mcp-interactive-terminal 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mcp-interactive-terminal contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,202 @@
+# mcp-interactive-terminal
+
+MCP server for interactive shell sessions. Run REPLs, SSH, database clients, and any interactive CLI through AI agents like Claude Code, Cursor, and others.
+
+## The Problem
+
+AI coding agents can't handle interactive commands — no PTY, no stdin streaming. You can't run `rails console`, `python`, `psql`, `ssh`, or any REPL through them.
+
+## The Solution
+
+This MCP server spawns real pseudo-terminals (PTY) and uses xterm-headless (the same terminal emulator as VS Code) to render clean text output. The AI sees exactly what a human would see — no raw ANSI escape codes.
+
+```
+AI Agent (Claude Code, Cursor, etc.)
+    ↕  MCP (JSON-RPC over stdio)
+MCP Terminal Server
+    ↕  node-pty (pseudo-terminal)
+Interactive Process (rails console, python, psql, ssh, bash...)
+    ↕  xterm-headless (terminal emulation)
+Clean text output
+```
+
+## Quick Start
+
+### Claude Code
+
+```bash
+claude mcp add terminal -- npx -y mcp-interactive-terminal
+```
+
+### Manual Configuration
+
+Add to `~/.claude.json` or `.mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "terminal": {
+      "command": "npx",
+      "args": ["-y", "mcp-interactive-terminal"]
+    }
+  }
+}
+```
+
+## Tools
+
+### `create_session` — Spawn an interactive process
+
+```json
+{ "command": "python3", "name": "my-python", "cwd": "/project" }
+→ { "session_id": "a1b2c3d4", "name": "my-python", "pid": 12345 }
+```
+
+**Parameters:** `command` (required), `args?`, `name?`, `cwd?`, `env?`, `cols?` (default 120), `rows?` (default 40)
+
+### `send_command` — Send input and get output
+
+```json
+{ "session_id": "a1b2c3d4", "input": "1 + 1" }
+→ { "output": "2", "is_complete": true, "is_alive": true }
+```
+
+**Parameters:** `session_id`, `input`, `timeout_ms?` (default 5000), `max_output_chars?`
+
+Dangerous commands (rm -rf, DROP TABLE, curl|bash, etc.) are blocked and require `confirm_dangerous_command` first.
+
+### `read_output` — Read terminal screen (read-only)
+
+```json
+{ "session_id": "a1b2c3d4" }
+→ { "output": ">>> ", "is_alive": true }
+```
+
+**Parameters:** `session_id`, `full_screen?` (default false)
+
+### `list_sessions` — List active sessions (read-only)
+
+```json
+→ [{ "session_id": "a1b2c3d4", "name": "my-python", "command": "python3", "pid": 12345, "is_alive": true, "created_at": "..." }]
+```
+
+### `close_session` — Kill a session
+
+```json
+{ "session_id": "a1b2c3d4" }
+→ { "success": true }
+```
+
+**Parameters:** `session_id`, `signal?` (default SIGTERM)
+
+### `send_control` — Send control characters
+
+```json
+{ "session_id": "a1b2c3d4", "control": "ctrl+c" }
+→ { "output": "^C\n>>>" }
+```
+
+**Supported keys:** ctrl+c, ctrl+d, ctrl+z, ctrl+l, ctrl+r, tab, escape, up, down, left, right, enter, backspace, delete, home, end, and more.
+
+### `confirm_dangerous_command` — Two-step safety confirmation
+
+```json
+{ "session_id": "a1b2c3d4", "input": "rm -rf /tmp/old", "justification": "Cleaning up stale temp files from failed build" }
+→ { "output": "...", "is_complete": true, "is_alive": true }
+```
+
+Required when `send_command` detects a dangerous pattern. The AI must provide a justification.
+
+## Security
+
+Seven-layer defense-in-depth model:
+
+| Layer | What It Does | Default |
+|-------|-------------|---------|
+| MCP Tool Annotations | `readOnlyHint`/`destructiveHint` on each tool | Always on |
+| Confirmation flow | Dangerous patterns require `confirm_dangerous_command` | Always on |
+| Input pattern detection | Detect rm -rf, DROP TABLE, curl\|bash, etc. | Always on |
+| Command blocklist/allowlist | Block/allow specific commands | Configurable |
+| OS-level sandbox | Kernel-level process sandboxing | Off (opt-in) |
+| Secret redaction | Redact AWS keys, tokens, private keys in output | Off (opt-in) |
+| Resource limits | Max sessions, output cap, idle timeout | Always on |
+
+**Recommended permission configuration** — only auto-approve read-only tools:
+
+```json
+{
+  "permissions": {
+    "allow": [
+      "mcp__terminal__list_sessions",
+      "mcp__terminal__read_output"
+    ]
+  }
+}
+```
+
+## Configuration
+
+All configuration via environment variables:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `MCP_TERMINAL_MAX_SESSIONS` | `10` | Max concurrent sessions |
+| `MCP_TERMINAL_MAX_OUTPUT` | `20000` | Max output chars per read |
+| `MCP_TERMINAL_DEFAULT_TIMEOUT` | `5000` | Default wait timeout (ms) |
+| `MCP_TERMINAL_BLOCKED_COMMANDS` | (none) | Comma-separated blocklist |
+| `MCP_TERMINAL_ALLOWED_COMMANDS` | (none) | Comma-separated allowlist |
+| `MCP_TERMINAL_REDACT_SECRETS` | `false` | Redact detected secrets |
+| `MCP_TERMINAL_LOG_INPUTS` | `false` | Log all inputs to stderr |
+| `MCP_TERMINAL_IDLE_TIMEOUT` | `0` | Auto-close idle sessions (ms, 0=disabled) |
+| `MCP_TERMINAL_DANGER_DETECTION` | `true` | Enable dangerous command detection |
+
+Example with env vars:
+
+```json
+{
+  "mcpServers": {
+    "terminal": {
+      "command": "npx",
+      "args": ["-y", "mcp-interactive-terminal"],
+      "env": {
+        "MCP_TERMINAL_ALLOWED_COMMANDS": "bash,python3,node,psql",
+        "MCP_TERMINAL_REDACT_SECRETS": "true",
+        "MCP_TERMINAL_IDLE_TIMEOUT": "300000"
+      }
+    }
+  }
+}
+```
+
+## How It Works
+
+### Clean Output via xterm-headless
+
+Instead of dumping raw ANSI escape codes, PTY output is fed into xterm-headless (the same terminal emulator used by VS Code, but headless). The buffer is read as plain text — properly wrapped, cursor-positioned, clean.
+
+### Smart "Command Done" Detection
+
+Layered strategy (most to least reliable):
+
+1. **Process exit** — If the process died, command is done
+2. **Prompt detection** — Auto-detects the session's prompt at startup (bash `$`, python `>>>`, psql `#`, etc.), watches for it to reappear
+3. **Output settling** — No new output for 300ms
+4. **Timeout** — Always returns after `timeout_ms` with `is_complete: false`
+
+## Development
+
+```bash
+npm install
+npm run build
+npm test
+```
+
+Test with MCP Inspector:
+
+```bash
+npx @modelcontextprotocol/inspector dist/index.js
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+/**
+ * MCP Interactive Terminal Server
+ *
+ * Provides AI agents with interactive terminal sessions via the
+ * Model Context Protocol. Supports REPLs, SSH, databases, and
+ * any interactive CLI.
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;GAMG"}

package/dist/index.js

@@ -0,0 +1,173 @@
+#!/usr/bin/env node
+/**
+ * MCP Interactive Terminal Server
+ *
+ * Provides AI agents with interactive terminal sessions via the
+ * Model Context Protocol. Supports REPLs, SSH, databases, and
+ * any interactive CLI.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { loadConfig } from "./types.js";
+import { SessionManager } from "./session-manager.js";
+import { createSessionSchema, handleCreateSession } from "./tools/create-session.js";
+import { sendCommandSchema, handleSendCommand } from "./tools/send-command.js";
+import { readOutputSchema, handleReadOutput } from "./tools/read-output.js";
+import { handleListSessions } from "./tools/list-sessions.js";
+import { closeSessionSchema, handleCloseSession } from "./tools/close-session.js";
+import { sendControlSchema, handleSendControl } from "./tools/send-control.js";
+import { confirmDangerousCommandSchema, handleConfirmDangerousCommand, } from "./tools/confirm-dangerous-command.js";
+import { initSandbox, resetSandbox } from "./sandbox.js";
+import { configureAudit, audit } from "./utils/audit-logger.js";
+const config = loadConfig();
+const sessionManager = new SessionManager(config);
+const server = new McpServer({
+    name: "mcp-interactive-terminal",
+    version: "1.0.0",
+});
+// --- Tool Registration ---
+server.tool("create_session", "Spawn an interactive terminal session (REPL, shell, database client, SSH, etc.). Returns a session_id for subsequent commands.", createSessionSchema.shape, { title: "Create Session", readOnlyHint: false, destructiveHint: false, idempotentHint: false, openWorldHint: true }, async ({ command, args, name, cwd, env, cols, rows }) => {
+    try {
+        const result = await handleCreateSession({ command, args, name, cwd, env, cols, rows }, sessionManager, config);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+server.tool("send_command", "Send a command/input to an interactive session and wait for output. Appends newline automatically. Returns clean text output (no ANSI codes). If a dangerous command is detected, you must use confirm_dangerous_command first.", sendCommandSchema.shape, { title: "Send Command", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }, async ({ session_id, input, timeout_ms, max_output_chars }) => {
+    try {
+        const result = await handleSendCommand({ session_id, input, timeout_ms, max_output_chars }, sessionManager, config);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+server.tool("read_output", "Read the current terminal screen without sending any input. Safe read-only operation.", readOutputSchema.shape, { title: "Read Output", readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: false }, async ({ session_id, full_screen }) => {
+    try {
+        const result = await handleReadOutput({ session_id, full_screen }, sessionManager, config);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+server.tool("list_sessions", "List all active interactive terminal sessions. Safe read-only operation.", {}, { title: "List Sessions", readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: false }, async () => {
+    try {
+        const result = await handleListSessions(sessionManager);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+server.tool("close_session", "Close/kill an interactive terminal session.", closeSessionSchema.shape, { title: "Close Session", readOnlyHint: false, destructiveHint: true, idempotentHint: true, openWorldHint: false }, async ({ session_id, signal }) => {
+    try {
+        const result = await handleCloseSession({ session_id, signal }, sessionManager);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+server.tool("send_control", "Send a control character or special key to a session (e.g., ctrl+c to interrupt, ctrl+d to send EOF, arrow keys, tab for completion).", sendControlSchema.shape, { title: "Send Control", readOnlyHint: false, destructiveHint: false, idempotentHint: true, openWorldHint: false }, async ({ session_id, control }) => {
+    try {
+        const result = await handleSendControl({ session_id, control }, sessionManager, config);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+server.tool("confirm_dangerous_command", "Execute a command that was flagged as dangerous by send_command. Requires a justification explaining WHY the command is necessary. This is a separate confirmation step for safety.", confirmDangerousCommandSchema.shape, { title: "Confirm Dangerous Command", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }, async ({ session_id, input, justification }) => {
+    try {
+        const result = await handleConfirmDangerousCommand({ session_id, input, justification }, sessionManager, config);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: `Error: ${err.message}` }],
+            isError: true,
+        };
+    }
+});
+// --- Lifecycle ---
+async function main() {
+    const transport = new StdioServerTransport();
+    // Initialize audit logger
+    if (config.auditLog) {
+        configureAudit(config.auditLog);
+    }
+    // Initialize sandbox if enabled
+    if (config.sandbox) {
+        await initSandbox(config);
+    }
+    // Cleanup on shutdown
+    process.on("SIGINT", async () => {
+        audit("server_stop");
+        sessionManager.closeAll();
+        await resetSandbox();
+        process.exit(0);
+    });
+    process.on("SIGTERM", async () => {
+        audit("server_stop");
+        sessionManager.closeAll();
+        await resetSandbox();
+        process.exit(0);
+    });
+    console.error("[mcp-terminal] Starting MCP Interactive Terminal Server v1.0.0");
+    console.error(`[mcp-terminal] Config: maxSessions=${config.maxSessions}, maxOutput=${config.maxOutput}, defaultTimeout=${config.defaultTimeout}ms`);
+    if (config.dangerDetection) {
+        console.error("[mcp-terminal] Dangerous command detection: ENABLED");
+    }
+    if (config.redactSecrets) {
+        console.error("[mcp-terminal] Secret redaction: ENABLED");
+    }
+    if (config.blockedCommands.length > 0) {
+        console.error(`[mcp-terminal] Blocked commands: ${config.blockedCommands.join(", ")}`);
+    }
+    if (config.allowedCommands.length > 0) {
+        console.error(`[mcp-terminal] Allowed commands: ${config.allowedCommands.join(", ")}`);
+    }
+    if (config.allowedPaths.length > 0) {
+        console.error(`[mcp-terminal] Allowed paths: ${config.allowedPaths.join(", ")}`);
+    }
+    if (config.auditLog) {
+        console.error(`[mcp-terminal] Audit log: ${config.auditLog}`);
+    }
+    audit("server_start", undefined, {
+        maxSessions: config.maxSessions,
+        dangerDetection: config.dangerDetection,
+        sandbox: config.sandbox,
+        redactSecrets: config.redactSecrets,
+        allowedCommands: config.allowedCommands,
+        blockedCommands: config.blockedCommands,
+        allowedPaths: config.allowedPaths,
+    });
+    await server.connect(transport);
+}
+main().catch((err) => {
+    console.error("[mcp-terminal] Fatal error:", err);
+    sessionManager.closeAll();
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;GAMG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAClF,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,OAAO,EACL,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAEhE,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;AAC5B,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;AAElD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,0BAA0B;IAChC,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,4BAA4B;AAE5B,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,gIAAgI,EAChI,mBAAmB,CAAC,KAAK,EACzB,EAAE,KAAK,EAAE,gBAAgB,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,EACpH,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE;IACtD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CACtC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAC7C,cAAc,EACd,MAAM,CACP,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,iOAAiO,EACjO,iBAAiB,CAAC,KAAK,EACvB,EAAE,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,EACjH,KAAK,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,EAAE,EAAE;IAC5D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CACpC,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,EACnD,cAAc,EACd,MAAM,CACP,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,aAAa,EACb,uFAAuF,EACvF,gBAAgB,CAAC,KAAK,EACtB,EAAE,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,EAChH,KAAK,EAAE,EAAE,UAAU,EAAE,WAAW,EAAE,EAAE,EAAE;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,gBAAgB,CACnC,EAAE,UAAU,EAAE,WAAW,EAAE,EAC3B,cAAc,EACd,MAAM,CACP,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,eAAe,EACf,0EAA0E,EAC1E,EAAE,EACF,EAAE,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,EAClH,KAAK,IAAI,EAAE;IACT,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,cAAc,CAAC,CAAC;QACxD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,eAAe,EACf,6CAA6C,EAC7C,kBAAkB,CAAC,KAAK,EACxB,EAAE,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,EAClH,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CACrC,EAAE,UAAU,EAAE,MAAM,EAAE,EACtB,cAAc,CACf,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,uIAAuI,EACvI,iBAAiB,CAAC,KAAK,EACvB,EAAE,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,EAClH,KAAK,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,EAAE;IAChC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CACpC,EAAE,UAAU,EAAE,OAAO,EAAE,EACvB,cAAc,EACd,MAAM,CACP,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,2BAA2B,EAC3B,qLAAqL,EACrL,6BAA6B,CAAC,KAAK,EACnC,EAAE,KAAK,EAAE,2BAA2B,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,EAC9H,KAAK,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,EAAE;IAC7C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,6BAA6B,CAChD,EAAE,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,EACpC,cAAc,EACd,MAAM,CACP,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YACrE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,oBAAoB;AAEpB,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAE7C,0BAA0B;IAC1B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAED,gCAAgC;IAChC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IAED,sBAAsB;IACtB,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;QAC9B,KAAK,CAAC,aAAa,CAAC,CAAC;QACrB,cAAc,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,YAAY,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE;QAC/B,KAAK,CAAC,aAAa,CAAC,CAAC;QACrB,cAAc,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,YAAY,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;IAChF,OAAO,CAAC,KAAK,CAAC,sCAAsC,MAAM,CAAC,WAAW,eAAe,MAAM,CAAC,SAAS,oBAAoB,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC;IAEpJ,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC3B,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CAAC,oCAAoC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CAAC,oCAAoC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,iCAAiC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,cAAc,EAAE,SAAS,EAAE;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC,CAAC;IAEH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAClD,cAAc,CAAC,QAAQ,EAAE,CAAC;IAC1B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/sandbox.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Optional OS-level sandbox integration via @anthropic-ai/sandbox-runtime.
+ *
+ * When enabled (MCP_TERMINAL_SANDBOX=true), wraps spawned commands with
+ * kernel-level filesystem and network restrictions using sandbox-exec (macOS)
+ * or bubblewrap (Linux).
+ *
+ * This is an optional feature — if the package isn't installed or the platform
+ * isn't supported, it logs a warning and falls back to unsandboxed execution.
+ */
+import type { ServerConfig } from "./types.js";
+/**
+ * Initialize the sandbox if enabled in config.
+ * Call this once at startup. Safe to call even if the package isn't installed.
+ */
+export declare function initSandbox(config: ServerConfig): Promise<boolean>;
+/**
+ * Wrap a command string with sandbox restrictions.
+ * Returns the original command unchanged if sandbox is not available.
+ */
+export declare function wrapCommand(command: string): Promise<{
+    command: string;
+    useShell: boolean;
+}>;
+/**
+ * Check if sandbox is currently active.
+ */
+export declare function isSandboxActive(): boolean;
+/**
+ * Cleanup sandbox resources on shutdown.
+ */
+export declare function resetSandbox(): Promise<void>;
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../src/sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAQ/C;;;GAGG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CA+CxE;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAYlG;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,OAAO,CAEzC;AAED;;GAEG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAQlD"}

package/dist/sandbox.js

@@ -0,0 +1,99 @@
+/**
+ * Optional OS-level sandbox integration via @anthropic-ai/sandbox-runtime.
+ *
+ * When enabled (MCP_TERMINAL_SANDBOX=true), wraps spawned commands with
+ * kernel-level filesystem and network restrictions using sandbox-exec (macOS)
+ * or bubblewrap (Linux).
+ *
+ * This is an optional feature — if the package isn't installed or the platform
+ * isn't supported, it logs a warning and falls back to unsandboxed execution.
+ */
+import { audit } from "./utils/audit-logger.js";
+// Lazy-loaded sandbox manager instance
+let sandboxManager = null;
+let sandboxInitialized = false;
+let sandboxAvailable = false;
+/**
+ * Initialize the sandbox if enabled in config.
+ * Call this once at startup. Safe to call even if the package isn't installed.
+ */
+export async function initSandbox(config) {
+    if (!config.sandbox)
+        return false;
+    try {
+        const { SandboxManager } = await import("@anthropic-ai/sandbox-runtime");
+        sandboxManager = SandboxManager;
+        // Check platform support
+        if (!SandboxManager.isSupportedPlatform()) {
+            console.error("[mcp-terminal] Sandbox: platform not supported, sandbox disabled");
+            return false;
+        }
+        // Build config from our env vars
+        const allowWrite = config.sandboxAllowWrite.length > 0
+            ? config.sandboxAllowWrite
+            : ["/tmp"];
+        const allowedDomains = config.sandboxAllowNetwork[0] === "*"
+            ? [] // Empty = no restriction (but sandbox-runtime treats empty as "block all")
+            : config.sandboxAllowNetwork;
+        // If user wants unrestricted network ("*"), we use a permissive config
+        const networkConfig = config.sandboxAllowNetwork[0] === "*"
+            ? { allowedDomains: ["*"], deniedDomains: [] }
+            : { allowedDomains, deniedDomains: [] };
+        await SandboxManager.initialize({
+            network: networkConfig,
+            filesystem: {
+                denyRead: [],
+                allowWrite,
+                denyWrite: [],
+            },
+            allowPty: true,
+        });
+        sandboxInitialized = true;
+        sandboxAvailable = true;
+        audit("sandbox_init", undefined, { allowWrite, network: config.sandboxAllowNetwork });
+        console.error(`[mcp-terminal] Sandbox: ENABLED (write: ${allowWrite.join(", ")}, network: ${config.sandboxAllowNetwork.join(", ")})`);
+        return true;
+    }
+    catch (err) {
+        audit("sandbox_fail", undefined, { error: String(err) });
+        console.error(`[mcp-terminal] Sandbox: failed to initialize (${err}). Sandbox disabled.`);
+        return false;
+    }
+}
+/**
+ * Wrap a command string with sandbox restrictions.
+ * Returns the original command unchanged if sandbox is not available.
+ */
+export async function wrapCommand(command) {
+    if (!sandboxAvailable || !sandboxManager) {
+        return { command, useShell: false };
+    }
+    try {
+        const wrapped = await sandboxManager.wrapWithSandbox(command);
+        return { command: wrapped, useShell: true };
+    }
+    catch (err) {
+        console.error(`[mcp-terminal] Sandbox: wrapWithSandbox failed (${err}), running unsandboxed`);
+        return { command, useShell: false };
+    }
+}
+/**
+ * Check if sandbox is currently active.
+ */
+export function isSandboxActive() {
+    return sandboxAvailable;
+}
+/**
+ * Cleanup sandbox resources on shutdown.
+ */
+export async function resetSandbox() {
+    if (sandboxManager && sandboxInitialized) {
+        try {
+            await sandboxManager.reset();
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../src/sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAEhD,uCAAuC;AACvC,IAAI,cAAc,GAAQ,IAAI,CAAC;AAC/B,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAC/B,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAE7B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAoB;IACpD,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;QACzE,cAAc,GAAG,cAAc,CAAC;QAEhC,yBAAyB;QACzB,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,EAAE,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;YAClF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,iCAAiC;QACjC,MAAM,UAAU,GAAG,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC;YACpD,CAAC,CAAC,MAAM,CAAC,iBAAiB;YAC1B,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAEb,MAAM,cAAc,GAAG,MAAM,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,GAAG;YAC1D,CAAC,CAAC,EAAE,CAAC,2EAA2E;YAChF,CAAC,CAAC,MAAM,CAAC,mBAAmB,CAAC;QAE/B,uEAAuE;QACvE,MAAM,aAAa,GAAG,MAAM,CAAC,mBAAmB,CAAC,CAAC,CAAC,KAAK,GAAG;YACzD,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,GAAG,CAAC,EAAE,aAAa,EAAE,EAAc,EAAE;YAC1D,CAAC,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,EAAc,EAAE,CAAC;QAEtD,MAAM,cAAc,CAAC,UAAU,CAAC;YAC9B,OAAO,EAAE,aAAa;YACtB,UAAU,EAAE;gBACV,QAAQ,EAAE,EAAE;gBACZ,UAAU;gBACV,SAAS,EAAE,EAAE;aACd;YACD,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;QAEH,kBAAkB,GAAG,IAAI,CAAC;QAC1B,gBAAgB,GAAG,IAAI,CAAC;QACxB,KAAK,CAAC,cAAc,EAAE,SAAS,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,mBAAmB,EAAE,CAAC,CAAC;QACtF,OAAO,CAAC,KAAK,CAAC,2CAA2C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtI,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,cAAc,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,KAAK,CAAC,iDAAiD,GAAG,sBAAsB,CAAC,CAAC;QAC1F,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAe;IAC/C,IAAI,CAAC,gBAAgB,IAAI,CAAC,cAAc,EAAE,CAAC;QACzC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IACtC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAC9D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,mDAAmD,GAAG,wBAAwB,CAAC,CAAC;QAC9F,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,cAAc,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,cAAc,CAAC,KAAK,EAAE,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/session-manager.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Session lifecycle management.
+ * Handles creation, lookup, idle cleanup, and resource limits.
+ */
+import { type TerminalOptions } from "./terminal.js";
+import type { Session, SessionInfo, ServerConfig } from "./types.js";
+export declare class SessionManager {
+    private config;
+    private sessions;
+    private idleTimers;
+    constructor(config: ServerConfig);
+    get sessionCount(): number;
+    createSession(options: TerminalOptions & {
+        name?: string;
+    }): Promise<Session>;
+    getSession(id: string): Session;
+    listSessions(): SessionInfo[];
+    closeSession(id: string, signal?: string): void;
+    closeAll(): void;
+    touchSession(id: string): void;
+    /**
+     * Check if an absolute path is within the allowed paths list.
+     * Returns true if no allowedPaths are configured (unrestricted).
+     */
+    isPathAllowed(targetPath: string): boolean;
+    private validatePath;
+    private validateCommand;
+    private resetIdleTimer;
+    private clearIdleTimer;
+}
+//# sourceMappingURL=session-manager.d.ts.map

package/dist/session-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.d.ts","sourceRoot":"","sources":["../src/session-manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAkB,KAAK,eAAe,EAAE,MAAM,eAAe,CAAC;AACrE,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAGrE,qBAAa,cAAc;IAIb,OAAO,CAAC,MAAM;IAH1B,OAAO,CAAC,QAAQ,CAA8B;IAC9C,OAAO,CAAC,UAAU,CAAoD;gBAElD,MAAM,EAAE,YAAY;IAExC,IAAI,YAAY,IAAI,MAAM,CAEzB;IAEK,aAAa,CAAC,OAAO,EAAE,eAAe,GAAG;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IA+CnF,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAU/B,YAAY,IAAI,WAAW,EAAE;IAW7B,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;IAS/C,QAAQ,IAAI,IAAI;IAUhB,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAU9B;;;OAGG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAS1C,OAAO,CAAC,YAAY;IAUpB,OAAO,CAAC,eAAe;IAgBvB,OAAO,CAAC,cAAc;IAgBtB,OAAO,CAAC,cAAc;CAOvB"}