@adcp/sdk 8.1.0-beta.13 → 8.1.0-beta.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adcp/sdk",
-  "version": "8.1.0-beta.13",
+  "version": "8.1.0-beta.14",
   "description": "AdCP SDK — client, server, and compliance harnesses for the AdContext Protocol (MCP + A2A)",
   "workspaces": [
     ".",
@@ -93,6 +93,11 @@
       "require": "./dist/lib/net/index.js",
       "types": "./dist/lib/net/index.d.ts"
     },
+    "./canonical-references": {
+      "import": "./dist/lib/canonical-references/index.js",
+      "require": "./dist/lib/canonical-references/index.js",
+      "types": "./dist/lib/canonical-references/index.d.ts"
+    },
     "./server": {
       "import": "./dist/lib/server/index.js",
       "require": "./dist/lib/server/index.js",
@@ -204,6 +209,9 @@
       "net": [
         "dist/lib/net/index.d.ts"
       ],
+      "canonical-references": [
+        "dist/lib/canonical-references/index.d.ts"
+      ],
       "server": [
         "dist/lib/server/index.d.ts"
       ],
@@ -257,6 +265,7 @@
     "ADCP_VERSION",
     "docs/llms.txt",
     "docs/guides/BUILD-AN-AGENT.md",
+    "docs/guides/CANONICAL-REFERENCE-RESOLVER.md",
     "examples/**/*",
     "AGENTS.md",
     "README.md",
@@ -270,9 +279,14 @@
     "build:lib": "npm run sync-version && npm run schemas:ensure && tsx scripts/generate-wire-spec-fields.ts && tsc --project tsconfig.lib.json && tsx scripts/copy-schemas-to-dist.ts && tsx scripts/copy-v2-projection-catalog.ts && tsx scripts/generate-per-tool-types.ts",
     "build:test-agents": "npm run build:lib && tsc -p test-agents/tsconfig.json --rootDir test-agents",
     "pretest": "npm run schemas:ensure",
-    "test": "NODE_ENV=test node --test-timeout=60000 --test-force-exit --test test/*.test.js test/lib/*.test.js && npm test --workspace=packages/eslint-plugin --if-present",
+    "test": "npm run test:node && npm test --workspace=packages/eslint-plugin --if-present",
+    "test:node": "npm run test:node:fast && npm run test:node:slow",
+    "test:node:fast": "NODE_ENV=test node --test-timeout=60000 --test-force-exit --test $(find test -maxdepth 1 -name '*.test.js' ! -name 'generate-zod-object-intersections.test.js' -print) $(find test/lib -maxdepth 1 -name '*.test.js' ! -name 'cli-auth-scheme.test.js' ! -name 'cli-webhook-receiver-flag.test.js' ! -name 'conformance-cli.test.js' -print)",
+    "test:node:slow": "NODE_ENV=test node --test-timeout=180000 --test-force-exit --test test/generate-zod-object-intersections.test.js test/lib/cli-auth-scheme.test.js test/lib/cli-webhook-receiver-flag.test.js test/lib/conformance-cli.test.js",
     "pretest:lib": "npm run schemas:ensure",
-    "test:lib": "NODE_ENV=test node --test-timeout=60000 --test-force-exit --test test/lib/*.test.js",
+    "test:lib": "npm run test:lib:fast && npm run test:lib:slow",
+    "test:lib:fast": "NODE_ENV=test node --test-timeout=60000 --test-force-exit --test $(find test/lib -maxdepth 1 -name '*.test.js' ! -name 'cli-auth-scheme.test.js' ! -name 'cli-webhook-receiver-flag.test.js' ! -name 'conformance-cli.test.js' -print)",
+    "test:lib:slow": "NODE_ENV=test node --test-timeout=180000 --test-force-exit --test test/lib/cli-auth-scheme.test.js test/lib/cli-webhook-receiver-flag.test.js test/lib/conformance-cli.test.js",
     "pretest:examples": "npm run build",
     "test:examples": "NODE_ENV=test node --test-timeout=180000 --test-force-exit --test-concurrency=1 --test test/examples/*.test.js",
     "test:e2e": "node test/e2e/adcp-e2e.test.js",
@@ -290,6 +304,7 @@
     "sync-schemas:v2.5": "tsx scripts/sync-v2-5-schemas.ts",
     "sync-schemas:3.1-beta": "tsx scripts/sync-3-1-beta-schemas.ts",
     "sync-schemas:all": "npm run sync-schemas && npm run sync-schemas:v2.5 && npm run sync-schemas:3.1-beta",
+    "sync-registry-schemas": "tsx scripts/generate-registry-types.ts --sync",
     "schemas:ensure": "tsx scripts/schemas-ensure.ts",
     "schema-diff": "tsx scripts/schema-diff.ts",
     "generate-types": "tsx scripts/generate-types.ts && tsx scripts/generate-enum-arrays.ts && tsx scripts/generate-manifest-derived.ts && tsx scripts/generate-entity-hydration.ts",
@@ -304,7 +319,7 @@
     "generate-zod-schemas": "tsx scripts/generate-zod-from-ts.ts && tsx scripts/generate-inline-enum-arrays.ts",
     "generate-wellknown-schemas": "tsx scripts/generate-wellknown-schemas.ts",
     "generate-agent-docs": "tsx scripts/generate-agent-docs.ts",
-    "compliance:fork-matrix": "node --test --test-timeout=300000 'test/examples/hello-*.test.js'",
+    "compliance:fork-matrix": "node --test --test-timeout=300000 'test/examples/hello-*.test.js' test/examples/proxy-seller-snap.test.js",
     "typecheck:skill-examples": "tsx scripts/typecheck-skill-examples.ts",
     "check:skill-sync": "tsx scripts/check-skill-sync.ts",
     "check:adopter-types": "tsx scripts/check-adopter-types.ts",

package/skills/build-creative-agent/SKILL.md

@@ -76,21 +76,7 @@ Audio templates (TTS / mix / master, e.g. AudioStack / ElevenLabs / Resemble) fo
    The `audioAsset` builder injects the `asset_type: 'audio'` discriminator the creative-manifest oneOf requires.
 4. Seed an audio template in your upstream platform — see `tpl_audiostack_spot_30s_v1` in `src/lib/mock-server/creative-template/seed-data.ts` for the worked reference.
 
-**Storyboard coverage for audio is not yet upstream** — the `creative_template/build_creative` step asserts display-shaped assets, tracked at [adcontextprotocol/adcp#4015](https://github.com/adcontextprotocol/adcp/issues/4015). Until that ships, audio adopters validate via `npm run compliance:fork-matrix -- --test-name-pattern="hello-creative-adapter-template"` (display + video gate inherited) plus a manual round-trip against the seeded audio template:
-
-```bash
-npx adcp mock-server creative-template --port 4250
-# In another shell:
-curl -X POST http://127.0.0.1:4250/v3/workspaces/ws_acme_studio/renders \
-  -H 'Authorization: Bearer mock_creative_template_key_do_not_use_in_prod' \
-  -H 'Content-Type: application/json' \
-  -d '{"template_id":"tpl_audiostack_spot_30s_v1","mode":"build","inputs":[{"slot_id":"script","value":"Built for the trail."}],"client_request_id":"smoke-1"}'
-# → { "render_id": "rnd_…", "status": "queued" }
-# Poll twice (queued → running → complete):
-curl -H 'Authorization: Bearer mock_creative_template_key_do_not_use_in_prod' \
-  http://127.0.0.1:4250/v3/workspaces/ws_acme_studio/renders/rnd_…
-# Final: { ..., "status": "complete", "output": { "audio_url": "….mp3", "preview_url": "...", "assets": [{ "kind": "audio_url", "mime_type": "audio/mpeg" }] } }
-```
+The `creative_template` storyboard includes an optional `audio_build` phase. Enable it with a test kit that sets `supports_audio_formats: true` once your `list_creative_formats` response declares an audio format; the hello adapter CI gate asserts both the discovered audio format and the seeded AudioStack-style build output.
 
 ### `creative-generative`
 

package/skills/build-decisioning-platform/SKILL.md

@@ -243,7 +243,8 @@ import {
   InvalidRequestError, // generic field-level bad input
   InvalidStateError, // illegal transition (paused → archived violations)
   BackwardsTimeRangeError, // start_time >= end_time
-  AuthRequiredError, // need auth, then retry
+  AuthMissingError, // no Authorization header was presented
+  AuthInvalidError, // credentials were presented but rejected
   PermissionDeniedError, // auth present, lacks scope
   RateLimitedError, // throttled (clamps retry_after to [1, 3600])
   UnsupportedFeatureError, // tool unimplemented
@@ -253,6 +254,10 @@ import {
 } from '@adcp/sdk/server';
 ```
 
+`AuthRequiredError` still exists for older code and emits legacy `AUTH_REQUIRED`;
+new seller code should use `AuthMissingError` / `AuthInvalidError` so buyers can
+distinguish missing credentials from rejected credentials.
+
 Each class encodes the right `code` / `recovery` / `field` shape. **Don't throw generic `Error`** — the framework catches that and maps to `SERVICE_UNAVAILABLE`, which the buyer can't pattern-match.
 
 ## Persisting platform state — `ctx.ctxMetadata`

package/skills/build-seller-agent/SKILL.md

@@ -5,17 +5,18 @@ description: Use when building an AdCP seller agent — a publisher, SSP, or ret
 
 # Build a Seller Agent
 
-A seller agent receives briefs from buyers, returns products, accepts media buys, manages creatives, and reports delivery. The fastest path to a passing agent is to **fork a worked adapter** and replace its `// SWAP:` markers with calls to your backend. Each `// SWAP:` comment marks one line you change to your platform's backend call — change only those lines, run the gate, ship. ([`examples/CONTRIBUTING.md`](../../examples/CONTRIBUTING.md) covers the SWAP-marker convention in detail.) This skill tells you which adapter to fork and what cross-cutting rules apply across all of them.
+A seller agent receives briefs from buyers, returns products, accepts media buys, manages creatives, and reports delivery. The fastest path to a passing agent is to **fork a worked adapter** and replace its `// SWAP:` markers with calls to your backend. Each `// SWAP:` comment marks one line you change to your platform's backend call — change only those lines, run the gate, ship. ([`examples/CONTRIBUTING.md`](../../examples/CONTRIBUTING.md) covers the SWAP-marker convention in detail.) Proxy-shaped sellers use the lighter `proxy-seller-snap/` bridge-pattern fork target plus a live-OAuth sandbox runner. This skill tells you which adapter to fork and what cross-cutting rules apply across all of them.
 
 ## Pick your fork target
 
-Each of these is a worked, currently-running, three-gate-tested reference adapter. Fork it, swap the upstream, ship.
+Each `hello_*_adapter_*` entry is a worked, currently-running, three-gate-tested reference adapter. `proxy-seller-snap/` is a bridge-pattern fork target for the seed-read problem; pair it with your own live-OAuth sandbox gate before production.
 
 | Specialism              | Fork this                                                                                         | Mock upstream                               | Storyboard             |
 | ----------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------------------- | ---------------------- |
 | `sales-guaranteed`      | [`hello_seller_adapter_guaranteed.ts`](../../examples/hello_seller_adapter_guaranteed.ts)         | `npx adcp mock-server sales-guaranteed`     | `sales_guaranteed`     |
 | `sales-non-guaranteed`  | [`hello_seller_adapter_non_guaranteed.ts`](../../examples/hello_seller_adapter_non_guaranteed.ts) | `npx adcp mock-server sales-non-guaranteed` | `sales_non_guaranteed` |
 | `sales-social`          | [`hello_seller_adapter_social.ts`](../../examples/hello_seller_adapter_social.ts)                 | `npx adcp mock-server sales-social`         | `sales_social`         |
+| Proxy-shaped seller     | [`proxy-seller-snap/`](../../examples/proxy-seller-snap/)                                        | upstream sandbox / OAuth                    | bridge + live run      |
 | Multi-tenant holdco hub | [`hello_seller_adapter_multi_tenant.ts`](../../examples/hello_seller_adapter_multi_tenant.ts)     | composed                                    | per specialism         |
 
 The other sales-\* specialisms reuse one of the primary fork targets and apply specialism deltas:
@@ -93,6 +94,8 @@ To pass storyboards, you need the runner's `comply_test_controller.seed_product`
 
 - **Handler reads from a system you don't control** (DSPs proxying to Meta/Snap/TikTok, retail-media networks reading retailer catalog APIs, signals agents brokering third-party data marketplaces, walled-garden brokers). A seeded write to your local store is dead — your handler never sees it; if `comply_test_controller` seeds never appear in your responses, that's the symptom. **Wire the `TestControllerBridge`** ([`docs/guides/VALIDATE-YOUR-AGENT.md` § "Platform-proxy sellers"](../../docs/guides/VALIDATE-YOUR-AGENT.md#platform-proxy-sellers-state-of-record-lives-upstream)). The real handler still runs first (so a broken upstream call still fails the conformance gate), and the SDK merges seeded fixtures into the response after.
 
+  Start from [`examples/proxy-seller-snap/`](../../examples/proxy-seller-snap/) for the concrete fork shape: `TestControllerBridge<TAccount>`, `bridgeFromSessionStore`, resolved-account session keying, `getSeededProducts`, `getSeededCreatives`, and governance list selectors. Keep `resolveAccount` as the production trust boundary and pair bridge-green storyboards with a live-OAuth sandbox run; bridge passes prove wire conformance, not upstream adapter health.
+
 Either path earns the **wire-conformance** half of compliance — your storyboards pass, you speak AdCP correctly. The **live-integration** half requires marker-free passes against a real test surface (sandbox credentials with real upstream traffic), independent of whether the bridge is wired. The `_bridge` marker the SDK stamps on bridge-merged responses tracks which steps in a storyboard run used fixtures vs real upstream.
 
 > Certification names in #1782 are under review; the mechanism here is stable.

package/skills/build-si-agent/SKILL.md

@@ -20,7 +20,7 @@ The agent owns the brand voice, transcript state, and product knowledge. The hos
 | --- | --- | --- |
 | `sponsored-intelligence` | [`hello_si_adapter_brand.ts`](../../examples/hello_si_adapter_brand.ts) | `si_baseline` |
 
-SI is a **protocol** in AdCP 3.0, not a specialism. Declare it via the `sponsoredIntelligence` field on the v6 `DecisioningPlatform`; the framework auto-derives `'sponsored_intelligence'` into `supported_protocols` from the four registered SI tools. There's no `specialisms: ['sponsored-intelligence']` claim today (tracked at adcontextprotocol/adcp#3961 for 3.1).
+SI is a **protocol and specialism** in AdCP 3.1. Declare it with `specialisms: ['sponsored-intelligence']` and implement the `sponsoredIntelligence` field on the v6 `DecisioningPlatform`; the framework auto-derives the wire-side `supported_protocols: ['sponsored_intelligence']` entry from the four registered SI tools. Older 3.0-era agents that omit the specialism still dispatch through `platform.sponsoredIntelligence`, but new agents should claim the specialism for compile-time and runtime validation.
 
 The storyboard at `compliance/cache/latest/protocols/sponsored-intelligence/index.yaml` has three phases (capability_discovery, offering_discovery, session_lifecycle) covering all four tools. The reference adapter passes 3/3.
 
@@ -53,7 +53,7 @@ One SI-specific note on idempotency:
 
 ## Specialism deltas at a glance
 
-**`sponsored-intelligence` protocol** —
+**`sponsored-intelligence` specialism** —
 
 - **Single brand per deployment is typical** — one Agentforce instance per advertiser, one OpenAI Assistant per brand. Multi-brand variants route via per-API-key tenant binding inside `accounts.resolve`, not by carrying `account` on the wire (SI tool schemas don't have it).
 - **Session state**: the framework auto-hydrates a small `req.session` record (intent, offering scoping, identity consent, negotiated capabilities) onto `si_send_message` / `si_terminate_session`. Production brand engines almost always own full transcript state in their own backend (Postgres, Redis, vector store) — full transcripts, RAG embeddings, tool-call logs are too rich for `ctx_metadata` and easily exceed the 16KB blob cap. Treat `req.session` as a convenience, not authoritative state.

package/skills/call-adcp-agent/SKILL.md

@@ -241,7 +241,10 @@ Quick lookup before reading the full envelope. Match what you see in `adcp_error
 | `recovery: 'correctable'` | Buyer-side fix | Read `issues[]`, patch the pointers, resend. Most cases close in one attempt. |
 | `recovery: 'terminal'` (account suspended, payment required, …) | Requires human action | Don't retry. Surface to the user. |
 | `[adcp] Warning: agent … does not expose get_adcp_capabilities` (one-shot per client, `@adcp/client` only) | Seller didn't ship v3 discovery — routed through the v2 adapter with idempotency-TTL guarantee unknown | Branch on `client.isSyntheticV2()` before dispatch. Tighten retry policy (lower attempt cap, longer backoff) or fall back to natural-key recovery for these sellers. Same predicate also flags synthetic v3 caveat — see `isSyntheticV2()` JSDoc. |
-| HTTP 401 with `WWW-Authenticate` header | Missing or expired credential | Add `Authorization` per the agent's auth spec; re-auth if applicable. If the challenge `scheme` is `Basic` (gateway-fronted agents — Apigee, Kong, AWS API GW), the SDK / CLI need `auth: { type: 'basic', username, password }` or `--auth user:pass --auth-scheme basic` — `Bearer` will never succeed against that gateway. **Saved aliases**: if registered with `--auth-scheme basic`, the scheme persists in `~/.adcp/config.json` and auto-applies on every later invocation — don't redundantly repeat the flag on each call. |
+| `adcp_error.code: 'AUTH_MISSING'` | No credential was presented | Escalate by default. Retry only if you own a credential supply or refresh path; otherwise surface re-auth to a human. |
+| `adcp_error.code: 'AUTH_INVALID'` | Credential was presented but rejected or revoked | Do not retry blindly. Refresh once only if you own a valid refresh grant and the rejection is token-expiry-shaped; otherwise surface to a human to rotate credentials. |
+| `adcp_error.code: 'AUTH_REQUIRED'` | Legacy compatibility code; older sellers and some SDK helper paths still use it for missing or rejected credentials | Treat as auth escalation by default. Retry only if your agent owns a credential-refresh path; otherwise surface to a human. |
+| HTTP 401 with `WWW-Authenticate` header | Transport auth challenge; may be missing credentials, wrong scheme, rejected credentials, or required request signing | Follow the challenge scheme. `Bearer` means send/refresh an OAuth-style `Authorization: Bearer ...` token. `Basic` means configure basic auth (`auth: { type: 'basic', username, password }` or `--auth user:pass --auth-scheme basic`) — `Bearer` will never succeed against that gateway. `Signature` means enable RFC 9421 request signing with an AdCP signing key, not an `Authorization` retry. **Saved aliases**: if registered with `--auth-scheme basic`, the scheme persists in `~/.adcp/config.json` and auto-applies on every later invocation — don't redundantly repeat the flag on each call. |
 
 If your symptom isn't here, fall through to the next section.
 

package/dist/lib/signing/response-verifier.d.ts

@@ -1,105 +0,0 @@
-/**
- * RFC 9421 response-signing verifier (§2.2.9).
- *
- * Companion to `verifier.ts` (request signatures) and `webhook-verifier.ts`
- * (webhook callbacks). This verifier runs on the buyer / receiver side of
- * a signed response: a client receives a response from a seller agent and
- * hands it here, with the originating request URL the client sent, for
- * signature validation before parsing the body.
- *
- * Distinct from request / webhook signing:
- *   - Tag: `adcp/response-signing/v1`.
- *   - Key purpose: `adcp_use: "response-signing"`.
- *   - Default covered components: `@status`, `@authority`, `@target-uri`,
- *     plus `content-type` + `content-digest` when the body is non-empty.
- *   - The originating request URL is carried explicitly on `ResponseLike.request`
- *     because RFC 9421 §2.2 binds response signatures to their request
- *     context via `@authority` and `@target-uri`. The client supplies the URL
- *     it actually sent — a malformed reconstruction (e.g. `req.protocol`
- *     lying behind a proxy) will trip step 6a or fail the crypto check.
- *
- * Checklist steps below mirror the 13-step shape in `webhook-verifier.ts`
- * so failures point at the same step numbers the request and webhook
- * verifiers use. Numbers are 1-based.
- */
-import { type ResponseLike } from './canonicalize';
-import type { JwksResolver } from './jwks';
-import { type ReplayStore } from './replay';
-import { type RevocationStore } from './revocation';
-export interface VerifyResponseOptions {
-    jwks: JwksResolver;
-    replayStore: ReplayStore;
-    revocationStore: RevocationStore;
-    /** Now in seconds since epoch. Defaults to `Date.now() / 1000`. */
-    now?: () => number;
-    /**
-     * Optional tag override — spec currently defines exactly
-     * `adcp/response-signing/v1`; the override lets test vectors pin a
-     * version.
-     */
-    requiredTag?: string;
-    /** Optional reverse-lookup (kid → publisher URL) for result attribution. */
-    agentUrlForKeyid?: (keyid: string) => string | undefined;
-}
-export interface VerifyResponseResult {
-    status: 'verified';
-    keyid: string;
-    agent_url?: string;
-    verified_at: number;
-}
-/**
- * Verify an inbound response's RFC 9421 signature.
- *
- * Ordering invariant matches the webhook verifier: cheap invariant checks
- * (tag, alg, window, components) run before JWKS resolution; revocation and
- * rate-abuse run before cryptographic verify so an attacker can't amplify
- * Ed25519/ECDSA work. Replay insert commits only after every earlier check
- * passes — any signature failing crypto verify never consumes a cap entry.
- *
- * The replay scope is `(keyid, @target-uri-of-originating-request)`. Two
- * responses to two different request URLs under the same keyid use
- * independent replay budgets — same shape as webhook verification.
- *
- * Throws {@link ResponseSignatureError} on the first failed step.
- */
-export declare function verifyResponseSignature(response: ResponseLike, options: VerifyResponseOptions): Promise<VerifyResponseResult>;
-/**
- * Options for {@link createResponseVerifier}. Identical to
- * {@link VerifyResponseOptions} except `replayStore` and `revocationStore`
- * are optional — the factory defaults them once at creation time so replay
- * state is shared across every response the returned verifier handles.
- */
-export interface CreateResponseVerifierOptions extends Omit<VerifyResponseOptions, 'replayStore' | 'revocationStore'> {
-    /**
-     * Stores `(keyid, scope, nonce)` tuples for replay detection. Defaults to
-     * a fresh {@link InMemoryReplayStore} — suitable for single-process
-     * deployments only. **Multi-replica deployments MUST pass an explicit
-     * shared store** (Redis, Postgres, etc.); the default in-memory store
-     * does not survive process boundaries, so a signature accepted on
-     * replica A is invisible to replica B and can be replayed there within
-     * the signature window.
-     */
-    replayStore?: ReplayStore;
-    /**
-     * Consulted for revoked `kid` before accepting a signature. Defaults to a
-     * fresh {@link InMemoryRevocationStore}, which starts empty and does not
-     * poll for updates. Pass a store backed by your secrets manager or admin
-     * tooling when you revoke keys at runtime.
-     */
-    revocationStore?: RevocationStore;
-}
-/**
- * Create a bound response-signature verifier with shared replay and
- * revocation stores. Mirrors {@link createWebhookVerifier} for the response
- * profile.
- *
- * **Why a factory?** Replay detection requires the same store instance to
- * be consulted across every response. Constructing stores inside a
- * per-response call would silently defeat replay dedup. The factory pattern
- * captures stores in closure scope at wire-up time.
- *
- * **Multi-replica deployments MUST pass an explicit `replayStore`** backed
- * by a shared persistence layer.
- */
-export declare function createResponseVerifier(options: CreateResponseVerifierOptions): (response: ResponseLike) => Promise<VerifyResponseResult>;
-//# sourceMappingURL=response-verifier.d.ts.map

package/dist/lib/signing/response-verifier.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"response-verifier.d.ts","sourceRoot":"","sources":["../../../src/lib/signing/response-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAkE,KAAK,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAKnH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAC3C,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC;AACjE,OAAO,EAA2B,KAAK,eAAe,EAAE,MAAM,cAAc,CAAC;AAS7E,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,YAAY,CAAC;IACnB,WAAW,EAAE,WAAW,CAAC;IACzB,eAAe,EAAE,eAAe,CAAC;IACjC,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4EAA4E;IAC5E,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC1D;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,UAAU,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,YAAY,EACtB,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,oBAAoB,CAAC,CAuM/B;AAkHD;;;;;GAKG;AACH,MAAM,WAAW,6BAA8B,SAAQ,IAAI,CAAC,qBAAqB,EAAE,aAAa,GAAG,iBAAiB,CAAC;IACnH;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B;;;;;OAKG;IACH,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,6BAA6B,GACrC,CAAC,QAAQ,EAAE,YAAY,KAAK,OAAO,CAAC,oBAAoB,CAAC,CAI3D"}

package/dist/lib/signing/response-verifier.js

@@ -1,271 +0,0 @@
-"use strict";
-/**
- * RFC 9421 response-signing verifier (§2.2.9).
- *
- * Companion to `verifier.ts` (request signatures) and `webhook-verifier.ts`
- * (webhook callbacks). This verifier runs on the buyer / receiver side of
- * a signed response: a client receives a response from a seller agent and
- * hands it here, with the originating request URL the client sent, for
- * signature validation before parsing the body.
- *
- * Distinct from request / webhook signing:
- *   - Tag: `adcp/response-signing/v1`.
- *   - Key purpose: `adcp_use: "response-signing"`.
- *   - Default covered components: `@status`, `@authority`, `@target-uri`,
- *     plus `content-type` + `content-digest` when the body is non-empty.
- *   - The originating request URL is carried explicitly on `ResponseLike.request`
- *     because RFC 9421 §2.2 binds response signatures to their request
- *     context via `@authority` and `@target-uri`. The client supplies the URL
- *     it actually sent — a malformed reconstruction (e.g. `req.protocol`
- *     lying behind a proxy) will trip step 6a or fail the crypto check.
- *
- * Checklist steps below mirror the 13-step shape in `webhook-verifier.ts`
- * so failures point at the same step numbers the request and webhook
- * verifiers use. Numbers are 1-based.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verifyResponseSignature = verifyResponseSignature;
-exports.createResponseVerifier = createResponseVerifier;
-const canonicalize_1 = require("./canonicalize");
-const content_digest_1 = require("./content-digest");
-const errors_1 = require("./errors");
-const parser_1 = require("./parser");
-const crypto_1 = require("./crypto");
-const replay_1 = require("./replay");
-const revocation_1 = require("./revocation");
-const types_1 = require("./types");
-/**
- * Verify an inbound response's RFC 9421 signature.
- *
- * Ordering invariant matches the webhook verifier: cheap invariant checks
- * (tag, alg, window, components) run before JWKS resolution; revocation and
- * rate-abuse run before cryptographic verify so an attacker can't amplify
- * Ed25519/ECDSA work. Replay insert commits only after every earlier check
- * passes — any signature failing crypto verify never consumes a cap entry.
- *
- * The replay scope is `(keyid, @target-uri-of-originating-request)`. Two
- * responses to two different request URLs under the same keyid use
- * independent replay budgets — same shape as webhook verification.
- *
- * Throws {@link ResponseSignatureError} on the first failed step.
- */
-async function verifyResponseSignature(response, options) {
-    const now = options.now ? options.now() : Math.floor(Date.now() / 1000);
-    const requiredTag = options.requiredTag ?? types_1.RESPONSE_SIGNING_TAG;
-    // Step 1: both signature headers present AND parseable. Bound-pair rule.
-    const sigInputHeader = (0, canonicalize_1.getHeaderValue)(response.headers, 'Signature-Input');
-    const sigHeader = (0, canonicalize_1.getHeaderValue)(response.headers, 'Signature');
-    if (!sigInputHeader || !sigHeader) {
-        throw new errors_1.ResponseSignatureError('response_signature_header_malformed', 1, 'Response is missing Signature or Signature-Input headers.');
-    }
-    let parsedInput;
-    let parsedSig;
-    try {
-        parsedInput = (0, parser_1.parseSignatureInput)(sigInputHeader);
-        parsedSig = (0, parser_1.parseSignature)(sigHeader, parsedInput.label);
-    }
-    catch (err) {
-        throw new errors_1.ResponseSignatureError('response_signature_header_malformed', 1, err instanceof Error ? err.message : String(err));
-    }
-    // Step 2: required params present.
-    requireParams(parsedInput);
-    // Step 3: tag match.
-    if (parsedInput.params.tag !== requiredTag) {
-        throw new errors_1.ResponseSignatureError('response_signature_tag_invalid', 3, `Signature tag must be "${requiredTag}"; got "${parsedInput.params.tag}".`);
-    }
-    // Step 4: alg allowlist.
-    if (!types_1.ALLOWED_ALGS.has(parsedInput.params.alg)) {
-        throw new errors_1.ResponseSignatureError('response_signature_alg_not_allowed', 4, `Signature alg "${parsedInput.params.alg}" is not in the AdCP allowlist.`);
-    }
-    // Step 5: window valid.
-    validateWindow(parsedInput.params.created, parsedInput.params.expires, now);
-    // Step 6: covered components must include the response-signing mandatory set.
-    validateCoveredComponents(parsedInput.components, response.body);
-    // Step 6a: `@target-uri` syntactic validation against the originating-
-    // request URL the caller passed in. Same rationale as the webhook
-    // verifier — flag dangerous URI shapes (non-https, userinfo, fragment)
-    // before cryptographic work. Distinct from `header_malformed`, which
-    // flags the Signature / Signature-Input headers.
-    //
-    // Note: response-side `@target-uri` comes from `response.request.url`,
-    // which is the *client's* reconstruction of what they sent. This check
-    // most often fires on caller-side bugs (Express `req.protocol` lying
-    // behind a non-trust-proxy reverse proxy → http://...) rather than on
-    // wire-level attacker payloads. See ResponseLike.request JSDoc.
-    validateTargetUri(response.request.url);
-    // Step 7: resolve keyid.
-    const jwk = await options.jwks.resolve(parsedInput.params.keyid);
-    if (!jwk) {
-        throw new errors_1.ResponseSignatureError('response_signature_key_unknown', 7, `No JWK found for keyid "${parsedInput.params.keyid}".`);
-    }
-    if (jwk.kid !== parsedInput.params.keyid) {
-        throw new errors_1.ResponseSignatureError('response_signature_key_unknown', 7, `JWKS resolver returned a JWK whose kid "${jwk.kid}" does not match requested keyid "${parsedInput.params.keyid}".`);
-    }
-    // Step 8: key purpose — MUST be scoped for response signing.
-    //
-    // Same split as webhook: "no purpose declared" vs "declared but wrong".
-    // The former needs the publisher to add a purpose; the latter needs a
-    // new keypair (purpose binding is the whole point of `adcp_use`).
-    if (jwk.adcp_use === undefined || !jwk.key_ops?.includes('verify')) {
-        throw new errors_1.ResponseSignatureError('response_signature_key_purpose_invalid', 8, `JWK "${jwk.kid}" is not scoped for response-signing verification.`);
-    }
-    if (jwk.adcp_use !== 'response-signing') {
-        throw new errors_1.ResponseSignatureError('response_mode_mismatch', 8, `JWK "${jwk.kid}" declares adcp_use="${jwk.adcp_use}" but this endpoint requires "response-signing".`);
-    }
-    // Step 9: revocation. The shared revocation store throws
-    // `request_signature_revocation_stale` when its cached snapshot is past
-    // grace — re-map to the response taxonomy so callers see consistent codes.
-    try {
-        if (await options.revocationStore.isRevoked(jwk.kid)) {
-            throw new errors_1.ResponseSignatureError('response_signature_key_revoked', 9, `JWK "${jwk.kid}" is revoked.`);
-        }
-    }
-    catch (err) {
-        if (err instanceof errors_1.RequestSignatureError && err.code === 'request_signature_revocation_stale') {
-            throw new errors_1.ResponseSignatureError('response_signature_revocation_stale', 9, err.message);
-        }
-        throw err;
-    }
-    // Replay scope is `(keyid, @target-uri-of-originating-request)` — same
-    // rationale as webhook signing. A response to /adcp/get_products MUST NOT
-    // count against the replay budget for a response to /adcp/create_media_buy
-    // under the same keyid.
-    const replayScope = (0, canonicalize_1.canonicalTargetUri)(response.request.url);
-    // Step 9a: per-keyid rate abuse. Distinct code from step 12 replay — cap
-    // exhaustion is a compromised-key / misconfig signal, not "same nonce
-    // twice."
-    if (await options.replayStore.isCapHit(jwk.kid, replayScope, now)) {
-        throw new errors_1.ResponseSignatureError('response_signature_rate_abuse', 9, `Per-keyid replay cache cap exceeded for keyid=${jwk.kid}.`);
-    }
-    // Pre-check replay before crypto so a replayed nonce short-circuits an
-    // expensive Ed25519 / ECDSA verify.
-    if (await options.replayStore.has(jwk.kid, replayScope, parsedInput.params.nonce, now)) {
-        throw new errors_1.ResponseSignatureError('response_signature_replayed', 12, `Replay of (keyid=${jwk.kid}, nonce=${parsedInput.params.nonce}) within signature window.`);
-    }
-    // Step 10: cryptographic verify. Use the verbatim signatureParamsValue
-    // from the parsed input so byte-identity with what the signer sent is
-    // preserved regardless of param-order differences across SDKs.
-    const base = (0, canonicalize_1.buildResponseSignatureBase)(parsedInput.components, response, parsedInput.params, parsedInput.signatureParamsValue);
-    const publicKey = (0, crypto_1.jwkToPublicKey)(jwk);
-    const valid = (0, crypto_1.verifySignature)(parsedInput.params.alg, publicKey, Buffer.from(base, 'utf8'), parsedSig.bytes);
-    if (!valid) {
-        throw new errors_1.ResponseSignatureError('response_signature_invalid', 10, 'Cryptographic verification of response signature base failed.');
-    }
-    // Step 11: content-digest match (only when the signature covered it).
-    if (parsedInput.components.includes('content-digest')) {
-        const digestHeader = (0, canonicalize_1.getHeaderValue)(response.headers, 'Content-Digest');
-        if (!digestHeader || !(0, content_digest_1.contentDigestMatches)(digestHeader, response.body ?? '')) {
-            throw new errors_1.ResponseSignatureError('response_signature_digest_mismatch', 11, 'Content-Digest header does not match recomputed body hash.');
-        }
-    }
-    // Step 13: commit nonce. Insert AFTER every prior check passes — external
-    // traffic can't grow the cap because any signature failing at step 10
-    // never reaches this point.
-    const remaining = parsedInput.params.expires - now + types_1.CLOCK_SKEW_TOLERANCE_SECONDS;
-    const ttl = Math.max(remaining, types_1.MAX_SIGNATURE_WINDOW_SECONDS + types_1.CLOCK_SKEW_TOLERANCE_SECONDS);
-    const insertResult = await options.replayStore.insert(jwk.kid, replayScope, parsedInput.params.nonce, ttl, now);
-    if (insertResult === 'replayed') {
-        throw new errors_1.ResponseSignatureError('response_signature_replayed', 13, `Replay of (keyid=${jwk.kid}, nonce=${parsedInput.params.nonce}) within signature window.`);
-    }
-    if (insertResult === 'rate_abuse') {
-        throw new errors_1.ResponseSignatureError('response_signature_rate_abuse', 13, `Per-keyid replay cache cap exceeded on commit for keyid=${jwk.kid}.`);
-    }
-    const agent_url = options.agentUrlForKeyid?.(jwk.kid);
-    return { status: 'verified', keyid: jwk.kid, ...(agent_url !== undefined && { agent_url }), verified_at: now };
-}
-function requireParams(parsed) {
-    const required = ['created', 'expires', 'nonce', 'keyid', 'alg', 'tag'];
-    const missing = required.filter(k => parsed.params[k] === undefined);
-    if (missing.length) {
-        throw new errors_1.ResponseSignatureError('response_signature_params_incomplete', 2, `Signature-Input missing required parameter(s): ${missing.join(', ')}.`);
-    }
-}
-function validateWindow(created, expires, now) {
-    // Same shape as webhook: every window failure (expired, negative window,
-    // over-long window, created-in-future) folds to a single code. Specific
-    // subtype lives in the error message for diagnostics.
-    if (expires <= created) {
-        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, 'Signature expires must be strictly greater than created.');
-    }
-    if (expires - created > types_1.MAX_SIGNATURE_WINDOW_SECONDS) {
-        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, `Signature window exceeds ${types_1.MAX_SIGNATURE_WINDOW_SECONDS}s maximum.`);
-    }
-    if (now < created - types_1.CLOCK_SKEW_TOLERANCE_SECONDS) {
-        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, 'Signature created is in the future beyond skew tolerance.');
-    }
-    if (now > expires + types_1.CLOCK_SKEW_TOLERANCE_SECONDS) {
-        throw new errors_1.ResponseSignatureError('response_signature_window_invalid', 5, 'Signature is expired.');
-    }
-}
-function validateCoveredComponents(components, body) {
-    for (const mandatory of types_1.RESPONSE_MANDATORY_COMPONENTS) {
-        if (!components.includes(mandatory)) {
-            throw new errors_1.ResponseSignatureError('response_signature_components_incomplete', 6, `Covered components must include "${mandatory}".`);
-        }
-    }
-    // When the response carries a body, `content-digest` coverage is required
-    // — an unbound body is the cross-purpose footgun the signer's default
-    // opt-out behavior is designed to prevent. The signer omits
-    // content-digest only when the body is empty (e.g. 204 No Content); the
-    // verifier mirrors that envelope.
-    const hasBody = (body ?? '').length > 0;
-    if (hasBody && !components.includes('content-digest')) {
-        throw new errors_1.ResponseSignatureError('response_signature_components_incomplete', 6, 'Response carries a body but "content-digest" is not in covered components.');
-    }
-}
-/**
- * Syntactic validation of the originating-request `@target-uri` value. Four
- * failure modes mirror the webhook verifier:
- *   - URL doesn't parse at all.
- *   - Scheme is not https (response signatures bound to http will fail
- *     strict-HTTPS verifier profiles; loopback hosts are exempt for local
- *     test mock servers).
- *   - Authority contains userinfo — credentials don't belong in a signed URI.
- *   - URL carries a fragment — fragments are client-side and never transmitted.
- *
- * Each throws `response_target_uri_malformed`. The error message names the
- * failure reason.
- */
-function validateTargetUri(rawUrl) {
-    let url;
-    try {
-        url = new URL(rawUrl);
-    }
-    catch {
-        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, `@target-uri "${rawUrl}" is not a parseable URL.`);
-    }
-    if (url.protocol !== 'https:' && !isLoopbackHost(url.hostname)) {
-        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, `@target-uri must use https; got "${url.protocol}" in "${rawUrl}".`);
-    }
-    if (url.username || url.password) {
-        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, '@target-uri must not embed userinfo.');
-    }
-    if (url.hash) {
-        throw new errors_1.ResponseSignatureError('response_target_uri_malformed', 6, '@target-uri must not carry a fragment.');
-    }
-}
-function isLoopbackHost(hostname) {
-    if (!hostname)
-        return false;
-    const normalized = hostname.toLowerCase();
-    return normalized === 'localhost' || normalized === '::1' || normalized.startsWith('127.');
-}
-/**
- * Create a bound response-signature verifier with shared replay and
- * revocation stores. Mirrors {@link createWebhookVerifier} for the response
- * profile.
- *
- * **Why a factory?** Replay detection requires the same store instance to
- * be consulted across every response. Constructing stores inside a
- * per-response call would silently defeat replay dedup. The factory pattern
- * captures stores in closure scope at wire-up time.
- *
- * **Multi-replica deployments MUST pass an explicit `replayStore`** backed
- * by a shared persistence layer.
- */
-function createResponseVerifier(options) {
-    const replayStore = options.replayStore ?? new replay_1.InMemoryReplayStore();
-    const revocationStore = options.revocationStore ?? new revocation_1.InMemoryRevocationStore();
-    return (response) => verifyResponseSignature(response, { ...options, replayStore, revocationStore });
-}
-//# sourceMappingURL=response-verifier.js.map

package/dist/lib/signing/response-verifier.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"response-verifier.js","sourceRoot":"","sources":["../../../src/lib/signing/response-verifier.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAwDH,0DA0MC;AAyJD,wDAMC;AA/ZD,iDAAmH;AACnH,qDAAwD;AACxD,qCAAyE;AACzE,qCAA0F;AAC1F,qCAA2D;AAE3D,qCAAiE;AACjE,6CAA6E;AAC7E,mCAMiB;AAyBjB;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,uBAAuB,CAC3C,QAAsB,EACtB,OAA8B;IAE9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACxE,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,4BAAoB,CAAC;IAEhE,yEAAyE;IACzE,MAAM,cAAc,GAAG,IAAA,6BAAc,EAAC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,IAAA,6BAAc,EAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAChE,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC;QAClC,MAAM,IAAI,+BAAsB,CAC9B,qCAAqC,EACrC,CAAC,EACD,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,WAAiC,CAAC;IACtC,IAAI,SAA4C,CAAC;IACjD,IAAI,CAAC;QACH,WAAW,GAAG,IAAA,4BAAmB,EAAC,cAAc,CAAC,CAAC;QAClD,SAAS,GAAG,IAAA,uBAAc,EAAC,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,+BAAsB,CAC9B,qCAAqC,EACrC,CAAC,EACD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CACjD,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,aAAa,CAAC,WAAW,CAAC,CAAC;IAE3B,qBAAqB;IACrB,IAAI,WAAW,CAAC,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAC3C,MAAM,IAAI,+BAAsB,CAC9B,gCAAgC,EAChC,CAAC,EACD,0BAA0B,WAAW,WAAW,WAAW,CAAC,MAAM,CAAC,GAAG,IAAI,CAC3E,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,oBAAY,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,+BAAsB,CAC9B,oCAAoC,EACpC,CAAC,EACD,kBAAkB,WAAW,CAAC,MAAM,CAAC,GAAG,iCAAiC,CAC1E,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAE5E,8EAA8E;IAC9E,yBAAyB,CAAC,WAAW,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEjE,uEAAuE;IACvE,kEAAkE;IAClE,uEAAuE;IACvE,qEAAqE;IACrE,iDAAiD;IACjD,EAAE;IACF,uEAAuE;IACvE,uEAAuE;IACvE,qEAAqE;IACrE,sEAAsE;IACtE,gEAAgE;IAChE,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAExC,yBAAyB;IACzB,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjE,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,+BAAsB,CAC9B,gCAAgC,EAChC,CAAC,EACD,2BAA2B,WAAW,CAAC,MAAM,CAAC,KAAK,IAAI,CACxD,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,KAAK,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACzC,MAAM,IAAI,+BAAsB,CAC9B,gCAAgC,EAChC,CAAC,EACD,2CAA2C,GAAG,CAAC,GAAG,qCAAqC,WAAW,CAAC,MAAM,CAAC,KAAK,IAAI,CACpH,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,EAAE;IACF,wEAAwE;IACxE,sEAAsE;IACtE,kEAAkE;IAClE,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,+BAAsB,CAC9B,wCAAwC,EACxC,CAAC,EACD,QAAQ,GAAG,CAAC,GAAG,oDAAoD,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,kBAAkB,EAAE,CAAC;QACxC,MAAM,IAAI,+BAAsB,CAC9B,wBAAwB,EACxB,CAAC,EACD,QAAQ,GAAG,CAAC,GAAG,wBAAwB,GAAG,CAAC,QAAQ,kDAAkD,CACtG,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,wEAAwE;IACxE,2EAA2E;IAC3E,IAAI,CAAC;QACH,IAAI,MAAM,OAAO,CAAC,eAAe,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,+BAAsB,CAAC,gCAAgC,EAAE,CAAC,EAAE,QAAQ,GAAG,CAAC,GAAG,eAAe,CAAC,CAAC;QACxG,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,8BAAqB,IAAI,GAAG,CAAC,IAAI,KAAK,oCAAoC,EAAE,CAAC;YAC9F,MAAM,IAAI,+BAAsB,CAAC,qCAAqC,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,uEAAuE;IACvE,0EAA0E;IAC1E,2EAA2E;IAC3E,wBAAwB;IACxB,MAAM,WAAW,GAAG,IAAA,iCAAkB,EAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE7D,yEAAyE;IACzE,sEAAsE;IACtE,UAAU;IACV,IAAI,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,CAAC,EACD,iDAAiD,GAAG,CAAC,GAAG,GAAG,CAC5D,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,oCAAoC;IACpC,IAAI,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC;QACvF,MAAM,IAAI,+BAAsB,CAC9B,6BAA6B,EAC7B,EAAE,EACF,oBAAoB,GAAG,CAAC,GAAG,WAAW,WAAW,CAAC,MAAM,CAAC,KAAK,4BAA4B,CAC3F,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,+DAA+D;IAC/D,MAAM,IAAI,GAAG,IAAA,yCAA0B,EACrC,WAAW,CAAC,UAAU,EACtB,QAAQ,EACR,WAAW,CAAC,MAAM,EAClB,WAAW,CAAC,oBAAoB,CACjC,CAAC;IACF,MAAM,SAAS,GAAG,IAAA,uBAAc,EAAC,GAAG,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,IAAA,wBAAe,EAAC,WAAW,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;IAC7G,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,+BAAsB,CAC9B,4BAA4B,EAC5B,EAAE,EACF,+DAA+D,CAChE,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,IAAI,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtD,MAAM,YAAY,GAAG,IAAA,6BAAc,EAAC,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACxE,IAAI,CAAC,YAAY,IAAI,CAAC,IAAA,qCAAoB,EAAC,YAAY,EAAE,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9E,MAAM,IAAI,+BAAsB,CAC9B,oCAAoC,EACpC,EAAE,EACF,4DAA4D,CAC7D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,sEAAsE;IACtE,4BAA4B;IAC5B,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,GAAG,GAAG,GAAG,oCAA4B,CAAC;IAClF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,oCAA4B,GAAG,oCAA4B,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAChH,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,+BAAsB,CAC9B,6BAA6B,EAC7B,EAAE,EACF,oBAAoB,GAAG,CAAC,GAAG,WAAW,WAAW,CAAC,MAAM,CAAC,KAAK,4BAA4B,CAC3F,CAAC;IACJ,CAAC;IACD,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,EAAE,EACF,2DAA2D,GAAG,CAAC,GAAG,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,KAAK,SAAS,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AACjH,CAAC;AAED,SAAS,aAAa,CAAC,MAA4B;IACjD,MAAM,QAAQ,GAAgD,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IACrH,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IACrE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,IAAI,+BAAsB,CAC9B,sCAAsC,EACtC,CAAC,EACD,kDAAkD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,OAAe,EAAE,GAAW;IACnE,yEAAyE;IACzE,wEAAwE;IACxE,sDAAsD;IACtD,IAAI,OAAO,IAAI,OAAO,EAAE,CAAC;QACvB,MAAM,IAAI,+BAAsB,CAC9B,mCAAmC,EACnC,CAAC,EACD,0DAA0D,CAC3D,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,GAAG,OAAO,GAAG,oCAA4B,EAAE,CAAC;QACrD,MAAM,IAAI,+BAAsB,CAC9B,mCAAmC,EACnC,CAAC,EACD,4BAA4B,oCAA4B,YAAY,CACrE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,OAAO,GAAG,oCAA4B,EAAE,CAAC;QACjD,MAAM,IAAI,+BAAsB,CAC9B,mCAAmC,EACnC,CAAC,EACD,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,OAAO,GAAG,oCAA4B,EAAE,CAAC;QACjD,MAAM,IAAI,+BAAsB,CAAC,mCAAmC,EAAE,CAAC,EAAE,uBAAuB,CAAC,CAAC;IACpG,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,UAAoB,EAAE,IAAwB;IAC/E,KAAK,MAAM,SAAS,IAAI,qCAA6B,EAAE,CAAC;QACtD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,+BAAsB,CAC9B,0CAA0C,EAC1C,CAAC,EACD,oCAAoC,SAAS,IAAI,CAClD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,0EAA0E;IAC1E,sEAAsE;IACtE,4DAA4D;IAC5D,wEAAwE;IACxE,kCAAkC;IAClC,MAAM,OAAO,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IACxC,IAAI,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,+BAAsB,CAC9B,0CAA0C,EAC1C,CAAC,EACD,4EAA4E,CAC7E,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,iBAAiB,CAAC,MAAc;IACvC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,CAAC,EACD,gBAAgB,MAAM,2BAA2B,CAClD,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,+BAAsB,CAC9B,+BAA+B,EAC/B,CAAC,EACD,oCAAoC,GAAG,CAAC,QAAQ,SAAS,MAAM,IAAI,CACpE,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,+BAAsB,CAAC,+BAA+B,EAAE,CAAC,EAAE,sCAAsC,CAAC,CAAC;IAC/G,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,+BAAsB,CAAC,+BAA+B,EAAE,CAAC,EAAE,wCAAwC,CAAC,CAAC;IACjH,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,UAAU,KAAK,WAAW,IAAI,UAAU,KAAK,KAAK,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAC7F,CAAC;AA4BD;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CACpC,OAAsC;IAEtC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,4BAAmB,EAAE,CAAC;IACrE,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,IAAI,oCAAuB,EAAE,CAAC;IACjF,OAAO,CAAC,QAAsB,EAAE,EAAE,CAAC,uBAAuB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC,CAAC;AACrH,CAAC"}