1id 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/README.md +1 -1
  2. package/dist/attestation.d.ts +59 -0
  3. package/dist/attestation.d.ts.map +1 -0
  4. package/dist/attestation.js +489 -0
  5. package/dist/attestation.js.map +1 -0
  6. package/dist/client.d.ts +8 -0
  7. package/dist/client.d.ts.map +1 -1
  8. package/dist/client.js +22 -0
  9. package/dist/client.js.map +1 -1
  10. package/dist/enroll.d.ts +1 -0
  11. package/dist/enroll.d.ts.map +1 -1
  12. package/dist/enroll.js +80 -0
  13. package/dist/enroll.js.map +1 -1
  14. package/dist/helper.d.ts +7 -0
  15. package/dist/helper.d.ts.map +1 -1
  16. package/dist/helper.js +12 -0
  17. package/dist/helper.js.map +1 -1
  18. package/dist/identity.d.ts +2 -0
  19. package/dist/identity.d.ts.map +1 -1
  20. package/dist/identity.js +2 -0
  21. package/dist/identity.js.map +1 -1
  22. package/dist/index.d.ts +12 -0
  23. package/dist/index.d.ts.map +1 -1
  24. package/dist/index.js +13 -0
  25. package/dist/index.js.map +1 -1
  26. package/dist/test/test_attestation.d.ts +8 -0
  27. package/dist/test/test_attestation.d.ts.map +1 -0
  28. package/dist/test/test_attestation.js +200 -0
  29. package/dist/test/test_attestation.js.map +1 -0
  30. package/dist/verify.d.ts +2 -0
  31. package/dist/verify.d.ts.map +1 -1
  32. package/dist/verify.js +2 -2
  33. package/dist/verify.js.map +1 -1
  34. package/package.json +3 -3
package/README.md CHANGED
@@ -7,7 +7,7 @@ Hardware-anchored identity SDK for AI agents — [1id.com](https://1id.com)
7
7
 
8
8
  ## What is 1id.com?
9
9
 
10
- An identity registrar for AI agents. Like a passport office, but for software.
10
+ An identity registrar for AI agents. Like a birth certificate registry, but for software.
11
11
 
12
12
  - **TPM-backed**: Agents with a Trusted Platform Module get cryptographic proof of identity
13
13
  - **Sybil-resistant**: One chip = one identity. No farming.
package/dist/attestation.d.ts ADDED
@@ -0,0 +1,59 @@
1
+ /**
2
+ * Protocol-agnostic attestation primitive for the 1id.com Node.js SDK.
3
+ *
4
+ * Two modes of operation:
5
+ *
6
+ * 1. **Email attestation (RFC-compliant)**:
7
+ * ```ts
8
+ * const proof = await prepareAttestation({
9
+ * emailHeaders: { From: "agent@mailpal.com", To: "bob@example.com",
10
+ * Subject: "Hello", Date: "...", "Message-ID": "<abc@mailpal.com>" },
11
+ * body: Buffer.from("Message body"),
12
+ * });
13
+ * ```
14
+ * The nonce is computed per draft-drake-email-hardware-attestation-00
15
+ * Section 5.3 using DKIM relaxed header canonicalization and a
16
+ * header+body+timestamp binding.
17
+ *
18
+ * 2. **Simple content attestation**:
19
+ * ```ts
20
+ * const proof = await prepareAttestation({ content: Buffer.from("raw bytes") });
21
+ * ```
22
+ * The nonce is base64url(SHA-256(content)). Suitable for non-email protocols.
23
+ *
24
+ * RFC: draft-drake-email-hardware-attestation-00 Section 5.
25
+ * Nonce algorithm: Section 5.3 (message-binding via issuer-signed nonce).
26
+ */
27
+ export interface AttestationProof {
28
+ sd_jwt: string | null;
29
+ sd_jwt_disclosures: Record<string, string>;
30
+ contact_token: string | null;
31
+ contact_address: string | null;
32
+ tpm_signature_b64: string | null;
33
+ content_digest: string | null;
34
+ }
35
+ export interface PrepareAttestationOptions {
36
+ content?: Buffer;
37
+ contentDigest?: string;
38
+ emailHeaders?: Record<string, string>;
39
+ body?: Buffer;
40
+ disclosedClaims?: string[];
41
+ includeContactToken?: boolean;
42
+ includeSdJwt?: boolean;
43
+ apiBaseUrl?: string;
44
+ }
45
+ export declare function canonicalise_header_value_using_dkim_relaxed(raw_value: string): string;
46
+ export declare function canonicalise_header_name_using_dkim_relaxed(raw_name: string): string;
47
+ export declare function canonicalise_headers_for_message_binding(email_headers: Record<string, string>, hardware_trust_proof_header_value_placeholder?: string): Buffer;
48
+ export declare function canonicalise_body_using_dkim_simple(body_bytes: Buffer): Buffer;
49
+ export declare function compute_rfc_message_binding_nonce(email_headers: Record<string, string>, body_bytes: Buffer, proposed_iat_unix_timestamp: number): string;
50
+ export interface DirectAttestationProof {
51
+ hardware_attestation_header_value: string;
52
+ content_digest: string;
53
+ }
54
+ export declare function canonicalise_headers_for_direct_attestation(email_headers: Record<string, string>, hardware_attestation_header_value_without_chain?: string): Buffer;
55
+ export declare function compute_attestation_digest_for_direct_mode(email_headers: Record<string, string>, body_bytes: Buffer, attestation_timestamp_unix: number, hardware_attestation_header_value_without_chain?: string): Buffer;
56
+ export declare function build_cms_signed_data_for_direct_attestation(signature_bytes: Buffer, certificate_chain_pem: string, signature_algorithm_rfc_name: string): Buffer;
57
+ export declare function prepare_direct_hardware_attestation(email_headers: Record<string, string>, body: Buffer, agent_identity_urn?: string): Promise<DirectAttestationProof>;
58
+ export declare function prepareAttestation(options?: PrepareAttestationOptions): Promise<AttestationProof>;
59
+ //# sourceMappingURL=attestation.d.ts.map
package/dist/attestation.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAaH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAgB,4CAA4C,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAKtF;AAED,wBAAgB,2CAA2C,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAEpF;AAED,wBAAgB,wCAAwC,CACtD,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,6CAA6C,GAAE,MAAW,GACzD,MAAM,CAoCR;AAED,wBAAgB,mCAAmC,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAU9E;AAED,wBAAgB,iCAAiC,CAC/C,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,UAAU,EAAE,MAAM,EAClB,2BAA2B,EAAE,MAAM,GAClC,MAAM,CAcR;AAUD,MAAM,WAAW,sBAAsB;IACrC,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,wBAAgB,2CAA2C,CACzD,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,+CAA+C,GAAE,MAAW,GAC3D,MAAM,CAoCR;AAED,wBAAgB,0CAA0C,CACxD,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,UAAU,EAAE,MAAM,EAClB,0BAA0B,EAAE,MAAM,EAClC,+CAA+C,GAAE,MAAW,GAC3D,MAAM,CAcR;AAkHD,wBAAgB,4CAA4C,CAC1D,eAAe,EAAE,MAAM,EACvB,qBAAqB,EAAE,MAAM,EAC7B,4BAA4B,EAAE,MAAM,GACnC,MAAM,CAgDR;AAED,wBAAsB,mCAAmC,CACvD,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,IAAI,EAAE,MAAM,EACZ,kBAAkB,CAAC,EAAE,MAAM,GAC1B,OAAO,CAAC,sBAAsB,CAAC,CAoGjC;AAED,wBAAsB,kBAAkB,CACtC,OAAO,GAAE,yBAA8B,GACtC,OAAO,CAAC,gBAAgB,CAAC,CA8F3B"}
package/dist/attestation.js ADDED
@@ -0,0 +1,489 @@
1
+ /**
2
+ * Protocol-agnostic attestation primitive for the 1id.com Node.js SDK.
3
+ *
4
+ * Two modes of operation:
5
+ *
6
+ * 1. **Email attestation (RFC-compliant)**:
7
+ * ```ts
8
+ * const proof = await prepareAttestation({
9
+ * emailHeaders: { From: "agent@mailpal.com", To: "bob@example.com",
10
+ * Subject: "Hello", Date: "...", "Message-ID": "<abc@mailpal.com>" },
11
+ * body: Buffer.from("Message body"),
12
+ * });
13
+ * ```
14
+ * The nonce is computed per draft-drake-email-hardware-attestation-00
15
+ * Section 5.3 using DKIM relaxed header canonicalization and a
16
+ * header+body+timestamp binding.
17
+ *
18
+ * 2. **Simple content attestation**:
19
+ * ```ts
20
+ * const proof = await prepareAttestation({ content: Buffer.from("raw bytes") });
21
+ * ```
22
+ * The nonce is base64url(SHA-256(content)). Suitable for non-email protocols.
23
+ *
24
+ * RFC: draft-drake-email-hardware-attestation-00 Section 5.
25
+ * Nonce algorithm: Section 5.3 (message-binding via issuer-signed nonce).
26
+ */
27
+ import { createHash } from "crypto";
28
+ import { get_token } from "./auth.js";
29
+ import { load_credentials } from "./credentials.js";
30
+ import { AuthenticationError, NotEnrolledError } from "./exceptions.js";
31
+ const _HTTP_TIMEOUT_MILLISECONDS = 15_000;
32
+ const _MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING = [
33
+ "from", "to", "subject", "date", "message-id",
34
+ ];
35
+ export function canonicalise_header_value_using_dkim_relaxed(raw_value) {
36
+ let unfolded = raw_value.replace(/\r\n[ ]/g, " ").replace(/\r\n\t/g, " ");
37
+ unfolded = unfolded.replace(/\n[ ]/g, " ").replace(/\n\t/g, " ");
38
+ const compressed = unfolded.replace(/[ \t]+/g, " ");
39
+ return compressed.trim();
40
+ }
41
+ export function canonicalise_header_name_using_dkim_relaxed(raw_name) {
42
+ return raw_name.trim().toLowerCase();
43
+ }
44
+ export function canonicalise_headers_for_message_binding(email_headers, hardware_trust_proof_header_value_placeholder = "") {
45
+ const lowered_headers = {};
46
+ for (const [k, v] of Object.entries(email_headers)) {
47
+ lowered_headers[k.trim().toLowerCase()] = v;
48
+ }
49
+ for (const required_header_name of _MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING) {
50
+ if (!(required_header_name in lowered_headers)) {
51
+ throw new Error(`Missing required email header '${required_header_name}' for RFC message-binding nonce. ` +
52
+ `Required headers: ${_MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING.join(", ")}`);
53
+ }
54
+ }
55
+ const canonicalised_header_lines = [];
56
+ for (const required_header_name of _MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING) {
57
+ const canon_name = canonicalise_header_name_using_dkim_relaxed(required_header_name);
58
+ const canon_value = canonicalise_header_value_using_dkim_relaxed(lowered_headers[required_header_name]);
59
+ canonicalised_header_lines.push(`${canon_name}:${canon_value}\r\n`);
60
+ }
61
+ for (const extra_header_name of Object.keys(lowered_headers).sort()) {
62
+ if (_MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING.includes(extra_header_name)) {
63
+ continue;
64
+ }
65
+ if (extra_header_name === "hardware-trust-proof") {
66
+ continue;
67
+ }
68
+ const canon_name = canonicalise_header_name_using_dkim_relaxed(extra_header_name);
69
+ const canon_value = canonicalise_header_value_using_dkim_relaxed(lowered_headers[extra_header_name]);
70
+ canonicalised_header_lines.push(`${canon_name}:${canon_value}\r\n`);
71
+ }
72
+ canonicalised_header_lines.push(`hardware-trust-proof:${hardware_trust_proof_header_value_placeholder}`);
73
+ return Buffer.from(canonicalised_header_lines.join(""), "utf-8");
74
+ }
75
+ export function canonicalise_body_using_dkim_simple(body_bytes) {
76
+ if (body_bytes.length === 0) {
77
+ return Buffer.from("\r\n");
78
+ }
79
+ let result = body_bytes;
80
+ while (result.length >= 4 && result.subarray(-4).equals(Buffer.from("\r\n\r\n"))) {
81
+ result = result.subarray(0, -2);
82
+ }
83
+ if (!result.subarray(-2).equals(Buffer.from("\r\n"))) {
84
+ result = Buffer.concat([result, Buffer.from("\r\n")]);
85
+ }
86
+ return result;
87
+ }
88
+ export function compute_rfc_message_binding_nonce(email_headers, body_bytes, proposed_iat_unix_timestamp) {
89
+ const canonicalised_header_bytes = canonicalise_headers_for_message_binding(email_headers);
90
+ const h_hash = createHash("sha256").update(canonicalised_header_bytes).digest();
91
+ const canonicalised_body = canonicalise_body_using_dkim_simple(body_bytes);
92
+ const bh_raw = createHash("sha256").update(canonicalised_body).digest();
93
+ const ts_bytes = Buffer.alloc(8);
94
+ ts_bytes.writeBigUInt64BE(BigInt(proposed_iat_unix_timestamp));
95
+ const message_binding = Buffer.concat([h_hash, bh_raw, ts_bytes]);
96
+ const nonce_raw = createHash("sha256").update(message_binding).digest();
97
+ return nonce_raw.toString("base64url");
98
+ }
99
+ const _TRUST_TIER_TO_RFC_TYP_PARAMETER = {
100
+ "sovereign": "TPM",
101
+ "portable": "PIV",
102
+ "enclave": "ENC",
103
+ "virtual": "VRT",
104
+ "declared": "SFT",
105
+ };
106
+ export function canonicalise_headers_for_direct_attestation(email_headers, hardware_attestation_header_value_without_chain = "") {
107
+ const lowered_headers = {};
108
+ for (const [k, v] of Object.entries(email_headers)) {
109
+ lowered_headers[k.trim().toLowerCase()] = v;
110
+ }
111
+ for (const required_header_name of _MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING) {
112
+ if (!(required_header_name in lowered_headers)) {
113
+ throw new Error(`Missing required email header '${required_header_name}' for Mode 1 attestation. ` +
114
+ `Required headers: ${_MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING.join(", ")}`);
115
+ }
116
+ }
117
+ const canonicalised_header_lines = [];
118
+ for (const required_header_name of _MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING) {
119
+ const canon_name = canonicalise_header_name_using_dkim_relaxed(required_header_name);
120
+ const canon_value = canonicalise_header_value_using_dkim_relaxed(lowered_headers[required_header_name]);
121
+ canonicalised_header_lines.push(`${canon_name}:${canon_value}\r\n`);
122
+ }
123
+ for (const extra_header_name of Object.keys(lowered_headers).sort()) {
124
+ if (_MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING.includes(extra_header_name)) {
125
+ continue;
126
+ }
127
+ if (extra_header_name === "hardware-attestation" || extra_header_name === "hardware-trust-proof") {
128
+ continue;
129
+ }
130
+ const canon_name = canonicalise_header_name_using_dkim_relaxed(extra_header_name);
131
+ const canon_value = canonicalise_header_value_using_dkim_relaxed(lowered_headers[extra_header_name]);
132
+ canonicalised_header_lines.push(`${canon_name}:${canon_value}\r\n`);
133
+ }
134
+ canonicalised_header_lines.push(`hardware-attestation:${hardware_attestation_header_value_without_chain}`);
135
+ return Buffer.from(canonicalised_header_lines.join(""), "utf-8");
136
+ }
137
+ export function compute_attestation_digest_for_direct_mode(email_headers, body_bytes, attestation_timestamp_unix, hardware_attestation_header_value_without_chain = "") {
138
+ const canonicalised_header_bytes = canonicalise_headers_for_direct_attestation(email_headers, hardware_attestation_header_value_without_chain);
139
+ const h_hash = createHash("sha256").update(canonicalised_header_bytes).digest();
140
+ const canonicalised_body = canonicalise_body_using_dkim_simple(body_bytes);
141
+ const bh_raw = createHash("sha256").update(canonicalised_body).digest();
142
+ const ts_bytes = Buffer.alloc(8);
143
+ ts_bytes.writeBigUInt64BE(BigInt(attestation_timestamp_unix));
144
+ const attestation_input = Buffer.concat([h_hash, bh_raw, ts_bytes]);
145
+ return createHash("sha256").update(attestation_input).digest();
146
+ }
147
+ function der_encode_length(length_value) {
148
+ if (length_value < 0x80) {
149
+ return Buffer.from([length_value]);
150
+ }
151
+ if (length_value < 0x100) {
152
+ return Buffer.from([0x81, length_value]);
153
+ }
154
+ if (length_value < 0x10000) {
155
+ return Buffer.from([0x82, (length_value >> 8) & 0xFF, length_value & 0xFF]);
156
+ }
157
+ return Buffer.from([0x83, (length_value >> 16) & 0xFF, (length_value >> 8) & 0xFF, length_value & 0xFF]);
158
+ }
159
+ function der_encode_tlv(tag_byte, content_bytes) {
160
+ return Buffer.concat([Buffer.from([tag_byte]), der_encode_length(content_bytes.length), content_bytes]);
161
+ }
162
+ function der_encode_integer(integer_value) {
163
+ if (integer_value === 0n) {
164
+ return der_encode_tlv(0x02, Buffer.from([0x00]));
165
+ }
166
+ const hex = integer_value.toString(16);
167
+ const padded_hex = hex.length % 2 ? "0" + hex : hex;
168
+ let byte_buffer = Buffer.from(padded_hex, "hex");
169
+ if (byte_buffer[0] >= 0x80) {
170
+ byte_buffer = Buffer.concat([Buffer.from([0x00]), byte_buffer]);
171
+ }
172
+ return der_encode_tlv(0x02, byte_buffer);
173
+ }
174
+ function der_encode_oid(oid_dotted_string) {
175
+ const components = oid_dotted_string.split(".").map(Number);
176
+ const encoded_body = [40 * components[0] + components[1]];
177
+ for (let i = 2; i < components.length; i++) {
178
+ const component = components[i];
179
+ if (component < 0x80) {
180
+ encoded_body.push(component);
181
+ }
182
+ else {
183
+ const base128_digits = [];
184
+ let remaining = component;
185
+ while (remaining > 0) {
186
+ base128_digits.push(remaining & 0x7F);
187
+ remaining >>= 7;
188
+ }
189
+ base128_digits.reverse();
190
+ for (let j = 0; j < base128_digits.length; j++) {
191
+ encoded_body.push(j < base128_digits.length - 1 ? base128_digits[j] | 0x80 : base128_digits[j]);
192
+ }
193
+ }
194
+ }
195
+ return der_encode_tlv(0x06, Buffer.from(encoded_body));
196
+ }
197
+ const _OID_SIGNED_DATA = "1.2.840.113549.1.7.2";
198
+ const _OID_DATA = "1.2.840.113549.1.7.1";
199
+ const _OID_SHA256 = "2.16.840.1.101.3.4.2.1";
200
+ const _OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11";
201
+ const _OID_ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2";
202
+ const _RFC_ALG_TO_SIGNATURE_OID = {
203
+ "RS256": _OID_SHA256_WITH_RSA,
204
+ "ES256": _OID_ECDSA_WITH_SHA256,
205
+ };
206
+ function parse_pem_certificates_to_der(certificate_chain_pem) {
207
+ const certificate_der_list = [];
208
+ for (const pem_block of certificate_chain_pem.split("-----END CERTIFICATE-----")) {
209
+ const trimmed = pem_block.trim();
210
+ if (trimmed && trimmed.includes("-----BEGIN CERTIFICATE-----")) {
211
+ const b64 = trimmed.replace("-----BEGIN CERTIFICATE-----", "").replace(/\s/g, "");
212
+ certificate_der_list.push(Buffer.from(b64, "base64"));
213
+ }
214
+ }
215
+ return certificate_der_list;
216
+ }
217
+ function extract_issuer_and_serial_from_der(cert_der) {
218
+ let pos = 0;
219
+ const read_tag_length = (offset) => {
220
+ const tag = cert_der[offset];
221
+ offset++;
222
+ let length = cert_der[offset];
223
+ offset++;
224
+ if (length > 127) {
225
+ const num_bytes = length & 0x7F;
226
+ length = 0;
227
+ for (let i = 0; i < num_bytes; i++) {
228
+ length = (length << 8) | cert_der[offset];
229
+ offset++;
230
+ }
231
+ }
232
+ return { tag, length, value_offset: offset };
233
+ };
234
+ const outer = read_tag_length(pos);
235
+ const tbs = read_tag_length(outer.value_offset);
236
+ let tbs_pos = tbs.value_offset;
237
+ const first_elem = read_tag_length(tbs_pos);
238
+ if (first_elem.tag === 0xA0) {
239
+ tbs_pos = first_elem.value_offset + first_elem.length;
240
+ }
241
+ const serial = read_tag_length(tbs_pos);
242
+ const serial_bytes = cert_der.subarray(serial.value_offset, serial.value_offset + serial.length);
243
+ let serial_number = 0n;
244
+ for (const byte_value of serial_bytes) {
245
+ serial_number = (serial_number << 8n) | BigInt(byte_value);
246
+ }
247
+ tbs_pos = serial.value_offset + serial.length;
248
+ const sig_alg = read_tag_length(tbs_pos);
249
+ tbs_pos = sig_alg.value_offset + sig_alg.length;
250
+ const issuer = read_tag_length(tbs_pos);
251
+ const issuer_der = cert_der.subarray(tbs_pos, issuer.value_offset + issuer.length);
252
+ return { issuer_der, serial_number };
253
+ }
254
+ export function build_cms_signed_data_for_direct_attestation(signature_bytes, certificate_chain_pem, signature_algorithm_rfc_name) {
255
+ const certificate_der_list = parse_pem_certificates_to_der(certificate_chain_pem);
256
+ if (certificate_der_list.length === 0) {
257
+ throw new Error("Certificate chain PEM contains no parseable certificates");
258
+ }
259
+ const signature_oid_string = _RFC_ALG_TO_SIGNATURE_OID[signature_algorithm_rfc_name];
260
+ if (!signature_oid_string) {
261
+ throw new Error(`Unsupported signature algorithm: ${signature_algorithm_rfc_name}`);
262
+ }
263
+ const sha256_algorithm_identifier = der_encode_tlv(0x30, Buffer.concat([der_encode_oid(_OID_SHA256), der_encode_tlv(0x05, Buffer.alloc(0))]));
264
+ const digest_algorithms_set = der_encode_tlv(0x31, sha256_algorithm_identifier);
265
+ const encap_content_info = der_encode_tlv(0x30, der_encode_oid(_OID_DATA));
266
+ const all_certs_content = Buffer.concat(certificate_der_list);
267
+ const certificates_implicit_set = der_encode_tlv(0xA0, all_certs_content);
268
+ const { issuer_der, serial_number } = extract_issuer_and_serial_from_der(certificate_der_list[0]);
269
+ const issuer_and_serial_number = der_encode_tlv(0x30, Buffer.concat([issuer_der, der_encode_integer(serial_number)]));
270
+ const signature_algorithm_identifier = der_encode_tlv(0x30, der_encode_oid(signature_oid_string));
271
+ const signature_octet_string = der_encode_tlv(0x04, signature_bytes);
272
+ const signer_info = der_encode_tlv(0x30, Buffer.concat([
273
+ der_encode_integer(1n),
274
+ issuer_and_serial_number,
275
+ sha256_algorithm_identifier,
276
+ signature_algorithm_identifier,
277
+ signature_octet_string,
278
+ ]));
279
+ const signer_infos_set = der_encode_tlv(0x31, signer_info);
280
+ const signed_data = der_encode_tlv(0x30, Buffer.concat([
281
+ der_encode_integer(1n),
282
+ digest_algorithms_set,
283
+ encap_content_info,
284
+ certificates_implicit_set,
285
+ signer_infos_set,
286
+ ]));
287
+ return der_encode_tlv(0x30, Buffer.concat([
288
+ der_encode_oid(_OID_SIGNED_DATA),
289
+ der_encode_tlv(0xA0, signed_data),
290
+ ]));
291
+ }
292
+ export async function prepare_direct_hardware_attestation(email_headers, body, agent_identity_urn) {
293
+ const creds = load_credentials();
294
+ const trust_tier = creds.trust_tier ?? "declared";
295
+ const typ_parameter = _TRUST_TIER_TO_RFC_TYP_PARAMETER[trust_tier] ?? "SFT";
296
+ if (!creds.identity_certificate_chain_pem) {
297
+ throw new NotEnrolledError("Mode 1 (Direct Hardware Attestation) requires a certificate chain. " +
298
+ "Re-enroll to obtain an identity certificate.");
299
+ }
300
+ if (!agent_identity_urn) {
301
+ agent_identity_urn = creds.agent_identity_urn ?? undefined;
302
+ }
303
+ const attestation_timestamp = Math.floor(Date.now() / 1000);
304
+ const canonicalised_body = canonicalise_body_using_dkim_simple(body);
305
+ const bh_raw = createHash("sha256").update(canonicalised_body).digest();
306
+ const bh_base64url = bh_raw.toString("base64url");
307
+ const lowered_headers = {};
308
+ for (const [k, v] of Object.entries(email_headers)) {
309
+ lowered_headers[k.trim().toLowerCase()] = v;
310
+ }
311
+ let signed_header_names = _MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING.join(":");
312
+ const extra_header_names = Object.keys(lowered_headers).filter(h => !_MINIMUM_HEADERS_FOR_RFC_MESSAGE_BINDING.includes(h) &&
313
+ h !== "hardware-attestation" && h !== "hardware-trust-proof").sort();
314
+ if (extra_header_names.length > 0) {
315
+ signed_header_names += ":" + extra_header_names.join(":");
316
+ }
317
+ let algorithm_for_header;
318
+ if (trust_tier === "sovereign" || trust_tier === "virtual" || creds.key_algorithm === "tpm-ak") {
319
+ algorithm_for_header = "RS256";
320
+ }
321
+ else if (trust_tier === "portable" || trust_tier === "enclave" || creds.hsm_key_reference === "piv-slot-9a") {
322
+ algorithm_for_header = "ES256";
323
+ }
324
+ else if (creds.private_key_pem) {
325
+ const { determine_signing_algorithm_name } = await import("./verify.js");
326
+ algorithm_for_header = determine_signing_algorithm_name(creds);
327
+ }
328
+ else {
329
+ throw new NotEnrolledError("No signing key available for Mode 1 attestation.");
330
+ }
331
+ let header_template_without_chain = (`v=1; typ=${typ_parameter}; alg=${algorithm_for_header}; ` +
332
+ `h=${signed_header_names}; bh=${bh_base64url}; ts=${attestation_timestamp}; ` +
333
+ `chain=`);
334
+ if (agent_identity_urn) {
335
+ header_template_without_chain += `; aid=${agent_identity_urn}`;
336
+ }
337
+ const attestation_digest = compute_attestation_digest_for_direct_mode(email_headers, body, attestation_timestamp, header_template_without_chain);
338
+ let signature_bytes;
339
+ if (trust_tier === "sovereign" || trust_tier === "virtual" || creds.key_algorithm === "tpm-ak") {
340
+ const { sign_challenge_with_tpm } = await import("./helper.js");
341
+ const result = await sign_challenge_with_tpm(attestation_digest.toString("base64"), creds.hsm_key_reference ?? "");
342
+ signature_bytes = Buffer.from(result["signature_b64"] ?? "", "base64");
343
+ }
344
+ else if (trust_tier === "portable" || creds.hsm_key_reference === "piv-slot-9a") {
345
+ const { sign_challenge_with_piv } = await import("./helper.js");
346
+ const result = await sign_challenge_with_piv(attestation_digest.toString("base64"));
347
+ signature_bytes = Buffer.from(result["signature_b64"] ?? "", "base64");
348
+ }
349
+ else if (trust_tier === "enclave") {
350
+ const { sign_challenge_with_enclave } = await import("./helper.js");
351
+ const result = await sign_challenge_with_enclave(attestation_digest.toString("base64"));
352
+ signature_bytes = Buffer.from(result["signature_b64"] ?? "", "base64");
353
+ }
354
+ else if (creds.private_key_pem) {
355
+ const { sign_challenge_with_private_key } = await import("./keys.js");
356
+ signature_bytes = sign_challenge_with_private_key(creds.private_key_pem, attestation_digest);
357
+ }
358
+ else {
359
+ throw new NotEnrolledError("No signing key available.");
360
+ }
361
+ const cms_der_bytes = build_cms_signed_data_for_direct_attestation(signature_bytes, creds.identity_certificate_chain_pem, algorithm_for_header);
362
+ const chain_base64 = cms_der_bytes.toString("base64");
363
+ let final_header_value = (`v=1; typ=${typ_parameter}; alg=${algorithm_for_header}; ` +
364
+ `h=${signed_header_names}; bh=${bh_base64url}; ts=${attestation_timestamp}; ` +
365
+ `chain=${chain_base64}`);
366
+ if (agent_identity_urn) {
367
+ final_header_value += `; aid=${agent_identity_urn}`;
368
+ }
369
+ const body_digest_hex = createHash("sha256").update(body).digest("hex");
370
+ return {
371
+ hardware_attestation_header_value: final_header_value,
372
+ content_digest: `sha256:${body_digest_hex}`,
373
+ };
374
+ }
375
+ export async function prepareAttestation(options = {}) {
376
+ const { content, contentDigest, emailHeaders, body, disclosedClaims = ["trust_tier"], includeContactToken = true, includeSdJwt = true, apiBaseUrl, } = options;
377
+ const rfc_email_mode_is_active = emailHeaders != null;
378
+ const simple_content_mode_is_active = content != null || contentDigest != null;
379
+ if (rfc_email_mode_is_active && simple_content_mode_is_active) {
380
+ throw new Error("Cannot mix emailHeaders/body with content/contentDigest. " +
381
+ "Use emailHeaders+body for RFC email attestation, OR content/contentDigest for simple mode.");
382
+ }
383
+ if (rfc_email_mode_is_active && body == null) {
384
+ throw new Error("body is required when emailHeaders is provided.");
385
+ }
386
+ if (content != null && contentDigest != null) {
387
+ throw new Error("Provide content OR contentDigest, not both.");
388
+ }
389
+ let effective_content_digest = null;
390
+ if (content != null) {
391
+ const digest_hex = createHash("sha256").update(content).digest("hex");
392
+ effective_content_digest = `sha256:${digest_hex}`;
393
+ }
394
+ else if (contentDigest != null) {
395
+ effective_content_digest = contentDigest;
396
+ }
397
+ else if (rfc_email_mode_is_active && body != null) {
398
+ const body_digest_hex = createHash("sha256").update(body).digest("hex");
399
+ effective_content_digest = `sha256:${body_digest_hex}`;
400
+ }
401
+ const creds = load_credentials();
402
+ const effective_api_base_url = apiBaseUrl ?? creds.api_base_url ?? "https://1id.com";
403
+ const token = await get_token();
404
+ const auth_headers = {
405
+ "Authorization": `Bearer ${token.access_token}`,
406
+ "Content-Type": "application/json",
407
+ };
408
+ const proof = {
409
+ sd_jwt: null,
410
+ sd_jwt_disclosures: {},
411
+ contact_token: null,
412
+ contact_address: null,
413
+ tpm_signature_b64: null,
414
+ content_digest: effective_content_digest,
415
+ };
416
+ if (includeSdJwt) {
417
+ const proposed_iat = Math.floor(Date.now() / 1000);
418
+ let nonce_value;
419
+ if (rfc_email_mode_is_active && body != null) {
420
+ nonce_value = compute_rfc_message_binding_nonce(emailHeaders, body, proposed_iat);
421
+ }
422
+ else {
423
+ const message_hash = effective_content_digest?.includes(":")
424
+ ? effective_content_digest.split(":")[1]
425
+ : (effective_content_digest ?? "");
426
+ nonce_value = Buffer.from(message_hash, "hex").toString("base64url");
427
+ }
428
+ const sd_jwt_result = await _fetch_sd_jwt_proof_for_message(effective_api_base_url, auth_headers, nonce_value, proposed_iat, disclosedClaims);
429
+ proof.sd_jwt = sd_jwt_result.sd_jwt;
430
+ proof.sd_jwt_disclosures = sd_jwt_result.disclosures;
431
+ }
432
+ if (includeContactToken) {
433
+ const contact_result = await _fetch_contact_token(effective_api_base_url, auth_headers);
434
+ proof.contact_token = contact_result.token;
435
+ proof.contact_address = contact_result.contact_address;
436
+ }
437
+ return proof;
438
+ }
439
+ async function _fetch_sd_jwt_proof_for_message(api_base_url, auth_headers, precomputed_nonce, proposed_iat, disclosed_claims) {
440
+ const url = `${api_base_url}/api/v1/proof/sd-jwt/message`;
441
+ const response = await fetch(url, {
442
+ method: "POST",
443
+ headers: auth_headers,
444
+ body: JSON.stringify({
445
+ nonce: precomputed_nonce,
446
+ proposed_iat,
447
+ disclosed_claims,
448
+ }),
449
+ signal: AbortSignal.timeout(_HTTP_TIMEOUT_MILLISECONDS),
450
+ });
451
+ if (response.status === 401) {
452
+ throw new AuthenticationError("Bearer token rejected by SD-JWT endpoint.");
453
+ }
454
+ if (!response.ok) {
455
+ console.error(`SD-JWT request failed (HTTP ${response.status}): ${(await response.text()).slice(0, 300)} -- Hardware-Trust-Proof header will be MISSING`);
456
+ return { sd_jwt: null, disclosures: {} };
457
+ }
458
+ let data = await response.json();
459
+ if ("data" in data) {
460
+ data = data.data;
461
+ }
462
+ return {
463
+ sd_jwt: data.sd_jwt ?? null,
464
+ disclosures: data.disclosures ?? {},
465
+ };
466
+ }
467
+ async function _fetch_contact_token(api_base_url, auth_headers) {
468
+ const url = `${api_base_url}/api/v1/contact-token`;
469
+ try {
470
+ const response = await fetch(url, {
471
+ method: "GET",
472
+ headers: auth_headers,
473
+ signal: AbortSignal.timeout(_HTTP_TIMEOUT_MILLISECONDS),
474
+ });
475
+ if (!response.ok) {
476
+ console.warn(`Contact token request failed (HTTP ${response.status})`);
477
+ return { token: null, contact_address: null };
478
+ }
479
+ const data = (await response.json()).data ?? {};
480
+ return {
481
+ token: data.token ?? null,
482
+ contact_address: data.contact_address ?? null,
483
+ };
484
+ }
485
+ catch {
486
+ return { token: null, contact_address: null };
487
+ }
488
+ }
489
+ //# sourceMappingURL=attestation.js.map
package/dist/attestation.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"attestation.js","sourceRoot":"","sources":["../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAgB,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEtF,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAE1C,MAAM,wCAAwC,GAAG;IAC/C,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY;CAC9C,CAAC;AAsBF,MAAM,UAAU,4CAA4C,CAAC,SAAiB;IAC5E,IAAI,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC1E,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACjE,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACpD,OAAO,UAAU,CAAC,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,2CAA2C,CAAC,QAAgB;IAC1E,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,wCAAwC,CACtD,aAAqC,EACrC,gDAAwD,EAAE;IAE1D,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QACnD,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,MAAM,oBAAoB,IAAI,wCAAwC,EAAE,CAAC;QAC5E,IAAI,CAAC,CAAC,oBAAoB,IAAI,eAAe,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,kCAAkC,oBAAoB,mCAAmC;gBACzF,qBAAqB,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,0BAA0B,GAAa,EAAE,CAAC;IAEhD,KAAK,MAAM,oBAAoB,IAAI,wCAAwC,EAAE,CAAC;QAC5E,MAAM,UAAU,GAAG,2CAA2C,CAAC,oBAAoB,CAAC,CAAC;QACrF,MAAM,WAAW,GAAG,4CAA4C,CAAC,eAAe,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACxG,0BAA0B,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,WAAW,MAAM,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,MAAM,iBAAiB,IAAI,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACpE,IAAI,wCAAwC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QACvF,IAAI,iBAAiB,KAAK,sBAAsB,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,2CAA2C,CAAC,iBAAiB,CAAC,CAAC;QAClF,MAAM,WAAW,GAAG,4CAA4C,CAAC,eAAe,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACrG,0BAA0B,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,WAAW,MAAM,CAAC,CAAC;IACtE,CAAC;IAED,0BAA0B,CAAC,IAAI,CAC7B,wBAAwB,6CAA6C,EAAE,CACxE,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,mCAAmC,CAAC,UAAkB;IACpE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAAC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAAC,CAAC;IAC5D,IAAI,MAAM,GAAG,UAAU,CAAC;IACxB,OAAO,MAAM,CAAC,MAAM,IAAI,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;QACjF,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACrD,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,aAAqC,EACrC,UAAkB,EAClB,2BAAmC;IAEnC,MAAM,0BAA0B,GAAG,wCAAwC,CAAC,aAAa,CAAC,CAAC;IAC3F,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,MAAM,EAAE,CAAC;IAEhF,MAAM,kBAAkB,GAAG,mCAAmC,CAAC,UAAU,CAAC,CAAC;IAC3E,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,EAAE,CAAC;IAExE,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjC,QAAQ,CAAC,gBAAgB,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC;IAE/D,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,EAAE,CAAC;IAExE,OAAO,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,gCAAgC,GAA2B;IAC/D,WAAW,EAAE,KAAK;IAClB,UAAU,EAAE,KAAK;IACjB,SAAS,EAAE,KAAK;IAChB,SAAS,EAAE,KAAK;IAChB,UAAU,EAAE,KAAK;CAClB,CAAC;AAOF,MAAM,UAAU,2CAA2C,CACzD,aAAqC,EACrC,kDAA0D,EAAE;IAE5D,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QACnD,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,MAAM,oBAAoB,IAAI,wCAAwC,EAAE,CAAC;QAC5E,IAAI,CAAC,CAAC,oBAAoB,IAAI,eAAe,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,kCAAkC,oBAAoB,4BAA4B;gBAClF,qBAAqB,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,0BAA0B,GAAa,EAAE,CAAC;IAEhD,KAAK,MAAM,oBAAoB,IAAI,wCAAwC,EAAE,CAAC;QAC5E,MAAM,UAAU,GAAG,2CAA2C,CAAC,oBAAoB,CAAC,CAAC;QACrF,MAAM,WAAW,GAAG,4CAA4C,CAAC,eAAe,CAAC,oBAAoB,CAAE,CAAC,CAAC;QACzG,0BAA0B,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,WAAW,MAAM,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,MAAM,iBAAiB,IAAI,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACpE,IAAI,wCAAwC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QACvF,IAAI,iBAAiB,KAAK,sBAAsB,IAAI,iBAAiB,KAAK,sBAAsB,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAC/G,MAAM,UAAU,GAAG,2CAA2C,CAAC,iBAAiB,CAAC,CAAC;QAClF,MAAM,WAAW,GAAG,4CAA4C,CAAC,eAAe,CAAC,iBAAiB,CAAE,CAAC,CAAC;QACtG,0BAA0B,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,WAAW,MAAM,CAAC,CAAC;IACtE,CAAC;IAED,0BAA0B,CAAC,IAAI,CAC7B,wBAAwB,+CAA+C,EAAE,CAC1E,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,0CAA0C,CACxD,aAAqC,EACrC,UAAkB,EAClB,0BAAkC,EAClC,kDAA0D,EAAE;IAE5D,MAAM,0BAA0B,GAAG,2CAA2C,CAC5E,aAAa,EAAE,+CAA+C,CAC/D,CAAC;IACF,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,MAAM,EAAE,CAAC;IAEhF,MAAM,kBAAkB,GAAG,mCAAmC,CAAC,UAAU,CAAC,CAAC;IAC3E,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,EAAE,CAAC;IAExE,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjC,QAAQ,CAAC,gBAAgB,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,CAAC;IAE9D,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,CAAC;AACjE,CAAC;AAED,SAAS,iBAAiB,CAAC,YAAoB;IAC7C,IAAI,YAAY,GAAG,IAAI,EAAE,CAAC;QAAC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IAAC,CAAC;IAChE,IAAI,YAAY,GAAG,KAAK,EAAE,CAAC;QAAC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;IAAC,CAAC;IACvE,IAAI,YAAY,GAAG,OAAO,EAAE,CAAC;QAAC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,IAAI,EAAE,YAAY,GAAG,IAAI,CAAC,CAAC,CAAC;IAAC,CAAC;IAC5G,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,IAAI,EAAE,YAAY,GAAG,IAAI,CAAC,CAAC,CAAC;AAC3G,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB,EAAE,aAAqB;IAC7D,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,iBAAiB,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC;AAC1G,CAAC;AAED,SAAS,kBAAkB,CAAC,aAAqB;IAC/C,IAAI,aAAa,KAAK,EAAE,EAAE,CAAC;QAAC,OAAO,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACpD,IAAI,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IACjD,IAAI,WAAW,CAAC,CAAC,CAAE,IAAI,IAAI,EAAE,CAAC;QAC5B,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,cAAc,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,cAAc,CAAC,iBAAyB;IAC/C,MAAM,UAAU,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5D,MAAM,YAAY,GAAa,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC,CAAE,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC,CAAC;IACtE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;QACjC,IAAI,SAAS,GAAG,IAAI,EAAE,CAAC;YACrB,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,MAAM,cAAc,GAAa,EAAE,CAAC;YACpC,IAAI,SAAS,GAAG,SAAS,CAAC;YAC1B,OAAO,SAAS,GAAG,CAAC,EAAE,CAAC;gBACrB,cAAc,CAAC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;gBACtC,SAAS,KAAK,CAAC,CAAC;YAClB,CAAC;YACD,cAAc,CAAC,OAAO,EAAE,CAAC;YACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC/C,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAE,CAAC,CAAC;YACpG,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAChD,MAAM,SAAS,GAAG,sBAAsB,CAAC;AACzC,MAAM,WAAW,GAAG,wBAAwB,CAAC;AAC7C,MAAM,oBAAoB,GAAG,uBAAuB,CAAC;AACrD,MAAM,sBAAsB,GAAG,qBAAqB,CAAC;AAErD,MAAM,yBAAyB,GAA2B;IACxD,OAAO,EAAE,oBAAoB;IAC7B,OAAO,EAAE,sBAAsB;CAChC,CAAC;AAEF,SAAS,6BAA6B,CAAC,qBAA6B;IAClE,MAAM,oBAAoB,GAAa,EAAE,CAAC;IAC1C,KAAK,MAAM,SAAS,IAAI,qBAAqB,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC;QACjF,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAC,EAAE,CAAC;YAC/D,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,6BAA6B,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAClF,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,SAAS,kCAAkC,CAAC,QAAgB;IAC1D,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,MAAM,eAAe,GAAG,CAAC,MAAc,EAAyD,EAAE;QAChG,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAE,CAAC;QAC9B,MAAM,EAAE,CAAC;QACT,IAAI,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAE,CAAC;QAC/B,MAAM,EAAE,CAAC;QACT,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,GAAG,IAAI,CAAC;YAChC,MAAM,GAAG,CAAC,CAAC;YACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;gBACnC,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAE,CAAC;gBAC3C,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;IAC/C,CAAC,CAAC;IAEF,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,eAAe,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAChD,IAAI,OAAO,GAAG,GAAG,CAAC,YAAY,CAAC;IAE/B,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,UAAU,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5B,OAAO,GAAG,UAAU,CAAC,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IACjG,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;QACtC,aAAa,GAAG,CAAC,aAAa,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,GAAG,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;IAE9C,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACzC,OAAO,GAAG,OAAO,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IAEhD,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAEnF,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,4CAA4C,CAC1D,eAAuB,EACvB,qBAA6B,EAC7B,4BAAoC;IAEpC,MAAM,oBAAoB,GAAG,6BAA6B,CAAC,qBAAqB,CAAC,CAAC;IAClF,IAAI,oBAAoB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,oBAAoB,GAAG,yBAAyB,CAAC,4BAA4B,CAAC,CAAC;IACrF,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,oCAAoC,4BAA4B,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,MAAM,2BAA2B,GAAG,cAAc,CAAC,IAAI,EACrD,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEvF,MAAM,qBAAqB,GAAG,cAAc,CAAC,IAAI,EAAE,2BAA2B,CAAC,CAAC;IAChF,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,EAAE,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3E,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,yBAAyB,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAE1E,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,kCAAkC,CAAC,oBAAoB,CAAC,CAAC,CAAE,CAAC,CAAC;IACnG,MAAM,wBAAwB,GAAG,cAAc,CAAC,IAAI,EAClD,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,kBAAkB,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IAElE,MAAM,8BAA8B,GAAG,cAAc,CAAC,IAAI,EAAE,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAClG,MAAM,sBAAsB,GAAG,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;IAErE,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACrD,kBAAkB,CAAC,EAAE,CAAC;QACtB,wBAAwB;QACxB,2BAA2B;QAC3B,8BAA8B;QAC9B,sBAAsB;KACvB,CAAC,CAAC,CAAC;IAEJ,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAE3D,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACrD,kBAAkB,CAAC,EAAE,CAAC;QACtB,qBAAqB;QACrB,kBAAkB;QAClB,yBAAyB;QACzB,gBAAgB;KACjB,CAAC,CAAC,CAAC;IAEJ,OAAO,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QACxC,cAAc,CAAC,gBAAgB,CAAC;QAChC,cAAc,CAAC,IAAI,EAAE,WAAW,CAAC;KAClC,CAAC,CAAC,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,aAAqC,EACrC,IAAY,EACZ,kBAA2B;IAE3B,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,UAAU,CAAC;IAClD,MAAM,aAAa,GAAG,gCAAgC,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC;IAE5E,IAAI,CAAC,KAAK,CAAC,8BAA8B,EAAE,CAAC;QAC1C,MAAM,IAAI,gBAAgB,CACxB,qEAAqE;YACrE,8CAA8C,CAC/C,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,kBAAkB,GAAG,KAAK,CAAC,kBAAkB,IAAI,SAAS,CAAC;IAC7D,CAAC;IAED,MAAM,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE5D,MAAM,kBAAkB,GAAG,mCAAmC,CAAC,IAAI,CAAC,CAAC;IACrE,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,EAAE,CAAC;IACxE,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAElD,MAAM,eAAe,GAA2B,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QACnD,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,mBAAmB,GAAG,wCAAwC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7E,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,CAC5D,CAAC,CAAC,EAAE,CAAC,CAAC,wCAAwC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACrD,CAAC,KAAK,sBAAsB,IAAI,CAAC,KAAK,sBAAsB,CAClE,CAAC,IAAI,EAAE,CAAC;IACT,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,mBAAmB,IAAI,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,oBAA4B,CAAC;IACjC,IAAI,UAAU,KAAK,WAAW,IAAI,UAAU,KAAK,SAAS,IAAI,KAAK,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;QAC/F,oBAAoB,GAAG,OAAO,CAAC;IACjC,CAAC;SAAM,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,SAAS,IAAI,KAAK,CAAC,iBAAiB,KAAK,aAAa,EAAE,CAAC;QAC9G,oBAAoB,GAAG,OAAO,CAAC;IACjC,CAAC;SAAM,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QACjC,MAAM,EAAE,gCAAgC,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACzE,oBAAoB,GAAG,gCAAgC,CAAC,KAAK,CAAC,CAAC;IACjE,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,gBAAgB,CAAC,kDAAkD,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,6BAA6B,GAAG,CAClC,YAAY,aAAa,SAAS,oBAAoB,IAAI;QAC1D,KAAK,mBAAmB,QAAQ,YAAY,QAAQ,qBAAqB,IAAI;QAC7E,QAAQ,CACT,CAAC;IACF,IAAI,kBAAkB,EAAE,CAAC;QACvB,6BAA6B,IAAI,SAAS,kBAAkB,EAAE,CAAC;IACjE,CAAC;IAED,MAAM,kBAAkB,GAAG,0CAA0C,CACnE,aAAa,EAAE,IAAI,EAAE,qBAAqB,EAAE,6BAA6B,CAC1E,CAAC;IAEF,IAAI,eAAuB,CAAC;IAC5B,IAAI,UAAU,KAAK,WAAW,IAAI,UAAU,KAAK,SAAS,IAAI,KAAK,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;QAC/F,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;QACnH,eAAe,GAAG,MAAM,CAAC,IAAI,CAAE,MAAM,CAAC,eAAe,CAAY,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;IACrF,CAAC;SAAM,IAAI,UAAU,KAAK,UAAU,IAAI,KAAK,CAAC,iBAAiB,KAAK,aAAa,EAAE,CAAC;QAClF,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpF,eAAe,GAAG,MAAM,CAAC,IAAI,CAAE,MAAM,CAAC,eAAe,CAAY,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;IACrF,CAAC;SAAM,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,EAAE,2BAA2B,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,MAAM,2BAA2B,CAAC,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxF,eAAe,GAAG,MAAM,CAAC,IAAI,CAAE,MAAM,CAAC,eAAe,CAAY,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;IACrF,CAAC;SAAM,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QACjC,MAAM,EAAE,+BAA+B,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACtE,eAAe,GAAG,+BAA+B,CAAC,KAAK,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;IAC/F,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,aAAa,GAAG,4CAA4C,CAChE,eAAe,EAAE,KAAK,CAAC,8BAA8B,EAAE,oBAAoB,CAC5E,CAAC;IACF,MAAM,YAAY,GAAG,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEtD,IAAI,kBAAkB,GAAG,CACvB,YAAY,aAAa,SAAS,oBAAoB,IAAI;QAC1D,KAAK,mBAAmB,QAAQ,YAAY,QAAQ,qBAAqB,IAAI;QAC7E,SAAS,YAAY,EAAE,CACxB,CAAC;IACF,IAAI,kBAAkB,EAAE,CAAC;QACvB,kBAAkB,IAAI,SAAS,kBAAkB,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAExE,OAAO;QACL,iCAAiC,EAAE,kBAAkB;QACrD,cAAc,EAAE,UAAU,eAAe,EAAE;KAC5C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAqC,EAAE;IAEvC,MAAM,EACJ,OAAO,EACP,aAAa,EACb,YAAY,EACZ,IAAI,EACJ,eAAe,GAAG,CAAC,YAAY,CAAC,EAChC,mBAAmB,GAAG,IAAI,EAC1B,YAAY,GAAG,IAAI,EACnB,UAAU,GACX,GAAG,OAAO,CAAC;IAEZ,MAAM,wBAAwB,GAAG,YAAY,IAAI,IAAI,CAAC;IACtD,MAAM,6BAA6B,GAAG,OAAO,IAAI,IAAI,IAAI,aAAa,IAAI,IAAI,CAAC;IAE/E,IAAI,wBAAwB,IAAI,6BAA6B,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CACb,2DAA2D;YAC3D,4FAA4F,CAC7F,CAAC;IACJ,CAAC;IAED,IAAI,wBAAwB,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,OAAO,IAAI,IAAI,IAAI,aAAa,IAAI,IAAI,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,wBAAwB,GAAkB,IAAI,CAAC;IACnD,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;QACpB,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtE,wBAAwB,GAAG,UAAU,UAAU,EAAE,CAAC;IACpD,CAAC;SAAM,IAAI,aAAa,IAAI,IAAI,EAAE,CAAC;QACjC,wBAAwB,GAAG,aAAa,CAAC;IAC3C,CAAC;SAAM,IAAI,wBAAwB,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;QACpD,MAAM,eAAe,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,wBAAwB,GAAG,UAAU,eAAe,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,sBAAsB,GAAG,UAAU,IAAI,KAAK,CAAC,YAAY,IAAI,iBAAiB,CAAC;IAErF,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAC;IAChC,MAAM,YAAY,GAA2B;QAC3C,eAAe,EAAE,UAAU,KAAK,CAAC,YAAY,EAAE;QAC/C,cAAc,EAAE,kBAAkB;KACnC,CAAC;IAEF,MAAM,KAAK,GAAqB;QAC9B,MAAM,EAAE,IAAI;QACZ,kBAAkB,EAAE,EAAE;QACtB,aAAa,EAAE,IAAI;QACnB,eAAe,EAAE,IAAI;QACrB,iBAAiB,EAAE,IAAI;QACvB,cAAc,EAAE,wBAAwB;KACzC,CAAC;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACnD,IAAI,WAAmB,CAAC;QAExB,IAAI,wBAAwB,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;YAC7C,WAAW,GAAG,iCAAiC,CAC7C,YAAa,EACb,IAAI,EACJ,YAAY,CACb,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,wBAAwB,EAAE,QAAQ,CAAC,GAAG,CAAC;gBAC1D,CAAC,CAAC,wBAAwB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACxC,CAAC,CAAC,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC;YACrC,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,+BAA+B,CACzD,sBAAsB,EACtB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,eAAe,CAChB,CAAC;QACF,KAAK,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC;QACpC,KAAK,CAAC,kBAAkB,GAAG,aAAa,CAAC,WAAW,CAAC;IACvD,CAAC;IAED,IAAI,mBAAmB,EAAE,CAAC;QACxB,MAAM,cAAc,GAAG,MAAM,oBAAoB,CAAC,sBAAsB,EAAE,YAAY,CAAC,CAAC;QACxF,KAAK,CAAC,aAAa,GAAG,cAAc,CAAC,KAAK,CAAC;QAC3C,KAAK,CAAC,eAAe,GAAG,cAAc,CAAC,eAAe,CAAC;IACzD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC5C,YAAoB,EACpB,YAAoC,EACpC,iBAAyB,EACzB,YAAoB,EACpB,gBAA0B;IAE1B,MAAM,GAAG,GAAG,GAAG,YAAY,8BAA8B,CAAC;IAE1D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,YAAY;YACZ,gBAAgB;SACjB,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,0BAA0B,CAAC;KACxD,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,IAAI,mBAAmB,CAAC,2CAA2C,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CACX,+BAA+B,QAAQ,CAAC,MAAM,MAAM,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,iDAAiD,CAC3I,CAAC;QACF,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,IAAI,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAyB,CAAC;IACxD,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAAC,CAAC;IACzC,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI;QAC3B,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;KACpC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,YAAoB,EACpB,YAAoC;IAEpC,MAAM,GAAG,GAAG,GAAG,YAAY,uBAAuB,CAAC;IAEnD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,YAAY;YACrB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,0BAA0B,CAAC;SACxD,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,sCAAsC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YACvE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;QAChD,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAA0B,CAAA,CAAC,IAAI,IAAI,EAAE,CAAC;QACvE,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;YACzB,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,IAAI;SAC9C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;AACH,CAAC"}
package/dist/client.d.ts CHANGED
@@ -44,6 +44,14 @@ export declare class OneIDAPIClient {
44
44
  * serial, and returns a nonce challenge for signature verification.
45
45
  */
46
46
  enroll_begin_piv(attestation_cert_pem: string, attestation_chain_pem: string[], signing_key_public_pem: string, hsm_type?: string, operator_email?: string | null, requested_handle?: string | null): Promise<Record<string, unknown>>;
47
+ /**
48
+ * Begin enclave enrollment by submitting the Secure Enclave public key.
49
+ *
50
+ * Server validates the P-256 key format, generates a nonce challenge,
51
+ * and returns a session ID. The client signs the nonce with the Enclave
52
+ * key and submits it to enroll_activate().
53
+ */
54
+ enroll_begin_enclave(enclave_public_key_pem: string, operator_email?: string | null, requested_handle?: string | null, display_name?: string | null): Promise<Record<string, unknown>>;
47
55
  /**
48
56
  * Complete TPM/HSM-based enrollment by proving HSM possession.
49
57
  */
package/dist/client.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA6FH;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,SAAgB,YAAY,EAAE,MAAM,CAAC;IACrC,SAAgB,oBAAoB,EAAE,MAAM,CAAC;gBAG3C,YAAY,GAAE,MAA6B,EAC3C,oBAAoB,GAAE,MAA0C;IAMlE;;OAEG;YACW,aAAa;IAyB3B;;OAEG;IACG,eAAe,CACnB,gBAAgB,EAAE,MAAM,EACxB,aAAa,EAAE,MAAM,EACrB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAWnC;;OAEG;IACG,YAAY,CAChB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,EACzB,kBAAkB,GAAE,MAAW,EAC/B,iBAAiB,GAAE,MAAW,EAC9B,wBAAwB,CAAC,EAAE,MAAM,EAAE,EACnC,QAAQ,GAAE,MAAc,EACxB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAenC;;;;;;;OAOG;IACG,gBAAgB,CACpB,oBAAoB,EAAE,MAAM,EAC5B,qBAAqB,EAAE,MAAM,EAAE,EAC/B,sBAAsB,EAAE,MAAM,EAC9B,QAAQ,GAAE,MAAkB,EAC5B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAanC;;OAEG;IACG,eAAe,CACnB,qBAAqB,EAAE,MAAM,EAC7B,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAOnC;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAItE;;;;OAIG;IACG,iCAAiC,CACrC,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAuEnC;;OAEG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAItF;;;OAGG;IACG,0BAA0B,CAC9B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GACzC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAKpC"}
1
+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA6FH;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,SAAgB,YAAY,EAAE,MAAM,CAAC;IACrC,SAAgB,oBAAoB,EAAE,MAAM,CAAC;gBAG3C,YAAY,GAAE,MAA6B,EAC3C,oBAAoB,GAAE,MAA0C;IAMlE;;OAEG;YACW,aAAa;IAyB3B;;OAEG;IACG,eAAe,CACnB,gBAAgB,EAAE,MAAM,EACxB,aAAa,EAAE,MAAM,EACrB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAWnC;;OAEG;IACG,YAAY,CAChB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,EACzB,kBAAkB,GAAE,MAAW,EAC/B,iBAAiB,GAAE,MAAW,EAC9B,wBAAwB,CAAC,EAAE,MAAM,EAAE,EACnC,QAAQ,GAAE,MAAc,EACxB,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAenC;;;;;;;OAOG;IACG,gBAAgB,CACpB,oBAAoB,EAAE,MAAM,EAC5B,qBAAqB,EAAE,MAAM,EAAE,EAC/B,sBAAsB,EAAE,MAAM,EAC9B,QAAQ,GAAE,MAAkB,EAC5B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAanC;;;;;;OAMG;IACG,oBAAoB,CACxB,sBAAsB,EAAE,MAAM,EAC9B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,EAC9B,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,EAChC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAWnC;;OAEG;IACG,eAAe,CACnB,qBAAqB,EAAE,MAAM,EAC7B,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAOnC;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAItE;;;;OAIG;IACG,iCAAiC,CACrC,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAuEnC;;OAEG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAItF;;;OAGG;IACG,0BAA0B,CAC9B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GACzC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAKpC"}