@chainingintention/pi-web-cn 1.202606.4 → 1.202606.6

package/dist/server/sessions/managementPermissionSystem.js

@@ -0,0 +1,94 @@
+import { createHash } from "node:crypto";
+import { mkdir, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+export const PI_PERMISSION_SYSTEM_POLICY_AGENT_DIR = "PI_PERMISSION_SYSTEM_POLICY_AGENT_DIR";
+const MANAGEMENT_AGENT_TOOL_NAMES = ["read", "write", "edit", "ls", "grep", "find", "python"];
+export function createManagementPermissionSystemPolicy(context) {
+    const tools = {
+        "*": "deny",
+    };
+    for (const tool of managementAgentToolNames(context))
+        tools[tool] = "allow";
+    for (const tool of managementDeniedToolNames(context))
+        tools[tool] = "deny";
+    return {
+        defaultPolicy: {
+            tools: "deny",
+            bash: "deny",
+            mcp: "deny",
+            skills: "deny",
+            special: "deny",
+        },
+        tools,
+        bash: { "*": "deny" },
+        mcp: { "*": "deny" },
+        skills: { "*": "deny" },
+        special: {
+            doom_loop: "deny",
+            external_directory: "deny",
+        },
+    };
+}
+export function managementAgentToolNames(context) {
+    const deny = new Set([...(context.tools?.deny ?? []), "bash", "shell", "terminal"]);
+    const allow = context.tools?.allow;
+    const safeTools = MANAGEMENT_AGENT_TOOL_NAMES.filter((tool) => !deny.has(tool));
+    if (allow === undefined || allow.length === 0)
+        return [...safeTools];
+    return safeTools.filter((tool) => allow.includes(tool));
+}
+export async function writeManagementPermissionSystemPolicy(agentDir, cwd, context) {
+    const policyAgentDir = join(agentDir, "management-embed", "permission-system", safePathSegment(context.user.rootUserId), createHash("sha256").update(cwd).digest("hex").slice(0, 16));
+    await mkdir(policyAgentDir, { recursive: true });
+    await writeFile(join(policyAgentDir, "pi-permissions.jsonc"), `${JSON.stringify(createManagementPermissionSystemPolicy(context), null, 2)}\n`, "utf8");
+    return policyAgentDir;
+}
+let runtimeEnvironmentQueue = Promise.resolve();
+export async function withRuntimeCreationEnvironment(env, action) {
+    const previousQueue = runtimeEnvironmentQueue;
+    let releaseQueue = () => undefined;
+    runtimeEnvironmentQueue = new Promise((resolve) => {
+        releaseQueue = resolve;
+    });
+    await previousQueue;
+    const previousValues = new Map();
+    for (const [key, value] of Object.entries(env)) {
+        previousValues.set(key, process.env[key]);
+        if (value === undefined)
+            Reflect.deleteProperty(process.env, key);
+        else
+            process.env[key] = value;
+    }
+    try {
+        return await action();
+    }
+    finally {
+        for (const [key, value] of previousValues) {
+            if (value === undefined)
+                Reflect.deleteProperty(process.env, key);
+            else
+                process.env[key] = value;
+        }
+        releaseQueue();
+    }
+}
+function managementDeniedToolNames(context) {
+    return [
+        "bash",
+        "shell",
+        "terminal",
+        "terminal-command-runs",
+        "powershell",
+        "pwsh",
+        "mcp",
+        "http",
+        "webfetch",
+        "websearch",
+        ...(context.tools?.deny ?? []),
+    ];
+}
+function safePathSegment(value) {
+    const safe = value.trim().replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+    return safe === "" ? "user" : safe.slice(0, 80);
+}
+//# sourceMappingURL=managementPermissionSystem.js.map

package/dist/server/sessions/managementPermissionSystem.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"managementPermissionSystem.js","sourceRoot":"","sources":["../../../src/server/sessions/managementPermissionSystem.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,CAAC,MAAM,qCAAqC,GAAG,uCAAuC,CAAC;AAC7F,MAAM,2BAA2B,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAU,CAAC;AAsBvG,MAAM,UAAU,sCAAsC,CAAC,OAA+B;IACpF,MAAM,KAAK,GAAoC;QAC7C,GAAG,EAAE,MAAM;KACZ,CAAC;IACF,KAAK,MAAM,IAAI,IAAI,wBAAwB,CAAC,OAAO,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;IAC5E,KAAK,MAAM,IAAI,IAAI,yBAAyB,CAAC,OAAO,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC;IAE5E,OAAO;QACL,aAAa,EAAE;YACb,KAAK,EAAE,MAAM;YACb,IAAI,EAAE,MAAM;YACZ,GAAG,EAAE,MAAM;YACX,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,MAAM;SAChB;QACD,KAAK;QACL,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE;QACrB,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE;QACpB,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE;QACvB,OAAO,EAAE;YACP,SAAS,EAAE,MAAM;YACjB,kBAAkB,EAAE,MAAM;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,OAA+B;IACtE,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;IACpF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;IACnC,MAAM,SAAS,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAChF,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC;IACrE,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qCAAqC,CAAC,QAAgB,EAAE,GAAW,EAAE,OAA+B;IACxH,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACtL,MAAM,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,MAAM,SAAS,CAAC,IAAI,CAAC,cAAc,EAAE,sBAAsB,CAAC,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,sCAAsC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvJ,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,IAAI,uBAAuB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;AAEhD,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAAI,GAAuC,EAAE,MAAwB;IACvH,MAAM,aAAa,GAAG,uBAAuB,CAAC;IAC9C,IAAI,YAAY,GAAe,GAAG,EAAE,CAAC,SAAS,CAAC;IAC/C,uBAAuB,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QACtD,YAAY,GAAG,OAAO,CAAC;IACzB,CAAC,CAAC,CAAC;IACH,MAAM,aAAa,CAAC;IAEpB,MAAM,cAAc,GAAG,IAAI,GAAG,EAA8B,CAAC;IAC7D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1C,IAAI,KAAK,KAAK,SAAS;YAAE,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;;YAC7D,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IAChC,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,EAAE,CAAC;IACxB,CAAC;YAAS,CAAC;QACT,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,cAAc,EAAE,CAAC;YAC1C,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;;gBAC7D,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAChC,CAAC;QACD,YAAY,EAAE,CAAC;IACjB,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,OAA+B;IAChE,OAAO;QACL,MAAM;QACN,OAAO;QACP,UAAU;QACV,uBAAuB;QACvB,YAAY;QACZ,MAAM;QACN,KAAK;QACL,MAAM;QACN,UAAU;QACV,WAAW;QACX,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;KAC/B,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACpF,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClD,CAAC"}

package/dist/server/sessions/managementSandbox.js

@@ -0,0 +1,156 @@
+const DEFAULT_PATH = "/usr/local/bin:/usr/bin:/bin";
+const SAFE_HOST_ENV_KEYS = ["PATH", "LANG", "LC_ALL", "LC_CTYPE"];
+const SENSITIVE_ENV_PATTERNS = ["TOKEN", "SECRET", "PASSWORD", "PRIVATE_KEY", "API_KEY"];
+const SANDBOX_WORKSPACE = "/workspace";
+const SANDBOX_HOME = "/tmp/pi-web-home";
+export const DEFAULT_BUBBLEWRAP_PATHS = [
+    "/usr",
+    "/bin",
+    "/lib",
+    "/lib64",
+    "/etc/alternatives",
+    "/etc/ld.so.cache",
+    "/etc/ssl",
+    "/etc/ca-certificates",
+];
+export function createManagedSandboxEnvironment(options) {
+    const env = {};
+    for (const key of SAFE_HOST_ENV_KEYS) {
+        const value = options.hostEnv[key];
+        if (value !== undefined && value !== "")
+            env[key] = value;
+    }
+    env["PATH"] ??= DEFAULT_PATH;
+    for (const [key, value] of Object.entries(options.context.sandbox?.env ?? {})) {
+        assertNonSensitiveSandboxEnvKey(key);
+        env[key] = value;
+    }
+    env["HOME"] = SANDBOX_HOME;
+    env["TMPDIR"] = "/tmp";
+    return env;
+}
+export function createBubblewrapPythonInvocation(options) {
+    const args = [
+        "--unshare-net",
+        "--unshare-ipc",
+        "--unshare-pid",
+        "--die-with-parent",
+        "--clearenv",
+        ...Object.entries(options.env ?? {}).flatMap(([key, value]) => ["--setenv", key, value ?? ""]),
+        "--tmpfs",
+        "/tmp",
+        "--dir",
+        SANDBOX_HOME,
+        "--proc",
+        "/proc",
+        "--dev",
+        "/dev",
+        ...[...new Set(options.readOnlyPaths ?? DEFAULT_BUBBLEWRAP_PATHS)].flatMap((path) => ["--ro-bind", path, path]),
+        "--bind",
+        options.workspaceRoot,
+        SANDBOX_WORKSPACE,
+        "--chdir",
+        SANDBOX_WORKSPACE,
+        options.pythonExecutable,
+        "-I",
+        "-",
+    ];
+    return { command: options.bubblewrapExecutable, args };
+}
+export function bubblewrapUnavailableReason(output) {
+    if (output.includes("setting up uid map: Permission denied"))
+        return "setting up uid map: Permission denied";
+    if (output.includes("Failed RTM_NEWADDR: Operation not permitted"))
+        return "Failed RTM_NEWADDR: Operation not permitted";
+    if (output.includes("No permissions to creating new namespace"))
+        return "No permissions to creating new namespace";
+    if (output.includes("Creating new namespace failed"))
+        return "Creating new namespace failed";
+    return undefined;
+}
+export function createManagedPythonFallbackPrelude(root) {
+    return `
+import builtins
+import io
+import os
+import pathlib
+import subprocess
+
+_PI_WEB_ROOT = ${JSON.stringify(root)}
+_PI_WEB_OPEN = builtins.open
+_PI_WEB_IO_OPEN = io.open
+_PI_WEB_PATH_OPEN = pathlib.Path.open
+_PI_WEB_PATH_READ_TEXT = pathlib.Path.read_text
+_PI_WEB_PATH_READ_BYTES = pathlib.Path.read_bytes
+_PI_WEB_PATH_WRITE_TEXT = pathlib.Path.write_text
+_PI_WEB_PATH_WRITE_BYTES = pathlib.Path.write_bytes
+
+def _pi_web_inside(path):
+    real = os.path.realpath(os.fspath(path))
+    rel = os.path.relpath(real, _PI_WEB_ROOT)
+    return rel == "." or (not rel.startswith("..") and not os.path.isabs(rel))
+
+def _pi_web_check_path(path):
+    if not isinstance(path, (str, bytes, os.PathLike)):
+        return
+    if not _pi_web_inside(path):
+        raise PermissionError("path outside the managed project sandbox: %s" % path)
+
+def open(file, mode="r", *args, **kwargs):
+    _pi_web_check_path(file)
+    return _PI_WEB_OPEN(file, mode, *args, **kwargs)
+
+def _pi_web_path_open(self, *args, **kwargs):
+    _pi_web_check_path(self)
+    return _PI_WEB_PATH_OPEN(self, *args, **kwargs)
+
+def _pi_web_path_read_text(self, *args, **kwargs):
+    _pi_web_check_path(self)
+    return _PI_WEB_PATH_READ_TEXT(self, *args, **kwargs)
+
+def _pi_web_path_read_bytes(self, *args, **kwargs):
+    _pi_web_check_path(self)
+    return _PI_WEB_PATH_READ_BYTES(self, *args, **kwargs)
+
+def _pi_web_path_write_text(self, *args, **kwargs):
+    _pi_web_check_path(self)
+    return _PI_WEB_PATH_WRITE_TEXT(self, *args, **kwargs)
+
+def _pi_web_path_write_bytes(self, *args, **kwargs):
+    _pi_web_check_path(self)
+    return _PI_WEB_PATH_WRITE_BYTES(self, *args, **kwargs)
+
+def _pi_web_blocked_os_path(path, *args, **kwargs):
+    _pi_web_check_path(path)
+    raise PermissionError("low-level os path APIs are disabled in managed Python fallback mode")
+
+def _pi_web_blocked_process(*args, **kwargs):
+    raise PermissionError("subprocess and shell execution are disabled in managed Python fallback mode")
+
+builtins.open = open
+io.open = open
+pathlib.Path.open = _pi_web_path_open
+pathlib.Path.read_text = _pi_web_path_read_text
+pathlib.Path.read_bytes = _pi_web_path_read_bytes
+pathlib.Path.write_text = _pi_web_path_write_text
+pathlib.Path.write_bytes = _pi_web_path_write_bytes
+os.open = _pi_web_blocked_os_path
+os.listdir = _pi_web_blocked_os_path
+os.scandir = _pi_web_blocked_os_path
+os.stat = _pi_web_blocked_os_path
+os.lstat = _pi_web_blocked_os_path
+subprocess.Popen = _pi_web_blocked_process
+subprocess.run = _pi_web_blocked_process
+subprocess.call = _pi_web_blocked_process
+subprocess.check_call = _pi_web_blocked_process
+subprocess.check_output = _pi_web_blocked_process
+os.system = _pi_web_blocked_process
+`;
+}
+function assertNonSensitiveSandboxEnvKey(key) {
+    const upper = key.toUpperCase();
+    if (SENSITIVE_ENV_PATTERNS.some((pattern) => upper.includes(pattern))) {
+        throw new Error(`Sensitive sandbox environment variable is not allowed: ${key}`);
+    }
+}
+//# sourceMappingURL=managementSandbox.js.map

package/dist/server/sessions/managementSandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"managementSandbox.js","sourceRoot":"","sources":["../../../src/server/sessions/managementSandbox.ts"],"names":[],"mappings":"AAEA,MAAM,YAAY,GAAG,8BAA8B,CAAC;AACpD,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAU,CAAC;AAC3E,MAAM,sBAAsB,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,EAAE,SAAS,CAAU,CAAC;AAClG,MAAM,iBAAiB,GAAG,YAAY,CAAC;AACvC,MAAM,YAAY,GAAG,kBAAkB,CAAC;AAExC,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,MAAM;IACN,MAAM;IACN,MAAM;IACN,QAAQ;IACR,mBAAmB;IACnB,kBAAkB;IAClB,UAAU;IACV,sBAAsB;CACd,CAAC;AAoBX,MAAM,UAAU,+BAA+B,CAAC,OAAyC;IACvF,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE;YAAE,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IAC5D,CAAC;IACD,GAAG,CAAC,MAAM,CAAC,KAAK,YAAY,CAAC;IAE7B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9E,+BAA+B,CAAC,GAAG,CAAC,CAAC;QACrC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,GAAG,YAAY,CAAC;IAC3B,GAAG,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC;IACvB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,OAA0C;IACzF,MAAM,IAAI,GAAG;QACX,eAAe;QACf,eAAe;QACf,eAAe;QACf,mBAAmB;QACnB,YAAY;QACZ,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAC9F,SAAS;QACT,MAAM;QACN,OAAO;QACP,YAAY;QACZ,QAAQ;QACR,OAAO;QACP,OAAO;QACP,MAAM;QACN,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,wBAAwB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/G,QAAQ;QACR,OAAO,CAAC,aAAa;QACrB,iBAAiB;QACjB,SAAS;QACT,iBAAiB;QACjB,OAAO,CAAC,gBAAgB;QACxB,IAAI;QACJ,GAAG;KACJ,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,oBAAoB,EAAE,IAAI,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAc;IACxD,IAAI,MAAM,CAAC,QAAQ,CAAC,uCAAuC,CAAC;QAAE,OAAO,uCAAuC,CAAC;IAC7G,IAAI,MAAM,CAAC,QAAQ,CAAC,6CAA6C,CAAC;QAAE,OAAO,6CAA6C,CAAC;IACzH,IAAI,MAAM,CAAC,QAAQ,CAAC,0CAA0C,CAAC;QAAE,OAAO,0CAA0C,CAAC;IACnH,IAAI,MAAM,CAAC,QAAQ,CAAC,+BAA+B,CAAC;QAAE,OAAO,+BAA+B,CAAC;IAC7F,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,IAAY;IAC7D,OAAO;;;;;;;iBAOQ,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqEpC,CAAC;AACF,CAAC;AAED,SAAS,+BAA+B,CAAC,GAAW;IAClD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,sBAAsB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,0DAA0D,GAAG,EAAE,CAAC,CAAC;IACnF,CAAC;AACH,CAAC"}