@agentic-passport/next 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -0
- package/dist/clerk.d.ts +137 -0
- package/dist/clerk.d.ts.map +1 -0
- package/dist/clerk.js +110 -0
- package/dist/clerk.js.map +1 -0
- package/dist/handler.d.ts +71 -0
- package/dist/handler.d.ts.map +1 -0
- package/dist/handler.js +516 -0
- package/dist/handler.js.map +1 -0
- package/dist/index.d.ts +6 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +10 -0
- package/dist/index.js.map +1 -0
- package/dist/is-agent-request.d.ts +17 -0
- package/dist/is-agent-request.d.ts.map +1 -0
- package/dist/is-agent-request.js +28 -0
- package/dist/is-agent-request.js.map +1 -0
- package/dist/next-adapter.d.ts +230 -0
- package/dist/next-adapter.d.ts.map +1 -0
- package/dist/next-adapter.js +270 -0
- package/dist/next-adapter.js.map +1 -0
- package/dist/stores.d.ts +35 -0
- package/dist/stores.d.ts.map +1 -0
- package/dist/stores.js +175 -0
- package/dist/stores.js.map +1 -0
- package/dist/types.d.ts +159 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +2 -0
- package/dist/types.js.map +1 -0
- package/package.json +63 -0
package/dist/handler.js
ADDED
|
@@ -0,0 +1,516 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Framework-agnostic AgentPassport handler. Built on @agentic-passport/core verifiers.
|
|
3
|
+
*
|
|
4
|
+
* Adapters (this package's middleware.ts, or @agentic-passport/express, etc.) translate
|
|
5
|
+
* framework-native requests into NormalizedRequest, call handleAgentRequest, and
|
|
6
|
+
* translate the NormalizedResponse back into the framework's response type.
|
|
7
|
+
*
|
|
8
|
+
* State is injected via config.store. Use inMemoryStore() for tests / single-
|
|
9
|
+
* instance dev; use kvStore(env) on Workers so state survives across isolates.
|
|
10
|
+
*/
|
|
11
|
+
import { exportJWK, calculateJwkThumbprint } from 'jose';
|
|
12
|
+
import { generateKeyPairSync, createPrivateKey, createPublicKey } from 'node:crypto';
|
|
13
|
+
import { AgentPassportError, AuditLog, ErrorCode, ProtocolVersion, RegisterRequestSchema, AuthorizeRequestSchema, } from '@agentic-passport/protocol';
|
|
14
|
+
import { verifyRequest, verifyMandateJwt, verifyAccessToken, verifyDpop, issueAccessToken, } from '@agentic-passport/core';
|
|
15
|
+
import { inMemoryStore } from './stores.js';
|
|
16
|
+
const MAX_BODY_BYTES = 1_048_576;
|
|
17
|
+
const TIMESTAMP_WINDOW_SECONDS = 60;
|
|
18
|
+
const ACCESS_TOKEN_TTL_SECONDS = 900;
|
|
19
|
+
const RATE_LIMIT_PER_MINUTE = 10;
|
|
20
|
+
function decodePem(raw) {
|
|
21
|
+
const t = raw.trim();
|
|
22
|
+
if (t.includes('-----BEGIN'))
|
|
23
|
+
return t.replace(/\\n/g, '\n');
|
|
24
|
+
try {
|
|
25
|
+
const dec = Buffer.from(t, 'base64').toString('utf8');
|
|
26
|
+
if (dec.includes('-----BEGIN'))
|
|
27
|
+
return dec;
|
|
28
|
+
}
|
|
29
|
+
catch { /* fall through */ }
|
|
30
|
+
throw new Error('tokenSigningKeyPem must be raw PEM, escaped-\\n PEM, or base64-encoded PEM');
|
|
31
|
+
}
|
|
32
|
+
/**
|
|
33
|
+
* Define an AgentPassport gate. Returns a cached factory — call the returned
|
|
34
|
+
* function from anywhere in your app; the gate is built once on first
|
|
35
|
+
* call and reused thereafter.
|
|
36
|
+
*
|
|
37
|
+
* // lib/agent-gate.ts
|
|
38
|
+
* export const getGate = agentPassport({
|
|
39
|
+
* vendorOrigin: 'https://kwrds.ai',
|
|
40
|
+
* trustedIssuers: ['https://issuer.example.com'],
|
|
41
|
+
* scopes: ['keyword.search'],
|
|
42
|
+
* hooks: { onAgentSignup: async (ctx) => {...} },
|
|
43
|
+
* });
|
|
44
|
+
*
|
|
45
|
+
* // route handlers:
|
|
46
|
+
* export const POST = (req: Request) => handleAgentPassport(req, getGate);
|
|
47
|
+
*
|
|
48
|
+
* Lazy init: JWKS fetching and signing-key loading happen on the first
|
|
49
|
+
* call to the returned function, not at module load. Subsequent calls
|
|
50
|
+
* return the cached instance.
|
|
51
|
+
*/
|
|
52
|
+
export function agentPassport(config) {
|
|
53
|
+
let cached = null;
|
|
54
|
+
return () => {
|
|
55
|
+
if (cached)
|
|
56
|
+
return cached;
|
|
57
|
+
cached = buildInstance(config);
|
|
58
|
+
return cached;
|
|
59
|
+
};
|
|
60
|
+
}
|
|
61
|
+
async function buildInstance(config) {
|
|
62
|
+
let privateKey;
|
|
63
|
+
if (config.tokenSigningKeyPem) {
|
|
64
|
+
privateKey = createPrivateKey({ key: decodePem(config.tokenSigningKeyPem), format: 'pem' });
|
|
65
|
+
}
|
|
66
|
+
else {
|
|
67
|
+
privateKey = generateKeyPairSync('ed25519').privateKey;
|
|
68
|
+
}
|
|
69
|
+
const publicKey = createPublicKey(privateKey);
|
|
70
|
+
const jwk = await exportJWK(publicKey);
|
|
71
|
+
jwk.alg = 'EdDSA';
|
|
72
|
+
jwk.kid = 'agentpassport-token-signer-1';
|
|
73
|
+
jwk.use = 'sig';
|
|
74
|
+
// Auto-fetch JWKS for any trusted issuer not already in jwksByIssuer.
|
|
75
|
+
// Preserve the caller's Map reference so test harnesses (or production
|
|
76
|
+
// code) can mutate the map after gate construction to add/remove
|
|
77
|
+
// trust at runtime.
|
|
78
|
+
const jwksByIssuer = config.jwksByIssuer ?? new Map();
|
|
79
|
+
for (const issuerUrl of config.trustedIssuers) {
|
|
80
|
+
if (!jwksByIssuer.has(issuerUrl)) {
|
|
81
|
+
jwksByIssuer.set(issuerUrl, await fetchIssuerJwks(issuerUrl));
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
const resolvedConfig = { ...config, jwksByIssuer };
|
|
85
|
+
const internal = {
|
|
86
|
+
config: resolvedConfig,
|
|
87
|
+
store: config.store ?? inMemoryStore(),
|
|
88
|
+
audit: new AuditLog(),
|
|
89
|
+
tokenSigningKey: privateKey,
|
|
90
|
+
tokenVerificationJwk: jwk,
|
|
91
|
+
};
|
|
92
|
+
return {
|
|
93
|
+
config: resolvedConfig,
|
|
94
|
+
store: internal.store,
|
|
95
|
+
audit: internal.audit,
|
|
96
|
+
isAgentRequest,
|
|
97
|
+
handle: (req) => handle(internal, req),
|
|
98
|
+
authorizeApiCall: (req, scope) => authorizeApiCall(internal, req, scope),
|
|
99
|
+
discoveryDoc: () => buildDiscovery(internal),
|
|
100
|
+
auditEntries: () => internal.audit.all(),
|
|
101
|
+
};
|
|
102
|
+
}
|
|
103
|
+
async function fetchIssuerJwks(issuerUrl) {
|
|
104
|
+
const url = `${issuerUrl.replace(/\/$/, '')}/.well-known/jwks.json`;
|
|
105
|
+
const res = await fetch(url);
|
|
106
|
+
if (!res.ok)
|
|
107
|
+
throw new Error(`agentpassport: failed to fetch JWKS from ${url}: ${res.status}`);
|
|
108
|
+
return (await res.json());
|
|
109
|
+
}
|
|
110
|
+
import { isAgentRequest } from './is-agent-request.js';
|
|
111
|
+
export { isAgentRequest };
|
|
112
|
+
/** @deprecated Renamed to {@link agentAuth}. Will be removed in 0.1.0. */
|
|
113
|
+
export const agentGate = agentPassport;
|
|
114
|
+
function lc(headers) {
|
|
115
|
+
const out = {};
|
|
116
|
+
for (const [k, v] of Object.entries(headers))
|
|
117
|
+
out[k.toLowerCase()] = v;
|
|
118
|
+
return out;
|
|
119
|
+
}
|
|
120
|
+
function nowMs() { return Date.now(); }
|
|
121
|
+
function jsonResponse(status, body, extraHeaders) {
|
|
122
|
+
return {
|
|
123
|
+
status,
|
|
124
|
+
headers: { 'content-type': 'application/json', ...(extraHeaders ?? {}) },
|
|
125
|
+
body: Buffer.from(JSON.stringify(body)),
|
|
126
|
+
};
|
|
127
|
+
}
|
|
128
|
+
function markdownResponse(body) {
|
|
129
|
+
return { status: 200, headers: { 'content-type': 'text/markdown; charset=utf-8' }, body: Buffer.from(body) };
|
|
130
|
+
}
|
|
131
|
+
/**
|
|
132
|
+
* Agent-readable quickstart. Returned as plain markdown so an LLM agent
|
|
133
|
+
* that fetches /.well-known/agent-passport/quickstart.md can follow the steps
|
|
134
|
+
* verbatim — generate a key, mint a mandate, sign requests, call the API —
|
|
135
|
+
* without prior knowledge of AgentPassport.
|
|
136
|
+
*/
|
|
137
|
+
function buildQuickstart(g) {
|
|
138
|
+
const origin = g.config.vendorOrigin.replace(/\/$/, '');
|
|
139
|
+
const issuers = g.config.trustedIssuers.join(', ');
|
|
140
|
+
const scopes = g.config.scopes.length > 0 ? g.config.scopes.join(', ') : '(none advertised)';
|
|
141
|
+
return `# AgentPassport Quickstart — ${g.config.vendorName ?? origin}
|
|
142
|
+
|
|
143
|
+
You are an AI agent that received a \`401\` with \`WWW-Authenticate: AgentPassport\`
|
|
144
|
+
from this vendor. This document tells you exactly how to authenticate.
|
|
145
|
+
|
|
146
|
+
## What this vendor speaks
|
|
147
|
+
|
|
148
|
+
- **Protocol:** AgentPassport v0 (signed HTTP requests + DPoP-bound tokens + mandate JWTs)
|
|
149
|
+
- **Vendor origin:** ${origin}
|
|
150
|
+
- **Discovery doc:** ${origin}/.well-known/agent-passport (JSON)
|
|
151
|
+
- **Trusted mandate issuers:** ${issuers}
|
|
152
|
+
- **Scopes the vendor offers:** ${scopes}
|
|
153
|
+
|
|
154
|
+
## How to authenticate (5 steps)
|
|
155
|
+
|
|
156
|
+
1. **Generate an Ed25519 keypair.** Keep the private key in memory only.
|
|
157
|
+
2. **Mint a mandate** from a trusted issuer (see list above). POST your task,
|
|
158
|
+
budget, scope hints, and the vendor origin as \`aud\` to the issuer's
|
|
159
|
+
\`/mint\` endpoint. You get back a signed JWT.
|
|
160
|
+
3. **Register with the vendor.** POST \`${origin}/agent/register\` with your
|
|
161
|
+
public key + the mandate JWT. The request must be signed per RFC 9421
|
|
162
|
+
(HTTP Message Signatures, Web Bot Auth profile). You get back an
|
|
163
|
+
\`agent_id\` and the scopes the vendor granted.
|
|
164
|
+
4. **Get an access token.** POST \`${origin}/agent/authorize\` (signed).
|
|
165
|
+
Returns a DPoP-bound access token.
|
|
166
|
+
5. **Call the vendor's API.** Every API request must carry the access
|
|
167
|
+
token + a fresh DPoP proof + a fresh RFC 9421 signature over the
|
|
168
|
+
request line, body digest, and headers.
|
|
169
|
+
|
|
170
|
+
## The easy way: use the published SDK
|
|
171
|
+
|
|
172
|
+
The whole loop is ~5 lines of TypeScript:
|
|
173
|
+
|
|
174
|
+
\`\`\`ts
|
|
175
|
+
import { AgentClient, HostedMandateProvider, generateEd25519KeyPair } from '@agentic-passport/agent';
|
|
176
|
+
|
|
177
|
+
const { publicKey, privateKey } = generateEd25519KeyPair();
|
|
178
|
+
const agent = new AgentClient(
|
|
179
|
+
{ keyId: 'my-agent-1', publicKey, privateKey, directoryUrl: '${origin}/.well-known/http-message-signatures-directory' },
|
|
180
|
+
new HostedMandateProvider({ issuerUrl: '${g.config.trustedIssuers[0] ?? '<issuer>'}' }),
|
|
181
|
+
);
|
|
182
|
+
const session = await agent.access('${origin}', {
|
|
183
|
+
task: 'describe what you want here',
|
|
184
|
+
budget: { usd: 1 },
|
|
185
|
+
scopes: [${g.config.scopes.map((s) => `'${s}'`).join(', ')}],
|
|
186
|
+
});
|
|
187
|
+
const res = await session.fetch('${origin}/api/<vendor-endpoint>');
|
|
188
|
+
console.log(await res.json());
|
|
189
|
+
\`\`\`
|
|
190
|
+
|
|
191
|
+
Install: \`npm install @agentic-passport/agent\`
|
|
192
|
+
|
|
193
|
+
## If you must implement from scratch
|
|
194
|
+
|
|
195
|
+
The full wire-format spec is at: ${origin}/.well-known/agent-passport/spec.md
|
|
196
|
+
|
|
197
|
+
You'll need to implement:
|
|
198
|
+
- RFC 9421 HTTP Message Signatures (Web Bot Auth profile)
|
|
199
|
+
- RFC 9449 DPoP proof generation
|
|
200
|
+
- EdDSA-only JWT verification on the access token
|
|
201
|
+
|
|
202
|
+
The reference TypeScript implementation in \`@agentic-passport/agent\` is the easier path.
|
|
203
|
+
|
|
204
|
+
## What you should NOT do
|
|
205
|
+
|
|
206
|
+
- Do not retry an unsigned request hoping for a different response.
|
|
207
|
+
- Do not pretend to be a human; the vendor's human-auth flow will reject you.
|
|
208
|
+
- Do not store the mandate JWT beyond its \`exp\` claim.
|
|
209
|
+
- Do not reuse a DPoP \`jti\` across requests.
|
|
210
|
+
`;
|
|
211
|
+
}
|
|
212
|
+
function buildSpecPointer(g) {
|
|
213
|
+
const origin = g.config.vendorOrigin.replace(/\/$/, '');
|
|
214
|
+
return `# AgentPassport Protocol Spec — pointer
|
|
215
|
+
|
|
216
|
+
This vendor speaks AgentPassport v0. The canonical wire-format specification
|
|
217
|
+
lives in the open-source protocol package:
|
|
218
|
+
|
|
219
|
+
- **Repository:** https://github.com/mkotsollaris/agent-passport
|
|
220
|
+
- **Spec source:** packages/protocol/spec.md
|
|
221
|
+
- **npm packages:** @agentic-passport/next (vendor), @agentic-passport/agent (agent client)
|
|
222
|
+
|
|
223
|
+
For a step-by-step walkthrough tailored to this vendor, see:
|
|
224
|
+
${origin}/.well-known/agent-passport/quickstart.md
|
|
225
|
+
`;
|
|
226
|
+
}
|
|
227
|
+
function errorResponse(code, g) {
|
|
228
|
+
const err = new AgentPassportError(code);
|
|
229
|
+
const extra = err.status === 401 && g ? { 'www-authenticate': buildWwwAuthenticate(g) } : undefined;
|
|
230
|
+
return jsonResponse(err.status, err.toResponseBody(), extra);
|
|
231
|
+
}
|
|
232
|
+
/**
|
|
233
|
+
* RFC 7235 WWW-Authenticate challenge advertising AgentPassport.
|
|
234
|
+
*
|
|
235
|
+
* An agent that lands on a 401 from this vendor can read this header,
|
|
236
|
+
* fetch the discovery doc + quickstart, and self-onboard without prior
|
|
237
|
+
* knowledge of the protocol. Format:
|
|
238
|
+
*
|
|
239
|
+
* WWW-Authenticate: AgentPassport realm="<vendor-origin>",
|
|
240
|
+
* discovery="<vendor>/.well-known/agent-passport",
|
|
241
|
+
* quickstart="<vendor>/.well-known/agent-passport/quickstart.md",
|
|
242
|
+
* spec="<vendor>/.well-known/agent-passport/spec.md"
|
|
243
|
+
*/
|
|
244
|
+
function buildWwwAuthenticate(g) {
|
|
245
|
+
const origin = g.config.vendorOrigin.replace(/\/$/, '');
|
|
246
|
+
return [
|
|
247
|
+
'AgentPassport',
|
|
248
|
+
`realm="${origin}"`,
|
|
249
|
+
`discovery="${origin}/.well-known/agent-passport"`,
|
|
250
|
+
`quickstart="${origin}/.well-known/agent-passport/quickstart.md"`,
|
|
251
|
+
`spec="${origin}/.well-known/agent-passport/spec.md"`,
|
|
252
|
+
].join(' ');
|
|
253
|
+
}
|
|
254
|
+
function buildDiscovery(g) {
|
|
255
|
+
return {
|
|
256
|
+
protocol: ProtocolVersion,
|
|
257
|
+
vendor: { origin: g.config.vendorOrigin, name: g.config.vendorName ?? 'agentpassport-vendor' },
|
|
258
|
+
endpoints: {
|
|
259
|
+
register: '/agent/register',
|
|
260
|
+
authorize: '/agent/authorize',
|
|
261
|
+
audit: '/agent/audit',
|
|
262
|
+
},
|
|
263
|
+
identity: {
|
|
264
|
+
accepted_profiles: ['web-bot-auth'],
|
|
265
|
+
trusted_issuers: [...g.config.trustedIssuers],
|
|
266
|
+
},
|
|
267
|
+
scopes: [...g.config.scopes],
|
|
268
|
+
payment: { rails: ['free'] },
|
|
269
|
+
limits: {
|
|
270
|
+
max_body_bytes: MAX_BODY_BYTES,
|
|
271
|
+
timestamp_window_seconds: TIMESTAMP_WINDOW_SECONDS,
|
|
272
|
+
mandate_max_lifetime_seconds: 3600,
|
|
273
|
+
},
|
|
274
|
+
docs: {
|
|
275
|
+
quickstart: '/.well-known/agent-passport/quickstart.md',
|
|
276
|
+
spec: '/.well-known/agent-passport/spec.md',
|
|
277
|
+
},
|
|
278
|
+
};
|
|
279
|
+
}
|
|
280
|
+
async function handle(g, req) {
|
|
281
|
+
try {
|
|
282
|
+
if (req.body.byteLength > MAX_BODY_BYTES) {
|
|
283
|
+
g.audit.append({ ts: nowMs(), event: 'request', outcome: 'denied', reason: ErrorCode.REQUEST_BODY_TOO_LARGE });
|
|
284
|
+
return errorResponse(ErrorCode.REQUEST_BODY_TOO_LARGE, g);
|
|
285
|
+
}
|
|
286
|
+
const url = new URL(req.url);
|
|
287
|
+
const path = url.pathname;
|
|
288
|
+
if (req.method === 'GET' && path === '/.well-known/agent-passport')
|
|
289
|
+
return jsonResponse(200, buildDiscovery(g));
|
|
290
|
+
if (req.method === 'GET' && path === '/.well-known/agent-passport/quickstart.md')
|
|
291
|
+
return markdownResponse(buildQuickstart(g));
|
|
292
|
+
if (req.method === 'GET' && path === '/.well-known/agent-passport/spec.md')
|
|
293
|
+
return markdownResponse(buildSpecPointer(g));
|
|
294
|
+
if (req.method === 'GET' && path === '/agent/audit')
|
|
295
|
+
return jsonResponse(200, { entries: g.audit.all() });
|
|
296
|
+
if (req.method === 'GET' && path === '/health')
|
|
297
|
+
return jsonResponse(200, { ok: true, vendor: g.config.vendorOrigin });
|
|
298
|
+
if (req.method === 'POST' && path === '/agent/register')
|
|
299
|
+
return await handleRegister(g, req);
|
|
300
|
+
if (req.method === 'POST' && path === '/agent/authorize')
|
|
301
|
+
return await handleAuthorize(g, req);
|
|
302
|
+
return jsonResponse(404, { error: 'not_found' });
|
|
303
|
+
}
|
|
304
|
+
catch (err) {
|
|
305
|
+
if (err instanceof AgentPassportError)
|
|
306
|
+
return jsonResponse(err.status, err.toResponseBody());
|
|
307
|
+
return jsonResponse(500, { error: 'internal_error' });
|
|
308
|
+
}
|
|
309
|
+
}
|
|
310
|
+
async function verifySignedRequest(g, req) {
|
|
311
|
+
return verifyRequest({ method: req.method, url: req.url, body: req.body, headers: req.headers }, {
|
|
312
|
+
resolveKey: (keyId) => g.store.resolveKey(keyId),
|
|
313
|
+
timestampWindowSeconds: TIMESTAMP_WINDOW_SECONDS,
|
|
314
|
+
isNonceSeen: (k, n) => g.store.isNonceSeen(k, n),
|
|
315
|
+
rememberNonce: (k, n) => g.store.rememberNonce(k, n),
|
|
316
|
+
isKeyRevoked: (k) => g.store.isKeyRevoked(k),
|
|
317
|
+
now: nowMs,
|
|
318
|
+
});
|
|
319
|
+
}
|
|
320
|
+
async function handleRegister(g, req) {
|
|
321
|
+
let bodyJson;
|
|
322
|
+
try {
|
|
323
|
+
bodyJson = JSON.parse(req.body.toString('utf8'));
|
|
324
|
+
}
|
|
325
|
+
catch {
|
|
326
|
+
return errorResponse(ErrorCode.MALFORMED_REQUEST, g);
|
|
327
|
+
}
|
|
328
|
+
const parsed = RegisterRequestSchema.safeParse(bodyJson);
|
|
329
|
+
if (!parsed.success)
|
|
330
|
+
return errorResponse(ErrorCode.MALFORMED_REQUEST, g);
|
|
331
|
+
const attempts = await g.store.recordRegisterAttempt(parsed.data.agent.key_id);
|
|
332
|
+
if (attempts > RATE_LIMIT_PER_MINUTE) {
|
|
333
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'denied', reason: ErrorCode.RATE_LIMIT_EXCEEDED, agent_id: parsed.data.agent.key_id });
|
|
334
|
+
return errorResponse(ErrorCode.RATE_LIMIT_EXCEEDED, g);
|
|
335
|
+
}
|
|
336
|
+
await g.store.registerKey(parsed.data.agent.key_id, parsed.data.agent.public_jwk);
|
|
337
|
+
const verified = await verifySignedRequest(g, req);
|
|
338
|
+
if (!verified.ok) {
|
|
339
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'denied', reason: verified.code, agent_id: parsed.data.agent.key_id });
|
|
340
|
+
return errorResponse(verified.code, g);
|
|
341
|
+
}
|
|
342
|
+
const mandateJwt = req.headers['x-agent-mandate'];
|
|
343
|
+
if (!mandateJwt) {
|
|
344
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'denied', reason: ErrorCode.MANDATE_MISSING, agent_id: verified.agentKeyId });
|
|
345
|
+
return errorResponse(ErrorCode.MANDATE_MISSING, g);
|
|
346
|
+
}
|
|
347
|
+
const mandateResult = await verifyMandateJwt(mandateJwt, {
|
|
348
|
+
vendorOrigin: g.config.vendorOrigin,
|
|
349
|
+
trustedIssuers: g.config.trustedIssuers,
|
|
350
|
+
jwksFor: async (iss) => g.config.jwksByIssuer?.get(iss) ?? null,
|
|
351
|
+
isJtiUsed: (jti) => g.store.isMandateJtiUsed(jti),
|
|
352
|
+
rememberJti: (jti, exp) => g.store.rememberMandateJti(jti, exp),
|
|
353
|
+
now: nowMs,
|
|
354
|
+
});
|
|
355
|
+
if (!mandateResult.ok) {
|
|
356
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'denied', reason: mandateResult.code, agent_id: verified.agentKeyId });
|
|
357
|
+
return errorResponse(mandateResult.code, g);
|
|
358
|
+
}
|
|
359
|
+
const agentId = `agent:${verified.agentKeyId}`;
|
|
360
|
+
const ctx = {
|
|
361
|
+
agentId,
|
|
362
|
+
mandate: mandateResult.claims,
|
|
363
|
+
request: { method: req.method, url: req.url, headers: req.headers },
|
|
364
|
+
};
|
|
365
|
+
let hookResult;
|
|
366
|
+
try {
|
|
367
|
+
hookResult = await g.config.hooks.onAgentSignup(ctx);
|
|
368
|
+
}
|
|
369
|
+
catch (err) {
|
|
370
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'denied', reason: 'hook_threw', agent_id: agentId });
|
|
371
|
+
return jsonResponse(500, { error: 'agent_passport_error', error_code: ErrorCode.INTERNAL_ERROR, detail: err instanceof Error ? err.message : 'unknown' });
|
|
372
|
+
}
|
|
373
|
+
if (!hookResult.allow) {
|
|
374
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'denied', reason: hookResult.reason ?? 'rejected_by_vendor', agent_id: agentId });
|
|
375
|
+
return errorResponse(ErrorCode.SCOPE_NOT_GRANTED, g);
|
|
376
|
+
}
|
|
377
|
+
const grantedScopes = hookResult.principal?.grantedScopes ?? [];
|
|
378
|
+
const userId = hookResult.principal?.userId ?? `shadow:${agentId}`;
|
|
379
|
+
await g.store.putAgent(agentId, {
|
|
380
|
+
granted_scopes: grantedScopes,
|
|
381
|
+
mandate_jti: mandateResult.claims.jti,
|
|
382
|
+
user_id: userId,
|
|
383
|
+
...(mandateResult.claims.actor !== undefined && { actor: mandateResult.claims.actor }),
|
|
384
|
+
});
|
|
385
|
+
g.audit.append({ ts: nowMs(), event: 'register', outcome: 'allowed', agent_id: agentId, mandate_jti: mandateResult.claims.jti });
|
|
386
|
+
const response = { agent_id: agentId, granted_scopes: grantedScopes, shadow_account: userId };
|
|
387
|
+
return jsonResponse(200, response);
|
|
388
|
+
}
|
|
389
|
+
async function handleAuthorize(g, req) {
|
|
390
|
+
const verified = await verifySignedRequest(g, req);
|
|
391
|
+
if (!verified.ok) {
|
|
392
|
+
g.audit.append({ ts: nowMs(), event: 'authorize', outcome: 'denied', reason: verified.code });
|
|
393
|
+
return errorResponse(verified.code, g);
|
|
394
|
+
}
|
|
395
|
+
let bodyJson;
|
|
396
|
+
try {
|
|
397
|
+
bodyJson = JSON.parse(req.body.toString('utf8'));
|
|
398
|
+
}
|
|
399
|
+
catch {
|
|
400
|
+
return errorResponse(ErrorCode.MALFORMED_REQUEST, g);
|
|
401
|
+
}
|
|
402
|
+
const parsed = AuthorizeRequestSchema.safeParse(bodyJson);
|
|
403
|
+
if (!parsed.success)
|
|
404
|
+
return errorResponse(ErrorCode.MALFORMED_REQUEST, g);
|
|
405
|
+
const agent = await g.store.getAgent(parsed.data.agent_id);
|
|
406
|
+
if (!agent) {
|
|
407
|
+
g.audit.append({ ts: nowMs(), event: 'authorize', outcome: 'denied', reason: 'unknown_agent', agent_id: parsed.data.agent_id });
|
|
408
|
+
return errorResponse(ErrorCode.SCOPE_NOT_GRANTED, g);
|
|
409
|
+
}
|
|
410
|
+
for (const s of parsed.data.requested_scopes) {
|
|
411
|
+
if (!agent.granted_scopes.includes(s)) {
|
|
412
|
+
g.audit.append({ ts: nowMs(), event: 'authorize', outcome: 'denied', reason: ErrorCode.SCOPE_NOT_GRANTED, agent_id: parsed.data.agent_id, scope: s });
|
|
413
|
+
return errorResponse(ErrorCode.SCOPE_NOT_GRANTED, g);
|
|
414
|
+
}
|
|
415
|
+
}
|
|
416
|
+
const publicKey = await g.store.resolveKey(verified.agentKeyId);
|
|
417
|
+
if (!publicKey)
|
|
418
|
+
return errorResponse(ErrorCode.SIGNATURE_INVALID, g);
|
|
419
|
+
const publicJwk = await exportJWK(publicKey);
|
|
420
|
+
const jkt = await calculateJwkThumbprint(publicJwk, 'sha256');
|
|
421
|
+
const issued = await issueAccessToken({
|
|
422
|
+
issuer: g.config.vendorOrigin,
|
|
423
|
+
vendorOrigin: g.config.vendorOrigin,
|
|
424
|
+
subject: parsed.data.agent_id,
|
|
425
|
+
scopes: parsed.data.requested_scopes,
|
|
426
|
+
mandateJti: agent.mandate_jti,
|
|
427
|
+
...(agent.actor !== undefined && { actor: agent.actor }),
|
|
428
|
+
agentKeyThumbprint: jkt,
|
|
429
|
+
ttlSeconds: ACCESS_TOKEN_TTL_SECONDS,
|
|
430
|
+
signingKey: g.tokenSigningKey,
|
|
431
|
+
now: nowMs,
|
|
432
|
+
});
|
|
433
|
+
let vendorSession;
|
|
434
|
+
if (g.config.hooks.onAgentSessionMint) {
|
|
435
|
+
try {
|
|
436
|
+
const mint = await g.config.hooks.onAgentSessionMint({
|
|
437
|
+
agentId: parsed.data.agent_id,
|
|
438
|
+
userId: agent.user_id,
|
|
439
|
+
scopes: agent.granted_scopes,
|
|
440
|
+
mandateJti: agent.mandate_jti,
|
|
441
|
+
...(agent.actor !== undefined && { actor: agent.actor }),
|
|
442
|
+
});
|
|
443
|
+
vendorSession = {
|
|
444
|
+
bootstrap_url: mint.bootstrap_url,
|
|
445
|
+
...(mint.final_url !== undefined && { final_url: mint.final_url }),
|
|
446
|
+
};
|
|
447
|
+
}
|
|
448
|
+
catch (err) {
|
|
449
|
+
g.audit.append({
|
|
450
|
+
ts: nowMs(),
|
|
451
|
+
event: 'authorize',
|
|
452
|
+
outcome: 'denied',
|
|
453
|
+
reason: `session_mint_failed: ${err instanceof Error ? err.message : 'unknown'}`,
|
|
454
|
+
agent_id: parsed.data.agent_id,
|
|
455
|
+
});
|
|
456
|
+
// Note: we don't fail authorize on session-mint errors — agent still
|
|
457
|
+
// gets the DPoP access token for AgentPassport-protected routes. The
|
|
458
|
+
// vendor_session is best-effort: the agent will simply 401 on
|
|
459
|
+
// Clerk-protected routes if the mint failed, just as if the vendor
|
|
460
|
+
// hadn't implemented onAgentSessionMint at all.
|
|
461
|
+
}
|
|
462
|
+
}
|
|
463
|
+
g.audit.append({ ts: nowMs(), event: 'authorize', outcome: 'allowed', agent_id: parsed.data.agent_id });
|
|
464
|
+
const response = {
|
|
465
|
+
access_token: issued.token,
|
|
466
|
+
token_type: 'DPoP',
|
|
467
|
+
expires_in: issued.expiresIn,
|
|
468
|
+
scopes: issued.claims.scopes,
|
|
469
|
+
...(vendorSession && { vendor_session: vendorSession }),
|
|
470
|
+
};
|
|
471
|
+
return jsonResponse(200, response);
|
|
472
|
+
}
|
|
473
|
+
async function authorizeApiCall(g, req, requiredScope) {
|
|
474
|
+
const verified = await verifySignedRequest(g, req);
|
|
475
|
+
if (!verified.ok)
|
|
476
|
+
return { ok: false, code: verified.code };
|
|
477
|
+
const auth = lc(req.headers).authorization;
|
|
478
|
+
if (!auth || !auth.startsWith('DPoP '))
|
|
479
|
+
return { ok: false, code: ErrorCode.ACCESS_TOKEN_MISSING };
|
|
480
|
+
const accessToken = auth.slice(5).trim();
|
|
481
|
+
const tokenResult = await verifyAccessToken(accessToken, {
|
|
482
|
+
issuer: g.config.vendorOrigin,
|
|
483
|
+
vendorOrigin: g.config.vendorOrigin,
|
|
484
|
+
verificationJwk: g.tokenVerificationJwk,
|
|
485
|
+
now: nowMs,
|
|
486
|
+
});
|
|
487
|
+
if (!tokenResult.ok)
|
|
488
|
+
return { ok: false, code: tokenResult.code };
|
|
489
|
+
const dpopHeader = lc(req.headers).dpop;
|
|
490
|
+
if (!dpopHeader)
|
|
491
|
+
return { ok: false, code: ErrorCode.DPOP_MISSING };
|
|
492
|
+
const dpopResult = await verifyDpop(dpopHeader, {
|
|
493
|
+
expectedThumbprint: tokenResult.claims.cnf.jkt,
|
|
494
|
+
htm: req.method.toUpperCase(),
|
|
495
|
+
htu: req.url,
|
|
496
|
+
isJtiSeen: (jti) => g.store.isDpopJtiSeen(jti),
|
|
497
|
+
rememberJti: (jti, exp) => g.store.rememberDpopJti(jti, exp),
|
|
498
|
+
now: nowMs,
|
|
499
|
+
windowSeconds: TIMESTAMP_WINDOW_SECONDS,
|
|
500
|
+
});
|
|
501
|
+
if (!dpopResult.ok)
|
|
502
|
+
return { ok: false, code: dpopResult.code };
|
|
503
|
+
if (requiredScope && !tokenResult.claims.scopes.includes(requiredScope)) {
|
|
504
|
+
return { ok: false, code: ErrorCode.SCOPE_NOT_GRANTED };
|
|
505
|
+
}
|
|
506
|
+
return {
|
|
507
|
+
ok: true,
|
|
508
|
+
principal: {
|
|
509
|
+
type: 'agent',
|
|
510
|
+
agentId: tokenResult.claims.sub,
|
|
511
|
+
scopes: tokenResult.claims.scopes,
|
|
512
|
+
mandateJti: tokenResult.claims.mandate_jti,
|
|
513
|
+
},
|
|
514
|
+
};
|
|
515
|
+
}
|
|
516
|
+
//# sourceMappingURL=handler.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,SAAS,EAAE,sBAAsB,EAAE,MAAM,MAAM,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,eAAe,EAAkB,MAAM,aAAa,CAAC;AACrG,OAAO,EACL,kBAAkB,EAClB,QAAQ,EACR,SAAS,EACT,eAAe,EACf,qBAAqB,EACrB,sBAAsB,GAIvB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,cAAc,GAAG,SAAS,CAAC;AACjC,MAAM,wBAAwB,GAAG,EAAE,CAAC;AACpC,MAAM,wBAAwB,GAAG,GAAG,CAAC;AACrC,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAsCjC,SAAS,SAAS,CAAC,GAAW;IAC5B,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACrB,IAAI,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC;YAAE,OAAO,GAAG,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;IAC9B,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;AAChG,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,aAAa,CAAC,MAA2B;IACvD,IAAI,MAAM,GAA0C,IAAI,CAAC;IACzD,OAAO,GAAG,EAAE;QACV,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAC1B,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAA2B;IACtD,IAAI,UAAqB,CAAC;IAC1B,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,UAAU,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9F,CAAC;SAAM,CAAC;QACN,UAAU,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC;IACzD,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACvC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC;IAClB,GAAG,CAAC,GAAG,GAAG,8BAA8B,CAAC;IACzC,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;IAEhB,sEAAsE;IACtE,uEAAuE;IACvE,iEAAiE;IACjE,oBAAoB;IACpB,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,IAAI,GAAG,EAAwC,CAAC;IAC5F,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC9C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IACD,MAAM,cAAc,GAAwB,EAAE,GAAG,MAAM,EAAE,YAAY,EAAE,CAAC;IAExE,MAAM,QAAQ,GAAa;QACzB,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,aAAa,EAAE;QACtC,KAAK,EAAE,IAAI,QAAQ,EAAE;QACrB,eAAe,EAAE,UAAU;QAC3B,oBAAoB,EAAE,GAAG;KAC1B,CAAC;IAEF,OAAO;QACL,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,cAAc;QACd,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC;QACtC,gBAAgB,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC;QACxE,YAAY,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC;QAC5C,YAAY,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,EAAE;KACzC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,SAAiB;IAC9C,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,wBAAwB,CAAC;IACpE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,GAAG,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/F,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiC,CAAC;AAC5D,CAAC;AAED,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,CAAC;AAE1B,0EAA0E;AAC1E,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,CAAC;AAIvC,SAAS,EAAE,CAAC,OAAqD;IAC/D,MAAM,GAAG,GAAuC,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IACvE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,KAAK,KAAa,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AAE/C,SAAS,YAAY,CAAC,MAAc,EAAE,IAAa,EAAE,YAAqC;IACxF,OAAO;QACL,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE;QACxE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;KACxC,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,8BAA8B,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AAC/G,CAAC;AAED;;;;;GAKG;AACH,SAAS,eAAe,CAAC,CAAW;IAClC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC;IAC7F,OAAO,gCAAgC,CAAC,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM;;;;;;;;uBAQ/C,MAAM;uBACN,MAAM;iCACI,OAAO;kCACN,MAAM;;;;;;;;0CAQE,MAAM;;;;qCAIX,MAAM;;;;;;;;;;;;;;;iEAesB,MAAM;4CAC3B,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,UAAU;;sCAE9C,MAAM;;;aAG/B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;mCAEzB,MAAM;;;;;;;;mCAQN,MAAM;;;;;;;;;;;;;;;CAexC,CAAC;AACF,CAAC;AAED,SAAS,gBAAgB,CAAC,CAAW;IACnC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxD,OAAO;;;;;;;;;;EAUP,MAAM;CACP,CAAC;AACF,CAAC;AAED,SAAS,aAAa,CAAC,IAAe,EAAE,CAAY;IAClD,MAAM,GAAG,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,oBAAoB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IACpG,OAAO,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,cAAc,EAAE,EAAE,KAAK,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,oBAAoB,CAAC,CAAW;IACvC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxD,OAAO;QACL,eAAe;QACf,UAAU,MAAM,GAAG;QACnB,cAAc,MAAM,8BAA8B;QAClD,eAAe,MAAM,4CAA4C;QACjE,SAAS,MAAM,sCAAsC;KACtD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,CAAW;IACjC,OAAO;QACL,QAAQ,EAAE,eAAe;QACzB,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,UAAU,IAAI,sBAAsB,EAAE;QAC9F,SAAS,EAAE;YACT,QAAQ,EAAE,iBAAiB;YAC3B,SAAS,EAAE,kBAAkB;YAC7B,KAAK,EAAE,cAAc;SACtB;QACD,QAAQ,EAAE;YACR,iBAAiB,EAAE,CAAC,cAAc,CAAC;YACnC,eAAe,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC;SAC9C;QACD,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;QAC5B,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE;QAC5B,MAAM,EAAE;YACN,cAAc,EAAE,cAAc;YAC9B,wBAAwB,EAAE,wBAAwB;YAClD,4BAA4B,EAAE,IAAI;SACnC;QACD,IAAI,EAAE;YACJ,UAAU,EAAE,2CAA2C;YACvD,IAAI,EAAE,qCAAqC;SAC5C;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,CAAW,EAAE,GAAsB;IACvD,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,GAAG,cAAc,EAAE,CAAC;YACzC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,sBAAsB,EAAE,CAAC,CAAC;YAC/G,OAAO,aAAa,CAAC,SAAS,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC1B,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,6BAA6B;YAAE,OAAO,YAAY,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;QAChH,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,2CAA2C;YAAE,OAAO,gBAAgB,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9H,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,qCAAqC;YAAE,OAAO,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;QACzH,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,cAAc;YAAE,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1G,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,IAAI,KAAK,SAAS;YAAE,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;QACtH,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,KAAK,iBAAiB;YAAE,OAAO,MAAM,cAAc,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC7F,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,KAAK,kBAAkB;YAAE,OAAO,MAAM,eAAe,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC/F,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC;QAC7F,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACxD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,CAAW,EAAE,GAAsB;IACpE,OAAO,aAAa,CAClB,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,EAC1E;QACE,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAChD,sBAAsB,EAAE,wBAAwB;QAChD,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC,CAAC;QAChD,aAAa,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC;QACpD,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC;QAC5C,GAAG,EAAE,KAAK;KACX,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,CAAW,EAAE,GAAsB;IAC/D,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QAAC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAAC,CAAC;IACzH,MAAM,MAAM,GAAG,qBAAqB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAE1E,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/E,IAAI,QAAQ,GAAG,qBAAqB,EAAE,CAAC;QACrC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,mBAAmB,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACjJ,OAAO,aAAa,CAAC,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAElF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACjI,OAAO,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAClD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,eAAe,EAAE,QAAQ,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACxI,OAAO,aAAa,CAAC,SAAS,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,UAAU,EAAE;QACvD,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;QACnC,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,cAAc;QACvC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI;QAC/D,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,GAAG,CAAC;QACjD,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC;QAC/D,GAAG,EAAE,KAAK;KACX,CAAC,CAAC;IACH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACjI,OAAO,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,OAAO,GAAG,SAAS,QAAQ,CAAC,UAAU,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAuB;QAC9B,OAAO;QACP,OAAO,EAAE,aAAa,CAAC,MAAM;QAC7B,OAAO,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE;KACpE,CAAC;IACF,IAAI,UAA6B,CAAC;IAClC,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QAC/G,OAAO,YAAY,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE,UAAU,EAAE,SAAS,CAAC,cAAc,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;IAC5J,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5I,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,aAAa,GAAG,UAAU,CAAC,SAAS,EAAE,aAAa,IAAI,EAAE,CAAC;IAChE,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,MAAM,IAAI,UAAU,OAAO,EAAE,CAAC;IACnE,MAAM,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,EAAE;QAC9B,cAAc,EAAE,aAAa;QAC7B,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG;QACrC,OAAO,EAAE,MAAM;QACf,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;KACvF,CAAC,CAAC;IAEH,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IACjI,MAAM,QAAQ,GAAqB,EAAE,QAAQ,EAAE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC;IAChH,OAAO,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,CAAW,EAAE,GAAsB;IAChE,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9F,OAAO,aAAa,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QAAC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAAC,CAAC;IACzH,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC1D,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAE1E,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChI,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC7C,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YACtC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,iBAAiB,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;YACtJ,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAChE,IAAI,CAAC,SAAS;QAAE,OAAO,aAAa,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAE9D,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC;QACpC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;QAC7B,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;QACnC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ;QAC7B,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,gBAAgB;QACpC,UAAU,EAAE,KAAK,CAAC,WAAW;QAC7B,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;QACxD,kBAAkB,EAAE,GAAG;QACvB,UAAU,EAAE,wBAAwB;QACpC,UAAU,EAAE,CAAC,CAAC,eAAe;QAC7B,GAAG,EAAE,KAAK;KACX,CAAC,CAAC;IAEH,IAAI,aAAkD,CAAC;IACvD,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC;gBACnD,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ;gBAC7B,MAAM,EAAE,KAAK,CAAC,OAAO;gBACrB,MAAM,EAAE,KAAK,CAAC,cAAc;gBAC5B,UAAU,EAAE,KAAK,CAAC,WAAW;gBAC7B,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;aACzD,CAAC,CAAC;YACH,aAAa,GAAG;gBACd,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;aACnE,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;gBACb,EAAE,EAAE,KAAK,EAAE;gBACX,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,wBAAwB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE;gBAChF,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ;aAC/B,CAAC,CAAC;YACH,qEAAqE;YACrE,qEAAqE;YACrE,8DAA8D;YAC9D,mEAAmE;YACnE,gDAAgD;QAClD,CAAC;IACH,CAAC;IAED,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACxG,MAAM,QAAQ,GAAsB;QAClC,YAAY,EAAE,MAAM,CAAC,KAAK;QAC1B,UAAU,EAAE,MAAM;QAClB,UAAU,EAAE,MAAM,CAAC,SAAS;QAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;QAC5B,GAAG,CAAC,aAAa,IAAI,EAAE,cAAc,EAAE,aAAa,EAAE,CAAC;KACxD,CAAC;IACF,OAAO,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,CAAW,EACX,GAAsB,EACtB,aAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;IAE5D,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC;IAC3C,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,oBAAoB,EAAE,CAAC;IACnG,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAEzC,MAAM,WAAW,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE;QACvD,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;QAC7B,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;QACnC,eAAe,EAAE,CAAC,CAAC,oBAAoB;QACvC,GAAG,EAAE,KAAK;KACX,CAAC,CAAC;IACH,IAAI,CAAC,WAAW,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;IAElE,MAAM,UAAU,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC;IACxC,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,YAAY,EAAE,CAAC;IAEpE,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE;QAC9C,kBAAkB,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;QAC9C,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE;QAC7B,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC;QAC9C,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC;QAC5D,GAAG,EAAE,KAAK;QACV,aAAa,EAAE,wBAAwB;KACxC,CAAC,CAAC;IACH,IAAI,CAAC,UAAU,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC;IAEhE,IAAI,aAAa,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,iBAAiB,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,SAAS,EAAE;YACT,IAAI,EAAE,OAAO;YACb,OAAO,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG;YAC/B,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,MAAM;YACjC,UAAU,EAAE,WAAW,CAAC,MAAM,CAAC,WAAW;SAC3C;KACF,CAAC;AACJ,CAAC"}
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAM5B,eAAO,MAAM,uBAAuB,UAAU,CAAC"}
|
package/dist/index.js
ADDED
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
// Full SDK (Node runtime).
|
|
2
|
+
export * from './types.js';
|
|
3
|
+
export * from './handler.js';
|
|
4
|
+
export * from './next-adapter.js';
|
|
5
|
+
export * from './stores.js';
|
|
6
|
+
// NOTE: for Edge runtime (middleware), use the subpath import:
|
|
7
|
+
// import { isAgentRequest } from '@agentic-passport/next/edge';
|
|
8
|
+
// That path never pulls in node:crypto.
|
|
9
|
+
export const VENDOR_SDK_NEXT_VERSION = '0.3.0';
|
|
10
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAE5B,+DAA+D;AAC/D,kEAAkE;AAClE,wCAAwC;AAExC,MAAM,CAAC,MAAM,uBAAuB,GAAG,OAAO,CAAC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Edge-safe header sniff. NO Node-only imports anywhere in this module's
|
|
3
|
+
* transitive dep tree — vendors can call this from middleware running on the
|
|
4
|
+
* Edge runtime (Next.js middleware default, Cloudflare Workers, Deno Deploy,
|
|
5
|
+
* etc.) without webpack failing on `node:crypto`.
|
|
6
|
+
*
|
|
7
|
+
* Two headers from RFC 9421 / the AgentPassport profile uniquely identify an
|
|
8
|
+
* agent-signed request: `Signature` and `Signature-Agent`. Either header
|
|
9
|
+
* alone is ambiguous (a service might set a `Signature` header for other
|
|
10
|
+
* reasons), so we require both.
|
|
11
|
+
*/
|
|
12
|
+
export declare function isAgentRequest(req: {
|
|
13
|
+
headers: {
|
|
14
|
+
get?: (k: string) => string | null;
|
|
15
|
+
} | Readonly<Record<string, string | undefined>>;
|
|
16
|
+
}): boolean;
|
|
17
|
+
//# sourceMappingURL=is-agent-request.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"is-agent-request.d.ts","sourceRoot":"","sources":["../src/is-agent-request.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,wBAAgB,cAAc,CAAC,GAAG,EAAE;IAAE,OAAO,EAAE;QAAE,GAAG,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAA;CAAE,GAAG,OAAO,CAY/I"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Edge-safe header sniff. NO Node-only imports anywhere in this module's
|
|
3
|
+
* transitive dep tree — vendors can call this from middleware running on the
|
|
4
|
+
* Edge runtime (Next.js middleware default, Cloudflare Workers, Deno Deploy,
|
|
5
|
+
* etc.) without webpack failing on `node:crypto`.
|
|
6
|
+
*
|
|
7
|
+
* Two headers from RFC 9421 / the AgentPassport profile uniquely identify an
|
|
8
|
+
* agent-signed request: `Signature` and `Signature-Agent`. Either header
|
|
9
|
+
* alone is ambiguous (a service might set a `Signature` header for other
|
|
10
|
+
* reasons), so we require both.
|
|
11
|
+
*/
|
|
12
|
+
const SIGNATURE_HEADER = 'signature';
|
|
13
|
+
const SIGNATURE_AGENT_HEADER = 'signature-agent';
|
|
14
|
+
export function isAgentRequest(req) {
|
|
15
|
+
const headers = req.headers;
|
|
16
|
+
if (typeof headers.get === 'function') {
|
|
17
|
+
// Headers / Request.headers
|
|
18
|
+
const h = headers;
|
|
19
|
+
return h.get(SIGNATURE_HEADER) != null && h.get(SIGNATURE_AGENT_HEADER) != null;
|
|
20
|
+
}
|
|
21
|
+
// Plain record
|
|
22
|
+
const rec = headers;
|
|
23
|
+
const lower = {};
|
|
24
|
+
for (const [k, v] of Object.entries(rec))
|
|
25
|
+
lower[k.toLowerCase()] = v;
|
|
26
|
+
return lower[SIGNATURE_HEADER] != null && lower[SIGNATURE_AGENT_HEADER] != null;
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=is-agent-request.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"is-agent-request.js","sourceRoot":"","sources":["../src/is-agent-request.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,gBAAgB,GAAG,WAAW,CAAC;AACrC,MAAM,sBAAsB,GAAG,iBAAiB,CAAC;AAEjD,MAAM,UAAU,cAAc,CAAC,GAAuG;IACpI,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAC5B,IAAI,OAAQ,OAA6B,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC7D,4BAA4B;QAC5B,MAAM,CAAC,GAAG,OAAgD,CAAC;QAC3D,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,sBAAsB,CAAC,IAAI,IAAI,CAAC;IAClF,CAAC;IACD,eAAe;IACf,MAAM,GAAG,GAAG,OAA6C,CAAC;IAC1D,MAAM,KAAK,GAAuC,EAAE,CAAC;IACrD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,KAAK,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IACrE,OAAO,KAAK,CAAC,gBAAgB,CAAC,IAAI,IAAI,IAAI,KAAK,CAAC,sBAAsB,CAAC,IAAI,IAAI,CAAC;AAClF,CAAC"}
|