codebase-cli 2.0.0-pre.0

package/dist/auth/flow.js

@@ -0,0 +1,222 @@
+import { exec } from "node:child_process";
+import { createServer } from "node:http";
+import { constantTimeEquals, generateCodeChallenge, generateCodeVerifier, generateState } from "./pkce.js";
+const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes for the user to complete the browser flow
+/**
+ * Build the URL we open in the user's browser. Every parameter is
+ * URL-encoded — a space in the scope used to break the redirect in
+ * the Go v1 (commit ac1dd56), and we don't want that bug to come
+ * back unnoticed.
+ */
+export function buildAuthorizationUrl(config, params) {
+    const url = new URL(config.authorizationUrl);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("client_id", config.clientId);
+    url.searchParams.set("redirect_uri", params.redirectUri);
+    url.searchParams.set("scope", config.scopes.join(" "));
+    url.searchParams.set("state", params.state);
+    url.searchParams.set("code_challenge", params.codeChallenge);
+    url.searchParams.set("code_challenge_method", "S256");
+    return url.toString();
+}
+/**
+ * Spin a localhost HTTP server, listen for one /callback hit, return
+ * the code+state. Validates the returned state against the supplied
+ * value to defend against CSRF; treats anything else as an error.
+ *
+ * Resolves with { code, state } on success. Rejects on timeout, state
+ * mismatch, or upstream error param.
+ */
+export function awaitCallback(server, expectedState, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const safeResolve = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            resolve(value);
+        };
+        const safeReject = (err) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            reject(err);
+        };
+        const timer = setTimeout(() => {
+            server.close();
+            safeReject(new Error(`OAuth callback timed out after ${Math.round(timeoutMs / 1000)}s`));
+        }, timeoutMs);
+        server.on("request", (req, res) => {
+            const url = new URL(req.url ?? "/", "http://localhost");
+            if (url.pathname !== "/callback") {
+                res.statusCode = 404;
+                res.end("Not Found. The codebase OAuth callback expects /callback.");
+                return;
+            }
+            const error = url.searchParams.get("error");
+            if (error) {
+                const desc = url.searchParams.get("error_description") ?? "";
+                renderResponse(res, false, `Sign-in failed: ${error}${desc ? ` — ${desc}` : ""}`);
+                server.close();
+                safeReject(new Error(`OAuth provider returned error: ${error}${desc ? ` — ${desc}` : ""}`));
+                return;
+            }
+            const code = url.searchParams.get("code") ?? "";
+            const state = url.searchParams.get("state") ?? "";
+            if (!code) {
+                renderResponse(res, false, "Sign-in failed: provider did not return a code.");
+                server.close();
+                safeReject(new Error("OAuth callback missing code parameter"));
+                return;
+            }
+            if (!constantTimeEquals(state, expectedState)) {
+                renderResponse(res, false, "Sign-in failed: state mismatch (possible CSRF).");
+                server.close();
+                safeReject(new Error("OAuth callback state mismatch"));
+                return;
+            }
+            renderResponse(res, true, "Signed in. You can close this tab.");
+            server.close();
+            safeResolve({ code, state });
+        });
+        server.on("error", (err) => {
+            safeReject(err);
+        });
+    });
+}
+function renderResponse(res, ok, message) {
+    const html = `<!doctype html>
+<html><head><meta charset="utf-8"><title>codebase</title></head>
+<body style="font-family:system-ui;padding:40px;max-width:560px;margin:auto;">
+<h1>${ok ? "✓" : "✗"} codebase</h1>
+<p>${message}</p>
+</body></html>`;
+    res.statusCode = ok ? 200 : 400;
+    res.setHeader("Content-Type", "text/html; charset=utf-8");
+    res.end(html);
+}
+export async function exchangeCode(config, params) {
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: config.clientId,
+        code: params.code,
+        code_verifier: params.codeVerifier,
+        redirect_uri: params.redirectUri,
+    });
+    const res = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+        body,
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`token exchange failed: ${res.status} ${res.statusText}${text ? ` — ${text.slice(0, 200)}` : ""}`);
+    }
+    const json = (await res.json());
+    return tokenToCredentials(json, config);
+}
+export async function refreshAccessToken(config, refreshToken) {
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: config.clientId,
+        refresh_token: refreshToken,
+    });
+    const res = await fetch(config.refreshUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+        body,
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`token refresh failed: ${res.status} ${res.statusText}${text ? ` — ${text.slice(0, 200)}` : ""}`);
+    }
+    const json = (await res.json());
+    return tokenToCredentials(json, config);
+}
+export async function revokeToken(config, accessToken) {
+    if (!config.revokeUrl)
+        return;
+    const body = new URLSearchParams({ token: accessToken, client_id: config.clientId });
+    try {
+        await fetch(config.revokeUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body,
+        });
+    }
+    catch {
+        // Best-effort logout — local credentials clear regardless.
+    }
+}
+function tokenToCredentials(token, config) {
+    if (!token.access_token)
+        throw new Error("token response missing access_token");
+    const scopes = token.scope ? token.scope.split(/\s+/).filter(Boolean) : config.scopes.slice();
+    return {
+        version: 1,
+        accessToken: token.access_token,
+        refreshToken: token.refresh_token,
+        expiresAt: token.expires_in ? Date.now() + token.expires_in * 1000 : undefined,
+        scopes,
+        userId: token.user?.id,
+        email: token.user?.email,
+        source: "codebase",
+    };
+}
+/**
+ * Run the full browser OAuth flow:
+ *   1. PKCE: generate verifier + challenge + state
+ *   2. Bind a localhost HTTP server on a random port
+ *   3. Open the authorization URL in the user's browser
+ *   4. Wait for /callback, validate state
+ *   5. Exchange the code for tokens
+ *
+ * Returns ready-to-save Credentials.
+ */
+export async function runOAuthLogin(config, openBrowserFn = openBrowser) {
+    const verifier = generateCodeVerifier();
+    const challenge = generateCodeChallenge(verifier);
+    const state = generateState();
+    const server = createServer();
+    await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(0, "127.0.0.1", () => resolve());
+    });
+    const port = server.address().port;
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    const authUrl = buildAuthorizationUrl(config, { codeChallenge: challenge, state, redirectUri });
+    const callbackPromise = awaitCallback(server, state, config.timeoutMs ?? DEFAULT_TIMEOUT_MS);
+    try {
+        await openBrowserFn(authUrl);
+    }
+    catch (err) {
+        server.close();
+        throw new Error(`couldn't open browser automatically: ${err instanceof Error ? err.message : String(err)}. ` +
+            `Open this URL manually:\n${authUrl}`);
+    }
+    const { code } = await callbackPromise;
+    return exchangeCode(config, { code, codeVerifier: verifier, redirectUri });
+}
+/** Best-effort browser open. Falls back to printing the URL on platforms we can't detect. */
+export async function openBrowser(url) {
+    const command = browserOpenCommand(url);
+    if (!command) {
+        throw new Error(`unsupported platform ${process.platform}`);
+    }
+    await new Promise((resolve, reject) => {
+        exec(command, (err) => (err ? reject(err) : resolve()));
+    });
+}
+function browserOpenCommand(url) {
+    const escaped = url.replace(/"/g, '\\"');
+    if (process.platform === "darwin")
+        return `open "${escaped}"`;
+    if (process.platform === "win32")
+        return `start "" "${escaped}"`;
+    if (process.platform === "linux")
+        return `xdg-open "${escaped}"`;
+    return null;
+}
+//# sourceMappingURL=flow.js.map

package/dist/auth/flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flow.js","sourceRoot":"","sources":["../../src/auth/flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,YAAY,EAA0D,MAAM,WAAW,CAAC;AAGjG,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE3G,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,sDAAsD;AAyBhG;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAmB,EAAE,MAA8B;IACxF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC7C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACnD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IAC7D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IACtD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACvB,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,aAAqB,EAAE,SAAiB;IACrF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACtC,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,WAAW,GAAG,CAAC,KAAqB,EAAQ,EAAE;YACnD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,CAAC;QAChB,CAAC,CAAC;QACF,MAAM,UAAU,GAAG,CAAC,GAAU,EAAQ,EAAE;YACvC,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACb,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,UAAU,CAAC,IAAI,KAAK,CAAC,kCAAkC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1F,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YAClE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YACxD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAClC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;gBACrE,OAAO;YACR,CAAC;YACD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5C,IAAI,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,CAAC;gBAC7D,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,mBAAmB,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAClF,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,UAAU,CAAC,IAAI,KAAK,CAAC,kCAAkC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC5F,OAAO;YACR,CAAC;YACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACX,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,iDAAiD,CAAC,CAAC;gBAC9E,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,UAAU,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;gBAC/D,OAAO;YACR,CAAC;YACD,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,aAAa,CAAC,EAAE,CAAC;gBAC/C,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,iDAAiD,CAAC,CAAC;gBAC9E,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,UAAU,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;gBACvD,OAAO;YACR,CAAC;YAED,cAAc,CAAC,GAAG,EAAE,IAAI,EAAE,oCAAoC,CAAC,CAAC;YAChE,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,WAAW,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC1B,UAAU,CAAC,GAAG,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,GAAmB,EAAE,EAAW,EAAE,OAAe;IACxE,MAAM,IAAI,GAAG;;;MAGR,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;KACf,OAAO;eACG,CAAC;IACf,GAAG,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IAChC,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;IAC1D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CACjC,MAAmB,EACnB,MAAmE;IAEnE,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAChC,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,YAAY,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QACxC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE,MAAM,EAAE,kBAAkB,EAAE;QAC5F,IAAI;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACd,0BAA0B,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACjG,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;IACjD,OAAO,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAmB,EAAE,YAAoB;IACjF,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAChC,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,YAAY;KAC3B,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,UAAU,EAAE;QAC1C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE,MAAM,EAAE,kBAAkB,EAAE;QAC5F,IAAI;KACJ,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;IACjD,OAAO,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAmB,EAAE,WAAmB;IACzE,IAAI,CAAC,MAAM,CAAC,SAAS;QAAE,OAAO;IAC9B,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC;QACJ,MAAM,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE;YAC7B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI;SACJ,CAAC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACR,2DAA2D;IAC5D,CAAC;AACF,CAAC;AAWD,SAAS,kBAAkB,CAAC,KAAoB,EAAE,MAAmB;IACpE,IAAI,CAAC,KAAK,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAChF,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IAC9F,OAAO;QACN,OAAO,EAAE,CAAC;QACV,WAAW,EAAE,KAAK,CAAC,YAAY;QAC/B,YAAY,EAAE,KAAK,CAAC,aAAa;QACjC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;QAC9E,MAAM;QACN,MAAM,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE;QACtB,KAAK,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK;QACxB,MAAM,EAAE,UAAU;KAClB,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,MAAmB,EACnB,gBAAgD,WAAW;IAE3D,MAAM,QAAQ,GAAG,oBAAoB,EAAE,CAAC;IACxC,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAE9B,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,GAAI,MAAM,CAAC,OAAO,EAAkB,CAAC,IAAI,CAAC;IACpD,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;IACxD,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IAEhG,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,SAAS,IAAI,kBAAkB,CAAC,CAAC;IAE7F,IAAI,CAAC;QACJ,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,MAAM,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACd,wCAAwC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI;YAC3F,4BAA4B,OAAO,EAAE,CACtC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,eAAe,CAAC;IACvC,OAAO,YAAY,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,6FAA6F;AAC7F,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAW;IAC5C,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,wBAAwB,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACtC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,SAAS,OAAO,GAAG,CAAC;IAC9D,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,aAAa,OAAO,GAAG,CAAC;IACjE,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,aAAa,OAAO,GAAG,CAAC;IACjE,OAAO,IAAI,CAAC;AACb,CAAC"}

package/dist/auth/pkce.js

@@ -0,0 +1,46 @@
+import { createHash, randomBytes } from "node:crypto";
+/**
+ * PKCE helpers for RFC 7636. Used by the OAuth flow to bind the
+ * /callback redirect to this specific login attempt — without these
+ * the auth code on the redirect URL would be replayable.
+ */
+const VERIFIER_BYTE_LENGTH = 64;
+const STATE_BYTE_LENGTH = 24;
+/**
+ * Base64url encoding without padding (RFC 7636 §4.2). Node's
+ * `Buffer.toString("base64url")` lands in the right shape; this
+ * wrapper exists so call sites can swap to a different encoder
+ * without rippling through.
+ */
+export function base64url(buf) {
+    return buf.toString("base64url");
+}
+/** Generate the code_verifier — 64 random bytes, base64url-encoded. */
+export function generateCodeVerifier() {
+    return base64url(randomBytes(VERIFIER_BYTE_LENGTH));
+}
+/** Derive the code_challenge from a code_verifier using SHA-256 (RFC 7636 §4.2). */
+export function generateCodeChallenge(verifier) {
+    if (typeof verifier !== "string" || verifier.length === 0) {
+        throw new Error("code verifier must be a non-empty string");
+    }
+    return base64url(createHash("sha256").update(verifier).digest());
+}
+/** Generate an anti-CSRF state token, base64url-encoded random bytes. */
+export function generateState() {
+    return base64url(randomBytes(STATE_BYTE_LENGTH));
+}
+/**
+ * Constant-time comparison for state validation to avoid timing leaks
+ * in the (unlikely) event an attacker probes the callback handler.
+ */
+export function constantTimeEquals(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return diff === 0;
+}
+//# sourceMappingURL=pkce.js.map

package/dist/auth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/auth/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD;;;;GAIG;AAEH,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAChC,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACpC,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClC,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,oBAAoB;IACnC,OAAO,SAAS,CAAC,WAAW,CAAC,oBAAoB,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACrD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa;IAC5B,OAAO,SAAS,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,CAAS,EAAE,CAAS;IACtD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACnB,CAAC"}

package/dist/cli.js

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+import { jsx as _jsx } from "react/jsx-runtime";
+import { readFileSync } from "node:fs";
+import { render } from "ink";
+import { runAuthSubcommand } from "./auth/cli.js";
+import { loadDotEnv } from "./dotenv/loader.js";
+import { runHeadless } from "./headless/run.js";
+import { App } from "./ui/App.js";
+// Auto-load .env files before any subsystem reads process.env.
+loadDotEnv();
+const argv = process.argv.slice(2);
+if (argv[0] === "--version" || argv[0] === "-v") {
+    process.stdout.write(`${readPackageVersion()}\n`);
+    process.exit(0);
+}
+else if (argv[0] === "--help" || argv[0] === "-h") {
+    printHelp();
+    process.exit(0);
+}
+else if (argv[0] === "auth") {
+    runAuthSubcommand(argv).then((code) => process.exit(code));
+}
+else if (argv[0] === "run") {
+    const prompt = argv.slice(1).join(" ").trim();
+    if (!prompt) {
+        process.stderr.write("usage: codebase run <prompt>\n");
+        process.exit(2);
+    }
+    runHeadless({ prompt }).then((code) => process.exit(code));
+}
+else {
+    const instance = render(_jsx(App, {}));
+    instance.waitUntilExit().catch(() => {
+        process.exit(1);
+    });
+}
+function readPackageVersion() {
+    // dist/cli.js → ../package.json. Works for tsc-emitted output; if
+    // we ever ship a bundled binary this needs to switch to a build-time
+    // version constant.
+    try {
+        const url = new URL("../package.json", import.meta.url);
+        const pkg = JSON.parse(readFileSync(url, "utf8"));
+        return pkg.version ?? "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+function printHelp() {
+    process.stdout.write([
+        "codebase — AI coding agent in your terminal",
+        "",
+        "Usage:",
+        "  codebase                     run the interactive TUI in the current directory",
+        "  codebase run <prompt>        one-shot headless run, prints to stdout",
+        "  codebase auth login          sign in via codebase.foundation OAuth",
+        "  codebase auth logout         revoke the current session",
+        "  codebase auth status         show current sign-in",
+        "  codebase auth refresh        force-refresh the access token",
+        "  codebase auth <cbk_xxx>      save a manual API key (for SSH / headless)",
+        "  codebase --version           print version and exit",
+        "  codebase --help              show this message",
+        "",
+        "More: https://github.com/codebase-foundation/codebase-cli",
+        "",
+    ].join("\n"));
+}
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.tsx"],"names":[],"mappings":";;AACA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAElC,+DAA+D;AAC/D,UAAU,EAAE,CAAC;AAEb,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;IACjD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,kBAAkB,EAAE,IAAI,CAAC,CAAC;IAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC;KAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;IACrD,SAAS,EAAE,CAAC;IACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC;KAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;IAC/B,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC5D,CAAC;KAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IACD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC5D,CAAC;KAAM,CAAC;IACP,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAC,GAAG,KAAG,CAAC,CAAC;IACjC,QAAQ,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;QACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB;IAC1B,kEAAkE;IAClE,qEAAqE;IACrE,oBAAoB;IACpB,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAyB,CAAC;QAC1E,OAAO,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,SAAS,CAAC;IAClB,CAAC;AACF,CAAC;AAED,SAAS,SAAS;IACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB;QACC,6CAA6C;QAC7C,EAAE;QACF,QAAQ;QACR,iFAAiF;QACjF,wEAAwE;QACxE,sEAAsE;QACtE,2DAA2D;QAC3D,qDAAqD;QACrD,+DAA+D;QAC/D,2EAA2E;QAC3E,uDAAuD;QACvD,kDAAkD;QAClD,EAAE;QACF,2DAA2D;QAC3D,EAAE;KACF,CAAC,IAAI,CAAC,IAAI,CAAC,CACZ,CAAC;AACH,CAAC"}

package/dist/clipboard/copy.js

@@ -0,0 +1,106 @@
+import { spawn } from "node:child_process";
+const DEFAULT_MAX_BYTES = 75_000;
+/**
+ * Push text to the system clipboard via the most reliable available
+ * channel. Strategy:
+ *   1. SSH session → OSC 52 (only path that crosses the network)
+ *   2. macOS → pbcopy (rock solid)
+ *   3. WSL → clip.exe (writes to Windows clipboard from WSL)
+ *   4. Linux Wayland with wl-copy installed → wl-copy
+ *   5. Linux X11 with xclip installed → xclip
+ *   6. fallback → OSC 52 (works in most modern terminals)
+ *
+ * Caller can override via `options.method` for tests or to force a
+ * specific path. Always returns the actual method used and the byte
+ * count written; throws if the method's underlying transport fails.
+ */
+export async function copyToClipboard(text, options = {}) {
+    const max = options.maxBytes ?? DEFAULT_MAX_BYTES;
+    const truncated = Buffer.byteLength(text, "utf8") > max;
+    const payload = truncated ? text.slice(0, max) : text;
+    const method = options.method ?? (await detectClipboardMethod());
+    switch (method) {
+        case "osc52":
+            writeOsc52(payload, options.stdout ?? process.stdout, options.insideTmux ?? !!process.env.TMUX);
+            break;
+        case "pbcopy":
+            await spawnCopy("pbcopy", [], payload);
+            break;
+        case "clip.exe":
+            await spawnCopy("clip.exe", [], payload);
+            break;
+        case "wl-copy":
+            await spawnCopy("wl-copy", [], payload);
+            break;
+        case "xclip":
+            await spawnCopy("xclip", ["-selection", "clipboard"], payload);
+            break;
+    }
+    return { method, bytes: Buffer.byteLength(payload, "utf8"), truncated };
+}
+export async function detectClipboardMethod(env = process.env) {
+    if (env.SSH_CONNECTION || env.SSH_CLIENT)
+        return "osc52";
+    if (process.platform === "darwin")
+        return "pbcopy";
+    if (await commandExists("clip.exe"))
+        return "clip.exe";
+    if (env.WAYLAND_DISPLAY && (await commandExists("wl-copy")))
+        return "wl-copy";
+    if (await commandExists("xclip"))
+        return "xclip";
+    return "osc52";
+}
+/**
+ * Emit an OSC 52 escape sequence carrying the base64-encoded payload.
+ * Inside tmux we wrap it in tmux's DCS pass-through so the embedding
+ * terminal still sees the escape.
+ */
+export function writeOsc52(text, stdout, insideTmux) {
+    const b64 = Buffer.from(text, "utf8").toString("base64");
+    if (insideTmux) {
+        stdout.write(`\x1bPtmux;\x1b\x1b]52;c;${b64}\x07\x1b\\`);
+    }
+    else {
+        stdout.write(`\x1b]52;c;${b64}\x07`);
+    }
+}
+function spawnCopy(cmd, args, text) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(cmd, args, { stdio: ["pipe", "ignore", "ignore"] });
+        child.on("error", reject);
+        child.on("close", (code) => {
+            if (code !== 0)
+                reject(new Error(`${cmd} exited ${code}`));
+            else
+                resolve();
+        });
+        child.stdin?.end(text, "utf8");
+    });
+}
+function commandExists(cmd) {
+    return new Promise((resolve) => {
+        const which = process.platform === "win32" ? "where" : "which";
+        const child = spawn(which, [cmd], { stdio: "ignore" });
+        child.on("error", () => resolve(false));
+        child.on("close", (code) => resolve(code === 0));
+    });
+}
+/**
+ * Pull the most-recent code block out of a markdown body. Recognizes
+ * triple-backtick fences with or without a language tag. Returns null
+ * if no fenced block is found.
+ */
+export function extractLastCodeBlock(markdown) {
+    const fenceRe = /```[^\n]*\n([\s\S]*?)```/g;
+    let match;
+    let last = null;
+    while (true) {
+        match = fenceRe.exec(markdown);
+        if (!match)
+            break;
+        last = match[1];
+    }
+    return last !== null ? last.replace(/\n$/, "") : null;
+}
+//# sourceMappingURL=copy.js.map

package/dist/clipboard/copy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"copy.js","sourceRoot":"","sources":["../../src/clipboard/copy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAqB3C,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEjC;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY,EAAE,UAAuB,EAAE;IAC5E,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,GAAG,CAAC;IACxD,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,MAAM,qBAAqB,EAAE,CAAC,CAAC;IAEjE,QAAQ,MAAM,EAAE,CAAC;QAChB,KAAK,OAAO;YACX,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAChG,MAAM;QACP,KAAK,QAAQ;YACZ,MAAM,SAAS,CAAC,QAAQ,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;YACvC,MAAM;QACP,KAAK,UAAU;YACd,MAAM,SAAS,CAAC,UAAU,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;YACzC,MAAM;QACP,KAAK,SAAS;YACb,MAAM,SAAS,CAAC,SAAS,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;YACxC,MAAM;QACP,KAAK,OAAO;YACX,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM;IACR,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;AACzE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC/E,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,UAAU;QAAE,OAAO,OAAO,CAAC;IACzD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACnD,IAAI,MAAM,aAAa,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IACvD,IAAI,GAAG,CAAC,eAAe,IAAI,CAAC,MAAM,aAAa,CAAC,SAAS,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9E,IAAI,MAAM,aAAa,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC;IACjD,OAAO,OAAO,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,MAA6B,EAAE,UAAmB;IAC1F,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzD,IAAI,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,YAAY,CAAC,CAAC;IAC1D,CAAC;SAAM,CAAC;QACP,MAAM,CAAC,KAAK,CAAC,aAAa,GAAG,MAAM,CAAC,CAAC;IACtC,CAAC;AACF,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,IAAc,EAAE,IAAY;IAC3D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;QACxE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1B,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YAC1B,IAAI,IAAI,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,GAAG,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;;gBACtD,OAAO,EAAE,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IACjC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAC/D,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvD,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACpD,MAAM,OAAO,GAAG,2BAA2B,CAAC;IAC5C,IAAI,KAA6B,CAAC;IAClC,IAAI,IAAI,GAAkB,IAAI,CAAC;IAC/B,OAAO,IAAI,EAAE,CAAC;QACb,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/B,IAAI,CAAC,KAAK;YAAE,MAAM;QAClB,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvD,CAAC"}