@ait-co/devtools 0.1.56 → 0.1.57

package/dist/unplugin/index.js

@@ -131,12 +131,14 @@ const aitDevtoolsPlugin = createUnplugin((options) => {
 							console.warn("[@ait-co/devtools] tunnel: could not determine the dev server port; skipping.");
 							return;
 						}
-						import("../tunnel-Cj8g1LIL.js").then(async ({ startQuickTunnel, printTunnelBanner }) => {
+						import("../tunnel-CI61NvPI.js").then(async ({ startQuickTunnel, printTunnelBanner }) => {
 							const t = await startQuickTunnel(port);
 							tunnel = t;
 							let relayWssUrl;
 							if (tunnelConfig.cdp) try {
-								const { assertRelayAuthConfigured, buildRelayVerifyAuth } = await import("../totp-CxHsagqY.js");
+								const { ensureRelaySecret } = await import("../relay-secret-store-DqyUoeXy.js");
+								await ensureRelaySecret({ projectRoot: server.config.root });
+								const { assertRelayAuthConfigured, buildRelayVerifyAuth } = await import("../totp-BkP5yU2K.js");
 								assertRelayAuthConfigured();
 								const verifyAuth = buildRelayVerifyAuth();
 								const { startChiiRelay } = await import("../chii-relay-itXOz7kS.js");

package/dist/unplugin/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/unplugin/index.ts"],"sourcesContent":["/**\n * @ait-co/devtools unplugin\n *\n * 모든 주요 번들러를 지원하는 단일 플러그인.\n * @apps-in-toss/web-framework → @ait-co/devtools/mock 으로 alias 설정.\n *\n * Usage:\n *   import aitDevtools from '@ait-co/devtools/unplugin';\n *\n *   // Vite\n *   export default { plugins: [aitDevtools.vite()] };\n *\n *   // Webpack / Next.js\n *   config.plugins.push(aitDevtools.webpack());\n *\n *   // Rspack\n *   config.plugins.push(aitDevtools.rspack());\n *\n *   // esbuild\n *   { plugins: [aitDevtools.esbuild()] }\n *\n *   // Rollup\n *   { plugins: [aitDevtools.rollup()] }\n */\n\nimport { fileURLToPath } from 'node:url';\nimport { createUnplugin } from 'unplugin';\n\n/**\n * Resolve `@ait-co/devtools/mock` to its real file path at plugin-load time.\n *\n * Returning the bare specifier from `resolveId` would stop the bundler from\n * walking node_modules for it — Vite 8+ treats such a non-null string as the\n * final resolved id and serves it via the virtual `/@id/` prefix, which 404s\n * because we don't provide a `load` hook. Resolving to an absolute path here\n * lets every supported bundler load the file the normal way.\n */\nconst MOCK_PATH = (() => {\n  try {\n    return fileURLToPath(import.meta.resolve('@ait-co/devtools/mock'));\n  } catch {\n    // Fallback for runtimes where `import.meta.resolve` is unavailable.\n    return '@ait-co/devtools/mock';\n  }\n})();\n\nexport interface AitDevtoolsOptions {\n  /**\n   * 패널 자동 주입 여부 (default: true)\n   * true이면 진입점에 floating panel import를 자동 추가한다.\n   */\n  panel?: boolean;\n  /**\n   * production 환경에서도 devtools를 강제로 활성화 (default: false)\n   */\n  forceEnable?: boolean;\n  /**\n   * mock alias 활성화 여부. default: true (development), false (production + forceEnable)\n   */\n  mock?: boolean;\n  /**\n   * Vite dev server에 MCP state endpoint를 추가할지 여부 (default: false).\n   *\n   * `true`로 설정하면:\n   *  - GET  /api/ait-devtools/state  — 마지막으로 브라우저가 push한 mock state 스냅샷 반환\n   *  - POST /api/ait-devtools/state  — 브라우저 panel이 상태 변경 시 자동 push (panel 내부 처리)\n   *\n   * 이 endpoint를 `@ait-co/devtools` MCP stdio server가 읽어 AI 에이전트에 mock state를 노출한다.\n   * Vite 전용: webpack/rspack/esbuild/rollup 환경에서는 무시된다.\n   */\n  mcp?: boolean;\n  /**\n   * Vite dev 서버를 Cloudflare quick tunnel(`*.trycloudflare.com`, 계정 불필요)로\n   * 외부 노출해 실제 폰에서 미리보기. **Vite dev 모드 전용** — production은\n   * `forceEnable`이어도 터널을 띄우지 않는다 (의도치 않은 노출 방지). 다른 번들러는\n   * 무시. `true`면 기본 동작, 객체로 세부 설정 가능.\n   */\n  tunnel?:\n    | boolean\n    | {\n        /** 노출할 포트 (미지정 시 dev 서버가 실제 listen한 포트 자동 감지). */\n        port?: number;\n        /** 터미널 ASCII QR 출력 (default: true). */\n        qr?: boolean;\n        /**\n         * 환경 2(실기기 PWA)에 CDP 디버깅 배선 (default: false).\n         *\n         * `true`면 dev 서버 HTTP 터널과 **별도로** Chii relay를 띄우고 그 relay에\n         * 두 번째 quick tunnel을 붙여, launcher QR deep-link에 `&debug=1&relay=<wss>`를\n         * 실어 보낸다. 폰의 PWA iframe이 in-app debug gate를 통과해 target.js를 주입받고,\n         * AI host MCP가 그 relay에 client로 붙으면 실기기 WebKit 위에서 CDP 디버깅이 열린다.\n         * mock SDK는 그대로라 `call_sdk`는 환경 2에서 mock을 친다 (fidelity 사다리의\n         * 설계 의도 — SDK fidelity가 필요하면 환경 3로 올라간다).\n         */\n        cdp?: boolean;\n      };\n}\n\nconst FRAMEWORK_ID = '@apps-in-toss/web-framework';\nconst BRIDGE_ID = '@apps-in-toss/web-bridge'; // back-compat (2.x)\nconst ANALYTICS_ID = '@apps-in-toss/web-analytics'; // back-compat (2.x)\nconst WEBVIEW_BRIDGE_ID = '@apps-in-toss/webview-bridge'; // 3.0+\n\n/** MCP state endpoint path — browser panel POSTs here, MCP server GETs here */\nconst MCP_STATE_PATH = '/api/ait-devtools/state';\n\nconst aitDevtoolsPlugin = createUnplugin((options?: AitDevtoolsOptions) => {\n  const isDev = process.env.NODE_ENV !== 'production';\n  const shouldEnable = isDev || (options?.forceEnable ?? false);\n  const shouldMock = shouldEnable && (options?.mock ?? isDev);\n  const shouldPanel = shouldEnable && (options?.panel ?? true);\n  const shouldMcp = shouldEnable && (options?.mcp ?? false);\n\n  // In-memory store for the last state snapshot pushed by the browser panel.\n  // Only allocated when mcp: true to avoid any overhead in the common case.\n  let lastState: string | null = null;\n\n  // Tunnel is dev-only and Vite-only. Never under production — even with\n  // forceEnable — so a production build can't accidentally expose itself.\n  const tunnelOpt = options?.tunnel;\n  const shouldTunnel = isDev && !!tunnelOpt;\n  const tunnelConfig = typeof tunnelOpt === 'object' ? tunnelOpt : {};\n\n  return {\n    name: 'ait-co-devtools',\n    enforce: 'pre' as const,\n\n    resolveId(id: string) {\n      if (!shouldMock) return null;\n      // @apps-in-toss/web-framework → @ait-co/devtools/mock (absolute path)\n      if (\n        id === FRAMEWORK_ID ||\n        id === WEBVIEW_BRIDGE_ID ||\n        id === BRIDGE_ID ||\n        id === ANALYTICS_ID\n      ) {\n        return MOCK_PATH;\n      }\n      return null;\n    },\n\n    transformInclude(id: string) {\n      if (!shouldPanel) return false;\n      // 진입점 파일에만 패널 import를 주입\n      return (\n        /\\.(tsx?|jsx?)$/.test(id) &&\n        /\\/(main|index|entry|app)\\.[tj]sx?$/i.test(id) &&\n        !id.includes('node_modules')\n      );\n    },\n\n    transform(code: string) {\n      // transformInclude가 이미 shouldPanel을 확인하지만, 안전망으로 유지\n      if (!shouldPanel) return null;\n      // 이미 패널이 import 되어있으면 스킵\n      if (code.includes('@ait-co/devtools/panel')) return null;\n      // transformInclude가 진입점 파일만 통과시키므로 바로 prepend\n      return `import '@ait-co/devtools/panel';\\n${code}`;\n    },\n\n    // Vite-only: register the MCP state HTTP endpoint on the dev server, and\n    // optionally start a Cloudflare quick tunnel once the dev server is listening.\n    // Non-Vite bundlers do not have a dev server concept so this is silently\n    // skipped (unplugin passes `vite` key only when building for Vite).\n    vite: {\n      config() {\n        if (!shouldTunnel) return;\n        // Vite blocks requests whose Host header isn't in `server.allowedHosts`\n        // (defaults to localhost only). The quick-tunnel hostname is random per\n        // run, so allow the whole `.trycloudflare.com` suffix while the tunnel\n        // is on. (A leading `.` makes Vite match the domain and its subdomains.)\n        return { server: { allowedHosts: ['.trycloudflare.com'] } };\n      },\n\n      configureServer(server: import('vite').ViteDevServer) {\n        // MCP state endpoint: browser panel POSTs state here, MCP stdio server GETs it.\n        if (shouldMcp) {\n          server.middlewares.use(MCP_STATE_PATH, (req, res) => {\n            // Allow Claude Code / AI agents (running locally) to read state\n            res.setHeader('Access-Control-Allow-Origin', '*');\n            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');\n            res.setHeader('Access-Control-Allow-Headers', 'Content-Type');\n\n            if (req.method === 'OPTIONS') {\n              res.writeHead(204);\n              res.end();\n              return;\n            }\n\n            if (req.method === 'GET') {\n              if (lastState === null) {\n                res.writeHead(503, { 'Content-Type': 'application/json' });\n                res.end(\n                  JSON.stringify({\n                    error: 'No state received yet. Open the app in a browser first.',\n                  }),\n                );\n                return;\n              }\n              res.writeHead(200, { 'Content-Type': 'application/json' });\n              res.end(lastState);\n              return;\n            }\n\n            if (req.method === 'POST') {\n              const chunks: Buffer[] = [];\n              req.on('data', (chunk: Buffer) => chunks.push(chunk));\n              req.on('end', () => {\n                try {\n                  const body = Buffer.concat(chunks).toString('utf-8');\n                  // Validate it's parseable JSON before caching\n                  JSON.parse(body);\n                  lastState = body;\n                  res.writeHead(204);\n                  res.end();\n                } catch {\n                  res.writeHead(400, { 'Content-Type': 'application/json' });\n                  res.end(JSON.stringify({ error: 'Invalid JSON' }));\n                }\n              });\n              return;\n            }\n\n            res.writeHead(405, { 'Content-Type': 'application/json' });\n            res.end(JSON.stringify({ error: 'Method not allowed' }));\n          });\n        }\n\n        // Tunnel: start a Cloudflare quick tunnel once the dev server is listening.\n        if (shouldTunnel) {\n          let tunnel: { stop: () => void } | null = null;\n          // env-2 CDP wiring (tunnel.cdp): a second tunnel + Chii relay, torn\n          // down alongside the HTTP tunnel. Fire-and-forget close on teardown.\n          let relayTunnel: { stop: () => void } | null = null;\n          let relay: { close: () => Promise<void> } | null = null;\n          const httpServer = server.httpServer;\n\n          httpServer?.once('listening', () => {\n            const address = httpServer?.address();\n            const port =\n              tunnelConfig.port ??\n              (address && typeof address === 'object' ? address.port : undefined);\n            if (!port) {\n              console.warn(\n                '[@ait-co/devtools] tunnel: could not determine the dev server port; skipping.',\n              );\n              return;\n            }\n            // Dynamic import keeps `cloudflared` / `qrcode-terminal` off the\n            // module graph unless the tunnel is actually used.\n            import('./tunnel.js')\n              .then(async ({ startQuickTunnel, printTunnelBanner }) => {\n                const t = await startQuickTunnel(port);\n                tunnel = t;\n\n                // env-2 CDP: boot a Chii relay (OS-assigned local port) and a\n                // second quick tunnel to it. The relay's https tunnel URL becomes\n                // the `wss://` relay the launcher QR carries (&debug=1&relay=).\n                let relayWssUrl: string | undefined;\n                if (tunnelConfig.cdp) {\n                  try {\n                    // Relay-auth baseline (issue #250): the env-2 CDP relay is\n                    // reachable over a public `*.trycloudflare.com` tunnel, so a\n                    // configured TOTP secret is MANDATORY and the relay enforces\n                    // it on every WS upgrade. assertRelayAuthConfigured throws\n                    // when AIT_DEBUG_TOTP_SECRET is unset/weak — the catch below\n                    // then skips the relay entirely (no UNAUTHENTICATED relay is\n                    // ever exposed; screen preview still works).\n                    // SECRET-HANDLING: the guard/predicate never log the value.\n                    const { assertRelayAuthConfigured, buildRelayVerifyAuth } = await import(\n                      '../mcp/totp.js'\n                    );\n                    assertRelayAuthConfigured();\n                    const verifyAuth = buildRelayVerifyAuth();\n                    const { startChiiRelay } = await import('../mcp/chii-relay.js');\n                    const r = await startChiiRelay({ port: 0, verifyAuth });\n                    relay = r;\n                    const rt = await startQuickTunnel(r.port);\n                    relayTunnel = rt;\n                    relayWssUrl = rt.url.replace(/^https:/, 'wss:');\n                  } catch (err: unknown) {\n                    console.warn(\n                      `[@ait-co/devtools] tunnel: CDP relay not started — screen preview works without on-device debugging: ${\n                        err instanceof Error ? err.message : String(err)\n                      }`,\n                    );\n                  }\n                }\n\n                await printTunnelBanner(t.url, { qr: tunnelConfig.qr, relayWssUrl });\n              })\n              .catch((err: unknown) => {\n                console.warn(\n                  `[@ait-co/devtools] tunnel failed to start: ${\n                    err instanceof Error ? err.message : String(err)\n                  }`,\n                );\n              });\n          });\n\n          const cleanup = () => {\n            tunnel?.stop();\n            relayTunnel?.stop();\n            void relay?.close();\n          };\n          httpServer?.once('close', cleanup);\n          process.once('SIGINT', cleanup);\n          process.once('SIGTERM', cleanup);\n          process.once('exit', cleanup);\n        }\n      },\n    },\n  };\n});\n\nexport const vite = aitDevtoolsPlugin.vite;\nexport const webpack = aitDevtoolsPlugin.webpack;\nexport const rollup = aitDevtoolsPlugin.rollup;\nexport const esbuild = aitDevtoolsPlugin.esbuild;\nexport const rspack = aitDevtoolsPlugin.rspack;\n\nexport default aitDevtoolsPlugin;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCA,MAAM,mBAAmB;AACvB,KAAI;AACF,SAAO,cAAc,OAAO,KAAK,QAAQ,wBAAwB,CAAC;SAC5D;AAEN,SAAO;;IAEP;AAsDJ,MAAM,eAAe;AACrB,MAAM,YAAY;AAClB,MAAM,eAAe;AACrB,MAAM,oBAAoB;;AAG1B,MAAM,iBAAiB;AAEvB,MAAM,oBAAoB,gBAAgB,YAAiC;CACzE,MAAM,QAAQ,QAAQ,IAAI,aAAa;CACvC,MAAM,eAAe,UAAU,SAAS,eAAe;CACvD,MAAM,aAAa,iBAAiB,SAAS,QAAQ;CACrD,MAAM,cAAc,iBAAiB,SAAS,SAAS;CACvD,MAAM,YAAY,iBAAiB,SAAS,OAAO;CAInD,IAAI,YAA2B;CAI/B,MAAM,YAAY,SAAS;CAC3B,MAAM,eAAe,SAAS,CAAC,CAAC;CAChC,MAAM,eAAe,OAAO,cAAc,WAAW,YAAY,EAAE;AAEnE,QAAO;EACL,MAAM;EACN,SAAS;EAET,UAAU,IAAY;AACpB,OAAI,CAAC,WAAY,QAAO;AAExB,OACE,OAAO,gBACP,OAAO,qBACP,OAAO,aACP,OAAO,aAEP,QAAO;AAET,UAAO;;EAGT,iBAAiB,IAAY;AAC3B,OAAI,CAAC,YAAa,QAAO;AAEzB,UACE,iBAAiB,KAAK,GAAG,IACzB,sCAAsC,KAAK,GAAG,IAC9C,CAAC,GAAG,SAAS,eAAe;;EAIhC,UAAU,MAAc;AAEtB,OAAI,CAAC,YAAa,QAAO;AAEzB,OAAI,KAAK,SAAS,yBAAyB,CAAE,QAAO;AAEpD,UAAO,qCAAqC;;EAO9C,MAAM;GACJ,SAAS;AACP,QAAI,CAAC,aAAc;AAKnB,WAAO,EAAE,QAAQ,EAAE,cAAc,CAAC,qBAAqB,EAAE,EAAE;;GAG7D,gBAAgB,QAAsC;AAEpD,QAAI,UACF,QAAO,YAAY,IAAI,iBAAiB,KAAK,QAAQ;AAEnD,SAAI,UAAU,+BAA+B,IAAI;AACjD,SAAI,UAAU,gCAAgC,qBAAqB;AACnE,SAAI,UAAU,gCAAgC,eAAe;AAE7D,SAAI,IAAI,WAAW,WAAW;AAC5B,UAAI,UAAU,IAAI;AAClB,UAAI,KAAK;AACT;;AAGF,SAAI,IAAI,WAAW,OAAO;AACxB,UAAI,cAAc,MAAM;AACtB,WAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,WAAI,IACF,KAAK,UAAU,EACb,OAAO,2DACR,CAAC,CACH;AACD;;AAEF,UAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,UAAI,IAAI,UAAU;AAClB;;AAGF,SAAI,IAAI,WAAW,QAAQ;MACzB,MAAM,SAAmB,EAAE;AAC3B,UAAI,GAAG,SAAS,UAAkB,OAAO,KAAK,MAAM,CAAC;AACrD,UAAI,GAAG,aAAa;AAClB,WAAI;QACF,MAAM,OAAO,OAAO,OAAO,OAAO,CAAC,SAAS,QAAQ;AAEpD,aAAK,MAAM,KAAK;AAChB,oBAAY;AACZ,YAAI,UAAU,IAAI;AAClB,YAAI,KAAK;eACH;AACN,YAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,YAAI,IAAI,KAAK,UAAU,EAAE,OAAO,gBAAgB,CAAC,CAAC;;QAEpD;AACF;;AAGF,SAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,SAAI,IAAI,KAAK,UAAU,EAAE,OAAO,sBAAsB,CAAC,CAAC;MACxD;AAIJ,QAAI,cAAc;KAChB,IAAI,SAAsC;KAG1C,IAAI,cAA2C;KAC/C,IAAI,QAA+C;KACnD,MAAM,aAAa,OAAO;AAE1B,iBAAY,KAAK,mBAAmB;MAClC,MAAM,UAAU,YAAY,SAAS;MACrC,MAAM,OACJ,aAAa,SACZ,WAAW,OAAO,YAAY,WAAW,QAAQ,OAAO,KAAA;AAC3D,UAAI,CAAC,MAAM;AACT,eAAQ,KACN,gFACD;AACD;;AAIF,aAAO,yBACJ,KAAK,OAAO,EAAE,kBAAkB,wBAAwB;OACvD,MAAM,IAAI,MAAM,iBAAiB,KAAK;AACtC,gBAAS;OAKT,IAAI;AACJ,WAAI,aAAa,IACf,KAAI;QASF,MAAM,EAAE,2BAA2B,yBAAyB,MAAM,OAChE;AAEF,mCAA2B;QAC3B,MAAM,aAAa,sBAAsB;QACzC,MAAM,EAAE,mBAAmB,MAAM,OAAO;QACxC,MAAM,IAAI,MAAM,eAAe;SAAE,MAAM;SAAG;SAAY,CAAC;AACvD,gBAAQ;QACR,MAAM,KAAK,MAAM,iBAAiB,EAAE,KAAK;AACzC,sBAAc;AACd,sBAAc,GAAG,IAAI,QAAQ,WAAW,OAAO;gBACxC,KAAc;AACrB,gBAAQ,KACN,wGACE,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAEnD;;AAIL,aAAM,kBAAkB,EAAE,KAAK;QAAE,IAAI,aAAa;QAAI;QAAa,CAAC;QACpE,CACD,OAAO,QAAiB;AACvB,eAAQ,KACN,8CACE,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAEnD;QACD;OACJ;KAEF,MAAM,gBAAgB;AACpB,cAAQ,MAAM;AACd,mBAAa,MAAM;AACd,aAAO,OAAO;;AAErB,iBAAY,KAAK,SAAS,QAAQ;AAClC,aAAQ,KAAK,UAAU,QAAQ;AAC/B,aAAQ,KAAK,WAAW,QAAQ;AAChC,aAAQ,KAAK,QAAQ,QAAQ;;;GAGlC;EACF;EACD;AAEF,MAAa,OAAO,kBAAkB;AACtC,MAAa,UAAU,kBAAkB;AACzC,MAAa,SAAS,kBAAkB;AACxC,MAAa,UAAU,kBAAkB;AACzC,MAAa,SAAS,kBAAkB"}
+{"version":3,"file":"index.js","names":[],"sources":["../../src/unplugin/index.ts"],"sourcesContent":["/**\n * @ait-co/devtools unplugin\n *\n * 모든 주요 번들러를 지원하는 단일 플러그인.\n * @apps-in-toss/web-framework → @ait-co/devtools/mock 으로 alias 설정.\n *\n * Usage:\n *   import aitDevtools from '@ait-co/devtools/unplugin';\n *\n *   // Vite\n *   export default { plugins: [aitDevtools.vite()] };\n *\n *   // Webpack / Next.js\n *   config.plugins.push(aitDevtools.webpack());\n *\n *   // Rspack\n *   config.plugins.push(aitDevtools.rspack());\n *\n *   // esbuild\n *   { plugins: [aitDevtools.esbuild()] }\n *\n *   // Rollup\n *   { plugins: [aitDevtools.rollup()] }\n */\n\nimport { fileURLToPath } from 'node:url';\nimport { createUnplugin } from 'unplugin';\n\n/**\n * Resolve `@ait-co/devtools/mock` to its real file path at plugin-load time.\n *\n * Returning the bare specifier from `resolveId` would stop the bundler from\n * walking node_modules for it — Vite 8+ treats such a non-null string as the\n * final resolved id and serves it via the virtual `/@id/` prefix, which 404s\n * because we don't provide a `load` hook. Resolving to an absolute path here\n * lets every supported bundler load the file the normal way.\n */\nconst MOCK_PATH = (() => {\n  try {\n    return fileURLToPath(import.meta.resolve('@ait-co/devtools/mock'));\n  } catch {\n    // Fallback for runtimes where `import.meta.resolve` is unavailable.\n    return '@ait-co/devtools/mock';\n  }\n})();\n\nexport interface AitDevtoolsOptions {\n  /**\n   * 패널 자동 주입 여부 (default: true)\n   * true이면 진입점에 floating panel import를 자동 추가한다.\n   */\n  panel?: boolean;\n  /**\n   * production 환경에서도 devtools를 강제로 활성화 (default: false)\n   */\n  forceEnable?: boolean;\n  /**\n   * mock alias 활성화 여부. default: true (development), false (production + forceEnable)\n   */\n  mock?: boolean;\n  /**\n   * Vite dev server에 MCP state endpoint를 추가할지 여부 (default: false).\n   *\n   * `true`로 설정하면:\n   *  - GET  /api/ait-devtools/state  — 마지막으로 브라우저가 push한 mock state 스냅샷 반환\n   *  - POST /api/ait-devtools/state  — 브라우저 panel이 상태 변경 시 자동 push (panel 내부 처리)\n   *\n   * 이 endpoint를 `@ait-co/devtools` MCP stdio server가 읽어 AI 에이전트에 mock state를 노출한다.\n   * Vite 전용: webpack/rspack/esbuild/rollup 환경에서는 무시된다.\n   */\n  mcp?: boolean;\n  /**\n   * Vite dev 서버를 Cloudflare quick tunnel(`*.trycloudflare.com`, 계정 불필요)로\n   * 외부 노출해 실제 폰에서 미리보기. **Vite dev 모드 전용** — production은\n   * `forceEnable`이어도 터널을 띄우지 않는다 (의도치 않은 노출 방지). 다른 번들러는\n   * 무시. `true`면 기본 동작, 객체로 세부 설정 가능.\n   */\n  tunnel?:\n    | boolean\n    | {\n        /** 노출할 포트 (미지정 시 dev 서버가 실제 listen한 포트 자동 감지). */\n        port?: number;\n        /** 터미널 ASCII QR 출력 (default: true). */\n        qr?: boolean;\n        /**\n         * 환경 2(실기기 PWA)에 CDP 디버깅 배선 (default: false).\n         *\n         * `true`면 dev 서버 HTTP 터널과 **별도로** Chii relay를 띄우고 그 relay에\n         * 두 번째 quick tunnel을 붙여, launcher QR deep-link에 `&debug=1&relay=<wss>`를\n         * 실어 보낸다. 폰의 PWA iframe이 in-app debug gate를 통과해 target.js를 주입받고,\n         * AI host MCP가 그 relay에 client로 붙으면 실기기 WebKit 위에서 CDP 디버깅이 열린다.\n         * mock SDK는 그대로라 `call_sdk`는 환경 2에서 mock을 친다 (fidelity 사다리의\n         * 설계 의도 — SDK fidelity가 필요하면 환경 3로 올라간다).\n         */\n        cdp?: boolean;\n      };\n}\n\nconst FRAMEWORK_ID = '@apps-in-toss/web-framework';\nconst BRIDGE_ID = '@apps-in-toss/web-bridge'; // back-compat (2.x)\nconst ANALYTICS_ID = '@apps-in-toss/web-analytics'; // back-compat (2.x)\nconst WEBVIEW_BRIDGE_ID = '@apps-in-toss/webview-bridge'; // 3.0+\n\n/** MCP state endpoint path — browser panel POSTs here, MCP server GETs here */\nconst MCP_STATE_PATH = '/api/ait-devtools/state';\n\nconst aitDevtoolsPlugin = createUnplugin((options?: AitDevtoolsOptions) => {\n  const isDev = process.env.NODE_ENV !== 'production';\n  const shouldEnable = isDev || (options?.forceEnable ?? false);\n  const shouldMock = shouldEnable && (options?.mock ?? isDev);\n  const shouldPanel = shouldEnable && (options?.panel ?? true);\n  const shouldMcp = shouldEnable && (options?.mcp ?? false);\n\n  // In-memory store for the last state snapshot pushed by the browser panel.\n  // Only allocated when mcp: true to avoid any overhead in the common case.\n  let lastState: string | null = null;\n\n  // Tunnel is dev-only and Vite-only. Never under production — even with\n  // forceEnable — so a production build can't accidentally expose itself.\n  const tunnelOpt = options?.tunnel;\n  const shouldTunnel = isDev && !!tunnelOpt;\n  const tunnelConfig = typeof tunnelOpt === 'object' ? tunnelOpt : {};\n\n  return {\n    name: 'ait-co-devtools',\n    enforce: 'pre' as const,\n\n    resolveId(id: string) {\n      if (!shouldMock) return null;\n      // @apps-in-toss/web-framework → @ait-co/devtools/mock (absolute path)\n      if (\n        id === FRAMEWORK_ID ||\n        id === WEBVIEW_BRIDGE_ID ||\n        id === BRIDGE_ID ||\n        id === ANALYTICS_ID\n      ) {\n        return MOCK_PATH;\n      }\n      return null;\n    },\n\n    transformInclude(id: string) {\n      if (!shouldPanel) return false;\n      // 진입점 파일에만 패널 import를 주입\n      return (\n        /\\.(tsx?|jsx?)$/.test(id) &&\n        /\\/(main|index|entry|app)\\.[tj]sx?$/i.test(id) &&\n        !id.includes('node_modules')\n      );\n    },\n\n    transform(code: string) {\n      // transformInclude가 이미 shouldPanel을 확인하지만, 안전망으로 유지\n      if (!shouldPanel) return null;\n      // 이미 패널이 import 되어있으면 스킵\n      if (code.includes('@ait-co/devtools/panel')) return null;\n      // transformInclude가 진입점 파일만 통과시키므로 바로 prepend\n      return `import '@ait-co/devtools/panel';\\n${code}`;\n    },\n\n    // Vite-only: register the MCP state HTTP endpoint on the dev server, and\n    // optionally start a Cloudflare quick tunnel once the dev server is listening.\n    // Non-Vite bundlers do not have a dev server concept so this is silently\n    // skipped (unplugin passes `vite` key only when building for Vite).\n    vite: {\n      config() {\n        if (!shouldTunnel) return;\n        // Vite blocks requests whose Host header isn't in `server.allowedHosts`\n        // (defaults to localhost only). The quick-tunnel hostname is random per\n        // run, so allow the whole `.trycloudflare.com` suffix while the tunnel\n        // is on. (A leading `.` makes Vite match the domain and its subdomains.)\n        return { server: { allowedHosts: ['.trycloudflare.com'] } };\n      },\n\n      configureServer(server: import('vite').ViteDevServer) {\n        // MCP state endpoint: browser panel POSTs state here, MCP stdio server GETs it.\n        if (shouldMcp) {\n          server.middlewares.use(MCP_STATE_PATH, (req, res) => {\n            // Allow Claude Code / AI agents (running locally) to read state\n            res.setHeader('Access-Control-Allow-Origin', '*');\n            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');\n            res.setHeader('Access-Control-Allow-Headers', 'Content-Type');\n\n            if (req.method === 'OPTIONS') {\n              res.writeHead(204);\n              res.end();\n              return;\n            }\n\n            if (req.method === 'GET') {\n              if (lastState === null) {\n                res.writeHead(503, { 'Content-Type': 'application/json' });\n                res.end(\n                  JSON.stringify({\n                    error: 'No state received yet. Open the app in a browser first.',\n                  }),\n                );\n                return;\n              }\n              res.writeHead(200, { 'Content-Type': 'application/json' });\n              res.end(lastState);\n              return;\n            }\n\n            if (req.method === 'POST') {\n              const chunks: Buffer[] = [];\n              req.on('data', (chunk: Buffer) => chunks.push(chunk));\n              req.on('end', () => {\n                try {\n                  const body = Buffer.concat(chunks).toString('utf-8');\n                  // Validate it's parseable JSON before caching\n                  JSON.parse(body);\n                  lastState = body;\n                  res.writeHead(204);\n                  res.end();\n                } catch {\n                  res.writeHead(400, { 'Content-Type': 'application/json' });\n                  res.end(JSON.stringify({ error: 'Invalid JSON' }));\n                }\n              });\n              return;\n            }\n\n            res.writeHead(405, { 'Content-Type': 'application/json' });\n            res.end(JSON.stringify({ error: 'Method not allowed' }));\n          });\n        }\n\n        // Tunnel: start a Cloudflare quick tunnel once the dev server is listening.\n        if (shouldTunnel) {\n          let tunnel: { stop: () => void } | null = null;\n          // env-2 CDP wiring (tunnel.cdp): a second tunnel + Chii relay, torn\n          // down alongside the HTTP tunnel. Fire-and-forget close on teardown.\n          let relayTunnel: { stop: () => void } | null = null;\n          let relay: { close: () => Promise<void> } | null = null;\n          const httpServer = server.httpServer;\n\n          httpServer?.once('listening', () => {\n            const address = httpServer?.address();\n            const port =\n              tunnelConfig.port ??\n              (address && typeof address === 'object' ? address.port : undefined);\n            if (!port) {\n              console.warn(\n                '[@ait-co/devtools] tunnel: could not determine the dev server port; skipping.',\n              );\n              return;\n            }\n            // Dynamic import keeps `cloudflared` / `qrcode-terminal` off the\n            // module graph unless the tunnel is actually used.\n            import('./tunnel.js')\n              .then(async ({ startQuickTunnel, printTunnelBanner }) => {\n                const t = await startQuickTunnel(port);\n                tunnel = t;\n\n                // env-2 CDP: boot a Chii relay (OS-assigned local port) and a\n                // second quick tunnel to it. The relay's https tunnel URL becomes\n                // the `wss://` relay the launcher QR carries (&debug=1&relay=).\n                let relayWssUrl: string | undefined;\n                if (tunnelConfig.cdp) {\n                  try {\n                    // Relay-auth baseline (issue #250): the env-2 CDP relay is\n                    // reachable over a public `*.trycloudflare.com` tunnel, so a\n                    // configured TOTP secret is MANDATORY and the relay enforces\n                    // it on every WS upgrade.\n                    //\n                    // First-run auto-mint (issue #394, project-local #396): if\n                    // AIT_DEBUG_TOTP_SECRET is not yet set, ensureRelaySecret()\n                    // mints a 256-bit random secret, persists it to the project-\n                    // local file <project>/.ait_relay (0600, anchored at the\n                    // nearest package.json directory above server.config.root),\n                    // and injects it into process.env so the following\n                    // assertRelayAuthConfigured() call succeeds. On subsequent\n                    // runs the persisted value is loaded silently — no manual\n                    // export needed. The MCP daemon reads the SAME file read-only\n                    // via loadRelaySecretReadOnly() when switching to a relay env.\n                    // SECRET-HANDLING: neither ensureRelaySecret nor the\n                    // guard/predicate log the secret value.\n                    const { ensureRelaySecret } = await import('../mcp/relay-secret-store.js');\n                    await ensureRelaySecret({ projectRoot: server.config.root });\n                    const { assertRelayAuthConfigured, buildRelayVerifyAuth } = await import(\n                      '../mcp/totp.js'\n                    );\n                    assertRelayAuthConfigured();\n                    const verifyAuth = buildRelayVerifyAuth();\n                    const { startChiiRelay } = await import('../mcp/chii-relay.js');\n                    const r = await startChiiRelay({ port: 0, verifyAuth });\n                    relay = r;\n                    const rt = await startQuickTunnel(r.port);\n                    relayTunnel = rt;\n                    relayWssUrl = rt.url.replace(/^https:/, 'wss:');\n                  } catch (err: unknown) {\n                    console.warn(\n                      `[@ait-co/devtools] tunnel: CDP relay not started — screen preview works without on-device debugging: ${\n                        err instanceof Error ? err.message : String(err)\n                      }`,\n                    );\n                  }\n                }\n\n                await printTunnelBanner(t.url, { qr: tunnelConfig.qr, relayWssUrl });\n              })\n              .catch((err: unknown) => {\n                console.warn(\n                  `[@ait-co/devtools] tunnel failed to start: ${\n                    err instanceof Error ? err.message : String(err)\n                  }`,\n                );\n              });\n          });\n\n          const cleanup = () => {\n            tunnel?.stop();\n            relayTunnel?.stop();\n            void relay?.close();\n          };\n          httpServer?.once('close', cleanup);\n          process.once('SIGINT', cleanup);\n          process.once('SIGTERM', cleanup);\n          process.once('exit', cleanup);\n        }\n      },\n    },\n  };\n});\n\nexport const vite = aitDevtoolsPlugin.vite;\nexport const webpack = aitDevtoolsPlugin.webpack;\nexport const rollup = aitDevtoolsPlugin.rollup;\nexport const esbuild = aitDevtoolsPlugin.esbuild;\nexport const rspack = aitDevtoolsPlugin.rspack;\n\nexport default aitDevtoolsPlugin;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCA,MAAM,mBAAmB;AACvB,KAAI;AACF,SAAO,cAAc,OAAO,KAAK,QAAQ,wBAAwB,CAAC;SAC5D;AAEN,SAAO;;IAEP;AAsDJ,MAAM,eAAe;AACrB,MAAM,YAAY;AAClB,MAAM,eAAe;AACrB,MAAM,oBAAoB;;AAG1B,MAAM,iBAAiB;AAEvB,MAAM,oBAAoB,gBAAgB,YAAiC;CACzE,MAAM,QAAQ,QAAQ,IAAI,aAAa;CACvC,MAAM,eAAe,UAAU,SAAS,eAAe;CACvD,MAAM,aAAa,iBAAiB,SAAS,QAAQ;CACrD,MAAM,cAAc,iBAAiB,SAAS,SAAS;CACvD,MAAM,YAAY,iBAAiB,SAAS,OAAO;CAInD,IAAI,YAA2B;CAI/B,MAAM,YAAY,SAAS;CAC3B,MAAM,eAAe,SAAS,CAAC,CAAC;CAChC,MAAM,eAAe,OAAO,cAAc,WAAW,YAAY,EAAE;AAEnE,QAAO;EACL,MAAM;EACN,SAAS;EAET,UAAU,IAAY;AACpB,OAAI,CAAC,WAAY,QAAO;AAExB,OACE,OAAO,gBACP,OAAO,qBACP,OAAO,aACP,OAAO,aAEP,QAAO;AAET,UAAO;;EAGT,iBAAiB,IAAY;AAC3B,OAAI,CAAC,YAAa,QAAO;AAEzB,UACE,iBAAiB,KAAK,GAAG,IACzB,sCAAsC,KAAK,GAAG,IAC9C,CAAC,GAAG,SAAS,eAAe;;EAIhC,UAAU,MAAc;AAEtB,OAAI,CAAC,YAAa,QAAO;AAEzB,OAAI,KAAK,SAAS,yBAAyB,CAAE,QAAO;AAEpD,UAAO,qCAAqC;;EAO9C,MAAM;GACJ,SAAS;AACP,QAAI,CAAC,aAAc;AAKnB,WAAO,EAAE,QAAQ,EAAE,cAAc,CAAC,qBAAqB,EAAE,EAAE;;GAG7D,gBAAgB,QAAsC;AAEpD,QAAI,UACF,QAAO,YAAY,IAAI,iBAAiB,KAAK,QAAQ;AAEnD,SAAI,UAAU,+BAA+B,IAAI;AACjD,SAAI,UAAU,gCAAgC,qBAAqB;AACnE,SAAI,UAAU,gCAAgC,eAAe;AAE7D,SAAI,IAAI,WAAW,WAAW;AAC5B,UAAI,UAAU,IAAI;AAClB,UAAI,KAAK;AACT;;AAGF,SAAI,IAAI,WAAW,OAAO;AACxB,UAAI,cAAc,MAAM;AACtB,WAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,WAAI,IACF,KAAK,UAAU,EACb,OAAO,2DACR,CAAC,CACH;AACD;;AAEF,UAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,UAAI,IAAI,UAAU;AAClB;;AAGF,SAAI,IAAI,WAAW,QAAQ;MACzB,MAAM,SAAmB,EAAE;AAC3B,UAAI,GAAG,SAAS,UAAkB,OAAO,KAAK,MAAM,CAAC;AACrD,UAAI,GAAG,aAAa;AAClB,WAAI;QACF,MAAM,OAAO,OAAO,OAAO,OAAO,CAAC,SAAS,QAAQ;AAEpD,aAAK,MAAM,KAAK;AAChB,oBAAY;AACZ,YAAI,UAAU,IAAI;AAClB,YAAI,KAAK;eACH;AACN,YAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,YAAI,IAAI,KAAK,UAAU,EAAE,OAAO,gBAAgB,CAAC,CAAC;;QAEpD;AACF;;AAGF,SAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,SAAI,IAAI,KAAK,UAAU,EAAE,OAAO,sBAAsB,CAAC,CAAC;MACxD;AAIJ,QAAI,cAAc;KAChB,IAAI,SAAsC;KAG1C,IAAI,cAA2C;KAC/C,IAAI,QAA+C;KACnD,MAAM,aAAa,OAAO;AAE1B,iBAAY,KAAK,mBAAmB;MAClC,MAAM,UAAU,YAAY,SAAS;MACrC,MAAM,OACJ,aAAa,SACZ,WAAW,OAAO,YAAY,WAAW,QAAQ,OAAO,KAAA;AAC3D,UAAI,CAAC,MAAM;AACT,eAAQ,KACN,gFACD;AACD;;AAIF,aAAO,yBACJ,KAAK,OAAO,EAAE,kBAAkB,wBAAwB;OACvD,MAAM,IAAI,MAAM,iBAAiB,KAAK;AACtC,gBAAS;OAKT,IAAI;AACJ,WAAI,aAAa,IACf,KAAI;QAkBF,MAAM,EAAE,sBAAsB,MAAM,OAAO;AAC3C,cAAM,kBAAkB,EAAE,aAAa,OAAO,OAAO,MAAM,CAAC;QAC5D,MAAM,EAAE,2BAA2B,yBAAyB,MAAM,OAChE;AAEF,mCAA2B;QAC3B,MAAM,aAAa,sBAAsB;QACzC,MAAM,EAAE,mBAAmB,MAAM,OAAO;QACxC,MAAM,IAAI,MAAM,eAAe;SAAE,MAAM;SAAG;SAAY,CAAC;AACvD,gBAAQ;QACR,MAAM,KAAK,MAAM,iBAAiB,EAAE,KAAK;AACzC,sBAAc;AACd,sBAAc,GAAG,IAAI,QAAQ,WAAW,OAAO;gBACxC,KAAc;AACrB,gBAAQ,KACN,wGACE,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAEnD;;AAIL,aAAM,kBAAkB,EAAE,KAAK;QAAE,IAAI,aAAa;QAAI;QAAa,CAAC;QACpE,CACD,OAAO,QAAiB;AACvB,eAAQ,KACN,8CACE,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAEnD;QACD;OACJ;KAEF,MAAM,gBAAgB;AACpB,cAAQ,MAAM;AACd,mBAAa,MAAM;AACd,aAAO,OAAO;;AAErB,iBAAY,KAAK,SAAS,QAAQ;AAClC,aAAQ,KAAK,UAAU,QAAQ;AAC/B,aAAQ,KAAK,WAAW,QAAQ;AAChC,aAAQ,KAAK,QAAQ,QAAQ;;;GAGlC;EACF;EACD;AAEF,MAAa,OAAO,kBAAkB;AACtC,MAAa,UAAU,kBAAkB;AACzC,MAAa,SAAS,kBAAkB;AACxC,MAAa,UAAU,kBAAkB;AACzC,MAAa,SAAS,kBAAkB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ait-co/devtools",
-  "version": "0.1.56",
+  "version": "0.1.57",
   "description": "Development tools for Apps in Toss mini-apps — mock SDK, floating devtools panel, and universal bundler plugin",
   "type": "module",
   "engines": {

package/dist/totp-BkKP4m8H.cjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"totp-BkKP4m8H.cjs","names":[],"sources":["../src/mcp/totp.ts"],"sourcesContent":["/**\n * RFC 6238 TOTP implementation (Node.js, node:crypto only).\n *\n * External TOTP libraries (otplib, speakeasy, …) are intentionally NOT used\n * to keep the dependency surface minimal. This hand-roll is ~30 lines and\n * covers exactly what relay-side auth needs.\n *\n * Algorithm summary (RFC 6238 + RFC 4226):\n *   T  = floor(now / 30)          — 30-second time step counter\n *   K  = Buffer.from(secret, 'hex') — shared secret (raw bytes, hex-encoded)\n *   MAC = HMAC-SHA1(K, T as 8-byte big-endian uint64)\n *   offset = MAC[19] & 0x0f\n *   code = (MAC[offset..offset+4] & 0x7fffffff) % 10^6  — 6 digits\n *\n * Security note (keep this comment accurate):\n *   The baked-in secret in a dogfood build is extractable from the bundle by a\n *   determined reverse engineer. This mechanism raises the bar from\n *   \"anyone with the URL\" to \"URL + bundle extraction + live TOTP calculation\".\n *   Casual URL leaks (Slack paste, QR screenshot, shoulder-surfing) are\n *   blocked; deliberate reverse engineering is not. See threat model in\n *   src/mcp/chii-relay.ts and umbrella CLAUDE.md §4.\n *\n * SECRET-HANDLING: secret values and computed codes MUST NOT appear in any\n * log, error message, or string visible outside this module. Only boolean\n * pass/fail and reason enum values are safe to surface.\n */\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\n/** Time step window in seconds (RFC 6238 default). */\nconst TIME_STEP = 30;\n\n/** Number of digits in the generated code. */\nconst DIGITS = 6;\n\n/**\n * Derives a 6-digit TOTP code from a hex-encoded secret at the given wall-\n * clock time.\n *\n * @param secret - The shared secret as a hex string (e.g. 64 hex chars = 32\n *   bytes). Must be the output of `generateAttachToken()` or compatible.\n * @param when - Unix timestamp in milliseconds. Defaults to `Date.now()`.\n * @returns A zero-padded 6-digit decimal string, e.g. `\"042193\"`.\n */\nexport function generateTotp(secret: string, when: number = Date.now()): string {\n  const key = Buffer.from(secret, 'hex');\n  // Clamp to 0 so negative timestamps (e.g. in ±skew checks near epoch) do not\n  // produce a negative counter, which would cause writeUInt32BE to throw.\n  const counter = Math.max(0, Math.floor(when / 1000 / TIME_STEP));\n\n  // Encode counter as 8-byte big-endian unsigned integer.\n  const counterBuf = Buffer.alloc(8);\n  // JavaScript numbers are safe integers up to 2^53; counter is ~7.5×10^10 at\n  // year 9999 — well within safe range so standard bitwise ops are fine.\n  const hi = Math.floor(counter / 0x100000000);\n  const lo = counter >>> 0;\n  counterBuf.writeUInt32BE(hi, 0);\n  counterBuf.writeUInt32BE(lo, 4);\n\n  const mac = createHmac('sha1', key).update(counterBuf).digest();\n\n  // Dynamic truncation (RFC 4226 §5.4).\n  const offset = mac[19] & 0x0f;\n  const binCode =\n    ((mac[offset] & 0x7f) << 24) |\n    ((mac[offset + 1] & 0xff) << 16) |\n    ((mac[offset + 2] & 0xff) << 8) |\n    (mac[offset + 3] & 0xff);\n\n  const otp = binCode % 10 ** DIGITS;\n  return otp.toString().padStart(DIGITS, '0');\n}\n\n/**\n * Verifies a TOTP code against the secret, accepting ±`skew` time steps to\n * tolerate clock drift between the relay host and the client device.\n *\n * Uses `timingSafeEqual` for constant-time comparison to prevent timing\n * side-channel attacks.\n *\n * @param secret - Hex-encoded shared secret.\n * @param code - The 6-digit code to verify (string or numeric).\n * @param when - Unix timestamp in milliseconds. Defaults to `Date.now()`.\n * @param skew - Number of adjacent steps to accept on either side. Default 1\n *   (accepts T-1, T, T+1 — a 90-second acceptance window).\n * @returns `true` if the code matches any accepted step, `false` otherwise.\n */\nexport function verifyTotp(\n  secret: string,\n  code: string,\n  when: number = Date.now(),\n  skew: number = 1,\n): boolean {\n  const normalised = String(code).padStart(DIGITS, '0');\n  if (normalised.length !== DIGITS || !/^\\d{6}$/.test(normalised)) {\n    return false;\n  }\n\n  const candidateBuf = Buffer.from(normalised, 'utf8');\n\n  for (let delta = -skew; delta <= skew; delta++) {\n    const stepWhen = when + delta * TIME_STEP * 1000;\n    const expected = generateTotp(secret, stepWhen);\n    const expectedBuf = Buffer.from(expected, 'utf8');\n    if (timingSafeEqual(expectedBuf, candidateBuf)) {\n      return true;\n    }\n  }\n\n  return false;\n}\n\n/**\n * Minimum length (in hex characters) accepted for `AIT_DEBUG_TOTP_SECRET`.\n *\n * The secret is hex-encoded (see {@link generateTotp} — `Buffer.from(secret,\n * 'hex')`). 32 hex chars = 16 bytes = 128 bits, the floor for an HMAC-SHA1 key\n * we are willing to gate a public relay behind. `generateAttachToken()` emits\n * 64 hex chars (32 bytes), comfortably above this bar.\n */\nconst MIN_SECRET_HEX_CHARS = 32;\n\n/** Hex string: one or more hex digits, case-insensitive (RFC 4648 base16). */\nconst HEX_RE = /^[0-9a-fA-F]+$/;\n\n/**\n * Human-facing guidance printed when {@link assertRelayAuthConfigured} fails.\n *\n * SECRET-HANDLING: this message states only the REQUIREMENT (≥32 hex chars) and\n * how to mint one. It NEVER echoes the configured value, its length, or any\n * fragment derived from it — see {@link assertRelayAuthConfigured}.\n *\n * Note on encoding: the secret is hex (base16), not base32 — `generateTotp`\n * decodes it with `Buffer.from(secret, 'hex')`. A base32 string would be\n * silently mis-decoded and every TOTP code would fail to match, so the minting\n * command emits hex.\n */\nexport const RELAY_AUTH_SECRET_MISSING_MESSAGE = [\n  '[ait-debug] AIT_DEBUG_TOTP_SECRET이 필수입니다. 32자 이상 16진수(hex) 문자열을 설정하세요.',\n  '발급: openssl rand -hex 32',\n  '자세히: https://docs.aitc.dev/guides/relay-auth-totp',\n].join('\\n');\n\n/**\n * Whether `secret` is a well-formed relay-auth TOTP secret: a hex string of at\n * least {@link MIN_SECRET_HEX_CHARS} characters with an even length (an odd\n * length would have its trailing nibble silently dropped by `Buffer.from(...,\n * 'hex')`, weakening the key without warning).\n *\n * Pure predicate so callers can test the validation independently of the\n * fail-fast side effect in {@link assertRelayAuthConfigured}.\n *\n * SECRET-HANDLING: returns only a boolean — the input value is never returned,\n * logged, or echoed.\n */\nexport function isValidRelayAuthSecret(secret: string | undefined): secret is string {\n  if (secret === undefined || secret === '') return false;\n  if (secret.length < MIN_SECRET_HEX_CHARS) return false;\n  if (secret.length % 2 !== 0) return false;\n  return HEX_RE.test(secret);\n}\n\n/**\n * Fail-fast guard enforcing that a relay-auth TOTP secret is configured before\n * a public-internet-exposed relay is booted (issue #250).\n *\n * Relay-auth (the §4 Layer C TOTP gate) is the only fail-fast layer that closes\n * the real gap: a leaked `wss://…trycloudflare.com` URL otherwise lets a third\n * party attach a debugger to a dogfood/live mini-app. Without a secret the relay\n * comes up unauthenticated, so this guard is called at every relay-boot site —\n * `bootRelayFamily` (intoss env 3/4) and `bootExternalRelayFamily` (env-2 PWA),\n * both eager and lazy. Local-only sessions never boot a relay and so never reach\n * this guard, matching the issue's exemption for non-relay debugging.\n *\n * Throws when the secret is unset, empty, too short, or not a valid hex string.\n * The thrown message is the bin entry's fatal stderr (see `cli.ts` `main().catch`)\n * — the same fatal model as the missing-`AIT_RELAY_BASE_URL` path.\n *\n * SECRET-HANDLING: the env value is read once, passed ONLY to the boolean\n * predicate, and never logged. The thrown message names the requirement, never\n * the value, its length, or any derived fragment.\n *\n * @param env - Environment to read from. Defaults to `process.env`; injectable\n *   for tests so they never mutate the real process environment.\n */\nexport function assertRelayAuthConfigured(env: NodeJS.ProcessEnv = process.env): void {\n  if (!isValidRelayAuthSecret(env.AIT_DEBUG_TOTP_SECRET)) {\n    throw new Error(RELAY_AUTH_SECRET_MISSING_MESSAGE);\n  }\n}\n\n/**\n * Reads `AIT_DEBUG_TOTP_SECRET` from `process.env` at runtime and builds a\n * `verifyAuth` predicate for the Chii relay's WebSocket upgrade gate.\n *\n * The predicate checks the `at` query parameter against the current and\n * adjacent TOTP time steps (±1 skew) using {@link verifyTotp}.\n *\n * Returns `undefined` when the env var is not set — callers treat that as\n * \"auth disabled\" (no predicate registered on the relay). Note that since\n * issue #250 the secret is MANDATORY at every relay-boot site (enforced by\n * {@link assertRelayAuthConfigured} BEFORE the relay starts), so in production\n * this never returns `undefined` for a relay that actually boots; the\n * `undefined` branch only matters for the no-relay local path and tests.\n *\n * Lives here (not in the MCP server) so the unplugin's env-2 relay can wire the\n * same gate without importing the heavy MCP server module graph. Re-exported\n * from `debug-server.ts` for back-compat.\n *\n * SECRET-HANDLING: The secret value read from env is captured in a closure and\n * is NEVER written to any log, error message, or process output.\n */\nexport function buildRelayVerifyAuth(\n  env: NodeJS.ProcessEnv = process.env,\n): ((req: import('node:http').IncomingMessage) => boolean) | undefined {\n  const secret = env.AIT_DEBUG_TOTP_SECRET;\n  if (!secret) return undefined;\n\n  return (req) => {\n    // Parse the `at` query param from the upgrade request URL.\n    // req.url is the raw request path + query, e.g. `/client/id?target=…&at=123456`\n    const rawUrl = req.url ?? '';\n    const qIndex = rawUrl.indexOf('?');\n    const queryStr = qIndex === -1 ? '' : rawUrl.slice(qIndex + 1);\n    const params = new URLSearchParams(queryStr);\n    const code = params.get('at') ?? '';\n\n    // Do NOT log `code`, `secret`, or any derived value here.\n    return verifyTotp(secret, code);\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,MAAM,YAAY;;AAGlB,MAAM,SAAS;;;;;;;;;;AAWf,SAAgB,aAAa,QAAgB,OAAe,KAAK,KAAK,EAAU;CAC9E,MAAM,MAAM,OAAO,KAAK,QAAQ,MAAM;CAGtC,MAAM,UAAU,KAAK,IAAI,GAAG,KAAK,MAAM,OAAO,MAAO,UAAU,CAAC;CAGhE,MAAM,aAAa,OAAO,MAAM,EAAE;CAGlC,MAAM,KAAK,KAAK,MAAM,UAAU,WAAY;CAC5C,MAAM,KAAK,YAAY;AACvB,YAAW,cAAc,IAAI,EAAE;AAC/B,YAAW,cAAc,IAAI,EAAE;CAE/B,MAAM,OAAA,GAAA,YAAA,YAAiB,QAAQ,IAAI,CAAC,OAAO,WAAW,CAAC,QAAQ;CAG/D,MAAM,SAAS,IAAI,MAAM;AAQzB,WANI,IAAI,UAAU,QAAS,MACvB,IAAI,SAAS,KAAK,QAAS,MAC3B,IAAI,SAAS,KAAK,QAAS,IAC5B,IAAI,SAAS,KAAK,OAEC,MAAM,QACjB,UAAU,CAAC,SAAS,QAAQ,IAAI;;;;;;;;;;;;;;;;AAiB7C,SAAgB,WACd,QACA,MACA,OAAe,KAAK,KAAK,EACzB,OAAe,GACN;CACT,MAAM,aAAa,OAAO,KAAK,CAAC,SAAS,QAAQ,IAAI;AACrD,KAAI,WAAW,WAAW,UAAU,CAAC,UAAU,KAAK,WAAW,CAC7D,QAAO;CAGT,MAAM,eAAe,OAAO,KAAK,YAAY,OAAO;AAEpD,MAAK,IAAI,QAAQ,CAAC,MAAM,SAAS,MAAM,SAAS;EAE9C,MAAM,WAAW,aAAa,QADb,OAAO,QAAQ,YAAY,IACG;AAE/C,OAAA,GAAA,YAAA,iBADoB,OAAO,KAAK,UAAU,OAAO,EAChB,aAAa,CAC5C,QAAO;;AAIX,QAAO;;;;;;;;;;AAWT,MAAM,uBAAuB;;AAG7B,MAAM,SAAS;;;;;;;;;;;;;AAcf,MAAa,oCAAoC;CAC/C;CACA;CACA;CACD,CAAC,KAAK,KAAK;;;;;;;;;;;;;AAcZ,SAAgB,uBAAuB,QAA8C;AACnF,KAAI,WAAW,KAAA,KAAa,WAAW,GAAI,QAAO;AAClD,KAAI,OAAO,SAAS,qBAAsB,QAAO;AACjD,KAAI,OAAO,SAAS,MAAM,EAAG,QAAO;AACpC,QAAO,OAAO,KAAK,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;AA0B5B,SAAgB,0BAA0B,MAAyB,QAAQ,KAAW;AACpF,KAAI,CAAC,uBAAuB,IAAI,sBAAsB,CACpD,OAAM,IAAI,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;;;;;AAyBtD,SAAgB,qBACd,MAAyB,QAAQ,KACoC;CACrE,MAAM,SAAS,IAAI;AACnB,KAAI,CAAC,OAAQ,QAAO,KAAA;AAEpB,SAAQ,QAAQ;EAGd,MAAM,SAAS,IAAI,OAAO;EAC1B,MAAM,SAAS,OAAO,QAAQ,IAAI;EAClC,MAAM,WAAW,WAAW,KAAK,KAAK,OAAO,MAAM,SAAS,EAAE;AAK9D,SAAO,WAAW,QAJH,IAAI,gBAAgB,SAAS,CACxB,IAAI,KAAK,IAAI,GAGF"}

package/dist/totp-CxHsagqY.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"totp-CxHsagqY.js","names":[],"sources":["../src/mcp/totp.ts"],"sourcesContent":["/**\n * RFC 6238 TOTP implementation (Node.js, node:crypto only).\n *\n * External TOTP libraries (otplib, speakeasy, …) are intentionally NOT used\n * to keep the dependency surface minimal. This hand-roll is ~30 lines and\n * covers exactly what relay-side auth needs.\n *\n * Algorithm summary (RFC 6238 + RFC 4226):\n *   T  = floor(now / 30)          — 30-second time step counter\n *   K  = Buffer.from(secret, 'hex') — shared secret (raw bytes, hex-encoded)\n *   MAC = HMAC-SHA1(K, T as 8-byte big-endian uint64)\n *   offset = MAC[19] & 0x0f\n *   code = (MAC[offset..offset+4] & 0x7fffffff) % 10^6  — 6 digits\n *\n * Security note (keep this comment accurate):\n *   The baked-in secret in a dogfood build is extractable from the bundle by a\n *   determined reverse engineer. This mechanism raises the bar from\n *   \"anyone with the URL\" to \"URL + bundle extraction + live TOTP calculation\".\n *   Casual URL leaks (Slack paste, QR screenshot, shoulder-surfing) are\n *   blocked; deliberate reverse engineering is not. See threat model in\n *   src/mcp/chii-relay.ts and umbrella CLAUDE.md §4.\n *\n * SECRET-HANDLING: secret values and computed codes MUST NOT appear in any\n * log, error message, or string visible outside this module. Only boolean\n * pass/fail and reason enum values are safe to surface.\n */\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\n/** Time step window in seconds (RFC 6238 default). */\nconst TIME_STEP = 30;\n\n/** Number of digits in the generated code. */\nconst DIGITS = 6;\n\n/**\n * Derives a 6-digit TOTP code from a hex-encoded secret at the given wall-\n * clock time.\n *\n * @param secret - The shared secret as a hex string (e.g. 64 hex chars = 32\n *   bytes). Must be the output of `generateAttachToken()` or compatible.\n * @param when - Unix timestamp in milliseconds. Defaults to `Date.now()`.\n * @returns A zero-padded 6-digit decimal string, e.g. `\"042193\"`.\n */\nexport function generateTotp(secret: string, when: number = Date.now()): string {\n  const key = Buffer.from(secret, 'hex');\n  // Clamp to 0 so negative timestamps (e.g. in ±skew checks near epoch) do not\n  // produce a negative counter, which would cause writeUInt32BE to throw.\n  const counter = Math.max(0, Math.floor(when / 1000 / TIME_STEP));\n\n  // Encode counter as 8-byte big-endian unsigned integer.\n  const counterBuf = Buffer.alloc(8);\n  // JavaScript numbers are safe integers up to 2^53; counter is ~7.5×10^10 at\n  // year 9999 — well within safe range so standard bitwise ops are fine.\n  const hi = Math.floor(counter / 0x100000000);\n  const lo = counter >>> 0;\n  counterBuf.writeUInt32BE(hi, 0);\n  counterBuf.writeUInt32BE(lo, 4);\n\n  const mac = createHmac('sha1', key).update(counterBuf).digest();\n\n  // Dynamic truncation (RFC 4226 §5.4).\n  const offset = mac[19] & 0x0f;\n  const binCode =\n    ((mac[offset] & 0x7f) << 24) |\n    ((mac[offset + 1] & 0xff) << 16) |\n    ((mac[offset + 2] & 0xff) << 8) |\n    (mac[offset + 3] & 0xff);\n\n  const otp = binCode % 10 ** DIGITS;\n  return otp.toString().padStart(DIGITS, '0');\n}\n\n/**\n * Verifies a TOTP code against the secret, accepting ±`skew` time steps to\n * tolerate clock drift between the relay host and the client device.\n *\n * Uses `timingSafeEqual` for constant-time comparison to prevent timing\n * side-channel attacks.\n *\n * @param secret - Hex-encoded shared secret.\n * @param code - The 6-digit code to verify (string or numeric).\n * @param when - Unix timestamp in milliseconds. Defaults to `Date.now()`.\n * @param skew - Number of adjacent steps to accept on either side. Default 1\n *   (accepts T-1, T, T+1 — a 90-second acceptance window).\n * @returns `true` if the code matches any accepted step, `false` otherwise.\n */\nexport function verifyTotp(\n  secret: string,\n  code: string,\n  when: number = Date.now(),\n  skew: number = 1,\n): boolean {\n  const normalised = String(code).padStart(DIGITS, '0');\n  if (normalised.length !== DIGITS || !/^\\d{6}$/.test(normalised)) {\n    return false;\n  }\n\n  const candidateBuf = Buffer.from(normalised, 'utf8');\n\n  for (let delta = -skew; delta <= skew; delta++) {\n    const stepWhen = when + delta * TIME_STEP * 1000;\n    const expected = generateTotp(secret, stepWhen);\n    const expectedBuf = Buffer.from(expected, 'utf8');\n    if (timingSafeEqual(expectedBuf, candidateBuf)) {\n      return true;\n    }\n  }\n\n  return false;\n}\n\n/**\n * Minimum length (in hex characters) accepted for `AIT_DEBUG_TOTP_SECRET`.\n *\n * The secret is hex-encoded (see {@link generateTotp} — `Buffer.from(secret,\n * 'hex')`). 32 hex chars = 16 bytes = 128 bits, the floor for an HMAC-SHA1 key\n * we are willing to gate a public relay behind. `generateAttachToken()` emits\n * 64 hex chars (32 bytes), comfortably above this bar.\n */\nconst MIN_SECRET_HEX_CHARS = 32;\n\n/** Hex string: one or more hex digits, case-insensitive (RFC 4648 base16). */\nconst HEX_RE = /^[0-9a-fA-F]+$/;\n\n/**\n * Human-facing guidance printed when {@link assertRelayAuthConfigured} fails.\n *\n * SECRET-HANDLING: this message states only the REQUIREMENT (≥32 hex chars) and\n * how to mint one. It NEVER echoes the configured value, its length, or any\n * fragment derived from it — see {@link assertRelayAuthConfigured}.\n *\n * Note on encoding: the secret is hex (base16), not base32 — `generateTotp`\n * decodes it with `Buffer.from(secret, 'hex')`. A base32 string would be\n * silently mis-decoded and every TOTP code would fail to match, so the minting\n * command emits hex.\n */\nexport const RELAY_AUTH_SECRET_MISSING_MESSAGE = [\n  '[ait-debug] AIT_DEBUG_TOTP_SECRET이 필수입니다. 32자 이상 16진수(hex) 문자열을 설정하세요.',\n  '발급: openssl rand -hex 32',\n  '자세히: https://docs.aitc.dev/guides/relay-auth-totp',\n].join('\\n');\n\n/**\n * Whether `secret` is a well-formed relay-auth TOTP secret: a hex string of at\n * least {@link MIN_SECRET_HEX_CHARS} characters with an even length (an odd\n * length would have its trailing nibble silently dropped by `Buffer.from(...,\n * 'hex')`, weakening the key without warning).\n *\n * Pure predicate so callers can test the validation independently of the\n * fail-fast side effect in {@link assertRelayAuthConfigured}.\n *\n * SECRET-HANDLING: returns only a boolean — the input value is never returned,\n * logged, or echoed.\n */\nexport function isValidRelayAuthSecret(secret: string | undefined): secret is string {\n  if (secret === undefined || secret === '') return false;\n  if (secret.length < MIN_SECRET_HEX_CHARS) return false;\n  if (secret.length % 2 !== 0) return false;\n  return HEX_RE.test(secret);\n}\n\n/**\n * Fail-fast guard enforcing that a relay-auth TOTP secret is configured before\n * a public-internet-exposed relay is booted (issue #250).\n *\n * Relay-auth (the §4 Layer C TOTP gate) is the only fail-fast layer that closes\n * the real gap: a leaked `wss://…trycloudflare.com` URL otherwise lets a third\n * party attach a debugger to a dogfood/live mini-app. Without a secret the relay\n * comes up unauthenticated, so this guard is called at every relay-boot site —\n * `bootRelayFamily` (intoss env 3/4) and `bootExternalRelayFamily` (env-2 PWA),\n * both eager and lazy. Local-only sessions never boot a relay and so never reach\n * this guard, matching the issue's exemption for non-relay debugging.\n *\n * Throws when the secret is unset, empty, too short, or not a valid hex string.\n * The thrown message is the bin entry's fatal stderr (see `cli.ts` `main().catch`)\n * — the same fatal model as the missing-`AIT_RELAY_BASE_URL` path.\n *\n * SECRET-HANDLING: the env value is read once, passed ONLY to the boolean\n * predicate, and never logged. The thrown message names the requirement, never\n * the value, its length, or any derived fragment.\n *\n * @param env - Environment to read from. Defaults to `process.env`; injectable\n *   for tests so they never mutate the real process environment.\n */\nexport function assertRelayAuthConfigured(env: NodeJS.ProcessEnv = process.env): void {\n  if (!isValidRelayAuthSecret(env.AIT_DEBUG_TOTP_SECRET)) {\n    throw new Error(RELAY_AUTH_SECRET_MISSING_MESSAGE);\n  }\n}\n\n/**\n * Reads `AIT_DEBUG_TOTP_SECRET` from `process.env` at runtime and builds a\n * `verifyAuth` predicate for the Chii relay's WebSocket upgrade gate.\n *\n * The predicate checks the `at` query parameter against the current and\n * adjacent TOTP time steps (±1 skew) using {@link verifyTotp}.\n *\n * Returns `undefined` when the env var is not set — callers treat that as\n * \"auth disabled\" (no predicate registered on the relay). Note that since\n * issue #250 the secret is MANDATORY at every relay-boot site (enforced by\n * {@link assertRelayAuthConfigured} BEFORE the relay starts), so in production\n * this never returns `undefined` for a relay that actually boots; the\n * `undefined` branch only matters for the no-relay local path and tests.\n *\n * Lives here (not in the MCP server) so the unplugin's env-2 relay can wire the\n * same gate without importing the heavy MCP server module graph. Re-exported\n * from `debug-server.ts` for back-compat.\n *\n * SECRET-HANDLING: The secret value read from env is captured in a closure and\n * is NEVER written to any log, error message, or process output.\n */\nexport function buildRelayVerifyAuth(\n  env: NodeJS.ProcessEnv = process.env,\n): ((req: import('node:http').IncomingMessage) => boolean) | undefined {\n  const secret = env.AIT_DEBUG_TOTP_SECRET;\n  if (!secret) return undefined;\n\n  return (req) => {\n    // Parse the `at` query param from the upgrade request URL.\n    // req.url is the raw request path + query, e.g. `/client/id?target=…&at=123456`\n    const rawUrl = req.url ?? '';\n    const qIndex = rawUrl.indexOf('?');\n    const queryStr = qIndex === -1 ? '' : rawUrl.slice(qIndex + 1);\n    const params = new URLSearchParams(queryStr);\n    const code = params.get('at') ?? '';\n\n    // Do NOT log `code`, `secret`, or any derived value here.\n    return verifyTotp(secret, code);\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,MAAM,YAAY;;AAGlB,MAAM,SAAS;;;;;;;;;;AAWf,SAAgB,aAAa,QAAgB,OAAe,KAAK,KAAK,EAAU;CAC9E,MAAM,MAAM,OAAO,KAAK,QAAQ,MAAM;CAGtC,MAAM,UAAU,KAAK,IAAI,GAAG,KAAK,MAAM,OAAO,MAAO,UAAU,CAAC;CAGhE,MAAM,aAAa,OAAO,MAAM,EAAE;CAGlC,MAAM,KAAK,KAAK,MAAM,UAAU,WAAY;CAC5C,MAAM,KAAK,YAAY;AACvB,YAAW,cAAc,IAAI,EAAE;AAC/B,YAAW,cAAc,IAAI,EAAE;CAE/B,MAAM,MAAM,WAAW,QAAQ,IAAI,CAAC,OAAO,WAAW,CAAC,QAAQ;CAG/D,MAAM,SAAS,IAAI,MAAM;AAQzB,WANI,IAAI,UAAU,QAAS,MACvB,IAAI,SAAS,KAAK,QAAS,MAC3B,IAAI,SAAS,KAAK,QAAS,IAC5B,IAAI,SAAS,KAAK,OAEC,MAAM,QACjB,UAAU,CAAC,SAAS,QAAQ,IAAI;;;;;;;;;;;;;;;;AAiB7C,SAAgB,WACd,QACA,MACA,OAAe,KAAK,KAAK,EACzB,OAAe,GACN;CACT,MAAM,aAAa,OAAO,KAAK,CAAC,SAAS,QAAQ,IAAI;AACrD,KAAI,WAAW,WAAW,UAAU,CAAC,UAAU,KAAK,WAAW,CAC7D,QAAO;CAGT,MAAM,eAAe,OAAO,KAAK,YAAY,OAAO;AAEpD,MAAK,IAAI,QAAQ,CAAC,MAAM,SAAS,MAAM,SAAS;EAE9C,MAAM,WAAW,aAAa,QADb,OAAO,QAAQ,YAAY,IACG;AAE/C,MAAI,gBADgB,OAAO,KAAK,UAAU,OAAO,EAChB,aAAa,CAC5C,QAAO;;AAIX,QAAO;;;;;;;;;;AAWT,MAAM,uBAAuB;;AAG7B,MAAM,SAAS;;;;;;;;;;;;;AAcf,MAAa,oCAAoC;CAC/C;CACA;CACA;CACD,CAAC,KAAK,KAAK;;;;;;;;;;;;;AAcZ,SAAgB,uBAAuB,QAA8C;AACnF,KAAI,WAAW,KAAA,KAAa,WAAW,GAAI,QAAO;AAClD,KAAI,OAAO,SAAS,qBAAsB,QAAO;AACjD,KAAI,OAAO,SAAS,MAAM,EAAG,QAAO;AACpC,QAAO,OAAO,KAAK,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;AA0B5B,SAAgB,0BAA0B,MAAyB,QAAQ,KAAW;AACpF,KAAI,CAAC,uBAAuB,IAAI,sBAAsB,CACpD,OAAM,IAAI,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;;;;;AAyBtD,SAAgB,qBACd,MAAyB,QAAQ,KACoC;CACrE,MAAM,SAAS,IAAI;AACnB,KAAI,CAAC,OAAQ,QAAO,KAAA;AAEpB,SAAQ,QAAQ;EAGd,MAAM,SAAS,IAAI,OAAO;EAC1B,MAAM,SAAS,OAAO,QAAQ,IAAI;EAClC,MAAM,WAAW,WAAW,KAAK,KAAK,OAAO,MAAM,SAAS,EAAE;AAK9D,SAAO,WAAW,QAJH,IAAI,gBAAgB,SAAS,CACxB,IAAI,KAAK,IAAI,GAGF"}