@promptbook/cli 0.112.0-101 → 0.112.0-102

package/apps/agents-server/src/app/api/auth/shibboleth/login/route.ts

@@ -1,46 +1,70 @@
-import { NextRequest, NextResponse } from 'next/server';
+import { NextResponse } from 'next/server';
 import {
     createShibbolethSamlClient,
-    loadShibbolethConfiguration,
-    logShibbolethAuthenticationEvent,
-    resolveSafeShibbolethRelayState,
-    ShibbolethConfigurationError,
+    getShibbolethRequestDetails,
+    recordShibbolethAuthenticationAttempt,
+    resolveShibbolethAuthenticationConfiguration,
+    sanitizeShibbolethRelayState,
 } from '../../../../../utils/shibbolethAuthentication';
 
-/**
- * Forces this route to run in Node.js because node-saml depends on Node crypto/zlib APIs.
- */
-export const runtime = 'nodejs';
-
 /**
  * Handles get.
  */
-export async function GET(request: NextRequest) {
-    const configuration = await loadShibbolethConfiguration(request);
+export async function GET(request: Request) {
+    const requestDetails = getShibbolethRequestDetails(request);
+    const relayState = sanitizeShibbolethRelayState(new URL(request.url).searchParams.get('returnTo'));
 
-    if (!configuration.isEnabled) {
-        logShibbolethAuthenticationEvent('login_rejected_disabled');
-        return NextResponse.json({ error: 'Shibboleth authentication is not enabled.' }, { status: 404 });
-    }
-
-    if (!configuration.isConfigured) {
-        const error = new ShibbolethConfigurationError(configuration.missingConfiguration);
-        logShibbolethAuthenticationEvent('login_rejected_incomplete_configuration', {
-            missingConfiguration: configuration.missingConfiguration,
+    try {
+        const configuration = await resolveShibbolethAuthenticationConfiguration({
+            requestUrl: request.url,
+            isIdentityProviderMetadataValidationEnabled: true,
         });
-        return NextResponse.json({ error: error.message }, { status: 503 });
-    }
 
-    const relayState = resolveSafeShibbolethRelayState(request.nextUrl.searchParams.get('redirectTo'));
-    const saml = createShibbolethSamlClient(configuration);
-    const redirectUrl = await saml.getAuthorizeUrlAsync(relayState, undefined, {});
+        if (!configuration.isActive) {
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'LOGIN_REQUEST',
+                status: 'REJECTED',
+                requestDetails,
+                relayState,
+                errorMessage: 'Shibboleth authentication is not active.',
+            });
+            return NextResponse.json({ error: 'Shibboleth authentication is not active.' }, { status: 404 });
+        }
 
-    logShibbolethAuthenticationEvent('login_redirect_created', {
-        issuer: configuration.issuer,
-        callbackUrl: configuration.callbackUrl,
-        entryPoint: configuration.entryPoint,
-        relayState,
-    });
+        if (!configuration.isConfigured) {
+            const errorMessage = configuration.errors.join(' ');
+            await recordShibbolethAuthenticationAttempt({
+                stage: 'LOGIN_REQUEST',
+                status: 'FAILED',
+                requestDetails,
+                relayState,
+                errorMessage,
+            });
+            return NextResponse.json({ error: errorMessage }, { status: 503 });
+        }
 
-    return NextResponse.redirect(redirectUrl);
+        const saml = createShibbolethSamlClient(configuration);
+        const authorizeUrl = await saml.getAuthorizeUrlAsync(relayState, undefined, {});
+
+        await recordShibbolethAuthenticationAttempt({
+            stage: 'LOGIN_REQUEST',
+            status: 'REDIRECTED',
+            requestDetails,
+            relayState,
+        });
+
+        return NextResponse.redirect(authorizeUrl);
+    } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Failed to start Shibboleth authentication.';
+        await recordShibbolethAuthenticationAttempt({
+            stage: 'LOGIN_REQUEST',
+            status: 'FAILED',
+            requestDetails,
+            relayState,
+            errorMessage,
+        });
+
+        console.error('Shibboleth login start error:', error);
+        return NextResponse.json({ error: errorMessage }, { status: 500 });
+    }
 }

package/apps/agents-server/src/app/api/auth/shibboleth/metadata/route.ts

@@ -1,40 +1,15 @@
-import { NextRequest, NextResponse } from 'next/server';
-import {
-    createShibbolethServiceProviderMetadata,
-    loadShibbolethConfiguration,
-    logShibbolethAuthenticationEvent,
-} from '../../../../../utils/shibbolethAuthentication';
-
-/**
- * Forces this route to run in Node.js because node-saml metadata generation depends on Node APIs.
- */
-export const runtime = 'nodejs';
+import { NextResponse } from 'next/server';
+import { createShibbolethServiceProviderMetadataXml } from '../../../../../utils/shibbolethAuthentication';
 
 /**
  * Handles get.
  */
-export async function GET(request: NextRequest) {
-    const configuration = await loadShibbolethConfiguration(request);
-
-    if (!configuration.isEnabled || !configuration.issuer || !configuration.callbackUrl) {
-        logShibbolethAuthenticationEvent('metadata_rejected_disabled');
-        return NextResponse.json({ error: 'Shibboleth authentication is not enabled.' }, { status: 404 });
-    }
-
-    const metadataXml = createShibbolethServiceProviderMetadata({
-        issuer: configuration.issuer,
-        callbackUrl: configuration.callbackUrl,
-    });
-
-    logShibbolethAuthenticationEvent('metadata_served', {
-        issuer: configuration.issuer,
-        callbackUrl: configuration.callbackUrl,
-    });
+export async function GET(request: Request) {
+    const metadataXml = await createShibbolethServiceProviderMetadataXml(request.url);
 
     return new NextResponse(metadataXml, {
         headers: {
             'Content-Type': 'application/samlmetadata+xml; charset=utf-8',
-            'Cache-Control': 'no-store',
         },
     });
 }

package/apps/agents-server/src/app/api/auth/shibboleth/status/route.ts

@@ -0,0 +1,17 @@
+import { NextResponse } from 'next/server';
+import { resolveShibbolethAuthenticationConfiguration } from '../../../../../utils/shibbolethAuthentication';
+
+/**
+ * Handles get.
+ */
+export async function GET(request: Request) {
+    const configuration = await resolveShibbolethAuthenticationConfiguration({
+        requestUrl: request.url,
+        isIdentityProviderMetadataValidationEnabled: false,
+    });
+
+    return NextResponse.json({
+        isActive: configuration.isActive,
+        isConfigured: configuration.isConfigured,
+    });
+}

package/apps/agents-server/src/app/api/upload/route.ts

@@ -1,10 +1,15 @@
 import { $getTableName } from '@/src/database/$getTableName';
 import { $provideSupabase } from '@/src/database/$provideSupabase';
+import { $provideUntrackedCdnForServer } from '@/src/tools/$provideCdnForServer';
+import { getSafeCdnPath } from '@/src/utils/cdn/utils/getSafeCdnPath';
 import { serializeError } from '@promptbook-local/utils';
 import type { PostgrestSingleResponse, SupabaseClient } from '@supabase/supabase-js';
 import { handleUpload, type HandleUploadBody } from '@vercel/blob/client';
 import { NextRequest, NextResponse } from 'next/server';
 import { assertsError } from '../../../../../../src/errors/assertsError';
+import { DatabaseError } from '../../../../../../src/errors/DatabaseError';
+import { LimitReachedError } from '../../../../../../src/errors/LimitReachedError';
+import { NotAllowed } from '../../../../../../src/errors/NotAllowed';
 import { getUserIdFromRequest } from '../../../../src/utils/getUserIdFromRequest';
 import type { AgentsServerDatabase } from '../../../database/schema';
 import { FILE_SECURITY_CHECKERS } from '../../../file-security-checkers';
@@ -48,6 +53,41 @@ const DEFAULT_UPLOAD_CONTENT_TYPE = 'application/octet-stream';
  */
 const MIME_TYPE_PATTERN = /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/i;
 
+/**
+ * Form-data field containing the uploaded file for S3-backed server uploads.
+ *
+ * @private
+ */
+const SERVER_ROUTED_UPLOAD_FILE_FIELD = 'file';
+
+/**
+ * Form-data field containing the requested CDN object key for S3-backed server uploads.
+ *
+ * @private
+ */
+const SERVER_ROUTED_UPLOAD_PATHNAME_FIELD = 'pathname';
+
+/**
+ * Form-data field containing upload purpose for S3-backed server uploads.
+ *
+ * @private
+ */
+const SERVER_ROUTED_UPLOAD_PURPOSE_FIELD = 'purpose';
+
+/**
+ * Form-data field containing content type for S3-backed server uploads.
+ *
+ * @private
+ */
+const SERVER_ROUTED_UPLOAD_CONTENT_TYPE_FIELD = 'contentType';
+
+/**
+ * Multipart content type prefix used by server-routed S3 uploads.
+ *
+ * @private
+ */
+const MULTIPART_FORM_DATA_CONTENT_TYPE = 'multipart/form-data';
+
 /**
  * Safely parses a JSON string into an object; returns empty object on invalid payload.
  *
@@ -119,11 +159,200 @@ function resolveUploadClientPayload(clientPayload: string | null | undefined): {
     };
 }
 
+/**
+ * Checks whether the upload request uses the server-routed multipart protocol.
+ *
+ * @private
+ */
+function isServerRoutedUploadRequest(request: NextRequest): boolean {
+    return (request.headers.get('content-type') || '').toLowerCase().includes(MULTIPART_FORM_DATA_CONTENT_TYPE);
+}
+
+/**
+ * Reads a string field from multipart form data.
+ *
+ * @private
+ */
+function getFormDataString(formData: FormData, fieldName: string): string | null {
+    const value = formData.get(fieldName);
+
+    return typeof value === 'string' ? value : null;
+}
+
+/**
+ * Normalizes a client-provided CDN pathname into a relative object key.
+ *
+ * @private
+ */
+function normalizeServerUploadPathname(value: unknown, fallbackFilename: string): string {
+    const rawPathname = typeof value === 'string' ? value : fallbackFilename;
+    const normalizedPathname = rawPathname
+        .trim()
+        .replace(/\\/g, '/')
+        .replace(/^\/+/g, '')
+        .replace(/\/+/g, '/');
+
+    if (!normalizedPathname || normalizedPathname.split('/').includes('..')) {
+        throw new NotAllowed('Upload pathname must be a safe relative CDN path.');
+    }
+
+    return getSafeCdnPath({ pathname: normalizedPathname });
+}
+
+/**
+ * Runs configured file-security checks for an uploaded public URL.
+ *
+ * @private
+ */
+async function checkUploadedFileSecurity(storageUrl: string): Promise<Record<string, unknown>> {
+    const securityResults: Record<string, unknown> = {};
+
+    for (const checkerId in FILE_SECURITY_CHECKERS) {
+        try {
+            const checker = FILE_SECURITY_CHECKERS[checkerId]!;
+            console.info(`🛡️ Checking file security with ${checker.title} (${storageUrl})...`);
+            const result = await checker.checkFile(storageUrl);
+            securityResults[checkerId] = result;
+            console.info(`🛡️ Security check result from ${checker.title}:`, result.status);
+        } catch (error) {
+            console.error(`🛡️ Security check failed for ${checkerId}:`, error);
+            securityResults[checkerId] = {
+                isSafe: false,
+                status: 'ERROR',
+                confidence: 0,
+                message: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+
+    return securityResults;
+}
+
+/**
+ * Inserts a completed file row for a server-routed upload.
+ *
+ * @private
+ */
+async function insertCompletedUploadFileRecord(options: {
+    supabase: SupabaseClient<AgentsServerDatabase>;
+    userId: number | null;
+    fileName: string;
+    fileSize: number;
+    fileType: string;
+    storageUrl: string;
+    purpose: string;
+    securityResult: AgentsServerDatabase['public']['Tables']['File']['Insert']['securityResult'];
+}): Promise<number | null> {
+    const {
+        supabase,
+        userId,
+        fileName,
+        fileSize,
+        fileType,
+        storageUrl,
+        purpose,
+        securityResult,
+    } = options;
+    const { data, error }: PostgrestSingleResponse<Pick<AgentsServerDatabase['public']['Tables']['File']['Row'], 'id'>> =
+        await supabase
+            .from(await $getTableName('File'))
+            .insert({
+                userId,
+                fileName,
+                fileSize,
+                fileType,
+                storageUrl,
+                shortUrl: null,
+                purpose,
+                status: 'COMPLETED',
+                securityResult,
+            })
+            .select('id')
+            .single();
+
+    if (error) {
+        throw new DatabaseError(`Failed to create completed file record: ${error.message}`);
+    }
+
+    return data?.id ?? null;
+}
+
+/**
+ * Handles direct multipart uploads for S3-compatible storage backends.
+ *
+ * @private
+ */
+async function handleServerRoutedUpload(request: NextRequest): Promise<NextResponse> {
+    const formData = await request.formData();
+    const uploadFile = formData.get(SERVER_ROUTED_UPLOAD_FILE_FIELD);
+
+    if (!(uploadFile instanceof File)) {
+        throw new NotAllowed('Upload request must contain a file.');
+    }
+
+    const userId = await getUserIdFromRequest(request);
+    const purpose = normalizeUploadPurpose(getFormDataString(formData, SERVER_ROUTED_UPLOAD_PURPOSE_FIELD));
+    const contentType = normalizeUploadContentType(
+        getFormDataString(formData, SERVER_ROUTED_UPLOAD_CONTENT_TYPE_FIELD) || uploadFile.type,
+    );
+    const pathname = normalizeServerUploadPathname(
+        getFormDataString(formData, SERVER_ROUTED_UPLOAD_PATHNAME_FIELD),
+        uploadFile.name,
+    );
+    const maxFileSize = await getMaxFileUploadSizeBytes();
+
+    if (uploadFile.size > maxFileSize) {
+        throw new LimitReachedError(`Uploaded file exceeds the configured maximum size of ${maxFileSize} bytes.`);
+    }
+
+    const buffer = Buffer.from(await uploadFile.arrayBuffer());
+    if (buffer.byteLength > maxFileSize) {
+        throw new LimitReachedError(`Uploaded file exceeds the configured maximum size of ${maxFileSize} bytes.`);
+    }
+
+    const cdn = $provideUntrackedCdnForServer();
+    await cdn.setItem(pathname, {
+        type: contentType,
+        data: buffer,
+        userId: userId || undefined,
+        purpose,
+        fileSize: buffer.byteLength,
+    });
+
+    const storageUrl = cdn.getItemUrl(pathname).href;
+    const securityResults = await checkUploadedFileSecurity(storageUrl);
+    const securityResultForDatabase =
+        securityResults as AgentsServerDatabase['public']['Tables']['File']['Insert']['securityResult'];
+    const supabase: SupabaseClient<AgentsServerDatabase> = $provideSupabase();
+    const fileId = await insertCompletedUploadFileRecord({
+        supabase,
+        userId: userId || null,
+        fileName: pathname,
+        fileSize: buffer.byteLength,
+        fileType: contentType,
+        storageUrl,
+        purpose,
+        securityResult: securityResultForDatabase,
+    });
+
+    return NextResponse.json({
+        url: storageUrl,
+        pathname,
+        fileId,
+        contentType,
+        size: buffer.byteLength,
+    });
+}
+
 /**
  * Handles post.
  */
 export async function POST(request: NextRequest) {
     try {
+        if (isServerRoutedUploadRequest(request)) {
+            return await handleServerRoutedUpload(request);
+        }
+
         const body = (await request.json()) as HandleUploadBody;
         const userId = await getUserIdFromRequest(request);
         const supabase: SupabaseClient<AgentsServerDatabase> = $provideSupabase();
@@ -209,26 +438,9 @@ export async function POST(request: NextRequest) {
                     const supabase = $provideSupabase();
 
                     // Security checks
-                    const securityResults: Record<string, unknown> = {};
+                    const securityResults = await checkUploadedFileSecurity(blob.url);
                     const securityResultForDatabase =
                         securityResults as AgentsServerDatabase['public']['Tables']['File']['Update']['securityResult'];
-                    for (const checkerId in FILE_SECURITY_CHECKERS) {
-                        try {
-                            const checker = FILE_SECURITY_CHECKERS[checkerId]!;
-                            console.info(`🛡️ Checking file security with ${checker.title} (${blob.url})...`);
-                            const result = await checker.checkFile(blob.url);
-                            securityResults[checkerId] = result;
-                            console.info(`🛡️ Security check result from ${checker.title}:`, result.status);
-                        } catch (error) {
-                            console.error(`🛡️ Security check failed for ${checkerId}:`, error);
-                            securityResults[checkerId] = {
-                                isSafe: false,
-                                status: 'ERROR',
-                                confidence: 0,
-                                message: error instanceof Error ? error.message : String(error),
-                            };
-                        }
-                    }
 
                     if (fileId) {
                         // Update the existing record by ID

package/apps/agents-server/src/app/api/users/[username]/route.ts

@@ -34,7 +34,7 @@ export async function PATCH(request: Request, { params }: { params: Promise<{ us
             .from(await $getTableName('User'))
             .update(updates)
             .eq('username', usernameParam)
-            .select('id, username, createdAt, updatedAt, isAdmin')
+            .select('*')
             .single();
 
         if (error) {

package/apps/agents-server/src/app/api/users/route.ts

@@ -16,7 +16,7 @@ export async function GET() {
         const supabase = $provideSupabaseForServer();
         const { data: users, error } = await supabase
             .from(await $getTableName('User'))
-            .select('id, username, createdAt, updatedAt, isAdmin')
+            .select('*')
             .order('username');
 
         if (error) {
@@ -58,18 +58,18 @@ export async function POST(request: Request) {
                 createdAt: new Date().toISOString(),
                 updatedAt: new Date().toISOString(),
             })
-            .select('id, username, createdAt, updatedAt, isAdmin')
+            .select('*')
             .single();
 
         if (error) {
-            if (error.code === '23505') { // unique_violation
-                 return NextResponse.json({ error: 'Username already exists' }, { status: 409 });
+            if (error.code === '23505') {
+                // unique_violation
+                return NextResponse.json({ error: 'Username already exists' }, { status: 409 });
             }
             throw error;
         }
 
         return NextResponse.json(newUser);
-
     } catch (error) {
         console.error('Create user error:', error);
         const passwordValidationMessage = getPasswordValidationMessage(error);

package/apps/agents-server/src/app/dashboard/page.tsx

@@ -56,7 +56,7 @@ export default async function DashboardPage() {
     const host = (await headers()).get('host') || 'unknown';
 
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div className="container mx-auto px-4 py-16">
                 <HomepagePrimarySections
                     agents={agents}

package/apps/agents-server/src/app/docs/[docId]/page.tsx

@@ -32,7 +32,7 @@ export default async function DocPage(props: DocPageProps) {
     const { primary, aliases } = group;
 
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div className="container mx-auto px-4 py-16">
                 <DocsToolbar />
                 <PrintHeader title={primary.type} />

package/apps/agents-server/src/app/docs/page.tsx

@@ -19,7 +19,7 @@ export default function DocsPage() {
     const groupedCommitments = getVisibleCommitmentDefinitions();
 
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div className="container mx-auto px-4 py-16">
                 <DocsToolbar />
                 <PrintHeader title="Full Documentation" />

package/apps/agents-server/src/app/globals.css

@@ -640,6 +640,26 @@ html.dark .agent-chat-route-surface .agent-chat-sidebar-toggle.agent-chat-solid-
     box-shadow: 0 20px 38px rgba(2, 6, 23, 0.6), inset 1px 0 0 rgba(191, 219, 254, 0.18);
 }
 
+html.dark .agent-chat-sidebar-item-active {
+    border-color: rgba(125, 211, 252, 0.52) !important;
+    background: linear-gradient(145deg, rgba(8, 47, 73, 0.88), rgba(15, 23, 42, 0.96)) !important;
+    color: #e0f2fe !important;
+    box-shadow: 0 14px 30px rgba(2, 6, 23, 0.4), inset 0 0 0 1px rgba(125, 211, 252, 0.16) !important;
+}
+
+html.dark .agent-chat-sidebar-item-active .agent-chat-sidebar-item-preview-card {
+    border-color: rgba(125, 211, 252, 0.34) !important;
+    background: rgba(15, 23, 42, 0.82) !important;
+}
+
+html.dark .agent-chat-sidebar-item-active .agent-chat-sidebar-item-title {
+    color: #f8fafc !important;
+}
+
+html.dark .agent-chat-sidebar-item-active .agent-chat-sidebar-item-preview {
+    color: #bae6fd !important;
+}
+
 .agent-chat-route-surface .chat-scrollToBottom.chat-scrollToBottom + [role='status'] {
     top: auto;
     right: auto;
@@ -807,6 +827,36 @@ html.dark .bg-slate-100\/80 {
     background-color: #111827 !important;
 }
 
+html.dark .bg-gray-200,
+html.dark .bg-slate-200 {
+    background-color: rgba(30, 41, 59, 0.92) !important;
+}
+
+html.dark .bg-gray-300,
+html.dark .bg-slate-300 {
+    background-color: rgba(51, 65, 85, 0.94) !important;
+}
+
+html.dark .bg-blue-50,
+html.dark .bg-blue-100 {
+    background-color: rgba(30, 64, 175, 0.24) !important;
+}
+
+html.dark .bg-amber-50,
+html.dark .bg-amber-100 {
+    background-color: rgba(120, 53, 15, 0.28) !important;
+}
+
+html.dark .bg-red-50,
+html.dark .bg-red-100 {
+    background-color: rgba(127, 29, 29, 0.3) !important;
+}
+
+html.dark .bg-emerald-50,
+html.dark .bg-emerald-100 {
+    background-color: rgba(6, 78, 59, 0.28) !important;
+}
+
 html.dark .border-gray-100,
 html.dark .border-gray-200,
 html.dark .border-slate-100,
@@ -844,9 +894,34 @@ html.dark .text-slate-400 {
     color: #64748b !important;
 }
 
+html.dark .text-blue-600,
+html.dark .text-blue-700,
+html.dark .hover\:text-blue-700:hover {
+    color: #93c5fd !important;
+}
+
+html.dark .text-amber-700,
+html.dark .text-amber-800,
+html.dark .text-amber-900 {
+    color: #fcd34d !important;
+}
+
+html.dark .text-red-600,
+html.dark .text-red-700,
+html.dark .text-red-800,
+html.dark .text-red-900 {
+    color: #fca5a5 !important;
+}
+
+html.dark .text-emerald-600,
+html.dark .text-emerald-700 {
+    color: #86efac !important;
+}
+
 html.dark .hover\:bg-white:hover,
 html.dark .hover\:bg-gray-50:hover,
 html.dark .hover\:bg-gray-100:hover,
+html.dark .hover\:bg-gray-300:hover,
 html.dark .hover\:bg-slate-50:hover,
 html.dark .hover\:bg-slate-100:hover {
     background-color: #0f172a !important;
@@ -864,6 +939,31 @@ html.dark .hover\:border-slate-400:hover {
     border-color: rgba(125, 211, 252, 0.45) !important;
 }
 
+html.dark input:not([type='checkbox']):not([type='radio']):not([type='range']),
+html.dark textarea,
+html.dark select {
+    background-color: #0f172a;
+    color: #e2e8f0;
+    border-color: rgba(71, 85, 105, 0.92);
+}
+
+html.dark input:not([type='checkbox']):not([type='radio']):not([type='range'])::placeholder,
+html.dark textarea::placeholder {
+    color: #94a3b8;
+}
+
+html.dark input:not([type='checkbox']):not([type='radio']):not([type='range']):disabled,
+html.dark textarea:disabled,
+html.dark select:disabled {
+    background-color: #111827;
+    color: #64748b;
+}
+
+html.dark option {
+    background-color: #0f172a;
+    color: #e2e8f0;
+}
+
 html.dark .prose {
     color: #cbd5e1;
 }