAe,EAAE,EAAE,GAAG,CAAC,CAAC;YACrF,OAAO;QACT,CAAC;QACD,QAAQ,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,mBAAmB;IACnB,EAAE;IACF,sEAAsE;IACtE,qEAAqE;IACrE,gEAAgE;IAChE,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QAC7C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;YAC/C,MAAM,EAAE,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,EAAE,CAAC,cAAc,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,QAAQ,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,GAAG,CAAC,CAAC;gBACxC,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;gBAC3C,QAAQ,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,oEAAoE;gBACpE,6DAA6D;gBAC7D,QAAQ,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,GAAG,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,GAAG,EAAE;gBACZ,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,sBAAsB;gBAC9B,MAAM,EAAG,GAAa,CAAC,OAAO;aAC/B,EAAE,GAAG,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4EAA4E;IAC5E,0BAA0B;IAC1B,EAAE;IACF,qEAAqE;IACrE,8BAA8B;IAC9B,4EAA4E;IAC5E,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;QACpD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;YAC/C,MAAM,EAAE,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC;YAChC,EAAE,CAAC,gBAAgB,EAAE,CAAC;YACtB,QAAQ,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,sDAAsD;AACtD,8EAA8E;AAE9E,SAAS,WAAW,CAAC,GAAwB,EAAE,MAAc,EAAE,IAAY;IACzE,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACtE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACzD,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,QAAQ;KACd,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC;IACR,OAAO;;;;;;;;;;;;;;;;;;2BAkBkB,SAAS;;;;;;UAM1B,CAAC;AACX,CAAC;AAED,SAAS,eAAe;IACtB,OAAO;;;;;;;;;;;;;OAaF,CAAC;AACR,CAAC;AAED,SAAS,SAAS,CAAC,KAAa,EAAE,WAA2B;IAC3D,MAAM,IAAI,GAAG,CAAC,CAA4B,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;SAC3D,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC;IAC9F,OAAO;;;;;;;;;;;;;;;;;;eAkBM,IAAI,CAAC,KAAK,CAAC;IACtB,WAAW,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;;OAEjD,CAAC;AACR,CAAC"}

package/dist/eval-server/platform-proxy.d.ts

@@ -2,7 +2,14 @@ import * as http from "node:http";
 export declare function getPlatformBaseUrl(): string;
 export declare function shouldProxyToPlatform(url: string | undefined): boolean;
 export declare function shouldInjectAuth(url: string | undefined): boolean;
-/** Test-only reset hook. */
+/**
+ * Public invalidation hook so callers (e.g. an HTTP control endpoint, or a
+ * future SIGUSR1 handler) can drop the cached token immediately on auth
+ * state changes. Tests use this to reset between cases as well.
+ */
+export declare function invalidatePlatformProxyTokenCache(): void;
+/** @deprecated Prefer `invalidatePlatformProxyTokenCache`. Kept for any
+ * existing test imports until they migrate. */
 export declare function _resetPlatformProxyAuthCacheForTests(): void;
 export interface PickHeadersOptions {
     /** Request path (e.g. "/api/v1/tenants/abc/skills"). */
@@ -19,6 +26,15 @@ export declare function pickHeadersForUpstream(src: http.IncomingHttpHeaders, op
  * Resolves once the proxy pipeline finishes (either side ended) — callers
  * can `await` to know the response has been written, but typical use is
  * fire-and-forget within an HTTP server handler.
+ *
+ * SSE diagnostic logging (0838 / AC-US1-02):
+ *   When `VSKILL_DEBUG_SSE=1`, every `text/event-stream`-shaped request emits
+ *     proxy.sse.start{requestId, upstreamUrl}  on dispatch
+ *     proxy.sse.end{requestId, status, durationMs}  on completion
+ *   AND the response gets `X-Request-Id: <requestId>` so client-side debug
+ *   logs (in useSkillUpdates) can be correlated with server-side logs.
+ *   When the flag is unset (or "0"), no per-request logs and no header
+ *   injection — preserves the production hot path.
  */
 export declare function proxyToPlatform(req: http.IncomingMessage, res: http.ServerResponse, baseUrl?: string): Promise<void>;
 export interface SubmitSkillUpdateEventInput {