npm - @bazaar.ai/mcp-human-agents - Versions diffs - 0.1.0 - Mend

@bazaar.ai/mcp-human-agents 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (259) hide show

package/.env.example +15 -0
package/README.md +178 -0
package/dist/mcp-server/src/bin.d.ts +3 -0
package/dist/mcp-server/src/bin.d.ts.map +1 -0
package/dist/mcp-server/src/bin.js +10 -0
package/dist/mcp-server/src/bin.js.map +1 -0
package/dist/mcp-server/src/cli/setup.d.ts +2 -0
package/dist/mcp-server/src/cli/setup.d.ts.map +1 -0
package/dist/mcp-server/src/cli/setup.js +274 -0
package/dist/mcp-server/src/cli/setup.js.map +1 -0
package/dist/mcp-server/src/config/defaults.d.ts +16 -0
package/dist/mcp-server/src/config/defaults.d.ts.map +1 -0
package/dist/mcp-server/src/config/defaults.js +19 -0
package/dist/mcp-server/src/config/defaults.js.map +1 -0
package/dist/mcp-server/src/config/env.d.ts +73 -0
package/dist/mcp-server/src/config/env.d.ts.map +1 -0
package/dist/mcp-server/src/config/env.js +72 -0
package/dist/mcp-server/src/config/env.js.map +1 -0
package/dist/mcp-server/src/config/index.d.ts +3 -0
package/dist/mcp-server/src/config/index.d.ts.map +1 -0
package/dist/mcp-server/src/config/index.js +22 -0
package/dist/mcp-server/src/config/index.js.map +1 -0
package/dist/mcp-server/src/context/generator.d.ts +16 -0
package/dist/mcp-server/src/context/generator.d.ts.map +1 -0
package/dist/mcp-server/src/context/generator.js +61 -0
package/dist/mcp-server/src/context/generator.js.map +1 -0
package/dist/mcp-server/src/context/index.d.ts +3 -0
package/dist/mcp-server/src/context/index.d.ts.map +1 -0
package/dist/mcp-server/src/context/index.js +10 -0
package/dist/mcp-server/src/context/index.js.map +1 -0
package/dist/mcp-server/src/context/templates.d.ts +8 -0
package/dist/mcp-server/src/context/templates.d.ts.map +1 -0
package/dist/mcp-server/src/context/templates.js +41 -0
package/dist/mcp-server/src/context/templates.js.map +1 -0
package/dist/mcp-server/src/git/branch.d.ts +13 -0
package/dist/mcp-server/src/git/branch.d.ts.map +1 -0
package/dist/mcp-server/src/git/branch.js +49 -0
package/dist/mcp-server/src/git/branch.js.map +1 -0
package/dist/mcp-server/src/git/diff.d.ts +10 -0
package/dist/mcp-server/src/git/diff.d.ts.map +1 -0
package/dist/mcp-server/src/git/diff.js +39 -0
package/dist/mcp-server/src/git/diff.js.map +1 -0
package/dist/mcp-server/src/git/index.d.ts +5 -0
package/dist/mcp-server/src/git/index.d.ts.map +1 -0
package/dist/mcp-server/src/git/index.js +16 -0
package/dist/mcp-server/src/git/index.js.map +1 -0
package/dist/mcp-server/src/git/merge.d.ts +6 -0
package/dist/mcp-server/src/git/merge.d.ts.map +1 -0
package/dist/mcp-server/src/git/merge.js +30 -0
package/dist/mcp-server/src/git/merge.js.map +1 -0
package/dist/mcp-server/src/git/worktree.d.ts +11 -0
package/dist/mcp-server/src/git/worktree.d.ts.map +1 -0
package/dist/mcp-server/src/git/worktree.js +38 -0
package/dist/mcp-server/src/git/worktree.js.map +1 -0
package/dist/mcp-server/src/http-wrapper.d.ts +6 -0
package/dist/mcp-server/src/http-wrapper.d.ts.map +1 -0
package/dist/mcp-server/src/http-wrapper.js +85 -0
package/dist/mcp-server/src/http-wrapper.js.map +1 -0
package/dist/mcp-server/src/index.d.ts +2 -0
package/dist/mcp-server/src/index.d.ts.map +1 -0
package/dist/mcp-server/src/index.js +28 -0
package/dist/mcp-server/src/index.js.map +1 -0
package/dist/mcp-server/src/platform-client/client.d.ts +17 -0
package/dist/mcp-server/src/platform-client/client.d.ts.map +1 -0
package/dist/mcp-server/src/platform-client/client.js +68 -0
package/dist/mcp-server/src/platform-client/client.js.map +1 -0
package/dist/mcp-server/src/platform-client/index.d.ts +5 -0
package/dist/mcp-server/src/platform-client/index.d.ts.map +1 -0
package/dist/mcp-server/src/platform-client/index.js +10 -0
package/dist/mcp-server/src/platform-client/index.js.map +1 -0
package/dist/mcp-server/src/platform-client/mock-client.d.ts +28 -0
package/dist/mcp-server/src/platform-client/mock-client.d.ts.map +1 -0
package/dist/mcp-server/src/platform-client/mock-client.js +75 -0
package/dist/mcp-server/src/platform-client/mock-client.js.map +1 -0
package/dist/mcp-server/src/platform-client/polling.d.ts +9 -0
package/dist/mcp-server/src/platform-client/polling.d.ts.map +1 -0
package/dist/mcp-server/src/platform-client/polling.js +40 -0
package/dist/mcp-server/src/platform-client/polling.js.map +1 -0
package/dist/mcp-server/src/platform-client/types.d.ts +2 -0
package/dist/mcp-server/src/platform-client/types.d.ts.map +1 -0
package/dist/mcp-server/src/platform-client/types.js +3 -0
package/dist/mcp-server/src/platform-client/types.js.map +1 -0
package/dist/mcp-server/src/provisioning/authorized-keys.d.ts +14 -0
package/dist/mcp-server/src/provisioning/authorized-keys.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/authorized-keys.js +48 -0
package/dist/mcp-server/src/provisioning/authorized-keys.js.map +1 -0
package/dist/mcp-server/src/provisioning/cleanup.d.ts +19 -0
package/dist/mcp-server/src/provisioning/cleanup.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/cleanup.js +96 -0
package/dist/mcp-server/src/provisioning/cleanup.js.map +1 -0
package/dist/mcp-server/src/provisioning/index.d.ts +6 -0
package/dist/mcp-server/src/provisioning/index.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/index.js +24 -0
package/dist/mcp-server/src/provisioning/index.js.map +1 -0
package/dist/mcp-server/src/provisioning/linux-user.d.ts +15 -0
package/dist/mcp-server/src/provisioning/linux-user.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/linux-user.js +62 -0
package/dist/mcp-server/src/provisioning/linux-user.js.map +1 -0
package/dist/mcp-server/src/provisioning/privileged.d.ts +40 -0
package/dist/mcp-server/src/provisioning/privileged.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/privileged.js +123 -0
package/dist/mcp-server/src/provisioning/privileged.js.map +1 -0
package/dist/mcp-server/src/provisioning/ssh-config.d.ts +21 -0
package/dist/mcp-server/src/provisioning/ssh-config.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/ssh-config.js +161 -0
package/dist/mcp-server/src/provisioning/ssh-config.js.map +1 -0
package/dist/mcp-server/src/provisioning/tmux-session.d.ts +37 -0
package/dist/mcp-server/src/provisioning/tmux-session.d.ts.map +1 -0
package/dist/mcp-server/src/provisioning/tmux-session.js +123 -0
package/dist/mcp-server/src/provisioning/tmux-session.js.map +1 -0
package/dist/mcp-server/src/server.d.ts +3 -0
package/dist/mcp-server/src/server.d.ts.map +1 -0
package/dist/mcp-server/src/server.js +67 -0
package/dist/mcp-server/src/server.js.map +1 -0
package/dist/mcp-server/src/state/gig-store.d.ts +19 -0
package/dist/mcp-server/src/state/gig-store.d.ts.map +1 -0
package/dist/mcp-server/src/state/gig-store.js +52 -0
package/dist/mcp-server/src/state/gig-store.js.map +1 -0
package/dist/mcp-server/src/state/index.d.ts +4 -0
package/dist/mcp-server/src/state/index.d.ts.map +1 -0
package/dist/mcp-server/src/state/index.js +8 -0
package/dist/mcp-server/src/state/index.js.map +1 -0
package/dist/mcp-server/src/state/persistence.d.ts +13 -0
package/dist/mcp-server/src/state/persistence.d.ts.map +1 -0
package/dist/mcp-server/src/state/persistence.js +48 -0
package/dist/mcp-server/src/state/persistence.js.map +1 -0
package/dist/mcp-server/src/state/types.d.ts +15 -0
package/dist/mcp-server/src/state/types.d.ts.map +1 -0
package/dist/mcp-server/src/state/types.js +3 -0
package/dist/mcp-server/src/state/types.js.map +1 -0
package/dist/mcp-server/src/tools/dismiss-human.d.ts +25 -0
package/dist/mcp-server/src/tools/dismiss-human.d.ts.map +1 -0
package/dist/mcp-server/src/tools/dismiss-human.js +78 -0
package/dist/mcp-server/src/tools/dismiss-human.js.map +1 -0
package/dist/mcp-server/src/tools/index.d.ts +9 -0
package/dist/mcp-server/src/tools/index.d.ts.map +1 -0
package/dist/mcp-server/src/tools/index.js +20 -0
package/dist/mcp-server/src/tools/index.js.map +1 -0
package/dist/mcp-server/src/tools/list-humans.d.ts +18 -0
package/dist/mcp-server/src/tools/list-humans.d.ts.map +1 -0
package/dist/mcp-server/src/tools/list-humans.js +35 -0
package/dist/mcp-server/src/tools/list-humans.js.map +1 -0
package/dist/mcp-server/src/tools/message-human.d.ts +10 -0
package/dist/mcp-server/src/tools/message-human.d.ts.map +1 -0
package/dist/mcp-server/src/tools/message-human.js +19 -0
package/dist/mcp-server/src/tools/message-human.js.map +1 -0
package/dist/mcp-server/src/tools/schemas/dismiss-human.schema.d.ts +19 -0
package/dist/mcp-server/src/tools/schemas/dismiss-human.schema.d.ts.map +1 -0
package/dist/mcp-server/src/tools/schemas/dismiss-human.schema.js +22 -0
package/dist/mcp-server/src/tools/schemas/dismiss-human.schema.js.map +1 -0
package/dist/mcp-server/src/tools/schemas/list-humans.schema.d.ts +4 -0
package/dist/mcp-server/src/tools/schemas/list-humans.schema.d.ts.map +1 -0
package/dist/mcp-server/src/tools/schemas/list-humans.schema.js +7 -0
package/dist/mcp-server/src/tools/schemas/list-humans.schema.js.map +1 -0
package/dist/mcp-server/src/tools/schemas/message-human.schema.d.ts +13 -0
package/dist/mcp-server/src/tools/schemas/message-human.schema.d.ts.map +1 -0
package/dist/mcp-server/src/tools/schemas/message-human.schema.js +9 -0
package/dist/mcp-server/src/tools/schemas/message-human.schema.js.map +1 -0
package/dist/mcp-server/src/tools/schemas/summon-human.schema.d.ts +22 -0
package/dist/mcp-server/src/tools/schemas/summon-human.schema.d.ts.map +1 -0
package/dist/mcp-server/src/tools/schemas/summon-human.schema.js +18 -0
package/dist/mcp-server/src/tools/schemas/summon-human.schema.js.map +1 -0
package/dist/mcp-server/src/tools/summon-human.d.ts +31 -0
package/dist/mcp-server/src/tools/summon-human.d.ts.map +1 -0
package/dist/mcp-server/src/tools/summon-human.js +137 -0
package/dist/mcp-server/src/tools/summon-human.js.map +1 -0
package/dist/mcp-server/src/tunnel/client.d.ts +16 -0
package/dist/mcp-server/src/tunnel/client.d.ts.map +1 -0
package/dist/mcp-server/src/tunnel/client.js +100 -0
package/dist/mcp-server/src/tunnel/client.js.map +1 -0
package/dist/mcp-server/src/tunnel/index.d.ts +6 -0
package/dist/mcp-server/src/tunnel/index.d.ts.map +1 -0
package/dist/mcp-server/src/tunnel/index.js +28 -0
package/dist/mcp-server/src/tunnel/index.js.map +1 -0
package/dist/mcp-server/src/utils/errors.d.ts +28 -0
package/dist/mcp-server/src/utils/errors.d.ts.map +1 -0
package/dist/mcp-server/src/utils/errors.js +66 -0
package/dist/mcp-server/src/utils/errors.js.map +1 -0
package/dist/mcp-server/src/utils/exec.d.ts +7 -0
package/dist/mcp-server/src/utils/exec.d.ts.map +1 -0
package/dist/mcp-server/src/utils/exec.js +22 -0
package/dist/mcp-server/src/utils/exec.js.map +1 -0
package/dist/mcp-server/src/utils/ip.d.ts +6 -0
package/dist/mcp-server/src/utils/ip.d.ts.map +1 -0
package/dist/mcp-server/src/utils/ip.js +33 -0
package/dist/mcp-server/src/utils/ip.js.map +1 -0
package/dist/mcp-server/src/utils/logger.d.ts +20 -0
package/dist/mcp-server/src/utils/logger.d.ts.map +1 -0
package/dist/mcp-server/src/utils/logger.js +41 -0
package/dist/mcp-server/src/utils/logger.js.map +1 -0
package/dist/shared/src/contractor.types.d.ts +20 -0
package/dist/shared/src/contractor.types.d.ts.map +1 -0
package/dist/shared/src/contractor.types.js +3 -0
package/dist/shared/src/contractor.types.js.map +1 -0
package/dist/shared/src/gig.types.d.ts +32 -0
package/dist/shared/src/gig.types.d.ts.map +1 -0
package/dist/shared/src/gig.types.js +21 -0
package/dist/shared/src/gig.types.js.map +1 -0
package/dist/shared/src/index.d.ts +5 -0
package/dist/shared/src/index.d.ts.map +1 -0
package/dist/shared/src/index.js +21 -0
package/dist/shared/src/index.js.map +1 -0
package/dist/shared/src/mcp-tool.types.d.ts +45 -0
package/dist/shared/src/mcp-tool.types.d.ts.map +1 -0
package/dist/shared/src/mcp-tool.types.js +3 -0
package/dist/shared/src/mcp-tool.types.js.map +1 -0
package/dist/shared/src/platform-api.types.d.ts +73 -0
package/dist/shared/src/platform-api.types.d.ts.map +1 -0
package/dist/shared/src/platform-api.types.js +3 -0
package/dist/shared/src/platform-api.types.js.map +1 -0
package/package.json +41 -0
package/src/bin.ts +7 -0
package/src/cli/setup.ts +317 -0
package/src/config/defaults.ts +21 -0
package/src/config/env.ts +74 -0
package/src/config/index.ts +2 -0
package/src/context/generator.ts +71 -0
package/src/context/index.ts +6 -0
package/src/context/templates.ts +41 -0
package/src/git/branch.ts +46 -0
package/src/git/diff.ts +34 -0
package/src/git/index.ts +4 -0
package/src/git/merge.ts +36 -0
package/src/git/worktree.ts +42 -0
package/src/http-wrapper.ts +94 -0
package/src/index.ts +32 -0
package/src/platform-client/client.ts +93 -0
package/src/platform-client/index.ts +4 -0
package/src/platform-client/mock-client.ts +92 -0
package/src/platform-client/polling.ts +53 -0
package/src/platform-client/types.ts +9 -0
package/src/provisioning/authorized-keys.ts +52 -0
package/src/provisioning/cleanup.ts +106 -0
package/src/provisioning/index.ts +13 -0
package/src/provisioning/linux-user.ts +66 -0
package/src/provisioning/privileged.ts +128 -0
package/src/provisioning/ssh-config.ts +197 -0
package/src/provisioning/tmux-session.ts +136 -0
package/src/server.ts +111 -0
package/src/state/gig-store.ts +56 -0
package/src/state/index.ts +3 -0
package/src/state/persistence.ts +42 -0
package/src/state/types.ts +14 -0
package/src/tools/dismiss-human.ts +103 -0
package/src/tools/index.ts +9 -0
package/src/tools/list-humans.ts +54 -0
package/src/tools/message-human.ts +28 -0
package/src/tools/schemas/dismiss-human.schema.ts +21 -0
package/src/tools/schemas/list-humans.schema.ts +6 -0
package/src/tools/schemas/message-human.schema.ts +8 -0
package/src/tools/schemas/summon-human.schema.ts +19 -0
package/src/tools/summon-human.ts +180 -0
package/src/tunnel/client.ts +116 -0
package/src/tunnel/index.ts +26 -0
package/src/utils/errors.ts +64 -0
package/src/utils/exec.ts +29 -0
package/src/utils/ip.ts +31 -0
package/src/utils/logger.ts +55 -0
package/tsconfig.json +20 -0

package/dist/mcp-server/src/provisioning/cleanup.js ADDED Viewed

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cleanupContractor = cleanupContractor;
+const tmux_session_js_1 = require("./tmux-session.js");
+const authorized_keys_js_1 = require("./authorized-keys.js");
+const ssh_config_js_1 = require("./ssh-config.js");
+const linux_user_js_1 = require("./linux-user.js");
+const errors_js_1 = require("../utils/errors.js");
+const logger_js_1 = require("../utils/logger.js");
+const env_js_1 = require("../config/env.js");
+/**
+ * Aggressive cleanup sequence for dismissing a contractor.
+ * Each step is independent and wrapped in try/catch — partial failures
+ * don't prevent the remaining steps from executing.
+ *
+ * Order matters:
+ * 1. Kill tmux session (with warning if connected)
+ * 2. Kill all user processes
+ * 3. Remove SSH pubkey
+ * 4. Remove ForceCommand from sshd_config
+ * 5. Reload sshd (happens inside removeForceCommand)
+ * 6. Lock the account
+ */
+async function cleanupContractor(target) {
+    const { username, tmuxSession } = target;
+    const failures = [];
+    const env = (0, env_js_1.getEnv)();
+    logger_js_1.logger.info("Starting contractor cleanup", {
+        user: username,
+        session: tmuxSession,
+    });
+    // 1. Kill tmux session
+    try {
+        await (0, tmux_session_js_1.killSession)(tmuxSession, env.CLEANUP_WARNING_SECONDS);
+    }
+    catch (error) {
+        failures.push(`tmux kill: ${error}`);
+        logger_js_1.logger.warn("Cleanup: failed to kill tmux session", {
+            user: username,
+            error: String(error),
+        });
+    }
+    // 2. Kill all user processes
+    try {
+        await (0, linux_user_js_1.killUserProcesses)(username);
+    }
+    catch (error) {
+        failures.push(`kill processes: ${error}`);
+        logger_js_1.logger.warn("Cleanup: failed to kill user processes", {
+            user: username,
+            error: String(error),
+        });
+    }
+    // 3. Remove SSH pubkey
+    try {
+        await (0, authorized_keys_js_1.removeAuthorizedKey)(username);
+    }
+    catch (error) {
+        failures.push(`remove key: ${error}`);
+        logger_js_1.logger.warn("Cleanup: failed to remove authorized key", {
+            user: username,
+            error: String(error),
+        });
+    }
+    // 4. Remove ForceCommand (also reloads sshd)
+    try {
+        await (0, ssh_config_js_1.removeForceCommand)(username);
+    }
+    catch (error) {
+        failures.push(`remove ForceCommand: ${error}`);
+        logger_js_1.logger.warn("Cleanup: failed to remove ForceCommand", {
+            user: username,
+            error: String(error),
+        });
+    }
+    // 5. Lock account
+    try {
+        await (0, linux_user_js_1.lockUser)(username);
+    }
+    catch (error) {
+        failures.push(`lock user: ${error}`);
+        logger_js_1.logger.warn("Cleanup: failed to lock user", {
+            user: username,
+            error: String(error),
+        });
+    }
+    if (failures.length > 0) {
+        logger_js_1.logger.warn("Cleanup completed with partial failures", {
+            user: username,
+            failureCount: failures.length,
+        });
+        throw new errors_js_1.CleanupError(`Cleanup of ${username} had ${failures.length} failures`, failures);
+    }
+    logger_js_1.logger.info("Cleanup completed successfully", { user: username });
+}
+//# sourceMappingURL=cleanup.js.map

package/dist/mcp-server/src/provisioning/cleanup.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cleanup.js","sourceRoot":"","sources":["../../../../src/provisioning/cleanup.ts"],"names":[],"mappings":";;AA0BA,8CA+EC;AAzGD,uDAAgD;AAChD,6DAA2D;AAC3D,mDAAqD;AACrD,mDAA8D;AAC9D,kDAAkD;AAClD,kDAA4C;AAC5C,6CAA0C;AAO1C;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAqB;IAErB,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;IACzC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,GAAG,GAAG,IAAA,eAAM,GAAE,CAAC;IAErB,kBAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE;QACzC,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,WAAW;KACrB,CAAC,CAAC;IAEH,uBAAuB;IACvB,IAAI,CAAC;QACH,MAAM,IAAA,6BAAW,EAAC,WAAW,EAAE,GAAG,CAAC,uBAAuB,CAAC,CAAC;IAC9D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CAAC,cAAc,KAAK,EAAE,CAAC,CAAC;QACrC,kBAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE;YAClD,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;IACL,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC;QACH,MAAM,IAAA,iCAAiB,EAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;QAC1C,kBAAM,CAAC,IAAI,CAAC,wCAAwC,EAAE;YACpD,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC;QACH,MAAM,IAAA,wCAAmB,EAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CAAC,eAAe,KAAK,EAAE,CAAC,CAAC;QACtC,kBAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;YACtD,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,IAAI,CAAC;QACH,MAAM,IAAA,kCAAkB,EAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CAAC,wBAAwB,KAAK,EAAE,CAAC,CAAC;QAC/C,kBAAM,CAAC,IAAI,CAAC,wCAAwC,EAAE;YACpD,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,IAAA,wBAAQ,EAAC,QAAQ,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,IAAI,CAAC,cAAc,KAAK,EAAE,CAAC,CAAC;QACrC,kBAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE;YAC1C,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,kBAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;YACrD,IAAI,EAAE,QAAQ;YACd,YAAY,EAAE,QAAQ,CAAC,MAAM;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,wBAAY,CACpB,cAAc,QAAQ,QAAQ,QAAQ,CAAC,MAAM,WAAW,EACxD,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,kBAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;AACpE,CAAC"}

package/dist/mcp-server/src/provisioning/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export { createUser, lockUser, killUserProcesses } from "./linux-user.js";
+export { writeAuthorizedKey, removeAuthorizedKey } from "./authorized-keys.js";
+export { addForceCommand, removeForceCommand } from "./ssh-config.js";
+export { sessionName, createSession, hasClientsAttached, sessionExists, displayMessage, killSession, getLastActivity, } from "./tmux-session.js";
+export { cleanupContractor, type CleanupTarget } from "./cleanup.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/mcp-server/src/provisioning/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/provisioning/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EACL,WAAW,EACX,aAAa,EACb,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,WAAW,EACX,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAE,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC"}

package/dist/mcp-server/src/provisioning/index.js ADDED Viewed

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cleanupContractor = exports.getLastActivity = exports.killSession = exports.displayMessage = exports.sessionExists = exports.hasClientsAttached = exports.createSession = exports.sessionName = exports.removeForceCommand = exports.addForceCommand = exports.removeAuthorizedKey = exports.writeAuthorizedKey = exports.killUserProcesses = exports.lockUser = exports.createUser = void 0;
+var linux_user_js_1 = require("./linux-user.js");
+Object.defineProperty(exports, "createUser", { enumerable: true, get: function () { return linux_user_js_1.createUser; } });
+Object.defineProperty(exports, "lockUser", { enumerable: true, get: function () { return linux_user_js_1.lockUser; } });
+Object.defineProperty(exports, "killUserProcesses", { enumerable: true, get: function () { return linux_user_js_1.killUserProcesses; } });
+var authorized_keys_js_1 = require("./authorized-keys.js");
+Object.defineProperty(exports, "writeAuthorizedKey", { enumerable: true, get: function () { return authorized_keys_js_1.writeAuthorizedKey; } });
+Object.defineProperty(exports, "removeAuthorizedKey", { enumerable: true, get: function () { return authorized_keys_js_1.removeAuthorizedKey; } });
+var ssh_config_js_1 = require("./ssh-config.js");
+Object.defineProperty(exports, "addForceCommand", { enumerable: true, get: function () { return ssh_config_js_1.addForceCommand; } });
+Object.defineProperty(exports, "removeForceCommand", { enumerable: true, get: function () { return ssh_config_js_1.removeForceCommand; } });
+var tmux_session_js_1 = require("./tmux-session.js");
+Object.defineProperty(exports, "sessionName", { enumerable: true, get: function () { return tmux_session_js_1.sessionName; } });
+Object.defineProperty(exports, "createSession", { enumerable: true, get: function () { return tmux_session_js_1.createSession; } });
+Object.defineProperty(exports, "hasClientsAttached", { enumerable: true, get: function () { return tmux_session_js_1.hasClientsAttached; } });
+Object.defineProperty(exports, "sessionExists", { enumerable: true, get: function () { return tmux_session_js_1.sessionExists; } });
+Object.defineProperty(exports, "displayMessage", { enumerable: true, get: function () { return tmux_session_js_1.displayMessage; } });
+Object.defineProperty(exports, "killSession", { enumerable: true, get: function () { return tmux_session_js_1.killSession; } });
+Object.defineProperty(exports, "getLastActivity", { enumerable: true, get: function () { return tmux_session_js_1.getLastActivity; } });
+var cleanup_js_1 = require("./cleanup.js");
+Object.defineProperty(exports, "cleanupContractor", { enumerable: true, get: function () { return cleanup_js_1.cleanupContractor; } });
+//# sourceMappingURL=index.js.map

package/dist/mcp-server/src/provisioning/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/provisioning/index.ts"],"names":[],"mappings":";;;AAAA,iDAA0E;AAAjE,2GAAA,UAAU,OAAA;AAAE,yGAAA,QAAQ,OAAA;AAAE,kHAAA,iBAAiB,OAAA;AAChD,2DAA+E;AAAtE,wHAAA,kBAAkB,OAAA;AAAE,yHAAA,mBAAmB,OAAA;AAChD,iDAAsE;AAA7D,gHAAA,eAAe,OAAA;AAAE,mHAAA,kBAAkB,OAAA;AAC5C,qDAQ2B;AAPzB,8GAAA,WAAW,OAAA;AACX,gHAAA,aAAa,OAAA;AACb,qHAAA,kBAAkB,OAAA;AAClB,gHAAA,aAAa,OAAA;AACb,iHAAA,cAAc,OAAA;AACd,8GAAA,WAAW,OAAA;AACX,kHAAA,eAAe,OAAA;AAEjB,2CAAqE;AAA5D,+GAAA,iBAAiB,OAAA"}

package/dist/mcp-server/src/provisioning/linux-user.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Create a new Linux user for a contractor.
+ * Creates home directory and .ssh directory.
+ */
+export declare function createUser(username: string): Promise<void>;
+/**
+ * Lock a user account so they can no longer log in.
+ */
+export declare function lockUser(username: string): Promise<void>;
+/**
+ * Kill all processes owned by a user.
+ * Does not throw if user has no processes.
+ */
+export declare function killUserProcesses(username: string): Promise<void>;
+//# sourceMappingURL=linux-user.d.ts.map

package/dist/mcp-server/src/provisioning/linux-user.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"linux-user.d.ts","sourceRoot":"","sources":["../../../../src/provisioning/linux-user.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,wBAAsB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAehE;AAED;;GAEG;AACH,wBAAsB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAS9D;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAQvE"}

package/dist/mcp-server/src/provisioning/linux-user.js ADDED Viewed

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUser = createUser;
+exports.lockUser = lockUser;
+exports.killUserProcesses = killUserProcesses;
+const privileged_js_1 = require("./privileged.js");
+const errors_js_1 = require("../utils/errors.js");
+const logger_js_1 = require("../utils/logger.js");
+/**
+ * Create a new Linux user for a contractor.
+ * Creates home directory and .ssh directory.
+ */
+async function createUser(username) {
+    try {
+        const u = shellEscape(username);
+        await (0, privileged_js_1.runPrivileged)(`useradd -m -s /bin/bash ${u}`);
+        await (0, privileged_js_1.runPrivileged)(`mkdir -p /home/${u}/.ssh && ` +
+            `chmod 700 /home/${u}/.ssh && ` +
+            `chown ${u}:${u} /home/${u}/.ssh`);
+        logger_js_1.logger.info("Linux user created", { user: username });
+    }
+    catch (error) {
+        throw new errors_js_1.ProvisioningError(`Failed to create user ${username}: ${error}`);
+    }
+}
+/**
+ * Lock a user account so they can no longer log in.
+ */
+async function lockUser(username) {
+    try {
+        await (0, privileged_js_1.runPrivileged)(`usermod -L ${shellEscape(username)}`);
+        logger_js_1.logger.info("Linux user locked", { user: username });
+    }
+    catch (error) {
+        throw new errors_js_1.ProvisioningError(`Failed to lock user ${username}: ${error}`);
+    }
+}
+/**
+ * Kill all processes owned by a user.
+ * Does not throw if user has no processes.
+ */
+async function killUserProcesses(username) {
+    try {
+        await (0, privileged_js_1.runPrivileged)(`pkill -u ${shellEscape(username)}`);
+        logger_js_1.logger.info("Killed processes for user", { user: username });
+    }
+    catch {
+        // pkill returns non-zero if no processes found — that's fine
+        logger_js_1.logger.debug("No processes to kill for user", { user: username });
+    }
+}
+/**
+ * Basic shell escaping to prevent injection.
+ * Only allows alphanumeric, hyphen, underscore.
+ */
+function shellEscape(value) {
+    if (!/^[a-zA-Z0-9_-]+$/.test(value)) {
+        throw new errors_js_1.ProvisioningError(`Invalid value for shell command: ${value}`);
+    }
+    return value;
+}
+//# sourceMappingURL=linux-user.js.map

package/dist/mcp-server/src/provisioning/linux-user.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"linux-user.js","sourceRoot":"","sources":["../../../../src/provisioning/linux-user.ts"],"names":[],"mappings":";;AAQA,gCAeC;AAKD,4BASC;AAMD,8CAQC;AAnDD,mDAAgD;AAChD,kDAAuD;AACvD,kDAA4C;AAE5C;;;GAGG;AACI,KAAK,UAAU,UAAU,CAAC,QAAgB;IAC/C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChC,MAAM,IAAA,6BAAa,EAAC,2BAA2B,CAAC,EAAE,CAAC,CAAC;QACpD,MAAM,IAAA,6BAAa,EACjB,kBAAkB,CAAC,WAAW;YAC5B,mBAAmB,CAAC,WAAW;YAC/B,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CACpC,CAAC;QACF,kBAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,6BAAiB,CACzB,yBAAyB,QAAQ,KAAK,KAAK,EAAE,CAC9C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,QAAQ,CAAC,QAAgB;IAC7C,IAAI,CAAC;QACH,MAAM,IAAA,6BAAa,EAAC,cAAc,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC3D,kBAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,6BAAiB,CACzB,uBAAuB,QAAQ,KAAK,KAAK,EAAE,CAC5C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CAAC,QAAgB;IACtD,IAAI,CAAC;QACH,MAAM,IAAA,6BAAa,EAAC,YAAY,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACzD,kBAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;QAC7D,kBAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAGD;;;GAGG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,6BAAiB,CACzB,oCAAoC,KAAK,EAAE,CAC5C,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/mcp-server/src/provisioning/privileged.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Run a privileged shell command. With sudo enabled, the command
+ * is wrapped in `sudo -n bash -c '...'` so multi-step pipelines
+ * (`mkdir && chmod && chown`) still execute as root in one go.
+ */
+export declare function runPrivileged(command: string): Promise<void>;
+/**
+ * Run a shell command as a specific (non-root) user. Used for things
+ * like `tmux new-session` where the resulting object must be owned by
+ * the contractor, not root, so that the contractor's SSH login can
+ * attach to it.
+ *
+ * `sudo -u user` works whether the caller is root (no sudoers needed)
+ * or an unprivileged user with NOPASSWD configured for that target.
+ */
+export declare function runAsUser(user: string, command: string): Promise<{
+    stdout: string;
+    stderr: string;
+}>;
+/**
+ * Read a file. Reads always go through Node fs — `/etc/ssh/sshd_config`
+ * is world-readable by default, so this rarely needs sudo. If a future
+ * deployment locks it down, we can revisit.
+ */
+export declare function readPrivilegedFile(path: string): Promise<string>;
+/**
+ * Write a file as root, regardless of which mode we're in.
+ * In sudo mode, content is piped through `sudo tee` and chmod runs
+ * separately.
+ */
+export declare function writePrivilegedFile(path: string, content: string, mode?: number): Promise<void>;
+/**
+ * Copy a file as root. Used by the sshd_config backup/restore flow.
+ */
+export declare function copyPrivilegedFile(src: string, dst: string): Promise<void>;
+/**
+ * `chown user:group path` as root.
+ */
+export declare function chownPrivileged(owner: string, path: string): Promise<void>;
+//# sourceMappingURL=privileged.d.ts.map

package/dist/mcp-server/src/provisioning/privileged.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privileged.d.ts","sourceRoot":"","sources":["../../../../src/provisioning/privileged.ts"],"names":[],"mappings":"AA4BA;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMlE;AAED;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAC7B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAS7C;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEtE;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAcf;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMhF;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAUhF"}

package/dist/mcp-server/src/provisioning/privileged.js ADDED Viewed

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runPrivileged = runPrivileged;
+exports.runAsUser = runAsUser;
+exports.readPrivilegedFile = readPrivilegedFile;
+exports.writePrivilegedFile = writePrivilegedFile;
+exports.copyPrivilegedFile = copyPrivilegedFile;
+exports.chownPrivileged = chownPrivileged;
+const promises_1 = require("node:fs/promises");
+const exec_js_1 = require("../utils/exec.js");
+const env_js_1 = require("../config/env.js");
+/**
+ * Privileged operation helpers.
+ *
+ * Two modes, controlled by `PROVISIONING_USE_SUDO`:
+ *
+ * - `false` (default): the MCP server is running as root (e.g. `sudo
+ *   claude` or a systemd service running as root). All commands and
+ *   file operations execute directly through Node fs / child_process.
+ *
+ * - `true`: the MCP server is running as an unprivileged user that
+ *   has NOPASSWD sudo for the specific commands listed in
+ *   `human-layer/mcp-server/README.md`. All commands are prefixed
+ *   with `sudo -n`, and file operations go through `sudo tee` /
+ *   `sudo cp` so writes work even when the target file is owned by
+ *   root.
+ *
+ * Centralising this in one module means the provisioning code stays
+ * readable and the sudo decision lives in exactly one place.
+ */
+function useSudo() {
+    return (0, env_js_1.getEnv)().PROVISIONING_USE_SUDO;
+}
+/**
+ * Run a privileged shell command. With sudo enabled, the command
+ * is wrapped in `sudo -n bash -c '...'` so multi-step pipelines
+ * (`mkdir && chmod && chown`) still execute as root in one go.
+ */
+async function runPrivileged(command) {
+    if (useSudo()) {
+        await (0, exec_js_1.exec)(`sudo -n bash -c ${shQuote(command)}`);
+    }
+    else {
+        await (0, exec_js_1.exec)(command);
+    }
+}
+/**
+ * Run a shell command as a specific (non-root) user. Used for things
+ * like `tmux new-session` where the resulting object must be owned by
+ * the contractor, not root, so that the contractor's SSH login can
+ * attach to it.
+ *
+ * `sudo -u user` works whether the caller is root (no sudoers needed)
+ * or an unprivileged user with NOPASSWD configured for that target.
+ */
+async function runAsUser(user, command) {
+    if (!/^[a-zA-Z0-9_-]+$/.test(user)) {
+        throw new Error(`Invalid user name: ${user}`);
+    }
+    // We always go through sudo here. When running as root, no
+    // password / NOPASSWD is needed. When running as a regular user,
+    // they need NOPASSWD for `sudo -u <target>` (covered by the
+    // sudoers template in human-layer/mcp-server/README.md).
+    return (0, exec_js_1.exec)(`sudo -n -u ${user} bash -c ${shQuote(command)}`);
+}
+/**
+ * Read a file. Reads always go through Node fs — `/etc/ssh/sshd_config`
+ * is world-readable by default, so this rarely needs sudo. If a future
+ * deployment locks it down, we can revisit.
+ */
+async function readPrivilegedFile(path) {
+    return (0, promises_1.readFile)(path, "utf-8");
+}
+/**
+ * Write a file as root, regardless of which mode we're in.
+ * In sudo mode, content is piped through `sudo tee` and chmod runs
+ * separately.
+ */
+async function writePrivilegedFile(path, content, mode) {
+    if (useSudo()) {
+        // `tee` writes the file as root; we pipe the content via stdin
+        // by base64-encoding it to dodge any quoting hazards.
+        const b64 = Buffer.from(content, "utf-8").toString("base64");
+        await (0, exec_js_1.exec)(`bash -c ${shQuote(`echo ${b64} | base64 -d | sudo -n tee ${shQuote(path)} > /dev/null`)}`);
+        if (typeof mode === "number") {
+            await (0, exec_js_1.exec)(`sudo -n chmod ${mode.toString(8)} ${shQuote(path)}`);
+        }
+    }
+    else {
+        await (0, promises_1.writeFile)(path, content, mode != null ? { encoding: "utf-8", mode } : { encoding: "utf-8" });
+    }
+}
+/**
+ * Copy a file as root. Used by the sshd_config backup/restore flow.
+ */
+async function copyPrivilegedFile(src, dst) {
+    if (useSudo()) {
+        await (0, exec_js_1.exec)(`sudo -n cp ${shQuote(src)} ${shQuote(dst)}`);
+    }
+    else {
+        await (0, promises_1.copyFile)(src, dst);
+    }
+}
+/**
+ * `chown user:group path` as root.
+ */
+async function chownPrivileged(owner, path) {
+    // shellEscape-style guard to avoid injection through `owner`
+    if (!/^[a-zA-Z0-9_.:-]+$/.test(owner)) {
+        throw new Error(`Invalid owner spec: ${owner}`);
+    }
+    if (useSudo()) {
+        await (0, exec_js_1.exec)(`sudo -n chown ${owner} ${shQuote(path)}`);
+    }
+    else {
+        await (0, exec_js_1.exec)(`chown ${owner} ${shQuote(path)}`);
+    }
+}
+/** Quote a value for safe inclusion in a single-quoted bash string. */
+function shQuote(value) {
+    return `'${value.replace(/'/g, "'\\''")}'`;
+}
+//# sourceMappingURL=privileged.js.map

package/dist/mcp-server/src/provisioning/privileged.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"privileged.js","sourceRoot":"","sources":["../../../../src/provisioning/privileged.ts"],"names":[],"mappings":";;AAiCA,sCAMC;AAWD,8BAYC;AAOD,gDAEC;AAOD,kDAkBC;AAKD,gDAMC;AAKD,0CAUC;AA1HD,+CAA4G;AAC5G,8CAAwC;AACxC,6CAA0C;AAE1C;;;;;;;;;;;;;;;;;;GAkBG;AAEH,SAAS,OAAO;IACd,OAAO,IAAA,eAAM,GAAE,CAAC,qBAAqB,CAAC;AACxC,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,aAAa,CAAC,OAAe;IACjD,IAAI,OAAO,EAAE,EAAE,CAAC;QACd,MAAM,IAAA,cAAI,EAAC,mBAAmB,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;SAAM,CAAC;QACN,MAAM,IAAA,cAAI,EAAC,OAAO,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,SAAS,CAC7B,IAAY,EACZ,OAAe;IAEf,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IACD,2DAA2D;IAC3D,iEAAiE;IACjE,4DAA4D;IAC5D,yDAAyD;IACzD,OAAO,IAAA,cAAI,EAAC,cAAc,IAAI,YAAY,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,kBAAkB,CAAC,IAAY;IACnD,OAAO,IAAA,mBAAU,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACnC,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,IAAY,EACZ,OAAe,EACf,IAAa;IAEb,IAAI,OAAO,EAAE,EAAE,CAAC;QACd,+DAA+D;QAC/D,sDAAsD;QACtD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC7D,MAAM,IAAA,cAAI,EACR,WAAW,OAAO,CAAC,QAAQ,GAAG,8BAA8B,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAC3F,CAAC;QACF,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAA,cAAI,EAAC,iBAAiB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAA,oBAAW,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IACvG,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAW,EAAE,GAAW;IAC/D,IAAI,OAAO,EAAE,EAAE,CAAC;QACd,MAAM,IAAA,cAAI,EAAC,cAAc,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACN,MAAM,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,eAAe,CAAC,KAAa,EAAE,IAAY;IAC/D,6DAA6D;IAC7D,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,OAAO,EAAE,EAAE,CAAC;QACd,MAAM,IAAA,cAAI,EAAC,iBAAiB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,MAAM,IAAA,cAAI,EAAC,SAAS,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,OAAO,CAAC,KAAa;IAC5B,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AAC7C,CAAC"}

package/dist/mcp-server/src/provisioning/ssh-config.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Add a ForceCommand block to sshd_config for a contractor.
+ *
+ * Uses marker comments for deterministic insertion/removal:
+ *   # BEGIN human-layer:{username}
+ *   Match User {username}
+ *     ForceCommand tmux attach -t {session} || tmux new -s {session}
+ *     AllowTcpForwarding no
+ *     X11Forwarding no
+ *   # END human-layer:{username}
+ *
+ * CRITICAL: This is the highest-risk module in the system.
+ * Incorrect sshd_config means locked-out VMs.
+ * Always backup, validate with sshd -t, then reload.
+ */
+export declare function addForceCommand(username: string, tmuxSession: string, configPath?: string): Promise<void>;
+/**
+ * Remove the ForceCommand block for a contractor from sshd_config.
+ */
+export declare function removeForceCommand(username: string, configPath?: string): Promise<void>;
+//# sourceMappingURL=ssh-config.d.ts.map

package/dist/mcp-server/src/provisioning/ssh-config.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ssh-config.d.ts","sourceRoot":"","sources":["../../../../src/provisioning/ssh-config.ts"],"names":[],"mappings":"AAcA;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,UAAU,SAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAuDf;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,EAChB,UAAU,SAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CA6Bf"}

package/dist/mcp-server/src/provisioning/ssh-config.js ADDED Viewed

@@ -0,0 +1,161 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addForceCommand = addForceCommand;
+exports.removeForceCommand = removeForceCommand;
+const privileged_js_1 = require("./privileged.js");
+const errors_js_1 = require("../utils/errors.js");
+const logger_js_1 = require("../utils/logger.js");
+const defaults_js_1 = require("../config/defaults.js");
+/**
+ * Add a ForceCommand block to sshd_config for a contractor.
+ *
+ * Uses marker comments for deterministic insertion/removal:
+ *   # BEGIN human-layer:{username}
+ *   Match User {username}
+ *     ForceCommand tmux attach -t {session} || tmux new -s {session}
+ *     AllowTcpForwarding no
+ *     X11Forwarding no
+ *   # END human-layer:{username}
+ *
+ * CRITICAL: This is the highest-risk module in the system.
+ * Incorrect sshd_config means locked-out VMs.
+ * Always backup, validate with sshd -t, then reload.
+ */
+async function addForceCommand(username, tmuxSession, configPath = defaults_js_1.SSHD_CONFIG_PATH) {
+    const beginMarker = `${defaults_js_1.SSHD_MARKER_PREFIX}${username}`;
+    const endMarker = `${defaults_js_1.SSHD_MARKER_SUFFIX}${username}`;
+    const block = [
+        beginMarker,
+        `Match User ${username}`,
+        `  ForceCommand tmux attach -t ${tmuxSession} || tmux new -s ${tmuxSession}`,
+        "  AllowTcpForwarding no",
+        "  X11Forwarding no",
+        endMarker,
+    ].join("\n");
+    try {
+        // Backup current config
+        await (0, privileged_js_1.copyPrivilegedFile)(configPath, `${configPath}.bak`);
+        // Read current config
+        const current = await (0, privileged_js_1.readPrivilegedFile)(configPath);
+        // Remove existing block if present (idempotent)
+        const cleaned = removeBlock(current, beginMarker, endMarker);
+        // Append new block
+        const updated = cleaned.trimEnd() + "\n\n" + block + "\n";
+        // Write updated config
+        await (0, privileged_js_1.writePrivilegedFile)(configPath, updated);
+        // Validate with sshd -t
+        await validateSshdConfig(configPath);
+        // Reload sshd
+        await reloadSshd();
+        logger_js_1.logger.info("ForceCommand added to sshd_config", {
+            user: username,
+            session: tmuxSession,
+        });
+    }
+    catch (error) {
+        // Attempt to restore backup
+        try {
+            await (0, privileged_js_1.copyPrivilegedFile)(`${configPath}.bak`, configPath);
+            await reloadSshd();
+            logger_js_1.logger.warn("Restored sshd_config from backup after error");
+        }
+        catch (restoreError) {
+            logger_js_1.logger.error("CRITICAL: Failed to restore sshd_config backup", {
+                error: String(restoreError),
+            });
+        }
+        throw new errors_js_1.SshConfigError(`Failed to add ForceCommand for ${username}: ${error}`);
+    }
+}
+/**
+ * Remove the ForceCommand block for a contractor from sshd_config.
+ */
+async function removeForceCommand(username, configPath = defaults_js_1.SSHD_CONFIG_PATH) {
+    const beginMarker = `${defaults_js_1.SSHD_MARKER_PREFIX}${username}`;
+    const endMarker = `${defaults_js_1.SSHD_MARKER_SUFFIX}${username}`;
+    try {
+        await (0, privileged_js_1.copyPrivilegedFile)(configPath, `${configPath}.bak`);
+        const current = await (0, privileged_js_1.readPrivilegedFile)(configPath);
+        const cleaned = removeBlock(current, beginMarker, endMarker);
+        await (0, privileged_js_1.writePrivilegedFile)(configPath, cleaned);
+        await validateSshdConfig(configPath);
+        await reloadSshd();
+        logger_js_1.logger.info("ForceCommand removed from sshd_config", {
+            user: username,
+        });
+    }
+    catch (error) {
+        try {
+            await (0, privileged_js_1.copyPrivilegedFile)(`${configPath}.bak`, configPath);
+            await reloadSshd();
+        }
+        catch {
+            logger_js_1.logger.error("CRITICAL: Failed to restore sshd_config backup");
+        }
+        throw new errors_js_1.SshConfigError(`Failed to remove ForceCommand for ${username}: ${error}`);
+    }
+}
+/**
+ * Remove a marker-delimited block from config text.
+ */
+function removeBlock(content, beginMarker, endMarker) {
+    const lines = content.split("\n");
+    const result = [];
+    let inBlock = false;
+    for (const line of lines) {
+        if (line.trim() === beginMarker) {
+            inBlock = true;
+            continue;
+        }
+        if (line.trim() === endMarker) {
+            inBlock = false;
+            continue;
+        }
+        if (!inBlock) {
+            result.push(line);
+        }
+    }
+    return result.join("\n");
+}
+/**
+ * Validate sshd_config syntax. Throws if invalid.
+ */
+async function validateSshdConfig(configPath = defaults_js_1.SSHD_CONFIG_PATH) {
+    try {
+        await (0, privileged_js_1.runPrivileged)(`sshd -t -f ${configPath}`);
+    }
+    catch (error) {
+        throw new errors_js_1.SshConfigError(`sshd_config validation failed: ${error}`);
+    }
+}
+/**
+ * Reload sshd to apply config changes.
+ *
+ * Tries `systemctl reload` first (the systemd path) and falls back to
+ * `service ssh reload` for environments without systemd (some WSL2
+ * distros, minimal containers).
+ */
+async function reloadSshd() {
+    try {
+        await (0, privileged_js_1.runPrivileged)("systemctl reload sshd");
+        return;
+    }
+    catch {
+        /* fall through */
+    }
+    try {
+        await (0, privileged_js_1.runPrivileged)("systemctl reload ssh");
+        return;
+    }
+    catch {
+        /* fall through */
+    }
+    try {
+        await (0, privileged_js_1.runPrivileged)("service ssh reload");
+        return;
+    }
+    catch (error) {
+        throw new errors_js_1.SshConfigError(`Failed to reload sshd: ${error}`);
+    }
+}
+//# sourceMappingURL=ssh-config.js.map

package/dist/mcp-server/src/provisioning/ssh-config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ssh-config.js","sourceRoot":"","sources":["../../../../src/provisioning/ssh-config.ts"],"names":[],"mappings":";;AA6BA,0CA2DC;AAKD,gDAgCC;AA7HD,mDAKyB;AACzB,kDAAoD;AACpD,kDAA4C;AAC5C,uDAI+B;AAE/B;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,WAAmB,EACnB,UAAU,GAAG,8BAAgB;IAE7B,MAAM,WAAW,GAAG,GAAG,gCAAkB,GAAG,QAAQ,EAAE,CAAC;IACvD,MAAM,SAAS,GAAG,GAAG,gCAAkB,GAAG,QAAQ,EAAE,CAAC;IAErD,MAAM,KAAK,GAAG;QACZ,WAAW;QACX,cAAc,QAAQ,EAAE;QACxB,iCAAiC,WAAW,mBAAmB,WAAW,EAAE;QAC5E,yBAAyB;QACzB,oBAAoB;QACpB,SAAS;KACV,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,IAAI,CAAC;QACH,wBAAwB;QACxB,MAAM,IAAA,kCAAkB,EAAC,UAAU,EAAE,GAAG,UAAU,MAAM,CAAC,CAAC;QAE1D,sBAAsB;QACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAkB,EAAC,UAAU,CAAC,CAAC;QAErD,gDAAgD;QAChD,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;QAE7D,mBAAmB;QACnB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,GAAG,MAAM,GAAG,KAAK,GAAG,IAAI,CAAC;QAE1D,uBAAuB;QACvB,MAAM,IAAA,mCAAmB,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAE/C,wBAAwB;QACxB,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAErC,cAAc;QACd,MAAM,UAAU,EAAE,CAAC;QAEnB,kBAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;YAC/C,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,WAAW;SACrB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,4BAA4B;QAC5B,IAAI,CAAC;YACH,MAAM,IAAA,kCAAkB,EAAC,GAAG,UAAU,MAAM,EAAE,UAAU,CAAC,CAAC;YAC1D,MAAM,UAAU,EAAE,CAAC;YACnB,kBAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,YAAY,EAAE,CAAC;YACtB,kBAAM,CAAC,KAAK,CAAC,gDAAgD,EAAE;gBAC7D,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC;aAC5B,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,0BAAc,CACtB,kCAAkC,QAAQ,KAAK,KAAK,EAAE,CACvD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,QAAgB,EAChB,UAAU,GAAG,8BAAgB;IAE7B,MAAM,WAAW,GAAG,GAAG,gCAAkB,GAAG,QAAQ,EAAE,CAAC;IACvD,MAAM,SAAS,GAAG,GAAG,gCAAkB,GAAG,QAAQ,EAAE,CAAC;IAErD,IAAI,CAAC;QACH,MAAM,IAAA,kCAAkB,EAAC,UAAU,EAAE,GAAG,UAAU,MAAM,CAAC,CAAC;QAE1D,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAkB,EAAC,UAAU,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;QAE7D,MAAM,IAAA,mCAAmB,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC/C,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,UAAU,EAAE,CAAC;QAEnB,kBAAM,CAAC,IAAI,CAAC,uCAAuC,EAAE;YACnD,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,IAAA,kCAAkB,EAAC,GAAG,UAAU,MAAM,EAAE,UAAU,CAAC,CAAC;YAC1D,MAAM,UAAU,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,kBAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,IAAI,0BAAc,CACtB,qCAAqC,QAAQ,KAAK,KAAK,EAAE,CAC1D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAClB,OAAe,EACf,WAAmB,EACnB,SAAiB;IAEjB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;YAChC,OAAO,GAAG,IAAI,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,UAAU,GAAG,8BAAgB;IAE7B,IAAI,CAAC;QACH,MAAM,IAAA,6BAAa,EAAC,cAAc,UAAU,EAAE,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,0BAAc,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,IAAA,6BAAa,EAAC,uBAAuB,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAA,6BAAa,EAAC,sBAAsB,CAAC,CAAC;QAC5C,OAAO;IACT,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAA,6BAAa,EAAC,oBAAoB,CAAC,CAAC;QAC1C,OAAO;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,0BAAc,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/mcp-server/src/provisioning/tmux-session.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Generate a tmux session name for a gig.
+ */
+export declare function sessionName(gigId: string): string;
+/**
+ * Create a new tmux session **owned by the contractor user** so that
+ * sshd's ForceCommand (`tmux attach -t ...`) running as that user can
+ * see and attach to it.
+ *
+ * Without `runAsUser`, a tmux session created by the MCP server (root)
+ * is owned by root, and the contractor's later attach silently fails
+ * because tmux scopes sessions per-uid via the socket directory.
+ */
+export declare function createSession(session: string, workdir: string, user?: string): Promise<void>;
+/**
+ * Check if a tmux session has any clients attached.
+ * Used to detect if a contractor is currently connected.
+ */
+export declare function hasClientsAttached(session: string): Promise<boolean>;
+/**
+ * Check if a tmux session exists.
+ */
+export declare function sessionExists(session: string): Promise<boolean>;
+/**
+ * Send a display message to a tmux session.
+ * The message is shown as an overlay for the specified duration.
+ */
+export declare function displayMessage(session: string, message: string, durationMs?: number): Promise<boolean>;
+/**
+ * Kill a tmux session, optionally showing a warning first.
+ */
+export declare function killSession(session: string, warningSeconds?: number): Promise<void>;
+/**
+ * Get the last activity time for a session (if detectable).
+ */
+export declare function getLastActivity(session: string): Promise<Date | undefined>;
+//# sourceMappingURL=tmux-session.d.ts.map

package/dist/mcp-server/src/provisioning/tmux-session.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tmux-session.d.ts","sourceRoot":"","sources":["../../../../src/provisioning/tmux-session.ts"],"names":[],"mappings":"AAMA;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAYf;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAQ1E;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOrE;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,UAAU,SAAS,GAClB,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,cAAc,SAAI,GACjB,OAAO,CAAC,IAAI,CAAC,CAiBf;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,CAa3B"}