@unbrained/pm-web 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+## 1.0.0 - 2026-05-26
+
+### Other
+
+- Release readiness hardening for pm-web ([pm-web-srg8](https://github.com/unbraind/pm-web/blob/main/.agents/pm/tasks/pm-web-srg8.toon))

package/README.md

@@ -0,0 +1,107 @@
+# pm-web
+
+Full web UI for [pm-cli](https://github.com/unbraind/pm-cli) — browse, create, update, search, dedupe-audit, validate and manage pm projects in the browser.
+
+Features user auth, multi-project support, sharing, groups, GitHub import/sync, admin-only management, local Ollama semantic search configuration, and pm-graph/Neo4j relationship graphs. Hosted at **pm-web.unbrained.dev** or self-host via Docker.
+
+---
+
+## Quick Start (Self-Hosted)
+
+### Docker
+
+```bash
+docker build -t pm-web .
+docker run -p 4000:4000 -e DATABASE_URL=postgres://... pm-web
+```
+
+### Node.js
+
+```bash
+git clone https://github.com/unbraind/pm-web.git
+cd pm-web
+npm install
+npm run build
+
+# Set environment variables
+export PORT=4000
+export DATABASE_URL=postgres://user:pass@localhost:5432/pmweb
+export JWT_SECRET=change-me
+export OLLAMA_BASE_URL=http://localhost:11434
+export PM_OLLAMA_MODEL=qwen3-embedding:0.6b
+export NEO4J_URI=bolt://localhost:7687
+export NEO4J_USER=neo4j
+export NEO4J_PASSWORD=change-me
+
+npm start
+```
+
+Open http://localhost:4000 in your browser.
+
+---
+
+## Installation as pm Package
+
+```bash
+pm install github.com/unbraind/pm-web --global
+```
+
+The package repository is at **github.com/unbraind/pm-web**.
+
+### Commands
+
+| Command | Description |
+|---|---|
+| `pm web` | Start the pm-web server |
+| `pm web --port 8080` | Start on a custom port |
+
+### Environment Variables
+
+| Variable | Required | Description |
+|---|---|---|
+| `DATABASE_URL` | Yes | PostgreSQL connection string |
+| `JWT_SECRET` | Yes | Secret for signing JWT tokens |
+| `PM_WEB_SECRET_KEY` | Recommended | At-rest encryption key for saved GitHub PATs. Falls back to `JWT_SECRET`; use at least 32 characters |
+| `PM_WEB_BOOTSTRAP_ADMIN_EMAIL` | Recommended | Email of the user account to auto-promote to admin on schema init. Leave unset to skip auto-promotion (manage admins via the admin UI). |
+| `PORT` | No | Server port (default: 4000) |
+| `NODE_ENV` | No | `production` enables caching |
+| `OLLAMA_BASE_URL` / `OLLAMA_HOST` | No | Local Ollama endpoint for semantic pm search |
+| `PM_OLLAMA_MODEL` | No | Embedding model for new projects, default `qwen3-embedding:0.6b` |
+| `NEO4J_URI` | No | Neo4j Bolt URI for graph sync |
+| `NEO4J_USER` / `NEO4J_USERNAME` | No | Neo4j username |
+| `NEO4J_PASSWORD` | No | Neo4j password |
+| `PM_GRAPH_EXTENSION_PATH` | No | Bundled pm-graph extension path, default `extensions/pm-graph` |
+
+New pm-web projects configure local Ollama search automatically and install the bundled `pm-graph` extension into the project workspace. Neo4j graph rows are scoped per pm-web project so syncing one project does not overwrite another.
+
+Saved GitHub personal access tokens are encrypted at rest before they are written to PostgreSQL. Existing plaintext tokens from older installs still work when read, and are replaced with encrypted values the next time the user saves a token.
+
+---
+
+## Architecture
+
+- **Backend**: Express.js with PostgreSQL
+- **Frontend**: Single-page app in `public/`
+- **Auth**: JWT-based user authentication
+- **API**: RESTful API at `/api/*`
+
+### API Routes
+
+| Route | Description |
+|---|---|
+| `/api/auth` | Authentication (login, register) |
+| `/api/projects` | Project CRUD |
+| `/api/projects/:id/pm` | PM item operations |
+| `/api/groups` | Group management |
+| `/api/projects/:id/shares` | Sharing |
+| `/api/projects/:id/github` | GitHub integration |
+
+---
+
+## License
+
+MIT
+
+## Release Automation
+
+This package is release-ready for GitHub, npm, and Bun-compatible installs. CI runs type checking, build, production dependency audit, package packing, Bun install verification, and pm-changelog validation. The daily release workflow publishes only when commits exist after the latest release tag and uses pm-changelog to generate CHANGELOG.md and GitHub release notes.

package/dist/auth.js

@@ -0,0 +1,20 @@
+import jwt from "jsonwebtoken";
+const JWT_SECRET = process.env.JWT_SECRET || "pm-web-dev-secret-change-in-prod";
+const JWT_EXPIRES = "30d";
+export function signToken(payload) {
+    return jwt.sign(payload, JWT_SECRET, { expiresIn: JWT_EXPIRES });
+}
+export function verifyToken(token) {
+    return jwt.verify(token, JWT_SECRET);
+}
+export function extractToken(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+        return authHeader.slice(7);
+    }
+    const cookie = req.cookies?.pm_token;
+    if (cookie)
+        return cookie;
+    return null;
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAG/B,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,kCAAkC,CAAC;AAChF,MAAM,WAAW,GAAG,KAAK,CAAC;AAO1B,MAAM,UAAU,SAAS,CAAC,OAAmB;IAC3C,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU,CAAe,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,MAAM,MAAM,GAAI,GAAsD,CAAC,OAAO,EAAE,QAAQ,CAAC;IACzF,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/crypto.js

@@ -0,0 +1,42 @@
+import crypto from "node:crypto";
+const TOKEN_PREFIX = "pmweb:v1";
+function secretMaterial() {
+    const value = process.env.PM_WEB_SECRET_KEY || process.env.JWT_SECRET;
+    if (!value || value.length < 32) {
+        throw new Error("Set PM_WEB_SECRET_KEY or a JWT_SECRET of at least 32 characters before storing GitHub tokens.");
+    }
+    return value;
+}
+function encryptionKey() {
+    return crypto.createHash("sha256").update(secretMaterial(), "utf8").digest();
+}
+export function encryptSecret(plainText) {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv("aes-256-gcm", encryptionKey(), iv);
+    const encrypted = Buffer.concat([cipher.update(plainText, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return [
+        TOKEN_PREFIX,
+        iv.toString("base64url"),
+        tag.toString("base64url"),
+        encrypted.toString("base64url"),
+    ].join(":");
+}
+export function decryptSecret(stored) {
+    if (!stored)
+        return null;
+    if (!stored.startsWith(`${TOKEN_PREFIX}:`)) {
+        return stored;
+    }
+    const [, , ivRaw, tagRaw, encryptedRaw] = stored.split(":");
+    if (!ivRaw || !tagRaw || !encryptedRaw) {
+        throw new Error("Stored GitHub token is malformed.");
+    }
+    const decipher = crypto.createDecipheriv("aes-256-gcm", encryptionKey(), Buffer.from(ivRaw, "base64url"));
+    decipher.setAuthTag(Buffer.from(tagRaw, "base64url"));
+    return Buffer.concat([
+        decipher.update(Buffer.from(encryptedRaw, "base64url")),
+        decipher.final(),
+    ]).toString("utf8");
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,YAAY,GAAG,UAAU,CAAC;AAEhC,SAAS,cAAc;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACtE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,+FAA+F,CAAC,CAAC;IACnH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa;IACpB,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB;IAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC,CAAC;IACzE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,YAAY;QACZ,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QACzB,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;KAChC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAiC;IAC7D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,GAAG,CAAC,EAAE,CAAC;QAC3C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,CAAC,EAAE,AAAD,EAAG,KAAK,EAAE,MAAM,EAAE,YAAY,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5D,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,aAAa,EACb,aAAa,EAAE,EACf,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAChC,CAAC;IACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QACvD,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC"}

package/dist/db.js

@@ -0,0 +1,111 @@
+import pg from "pg";
+const { Pool } = pg;
+export const pool = new Pool({
+    ...(process.env.DATABASE_URL
+        ? { connectionString: process.env.DATABASE_URL }
+        : {
+            host: process.env.POSTGRES_HOST || "pm-telemetry-postgres",
+            port: parseInt(process.env.POSTGRES_PORT || "5432", 10),
+            user: process.env.POSTGRES_USER,
+            password: process.env.POSTGRES_PASSWORD,
+            database: process.env.POSTGRES_DB,
+        }),
+    max: 10,
+    idleTimeoutMillis: 30_000,
+    connectionTimeoutMillis: 5_000,
+});
+const bootstrapAdminEmail = (process.env.PM_WEB_BOOTSTRAP_ADMIN_EMAIL || "")
+    .trim()
+    .toLowerCase();
+export async function initSchema() {
+    await pool.query(`
+    CREATE TABLE IF NOT EXISTS pm_users (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      email TEXT UNIQUE NOT NULL,
+      password_hash TEXT NOT NULL,
+      display_name TEXT,
+      is_admin BOOLEAN NOT NULL DEFAULT FALSE,
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW()
+    );
+
+    CREATE TABLE IF NOT EXISTS pm_projects (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      user_id UUID NOT NULL REFERENCES pm_users(id) ON DELETE CASCADE,
+      name TEXT NOT NULL,
+      slug TEXT NOT NULL,
+      description TEXT DEFAULT '',
+      prefix TEXT NOT NULL,
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW(),
+      UNIQUE(user_id, slug)
+    );
+
+    CREATE INDEX IF NOT EXISTS pm_projects_user_id ON pm_projects(user_id);
+
+    CREATE TABLE IF NOT EXISTS pm_groups (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      owner_id UUID NOT NULL REFERENCES pm_users(id) ON DELETE CASCADE,
+      name TEXT NOT NULL,
+      description TEXT DEFAULT '',
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW()
+    );
+
+    CREATE TABLE IF NOT EXISTS pm_group_members (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      group_id UUID NOT NULL REFERENCES pm_groups(id) ON DELETE CASCADE,
+      user_id UUID NOT NULL REFERENCES pm_users(id) ON DELETE CASCADE,
+      role TEXT NOT NULL DEFAULT 'member',
+      invited_at TIMESTAMPTZ DEFAULT NOW(),
+      UNIQUE(group_id, user_id)
+    );
+
+    CREATE TABLE IF NOT EXISTS pm_project_shares (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      project_id UUID NOT NULL REFERENCES pm_projects(id) ON DELETE CASCADE,
+      shared_with_user_id UUID REFERENCES pm_users(id) ON DELETE CASCADE,
+      shared_with_group_id UUID REFERENCES pm_groups(id) ON DELETE CASCADE,
+      permission TEXT NOT NULL DEFAULT 'view',
+      shared_at TIMESTAMPTZ DEFAULT NOW(),
+      CONSTRAINT share_target CHECK (
+        (shared_with_user_id IS NOT NULL AND shared_with_group_id IS NULL) OR
+        (shared_with_user_id IS NULL AND shared_with_group_id IS NOT NULL)
+      ),
+      UNIQUE(project_id, shared_with_user_id),
+      UNIQUE(project_id, shared_with_group_id)
+    );
+  `);
+    // Migrations for new columns (idempotent)
+    await pool.query(`
+    ALTER TABLE pm_users ADD COLUMN IF NOT EXISTS github_token TEXT;
+    ALTER TABLE pm_users ADD COLUMN IF NOT EXISTS is_admin BOOLEAN NOT NULL DEFAULT FALSE;
+    ALTER TABLE pm_projects ADD COLUMN IF NOT EXISTS github_owner TEXT;
+    ALTER TABLE pm_projects ADD COLUMN IF NOT EXISTS github_repo TEXT;
+    ALTER TABLE pm_projects ADD COLUMN IF NOT EXISTS github_sync_enabled BOOLEAN DEFAULT FALSE;
+  `);
+    await pool.query(`CREATE TABLE IF NOT EXISTS pm_admin_audit (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      actor_id UUID NOT NULL REFERENCES pm_users(id) ON DELETE CASCADE,
+      action TEXT NOT NULL,
+      description TEXT DEFAULT '',
+      created_at TIMESTAMPTZ DEFAULT NOW()
+    )`);
+    await pool.query(`CREATE INDEX IF NOT EXISTS pm_admin_audit_created_at ON pm_admin_audit(created_at DESC)`);
+    await pool.query(`
+    CREATE TABLE IF NOT EXISTS pm_github_item_links (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      project_id UUID NOT NULL REFERENCES pm_projects(id) ON DELETE CASCADE,
+      pm_item_id TEXT NOT NULL,
+      issue_number INTEGER NOT NULL,
+      issue_url TEXT NOT NULL,
+      synced_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      UNIQUE (project_id, pm_item_id)
+    );
+  `);
+    await pool.query(`CREATE INDEX IF NOT EXISTS pm_github_item_links_project ON pm_github_item_links(project_id)`);
+    if (bootstrapAdminEmail) {
+        await pool.query(`UPDATE pm_users SET is_admin = TRUE, updated_at = NOW() WHERE lower(email) = lower($1)`, [bootstrapAdminEmail]);
+    }
+}
+//# sourceMappingURL=db.js.map

package/dist/db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AAEpB,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;AAEpB,MAAM,CAAC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC;IAC3B,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY;QAC1B,CAAC,CAAC,EAAE,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE;QAChD,CAAC,CAAC;YACE,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,uBAAuB;YAC1D,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,MAAM,EAAE,EAAE,CAAC;YACvD,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa;YAC/B,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;YACvC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW;SAClC,CAAC;IACN,GAAG,EAAE,EAAE;IACP,iBAAiB,EAAE,MAAM;IACzB,uBAAuB,EAAE,KAAK;CAC/B,CAAC,CAAC;AAEH,MAAM,mBAAmB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,EAAE,CAAC;KACzE,IAAI,EAAE;KACN,WAAW,EAAE,CAAC;AAEjB,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDhB,CAAC,CAAC;IAEH,0CAA0C;IAC1C,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;GAMhB,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,KAAK,CACd;;;;;;MAME,CACH,CAAC;IAEF,MAAM,IAAI,CAAC,KAAK,CACd,yFAAyF,CAC1F,CAAC;IAEF,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;;;;;GAUhB,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,KAAK,CACd,6FAA6F,CAC9F,CAAC;IAEF,IAAI,mBAAmB,EAAE,CAAC;QACxB,MAAM,IAAI,CAAC,KAAK,CACd,wFAAwF,EACxF,CAAC,mBAAmB,CAAC,CACtB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/index.js

@@ -0,0 +1,88 @@
+// pm-web — Extension wrapper for the pm-web server
+// This file registers the web server as a pm extension command.
+import { spawn, spawnSync } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+// Inline defineExtension helper (avoids runtime dependency on @unbrained/pm-cli/sdk)
+function defineExtension(m) { return m; }
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const packageRoot = path.resolve(__dirname, "..");
+let serverProcess = null;
+function ensureRuntimeDependencies() {
+    const expressPackage = path.join(packageRoot, "node_modules", "express", "package.json");
+    if (fs.existsSync(expressPackage))
+        return;
+    console.error("Installing pm-web runtime dependencies...");
+    const install = spawnSync("npm", ["install", "--omit=dev"], {
+        cwd: packageRoot,
+        stdio: "inherit",
+        env: { ...process.env, NODE_ENV: "production" },
+    });
+    if (install.error)
+        throw install.error;
+    if (install.status !== 0) {
+        throw new Error(`npm install --omit=dev failed with exit code ${install.status ?? "unknown"}`);
+    }
+}
+export default defineExtension({
+    name: "pm-web",
+    version: "1.0.0",
+    activate(api) {
+        // -----------------------------------------------------------------------
+        // Command: pm web [--port <port>]
+        // -----------------------------------------------------------------------
+        api.registerCommand({
+            name: "web",
+            description: "Start the pm-web server. Opens a browser-based UI for managing pm projects.",
+            intent: "launch the pm-web server",
+            examples: [
+                "pm web",
+                "pm web --port 8080",
+            ],
+            flags: [
+                { long: "--port", value_name: "port", description: "Port to listen on (default: 4000 or PORT env var)" },
+                { long: "--detach", description: "Run the server in the background" },
+            ],
+            async run(ctx) {
+                const port = ctx.options["port"] ?? process.env["PORT"] ?? "4000";
+                const detach = Boolean(ctx.options["detach"]);
+                const serverPath = path.resolve(__dirname, "server.js");
+                ensureRuntimeDependencies();
+                if (detach) {
+                    if (serverProcess) {
+                        console.error(`pm-web is already running (PID ${serverProcess.pid})`);
+                        return { status: "already_running", pid: serverProcess.pid };
+                    }
+                    serverProcess = spawn("node", [serverPath], {
+                        env: { ...process.env, PORT: String(port) },
+                        detached: true,
+                        stdio: "ignore",
+                    });
+                    serverProcess.unref();
+                    console.error(`pm-web started on port ${port} (PID ${serverProcess.pid})`);
+                    return { status: "started", port: Number(port), pid: serverProcess.pid };
+                }
+                // Foreground mode — the server takes over the process
+                console.error(`Starting pm-web on port ${port}…`);
+                console.error("Press Ctrl+C to stop.\n");
+                const child = spawn("node", [serverPath], {
+                    env: { ...process.env, PORT: String(port) },
+                    stdio: "inherit",
+                });
+                await new Promise((resolve, reject) => {
+                    child.on("error", reject);
+                    child.on("exit", (code, signal) => {
+                        if (code === 0 || signal === "SIGINT" || signal === "SIGTERM") {
+                            resolve();
+                            return;
+                        }
+                        reject(new Error(`pm-web exited with code ${code ?? `signal ${signal}`}`));
+                    });
+                });
+                return { status: "stopped", port: Number(port) };
+            },
+        });
+    },
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,gEAAgE;AAEhE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,qFAAqF;AACrF,SAAS,eAAe,CAAI,CAAI,IAAO,OAAO,CAAC,CAAC,CAAC,CAAC;AAsBlD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;AAElD,IAAI,aAAa,GAAoC,IAAI,CAAC;AAE1D,SAAS,yBAAyB;IAChC,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;IACzF,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC;QAAE,OAAO;IAE1C,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE;QAC1D,GAAG,EAAE,WAAW;QAChB,KAAK,EAAE,SAAS;QAChB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,YAAY,EAAE;KAChD,CAAC,CAAC;IACH,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,OAAO,CAAC,KAAK,CAAC;IACvC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,gDAAgD,OAAO,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IACjG,CAAC;AACH,CAAC;AAED,eAAe,eAAe,CAAC;IAC7B,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,OAAO;IAEhB,QAAQ,CAAC,GAAiB;QACxB,0EAA0E;QAC1E,kCAAkC;QAClC,0EAA0E;QAC1E,GAAG,CAAC,eAAe,CAAC;YAClB,IAAI,EAAE,KAAK;YACX,WAAW,EACT,6EAA6E;YAC/E,MAAM,EAAE,0BAA0B;YAClC,QAAQ,EAAE;gBACR,QAAQ;gBACR,oBAAoB;aACrB;YACD,KAAK,EAAE;gBACL,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,mDAAmD,EAAE;gBACxG,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,kCAAkC,EAAE;aACtE;YACD,KAAK,CAAC,GAAG,CAAC,GAA0B;gBAClC,MAAM,IAAI,GAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAwB,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC;gBAC1F,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAE9C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;gBACxD,yBAAyB,EAAE,CAAC;gBAE5B,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,aAAa,EAAE,CAAC;wBAClB,OAAO,CAAC,KAAK,CAAC,kCAAkC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;wBACtE,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,EAAE,aAAa,CAAC,GAAG,EAAE,CAAC;oBAC/D,CAAC;oBAED,aAAa,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;wBAC1C,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;wBAC3C,QAAQ,EAAE,IAAI;wBACd,KAAK,EAAE,QAAQ;qBAChB,CAAC,CAAC;oBAEH,aAAa,CAAC,KAAK,EAAE,CAAC;oBAEtB,OAAO,CAAC,KAAK,CAAC,0BAA0B,IAAI,SAAS,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;oBAC3E,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,aAAa,CAAC,GAAG,EAAE,CAAC;gBAC3E,CAAC;gBAED,sDAAsD;gBACtD,OAAO,CAAC,KAAK,CAAC,2BAA2B,IAAI,GAAG,CAAC,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;gBAEzC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE;oBACxC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;oBAC3C,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAC;gBAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC1C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;oBAC1B,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;wBAChC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;4BAC9D,OAAO,EAAE,CAAC;4BACV,OAAO;wBACT,CAAC;wBACD,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,IAAI,IAAI,UAAU,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;oBAC7E,CAAC,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,CAAC;SACF,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC"}

package/dist/middleware/auth.js

@@ -0,0 +1,16 @@
+import { verifyToken, extractToken } from "../auth.js";
+export function requireAuth(req, res, next) {
+    const token = extractToken(req);
+    if (!token) {
+        res.status(401).json({ error: "Authentication required" });
+        return;
+    }
+    try {
+        req.user = verifyToken(token);
+        next();
+    }
+    catch {
+        res.status(401).json({ error: "Invalid or expired token" });
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAMvD,MAAM,UAAU,WAAW,CAAC,GAAgB,EAAE,GAAa,EAAE,IAAkB;IAC7E,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC3D,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/routes/admin.js

@@ -0,0 +1,207 @@
+import { Router } from "express";
+import { pool } from "../db.js";
+import { requireAuth } from "../middleware/auth.js";
+const router = Router();
+router.use(requireAuth);
+async function getAdminCount() {
+    const result = await pool.query(`SELECT COUNT(*)::int AS count FROM pm_users WHERE is_admin = TRUE`);
+    return result.rows[0]?.count ?? 0;
+}
+async function isUserAdmin(userId) {
+    const result = await pool.query(`SELECT is_admin FROM pm_users WHERE id = $1`, [userId]);
+    return result.rows[0]?.is_admin === true;
+}
+async function requireAdmin(req, res, next) {
+    try {
+        const result = await pool.query(`SELECT is_admin FROM pm_users WHERE id = $1`, [req.user.userId]);
+        if (result.rows[0]?.is_admin === true) {
+            next();
+            return;
+        }
+        res.status(403).json({ error: "Admin access is required" });
+    }
+    catch (err) {
+        console.error("Admin auth check failed:", err);
+        res.status(500).json({ error: "Failed to verify admin access" });
+    }
+}
+router.use(requireAdmin);
+router.get("/overview", async (_req, res) => {
+    try {
+        const [users, projects, shares, groups] = await Promise.all([
+            pool.query(`
+        SELECT id, email, display_name, is_admin, github_token IS NOT NULL AS has_github_token, created_at, updated_at
+        FROM pm_users
+        ORDER BY is_admin DESC, created_at DESC
+      `),
+            pool.query(`
+        SELECT p.id, p.name, p.slug, p.prefix, p.description, p.github_owner, p.github_repo,
+               p.github_sync_enabled, p.created_at, p.updated_at,
+               u.email AS owner_email, u.display_name AS owner_display_name
+        FROM pm_projects p
+        JOIN pm_users u ON u.id = p.user_id
+        ORDER BY p.updated_at DESC NULLS LAST, p.created_at DESC
+      `),
+            pool.query(`SELECT COUNT(*)::int AS count FROM pm_project_shares`),
+            pool.query(`
+        SELECT g.id, g.name, g.description, owner.email AS owner_email, COUNT(m.id)::int AS member_count, g.created_at
+        FROM pm_groups g
+        JOIN pm_users owner ON owner.id = g.owner_id
+        LEFT JOIN pm_group_members m ON m.group_id = g.id
+        GROUP BY g.id, owner.email
+        ORDER BY g.created_at DESC
+      `),
+        ]);
+        res.json({
+            users: users.rows,
+            projects: projects.rows,
+            groups: groups.rows,
+            stats: {
+                users: users.rowCount,
+                admins: users.rows.filter((user) => user.is_admin === true).length,
+                projects: projects.rowCount,
+                sharedProjects: shares.rows[0]?.count ?? 0,
+                groups: groups.rowCount,
+            },
+            serverVersion: process.env.npm_package_version || '1.0.0',
+            uptimeSeconds: Math.floor(process.uptime()),
+        });
+    }
+    catch (err) {
+        console.error("Admin overview failed:", err);
+        res.status(500).json({ error: "Failed to load admin overview" });
+    }
+});
+router.patch("/users/:id", async (req, res) => {
+    const { isAdmin } = req.body;
+    if (typeof isAdmin !== "boolean") {
+        res.status(400).json({ error: "isAdmin boolean is required" });
+        return;
+    }
+    try {
+        const currentAdmin = await isUserAdmin(req.params.id);
+        if (currentAdmin && !isAdmin) {
+            const adminCount = await getAdminCount();
+            if (adminCount <= 1) {
+                res.status(409).json({ error: "Cannot remove the last admin user." });
+                return;
+            }
+        }
+        const result = await pool.query(`UPDATE pm_users SET is_admin = $1, updated_at = NOW()
+       WHERE id = $2
+       RETURNING id, email, display_name, is_admin, github_token IS NOT NULL AS has_github_token, created_at, updated_at`, [isAdmin, req.params.id]);
+        if (result.rows.length === 0) {
+            res.status(404).json({ error: "User not found" });
+            return;
+        }
+        await logAudit(req.user.userId, "user.update", `Set is_admin=${isAdmin} for user ${req.params.id}`);
+        res.json({ user: result.rows[0] });
+    }
+    catch (err) {
+        console.error("Admin user update failed:", err);
+        res.status(500).json({ error: "Failed to update user" });
+    }
+});
+// DELETE /admin/users/:id — Delete a user and all their data
+router.delete("/users/:id", async (req, res) => {
+    try {
+        if (await isUserAdmin(req.params.id)) {
+            const adminCount = await getAdminCount();
+            if (adminCount <= 1) {
+                res.status(409).json({ error: "Cannot delete the last admin user." });
+                return;
+            }
+        }
+        const result = await pool.query(`DELETE FROM pm_users WHERE id = $1 RETURNING id, email`, [req.params.id]);
+        if (result.rows.length === 0) {
+            res.status(404).json({ error: "User not found" });
+            return;
+        }
+        await logAudit(req.user.userId, "user.delete", `Deleted user ${result.rows[0].email} (${req.params.id})`);
+        res.json({ ok: true, deleted: result.rows[0] });
+    }
+    catch (err) {
+        console.error("Admin user delete failed:", err);
+        res.status(500).json({ error: "Failed to delete user" });
+    }
+});
+// DELETE /admin/projects/:id — Delete a project
+router.delete("/projects/:id", async (req, res) => {
+    try {
+        const result = await pool.query(`DELETE FROM pm_projects WHERE id = $1 RETURNING id, name, slug`, [req.params.id]);
+        if (result.rows.length === 0) {
+            res.status(404).json({ error: "Project not found" });
+            return;
+        }
+        await logAudit(req.user.userId, "project.delete", `Deleted project ${result.rows[0].name} (${req.params.id})`);
+        res.json({ ok: true, deleted: result.rows[0] });
+    }
+    catch (err) {
+        console.error("Admin project delete failed:", err);
+        res.status(500).json({ error: "Failed to delete project" });
+    }
+});
+// POST /admin/groups — Create a new group
+router.post("/groups", async (req, res) => {
+    const { name, description } = req.body;
+    if (!name?.trim()) {
+        res.status(400).json({ error: "Group name is required" });
+        return;
+    }
+    try {
+        const result = await pool.query(`INSERT INTO pm_groups (owner_id, name, description) VALUES ($1, $2, $3)
+       RETURNING id, name, description, created_at`, [req.user.userId, name.trim(), description?.trim() || ""]);
+        await logAudit(req.user.userId, "group.create", `Created group "${name.trim()}"`);
+        res.status(201).json({ group: result.rows[0] });
+    }
+    catch (err) {
+        console.error("Admin group create failed:", err);
+        res.status(500).json({ error: "Failed to create group" });
+    }
+});
+// DELETE /admin/groups/:id — Delete a group
+router.delete("/groups/:id", async (req, res) => {
+    try {
+        const result = await pool.query(`DELETE FROM pm_groups WHERE id = $1 RETURNING id, name`, [req.params.id]);
+        if (result.rows.length === 0) {
+            res.status(404).json({ error: "Group not found" });
+            return;
+        }
+        await logAudit(req.user.userId, "group.delete", `Deleted group "${result.rows[0].name}" (${req.params.id})`);
+        res.json({ ok: true, deleted: result.rows[0] });
+    }
+    catch (err) {
+        console.error("Admin group delete failed:", err);
+        res.status(500).json({ error: "Failed to delete group" });
+    }
+});
+// GET /admin/audit — Retrieve audit log entries
+router.get("/audit", async (req, res) => {
+    const limit = Math.min(parseInt(req.query.limit) || 100, 500);
+    const offset = parseInt(req.query.offset) || 0;
+    try {
+        const [entries, countResult] = await Promise.all([
+            pool.query(`SELECT a.id, a.action, a.description, a.created_at, u.email AS actor_email, u.display_name AS actor_name
+         FROM pm_admin_audit a
+         JOIN pm_users u ON u.id = a.actor_id
+         ORDER BY a.created_at DESC
+         LIMIT $1 OFFSET $2`, [limit, offset]),
+            pool.query(`SELECT COUNT(*)::int AS count FROM pm_admin_audit`),
+        ]);
+        res.json({ entries: entries.rows, total: countResult.rows[0]?.count ?? 0, limit, offset });
+    }
+    catch (err) {
+        console.error("Admin audit log failed:", err);
+        res.status(500).json({ error: "Failed to load audit log" });
+    }
+});
+async function logAudit(actorId, action, description) {
+    try {
+        await pool.query(`INSERT INTO pm_admin_audit (actor_id, action, description) VALUES ($1, $2, $3)`, [actorId, action, description]);
+    }
+    catch (err) {
+        console.error("Audit log write failed:", err);
+    }
+}
+export { router as adminRouter };
+//# sourceMappingURL=admin.js.map

package/dist/routes/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../../src/routes/admin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAoC,MAAM,SAAS,CAAC;AACnE,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,WAAW,EAAoB,MAAM,uBAAuB,CAAC;AAEtE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;AAExB,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAExB,KAAK,UAAU,aAAa;IAC1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACrG,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,MAAc;IACvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,6CAA6C,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IACzF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,KAAK,IAAI,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAgB,EAAE,GAAa,EAAE,IAAkB;IAC7E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,6CAA6C,EAAE,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QACnG,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;QAC/C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AAEzB,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;IAC1C,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC1D,IAAI,CAAC,KAAK,CAAC;;;;OAIV,CAAC;YACF,IAAI,CAAC,KAAK,CAAC;;;;;;;OAOV,CAAC;YACF,IAAI,CAAC,KAAK,CAAC,sDAAsD,CAAC;YAClE,IAAI,CAAC,KAAK,CAAC;;;;;;;OAOV,CAAC;SACH,CAAC,CAAC;QAEH,GAAG,CAAC,IAAI,CAAC;YACP,KAAK,EAAE,KAAK,CAAC,IAAI;YACjB,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,MAAM,EAAE,MAAM,CAAC,IAAI;YACnB,KAAK,EAAE;gBACL,KAAK,EAAE,KAAK,CAAC,QAAQ;gBACrB,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,MAAM;gBAClE,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC;gBAC1C,MAAM,EAAE,MAAM,CAAC,QAAQ;aACxB;YACD,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO;YACzD,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;SAC5C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;QAC7C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,CAAC;IACnE,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAG,EAAE,EAAE;IACzD,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAA6B,CAAC;IACtD,IAAI,OAAO,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtD,IAAI,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;YACzC,IAAI,UAAU,IAAI,CAAC,EAAE,CAAC;gBACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;yHAEmH,EACnH,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CACzB,CAAC;QACF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,EAAE,aAAa,EAAE,gBAAgB,OAAO,aAAa,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;QACrG,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;QAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,6DAA6D;AAC7D,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAG,EAAE,EAAE;IAC1D,IAAI,CAAC;QACH,IAAI,MAAM,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;YACrC,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;YACzC,IAAI,UAAU,IAAI,CAAC,EAAE,CAAC;gBACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,wDAAwD,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3G,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,EAAE,aAAa,EAAE,gBAAgB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;QAC3G,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;QAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gDAAgD;AAChD,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAG,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gEAAgE,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QACnH,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YACrD,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,EAAE,gBAAgB,EAAE,mBAAmB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;QAChH,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,GAAG,CAAC,CAAC;QACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,0CAA0C;AAC1C,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAG,EAAE,EAAE;IACrD,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,GAAG,CAAC,IAA+C,CAAC;IAClF,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;QAClB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;QAC1D,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;mDAC6C,EAC7C,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAC3D,CAAC;QACF,MAAM,QAAQ,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,EAAE,cAAc,EAAE,kBAAkB,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;QACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,4CAA4C;AAC5C,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAG,EAAE,EAAE;IAC3D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,wDAAwD,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3G,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,MAAM,QAAQ,CAAC,GAAG,CAAC,IAAK,CAAC,MAAM,EAAE,cAAc,EAAE,kBAAkB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,GAAG,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9G,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;QACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gDAAgD;AAChD,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAgB,EAAE,GAAG,EAAE,EAAE;IACnD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,KAAe,CAAC,IAAI,GAAG,EAAE,GAAG,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,MAAgB,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,CAAC;QACH,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC/C,IAAI,CAAC,KAAK,CACR;;;;4BAIoB,EACpB,CAAC,KAAK,EAAE,MAAM,CAAC,CAChB;YACD,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC;SAChE,CAAC,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7F,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;QAC9C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,QAAQ,CAAC,OAAe,EAAE,MAAc,EAAE,WAAmB;IAC1E,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CACd,gFAAgF,EAChF,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAC/B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,OAAO,EAAE,MAAM,IAAI,WAAW,EAAE,CAAC"}