@tom2012/cc-web 2026.5.20-b → 2026.5.24-b

package/backend/dist/routes/browser-proxy.d.ts

@@ -0,0 +1,43 @@
+import { Router } from 'express';
+declare const router: Router;
+interface ParsedHostport {
+    host: string;
+    port: number;
+}
+export declare function parseHostport(raw: string): ParsedHostport | null;
+/**
+ * Allowlist check on a literal IPv4/IPv6 address. Unlike notify-service's
+ * isPrivateAddress (which is a deny-list for outbound webhooks and uses
+ * loose startsWith on the *hostname*), this is strictly numeric and refuses
+ * the cloud-metadata link-local addresses even though they're RFC1918.
+ */
+export declare function isAllowedProxyIp(addr: string): boolean;
+/**
+ * Resolve hostname to a single IP (or accept literal IP) and confirm it's
+ * in the allowed private range. Returns the resolved IP to pin against
+ * DNS-rebinding TOCTOU: callers fetch by IP, not by hostname.
+ */
+export declare function resolveAllowedTarget(host: string): Promise<string | null>;
+/**
+ * Strip `_bp_tok=<jwt>` from a subPath string ("/foo/bar?x=1&_bp_tok=...&y=2#z")
+ * so the upstream never sees the session token. Idempotent: missing token
+ * is a no-op. Handles token in any query position and an empty resulting
+ * query (leaves no orphan "?").
+ */
+export declare function stripTokenFromSubPath(subPath: string): string;
+/**
+ * Rewrite root-relative absolute paths (src/href/action="/...") through
+ * this proxy. Also strip any upstream `<base href="...">` so the original
+ * declaration cannot redirect relative resolution back out to the bare
+ * ccweb origin. Each rewritten URL carries the session token so the iframe
+ * can fetch it without relying on cookies that the sandbox would drop.
+ * Protocol-relative and relative paths are untouched — relative URLs are
+ * resolved by the browser against the iframe URL (which already has the
+ * token in its query), and the browser preserves that query on the resolved
+ * URL? No — relative resolution does NOT inherit query. So relative paths
+ * within the page will appear without the token. They will fail. v0 limit.
+ */
+export declare function rewriteHtml(html: string, prefix: string, token: string): string;
+export declare function rewriteLocationHeader(loc: string, parsed: ParsedHostport, mountPrefix: string, token: string): string;
+export default router;
+//# sourceMappingURL=browser-proxy.d.ts.map

package/backend/dist/routes/browser-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-proxy.d.ts","sourceRoot":"","sources":["../../src/routes/browser-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAA0B,MAAM,SAAS,CAAC;AAUzD,QAAA,MAAM,MAAM,EAAE,MAAiB,CAAC;AAoDhC,UAAU,cAAc;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI,CAShE;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAetD;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAa/E;AAWD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAa7D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAU/E;AAED,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,cAAc,EACtB,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,GACZ,MAAM,CAoBR;AAgLD,eAAe,MAAM,CAAC"}

package/backend/dist/routes/browser-proxy.js

@@ -0,0 +1,400 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseHostport = parseHostport;
+exports.isAllowedProxyIp = isAllowedProxyIp;
+exports.resolveAllowedTarget = resolveAllowedTarget;
+exports.stripTokenFromSubPath = stripTokenFromSubPath;
+exports.rewriteHtml = rewriteHtml;
+exports.rewriteLocationHeader = rewriteLocationHeader;
+const express_1 = require("express");
+const dns = __importStar(require("dns/promises"));
+const net = __importStar(require("net"));
+const jwt = __importStar(require("jsonwebtoken"));
+const auth_1 = require("../auth");
+const config_1 = require("../config");
+const logger_1 = require("../logger");
+const log = (0, logger_1.modLogger)('browser-proxy');
+const router = (0, express_1.Router)();
+const BLOCKED_PORTS = new Set([
+    22, 23, 25, 110, 143, 465, 587, 993, 995,
+    2049, 3389, 5432, 5984, 6379, 9200, 11211, 27017,
+]);
+const STRIPPED_RESPONSE_HEADERS = new Set([
+    'x-frame-options',
+    'frame-options',
+    'content-security-policy',
+    'content-security-policy-report-only',
+    'cross-origin-opener-policy',
+    'cross-origin-embedder-policy',
+    'cross-origin-resource-policy',
+    'set-cookie',
+    'content-length',
+    'transfer-encoding',
+    'content-encoding',
+    // P1 (codex review): upstream must not be able to clobber ccweb's
+    // own cookies/storage or register service workers on the daemon origin.
+    'clear-site-data',
+    'service-worker-allowed',
+    'permissions-policy',
+    'feature-policy',
+]);
+// CSP sandbox without allow-same-origin forces an opaque origin even for
+// same-origin iframes — proxied page JS cannot reach ccweb's localStorage
+// / IndexedDB / cookies. Pair with the `<iframe sandbox>` attribute on the
+// frontend so a direct GET to /api/browser-proxy/... in another tab is
+// also opaque.
+const PROXY_HTML_CSP = "sandbox allow-scripts allow-forms allow-popups";
+const MAX_PROXY_SIZE = 16 * 1024 * 1024;
+const UPSTREAM_TIMEOUT_MS = 15000;
+// Cloud metadata services + IPv4 link-local that should NEVER be reachable.
+// 169.254.169.254 = AWS/GCP/Azure metadata. 169.254.170.2 = ECS task role.
+const BLOCKED_IPS = new Set(['169.254.169.254', '169.254.170.2']);
+const BLOCKED_HOSTS = new Set(['metadata.google.internal', 'metadata']);
+// Session token presented as ?_bp_tok=<jwt> on every proxy GET. Cookies
+// would have been cleaner but a sandboxed iframe (no allow-same-origin)
+// is treated as opaque origin → SameSite=Lax cookies are NOT sent on
+// subresource requests originating inside the iframe. The query-param
+// approach trades access-log exposure for working sandboxed iframes.
+// Token is stripped before the URL is forwarded upstream so it never
+// reaches the proxied site.
+const TOKEN_QUERY_PARAM = '_bp_tok';
+const SESSION_MAX_AGE_SEC = 60 * 60;
+function parseHostport(raw) {
+    // v0: http only. IPv6 literals out of scope (path-segment ambiguity).
+    const m = raw.match(/^([a-zA-Z0-9.\-_]+):(\d{1,5})$/);
+    if (!m)
+        return null;
+    const host = m[1].toLowerCase();
+    const port = Number(m[2]);
+    if (!Number.isInteger(port) || port < 1 || port > 65535)
+        return null;
+    if (BLOCKED_PORTS.has(port))
+        return null;
+    return { host, port };
+}
+/**
+ * Allowlist check on a literal IPv4/IPv6 address. Unlike notify-service's
+ * isPrivateAddress (which is a deny-list for outbound webhooks and uses
+ * loose startsWith on the *hostname*), this is strictly numeric and refuses
+ * the cloud-metadata link-local addresses even though they're RFC1918.
+ */
+function isAllowedProxyIp(addr) {
+    const a = addr.replace(/^\[|\]$/g, '').toLowerCase();
+    const mapped = a.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
+    if (mapped)
+        return isAllowedProxyIp(mapped[1]);
+    // Reject anything that isn't a real IP — without this `10.evil.com`
+    // would match the `/^10\./` prefix below and slip through.
+    if (!net.isIP(a))
+        return false;
+    if (BLOCKED_IPS.has(a))
+        return false;
+    if (a === '0.0.0.0' || a === '::1')
+        return true;
+    if (/^127\./.test(a))
+        return true;
+    if (/^10\./.test(a))
+        return true;
+    if (/^192\.168\./.test(a))
+        return true;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(a))
+        return true;
+    if (/^fc/.test(a) || /^fd/.test(a))
+        return true; // ULA v6
+    return false;
+}
+/**
+ * Resolve hostname to a single IP (or accept literal IP) and confirm it's
+ * in the allowed private range. Returns the resolved IP to pin against
+ * DNS-rebinding TOCTOU: callers fetch by IP, not by hostname.
+ */
+async function resolveAllowedTarget(host) {
+    const h = host.replace(/\.$/, '').toLowerCase();
+    if (BLOCKED_HOSTS.has(h))
+        return null;
+    if (h === 'localhost')
+        return '127.0.0.1';
+    if (net.isIP(h))
+        return isAllowedProxyIp(h) ? h : null;
+    try {
+        const records = await dns.lookup(h, { all: true, verbatim: true });
+        if (records.length === 0)
+            return null;
+        if (!records.every((r) => isAllowedProxyIp(r.address)))
+            return null;
+        return records[0].address;
+    }
+    catch {
+        return null;
+    }
+}
+function appendToken(url, token) {
+    // Preserve fragment, insert token into query string.
+    const hashIdx = url.indexOf('#');
+    const hash = hashIdx >= 0 ? url.slice(hashIdx) : '';
+    const beforeHash = hashIdx >= 0 ? url.slice(0, hashIdx) : url;
+    const sep = beforeHash.includes('?') ? '&' : '?';
+    return `${beforeHash}${sep}${TOKEN_QUERY_PARAM}=${encodeURIComponent(token)}${hash}`;
+}
+/**
+ * Strip `_bp_tok=<jwt>` from a subPath string ("/foo/bar?x=1&_bp_tok=...&y=2#z")
+ * so the upstream never sees the session token. Idempotent: missing token
+ * is a no-op. Handles token in any query position and an empty resulting
+ * query (leaves no orphan "?").
+ */
+function stripTokenFromSubPath(subPath) {
+    const hashIdx = subPath.indexOf('#');
+    const hash = hashIdx >= 0 ? subPath.slice(hashIdx) : '';
+    const beforeHash = hashIdx >= 0 ? subPath.slice(0, hashIdx) : subPath;
+    const qIdx = beforeHash.indexOf('?');
+    if (qIdx < 0)
+        return subPath;
+    const pathPart = beforeHash.slice(0, qIdx);
+    const queryPart = beforeHash.slice(qIdx + 1);
+    const kept = queryPart
+        .split('&')
+        .filter((kv) => kv !== '' && !kv.startsWith(`${TOKEN_QUERY_PARAM}=`) && kv !== TOKEN_QUERY_PARAM);
+    const newQuery = kept.length > 0 ? `?${kept.join('&')}` : '';
+    return `${pathPart}${newQuery}${hash}`;
+}
+/**
+ * Rewrite root-relative absolute paths (src/href/action="/...") through
+ * this proxy. Also strip any upstream `<base href="...">` so the original
+ * declaration cannot redirect relative resolution back out to the bare
+ * ccweb origin. Each rewritten URL carries the session token so the iframe
+ * can fetch it without relying on cookies that the sandbox would drop.
+ * Protocol-relative and relative paths are untouched — relative URLs are
+ * resolved by the browser against the iframe URL (which already has the
+ * token in its query), and the browser preserves that query on the resolved
+ * URL? No — relative resolution does NOT inherit query. So relative paths
+ * within the page will appear without the token. They will fail. v0 limit.
+ */
+function rewriteHtml(html, prefix, token) {
+    return html
+        .replace(/<base\b[^>]*>/gi, '')
+        .replace(/\b(src|href|action)\s*=\s*(["'])\/(?!\/)([^"']*)\2/gi, (_, attr, quote, rest) => {
+        const rewritten = appendToken(`${prefix}/${rest}`, token);
+        return `${attr}=${quote}${rewritten}${quote}`;
+    });
+}
+function rewriteLocationHeader(loc, parsed, mountPrefix, token) {
+    try {
+        const absUrl = new URL(loc);
+        // Same scheme + same host + same port → safe to rewrite. Different
+        // scheme on the same host (e.g. http page issuing https:// redirect)
+        // is treated as cross-target and left untouched.
+        const expectedProto = 'http:';
+        const sameProto = absUrl.protocol === expectedProto;
+        const sameHost = absUrl.hostname.toLowerCase() === parsed.host;
+        const samePort = Number(absUrl.port || 80) === parsed.port;
+        if (sameProto && sameHost && samePort) {
+            return appendToken(`${mountPrefix}${absUrl.pathname}${absUrl.search}${absUrl.hash}`, token);
+        }
+        return loc;
+    }
+    catch {
+        if (loc.startsWith('/') && !loc.startsWith('//')) {
+            return appendToken(`${mountPrefix}${loc}`, token);
+        }
+        return loc;
+    }
+}
+function hasValidSessionToken(req) {
+    const token = req.query[TOKEN_QUERY_PARAM];
+    if (typeof token !== 'string' || !token)
+        return false;
+    try {
+        const config = (0, config_1.getConfig)();
+        const decoded = jwt.verify(token, config.jwtSecret);
+        return decoded.typ === 'browser-proxy' && typeof decoded.username === 'string';
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Explicit-Bearer admin gate. Deliberately does NOT fall back to localhost
+ * auto-auth: any same-machine browser can blind-CSRF /_session if we trust
+ * the socket address, which would let a malicious page mint cookies and
+ * then drive arbitrary GETs through /api/browser-proxy/. Caller must
+ * present a real admin JWT (the frontend already has one via
+ * /api/auth/local-token or /api/auth/login).
+ */
+function requireBearerAdmin(req, res, next) {
+    const authHeader = req.headers['authorization'];
+    if (!authHeader?.startsWith('Bearer ')) {
+        res.status(401).json({ error: 'Bearer token required' });
+        return;
+    }
+    const user = (0, auth_1.verifyToken)(authHeader.slice(7));
+    if (!user || !(0, config_1.isAdminUser)(user.username)) {
+        res.status(403).json({ error: 'Admin only' });
+        return;
+    }
+    req.user = user;
+    next();
+}
+/**
+ * Issues a short-lived JWT that the frontend attaches as ?_bp_tok=... to
+ * the iframe src. We deliberately do NOT use a cookie here — sandboxed
+ * iframes (no allow-same-origin) are treated as opaque origins, and Lax
+ * cookies are not sent on subresource requests originating inside such
+ * iframes. The query-param token is the only way to authenticate iframe
+ * subresource fetches without relaxing the sandbox.
+ */
+router.post('/_session', requireBearerAdmin, (req, res) => {
+    const config = (0, config_1.getConfig)();
+    const token = jwt.sign({ username: req.user?.username, typ: 'browser-proxy' }, config.jwtSecret, { expiresIn: `${SESSION_MAX_AGE_SEC}s` });
+    res.json({ token, maxAge: SESSION_MAX_AGE_SEC });
+});
+async function handle(req, res) {
+    // Trust ONLY the query-param session token. Route mounted without
+    // authMiddleware so localhost auto-auth / any CSRF-able header cannot
+    // reach the proxy. Token can only be issued by POST /_session which
+    // requires explicit Bearer admin.
+    if (!hasValidSessionToken(req)) {
+        res.status(403).send('Browser proxy session required — call POST /_session first');
+        return;
+    }
+    const sessionToken = req.query[TOKEN_QUERY_PARAM];
+    const hostportRaw = req.params['hostport'];
+    if (!hostportRaw) {
+        res.status(400).send('hostport required');
+        return;
+    }
+    const parsed = parseHostport(hostportRaw);
+    if (!parsed) {
+        res.status(400).send('Invalid hostport (expected host:port, http only, ports 1-65535 except blocked)');
+        return;
+    }
+    const resolvedIp = await resolveAllowedTarget(parsed.host);
+    if (!resolvedIp) {
+        res.status(403).send('Target not allowed — must resolve to RFC1918 / loopback (excluding cloud-metadata)');
+        return;
+    }
+    // req.url is mount-relative. Strip hostport segment + the session-token
+    // query param before forwarding to upstream (token must NEVER leak to
+    // the proxied site).
+    const afterMount = req.url.replace(/^\/+/, '');
+    const slashIdx = afterMount.indexOf('/');
+    const rawSubPath = slashIdx >= 0 ? afterMount.slice(slashIdx) : '/';
+    const subPath = stripTokenFromSubPath(rawSubPath);
+    // Fetch by resolved IP — pins the connection to the address we just
+    // validated, so DNS rebinding between validation and fetch is harmless.
+    const targetUrl = `http://${resolvedIp}:${parsed.port}${subPath}`;
+    const mountPrefix = `/api/browser-proxy/${hostportRaw}`;
+    try {
+        const upstream = await fetch(targetUrl, {
+            method: 'GET',
+            redirect: 'manual',
+            signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
+            headers: {
+                // Send original hostname as Host so vhost-aware servers route correctly.
+                'Host': `${parsed.host}:${parsed.port}`,
+                'User-Agent': req.headers['user-agent'] || 'ccweb-browser-proxy',
+                'Accept': req.headers['accept'] || '*/*',
+                'Accept-Language': req.headers['accept-language'] || 'en',
+            },
+        });
+        const declaredLen = Number(upstream.headers.get('content-length') || '0');
+        if (declaredLen > MAX_PROXY_SIZE) {
+            res.status(413).send('Upstream response too large for proxy');
+            return;
+        }
+        res.status(upstream.status);
+        upstream.headers.forEach((value, name) => {
+            const lower = name.toLowerCase();
+            if (STRIPPED_RESPONSE_HEADERS.has(lower))
+                return;
+            if (lower === 'location') {
+                res.setHeader('Location', rewriteLocationHeader(value, parsed, mountPrefix, sessionToken));
+                return;
+            }
+            res.setHeader(name, value);
+        });
+        const contentType = upstream.headers.get('content-type') || '';
+        const isHtml = contentType.includes('text/html');
+        // Stream-aware cap: read in chunks, abort if we exceed limit before
+        // the whole body lands in memory. Compatible with chunked responses
+        // that don't declare Content-Length.
+        const chunks = [];
+        let total = 0;
+        if (upstream.body) {
+            const reader = upstream.body.getReader();
+            while (true) {
+                const { done, value } = await reader.read();
+                if (done)
+                    break;
+                total += value.byteLength;
+                if (total > MAX_PROXY_SIZE) {
+                    reader.cancel().catch(() => { });
+                    if (!res.headersSent)
+                        res.status(413);
+                    res.end();
+                    return;
+                }
+                chunks.push(value);
+            }
+        }
+        const buf = Buffer.concat(chunks.map((c) => Buffer.from(c)));
+        if (isHtml) {
+            res.setHeader('Content-Security-Policy', PROXY_HTML_CSP);
+            const rewritten = rewriteHtml(buf.toString('utf-8'), mountPrefix, sessionToken);
+            const out = Buffer.from(rewritten, 'utf-8');
+            res.setHeader('Content-Length', String(out.byteLength));
+            res.end(out);
+        }
+        else {
+            res.setHeader('Content-Length', String(buf.byteLength));
+            res.end(buf);
+        }
+    }
+    catch (err) {
+        const name = err?.name;
+        const reason = name === 'TimeoutError' ? 'Upstream timeout' : 'Upstream fetch failed';
+        log.warn({ err, targetUrl }, 'browser-proxy upstream error');
+        if (!res.headersSent) {
+            res.status(502).send(reason);
+        }
+        else if (!res.writableEnded) {
+            res.end();
+        }
+    }
+}
+router.get('/:hostport', handle);
+router.get('/:hostport/*', handle);
+exports.default = router;
+//# sourceMappingURL=browser-proxy.js.map

package/backend/dist/routes/browser-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-proxy.js","sourceRoot":"","sources":["../../src/routes/browser-proxy.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmEA,sCASC;AAQD,4CAeC;AAOD,oDAaC;AAiBD,sDAaC;AAcD,kCAUC;AAED,sDAyBC;AAxMD,qCAAyD;AACzD,kDAAoC;AACpC,yCAA2B;AAC3B,kDAAoC;AACpC,kCAAmD;AACnD,sCAAmD;AACnD,sCAAsC;AAEtC,MAAM,GAAG,GAAG,IAAA,kBAAS,EAAC,eAAe,CAAC,CAAC;AAEvC,MAAM,MAAM,GAAW,IAAA,gBAAM,GAAE,CAAC;AAEhC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;IACxC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK;CACjD,CAAC,CAAC;AAEH,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,iBAAiB;IACjB,eAAe;IACf,yBAAyB;IACzB,qCAAqC;IACrC,4BAA4B;IAC5B,8BAA8B;IAC9B,8BAA8B;IAC9B,YAAY;IACZ,gBAAgB;IAChB,mBAAmB;IACnB,kBAAkB;IAClB,kEAAkE;IAClE,wEAAwE;IACxE,iBAAiB;IACjB,wBAAwB;IACxB,oBAAoB;IACpB,gBAAgB;CACjB,CAAC,CAAC;AAEH,yEAAyE;AACzE,0EAA0E;AAC1E,2EAA2E;AAC3E,uEAAuE;AACvE,eAAe;AACf,MAAM,cAAc,GAAG,gDAAgD,CAAC;AAExE,MAAM,cAAc,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AACxC,MAAM,mBAAmB,GAAG,KAAM,CAAC;AAEnC,4EAA4E;AAC5E,2EAA2E;AAC3E,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,iBAAiB,EAAE,eAAe,CAAC,CAAC,CAAC;AAClE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,0BAA0B,EAAE,UAAU,CAAC,CAAC,CAAC;AAExE,wEAAwE;AACxE,wEAAwE;AACxE,qEAAqE;AACrE,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,4BAA4B;AAC5B,MAAM,iBAAiB,GAAG,SAAS,CAAC;AACpC,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,CAAC;AAOpC,SAAgB,aAAa,CAAC,GAAW;IACvC,sEAAsE;IACtE,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACtD,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK;QAAE,OAAO,IAAI,CAAC;IACrE,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,IAAY;IAC3C,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACrD,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;IAC7D,IAAI,MAAM;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,oEAAoE;IACpE,2DAA2D;IAC3D,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,SAAS;IAC1D,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,oBAAoB,CAAC,IAAY;IACrD,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,WAAW;QAAE,OAAO,WAAW,CAAC;IAC1C,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACnE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACtC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpE,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,KAAa;IAC7C,qDAAqD;IACrD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACpD,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC9D,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,OAAO,GAAG,UAAU,GAAG,GAAG,GAAG,iBAAiB,IAAI,kBAAkB,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,CAAC;AACvF,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB,CAAC,OAAe;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACtE,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IAC7B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IAC3C,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,SAAS;SACnB,KAAK,CAAC,GAAG,CAAC;SACV,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,iBAAiB,GAAG,CAAC,IAAI,EAAE,KAAK,iBAAiB,CAAC,CAAC;IACpG,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,IAAI,EAAE,CAAC;AACzC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,WAAW,CAAC,IAAY,EAAE,MAAc,EAAE,KAAa;IACrE,OAAO,IAAI;SACR,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC;SAC9B,OAAO,CACN,sDAAsD,EACtD,CAAC,CAAC,EAAE,IAAY,EAAE,KAAa,EAAE,IAAY,EAAE,EAAE;QAC/C,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QAC1D,OAAO,GAAG,IAAI,IAAI,KAAK,GAAG,SAAS,GAAG,KAAK,EAAE,CAAC;IAChD,CAAC,CACF,CAAC;AACN,CAAC;AAED,SAAgB,qBAAqB,CACnC,GAAW,EACX,MAAsB,EACtB,WAAmB,EACnB,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,mEAAmE;QACnE,qEAAqE;QACrE,iDAAiD;QACjD,MAAM,aAAa,GAAG,OAAO,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,KAAK,aAAa,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,IAAI,CAAC;QAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC;QAC3D,IAAI,SAAS,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;YACtC,OAAO,WAAW,CAAC,GAAG,WAAW,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QAC9F,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,OAAO,WAAW,CAAC,GAAG,WAAW,GAAG,GAAG,EAAE,EAAE,KAAK,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAgB;IAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC3C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAmB,CAAC;QACtE,OAAO,OAAO,CAAC,GAAG,KAAK,eAAe,IAAI,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACjF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,kBAAkB,CAAC,GAAgB,EAAE,GAAa,EAAE,IAAkB;IAC7E,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,IAAA,kBAAW,EAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAA,oBAAW,EAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IACD,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;IAChB,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,CAAC,GAAgB,EAAE,GAAa,EAAQ,EAAE;IACrF,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;IAC3B,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CACpB,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,eAAe,EAAE,EACtD,MAAM,CAAC,SAAS,EAChB,EAAE,SAAS,EAAE,GAAG,mBAAmB,GAAG,EAAE,CACzC,CAAC;IACF,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,MAAM,CAAC,GAAgB,EAAE,GAAa;IACnD,kEAAkE;IAClE,sEAAsE;IACtE,oEAAoE;IACpE,kCAAkC;IAClC,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QACnF,OAAO;IACT,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAW,CAAC;IAE5D,MAAM,WAAW,GAAG,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC3C,IAAI,CAAC,WAAW,EAAE,CAAC;QAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAAC,OAAO;IAAC,CAAC;IAExE,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;QACvG,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,oFAAoF,CAAC,CAAC;QAC3G,OAAO;IACT,CAAC;IAED,wEAAwE;IACxE,sEAAsE;IACtE,qBAAqB;IACrB,MAAM,UAAU,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACpE,MAAM,OAAO,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAElD,oEAAoE;IACpE,wEAAwE;IACxE,MAAM,SAAS,GAAG,UAAU,UAAU,IAAI,MAAM,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;IAClE,MAAM,WAAW,GAAG,sBAAsB,WAAW,EAAE,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACtC,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,mBAAmB,CAAC;YAChD,OAAO,EAAE;gBACP,yEAAyE;gBACzE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,EAAE;gBACvC,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,qBAAqB;gBAChE,QAAQ,EAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAY,IAAI,KAAK;gBACpD,iBAAiB,EAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAY,IAAI,IAAI;aACtE;SACF,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,CAAC;QAC1E,IAAI,WAAW,GAAG,cAAc,EAAE,CAAC;YACjC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAE5B,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YACvC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACjC,IAAI,yBAAyB,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO;YACjD,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;gBACzB,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;gBAC3F,OAAO;YACT,CAAC;YACD,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEjD,oEAAoE;QACpE,oEAAoE;QACpE,qCAAqC;QACrC,MAAM,MAAM,GAAiB,EAAE,CAAC;QAChC,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACzC,OAAO,IAAI,EAAE,CAAC;gBACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,IAAI;oBAAE,MAAM;gBAChB,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC;gBAC1B,IAAI,KAAK,GAAG,cAAc,EAAE,CAAC;oBAC3B,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;oBAChC,IAAI,CAAC,GAAG,CAAC,WAAW;wBAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBACtC,GAAG,CAAC,GAAG,EAAE,CAAC;oBACV,OAAO;gBACT,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAE7D,IAAI,MAAM,EAAE,CAAC;YACX,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,cAAc,CAAC,CAAC;YACzD,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;YAChF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAC5C,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;YACxD,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;YACxD,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACf,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,GAAI,GAAyB,EAAE,IAAI,CAAC;QAC9C,MAAM,MAAM,GAAG,IAAI,KAAK,cAAc,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB,CAAC;QACtF,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,8BAA8B,CAAC,CAAC;QAC7D,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;YAC9B,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AACjC,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;AAEnC,kBAAe,MAAM,CAAC"}

package/frontend/dist/assets/{ChatOverlay-C6C_KmoQ.js → ChatOverlay-Cm7M9uTo.js}

@@ -1,4 +1,4 @@
-import{bH as e,bI as t,r as n,bJ as r,c as a,h as i,bK as o,aX as s,j as l,R as c,d as u,U as d,bL as p,t as m,b2 as g,B as h,A as f,q as b,bM as y,a as E,a8 as v,aa as S,a6 as w,a5 as k,a9 as x,a4 as T,bk as A,aG as _,bz as I,bA as N,bB as R,i as C,bN as O,bO as L,s as D,bP as M,bQ as P,bC as F,bR as B,bE as U,bF as z,S as $,l as G,p as j}from"./index-Bf5BlYFK.js";import{C as H}from"./chevron-down-UeSwXtvj.js";import{a as q,C as V,u as W,c as Y}from"./index-BoEETvjx.js";function K(){!e.current&&t();const[a]=n.useState(r.current);return a}
+import{bH as e,bI as t,r as n,bJ as r,c as a,h as i,bK as o,aX as s,j as l,R as c,d as u,U as d,bL as p,t as m,b2 as g,B as h,A as f,q as b,bM as y,a as E,a8 as v,aa as S,a6 as w,a5 as k,a9 as x,a4 as T,bk as A,aH as _,bz as I,bA as N,bB as R,i as C,bN as O,bO as L,s as D,bP as M,bQ as P,bC as F,bR as B,bE as U,bF as z,S as $,l as G,p as j}from"./index-Fi22OrSt.js";import{C as H}from"./chevron-down-BjD1KDpf.js";import{a as q,C as V,u as W,c as Y}from"./index-BxSzFzfM.js";function K(){!e.current&&t();const[a]=n.useState(r.current);return a}
 /**
  * @license lucide-react v0.309.0 - ISC
  *

package/frontend/dist/assets/{GraphPreview-3Jt6HVoR.js → GraphPreview-Bu-zdWO0.js}

@@ -1,4 +1,4 @@
-import{c as e,r as t,b as n,j as i,U as r,B as o,m as a}from"./index-Bf5BlYFK.js";import{Z as l,a as s}from"./ProjectPage-DdDicE9q.js";import"./purify.es-CgRAQgUo.js";import"./ChatOverlay-C6C_KmoQ.js";import"./chevron-down-UeSwXtvj.js";import"./index-BoEETvjx.js";import"./select-CYI-GI6f.js";import"./search-DY3wMq7s.js";
+import{c as e,r as t,b as n,j as i,U as r,B as o,m as a}from"./index-Fi22OrSt.js";import{Z as l,a as s}from"./ProjectPage-D8O-uvJ3.js";import"./purify.es-CgRAQgUo.js";import"./ChatOverlay-Cm7M9uTo.js";import"./chevron-down-BjD1KDpf.js";import"./index-BxSzFzfM.js";import"./select-nwQBXqLw.js";import"./search-CfhpkpXs.js";
 /**
  * @license lucide-react v0.309.0 - ISC
  *