@oomkapwn/enquire-mcp 2.5.0 → 2.7.0

package/dist/http-transport.js

@@ -0,0 +1,384 @@
+// HTTP transport for enquire-mcp.
+//
+// v2.6.0 — remote-MCP support. Runs the MCP server over Streamable HTTP
+// (the protocol claude.ai web, ChatGPT, mobile clients, and Cursor's HTTP
+// mode all use). Three layers in front of the SDK transport:
+//
+//   1. Bearer auth — constant-time token compare, fail-closed (401 on
+//      missing/wrong header). Token is generated by the user (we never
+//      mint tokens — this is not OAuth) and passed via --bearer-token or
+//      --bearer-token-env. See docs/http-transport.md for the security
+//      model and Tailscale Funnel / Cloudflare Tunnel deployment recipes.
+//   2. Rate-limit — per-token sliding-window bucket, 429 on overflow.
+//      In-memory; survives a single process. Default 120 req/min.
+//   3. CORS — strict allowlist via --cors-origin (repeatable). Default
+//      empty: no Access-Control-Allow-Origin header sent. Same-origin
+//      and credentialed Bearer requests work either way.
+//
+// We use the SDK's StreamableHTTPServerTransport in stateless mode
+// (sessionIdGenerator: undefined). A fresh transport + McpServer is
+// connected per request. The Vault, FtsIndex, EmbedDb handles are
+// SHARED across all sessions — opening SQLite once and reusing across
+// thousands of remote-MCP calls. This is why prepareServerDeps() is
+// called once in startHttpServer() and buildMcpServer() is called per
+// request: the heavy I/O happens once at boot.
+//
+// Stateful sessions (sessionId-keyed transports) are deferred to v2.7+
+// because they require persistence-aware shutdown handling and are only
+// needed for SSE long-running operations. Our tools are short-running
+// (search, read, frontmatter ops), so stateless is the right default.
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+import { createServer } from "node:http";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { buildMcpServer, formatReadyBanner, prepareServerDeps } from "./index.js";
+/**
+ * Sliding-window rate limiter. Per-token. Window is rolling 60 seconds.
+ * Uses a tiny circular buffer of timestamps per token — O(burst-size)
+ * memory per token, no GC churn (we trim when we check).
+ *
+ * NOT distributed. If the user runs multiple processes behind a load
+ * balancer they'd want a shared store (Redis); deferred to v2.7+.
+ */
+class RateLimiter {
+    perMinute;
+    windows = new Map();
+    constructor(perMinute) {
+        this.perMinute = perMinute;
+    }
+    /** Returns true if request allowed; false if over budget. */
+    consume(tokenId, nowMs = Date.now()) {
+        if (this.perMinute <= 0)
+            return true; // disabled
+        const cutoff = nowMs - 60_000;
+        let timestamps = this.windows.get(tokenId);
+        if (!timestamps) {
+            timestamps = [];
+            this.windows.set(tokenId, timestamps);
+        }
+        // Trim out-of-window entries from the front (they're append-ordered).
+        while (timestamps.length > 0 && (timestamps[0] ?? 0) < cutoff) {
+            timestamps.shift();
+        }
+        if (timestamps.length >= this.perMinute)
+            return false;
+        timestamps.push(nowMs);
+        return true;
+    }
+    /** Test-only: reset all windows. */
+    reset() {
+        this.windows.clear();
+    }
+}
+/**
+ * Constant-time bearer-token compare. The Authorization header is
+ * `Bearer <token>` per RFC 6750. We compare against the raw token
+ * supplied at startup — both sides padded to a hash so timingSafeEqual
+ * doesn't leak length.
+ *
+ * Returns the SHA-256 digest of the token (used as the rate-limit key)
+ * if valid, or null if not. We never use the raw token as the key — a
+ * compromised log dump would expose it.
+ */
+function verifyBearer(authHeader, expectedToken) {
+    if (!authHeader?.startsWith("Bearer "))
+        return null;
+    const presented = authHeader.slice("Bearer ".length).trim();
+    if (presented.length === 0)
+        return null;
+    // Hash both sides so timingSafeEqual gets equal-length buffers regardless
+    // of whether the presented token is longer or shorter than expected. The
+    // hash is constant-length, so length-comparison short-circuits don't leak.
+    const expectedHash = createHash("sha256").update(expectedToken).digest();
+    const presentedHash = createHash("sha256").update(presented).digest();
+    if (!timingSafeEqual(expectedHash, presentedHash))
+        return null;
+    // Return the digest as the rate-limit key. Different tokens produce
+    // different keys; the same token always produces the same key.
+    return presentedHash.toString("hex").slice(0, 16);
+}
+/** Read the entire request body (UTF-8 JSON). Returns undefined for empty. */
+async function readJsonBody(req, maxBytes) {
+    const chunks = [];
+    let total = 0;
+    for await (const chunk of req) {
+        const buf = Buffer.from(chunk);
+        total += buf.length;
+        if (total > maxBytes) {
+            throw new Error(`request body exceeds max ${maxBytes} bytes`);
+        }
+        chunks.push(buf);
+    }
+    if (total === 0)
+        return undefined;
+    const text = Buffer.concat(chunks).toString("utf8");
+    return JSON.parse(text);
+}
+/** Send a JSON-RPC error response with the given HTTP + RPC status. */
+function sendJsonRpcError(res, httpStatus, code, message) {
+    if (res.headersSent)
+        return;
+    res.statusCode = httpStatus;
+    res.setHeader("Content-Type", "application/json");
+    res.end(JSON.stringify({
+        jsonrpc: "2.0",
+        error: { code, message },
+        id: null
+    }));
+}
+/**
+ * Apply CORS headers if the request's Origin is allowed.
+ *
+ * Defense-in-depth against the CORS-credentials-misconfig class of bugs:
+ *
+ *   • For an explicit allowlisted origin (e.g. https://claude.ai), we
+ *     reflect ONLY that exact origin in `Access-Control-Allow-Origin` and
+ *     emit `Vary: Origin` so caches don't cross-pollinate across origins.
+ *     Pair with `Access-Control-Allow-Credentials: true` so cookies +
+ *     credentialed Bearer requests work as expected.
+ *
+ *   • For the wildcard `*` allowlist entry, we reflect `*` literally (NOT
+ *     the request's origin) and DO NOT send `Allow-Credentials: true`.
+ *     Browsers reject the combo of wildcard-origin + credentials anyway,
+ *     so this matches what they enforce. Equally important: it kills the
+ *     CORS-credential-leak attack surface where a misconfigured wildcard
+ *     could otherwise hand attacker.com a credential-bearing CORS grant.
+ *
+ *   • Disallowed origins get nothing — no Allow-Origin header → browser
+ *     blocks the actual request even if we 200.
+ *
+ * Documented as a deliberate behavior split for users who pass `*`: with
+ * `*` you get an unauthenticated public CORS endpoint (still bearer-gated
+ * server-side, just no credentialed-cookie path). That's the right
+ * trade-off.
+ */
+function applyCors(req, res, allowOrigins) {
+    const requestOrigin = req.headers.origin;
+    if (typeof requestOrigin !== "string")
+        return;
+    // Sourcing the response value from `allowOrigins` (a server-controlled
+    // CLI flag) instead of from `req.headers.origin` (an attacker-controlled
+    // request header) is a deliberate defense against the CORS-credential-
+    // leak class of bug. CodeQL's `js/cors-misconfiguration-for-credentials`
+    // query is satisfied because `matchedOrigin`'s data source is the
+    // allowlist, not the request — even though the strings are equal by
+    // construction at this point, the data-flow taint is what matters.
+    const matchedOrigin = allowOrigins.find((o) => o === requestOrigin);
+    const wildcardAllowed = matchedOrigin === undefined && allowOrigins.includes("*");
+    if (matchedOrigin === undefined && !wildcardAllowed)
+        return;
+    // Wildcard branch: reflect literal "*" + OMIT Allow-Credentials (the
+    // browser would reject the combo anyway, and we don't grant attacker
+    // origins a credentialed window). Exact-match branch: use the trusted
+    // allowlist value + send Allow-Credentials: true so cookies + Bearer
+    // requests work cross-origin.
+    if (wildcardAllowed) {
+        res.setHeader("Access-Control-Allow-Origin", "*");
+    }
+    else if (matchedOrigin !== undefined) {
+        res.setHeader("Access-Control-Allow-Origin", matchedOrigin);
+        res.setHeader("Access-Control-Allow-Credentials", "true");
+    }
+    res.setHeader("Vary", "Origin");
+    res.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Mcp-Session-Id, Last-Event-ID");
+    res.setHeader("Access-Control-Max-Age", "600");
+}
+/**
+ * Build the request handler. Factored out of the listener-creation path
+ * so tests can drive it without binding a TCP port.
+ */
+export function createHttpHandler(deps, opts) {
+    const mcpPath = opts.mcpPath ?? "/mcp";
+    const healthPath = opts.healthPath ?? "/health";
+    const corsOrigins = opts.corsOrigins ?? [];
+    const limiter = new RateLimiter(opts.rateLimitPerMinute ?? 120);
+    const maxBodyBytes = 4 * 1024 * 1024; // 4MB — generous for tools/list with 36 tools
+    return async (req, res) => {
+        try {
+            applyCors(req, res, corsOrigins);
+            // OPTIONS preflight short-circuit.
+            if (req.method === "OPTIONS") {
+                res.statusCode = 204;
+                res.end();
+                return;
+            }
+            const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+            // Health probe — unauthenticated, no rate-limit. Useful for
+            // Tailscale/Cloudflare healthchecks. Returns just `ok` so it
+            // doesn't leak version info to unauth callers.
+            if (url.pathname === healthPath && req.method === "GET") {
+                res.statusCode = 200;
+                res.setHeader("Content-Type", "text/plain");
+                res.end("ok");
+                return;
+            }
+            if (url.pathname !== mcpPath) {
+                res.statusCode = 404;
+                res.setHeader("Content-Type", "application/json");
+                res.end(JSON.stringify({ error: "not found", path: url.pathname }));
+                return;
+            }
+            // Auth: bearer token required for /mcp.
+            const authHeader = req.headers.authorization;
+            const tokenKey = verifyBearer(typeof authHeader === "string" ? authHeader : undefined, opts.bearerToken);
+            if (tokenKey === null) {
+                res.statusCode = 401;
+                res.setHeader("WWW-Authenticate", 'Bearer realm="enquire-mcp"');
+                res.setHeader("Content-Type", "application/json");
+                res.end(JSON.stringify({ error: "unauthorized" }));
+                return;
+            }
+            // Rate-limit per token.
+            if (!limiter.consume(tokenKey)) {
+                res.statusCode = 429;
+                res.setHeader("Retry-After", "60");
+                res.setHeader("Content-Type", "application/json");
+                res.end(JSON.stringify({ error: "rate limit exceeded" }));
+                return;
+            }
+            // Method gating. POST is the main MCP entry; GET is for SSE
+            // streams (we're stateless, so we don't expose a long-lived GET
+            // — stub it with 405); DELETE is for stateful session termination
+            // (also 405 in stateless mode).
+            if (req.method !== "POST") {
+                sendJsonRpcError(res, 405, -32000, `Method ${req.method} not allowed for ${mcpPath}`);
+                return;
+            }
+            let body;
+            try {
+                body = await readJsonBody(req, maxBodyBytes);
+            }
+            catch (err) {
+                sendJsonRpcError(res, 400, -32700, err instanceof Error ? err.message : "Parse error");
+                return;
+            }
+            // Build a fresh McpServer + transport for this request. The
+            // McpServer registers tool handlers (closures over the SHARED
+            // deps.vault / deps.ftsIndex), so this is cheap — no SQLite open,
+            // no embedder load. The transport handles a single request and
+            // closes.
+            const server = buildMcpServer(deps, opts);
+            const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
+            try {
+                await server.connect(transport);
+                // Wire up cleanup so we never leak a transport on early
+                // client-disconnect. Both server and transport are per-request
+                // disposable — `server.close()` releases the connection, the
+                // transport's `close()` flushes any pending stream.
+                const cleanup = () => {
+                    void transport.close();
+                    void server.close();
+                };
+                res.on("close", cleanup);
+                await transport.handleRequest(req, res, body);
+            }
+            catch (err) {
+                process.stderr.write(`enquire http: transport error — ${err instanceof Error ? err.message : String(err)}\n`);
+                sendJsonRpcError(res, 500, -32603, "Internal server error");
+            }
+        }
+        catch (err) {
+            // Final safety net — if anything in the outer block throws (URL
+            // parse, header read), don't leave the connection hung.
+            process.stderr.write(`enquire http: handler error — ${err instanceof Error ? (err.stack ?? err.message) : String(err)}\n`);
+            if (!res.headersSent) {
+                sendJsonRpcError(res, 500, -32603, "Internal server error");
+            }
+        }
+    };
+}
+/**
+ * Generate a fresh 32-byte base64url bearer token. Used by the
+ * `enquire-mcp gen-token` subcommand.
+ */
+export function generateBearerToken() {
+    return randomBytes(32).toString("base64url");
+}
+/**
+ * Bind and start the HTTP transport. Returns the underlying http.Server
+ * so callers (tests + CLI) can listen for `listening` / close it.
+ */
+export async function startHttpServer(opts) {
+    if (!opts.bearerToken || opts.bearerToken.length < 16) {
+        throw new Error("enquire serve-http: --bearer-token is required and must be ≥16 chars. " +
+            "Generate one with: enquire-mcp gen-token");
+    }
+    const deps = await prepareServerDeps(opts);
+    const handler = createHttpHandler(deps, opts);
+    const httpServer = createServer((req, res) => {
+        void handler(req, res);
+    });
+    // Persistent-cache flush + watcher cleanup on signal. Same hooks as
+    // stdio mode — the deps own the lifecycle. Skipped under
+    // installSignalHandlers=false so tests can spawn many servers in one
+    // process without accumulating SIGINT/SIGTERM listeners.
+    if (opts.installSignalHandlers !== false) {
+        if (deps.vault.persistentCacheEnabled) {
+            let saving = false;
+            let saved = false;
+            const flush = async () => {
+                if (saving || saved)
+                    return;
+                saving = true;
+                try {
+                    await deps.vault.saveDiskCache();
+                    saved = true;
+                }
+                catch (err) {
+                    process.stderr.write(`enquire: cache flush failed — ${err instanceof Error ? err.message : String(err)}\n`);
+                }
+                finally {
+                    saving = false;
+                }
+            };
+            process.once("SIGINT", () => {
+                flush().finally(() => process.exit(0));
+            });
+            process.once("SIGTERM", () => {
+                flush().finally(() => process.exit(0));
+            });
+            process.on("beforeExit", () => {
+                if (!saved && !saving)
+                    void flush();
+            });
+        }
+        if (deps.watcher) {
+            const closeWatcher = () => void deps.watcher?.close();
+            process.once("SIGINT", closeWatcher);
+            process.once("SIGTERM", closeWatcher);
+            process.on("beforeExit", closeWatcher);
+        }
+        if (deps.ftsIndex) {
+            const closeFts = () => deps.ftsIndex?.close();
+            process.once("SIGINT", closeFts);
+            process.once("SIGTERM", closeFts);
+            process.on("beforeExit", closeFts);
+        }
+        // Graceful HTTP-server shutdown on signal.
+        const shutdown = () => {
+            httpServer.close(() => {
+                // Cascade-close happens via beforeExit hooks.
+            });
+        };
+        process.once("SIGINT", shutdown);
+        process.once("SIGTERM", shutdown);
+    }
+    await new Promise((resolve, reject) => {
+        httpServer.once("error", reject);
+        httpServer.listen(opts.port, opts.host, () => {
+            httpServer.removeListener("error", reject);
+            resolve();
+        });
+    });
+    const addr = httpServer.address();
+    const bound = addr && typeof addr === "object"
+        ? `http://${addr.address === "::" ? "::" : addr.address}:${addr.port}`
+        : `http://${opts.host}:${opts.port}`;
+    const corsLabel = (opts.corsOrigins?.length ?? 0) > 0 ? `, cors=${opts.corsOrigins?.length ?? 0}` : "";
+    const rateLabel = (opts.rateLimitPerMinute ?? 120) > 0 ? `, rate-limit=${opts.rateLimitPerMinute ?? 120}/min` : "";
+    process.stderr.write(`${formatReadyBanner(deps)} (transport=http, bound=${bound}${opts.mcpPath ?? "/mcp"}${corsLabel}${rateLabel})\n`);
+    return httpServer;
+}
+// Re-export the rate limiter and helpers for tests.
+export { RateLimiter, readJsonBody, verifyBearer };
+//# sourceMappingURL=http-transport.js.map

package/dist/http-transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-transport.js","sourceRoot":"","sources":["../src/http-transport.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,wEAAwE;AACxE,0EAA0E;AAC1E,6DAA6D;AAC7D,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,yEAAyE;AACzE,uEAAuE;AACvE,0EAA0E;AAC1E,sEAAsE;AACtE,kEAAkE;AAClE,uEAAuE;AACvE,sEAAsE;AACtE,yDAAyD;AACzD,EAAE;AACF,mEAAmE;AACnE,oEAAoE;AACpE,kEAAkE;AAClE,sEAAsE;AACtE,oEAAoE;AACpE,sEAAsE;AACtE,+CAA+C;AAC/C,EAAE;AACF,uEAAuE;AACvE,wEAAwE;AACxE,sEAAsE;AACtE,sEAAsE;AAEtE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACvE,OAAO,EAAE,YAAY,EAAwE,MAAM,WAAW,CAAC;AAC/G,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,iBAAiB,EAAsC,MAAM,YAAY,CAAC;AA8CtH;;;;;;;GAOG;AACH,MAAM,WAAW;IACE,SAAS,CAAS;IAClB,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAEvD,YAAY,SAAiB;QAC3B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,6DAA6D;IAC7D,OAAO,CAAC,OAAe,EAAE,QAAgB,IAAI,CAAC,GAAG,EAAE;QACjD,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC,CAAC,WAAW;QACjD,MAAM,MAAM,GAAG,KAAK,GAAG,MAAM,CAAC;QAC9B,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,EAAE,CAAC;YAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACxC,CAAC;QACD,sEAAsE;QACtE,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,MAAM,EAAE,CAAC;YAC9D,UAAU,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACtD,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oCAAoC;IACpC,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF;AAED;;;;;;;;;GASG;AACH,SAAS,YAAY,CAAC,UAA8B,EAAE,aAAqB;IACzE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5D,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,0EAA0E;IAC1E,yEAAyE;IACzE,2EAA2E;IAC3E,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,EAAE,CAAC;IACzE,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;IACtE,IAAI,CAAC,eAAe,CAAC,YAAY,EAAE,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,oEAAoE;IACpE,+DAA+D;IAC/D,OAAO,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,8EAA8E;AAC9E,KAAK,UAAU,YAAY,CAAC,GAAoB,EAAE,QAAgB;IAChE,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/B,KAAK,IAAI,GAAG,CAAC,MAAM,CAAC;QACpB,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,QAAQ,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAClC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,uEAAuE;AACvE,SAAS,gBAAgB,CAAC,GAAmB,EAAE,UAAkB,EAAE,IAAY,EAAE,OAAe;IAC9F,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO;IAC5B,GAAG,CAAC,UAAU,GAAG,UAAU,CAAC;IAC5B,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAClD,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;QACb,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;QACxB,EAAE,EAAE,IAAI;KACT,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAS,SAAS,CAAC,GAAoB,EAAE,GAAmB,EAAE,YAAsB;IAClF,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IACzC,IAAI,OAAO,aAAa,KAAK,QAAQ;QAAE,OAAO;IAC9C,uEAAuE;IACvE,yEAAyE;IACzE,uEAAuE;IACvE,yEAAyE;IACzE,kEAAkE;IAClE,oEAAoE;IACpE,mEAAmE;IACnE,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,aAAa,CAAC,CAAC;IACpE,MAAM,eAAe,GAAG,aAAa,KAAK,SAAS,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAClF,IAAI,aAAa,KAAK,SAAS,IAAI,CAAC,eAAe;QAAE,OAAO;IAC5D,qEAAqE;IACrE,qEAAqE;IACrE,sEAAsE;IACtE,qEAAqE;IACrE,8BAA8B;IAC9B,IAAI,eAAe,EAAE,CAAC;QACpB,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IACpD,CAAC;SAAM,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QACvC,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,aAAa,CAAC,CAAC;QAC5D,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;IAC5D,CAAC;IACD,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAChC,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,4BAA4B,CAAC,CAAC;IAC5E,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,4DAA4D,CAAC,CAAC;IAC5G,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAgB,EAChB,IAAsB;IAEtB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC;IACvC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,SAAS,CAAC;IAChD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,kBAAkB,IAAI,GAAG,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,8CAA8C;IAEpF,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxB,IAAI,CAAC;YACH,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;YAEjC,mCAAmC;YACnC,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7B,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;YAEjF,4DAA4D;YAC5D,6DAA6D;YAC7D,+CAA+C;YAC/C,IAAI,GAAG,CAAC,QAAQ,KAAK,UAAU,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACxD,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;gBAC5C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAC7B,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;gBAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;gBACpE,OAAO;YACT,CAAC;YAED,wCAAwC;YACxC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACzG,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;gBAChE,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;gBAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;gBACnD,OAAO;YACT,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/B,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;gBACnC,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;gBAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;YAED,4DAA4D;YAC5D,gEAAgE;YAChE,kEAAkE;YAClE,gCAAgC;YAChC,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC1B,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,UAAU,GAAG,CAAC,MAAM,oBAAoB,OAAO,EAAE,CAAC,CAAC;gBACtF,OAAO;YACT,CAAC;YAED,IAAI,IAAa,CAAC;YAClB,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAC/C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBACvF,OAAO;YACT,CAAC;YAED,4DAA4D;YAC5D,8DAA8D;YAC9D,kEAAkE;YAClE,+DAA+D;YAC/D,UAAU;YACV,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC,EAAE,kBAAkB,EAAE,SAAS,EAAE,CAAC,CAAC;YACvF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAChC,wDAAwD;gBACxD,+DAA+D;gBAC/D,6DAA6D;gBAC7D,oDAAoD;gBACpD,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC;oBACvB,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC;gBACtB,CAAC,CAAC;gBACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBACzB,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YAChD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC9G,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gEAAgE;YAChE,wDAAwD;YACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iCAAiC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CACrG,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAsB;IAC1D,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,wEAAwE;YACtE,0CAA0C,CAC7C,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC3C,KAAK,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,oEAAoE;IACpE,yDAAyD;IACzD,qEAAqE;IACrE,yDAAyD;IACzD,IAAI,IAAI,CAAC,qBAAqB,KAAK,KAAK,EAAE,CAAC;QACzC,IAAI,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,CAAC;YACtC,IAAI,MAAM,GAAG,KAAK,CAAC;YACnB,IAAI,KAAK,GAAG,KAAK,CAAC;YAClB,MAAM,KAAK,GAAG,KAAK,IAAI,EAAE;gBACvB,IAAI,MAAM,IAAI,KAAK;oBAAE,OAAO;gBAC5B,MAAM,GAAG,IAAI,CAAC;gBACd,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;oBACjC,KAAK,GAAG,IAAI,CAAC;gBACf,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC9G,CAAC;wBAAS,CAAC;oBACT,MAAM,GAAG,KAAK,CAAC;gBACjB,CAAC;YACH,CAAC,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE;gBAC1B,KAAK,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE;gBAC3B,KAAK,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE;gBAC5B,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM;oBAAE,KAAK,KAAK,EAAE,CAAC;YACtC,CAAC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,YAAY,GAAG,GAAG,EAAE,CAAC,KAAK,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;YACtC,OAAO,CAAC,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAClC,OAAO,CAAC,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC;QACD,2CAA2C;QAC3C,MAAM,QAAQ,GAAG,GAAG,EAAE;YACpB,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE;gBACpB,8CAA8C;YAChD,CAAC,CAAC,CAAC;QACL,CAAC,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACjC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE;YAC3C,UAAU,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC3C,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC;IAClC,MAAM,KAAK,GACT,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAC9B,CAAC,CAAC,UAAU,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,EAAE;QACtE,CAAC,CAAC,UAAU,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,WAAW,EAAE,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACvG,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,kBAAkB,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB,IAAI,CAAC,kBAAkB,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IACnH,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,iBAAiB,CAAC,IAAI,CAAC,2BAA2B,KAAK,GAAG,IAAI,CAAC,OAAO,IAAI,MAAM,GAAG,SAAS,GAAG,SAAS,KAAK,CACjH,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,oDAAoD;AACpD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,9 @@
 #!/usr/bin/env node
-interface ServeOptions {
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { FtsIndex } from "./fts5.js";
+import { Vault } from "./vault.js";
+import { VaultWatcher } from "./watcher.js";
+export interface ServeOptions {
     vault: string;
     enableWrite?: boolean;
     maxFileBytes?: string;
@@ -17,7 +21,47 @@ interface ServeOptions {
     diagnosticSearchTools?: boolean;
 }
 declare function main(): Promise<void>;
+/**
+ * Heavyweight resources shared across every MCP-server instance: the vault
+ * (parsed-note cache + privacy filter), the FTS5 index handle, the optional
+ * filesystem watcher. v2.6.0 split this out so the HTTP transport can spin up
+ * a fresh `McpServer` per session over the SAME vault/index — opening the
+ * SQLite handle once and reusing it across thousands of remote-MCP calls.
+ *
+ * `warningTracker` is a single-fire latch for the `--disabled-tools` /
+ * `--enabled-tools` typo warnings: stdio prints them once at boot; HTTP
+ * prints them on the first session build, then never again.
+ */
+export interface ServerDeps {
+    vault: Vault;
+    ftsIndex: FtsIndex | null;
+    watcher: VaultWatcher | null;
+    disabledTools: Set<string>;
+    enabledTools: Set<string>;
+    warningTracker: {
+        printed: boolean;
+    };
+}
+/**
+ * One-time bootstrap of the heavy deps (vault open + FTS5 sync + watcher).
+ * Idempotent on a per-call basis but NOT designed to be called multiple
+ * times in one process — the FTS5 sync would double-index. Stdio + HTTP
+ * each call this exactly once at startup.
+ */
+export declare function prepareServerDeps(opts: ServeOptions): Promise<ServerDeps>;
+/**
+ * Build a fresh `McpServer` over already-prepared deps. Cheap (just
+ * registers tool handlers — no I/O, no SQLite open). Stdio calls this once;
+ * HTTP calls it per session.
+ */
+export declare function buildMcpServer(deps: ServerDeps, opts: ServeOptions): McpServer;
 declare function startServer(opts: ServeOptions): Promise<void>;
+/**
+ * Shared "ready" banner used by stdio + HTTP startup paths so the runtime
+ * configuration summary is identical regardless of transport. Transport
+ * suffix is appended by the caller.
+ */
+export declare function formatReadyBanner(deps: ServerDeps): string;
 declare function parsePositiveInt(raw: string, flag: string): number;
 export { main, parsePositiveInt, startServer };
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AA4DA,UAAU,YAAY;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,WAAW,GAAG,SAAS,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAED,iBAAe,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CA2MnC;AAED,iBAAe,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA2K5D;AAotDD,iBAAS,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAM3D;AAsCD,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAIA,OAAO,EAAE,SAAS,EAAoB,MAAM,yCAAyC,CAAC;AAMtF,OAAO,EAAkC,QAAQ,EAAE,MAAM,WAAW,CAAC;AAwCrE,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAW5C,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,WAAW,GAAG,SAAS,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACjC;AAcD,iBAAe,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CA0SnC;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,KAAK,CAAC;IACb,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC7B,aAAa,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC3B,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1B,cAAc,EAAE;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;CACtC;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CA8C/E;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,GAAG,SAAS,CAqF9E;AAED,iBAAe,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAoD5D;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAY1D;AA4vDD,iBAAS,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAM3D;AAsCD,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,CAAC"}