ssh-mcp-pro 1.0.0

package/dist/safety.js

@@ -0,0 +1,174 @@
+/**
+ * Safety utilities for SSH command execution
+ *
+ * Provides warnings for potentially dangerous commands without blocking them.
+ * Users are free to execute any command - this is just informational.
+ */
+import { logger } from "./logging.js";
+/**
+ * Patterns for potentially dangerous commands
+ */
+const RECURSIVE_RM_OPTIONS = String.raw `(?=(?:[^\s]+\s+)*?(?:-[A-Za-z]*r[A-Za-z]*|--recursive))(?:-[A-Za-z]+|--[A-Za-z-]+)(?:\s+(?:-[A-Za-z]+|--[A-Za-z-]+))*`;
+const SHELL_ARG = String.raw `(?:"[^"]*"|'[^']*'|\S+)`;
+const SHELL_ARG_END = String.raw `(?:[\s;&|]|$)`;
+function recursiveRmTargetPattern(targetPattern) {
+    return new RegExp(String.raw `rm\s+${RECURSIVE_RM_OPTIONS}(?:\s+${SHELL_ARG})*\s+${targetPattern}${SHELL_ARG_END}`, "i");
+}
+const DANGEROUS_PATTERNS = [
+    // Critical: System destruction
+    {
+        pattern: recursiveRmTargetPattern(String.raw `(?:"/"|'/'|/)`),
+        riskLevel: "critical",
+        warning: "This command will delete the entire root filesystem!",
+        suggestion: "Double-check the path before executing",
+    },
+    {
+        pattern: recursiveRmTargetPattern(String.raw `(?:"/\*"|'/\*'|/\*)`),
+        riskLevel: "critical",
+        warning: "This command will delete all files in the root directory!",
+        suggestion: "Double-check the path before executing",
+    },
+    {
+        pattern: /mkfs\./i,
+        riskLevel: "critical",
+        warning: "This command will format a filesystem, causing data loss!",
+        suggestion: "Verify the target device carefully",
+    },
+    {
+        pattern: /dd\s+.*of=\/dev\/(sd|hd|nvme|vd)/i,
+        riskLevel: "critical",
+        warning: "This command writes directly to a disk device!",
+        suggestion: "Verify input and output devices before executing",
+    },
+    // High: System configuration changes
+    {
+        pattern: /chmod\s+(-R\s+)?777\s+\//i,
+        riskLevel: "high",
+        warning: "Setting 777 permissions on root is a security risk!",
+        suggestion: "Use more restrictive permissions",
+    },
+    {
+        pattern: /chown\s+-R\s+.*\s+\/\s*$/i,
+        riskLevel: "high",
+        warning: "Changing ownership of root directory recursively!",
+        suggestion: "Verify the target path",
+    },
+    {
+        pattern: /:\(\)\{\s*:\|:&\s*\};\s*:/i,
+        riskLevel: "critical",
+        warning: "Fork bomb detected! This will crash the system!",
+        suggestion: "Do not execute this command",
+    },
+    {
+        pattern: />\s*\/dev\/sd[a-z]$/i,
+        riskLevel: "critical",
+        warning: "Writing directly to disk device!",
+        suggestion: "Verify the target device",
+    },
+    // Medium: Service disruption
+    {
+        pattern: /shutdown|reboot|init\s+[0-6]|poweroff/i,
+        riskLevel: "medium",
+        warning: "This command will shutdown or reboot the system",
+        suggestion: "Ensure you have physical or out-of-band access",
+    },
+    {
+        pattern: /systemctl\s+(stop|disable)\s+(sshd|ssh|networking|network)/i,
+        riskLevel: "high",
+        warning: "Stopping this service may disconnect your SSH session!",
+        suggestion: "Have alternative access method ready",
+    },
+    {
+        pattern: /iptables\s+-F/i,
+        riskLevel: "medium",
+        warning: "Flushing firewall rules may expose the system",
+        suggestion: "Have a backup of current rules",
+    },
+    {
+        pattern: /ufw\s+disable/i,
+        riskLevel: "medium",
+        warning: "Disabling firewall will expose all ports",
+        suggestion: "Consider using specific allow rules instead",
+    },
+    // Low: Common mistakes
+    {
+        pattern: recursiveRmTargetPattern(String.raw `(?:"\."|'\.'|\.)`),
+        riskLevel: "low",
+        warning: "This will delete the current directory recursively",
+        suggestion: "Verify you are in the correct directory",
+    },
+    {
+        pattern: />\s*\/etc\/(passwd|shadow|sudoers)/i,
+        riskLevel: "high",
+        warning: "Overwriting critical system file!",
+        suggestion: "Use proper editing tools like visudo",
+    },
+    {
+        pattern: /curl\s+.*\|\s*(sudo\s+)?(bash|sh)/i,
+        riskLevel: "medium",
+        warning: "Piping remote script directly to shell",
+        suggestion: "Review the script before executing",
+    },
+    {
+        pattern: /wget\s+.*\|\s*(sudo\s+)?(bash|sh)/i,
+        riskLevel: "medium",
+        warning: "Piping remote script directly to shell",
+        suggestion: "Review the script before executing",
+    },
+];
+/**
+ * Checks if a command is potentially dangerous
+ * This NEVER blocks commands - only provides warnings
+ */
+export function checkCommandSafety(command) {
+    if (!command) {
+        return { safe: true };
+    }
+    const normalizedCommand = command.trim();
+    for (const { pattern, riskLevel, warning, suggestion } of DANGEROUS_PATTERNS) {
+        if (pattern.test(normalizedCommand)) {
+            logger.debug("Safety warning triggered", {
+                command: normalizedCommand.substring(0, 50),
+                riskLevel,
+            });
+            return {
+                safe: false,
+                warning,
+                riskLevel,
+                ...(suggestion ? { suggestion } : {}),
+            };
+        }
+    }
+    return { safe: true };
+}
+/**
+ * Formats a safety warning for inclusion in command output
+ */
+export function formatSafetyWarning(result) {
+    if (result.safe) {
+        return undefined;
+    }
+    const label = {
+        low: "LOW",
+        medium: "MEDIUM",
+        high: "HIGH",
+        critical: "CRITICAL",
+    };
+    let message = `[${label[result.riskLevel ?? "medium"]}] WARNING: ${result.warning}`;
+    if (result.suggestion) {
+        message += `\nSuggestion: ${result.suggestion}`;
+    }
+    return message;
+}
+/**
+ * Enhances command result with safety warning if applicable
+ */
+export function addSafetyWarningToResult(command, result) {
+    const safetyCheck = checkCommandSafety(command);
+    const warning = formatSafetyWarning(safetyCheck);
+    if (warning) {
+        return { ...result, safetyWarning: warning };
+    }
+    return result;
+}
+//# sourceMappingURL=safety.js.map

package/dist/safety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety.js","sourceRoot":"","sources":["../src/safety.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAYtC;;GAEG;AACH,MAAM,oBAAoB,GAAG,MAAM,CAAC,GAAG,CAAA,uHAAuH,CAAC;AAC/J,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAA,yBAAyB,CAAC;AACtD,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAA,eAAe,CAAC;AAEhD,SAAS,wBAAwB,CAAC,aAAqB;IACrD,OAAO,IAAI,MAAM,CACf,MAAM,CAAC,GAAG,CAAA,QAAQ,oBAAoB,SAAS,SAAS,QAAQ,aAAa,GAAG,aAAa,EAAE,EAC/F,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,MAAM,kBAAkB,GAKnB;IACH,+BAA+B;IAC/B;QACE,OAAO,EAAE,wBAAwB,CAAC,MAAM,CAAC,GAAG,CAAA,eAAe,CAAC;QAC5D,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,sDAAsD;QAC/D,UAAU,EAAE,wCAAwC;KACrD;IACD;QACE,OAAO,EAAE,wBAAwB,CAAC,MAAM,CAAC,GAAG,CAAA,qBAAqB,CAAC;QAClE,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,2DAA2D;QACpE,UAAU,EAAE,wCAAwC;KACrD;IACD;QACE,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,2DAA2D;QACpE,UAAU,EAAE,oCAAoC;KACjD;IACD;QACE,OAAO,EAAE,mCAAmC;QAC5C,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,gDAAgD;QACzD,UAAU,EAAE,kDAAkD;KAC/D;IAED,qCAAqC;IACrC;QACE,OAAO,EAAE,2BAA2B;QACpC,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,qDAAqD;QAC9D,UAAU,EAAE,kCAAkC;KAC/C;IACD;QACE,OAAO,EAAE,2BAA2B;QACpC,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,mDAAmD;QAC5D,UAAU,EAAE,wBAAwB;KACrC;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,iDAAiD;QAC1D,UAAU,EAAE,6BAA6B;KAC1C;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,SAAS,EAAE,UAAU;QACrB,OAAO,EAAE,kCAAkC;QAC3C,UAAU,EAAE,0BAA0B;KACvC;IAED,6BAA6B;IAC7B;QACE,OAAO,EAAE,wCAAwC;QACjD,SAAS,EAAE,QAAQ;QACnB,OAAO,EAAE,iDAAiD;QAC1D,UAAU,EAAE,gDAAgD;KAC7D;IACD;QACE,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,wDAAwD;QACjE,UAAU,EAAE,sCAAsC;KACnD;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,SAAS,EAAE,QAAQ;QACnB,OAAO,EAAE,+CAA+C;QACxD,UAAU,EAAE,gCAAgC;KAC7C;IACD;QACE,OAAO,EAAE,gBAAgB;QACzB,SAAS,EAAE,QAAQ;QACnB,OAAO,EAAE,0CAA0C;QACnD,UAAU,EAAE,6CAA6C;KAC1D;IAED,uBAAuB;IACvB;QACE,OAAO,EAAE,wBAAwB,CAAC,MAAM,CAAC,GAAG,CAAA,kBAAkB,CAAC;QAC/D,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,oDAAoD;QAC7D,UAAU,EAAE,yCAAyC;KACtD;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,mCAAmC;QAC5C,UAAU,EAAE,sCAAsC;KACnD;IACD;QACE,OAAO,EAAE,oCAAoC;QAC7C,SAAS,EAAE,QAAQ;QACnB,OAAO,EAAE,wCAAwC;QACjD,UAAU,EAAE,oCAAoC;KACjD;IACD;QACE,OAAO,EAAE,oCAAoC;QAC7C,SAAS,EAAE,QAAQ;QACnB,OAAO,EAAE,wCAAwC;QACjD,UAAU,EAAE,oCAAoC;KACjD;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAEzC,KAAK,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAC7E,IAAI,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;gBACvC,OAAO,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;gBAC3C,SAAS;aACV,CAAC,CAAC;YAEH,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,OAAO;gBACP,SAAS;gBACT,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACtC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG;QACZ,GAAG,EAAE,KAAK;QACV,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,UAAU;KACrB,CAAC;IAEF,IAAI,OAAO,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,cAAc,MAAM,CAAC,OAAO,EAAE,CAAC;IAEpF,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,OAAO,IAAI,iBAAiB,MAAM,CAAC,UAAU,EAAE,CAAC;IAClD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAe,EACf,MAAS;IAET,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;IAEjD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,GAAG,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC;IAC/C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/server-http.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=server-http.d.ts.map

package/dist/server-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-http.d.ts","sourceRoot":"","sources":["../src/server-http.ts"],"names":[],"mappings":""}

package/dist/server-http.js

@@ -0,0 +1,432 @@
+import { randomUUID } from "node:crypto";
+import { createServer } from "node:http";
+import { readFileSync } from "node:fs";
+import { URL } from "node:url";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { isBearerAuthorizationValid } from "./auth.js";
+import { createContainer } from "./container.js";
+import { SERVER_VERSION, SSHMCPServer } from "./mcp.js";
+import { logger } from "./logging.js";
+import { isOAuthAuthorizationValid } from "./oauth.js";
+import { initTelemetry, shutdownTelemetry, withSpan } from "./telemetry.js";
+import { corsHeaders, isLoopbackHost, isOriginAllowed, oauthProtectedResourceMetadataUrl, oauthWwwAuthenticateHeader, validateHttpStartupConfig, } from "./http-security.js";
+import { attachRateLimitHeaders, buildRateLimitHeaders } from "./http-rate-limit.js";
+import { createRemoteControlPlane } from "./remote/control-plane.js";
+import { loadRemoteConfig } from "./remote/config.js";
+import { userSafeError } from "./remote/util.js";
+const endpoint = "/mcp";
+const legacySseEndpoint = "/sse";
+const legacyMessageEndpoint = "/messages";
+const healthEndpoint = "/healthz";
+const oauthProtectedResourceEndpoint = "/.well-known/oauth-protected-resource";
+const container = createContainer();
+const httpConfig = container.config.get("http");
+const authConfig = container.config.get("auth");
+const connectorConfig = container.config.get("connector");
+const policyConfig = container.config.get("policy");
+const remoteConfig = loadRemoteConfig();
+const remoteControlPlanePromise = remoteConfig.enabled ? createRemoteControlPlane() : undefined;
+const sessions = new Map();
+const bearerToken = httpConfig.bearerTokenFile
+    ? readFileSync(httpConfig.bearerTokenFile, "utf8").trim()
+    : undefined;
+initTelemetry({ serviceVersion: SERVER_VERSION });
+class RequestBodyTooLargeError extends Error {
+    constructor() {
+        super("Request body is too large");
+    }
+}
+function sendJson(req, res, statusCode, payload, extraHeaders = {}) {
+    res.writeHead(statusCode, {
+        "Content-Type": "application/json",
+        ...corsHeaders(req.headers.origin, httpConfig.allowedOrigins),
+        ...extraHeaders,
+    });
+    res.end(JSON.stringify(payload, null, 2));
+}
+function configuredPublicMcpUrl() {
+    if (!httpConfig.publicUrl) {
+        return undefined;
+    }
+    const url = new URL(httpConfig.publicUrl);
+    if (url.pathname === "" || url.pathname === "/") {
+        url.pathname = endpoint;
+    }
+    else if (!url.pathname.endsWith(endpoint)) {
+        url.pathname = `${url.pathname.replace(/\/$/u, "")}${endpoint}`;
+    }
+    return url.toString();
+}
+function buildPublicMcpUrl(req) {
+    const configured = configuredPublicMcpUrl();
+    if (configured) {
+        return configured;
+    }
+    const forwardedProto = req.headers["x-forwarded-proto"];
+    const rawProtocol = Array.isArray(forwardedProto) ? forwardedProto[0] : forwardedProto;
+    const protocol = httpConfig.trustProxy && (rawProtocol === "http" || rawProtocol === "https")
+        ? rawProtocol
+        : isLoopbackHost(httpConfig.host)
+            ? "http"
+            : "https";
+    return `${protocol}://${req.headers.host ?? `localhost:${httpConfig.port}`}${endpoint}`;
+}
+function isHttpSessionExpired(session, now = Date.now()) {
+    return now - session.lastSeenAt > httpConfig.sessionIdleTtlMs;
+}
+function removeHttpSession(sessionId, reason) {
+    if (sessions.delete(sessionId)) {
+        logger.info("HTTP MCP session removed", { sessionId, reason });
+    }
+}
+function closeHttpSession(sessionId, reason) {
+    const session = sessions.get(sessionId);
+    if (!session) {
+        return;
+    }
+    removeHttpSession(sessionId, reason);
+    void session.transport.close().catch((error) => {
+        logger.warn("Failed to close HTTP MCP transport cleanly", { sessionId, error });
+    });
+}
+function cleanupExpiredHttpSessions() {
+    const now = Date.now();
+    for (const [sessionId, session] of sessions) {
+        if (isHttpSessionExpired(session, now)) {
+            closeHttpSession(sessionId, "idle-timeout");
+        }
+    }
+}
+function getHttpSession(sessionId) {
+    if (!sessionId) {
+        return undefined;
+    }
+    const session = sessions.get(sessionId);
+    if (!session) {
+        return undefined;
+    }
+    if (isHttpSessionExpired(session)) {
+        closeHttpSession(sessionId, "idle-timeout");
+        return undefined;
+    }
+    session.lastSeenAt = Date.now();
+    return session;
+}
+function canOpenHttpSession(req, res) {
+    cleanupExpiredHttpSessions();
+    if (sessions.size < httpConfig.maxSessions) {
+        return true;
+    }
+    sendJson(req, res, 503, {
+        error: "HTTP MCP session limit reached",
+        maxSessions: httpConfig.maxSessions,
+    });
+    return false;
+}
+const httpSessionCleanupInterval = setInterval(cleanupExpiredHttpSessions, Math.max(1000, Math.min(httpConfig.sessionIdleTtlMs, 60_000)));
+httpSessionCleanupInterval.unref?.();
+function protectedResourceMetadata(req) {
+    return {
+        resource: authConfig.oauthResource ?? buildPublicMcpUrl(req),
+        resource_name: "ssh-mcp-pro",
+        bearer_methods_supported: ["header"],
+        scopes_supported: authConfig.oauthRequiredScopes,
+        authorization_servers: authConfig.oauthIssuer ? [authConfig.oauthIssuer] : [],
+    };
+}
+function attachCurrentRateLimitHeaders(res) {
+    attachRateLimitHeaders(res, () => buildRateLimitHeaders(container.rateLimiter, container.config.get("rateLimit")));
+}
+function oauthChallengeHeader(req) {
+    return oauthWwwAuthenticateHeader(oauthProtectedResourceMetadataUrl(buildPublicMcpUrl(req)), authConfig.oauthRequiredScopes, req.headers.authorization !== undefined);
+}
+async function rejectIfUnauthorized(req, res) {
+    const origin = req.headers.origin;
+    if (!isOriginAllowed(origin, httpConfig.allowedOrigins)) {
+        sendJson(req, res, 403, { error: "Origin is not allowed" });
+        return true;
+    }
+    if (authConfig.mode === "oauth") {
+        const verificationConfig = {
+            audience: authConfig.oauthAudience ?? authConfig.oauthResource ?? buildPublicMcpUrl(req),
+            requiredScopes: authConfig.oauthRequiredScopes,
+        };
+        if (authConfig.oauthIssuer) {
+            verificationConfig.issuer = authConfig.oauthIssuer;
+        }
+        if (authConfig.oauthJwksUrl) {
+            verificationConfig.jwksUrl = authConfig.oauthJwksUrl;
+        }
+        const valid = await isOAuthAuthorizationValid(req.headers.authorization, verificationConfig);
+        if (!valid) {
+            sendJson(req, res, 401, { error: "Missing or invalid OAuth bearer token" }, { "WWW-Authenticate": oauthChallengeHeader(req) });
+            return true;
+        }
+        return false;
+    }
+    if (!bearerToken) {
+        return false;
+    }
+    if (!isBearerAuthorizationValid(req.headers.authorization, bearerToken)) {
+        sendJson(req, res, 401, { error: "Missing or invalid bearer token" });
+        return true;
+    }
+    return false;
+}
+async function readJsonBody(req) {
+    const chunks = [];
+    let size = 0;
+    for await (const chunk of req) {
+        const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        size += buffer.byteLength;
+        if (size > httpConfig.maxRequestBodyBytes) {
+            throw new RequestBodyTooLargeError();
+        }
+        chunks.push(buffer);
+    }
+    if (chunks.length === 0) {
+        return undefined;
+    }
+    const raw = Buffer.concat(chunks).toString("utf8");
+    return raw ? JSON.parse(raw) : undefined;
+}
+async function handleStreamableRequest(req, res, parsedBody) {
+    await withSpan("http.streamable.request", async (span) => {
+        const sessionHeader = req.headers["mcp-session-id"];
+        const sessionId = Array.isArray(sessionHeader) ? sessionHeader[0] : sessionHeader;
+        cleanupExpiredHttpSessions();
+        let session = getHttpSession(sessionId);
+        span.setAttribute("http.route", endpoint);
+        span.setAttribute("http.method", req.method ?? "UNKNOWN");
+        if (sessionId) {
+            span.setAttribute("mcp.session.id", sessionId);
+        }
+        if (!session && req.method === "POST" && isInitializeRequest(parsedBody)) {
+            if (!canOpenHttpSession(req, res)) {
+                return;
+            }
+            const transport = new StreamableHTTPServerTransport({
+                sessionIdGenerator: () => randomUUID(),
+                onsessioninitialized: (newSessionId) => {
+                    sessions.set(newSessionId, { server, transport, lastSeenAt: Date.now() });
+                    logger.info("Streamable HTTP MCP session initialized", { sessionId: newSessionId });
+                },
+            });
+            const server = new SSHMCPServer(container);
+            transport.onclose = () => {
+                const closedSessionId = transport.sessionId;
+                if (closedSessionId) {
+                    removeHttpSession(closedSessionId, "transport-closed");
+                }
+            };
+            transport.onerror = (error) => {
+                logger.error("Streamable HTTP MCP transport error", { error: error.message });
+            };
+            await server.connect(transport);
+            session = { server, transport, lastSeenAt: Date.now() };
+        }
+        if (!session) {
+            sendJson(req, res, 400, {
+                jsonrpc: "2.0",
+                error: {
+                    code: -32000,
+                    message: "Bad Request: initialize with POST /mcp or provide a valid MCP-Session-Id",
+                },
+                id: null,
+            });
+            return;
+        }
+        if (!(session.transport instanceof StreamableHTTPServerTransport)) {
+            sendJson(req, res, 400, {
+                error: "Session exists but uses a different transport protocol",
+            });
+            return;
+        }
+        await session.transport.handleRequest(req, res, parsedBody);
+    }, {
+        attributes: {
+            "http.route": endpoint,
+            "http.method": req.method ?? "UNKNOWN",
+        },
+    });
+}
+async function handleLegacySseConnection(req, res) {
+    if (!canOpenHttpSession(req, res)) {
+        return;
+    }
+    const transport = new SSEServerTransport(legacyMessageEndpoint, res);
+    const sessionId = transport.sessionId;
+    const server = new SSHMCPServer(container);
+    transport.onclose = () => {
+        removeHttpSession(sessionId, "legacy-transport-closed");
+    };
+    sessions.set(sessionId, { server, transport, lastSeenAt: Date.now() });
+    await server.connect(transport);
+    logger.warn("Legacy HTTP/SSE MCP session established", { sessionId });
+}
+async function handleLegacyMessage(req, res) {
+    const baseUrl = `http://${req.headers.host ?? "localhost"}`;
+    const requestUrl = new URL(req.url ?? legacyMessageEndpoint, baseUrl);
+    const sessionId = requestUrl.searchParams.get("sessionId");
+    if (!sessionId) {
+        sendJson(req, res, 400, { error: "Missing sessionId query parameter" });
+        return;
+    }
+    const session = getHttpSession(sessionId);
+    if (!session || !(session.transport instanceof SSEServerTransport)) {
+        sendJson(req, res, 404, { error: "Legacy SSE session not found" });
+        return;
+    }
+    await session.transport.handlePostMessage(req, res);
+}
+if (!remoteConfig.enabled) {
+    validateHttpStartupConfig(httpConfig, bearerToken, {
+        toolProfile: connectorConfig.toolProfile,
+        allowedHosts: policyConfig.allowedHosts,
+        hostKeyPolicy: container.config.get("security").hostKeyPolicy,
+        authMode: authConfig.mode,
+        oauthConfigured: Boolean(authConfig.oauthIssuer && authConfig.oauthJwksUrl),
+    });
+}
+const httpServer = createServer((req, res) => {
+    void (async () => {
+        try {
+            const requestUrl = new URL(req.url ?? endpoint, "http://localhost");
+            attachCurrentRateLimitHeaders(res);
+            if (remoteControlPlanePromise) {
+                const remoteControlPlane = await remoteControlPlanePromise;
+                const handled = await remoteControlPlane.handleHttp(req, res, requestUrl.pathname);
+                if (handled) {
+                    return;
+                }
+            }
+            if (requestUrl.pathname === oauthProtectedResourceEndpoint && req.method === "GET") {
+                sendJson(req, res, 200, protectedResourceMetadata(req));
+                return;
+            }
+            if (requestUrl.pathname === healthEndpoint && req.method === "GET") {
+                sendJson(req, res, 200, {
+                    ok: true,
+                    service: "ssh-mcp-pro",
+                    transport: "streamable-http",
+                });
+                return;
+            }
+            if (requestUrl.pathname === endpoint && req.method === "OPTIONS") {
+                if (!isOriginAllowed(req.headers.origin, httpConfig.allowedOrigins)) {
+                    sendJson(req, res, 403, { error: "Origin is not allowed" });
+                    return;
+                }
+                res.writeHead(204, corsHeaders(req.headers.origin, httpConfig.allowedOrigins));
+                res.end();
+                return;
+            }
+            if (await rejectIfUnauthorized(req, res)) {
+                return;
+            }
+            if (requestUrl.pathname === endpoint) {
+                if (req.method !== "GET" && req.method !== "POST" && req.method !== "DELETE") {
+                    sendJson(req, res, 405, { error: "Method not allowed" });
+                    return;
+                }
+                const parsedBody = req.method === "POST" ? await readJsonBody(req) : undefined;
+                await handleStreamableRequest(req, res, parsedBody);
+                return;
+            }
+            if (httpConfig.enableLegacySse && requestUrl.pathname === legacySseEndpoint) {
+                if (req.method !== "GET") {
+                    sendJson(req, res, 405, { error: "Method not allowed" });
+                    return;
+                }
+                await handleLegacySseConnection(req, res);
+                return;
+            }
+            if (httpConfig.enableLegacySse && requestUrl.pathname === legacyMessageEndpoint) {
+                if (req.method !== "POST") {
+                    sendJson(req, res, 405, { error: "Method not allowed" });
+                    return;
+                }
+                await handleLegacyMessage(req, res);
+                return;
+            }
+            sendJson(req, res, 404, { error: "Not found" });
+        }
+        catch (error) {
+            logger.error("HTTP MCP request failed", {
+                error: userSafeError(error),
+            });
+            if (!res.headersSent) {
+                if (error && typeof error === "object" && "status" in error && "message" in error) {
+                    const status = Number(error.status);
+                    const message = String(error.message);
+                    const code = "code" in error ? String(error.code) : undefined;
+                    sendJson(req, res, Number.isFinite(status) ? status : 500, { error: message, code });
+                }
+                else {
+                    const statusCode = error instanceof RequestBodyTooLargeError ? 413 : 500;
+                    const message = error instanceof RequestBodyTooLargeError
+                        ? "Request body is too large"
+                        : "Internal server error";
+                    sendJson(req, res, statusCode, { error: message });
+                }
+            }
+        }
+    })();
+});
+httpServer.on("upgrade", (req, socket, head) => {
+    void (async () => {
+        try {
+            const requestUrl = new URL(req.url ?? "/", "http://localhost");
+            if (remoteControlPlanePromise) {
+                const remoteControlPlane = await remoteControlPlanePromise;
+                if (remoteControlPlane.handleUpgrade(req, socket, head, requestUrl.pathname)) {
+                    return;
+                }
+            }
+            socket.destroy();
+        }
+        catch {
+            socket.destroy();
+        }
+    })();
+});
+let shuttingDown = false;
+async function shutdown(signal) {
+    if (shuttingDown) {
+        process.exit(0);
+    }
+    shuttingDown = true;
+    logger.info(`Received ${signal}, shutting down HTTP MCP server...`);
+    httpServer.close();
+    clearInterval(httpSessionCleanupInterval);
+    await Promise.all(Array.from(sessions.entries()).map(async ([sessionId, session]) => {
+        try {
+            await session.transport.close();
+        }
+        catch (error) {
+            logger.warn("Failed to close HTTP MCP transport cleanly", { sessionId, error });
+        }
+    }));
+    sessions.clear();
+    container.rateLimiter.destroy();
+    await container.sessionManager.destroy();
+    if (remoteControlPlanePromise) {
+        const remoteControlPlane = await remoteControlPlanePromise;
+        remoteControlPlane.close();
+    }
+    await shutdownTelemetry();
+    process.exit(0);
+}
+httpServer.listen(httpConfig.port, httpConfig.host, () => {
+    logger.info("Streamable HTTP MCP server listening", {
+        host: httpConfig.host,
+        port: httpConfig.port,
+        endpoint,
+        legacySse: httpConfig.enableLegacySse,
+    });
+});
+process.on("SIGINT", () => void shutdown("SIGINT"));
+process.on("SIGTERM", () => void shutdown("SIGTERM"));
+//# sourceMappingURL=server-http.js.map

package/dist/server-http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-http.js","sourceRoot":"","sources":["../src/server-http.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAEnG,OAAO,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7E,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,0BAA0B,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,yBAAyB,EAAgC,MAAM,YAAY,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC5E,OAAO,EACL,WAAW,EACX,cAAc,EACd,eAAe,EACf,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACrF,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAUjD,MAAM,QAAQ,GAAG,MAAM,CAAC;AACxB,MAAM,iBAAiB,GAAG,MAAM,CAAC;AACjC,MAAM,qBAAqB,GAAG,WAAW,CAAC;AAC1C,MAAM,cAAc,GAAG,UAAU,CAAC;AAClC,MAAM,8BAA8B,GAAG,uCAAuC,CAAC;AAC/E,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;AACpC,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAChD,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAChD,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAC1D,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACpD,MAAM,YAAY,GAAG,gBAAgB,EAAE,CAAC;AACxC,MAAM,yBAAyB,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,wBAAwB,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAChG,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;AAChD,MAAM,WAAW,GAAG,UAAU,CAAC,eAAe;IAC5C,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE;IACzD,CAAC,CAAC,SAAS,CAAC;AAEd,aAAa,CAAC,EAAE,cAAc,EAAE,cAAc,EAAE,CAAC,CAAC;AAElD,MAAM,wBAAyB,SAAQ,KAAK;IAC1C;QACE,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACrC,CAAC;CACF;AAED,SAAS,QAAQ,CACf,GAAoB,EACpB,GAAmB,EACnB,UAAkB,EAClB,OAAgC,EAChC,eAAuC,EAAE;IAEzC,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE;QACxB,cAAc,EAAE,kBAAkB;QAClC,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,cAAc,CAAC;QAC7D,GAAG,YAAY;KAChB,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,sBAAsB;IAC7B,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;QAChD,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC1B,CAAC;SAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5C,GAAG,CAAC,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC;IAClE,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAoB;IAC7C,MAAM,UAAU,GAAG,sBAAsB,EAAE,CAAC;IAC5C,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;IACvF,MAAM,QAAQ,GACZ,UAAU,CAAC,UAAU,IAAI,CAAC,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,OAAO,CAAC;QAC1E,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC;YAC/B,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,OAAO,CAAC;IAChB,OAAO,GAAG,QAAQ,MAAM,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,aAAa,UAAU,CAAC,IAAI,EAAE,GAAG,QAAQ,EAAE,CAAC;AAC1F,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAoB,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;IAClE,OAAO,GAAG,GAAG,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC,gBAAgB,CAAC;AAChE,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB,EAAE,MAAc;IAC1D,IAAI,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB,EAAE,MAAc;IACzD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;IACT,CAAC;IAED,iBAAiB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACrC,KAAK,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,0BAA0B;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,QAAQ,EAAE,CAAC;QAC5C,IAAI,oBAAoB,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;YACvC,gBAAgB,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,SAA6B;IACnD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,gBAAgB,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAC5C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAChC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAoB,EAAE,GAAmB;IACnE,0BAA0B,EAAE,CAAC;IAC7B,IAAI,QAAQ,CAAC,IAAI,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;QACtB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,UAAU,CAAC,WAAW;KACpC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,0BAA0B,GAAG,WAAW,CAC5C,0BAA0B,EAC1B,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAC9D,CAAC;AACF,0BAA0B,CAAC,KAAK,EAAE,EAAE,CAAC;AAErC,SAAS,yBAAyB,CAAC,GAAoB;IACrD,OAAO;QACL,QAAQ,EAAE,UAAU,CAAC,aAAa,IAAI,iBAAiB,CAAC,GAAG,CAAC;QAC5D,aAAa,EAAE,aAAa;QAC5B,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,UAAU,CAAC,mBAAmB;QAChD,qBAAqB,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE;KAC9E,CAAC;AACJ,CAAC;AAED,SAAS,6BAA6B,CAAC,GAAmB;IACxD,sBAAsB,CAAC,GAAG,EAAE,GAAG,EAAE,CAC/B,qBAAqB,CAAC,SAAS,CAAC,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAChF,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAoB;IAChD,OAAO,0BAA0B,CAC/B,iCAAiC,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,EACzD,UAAU,CAAC,mBAAmB,EAC9B,GAAG,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS,CACxC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,GAAoB,EAAE,GAAmB;IAC3E,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IAClC,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACxD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAChC,MAAM,kBAAkB,GAA4B;YAClD,QAAQ,EAAE,UAAU,CAAC,aAAa,IAAI,UAAU,CAAC,aAAa,IAAI,iBAAiB,CAAC,GAAG,CAAC;YACxF,cAAc,EAAE,UAAU,CAAC,mBAAmB;SAC/C,CAAC;QACF,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;YAC3B,kBAAkB,CAAC,MAAM,GAAG,UAAU,CAAC,WAAW,CAAC;QACrD,CAAC;QACD,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;YAC5B,kBAAkB,CAAC,OAAO,GAAG,UAAU,CAAC,YAAY,CAAC;QACvD,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,yBAAyB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;QAC7F,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,QAAQ,CACN,GAAG,EACH,GAAG,EACH,GAAG,EACH,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAClD,EAAE,kBAAkB,EAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAClD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,EAAE,CAAC;QACxE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAoB;IAC9C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC;QAC1B,IAAI,IAAI,GAAG,UAAU,CAAC,mBAAmB,EAAE,CAAC;YAC1C,MAAM,IAAI,wBAAwB,EAAE,CAAC;QACvC,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,GAAoB,EACpB,GAAmB,EACnB,UAAoB;IAEpB,MAAM,QAAQ,CACZ,yBAAyB,EACzB,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACpD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;QAClF,0BAA0B,EAAE,CAAC;QAC7B,IAAI,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;QAExC,IAAI,CAAC,YAAY,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,GAAG,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,OAAO,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,mBAAmB,CAAC,UAAU,CAAC,EAAE,CAAC;YACzE,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;gBAClC,OAAO;YACT,CAAC;YACD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;gBAClD,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;gBACtC,oBAAoB,EAAE,CAAC,YAAY,EAAE,EAAE;oBACrC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;oBAC1E,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;gBACtF,CAAC;aACF,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;YAC3C,SAAS,CAAC,OAAO,GAAG,GAAG,EAAE;gBACvB,MAAM,eAAe,GAAG,SAAS,CAAC,SAAS,CAAC;gBAC5C,IAAI,eAAe,EAAE,CAAC;oBACpB,iBAAiB,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC,CAAC;YACF,SAAS,CAAC,OAAO,GAAG,CAAC,KAAK,EAAE,EAAE;gBAC5B,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAChF,CAAC,CAAC;YACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAsB,CAAC,CAAC;YAC7C,OAAO,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;gBACtB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,0EAA0E;iBACpF;gBACD,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,YAAY,6BAA6B,CAAC,EAAE,CAAC;YAClE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;gBACtB,KAAK,EAAE,wDAAwD;aAChE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;IAC9D,CAAC,EACD;QACE,UAAU,EAAE;YACV,YAAY,EAAE,QAAQ;YACtB,aAAa,EAAE,GAAG,CAAC,MAAM,IAAI,SAAS;SACvC;KACF,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,yBAAyB,CAAC,GAAoB,EAAE,GAAmB;IAChF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,kBAAkB,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;IAE3C,SAAS,CAAC,OAAO,GAAG,GAAG,EAAE;QACvB,iBAAiB,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;IAC1D,CAAC,CAAC;IACF,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACvE,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAAoB,EAAE,GAAmB;IAC1E,MAAM,OAAO,GAAG,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC;IAC5D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,qBAAqB,EAAE,OAAO,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC,CAAC;QACxE,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,YAAY,kBAAkB,CAAC,EAAE,CAAC;QACnE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;QACnE,OAAO;IACT,CAAC;IAED,MAAM,OAAO,CAAC,SAAS,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AACtD,CAAC;AAED,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;IAC1B,yBAAyB,CAAC,UAAU,EAAE,WAAW,EAAE;QACjD,WAAW,EAAE,eAAe,CAAC,WAAW;QACxC,YAAY,EAAE,YAAY,CAAC,YAAY;QACvC,aAAa,EAAE,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,aAAa;QAC7D,QAAQ,EAAE,UAAU,CAAC,IAAI;QACzB,eAAe,EAAE,OAAO,CAAC,UAAU,CAAC,WAAW,IAAI,UAAU,CAAC,YAAY,CAAC;KAC5E,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IAC3C,KAAK,CAAC,KAAK,IAAI,EAAE;QACf,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,QAAQ,EAAE,kBAAkB,CAAC,CAAC;YACpE,6BAA6B,CAAC,GAAG,CAAC,CAAC;YAEnC,IAAI,yBAAyB,EAAE,CAAC;gBAC9B,MAAM,kBAAkB,GAAG,MAAM,yBAAyB,CAAC;gBAC3D,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC;gBACnF,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO;gBACT,CAAC;YACH,CAAC;YAED,IAAI,UAAU,CAAC,QAAQ,KAAK,8BAA8B,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACnF,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,QAAQ,KAAK,cAAc,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACnE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;oBACtB,EAAE,EAAE,IAAI;oBACR,OAAO,EAAE,aAAa;oBACtB,SAAS,EAAE,iBAAiB;iBAC7B,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBACjE,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;oBACpE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;oBAC5D,OAAO;gBACT,CAAC;gBACD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;gBAC/E,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,IAAI,MAAM,oBAAoB,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;gBACzC,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACrC,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;oBAC7E,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;oBACzD,OAAO;gBACT,CAAC;gBAED,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC/E,MAAM,uBAAuB,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;gBACpD,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,eAAe,IAAI,UAAU,CAAC,QAAQ,KAAK,iBAAiB,EAAE,CAAC;gBAC5E,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;oBACzB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;oBACzD,OAAO;gBACT,CAAC;gBACD,MAAM,yBAAyB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,IAAI,UAAU,CAAC,eAAe,IAAI,UAAU,CAAC,QAAQ,KAAK,qBAAqB,EAAE,CAAC;gBAChF,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC1B,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;oBACzD,OAAO;gBACT,CAAC;gBACD,MAAM,mBAAmB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACpC,OAAO;YACT,CAAC;YAED,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBACtC,KAAK,EAAE,aAAa,CAAC,KAAK,CAAC;aAC5B,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,QAAQ,IAAI,KAAK,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;oBAClF,MAAM,MAAM,GAAG,MAAM,CAAE,KAA4B,CAAC,MAAM,CAAC,CAAC;oBAC5D,MAAM,OAAO,GAAG,MAAM,CAAE,KAA6B,CAAC,OAAO,CAAC,CAAC;oBAC/D,MAAM,IAAI,GAAG,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,MAAM,CAAE,KAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;oBACpF,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;gBACvF,CAAC;qBAAM,CAAC;oBACN,MAAM,UAAU,GAAG,KAAK,YAAY,wBAAwB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;oBACzE,MAAM,OAAO,GACX,KAAK,YAAY,wBAAwB;wBACvC,CAAC,CAAC,2BAA2B;wBAC7B,CAAC,CAAC,uBAAuB,CAAC;oBAC9B,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;AACP,CAAC,CAAC,CAAC;AAEH,UAAU,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;IAC7C,KAAK,CAAC,KAAK,IAAI,EAAE;QACf,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAC/D,IAAI,yBAAyB,EAAE,CAAC;gBAC9B,MAAM,kBAAkB,GAAG,MAAM,yBAAyB,CAAC;gBAC3D,IAAI,kBAAkB,CAAC,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC7E,OAAO;gBACT,CAAC;YACH,CAAC;YACD,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;AACP,CAAC,CAAC,CAAC;AAEH,IAAI,YAAY,GAAG,KAAK,CAAC;AACzB,KAAK,UAAU,QAAQ,CAAC,MAAc;IACpC,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,YAAY,GAAG,IAAI,CAAC;IACpB,MAAM,CAAC,IAAI,CAAC,YAAY,MAAM,oCAAoC,CAAC,CAAC;IAEpE,UAAU,CAAC,KAAK,EAAE,CAAC;IACnB,aAAa,CAAC,0BAA0B,CAAC,CAAC;IAE1C,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE;QAChE,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QAClC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IACF,QAAQ,CAAC,KAAK,EAAE,CAAC;IAEjB,SAAS,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;IAChC,MAAM,SAAS,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;IACzC,IAAI,yBAAyB,EAAE,CAAC;QAC9B,MAAM,kBAAkB,GAAG,MAAM,yBAAyB,CAAC;QAC3D,kBAAkB,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IACD,MAAM,iBAAiB,EAAE,CAAC;IAC1B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE;IACvD,MAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE;QAClD,IAAI,EAAE,UAAU,CAAC,IAAI;QACrB,IAAI,EAAE,UAAU,CAAC,IAAI;QACrB,QAAQ;QACR,SAAS,EAAE,UAAU,CAAC,eAAe;KACtC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AACpD,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC"}