@openpalm/ui 0.11.0-rc.3 → 0.11.0-rc.5

package/build/server/chunks/{helpers-B8h4zchW.js.map → helpers-CXOtgOuA.js.map}

@@ -1 +1 @@
-{"version":3,"file":"helpers-B8h4zchW.js","sources":["../../../.svelte-kit/adapter-node/chunks/helpers.js"],"sourcesContent":["import { $ as createOpenCodeClient, St as readSecret, jt as resolveStackDir } from \"./src.js\";\nimport { r as getActiveEndpoint } from \"./endpoints.js\";\nimport { createHash, timingSafeEqual } from \"node:crypto\";\n//#region src/lib/server/session-store.ts\n/**\n* In-memory session store for op_session cookies.\n*\n* Replaces the plaintext-password-as-cookie scheme: instead of storing the\n* operator's password in the cookie jar, `createSession()` mints a random\n* opaque token and maps it to an expiry timestamp. `requireAdmin` /\n* `validateSession` then check the token without touching the password.\n*\n* The store is module-level (process lifetime). Sessions are valid for 24 h\n* and are lazily pruned on access so the map does not grow unbounded.\n*/\nvar SESSION_TTL_MS = 864e5;\n/** token → absolute expiry timestamp (ms since epoch) */\nvar sessions = /* @__PURE__ */ new Map();\n/**\n* Mint a new session token, store it with a 24-hour TTL, and return it.\n* The caller is responsible for placing the token in the `op_session` cookie.\n*/\nfunction createSession() {\n\tconst token = crypto.randomUUID();\n\tsessions.set(token, Date.now() + SESSION_TTL_MS);\n\treturn token;\n}\n/**\n* Return true iff `token` is a known, non-expired session.\n* Expired entries are removed on access.\n*/\nfunction validateSession(token) {\n\tif (!token) return false;\n\tconst expiresAt = sessions.get(token);\n\tif (expiresAt === void 0) return false;\n\tif (Date.now() >= expiresAt) {\n\t\tsessions.delete(token);\n\t\treturn false;\n\t}\n\treturn true;\n}\n/**\n* Remove a session token from the store (used by logout).\n* Safe to call with an unknown token — it's a no-op.\n*/\nfunction invalidateSession(token) {\n\tsessions.delete(token);\n}\n//#endregion\n//#region src/lib/server/helpers.ts\n/**\n* Lazy OpenCode client bound to the currently active endpoint. The client is\n* recreated whenever the active endpoint URL changes so user switches in the\n* UI take effect on the next call.\n*/\nvar _openCodeClient;\nvar _openCodeClientUrl;\nfunction getOpenCodeClient() {\n\tconst { url } = getActiveEndpoint();\n\tif (!_openCodeClient || url !== _openCodeClientUrl) {\n\t\t_openCodeClient = createOpenCodeClient({ baseUrl: url });\n\t\t_openCodeClientUrl = url;\n\t}\n\treturn _openCodeClient;\n}\nfunction safeTokenCompare(a, b) {\n\tif (typeof a !== \"string\" || typeof b !== \"string\") return false;\n\tif (!a || !b) return false;\n\treturn timingSafeEqual(createHash(\"sha256\").update(a).digest(), createHash(\"sha256\").update(b).digest());\n}\n/** Standard JSON response with request ID header */\nfunction jsonResponse(status, body, requestId = \"\") {\n\treturn new Response(JSON.stringify(body), {\n\t\tstatus,\n\t\theaders: {\n\t\t\t\"content-type\": \"application/json\",\n\t\t\t...requestId ? { \"x-request-id\": requestId } : {}\n\t\t}\n\t});\n}\n/** Standard error envelope */\nfunction errorResponse(status, error, message, details = {}, requestId = \"\") {\n\treturn jsonResponse(status, {\n\t\terror,\n\t\tmessage,\n\t\tdetails,\n\t\trequestId\n\t}, requestId);\n}\n/** Extract or generate request ID */\nfunction getRequestId(event) {\n\treturn event.request.headers.get(\"x-request-id\") || crypto.randomUUID();\n}\n/**\n* Read the operator UI login password from the host environment or the\n* file-based stack secret.\n*\n* Phase 4 of the auth/proxy refactor collapsed\n* `ControlPlaneState.adminToken` (and the assistant token alongside it).\n* Runtime persistence lives in `knowledge/secrets/op_ui_login_password`.\n* `process.env.OP_UI_LOGIN_PASSWORD` is still accepted for tests and explicit\n* host-process overrides.\n*\n* Returns the empty string when the env var is unset — `requireNonEmptyUiLoginPassword()`\n* surfaces that case as a 503 so all authenticated routes fail loudly\n* rather than silently accepting any cookie.\n*/\nfunction getUiLoginPassword() {\n\tconst envValue = process.env.OP_UI_LOGIN_PASSWORD;\n\tif (envValue) return envValue;\n\treturn readSecret(resolveStackDir(), \"op_ui_login_password\")?.trimEnd() ?? \"\";\n}\n/**\n* Extract raw session token from the `op_session` cookie.\n*\n* Phase 2 of the auth/proxy refactor (docs/technical/auth-and-proxy-refactor-plan.md)\n* removed the legacy `x-admin-token` / `Authorization: Bearer` header fallbacks.\n* The cookie is HttpOnly + SameSite=Strict and is the ONLY credential the browser\n* holds; XSS cannot read it and out-of-process callers must obtain a session via\n* `POST /admin/auth/login` (or `/session`) and present the cookie on subsequent\n* requests.\n*/\nfunction extractToken(event) {\n\tconst match = (event.request.headers.get(\"cookie\") ?? \"\").match(/(?:^|;\\s*)op_session=([^;]+)/);\n\tif (match) return match[1];\n\treturn \"\";\n}\n/** Check admin auth — returns error Response or null if OK */\nfunction requireAdmin(event, requestId) {\n\tif (!getUiLoginPassword()) return errorResponse(503, \"admin_not_configured\", \"OP_UI_LOGIN_PASSWORD has not been set. Complete setup first.\", {}, requestId);\n\tif (!validateSession(extractToken(event))) return errorResponse(401, \"unauthorized\", \"Missing or invalid credentials\", {}, requestId);\n\treturn null;\n}\n/** Parse JSON body safely — returns discriminated result with error type */\nasync function parseJsonBody(request, maxBytes = 1048576) {\n\ttry {\n\t\tconst contentLength = request.headers.get(\"content-length\");\n\t\tif (contentLength && parseInt(contentLength, 10) > maxBytes) return { error: \"too_large\" };\n\t\treturn { data: await request.json() };\n\t} catch (e) {\n\t\tconsole.warn(\"[helpers] Failed to parse JSON request body\", e);\n\t\treturn { error: \"invalid_json\" };\n\t}\n}\n/** Convert a ParseJsonBodyError to an appropriate HTTP error response */\nfunction jsonBodyError(err, requestId) {\n\tif (err.error === \"too_large\") return errorResponse(413, \"too_large\", \"Request body too large\", {}, requestId);\n\treturn errorResponse(400, \"invalid_json\", \"Request body must be valid JSON\", {}, requestId);\n}\n/**\n* Auth + JSON body wrapper for admin POST/DELETE handlers.\n*\n* Replaces the 4-line boilerplate copy-pasted across 30+ routes:\n*   const requestId = getRequestId(event);\n*   const authError = requireAdmin(event, requestId);\n*   if (authError) return authError;\n*   const result = await parseJsonBody(event.request);\n*   if ('error' in result) return jsonBodyError(result, requestId);\n*\n* Use for routes that need both auth and a JSON body. For auth-only or\n* GET routes, call `requireAdmin` directly.\n*/\nasync function withAdminBody(event, handler) {\n\tconst requestId = getRequestId(event);\n\tconst originError = checkOriginHeader(event.request, UI_PORT);\n\tif (originError) return originError;\n\tconst authError = requireAdmin(event, requestId);\n\tif (authError) return authError;\n\tconst result = await parseJsonBody(event.request);\n\tif (\"error\" in result) return jsonBodyError(result, requestId);\n\treturn handler({\n\t\trequestId,\n\t\tbody: result.data\n\t});\n}\n/**\n* Reject requests whose Host header does not match localhost or 127.0.0.1\n* on the configured admin port.\n*\n* @param request  Incoming Request (or SvelteKit RequestEvent.request)\n* @param port     The port this server is bound to (e.g. 3880 or 8100)\n* @returns        A 400 Response if the host is rejected; null if allowed\n*/\nfunction checkHostHeader(request, port) {\n\tconst normalized = (request.headers.get(\"host\") ?? \"\").trim().replace(/\\.$/, \"\");\n\tif ([`localhost:${port}`, `127.0.0.1:${port}`].includes(normalized)) return null;\n\treturn new Response(JSON.stringify({\n\t\terror: \"invalid_host\",\n\t\thost: normalized,\n\t\tmessage: \"Request rejected: Host header does not match allowed hosts. The admin UI binds to loopback (127.0.0.1) only; reach it via localhost or front it with a reverse proxy/tunnel for remote access.\"\n\t}), {\n\t\tstatus: 400,\n\t\theaders: { \"content-type\": \"application/json\" }\n\t});\n}\n/**\n* Reject POST/PUT/DELETE requests whose Origin header does not match\n* localhost or 127.0.0.1. Requests with no Origin (non-browser clients)\n* are always allowed.\n*\n* @param request  Incoming Request\n* @param port     The port this server is bound to\n* @returns        A 403 Response if the origin is rejected; null if allowed\n*/\nfunction checkOriginHeader(request, port) {\n\tconst method = request.method.toUpperCase();\n\tif (method === \"GET\" || method === \"HEAD\" || method === \"OPTIONS\") return null;\n\tconst origin = request.headers.get(\"origin\");\n\tif (!origin) return null;\n\ttry {\n\t\tconst u = new URL(origin);\n\t\tif ([`localhost:${port}`, `127.0.0.1:${port}`].includes(u.host)) return null;\n\t} catch {}\n\treturn new Response(JSON.stringify({\n\t\terror: \"forbidden_origin\",\n\t\torigin\n\t}), {\n\t\tstatus: 403,\n\t\theaders: { \"content-type\": \"application/json\" }\n\t});\n}\nvar UI_PORT = Number(process.env.PORT ?? 3880);\n//#endregion\nexport { getOpenCodeClient as a, jsonBodyError as c, requireAdmin as d, safeTokenCompare as f, invalidateSession as h, errorResponse as i, jsonResponse as l, createSession as m, checkHostHeader as n, getRequestId as o, withAdminBody as p, checkOriginHeader as r, getUiLoginPassword as s, UI_PORT as t, parseJsonBody as u };\n"],"names":[],"mappings":";;;;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,GAAG,KAAK;AAC1B;AACA,IAAI,QAAQ,mBAAmB,IAAI,GAAG,EAAE;AACxC;AACA;AACA;AACA;AACA,SAAS,aAAa,GAAG;AACzB,CAAC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE;AAClC,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;AACjD,CAAC,OAAO,KAAK;AACb;AACA;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,KAAK,EAAE;AAChC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,KAAK;AACzB,CAAC,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;AACtC,CAAC,IAAI,SAAS,KAAK,MAAM,EAAE,OAAO,KAAK;AACvC,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,SAAS,EAAE;AAC9B,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;AACxB,EAAE,OAAO,KAAK;AACd,CAAC;AACD,CAAC,OAAO,IAAI;AACZ;AACA;AACA;AACA;AACA;AACA,SAAS,iBAAiB,CAAC,KAAK,EAAE;AAClC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;AACvB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe;AACnB,IAAI,kBAAkB;AACtB,SAAS,iBAAiB,GAAG;AAC7B,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,iBAAiB,EAAE;AACpC,CAAC,IAAI,CAAC,eAAe,IAAI,GAAG,KAAK,kBAAkB,EAAE;AACrD,EAAE,eAAe,GAAG,oBAAoB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1D,EAAE,kBAAkB,GAAG,GAAG;AAC1B,CAAC;AACD,CAAC,OAAO,eAAe;AACvB;AACA,SAAS,gBAAgB,CAAC,CAAC,EAAE,CAAC,EAAE;AAChC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,OAAO,KAAK;AACjE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,KAAK;AAC3B,CAAC,OAAO,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;AACzG;AACA;AACA,SAAS,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,EAAE,EAAE;AACpD,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;AAC3C,EAAE,MAAM;AACR,EAAE,OAAO,EAAE;AACX,GAAG,cAAc,EAAE,kBAAkB;AACrC,GAAG,GAAG,SAAS,GAAG,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG;AAClD;AACA,EAAE,CAAC;AACH;AACA;AACA,SAAS,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,EAAE;AAC7E,CAAC,OAAO,YAAY,CAAC,MAAM,EAAE;AAC7B,EAAE,KAAK;AACP,EAAE,OAAO;AACT,EAAE,OAAO;AACT,EAAE;AACF,EAAE,EAAE,SAAS,CAAC;AACd;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE;AAC7B,CAAC,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE;AACxE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,kBAAkB,GAAG;AAC9B,CAAC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB;AAClD,CAAC,IAAI,QAAQ,EAAE,OAAO,QAAQ;AAC9B,CAAC,OAAO,UAAU,CAAC,eAAe,EAAE,EAAE,sBAAsB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;AAC9E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE;AAC7B,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,8BAA8B,CAAC;AAChG,CAAC,IAAI,KAAK,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AAC3B,CAAC,OAAO,EAAE;AACV;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE,SAAS,EAAE;AACxC,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,8DAA8D,EAAE,EAAE,EAAE,SAAS,CAAC;AAC5J,CAAC,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,gCAAgC,EAAE,EAAE,EAAE,SAAS,CAAC;AACtI,CAAC,OAAO,IAAI;AACZ;AACA;AACA,eAAe,aAAa,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,EAAE;AAC1D,CAAC,IAAI;AACL,EAAE,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AAC7D,EAAE,IAAI,aAAa,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,GAAG,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE;AAC5F,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,EAAE;AACvC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE;AACb,EAAE,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,CAAC,CAAC;AAChE,EAAE,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE;AAClC,CAAC;AACD;AACA;AACA,SAAS,aAAa,CAAC,GAAG,EAAE,SAAS,EAAE;AACvC,CAAC,IAAI,GAAG,CAAC,KAAK,KAAK,WAAW,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,wBAAwB,EAAE,EAAE,EAAE,SAAS,CAAC;AAC/G,CAAC,OAAO,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,iCAAiC,EAAE,EAAE,EAAE,SAAS,CAAC;AAC5F;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE;AAC7C,CAAC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC;AACtC,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC9D,CAAC,IAAI,WAAW,EAAE,OAAO,WAAW;AACpC,CAAC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC;AACjD,CAAC,IAAI,SAAS,EAAE,OAAO,SAAS;AAChC,CAAC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC;AAClD,CAAC,IAAI,OAAO,IAAI,MAAM,EAAE,OAAO,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC;AAC/D,CAAC,OAAO,OAAO,CAAC;AAChB,EAAE,SAAS;AACX,EAAE,IAAI,EAAE,MAAM,CAAC;AACf,EAAE,CAAC;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,OAAO,EAAE,IAAI,EAAE;AACxC,CAAC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AACjF,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,IAAI;AACjF,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACpC,EAAE,KAAK,EAAE,cAAc;AACvB,EAAE,IAAI,EAAE,UAAU;AAClB,EAAE,OAAO,EAAE;AACX,EAAE,CAAC,EAAE;AACL,EAAE,MAAM,EAAE,GAAG;AACb,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAC/C,EAAE,CAAC;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE;AAC1C,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE;AAC5C,CAAC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,SAAS,EAAE,OAAO,IAAI;AAC/E,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;AAC7C,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI;AACzB,CAAC,IAAI;AACL,EAAE,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC;AAC3B,EAAE,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,IAAI;AAC9E,CAAC,CAAC,CAAC,MAAM,CAAC;AACV,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACpC,EAAE,KAAK,EAAE,kBAAkB;AAC3B,EAAE;AACF,EAAE,CAAC,EAAE;AACL,EAAE,MAAM,EAAE,GAAG;AACb,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAC/C,EAAE,CAAC;AACH;AACG,IAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI;;;;"}
+{"version":3,"file":"helpers-CXOtgOuA.js","sources":["../../../.svelte-kit/adapter-node/chunks/helpers.js"],"sourcesContent":["import { $ as createOpenCodeClient, St as readSecret, jt as resolveStackDir } from \"./src.js\";\nimport { r as getActiveEndpoint } from \"./endpoints.js\";\nimport { createHash, timingSafeEqual } from \"node:crypto\";\n//#region src/lib/server/session-store.ts\n/**\n* In-memory session store for op_session cookies.\n*\n* Replaces the plaintext-password-as-cookie scheme: instead of storing the\n* operator's password in the cookie jar, `createSession()` mints a random\n* opaque token and maps it to an expiry timestamp. `requireAdmin` /\n* `validateSession` then check the token without touching the password.\n*\n* The store is module-level (process lifetime). Sessions are valid for 24 h\n* and are lazily pruned on access so the map does not grow unbounded.\n*/\nvar SESSION_TTL_MS = 864e5;\n/** token → absolute expiry timestamp (ms since epoch) */\nvar sessions = /* @__PURE__ */ new Map();\n/**\n* Mint a new session token, store it with a 24-hour TTL, and return it.\n* The caller is responsible for placing the token in the `op_session` cookie.\n*/\nfunction createSession() {\n\tconst token = crypto.randomUUID();\n\tsessions.set(token, Date.now() + SESSION_TTL_MS);\n\treturn token;\n}\n/**\n* Return true iff `token` is a known, non-expired session.\n* Expired entries are removed on access.\n*/\nfunction validateSession(token) {\n\tif (!token) return false;\n\tconst expiresAt = sessions.get(token);\n\tif (expiresAt === void 0) return false;\n\tif (Date.now() >= expiresAt) {\n\t\tsessions.delete(token);\n\t\treturn false;\n\t}\n\treturn true;\n}\n/**\n* Remove a session token from the store (used by logout).\n* Safe to call with an unknown token — it's a no-op.\n*/\nfunction invalidateSession(token) {\n\tsessions.delete(token);\n}\n//#endregion\n//#region src/lib/server/helpers.ts\n/**\n* Lazy OpenCode client bound to the currently active endpoint. The client is\n* recreated whenever the active endpoint URL changes so user switches in the\n* UI take effect on the next call.\n*/\nvar _openCodeClient;\nvar _openCodeClientUrl;\nfunction getOpenCodeClient() {\n\tconst { url } = getActiveEndpoint();\n\tif (!_openCodeClient || url !== _openCodeClientUrl) {\n\t\t_openCodeClient = createOpenCodeClient({ baseUrl: url });\n\t\t_openCodeClientUrl = url;\n\t}\n\treturn _openCodeClient;\n}\nfunction safeTokenCompare(a, b) {\n\tif (typeof a !== \"string\" || typeof b !== \"string\") return false;\n\tif (!a || !b) return false;\n\treturn timingSafeEqual(createHash(\"sha256\").update(a).digest(), createHash(\"sha256\").update(b).digest());\n}\n/** Standard JSON response with request ID header */\nfunction jsonResponse(status, body, requestId = \"\") {\n\treturn new Response(JSON.stringify(body), {\n\t\tstatus,\n\t\theaders: {\n\t\t\t\"content-type\": \"application/json\",\n\t\t\t...requestId ? { \"x-request-id\": requestId } : {}\n\t\t}\n\t});\n}\n/** Standard error envelope */\nfunction errorResponse(status, error, message, details = {}, requestId = \"\") {\n\treturn jsonResponse(status, {\n\t\terror,\n\t\tmessage,\n\t\tdetails,\n\t\trequestId\n\t}, requestId);\n}\n/** Extract or generate request ID */\nfunction getRequestId(event) {\n\treturn event.request.headers.get(\"x-request-id\") || crypto.randomUUID();\n}\n/**\n* Read the operator UI login password from the host environment or the\n* file-based stack secret.\n*\n* Phase 4 of the auth/proxy refactor collapsed\n* `ControlPlaneState.adminToken` (and the assistant token alongside it).\n* Runtime persistence lives in `knowledge/secrets/op_ui_login_password`.\n* `process.env.OP_UI_LOGIN_PASSWORD` is still accepted for tests and explicit\n* host-process overrides.\n*\n* Returns the empty string when the env var is unset — `requireNonEmptyUiLoginPassword()`\n* surfaces that case as a 503 so all authenticated routes fail loudly\n* rather than silently accepting any cookie.\n*/\nfunction getUiLoginPassword() {\n\tconst envValue = process.env.OP_UI_LOGIN_PASSWORD;\n\tif (envValue) return envValue;\n\treturn readSecret(resolveStackDir(), \"op_ui_login_password\")?.trimEnd() ?? \"\";\n}\n/**\n* Extract raw session token from the `op_session` cookie.\n*\n* Phase 2 of the auth/proxy refactor (docs/technical/auth-and-proxy-refactor-plan.md)\n* removed the legacy `x-admin-token` / `Authorization: Bearer` header fallbacks.\n* The cookie is HttpOnly + SameSite=Strict and is the ONLY credential the browser\n* holds; XSS cannot read it and out-of-process callers must obtain a session via\n* `POST /admin/auth/login` (or `/session`) and present the cookie on subsequent\n* requests.\n*/\nfunction extractToken(event) {\n\tconst match = (event.request.headers.get(\"cookie\") ?? \"\").match(/(?:^|;\\s*)op_session=([^;]+)/);\n\tif (match) return match[1];\n\treturn \"\";\n}\n/** Check admin auth — returns error Response or null if OK */\nfunction requireAdmin(event, requestId) {\n\tif (!getUiLoginPassword()) return errorResponse(503, \"admin_not_configured\", \"OP_UI_LOGIN_PASSWORD has not been set. Complete setup first.\", {}, requestId);\n\tif (!validateSession(extractToken(event))) return errorResponse(401, \"unauthorized\", \"Missing or invalid credentials\", {}, requestId);\n\treturn null;\n}\n/** Parse JSON body safely — returns discriminated result with error type */\nasync function parseJsonBody(request, maxBytes = 1048576) {\n\ttry {\n\t\tconst contentLength = request.headers.get(\"content-length\");\n\t\tif (contentLength && parseInt(contentLength, 10) > maxBytes) return { error: \"too_large\" };\n\t\treturn { data: await request.json() };\n\t} catch (e) {\n\t\tconsole.warn(\"[helpers] Failed to parse JSON request body\", e);\n\t\treturn { error: \"invalid_json\" };\n\t}\n}\n/** Convert a ParseJsonBodyError to an appropriate HTTP error response */\nfunction jsonBodyError(err, requestId) {\n\tif (err.error === \"too_large\") return errorResponse(413, \"too_large\", \"Request body too large\", {}, requestId);\n\treturn errorResponse(400, \"invalid_json\", \"Request body must be valid JSON\", {}, requestId);\n}\n/**\n* Auth + JSON body wrapper for admin POST/DELETE handlers.\n*\n* Replaces the 4-line boilerplate copy-pasted across 30+ routes:\n*   const requestId = getRequestId(event);\n*   const authError = requireAdmin(event, requestId);\n*   if (authError) return authError;\n*   const result = await parseJsonBody(event.request);\n*   if ('error' in result) return jsonBodyError(result, requestId);\n*\n* Use for routes that need both auth and a JSON body. For auth-only or\n* GET routes, call `requireAdmin` directly.\n*/\nasync function withAdminBody(event, handler) {\n\tconst requestId = getRequestId(event);\n\tconst originError = checkOriginHeader(event.request, UI_PORT);\n\tif (originError) return originError;\n\tconst authError = requireAdmin(event, requestId);\n\tif (authError) return authError;\n\tconst result = await parseJsonBody(event.request);\n\tif (\"error\" in result) return jsonBodyError(result, requestId);\n\treturn handler({\n\t\trequestId,\n\t\tbody: result.data\n\t});\n}\n/**\n* Reject requests whose Host header does not match localhost or 127.0.0.1\n* on the configured admin port.\n*\n* @param request  Incoming Request (or SvelteKit RequestEvent.request)\n* @param port     The port this server is bound to (e.g. 3880 or 8100)\n* @returns        A 400 Response if the host is rejected; null if allowed\n*/\nfunction checkHostHeader(request, port) {\n\tconst normalized = (request.headers.get(\"host\") ?? \"\").trim().replace(/\\.$/, \"\");\n\tif ([`localhost:${port}`, `127.0.0.1:${port}`].includes(normalized)) return null;\n\treturn new Response(JSON.stringify({\n\t\terror: \"invalid_host\",\n\t\thost: normalized,\n\t\tmessage: \"Request rejected: Host header does not match allowed hosts. The admin UI binds to loopback (127.0.0.1) only; reach it via localhost or front it with a reverse proxy/tunnel for remote access.\"\n\t}), {\n\t\tstatus: 400,\n\t\theaders: { \"content-type\": \"application/json\" }\n\t});\n}\n/**\n* Reject POST/PUT/DELETE requests whose Origin header does not match\n* localhost or 127.0.0.1. Requests with no Origin (non-browser clients)\n* are always allowed.\n*\n* @param request  Incoming Request\n* @param port     The port this server is bound to\n* @returns        A 403 Response if the origin is rejected; null if allowed\n*/\nfunction checkOriginHeader(request, port) {\n\tconst method = request.method.toUpperCase();\n\tif (method === \"GET\" || method === \"HEAD\" || method === \"OPTIONS\") return null;\n\tconst origin = request.headers.get(\"origin\");\n\tif (!origin) return null;\n\ttry {\n\t\tconst u = new URL(origin);\n\t\tif ([`localhost:${port}`, `127.0.0.1:${port}`].includes(u.host)) return null;\n\t} catch {}\n\treturn new Response(JSON.stringify({\n\t\terror: \"forbidden_origin\",\n\t\torigin\n\t}), {\n\t\tstatus: 403,\n\t\theaders: { \"content-type\": \"application/json\" }\n\t});\n}\nvar UI_PORT = Number(process.env.PORT ?? 3880);\n//#endregion\nexport { getOpenCodeClient as a, jsonBodyError as c, requireAdmin as d, safeTokenCompare as f, invalidateSession as h, errorResponse as i, jsonResponse as l, createSession as m, checkHostHeader as n, getRequestId as o, withAdminBody as p, checkOriginHeader as r, getUiLoginPassword as s, UI_PORT as t, parseJsonBody as u };\n"],"names":[],"mappings":";;;;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,GAAG,KAAK;AAC1B;AACA,IAAI,QAAQ,mBAAmB,IAAI,GAAG,EAAE;AACxC;AACA;AACA;AACA;AACA,SAAS,aAAa,GAAG;AACzB,CAAC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE;AAClC,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;AACjD,CAAC,OAAO,KAAK;AACb;AACA;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,KAAK,EAAE;AAChC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,KAAK;AACzB,CAAC,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;AACtC,CAAC,IAAI,SAAS,KAAK,MAAM,EAAE,OAAO,KAAK;AACvC,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,SAAS,EAAE;AAC9B,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;AACxB,EAAE,OAAO,KAAK;AACd,CAAC;AACD,CAAC,OAAO,IAAI;AACZ;AACA;AACA;AACA;AACA;AACA,SAAS,iBAAiB,CAAC,KAAK,EAAE;AAClC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;AACvB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe;AACnB,IAAI,kBAAkB;AACtB,SAAS,iBAAiB,GAAG;AAC7B,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,iBAAiB,EAAE;AACpC,CAAC,IAAI,CAAC,eAAe,IAAI,GAAG,KAAK,kBAAkB,EAAE;AACrD,EAAE,eAAe,GAAG,oBAAoB,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1D,EAAE,kBAAkB,GAAG,GAAG;AAC1B,CAAC;AACD,CAAC,OAAO,eAAe;AACvB;AACA,SAAS,gBAAgB,CAAC,CAAC,EAAE,CAAC,EAAE;AAChC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,OAAO,KAAK;AACjE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,KAAK;AAC3B,CAAC,OAAO,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;AACzG;AACA;AACA,SAAS,YAAY,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,EAAE,EAAE;AACpD,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;AAC3C,EAAE,MAAM;AACR,EAAE,OAAO,EAAE;AACX,GAAG,cAAc,EAAE,kBAAkB;AACrC,GAAG,GAAG,SAAS,GAAG,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG;AAClD;AACA,EAAE,CAAC;AACH;AACA;AACA,SAAS,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,EAAE,SAAS,GAAG,EAAE,EAAE;AAC7E,CAAC,OAAO,YAAY,CAAC,MAAM,EAAE;AAC7B,EAAE,KAAK;AACP,EAAE,OAAO;AACT,EAAE,OAAO;AACT,EAAE;AACF,EAAE,EAAE,SAAS,CAAC;AACd;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE;AAC7B,CAAC,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE;AACxE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,kBAAkB,GAAG;AAC9B,CAAC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB;AAClD,CAAC,IAAI,QAAQ,EAAE,OAAO,QAAQ;AAC9B,CAAC,OAAO,UAAU,CAAC,eAAe,EAAE,EAAE,sBAAsB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;AAC9E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE;AAC7B,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,8BAA8B,CAAC;AAChG,CAAC,IAAI,KAAK,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC;AAC3B,CAAC,OAAO,EAAE;AACV;AACA;AACA,SAAS,YAAY,CAAC,KAAK,EAAE,SAAS,EAAE;AACxC,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,8DAA8D,EAAE,EAAE,EAAE,SAAS,CAAC;AAC5J,CAAC,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,gCAAgC,EAAE,EAAE,EAAE,SAAS,CAAC;AACtI,CAAC,OAAO,IAAI;AACZ;AACA;AACA,eAAe,aAAa,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,EAAE;AAC1D,CAAC,IAAI;AACL,EAAE,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AAC7D,EAAE,IAAI,aAAa,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,GAAG,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE;AAC5F,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,EAAE,EAAE;AACvC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE;AACb,EAAE,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,CAAC,CAAC;AAChE,EAAE,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE;AAClC,CAAC;AACD;AACA;AACA,SAAS,aAAa,CAAC,GAAG,EAAE,SAAS,EAAE;AACvC,CAAC,IAAI,GAAG,CAAC,KAAK,KAAK,WAAW,EAAE,OAAO,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,wBAAwB,EAAE,EAAE,EAAE,SAAS,CAAC;AAC/G,CAAC,OAAO,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,iCAAiC,EAAE,EAAE,EAAE,SAAS,CAAC;AAC5F;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE;AAC7C,CAAC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC;AACtC,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC9D,CAAC,IAAI,WAAW,EAAE,OAAO,WAAW;AACpC,CAAC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC;AACjD,CAAC,IAAI,SAAS,EAAE,OAAO,SAAS;AAChC,CAAC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC;AAClD,CAAC,IAAI,OAAO,IAAI,MAAM,EAAE,OAAO,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC;AAC/D,CAAC,OAAO,OAAO,CAAC;AAChB,EAAE,SAAS;AACX,EAAE,IAAI,EAAE,MAAM,CAAC;AACf,EAAE,CAAC;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,OAAO,EAAE,IAAI,EAAE;AACxC,CAAC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AACjF,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,IAAI;AACjF,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACpC,EAAE,KAAK,EAAE,cAAc;AACvB,EAAE,IAAI,EAAE,UAAU;AAClB,EAAE,OAAO,EAAE;AACX,EAAE,CAAC,EAAE;AACL,EAAE,MAAM,EAAE,GAAG;AACb,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAC/C,EAAE,CAAC;AACH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,iBAAiB,CAAC,OAAO,EAAE,IAAI,EAAE;AAC1C,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE;AAC5C,CAAC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,SAAS,EAAE,OAAO,IAAI;AAC/E,CAAC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;AAC7C,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI;AACzB,CAAC,IAAI;AACL,EAAE,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC;AAC3B,EAAE,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,IAAI;AAC9E,CAAC,CAAC,CAAC,MAAM,CAAC;AACV,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACpC,EAAE,KAAK,EAAE,kBAAkB;AAC3B,EAAE;AACF,EAAE,CAAC,EAAE;AACL,EAAE,MAAM,EAAE,GAAG;AACb,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAC/C,EAAE,CAAC;AACH;AACG,IAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI;;;;"}

package/build/server/chunks/{hooks.server-DERyGNuF.js → hooks.server-DAguS3lI.js}

@@ -1,7 +1,7 @@
 import { r as redirect } from './exports-D1quPX8S.js';
-import { _ as isSetupComplete, ak as resolveStackDir, J as ensureHomeDirs, M as ensureSecrets, ab as readStackRuntimeEnv, K as ensureOpenCodeConfig, L as ensureOpenCodeSystemConfig, aj as resolveRuntimeFiles, ar as writeRuntimeFiles, y as createLogger } from './src-BsgfqG_-.js';
-import { b as getState } from './endpoints-kaPFORka.js';
-import { c as checkHostHeader, a as checkOriginHeader, U as UI_PORT } from './helpers-B8h4zchW.js';
+import { _ as isSetupComplete, ak as resolveStackDir, J as ensureHomeDirs, M as ensureSecrets, ab as readStackRuntimeEnv, K as ensureOpenCodeConfig, L as ensureOpenCodeSystemConfig, aj as resolveRuntimeFiles, ar as writeRuntimeFiles, y as createLogger } from './src-BWQ05CjI.js';
+import { b as getState } from './endpoints-Cl-EGY98.js';
+import { c as checkHostHeader, a as checkOriginHeader, U as UI_PORT } from './helpers-CXOtgOuA.js';
 import './utils-BSRjJDrZ.js';
 import './chunk-CLZ62Ad-.js';
 import 'node:module';
@@ -79,4 +79,4 @@ var handle = async ({ event, resolve }) => {
 };
 
 export { handle };
-//# sourceMappingURL=hooks.server-DERyGNuF.js.map
+//# sourceMappingURL=hooks.server-DAguS3lI.js.map

package/build/server/chunks/{hooks.server-DERyGNuF.js.map → hooks.server-DAguS3lI.js.map}

@@ -1 +1 @@
-{"version":3,"file":"hooks.server-DERyGNuF.js","sources":["../../../.svelte-kit/adapter-node/entries/hooks.server.js"],"sourcesContent":["import { i as redirect } from \"../chunks/exports.js\";\nimport { J as isSetupComplete, Nt as createLogger, _t as readStackRuntimeEnv, dt as resolveRuntimeFiles, ft as writeRuntimeFiles, ht as ensureSecrets, jt as resolveStackDir, kt as ensureHomeDirs, mt as ensureOpenCodeConfig, pt as ensureOpenCodeSystemConfig } from \"../chunks/src.js\";\nimport { c as getState } from \"../chunks/endpoints.js\";\nimport { n as checkHostHeader, r as checkOriginHeader, t as UI_PORT } from \"../chunks/helpers.js\";\n//#region src/hooks.server.ts\nvar logger = createLogger(\"admin\");\nvar startupApplyDone = false;\nfunction runStartupApply() {\n\tif (startupApplyDone) return;\n\tstartupApplyDone = true;\n\ttry {\n\t\tensureHomeDirs();\n\t\tconst state = getState();\n\t\tensureSecrets(state);\n\t\tconst stackVars = readStackRuntimeEnv(state.stackDir);\n\t\tfor (const [k, v] of Object.entries(stackVars)) if (v && !process.env[k]) process.env[k] = v;\n\t\tensureOpenCodeConfig();\n\t\tensureOpenCodeSystemConfig();\n\t\tstate.artifacts = resolveRuntimeFiles();\n\t\twriteRuntimeFiles(state);\n\t\tlogger.info(\"startup auto-apply completed successfully\", { artifactMeta: state.artifactMeta });\n\t} catch (err) {\n\t\tlogger.error(\"startup auto-apply failed\", { error: String(err) });\n\t}\n}\nrunStartupApply();\nvar SETUP_PATHS = [\n\t\"/setup\",\n\t\"/api/setup\",\n\t\"/health\",\n\t\"/guardian/health\"\n];\nfunction isLocalhostAddress(ip) {\n\treturn ip === \"127.0.0.1\" || ip === \"::1\" || ip === \"::ffff:127.0.0.1\";\n}\nvar handle = async ({ event, resolve }) => {\n\tconst hostError = checkHostHeader(event.request, UI_PORT);\n\tif (hostError) return hostError;\n\tconst originError = checkOriginHeader(event.request, UI_PORT);\n\tif (originError) return originError;\n\tconst path = event.url.pathname;\n\tconst isSetupPath = SETUP_PATHS.some((p) => path === p || path.startsWith(p + \"/\"));\n\tif (isSetupPath && !isSetupComplete(resolveStackDir())) {\n\t\tif (!isLocalhostAddress(event.getClientAddress())) return new Response(JSON.stringify({\n\t\t\terror: \"setup_localhost_only\",\n\t\t\tmessage: \"Setup is only accessible from the host machine until installation is complete.\"\n\t\t}), {\n\t\t\tstatus: 403,\n\t\t\theaders: { \"content-type\": \"application/json\" }\n\t\t});\n\t}\n\tif (!isSetupPath && !isSetupComplete(resolveStackDir())) redirect(302, \"/setup\");\n\tconst response = await resolve(event);\n\tresponse.headers.set(\"X-Frame-Options\", \"DENY\");\n\tresponse.headers.set(\"X-Content-Type-Options\", \"nosniff\");\n\tresponse.headers.set(\"Referrer-Policy\", \"no-referrer\");\n\treturn response;\n};\n//#endregion\nexport { handle };\n"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAIA;AACA,IAAI,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC;AAClC,IAAI,gBAAgB,GAAG,KAAK;AAC5B,SAAS,eAAe,GAAG;AAC3B,CAAC,IAAI,gBAAgB,EAAE;AACvB,CAAC,gBAAgB,GAAG,IAAI;AACxB,CAAC,IAAI;AACL,EAAE,cAAc,EAAE;AAClB,EAAE,MAAM,KAAK,GAAG,QAAQ,EAAE;AAC1B,EAAE,aAAa,CAAC,KAAK,CAAC;AACtB,EAAE,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC;AACvD,EAAE,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;AAC9F,EAAE,oBAAoB,EAAE;AACxB,EAAE,0BAA0B,EAAE;AAC9B,EAAE,KAAK,CAAC,SAAS,GAAG,mBAAmB,EAAE;AACzC,EAAE,iBAAiB,CAAC,KAAK,CAAC;AAC1B,EAAE,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC;AAChG,CAAC,CAAC,CAAC,OAAO,GAAG,EAAE;AACf,EAAE,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AACnE,CAAC;AACD;AACA,eAAe,EAAE;AACjB,IAAI,WAAW,GAAG;AAClB,CAAC,QAAQ;AACT,CAAC,YAAY;AACb,CAAC,SAAS;AACV,CAAC;AACD,CAAC;AACD,SAAS,kBAAkB,CAAC,EAAE,EAAE;AAChC,CAAC,OAAO,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,KAAK,IAAI,EAAE,KAAK,kBAAkB;AACvE;AACG,IAAC,MAAM,GAAG,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;AAC3C,CAAC,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC1D,CAAC,IAAI,SAAS,EAAE,OAAO,SAAS;AAChC,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC9D,CAAC,IAAI,WAAW,EAAE,OAAO,WAAW;AACpC,CAAC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ;AAChC,CAAC,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;AACpF,CAAC,IAAI,WAAW,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,EAAE;AACzD,EAAE,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,EAAE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACxF,GAAG,KAAK,EAAE,sBAAsB;AAChC,GAAG,OAAO,EAAE;AACZ,GAAG,CAAC,EAAE;AACN,GAAG,MAAM,EAAE,GAAG;AACd,GAAG,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAChD,GAAG,CAAC;AACJ,CAAC;AACD,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,EAAE,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC;AACjF,CAAC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC;AACtC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC;AAChD,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAS,CAAC;AAC1D,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC;AACvD,CAAC,OAAO,QAAQ;AAChB;;;;"}
+{"version":3,"file":"hooks.server-DAguS3lI.js","sources":["../../../.svelte-kit/adapter-node/entries/hooks.server.js"],"sourcesContent":["import { i as redirect } from \"../chunks/exports.js\";\nimport { J as isSetupComplete, Nt as createLogger, _t as readStackRuntimeEnv, dt as resolveRuntimeFiles, ft as writeRuntimeFiles, ht as ensureSecrets, jt as resolveStackDir, kt as ensureHomeDirs, mt as ensureOpenCodeConfig, pt as ensureOpenCodeSystemConfig } from \"../chunks/src.js\";\nimport { c as getState } from \"../chunks/endpoints.js\";\nimport { n as checkHostHeader, r as checkOriginHeader, t as UI_PORT } from \"../chunks/helpers.js\";\n//#region src/hooks.server.ts\nvar logger = createLogger(\"admin\");\nvar startupApplyDone = false;\nfunction runStartupApply() {\n\tif (startupApplyDone) return;\n\tstartupApplyDone = true;\n\ttry {\n\t\tensureHomeDirs();\n\t\tconst state = getState();\n\t\tensureSecrets(state);\n\t\tconst stackVars = readStackRuntimeEnv(state.stackDir);\n\t\tfor (const [k, v] of Object.entries(stackVars)) if (v && !process.env[k]) process.env[k] = v;\n\t\tensureOpenCodeConfig();\n\t\tensureOpenCodeSystemConfig();\n\t\tstate.artifacts = resolveRuntimeFiles();\n\t\twriteRuntimeFiles(state);\n\t\tlogger.info(\"startup auto-apply completed successfully\", { artifactMeta: state.artifactMeta });\n\t} catch (err) {\n\t\tlogger.error(\"startup auto-apply failed\", { error: String(err) });\n\t}\n}\nrunStartupApply();\nvar SETUP_PATHS = [\n\t\"/setup\",\n\t\"/api/setup\",\n\t\"/health\",\n\t\"/guardian/health\"\n];\nfunction isLocalhostAddress(ip) {\n\treturn ip === \"127.0.0.1\" || ip === \"::1\" || ip === \"::ffff:127.0.0.1\";\n}\nvar handle = async ({ event, resolve }) => {\n\tconst hostError = checkHostHeader(event.request, UI_PORT);\n\tif (hostError) return hostError;\n\tconst originError = checkOriginHeader(event.request, UI_PORT);\n\tif (originError) return originError;\n\tconst path = event.url.pathname;\n\tconst isSetupPath = SETUP_PATHS.some((p) => path === p || path.startsWith(p + \"/\"));\n\tif (isSetupPath && !isSetupComplete(resolveStackDir())) {\n\t\tif (!isLocalhostAddress(event.getClientAddress())) return new Response(JSON.stringify({\n\t\t\terror: \"setup_localhost_only\",\n\t\t\tmessage: \"Setup is only accessible from the host machine until installation is complete.\"\n\t\t}), {\n\t\t\tstatus: 403,\n\t\t\theaders: { \"content-type\": \"application/json\" }\n\t\t});\n\t}\n\tif (!isSetupPath && !isSetupComplete(resolveStackDir())) redirect(302, \"/setup\");\n\tconst response = await resolve(event);\n\tresponse.headers.set(\"X-Frame-Options\", \"DENY\");\n\tresponse.headers.set(\"X-Content-Type-Options\", \"nosniff\");\n\tresponse.headers.set(\"Referrer-Policy\", \"no-referrer\");\n\treturn response;\n};\n//#endregion\nexport { handle };\n"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAIA;AACA,IAAI,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC;AAClC,IAAI,gBAAgB,GAAG,KAAK;AAC5B,SAAS,eAAe,GAAG;AAC3B,CAAC,IAAI,gBAAgB,EAAE;AACvB,CAAC,gBAAgB,GAAG,IAAI;AACxB,CAAC,IAAI;AACL,EAAE,cAAc,EAAE;AAClB,EAAE,MAAM,KAAK,GAAG,QAAQ,EAAE;AAC1B,EAAE,aAAa,CAAC,KAAK,CAAC;AACtB,EAAE,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,QAAQ,CAAC;AACvD,EAAE,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;AAC9F,EAAE,oBAAoB,EAAE;AACxB,EAAE,0BAA0B,EAAE;AAC9B,EAAE,KAAK,CAAC,SAAS,GAAG,mBAAmB,EAAE;AACzC,EAAE,iBAAiB,CAAC,KAAK,CAAC;AAC1B,EAAE,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC;AAChG,CAAC,CAAC,CAAC,OAAO,GAAG,EAAE;AACf,EAAE,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AACnE,CAAC;AACD;AACA,eAAe,EAAE;AACjB,IAAI,WAAW,GAAG;AAClB,CAAC,QAAQ;AACT,CAAC,YAAY;AACb,CAAC,SAAS;AACV,CAAC;AACD,CAAC;AACD,SAAS,kBAAkB,CAAC,EAAE,EAAE;AAChC,CAAC,OAAO,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,KAAK,IAAI,EAAE,KAAK,kBAAkB;AACvE;AACG,IAAC,MAAM,GAAG,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;AAC3C,CAAC,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC1D,CAAC,IAAI,SAAS,EAAE,OAAO,SAAS;AAChC,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC;AAC9D,CAAC,IAAI,WAAW,EAAE,OAAO,WAAW;AACpC,CAAC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ;AAChC,CAAC,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;AACpF,CAAC,IAAI,WAAW,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,EAAE;AACzD,EAAE,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,EAAE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;AACxF,GAAG,KAAK,EAAE,sBAAsB;AAChC,GAAG,OAAO,EAAE;AACZ,GAAG,CAAC,EAAE;AACN,GAAG,MAAM,EAAE,GAAG;AACd,GAAG,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AAChD,GAAG,CAAC;AACJ,CAAC;AACD,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,EAAE,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC;AACjF,CAAC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC;AACtC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC;AAChD,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAS,CAAC;AAC1D,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC;AACvD,CAAC,OAAO,QAAQ;AAChB;;;;"}

package/build/server/chunks/{http-8UL6GfDM.js → http-Cl3z_Fum.js}

@@ -1,4 +1,4 @@
-import { g as getActiveEndpoint } from './endpoints-kaPFORka.js';
+import { g as getActiveEndpoint } from './endpoints-Cl-EGY98.js';
 
 //#region src/lib/server/opencode/http.ts
 /**
@@ -28,4 +28,4 @@ async function opencodeFetch(path, init) {
 }
 
 export { opencodeFetch as o };
-//# sourceMappingURL=http-8UL6GfDM.js.map
+//# sourceMappingURL=http-Cl3z_Fum.js.map

package/build/server/chunks/{http-8UL6GfDM.js.map → http-Cl3z_Fum.js.map}

@@ -1 +1 @@
-{"version":3,"file":"http-8UL6GfDM.js","sources":["../../../.svelte-kit/adapter-node/chunks/http.js"],"sourcesContent":["import { r as getActiveEndpoint } from \"./endpoints.js\";\n//#region src/lib/server/opencode/http.ts\n/**\n* HTTP transport for talking to the active OpenCode endpoint.\n*\n* Used by sibling modules (`config.ts`, `catalog.ts`) — not part of the\n* public API of `$lib/server/opencode`. Reads the active endpoint per-call\n* so user switches in the UI take effect immediately.\n*/\nasync function opencodeFetch(path, init) {\n\tconst endpoint = getActiveEndpoint();\n\tconst headers = {\n\t\t\"content-type\": \"application/json\",\n\t\t...init?.headers\n\t};\n\tif (endpoint.password) {\n\t\tconst user = endpoint.username || \"openpalm\";\n\t\theaders[\"authorization\"] = `Basic ${btoa(`${user}:${endpoint.password}`)}`;\n\t}\n\tconst response = await fetch(`${endpoint.url}${path}`, {\n\t\t...init,\n\t\theaders\n\t});\n\tif (!response.ok) throw new Error(`${init?.method ?? \"GET\"} ${path} failed with ${response.status}`);\n\tif (response.status === 204) return;\n\treturn await response.json();\n}\n//#endregion\nexport { opencodeFetch as t };\n"],"names":[],"mappings":";;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE;AACzC,CAAC,MAAM,QAAQ,GAAG,iBAAiB,EAAE;AACrC,CAAC,MAAM,OAAO,GAAG;AACjB,EAAE,cAAc,EAAE,kBAAkB;AACpC,EAAE,GAAG,IAAI,EAAE;AACX,EAAE;AACF,CAAC,IAAI,QAAQ,CAAC,QAAQ,EAAE;AACxB,EAAE,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,IAAI,UAAU;AAC9C,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AACD,CAAC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE;AACxD,EAAE,GAAG,IAAI;AACT,EAAE;AACF,EAAE,CAAC;AACH,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,IAAI,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,IAAI,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACrG,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AAC9B,CAAC,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE;AAC7B;;;;"}
+{"version":3,"file":"http-Cl3z_Fum.js","sources":["../../../.svelte-kit/adapter-node/chunks/http.js"],"sourcesContent":["import { r as getActiveEndpoint } from \"./endpoints.js\";\n//#region src/lib/server/opencode/http.ts\n/**\n* HTTP transport for talking to the active OpenCode endpoint.\n*\n* Used by sibling modules (`config.ts`, `catalog.ts`) — not part of the\n* public API of `$lib/server/opencode`. Reads the active endpoint per-call\n* so user switches in the UI take effect immediately.\n*/\nasync function opencodeFetch(path, init) {\n\tconst endpoint = getActiveEndpoint();\n\tconst headers = {\n\t\t\"content-type\": \"application/json\",\n\t\t...init?.headers\n\t};\n\tif (endpoint.password) {\n\t\tconst user = endpoint.username || \"openpalm\";\n\t\theaders[\"authorization\"] = `Basic ${btoa(`${user}:${endpoint.password}`)}`;\n\t}\n\tconst response = await fetch(`${endpoint.url}${path}`, {\n\t\t...init,\n\t\theaders\n\t});\n\tif (!response.ok) throw new Error(`${init?.method ?? \"GET\"} ${path} failed with ${response.status}`);\n\tif (response.status === 204) return;\n\treturn await response.json();\n}\n//#endregion\nexport { opencodeFetch as t };\n"],"names":[],"mappings":";;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAe,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE;AACzC,CAAC,MAAM,QAAQ,GAAG,iBAAiB,EAAE;AACrC,CAAC,MAAM,OAAO,GAAG;AACjB,EAAE,cAAc,EAAE,kBAAkB;AACpC,EAAE,GAAG,IAAI,EAAE;AACX,EAAE;AACF,CAAC,IAAI,QAAQ,CAAC,QAAQ,EAAE;AACxB,EAAE,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,IAAI,UAAU;AAC9C,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AACD,CAAC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,EAAE;AACxD,EAAE,GAAG,IAAI;AACT,EAAE;AACF,EAAE,CAAC;AACH,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,IAAI,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,IAAI,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACrG,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AAC9B,CAAC,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE;AAC7B;;;;"}

package/build/server/chunks/{internal-CGO6-n-l.js → internal-CgdcWAsz.js}

@@ -1518,7 +1518,7 @@ var options = {
 		app: ({ head, body, assets, nonce, env }) => "<!doctype html>\n<html lang=\"en\">\n  <head>\n    <meta charset=\"utf-8\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n    <meta name=\"theme-color\" content=\"#ffffff\" />\n    <meta name=\"color-scheme\" content=\"light\" />\n    <script>\n      (() => {\n        const storageKey = 'openpalm.theme';\n        const darkThemeColor = '#161c22';\n        const lightThemeColor = '#f9fafb';\n\n        try {\n          const stored = window.localStorage.getItem(storageKey);\n          const preference = stored === 'light' || stored === 'dark' || stored === 'system' ? stored : 'system';\n          const resolved = preference === 'system'\n            ? (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light')\n            : preference;\n          const root = document.documentElement;\n          root.setAttribute('data-theme', resolved);\n          root.style.colorScheme = resolved;\n\n          const themeColorMeta = document.querySelector('meta[name=\"theme-color\"]');\n          if (themeColorMeta) {\n            themeColorMeta.setAttribute('content', resolved === 'dark' ? darkThemeColor : lightThemeColor);\n          }\n\n          const colorSchemeMeta = document.querySelector('meta[name=\"color-scheme\"]');\n          if (colorSchemeMeta) {\n            colorSchemeMeta.setAttribute('content', resolved);\n          }\n        } catch {\n          // Keep the default light metadata if storage access is unavailable.\n        }\n      })();\n    <\/script>\n    <link rel=\"preconnect\" href=\"https://fonts.googleapis.com\" />\n    <link rel=\"preconnect\" href=\"https://fonts.gstatic.com\" crossorigin />\n    <link\n      href=\"https://fonts.googleapis.com/css2?family=Source+Sans+3:wght@400;500;600;700&family=IBM+Plex+Mono:wght@400;500&display=swap\"\n      rel=\"stylesheet\"\n    />\n    " + head + "\n  </head>\n  <body data-sveltekit-preload-data=\"hover\">\n    <div style=\"display: contents\">" + body + "</div>\n  </body>\n</html>\n",
 		error: ({ status, message }) => "<!doctype html>\n<html lang=\"en\">\n	<head>\n		<meta charset=\"utf-8\" />\n		<title>" + message + "</title>\n\n		<style>\n			body {\n				--bg: white;\n				--fg: #222;\n				--divider: #ccc;\n				background: var(--bg);\n				color: var(--fg);\n				font-family:\n					system-ui,\n					-apple-system,\n					BlinkMacSystemFont,\n					'Segoe UI',\n					Roboto,\n					Oxygen,\n					Ubuntu,\n					Cantarell,\n					'Open Sans',\n					'Helvetica Neue',\n					sans-serif;\n				display: flex;\n				align-items: center;\n				justify-content: center;\n				height: 100vh;\n				margin: 0;\n			}\n\n			.error {\n				display: flex;\n				align-items: center;\n				max-width: 32rem;\n				margin: 0 1rem;\n			}\n\n			.status {\n				font-weight: 200;\n				font-size: 3rem;\n				line-height: 1;\n				position: relative;\n				top: -0.05rem;\n			}\n\n			.message {\n				border-left: 1px solid var(--divider);\n				padding: 0 0 0 1rem;\n				margin: 0 0 0 1rem;\n				min-height: 2.5rem;\n				display: flex;\n				align-items: center;\n			}\n\n			.message h1 {\n				font-weight: 400;\n				font-size: 1em;\n				margin: 0;\n			}\n\n			@media (prefers-color-scheme: dark) {\n				body {\n					--bg: #222;\n					--fg: #ddd;\n					--divider: #666;\n				}\n			}\n		</style>\n	</head>\n	<body>\n		<div class=\"error\">\n			<span class=\"status\">" + status + "</span>\n			<div class=\"message\">\n				<h1>" + message + "</h1>\n			</div>\n		</div>\n	</body>\n</html>\n"
 	},
-	version_hash: "txf0dg"
+	version_hash: "5q94pu"
 };
 async function get_hooks() {
 	let handle;
@@ -1526,7 +1526,7 @@ async function get_hooks() {
 	let handleError;
 	let handleValidationError;
 	let init;
-	({handle, handleFetch, handleError, handleValidationError, init} = await import('./hooks.server-DERyGNuF.js'));
+	({handle, handleFetch, handleError, handleValidationError, init} = await import('./hooks.server-DAguS3lI.js'));
 	let reroute;
 	let transport;
 	return {
@@ -1541,4 +1541,4 @@ async function get_hooks() {
 }
 
 export { stringify$1 as A, validate_layout_exports as B, validate_layout_server_exports as C, validate_page_exports as D, validate_page_server_exports as E, with_request_store as F, INVALIDATED_PARAM as I, NULL_BODY_STATUS as N, TRAILING_SLASH_PARAM as T, IN_WEBCONTAINER as a, compact as b, coalesce_to_error as c, create_remote_key as d, decode_pathname as e, disable_search as f, find_route as g, get_hooks as h, get_message as i, get_status as j, hash as k, merge_tracing as l, make_trackable as m, noop as n, noop_span as o, normalize_error as p, normalize_path as q, once as r, options as s, parse as t, parse_remote_arg as u, read_implementation as v, resolve as w, set_read_implementation as x, split_remote_key as y, stringify as z };
-//# sourceMappingURL=internal-CGO6-n-l.js.map
+//# sourceMappingURL=internal-CgdcWAsz.js.map