@agentunion/fastaun 0.2.20 → 0.3.1

package/dist/v2/e2ee/encrypt-p2p.js

@@ -0,0 +1,190 @@
+/**
+ * AUN E2EE V2: P2P 加密引擎
+ *
+ * 构造完整的 `e2ee.p2p_encrypted` envelope。纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p.encrypt_p2p_message` 对齐。
+ *
+ * 步骤：
+ *  1. 生成 master_key + msg_nonce
+ *  2. 构造 message_id / timestamp
+ *  3. 推导 peer_aid 与 wrap_protocol_str
+ *  4. 构造 AAD 并加密 payload
+ *  5. 生成 sender_session keypair
+ *  6. 计算 wrap_salt
+ *  7. 为每个 target wrap master_key
+ *  8. 排序 recipients + 计算 digest
+ *  9. 计算 sender_signature
+ * 10. 计算 sender_cert_fingerprint
+ * 11. 组装 envelope
+ */
+import { createHash, randomUUID, randomBytes } from 'node:crypto';
+import { canonicalJson } from '../crypto/canonical.js';
+import { ecdsaSignRaw } from '../crypto/ecdsa.js';
+import { aesGcmEncrypt } from '../crypto/aead.js';
+import { generateP256Keypair } from '../crypto/ecdh.js';
+import { compute3DHWrap, compute1DHWrap } from '../crypto/dh-path.js';
+import { sortRecipients, computeRecipientsDigest } from '../crypto/recipients.js';
+import { ProtectedHeaders } from '../../protected-headers.js';
+import { SUITE_NAME, } from './types.js';
+import { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN } from './metadata-auth.js';
+const TEXT = new TextEncoder();
+/**
+ * 构造完整的 V2 P2P 加密 envelope。
+ */
+export function encryptP2PMessage(sender, targetSet, payload, opts = {}) {
+    // 1. master_key + msg_nonce
+    const masterKey = new Uint8Array(randomBytes(32));
+    const msgNonce = new Uint8Array(randomBytes(12));
+    // 2. message_id + timestamp
+    const messageId = opts.messageId ?? `m-${randomUUID().replace(/-/g, '')}`;
+    const timestamp = opts.timestamp ?? Date.now();
+    // 3. peer_aid（首个非 audit 的 target.aid；与 Python 一致）
+    let peerAid = '';
+    for (const t of targetSet.targets) {
+        if (t.role !== 'audit') {
+            peerAid = t.aid;
+            break;
+        }
+    }
+    // 4. wrap_protocol_str
+    const allTargets = [
+        ...targetSet.targets,
+        ...(targetSet.auditRecipients ?? []),
+    ];
+    const protocolSet = new Set();
+    for (const t of allTargets) {
+        const has3DH = !!t.spkPkDer &&
+            (t.keySource === 'peer_device_prekey' || t.keySource === 'group_device_prekey');
+        protocolSet.add(has3DH ? '3DH' : '1DH');
+    }
+    const wrapProtocolStr = protocolSet.size === 0 ? '1DH' : [...protocolSet].sort().join('+');
+    // 5. AAD（顺序在 canonical_json 时由键名排序统一，这里只是构造对象）
+    const aad = {
+        from: sender.aid,
+        from_device: sender.deviceId,
+        to: peerAid,
+        message_id: messageId,
+        timestamp,
+        suite: SUITE_NAME,
+        wrap_protocol: wrapProtocolStr,
+    };
+    // 6. encrypt body
+    const plaintextBytes = canonicalJson(payload);
+    const aadBytes = canonicalJson(aad);
+    const { ciphertext, tag } = aesGcmEncrypt(masterKey, msgNonce, plaintextBytes, aadBytes);
+    // 7. sender_session keypair
+    const [senderSessionPriv, senderSessionPubDer] = generateP256Keypair();
+    // 8. wrap_salt = SHA256(canonical_aad || sender_session_pk_der || suite)[:16]
+    const wrapSalt = computeWrapSalt(aadBytes, senderSessionPubDer);
+    // 9. wrap recipients
+    const recipientsRows = [];
+    for (const target of allTargets) {
+        recipientsRows.push(wrapForRecipient(target, masterKey, senderSessionPriv, sender.ikPriv, wrapSalt));
+    }
+    // 10. sort + digest
+    const sortedRows = sortRecipients(recipientsRows);
+    const digestHex = computeRecipientsDigest(sortedRows);
+    // 11. sender_signature
+    const digestBytes = Buffer.from(digestHex, 'hex');
+    const signInput = Buffer.concat([
+        Buffer.from(ciphertext),
+        Buffer.from(tag),
+        Buffer.from(aadBytes),
+        digestBytes,
+    ]);
+    const senderSig = ecdsaSignRaw(sender.ikPriv, new Uint8Array(signInput));
+    // 12. cert_fingerprint
+    const certFpHash = createHash('sha256').update(Buffer.from(sender.ikPubDer)).digest('hex');
+    const certFp = `sha256:${certFpHash.substring(0, 16)}`;
+    const envelope = {
+        type: 'e2ee.p2p_encrypted',
+        version: 'v2',
+        suite: SUITE_NAME,
+        msg_type: 'original',
+        t_send: timestamp,
+        t_supplement: null,
+        t_server: null,
+        nonce: Buffer.from(msgNonce).toString('base64'),
+        ciphertext: Buffer.from(ciphertext).toString('base64'),
+        tag: Buffer.from(tag).toString('base64'),
+        sender_signature: Buffer.from(senderSig).toString('base64'),
+        sender_cert_fingerprint: certFp,
+        sender_session_pk: Buffer.from(senderSessionPubDer).toString('base64'),
+        recipients_digest: digestHex,
+        recipients: sortedRows,
+        aad,
+    };
+    // protected_headers / context：HMAC 签名，不进 AAD。
+    // payload_type 自动注入 + value 转 string（与 Python _normalize_headers 对齐）
+    const normalizedHeaders = normalizeProtectedHeaders(opts.protectedHeaders, payload);
+    if (Object.keys(normalizedHeaders).length > 0) {
+        envelope.protected_headers = withMetadataAuth(normalizedHeaders, masterKey, PROTECTED_HEADERS_DOMAIN);
+    }
+    if (isPlainObject(opts.context) && Object.keys(opts.context).length > 0) {
+        // context 过滤 _auth 字段（withMetadataAuth 内部已处理）
+        envelope.context = withMetadataAuth(opts.context, masterKey, PROTECTED_CONTEXT_DOMAIN);
+    }
+    return envelope;
+}
+/**
+ * 规范化 protected_headers：value 转 string + 自动注入 payload_type。
+ * 与 Python `_normalize_headers` 对齐。
+ */
+export function normalizeProtectedHeaders(headers, payload) {
+    const normalized = {};
+    if (headers instanceof ProtectedHeaders) {
+        Object.assign(normalized, headers.toObject());
+    }
+    else if (isPlainObject(headers)) {
+        Object.assign(normalized, ProtectedHeaders.from(headers).toObject());
+    }
+    // payload_type 自动注入（与 Python 对齐：即使未显式传 protected_headers 也会注入）
+    const payloadType = typeof payload?.type === 'string' ? payload.type : '';
+    if (payloadType && !('payload_type' in normalized)) {
+        normalized['payload_type'] = payloadType;
+    }
+    return normalized;
+}
+function isPlainObject(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return false;
+    }
+    const proto = Object.getPrototypeOf(value);
+    return proto === Object.prototype || proto === null;
+}
+function computeWrapSalt(aadBytes, senderSessionPubDer) {
+    const suiteBytes = TEXT.encode(SUITE_NAME);
+    const h = createHash('sha256');
+    h.update(Buffer.from(aadBytes));
+    h.update(Buffer.from(senderSessionPubDer));
+    h.update(Buffer.from(suiteBytes));
+    return new Uint8Array(h.digest()).subarray(0, 16);
+}
+function wrapForRecipient(target, masterKey, senderSessionPriv, senderMasterPriv, wrapSalt) {
+    const fpHash = createHash('sha256').update(Buffer.from(target.ikPkDer)).digest('hex');
+    const fp = `sha256:${fpHash.substring(0, 16)}`;
+    const wrapNonce = new Uint8Array(randomBytes(12));
+    let wrapKey;
+    if (target.spkPkDer &&
+        (target.keySource === 'peer_device_prekey' || target.keySource === 'group_device_prekey')) {
+        wrapKey = compute3DHWrap(senderSessionPriv, senderMasterPriv, target.ikPkDer, target.spkPkDer, wrapSalt);
+    }
+    else {
+        wrapKey = compute1DHWrap(senderSessionPriv, target.ikPkDer, wrapSalt);
+    }
+    // AES-GCM wrap master_key（无 AAD）
+    const { ciphertext: wrappedCt, tag: wrappedTag } = aesGcmEncrypt(wrapKey, wrapNonce, masterKey, new Uint8Array(0));
+    const wrappedKey = Buffer.concat([Buffer.from(wrappedCt), Buffer.from(wrappedTag)]);
+    return [
+        target.aid,
+        target.deviceId,
+        target.role,
+        target.keySource,
+        fp,
+        target.spkId ?? '',
+        Buffer.from(wrapNonce).toString('base64'),
+        wrappedKey.toString('base64'),
+    ];
+}
+//# sourceMappingURL=encrypt-p2p.js.map

package/dist/v2/e2ee/encrypt-p2p.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt-p2p.js","sourceRoot":"","sources":["../../../src/v2/e2ee/encrypt-p2p.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAA8B,MAAM,4BAA4B,CAAC;AAC1F,OAAO,EAKL,UAAU,GACX,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE1G,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAE/B;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,MAAc,EACd,SAAoB,EACpB,OAAgC,EAChC,OAAuB,EAAE;IAEzB,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAEjD,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IAE/C,kDAAkD;IAClD,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC;YAChB,MAAM;QACR,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,UAAU,GAAa;QAC3B,GAAG,SAAS,CAAC,OAAO;QACpB,GAAG,CAAC,SAAS,CAAC,eAAe,IAAI,EAAE,CAAC;KACrC,CAAC;IACF,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,MAAM,GACV,CAAC,CAAC,CAAC,CAAC,QAAQ;YACZ,CAAC,CAAC,CAAC,SAAS,KAAK,oBAAoB,IAAI,CAAC,CAAC,SAAS,KAAK,qBAAqB,CAAC,CAAC;QAClF,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,eAAe,GACnB,WAAW,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAErE,+CAA+C;IAC/C,MAAM,GAAG,GAA4B;QACnC,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,WAAW,EAAE,MAAM,CAAC,QAAQ;QAC5B,EAAE,EAAE,OAAO;QACX,UAAU,EAAE,SAAS;QACrB,SAAS;QACT,KAAK,EAAE,UAAU;QACjB,aAAa,EAAE,eAAe;KAC/B,CAAC;IAEF,kBAAkB;IAClB,MAAM,cAAc,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;IAEzF,4BAA4B;IAC5B,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,GAAG,mBAAmB,EAAE,CAAC;IAEvE,8EAA8E;IAC9E,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;IAEhE,qBAAqB;IACrB,MAAM,cAAc,GAAe,EAAE,CAAC;IACtC,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,cAAc,CAAC,IAAI,CACjB,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAChF,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;IAEtD,uBAAuB;IACvB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;QACrB,WAAW;KACZ,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IAEzE,uBAAuB;IACvB,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3F,MAAM,MAAM,GAAG,UAAU,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAEvD,MAAM,QAAQ,GAA4B;QACxC,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,IAAI;QAClB,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtD,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACxC,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3D,uBAAuB,EAAE,MAAM;QAC/B,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtE,iBAAiB,EAAE,SAAS;QAC5B,UAAU,EAAE,UAAU;QACtB,GAAG;KACJ,CAAC;IAEF,8CAA8C;IAC9C,qEAAqE;IACrE,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IACpF,IAAI,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,QAAQ,CAAC,iBAAiB,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;IACxG,CAAC;IACD,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxE,8CAA8C;QAC9C,QAAQ,CAAC,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,wBAAwB,CAAC,CAAC;IACzF,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAA8B,EAC9B,OAAgC;IAEhC,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,IAAI,OAAO,YAAY,gBAAgB,EAAE,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChD,CAAC;SAAM,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,+DAA+D;IAC/D,MAAM,WAAW,GAAG,OAAO,OAAO,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,IAAI,WAAW,IAAI,CAAC,CAAC,cAAc,IAAI,UAAU,CAAC,EAAE,CAAC;QACnD,UAAU,CAAC,cAAc,CAAC,GAAG,WAAW,CAAC;IAC3C,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC3C,OAAO,KAAK,KAAK,MAAM,CAAC,SAAS,IAAI,KAAK,KAAK,IAAI,CAAC;AACtD,CAAC;AAED,SAAS,eAAe,CAAC,QAAoB,EAAE,mBAA+B;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IAChC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAClC,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,gBAAgB,CACvB,MAAc,EACd,SAAqB,EACrB,iBAA6B,EAC7B,gBAA4B,EAC5B,QAAoB;IAEpB,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtF,MAAM,EAAE,GAAG,UAAU,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAE/C,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAElD,IAAI,OAAmB,CAAC;IACxB,IACE,MAAM,CAAC,QAAQ;QACf,CAAC,MAAM,CAAC,SAAS,KAAK,oBAAoB,IAAI,MAAM,CAAC,SAAS,KAAK,qBAAqB,CAAC,EACzF,CAAC;QACD,OAAO,GAAG,cAAc,CACtB,iBAAiB,EACjB,gBAAgB,EAChB,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,QAAQ,EACf,QAAQ,CACT,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACxE,CAAC;IAED,iCAAiC;IACjC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,aAAa,CAC9D,OAAO,EACP,SAAS,EACT,SAAS,EACT,IAAI,UAAU,CAAC,CAAC,CAAC,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEpF,OAAO;QACL,MAAM,CAAC,GAAG;QACV,MAAM,CAAC,QAAQ;QACf,MAAM,CAAC,IAAI;QACX,MAAM,CAAC,SAAS;QAChB,EAAE;QACF,MAAM,CAAC,KAAK,IAAI,EAAE;QAClB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC9B,CAAC;AACJ,CAAC"}

package/dist/v2/e2ee/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AUN E2EE V2: 加解密引擎导出。
+ */
+export { encryptP2PMessage } from './encrypt-p2p.js';
+export { encryptGroupMessage } from './encrypt-group.js';
+export { decryptMessage } from './decrypt.js';
+export { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN, METADATA_KEY_DOMAIN } from './metadata-auth.js';
+export type { Sender, Target, TargetSet, EncryptOptions, StateCommitmentAAD } from './types.js';
+export { SUITE_NAME } from './types.js';

package/dist/v2/e2ee/index.js

@@ -0,0 +1,9 @@
+/**
+ * AUN E2EE V2: 加解密引擎导出。
+ */
+export { encryptP2PMessage } from './encrypt-p2p.js';
+export { encryptGroupMessage } from './encrypt-group.js';
+export { decryptMessage } from './decrypt.js';
+export { withMetadataAuth, PROTECTED_HEADERS_DOMAIN, PROTECTED_CONTEXT_DOMAIN, METADATA_KEY_DOMAIN } from './metadata-auth.js';
+export { SUITE_NAME } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/v2/e2ee/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/e2ee/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAE/H,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC"}

package/dist/v2/e2ee/metadata-auth.d.ts

@@ -0,0 +1,15 @@
+/**
+ * AUN E2EE V2: protected_headers / context HMAC 签名
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p._with_metadata_auth` 对齐。
+ * 用 master_key 派生 HMAC key，对 metadata body 做签名，生成 `_auth` 字段。
+ */
+export declare const METADATA_KEY_DOMAIN: Buffer<ArrayBuffer>;
+export declare const PROTECTED_HEADERS_DOMAIN: Buffer<ArrayBuffer>;
+export declare const PROTECTED_CONTEXT_DOMAIN: Buffer<ArrayBuffer>;
+/**
+ * 为 metadata 对象添加 HMAC 签名（_auth 字段）。
+ *
+ * 如果 body（去除 _auth 后）为空，返回空对象。
+ */
+export declare function withMetadataAuth(metadata: Record<string, unknown>, key: Uint8Array, domain: Buffer): Record<string, unknown>;

package/dist/v2/e2ee/metadata-auth.js

@@ -0,0 +1,50 @@
+/**
+ * AUN E2EE V2: protected_headers / context HMAC 签名
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p._with_metadata_auth` 对齐。
+ * 用 master_key 派生 HMAC key，对 metadata body 做签名，生成 `_auth` 字段。
+ */
+import { createHmac } from 'node:crypto';
+import { canonicalJson } from '../crypto/canonical.js';
+export const METADATA_KEY_DOMAIN = Buffer.from('aun-envelope-metadata-key-v1', 'utf-8');
+export const PROTECTED_HEADERS_DOMAIN = Buffer.from('aun-protected-headers-v1', 'utf-8');
+export const PROTECTED_CONTEXT_DOMAIN = Buffer.from('aun-protected-context-v1', 'utf-8');
+/**
+ * 计算 metadata HMAC 签名 tag。
+ *
+ * metadata_key = HMAC-SHA256(key, METADATA_KEY_DOMAIN)
+ * sign_input = domain + "\0" + canonical_json(body)
+ * tag = HMAC-SHA256(metadata_key, sign_input)
+ */
+function metadataAuthTag(key, domain, body) {
+    const metadataKey = createHmac('sha256', key).update(METADATA_KEY_DOMAIN).digest();
+    const bodyBytes = canonicalJson(body);
+    return createHmac('sha256', metadataKey)
+        .update(domain)
+        .update(Buffer.from([0]))
+        .update(Buffer.from(bodyBytes))
+        .digest();
+}
+/**
+ * 为 metadata 对象添加 HMAC 签名（_auth 字段）。
+ *
+ * 如果 body（去除 _auth 后）为空，返回空对象。
+ */
+export function withMetadataAuth(metadata, key, domain) {
+    const body = {};
+    for (const [k, v] of Object.entries(metadata)) {
+        if (k !== '_auth')
+            body[k] = v;
+    }
+    if (Object.keys(body).length === 0)
+        return {};
+    const tag = metadataAuthTag(key, domain, body);
+    return {
+        ...body,
+        _auth: {
+            alg: 'HMAC-SHA256',
+            tag: tag.toString('base64'),
+        },
+    };
+}
+//# sourceMappingURL=metadata-auth.js.map

package/dist/v2/e2ee/metadata-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata-auth.js","sourceRoot":"","sources":["../../../src/v2/e2ee/metadata-auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE,OAAO,CAAC,CAAC;AACxF,MAAM,CAAC,MAAM,wBAAwB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,OAAO,CAAC,CAAC;AACzF,MAAM,CAAC,MAAM,wBAAwB,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,OAAO,CAAC,CAAC;AAEzF;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,GAAe,EAAE,MAAc,EAAE,IAA6B;IACrF,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC,MAAM,EAAE,CAAC;IACnF,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACtC,OAAO,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC;SACrC,MAAM,CAAC,MAAM,CAAC;SACd,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SACxB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;SAC9B,MAAM,EAAE,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAiC,EACjC,GAAe,EACf,MAAc;IAEd,MAAM,IAAI,GAA4B,EAAE,CAAC;IACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9C,IAAI,CAAC,KAAK,OAAO;YAAE,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,MAAM,GAAG,GAAG,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IAC/C,OAAO;QACL,GAAG,IAAI;QACP,KAAK,EAAE;YACL,GAAG,EAAE,aAAa;YAClB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC5B;KACF,CAAC;AACJ,CAAC"}

package/dist/v2/e2ee/types.d.ts

@@ -0,0 +1,57 @@
+/**
+ * AUN E2EE V2: 加解密引擎类型定义
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p` / `encrypt_group` / `decrypt` 对齐。
+ */
+import type { ProtectedHeadersInput } from '../../protected-headers.js';
+export declare const SUITE_NAME: "P256_HKDF_SHA256_AES_256_GCM";
+/** 发送方身份。 */
+export interface Sender {
+    /** 发送方 AID。 */
+    aid: string;
+    /** 发送方 device_id。 */
+    deviceId: string;
+    /** 32 字节 P-256 私钥标量（AID 主私钥）。 */
+    ikPriv: Uint8Array;
+    /** SPKI DER 编码的公钥（用于签名指纹计算）。 */
+    ikPubDer: Uint8Array;
+}
+/** 接收方目标设备。 */
+export interface Target {
+    aid: string;
+    deviceId: string;
+    /** "peer" | "member" | "self_sync" | "audit" 等。 */
+    role: string;
+    /** "peer_device_prekey" | "group_device_prekey" | "aid_master"。 */
+    keySource: string;
+    /** 接收方 IK 公钥（DER SPKI）。 */
+    ikPkDer: Uint8Array;
+    /** 接收方 SPK 公钥（DER SPKI）；undefined 表示走 1DH 路径。 */
+    spkPkDer?: Uint8Array;
+    /** SPK 标识；3DH 时为非空字符串，1DH 时为空串/未定义。 */
+    spkId?: string;
+}
+/** 接收方集合（P2P）。 */
+export interface TargetSet {
+    /** 普通接收设备。 */
+    targets: Target[];
+    /** 监管方设备（可选）。 */
+    auditRecipients?: Target[];
+}
+/** 加密可选参数。 */
+export interface EncryptOptions {
+    /** 消息 ID；不传则自动生成 `m-{uuid4 hex}`。 */
+    messageId?: string;
+    /** 时间戳（毫秒）；不传则用 Date.now()。 */
+    timestamp?: number;
+    /** 端到端保护的信封元数据（HMAC 签名，不进 AAD）。 */
+    protectedHeaders?: ProtectedHeadersInput;
+    /** 端到端保护的上下文元数据（HMAC 签名，不进 AAD）。 */
+    context?: Record<string, unknown>;
+}
+/** Group AAD 中的 state_commitment 子结构。 */
+export interface StateCommitmentAAD {
+    state_version: number;
+    state_hash: string;
+    state_chain: string;
+}

package/dist/v2/e2ee/types.js

@@ -0,0 +1,7 @@
+/**
+ * AUN E2EE V2: 加解密引擎类型定义
+ *
+ * 与 Python `aun_core.v2.e2ee.encrypt_p2p` / `encrypt_group` / `decrypt` 对齐。
+ */
+export const SUITE_NAME = 'P256_HKDF_SHA256_AES_256_GCM';
+//# sourceMappingURL=types.js.map

package/dist/v2/e2ee/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/v2/e2ee/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,UAAU,GAAG,8BAAuC,CAAC"}

package/dist/v2/session/index.d.ts

@@ -0,0 +1,4 @@
+export { V2KeyStore, V2_DEVICE_KEYS_DDL } from './keystore.js';
+export type { SqliteLike } from './keystore.js';
+export { V2Session, PEER_KEY_CACHE_TTL_MS, DESTROY_DELAY_MS, RECENT_GENERATIONS, } from './session.js';
+export type { CallFn, SenderIdentity } from './session.js';

package/dist/v2/session/index.js

@@ -0,0 +1,3 @@
+export { V2KeyStore, V2_DEVICE_KEYS_DDL } from './keystore.js';
+export { V2Session, PEER_KEY_CACHE_TTL_MS, DESTROY_DELAY_MS, RECENT_GENERATIONS, } from './session.js';
+//# sourceMappingURL=index.js.map

package/dist/v2/session/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/session/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAE/D,OAAO,EACL,SAAS,EACT,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,cAAc,CAAC"}

package/dist/v2/session/keystore.d.ts

@@ -0,0 +1,50 @@
+/**
+ * V2 E2EE 设备密钥存储。
+ *
+ * 每个 (aid, device_id) 持有一对 IK 和若干 SPK（按 spk_id 索引）。
+ * 表结构与 Python / Go SDK 完全一致（v2_device_keys）。
+ *
+ * 实现说明：
+ * - TS SDK 统一使用 Node 22+ 内置的 `node:sqlite`（与 `keystore/aid-db.ts` 保持一致）
+ * - 接受任意 sqlite-like 句柄（exec / prepare），便于复用 AIDDatabase 的连接
+ * - BLOB 字段返回 Uint8Array（node:sqlite 默认行为）
+ */
+interface SqliteStatement {
+    run(...params: unknown[]): unknown;
+    get(...params: unknown[]): unknown;
+    all(...params: unknown[]): unknown;
+}
+export interface SqliteLike {
+    exec(sql: string): unknown;
+    prepare(sql: string): SqliteStatement;
+}
+export declare const V2_DEVICE_KEYS_DDL = "\nCREATE TABLE IF NOT EXISTS v2_device_keys (\n    device_id TEXT NOT NULL,\n    key_type TEXT NOT NULL,\n    key_id TEXT NOT NULL DEFAULT '',\n    private_key BLOB NOT NULL,\n    public_key BLOB NOT NULL,\n    created_at INTEGER NOT NULL,\n    PRIMARY KEY (device_id, key_type, key_id)\n)";
+export declare class V2KeyStore {
+    private db;
+    constructor(db: SqliteLike);
+    saveIK(deviceId: string, priv: Uint8Array, pubDer: Uint8Array): void;
+    loadIK(deviceId: string): {
+        priv: Uint8Array;
+        pubDer: Uint8Array;
+    } | null;
+    saveSPK(deviceId: string, spkId: string, priv: Uint8Array, pubDer: Uint8Array): void;
+    loadSPK(deviceId: string, spkId: string): Uint8Array | null;
+    loadCurrentSPK(deviceId: string): {
+        spkId: string;
+        priv: Uint8Array;
+        pubDer: Uint8Array;
+    } | null;
+    deleteSPK(deviceId: string, spkId: string): void;
+    listRecentSPKIds(deviceId: string, n: number): string[];
+    listExpiredSPKIds(deviceId: string, maxAgeMs: number): string[];
+    /** 复合 key_id: `${groupId}\0${spkId}` */
+    private _groupSPKKeyId;
+    saveGroupSPK(deviceId: string, groupId: string, spkId: string, priv: Uint8Array, pubDer: Uint8Array): void;
+    loadGroupSPK(deviceId: string, groupId: string, spkId: string): Uint8Array | null;
+    loadCurrentGroupSPK(deviceId: string, groupId: string): {
+        spkId: string;
+        priv: Uint8Array;
+        pubDer: Uint8Array;
+    } | null;
+}
+export {};

package/dist/v2/session/keystore.js

@@ -0,0 +1,138 @@
+/**
+ * V2 E2EE 设备密钥存储。
+ *
+ * 每个 (aid, device_id) 持有一对 IK 和若干 SPK（按 spk_id 索引）。
+ * 表结构与 Python / Go SDK 完全一致（v2_device_keys）。
+ *
+ * 实现说明：
+ * - TS SDK 统一使用 Node 22+ 内置的 `node:sqlite`（与 `keystore/aid-db.ts` 保持一致）
+ * - 接受任意 sqlite-like 句柄（exec / prepare），便于复用 AIDDatabase 的连接
+ * - BLOB 字段返回 Uint8Array（node:sqlite 默认行为）
+ */
+export const V2_DEVICE_KEYS_DDL = `
+CREATE TABLE IF NOT EXISTS v2_device_keys (
+    device_id TEXT NOT NULL,
+    key_type TEXT NOT NULL,
+    key_id TEXT NOT NULL DEFAULT '',
+    private_key BLOB NOT NULL,
+    public_key BLOB NOT NULL,
+    created_at INTEGER NOT NULL,
+    PRIMARY KEY (device_id, key_type, key_id)
+)`;
+function asBuffer(value) {
+    if (value instanceof Uint8Array)
+        return value;
+    if (Buffer.isBuffer(value))
+        return new Uint8Array(value.buffer, value.byteOffset, value.byteLength);
+    if (Array.isArray(value))
+        return new Uint8Array(value);
+    throw new Error(`unexpected blob type: ${typeof value}`);
+}
+/** node:sqlite 不接受裸 Uint8Array，需要 Buffer 包装才会绑定为 BLOB。 */
+function toSqliteBlob(value) {
+    return Buffer.isBuffer(value) ? value : Buffer.from(value.buffer, value.byteOffset, value.byteLength);
+}
+export class V2KeyStore {
+    db;
+    constructor(db) {
+        this.db = db;
+        this.db.exec(V2_DEVICE_KEYS_DDL);
+    }
+    saveIK(deviceId, priv, pubDer) {
+        this.db
+            .prepare(`INSERT OR REPLACE INTO v2_device_keys (device_id, key_type, key_id, private_key, public_key, created_at)
+         VALUES (?, 'ik', '', ?, ?, ?)`)
+            .run(deviceId, toSqliteBlob(priv), toSqliteBlob(pubDer), Date.now());
+    }
+    loadIK(deviceId) {
+        const row = this.db
+            .prepare(`SELECT private_key, public_key FROM v2_device_keys WHERE device_id=? AND key_type='ik' AND key_id=''`)
+            .get(deviceId);
+        if (!row)
+            return null;
+        return { priv: asBuffer(row.private_key), pubDer: asBuffer(row.public_key) };
+    }
+    saveSPK(deviceId, spkId, priv, pubDer) {
+        this.db
+            .prepare(`INSERT OR REPLACE INTO v2_device_keys (device_id, key_type, key_id, private_key, public_key, created_at)
+         VALUES (?, 'spk', ?, ?, ?, ?)`)
+            .run(deviceId, spkId, toSqliteBlob(priv), toSqliteBlob(pubDer), Date.now());
+    }
+    loadSPK(deviceId, spkId) {
+        const row = this.db
+            .prepare(`SELECT private_key FROM v2_device_keys WHERE device_id=? AND key_type='spk' AND key_id=?`)
+            .get(deviceId, spkId);
+        return row ? asBuffer(row.private_key) : null;
+    }
+    loadCurrentSPK(deviceId) {
+        const row = this.db
+            .prepare(`SELECT key_id, private_key, public_key FROM v2_device_keys
+         WHERE device_id=? AND key_type='spk' ORDER BY created_at DESC, key_id DESC LIMIT 1`)
+            .get(deviceId);
+        if (!row)
+            return null;
+        return {
+            spkId: row.key_id,
+            priv: asBuffer(row.private_key),
+            pubDer: asBuffer(row.public_key),
+        };
+    }
+    deleteSPK(deviceId, spkId) {
+        this.db
+            .prepare(`DELETE FROM v2_device_keys WHERE device_id=? AND key_type='spk' AND key_id=?`)
+            .run(deviceId, spkId);
+    }
+    listRecentSPKIds(deviceId, n) {
+        if (n <= 0)
+            return [];
+        const rows = this.db
+            .prepare(`SELECT key_id FROM v2_device_keys
+         WHERE device_id=? AND key_type='spk' ORDER BY created_at DESC, key_id DESC LIMIT ?`)
+            .all(deviceId, n);
+        return rows.map((r) => r.key_id);
+    }
+    listExpiredSPKIds(deviceId, maxAgeMs) {
+        const cutoff = Date.now() / 1000 - maxAgeMs / 1000;
+        const rows = this.db
+            .prepare(`SELECT key_id FROM v2_device_keys
+         WHERE device_id=? AND key_type='spk' AND created_at < ?`)
+            .all(deviceId, cutoff);
+        return rows.map((r) => r.key_id);
+    }
+    // ── Group SPK ──────────────────────────────────────────────────
+    /** 复合 key_id: `${groupId}\0${spkId}` */
+    _groupSPKKeyId(groupId, spkId) {
+        return `${groupId}\0${spkId}`;
+    }
+    saveGroupSPK(deviceId, groupId, spkId, priv, pubDer) {
+        this.db
+            .prepare(`INSERT OR REPLACE INTO v2_device_keys (device_id, key_type, key_id, private_key, public_key, created_at)
+         VALUES (?, 'group_spk', ?, ?, ?, ?)`)
+            .run(deviceId, this._groupSPKKeyId(groupId, spkId), toSqliteBlob(priv), toSqliteBlob(pubDer), Date.now());
+    }
+    loadGroupSPK(deviceId, groupId, spkId) {
+        const row = this.db
+            .prepare(`SELECT private_key FROM v2_device_keys WHERE device_id=? AND key_type='group_spk' AND key_id=?`)
+            .get(deviceId, this._groupSPKKeyId(groupId, spkId));
+        return row ? asBuffer(row.private_key) : null;
+    }
+    loadCurrentGroupSPK(deviceId, groupId) {
+        const prefix = `${groupId}\0%`;
+        const row = this.db
+            .prepare(`SELECT key_id, private_key, public_key FROM v2_device_keys
+         WHERE device_id=? AND key_type='group_spk' AND key_id LIKE ?
+         ORDER BY created_at DESC LIMIT 1`)
+            .get(deviceId, prefix);
+        if (!row)
+            return null;
+        // key_id = "{groupId}\0{spkId}"，提取 spkId
+        const parts = row.key_id.split('\0');
+        const spkId = parts.length > 1 ? parts[1] : row.key_id;
+        return {
+            spkId,
+            priv: asBuffer(row.private_key),
+            pubDer: asBuffer(row.public_key),
+        };
+    }
+}
+//# sourceMappingURL=keystore.js.map

package/dist/v2/session/keystore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keystore.js","sourceRoot":"","sources":["../../../src/v2/session/keystore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAaH,MAAM,CAAC,MAAM,kBAAkB,GAAG;;;;;;;;;EAShC,CAAC;AAEH,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,KAAK,YAAY,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9C,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;IACpG,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,UAAU,CAAC,KAAiB,CAAC,CAAC;IACnE,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,KAAK,EAAE,CAAC,CAAC;AAC3D,CAAC;AAED,0DAA0D;AAC1D,SAAS,YAAY,CAAC,KAAiB;IACrC,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;AACxG,CAAC;AAED,MAAM,OAAO,UAAU;IACb,EAAE,CAAa;IAEvB,YAAY,EAAc;QACxB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,CAAC,QAAgB,EAAE,IAAgB,EAAE,MAAkB;QAC3D,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;uCAC+B,CAChC;aACA,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,CAAC,QAAgB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CACN,sGAAsG,CACvG;aACA,GAAG,CAAC,QAAQ,CAA8D,CAAC;QAC9E,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;IAC/E,CAAC;IAED,OAAO,CAAC,QAAgB,EAAE,KAAa,EAAE,IAAgB,EAAE,MAAkB;QAC3E,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;uCAC+B,CAChC;aACA,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,OAAO,CAAC,QAAgB,EAAE,KAAa;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CACN,0FAA0F,CAC3F;aACA,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAyC,CAAC;QAChE,OAAO,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChD,CAAC;IAED,cAAc,CAAC,QAAgB;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CACN;4FACoF,CACrF;aACA,GAAG,CAAC,QAAQ,CAA8E,CAAC;QAC9F,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO;YACL,KAAK,EAAE,GAAG,CAAC,MAAM;YACjB,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC;YAC/B,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC;SACjC,CAAC;IACJ,CAAC;IAED,SAAS,CAAC,QAAgB,EAAE,KAAa;QACvC,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,8EAA8E,CAAC;aACvF,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED,gBAAgB,CAAC,QAAgB,EAAE,CAAS;QAC1C,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CACN;4FACoF,CACrF;aACA,GAAG,CAAC,QAAQ,EAAE,CAAC,CAA8B,CAAC;QACjD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,iBAAiB,CAAC,QAAgB,EAAE,QAAgB;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,QAAQ,GAAG,IAAI,CAAC;QACnD,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CACN;iEACyD,CAC1D;aACA,GAAG,CAAC,QAAQ,EAAE,MAAM,CAA8B,CAAC;QACtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,kEAAkE;IAElE,wCAAwC;IAChC,cAAc,CAAC,OAAe,EAAE,KAAa;QACnD,OAAO,GAAG,OAAO,KAAK,KAAK,EAAE,CAAC;IAChC,CAAC;IAED,YAAY,CAAC,QAAgB,EAAE,OAAe,EAAE,KAAa,EAAE,IAAgB,EAAE,MAAkB;QACjG,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;6CACqC,CACtC;aACA,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9G,CAAC;IAED,YAAY,CAAC,QAAgB,EAAE,OAAe,EAAE,KAAa;QAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CACN,gGAAgG,CACjG;aACA,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,CAAyC,CAAC;QAC9F,OAAO,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChD,CAAC;IAED,mBAAmB,CAAC,QAAgB,EAAE,OAAe;QACnD,MAAM,MAAM,GAAG,GAAG,OAAO,KAAK,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CACN;;0CAEkC,CACnC;aACA,GAAG,CAAC,QAAQ,EAAE,MAAM,CAA8E,CAAC;QACtG,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,yCAAyC;QACzC,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QACvD,OAAO;YACL,KAAK;YACL,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC;YAC/B,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC;SACjC,CAAC;IACJ,CAAC;CACF"}