1id 0.1.0

package/dist/enroll.js

@@ -0,0 +1,226 @@
+/**
+ * Enrollment logic for the 1id.com Node.js SDK.
+ *
+ * Orchestrates the enrollment flow for all trust tiers:
+ * - Declared: Pure software, generates a keypair, sends public key to server.
+ * - Sovereign: Spawns Go binary for TPM operations, two-phase enrollment.
+ * - Sovereign-portable: Spawns Go binary for YubiKey/PIV operations.
+ *
+ * CRITICAL DESIGN RULE: requestTier is a REQUIREMENT, not a preference.
+ * The agent gets exactly the tier it requests, or an exception.
+ * There are NO automatic fallbacks. The caller's logic decides what to do.
+ */
+import { OneIDAPIClient } from "./client.js";
+import { DEFAULT_API_BASE_URL, save_credentials, } from "./credentials.js";
+import { EnrollmentError, NoHSMError } from "./exceptions.js";
+import { DEFAULT_KEY_ALGORITHM, HSMType, KeyAlgorithm, TrustTier, } from "./identity.js";
+import { generate_keypair } from "./keys.js";
+/** Trust tiers that require an HSM and the Go binary. */
+const TIERS_REQUIRING_HSM = new Set([
+    TrustTier.SOVEREIGN,
+    TrustTier.SOVEREIGN_PORTABLE,
+    TrustTier.LEGACY,
+    TrustTier.VIRTUAL,
+    TrustTier.ENCLAVE,
+]);
+/** HSM type preferences by tier. */
+const TIER_TO_HSM_TYPE_PREFERENCES = {
+    [TrustTier.SOVEREIGN]: ["tpm"],
+    [TrustTier.SOVEREIGN_PORTABLE]: ["yubikey", "nitrokey", "feitian", "solokeys"],
+    [TrustTier.LEGACY]: ["tpm", "yubikey", "nitrokey", "feitian"],
+    [TrustTier.VIRTUAL]: ["tpm"],
+    [TrustTier.ENCLAVE]: ["secure_enclave"],
+};
+/**
+ * Enroll this agent with 1id.com to receive a unique, verifiable identity.
+ *
+ * This is the primary entry point for enrollment. The agent specifies
+ * which trust tier it requires, and gets exactly that tier or an exception.
+ *
+ * THERE ARE NO AUTOMATIC FALLBACKS.
+ *
+ * @param options Enrollment options including the required request_tier.
+ * @returns The enrolled Identity.
+ * @throws NoHSMError if requested tier requires an HSM but none was found.
+ * @throws EnrollmentError for any enrollment failure.
+ * @throws NetworkError if the server cannot be reached.
+ */
+export async function enroll(options) {
+    // Validate and normalize the requested tier
+    const valid_tiers = Object.values(TrustTier);
+    if (!valid_tiers.includes(options.request_tier)) {
+        throw new EnrollmentError(`Invalid trust tier: '${options.request_tier}'. Valid tiers: ${valid_tiers.join(", ")}`);
+    }
+    const tier = options.request_tier;
+    // Normalize key algorithm
+    let resolved_key_algorithm;
+    if (options.key_algorithm == null) {
+        resolved_key_algorithm = DEFAULT_KEY_ALGORITHM;
+    }
+    else if (typeof options.key_algorithm === "string") {
+        const valid_algorithms = Object.values(KeyAlgorithm);
+        if (!valid_algorithms.includes(options.key_algorithm)) {
+            throw new EnrollmentError(`Invalid key algorithm: '${options.key_algorithm}'. Valid: ${valid_algorithms.join(", ")}`);
+        }
+        resolved_key_algorithm = options.key_algorithm;
+    }
+    else {
+        resolved_key_algorithm = options.key_algorithm;
+    }
+    const api_base_url = options.api_base_url ?? DEFAULT_API_BASE_URL;
+    // Route to the appropriate enrollment flow
+    if (tier === TrustTier.DECLARED) {
+        return enroll_declared_tier(options.operator_email ?? null, options.requested_handle ?? null, resolved_key_algorithm, api_base_url);
+    }
+    else if (TIERS_REQUIRING_HSM.has(tier)) {
+        return enroll_hsm_tier(tier, options.operator_email ?? null, options.requested_handle ?? null, api_base_url);
+    }
+    else {
+        throw new EnrollmentError(`Tier '${tier}' is not yet implemented`);
+    }
+}
+/**
+ * Enroll at the declared trust tier (software keys, no HSM).
+ */
+async function enroll_declared_tier(operator_email, requested_handle, key_algorithm, api_base_url) {
+    // Step 1: Generate keypair
+    const { private_key_pem, public_key_pem } = generate_keypair(key_algorithm);
+    // Step 2: Send enrollment request to server
+    const api_client = new OneIDAPIClient(api_base_url);
+    const server_response = await api_client.enroll_declared(public_key_pem, key_algorithm, operator_email, requested_handle);
+    // Step 3: Parse server response
+    const identity_data = (server_response.identity ?? {});
+    const credentials_data = (server_response.credentials ?? {});
+    const internal_id = identity_data.internal_id ?? "";
+    const handle = identity_data.handle ?? `@${internal_id.slice(0, 12)}`;
+    const enrolled_at_str = identity_data.registered_at ?? new Date().toISOString();
+    // Step 4: Store credentials locally
+    const stored_credentials = {
+        client_id: credentials_data.client_id ?? internal_id,
+        client_secret: credentials_data.client_secret ?? "",
+        token_endpoint: credentials_data.token_endpoint ??
+            `${api_base_url}/realms/agents/protocol/openid-connect/token`,
+        api_base_url,
+        trust_tier: TrustTier.DECLARED,
+        key_algorithm,
+        private_key_pem,
+        enrolled_at: enrolled_at_str,
+    };
+    const credentials_file_path = save_credentials(stored_credentials);
+    console.log(`[oneid] Credentials saved to ${credentials_file_path}`);
+    // Step 5: Return Identity object
+    let enrolled_at;
+    try {
+        enrolled_at = new Date(enrolled_at_str);
+    }
+    catch {
+        enrolled_at = new Date();
+    }
+    return {
+        internal_id,
+        handle,
+        trust_tier: TrustTier.DECLARED,
+        hsm_type: HSMType.SOFTWARE,
+        hsm_manufacturer: null,
+        enrolled_at,
+        device_count: 0,
+        key_algorithm,
+    };
+}
+/**
+ * Enroll at an HSM-backed trust tier (sovereign, sovereign-portable, etc.).
+ */
+async function enroll_hsm_tier(request_tier, operator_email, requested_handle, api_base_url) {
+    const { detect_available_hsms, extract_attestation_data, activate_credential, } = await import("./helper.js");
+    // Step 1: Detect HSMs via Go binary
+    const detected_hsms = await detect_available_hsms();
+    if (detected_hsms.length === 0) {
+        throw new NoHSMError(`No hardware security module found. ` +
+            `The '${request_tier}' tier requires a TPM, YubiKey, or similar device.`);
+    }
+    // Step 2: Select the appropriate HSM
+    const selected_hsm = select_hsm_for_tier(detected_hsms, request_tier);
+    if (selected_hsm == null) {
+        const hsm_types = detected_hsms.map(h => h.type ?? "unknown").join(", ");
+        throw new NoHSMError(`Found HSM(s) (${hsm_types}) but none are compatible with the '${request_tier}' tier.`);
+    }
+    // Step 3: Extract attestation (requires elevation)
+    const attestation_data = await extract_attestation_data(selected_hsm);
+    // Step 4: Begin enrollment with server
+    const api_client = new OneIDAPIClient(api_base_url);
+    const begin_response = await api_client.enroll_begin(attestation_data.ek_cert_pem, attestation_data.ak_public_pem ?? "", attestation_data.ak_tpmt_public_b64 ?? "", attestation_data.ek_public_pem ?? "", attestation_data.chain_pem ?? undefined, selected_hsm.type ?? "tpm", operator_email, requested_handle);
+    // Step 5: Activate credential via TPM (requires elevation)
+    const decrypted_credential = await activate_credential(selected_hsm, begin_response.credential_blob, begin_response.encrypted_secret, attestation_data.ak_handle ?? "0x81000100");
+    // Step 6: Complete enrollment with server
+    const activate_response = await api_client.enroll_activate(begin_response.enrollment_session_id, decrypted_credential);
+    // Step 7: Store credentials and return Identity
+    const identity_data = (activate_response.identity ?? {});
+    const credentials_data = (activate_response.credentials ?? {});
+    const internal_id = identity_data.internal_id ?? "";
+    const handle = identity_data.handle ?? `@${internal_id.slice(0, 12)}`;
+    const trust_tier_str = identity_data.trust_tier ?? request_tier;
+    const enrolled_at_str = identity_data.registered_at ?? new Date().toISOString();
+    const stored_credentials = {
+        client_id: credentials_data.client_id ?? internal_id,
+        client_secret: credentials_data.client_secret ?? "",
+        token_endpoint: credentials_data.token_endpoint ??
+            `${api_base_url}/realms/agents/protocol/openid-connect/token`,
+        api_base_url,
+        trust_tier: trust_tier_str,
+        key_algorithm: "tpm-ak",
+        hsm_key_reference: attestation_data.ak_handle ?? null,
+        enrolled_at: enrolled_at_str,
+    };
+    save_credentials(stored_credentials);
+    let enrolled_at;
+    try {
+        enrolled_at = new Date(enrolled_at_str);
+    }
+    catch {
+        enrolled_at = new Date();
+    }
+    // Resolve trust tier enum
+    let trust_tier;
+    const valid_tiers = Object.values(TrustTier);
+    if (valid_tiers.includes(trust_tier_str)) {
+        trust_tier = trust_tier_str;
+    }
+    else {
+        trust_tier = request_tier;
+    }
+    // Resolve HSM type enum
+    let hsm_type;
+    const hsm_type_str = selected_hsm.type ?? "tpm";
+    const valid_hsm_types = Object.values(HSMType);
+    if (valid_hsm_types.includes(hsm_type_str)) {
+        hsm_type = hsm_type_str;
+    }
+    else {
+        hsm_type = HSMType.TPM;
+    }
+    return {
+        internal_id,
+        handle,
+        trust_tier,
+        hsm_type,
+        hsm_manufacturer: selected_hsm.manufacturer ?? null,
+        enrolled_at,
+        device_count: identity_data.device_count ?? 1,
+        key_algorithm: KeyAlgorithm.RSA_2048,
+    };
+}
+/**
+ * Select the best matching HSM for the requested tier.
+ */
+function select_hsm_for_tier(detected_hsms, request_tier) {
+    const preferred_types = TIER_TO_HSM_TYPE_PREFERENCES[request_tier] ?? [];
+    for (const preferred_type of preferred_types) {
+        for (const hsm of detected_hsms) {
+            if (hsm.type === preferred_type) {
+                return hsm;
+            }
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=enroll.js.map

package/dist/enroll.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enroll.js","sourceRoot":"","sources":["../src/enroll.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EACL,oBAAoB,EAEpB,gBAAgB,GACjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,EACL,qBAAqB,EACrB,OAAO,EAEP,YAAY,EACZ,SAAS,GACV,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAE7C,yDAAyD;AACzD,MAAM,mBAAmB,GAA2B,IAAI,GAAG,CAAC;IAC1D,SAAS,CAAC,SAAS;IACnB,SAAS,CAAC,kBAAkB;IAC5B,SAAS,CAAC,MAAM;IAChB,SAAS,CAAC,OAAO;IACjB,SAAS,CAAC,OAAO;CAClB,CAAC,CAAC;AAEH,oCAAoC;AACpC,MAAM,4BAA4B,GAAuC;IACvE,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC,KAAK,CAAC;IAC9B,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,CAAC;IAC9E,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC;IAC7D,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC;IAC5B,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,gBAAgB,CAAC;CACxC,CAAC;AAkBF;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,OAAsB;IACjD,4CAA4C;IAC5C,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAa,CAAC;IACzD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,eAAe,CACvB,wBAAwB,OAAO,CAAC,YAAY,mBAAmB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxF,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,YAAyB,CAAC;IAE/C,0BAA0B;IAC1B,IAAI,sBAAoC,CAAC;IACzC,IAAI,OAAO,CAAC,aAAa,IAAI,IAAI,EAAE,CAAC;QAClC,sBAAsB,GAAG,qBAAqB,CAAC;IACjD,CAAC;SAAM,IAAI,OAAO,OAAO,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;QACrD,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAa,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,eAAe,CACvB,2BAA2B,OAAO,CAAC,aAAa,aAAa,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3F,CAAC;QACJ,CAAC;QACD,sBAAsB,GAAG,OAAO,CAAC,aAA6B,CAAC;IACjE,CAAC;SAAM,CAAC;QACN,sBAAsB,GAAG,OAAO,CAAC,aAAa,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,oBAAoB,CAAC;IAElE,2CAA2C;IAC3C,IAAI,IAAI,KAAK,SAAS,CAAC,QAAQ,EAAE,CAAC;QAChC,OAAO,oBAAoB,CACzB,OAAO,CAAC,cAAc,IAAI,IAAI,EAC9B,OAAO,CAAC,gBAAgB,IAAI,IAAI,EAChC,sBAAsB,EACtB,YAAY,CACb,CAAC;IACJ,CAAC;SAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,OAAO,eAAe,CACpB,IAAI,EACJ,OAAO,CAAC,cAAc,IAAI,IAAI,EAC9B,OAAO,CAAC,gBAAgB,IAAI,IAAI,EAChC,YAAY,CACb,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,eAAe,CAAC,SAAS,IAAI,0BAA0B,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,oBAAoB,CACjC,cAA6B,EAC7B,gBAA+B,EAC/B,aAA2B,EAC3B,YAAoB;IAEpB,2BAA2B;IAC3B,MAAM,EAAE,eAAe,EAAE,cAAc,EAAE,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAE5E,4CAA4C;IAC5C,MAAM,UAAU,GAAG,IAAI,cAAc,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,eAAe,CACtD,cAAc,EACd,aAAa,EACb,cAAc,EACd,gBAAgB,CACjB,CAAC;IAEF,gCAAgC;IAChC,MAAM,aAAa,GAAG,CAAC,eAAe,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IAClF,MAAM,gBAAgB,GAAG,CAAC,eAAe,CAAC,WAAW,IAAI,EAAE,CAA4B,CAAC;IAExF,MAAM,WAAW,GAAI,aAAa,CAAC,WAAsB,IAAI,EAAE,CAAC;IAChE,MAAM,MAAM,GAAI,aAAa,CAAC,MAAiB,IAAI,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAClF,MAAM,eAAe,GAAI,aAAa,CAAC,aAAwB,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE5F,oCAAoC;IACpC,MAAM,kBAAkB,GAAsB;QAC5C,SAAS,EAAG,gBAAgB,CAAC,SAAoB,IAAI,WAAW;QAChE,aAAa,EAAG,gBAAgB,CAAC,aAAwB,IAAI,EAAE;QAC/D,cAAc,EAAG,gBAAgB,CAAC,cAAyB;YACzD,GAAG,YAAY,8CAA8C;QAC/D,YAAY;QACZ,UAAU,EAAE,SAAS,CAAC,QAAQ;QAC9B,aAAa;QACb,eAAe;QACf,WAAW,EAAE,eAAe;KAC7B,CAAC;IACF,MAAM,qBAAqB,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,gCAAgC,qBAAqB,EAAE,CAAC,CAAC;IAErE,iCAAiC;IACjC,IAAI,WAAiB,CAAC;IACtB,IAAI,CAAC;QACH,WAAW,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,OAAO;QACL,WAAW;QACX,MAAM;QACN,UAAU,EAAE,SAAS,CAAC,QAAQ;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,gBAAgB,EAAE,IAAI;QACtB,WAAW;QACX,YAAY,EAAE,CAAC;QACf,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,YAAuB,EACvB,cAA6B,EAC7B,gBAA+B,EAC/B,YAAoB;IAEpB,MAAM,EACJ,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,GACpB,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAEhC,oCAAoC;IACpC,MAAM,aAAa,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAEpD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,UAAU,CAClB,qCAAqC;YACrC,QAAQ,YAAY,oDAAoD,CACzE,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,MAAM,YAAY,GAAG,mBAAmB,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACtE,IAAI,YAAY,IAAI,IAAI,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAE,CAAC,CAAC,IAAe,IAAI,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrF,MAAM,IAAI,UAAU,CAClB,iBAAiB,SAAS,uCAAuC,YAAY,SAAS,CACvF,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,MAAM,gBAAgB,GAAG,MAAM,wBAAwB,CAAC,YAAY,CAAC,CAAC;IAEtE,uCAAuC;IACvC,MAAM,UAAU,GAAG,IAAI,cAAc,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,YAAY,CAClD,gBAAgB,CAAC,WAAqB,EACrC,gBAAgB,CAAC,aAAwB,IAAI,EAAE,EAC/C,gBAAgB,CAAC,kBAA6B,IAAI,EAAE,EACpD,gBAAgB,CAAC,aAAwB,IAAI,EAAE,EAC/C,gBAAgB,CAAC,SAAsB,IAAI,SAAS,EACpD,YAAY,CAAC,IAAe,IAAI,KAAK,EACtC,cAAc,EACd,gBAAgB,CACjB,CAAC;IAEF,2DAA2D;IAC3D,MAAM,oBAAoB,GAAG,MAAM,mBAAmB,CACpD,YAAY,EACZ,cAAc,CAAC,eAAyB,EACxC,cAAc,CAAC,gBAA0B,EACxC,gBAAgB,CAAC,SAAoB,IAAI,YAAY,CACvD,CAAC;IAEF,0CAA0C;IAC1C,MAAM,iBAAiB,GAAG,MAAM,UAAU,CAAC,eAAe,CACxD,cAAc,CAAC,qBAA+B,EAC9C,oBAAoB,CACrB,CAAC;IAEF,gDAAgD;IAChD,MAAM,aAAa,GAAG,CAAC,iBAAiB,CAAC,QAAQ,IAAI,EAAE,CAA4B,CAAC;IACpF,MAAM,gBAAgB,GAAG,CAAC,iBAAiB,CAAC,WAAW,IAAI,EAAE,CAA4B,CAAC;IAE1F,MAAM,WAAW,GAAI,aAAa,CAAC,WAAsB,IAAI,EAAE,CAAC;IAChE,MAAM,MAAM,GAAI,aAAa,CAAC,MAAiB,IAAI,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAClF,MAAM,cAAc,GAAI,aAAa,CAAC,UAAqB,IAAI,YAAY,CAAC;IAC5E,MAAM,eAAe,GAAI,aAAa,CAAC,aAAwB,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAE5F,MAAM,kBAAkB,GAAsB;QAC5C,SAAS,EAAG,gBAAgB,CAAC,SAAoB,IAAI,WAAW;QAChE,aAAa,EAAG,gBAAgB,CAAC,aAAwB,IAAI,EAAE;QAC/D,cAAc,EAAG,gBAAgB,CAAC,cAAyB;YACzD,GAAG,YAAY,8CAA8C;QAC/D,YAAY;QACZ,UAAU,EAAE,cAAc;QAC1B,aAAa,EAAE,QAAQ;QACvB,iBAAiB,EAAG,gBAAgB,CAAC,SAAoB,IAAI,IAAI;QACjE,WAAW,EAAE,eAAe;KAC7B,CAAC;IACF,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;IAErC,IAAI,WAAiB,CAAC;IACtB,IAAI,CAAC;QACH,WAAW,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,0BAA0B;IAC1B,IAAI,UAAqB,CAAC;IAC1B,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAa,CAAC;IACzD,IAAI,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACzC,UAAU,GAAG,cAA2B,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,UAAU,GAAG,YAAY,CAAC;IAC5B,CAAC;IAED,wBAAwB;IACxB,IAAI,QAAiB,CAAC;IACtB,MAAM,YAAY,GAAI,YAAY,CAAC,IAAe,IAAI,KAAK,CAAC;IAC5D,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;IAC3D,IAAI,eAAe,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3C,QAAQ,GAAG,YAAuB,CAAC;IACrC,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC;IACzB,CAAC;IAED,OAAO;QACL,WAAW;QACX,MAAM;QACN,UAAU;QACV,QAAQ;QACR,gBAAgB,EAAG,YAAY,CAAC,YAAuB,IAAI,IAAI;QAC/D,WAAW;QACX,YAAY,EAAG,aAAa,CAAC,YAAuB,IAAI,CAAC;QACzD,aAAa,EAAE,YAAY,CAAC,QAAQ;KACrC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,aAAwC,EACxC,YAAuB;IAEvB,MAAM,eAAe,GAAG,4BAA4B,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAEzE,KAAK,MAAM,cAAc,IAAI,eAAe,EAAE,CAAC;QAC7C,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;gBAChC,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/exceptions.d.ts

@@ -0,0 +1,109 @@
+/**
+ * Exception hierarchy for the 1id.com Node.js SDK.
+ *
+ * All exceptions inherit from OneIDError. Enrollment-specific exceptions
+ * inherit from EnrollmentError. The hierarchy is designed so callers can
+ * catch at any level of specificity:
+ *
+ *     try {
+ *       await oneid.enroll({ requestTier: "sovereign" });
+ *     } catch (e) {
+ *       if (e instanceof NoHSMError) { ... }
+ *       else if (e instanceof EnrollmentError) { ... }
+ *       else if (e instanceof OneIDError) { ... }
+ *     }
+ *
+ * CRITICAL DESIGN RULE: requestTier is a REQUIREMENT, not a preference.
+ * These exceptions are raised when the requested tier CANNOT be satisfied.
+ * The SDK NEVER silently falls back to a lower tier.
+ */
+/**
+ * Base error for all 1id.com SDK errors.
+ */
+export declare class OneIDError extends Error {
+    readonly error_code: string | null;
+    constructor(message?: string, error_code?: string | null);
+}
+/**
+ * Base error for all enrollment failures.
+ */
+export declare class EnrollmentError extends OneIDError {
+    constructor(message?: string, error_code?: string | null);
+}
+/**
+ * Requested trust tier requires an HSM but none was found.
+ */
+export declare class NoHSMError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * User denied the elevation prompt (clicked No on UAC/sudo/pkexec).
+ */
+export declare class UACDeniedError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * HSM was found but could not be accessed.
+ */
+export declare class HSMAccessError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * This HSM is already enrolled with a different identity.
+ */
+export declare class AlreadyEnrolledError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * Requested vanity handle is already in use by another identity.
+ */
+export declare class HandleTakenError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * Requested handle violates naming rules.
+ */
+export declare class HandleInvalidError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * Requested handle was previously used and is permanently retired.
+ */
+export declare class HandleRetiredError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * Token acquisition or refresh failed.
+ */
+export declare class AuthenticationError extends OneIDError {
+    constructor(message?: string);
+}
+/**
+ * Could not reach the 1id.com API server.
+ */
+export declare class NetworkError extends OneIDError {
+    constructor(message?: string);
+}
+/**
+ * No enrollment credentials found on this machine.
+ */
+export declare class NotEnrolledError extends OneIDError {
+    constructor(message?: string);
+}
+/**
+ * The oneid-enroll Go binary could not be found or downloaded.
+ */
+export declare class BinaryNotFoundError extends OneIDError {
+    constructor(message?: string);
+}
+/**
+ * Too many enrollment attempts from this IP address.
+ */
+export declare class RateLimitExceededError extends EnrollmentError {
+    constructor(message?: string);
+}
+/**
+ * Raise the appropriate exception for a server error response.
+ */
+export declare function raise_from_server_error_response(error_code: string, error_message: string): never;
+//# sourceMappingURL=exceptions.d.ts.map

package/dist/exceptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exceptions.d.ts","sourceRoot":"","sources":["../src/exceptions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,SAAgB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;gBAE9B,OAAO,GAAE,MAA2C,EAAE,UAAU,GAAE,MAAM,GAAG,IAAW;CAOnG;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,UAAU;gBACjC,OAAO,GAAE,MAA4B,EAAE,UAAU,GAAE,MAAM,GAAG,IAAW;CAIpF;AAED;;GAEG;AACH,qBAAa,UAAW,SAAQ,eAAe;gBACjC,OAAO,GAAE,MAA4C;CAIlE;AAED;;GAEG;AACH,qBAAa,cAAe,SAAQ,eAAe;gBACrC,OAAO,GAAE,MAAuC;CAI7D;AAED;;GAEG;AACH,qBAAa,cAAe,SAAQ,eAAe;gBACrC,OAAO,GAAE,MAAsC;CAI5D;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,eAAe;gBAC3C,OAAO,GAAE,MAAiE;CAIvF;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,eAAe;gBACvC,OAAO,GAAE,MAA6C;CAInE;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,eAAe;gBACzC,OAAO,GAAE,MAAiD;CAIvE;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,eAAe;gBACzC,OAAO,GAAE,MAAgE;CAItF;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,GAAE,MAAgC;CAItD;AAED;;GAEG;AACH,qBAAa,YAAa,SAAQ,UAAU;gBAC9B,OAAO,GAAE,MAAkC;CAIxD;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,UAAU;gBAClC,OAAO,GAAE,MAAoD;CAI1E;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,GAAE,MAAoE;CAI1F;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,eAAe;gBAC7C,OAAO,GAAE,MAA8D;CAIpF;AAcD;;GAEG;AACH,wBAAgB,gCAAgC,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,KAAK,CAGjG"}

package/dist/exceptions.js

@@ -0,0 +1,168 @@
+/**
+ * Exception hierarchy for the 1id.com Node.js SDK.
+ *
+ * All exceptions inherit from OneIDError. Enrollment-specific exceptions
+ * inherit from EnrollmentError. The hierarchy is designed so callers can
+ * catch at any level of specificity:
+ *
+ *     try {
+ *       await oneid.enroll({ requestTier: "sovereign" });
+ *     } catch (e) {
+ *       if (e instanceof NoHSMError) { ... }
+ *       else if (e instanceof EnrollmentError) { ... }
+ *       else if (e instanceof OneIDError) { ... }
+ *     }
+ *
+ * CRITICAL DESIGN RULE: requestTier is a REQUIREMENT, not a preference.
+ * These exceptions are raised when the requested tier CANNOT be satisfied.
+ * The SDK NEVER silently falls back to a lower tier.
+ */
+/**
+ * Base error for all 1id.com SDK errors.
+ */
+export class OneIDError extends Error {
+    error_code;
+    constructor(message = "An error occurred in the 1id SDK", error_code = null) {
+        super(message);
+        this.name = "OneIDError";
+        this.error_code = error_code;
+        // Restore prototype chain (needed for instanceof to work with TS class extends Error)
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+/**
+ * Base error for all enrollment failures.
+ */
+export class EnrollmentError extends OneIDError {
+    constructor(message = "Enrollment failed", error_code = null) {
+        super(message, error_code);
+        this.name = "EnrollmentError";
+    }
+}
+/**
+ * Requested trust tier requires an HSM but none was found.
+ */
+export class NoHSMError extends EnrollmentError {
+    constructor(message = "No hardware security module found") {
+        super(message, "NO_HSM_FOUND");
+        this.name = "NoHSMError";
+    }
+}
+/**
+ * User denied the elevation prompt (clicked No on UAC/sudo/pkexec).
+ */
+export class UACDeniedError extends EnrollmentError {
+    constructor(message = "User denied elevation prompt") {
+        super(message, "UAC_DENIED");
+        this.name = "UACDeniedError";
+    }
+}
+/**
+ * HSM was found but could not be accessed.
+ */
+export class HSMAccessError extends EnrollmentError {
+    constructor(message = "HSM found but access failed") {
+        super(message, "HSM_ACCESS_ERROR");
+        this.name = "HSMAccessError";
+    }
+}
+/**
+ * This HSM is already enrolled with a different identity.
+ */
+export class AlreadyEnrolledError extends EnrollmentError {
+    constructor(message = "This HSM is already enrolled with a different identity") {
+        super(message, "EK_ALREADY_REGISTERED");
+        this.name = "AlreadyEnrolledError";
+    }
+}
+/**
+ * Requested vanity handle is already in use by another identity.
+ */
+export class HandleTakenError extends EnrollmentError {
+    constructor(message = "Requested handle is already in use") {
+        super(message, "HANDLE_TAKEN");
+        this.name = "HandleTakenError";
+    }
+}
+/**
+ * Requested handle violates naming rules.
+ */
+export class HandleInvalidError extends EnrollmentError {
+    constructor(message = "Requested handle violates naming rules") {
+        super(message, "HANDLE_INVALID");
+        this.name = "HandleInvalidError";
+    }
+}
+/**
+ * Requested handle was previously used and is permanently retired.
+ */
+export class HandleRetiredError extends EnrollmentError {
+    constructor(message = "Handle was previously used and is permanently retired") {
+        super(message, "HANDLE_RETIRED");
+        this.name = "HandleRetiredError";
+    }
+}
+/**
+ * Token acquisition or refresh failed.
+ */
+export class AuthenticationError extends OneIDError {
+    constructor(message = "Authentication failed") {
+        super(message, "AUTH_FAILED");
+        this.name = "AuthenticationError";
+    }
+}
+/**
+ * Could not reach the 1id.com API server.
+ */
+export class NetworkError extends OneIDError {
+    constructor(message = "Could not reach 1id.com") {
+        super(message, "NETWORK_ERROR");
+        this.name = "NetworkError";
+    }
+}
+/**
+ * No enrollment credentials found on this machine.
+ */
+export class NotEnrolledError extends OneIDError {
+    constructor(message = "Not enrolled -- call oneid.enroll() first") {
+        super(message, "NOT_ENROLLED");
+        this.name = "NotEnrolledError";
+    }
+}
+/**
+ * The oneid-enroll Go binary could not be found or downloaded.
+ */
+export class BinaryNotFoundError extends OneIDError {
+    constructor(message = "oneid-enroll binary not found and could not be downloaded") {
+        super(message, "BINARY_NOT_FOUND");
+        this.name = "BinaryNotFoundError";
+    }
+}
+/**
+ * Too many enrollment attempts from this IP address.
+ */
+export class RateLimitExceededError extends EnrollmentError {
+    constructor(message = "Rate limit exceeded -- too many enrollment attempts") {
+        super(message, "RATE_LIMIT_EXCEEDED");
+        this.name = "RateLimitExceededError";
+    }
+}
+// -- Mapping from server API error codes to exception classes --
+const SERVER_ERROR_CODE_TO_EXCEPTION_CLASS = {
+    "EK_ALREADY_REGISTERED": AlreadyEnrolledError,
+    "EK_CERT_INVALID": EnrollmentError,
+    "EK_CERT_CHAIN_UNTRUSTED": EnrollmentError,
+    "HANDLE_TAKEN": HandleTakenError,
+    "HANDLE_INVALID": HandleInvalidError,
+    "HANDLE_RETIRED": HandleRetiredError,
+    "RATE_LIMIT_EXCEEDED": RateLimitExceededError,
+    "RATE_LIMITED": RateLimitExceededError,
+};
+/**
+ * Raise the appropriate exception for a server error response.
+ */
+export function raise_from_server_error_response(error_code, error_message) {
+    const ExceptionClass = SERVER_ERROR_CODE_TO_EXCEPTION_CLASS[error_code] ?? EnrollmentError;
+    throw new ExceptionClass(error_message);
+}
+//# sourceMappingURL=exceptions.js.map

package/dist/exceptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exceptions.js","sourceRoot":"","sources":["../src/exceptions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH;;GAEG;AACH,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnB,UAAU,CAAgB;IAE1C,YAAY,UAAkB,kCAAkC,EAAE,aAA4B,IAAI;QAChG,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,sFAAsF;QACtF,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,UAAU;IAC7C,YAAY,UAAkB,mBAAmB,EAAE,aAA4B,IAAI;QACjF,KAAK,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC3B,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,UAAW,SAAQ,eAAe;IAC7C,YAAY,UAAkB,mCAAmC;QAC/D,KAAK,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;IAC3B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,cAAe,SAAQ,eAAe;IACjD,YAAY,UAAkB,8BAA8B;QAC1D,KAAK,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,cAAe,SAAQ,eAAe;IACjD,YAAY,UAAkB,6BAA6B;QACzD,KAAK,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,oBAAqB,SAAQ,eAAe;IACvD,YAAY,UAAkB,wDAAwD;QACpF,KAAK,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,gBAAiB,SAAQ,eAAe;IACnD,YAAY,UAAkB,oCAAoC;QAChE,KAAK,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,eAAe;IACrD,YAAY,UAAkB,wCAAwC;QACpE,KAAK,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,eAAe;IACrD,YAAY,UAAkB,uDAAuD;QACnF,KAAK,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,UAAU;IACjD,YAAY,UAAkB,uBAAuB;QACnD,KAAK,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,YAAa,SAAQ,UAAU;IAC1C,YAAY,UAAkB,yBAAyB;QACrD,KAAK,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC7B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,gBAAiB,SAAQ,UAAU;IAC9C,YAAY,UAAkB,2CAA2C;QACvE,KAAK,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,mBAAoB,SAAQ,UAAU;IACjD,YAAY,UAAkB,2DAA2D;QACvF,KAAK,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,sBAAuB,SAAQ,eAAe;IACzD,YAAY,UAAkB,qDAAqD;QACjF,KAAK,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,iEAAiE;AACjE,MAAM,oCAAoC,GAAwD;IAChG,uBAAuB,EAAE,oBAAoB;IAC7C,iBAAiB,EAAE,eAAe;IAClC,yBAAyB,EAAE,eAAe;IAC1C,cAAc,EAAE,gBAAgB;IAChC,gBAAgB,EAAE,kBAAkB;IACpC,gBAAgB,EAAE,kBAAkB;IACpC,qBAAqB,EAAE,sBAAsB;IAC7C,cAAc,EAAE,sBAAsB;CACvC,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gCAAgC,CAAC,UAAkB,EAAE,aAAqB;IACxF,MAAM,cAAc,GAAG,oCAAoC,CAAC,UAAU,CAAC,IAAI,eAAe,CAAC;IAC3F,MAAM,IAAI,cAAc,CAAC,aAAa,CAAC,CAAC;AAC1C,CAAC"}

package/dist/helper.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Go binary helper for the 1id.com Node.js SDK.
+ *
+ * Manages the oneid-enroll Go binary:
+ * - Locates the binary (cached or PATH)
+ * - Downloads it from GitHub releases if not present
+ * - Spawns it for HSM operations (detect, extract, activate, sign)
+ * - Parses JSON output
+ *
+ * The binary handles all platform-specific HSM operations:
+ * - TPM access (Windows TBS.dll, Linux /dev/tpm*)
+ * - YubiKey/PIV access (PCSC)
+ * - Privilege elevation (UAC, sudo, pkexec)
+ */
+/**
+ * Locate the oneid-enroll binary.
+ *
+ * Search order:
+ * 1. Binary cache directory (~/.local/share/oneid/bin/ or %APPDATA%/oneid/bin/)
+ * 2. Current working directory
+ * 3. System PATH
+ *
+ * @returns Path to the binary if found, null otherwise.
+ */
+export declare function find_binary(): string | null;
+/**
+ * Ensure the oneid-enroll binary is available, downloading if needed.
+ *
+ * @returns Path to the available binary.
+ * @throws BinaryNotFoundError if the binary cannot be found or downloaded.
+ */
+export declare function ensure_binary_available(): Promise<string>;
+/**
+ * Run an oneid-enroll subcommand and parse its JSON output.
+ */
+export declare function run_binary_command(command: string, args?: string[], json_mode?: boolean, timeout_milliseconds?: number): Promise<Record<string, unknown>>;
+/**
+ * Detect available hardware security modules via the Go binary.
+ *
+ * Runs 'oneid-enroll detect --json' which does NOT require elevation.
+ */
+export declare function detect_available_hsms(): Promise<Record<string, unknown>[]>;
+/**
+ * Extract attestation data from an HSM (requires elevation).
+ */
+export declare function extract_attestation_data(hsm: Record<string, unknown>): Promise<Record<string, unknown>>;
+/**
+ * Decrypt a credential activation challenge via the HSM (requires elevation).
+ */
+export declare function activate_credential(_hsm: Record<string, unknown>, credential_blob_b64: string, encrypted_secret_b64: string, ak_handle: string): Promise<string>;
+/**
+ * Sign a challenge nonce using the TPM AK -- NO ELEVATION NEEDED.
+ *
+ * This is the core of ongoing TPM-backed authentication.
+ */
+export declare function sign_challenge_with_tpm(nonce_b64: string, ak_handle: string): Promise<Record<string, unknown>>;
+//# sourceMappingURL=helper.d.ts.map

package/dist/helper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helper.d.ts","sourceRoot":"","sources":["../src/helper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAoEH;;;;;;;;;GASG;AACH,wBAAgB,WAAW,IAAI,MAAM,GAAG,IAAI,CAyC3C;AAsJD;;;;;GAKG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,MAAM,CAAC,CAqB/D;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,MAAM,EACf,IAAI,CAAC,EAAE,MAAM,EAAE,EACf,SAAS,GAAE,OAAc,EACzB,oBAAoB,GAAE,MAAe,GACpC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAgElC;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAShF;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAGlC;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,mBAAmB,EAAE,MAAM,EAC3B,oBAAoB,EAAE,MAAM,EAC5B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAKlC"}