@otwa/mcp-server 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,11 @@
+# Changelog
+
+## 0.1.0 — unreleased
+
+Initial release.
+
+- 20 tools covering account, catalog, servers (CRUD + power + reinstall + stats + SSO), networking PTR, billing (read-only), wallet (read-only) and webhooks.
+- Bearer-key auth against `https://api.otwa.cloud/v1/*`.
+- Idempotency-Key auto-generation for `create_server` and `reinstall_server`.
+- Three-layer safety on destructive operations: `confirm` flag, `expectedLabel` typo-guard, backend scope enforcement.
+- Stdio transport; remote HTTP transport planned for 0.2.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Otwa Cloud
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,228 @@
+# @otwa/mcp-server
+
+Official Model Context Protocol server for [otwa.cloud](https://otwa.cloud).
+Provision and manage servers from Claude Code, Cursor, Windsurf, Zed, or any
+other MCP-capable AI tool — just by talking to it.
+
+```
+> "Spin up a 4 vCPU Ubuntu 22 box in Frankfurt called prod-api-01"
+
+Claude → calls otwa_list_products, otwa_list_os_templates, otwa_list_regions
+       → quotes the monthly price, asks you to confirm
+       → calls otwa_create_server
+       → returns the new server's IP and SSH credentials
+```
+
+## Two ways to use this
+
+| Option | Best for | Install |
+|---|---|---|
+| **Hosted (no install)** | Anyone with an MCP client that supports remote HTTP | Just add `https://mcp.otwa.cloud/mcp` to your client config with `Authorization: Bearer otwa_…` |
+| **Local stdio** | Older MCP clients, offline use, total control over the binary | `npx -y @otwa/mcp-server` — full instructions below |
+
+### Hosted endpoint (recommended)
+
+```
+URL:     https://mcp.otwa.cloud/mcp
+Auth:    Authorization: Bearer otwa_xxxxxxxxxxxxxxxxxxxx
+Health:  GET https://mcp.otwa.cloud/healthz
+```
+
+The hosted server is stateless — every request is authenticated independently with your API key. No session state lives on `mcp.otwa.cloud`, so a leaked session id is useless.
+
+## Quick start (local stdio)
+
+### 1. Generate an API key
+
+Go to [otwa.cloud/dashboard/settings/api-keys](https://otwa.cloud/dashboard/settings/api-keys)
+and create a key with the scopes you want the AI to use.
+
+Recommended starter scopes:
+
+| Scope | Why |
+|---|---|
+| `account:read` | Read account info, product catalogue, regions |
+| `servers:read` | List servers, view stats, view credentials |
+| `servers:write` | Create servers, change power state, rename, reset password |
+| `billing:read` | Read invoices and wallet balance |
+
+Leave **`servers:destroy` unchecked** unless you really want the AI to be able
+to permanently delete servers — even with confirmation guards, scope-level
+denial is the strongest defence.
+
+Copy the `otwa_…` key shown once on the dashboard; it cannot be re-displayed.
+
+### 2. Install in your AI client
+
+#### Claude Code
+
+```bash
+claude mcp add otwa npx -y @otwa/mcp-server
+claude mcp env otwa OTWA_API_KEY=otwa_xxxxxxxxxxxxxxxxxxxx
+```
+
+#### Cursor
+
+Add to `~/.cursor/mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "otwa": {
+      "command": "npx",
+      "args": ["-y", "@otwa/mcp-server"],
+      "env": {
+        "OTWA_API_KEY": "otwa_xxxxxxxxxxxxxxxxxxxx"
+      }
+    }
+  }
+}
+```
+
+#### Windsurf
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "otwa": {
+      "command": "npx",
+      "args": ["-y", "@otwa/mcp-server"],
+      "env": {
+        "OTWA_API_KEY": "otwa_xxxxxxxxxxxxxxxxxxxx"
+      }
+    }
+  }
+}
+```
+
+#### Zed
+
+Add to `~/.config/zed/settings.json`:
+
+```json
+{
+  "context_servers": {
+    "otwa": {
+      "command": {
+        "path": "npx",
+        "args": ["-y", "@otwa/mcp-server"],
+        "env": { "OTWA_API_KEY": "otwa_xxxxxxxxxxxxxxxxxxxx" }
+      }
+    }
+  }
+}
+```
+
+#### Continue
+
+Add to `~/.continue/config.json` under `experimental.modelContextProtocolServers`:
+
+```json
+{
+  "experimental": {
+    "modelContextProtocolServers": [
+      {
+        "transport": {
+          "type": "stdio",
+          "command": "npx",
+          "args": ["-y", "@otwa/mcp-server"],
+          "env": { "OTWA_API_KEY": "otwa_xxxxxxxxxxxxxxxxxxxx" }
+        }
+      }
+    ]
+  }
+}
+```
+
+### 3. Try it
+
+Restart your client and ask:
+
+- *"What's on my otwa.cloud account?"*
+- *"List my servers"*
+- *"How much would a 4 vCPU plan cost per month?"*
+- *"Create a new Ubuntu 22 server and call it test-box-1"*
+
+## Tools
+
+20 tools across six surfaces:
+
+### Account & catalogue (read-only, `account:read`)
+- `otwa_account` — current account, balance, tier
+- `otwa_list_products` — available plans with prices
+- `otwa_list_regions` — deploy regions
+- `otwa_list_os_templates` — OS images
+
+### Servers
+- `otwa_list_servers` — list all servers *(servers:read)*
+- `otwa_get_server` — full detail for one server *(servers:read)*
+- `otwa_get_server_credentials` — SSH credentials *(servers:read, sensitive)*
+- `otwa_get_server_stats` — live CPU/RAM/disk metrics *(servers:read)*
+- `otwa_create_server` — provision new server *(servers:write)*
+- `otwa_rename_server` — change label *(servers:write)*
+- `otwa_power_server` — start/stop/reboot *(servers:write)*
+- `otwa_reset_server_password` — rotate root password *(servers:write)*
+- `otwa_reinstall_server` — wipe and reinstall OS *(servers:destroy)*
+- `otwa_destroy_server` — permanently terminate *(servers:destroy)*
+- `otwa_get_dashboard_sso` — 5-min SSO link to dashboard *(servers:read or account:read)*
+
+### Networking
+- `otwa_list_server_ips` — IPs on a server *(servers:read)*
+- `otwa_set_ptr` — set reverse DNS *(servers:write)*
+- `otwa_delete_ptr` — clear reverse DNS *(servers:write)*
+
+### Billing (read-only)
+- `otwa_list_invoices` *(billing:read)*
+- `otwa_get_invoice` *(billing:read)*
+- `otwa_list_transactions` *(billing:read)*
+- `otwa_get_wallet_balance` *(billing:read)*
+
+### Webhooks
+- `otwa_list_webhooks` *(webhooks:read)*
+- `otwa_create_webhook` *(webhooks:write)*
+- `otwa_delete_webhook` *(webhooks:write)*
+
+## Safety
+
+Destructive tools (`otwa_destroy_server`, `otwa_reinstall_server`) require:
+
+1. **`confirm: true`** and **`iAcknowledgeDataLoss: true`** in the tool call
+2. **`expectedLabel`** matching the server's current label (typo-guard, only on destroy)
+3. **`servers:destroy` scope** on the API key, enforced server-side
+
+Medium-risk tools (`otwa_power_server` for stop/reboot, `otwa_reset_server_password`,
+`otwa_delete_webhook`) require **`confirm: true`** only.
+
+`otwa_create_server` and `otwa_reinstall_server` use auto-generated idempotency
+keys so transient LLM retries cannot double-provision or double-bill.
+
+## Environment variables
+
+| Var | Required? | Default | Description |
+|---|---|---|---|
+| `OTWA_API_KEY` | yes | — | Your `otwa_…` API key |
+| `OTWA_API_BASE` | no | `https://api.otwa.cloud` | API base URL (override for staging) |
+| `OTWA_TELEMETRY` | no | off | Set to `1` to opt in to anonymous usage pings |
+
+## Troubleshooting
+
+**"OTWA_API_KEY is not set"** — Restart your editor after setting the env var.
+Some clients only read env on cold-start.
+
+**"API key is missing required scope(s): servers:destroy"** — Your key wasn't
+granted that scope. Revoke it at
+[/dashboard/settings/api-keys](https://otwa.cloud/dashboard/settings/api-keys)
+and create a new one.
+
+**"Refusing to destroy server X: expectedLabel does not match"** — Safety guard
+firing. Re-fetch the server label via `otwa_get_server`, confirm with the user,
+and call again.
+
+## License
+
+MIT — see [LICENSE](LICENSE). Source on GitHub:
+[github.com/otwacloud/mcp-server](https://github.com/otwacloud/mcp-server).
+The published npm tarball ships plain, unminified JavaScript that mirrors
+the repo at the same tag.

package/dist/client/errors.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OtwaApiError = void 0;
+exports.mapHttpError = mapHttpError;
+class OtwaApiError extends Error {
+    status;
+    code;
+    body;
+    name = 'OtwaApiError';
+    constructor(message, status, code, body) {
+        super(message);
+        this.status = status;
+        this.code = code;
+        this.body = body;
+    }
+}
+exports.OtwaApiError = OtwaApiError;
+/** Translate a raw HTTP response from otwa-cloud-api into a message the LLM
+ *  can act on. The goal is always: tell the model exactly what to do next,
+ *  not just what went wrong. */
+function mapHttpError(status, body, requestId) {
+    const bodyMessage = extractMessage(body);
+    if (status === 401) {
+        return new OtwaApiError('OTWA_API_KEY is invalid, expired, or revoked. Ask the user to create a fresh key at ' +
+            'https://otwa.cloud/dashboard/settings/api-keys, update the OTWA_API_KEY env var, and restart this MCP server.', status, 'unauthorized', body);
+    }
+    if (status === 403) {
+        return new OtwaApiError(bodyMessage ||
+            'Forbidden — the API key is missing a required scope. The dashboard at ' +
+                'https://otwa.cloud/dashboard/settings/api-keys can re-issue a key with the correct scopes.', status, 'forbidden', body);
+    }
+    if (status === 402) {
+        return new OtwaApiError('Account balance is too low to complete this operation. Tell the user to top up at ' +
+            'https://otwa.cloud/dashboard/billing, or use otwa_get_wallet_balance to fetch a crypto deposit address.', status, 'payment_required', body);
+    }
+    if (status === 404) {
+        return new OtwaApiError(bodyMessage ||
+            'Resource not found. If this is a server id, call otwa_list_servers to see what exists on this account.', status, 'not_found', body);
+    }
+    if (status === 409) {
+        return new OtwaApiError(bodyMessage || 'Conflict — the resource is already in the target state, or the operation is in progress.', status, 'conflict', body);
+    }
+    if (status === 422 || status === 400) {
+        return new OtwaApiError(bodyMessage || 'Validation failed. Check the field constraints and call again.', status, 'validation_failed', body);
+    }
+    if (status === 429) {
+        return new OtwaApiError('Rate-limited by otwa-cloud-api. Wait a few seconds before retrying.', status, 'rate_limited', body);
+    }
+    if (status >= 500) {
+        const trace = requestId ? ` Request id: ${requestId}.` : '';
+        return new OtwaApiError(`otwa-cloud-api returned ${status}. This is a server-side issue — retry once, then contact support@otwa.cloud if it persists.${trace}`, status, 'upstream_error', body);
+    }
+    return new OtwaApiError(bodyMessage || `Unexpected HTTP ${status} from otwa-cloud-api.`, status, 'unknown', body);
+}
+function extractMessage(body) {
+    if (!body || typeof body !== 'object')
+        return null;
+    const b = body;
+    if (typeof b.message === 'string')
+        return b.message;
+    if (Array.isArray(b.message))
+        return b.message.join('; ');
+    if (typeof b.error === 'string')
+        return b.error;
+    return null;
+}
+//# sourceMappingURL=errors.js.map

package/dist/client/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":";;;AAeA,oCA+EC;AA9FD,MAAa,YAAa,SAAQ,KAAK;IAInB;IACA;IACA;IALA,IAAI,GAAG,cAAc,CAAC;IACxC,YACE,OAAe,EACC,MAAc,EACd,IAAY,EACZ,IAAc;QAE9B,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAQ;QACZ,SAAI,GAAJ,IAAI,CAAU;IAGhC,CAAC;CACF;AAVD,oCAUC;AAED;;gCAEgC;AAChC,SAAgB,YAAY,CAAC,MAAc,EAAE,IAAa,EAAE,SAAkB;IAC5E,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IAEzC,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,YAAY,CACrB,sFAAsF;YACpF,+GAA+G,EACjH,MAAM,EACN,cAAc,EACd,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,YAAY,CACrB,WAAW;YACT,wEAAwE;gBACtE,4FAA4F,EAChG,MAAM,EACN,WAAW,EACX,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,YAAY,CACrB,oFAAoF;YAClF,yGAAyG,EAC3G,MAAM,EACN,kBAAkB,EAClB,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,YAAY,CACrB,WAAW;YACT,wGAAwG,EAC1G,MAAM,EACN,WAAW,EACX,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,YAAY,CACrB,WAAW,IAAI,0FAA0F,EACzG,MAAM,EACN,UAAU,EACV,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACrC,OAAO,IAAI,YAAY,CACrB,WAAW,IAAI,gEAAgE,EAC/E,MAAM,EACN,mBAAmB,EACnB,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,YAAY,CACrB,qEAAqE,EACrE,MAAM,EACN,cAAc,EACd,IAAI,CACL,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,gBAAgB,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,OAAO,IAAI,YAAY,CACrB,2BAA2B,MAAM,8FAA8F,KAAK,EAAE,EACtI,MAAM,EACN,gBAAgB,EAChB,IAAI,CACL,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,YAAY,CACrB,WAAW,IAAI,mBAAmB,MAAM,uBAAuB,EAC/D,MAAM,EACN,SAAS,EACT,IAAI,CACL,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,IAAa;IACnC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,OAAO,CAAC;IACpD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAAE,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,KAAK,CAAC;IAChD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/client/http.js

@@ -0,0 +1,92 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OtwaClient = void 0;
+const crypto_1 = require("crypto");
+const errors_1 = require("./errors");
+const version_1 = require("../util/version");
+class OtwaClient {
+    opts;
+    userAgent;
+    constructor(opts) {
+        this.opts = opts;
+        const pkg = (0, version_1.packageInfo)();
+        this.userAgent = `${pkg.name}/${pkg.version} (+https://otwa.cloud/docs/mcp)`;
+    }
+    async request(path, options = {}) {
+        const url = this.buildUrl(path, options.query);
+        const headers = {
+            'Authorization': `Bearer ${this.opts.apiKey}`,
+            'Accept': 'application/json',
+            'User-Agent': this.userAgent,
+        };
+        if (options.body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+        }
+        if (options.idempotent) {
+            headers['Idempotency-Key'] = `mcp-${(0, crypto_1.randomUUID)()}`;
+        }
+        const controller = new AbortController();
+        const timeoutMs = options.timeoutMs ?? this.opts.timeoutMs ?? 30_000;
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        let res;
+        try {
+            res = await fetch(url, {
+                method: options.method || 'GET',
+                headers,
+                body: options.body !== undefined ? JSON.stringify(options.body) : undefined,
+                signal: controller.signal,
+            });
+        }
+        catch (err) {
+            clearTimeout(timer);
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('aborted')) {
+                throw new errors_1.OtwaApiError(`Request to ${path} timed out after ${timeoutMs}ms. Retry, or check otwa.cloud status at https://status.otwa.cloud`, 0, 'timeout');
+            }
+            throw new errors_1.OtwaApiError(`Network error contacting otwa-cloud-api at ${this.opts.apiBase}: ${msg}`, 0, 'network_error');
+        }
+        clearTimeout(timer);
+        if (options.raw) {
+            if (!res.ok) {
+                const body = await safeReadJson(res);
+                throw (0, errors_1.mapHttpError)(res.status, body, res.headers.get('x-request-id') || undefined);
+            }
+            return res;
+        }
+        // 204 No Content: many DELETE endpoints return empty
+        if (res.status === 204) {
+            return { ok: true };
+        }
+        const body = await safeReadJson(res);
+        if (!res.ok) {
+            throw (0, errors_1.mapHttpError)(res.status, body, res.headers.get('x-request-id') || undefined);
+        }
+        return body;
+    }
+    buildUrl(path, query) {
+        const base = this.opts.apiBase;
+        const normalised = path.startsWith('/') ? path : `/${path}`;
+        const url = new URL(`${base}${normalised}`);
+        if (query) {
+            for (const [k, v] of Object.entries(query)) {
+                if (v === undefined || v === null || v === '')
+                    continue;
+                url.searchParams.set(k, String(v));
+            }
+        }
+        return url.toString();
+    }
+}
+exports.OtwaClient = OtwaClient;
+async function safeReadJson(res) {
+    const text = await res.text();
+    if (!text)
+        return null;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return { message: text };
+    }
+}
+//# sourceMappingURL=http.js.map

package/dist/client/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/client/http.ts"],"names":[],"mappings":";;;AAAA,mCAAoC;AACpC,qCAAsD;AACtD,6CAA8C;AAsB9C,MAAa,UAAU;IAGQ;IAFZ,SAAS,CAAS;IAEnC,YAA6B,IAAuB;QAAvB,SAAI,GAAJ,IAAI,CAAmB;QAClD,MAAM,GAAG,GAAG,IAAA,qBAAW,GAAE,CAAC;QAC1B,IAAI,CAAC,SAAS,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,iCAAiC,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,OAAO,CAAc,IAAY,EAAE,UAA0B,EAAE;QACnE,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,OAAO,GAA2B;YACtC,eAAe,EAAE,UAAU,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAC7C,QAAQ,EAAE,kBAAkB;YAC5B,YAAY,EAAE,IAAI,CAAC,SAAS;SAC7B,CAAC;QACF,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC/C,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,IAAA,mBAAU,GAAE,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC;QACrE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBACrB,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;gBAC/B,OAAO;gBACP,IAAI,EAAE,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC3E,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAY,CACpB,cAAc,IAAI,oBAAoB,SAAS,oEAAoE,EACnH,CAAC,EACD,SAAS,CACV,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,qBAAY,CACpB,8CAA8C,IAAI,CAAC,IAAI,CAAC,OAAO,KAAK,GAAG,EAAE,EACzE,CAAC,EACD,eAAe,CAChB,CAAC;QACJ,CAAC;QACD,YAAY,CAAC,KAAK,CAAC,CAAC;QAEpB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;gBACrC,MAAM,IAAA,qBAAY,EAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,CAAC;YACrF,CAAC;YACD,OAAO,GAAmB,CAAC;QAC7B,CAAC;QAED,qDAAqD;QACrD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAO,CAAC;QAC3B,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAA,qBAAY,EAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,IAAS,CAAC;IACnB,CAAC;IAEO,QAAQ,CAAC,IAAY,EAAE,KAA+B;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,UAAU,EAAE,CAAC,CAAC;QAC5C,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3C,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,EAAE;oBAAE,SAAS;gBACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC;CACF;AApFD,gCAoFC;AAED,KAAK,UAAU,YAAY,CAAC,GAAa;IACvC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/client/types.js

@@ -0,0 +1,6 @@
+"use strict";
+// Hand-written response shapes that mirror what `/v1/*` actually returns.
+// Kept loose on purpose — we only name fields we read; everything else passes
+// through verbatim so a backend schema addition does not break the MCP.
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/client/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":";AAAA,0EAA0E;AAC1E,8EAA8E;AAC9E,wEAAwE"}

package/dist/guards/confirm.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mediumConfirm = exports.destructiveConfirm = void 0;
+const zod_1 = require("zod");
+/** A guard schema fragment for destructive operations.
+ *  Forces the LLM to set `confirm: true` AND acknowledge data loss, which
+ *  makes the call surface visibly in the model's reasoning instead of being
+ *  fired silently. Combined with backend `servers:destroy` scope enforcement
+ *  this is three layers of defense for the worst case (terminating a VM). */
+exports.destructiveConfirm = {
+    confirm: zod_1.z
+        .literal(true)
+        .describe('Must be exactly `true`. Confirms the user has been shown what is about to happen and explicitly approved it.'),
+    iAcknowledgeDataLoss: zod_1.z
+        .literal(true)
+        .describe('Must be exactly `true`. The operation will permanently destroy data on the disk.'),
+};
+/** Tag for medium-risk operations (stop a VM, reboot, reset root password).
+ *  Cheaper guard — single confirm flag, no data-loss acknowledgement. */
+exports.mediumConfirm = {
+    confirm: zod_1.z
+        .literal(true)
+        .describe('Must be exactly `true`. This operation interrupts the running workload — confirm with the user first.'),
+};
+//# sourceMappingURL=confirm.js.map

package/dist/guards/confirm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"confirm.js","sourceRoot":"","sources":["../../src/guards/confirm.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAExB;;;;6EAI6E;AAChE,QAAA,kBAAkB,GAAG;IAChC,OAAO,EAAE,OAAC;SACP,OAAO,CAAC,IAAI,CAAC;SACb,QAAQ,CACP,8GAA8G,CAC/G;IACH,oBAAoB,EAAE,OAAC;SACpB,OAAO,CAAC,IAAI,CAAC;SACb,QAAQ,CAAC,kFAAkF,CAAC;CAChG,CAAC;AAEF;yEACyE;AAC5D,QAAA,aAAa,GAAG;IAC3B,OAAO,EAAE,OAAC;SACP,OAAO,CAAC,IAAI,CAAC;SACb,QAAQ,CACP,uGAAuG,CACxG;CACJ,CAAC"}

package/dist/http/index.js

@@ -0,0 +1,138 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = __importDefault(require("express"));
+const crypto_1 = require("crypto");
+const streamableHttp_js_1 = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const http_1 = require("../client/http");
+const _register_1 = require("../tools/_register");
+const version_1 = require("../util/version");
+const PORT = parseInt(process.env.PORT || '3210', 10);
+const HOST = process.env.HOST || '127.0.0.1';
+const API_BASE = (process.env.OTWA_API_BASE?.trim() || 'https://api.otwa.cloud').replace(/\/+$/, '');
+const app = (0, express_1.default)();
+app.disable('x-powered-by');
+app.set('trust proxy', 'loopback');
+app.use(express_1.default.json({ limit: '1mb' }));
+const pkg = (0, version_1.packageInfo)();
+app.get('/healthz', (_req, res) => {
+    res.json({ ok: true, service: pkg.name, version: pkg.version, apiBase: API_BASE });
+});
+app.get('/', (_req, res) => {
+    res.json({
+        name: pkg.name,
+        version: pkg.version,
+        transport: 'streamable-http',
+        docs: 'https://otwa.cloud/docs/mcp',
+        endpoints: {
+            mcp: 'POST /mcp',
+            health: 'GET /healthz',
+        },
+        auth: 'Bearer otwa_… (from https://otwa.cloud/dashboard/settings/api-keys)',
+    });
+});
+function extractBearer(req) {
+    const raw = req.header('authorization') || req.header('Authorization');
+    if (!raw)
+        return null;
+    const m = /^Bearer\s+(.+)$/.exec(raw.trim());
+    return m && m[1] ? m[1].trim() : null;
+}
+/** Stateless Streamable HTTP — every request gets a fresh McpServer + transport,
+ *  scoped to the caller's API key. No session state lives on the server, so we
+ *  scale horizontally without sticky sessions and a leaked session id is useless. */
+app.post('/mcp', async (req, res) => {
+    const apiKey = extractBearer(req);
+    if (!apiKey) {
+        res.status(401).json({
+            jsonrpc: '2.0',
+            error: {
+                code: -32001,
+                message: 'Missing Authorization header. Set "Authorization: Bearer otwa_…" with an API key from ' +
+                    'https://otwa.cloud/dashboard/settings/api-keys',
+            },
+            id: null,
+        });
+        return;
+    }
+    if (!apiKey.startsWith('otwa_')) {
+        res.status(401).json({
+            jsonrpc: '2.0',
+            error: {
+                code: -32001,
+                message: 'Bearer token does not look like an otwa.cloud API key (expected prefix "otwa_").',
+            },
+            id: null,
+        });
+        return;
+    }
+    const transport = new streamableHttp_js_1.StreamableHTTPServerTransport({
+        sessionIdGenerator: undefined,
+        enableJsonResponse: true,
+    });
+    const server = new mcp_js_1.McpServer({ name: pkg.name, version: pkg.version });
+    const client = new http_1.OtwaClient({ apiKey, apiBase: API_BASE });
+    (0, _register_1.registerAllTools)(server, client);
+    res.on('close', () => {
+        transport.close().catch(() => { });
+        server.close().catch(() => { });
+    });
+    try {
+        await server.connect(transport);
+        await transport.handleRequest(req, res, req.body);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`[otwa-mcp-http] handler error: ${msg}\n`);
+        if (!res.headersSent) {
+            res.status(500).json({
+                jsonrpc: '2.0',
+                error: { code: -32603, message: `Internal error: ${msg}` },
+                id: null,
+            });
+        }
+    }
+});
+// GET /mcp and DELETE /mcp are part of the Streamable HTTP spec for stateful
+// servers (session resumption + termination). We're stateless — refuse them
+// with the spec-compliant error so clients know not to bother.
+app.get('/mcp', (_req, res) => {
+    res.status(405).json({
+        jsonrpc: '2.0',
+        error: { code: -32000, message: 'Method Not Allowed. This server is stateless — use POST /mcp.' },
+        id: null,
+    });
+});
+app.delete('/mcp', (_req, res) => {
+    res.status(405).json({
+        jsonrpc: '2.0',
+        error: { code: -32000, message: 'Method Not Allowed. This server is stateless.' },
+        id: null,
+    });
+});
+app.use((req, res) => {
+    res.status(404).json({ error: 'not_found', path: req.path });
+});
+const reqId = () => (0, crypto_1.randomUUID)();
+app.use((err, req, res, _next) => {
+    const id = reqId();
+    process.stderr.write(`[otwa-mcp-http] ${id} ${req.method} ${req.path}: ${err.stack || err.message}\n`);
+    if (!res.headersSent) {
+        res.status(500).json({ error: 'internal_error', requestId: id });
+    }
+});
+const httpServer = app.listen(PORT, HOST, () => {
+    process.stdout.write(`[otwa-mcp-http] ${pkg.name} ${pkg.version} listening on ${HOST}:${PORT} (API base: ${API_BASE})\n`);
+});
+const shutdown = (signal) => {
+    process.stderr.write(`[otwa-mcp-http] shutdown on ${signal}\n`);
+    httpServer.close(() => process.exit(0));
+    setTimeout(() => process.exit(1), 5_000).unref();
+};
+process.on('SIGINT', () => shutdown('SIGINT'));
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+//# sourceMappingURL=index.js.map

package/dist/http/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/http/index.ts"],"names":[],"mappings":";;;;;;AACA,sDAA8B;AAE9B,mCAAoC;AACpC,0FAAmG;AACnG,oEAAoE;AACpE,yCAA4C;AAC5C,kDAAsD;AACtD,6CAA8C;AAE9C,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;AACtD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,WAAW,CAAC;AAC7C,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,IAAI,wBAAwB,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAErG,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;AACtB,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;AAC5B,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;AACnC,GAAG,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;AAExC,MAAM,GAAG,GAAG,IAAA,qBAAW,GAAE,CAAC;AAE1B,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;IACnD,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;AACrF,CAAC,CAAC,CAAC;AAEH,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;IAC5C,GAAG,CAAC,IAAI,CAAC;QACP,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,SAAS,EAAE,iBAAiB;QAC5B,IAAI,EAAE,6BAA6B;QACnC,SAAS,EAAE;YACT,GAAG,EAAE,WAAW;YAChB,MAAM,EAAE,cAAc;SACvB;QACD,IAAI,EAAE,qEAAqE;KAC5E,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACvE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACxC,CAAC;AAED;;qFAEqF;AACrF,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACrD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,CAAC,KAAK;gBACZ,OAAO,EACL,wFAAwF;oBACxF,gDAAgD;aACnD;YACD,EAAE,EAAE,IAAI;SACT,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,CAAC,KAAK;gBACZ,OAAO,EAAE,kFAAkF;aAC5F;YACD,EAAE,EAAE,IAAI;SACT,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,iDAA6B,CAAC;QAClD,kBAAkB,EAAE,SAAS;QAC7B,kBAAkB,EAAE,IAAI;KACzB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,kBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,IAAI,iBAAU,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC7D,IAAA,4BAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QACnB,SAAS,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;IACpD,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,CAAC;QAChE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,GAAG,EAAE,EAAE;gBAC1D,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,6EAA6E;AAC7E,4EAA4E;AAC5E,+DAA+D;AAC/D,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;IAC/C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,+DAA+D,EAAE;QACjG,EAAE,EAAE,IAAI;KACT,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AACH,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;IAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,+CAA+C,EAAE;QACjF,EAAE,EAAE,IAAI;KACT,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,GAAG,CAAC,GAAG,CAAC,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;IACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;AAC/D,CAAC,CAAC,CAAC;AAEH,MAAM,KAAK,GAAG,GAAW,EAAE,CAAC,IAAA,mBAAU,GAAE,CAAC;AACzC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAU,EAAE,GAAY,EAAE,GAAa,EAAE,KAA2B,EAAE,EAAE;IAC/E,MAAM,EAAE,GAAG,KAAK,EAAE,CAAC;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACvG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;QACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;IACnE,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;IAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,mBAAmB,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,iBAAiB,IAAI,IAAI,IAAI,eAAe,QAAQ,KAAK,CACpG,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,MAAM,QAAQ,GAAG,CAAC,MAAc,EAAQ,EAAE;IACxC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,MAAM,IAAI,CAAC,CAAC;IAChE,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC;AACnD,CAAC,CAAC;AACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC/C,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC"}