npm - @openpalm/ui - Versions diffs - 0.11.0-rc.2 - Mend

@openpalm/ui 0.11.0-rc.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (329) hide show

package/build/server/chunks/helpers-5jd3ccud.js ADDED Viewed

@@ -0,0 +1,226 @@
+import { a8 as readSecret, ak as resolveStackDir, z as createOpenCodeClient } from './src-FpMyngcw.js';
+import { g as getActiveEndpoint } from './endpoints-L7Wjvq44.js';
+import { timingSafeEqual, createHash } from 'node:crypto';
+//#region src/lib/server/session-store.ts
+/**
+* In-memory session store for op_session cookies.
+*
+* Replaces the plaintext-password-as-cookie scheme: instead of storing the
+* operator's password in the cookie jar, `createSession()` mints a random
+* opaque token and maps it to an expiry timestamp. `requireAdmin` /
+* `validateSession` then check the token without touching the password.
+*
+* The store is module-level (process lifetime). Sessions are valid for 24 h
+* and are lazily pruned on access so the map does not grow unbounded.
+*/
+var SESSION_TTL_MS = 864e5;
+/** token → absolute expiry timestamp (ms since epoch) */
+var sessions = /* @__PURE__ */ new Map();
+/**
+* Mint a new session token, store it with a 24-hour TTL, and return it.
+* The caller is responsible for placing the token in the `op_session` cookie.
+*/
+function createSession() {
+	const token = crypto.randomUUID();
+	sessions.set(token, Date.now() + SESSION_TTL_MS);
+	return token;
+}
+/**
+* Return true iff `token` is a known, non-expired session.
+* Expired entries are removed on access.
+*/
+function validateSession(token) {
+	if (!token) return false;
+	const expiresAt = sessions.get(token);
+	if (expiresAt === void 0) return false;
+	if (Date.now() >= expiresAt) {
+		sessions.delete(token);
+		return false;
+	}
+	return true;
+}
+/**
+* Remove a session token from the store (used by logout).
+* Safe to call with an unknown token — it's a no-op.
+*/
+function invalidateSession(token) {
+	sessions.delete(token);
+}
+//#endregion
+//#region src/lib/server/helpers.ts
+/**
+* Lazy OpenCode client bound to the currently active endpoint. The client is
+* recreated whenever the active endpoint URL changes so user switches in the
+* UI take effect on the next call.
+*/
+var _openCodeClient;
+var _openCodeClientUrl;
+function getOpenCodeClient() {
+	const { url } = getActiveEndpoint();
+	if (!_openCodeClient || url !== _openCodeClientUrl) {
+		_openCodeClient = createOpenCodeClient({ baseUrl: url });
+		_openCodeClientUrl = url;
+	}
+	return _openCodeClient;
+}
+function safeTokenCompare(a, b) {
+	if (typeof a !== "string" || typeof b !== "string") return false;
+	if (!a || !b) return false;
+	return timingSafeEqual(createHash("sha256").update(a).digest(), createHash("sha256").update(b).digest());
+}
+/** Standard JSON response with request ID header */
+function jsonResponse(status, body, requestId = "") {
+	return new Response(JSON.stringify(body), {
+		status,
+		headers: {
+			"content-type": "application/json",
+			...requestId ? { "x-request-id": requestId } : {}
+		}
+	});
+}
+/** Standard error envelope */
+function errorResponse(status, error, message, details = {}, requestId = "") {
+	return jsonResponse(status, {
+		error,
+		message,
+		details,
+		requestId
+	}, requestId);
+}
+/** Extract or generate request ID */
+function getRequestId(event) {
+	return event.request.headers.get("x-request-id") || crypto.randomUUID();
+}
+/**
+* Read the operator UI login password from the host environment or the
+* file-based stack secret.
+*
+* Phase 4 of the auth/proxy refactor collapsed
+* `ControlPlaneState.adminToken` (and the assistant token alongside it).
+* Runtime persistence lives in `knowledge/secrets/op_ui_login_password`.
+* `process.env.OP_UI_LOGIN_PASSWORD` is still accepted for tests and explicit
+* host-process overrides.
+*
+* Returns the empty string when the env var is unset — `requireNonEmptyUiLoginPassword()`
+* surfaces that case as a 503 so all authenticated routes fail loudly
+* rather than silently accepting any cookie.
+*/
+function getUiLoginPassword() {
+	const envValue = process.env.OP_UI_LOGIN_PASSWORD;
+	if (envValue) return envValue;
+	return readSecret(resolveStackDir(), "op_ui_login_password")?.trimEnd() ?? "";
+}
+/**
+* Extract raw session token from the `op_session` cookie.
+*
+* Phase 2 of the auth/proxy refactor (docs/technical/auth-and-proxy-refactor-plan.md)
+* removed the legacy `x-admin-token` / `Authorization: Bearer` header fallbacks.
+* The cookie is HttpOnly + SameSite=Strict and is the ONLY credential the browser
+* holds; XSS cannot read it and out-of-process callers must obtain a session via
+* `POST /admin/auth/login` (or `/session`) and present the cookie on subsequent
+* requests.
+*/
+function extractToken(event) {
+	const match = (event.request.headers.get("cookie") ?? "").match(/(?:^|;\s*)op_session=([^;]+)/);
+	if (match) return match[1];
+	return "";
+}
+/** Check admin auth — returns error Response or null if OK */
+function requireAdmin(event, requestId) {
+	if (!getUiLoginPassword()) return errorResponse(503, "admin_not_configured", "OP_UI_LOGIN_PASSWORD has not been set. Complete setup first.", {}, requestId);
+	if (!validateSession(extractToken(event))) return errorResponse(401, "unauthorized", "Missing or invalid credentials", {}, requestId);
+	return null;
+}
+/** Parse JSON body safely — returns discriminated result with error type */
+async function parseJsonBody(request, maxBytes = 1048576) {
+	try {
+		const contentLength = request.headers.get("content-length");
+		if (contentLength && parseInt(contentLength, 10) > maxBytes) return { error: "too_large" };
+		return { data: await request.json() };
+	} catch (e) {
+		console.warn("[helpers] Failed to parse JSON request body", e);
+		return { error: "invalid_json" };
+	}
+}
+/** Convert a ParseJsonBodyError to an appropriate HTTP error response */
+function jsonBodyError(err, requestId) {
+	if (err.error === "too_large") return errorResponse(413, "too_large", "Request body too large", {}, requestId);
+	return errorResponse(400, "invalid_json", "Request body must be valid JSON", {}, requestId);
+}
+/**
+* Auth + JSON body wrapper for admin POST/DELETE handlers.
+*
+* Replaces the 4-line boilerplate copy-pasted across 30+ routes:
+*   const requestId = getRequestId(event);
+*   const authError = requireAdmin(event, requestId);
+*   if (authError) return authError;
+*   const result = await parseJsonBody(event.request);
+*   if ('error' in result) return jsonBodyError(result, requestId);
+*
+* Use for routes that need both auth and a JSON body. For auth-only or
+* GET routes, call `requireAdmin` directly.
+*/
+async function withAdminBody(event, handler) {
+	const requestId = getRequestId(event);
+	const originError = checkOriginHeader(event.request, UI_PORT);
+	if (originError) return originError;
+	const authError = requireAdmin(event, requestId);
+	if (authError) return authError;
+	const result = await parseJsonBody(event.request);
+	if ("error" in result) return jsonBodyError(result, requestId);
+	return handler({
+		requestId,
+		body: result.data
+	});
+}
+/**
+* Reject requests whose Host header does not match localhost or 127.0.0.1
+* on the configured admin port.
+*
+* @param request  Incoming Request (or SvelteKit RequestEvent.request)
+* @param port     The port this server is bound to (e.g. 3880 or 8100)
+* @returns        A 400 Response if the host is rejected; null if allowed
+*/
+function checkHostHeader(request, port) {
+	const normalized = (request.headers.get("host") ?? "").trim().replace(/\.$/, "");
+	if ([`localhost:${port}`, `127.0.0.1:${port}`].includes(normalized)) return null;
+	return new Response(JSON.stringify({
+		error: "invalid_host",
+		host: normalized,
+		message: "Request rejected: Host header does not match allowed hosts. The admin UI binds to loopback (127.0.0.1) only; reach it via localhost or front it with a reverse proxy/tunnel for remote access."
+	}), {
+		status: 400,
+		headers: { "content-type": "application/json" }
+	});
+}
+/**
+* Reject POST/PUT/DELETE requests whose Origin header does not match
+* localhost or 127.0.0.1. Requests with no Origin (non-browser clients)
+* are always allowed.
+*
+* @param request  Incoming Request
+* @param port     The port this server is bound to
+* @returns        A 403 Response if the origin is rejected; null if allowed
+*/
+function checkOriginHeader(request, port) {
+	const method = request.method.toUpperCase();
+	if (method === "GET" || method === "HEAD" || method === "OPTIONS") return null;
+	const origin = request.headers.get("origin");
+	if (!origin) return null;
+	try {
+		const u = new URL(origin);
+		if ([`localhost:${port}`, `127.0.0.1:${port}`].includes(u.host)) return null;
+	} catch {}
+	return new Response(JSON.stringify({
+		error: "forbidden_origin",
+		origin
+	}), {
+		status: 403,
+		headers: { "content-type": "application/json" }
+	});
+}
+var UI_PORT = Number(process.env.PORT ?? 3880);
+export { UI_PORT as U, checkOriginHeader as a, createSession as b, checkHostHeader as c, getRequestId as d, errorResponse as e, getUiLoginPassword as f, getOpenCodeClient as g, jsonResponse as h, invalidateSession as i, jsonBodyError as j, parseJsonBody as p, requireAdmin as r, safeTokenCompare as s, withAdminBody as w };
+//# sourceMappingURL=helpers-5jd3ccud.js.map

package/build/server/chunks/helpers-5jd3ccud.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"helpers-5jd3ccud.js","sources":["../../../.svelte-kit/adapter-node/chunks/helpers.js"],"sourcesContent":["import { $ as createOpenCodeClient, St as readSecret, jt as resolveStackDir } from \"./src.js\";\nimport { r as getActiveEndpoint } from \"./endpoints.js\";\nimport { createHash, timingSafeEqual } from \"node:crypto\";\n//#region src/lib/server/session-store.ts\n/**\n* In-memory session store for op_session cookies.\n*\n* Replaces the plaintext-password-as-cookie scheme: instead of storing the\n* operator's password in the cookie jar, `createSession()` mints a random\n* opaque token and maps it to an expiry timestamp. `requireAdmin` /\n* `validateSession` then check the token without touching the password.\n*\n* The store is module-level (process lifetime). Sessions are valid for 24 h\n* and are lazily pruned on access so the map does not grow unbounded.\n*/\nvar SESSION_TTL_MS = 864e5;\n/** token → absolute expiry timestamp (ms since epoch) */\nvar sessions = /* @__PURE__ */ new Map();\n/**\n* Mint a new session token, store it with a 24-hour TTL, and return it.\n* The caller is responsible for placing the token in the `op_session` cookie.\n*/\nfunction createSession() {\n\tconst token = crypto.randomUUID();\n\tsessions.set(token, Date.now() + SESSION_TTL_MS);\n\treturn token;\n}\n/**\n* Return true iff `token` is a known, non-expired session.\n* Expired entries are removed on access.\n*/\nfunction validateSession(token) {\n\tif (!token) return false;\n\tconst expiresAt = sessions.get(token);\n\tif (expiresAt === void 0) return false;\n\tif (Date.now() >= expiresAt) {\n\t\tsessions.delete(token);\n\t\treturn false;\n\t}\n\treturn true;\n}\n/**\n* Remove a session token from the store (used by logout).\n* Safe to call with an unknown token — it's a no-op.\n*/\nfunction invalidateSession(token) {\n\tsessions.delete(token);\n}\n//#endregion\n//#region src/lib/server/helpers.ts\n/**\n* Lazy OpenCode client bound to the currently active endpoint. The client is\n* recreated whenever the active endpoint URL changes so user switches in the\n* UI take effect on the next call.\n*/\nvar _openCodeClient;\nvar _openCodeClientUrl;\nfunction getOpenCodeClient() {\n\tconst { url } = getActiveEndpoint();\n\tif (!_openCodeClient || url !== _openCodeClientUrl) {\n\t\t_openCodeClient = createOpenCodeClient({ baseUrl: url });\n\t\t_openCodeClientUrl = url;\n\t}\n\treturn _openCodeClient;\n}\nfunction safeTokenCompare(a, b) {\n\tif (typeof a !== \"string\" || typeof b !== \"string\") return false;\n\tif (!a || !b) return false;\n\treturn timingSafeEqual(createHash(\"sha256\").update(a).digest(), createHash(\"sha256\").update(b).digest());\n}\n/** Standard JSON response with request ID header */\nfunction jsonResponse(status, body, requestId = \"\") {\n\treturn new Response(JSON.stringify(body), {\n\t\tstatus,\n\t\theaders: {\n\t\t\t\"content-type\": \"application/json\",\n\t\t\t...requestId ? { \"x-request-id\": requestId } : {}\n\t\t}\n\t});\n}\n/** Standard error envelope */\nfunction errorResponse(status, error, message, details = {}, requestId = \"\") {\n\treturn jsonResponse(status, {\n\t\terror,\n\t\tmessage,\n\t\tdetails,\n\t\trequestId\n\t}, requestId);\n}\n/** Extract or generate request ID */\nfunction getRequestId(event) {\n\treturn event.request.headers.get(\"x-request-id\") || crypto.randomUUID();\n}\n/**\n* Read the operator UI login password from the host environment or the\n* file-based stack secret.\n*\n* Phase 4 of the auth/proxy refactor collapsed\n* `ControlPlaneState.adminToken` (and the assistant token alongside it).\n* Runtime persistence lives in `knowledge/secrets/op_ui_login_password`.\n* `process.env.OP_UI_LOGIN_PASSWORD` is still accepted for tests and explicit\n* host-process overrides.\n*\n* Returns the empty string when the env var is unset — `requireNonEmptyUiLoginPassword()`\n* surfaces that case as a 503 so all authenticated routes fail loudly\n* rather than silently accepting any cookie.\n*/\nfunction getUiLoginPassword() {\n\tconst envValue = process.env.OP_UI_LOGIN_PASSWORD;\n\tif (envValue) return envValue;\n\treturn readSecret(resolveStackDir(), \"op_ui_login_password\")?.trimEnd() ?? \"\";\n}\n/**\n* Extract raw session token from the `op_session` cookie.\n*\n* Phase 2 of the auth/proxy refactor (docs/technical/auth-and-proxy-refactor-plan.md)\n* removed the legacy `x-admin-token` / `Authorization: Bearer` header fallbacks.\n* The cookie is HttpOnly + SameSite=Strict and is the ONLY credential the browser\n* holds; XSS cannot read it and out-of-process callers must obtain a session via\n* `POST /admin/auth/login` (or `/session`) and present the cookie on subsequent\n* requests.\n*/\nfunction extractToken(event) {\n\tconst match = (event.request.headers.get(\"cookie\") ?? \"\").match(/(?:^|;\\s*)op_session=([^;]+)/);\n\tif (match) return match[1];\n\treturn \"\";\n}\n/** Check admin auth — returns error Response or null if OK */\nfunction requireAdmin(event, requestId) {\n\tif (!getUiLoginPassword()) return errorResponse(503, \"admin_not_configured\", \"OP_UI_LOGIN_PASSWORD has not been set. Complete setup first.\", {}, requestId);\n\tif (!validateSession(extractToken(event))) return errorResponse(401, \"unauthorized\", \"Missing or invalid credentials\", {}, requestId);\n\treturn null;\n}\n/** Parse JSON body safely — returns discriminated result with error type */\nasync function parseJsonBody(request, maxBytes = 1048576) {\n\ttry {\n\t\tconst contentLength = request.headers.get(\"content-length\");\n\t\tif (contentLength && parseInt(contentLength, 10) > maxBytes) return { error: \"too_large\" };\n\t\treturn { data: await request.json() };\n\t} catch (e) {\n\t\tconsole.warn(\"[helpers] Failed to parse JSON request body\", e);\n\t\treturn { error: \"invalid_json\" };\n\t}\n}\n/** Convert a ParseJsonBodyError to an appropriate HTTP error response */\nfunction jsonBodyError(err, requestId) {\n\tif (err.error === \"too_large\") return errorResponse(413, \"too_large\", \"Request body too large\", {}, requestId);\n\treturn errorResponse(400, \"invalid_json\", \"Request body must be valid JSON\", {}, requestId);\n}\n/**\n* Auth + JSON body wrapper for admin POST/DELETE handlers.\n*\n* Replaces the 4-line boilerplate copy-pasted across 30+ routes:\n* const requestId = getRequestId(event);\n* const authError = requireAdmin(event, requestId);\n* if (authError) return authError;\n* const result = await parseJsonBody(event.request);\n* if ('error' in result) return jsonBodyError(result, requestId);\n*\n* Use for routes that need both auth and a JSON body. For auth-only or\n* GET routes, call `requireAdmin` directly.\n*/\nasync function withAdminBody(event, handler) {\n\tconst requestId = getRequestId(event);\n\tconst originError = checkOriginHeader(event.request, UI_PORT);\n\tif (originError) return originError;\n\tconst authError = requireAdmin(event, requestId);\n\tif (authError) return authError;\n\tconst result = await parseJsonBody(event.request);\n\tif (\"error\" in result) return jsonBodyError(result, requestId);\n\treturn handler({\n\t\trequestId,\n\t\tbody: result.data\n\t});\n}\n/**\n* Reject requests whose Host header does not match localhost or 127.0.0.1\n* on the configured admin port.\n*\n* @param request Incoming Request (or SvelteKit RequestEvent.request)\n* @param port The port this server is bound to (e.g. 3880 or 8100)\n* @returns A 400 Response if the host is rejected; null if allowed\n*/\nfunction checkHostHeader(request, port) {\n\tconst normalized = (request.headers.get(\"host\") ?? \"\").trim().replace(/\\.$/, \"\");\n\tif ([`localhost:${port}`, `127.0.0.1:${port}`].includes(normalized)) return null;\n\treturn new Response(JSON.stringify({\n\t\terror: \"invalid_host\",\n\t\thost: normalized,\n\t\tmessage: \"Request rejected: Host header does not match allowed hosts. The admin UI binds to loopback (127.0.0.1) only; reach it via localhost or front it with a reverse proxy/tunnel for remote access.\"\n\t}), {\n\t\tstatus: 400,\n\t\theaders: { \"content-type\": \"application/json\" }\n\t});\n}\n/**\n* Reject POST/PUT/DELETE requests whose Origin header does not match\n* localhost or 127.0.0.1. Requests with no Origin (non-browser clients)\n* are always allowed.\n*\n* @param request Incoming Request\n* @param port The port this server is bound to\n* @returns A 403 Response if the origin is rejected; null if allowed\n*/\nfunction checkOriginHeader(request, port) {\n\tconst method = request.method.toUpperCase();\n\tif (method === \"GET\" || method === \"HEAD\" || method === \"OPTIONS\") return null;\n\tconst origin = request.headers.get(\"origin\");\n\tif (!origin) return null;\n\ttry {\n\t\tconst u = new URL(origin);\n\t\tif ([`localhost:${port}`, `127.0.0.1:${port}`].includes(u.host)) return null;\n\t} catch {}\n\treturn new Response(JSON.stringify({\n\t\terror: \"forbidden_origin\",\n\t\torigin\n\t}), {\n\t\tstatus: 403,\n\t\theaders: { \"content-type\": \"application/json\" }\n\t});\n}\nvar UI_PORT = Number(process.env.PORT ?? 3880);\n//#endregion\nexport { getOpenCodeClient as a, jsonBodyError as c, requireAdmin as d, safeTokenCompare as f, invalidateSession as h, errorResponse as i, jsonResponse as l, createSession as m, checkHostHeader as n, getRequestId as o, withAdminBody as p, checkOriginHeader as r, getUiLoginPassword as s, UI_PORT as t, parseJsonBody as u };\n"],"names":[],"mappings":";;;;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,GAAG,KAAK;AAC1B;AACA,IAAI,QAAQ,mBAAmB,IAAI,GAAG,EAAE;AACxC;AACA;AACA;AACA;AACA,SAAS,aAAa,GAAG;AACzB,CAAC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE;AAClC,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;AACjD,CAAC,OAAO,KAAK;AACb;AACA;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,KAAK,EAAE;AAChC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,KAAK;AACzB,CAAC,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;AACtC,CAAC,IAAI,SAAS,KAAK,MAAM,EAAE,OAAO,KAAK;AACvC,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,SAAS,EAAE;AAC9B,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;AACxB,EAAE,OAAO,KAAK;AACd,CAAC;AACD,CAAC,OAAO,IAAI;AACZ;AACA;AACA;AACA;AACA;AACA,SAAS,iBAAiB,CAAC,KAAK,EAAE;AAClC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;AACvB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe;AACnB,IAAI,kBAAkB;AACtB,SAAS,iBAAiB,GAAG;AAC7B,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,iBAAiB,EAAE;AACpC,CAAC,IAAI,CAAC,eAAe,IAAI,GAAG,KAAK,kBAAkB,EAAE;AACrD,EAAE,eAAe,GAAG,oBAAoB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1D,EAAE,kBAAkB,GAAG,GAAG;AAC1B,CAAC;AACD,CAAC,OAAO,eAAe;AACvB;AACA,SAAS,gBAAgB,CAAC,CAAC,EAAE,CAAC,EAAE;AAChC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,OAAO,KAAK;AACjE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,KAAK;AAC3B,CAAC,OAAO,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;AACzG;AACA;AACA,SAAS,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,EAAE,EAAE;AACpD,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;AAC3C,EAAE,MAAM;AACR,EAAE,OAAO,EAAE;AACX,GAAG,cAAc,EAAE,kBAAkB;AACrC,GAAG,GAAG,SAAS,GAAG,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG;AAClD;AACA,EAAE,CAAC;AACH;AACA;AACA,SAAS,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,EAAE;AAC7E,CAAC,OAAO,YAAY,CAAC,MAAM,EAAE;AAC7B,EAAE,KAAK;AACP,EAAE,OAAO;AACT,EAAE,OAAO;AACT,EAAE;AACF,EAAE,EAAE,SAAS,CAAC;AACd;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE;AAC7B,CAAC,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE;AACxE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,kBAAkB,GAAG;AAC9B,CAAC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB;AAClD,CAAC,IAAI,QAAQ,EAAE,OAAO,QAAQ;AAC9B,CAAC,OAAO,UAAU,CAAC,eAAe,EAAE,EAAE,sBAAsB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;AAC9E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE;AAC7B,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,8BAA8B,CAAC;AAChG,CAAC,IAAI,KAAK,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AAC3B,CAAC,OAAO,EAAE;AACV;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE,SAAS,EAAE;AACxC,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,8DAA8D,EAAE,EAAE,EAAE,SAAS,CAAC;AAC5J,CAAC,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,gCAAgC,EAAE,EAAE,EAAE,SAAS,CAAC;AACtI,CAAC,OAAO,IAAI;AACZ;AACA;AACA,eAAe,aAAa,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,EAAE;AAC1D,CAAC,IAAI;AACL,EAAE,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AAC7D,EAAE,IAAI,aAAa,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,GAAG,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE;AAC5F,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,EAAE;AACvC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE;AACb,EAAE,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,CAAC,CAAC;AAChE,EAAE,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE;AAClC,CAAC;AACD;AACA;AACA,SAAS,aAAa,CAAC,GAAG,EAAE,SAAS,EAAE;AACvC,CAAC,IAAI,GAAG,CAAC,KAAK,KAAK,WAAW,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,wBAAwB,EAAE,EAAE,EAAE,SAAS,CAAC;AAC/G,CAAC,OAAO,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,iCAAiC,EAAE,EAAE,EAAE,SAAS,CAAC;AAC5F;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE;AAC7C,CAAC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC;AACtC,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC9D,CAAC,IAAI,WAAW,EAAE,OAAO,WAAW;AACpC,CAAC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC;AACjD,CAAC,IAAI,SAAS,EAAE,OAAO,SAAS;AAChC,CAAC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC;AAClD,CAAC,IAAI,OAAO,IAAI,MAAM,EAAE,OAAO,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC;AAC/D,CAAC,OAAO,OAAO,CAAC;AAChB,EAAE,SAAS;AACX,EAAE,IAAI,EAAE,MAAM,CAAC;AACf,EAAE,CAAC;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,OAAO,EAAE,IAAI,EAAE;AACxC,CAAC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AACjF,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,IAAI;AACjF,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACpC,EAAE,KAAK,EAAE,cAAc;AACvB,EAAE,IAAI,EAAE,UAAU;AAClB,EAAE,OAAO,EAAE;AACX,EAAE,CAAC,EAAE;AACL,EAAE,MAAM,EAAE,GAAG;AACb,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAC/C,EAAE,CAAC;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE;AAC1C,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE;AAC5C,CAAC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,SAAS,EAAE,OAAO,IAAI;AAC/E,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;AAC7C,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI;AACzB,CAAC,IAAI;AACL,EAAE,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC;AAC3B,EAAE,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,IAAI;AAC9E,CAAC,CAAC,CAAC,MAAM,CAAC;AACV,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACpC,EAAE,KAAK,EAAE,kBAAkB;AAC3B,EAAE;AACF,EAAE,CAAC,EAAE;AACL,EAAE,MAAM,EAAE,GAAG;AACb,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAC/C,EAAE,CAAC;AACH;AACG,IAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI;;;;"}

package/build/server/chunks/hooks.server-Al9-eO5K.js ADDED Viewed

@@ -0,0 +1,82 @@
+import { r as redirect } from './exports-D1quPX8S.js';
+import { _ as isSetupComplete, ak as resolveStackDir, J as ensureHomeDirs, M as ensureSecrets, ab as readStackRuntimeEnv, K as ensureOpenCodeConfig, L as ensureOpenCodeSystemConfig, aj as resolveRuntimeFiles, ar as writeRuntimeFiles, y as createLogger } from './src-FpMyngcw.js';
+import { b as getState } from './endpoints-L7Wjvq44.js';
+import { c as checkHostHeader, a as checkOriginHeader, U as UI_PORT } from './helpers-5jd3ccud.js';
+import './utils-BSRjJDrZ.js';
+import './chunk-CLZ62Ad-.js';
+import 'node:module';
+import 'node:fs';
+import 'node:path';
+import 'node:child_process';
+import 'node:os';
+import 'buffer';
+import 'node:url';
+import 'node:crypto';
+import 'events';
+import 'fs';
+import 'node:events';
+import 'node:stream';
+import 'node:string_decoder';
+import 'path';
+import 'assert';
+import 'zlib';
+import 'node:assert';
+import 'node:fs/promises';
+//#region src/hooks.server.ts
+var logger = createLogger("admin");
+var startupApplyDone = false;
+function runStartupApply() {
+	if (startupApplyDone) return;
+	startupApplyDone = true;
+	try {
+		ensureHomeDirs();
+		const state = getState();
+		ensureSecrets(state);
+		const stackVars = readStackRuntimeEnv(state.stackDir);
+		for (const [k, v] of Object.entries(stackVars)) if (v && !process.env[k]) process.env[k] = v;
+		ensureOpenCodeConfig();
+		ensureOpenCodeSystemConfig();
+		state.artifacts = resolveRuntimeFiles();
+		writeRuntimeFiles(state);
+		logger.info("startup auto-apply completed successfully", { artifactMeta: state.artifactMeta });
+	} catch (err) {
+		logger.error("startup auto-apply failed", { error: String(err) });
+	}
+}
+runStartupApply();
+var SETUP_PATHS = [
+	"/setup",
+	"/api/setup",
+	"/health",
+	"/guardian/health"
+];
+function isLocalhostAddress(ip) {
+	return ip === "127.0.0.1" || ip === "::1" || ip === "::ffff:127.0.0.1";
+}
+var handle = async ({ event, resolve }) => {
+	const hostError = checkHostHeader(event.request, UI_PORT);
+	if (hostError) return hostError;
+	const originError = checkOriginHeader(event.request, UI_PORT);
+	if (originError) return originError;
+	const path = event.url.pathname;
+	const isSetupPath = SETUP_PATHS.some((p) => path === p || path.startsWith(p + "/"));
+	if (isSetupPath && !isSetupComplete(resolveStackDir())) {
+		if (!isLocalhostAddress(event.getClientAddress())) return new Response(JSON.stringify({
+			error: "setup_localhost_only",
+			message: "Setup is only accessible from the host machine until installation is complete."
+		}), {
+			status: 403,
+			headers: { "content-type": "application/json" }
+		});
+	}
+	if (!isSetupPath && !isSetupComplete(resolveStackDir())) redirect(302, "/setup");
+	const response = await resolve(event);
+	response.headers.set("X-Frame-Options", "DENY");
+	response.headers.set("X-Content-Type-Options", "nosniff");
+	response.headers.set("Referrer-Policy", "no-referrer");
+	return response;
+};
+export { handle };
+//# sourceMappingURL=hooks.server-Al9-eO5K.js.map

package/build/server/chunks/hooks.server-Al9-eO5K.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hooks.server-Al9-eO5K.js","sources":["../../../.svelte-kit/adapter-node/entries/hooks.server.js"],"sourcesContent":["import { i as redirect } from \"../chunks/exports.js\";\nimport { J as isSetupComplete, Nt as createLogger, _t as readStackRuntimeEnv, dt as resolveRuntimeFiles, ft as writeRuntimeFiles, ht as ensureSecrets, jt as resolveStackDir, kt as ensureHomeDirs, mt as ensureOpenCodeConfig, pt as ensureOpenCodeSystemConfig } from \"../chunks/src.js\";\nimport { c as getState } from \"../chunks/endpoints.js\";\nimport { n as checkHostHeader, r as checkOriginHeader, t as UI_PORT } from \"../chunks/helpers.js\";\n//#region src/hooks.server.ts\nvar logger = createLogger(\"admin\");\nvar startupApplyDone = false;\nfunction runStartupApply() {\n\tif (startupApplyDone) return;\n\tstartupApplyDone = true;\n\ttry {\n\t\tensureHomeDirs();\n\t\tconst state = getState();\n\t\tensureSecrets(state);\n\t\tconst stackVars = readStackRuntimeEnv(state.stackDir);\n\t\tfor (const [k, v] of Object.entries(stackVars)) if (v && !process.env[k]) process.env[k] = v;\n\t\tensureOpenCodeConfig();\n\t\tensureOpenCodeSystemConfig();\n\t\tstate.artifacts = resolveRuntimeFiles();\n\t\twriteRuntimeFiles(state);\n\t\tlogger.info(\"startup auto-apply completed successfully\", { artifactMeta: state.artifactMeta });\n\t} catch (err) {\n\t\tlogger.error(\"startup auto-apply failed\", { error: String(err) });\n\t}\n}\nrunStartupApply();\nvar SETUP_PATHS = [\n\t\"/setup\",\n\t\"/api/setup\",\n\t\"/health\",\n\t\"/guardian/health\"\n];\nfunction isLocalhostAddress(ip) {\n\treturn ip === \"127.0.0.1\" || ip === \"::1\" || ip === \"::ffff:127.0.0.1\";\n}\nvar handle = async ({ event, resolve }) => {\n\tconst hostError = checkHostHeader(event.request, UI_PORT);\n\tif (hostError) return hostError;\n\tconst originError = checkOriginHeader(event.request, UI_PORT);\n\tif (originError) return originError;\n\tconst path = event.url.pathname;\n\tconst isSetupPath = SETUP_PATHS.some((p) => path === p || path.startsWith(p + \"/\"));\n\tif (isSetupPath && !isSetupComplete(resolveStackDir())) {\n\t\tif (!isLocalhostAddress(event.getClientAddress())) return new Response(JSON.stringify({\n\t\t\terror: \"setup_localhost_only\",\n\t\t\tmessage: \"Setup is only accessible from the host machine until installation is complete.\"\n\t\t}), {\n\t\t\tstatus: 403,\n\t\t\theaders: { \"content-type\": \"application/json\" }\n\t\t});\n\t}\n\tif (!isSetupPath && !isSetupComplete(resolveStackDir())) redirect(302, \"/setup\");\n\tconst response = await resolve(event);\n\tresponse.headers.set(\"X-Frame-Options\", \"DENY\");\n\tresponse.headers.set(\"X-Content-Type-Options\", \"nosniff\");\n\tresponse.headers.set(\"Referrer-Policy\", \"no-referrer\");\n\treturn response;\n};\n//#endregion\nexport { handle };\n"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAIA;AACA,IAAI,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC;AAClC,IAAI,gBAAgB,GAAG,KAAK;AAC5B,SAAS,eAAe,GAAG;AAC3B,CAAC,IAAI,gBAAgB,EAAE;AACvB,CAAC,gBAAgB,GAAG,IAAI;AACxB,CAAC,IAAI;AACL,EAAE,cAAc,EAAE;AAClB,EAAE,MAAM,KAAK,GAAG,QAAQ,EAAE;AAC1B,EAAE,aAAa,CAAC,KAAK,CAAC;AACtB,EAAE,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC;AACvD,EAAE,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;AAC9F,EAAE,oBAAoB,EAAE;AACxB,EAAE,0BAA0B,EAAE;AAC9B,EAAE,KAAK,CAAC,SAAS,GAAG,mBAAmB,EAAE;AACzC,EAAE,iBAAiB,CAAC,KAAK,CAAC;AAC1B,EAAE,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC;AAChG,CAAC,CAAC,CAAC,OAAO,GAAG,EAAE;AACf,EAAE,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AACnE,CAAC;AACD;AACA,eAAe,EAAE;AACjB,IAAI,WAAW,GAAG;AAClB,CAAC,QAAQ;AACT,CAAC,YAAY;AACb,CAAC,SAAS;AACV,CAAC;AACD,CAAC;AACD,SAAS,kBAAkB,CAAC,EAAE,EAAE;AAChC,CAAC,OAAO,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,KAAK,IAAI,EAAE,KAAK,kBAAkB;AACvE;AACG,IAAC,MAAM,GAAG,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;AAC3C,CAAC,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC1D,CAAC,IAAI,SAAS,EAAE,OAAO,SAAS;AAChC,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC9D,CAAC,IAAI,WAAW,EAAE,OAAO,WAAW;AACpC,CAAC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ;AAChC,CAAC,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;AACpF,CAAC,IAAI,WAAW,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,EAAE;AACzD,EAAE,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,EAAE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACxF,GAAG,KAAK,EAAE,sBAAsB;AAChC,GAAG,OAAO,EAAE;AACZ,GAAG,CAAC,EAAE;AACN,GAAG,MAAM,EAAE,GAAG;AACd,GAAG,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAChD,GAAG,CAAC;AACJ,CAAC;AACD,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,EAAE,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC;AACjF,CAAC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC;AACtC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC;AAChD,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAS,CAAC;AAC1D,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC;AACvD,CAAC,OAAO,QAAQ;AAChB;;;;"}

package/build/server/chunks/http-D5xo_m60.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { g as getActiveEndpoint } from './endpoints-L7Wjvq44.js';
+//#region src/lib/server/opencode/http.ts
+/**
+* HTTP transport for talking to the active OpenCode endpoint.
+*
+* Used by sibling modules (`config.ts`, `catalog.ts`) — not part of the
+* public API of `$lib/server/opencode`. Reads the active endpoint per-call
+* so user switches in the UI take effect immediately.
+*/
+async function opencodeFetch(path, init) {
+	const endpoint = getActiveEndpoint();
+	const headers = {
+		"content-type": "application/json",
+		...init?.headers
+	};
+	if (endpoint.password) {
+		const user = endpoint.username || "openpalm";
+		headers["authorization"] = `Basic ${btoa(`${user}:${endpoint.password}`)}`;
+	}
+	const response = await fetch(`${endpoint.url}${path}`, {
+		...init,
+		headers
+	});
+	if (!response.ok) throw new Error(`${init?.method ?? "GET"} ${path} failed with ${response.status}`);
+	if (response.status === 204) return;
+	return await response.json();
+}
+export { opencodeFetch as o };
+//# sourceMappingURL=http-D5xo_m60.js.map

package/build/server/chunks/http-D5xo_m60.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"http-D5xo_m60.js","sources":["../../../.svelte-kit/adapter-node/chunks/http.js"],"sourcesContent":["import { r as getActiveEndpoint } from \"./endpoints.js\";\n//#region src/lib/server/opencode/http.ts\n/**\n* HTTP transport for talking to the active OpenCode endpoint.\n*\n* Used by sibling modules (`config.ts`, `catalog.ts`) — not part of the\n* public API of `$lib/server/opencode`. Reads the active endpoint per-call\n* so user switches in the UI take effect immediately.\n*/\nasync function opencodeFetch(path, init) {\n\tconst endpoint = getActiveEndpoint();\n\tconst headers = {\n\t\t\"content-type\": \"application/json\",\n\t\t...init?.headers\n\t};\n\tif (endpoint.password) {\n\t\tconst user = endpoint.username || \"openpalm\";\n\t\theaders[\"authorization\"] = `Basic ${btoa(`${user}:${endpoint.password}`)}`;\n\t}\n\tconst response = await fetch(`${endpoint.url}${path}`, {\n\t\t...init,\n\t\theaders\n\t});\n\tif (!response.ok) throw new Error(`${init?.method ?? \"GET\"} ${path} failed with ${response.status}`);\n\tif (response.status === 204) return;\n\treturn await response.json();\n}\n//#endregion\nexport { opencodeFetch as t };\n"],"names":[],"mappings":";;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE;AACzC,CAAC,MAAM,QAAQ,GAAG,iBAAiB,EAAE;AACrC,CAAC,MAAM,OAAO,GAAG;AACjB,EAAE,cAAc,EAAE,kBAAkB;AACpC,EAAE,GAAG,IAAI,EAAE;AACX,EAAE;AACF,CAAC,IAAI,QAAQ,CAAC,QAAQ,EAAE;AACxB,EAAE,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,IAAI,UAAU;AAC9C,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AACD,CAAC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE;AACxD,EAAE,GAAG,IAAI;AACT,EAAE;AACF,EAAE,CAAC;AACH,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,IAAI,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,IAAI,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACrG,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AAC9B,CAAC,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE;AAC7B;;;;"}