pi-forge 0.0.0 → 1.1.4

package/dist/server/pty-manager.js

@@ -0,0 +1,354 @@
+import { randomUUID } from "node:crypto";
+import * as nodePty from "node-pty";
+import { config } from "./config.js";
+/** Rolling output buffer cap per PTY (in bytes). 256 KB ≈ ~3000 lines of typical shell output. */
+const OUTPUT_BUFFER_BYTES = 256 * 1024;
+/**
+ * Time a detached PTY (no WS attached) is held alive before being reaped.
+ * Sourced from `config.terminalIdleReapMs` so operators in resource-
+ * constrained deployments can shorten the window, AND so the integration
+ * test can pin it down to ~200 ms to actually exercise the reap path
+ * within a test budget.
+ */
+const IDLE_REAP_MS = config.terminalIdleReapMs;
+const ptys = new Map();
+function defaultShell() {
+    return process.env.SHELL ?? "/bin/sh";
+}
+/**
+ * Find an existing PTY for `tabId` within `projectId`. Returns
+ * undefined if none exists (caller should spawn) or if a PTY with
+ * that tabId belongs to a DIFFERENT project (caller should treat as
+ * "no match" — never reattach across projects, that would expose
+ * one project's shell to another).
+ */
+export function findPtyByTabId(tabId, projectId) {
+    for (const entry of ptys.values()) {
+        if (entry.managed.tabId !== tabId)
+            continue;
+        if (entry.managed.projectId !== projectId)
+            continue;
+        return entry.managed;
+    }
+    return undefined;
+}
+export function spawnPty(opts) {
+    const shell = opts.shell ?? defaultShell();
+    const cols = opts.cols ?? 80;
+    const rows = opts.rows ?? 24;
+    const env = opts.env ?? process.env;
+    const proc = nodePty.spawn(shell, [], {
+        name: "xterm-color",
+        cols,
+        rows,
+        cwd: opts.cwd,
+        env: filterEnv(env),
+    });
+    const ptyId = randomUUID();
+    const managed = {
+        ptyId,
+        tabId: opts.tabId,
+        projectId: opts.projectId,
+        process: proc,
+        cwd: opts.cwd,
+    };
+    const entry = {
+        managed,
+        dataDisposable: undefined,
+        closeActiveSocket: undefined,
+        idleTimer: undefined,
+        buffer: [],
+        bufferBytes: 0,
+    };
+    ptys.set(ptyId, entry);
+    // Always-on output capture, independent of any attached socket —
+    // that way disconnected periods still accumulate the rolling
+    // buffer for the next reattach to replay.
+    const captureDisposable = proc.onData((chunk) => {
+        appendToBuffer(entry, chunk);
+    });
+    proc.onExit(() => {
+        captureDisposable.dispose();
+        ptys.delete(ptyId);
+        if (entry.idleTimer !== undefined)
+            clearTimeout(entry.idleTimer);
+    });
+    return managed;
+}
+/**
+ * Attach a socket-style sink to a managed PTY. Replays the rolling
+ * output buffer immediately, then forwards every subsequent
+ * `onData` chunk to `onData(chunk)`. Returns a detach function the
+ * caller MUST invoke on socket close — without this, the prior
+ * sink keeps receiving bytes and a reattach can't replace it.
+ *
+ * Cancels any pending idle reaper — the PTY is back in active use.
+ *
+ * `replayBytes` lets the caller request only the tail of the
+ * buffer (e.g. xterm already has prior scrollback locally and only
+ * wants the last ~16 KB). Pass `Infinity` (default) to replay all.
+ */
+export function attachSink(ptyId, onData, replayBytes = OUTPUT_BUFFER_BYTES, closeActiveSocket) {
+    const entry = ptys.get(ptyId);
+    if (entry === undefined)
+        return undefined;
+    if (entry.idleTimer !== undefined) {
+        clearTimeout(entry.idleTimer);
+        entry.idleTimer = undefined;
+    }
+    // Replace any existing data sink so a stale reconnect never
+    // double-delivers chunks. The previous detach() the caller
+    // captured still works (it disposes whatever disposable it
+    // captured), but the route should always call the latest detach.
+    if (entry.dataDisposable !== undefined) {
+        entry.dataDisposable.dispose();
+        entry.dataDisposable = undefined;
+    }
+    // Close the previously-attached WS, if any. Without this, two
+    // browsers with the same tabId both keep their input handlers wired
+    // up to write to the PTY; only the most recently attached one sees
+    // output, but BOTH can send input — interleaved keystrokes corrupt
+    // line-edit state. Closing the predecessor's WS lets the route's
+    // close handler unwire the input listener cleanly.
+    if (entry.closeActiveSocket !== undefined) {
+        try {
+            entry.closeActiveSocket();
+        }
+        catch {
+            // socket already gone — fine
+        }
+        entry.closeActiveSocket = undefined;
+    }
+    entry.closeActiveSocket = closeActiveSocket;
+    // Replay only the tail the caller asked for. The buffer is a
+    // chunk array; flatten just enough from the right edge to hit
+    // `replayBytes`. Edge case: replayBytes <= 0 → skip replay.
+    if (replayBytes > 0 && entry.bufferBytes > 0) {
+        let remaining = Math.min(replayBytes, entry.bufferBytes);
+        const tail = [];
+        for (let i = entry.buffer.length - 1; i >= 0 && remaining > 0; i--) {
+            const chunk = entry.buffer[i];
+            if (chunk.byteLength <= remaining) {
+                tail.unshift(chunk);
+                remaining -= chunk.byteLength;
+            }
+            else {
+                tail.unshift(chunk.subarray(chunk.byteLength - remaining));
+                remaining = 0;
+            }
+        }
+        for (const chunk of tail)
+            onData(chunk.toString("utf8"));
+    }
+    const live = entry.managed.process.onData((chunk) => {
+        onData(chunk);
+    });
+    entry.dataDisposable = live;
+    return () => {
+        if (entry.dataDisposable === live) {
+            live.dispose();
+            entry.dataDisposable = undefined;
+            // Only clear closeActiveSocket if WE are still the active
+            // attachment — a newer attachSink may have already swapped a
+            // different socket in.
+            if (entry.closeActiveSocket === closeActiveSocket) {
+                entry.closeActiveSocket = undefined;
+            }
+        }
+        else {
+            // A newer attach replaced ours; nothing to do.
+        }
+        // Start the idle reaper. If a fresh attach arrives within
+        // IDLE_REAP_MS the timer is cancelled in the next attachSink.
+        if (entry.idleTimer === undefined && ptys.has(ptyId)) {
+            entry.idleTimer = setTimeout(() => {
+                entry.idleTimer = undefined;
+                killPty(ptyId);
+            }, IDLE_REAP_MS);
+        }
+    };
+}
+function appendToBuffer(entry, chunk) {
+    const buf = Buffer.from(chunk, "utf8");
+    entry.buffer.push(buf);
+    entry.bufferBytes += buf.byteLength;
+    // Evict from the front until we're under cap. Keeps memory
+    // bounded across multi-hour shells running noisy output (npm
+    // install, pip install, etc.).
+    while (entry.bufferBytes > OUTPUT_BUFFER_BYTES && entry.buffer.length > 0) {
+        const head = entry.buffer.shift();
+        entry.bufferBytes -= head.byteLength;
+    }
+}
+export function getPty(ptyId) {
+    return ptys.get(ptyId)?.managed;
+}
+/**
+ * Grace window between SIGTERM and SIGKILL. Long enough for a
+ * well-behaved shell to clean up (zsh trap, bash exit handler), short
+ * enough that an unkillable shell doesn't linger past a deploy /
+ * shutdown for noticeable time.
+ */
+const SIGKILL_GRACE_MS = 2_000;
+export function killPty(ptyId) {
+    const entry = ptys.get(ptyId);
+    if (entry === undefined)
+        return false;
+    ptys.delete(ptyId);
+    if (entry.idleTimer !== undefined)
+        clearTimeout(entry.idleTimer);
+    if (entry.dataDisposable !== undefined)
+        entry.dataDisposable.dispose();
+    // Try SIGTERM first (gives the shell a chance to flush, run trap
+    // handlers, release tty). Schedule a SIGKILL fallback for trapped
+    // / unresponsive shells. Without the fallback, a `trap '' TERM`
+    // bash leaves an orphan process holding the PTY fd.
+    let killed = false;
+    const exitDisposable = entry.managed.process.onExit(() => {
+        killed = true;
+    });
+    try {
+        entry.managed.process.kill("SIGTERM");
+    }
+    catch {
+        // already exited between get + kill; nothing to do
+        return true;
+    }
+    setTimeout(() => {
+        exitDisposable.dispose();
+        if (killed)
+            return;
+        try {
+            entry.managed.process.kill("SIGKILL");
+        }
+        catch {
+            // already exited
+        }
+    }, SIGKILL_GRACE_MS).unref();
+    return true;
+}
+export function ptyCount() {
+    return ptys.size;
+}
+export function disposeAllPtys() {
+    for (const ptyId of Array.from(ptys.keys())) {
+        killPty(ptyId);
+    }
+}
+let exitHandlerInstalled = false;
+/**
+ * Install a `process.on("exit")` last-resort SIGTERM-all handler.
+ * Idempotent.
+ *
+ * The previous version of this module called `installExitHandler()`
+ * at module load, which meant any unit test that imported the module
+ * also installed the handler — and the handler couldn't be undone.
+ * Tests that fork child processes ended up with the wrong handler
+ * count and unpredictable shutdown behavior. The fix: require an
+ * explicit `installPtyExitHandler()` call from `index.ts` (the
+ * production entry point); tests that import `pty-manager` for unit
+ * coverage skip the install.
+ */
+export function installPtyExitHandler() {
+    if (exitHandlerInstalled)
+        return;
+    exitHandlerInstalled = true;
+    process.on("exit", () => {
+        for (const entry of ptys.values()) {
+            try {
+                entry.managed.process.kill("SIGTERM");
+            }
+            catch {
+                // Process already gone — fine. We're in the exit handler so
+                // there's no point trying anything more aggressive.
+            }
+        }
+        ptys.clear();
+    });
+}
+/**
+ * Allowlist of env-var names the PTY shell (and the `!` exec route)
+ * may inherit from the pi-forge process. Everything else is dropped.
+ *
+ * Allowlist instead of denylist because the threat model is "any
+ * secret an operator has in their host env leaks into the shell." A
+ * denylist of named secrets is fail-open — every newly-named provider
+ * key (`SOMEPROVIDER_API_KEY`), kube credential, cloud token, etc.
+ * leaks until we add it by name. An allowlist is fail-safe: anything
+ * not on this list is hidden by default; operators with a legitimate
+ * need pass specific vars through via `TERMINAL_PASSTHROUGH_ENV`.
+ *
+ * What's on the list and why:
+ *   PATH, HOME, USER, LOGNAME, SHELL — required for a usable shell
+ *   PWD                              — the shell sets it but inheriting
+ *                                      avoids a transient empty value
+ *   TERM, COLORTERM                  — xterm rendering / 256-color
+ *   TERMINFO                         — fallback terminfo lookup
+ *   LANG, LC_*                       — locale (UTF-8, sorting, dates)
+ *   TZ                               — timezone-aware tools (`date`)
+ *   HOSTNAME                         — prompt customization (`\h` in PS1)
+ *   EDITOR, PAGER, VISUAL            — interactive defaults (git
+ *                                      commit, less, etc.)
+ *
+ * Conspicuously NOT on the list (must be opt-in via
+ * `TERMINAL_PASSTHROUGH_ENV` if the operator wants them in-shell):
+ *   - pi-forge secrets: JWT_SECRET, API_KEY, UI_PASSWORD
+ *   - Provider keys:     ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.
+ *   - Cloud credentials: AWS_*, GOOGLE_APPLICATION_CREDENTIALS,
+ *                        GH_TOKEN, GITHUB_TOKEN, KUBECONFIG, ...
+ *   - Anything else      — assume it's sensitive until proven harmless.
+ */
+const TERMINAL_ENV_ALLOWLIST = new Set([
+    "PATH",
+    "HOME",
+    "USER",
+    "LOGNAME",
+    "SHELL",
+    "PWD",
+    "TERM",
+    "COLORTERM",
+    "TERMINFO",
+    "LANG",
+    "TZ",
+    "HOSTNAME",
+    "EDITOR",
+    "PAGER",
+    "VISUAL",
+]);
+/**
+ * Variable names matching this prefix-style pattern are also allowed
+ * — covers the locale family (`LC_ALL`, `LC_CTYPE`, `LC_MESSAGES`, …)
+ * without enumerating every variant.
+ */
+const TERMINAL_ENV_ALLOWLIST_PREFIXES = ["LC_"];
+function isAllowedByDefault(name) {
+    if (TERMINAL_ENV_ALLOWLIST.has(name))
+        return true;
+    for (const prefix of TERMINAL_ENV_ALLOWLIST_PREFIXES) {
+        if (name.startsWith(prefix))
+            return true;
+    }
+    return false;
+}
+function filterEnv(env) {
+    const passthrough = new Set(config.terminalPassthroughEnv);
+    const out = {};
+    for (const [k, v] of Object.entries(env)) {
+        if (typeof v !== "string")
+            continue;
+        if (!isAllowedByDefault(k) && !passthrough.has(k))
+            continue;
+        out[k] = v;
+    }
+    return out;
+}
+/**
+ * Re-export so non-PTY callers (the user-bash `!` exec route) get the
+ * same env allowlist without having to re-implement it. The PTY and
+ * the one-shot user-bash share an identical threat model: an
+ * authenticated browser user must not be able to `echo
+ * $JWT_SECRET` (or any other host-env secret) from a shell the
+ * pi-forge spawned on their behalf.
+ */
+export const scrubbedEnv = () => filterEnv(process.env);
+//# sourceMappingURL=pty-manager.js.map

package/dist/server/pty-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pty-manager.js","sourceRoot":"","sources":["../src/pty-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,KAAK,OAAO,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAuDrC,kGAAkG;AAClG,MAAM,mBAAmB,GAAG,GAAG,GAAG,IAAI,CAAC;AACvC;;;;;;GAMG;AACH,MAAM,YAAY,GAAG,MAAM,CAAC,kBAAkB,CAAC;AAwB/C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAiB,CAAC;AAEtC,SAAS,YAAY;IACnB,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,SAAS,CAAC;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa,EAAE,SAAiB;IAC7D,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,KAAK,KAAK;YAAE,SAAS;QAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,KAAK,SAAS;YAAE,SAAS;QACpD,OAAO,KAAK,CAAC,OAAO,CAAC;IACvB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAkB;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,YAAY,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IACpC,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE;QACpC,IAAI,EAAE,aAAa;QACnB,IAAI;QACJ,IAAI;QACJ,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC;KACpB,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAe;QAC1B,KAAK;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,IAAI,CAAC,GAAG;KACd,CAAC;IACF,MAAM,KAAK,GAAU;QACnB,OAAO;QACP,cAAc,EAAE,SAAS;QACzB,iBAAiB,EAAE,SAAS;QAC5B,SAAS,EAAE,SAAS;QACpB,MAAM,EAAE,EAAE;QACV,WAAW,EAAE,CAAC;KACf,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACvB,iEAAiE;IACjE,6DAA6D;IAC7D,0CAA0C;IAC1C,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QAC9C,cAAc,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;QACf,iBAAiB,CAAC,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;YAAE,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,UAAU,CACxB,KAAa,EACb,MAA+B,EAC/B,cAAsB,mBAAmB,EACzC,iBAA8B;IAE9B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAClC,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC9B,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;IAC9B,CAAC;IACD,4DAA4D;IAC5D,2DAA2D;IAC3D,2DAA2D;IAC3D,iEAAiE;IACjE,IAAI,KAAK,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACvC,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;QAC/B,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;IACnC,CAAC;IACD,8DAA8D;IAC9D,oEAAoE;IACpE,mEAAmE;IACnE,mEAAmE;IACnE,iEAAiE;IACjE,mDAAmD;IACnD,IAAI,KAAK,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QAC1C,IAAI,CAAC;YACH,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,6BAA6B;QAC/B,CAAC;QACD,KAAK,CAAC,iBAAiB,GAAG,SAAS,CAAC;IACtC,CAAC;IACD,KAAK,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;IAC5C,6DAA6D;IAC7D,8DAA8D;IAC9D,4DAA4D;IAC5D,IAAI,WAAW,GAAG,CAAC,IAAI,KAAK,CAAC,WAAW,GAAG,CAAC,EAAE,CAAC;QAC7C,IAAI,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,IAAI,GAAa,EAAE,CAAC;QAC1B,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACnE,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAE,CAAC;YAC/B,IAAI,KAAK,CAAC,UAAU,IAAI,SAAS,EAAE,CAAC;gBAClC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;gBACpB,SAAS,IAAI,KAAK,CAAC,UAAU,CAAC;YAChC,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC;gBAC3D,SAAS,GAAG,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAa,EAAE,EAAE;QAC1D,MAAM,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC;IAC5B,OAAO,GAAG,EAAE;QACV,IAAI,KAAK,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;YACjC,0DAA0D;YAC1D,6DAA6D;YAC7D,uBAAuB;YACvB,IAAI,KAAK,CAAC,iBAAiB,KAAK,iBAAiB,EAAE,CAAC;gBAClD,KAAK,CAAC,iBAAiB,GAAG,SAAS,CAAC;YACtC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,+CAA+C;QACjD,CAAC;QACD,0DAA0D;QAC1D,8DAA8D;QAC9D,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACrD,KAAK,CAAC,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;gBAChC,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;gBAC5B,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC,EAAE,YAAY,CAAC,CAAC;QACnB,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAY,EAAE,KAAa;IACjD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACvC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvB,KAAK,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC;IACpC,2DAA2D;IAC3D,6DAA6D;IAC7D,+BAA+B;IAC/B,OAAO,KAAK,CAAC,WAAW,GAAG,mBAAmB,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,EAAG,CAAC;QACnC,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC;IACvC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,KAAa;IAClC,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B,MAAM,UAAU,OAAO,CAAC,KAAa;IACnC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnB,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;QAAE,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,cAAc,KAAK,SAAS;QAAE,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;IACvE,iEAAiE;IACjE,kEAAkE;IAClE,gEAAgE;IAChE,oDAAoD;IACpD,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE;QACvD,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,mDAAmD;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,UAAU,CAAC,GAAG,EAAE;QACd,cAAc,CAAC,OAAO,EAAE,CAAC;QACzB,IAAI,MAAM;YAAE,OAAO;QACnB,IAAI,CAAC;YACH,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC,EAAE,gBAAgB,CAAC,CAAC,KAAK,EAAE,CAAC;IAC7B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,QAAQ;IACtB,OAAO,IAAI,CAAC,IAAI,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;QAC5C,OAAO,CAAC,KAAK,CAAC,CAAC;IACjB,CAAC;AACH,CAAC;AAED,IAAI,oBAAoB,GAAG,KAAK,CAAC;AACjC;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,qBAAqB;IACnC,IAAI,oBAAoB;QAAE,OAAO;IACjC,oBAAoB,GAAG,IAAI,CAAC;IAC5B,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QACtB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,4DAA4D;gBAC5D,oDAAoD;YACtD,CAAC;QACH,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IAC1D,MAAM;IACN,MAAM;IACN,MAAM;IACN,SAAS;IACT,OAAO;IACP,KAAK;IACL,MAAM;IACN,WAAW;IACX,UAAU;IACV,MAAM;IACN,IAAI;IACJ,UAAU;IACV,QAAQ;IACR,OAAO;IACP,QAAQ;CACT,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,+BAA+B,GAAsB,CAAC,KAAK,CAAC,CAAC;AAEnE,SAAS,kBAAkB,CAAC,IAAY;IACtC,IAAI,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,KAAK,MAAM,MAAM,IAAI,+BAA+B,EAAE,CAAC;QACrD,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC3C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,GAAsB;IACvC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAC3D,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,SAAS;QACpC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,SAAS;QAC5D,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACb,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,GAA2B,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC"}

package/dist/server/routes/_schemas.js

@@ -0,0 +1,73 @@
+/**
+ * Shared response schemas used across multiple route files. Extracting these
+ * keeps the wire shape consistent — e.g. /sessions, /sessions/:id, and /fork
+ * all return the same liveSummary fields rather than each route declaring its
+ * own subset.
+ */
+/**
+ * Standard error envelope for 4xx/5xx responses. `error` is required so
+ * generated SDK clients can rely on its presence (no extra null-check).
+ * `message` is optional context for callers that want a human-readable hint.
+ */
+export const errorSchema = {
+    type: "object",
+    required: ["error"],
+    properties: {
+        error: { type: "string" },
+        message: { type: "string" },
+    },
+};
+/**
+ * Live session summary — the shape returned by routes that produce a single
+ * session metadata object (POST /sessions, GET /sessions/:id, POST /fork).
+ * `name` is optional because not every session has a user-defined display
+ * name; consumers should treat its absence as "no name set."
+ */
+export const liveSummarySchema = {
+    type: "object",
+    required: [
+        "sessionId",
+        "projectId",
+        "workspacePath",
+        "createdAt",
+        "lastActivityAt",
+        "isLive",
+        "messageCount",
+        "isStreaming",
+    ],
+    properties: {
+        sessionId: { type: "string" },
+        projectId: { type: "string" },
+        workspacePath: { type: "string" },
+        createdAt: { type: "string", format: "date-time" },
+        lastActivityAt: { type: "string", format: "date-time" },
+        isLive: { type: "boolean" },
+        name: { type: "string" },
+        messageCount: { type: "integer", minimum: 0 },
+        isStreaming: { type: "boolean" },
+    },
+};
+/**
+ * Build a wire-shaped LiveSession summary, omitting `name` when unset so the
+ * serializer doesn't emit an explicit undefined.
+ *
+ * `isLive` defaults to `true` because most callers (POST /sessions, /fork,
+ * /sessions/:id when in-memory) are returning a live session. Disk-only
+ * callers should pass `isLive: false` explicitly.
+ */
+export function liveSummaryBody(args) {
+    const out = {
+        sessionId: args.sessionId,
+        projectId: args.projectId,
+        workspacePath: args.workspacePath,
+        createdAt: args.createdAt.toISOString(),
+        lastActivityAt: args.lastActivityAt.toISOString(),
+        isLive: args.isLive ?? true,
+        messageCount: args.messageCount,
+        isStreaming: args.isStreaming,
+    };
+    if (args.name !== undefined)
+        out.name = args.name;
+    return out;
+}
+//# sourceMappingURL=_schemas.js.map

package/dist/server/routes/_schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_schemas.js","sourceRoot":"","sources":["../../src/routes/_schemas.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,CAAC,OAAO,CAAC;IACnB,UAAU,EAAE;QACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;QACzB,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;KAC5B;CACO,CAAC;AAEX;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE;QACR,WAAW;QACX,WAAW;QACX,eAAe;QACf,WAAW;QACX,gBAAgB;QAChB,QAAQ;QACR,cAAc;QACd,aAAa;KACd;IACD,UAAU,EAAE;QACV,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC7B,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;QAC7B,aAAa,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;QACjC,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE;QAClD,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE;QACvD,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QAC3B,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;QACxB,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,EAAE;QAC7C,WAAW,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;KACjC;CACO,CAAC;AAEX;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,IAU/B;IACC,MAAM,GAAG,GAA4B;QACnC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;QACvC,cAAc,EAAE,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE;QACjD,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI;QAC3B,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,WAAW,EAAE,IAAI,CAAC,WAAW;KAC9B,CAAC;IACF,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAClD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/server/routes/auth.js

@@ -0,0 +1,164 @@
+import { config, authEnabled } from "../config.js";
+import { extractBearer, generateToken, passwordConfigured, persistPassword, verifyPasswordWithSource, verifyToken, } from "../auth.js";
+import { errorSchema } from "./_schemas.js";
+const MIN_PASSWORD_LENGTH = 8;
+const MAX_PASSWORD_LENGTH = 1024;
+export const authRoutes = async (fastify) => {
+    fastify.get("/auth/status", {
+        config: { public: true },
+        schema: {
+            description: "Returns whether auth is required to call protected routes.",
+            tags: ["auth"],
+            security: [],
+            response: {
+                200: {
+                    type: "object",
+                    required: ["authEnabled"],
+                    properties: {
+                        authEnabled: { type: "boolean" },
+                    },
+                },
+            },
+        },
+    }, async () => ({ authEnabled: authEnabled() }));
+    fastify.post("/auth/login", {
+        config: {
+            public: true,
+            rateLimit: {
+                max: config.auth.loginRateLimitMax,
+                timeWindow: config.auth.loginRateLimitWindowMs,
+            },
+        },
+        schema: {
+            description: "Exchange a password for a short-lived JWT. Returns 401 if the password is wrong, " +
+                "or 503 if browser password auth is not configured (no UI_PASSWORD set and no " +
+                "stored password hash). When the password matched the env-supplied " +
+                "UI_PASSWORD AND no stored hash exists yet, `mustChangePassword` is true on " +
+                "the response and the issued token may only call POST /auth/change-password.",
+            tags: ["auth"],
+            security: [],
+            body: {
+                type: "object",
+                required: ["password"],
+                additionalProperties: false,
+                properties: {
+                    password: { type: "string", minLength: 1, maxLength: MAX_PASSWORD_LENGTH },
+                },
+            },
+            response: {
+                200: {
+                    type: "object",
+                    required: ["token", "expiresAt", "mustChangePassword"],
+                    properties: {
+                        token: { type: "string" },
+                        expiresAt: { type: "string", format: "date-time" },
+                        mustChangePassword: { type: "boolean" },
+                    },
+                },
+                401: errorSchema,
+                503: errorSchema,
+            },
+        },
+    }, async (req, reply) => {
+        if (!passwordConfigured()) {
+            return reply.code(503).send({
+                error: "ui_password_not_configured",
+                message: "browser login is disabled (no UI_PASSWORD set and no stored password hash)",
+            });
+        }
+        const { password } = req.body;
+        const result = await verifyPasswordWithSource(password);
+        if (!result.ok) {
+            return reply.code(401).send({
+                error: "invalid_password",
+                message: "the password did not match",
+            });
+        }
+        const mustChangePassword = result.source === "env" && config.auth.requirePasswordChange;
+        const issued = generateToken({ mustChangePassword });
+        return { ...issued, mustChangePassword };
+    });
+    // Change-password is `public: true` at the route-config level so the
+    // global `must_change_password` gate (in index.ts) doesn't refuse a
+    // token that was issued specifically to call THIS endpoint. We
+    // enforce auth manually inside the handler.
+    fastify.post("/auth/change-password", {
+        config: {
+            public: true,
+            rateLimit: {
+                max: config.auth.loginRateLimitMax,
+                timeWindow: config.auth.loginRateLimitWindowMs,
+            },
+        },
+        schema: {
+            description: "Verify the current password, persist a new scrypt hash to " +
+                "${FORGE_DATA_DIR}/password-hash, and issue a fresh JWT " +
+                "(mustChangePassword=false). Once a stored hash exists the env " +
+                "UI_PASSWORD is ignored on subsequent logins. Requires a valid " +
+                "JWT (initial-login `mustChangePassword:true` tokens are accepted).",
+            tags: ["auth"],
+            body: {
+                type: "object",
+                required: ["currentPassword", "newPassword"],
+                additionalProperties: false,
+                properties: {
+                    currentPassword: {
+                        type: "string",
+                        minLength: 1,
+                        maxLength: MAX_PASSWORD_LENGTH,
+                    },
+                    newPassword: {
+                        type: "string",
+                        minLength: MIN_PASSWORD_LENGTH,
+                        maxLength: MAX_PASSWORD_LENGTH,
+                    },
+                },
+            },
+            response: {
+                200: {
+                    type: "object",
+                    required: ["token", "expiresAt", "mustChangePassword"],
+                    properties: {
+                        token: { type: "string" },
+                        expiresAt: { type: "string", format: "date-time" },
+                        mustChangePassword: { type: "boolean" },
+                    },
+                },
+                400: errorSchema,
+                401: errorSchema,
+                503: errorSchema,
+            },
+        },
+    }, async (req, reply) => {
+        // Manual auth check — the route is `public: true` so the global
+        // hook doesn't run, but we still require a valid JWT here.
+        const presented = extractBearer(req.headers.authorization);
+        if (presented === undefined || verifyToken(presented) === undefined) {
+            return reply.code(401).send({ error: "auth_required" });
+        }
+        if (!passwordConfigured()) {
+            return reply.code(503).send({
+                error: "ui_password_not_configured",
+                message: "password auth is not configured on this server",
+            });
+        }
+        const { currentPassword, newPassword } = req.body;
+        const verify = await verifyPasswordWithSource(currentPassword);
+        if (!verify.ok) {
+            return reply.code(401).send({
+                error: "invalid_password",
+                message: "the current password did not match",
+            });
+        }
+        if (currentPassword === newPassword) {
+            return reply.code(400).send({
+                error: "password_unchanged",
+                message: "new password must differ from the current one",
+            });
+        }
+        await persistPassword(newPassword);
+        const issued = generateToken({ mustChangePassword: false });
+        return { ...issued, mustChangePassword: false };
+    });
+};
+//# sourceMappingURL=auth.js.map

package/dist/server/routes/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/routes/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EACL,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,eAAe,EACf,wBAAwB,EACxB,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAW5C,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAEjC,MAAM,CAAC,MAAM,UAAU,GAAuB,KAAK,EAAE,OAAO,EAAE,EAAE;IAC9D,OAAO,CAAC,GAAG,CACT,cAAc,EACd;QACE,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;QACxB,MAAM,EAAE;YACN,WAAW,EAAE,4DAA4D;YACzE,IAAI,EAAE,CAAC,MAAM,CAAC;YACd,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE;gBACR,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,CAAC,aAAa,CAAC;oBACzB,UAAU,EAAE;wBACV,WAAW,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;qBACjC;iBACF;aACF;SACF;KACF,EACD,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,WAAW,EAAE,EAAE,CAAC,CAC7C,CAAC;IAEF,OAAO,CAAC,IAAI,CACV,aAAa,EACb;QACE,MAAM,EAAE;YACN,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE;gBACT,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB;gBAClC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,sBAAsB;aAC/C;SACF;QACD,MAAM,EAAE;YACN,WAAW,EACT,mFAAmF;gBACnF,+EAA+E;gBAC/E,oEAAoE;gBACpE,6EAA6E;gBAC7E,6EAA6E;YAC/E,IAAI,EAAE,CAAC,MAAM,CAAC;YACd,QAAQ,EAAE,EAAE;YACZ,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,CAAC,UAAU,CAAC;gBACtB,oBAAoB,EAAE,KAAK;gBAC3B,UAAU,EAAE;oBACV,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,EAAE,mBAAmB,EAAE;iBAC3E;aACF;YACD,QAAQ,EAAE;gBACR,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,oBAAoB,CAAC;oBACtD,UAAU,EAAE;wBACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE;wBAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;qBACxC;iBACF;gBACD,GAAG,EAAE,WAAW;gBAChB,GAAG,EAAE,WAAW;aACjB;SACF;KACF,EACD,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,4BAA4B;gBACnC,OAAO,EAAE,4EAA4E;aACtF,CAAC,CAAC;QACL,CAAC;QACD,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,4BAA4B;aACtC,CAAC,CAAC;QACL,CAAC;QACD,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,KAAK,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC;QACxF,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;QACrD,OAAO,EAAE,GAAG,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAC3C,CAAC,CACF,CAAC;IAEF,qEAAqE;IACrE,oEAAoE;IACpE,+DAA+D;IAC/D,4CAA4C;IAC5C,OAAO,CAAC,IAAI,CACV,uBAAuB,EACvB;QACE,MAAM,EAAE;YACN,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE;gBACT,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB;gBAClC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,sBAAsB;aAC/C;SACF;QACD,MAAM,EAAE;YACN,WAAW,EACT,4DAA4D;gBAC5D,yDAAyD;gBACzD,gEAAgE;gBAChE,gEAAgE;gBAChE,oEAAoE;YACtE,IAAI,EAAE,CAAC,MAAM,CAAC;YACd,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,CAAC,iBAAiB,EAAE,aAAa,CAAC;gBAC5C,oBAAoB,EAAE,KAAK;gBAC3B,UAAU,EAAE;oBACV,eAAe,EAAE;wBACf,IAAI,EAAE,QAAQ;wBACd,SAAS,EAAE,CAAC;wBACZ,SAAS,EAAE,mBAAmB;qBAC/B;oBACD,WAAW,EAAE;wBACX,IAAI,EAAE,QAAQ;wBACd,SAAS,EAAE,mBAAmB;wBAC9B,SAAS,EAAE,mBAAmB;qBAC/B;iBACF;aACF;YACD,QAAQ,EAAE;gBACR,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,CAAC,OAAO,EAAE,WAAW,EAAE,oBAAoB,CAAC;oBACtD,UAAU,EAAE;wBACV,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACzB,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE;wBAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;qBACxC;iBACF;gBACD,GAAG,EAAE,WAAW;gBAChB,GAAG,EAAE,WAAW;gBAChB,GAAG,EAAE,WAAW;aACjB;SACF;KACF,EACD,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,gEAAgE;QAChE,2DAA2D;QAC3D,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC3D,IAAI,SAAS,KAAK,SAAS,IAAI,WAAW,CAAC,SAAS,CAAC,KAAK,SAAS,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,4BAA4B;gBACnC,OAAO,EAAE,gDAAgD;aAC1D,CAAC,CAAC;QACL,CAAC;QACD,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAClD,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC,eAAe,CAAC,CAAC;QAC/D,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,oCAAoC;aAC9C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,eAAe,KAAK,WAAW,EAAE,CAAC;YACpC,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,oBAAoB;gBAC3B,OAAO,EAAE,+CAA+C;aACzD,CAAC,CAAC;QACL,CAAC;QACD,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5D,OAAO,EAAE,GAAG,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC;IAClD,CAAC,CACF,CAAC;AACJ,CAAC,CAAC"}