@agenticprimitives/connect-auth 0.1.0-alpha.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Agentic Trust Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,100 @@
+# @agenticprimitives/connect-auth
+
+**Credential connection** for Smart Agents — passkey, SIWE, and OAuth ceremonies,
+JWT sessions, and pluggable `Signer` interfaces.
+
+This package resolves **how a user proves control** (passkey, EOA, OAuth). The
+**canonical identity** is the Smart Agent address (`agent-account`). Session JWTs
+use the SA as primary subject; credentials appear as signer claims only
+([ADR-0010](../../docs/architecture/decisions/0010-smart-agent-canonical-identifier.md)).
+
+Identity persists. Credentials rotate ([ADR-0011](../../docs/architecture/decisions/0011-credential-recovery-and-re-association.md)).
+Custodian add/remove belongs to `custody`, not here.
+
+## Use This When
+
+- You implement passkey signup/login (WebAuthn).
+- You implement SIWE or Google OAuth sign-in.
+- You mint or verify JWT cookie sessions and CSRF tokens.
+- You need `Signer` interfaces for `agent-account` or `delegation`.
+- You derive CREATE2 salt from stable user scope (`deriveSaltFromEmail`, etc.).
+
+## Do Not Use This For
+
+- Smart Agent deploy, UserOps, or ERC-1271 account logic → `agent-account`.
+- Enrolling / rotating custodians on an SA → `custody`.
+- `.agent` names → `agent-naming`.
+- Public AgentCard profiles → `agent-profile`.
+- Delegation tokens or encrypted session rows → `delegation`.
+- KMS backends → `key-custody` (implements `KMSSigner`).
+
+## Install
+
+```bash
+pnpm add @agenticprimitives/connect-auth
+```
+
+## 60-Second Quickstart
+
+```ts
+import { mintSession, verifySession } from '@agenticprimitives/connect-auth';
+import * as passkey from '@agenticprimitives/connect-auth/passkey';
+
+// In your HTTP handler (app wires cookies):
+const { sessionClaims } = await passkey.completeSignup(req);
+const cookieValue = mintSession(sessionClaims);
+// sessionClaims MUST include canonical Smart Agent address as primary subject
+```
+
+```ts
+import { deriveSaltFromEmail } from '@agenticprimitives/connect-auth';
+import { AgentAccountClient } from '@agenticprimitives/agent-account';
+
+// Salt from user scope — NOT from .agent name.
+const salt = deriveSaltFromEmail(user.email, 0);
+```
+
+## Main Concepts
+
+- **Credential**: passkey, SIWE EOA, or OAuth identity — control facet, not the SA.
+- **Canonical SA**: resolved after auth (custodian lookup); JWT primary subject.
+- **Signer**: interface consumed by `agent-account` / `delegation`.
+- **JWT session**: signed cookie session (distinct from `delegation` `SessionRow`).
+
+See [`docs/concepts.md`](docs/concepts.md).
+
+## Auth Method Subpaths (Tree-Shakable)
+
+- `@agenticprimitives/connect-auth/passkey`
+- `@agenticprimitives/connect-auth/siwe`
+- `@agenticprimitives/connect-auth/google`
+
+## Security Invariants
+
+- JWT secrets never logged; CSRF origin exact-match.
+- WebAuthn challenges one-shot.
+- Salt derivation deterministic (keccak).
+
+See [`docs/security.md`](docs/security.md) and [`AUDIT.md`](AUDIT.md).
+
+## Documentation Map
+
+- [`docs/concepts.md`](docs/concepts.md) — credential vs canonical SA.
+- [`docs/cross-browser-secure-home-passkey.md`](docs/cross-browser-secure-home-passkey.md) — Chrome/Firefox + Windows Hello secure-home flow.
+- [`docs/api.md`](docs/api.md) — public API guide.
+- [`docs/security.md`](docs/security.md) — invariants.
+- [`docs/troubleshooting.md`](docs/troubleshooting.md) — common errors.
+- [`docs/migration.md`](docs/migration.md) — migration notes.
+- [`CLAUDE.md`](CLAUDE.md) — agent routing.
+- [`spec.md`](spec.md) — spec pointer.
+
+## Validation
+
+```bash
+pnpm check:connect-auth
+pnpm check:forbidden-terms
+```
+
+## License
+
+UNLICENSED.

package/dist/csrf.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Produce a CSRF token bound to the given origin and the current timestamp.
+ */
+export declare function csrfTokenFor(origin: string): string;
+/**
+ * Verify a CSRF token.
+ *   - origin (parsed exactly from the token) MUST be in allowedOrigins (exact-match).
+ *   - HMAC must match.
+ *   - Timestamp must be within the last CSRF_VALIDITY_SECONDS window.
+ * Returns true iff all three hold.
+ */
+export declare function verifyCsrf(token: string, allowedOrigins: string[]): boolean;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../src/csrf.ts"],"names":[],"mappings":"AA0CA;;GAEG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAOnD;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAyB3E"}

package/dist/csrf.js

@@ -0,0 +1,85 @@
+// CSRF tokens: HMAC-stamped origin + timestamp.
+// Token format: base64url(JSON.stringify({origin, ts})).base64url(hmac).
+// verifyCsrf checks: origin ∈ allowlist (exact match), ts ∈ recent window,
+// HMAC valid. Constant-time compare.
+import { hmac } from '@noble/hashes/hmac';
+import { sha256 } from '@noble/hashes/sha256';
+import { hexToBytes } from 'viem';
+const CSRF_VALIDITY_SECONDS = 60 * 60; // 1 hour
+function loadCsrfSecret() {
+    const hex = process.env.CSRF_SECRET;
+    if (!hex) {
+        throw new Error('connect-auth: CSRF_SECRET (hex) is required. Generate one: openssl rand -hex 32');
+    }
+    const bytes = hexToBytes(hex.startsWith('0x') ? hex : `0x${hex}`);
+    if (bytes.length < 16) {
+        throw new Error(`connect-auth: CSRF_SECRET too short (need ≥ 16 bytes)`);
+    }
+    return bytes;
+}
+function base64urlEncode(s) {
+    const data = typeof s === 'string' ? new TextEncoder().encode(s) : s;
+    const b64 = Buffer.from(data).toString('base64');
+    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function base64urlDecode(s) {
+    let padded = s.replace(/-/g, '+').replace(/_/g, '/');
+    while (padded.length % 4)
+        padded += '=';
+    return new Uint8Array(Buffer.from(padded, 'base64'));
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
+    return diff === 0;
+}
+/**
+ * Produce a CSRF token bound to the given origin and the current timestamp.
+ */
+export function csrfTokenFor(origin) {
+    const secret = loadCsrfSecret();
+    const ts = Math.floor(Date.now() / 1000);
+    const stamp = JSON.stringify({ origin, ts });
+    const stampEnc = base64urlEncode(stamp);
+    const sig = hmac(sha256, secret, new TextEncoder().encode(stampEnc));
+    return `${stampEnc}.${base64urlEncode(sig)}`;
+}
+/**
+ * Verify a CSRF token.
+ *   - origin (parsed exactly from the token) MUST be in allowedOrigins (exact-match).
+ *   - HMAC must match.
+ *   - Timestamp must be within the last CSRF_VALIDITY_SECONDS window.
+ * Returns true iff all three hold.
+ */
+export function verifyCsrf(token, allowedOrigins) {
+    if (!token)
+        return false;
+    const parts = token.split('.');
+    if (parts.length !== 2)
+        return false;
+    const [stampEnc, sigEnc] = parts;
+    let stamp;
+    try {
+        stamp = JSON.parse(new TextDecoder().decode(base64urlDecode(stampEnc)));
+    }
+    catch {
+        return false;
+    }
+    if (typeof stamp.origin !== 'string' || typeof stamp.ts !== 'number')
+        return false;
+    // Exact-match parsed URL allowlist (per spec §6) — origins are compared verbatim,
+    // never substring.
+    if (!allowedOrigins.includes(stamp.origin))
+        return false;
+    const now = Math.floor(Date.now() / 1000);
+    if (now - stamp.ts > CSRF_VALIDITY_SECONDS || now < stamp.ts)
+        return false;
+    const secret = loadCsrfSecret();
+    const expected = hmac(sha256, secret, new TextEncoder().encode(stampEnc));
+    const presented = base64urlDecode(sigEnc);
+    return constantTimeEqual(expected, presented);
+}
+//# sourceMappingURL=csrf.js.map

package/dist/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../src/csrf.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,yEAAyE;AACzE,2EAA2E;AAC3E,qCAAqC;AAErC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAElC,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,SAAS;AAEhD,SAAS,cAAc;IACrB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACpC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,iFAAiF,CAAC,CAAC;IACrG,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAE,GAAqB,CAAC,CAAC,CAAE,KAAK,GAAG,EAAoB,CAAC,CAAC;IACxG,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,CAAsB;IAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,IAAI,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrD,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC;IACxC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAa,EAAE,CAAa;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IACrE,OAAO,GAAG,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;AAC/C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,KAAa,EAAE,cAAwB;IAChE,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,KAAyB,CAAC;IAErD,IAAI,KAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEnF,kFAAkF;IAClF,mBAAmB;IACnB,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,GAAG,GAAG,KAAK,CAAC,EAAE,GAAG,qBAAqB,IAAI,GAAG,GAAG,KAAK,CAAC,EAAE;QAAE,OAAO,KAAK,CAAC;IAE3E,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC1C,OAAO,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;AAChD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export { mintSession, verifySession, SESSION_COOKIE, SESSION_TTL_SECONDS } from './sessions';
+export { csrfTokenFor, verifyCsrf } from './csrf';
+export { deriveSaltFromLabel, deriveSaltFromEmail, type DeriveSaltFromEmailOpts } from './salt';
+export { ERC1271_MAGIC, ERC6492_MAGIC, universalSignatureValidatorAbi, verifyUserSignature, verifyUserSignatureView, isErc6492Wrapped, } from './verify-signature';
+export type { SignatureVerifyResult, VerifyUserSignatureArgs, UniversalValidatorClient, } from './verify-signature';
+export { P256_N, base64urlEncode, base64urlDecode, parseDerSignature, normaliseLowS, buildWebAuthnAssertion, hashToWebAuthnChallenge, parseAttestationObject, parseAuthData, } from './methods/passkey';
+export type { WebAuthnAssertion, ParsedAttestation } from './methods/passkey';
+export type { Address, Hex, AuthMethod, JwtClaims, AuthenticatedUser, TypedDataDomain, TypedDataTypes, Signer, PasskeyAssertion, PasskeySigner, EOASigner, KMSSigner, } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAC7F,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,KAAK,uBAAuB,EAAE,MAAM,QAAQ,CAAC;AAChG,OAAO,EACL,aAAa,EACb,aAAa,EACb,8BAA8B,EAC9B,mBAAmB,EACnB,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,qBAAqB,EACrB,uBAAuB,EACvB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC;AAK5B,OAAO,EACL,MAAM,EACN,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,aAAa,EACb,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAE9E,YAAY,EACV,OAAO,EACP,GAAG,EACH,UAAU,EACV,SAAS,EACT,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,MAAM,EACN,gBAAgB,EAChB,aAAa,EACb,SAAS,EACT,SAAS,GACV,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+// @agenticprimitives/connect-auth — public API
+//
+// See ../../specs/200-connect-auth.md for the full contract.
+export { mintSession, verifySession, SESSION_COOKIE, SESSION_TTL_SECONDS } from './sessions';
+export { csrfTokenFor, verifyCsrf } from './csrf';
+export { deriveSaltFromLabel, deriveSaltFromEmail } from './salt';
+export { ERC1271_MAGIC, ERC6492_MAGIC, universalSignatureValidatorAbi, verifyUserSignature, verifyUserSignatureView, isErc6492Wrapped, } from './verify-signature';
+// WebAuthn ceremony helpers (preferred deep import:
+// `@agenticprimitives/connect-auth/passkey` for tree-shaking — re-exported
+// here for discoverability).
+export { P256_N, base64urlEncode, base64urlDecode, parseDerSignature, normaliseLowS, buildWebAuthnAssertion, hashToWebAuthnChallenge, parseAttestationObject, parseAuthData, } from './methods/passkey';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,EAAE;AACF,6DAA6D;AAE7D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAC7F,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAgC,MAAM,QAAQ,CAAC;AAChG,OAAO,EACL,aAAa,EACb,aAAa,EACb,8BAA8B,EAC9B,mBAAmB,EACnB,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAO5B,oDAAoD;AACpD,2EAA2E;AAC3E,6BAA6B;AAC7B,OAAO,EACL,MAAM,EACN,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,aAAa,EACb,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,aAAa,GACd,MAAM,mBAAmB,CAAC"}

package/dist/methods/google.d.ts

@@ -0,0 +1,72 @@
+export interface OidcProviderConfig {
+    /** Accepted `iss` claim values (Google issues `https://accounts.google.com`). */
+    issuers: string[];
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    jwksUri: string;
+}
+/** Google's stable OIDC endpoints (discovery doc values, pinned). */
+export declare const GOOGLE_OIDC: OidcProviderConfig;
+export interface BeginLoginInput {
+    clientId: string;
+    redirectUri: string;
+    /** OIDC scopes; `openid` is forced. Defaults to `openid email profile`. */
+    scope?: string;
+    /** e.g. 'consent' | 'select_account'. */
+    prompt?: string;
+    config?: OidcProviderConfig;
+}
+export interface BeginLoginResult {
+    /** Redirect the user agent here. */
+    authUrl: string;
+    /** Store these in the broker's same-origin session; needed by completeLogin. */
+    codeVerifier: string;
+    state: string;
+    nonce: string;
+}
+/**
+ * Start the OIDC login: generate PKCE verifier/challenge, state, nonce, and the
+ * authorization URL. The caller stores `codeVerifier`/`state`/`nonce` server-side
+ * (the broker `BrokerSession`) and redirects to `authUrl`.
+ */
+export declare function beginLogin(input: BeginLoginInput): BeginLoginResult;
+export interface OidcPrincipal {
+    /** The verified issuer. */
+    iss: string;
+    /** The verified subject (immutable provider id). The facet key, NOT the identity. */
+    sub: string;
+    email: string | null;
+    /** Always true on success — login is rejected unless the provider asserts it. */
+    emailVerified: boolean;
+    name: string | null;
+}
+export interface CompleteLoginInput {
+    /** Authorization code returned to the redirect_uri. */
+    code: string;
+    /** `state` returned by the provider — compared to `expectedState`. */
+    returnedState: string;
+    /** Values produced by beginLogin and stored server-side. */
+    expectedState: string;
+    expectedNonce: string;
+    codeVerifier: string;
+    /** Must match the value used in beginLogin. */
+    redirectUri: string;
+    clientId: string;
+    clientSecret: string;
+    config?: OidcProviderConfig;
+    /** Injectable for tests (defaults to global fetch). */
+    fetchImpl?: typeof fetch;
+    /** Injectable clock in ms (defaults to Date.now). */
+    now?: () => number;
+}
+export type CompleteLoginResult = {
+    ok: true;
+    principal: OidcPrincipal;
+} | {
+    ok: false;
+    reason: string;
+};
+/** Build the `(iss, sub)` facet key a directory keys an OIDC credential on. */
+export declare function oidcFacetId(iss: string, sub: string): string;
+export declare function completeLogin(input: CompleteLoginInput): Promise<CompleteLoginResult>;
+//# sourceMappingURL=google.d.ts.map

package/dist/methods/google.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.d.ts","sourceRoot":"","sources":["../../src/methods/google.ts"],"names":[],"mappings":"AAwBA,MAAM,WAAW,kBAAkB;IACjC,iFAAiF;IACjF,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,qEAAqE;AACrE,eAAO,MAAM,WAAW,EAAE,kBAKzB,CAAC;AA0DF,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,gFAAgF;IAChF,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,gBAAgB,CAqBnE;AAID,MAAM,WAAW,aAAa;IAC5B,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,qFAAqF;IACrF,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,iFAAiF;IACjF,aAAa,EAAE,OAAO,CAAC;IACvB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,aAAa,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B,uDAAuD;IACvD,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,mBAAmB,GAC3B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,SAAS,EAAE,aAAa,CAAA;CAAE,GACtC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAclC,+EAA+E;AAC/E,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAE5D;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAgE3F"}

package/dist/methods/google.js

@@ -0,0 +1,239 @@
+// Google OIDC auth method (real implementation).
+//
+// Authorization-code + PKCE (S256) + state + nonce, then id_token verification
+// (RS256 via Web Crypto against the provider JWKS) and claim validation
+// (iss / aud / exp / nonce + email_verified). Dependency-light: @noble/hashes
+// for the PKCE challenge, Web Crypto (`globalThis.crypto.subtle`, Node 20+) for
+// RSA verification — no JWT library.
+//
+// SECURITY (audit CN-3 / CN-4, ADR-0017):
+//   - PKCE + state + nonce are mandatory; `state` is compared constant-time.
+//   - `alg` is PINNED to RS256 — the token's own `alg` header is never trusted
+//     to select the algorithm; `alg: none` / HS* are rejected (alg-confusion).
+//   - `iss` + `aud` validated; `nonce` matched to the expected value.
+//   - `email_verified === true` is REQUIRED; the facet is keyed on (iss, sub),
+//     never on email (resists email-reuse takeover).
+//
+// This method returns a *verified OIDC principal* (iss/sub/email). It does NOT
+// resolve to a canonical Smart Agent — that binding is the directory's job
+// (spec 223) and the broker's (spec 224); connect-auth must not import them.
+import { sha256 } from '@noble/hashes/sha256';
+/** Google's stable OIDC endpoints (discovery doc values, pinned). */
+export const GOOGLE_OIDC = {
+    issuers: ['https://accounts.google.com', 'accounts.google.com'],
+    authorizationEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
+    tokenEndpoint: 'https://oauth2.googleapis.com/token',
+    jwksUri: 'https://www.googleapis.com/oauth2/v3/certs',
+};
+// ─── base64url + random helpers ───────────────────────────────────────
+function b64urlEncode(bytes) {
+    let s;
+    if (typeof Buffer !== 'undefined') {
+        s = Buffer.from(bytes).toString('base64');
+    }
+    else {
+        let bin = '';
+        for (const b of bytes)
+            bin += String.fromCharCode(b);
+        s = btoa(bin);
+    }
+    return s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function b64urlToBytes(s) {
+    let padded = s.replace(/-/g, '+').replace(/_/g, '/');
+    while (padded.length % 4)
+        padded += '=';
+    if (typeof Buffer !== 'undefined')
+        return new Uint8Array(Buffer.from(padded, 'base64'));
+    const bin = atob(padded);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        out[i] = bin.charCodeAt(i);
+    return out;
+}
+function b64urlToString(s) {
+    return new TextDecoder().decode(b64urlToBytes(s));
+}
+/**
+ * Copy into a fresh ArrayBuffer-backed view. Web Crypto's `BufferSource` typing
+ * (TS 5.7 typed-array generics) rejects `Uint8Array<ArrayBufferLike>`; a fresh
+ * `new Uint8Array(n)` is `Uint8Array<ArrayBuffer>`, which is accepted.
+ */
+function freshBytes(u) {
+    const out = new Uint8Array(u.byteLength);
+    out.set(u);
+    return out;
+}
+function randomB64url(byteLen) {
+    const buf = new Uint8Array(byteLen);
+    globalThis.crypto.getRandomValues(buf);
+    return b64urlEncode(buf);
+}
+function constantTimeEqualStr(a, b) {
+    const ab = new TextEncoder().encode(a);
+    const bb = new TextEncoder().encode(b);
+    if (ab.length !== bb.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < ab.length; i++)
+        diff |= (ab[i] ?? 0) ^ (bb[i] ?? 0);
+    return diff === 0;
+}
+/**
+ * Start the OIDC login: generate PKCE verifier/challenge, state, nonce, and the
+ * authorization URL. The caller stores `codeVerifier`/`state`/`nonce` server-side
+ * (the broker `BrokerSession`) and redirects to `authUrl`.
+ */
+export function beginLogin(input) {
+    const config = input.config ?? GOOGLE_OIDC;
+    const codeVerifier = randomB64url(32); // 43-char unreserved string (RFC 7636)
+    const codeChallenge = b64urlEncode(sha256(new TextEncoder().encode(codeVerifier)));
+    const state = randomB64url(24);
+    const nonce = randomB64url(24);
+    const scope = input.scope ?? 'openid email profile';
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: input.clientId,
+        redirect_uri: input.redirectUri,
+        scope: scope.includes('openid') ? scope : `openid ${scope}`,
+        state,
+        nonce,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+    });
+    if (input.prompt)
+        params.set('prompt', input.prompt);
+    return { authUrl: `${config.authorizationEndpoint}?${params.toString()}`, codeVerifier, state, nonce };
+}
+/** Build the `(iss, sub)` facet key a directory keys an OIDC credential on. */
+export function oidcFacetId(iss, sub) {
+    return `${iss}#${sub}`;
+}
+export async function completeLogin(input) {
+    const config = input.config ?? GOOGLE_OIDC;
+    // Bind the global fetch to globalThis: the Cloudflare workerd runtime throws
+    // "Illegal invocation" if its native `fetch` is invoked with a `this` other
+    // than the global (e.g. `ctx.fetchImpl(url)` — a method call sets `this=ctx`).
+    // A bound function ignores the call-site `this`, so it is safe to pass around
+    // and call as a property. A caller-supplied mock is used as-is.
+    const doFetch = input.fetchImpl ?? globalThis.fetch.bind(globalThis);
+    const nowMs = (input.now ?? Date.now)();
+    // 1. State (CSRF / mix-up defense) — constant-time, before any network call.
+    if (!input.returnedState || !constantTimeEqualStr(input.returnedState, input.expectedState)) {
+        return { ok: false, reason: 'state mismatch' };
+    }
+    // 2. Authorization-code → tokens (with PKCE code_verifier).
+    let idToken;
+    try {
+        const body = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: input.code,
+            redirect_uri: input.redirectUri,
+            client_id: input.clientId,
+            client_secret: input.clientSecret,
+            code_verifier: input.codeVerifier,
+        });
+        const res = await doFetch(config.tokenEndpoint, {
+            method: 'POST',
+            headers: { 'content-type': 'application/x-www-form-urlencoded', accept: 'application/json' },
+            body: body.toString(),
+        });
+        if (!res.ok)
+            return { ok: false, reason: `token endpoint returned ${res.status}` };
+        const json = (await res.json());
+        if (!json.id_token)
+            return { ok: false, reason: 'token response missing id_token' };
+        idToken = json.id_token;
+    }
+    catch (e) {
+        return { ok: false, reason: e instanceof Error ? `token exchange failed: ${e.message}` : 'token exchange failed' };
+    }
+    // 3. Verify the id_token.
+    const verified = await verifyIdToken(idToken, {
+        config,
+        clientId: input.clientId,
+        expectedNonce: input.expectedNonce,
+        nowMs,
+        fetchImpl: doFetch,
+    });
+    if (!verified.ok)
+        return verified;
+    // 4. email_verified is mandatory (audit CN-3 / P0-3).
+    const ev = verified.claims.email_verified;
+    const emailVerified = ev === true || ev === 'true';
+    if (!emailVerified)
+        return { ok: false, reason: 'email_verified is not true' };
+    return {
+        ok: true,
+        principal: {
+            iss: verified.claims.iss,
+            sub: verified.claims.sub,
+            email: verified.claims.email ?? null,
+            emailVerified: true,
+            name: verified.claims.name ?? null,
+        },
+    };
+}
+async function verifyIdToken(idToken, ctx) {
+    const parts = idToken.split('.');
+    if (parts.length !== 3)
+        return { ok: false, reason: 'id_token is not a 3-part JWT' };
+    const [headerB64, payloadB64, sigB64] = parts;
+    let header;
+    let claims;
+    try {
+        header = JSON.parse(b64urlToString(headerB64));
+        claims = JSON.parse(b64urlToString(payloadB64));
+    }
+    catch {
+        return { ok: false, reason: 'id_token header/payload not valid JSON' };
+    }
+    // Alg pinning — never trust the token's alg to pick the algorithm (CN-4).
+    if (header.alg !== 'RS256')
+        return { ok: false, reason: `id_token alg must be RS256, got "${header.alg}"` };
+    if (!header.kid)
+        return { ok: false, reason: 'id_token missing kid' };
+    // Fetch JWKS and find the signing key.
+    let jwk;
+    try {
+        const res = await ctx.fetchImpl(ctx.config.jwksUri, { headers: { accept: 'application/json' } });
+        if (!res.ok)
+            return { ok: false, reason: `JWKS endpoint returned ${res.status}` };
+        const set = (await res.json());
+        const found = set.keys?.find((k) => k.kid === header.kid && k.kty === 'RSA');
+        if (!found)
+            return { ok: false, reason: `no RSA JWKS key for kid "${header.kid}"` };
+        jwk = found;
+    }
+    catch (e) {
+        return { ok: false, reason: e instanceof Error ? `JWKS fetch failed: ${e.message}` : 'JWKS fetch failed' };
+    }
+    // Verify RS256 over `header.payload` via Web Crypto.
+    let signatureValid;
+    try {
+        const key = await globalThis.crypto.subtle.importKey('jwk', { kty: jwk.kty, n: jwk.n, e: jwk.e, alg: 'RS256', ext: true }, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['verify']);
+        signatureValid = await globalThis.crypto.subtle.verify({ name: 'RSASSA-PKCS1-v1_5' }, key, freshBytes(b64urlToBytes(sigB64)), freshBytes(new TextEncoder().encode(`${headerB64}.${payloadB64}`)));
+    }
+    catch (e) {
+        return { ok: false, reason: e instanceof Error ? `signature verification error: ${e.message}` : 'signature verification error' };
+    }
+    if (!signatureValid)
+        return { ok: false, reason: 'id_token signature invalid' };
+    // Claim validation.
+    if (!claims.iss || !ctx.config.issuers.includes(claims.iss)) {
+        return { ok: false, reason: `id_token iss "${claims.iss}" not accepted` };
+    }
+    const audOk = Array.isArray(claims.aud) ? claims.aud.includes(ctx.clientId) : claims.aud === ctx.clientId;
+    if (!audOk)
+        return { ok: false, reason: 'id_token aud does not match clientId' };
+    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= ctx.nowMs) {
+        return { ok: false, reason: 'id_token expired' };
+    }
+    if (!claims.nonce || !constantTimeEqualStr(claims.nonce, ctx.expectedNonce)) {
+        return { ok: false, reason: 'id_token nonce mismatch' };
+    }
+    if (!claims.sub)
+        return { ok: false, reason: 'id_token missing sub' };
+    return { ok: true, claims };
+}
+//# sourceMappingURL=google.js.map

package/dist/methods/google.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.js","sourceRoot":"","sources":["../../src/methods/google.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+EAA+E;AAC/E,wEAAwE;AACxE,8EAA8E;AAC9E,gFAAgF;AAChF,qCAAqC;AACrC,EAAE;AACF,0CAA0C;AAC1C,6EAA6E;AAC7E,+EAA+E;AAC/E,+EAA+E;AAC/E,sEAAsE;AACtE,+EAA+E;AAC/E,qDAAqD;AACrD,EAAE;AACF,+EAA+E;AAC/E,2EAA2E;AAC3E,6EAA6E;AAE7E,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAY9C,qEAAqE;AACrE,MAAM,CAAC,MAAM,WAAW,GAAuB;IAC7C,OAAO,EAAE,CAAC,6BAA6B,EAAE,qBAAqB,CAAC;IAC/D,qBAAqB,EAAE,8CAA8C;IACrE,aAAa,EAAE,qCAAqC;IACpD,OAAO,EAAE,4CAA4C;CACtD,CAAC;AAEF,yEAAyE;AAEzE,SAAS,YAAY,CAAC,KAAiB;IACrC,IAAI,CAAS,CAAC;IACd,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,GAAG,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,KAAK;YAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrD,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC;IACxC,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACxF,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IACzB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,CAAa;IAC/B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACX,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;IACpC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAS,EAAE,CAAS;IAChD,MAAM,EAAE,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACvC,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxE,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAuBD;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,KAAsB;IAC/C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,WAAW,CAAC;IAC3C,MAAM,YAAY,GAAG,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,uCAAuC;IAC9E,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnF,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,CAAC;IAE/B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,sBAAsB,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,KAAK,CAAC,QAAQ;QACzB,YAAY,EAAE,KAAK,CAAC,WAAW;QAC/B,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,EAAE;QAC3D,KAAK;QACL,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;KAC9B,CAAC,CAAC;IACH,IAAI,KAAK,CAAC,MAAM;QAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAErD,OAAO,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,qBAAqB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;AACzG,CAAC;AAmDD,+EAA+E;AAC/E,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,GAAW;IAClD,OAAO,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAyB;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,WAAW,CAAC;IAC3C,6EAA6E;IAC7E,4EAA4E;IAC5E,+EAA+E;IAC/E,8EAA8E;IAC9E,gEAAgE;IAChE,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAExC,6EAA6E;IAC7E,IAAI,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QAC5F,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACjD,CAAC;IAED,4DAA4D;IAC5D,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,YAAY,EAAE,KAAK,CAAC,WAAW;YAC/B,SAAS,EAAE,KAAK,CAAC,QAAQ;YACzB,aAAa,EAAE,KAAK,CAAC,YAAY;YACjC,aAAa,EAAE,KAAK,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,aAAa,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE,MAAM,EAAE,kBAAkB,EAAE;YAC5F,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACnF,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0B,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;QACpF,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC1B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAAC;IACrH,CAAC;IAED,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE;QAC5C,MAAM;QACN,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,KAAK;QACL,SAAS,EAAE,OAAO;KACnB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,OAAO,QAAQ,CAAC;IAElC,sDAAsD;IACtD,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC;IAC1C,MAAM,aAAa,GAAG,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,MAAM,CAAC;IACnD,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAE/E,OAAO;QACL,EAAE,EAAE,IAAI;QACR,SAAS,EAAE;YACT,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,GAAI;YACzB,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,GAAI;YACzB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,IAAI;YACpC,aAAa,EAAE,IAAI;YACnB,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI;SACnC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAe,EACf,GAAoH;IAEpH,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;IACrF,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAiC,CAAC;IAE1E,IAAI,MAAsC,CAAC;IAC3C,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/C,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wCAAwC,EAAE,CAAC;IACzE,CAAC;IAED,0EAA0E;IAC1E,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oCAAoC,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;IAC5G,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAEtE,uCAAuC;IACvC,IAAI,GAAkC,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACjG,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,0BAA0B,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QAClF,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoD,CAAC;QAClF,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC;QAC7E,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;QACpF,GAAG,GAAG,KAAK,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAAC;IAC7G,CAAC;IAED,qDAAqD;IACrD,IAAI,cAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAClD,KAAK,EACL,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAG,GAAsB,CAAC,CAAC,EAAE,CAAC,EAAG,GAAsB,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EACrG,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE,EAC9C,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,cAAc,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CACpD,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAC7B,GAAG,EACH,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EACjC,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC,CAAC,CACnE,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,iCAAiC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,8BAA8B,EAAE,CAAC;IACnI,CAAC;IACD,IAAI,CAAC,cAAc;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAEhF,oBAAoB;IACpB,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,MAAM,CAAC,GAAG,gBAAgB,EAAE,CAAC;IAC5E,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,GAAG,CAAC,QAAQ,CAAC;IAC1G,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAC;IACjF,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QACrE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;QAC5E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IAC1D,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAEtE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC"}