@hydra-acp/browser 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sam Magnuson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,258 @@
+# hydra-acp-browser
+
+A browser-based UI for [hydra-acp](https://github.com/smagnuso/hydra-acp)
+sessions. Runs as a hydra extension (or standalone) and serves a small
+single-page app on localhost that lists live sessions, mirrors them in real
+time, and lets you prompt, approve permission requests, switch modes/models,
+create fresh sessions, kill old ones, and browse the project files of any
+session — all from a phone or laptop browser.
+
+The hydra master token never leaves the machine; the browser authenticates
+with a separate per-host authkey instead.
+
+## How it works
+
+```
+                     hydra REST    +-------------------+         browser
+       /v1/sessions   <----------  |                   |  ---->   GET /
+                                   |  hydra-acp-browser |  <---->  /ws?session=<id>
+       hydra WSS      <----------> |                   |
+       /acp                        +-------------------+
+                                            |
+                                  ~/.hydra-acp-browser/
+                                    authkey
+                                    link
+```
+
+The extension exposes:
+
+- **HTTP routes** at `/api/sessions` (GET list, POST create), `/api/agents`,
+  `/api/kill`, `/api/files/list`, `/api/files/read`, `/api/health`.
+- **A WebSocket bridge** at `/ws?session=<id>`. Each browser tab gets its
+  own attach to hydra's `/acp`; ACP frames flow through unchanged in
+  the upstream→browser direction. Browser→upstream traffic is
+  method-whitelisted (`session/prompt`, `session/cancel`, `session/set_mode`,
+  `session/set_model`, plus permission responses) so a tab can't issue
+  arbitrary admin calls.
+
+## Setup
+
+1. **Install or build.**
+
+   From npm (recommended once published):
+
+   ```sh
+   npm install -g @hydra-acp/browser
+   ```
+
+   This drops an `hydra-acp-browser` binary on your PATH.
+
+   Or from source:
+
+   ```sh
+   git clone https://github.com/smagnuso/hydra-acp-browser.git ~/dev/hydra-acp-browser
+   cd ~/dev/hydra-acp-browser
+   npm install
+   npm run build
+   ```
+
+2. **Run as a hydra extension (recommended).** Register the extension
+   with hydra. If installed via npm:
+
+   ```sh
+   hydra-acp extensions add hydra-acp-browser --command hydra-acp-browser
+   ```
+
+   Or pointed at a local build:
+
+   ```sh
+   hydra-acp extensions add hydra-acp-browser \
+     --command node \
+     --args ~/dev/hydra-acp-browser/dist/index.js
+   ```
+
+   That writes the equivalent entry into `~/.hydra-acp/config.json`:
+
+   ```json
+   {
+     "extensions": {
+       "hydra-acp-browser": {
+         "command": ["node"],
+         "args": ["/home/you/dev/hydra-acp-browser/dist/index.js"],
+         "enabled": true
+       }
+     }
+   }
+   ```
+
+   `extensions add` is config-only — it doesn't spawn anything yet.
+   Either bounce the daemon, or, if the daemon is already running,
+   kick the extension into life:
+
+   ```sh
+   hydra-acp extensions start hydra-acp-browser
+   ```
+
+   On startup, hydra spawns hydra-acp-browser with these env vars set:
+   `HYDRA_ACP_DAEMON_URL`, `HYDRA_ACP_TOKEN`, `HYDRA_ACP_WS_URL`. The
+   first launch generates `~/.hydra-acp-browser/authkey` and writes
+   the open URL (with `?authkey=…`) to `~/.hydra-acp-browser/link`.
+   Stdout/stderr land in `~/.hydra-acp/extensions/hydra-acp-browser.log`.
+   Lifecycle is managed with
+   `hydra-acp extensions start|stop|restart hydra-acp-browser` —
+   `restart` is the right call after `npm run build`. Tail the log
+   with `hydra-acp extensions logs hydra-acp-browser -f` (the open URL
+   shows up there on first launch).
+
+3. **Run standalone (alternative).** Set `HYDRA_TOKEN` in
+   `~/.hydra-acp-browser.conf` (or export `HYDRA_ACP_TOKEN`), then:
+
+   ```sh
+   npm start
+   ```
+
+4. **Open the browser** to the URL printed on stderr. The first request
+   sets a cookie; subsequent requests are authenticated by the cookie
+   alone. The URL is also at `~/.hydra-acp-browser/link` for convenience.
+
+## HTTPS
+
+Optional on `127.0.0.1`, **required** for any non-loopback bind (the server
+refuses otherwise — same rule as the hydra daemon). The simplest setup
+is a self-signed cert in `~/.hydra-acp-browser/tls/`.
+
+1. **Generate cert + key.** ECDSA P-256, 5-year validity, with a SAN
+   covering loopback. Add any extra hostnames you'll hit it from
+   (Tailscale name, LAN IP, etc.) to the SAN inline:
+
+   ```sh
+   mkdir -p ~/.hydra-acp-browser/tls && chmod 700 ~/.hydra-acp-browser/tls
+   cd ~/.hydra-acp-browser/tls
+
+   SAN='subjectAltName=DNS:localhost,DNS:'"$(hostname)"',IP:127.0.0.1,IP:::1'
+   #     ^ add ,DNS:my.tailnet.ts.net  or  ,IP:100.64.x.y  if needed.
+
+   openssl req -x509 \
+     -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
+     -sha256 -days 1825 -nodes \
+     -keyout key.pem -out cert.pem \
+     -subj "/CN=hydra-acp-browser" \
+     -addext "$SAN" \
+     -addext "extendedKeyUsage=serverAuth"
+   chmod 600 key.pem cert.pem
+   ```
+
+   Verify the SAN landed:
+
+   ```sh
+   openssl x509 -in cert.pem -noout -text | grep -A1 'Subject Alternative Name'
+   ```
+
+   The cert's CN doesn't matter to modern browsers — only the SAN does.
+   Skipping `-addext "subjectAltName=…"` will make every browser reject
+   the cert with `NET::ERR_CERT_COMMON_NAME_INVALID`.
+
+2. **Wire into config.** Append to `~/.hydra-acp-browser.conf`:
+
+   ```sh
+   BROWSER_TLS_CERT=~/.hydra-acp-browser/tls/cert.pem
+   BROWSER_TLS_KEY=~/.hydra-acp-browser/tls/key.pem
+   ```
+
+   To expose beyond loopback, also set:
+
+   ```sh
+   BROWSER_HOST=0.0.0.0
+   BROWSER_ALLOWED_HOSTS=mybox,mybox.tailnet.ts.net,100.64.1.5
+   ```
+
+   Every entry in `BROWSER_ALLOWED_HOSTS` must also be in the cert's SAN.
+
+3. **Apply** with `hydra-acp extensions restart hydra-acp-browser`. The
+   log line should now read `listening on https://…` and the
+   `Open: https://…/?authkey=…` URL is what you load. The auth cookie
+   carries `Secure` automatically when serving HTTPS.
+
+4. **Trust the cert.** Self-signed certs trip browser warnings.
+   - **Click-through:** open the URL, accept the warning. Per-site only.
+   - **Linux Chrome/Chromium:**
+     `certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n hydra-acp-browser -i ~/.hydra-acp-browser/tls/cert.pem`
+   - **macOS:** double-click `cert.pem`, add to System keychain, set
+     "Always Trust" in Get Info.
+   - **iOS:** AirDrop/email `cert.pem` to the device, install profile
+     (Settings → General → VPN & Device Management), then enable under
+     Settings → General → About → Certificate Trust Settings.
+
+If you're already on Tailscale, [`tailscale cert`](https://tailscale.com/kb/1153/enabling-https)
+issues a real Let's Encrypt cert for `<host>.tailnet.ts.net` — strictly
+better than self-signed (no trust prompts, ~30 s setup). Drop the
+output paths into `BROWSER_TLS_CERT` / `BROWSER_TLS_KEY` and skip
+step 4.
+
+If you flip-flop between HTTP and HTTPS, the `Secure` cookie set under
+HTTPS won't be sent over plain HTTP. Run
+`hydra-acp-browser --rotate-authkey` to start fresh.
+
+## Configuration keys
+
+`~/.hydra-acp-browser.conf` (KEY=VALUE). All keys are optional unless noted.
+
+| Key                          | Default                                | Notes |
+|------------------------------|----------------------------------------|-------|
+| `BROWSER_HOST`               | `127.0.0.1`                            | Bind host. Non-loopback requires TLS. |
+| `BROWSER_PORT`               | `9099`                                 | Listen port. |
+| `BROWSER_TLS_CERT`           | (none)                                 | If set with `BROWSER_TLS_KEY`, listen on HTTPS. |
+| `BROWSER_TLS_KEY`            | (none)                                 | Path to TLS key. |
+| `BROWSER_AUTHKEY_FILE`       | `~/.hydra-acp-browser/authkey`         | Where the browser-side authkey lives. |
+| `BROWSER_LINK_FILE`          | `~/.hydra-acp-browser/link`            | URL written for convenience. |
+| `BROWSER_ALLOWED_HOSTS`      | empty                                  | Comma-sep extra Host values for DNS-rebind allowlist (e.g. Tailscale name). |
+| `BROWSER_FILE_MAX_BYTES`     | `262144`                               | Upper bound for `/api/files/read`. |
+| `HYDRA_DAEMON_URL`           | from env / `http://127.0.0.1:8765`     | `HYDRA_ACP_DAEMON_URL` env wins. |
+| `HYDRA_WS_URL`               | derived                                | `HYDRA_ACP_WS_URL` env wins. |
+| `HYDRA_TOKEN`                | (required)                             | Same precedence as the slack ext. |
+| `DEBUG`                      | `false`                                | Verbose logging. |
+
+## Security
+
+- **Authkey vs. hydra token.** The browser only ever sees a per-host
+  authkey (32 bytes, hex). The hydra master token stays on the server.
+- **Loopback or TLS.** The server refuses to bind a non-loopback host
+  unless `BROWSER_TLS_CERT` and `BROWSER_TLS_KEY` are configured —
+  mirrors hydra's daemon.
+- **DNS-rebind protection.** The `Host` header must match
+  `127.0.0.1[:port]`, `localhost[:port]`, or an entry in
+  `BROWSER_ALLOWED_HOSTS`.
+- **CSRF.** State-changing requests check `Origin` (against
+  `<scheme>://<allowed-host>:<port>`) and `Sec-Fetch-Site`
+  (`same-origin` / `none` only).
+- **CSP.** The HTML response carries a per-request nonce; only
+  `'self'` and the matching nonce are allowed for scripts/styles.
+- **Rate limit.** 10 failed auth attempts in 15 min from a single
+  remote IP triggers a `429` until the window rolls.
+- **WS method whitelist.** A compromised tab can only send
+  `session/prompt`, `session/cancel`, `session/set_mode`,
+  `session/set_model`, plus responses to permission requests it has
+  actually been forwarded.
+- **`fs/*` reverse calls** from agents are rejected at the bridge so a
+  tab can't accidentally expose the user's filesystem to the agent
+  via this surface.
+
+## Tests
+
+```sh
+npm test
+```
+
+Runs the auth, CSRF, file-traversal, and bridge-whitelist tests
+under the built-in Node test runner.
+
+## Status
+
+Experimental. v1 covers list / chat / tool calls / permissions /
+session create / kill / file browse / mode + model picker. Out of scope:
+multi-user UI, image upload from the browser into the agent,
+transcript search.
+
+## License
+
+MIT.

package/dist/config.js

@@ -0,0 +1,101 @@
+import { readFileSync } from "node:fs";
+import { expandHome, paths } from "./util/paths.js";
+const TRUTHY = new Set(["1", "true", "yes", "on", "t"]);
+function parseEnvFile(text) {
+    const out = new Map();
+    for (const rawLine of text.split(/\r?\n/)) {
+        const line = rawLine.trim();
+        if (!line || line.startsWith("#")) {
+            continue;
+        }
+        const eq = line.indexOf("=");
+        if (eq === -1) {
+            continue;
+        }
+        const key = line.slice(0, eq).trim();
+        let val = line.slice(eq + 1).trim();
+        if ((val.startsWith('"') && val.endsWith('"')) ||
+            (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.slice(1, -1);
+        }
+        out.set(key, val);
+    }
+    return out;
+}
+function deriveWsUrl(httpUrl) {
+    if (httpUrl.startsWith("https://")) {
+        return ("wss://" + httpUrl.slice("https://".length).replace(/\/$/, "") + "/acp");
+    }
+    if (httpUrl.startsWith("http://")) {
+        return ("ws://" + httpUrl.slice("http://".length).replace(/\/$/, "") + "/acp");
+    }
+    throw new Error(`hydraDaemonUrl must start with http:// or https://: ${httpUrl}`);
+}
+function bool(map, key, fallback) {
+    const v = map.get(key);
+    if (v === undefined) {
+        return fallback;
+    }
+    return TRUTHY.has(v.toLowerCase());
+}
+function intVal(map, key, fallback) {
+    const v = map.get(key);
+    if (v === undefined || v.length === 0) {
+        return fallback;
+    }
+    const n = Number.parseInt(v, 10);
+    return Number.isFinite(n) ? n : fallback;
+}
+function commaList(map, key) {
+    const v = map.get(key);
+    if (!v) {
+        return [];
+    }
+    return v
+        .split(",")
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+}
+export function loadConfig(path = paths.configFile()) {
+    let text = "";
+    try {
+        text = readFileSync(path, "utf8");
+    }
+    catch {
+        // Config file is optional; defaults + env vars cover the required keys.
+    }
+    const map = parseEnvFile(text);
+    const hydraDaemonUrl = process.env.HYDRA_ACP_DAEMON_URL ??
+        map.get("HYDRA_DAEMON_URL") ??
+        "http://127.0.0.1:8765";
+    const hydraToken = process.env.HYDRA_ACP_TOKEN ?? map.get("HYDRA_TOKEN") ?? "";
+    if (!hydraToken) {
+        throw new Error("Missing HYDRA_ACP_TOKEN env var (or HYDRA_TOKEN config key). When run as a hydra extension, hydra injects this automatically; otherwise set it in ~/.hydra-acp-browser.conf.");
+    }
+    const hydraWsUrl = process.env.HYDRA_ACP_WS_URL ??
+        map.get("HYDRA_WS_URL") ??
+        deriveWsUrl(hydraDaemonUrl);
+    const tlsCert = map.get("BROWSER_TLS_CERT");
+    const tlsKey = map.get("BROWSER_TLS_KEY");
+    let tls;
+    if (tlsCert && tlsKey) {
+        tls = { cert: expandHome(tlsCert), key: expandHome(tlsKey) };
+    }
+    else if (tlsCert || tlsKey) {
+        throw new Error("BROWSER_TLS_CERT and BROWSER_TLS_KEY must both be set or both omitted.");
+    }
+    return {
+        browserHost: map.get("BROWSER_HOST") ?? "127.0.0.1",
+        browserPort: intVal(map, "BROWSER_PORT", 9099),
+        tls,
+        authkeyFile: expandHome(map.get("BROWSER_AUTHKEY_FILE") ?? paths.authkeyFile()),
+        linkFile: expandHome(map.get("BROWSER_LINK_FILE") ?? paths.linkFile()),
+        allowedHosts: commaList(map, "BROWSER_ALLOWED_HOSTS"),
+        fileMaxBytes: intVal(map, "BROWSER_FILE_MAX_BYTES", 256 * 1024),
+        hydraDaemonUrl,
+        hydraWsUrl,
+        hydraToken,
+        debug: bool(map, "DEBUG", false),
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAqBpD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAExD,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,SAAS;QACX,CAAC;QACD,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;YACd,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,IAAI,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACpC,IACE,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC1C,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC1C,CAAC;YACD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,OAAe;IAClC,IAAI,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,OAAO,CACL,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,MAAM,CACxE,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAClC,OAAO,CACL,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,MAAM,CACtE,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,KAAK,CACb,uDAAuD,OAAO,EAAE,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CAAC,GAAwB,EAAE,GAAW,EAAE,QAAiB;IACpE,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;QACpB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,MAAM,CACb,GAAwB,EACxB,GAAW,EACX,QAAgB;IAEhB,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjC,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,GAAwB,EAAE,GAAW;IACtD,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,CAAC;SACL,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,OAAe,KAAK,CAAC,UAAU,EAAE;IAC1D,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,IAAI,CAAC;QACH,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;IACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAE/B,MAAM,cAAc,GAClB,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAC3B,uBAAuB,CAAC;IAC1B,MAAM,UAAU,GACd,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;IAC9D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,8KAA8K,CAC/K,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GACd,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC;QACvB,WAAW,CAAC,cAAc,CAAC,CAAC;IAE9B,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC1C,IAAI,GAA0B,CAAC;IAC/B,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;QACtB,GAAG,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;IAC/D,CAAC;SAAM,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,wEAAwE,CACzE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,WAAW;QACnD,WAAW,EAAE,MAAM,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,CAAC;QAC9C,GAAG;QACH,WAAW,EAAE,UAAU,CACrB,GAAG,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,KAAK,CAAC,WAAW,EAAE,CACvD;QACD,QAAQ,EAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACtE,YAAY,EAAE,SAAS,CAAC,GAAG,EAAE,uBAAuB,CAAC;QACrD,YAAY,EAAE,MAAM,CAAC,GAAG,EAAE,wBAAwB,EAAE,GAAG,GAAG,IAAI,CAAC;QAC/D,cAAc;QACd,UAAU;QACV,UAAU;QACV,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC;KACjC,CAAC;AACJ,CAAC"}

package/dist/hydra/client.js

@@ -0,0 +1,61 @@
+import { logger } from "../util/log.js";
+const log = logger("hydra-rest");
+export class HydraRestClient {
+    baseUrl;
+    token;
+    constructor(baseUrl, token) {
+        this.baseUrl = baseUrl;
+        this.token = token;
+    }
+    async json(method, path, body) {
+        const init = {
+            method,
+            headers: {
+                Authorization: `Bearer ${this.token}`,
+                "Content-Type": "application/json",
+            },
+        };
+        if (body !== undefined) {
+            init.body = JSON.stringify(body);
+        }
+        const r = await fetch(`${this.baseUrl}${path}`, init);
+        if (!r.ok) {
+            const text = await r.text().catch(() => "");
+            log.warn(`${method} ${path} → ${r.status} ${text.slice(0, 200)}`);
+            throw new HydraRestError(r.status, `${method} ${path}: ${r.status}`);
+        }
+        if (r.status === 204) {
+            return undefined;
+        }
+        return (await r.json());
+    }
+    async health() {
+        return this.json("GET", "/v1/health");
+    }
+    async listSessions(opts) {
+        const qs = new URLSearchParams();
+        if (opts?.cwd) {
+            qs.set("cwd", opts.cwd);
+        }
+        if (opts?.all) {
+            qs.set("all", "true");
+        }
+        const suffix = qs.toString() ? `?${qs.toString()}` : "";
+        return this.json("GET", `/v1/sessions${suffix}`);
+    }
+    async deleteSession(sessionId) {
+        await this.json("DELETE", `/v1/sessions/${encodeURIComponent(sessionId)}`);
+    }
+    async listAgents() {
+        return this.json("GET", "/v1/agents");
+    }
+}
+export class HydraRestError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+        this.name = "HydraRestError";
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/hydra/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/hydra/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAExC,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;AAqBjC,MAAM,OAAO,eAAe;IAEP;IACA;IAFnB,YACmB,OAAe,EACf,KAAa;QADb,YAAO,GAAP,OAAO,CAAQ;QACf,UAAK,GAAL,KAAK,CAAQ;IAC7B,CAAC;IAEI,KAAK,CAAC,IAAI,CAChB,MAAc,EACd,IAAY,EACZ,IAAc;QAEd,MAAM,IAAI,GAAgB;YACxB,MAAM;YACN,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;gBACrC,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC;QACF,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC;QACD,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;QACtD,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5C,GAAG,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,IAAI,MAAM,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YAClE,MAAM,IAAI,cAAc,CAAC,CAAC,CAAC,MAAM,EAAE,GAAG,MAAM,IAAI,IAAI,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,SAAc,CAAC;QACxB,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAM,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAGlB;QACC,MAAM,EAAE,GAAG,IAAI,eAAe,EAAE,CAAC;QACjC,IAAI,IAAI,EAAE,GAAG,EAAE,CAAC;YACd,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QACD,IAAI,IAAI,EAAE,GAAG,EAAE,CAAC;YACd,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACxB,CAAC;QACD,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,eAAe,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,IAAI,CAAC,IAAI,CACb,QAAQ,EACR,gBAAgB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAChD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IACxC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IAErB;IADlB,YACkB,MAAc,EAC9B,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,WAAM,GAAN,MAAM,CAAQ;QAI9B,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF"}

package/dist/hydra/ws.js

@@ -0,0 +1,178 @@
+import { EventEmitter } from "node:events";
+import { readFileSync } from "node:fs";
+import { WebSocket } from "ws";
+import { logger } from "../util/log.js";
+const log = logger("hydra-ws");
+const pkg = JSON.parse(readFileSync(new URL("../../package.json", import.meta.url), "utf8"));
+export function isRequest(m) {
+    return "method" in m && "id" in m;
+}
+export function isNotification(m) {
+    return "method" in m && !("id" in m);
+}
+export function isResponse(m) {
+    return !("method" in m) && "id" in m;
+}
+// Thin wrapper around an outbound WSS connection to hydra's `/acp` endpoint.
+// Authenticates via the `hydra-acp-token.<token>` subprotocol (alongside
+// `acp.v1`), exposes JSON-RPC request/notify primitives and an event stream
+// for inbound traffic. Handshake (initialize + session/attach or session/new)
+// is the caller's responsibility — see ws-bridge.ts and routes-sessions.ts.
+export class UpstreamConnection extends EventEmitter {
+    opts;
+    ws;
+    nextId = 1;
+    pending = new Map();
+    connected = false;
+    closed = false;
+    constructor(opts) {
+        super();
+        this.opts = opts;
+    }
+    get isConnected() {
+        return this.connected;
+    }
+    get clientName() {
+        return this.opts.clientName ?? "hydra-acp-browser";
+    }
+    get clientVersion() {
+        return this.opts.clientVersion ?? pkg.version;
+    }
+    start() {
+        log.debug(`connecting ${this.opts.daemonWsUrl}`);
+        const subprotocols = ["acp.v1", `hydra-acp-token.${this.opts.token}`];
+        let ws;
+        try {
+            ws = new WebSocket(this.opts.daemonWsUrl, subprotocols);
+        }
+        catch (err) {
+            this.emit("error", err);
+            return;
+        }
+        this.ws = ws;
+        ws.on("open", () => {
+            this.connected = true;
+            this.emit("open");
+        });
+        ws.on("message", (data, isBinary) => {
+            if (isBinary) {
+                return;
+            }
+            const text = data.toString("utf8");
+            try {
+                const parsed = JSON.parse(text);
+                this.onMessage(parsed);
+            }
+            catch (err) {
+                log.warn(`parse error: ${err.message}; raw=${text.slice(0, 200)}`);
+            }
+        });
+        ws.on("error", (err) => {
+            log.warn(`ws error: ${err.message}`);
+            this.emit("error", err);
+        });
+        ws.on("close", (code, reason) => {
+            this.connected = false;
+            this.closed = true;
+            const reasonText = reason.toString("utf8");
+            for (const [, p] of this.pending) {
+                p.reject(new Error("ws closed"));
+            }
+            this.pending.clear();
+            this.emit("close", { code, reason: reasonText });
+        });
+    }
+    stop() {
+        if (this.ws && this.ws.readyState !== WebSocket.CLOSED) {
+            try {
+                this.ws.close();
+            }
+            catch {
+                void 0;
+            }
+        }
+    }
+    async request(method, params) {
+        const id = this.nextId++;
+        const msg = {
+            jsonrpc: "2.0",
+            id,
+            method,
+            ...(params !== undefined ? { params } : {}),
+        };
+        this.write(msg);
+        return new Promise((resolve, reject) => {
+            this.pending.set(id, {
+                resolve: (resp) => {
+                    if (resp.error) {
+                        reject(new Error(`${resp.error.code}: ${resp.error.message}`));
+                    }
+                    else {
+                        resolve(resp.result);
+                    }
+                },
+                reject,
+            });
+        });
+    }
+    notify(method, params) {
+        const msg = {
+            jsonrpc: "2.0",
+            method,
+            ...(params !== undefined ? { params } : {}),
+        };
+        this.write(msg);
+    }
+    reply(id, result) {
+        const msg = { jsonrpc: "2.0", id, result };
+        this.write(msg);
+    }
+    replyError(id, code, message) {
+        const msg = {
+            jsonrpc: "2.0",
+            id,
+            error: { code, message },
+        };
+        this.write(msg);
+    }
+    // Send a frame as-is. Used by the WS bridge to forward browser-originated
+    // JSON-RPC messages to hydra unchanged (after method-whitelist validation).
+    sendRaw(frame) {
+        this.write(frame);
+    }
+    write(msg) {
+        if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+            if (!this.closed) {
+                log.warn(`drop write to closed ws: ${JSON.stringify(msg).slice(0, 200)}`);
+            }
+            return;
+        }
+        this.ws.send(JSON.stringify(msg));
+    }
+    onMessage(m) {
+        if (isResponse(m)) {
+            const p = this.pending.get(m.id);
+            if (p) {
+                this.pending.delete(m.id);
+                p.resolve(m);
+            }
+            this.emit("response", m);
+        }
+        else if (isRequest(m)) {
+            this.emit("request", m);
+        }
+        else if (isNotification(m)) {
+            this.emit("notification", m);
+        }
+    }
+}
+export async function runInitialize(conn, opts = {}) {
+    await conn.request("initialize", {
+        protocolVersion: opts.protocolVersion ?? 1,
+        clientCapabilities: opts.clientCapabilities ?? {
+            fs: { readTextFile: false, writeTextFile: false },
+            terminal: false,
+        },
+    });
+}
+//# sourceMappingURL=ws.js.map

package/dist/hydra/ws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws.js","sourceRoot":"","sources":["../../src/hydra/ws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAExC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;AAE/B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAC9C,CAAC;AA6BzB,MAAM,UAAU,SAAS,CAAC,CAAiB;IACzC,OAAO,QAAQ,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,CAAiB;IAC9C,OAAO,QAAQ,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAiB;IAC1C,OAAO,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;AACvC,CAAC;AAyBD,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,8EAA8E;AAC9E,4EAA4E;AAC5E,MAAM,OAAO,kBAAmB,SAAQ,YAA4B;IAOrC;IANrB,EAAE,CAAwB;IAC1B,MAAM,GAAG,CAAC,CAAC;IACX,OAAO,GAAG,IAAI,GAAG,EAA6B,CAAC;IAC/C,SAAS,GAAG,KAAK,CAAC;IAClB,MAAM,GAAG,KAAK,CAAC;IAEvB,YAA6B,IAAqB;QAChD,KAAK,EAAE,CAAC;QADmB,SAAI,GAAJ,IAAI,CAAiB;IAElD,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IACrD,CAAC;IAED,IAAI,aAAa;QACf,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,GAAG,CAAC,OAAO,CAAC;IAChD,CAAC;IAED,KAAK;QACH,GAAG,CAAC,KAAK,CAAC,cAAc,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACjD,MAAM,YAAY,GAAG,CAAC,QAAQ,EAAE,mBAAmB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACtE,IAAI,EAAa,CAAC;QAClB,IAAI,CAAC;YACH,EAAE,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAY,CAAC,CAAC;YACjC,OAAO;QACT,CAAC;QACD,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QAEb,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACjB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;YACtB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;YAClC,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;gBAClD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACzB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,gBAAiB,GAAa,CAAC,OAAO,SAAS,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YAChF,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACrB,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YAC9B,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;YACvB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3C,KAAK,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjC,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;YACnC,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACrB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,KAAK,SAAS,CAAC,MAAM,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC;gBACP,KAAK,CAAC,CAAC;YACT,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAc,MAAc,EAAE,MAAgB;QACzD,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,KAAK;YACd,EAAE;YACF,MAAM;YACN,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5C,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChB,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE;gBACnB,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;oBAChB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;wBACf,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;oBACjE,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,IAAI,CAAC,MAAW,CAAC,CAAC;oBAC5B,CAAC;gBACH,CAAC;gBACD,MAAM;aACP,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,MAAc,EAAE,MAAgB;QACrC,MAAM,GAAG,GAAwB;YAC/B,OAAO,EAAE,KAAK;YACd,MAAM;YACN,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5C,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,EAAa,EAAE,MAAe;QAClC,MAAM,GAAG,GAAoB,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;QAC5D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IAED,UAAU,CAAC,EAAa,EAAE,IAAY,EAAE,OAAe;QACrD,MAAM,GAAG,GAAoB;YAC3B,OAAO,EAAE,KAAK;YACd,EAAE;YACF,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;SACzB,CAAC;QACF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,OAAO,CAAC,KAAqB;QAC3B,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACpB,CAAC;IAEO,KAAK,CAAC,GAAmB;QAC/B,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YACtD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,GAAG,CAAC,IAAI,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YAC5E,CAAC;YACD,OAAO;QACT,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,CAAC;IAEO,SAAS,CAAC,CAAiB;QACjC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,CAAC,EAAE,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC1B,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACf,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC3B,CAAC;aAAM,IAAI,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF;AAOD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAwB,EACxB,OAAyB,EAAE;IAE3B,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE;QAC/B,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,CAAC;QAC1C,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,IAAI;YAC7C,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE;YACjD,QAAQ,EAAE,KAAK;SAChB;KACF,CAAC,CAAC;AACL,CAAC"}