codepiper 0.1.4 → 0.2.0

package/.env.example

@@ -7,8 +7,11 @@
 # CODEPIPER_WS_PORT=9999                    # WebSocket port (standalone)
 
 # ── Remote Access ───────────────────────────────────────────────────
-# Comma-separated hostnames or origins allowed for WebSocket connections.
-# Required when accessing from a non-localhost domain (reverse proxy, tunnel, etc.).
+# Comma-separated list of allowed origin hostnames for WebSocket and CSRF checks.
+# Required when accessing the web dashboard from a non-localhost domain
+# (e.g., via reverse proxy, Cloudflare Tunnel, etc.).
+# Accepts bare hostnames or full origins (scheme is stripped).
+# Localhost (127.0.0.1, ::1, localhost) is always allowed implicitly.
 # CODEPIPER_ALLOWED_ORIGINS=myapp.example.com,other.dev
 
 # ── Database ────────────────────────────────────────────────────────
@@ -16,6 +19,9 @@
 
 # ── Security ───────────────────────────────────────────────────────
 # CODEPIPER_SECRET=                         # Hook authentication secret (auto-generated if unset)
+# CODEPIPER_FORCE_SECURE_COOKIES=0          # Set to 1 to force Secure auth cookies behind TLS-terminating proxies
+# CODEPIPER_TRUST_PROXY_HEADERS=0           # Set to 1 to trust X-Forwarded-For/X-Real-IP/X-Forwarded-Proto headers
+# CODEPIPER_MFA_QR_TIMEOUT_MS=8000          # Optional QR generation timeout before fallback to manual MFA key
 
 # ── Push Delivery (Optional) ───────────────────────────────────────
 # CODEPIPER_PUSH_ENABLED=0                  # Set to 1 to enable daemon web-push delivery

package/CHANGELOG.md

@@ -6,6 +6,22 @@ This project follows [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [0.2.0] - 2026-02-21
+
+### Added
+- First-run bootstrap password flow for web onboarding when no password exists.
+- CLI password rotation generator (`codepiper auth reset-password --generate`).
+- Onboarding-aware auth status signals (`onboardingPending`) across daemon and web auth state.
+
+### Changed
+- Enforced MFA-first onboarding flow for initial web sign-in.
+- Improved onboarding and production docs for bootstrap password, remote origin allowlisting, and CSRF/WS origin controls.
+- Updated setup/login UI copy and recovery flow for clearer first-run guidance.
+
+### Fixed
+- Added QR generation timeout with manual-key fallback to prevent MFA setup hangs on constrained VPS environments.
+- Hardened MFA setup handling in API/UI paths with explicit failure and retry behavior.
+
 ## [0.1.4] - 2026-02-20
 
 ### Fixed

package/README.md

@@ -224,7 +224,7 @@ codepiper daemon --web --port 3456
 Then:
 1. Open `http://127.0.0.1:3000` (or your custom port).
 2. Complete onboarding:
-   1. Set admin password.
+   1. Sign in with the bootstrap password printed by the daemon on first web start.
    2. Set up and verify MFA (required before first sign-in).
 3. Create your first session in **Sessions**.
 4. Send a prompt from terminal/conversation view.
@@ -232,8 +232,10 @@ Then:
 ### First-Run Onboarding (Mandatory MFA)
 
 Web onboarding is a strict two-step flow:
-1. Set your admin password.
-2. Complete TOTP MFA setup and verification.
+1. Daemon generates a secure bootstrap password once (printed on first `codepiper daemon --web` run).
+   - Password is printed only on TTY startup (not in non-interactive service logs).
+   - For headless/service deployments, rotate/generate from host CLI: `codepiper auth reset-password --generate`
+2. After signing in with that password, complete TOTP MFA setup and verification.
 
 Until MFA verification succeeds, the dashboard remains in onboarding mode and does not issue a normal authenticated session.
 
@@ -242,6 +244,12 @@ MFA disable/reset is CLI-only:
 codepiper auth reset-mfa
 ```
 
+Rotate password with a generated secure value:
+```bash
+codepiper auth reset-password --generate
+```
+If MFA is not enabled, this command forces MFA onboarding on the next sign-in.
+
 ### Direct Tmux Attach
 
 Use this when you want to attach from your local terminal without going through CLI streaming:
@@ -375,8 +383,13 @@ Environment Variables:
   CODEPIPER_DB_PATH       SQLite database path (default: ~/.codepiper/codepiper.db)
   CODEPIPER_WS_PORT       WebSocket port (default: 9999)
   CODEPIPER_HTTP_PORT     HTTP port (default: 3000, overridden by --port)
+  CODEPIPER_ALLOWED_ORIGINS       Comma-separated allowed origin hostnames for WebSocket and CSRF checks.
+                                  Required when accessing the dashboard from a non-localhost domain
+                                  (e.g., via reverse proxy, Cloudflare Tunnel, etc.).
+                                  Localhost is always allowed implicitly
   CODEPIPER_FORCE_SECURE_COOKIES  Optional (`1`) to force `Secure` auth cookies behind TLS-terminating proxies
   CODEPIPER_TRUST_PROXY_HEADERS   Optional (`1`) to trust proxy headers (`X-Forwarded-For`, `X-Real-IP`, `X-Forwarded-Proto`) for client IP and secure-cookie inference
+  CODEPIPER_MFA_QR_TIMEOUT_MS     Optional QR generation timeout in ms before manual-key fallback (default: 8000)
   CODEPIPER_PUSH_ENABLED  Optional daemon push delivery toggle (`1` to enable)
   CODEPIPER_PUSH_PUBLIC_KEY   Optional Base64URL VAPID public key for daemon push delivery
   CODEPIPER_PUSH_PRIVATE_KEY  Optional Base64URL VAPID private key for daemon push delivery
@@ -476,7 +489,8 @@ Sessions support two billing modes via `--billing` flag or `billingMode` API par
 - Unix socket API is trusted local access (no session token required)
 - HTTP/WebSocket dashboard routes enforce session auth when auth is configured
 - MFA disable/reset is CLI-only (`codepiper auth reset-mfa`) to reduce browser downgrade risk
-- Browser-originated mutating HTTP API requests require same-origin (CSRF mitigation)
+- Browser-originated mutating HTTP API requests require same-origin or `CODEPIPER_ALLOWED_ORIGINS` match (CSRF mitigation)
+- WebSocket upgrades gated by `Origin` header (CSWSH prevention) — only localhost and `CODEPIPER_ALLOWED_ORIGINS` accepted
 - Input validation prevents injection attacks
 - Audit logs for all permission decisions
 - Remote access recommended via SSH port forwarding

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codepiper",
-  "version": "0.1.4",
+  "version": "0.2.0",
   "description": "Orchestrate Claude Code and Codex sessions from one control plane: policy-guarded, real-time, and recoverable across devices.",
   "license": "MIT",
   "author": "g3ortega",

package/packages/cli/src/commands/auth.ts

@@ -7,7 +7,7 @@ interface AuthOptions {
   args: string[];
 }
 
-function parseAuthOptions(args: string[]): AuthOptions {
+export function parseAuthOptions(args: string[]): AuthOptions {
   let socket = "/tmp/codepiper.sock";
   const positional: string[] = [];
 
@@ -69,7 +69,41 @@ async function handleStatus(socket: string): Promise<void> {
   }
 }
 
-async function handleResetPassword(socket: string): Promise<void> {
+interface ResetPasswordFlags {
+  generate: boolean;
+}
+
+export function parseResetPasswordFlags(args: string[]): ResetPasswordFlags {
+  const flags: ResetPasswordFlags = { generate: false };
+  for (const arg of args) {
+    if (arg === "--generate" || arg === "-g") {
+      flags.generate = true;
+      continue;
+    }
+    throw new Error(`Unknown reset-password option: ${arg}`);
+  }
+  return flags;
+}
+
+async function handleResetPassword(socket: string, args: string[]): Promise<void> {
+  const flags = parseResetPasswordFlags(args);
+  if (flags.generate) {
+    const result = await daemonRequest<{ ok: boolean; generated: boolean; password: string }>(
+      socket,
+      "/auth/cli/reset-password",
+      {
+        method: "POST",
+        body: JSON.stringify({ generate: true }),
+      }
+    );
+
+    console.log("\x1b[32m✓\x1b[0m Password rotated with a generated secure value");
+    console.log(`  New password: ${result.password}`);
+    console.log("  All existing sessions have been invalidated.");
+    console.log("  Keep this password secure and complete MFA onboarding if prompted.");
+    return;
+  }
+
   process.stdout.write("New password: ");
   const password = await readPasswordFromStdin();
 
@@ -240,7 +274,7 @@ export async function runAuthCommand(args: string[]): Promise<void> {
       await handleStatus(options.socket);
       break;
     case "reset-password":
-      await handleResetPassword(options.socket);
+      await handleResetPassword(options.socket, options.args);
       break;
     case "reset-mfa":
       await handleResetMfa(options.socket);
@@ -254,7 +288,7 @@ export async function runAuthCommand(args: string[]): Promise<void> {
     default:
       console.error(`Unknown auth subcommand: ${options.subcommand}`);
       console.error(
-        "Available subcommands: status, reset-password, reset-mfa, sessions, revoke-all"
+        "Available subcommands: status, reset-password [--generate], reset-mfa, sessions, revoke-all"
       );
       process.exit(1);
   }

package/packages/cli/src/main.ts

@@ -114,7 +114,7 @@ Manage authentication and security settings.
 
 Subcommands:
   status          Show auth configuration status
-  reset-password  Reset the dashboard password
+  reset-password  Reset the dashboard password (or generate one)
   reset-mfa       Disable two-factor authentication
   sessions        List active login sessions
   revoke-all      Revoke all active sessions
@@ -125,6 +125,7 @@ Options:
 Examples:
   codepiper auth status
   codepiper auth reset-password
+  codepiper auth reset-password --generate
   codepiper auth reset-mfa
   codepiper auth sessions
   codepiper auth revoke-all`,

package/packages/daemon/src/api/authRoutes.ts

@@ -46,13 +46,20 @@ export async function handleAuthStatus(req: Request, ctx: RouteContext): Promise
     return Response.json({
       setupRequired: false,
       mfaEnabled: false,
+      onboardingPending: false,
       authenticated: false,
       authEnabled: false,
     });
   }
 
   const setupRequired = authService.isSetupRequired();
-  const mfaSetupRequired = !setupRequired && authService.isMfaSetupPending();
+  const onboardingPending = !setupRequired && authService.isMfaSetupPending();
+  let mfaSetupRequired = false;
+  if (onboardingPending) {
+    const onboardingTokenHash = extractAndHashOnboardingToken(req);
+    mfaSetupRequired =
+      onboardingTokenHash !== null && authService.validateOnboardingToken(onboardingTokenHash);
+  }
   const tokenHash = extractAndHashToken(req);
   const authenticated = tokenHash ? authService.validateSession(tokenHash) : false;
 
@@ -62,7 +69,13 @@ export async function handleAuthStatus(req: Request, ctx: RouteContext): Promise
     mfaEnabled = config?.totpEnabled ?? false;
   }
 
-  return Response.json({ setupRequired, mfaEnabled, mfaSetupRequired, authenticated });
+  return Response.json({
+    setupRequired,
+    mfaEnabled,
+    mfaSetupRequired,
+    onboardingPending,
+    authenticated,
+  });
 }
 
 export async function handleAuthSetup(req: Request, ctx: RouteContext): Promise<Response> {
@@ -233,8 +246,15 @@ export async function handleMfaSetup(_req: Request, ctx: RouteContext): Promise<
     return Response.json({ error: "Auth not configured" }, { status: 500 });
   }
 
-  const result = await authService.generateTotpSetup();
-  return Response.json(result);
+  try {
+    const result = await authService.generateTotpSetup();
+    return Response.json(result);
+  } catch (error) {
+    if (error instanceof AuthError) {
+      return Response.json({ error: error.message, code: error.code }, { status: 400 });
+    }
+    return Response.json({ error: "Failed to generate MFA setup data" }, { status: 500 });
+  }
 }
 
 export async function handleMfaVerify(req: Request, ctx: RouteContext): Promise<Response> {
@@ -318,12 +338,30 @@ export async function handleCliResetPassword(req: Request, ctx: RouteContext): P
 
   try {
     const body = (await req.json()) as Record<string, unknown>;
-    const password = getStringField(body, "password");
-    if (!password) {
-      return Response.json({ error: "Password is required" }, { status: 400 });
+    const shouldGenerate = body.generate === true;
+
+    let password: string;
+    if (shouldGenerate) {
+      password = authService.generateSecurePassword();
+    } else {
+      const provided = getStringField(body, "password");
+      if (!provided) {
+        return Response.json({ error: "Password is required" }, { status: 400 });
+      }
+      password = provided;
     }
 
     await authService.resetPassword(password);
+
+    // Re-enter MFA onboarding when MFA is not currently enabled
+    const config = ctx.db.getAuthConfig();
+    if (config && !config.totpEnabled) {
+      ctx.db.updateAuthOnboardingState(true, null, null);
+    }
+
+    if (shouldGenerate) {
+      return Response.json({ ok: true, generated: true, password });
+    }
     return Response.json({ ok: true });
   } catch (error) {
     if (error instanceof AuthError) {

package/packages/daemon/src/auth/authService.ts

@@ -18,6 +18,8 @@ const ONBOARDING_TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours
 const TOTP_WINDOW = 1; // ±1 step (90 seconds total)
 const RECOVERY_CODE_COUNT = 8;
 const MIN_PASSWORD_LENGTH = 8;
+const GENERATED_PASSWORD_LENGTH = 24;
+const DEFAULT_MFA_QR_TIMEOUT_MS = 8000;
 
 export interface LoginResult {
   token: string;
@@ -35,7 +37,7 @@ export interface MfaSetupRequiredResult {
 export interface TotpSetupResult {
   secret: string;
   otpauthUri: string;
-  qrDataUrl: string;
+  qrDataUrl: string | null;
 }
 
 export interface TotpVerifyResult {
@@ -46,6 +48,10 @@ export interface OnboardingTotpVerifyResult extends TotpVerifyResult {
   token: string;
 }
 
+export interface BootstrapPasswordResult {
+  password: string;
+}
+
 export class AuthService {
   private pendingTotpSecret: string | null = null;
 
@@ -97,6 +103,27 @@ export class AuthService {
     };
   }
 
+  async initializeBootstrapPassword(): Promise<BootstrapPasswordResult> {
+    if (!this.isSetupRequired()) {
+      throw new AuthError("Password is already configured", "PASSWORD_ALREADY_CONFIGURED");
+    }
+
+    const password = this.generateSecurePassword();
+    const hash = await Bun.password.hash(password, {
+      algorithm: "argon2id",
+      memoryCost: 65536,
+      timeCost: 3,
+    });
+
+    this.db.createAuthConfig(hash, {
+      mfaSetupPending: true,
+      onboardingTokenHash: null,
+      onboardingTokenExpiresAt: null,
+    });
+
+    return { password };
+  }
+
   // ─── Login ────────────────────────────────────────────────────────
 
   async login(
@@ -269,7 +296,15 @@ export class AuthService {
     });
 
     const otpauthUri = totp.toString();
-    const qrDataUrl = await QRCode.toDataURL(otpauthUri);
+    let qrDataUrl: string | null = null;
+    try {
+      qrDataUrl = await this.withTimeout(QRCode.toDataURL(otpauthUri), this.getQrTimeoutMs());
+    } catch (error) {
+      console.warn(
+        "[auth] QR generation failed or timed out; falling back to manual setup key only:",
+        error
+      );
+    }
 
     // Store pending secret (not persisted until verified)
     this.pendingTotpSecret = secret.base32;
@@ -457,6 +492,70 @@ export class AuthService {
     return codes;
   }
 
+  generateSecurePassword(length = GENERATED_PASSWORD_LENGTH): string {
+    const safeLength = Math.max(length, MIN_PASSWORD_LENGTH);
+    const charSets = {
+      upper: "ABCDEFGHJKLMNPQRSTUVWXYZ",
+      lower: "abcdefghijkmnopqrstuvwxyz",
+      digits: "23456789",
+      symbols: "!@#$%^&*_-+=",
+    };
+    const allChars = Object.values(charSets).join("");
+
+    const pickFrom = (set: string): string => set.charAt(crypto.randomInt(0, set.length));
+
+    // Guarantee at least one character from each class
+    const chars: string[] = [
+      pickFrom(charSets.upper),
+      pickFrom(charSets.lower),
+      pickFrom(charSets.digits),
+      pickFrom(charSets.symbols),
+    ];
+
+    for (let i = chars.length; i < safeLength; i++) {
+      chars.push(pickFrom(allChars));
+    }
+
+    // Fisher-Yates shuffle
+    for (let i = chars.length - 1; i > 0; i--) {
+      const j = crypto.randomInt(0, i + 1);
+      const tmp = chars[i] ?? "";
+      chars[i] = chars[j] ?? "";
+      chars[j] = tmp;
+    }
+
+    return chars.join("");
+  }
+
+  private getQrTimeoutMs(): number {
+    const raw = process.env.CODEPIPER_MFA_QR_TIMEOUT_MS;
+    if (!raw) {
+      return DEFAULT_MFA_QR_TIMEOUT_MS;
+    }
+    const parsed = Number.parseInt(raw, 10);
+    if (!Number.isFinite(parsed) || parsed <= 0) {
+      return DEFAULT_MFA_QR_TIMEOUT_MS;
+    }
+    return parsed;
+  }
+
+  private async withTimeout<T>(promise: Promise<T>, timeoutMs: number): Promise<T> {
+    let timeoutHandle: ReturnType<typeof setTimeout> | undefined;
+    try {
+      return await Promise.race([
+        promise,
+        new Promise<never>((_resolve, reject) => {
+          timeoutHandle = setTimeout(
+            () => reject(new Error("QR code generation timed out")),
+            timeoutMs
+          );
+        }),
+      ]);
+    } finally {
+      clearTimeout(timeoutHandle);
+    }
+  }
+
   private hashRecoveryCode(code: string): string {
     return crypto.createHash("sha256").update(code).digest("hex");
   }

package/packages/daemon/src/main.ts

@@ -372,7 +372,7 @@ async function main() {
   }
 
   // Initialize authentication
-  const { AuthService } = await import("./auth/authService");
+  const { AuthError, AuthService } = await import("./auth/authService");
   const { RateLimiter } = await import("./auth/rateLimiter");
   const { getOrCreateEncryptionKey, getOrCreateHookSecret } = await import("./crypto/encryption");
 
@@ -388,8 +388,30 @@ async function main() {
     console.log(`Cleaned up ${expiredSessions} expired auth session(s)`);
   }
 
-  if (authService.isSetupRequired()) {
-    console.log("Auth: No password configured. Web dashboard will show setup page.");
+  if (authService.isSetupRequired() && cliArgs.web) {
+    try {
+      const bootstrap = await authService.initializeBootstrapPassword();
+      console.log("Auth: Generated first-run bootstrap password for web onboarding.");
+      if (process.stdout.isTTY) {
+        console.log(`Auth: Bootstrap password: ${bootstrap.password}`);
+      } else {
+        console.log(
+          "Auth: Bootstrap password was generated but is not printed because stdout is not a TTY."
+        );
+      }
+      console.log("Auth: Sign in once with this password, then complete mandatory MFA setup.");
+      console.log("Auth: Rotate anytime with `codepiper auth reset-password --generate`.");
+    } catch (error) {
+      // Race guard: another process may have configured the password between the check and now
+      if (!(error instanceof AuthError && error.code === "PASSWORD_ALREADY_CONFIGURED")) {
+        throw error;
+      }
+      console.log("Auth: Password configured. Web dashboard requires login.");
+    }
+  } else if (authService.isSetupRequired()) {
+    console.log(
+      "Auth: No password configured yet. Start with `codepiper daemon --web` to auto-generate a bootstrap password."
+    );
   } else {
     console.log("Auth: Password configured. Web dashboard requires login.");
   }

package/packages/web/dist/assets/{AnalyticsPage-tt9VQaeG.js → AnalyticsPage-B2Jo5KhD.js}

@@ -1,4 +1,4 @@
-import{r as i,j as e}from"./react-vendor-B5MgMUHH.js";import{c as A,a as f,f as h,u as U,S as ne,b as le,d as ce,e as de,g as N,B as xe,M as me,A as he,Z as pe}from"./index-DcbqZfqt.js";import{R as g,A as B,C as E,X as w,Y as S,T as v,a as u,B as K,b as F,P as ue,d as fe,e as je}from"./chart-vendor-DlOHLaCG.js";import"./monaco-core-DQ5Mk8AK.js";/**
+import{r as i,j as e}from"./react-vendor-B5MgMUHH.js";import{c as A,a as f,f as h,u as U,S as ne,b as le,d as ce,e as de,g as N,B as xe,M as me,A as he,Z as pe}from"./index-CpYkYxsw.js";import{R as g,A as B,C as E,X as w,Y as S,T as v,a as u,B as K,b as F,P as ue,d as fe,e as je}from"./chart-vendor-DlOHLaCG.js";import"./monaco-core-DQ5Mk8AK.js";/**
  * @license lucide-react v0.564.0 - ISC
  *
  * This source code is licensed under the ISC license.

package/packages/web/dist/assets/{PoliciesPage-GcKOy8iE.js → PoliciesPage-Co0wDxU6.js}

@@ -1,4 +1,4 @@
-import{r as c,j as e}from"./react-vendor-B5MgMUHH.js";import{c as z,S as V,b as O,d as U,e as q,g as y,h as v,i as B,j as f,u,B as p,P as D,I as j,D as S,k as $,l as F,m as I,n as E,o as R,p as T,C as X,q as J,X as K,r as L}from"./index-DcbqZfqt.js";import{T as _}from"./trash-2-DCNTb20S.js";import{P as Q,L as k}from"./pencil-CSMVe0ds.js";import{T as Y,a as Z,b as C,c as P}from"./tabs-Ckbv8J0d.js";import"./monaco-core-DQ5Mk8AK.js";import"./chart-vendor-DlOHLaCG.js";/**
+import{r as c,j as e}from"./react-vendor-B5MgMUHH.js";import{c as z,S as V,b as O,d as U,e as q,g as y,h as v,i as B,j as f,u,B as p,P as D,I as j,D as S,k as $,l as F,m as I,n as E,o as R,p as T,C as X,q as J,X as K,r as L}from"./index-CpYkYxsw.js";import{T as _}from"./trash-2-kiez5gqY.js";import{P as Q,L as k}from"./pencil-BQdMfs6R.js";import{T as Y,a as Z,b as C,c as P}from"./tabs-8Wa2H5Vg.js";import"./monaco-core-DQ5Mk8AK.js";import"./chart-vendor-DlOHLaCG.js";/**
  * @license lucide-react v0.564.0 - ISC
  *
  * This source code is licensed under the ISC license.

package/packages/web/dist/assets/{SessionDetailPage-CXhaRigf.js → SessionDetailPage-B02hN2vV.js}

@@ -1,5 +1,5 @@
 const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/monacoSetup-DvBj52bT.js","assets/monaco-react-DfZNWvtW.js","assets/react-vendor-B5MgMUHH.js","assets/monaco-core-DQ5Mk8AK.js","assets/monaco-core-B_19GPAS.css"])))=>i.map(i=>d[i]);
-import{r as u,j as t,k as ur,l as hs,o as gt,m as pt,n as wn,p as At,q as Vt,t as ps,w as dr,E as xs,x as kn,y as Rt,z as ke,A as gs,C as bs,D as We,F as Zt,G as ys,H as St,I as ft,J as vs,M as ws,K as ks,u as js}from"./react-vendor-B5MgMUHH.js";import{c as K,j as A,q as xt,i as Gt,S as mr,b as fr,G as jn,d as hr,e as pr,g as pn,s as Ns,a as Qe,t as xr,C as gr,u as q,T as Cs,v as Ss,B as Ke,P as Es,X as et,r as Rs,h as Et,L as br,w as Ae,x as yr,M as vr,y as en,z as wr,E as Ts,F as As,H as Ms,J as Ds,K as Ps,N as Ls,O as _s,Q as Fs,R as zs,U as $s,I as Is,V as Os,W as Bs,Y as Hs,_ as Us,$ as qs}from"./index-DcbqZfqt.js";import{_ as In}from"./monaco-core-DQ5Mk8AK.js";import{R as Vs}from"./refresh-cw-CdfhRXCd.js";import{L as On,P as Ks}from"./pencil-CSMVe0ds.js";import{x as Gs,a as Ws}from"./terminal-vendor-Cs8KPbV3.js";import{T as Qs,a as Ys,b as Xs,c as kt}from"./tabs-Ckbv8J0d.js";import"./chart-vendor-DlOHLaCG.js";/**
+import{r as u,j as t,k as ur,l as hs,o as gt,m as pt,n as wn,p as At,q as Vt,t as ps,w as dr,E as xs,x as kn,y as Rt,z as ke,A as gs,C as bs,D as We,F as Zt,G as ys,H as St,I as ft,J as vs,M as ws,K as ks,u as js}from"./react-vendor-B5MgMUHH.js";import{c as K,j as A,q as xt,i as Gt,S as mr,b as fr,G as jn,d as hr,e as pr,g as pn,s as Ns,a as Qe,t as xr,C as gr,u as q,T as Cs,v as Ss,B as Ke,P as Es,X as et,r as Rs,h as Et,L as br,w as Ae,x as yr,M as vr,y as en,z as wr,E as Ts,F as As,H as Ms,J as Ds,K as Ps,N as Ls,O as _s,Q as Fs,R as zs,U as $s,I as Is,V as Os,W as Bs,Y as Hs,_ as Us,$ as qs}from"./index-CpYkYxsw.js";import{_ as In}from"./monaco-core-DQ5Mk8AK.js";import{R as Vs}from"./refresh-cw-Bk2hIBMy.js";import{L as On,P as Ks}from"./pencil-BQdMfs6R.js";import{x as Gs,a as Ws}from"./terminal-vendor-Cs8KPbV3.js";import{T as Qs,a as Ys,b as Xs,c as kt}from"./tabs-8Wa2H5Vg.js";import"./chart-vendor-DlOHLaCG.js";/**
  * @license lucide-react v0.564.0 - ISC
  *
  * This source code is licensed under the ISC license.