@adcp/sdk 7.6.0 → 7.8.0

package/dist/lib/signing/response-verifier.js

@@ -0,0 +1,271 @@
+"use strict";
+/**
+ * RFC 9421 response-signing verifier (§2.2.9).
+ *
+ * Companion to `verifier.ts` (request signatures) and `webhook-verifier.ts`
+ * (webhook callbacks). This verifier runs on the buyer / receiver side of
+ * a signed response: a client receives a response from a seller agent and
+ * hands it here, with the originating request URL the client sent, for
+ * signature validation before parsing the body.
+ *
+ * Distinct from request / webhook signing:
+ *   - Tag: `adcp/response-signing/v1`.
+ *   - Key purpose: `adcp_use: "response-signing"`.
+ *   - Default covered components: `@status`, `@authority`, `@target-uri`,
+ *     plus `content-type` + `content-digest` when the body is non-empty.
+ *   - The originating request URL is carried explicitly on `ResponseLike.request`
+ *     because RFC 9421 §2.2 binds response signatures to their request
+ *     context via `@authority` and `@target-uri`. The client supplies the URL
+ *     it actually sent — a malformed reconstruction (e.g. `req.protocol`
+ *     lying behind a proxy) will trip step 6a or fail the crypto check.
+ *
+ * Checklist steps below mirror the 13-step shape in `webhook-verifier.ts`
+ * so failures point at the same step numbers the request and webhook
+ * verifiers use. Numbers are 1-based.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyResponseSignature = verifyResponseSignature;
+exports.createResponseVerifier = createResponseVerifier;
+const canonicalize_1 = require("./canonicalize");
+const content_digest_1 = require("./content-digest");
+const errors_1 = require("./errors");
+const parser_1 = require("./parser");
+const crypto_1 = require("./crypto");
+const replay_1 = require("./replay");
+const revocation_1 = require("./revocation");
+const types_1 = require("./types");
+/**
+ * Verify an inbound response's RFC 9421 signature.
+ *
+ * Ordering invariant matches the webhook verifier: cheap invariant checks
+ * (tag, alg, window, components) run before JWKS resolution; revocation and
+ * rate-abuse run before cryptographic verify so an attacker can't amplify
+ * Ed25519/ECDSA work. Replay insert commits only after every earlier check
+ * passes — any signature failing crypto verify never consumes a cap entry.
+ *
+ * The replay scope is `(keyid, @target-uri-of-originating-request)`. Two
+ * responses to two different request URLs under the same keyid use
+ * independent replay budgets — same shape as webhook verification.
+ *
+ * Throws {@link ResponseSignatureError} on the first failed step.
+ */
+async function verifyResponseSignature(response, options) {
+    const now = options.now ? options.now() : Math.floor(Date.now() / 1000);
+    const requiredTag = options.requiredTag ?? types_1.RESPONSE_SIGNING_TAG;
+    // Step 1: both signature headers present AND parseable. Bound-pair rule.
+    const sigInputHeader = (0, canonicalize_1.getHeaderValue)(response.headers, 'Signature-Input');
+    const sigHeader = (0, canonicalize_1.getHeaderValue)(response.headers, 'Signature');
+    if (!sigInputHeader || !sigHeader) {
+        throw new errors_1.ResponseSignatureError('response_signature_header_malformed', 1, 'Response is missing Signature or Signature-Input headers.');
+    }
+    let parsedInput;
+    let parsedSig;
+    try {
+        parsedInput = (0, parser_1.parseSignatureInput)(sigInputHeader);
+        parsedSig = (0, parser_1.parseSignature)(sigHeader, parsedInput.label);
+    }
+    catch (err) {
+        throw new errors_1.ResponseSignatureError('response_signature_header_malformed', 1, err instanceof Error ? err.message : String(err));
+    }
+    // Step 2: required params present.
+    requireParams(parsedInput);
+    // Step 3: tag match.
+    if (parsedInput.params.tag !== requiredTag) {
+        throw new errors_1.ResponseSignatureError('response_signature_tag_invalid', 3, `Signature tag must be "${requiredTag}"; got "${parsedInput.params.tag}".`);
+    }
+    // Step 4: alg allowlist.
+    if (!types_1.ALLOWED_ALGS.has(parsedInput.params.alg)) {
+        throw new errors_1.ResponseSignatureError('response_signature_alg_not_allowed', 4, `Signature alg "${parsedInput.params.alg}" is not in the AdCP allowlist.`);
+    }
+    // Step 5: window valid.
+    validateWindow(parsedInput.params.created, parsedInput.params.expires, now);
+    // Step 6: covered components must include the response-signing mandatory set.
+    validateCoveredComponents(parsedInput.components, response.body);
+    // Step 6a: `@target-uri` syntactic validation against the originating-
+    // request URL the caller passed in. Same rationale as the webhook
+    // verifier — flag dangerous URI shapes (non-https, userinfo, fragment)
+    // before cryptographic work. Distinct from `header_malformed`, which
+    // flags the Signature / Signature-Input headers.
+    //
+    // Note: response-side `@target-uri` comes from `response.request.url`,
+    // which is the *client's* reconstruction of what they sent. This check
+    // most often fires on caller-side bugs (Express `req.protocol` lying
+    // behind a non-trust-proxy reverse proxy → http://...) rather than on
+    // wire-level attacker payloads. See ResponseLike.request JSDoc.
+    validateTargetUri(response.request.url);
+    // Step 7: resolve keyid.
+    const jwk = await options.jwks.resolve(parsedInput.params.keyid);
+    if (!jwk) {
+        throw new errors_1.ResponseSignatureError('response_signature_key_unknown', 7, `No JWK found for keyid "${parsedInput.params.keyid}".`);
+    }
+    if (jwk.kid !== parsedInput.params.keyid) {
+        throw new errors_1.ResponseSignatureError('response_signature_key_unknown', 7, `JWKS resolver returned a JWK whose kid "${jwk.kid}" does not match requested keyid "${parsedInput.params.keyid}".`);
+    }
+    // Step 8: key purpose — MUST be scoped for response signing.
+    //
+    // Same split as webhook: "no purpose declared" vs "declared but wrong".
+    // The former needs the publisher to add a purpose; the latter needs a
+    // new keypair (purpose binding is the whole point of `adcp_use`).
+    if (jwk.adcp_use === undefined || !jwk.key_ops?.includes('verify')) {
+        throw new errors_1.ResponseSignatureError('response_signature_key_purpose_invalid', 8, `JWK "${jwk.kid}" is not scoped for response-signing verification.`);
+    }
+    if (jwk.adcp_use !== 'response-signing') {
+        throw new errors_1.ResponseSignatureError('response_mode_mismatch', 8, `JWK "${jwk.kid}" declares adcp_use="${jwk.adcp_use}" but this endpoint requires "response-signing".`);
+    }
+    // Step 9: revocation. The shared revocation store throws
+    // `request_signature_revocation_stale` when its cached snapshot is past
+    // grace — re-map to the response taxonomy so callers see consistent codes.
+    try {
+        if (await options.revocationStore.isRevoked(jwk.kid)) {
+            throw new errors_1.ResponseSignatureError('response_signature_key_revoked', 9, `JWK "${jwk.kid}" is revoked.`);
+        }
+    }
+    catch (err) {
+        if (err instanceof errors_1.RequestSignatureError && err.code === 'request_signature_revocation_stale') {
+            throw new errors_1.ResponseSignatureError('response_signature_revocation_stale', 9, err.message);
+        }
+        throw err;
+    }
+    // Replay scope is `(keyid, @target-uri-of-originating-request)` — same
+    // rationale as webhook signing. A response to /adcp/get_products MUST NOT
+    // count against the replay budget for a response to /adcp/create_media_buy
+    // under the same keyid.
+    const replayScope = (0, canonicalize_1.canonicalTargetUri)(response.request.url);
+    // Step 9a: per-keyid rate abuse. Distinct code from step 12 replay — cap
+    // exhaustion is a compromised-key / misconfig signal, not "same nonce
+    // twice."
+    if (await options.replayStore.isCapHit(jwk.kid, replayScope, now)) {
+        throw new errors_1.ResponseSignatureError('response_signature_rate_abuse', 9, `Per-keyid replay cache cap exceeded for keyid=${jwk.kid}.`);
+    }
+    // Pre-check replay before crypto so a replayed nonce short-circuits an
+    // expensive Ed25519 / ECDSA verify.
+    if (await options.replayStore.has(jwk.kid, replayScope, parsedInput.params.nonce, now)) {
+        throw new errors_1.ResponseSignatureError('response_signature_replayed', 12, `Replay of (keyid=${jwk.kid}, nonce=${parsedInput.params.nonce}) within signature window.`);
+    }
+    // Step 10: cryptographic verify. Use the verbatim signatureParamsValue
+    // from the parsed input so byte-identity with what the signer sent is
+    // preserved regardless of param-order differences across SDKs.
+    const base = (0, canonicalize_1.buildResponseSignatureBase)(parsedInput.components, response, parsedInput.params, parsedInput.signatureParamsValue);
+    const publicKey = (0, crypto_1.jwkToPublicKey)(jwk);
+    const valid = (0, crypto_1.verifySignature)(parsedInput.params.alg, publicKey, Buffer.from(base, 'utf8'), parsedSig.bytes);
+    if (!valid) {
+        throw new errors_1.ResponseSignatureError('response_signature_invalid', 10, 'Cryptographic verification of response signature base failed.');
+    }
+    // Step 11: content-digest match (only when the signature covered it).
+    if (parsedInput.components.includes('content-digest')) {
+        const digestHeader = (0, canonicalize_1.getHeaderValue)(response.headers, 'Content-Digest');
+        if (!digestHeader || !(0, content_digest_1.contentDigestMatches)(digestHeader, response.body ?? '')) {
+            throw new errors_1.ResponseSignatureError('response_signature_digest_mismatch', 11, 'Content-Digest header does not match recomputed body hash.');
+        }
+    }
+    // Step 13: commit nonce. Insert AFTER every prior check passes — external
+    // traffic can't grow the cap because any signature failing at step 10
+    // never reaches this point.
+    const remaining = parsedInput.params.expires - now + types_1.CLOCK_SKEW_TOLERANCE_SECONDS;
+    const ttl = Math.max(remaining, types_1.MAX_SIGNATURE_WINDOW_SECONDS + types_1.CLOCK_SKEW_TOLERANCE_SECONDS);
+    const insertResult = await options.replayStore.insert(jwk.kid, replayScope, parsedInput.params.nonce, ttl, now);
+    if (insertResult === 'replayed') {
+        throw new errors_1.ResponseSignatureError('response_signature_replayed', 13, `Replay of (keyid=${jwk.kid}, nonce=${parsedInput.params.nonce}) within signature window.`);
+    }
+    if (insertResult === 'rate_abuse') {
+        throw new errors_1.ResponseSignatureError('response_signature_rate_abuse', 13, `Per-keyid replay cache cap exceeded on commit for keyid=${jwk.kid}.`);
+    }
+    const agent_url = options.agentUrlForKeyid?.(jwk.kid);
+    return { status: 'verified', keyid: jwk.kid, ...(agent_url !== undefined && { agent_url }), verified_at: now };
+}
+function requireParams(parsed) {
+    const required = ['created', 'expires', 'nonce', 'keyid', 'alg', 'tag'];
+    const missing = required.filter(k => parsed.params[k] === undefined);
+    if (missing.length) {
+        throw new errors_1.ResponseSignatureError('response_signature_params_incomplete', 2, `Signature-Input missing required parameter(s): ${missing.join(', ')}.`);
+    }
+}
+function validateWindow(created, expires, now) {
+    // Same shape as webhook: every window failure (expired, negative window,
+    // over-long window, created-in-future) folds to a single code. Specific
+    // subtype lives in the error message for diagnostics.
+    if (expires <= created) {
+        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, 'Signature expires must be strictly greater than created.');
+    }
+    if (expires - created > types_1.MAX_SIGNATURE_WINDOW_SECONDS) {
+        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, `Signature window exceeds ${types_1.MAX_SIGNATURE_WINDOW_SECONDS}s maximum.`);
+    }
+    if (now < created - types_1.CLOCK_SKEW_TOLERANCE_SECONDS) {
+        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, 'Signature created is in the future beyond skew tolerance.');
+    }
+    if (now > expires + types_1.CLOCK_SKEW_TOLERANCE_SECONDS) {
+        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, 'Signature is expired.');
+    }
+}
+function validateCoveredComponents(components, body) {
+    for (const mandatory of types_1.RESPONSE_MANDATORY_COMPONENTS) {
+        if (!components.includes(mandatory)) {
+            throw new errors_1.ResponseSignatureError('response_signature_components_incomplete', 6, `Covered components must include "${mandatory}".`);
+        }
+    }
+    // When the response carries a body, `content-digest` coverage is required
+    // — an unbound body is the cross-purpose footgun the signer's default
+    // opt-out behavior is designed to prevent. The signer omits
+    // content-digest only when the body is empty (e.g. 204 No Content); the
+    // verifier mirrors that envelope.
+    const hasBody = (body ?? '').length > 0;
+    if (hasBody && !components.includes('content-digest')) {
+        throw new errors_1.ResponseSignatureError('response_signature_components_incomplete', 6, 'Response carries a body but "content-digest" is not in covered components.');
+    }
+}
+/**
+ * Syntactic validation of the originating-request `@target-uri` value. Four
+ * failure modes mirror the webhook verifier:
+ *   - URL doesn't parse at all.
+ *   - Scheme is not https (response signatures bound to http will fail
+ *     strict-HTTPS verifier profiles; loopback hosts are exempt for local
+ *     test mock servers).
+ *   - Authority contains userinfo — credentials don't belong in a signed URI.
+ *   - URL carries a fragment — fragments are client-side and never transmitted.
+ *
+ * Each throws `response_target_uri_malformed`. The error message names the
+ * failure reason.
+ */
+function validateTargetUri(rawUrl) {
+    let url;
+    try {
+        url = new URL(rawUrl);
+    }
+    catch {
+        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, `@target-uri "${rawUrl}" is not a parseable URL.`);
+    }
+    if (url.protocol !== 'https:' && !isLoopbackHost(url.hostname)) {
+        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, `@target-uri must use https; got "${url.protocol}" in "${rawUrl}".`);
+    }
+    if (url.username || url.password) {
+        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, '@target-uri must not embed userinfo.');
+    }
+    if (url.hash) {
+        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, '@target-uri must not carry a fragment.');
+    }
+}
+function isLoopbackHost(hostname) {
+    if (!hostname)
+        return false;
+    const normalized = hostname.toLowerCase();
+    return normalized === 'localhost' || normalized === '::1' || normalized.startsWith('127.');
+}
+/**
+ * Create a bound response-signature verifier with shared replay and
+ * revocation stores. Mirrors {@link createWebhookVerifier} for the response
+ * profile.
+ *
+ * **Why a factory?** Replay detection requires the same store instance to
+ * be consulted across every response. Constructing stores inside a
+ * per-response call would silently defeat replay dedup. The factory pattern
+ * captures stores in closure scope at wire-up time.
+ *
+ * **Multi-replica deployments MUST pass an explicit `replayStore`** backed
+ * by a shared persistence layer.
+ */
+function createResponseVerifier(options) {
+    const replayStore = options.replayStore ?? new replay_1.InMemoryReplayStore();
+    const revocationStore = options.revocationStore ?? new revocation_1.InMemoryRevocationStore();
+    return (response) => verifyResponseSignature(response, { ...options, replayStore, revocationStore });
+}
+//# sourceMappingURL=response-verifier.js.map

package/dist/lib/signing/response-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-verifier.js","sourceRoot":"","sources":["../../../src/lib/signing/response-verifier.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAwDH,0DA0MC;AAyJD,wDAMC;AA/ZD,iDAAmH;AACnH,qDAAwD;AACxD,qCAAyE;AACzE,qCAA0F;AAC1F,qCAA2D;AAE3D,qCAAiE;AACjE,6CAA6E;AAC7E,mCAMiB;AAyBjB;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,uBAAuB,CAC3C,QAAsB,EACtB,OAA8B;IAE9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACxE,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,4BAAoB,CAAC;IAEhE,yEAAyE;IACzE,MAAM,cAAc,GAAG,IAAA,6BAAc,EAAC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,IAAA,6BAAc,EAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAChE,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC;QAClC,MAAM,IAAI,+BAAsB,CAC9B,qCAAqC,EACrC,CAAC,EACD,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,WAAiC,CAAC;IACtC,IAAI,SAA4C,CAAC;IACjD,IAAI,CAAC;QACH,WAAW,GAAG,IAAA,4BAAmB,EAAC,cAAc,CAAC,CAAC;QAClD,SAAS,GAAG,IAAA,uBAAc,EAAC,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,+BAAsB,CAC9B,qCAAqC,EACrC,CAAC,EACD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CACjD,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,aAAa,CAAC,WAAW,CAAC,CAAC;IAE3B,qBAAqB;IACrB,IAAI,WAAW,CAAC,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAC3C,MAAM,IAAI,+BAAsB,CAC9B,gCAAgC,EAChC,CAAC,EACD,0BAA0B,WAAW,WAAW,WAAW,CAAC,MAAM,CAAC,GAAG,IAAI,CAC3E,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,oBAAY,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,+BAAsB,CAC9B,oCAAoC,EACpC,CAAC,EACD,kBAAkB,WAAW,CAAC,MAAM,CAAC,GAAG,iCAAiC,CAC1E,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAE5E,8EAA8E;IAC9E,yBAAyB,CAAC,WAAW,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEjE,uEAAuE;IACvE,kEAAkE;IAClE,uEAAuE;IACvE,qEAAqE;IACrE,iDAAiD;IACjD,EAAE;IACF,uEAAuE;IACvE,uEAAuE;IACvE,qEAAqE;IACrE,sEAAsE;IACtE,gEAAgE;IAChE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAExC,yBAAyB;IACzB,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjE,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,+BAAsB,CAC9B,gCAAgC,EAChC,CAAC,EACD,2BAA2B,WAAW,CAAC,MAAM,CAAC,KAAK,IAAI,CACxD,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,KAAK,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACzC,MAAM,IAAI,+BAAsB,CAC9B,gCAAgC,EAChC,CAAC,EACD,2CAA2C,GAAG,CAAC,GAAG,qCAAqC,WAAW,CAAC,MAAM,CAAC,KAAK,IAAI,CACpH,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,EAAE;IACF,wEAAwE;IACxE,sEAAsE;IACtE,kEAAkE;IAClE,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,+BAAsB,CAC9B,wCAAwC,EACxC,CAAC,EACD,QAAQ,GAAG,CAAC,GAAG,oDAAoD,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,kBAAkB,EAAE,CAAC;QACxC,MAAM,IAAI,+BAAsB,CAC9B,wBAAwB,EACxB,CAAC,EACD,QAAQ,GAAG,CAAC,GAAG,wBAAwB,GAAG,CAAC,QAAQ,kDAAkD,CACtG,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,wEAAwE;IACxE,2EAA2E;IAC3E,IAAI,CAAC;QACH,IAAI,MAAM,OAAO,CAAC,eAAe,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,+BAAsB,CAAC,gCAAgC,EAAE,CAAC,EAAE,QAAQ,GAAG,CAAC,GAAG,eAAe,CAAC,CAAC;QACxG,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,8BAAqB,IAAI,GAAG,CAAC,IAAI,KAAK,oCAAoC,EAAE,CAAC;YAC9F,MAAM,IAAI,+BAAsB,CAAC,qCAAqC,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,uEAAuE;IACvE,0EAA0E;IAC1E,2EAA2E;IAC3E,wBAAwB;IACxB,MAAM,WAAW,GAAG,IAAA,iCAAkB,EAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE7D,yEAAyE;IACzE,sEAAsE;IACtE,UAAU;IACV,IAAI,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,CAAC,EACD,iDAAiD,GAAG,CAAC,GAAG,GAAG,CAC5D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,oCAAoC;IACpC,IAAI,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC;QACvF,MAAM,IAAI,+BAAsB,CAC9B,6BAA6B,EAC7B,EAAE,EACF,oBAAoB,GAAG,CAAC,GAAG,WAAW,WAAW,CAAC,MAAM,CAAC,KAAK,4BAA4B,CAC3F,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,+DAA+D;IAC/D,MAAM,IAAI,GAAG,IAAA,yCAA0B,EACrC,WAAW,CAAC,UAAU,EACtB,QAAQ,EACR,WAAW,CAAC,MAAM,EAClB,WAAW,CAAC,oBAAoB,CACjC,CAAC;IACF,MAAM,SAAS,GAAG,IAAA,uBAAc,EAAC,GAAG,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,IAAA,wBAAe,EAAC,WAAW,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;IAC7G,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,+BAAsB,CAC9B,4BAA4B,EAC5B,EAAE,EACF,+DAA+D,CAChE,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,IAAI,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtD,MAAM,YAAY,GAAG,IAAA,6BAAc,EAAC,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACxE,IAAI,CAAC,YAAY,IAAI,CAAC,IAAA,qCAAoB,EAAC,YAAY,EAAE,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9E,MAAM,IAAI,+BAAsB,CAC9B,oCAAoC,EACpC,EAAE,EACF,4DAA4D,CAC7D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,sEAAsE;IACtE,4BAA4B;IAC5B,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,GAAG,GAAG,GAAG,oCAA4B,CAAC;IAClF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,oCAA4B,GAAG,oCAA4B,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAChH,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,+BAAsB,CAC9B,6BAA6B,EAC7B,EAAE,EACF,oBAAoB,GAAG,CAAC,GAAG,WAAW,WAAW,CAAC,MAAM,CAAC,KAAK,4BAA4B,CAC3F,CAAC;IACJ,CAAC;IACD,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,EAAE,EACF,2DAA2D,GAAG,CAAC,GAAG,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,KAAK,SAAS,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AACjH,CAAC;AAED,SAAS,aAAa,CAAC,MAA4B;IACjD,MAAM,QAAQ,GAAgD,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IACrH,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IACrE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,IAAI,+BAAsB,CAC9B,sCAAsC,EACtC,CAAC,EACD,kDAAkD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,OAAe,EAAE,GAAW;IACnE,yEAAyE;IACzE,wEAAwE;IACxE,sDAAsD;IACtD,IAAI,OAAO,IAAI,OAAO,EAAE,CAAC;QACvB,MAAM,IAAI,+BAAsB,CAC9B,mCAAmC,EACnC,CAAC,EACD,0DAA0D,CAC3D,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,GAAG,OAAO,GAAG,oCAA4B,EAAE,CAAC;QACrD,MAAM,IAAI,+BAAsB,CAC9B,mCAAmC,EACnC,CAAC,EACD,4BAA4B,oCAA4B,YAAY,CACrE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,OAAO,GAAG,oCAA4B,EAAE,CAAC;QACjD,MAAM,IAAI,+BAAsB,CAC9B,mCAAmC,EACnC,CAAC,EACD,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,OAAO,GAAG,oCAA4B,EAAE,CAAC;QACjD,MAAM,IAAI,+BAAsB,CAAC,mCAAmC,EAAE,CAAC,EAAE,uBAAuB,CAAC,CAAC;IACpG,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,UAAoB,EAAE,IAAwB;IAC/E,KAAK,MAAM,SAAS,IAAI,qCAA6B,EAAE,CAAC;QACtD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,+BAAsB,CAC9B,0CAA0C,EAC1C,CAAC,EACD,oCAAoC,SAAS,IAAI,CAClD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,0EAA0E;IAC1E,sEAAsE;IACtE,4DAA4D;IAC5D,wEAAwE;IACxE,kCAAkC;IAClC,MAAM,OAAO,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACxC,IAAI,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,+BAAsB,CAC9B,0CAA0C,EAC1C,CAAC,EACD,4EAA4E,CAC7E,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,iBAAiB,CAAC,MAAc;IACvC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,CAAC,EACD,gBAAgB,MAAM,2BAA2B,CAClD,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,CAAC,EACD,oCAAoC,GAAG,CAAC,QAAQ,SAAS,MAAM,IAAI,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,+BAAsB,CAAC,+BAA+B,EAAE,CAAC,EAAE,sCAAsC,CAAC,CAAC;IAC/G,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,+BAAsB,CAAC,+BAA+B,EAAE,CAAC,EAAE,wCAAwC,CAAC,CAAC;IACjH,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAC7F,CAAC;AA4BD;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CACpC,OAAsC;IAEtC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,4BAAmB,EAAE,CAAC;IACrE,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,oCAAuB,EAAE,CAAC;IACjF,OAAO,CAAC,QAAsB,EAAE,EAAE,CAAC,uBAAuB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC,CAAC;AACrH,CAAC"}

package/dist/lib/signing/server.d.ts

@@ -8,10 +8,11 @@
  * capability cache). The aggregate `@adcp/sdk/signing` barrel re-exports
  * both for back-compat.
  */
-export { buildSignatureBase, canonicalAuthority, canonicalMethod, canonicalTargetUri, formatSignatureParams, getHeaderValue, type RequestLike, type SignatureParams, } from './canonicalize';
+export { buildResponseSignatureBase, buildSignatureBase, canonicalAuthority, canonicalMethod, canonicalTargetUri, formatSignatureParams, getHeaderValue, type RequestLike, type ResponseLike, type SignatureParams, } from './canonicalize';
 export { computeContentDigest, contentDigestMatches, parseContentDigest } from './content-digest';
+export { requestContextFromExpress, requestContextFromFetch, requestContextFromLambda, type ExpressRequestLike, type FetchRequestLike, type LambdaRequestEvent, type RequestContextFromExpressOptions, type RequestContextFromLambdaOptions, } from './request-context';
 export { jwkToPublicKey, verifySignature } from './crypto';
-export { RequestSignatureError, type RequestSignatureErrorCode, WebhookSignatureError, type WebhookSignatureErrorCode, } from './errors';
+export { RequestSignatureError, type RequestSignatureErrorCode, ResponseSignatureError, type ResponseSignatureErrorCode, WebhookSignatureError, type WebhookSignatureErrorCode, } from './errors';
 export { StaticJwksResolver, type JwksResolver } from './jwks';
 export { HttpsJwksResolver, type HttpsJwksResolverOptions } from './jwks-https';
 export { BrandJsonJwksResolver, BrandJsonResolverError, type BrandAgentType, type BrandJsonJwksResolverOptions, type BrandJsonResolverErrorCode, } from './brand-jwks';
@@ -20,8 +21,9 @@ export { InMemoryReplayStore, type InMemoryReplayStoreOptions, type ReplayInsert
 export { PostgresReplayStore, REPLAY_CACHE_MIGRATION, getReplayStoreMigration, sweepExpiredReplays, type PostgresReplayStoreOptions, type SweepExpiredReplaysOptions, } from './postgres-replay-store';
 export { InMemoryRevocationStore, type RevocationStore } from './revocation';
 export { HttpsRevocationStore, type HttpsRevocationStoreOptions } from './revocation-https';
-export { ALLOWED_ALGS, CLOCK_SKEW_TOLERANCE_SECONDS, MANDATORY_COMPONENTS, MAX_SIGNATURE_WINDOW_SECONDS, REQUEST_SIGNING_TAG, type AdcpJsonWebKey, type ContentDigestPolicy, type RevocationSnapshot, type VerifiedSigner, type VerifierCapability, type VerifyResult, } from './types';
+export { ALLOWED_ALGS, CLOCK_SKEW_TOLERANCE_SECONDS, MANDATORY_COMPONENTS, MAX_SIGNATURE_WINDOW_SECONDS, REQUEST_SIGNING_TAG, RESPONSE_MANDATORY_COMPONENTS, RESPONSE_SIGNING_TAG, type AdcpJsonWebKey, type ContentDigestPolicy, type RevocationSnapshot, type VerifiedSigner, type VerifierCapability, type VerifyResult, } from './types';
 export { verifyRequestSignature, type VerifyRequestOptions } from './verifier';
+export { createResponseVerifier, verifyResponseSignature, type CreateResponseVerifierOptions, type VerifyResponseOptions, type VerifyResponseResult, } from './response-verifier';
 export { createWebhookVerifier, verifyWebhookSignature, WEBHOOK_MANDATORY_COMPONENTS, WEBHOOK_SIGNING_TAG, type CreateWebhookVerifierOptions, type VerifyWebhookOptions, type VerifyWebhookResult, } from './webhook-verifier';
 export { createExpressVerifier, type ExpressLike, type ExpressMiddlewareOptions } from './middleware';
 export { resolveAgent, getAgentJwks, createAgentJwksSet, AgentResolverError, attackerInfluencedFields, ATTACKER_INFLUENCED, readBrandJsonUrl, readIdentityPosture, type AgentResolution, type AgentProtocol, type AgentResolverErrorCode, type AgentResolverErrorDetail, type AgentEntry, type AgentJwksResult, type CapabilitiesWithBrandJsonUrl, type CreateAgentJwksSetOptions, type FetchCapabilitiesFn, type GetAgentJwksOptions, type IdentityKeyOriginPurpose, type IdentityKeyOrigins, type IdentityPosture, type ResolveAgentOptions, type TraceStep, } from './agent-resolver';

package/dist/lib/signing/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/lib/signing/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,KAAK,WAAW,EAChB,KAAK,eAAe,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAClG,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EACL,qBAAqB,EACrB,KAAK,yBAAyB,EAC9B,qBAAqB,EACrB,KAAK,yBAAyB,GAC/B,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,kBAAkB,EAAE,KAAK,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,cAAc,CAAC;AAChF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,KAAK,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAChH,OAAO,EACL,mBAAmB,EACnB,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,WAAW,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,KAAK,0BAA0B,EAC/B,KAAK,0BAA0B,GAChC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,uBAAuB,EAAE,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,KAAK,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AAC5F,OAAO,EACL,YAAY,EACZ,4BAA4B,EAC5B,oBAAoB,EACpB,4BAA4B,EAC5B,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,YAAY,GAClB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,sBAAsB,EAAE,KAAK,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAC/E,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,4BAA4B,EAC5B,mBAAmB,EACnB,KAAK,4BAA4B,EACjC,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,qBAAqB,EAAE,KAAK,WAAW,EAAE,KAAK,wBAAwB,EAAE,MAAM,cAAc,CAAC;AACtG,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,kBAAkB,EAClB,kBAAkB,EAClB,wBAAwB,EACxB,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,4BAA4B,EACjC,KAAK,yBAAyB,EAC9B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,SAAS,GACf,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/lib/signing/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EACL,0BAA0B,EAC1B,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,KAAK,WAAW,EAChB,KAAK,YAAY,EACjB,KAAK,eAAe,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAClG,OAAO,EACL,yBAAyB,EACzB,uBAAuB,EACvB,wBAAwB,EACxB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,gCAAgC,EACrC,KAAK,+BAA+B,GACrC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EACL,qBAAqB,EACrB,KAAK,yBAAyB,EAC9B,sBAAsB,EACtB,KAAK,0BAA0B,EAC/B,qBAAqB,EACrB,KAAK,yBAAyB,GAC/B,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,kBAAkB,EAAE,KAAK,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,cAAc,CAAC;AAChF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,KAAK,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAChH,OAAO,EACL,mBAAmB,EACnB,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,WAAW,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,KAAK,0BAA0B,EAC/B,KAAK,0BAA0B,GAChC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,uBAAuB,EAAE,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,KAAK,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AAC5F,OAAO,EACL,YAAY,EACZ,4BAA4B,EAC5B,oBAAoB,EACpB,4BAA4B,EAC5B,mBAAmB,EACnB,6BAA6B,EAC7B,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,YAAY,GAClB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,sBAAsB,EAAE,KAAK,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAC/E,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,KAAK,6BAA6B,EAClC,KAAK,qBAAqB,EAC1B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,4BAA4B,EAC5B,mBAAmB,EACnB,KAAK,4BAA4B,EACjC,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,qBAAqB,EAAE,KAAK,WAAW,EAAE,KAAK,wBAAwB,EAAE,MAAM,cAAc,CAAC;AACtG,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,kBAAkB,EAClB,kBAAkB,EAClB,wBAAwB,EACxB,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,4BAA4B,EACjC,KAAK,yBAAyB,EAC9B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,SAAS,GACf,MAAM,kBAAkB,CAAC"}

package/dist/lib/signing/server.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.readIdentityPosture = exports.readBrandJsonUrl = exports.ATTACKER_INFLUENCED = exports.attackerInfluencedFields = exports.AgentResolverError = exports.createAgentJwksSet = exports.getAgentJwks = exports.resolveAgent = exports.createExpressVerifier = exports.WEBHOOK_SIGNING_TAG = exports.WEBHOOK_MANDATORY_COMPONENTS = exports.verifyWebhookSignature = exports.createWebhookVerifier = exports.verifyRequestSignature = exports.REQUEST_SIGNING_TAG = exports.MAX_SIGNATURE_WINDOW_SECONDS = exports.MANDATORY_COMPONENTS = exports.CLOCK_SKEW_TOLERANCE_SECONDS = exports.ALLOWED_ALGS = exports.HttpsRevocationStore = exports.InMemoryRevocationStore = exports.sweepExpiredReplays = exports.getReplayStoreMigration = exports.REPLAY_CACHE_MIGRATION = exports.PostgresReplayStore = exports.InMemoryReplayStore = exports.parseSignatureInput = exports.parseSignature = exports.BrandJsonResolverError = exports.BrandJsonJwksResolver = exports.HttpsJwksResolver = exports.StaticJwksResolver = exports.WebhookSignatureError = exports.RequestSignatureError = exports.verifySignature = exports.jwkToPublicKey = exports.parseContentDigest = exports.contentDigestMatches = exports.computeContentDigest = exports.getHeaderValue = exports.formatSignatureParams = exports.canonicalTargetUri = exports.canonicalMethod = exports.canonicalAuthority = exports.buildSignatureBase = void 0;
+exports.AgentResolverError = exports.createAgentJwksSet = exports.getAgentJwks = exports.resolveAgent = exports.createExpressVerifier = exports.WEBHOOK_SIGNING_TAG = exports.WEBHOOK_MANDATORY_COMPONENTS = exports.verifyWebhookSignature = exports.createWebhookVerifier = exports.verifyResponseSignature = exports.createResponseVerifier = exports.verifyRequestSignature = exports.RESPONSE_SIGNING_TAG = exports.RESPONSE_MANDATORY_COMPONENTS = exports.REQUEST_SIGNING_TAG = exports.MAX_SIGNATURE_WINDOW_SECONDS = exports.MANDATORY_COMPONENTS = exports.CLOCK_SKEW_TOLERANCE_SECONDS = exports.ALLOWED_ALGS = exports.HttpsRevocationStore = exports.InMemoryRevocationStore = exports.sweepExpiredReplays = exports.getReplayStoreMigration = exports.REPLAY_CACHE_MIGRATION = exports.PostgresReplayStore = exports.InMemoryReplayStore = exports.parseSignatureInput = exports.parseSignature = exports.BrandJsonResolverError = exports.BrandJsonJwksResolver = exports.HttpsJwksResolver = exports.StaticJwksResolver = exports.WebhookSignatureError = exports.ResponseSignatureError = exports.RequestSignatureError = exports.verifySignature = exports.jwkToPublicKey = exports.requestContextFromLambda = exports.requestContextFromFetch = exports.requestContextFromExpress = exports.parseContentDigest = exports.contentDigestMatches = exports.computeContentDigest = exports.getHeaderValue = exports.formatSignatureParams = exports.canonicalTargetUri = exports.canonicalMethod = exports.canonicalAuthority = exports.buildSignatureBase = exports.buildResponseSignatureBase = void 0;
+exports.readIdentityPosture = exports.readBrandJsonUrl = exports.ATTACKER_INFLUENCED = exports.attackerInfluencedFields = void 0;
 /**
  * Server-side signing surface: what a seller running an AdCP agent needs to
  * verify inbound RFC 9421 signatures — verifier pipeline, Express-shaped
@@ -12,6 +13,7 @@ exports.readIdentityPosture = exports.readBrandJsonUrl = exports.ATTACKER_INFLUE
  * both for back-compat.
  */
 var canonicalize_1 = require("./canonicalize");
+Object.defineProperty(exports, "buildResponseSignatureBase", { enumerable: true, get: function () { return canonicalize_1.buildResponseSignatureBase; } });
 Object.defineProperty(exports, "buildSignatureBase", { enumerable: true, get: function () { return canonicalize_1.buildSignatureBase; } });
 Object.defineProperty(exports, "canonicalAuthority", { enumerable: true, get: function () { return canonicalize_1.canonicalAuthority; } });
 Object.defineProperty(exports, "canonicalMethod", { enumerable: true, get: function () { return canonicalize_1.canonicalMethod; } });
@@ -22,11 +24,16 @@ var content_digest_1 = require("./content-digest");
 Object.defineProperty(exports, "computeContentDigest", { enumerable: true, get: function () { return content_digest_1.computeContentDigest; } });
 Object.defineProperty(exports, "contentDigestMatches", { enumerable: true, get: function () { return content_digest_1.contentDigestMatches; } });
 Object.defineProperty(exports, "parseContentDigest", { enumerable: true, get: function () { return content_digest_1.parseContentDigest; } });
+var request_context_1 = require("./request-context");
+Object.defineProperty(exports, "requestContextFromExpress", { enumerable: true, get: function () { return request_context_1.requestContextFromExpress; } });
+Object.defineProperty(exports, "requestContextFromFetch", { enumerable: true, get: function () { return request_context_1.requestContextFromFetch; } });
+Object.defineProperty(exports, "requestContextFromLambda", { enumerable: true, get: function () { return request_context_1.requestContextFromLambda; } });
 var crypto_1 = require("./crypto");
 Object.defineProperty(exports, "jwkToPublicKey", { enumerable: true, get: function () { return crypto_1.jwkToPublicKey; } });
 Object.defineProperty(exports, "verifySignature", { enumerable: true, get: function () { return crypto_1.verifySignature; } });
 var errors_1 = require("./errors");
 Object.defineProperty(exports, "RequestSignatureError", { enumerable: true, get: function () { return errors_1.RequestSignatureError; } });
+Object.defineProperty(exports, "ResponseSignatureError", { enumerable: true, get: function () { return errors_1.ResponseSignatureError; } });
 Object.defineProperty(exports, "WebhookSignatureError", { enumerable: true, get: function () { return errors_1.WebhookSignatureError; } });
 var jwks_1 = require("./jwks");
 Object.defineProperty(exports, "StaticJwksResolver", { enumerable: true, get: function () { return jwks_1.StaticJwksResolver; } });
@@ -55,8 +62,13 @@ Object.defineProperty(exports, "CLOCK_SKEW_TOLERANCE_SECONDS", { enumerable: tru
 Object.defineProperty(exports, "MANDATORY_COMPONENTS", { enumerable: true, get: function () { return types_1.MANDATORY_COMPONENTS; } });
 Object.defineProperty(exports, "MAX_SIGNATURE_WINDOW_SECONDS", { enumerable: true, get: function () { return types_1.MAX_SIGNATURE_WINDOW_SECONDS; } });
 Object.defineProperty(exports, "REQUEST_SIGNING_TAG", { enumerable: true, get: function () { return types_1.REQUEST_SIGNING_TAG; } });
+Object.defineProperty(exports, "RESPONSE_MANDATORY_COMPONENTS", { enumerable: true, get: function () { return types_1.RESPONSE_MANDATORY_COMPONENTS; } });
+Object.defineProperty(exports, "RESPONSE_SIGNING_TAG", { enumerable: true, get: function () { return types_1.RESPONSE_SIGNING_TAG; } });
 var verifier_1 = require("./verifier");
 Object.defineProperty(exports, "verifyRequestSignature", { enumerable: true, get: function () { return verifier_1.verifyRequestSignature; } });
+var response_verifier_1 = require("./response-verifier");
+Object.defineProperty(exports, "createResponseVerifier", { enumerable: true, get: function () { return response_verifier_1.createResponseVerifier; } });
+Object.defineProperty(exports, "verifyResponseSignature", { enumerable: true, get: function () { return response_verifier_1.verifyResponseSignature; } });
 var webhook_verifier_1 = require("./webhook-verifier");
 Object.defineProperty(exports, "createWebhookVerifier", { enumerable: true, get: function () { return webhook_verifier_1.createWebhookVerifier; } });
 Object.defineProperty(exports, "verifyWebhookSignature", { enumerable: true, get: function () { return webhook_verifier_1.verifyWebhookSignature; } });

package/dist/lib/signing/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/lib/signing/server.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,+CASwB;AARtB,kHAAA,kBAAkB,OAAA;AAClB,kHAAA,kBAAkB,OAAA;AAClB,+GAAA,eAAe,OAAA;AACf,kHAAA,kBAAkB,OAAA;AAClB,qHAAA,qBAAqB,OAAA;AACrB,8GAAA,cAAc,OAAA;AAIhB,mDAAkG;AAAzF,sHAAA,oBAAoB,OAAA;AAAE,sHAAA,oBAAoB,OAAA;AAAE,oHAAA,kBAAkB,OAAA;AACvE,mCAA2D;AAAlD,wGAAA,cAAc,OAAA;AAAE,yGAAA,eAAe,OAAA;AACxC,mCAKkB;AAJhB,+GAAA,qBAAqB,OAAA;AAErB,+GAAA,qBAAqB,OAAA;AAGvB,+BAA+D;AAAtD,0GAAA,kBAAkB,OAAA;AAC3B,2CAAgF;AAAvE,+GAAA,iBAAiB,OAAA;AAC1B,2CAMsB;AALpB,mHAAA,qBAAqB,OAAA;AACrB,oHAAA,sBAAsB,OAAA;AAKxB,mCAAgH;AAAvG,wGAAA,cAAc,OAAA;AAAE,6GAAA,mBAAmB,OAAA;AAC5C,mCAKkB;AAJhB,6GAAA,mBAAmB,OAAA;AAKrB,iEAOiC;AAN/B,4HAAA,mBAAmB,OAAA;AACnB,+HAAA,sBAAsB,OAAA;AACtB,gIAAA,uBAAuB,OAAA;AACvB,4HAAA,mBAAmB,OAAA;AAIrB,2CAA6E;AAApE,qHAAA,uBAAuB,OAAA;AAChC,uDAA4F;AAAnF,wHAAA,oBAAoB,OAAA;AAC7B,iCAYiB;AAXf,qGAAA,YAAY,OAAA;AACZ,qHAAA,4BAA4B,OAAA;AAC5B,6GAAA,oBAAoB,OAAA;AACpB,qHAAA,4BAA4B,OAAA;AAC5B,4GAAA,mBAAmB,OAAA;AAQrB,uCAA+E;AAAtE,kHAAA,sBAAsB,OAAA;AAC/B,uDAQ4B;AAP1B,yHAAA,qBAAqB,OAAA;AACrB,0HAAA,sBAAsB,OAAA;AACtB,gIAAA,4BAA4B,OAAA;AAC5B,uHAAA,mBAAmB,OAAA;AAKrB,2CAAsG;AAA7F,mHAAA,qBAAqB,OAAA;AAC9B,mDAwB0B;AAvBxB,8GAAA,YAAY,OAAA;AACZ,8GAAA,YAAY,OAAA;AACZ,oHAAA,kBAAkB,OAAA;AAClB,oHAAA,kBAAkB,OAAA;AAClB,0HAAA,wBAAwB,OAAA;AACxB,qHAAA,mBAAmB,OAAA;AACnB,kHAAA,gBAAgB,OAAA;AAChB,qHAAA,mBAAmB,OAAA"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/lib/signing/server.ts"],"names":[],"mappings":";;;;AAAA;;;;;;;;;GASG;AACH,+CAWwB;AAVtB,0HAAA,0BAA0B,OAAA;AAC1B,kHAAA,kBAAkB,OAAA;AAClB,kHAAA,kBAAkB,OAAA;AAClB,+GAAA,eAAe,OAAA;AACf,kHAAA,kBAAkB,OAAA;AAClB,qHAAA,qBAAqB,OAAA;AACrB,8GAAA,cAAc,OAAA;AAKhB,mDAAkG;AAAzF,sHAAA,oBAAoB,OAAA;AAAE,sHAAA,oBAAoB,OAAA;AAAE,oHAAA,kBAAkB,OAAA;AACvE,qDAS2B;AARzB,4HAAA,yBAAyB,OAAA;AACzB,0HAAA,uBAAuB,OAAA;AACvB,2HAAA,wBAAwB,OAAA;AAO1B,mCAA2D;AAAlD,wGAAA,cAAc,OAAA;AAAE,yGAAA,eAAe,OAAA;AACxC,mCAOkB;AANhB,+GAAA,qBAAqB,OAAA;AAErB,gHAAA,sBAAsB,OAAA;AAEtB,+GAAA,qBAAqB,OAAA;AAGvB,+BAA+D;AAAtD,0GAAA,kBAAkB,OAAA;AAC3B,2CAAgF;AAAvE,+GAAA,iBAAiB,OAAA;AAC1B,2CAMsB;AALpB,mHAAA,qBAAqB,OAAA;AACrB,oHAAA,sBAAsB,OAAA;AAKxB,mCAAgH;AAAvG,wGAAA,cAAc,OAAA;AAAE,6GAAA,mBAAmB,OAAA;AAC5C,mCAKkB;AAJhB,6GAAA,mBAAmB,OAAA;AAKrB,iEAOiC;AAN/B,4HAAA,mBAAmB,OAAA;AACnB,+HAAA,sBAAsB,OAAA;AACtB,gIAAA,uBAAuB,OAAA;AACvB,4HAAA,mBAAmB,OAAA;AAIrB,2CAA6E;AAApE,qHAAA,uBAAuB,OAAA;AAChC,uDAA4F;AAAnF,wHAAA,oBAAoB,OAAA;AAC7B,iCAciB;AAbf,qGAAA,YAAY,OAAA;AACZ,qHAAA,4BAA4B,OAAA;AAC5B,6GAAA,oBAAoB,OAAA;AACpB,qHAAA,4BAA4B,OAAA;AAC5B,4GAAA,mBAAmB,OAAA;AACnB,sHAAA,6BAA6B,OAAA;AAC7B,6GAAA,oBAAoB,OAAA;AAQtB,uCAA+E;AAAtE,kHAAA,sBAAsB,OAAA;AAC/B,yDAM6B;AAL3B,2HAAA,sBAAsB,OAAA;AACtB,4HAAA,uBAAuB,OAAA;AAKzB,uDAQ4B;AAP1B,yHAAA,qBAAqB,OAAA;AACrB,0HAAA,sBAAsB,OAAA;AACtB,gIAAA,4BAA4B,OAAA;AAC5B,uHAAA,mBAAmB,OAAA;AAKrB,2CAAsG;AAA7F,mHAAA,qBAAqB,OAAA;AAC9B,mDAwB0B;AAvBxB,8GAAA,YAAY,OAAA;AACZ,8GAAA,YAAY,OAAA;AACZ,oHAAA,kBAAkB,OAAA;AAClB,oHAAA,kBAAkB,OAAA;AAClB,0HAAA,wBAAwB,OAAA;AACxB,qHAAA,mBAAmB,OAAA;AACnB,kHAAA,gBAAgB,OAAA;AAChB,qHAAA,mBAAmB,OAAA"}

package/dist/lib/signing/signer-async.d.ts

@@ -1,6 +1,6 @@
-import type { RequestLike } from './canonicalize';
+import type { RequestLike, ResponseLike } from './canonicalize';
 import type { SigningProvider } from './provider';
-import type { SignedRequest, SignRequestOptions, SignWebhookOptions } from './signer';
+import type { SignedRequest, SignedResponse, SignRequestOptions, SignResponseOptions, SignWebhookOptions } from './signer';
 /**
  * Async variant of `signRequest` that delegates the actual signature
  * production to a {@link SigningProvider}. Reuses
@@ -21,4 +21,10 @@ export declare function signRequestAsync(request: RequestLike, provider: Signing
  * `Content-Digest` header stay in lockstep.
  */
 export declare function signWebhookAsync(request: RequestLike, provider: SigningProvider, options?: SignWebhookOptions): Promise<SignedRequest>;
+/**
+ * Async variant of `signResponse`. Reuses {@link prepareResponseSignature}
+ * and {@link finalizeResponseSignature} from the sync path so canonicalization
+ * stays identical — `provider.sign(payload)` is the only difference.
+ */
+export declare function signResponseAsync(response: ResponseLike, provider: SigningProvider, options?: SignResponseOptions): Promise<SignedResponse>;
 //# sourceMappingURL=signer-async.d.ts.map

package/dist/lib/signing/signer-async.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signer-async.d.ts","sourceRoot":"","sources":["../../../src/lib/signing/signer-async.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,KAAK,EAAE,aAAa,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAGtF;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,eAAe,EACzB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,aAAa,CAAC,CAIxB;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,eAAe,EACzB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,aAAa,CAAC,CAIxB"}
+{"version":3,"file":"signer-async.d.ts","sourceRoot":"","sources":["../../../src/lib/signing/signer-async.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAChE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EACnB,MAAM,UAAU,CAAC;AAUlB;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,eAAe,EACzB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,aAAa,CAAC,CAKxB;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,eAAe,EACzB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,aAAa,CAAC,CAKxB;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,YAAY,EACtB,QAAQ,EAAE,eAAe,EACzB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,cAAc,CAAC,CAKzB"}

package/dist/lib/signing/signer-async.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.signRequestAsync = signRequestAsync;
 exports.signWebhookAsync = signWebhookAsync;
+exports.signResponseAsync = signResponseAsync;
 const signer_1 = require("./signer");
 /**
  * Async variant of `signRequest` that delegates the actual signature
@@ -16,6 +17,7 @@ const signer_1 = require("./signer");
  * deployments that store private keys in a managed key store.
  */
 async function signRequestAsync(request, provider, options = {}) {
+    (0, signer_1.assertProviderPurpose)(provider, 'request-signing');
     const prepared = (0, signer_1.prepareRequestSignature)(request, { keyid: provider.keyid, alg: provider.algorithm }, options);
     const signature = await provider.sign(Buffer.from(prepared.base, 'utf8'));
     return (0, signer_1.finalizeRequestSignature)(prepared, signature);
@@ -27,8 +29,20 @@ async function signRequestAsync(request, provider, options = {}) {
  * `Content-Digest` header stay in lockstep.
  */
 async function signWebhookAsync(request, provider, options = {}) {
+    (0, signer_1.assertProviderPurpose)(provider, 'webhook-signing');
     const prepared = (0, signer_1.prepareWebhookSignature)(request, { keyid: provider.keyid, alg: provider.algorithm }, options);
     const signature = await provider.sign(Buffer.from(prepared.base, 'utf8'));
     return (0, signer_1.finalizeRequestSignature)(prepared, signature);
 }
+/**
+ * Async variant of `signResponse`. Reuses {@link prepareResponseSignature}
+ * and {@link finalizeResponseSignature} from the sync path so canonicalization
+ * stays identical — `provider.sign(payload)` is the only difference.
+ */
+async function signResponseAsync(response, provider, options = {}) {
+    (0, signer_1.assertProviderPurpose)(provider, 'response-signing');
+    const prepared = (0, signer_1.prepareResponseSignature)(response, { keyid: provider.keyid, alg: provider.algorithm }, options);
+    const signature = await provider.sign(Buffer.from(prepared.base, 'utf8'));
+    return (0, signer_1.finalizeResponseSignature)(prepared, signature);
+}
 //# sourceMappingURL=signer-async.js.map

package/dist/lib/signing/signer-async.js.map

@@ -1 +1 @@
-{"version":3,"file":"signer-async.js","sourceRoot":"","sources":["../../../src/lib/signing/signer-async.ts"],"names":[],"mappings":";;AAiBA,4CAQC;AAQD,4CAQC;AAtCD,qCAAsG;AAEtG;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,gBAAgB,CACpC,OAAoB,EACpB,QAAyB,EACzB,UAA8B,EAAE;IAEhC,MAAM,QAAQ,GAAG,IAAA,gCAAuB,EAAC,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,CAAC;IAC/G,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1E,OAAO,IAAA,iCAAwB,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AACvD,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,gBAAgB,CACpC,OAAoB,EACpB,QAAyB,EACzB,UAA8B,EAAE;IAEhC,MAAM,QAAQ,GAAG,IAAA,gCAAuB,EAAC,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,CAAC;IAC/G,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1E,OAAO,IAAA,iCAAwB,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AACvD,CAAC"}
+{"version":3,"file":"signer-async.js","sourceRoot":"","sources":["../../../src/lib/signing/signer-async.ts"],"names":[],"mappings":";;AA8BA,4CASC;AAQD,4CASC;AAOD,8CASC;AA/DD,qCAOkB;AAElB;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,gBAAgB,CACpC,OAAoB,EACpB,QAAyB,EACzB,UAA8B,EAAE;IAEhC,IAAA,8BAAqB,EAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAA,gCAAuB,EAAC,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,CAAC;IAC/G,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1E,OAAO,IAAA,iCAAwB,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AACvD,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,gBAAgB,CACpC,OAAoB,EACpB,QAAyB,EACzB,UAA8B,EAAE;IAEhC,IAAA,8BAAqB,EAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAA,gCAAuB,EAAC,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,CAAC;IAC/G,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1E,OAAO,IAAA,iCAAwB,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AACvD,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,iBAAiB,CACrC,QAAsB,EACtB,QAAyB,EACzB,UAA+B,EAAE;IAEjC,IAAA,8BAAqB,EAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAA,iCAAwB,EAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC,SAAS,EAAE,EAAE,OAAO,CAAC,CAAC;IACjH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1E,OAAO,IAAA,kCAAyB,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AACxD,CAAC"}