@agentvault/agentvault 0.20.6 → 0.20.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +1 -1
- package/dist/cli.js.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/openclaw-entry.js +11 -5
- package/dist/openclaw-entry.js.map +2 -2
- package/openclaw.plugin.json +1 -1
- package/package.json +1 -1
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": 3,
|
|
3
3
|
"sources": ["../src/http-handlers.ts", "../src/openclaw-compat.ts", "../src/mcp-server.ts", "../src/skill-manifest.ts", "../../crypto/src/commercial-provider.ts", "../../crypto/src/init.ts", "../../crypto/src/keys.ts", "../../crypto/src/x3dh.ts", "../../crypto/src/ratchet.ts", "../../crypto/src/file-crypto.ts", "../../crypto/src/did.ts", "../../crypto/src/scan-engine.ts", "../../crypto/src/merkle.ts", "../../crypto/src/vc.ts", "../../crypto/src/transport.ts", "../../crypto/src/telemetry.ts", "../../crypto/src/telemetry-reporter.ts", "../../crypto/src/backup.ts", "../../crypto/src/approval.ts", "../../crypto/node_modules/ts-mls/src/codec/tlsEncoder.ts", "../../crypto/node_modules/ts-mls/src/codec/number.ts", "../../crypto/node_modules/ts-mls/src/codec/tlsDecoder.ts", "../../crypto/node_modules/ts-mls/src/util/enumHelpers.ts", "../../crypto/node_modules/ts-mls/src/defaultProposalType.ts", "../../crypto/node_modules/ts-mls/src/defaultExtensionType.ts", "../../crypto/node_modules/ts-mls/src/incomingMessageAction.ts", "../../crypto/node_modules/ts-mls/src/mlsError.ts", "../../crypto/node_modules/ts-mls/src/util/byteArray.ts", "../../crypto/node_modules/ts-mls/src/codec/variableLength.ts", "../../crypto/node_modules/ts-mls/src/util/constantTimeCompare.ts", "../../crypto/node_modules/ts-mls/src/extension.ts", "../../crypto/node_modules/ts-mls/src/credentialType.ts", "../../crypto/node_modules/ts-mls/src/credential.ts", "../../crypto/node_modules/ts-mls/src/externalSender.ts", "../../crypto/node_modules/ts-mls/src/crypto/hash.ts", "../../crypto/node_modules/ts-mls/src/codec/optional.ts", "../../crypto/node_modules/ts-mls/src/crypto/ciphersuite.ts", "../../crypto/node_modules/ts-mls/src/crypto/signature.ts", "../../crypto/node_modules/ts-mls/src/protocolVersion.ts", "../../crypto/node_modules/ts-mls/src/capabilities.ts", "../../crypto/node_modules/ts-mls/src/leafNodeSource.ts", "../../crypto/node_modules/ts-mls/src/lifetime.ts", "../../crypto/node_modules/ts-mls/src/leafNode.ts", "../../crypto/node_modules/ts-mls/src/keyPackage.ts", "../../crypto/node_modules/ts-mls/src/crypto/kdf.ts", "../../crypto/node_modules/ts-mls/src/presharedkey.ts", "../../crypto/node_modules/ts-mls/src/proposal.ts", "../../crypto/node_modules/ts-mls/src/proposalOrRefType.ts", "../../crypto/node_modules/ts-mls/src/crypto/hpke.ts", "../../crypto/node_modules/ts-mls/src/groupContext.ts", "../../crypto/node_modules/ts-mls/src/nodeType.ts", "../../crypto/node_modules/ts-mls/src/parentNode.ts", "../../crypto/node_modules/ts-mls/src/treemath.ts", "../../crypto/node_modules/ts-mls/src/ratchetTree.ts", "../../crypto/node_modules/ts-mls/src/treeHash.ts", "../../crypto/node_modules/ts-mls/src/parentHash.ts", "../../crypto/node_modules/ts-mls/src/hpkeCiphertext.ts", "../../crypto/node_modules/ts-mls/src/updatePath.ts", "../../crypto/node_modules/ts-mls/src/commit.ts", "../../crypto/node_modules/ts-mls/src/contentType.ts", "../../crypto/node_modules/ts-mls/src/wireformat.ts", "../../crypto/node_modules/ts-mls/src/sender.ts", "../../crypto/node_modules/ts-mls/src/framedContent.ts", "../../crypto/node_modules/ts-mls/src/authenticatedContent.ts", "../../crypto/node_modules/ts-mls/src/publicMessage.ts", "../../crypto/node_modules/ts-mls/src/messageProtectionPublic.ts", "../../crypto/node_modules/ts-mls/src/externalProposal.ts", "../../crypto/node_modules/ts-mls/src/requiredCapabilities.ts", "../../crypto/node_modules/ts-mls/src/authenticationService.ts", "../../crypto/node_modules/ts-mls/src/paddingConfig.ts", "../../crypto/node_modules/ts-mls/src/keyPackageEqualityConfig.ts", "../../crypto/node_modules/ts-mls/src/lifetimeConfig.ts", "../../crypto/node_modules/ts-mls/src/keyRetentionConfig.ts", "../../crypto/node_modules/ts-mls/src/groupInfo.ts", "../../crypto/node_modules/ts-mls/src/keySchedule.ts", "../../crypto/node_modules/ts-mls/src/secretTree.ts", "../../crypto/node_modules/ts-mls/src/transcriptHash.ts", "../../crypto/node_modules/ts-mls/src/groupSecrets.ts", "../../crypto/node_modules/ts-mls/src/welcome.ts", "../../crypto/node_modules/ts-mls/src/pathSecrets.ts", "../../crypto/node_modules/ts-mls/src/privateKeyPath.ts", "../../crypto/node_modules/ts-mls/src/unappliedProposals.ts", "../../crypto/node_modules/ts-mls/src/pskIndex.ts", "../../crypto/node_modules/ts-mls/src/util/addToMap.ts", "../../crypto/node_modules/ts-mls/src/clientConfig.ts", "../../crypto/node_modules/ts-mls/src/util/array.ts", "../../crypto/node_modules/ts-mls/src/codec/string.ts", "../../crypto/node_modules/ts-mls/src/groupActiveState.ts", "../../crypto/node_modules/ts-mls/src/epochReceiverData.ts", "../../crypto/node_modules/ts-mls/src/clientState.ts", "../../crypto/node_modules/ts-mls/src/privateMessage.ts", "../../crypto/node_modules/ts-mls/src/messageProtection.ts", "../../crypto/node_modules/ts-mls/src/createMessage.ts", "../../crypto/node_modules/ts-mls/src/createCommit.ts", "../../crypto/node_modules/ts-mls/src/processMessages.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/makeHashImpl.ts", "../../../node_modules/@hpke/common/esm/src/errors.js", "../../../node_modules/@hpke/common/esm/_dnt.shims.js", "../../../node_modules/@hpke/common/esm/src/algorithm.js", "../../../node_modules/@hpke/common/esm/src/identifiers.js", "../../../node_modules/@hpke/common/esm/src/consts.js", "../../../node_modules/@hpke/common/esm/src/interfaces/kemInterface.js", "../../../node_modules/@hpke/common/esm/src/kdfs/hkdf.js", "../../../node_modules/@hpke/common/esm/src/utils/misc.js", "../../../node_modules/@hpke/common/esm/src/kems/dhkem.js", "../../../node_modules/@hpke/common/esm/src/interfaces/dhkemPrimitives.js", "../../../node_modules/@hpke/common/esm/src/utils/bignum.js", "../../../node_modules/@hpke/common/esm/src/kems/dhkemPrimitives/ec.js", "../../../node_modules/@hpke/common/esm/src/xCryptoKey.js", "../../../node_modules/@hpke/common/esm/src/kems/dhkemPrimitives/xCurve.js", "../../../node_modules/@hpke/common/esm/src/kems/hybridkem.js", "../../../node_modules/@hpke/common/esm/src/interfaces/aeadEncryptionContext.js", "../../../node_modules/@hpke/common/esm/src/utils/noble.js", "../../../node_modules/@hpke/common/esm/src/hash/hash.js", "../../../node_modules/@hpke/common/esm/src/hash/hmac.js", "../../../node_modules/@hpke/common/esm/src/hash/md.js", "../../../node_modules/@hpke/common/esm/src/hash/u64.js", "../../../node_modules/@hpke/common/esm/src/hash/sha2.js", "../../../node_modules/@hpke/common/esm/src/hash/sha3.js", "../../../node_modules/@hpke/common/esm/src/curve/modular.js", "../../../node_modules/@hpke/common/esm/src/curve/curve.js", "../../../node_modules/@hpke/common/esm/src/curve/montgomery.js", "../../../node_modules/@hpke/common/esm/mod.js", "../../../node_modules/@hpke/core/esm/src/aeads/aesGcm.js", "../../../node_modules/@hpke/core/esm/src/aeads/exportOnly.js", "../../../node_modules/@hpke/core/esm/src/utils/emitNotSupported.js", "../../../node_modules/@hpke/core/esm/src/exporterContext.js", "../../../node_modules/@hpke/core/esm/src/encryptionContext.js", "../../../node_modules/@hpke/core/esm/src/mutex.js", "../../../node_modules/@hpke/core/esm/src/recipientContext.js", "../../../node_modules/@hpke/core/esm/src/senderContext.js", "../../../node_modules/@hpke/core/esm/src/cipherSuiteNative.js", "../../../node_modules/@hpke/core/esm/src/kems/dhkemNative.js", "../../../node_modules/@hpke/core/esm/src/native.js", "../../../node_modules/@hpke/core/esm/src/kems/dhkemPrimitives/x25519.js", "../../../node_modules/@hpke/core/esm/src/kems/dhkemX25519.js", "../../../node_modules/@hpke/core/esm/src/kems/dhkemPrimitives/x448.js", "../../../node_modules/@hpke/core/esm/src/kems/dhkemX448.js", "../../../node_modules/@hpke/core/esm/mod.js", "../../crypto/node_modules/ts-mls/src/crypto/implementation/hpke.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/makeAead.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/makeKdfImpl.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/makeDhKem.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/makeHpke.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/rng.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/makeNobleSignatureImpl.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/default/provider.ts", "../../crypto/node_modules/ts-mls/src/crypto/getCiphersuiteImpl.ts", "../../crypto/node_modules/ts-mls/src/resumption.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/makeHashImpl.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/makeNobleSignatureImpl.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/makeAead.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/makeKdfImpl.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/makeDhKem.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/makeHpke.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/rng.ts", "../../crypto/node_modules/ts-mls/src/crypto/implementation/noble/provider.ts", "../../crypto/node_modules/ts-mls/src/message.ts", "../../crypto/node_modules/ts-mls/src/grease.ts", "../../crypto/node_modules/ts-mls/src/defaultCapabilities.ts", "../../crypto/node_modules/ts-mls/src/index.ts", "../../crypto/src/mls-group.ts", "../../crypto/src/index.ts", "../src/state.ts", "../src/openclaw-entry.ts", "../src/account-config.ts", "../src/fetch-interceptor.ts", "../src/types.ts"],
|
|
4
|
-
"sourcesContent": ["/**\n * Extracted HTTP handler logic for the AgentVault plugin.\n *\n * These handlers are shared between:\n * 1. The self-managed HTTP server in channel.ts (legacy/fallback path)\n * 2. OpenClaw's registerHttpRoute() managed routes (new path)\n *\n * Both entry points call the same handler functions, ensuring consistent\n * behavior regardless of how the route is served.\n */\n\nimport type { SecureChannel } from \"./channel.js\";\nimport type { DeliveryTarget } from \"./types.js\";\n\nexport interface HandlerResult {\n status: number;\n body: Record<string, unknown>;\n}\n\n/**\n * Handle POST /send \u2014 send a message (text, file, or room).\n *\n * Routing: explicit target fields only \u2014 no silent lastInboundRoomId fallback.\n * - hub_address / a2a_address / channel_id \u2192 A2A\n * - room_id \u2192 room\n * - target: \"context\" \u2192 resolve from lastInboundRoomId (opt-in)\n * - No target fields \u2192 owner (the breaking fix)\n */\nexport async function handleSendRequest(\n parsed: Record<string, unknown>,\n channel: SecureChannel,\n): Promise<HandlerResult> {\n const text = parsed.text;\n if (!text || typeof text !== \"string\") {\n return { status: 400, body: { ok: false, error: \"Missing 'text' field\" } };\n }\n\n try {\n // Build DeliveryTarget from request fields\n let target: DeliveryTarget;\n\n // A2A send: accept hub_address, a2a_address, a2aAddress, or channel_id\n let a2aTarget = (parsed.hub_address ?? parsed.a2a_address ?? parsed.a2aAddress) as string | undefined;\n\n // Resolve channel_id to hub address if provided\n if (!a2aTarget && parsed.channel_id && typeof parsed.channel_id === \"string\") {\n const hubAddr = channel.resolveA2AChannelHub(parsed.channel_id as string);\n if (hubAddr) a2aTarget = hubAddr;\n }\n\n if (a2aTarget && typeof a2aTarget === \"string\") {\n target = { kind: \"a2a\", hubAddress: a2aTarget };\n } else if (typeof parsed.room_id === \"string\") {\n target = { kind: \"room\", roomId: parsed.room_id };\n } else if (parsed.target === \"context\") {\n target = { kind: \"context\" };\n } else if (parsed.file_path && typeof parsed.file_path === \"string\") {\n // Attachment \u2014 goes to owner\n const receipt = await channel.deliver(\n { kind: \"owner\" },\n { type: \"attachment\", text: text as string, filePath: parsed.file_path as string },\n { topicId: parsed.topicId as string | undefined },\n );\n return {\n status: receipt.ok ? 200 : 500,\n body: {\n ok: receipt.ok,\n destination: receipt.destination,\n ...(receipt.error ? { error: receipt.error } : {}),\n },\n };\n } else {\n // Default: owner (NOT context \u2014 this is the breaking fix)\n target = { kind: \"owner\" };\n }\n\n const receipt = await channel.deliver(\n target,\n { type: \"text\", text: text as string },\n {\n topicId: parsed.topicId as string | undefined,\n priority: parsed.priority as string | undefined,\n metadata: {\n ...(parsed.metadata as Record<string, unknown> | undefined),\n ...(parsed.message_type ? { message_type: parsed.message_type } : {}),\n },\n },\n );\n\n return {\n status: receipt.ok ? 200 : 500,\n body: {\n ok: receipt.ok,\n destination: receipt.destination,\n ...(receipt.error ? { error: receipt.error } : {}),\n },\n };\n } catch (err) {\n return { status: 500, body: { ok: false, error: String(err) } };\n }\n}\n\n/**\n * Handle POST /action \u2014 send an action confirmation.\n */\nexport async function handleActionRequest(\n parsed: Record<string, unknown>,\n channel: SecureChannel,\n): Promise<HandlerResult> {\n if (!parsed.action || typeof parsed.action !== \"string\") {\n return { status: 400, body: { ok: false, error: \"Missing 'action' field\" } };\n }\n\n try {\n const confirmation = {\n action: parsed.action as string,\n status: (parsed.status ?? \"completed\") as \"completed\" | \"failed\" | \"partial\",\n decisionId: parsed.decision_id as string | undefined,\n detail: parsed.detail as string | undefined,\n estimated_cost: parsed.estimated_cost as number | undefined,\n };\n\n // Build target from room_id field\n const target: DeliveryTarget = (parsed.room_id && typeof parsed.room_id === \"string\")\n ? { kind: \"room\", roomId: parsed.room_id }\n : { kind: \"owner\" };\n\n const receipt = await channel.deliver(\n target,\n { type: \"action_confirmation\", confirmation },\n );\n\n return {\n status: receipt.ok ? 200 : 500,\n body: {\n ok: receipt.ok,\n destination: receipt.destination,\n ...(receipt.error ? { error: receipt.error } : {}),\n },\n };\n } catch (err) {\n return { status: 500, body: { ok: false, error: String(err) } };\n }\n}\n\n/**\n * Handle POST /decision \u2014 send a decision request to the owner.\n */\nexport async function handleDecisionRequest(\n parsed: Record<string, unknown>,\n channel: SecureChannel,\n): Promise<HandlerResult> {\n const title = parsed.title;\n if (!title || typeof title !== \"string\") {\n return { status: 400, body: { ok: false, error: \"Missing 'title' field\" } };\n }\n\n const options = parsed.options;\n if (!Array.isArray(options) || options.length < 2) {\n return { status: 400, body: { ok: false, error: \"'options' must be an array with at least 2 items\" } };\n }\n\n for (const opt of options) {\n if (!opt || typeof opt !== \"object\" || !opt.option_id || !opt.label) {\n return { status: 400, body: { ok: false, error: \"Each option must have 'option_id' and 'label'\" } };\n }\n }\n\n try {\n const decision_id = await channel.sendDecisionRequest({\n title: title as string,\n description: parsed.description as string | undefined,\n options: options as Array<{ option_id: string; label: string; risk_level: \"low\" | \"medium\" | \"high\" | \"critical\"; is_default?: boolean }>,\n context_refs: parsed.context_refs as Array<{ type: string; uri: string; label: string }> | undefined,\n deadline: parsed.deadline as string | undefined,\n auto_action: parsed.auto_action as { option_id: string; trigger: string; description?: string } | undefined,\n });\n return { status: 200, body: { ok: true, decision_id } };\n } catch (err) {\n return { status: 500, body: { ok: false, error: String(err) } };\n }\n}\n\n/**\n * Handle GET /status \u2014 return channel health info.\n */\nexport function handleStatusRequest(channel: SecureChannel): HandlerResult {\n return {\n status: 200,\n body: {\n ok: true,\n state: channel.state,\n deviceId: channel.deviceId ?? undefined,\n sessions: channel.sessionCount,\n },\n };\n}\n\n/**\n * Handle GET /targets \u2014 return available delivery destinations.\n */\nexport function handleTargetsRequest(channel: SecureChannel): HandlerResult {\n return {\n status: 200,\n body: {\n ok: true,\n targets: channel.listTargets(),\n context: channel.lastInboundRoomId\n ? { kind: \"room\", roomId: channel.lastInboundRoomId }\n : { kind: \"owner\" },\n },\n };\n}\n\n/**\n * Handle GET /trust \u2014 return the agent's current Trust Gate token state.\n */\nexport function handleTrustRequest(\n channel: SecureChannel,\n): HandlerResult {\n const token = channel.trustToken;\n if (!token) {\n return {\n status: 503,\n body: { ok: false, error: \"token_unavailable\" },\n };\n }\n return {\n status: 200,\n body: {\n ok: true,\n tier: channel.trustTier,\n composite: null,\n token_expires_at: channel.trustTokenExpiresAt,\n },\n };\n}\n\n/**\n * Handle GET /mcp-config \u2014 return MCP connection config for this agent.\n *\n * Returns JSON suitable for adding to Claude Code, Cursor, or other MCP host\n * configuration files.\n */\nexport function handleMcpConfigRequest(\n agentName: string,\n port: number,\n mcpSkillCount: number,\n): HandlerResult {\n return {\n status: 200,\n body: {\n mcpServers: {\n [`agentvault-${agentName}`]: {\n url: `http://127.0.0.1:${port}/mcp`,\n },\n },\n _meta: {\n agent: agentName,\n skills_count: mcpSkillCount,\n transport: \"streamable-http\",\n auth: \"none (localhost)\",\n instructions: \"Add the mcpServers block to your MCP configuration file (e.g., .mcp.json or mcp_config.json)\",\n },\n },\n };\n}\n", "/**\n * OpenClaw SDK compatibility layer \u2014 dynamic import wrappers with caching.\n *\n * Each wrapper attempts to import a deep SDK module at runtime. If the import\n * fails (older gateway, missing SDK), the function returns a no-op result.\n * Results are cached after the first attempt.\n *\n * IMPORTANT: All imports are guarded by try/catch \u2014 the plugin degrades\n * gracefully on older OpenClaw versions.\n */\n\nimport type { AgentEventPayload, TranscriptUpdatePayload } from \"./openclaw-types.js\";\n\n// ---------------------------------------------------------------------------\n// requestHeartbeatNow \u2014 wake agent proactively before outbound sends\n// ---------------------------------------------------------------------------\n\nlet _heartbeatFn: ((opts?: { reason?: string }) => Promise<void>) | false | null = null;\n\n/**\n * Request an immediate heartbeat wake from the OpenClaw gateway.\n * Returns true if the heartbeat API was available and called, false otherwise.\n * Never throws.\n */\nexport async function requestHeartbeatNow(opts?: { reason?: string }): Promise<boolean> {\n if (_heartbeatFn === null) {\n try {\n // @ts-expect-error \u2014 deep SDK import only available when openclaw is installed\n const mod = await import(\"openclaw/dist/plugin-sdk/infra/heartbeat-wake.js\");\n _heartbeatFn = mod.requestHeartbeatNow ?? mod.default?.requestHeartbeatNow ?? false;\n } catch {\n _heartbeatFn = false;\n }\n }\n if (typeof _heartbeatFn === \"function\") {\n try {\n await _heartbeatFn(opts);\n return true;\n } catch {\n return false;\n }\n }\n return false;\n}\n\n// ---------------------------------------------------------------------------\n// onAgentEvent \u2014 subscribe to agent-level events for trust telemetry\n// ---------------------------------------------------------------------------\n\ntype AgentEventCallback = (event: AgentEventPayload) => void;\nlet _agentEventFn: ((cb: AgentEventCallback) => (() => void)) | false | null = null;\n\n/**\n * Subscribe to agent-level events (tool_use, reasoning_complete, error, etc.).\n * Returns an unsubscribe function, or a no-op if the API is unavailable.\n */\nexport async function onAgentEvent(callback: AgentEventCallback): Promise<() => void> {\n if (_agentEventFn === null) {\n try {\n // @ts-expect-error \u2014 deep SDK import only available when openclaw is installed\n const mod = await import(\"openclaw/dist/plugin-sdk/infra/agent-events.js\");\n _agentEventFn = mod.onAgentEvent ?? mod.default?.onAgentEvent ?? false;\n } catch {\n _agentEventFn = false;\n }\n }\n if (typeof _agentEventFn === \"function\") {\n try {\n return _agentEventFn(callback);\n } catch {\n return () => {};\n }\n }\n return () => {};\n}\n\n// ---------------------------------------------------------------------------\n// onSessionTranscriptUpdate \u2014 subscribe to transcript deltas\n// ---------------------------------------------------------------------------\n\ntype TranscriptCallback = (update: TranscriptUpdatePayload) => void;\nlet _transcriptFn: ((cb: TranscriptCallback) => (() => void)) | false | null = null;\n\n/**\n * Subscribe to session transcript updates for behavioral analysis.\n * Returns an unsubscribe function, or a no-op if the API is unavailable.\n */\nexport async function onSessionTranscriptUpdate(callback: TranscriptCallback): Promise<() => void> {\n if (_transcriptFn === null) {\n try {\n // @ts-expect-error \u2014 deep SDK import only available when openclaw is installed\n const mod = await import(\"openclaw/dist/plugin-sdk/sessions/transcript-events.js\");\n _transcriptFn = mod.onSessionTranscriptUpdate ?? mod.default?.onSessionTranscriptUpdate ?? false;\n } catch {\n _transcriptFn = false;\n }\n }\n if (typeof _transcriptFn === \"function\") {\n try {\n return _transcriptFn(callback);\n } catch {\n return () => {};\n }\n }\n return () => {};\n}\n", "/**\n * AgentVault MCP Server \u2014 serves agent skills as MCP tools.\n *\n * Uses Streamable HTTP transport mounted on the plugin's HTTP server.\n * Auth: SPT Bearer tokens validated via POST /capabilities/introspect.\n *\n * Design:\n * - One McpServer instance is created at startup and skills are registered as tools.\n * - Each incoming HTTP request creates a fresh StreamableHTTPServerTransport (stateless mode).\n * - After the transport handles the request, close() is called so the server can\n * accept the next connection (Protocol enforces single-transport at a time).\n */\nimport { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\n\n/* -------------------------------------------------------------------------- */\n/* Public types */\n/* -------------------------------------------------------------------------- */\n\nexport interface SkillDefinition {\n name: string;\n version?: string;\n description?: string;\n /** JSON Schema for the tool input (not Zod \u2014 raw JSON Schema object). */\n inputSchema?: Record<string, unknown>;\n /** Freeform instructions that are surfaced as an MCP prompt. */\n instructions?: string;\n /** SLA definition blob attached to the skill registry resource. */\n slaDefinition?: Record<string, unknown>;\n /** Tags for categorisation. */\n tags?: string[];\n\n /* -- agentVault namespace fields (from SKILL.md frontmatter) ------------- */\n\n /** Tools/capabilities explicitly allowed for this skill. */\n toolsAllowed?: string[];\n /** Tools/capabilities explicitly denied for this skill. */\n toolsDenied?: string[];\n /** JSON Schema for skill output validation. */\n outputSchema?: Record<string, unknown>;\n /** Model routing strategy: \"auto\" | \"round-robin\" | \"least-latency\". */\n modelRouting?: string;\n /** Allowed LLM models for this skill. */\n allowedModels?: string[];\n /** Default LLM model for this skill. */\n defaultModel?: string;\n /** AgentVault certification tier: \"verified\" | \"certified\" | \"enterprise\". */\n certificationTier?: string;\n /** Integrity configuration (algorithm, hashChain). */\n integrity?: Record<string, unknown>;\n /** Required policy presets (e.g., [\"network: agentvault\"]). */\n requiredPolicies?: string[];\n}\n\nexport interface McpServerOpts {\n agentName: string;\n apiUrl: string;\n apiKey?: string;\n /**\n * Called when an MCP client invokes a registered skill tool.\n * Receives skill name, args, and the full skill definition (including instructions).\n * Return value is serialised as JSON and sent back as tool output.\n */\n onInvoke?: (skillName: string, args: Record<string, unknown>, skill: SkillDefinition) => Promise<unknown>;\n}\n\n/* -------------------------------------------------------------------------- */\n/* AgentVaultMcpServer */\n/* -------------------------------------------------------------------------- */\n\nexport class AgentVaultMcpServer {\n private server: McpServer;\n private skills: Map<string, SkillDefinition> = new Map();\n private opts: McpServerOpts;\n private initialized = false;\n\n constructor(opts: McpServerOpts) {\n this.opts = opts;\n this.server = new McpServer({\n name: `agentvault-${opts.agentName}`,\n version: \"1.0.0\",\n });\n }\n\n /* ---- Skill registration ------------------------------------------------ */\n\n /**\n * Register a skill that will be exposed as an MCP tool.\n * Must be called *before* `initialize()`.\n */\n registerSkill(skill: SkillDefinition): void {\n this.skills.set(skill.name, skill);\n }\n\n /**\n * Register all skills as MCP tools / resources / prompts.\n * Called lazily on first request if not called explicitly.\n */\n initialize(): void {\n if (this.initialized) return;\n\n for (const [name, skill] of this.skills) {\n this.registerToolForSkill(name, skill);\n }\n\n // Registry resource \u2014 lists all registered skills as JSON.\n this.server.resource(\n \"skills-registry\",\n \"skills://registry\",\n { description: \"List of all registered agent skills\", mimeType: \"application/json\" },\n async () => {\n const registry = Array.from(this.skills.values()).map((s) => ({\n name: s.name,\n version: s.version,\n description: s.description,\n tags: s.tags,\n sla: s.slaDefinition,\n hasSchema: !!s.inputSchema,\n hasInstructions: !!s.instructions,\n certificationTier: s.certificationTier,\n modelRouting: s.modelRouting,\n allowedModels: s.allowedModels,\n hasToolPolicy: !!(s.toolsAllowed || s.toolsDenied),\n hasOutputSchema: !!s.outputSchema,\n requiredPolicies: s.requiredPolicies,\n }));\n return {\n contents: [{\n uri: \"skills://registry\",\n mimeType: \"application/json\",\n text: JSON.stringify(registry, null, 2),\n }],\n };\n },\n );\n\n // Skills that carry instructions are also surfaced as MCP prompts.\n for (const [name, skill] of this.skills) {\n if (skill.instructions) {\n this.server.prompt(\n name,\n skill.description ?? `Instructions for ${name}`,\n () => ({\n messages: [{\n role: \"user\" as const,\n content: { type: \"text\" as const, text: skill.instructions! },\n }],\n }),\n );\n }\n }\n\n this.initialized = true;\n }\n\n /* ---- HTTP request handler ---------------------------------------------- */\n\n /**\n * Handle an incoming HTTP request to the /mcp endpoint.\n *\n * Supports the Streamable HTTP transport protocol:\n * - POST for JSON-RPC messages\n * - GET for SSE notification stream\n * - DELETE for session close\n *\n * Each request gets a fresh stateless transport; after the response is\n * flushed the transport + underlying protocol connection are torn down\n * so the single McpServer instance is ready for the next caller.\n *\n * Local requests from 127.0.0.1/::1 bypass SPT validation (owner access).\n */\n async handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {\n if (!this.initialized) {\n this.initialize();\n }\n\n // --- Auth: localhost bypass for owner access, SPT for remote ---\n const remote = req.socket?.remoteAddress;\n const isLocal = remote === \"127.0.0.1\" || remote === \"::1\" || remote === \"::ffff:127.0.0.1\";\n\n if (!isLocal) {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Missing or invalid Authorization header\" }));\n return;\n }\n\n const token = authHeader.slice(7);\n const valid = await this.validateSpt(token);\n if (!valid) {\n res.writeHead(403, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid or expired SPT token\" }));\n return;\n }\n }\n\n // --- Stateless transport per request ---\n const transport = new StreamableHTTPServerTransport({\n sessionIdGenerator: undefined, // stateless\n });\n\n await this.server.connect(transport);\n\n try {\n await transport.handleRequest(req, res);\n } finally {\n // Tear down so the McpServer can accept the next connection.\n // transport.close() triggers Protocol._onclose() which clears _transport.\n await transport.close();\n }\n }\n\n /* ---- Private helpers --------------------------------------------------- */\n\n /**\n * Register a single skill as an MCP tool.\n *\n * The MCP SDK's `tool()` overloads that accept a schema expect Zod types.\n * Since our skill definitions use raw JSON Schema we register without\n * schema validation (name + description + handler) and let the handler\n * receive the raw args object.\n */\n private registerToolForSkill(name: string, skill: SkillDefinition): void {\n const description = skill.description ?? `AgentVault skill: ${name}`;\n\n this.server.tool(\n name,\n description,\n async (args: Record<string, unknown>) => {\n if (!this.opts.onInvoke) {\n return {\n content: [{ type: \"text\" as const, text: `Skill \"${name}\" invoked but no handler registered` }],\n };\n }\n try {\n const result = await this.opts.onInvoke(name, args, skill);\n const text = typeof result === \"string\" ? result : JSON.stringify(result, null, 2);\n return {\n content: [{ type: \"text\" as const, text }],\n };\n } catch (err: unknown) {\n const message = err instanceof Error ? err.message : String(err);\n return {\n content: [{ type: \"text\" as const, text: `Error invoking skill \"${name}\": ${message}` }],\n isError: true,\n };\n }\n },\n );\n }\n\n /**\n * Validate a Service Provider Token against the AgentVault backend.\n */\n private async validateSpt(token: string): Promise<boolean> {\n try {\n const url = `${this.opts.apiUrl}/api/v1/capabilities/introspect`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n if (this.opts.apiKey) {\n headers[\"Authorization\"] = `Bearer ${this.opts.apiKey}`;\n }\n const resp = await fetch(url, {\n method: \"POST\",\n headers,\n body: JSON.stringify({ token }),\n });\n if (!resp.ok) return false;\n const data = (await resp.json()) as { active: boolean };\n return data.active === true;\n } catch {\n return false;\n }\n }\n\n /* ---- Accessors --------------------------------------------------------- */\n\n get skillCount(): number {\n return this.skills.size;\n }\n\n get isInitialized(): boolean {\n return this.initialized;\n }\n}\n", "/**\n * Skill manifest loader \u2014 loads skills from SKILL.md files and backend API.\n *\n * SKILL.md format:\n * ```\n * ---\n * name: code-review\n * version: \"1.0.0\"\n * description: Reviews code for issues\n * tags: [code-review, typescript]\n * sla:\n * p95_latency_ms: 5000\n * max_error_rate: 0.05\n * schema:\n * type: object\n * properties:\n * code:\n * type: string\n * description: Code to review\n * required: [code]\n * ---\n * # Code Review Skill\n *\n * Instructions for invoking this skill...\n * ```\n */\nimport { readFileSync, existsSync, readdirSync } from \"node:fs\";\nimport { resolve, join } from \"node:path\";\nimport type { SkillDefinition } from \"./mcp-server.js\";\n\nexport interface SkillManifest {\n skills: SkillDefinition[];\n source: \"local\" | \"remote\" | \"merged\";\n}\n\ninterface AgentVaultNamespace {\n certification?: string; // \"verified\" | \"certified\" | \"enterprise\"\n integrity?: {\n algorithm?: string; // \"XChaCha20-Poly1305\"\n hashChain?: string; // \"SHA-256\"\n };\n requiredPolicies?: string[]; // [\"network: agentvault\"]\n runtime?: {\n capabilities?: string[];\n forbidden?: string[];\n output_schema?: Record<string, unknown>;\n };\n model?: {\n allowed?: string[];\n default?: string;\n routing?: string;\n };\n}\n\ninterface SkillFrontmatter {\n name: string;\n version?: string;\n description?: string;\n tags?: string[];\n sla?: {\n p95_latency_ms?: number;\n max_error_rate?: number;\n min_uptime_pct?: number;\n max_avg_tokens?: number;\n };\n schema?: Record<string, unknown>;\n agentVault?: AgentVaultNamespace;\n}\n\n/**\n * Parse a SKILL.md file into a SkillDefinition.\n *\n * Extracts YAML frontmatter between --- delimiters.\n * Everything after the closing --- is treated as instructions.\n */\nexport function parseSkillMd(content: string): SkillDefinition | null {\n const lines = content.split(\"\\n\");\n\n // Find frontmatter delimiters\n if (lines[0]?.trim() !== \"---\") return null;\n\n let endIdx = -1;\n for (let i = 1; i < lines.length; i++) {\n if (lines[i]?.trim() === \"---\") {\n endIdx = i;\n break;\n }\n }\n\n if (endIdx === -1) return null;\n\n // Parse YAML frontmatter (simple key-value parser)\n const frontmatterLines = lines.slice(1, endIdx);\n const frontmatter = parseSimpleYaml(frontmatterLines.join(\"\\n\")) as unknown as SkillFrontmatter;\n\n if (!frontmatter.name) return null;\n\n // Everything after frontmatter is instructions\n const instructionLines = lines.slice(endIdx + 1);\n const instructions = instructionLines.join(\"\\n\").trim();\n\n const skill: SkillDefinition = {\n name: frontmatter.name as string,\n version: frontmatter.version as string | undefined,\n description: frontmatter.description as string | undefined,\n tags: frontmatter.tags,\n inputSchema: frontmatter.schema as Record<string, unknown> | undefined,\n slaDefinition: frontmatter.sla as Record<string, unknown> | undefined,\n instructions: instructions || undefined,\n };\n\n // Map agentVault namespace to extended SkillDefinition fields\n if (frontmatter.agentVault) {\n const av = frontmatter.agentVault;\n if (av.certification) skill.certificationTier = av.certification;\n if (av.runtime?.capabilities) skill.toolsAllowed = av.runtime.capabilities;\n if (av.runtime?.forbidden) skill.toolsDenied = av.runtime.forbidden;\n if (av.runtime?.output_schema) skill.outputSchema = av.runtime.output_schema;\n if (av.model?.routing) skill.modelRouting = av.model.routing;\n if (av.model?.allowed) skill.allowedModels = av.model.allowed;\n if (av.model?.default) skill.defaultModel = av.model.default;\n if (av.integrity) skill.integrity = av.integrity as Record<string, unknown>;\n if (av.requiredPolicies) skill.requiredPolicies = av.requiredPolicies;\n }\n\n return skill;\n}\n\n/**\n * Simple YAML parser for frontmatter (handles basic key-value, arrays, nested objects).\n * Supports up to 3 levels of nesting (needed for agentVault namespace).\n * Not a full YAML parser \u2014 covers the subset used in SKILL.md files.\n */\nfunction parseSimpleYaml(yaml: string): Record<string, unknown> {\n const result: Record<string, unknown> = {};\n const lines = yaml.split(\"\\n\");\n\n // Stack-based parser to support multi-level nesting\n const stack: Array<{ key: string; obj: Record<string, unknown>; indent: number }> = [];\n let currentObj = result;\n\n function parseValue(raw: string): unknown {\n const value = raw.replace(/^[\"']|[\"']$/g, \"\");\n const num = Number(value);\n if (!isNaN(num) && value !== \"\") return num;\n if (value === \"true\") return true;\n if (value === \"false\") return false;\n return value;\n }\n\n for (const line of lines) {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n const indent = line.length - line.trimStart().length;\n\n // Pop stack back to appropriate level\n while (stack.length > 0 && indent <= stack[stack.length - 1]!.indent) {\n const popped = stack.pop()!;\n currentObj = stack.length > 0 ? stack[stack.length - 1]!.obj : result;\n // Attach the completed nested object to its parent\n currentObj[popped.key] = popped.obj;\n }\n\n // Inline array: key: [val1, val2]\n const inlineArrayMatch = trimmed.match(/^(\\w[\\w_-]*)\\s*:\\s*\\[(.+)\\]$/);\n if (inlineArrayMatch) {\n const key = inlineArrayMatch[1]!;\n const values = inlineArrayMatch[2]!\n .split(\",\")\n .map((v) => v.trim().replace(/^[\"']|[\"']$/g, \"\"));\n if (stack.length > 0) {\n stack[stack.length - 1]!.obj[key] = values;\n } else {\n currentObj[key] = values;\n }\n continue;\n }\n\n // Key with value: key: value\n const kvMatch = trimmed.match(/^(\\w[\\w_-]*)\\s*:\\s*(.+)$/);\n if (kvMatch) {\n const key = kvMatch[1]!;\n const val = parseValue(kvMatch[2]!);\n if (stack.length > 0) {\n stack[stack.length - 1]!.obj[key] = val;\n } else {\n currentObj[key] = val;\n }\n continue;\n }\n\n // Nested object start (key with no value \u2014 \"key:\")\n const nestedMatch = trimmed.match(/^(\\w[\\w_-]*)\\s*:$/);\n if (nestedMatch) {\n const key = nestedMatch[1]!;\n const newObj: Record<string, unknown> = {};\n stack.push({ key, obj: newObj, indent });\n continue;\n }\n }\n\n // Flush remaining stack\n while (stack.length > 0) {\n const popped = stack.pop()!;\n const parent = stack.length > 0 ? stack[stack.length - 1]!.obj : result;\n parent[popped.key] = popped.obj;\n }\n\n return result;\n}\n\n/**\n * Load skills from a directory by scanning for SKILL.md files.\n *\n * Matches:\n * - SKILL.md (exact match)\n * - *-SKILL.md or *_SKILL.md (e.g., Cortina-SKILL.md)\n * - Subdirectories containing SKILL.md (one level deep)\n */\nexport function loadSkillsFromDirectory(dir: string): SkillDefinition[] {\n const skills: SkillDefinition[] = [];\n const absDir = resolve(dir);\n\n if (!existsSync(absDir)) return skills;\n\n const seen = new Set<string>();\n\n function tryLoad(filePath: string): void {\n if (seen.has(filePath)) return;\n seen.add(filePath);\n try {\n const content = readFileSync(filePath, \"utf-8\");\n const skill = parseSkillMd(content);\n if (skill) skills.push(skill);\n } catch {\n // File not readable, skip\n }\n }\n\n try {\n const entries = readdirSync(absDir, { withFileTypes: true });\n for (const entry of entries) {\n if (entry.isFile() && entry.name.endsWith(\"SKILL.md\")) {\n // Match SKILL.md, Cortina-SKILL.md, my_SKILL.md, etc.\n tryLoad(join(absDir, entry.name));\n } else if (entry.isDirectory()) {\n // Check for SKILL.md inside subdirectories (one level deep)\n const subSkill = join(absDir, entry.name, \"SKILL.md\");\n if (existsSync(subSkill)) {\n tryLoad(subSkill);\n }\n }\n }\n } catch {\n // Directory not readable, skip\n }\n\n return skills;\n}\n\n/**\n * Load skills from backend API.\n */\nexport async function loadSkillsFromApi(\n apiUrl: string,\n apiKey: string,\n hubId: string,\n): Promise<SkillDefinition[]> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/hub/identities/${hubId}/skills`, {\n headers: { Authorization: `Bearer ${apiKey}` },\n });\n if (!res.ok) return [];\n\n const data = (await res.json()) as Array<{\n capability_name: string;\n capability_version?: string;\n description?: string;\n skill_content?: string;\n mcp_metadata?: Record<string, unknown>;\n schema_definition?: Record<string, unknown>;\n sla_definition?: Record<string, unknown>;\n tags?: string[];\n instructions?: string;\n }>;\n\n return data.map((cap) => ({\n name: cap.capability_name,\n version: cap.capability_version,\n description: cap.description,\n inputSchema: cap.schema_definition,\n slaDefinition: cap.sla_definition,\n tags: cap.tags,\n instructions: cap.instructions,\n }));\n } catch {\n return [];\n }\n}\n\n/**\n * Merge local and remote skills. Local definitions take precedence.\n */\nexport function mergeSkills(\n local: SkillDefinition[],\n remote: SkillDefinition[],\n): SkillManifest {\n const byName = new Map<string, SkillDefinition>();\n\n // Remote first (lower precedence)\n for (const skill of remote) {\n byName.set(skill.name, skill);\n }\n\n // Local overwrites (higher precedence)\n for (const skill of local) {\n byName.set(skill.name, skill);\n }\n\n const source =\n local.length > 0 && remote.length > 0\n ? \"merged\"\n : local.length > 0\n ? \"local\"\n : \"remote\";\n\n return {\n skills: Array.from(byName.values()),\n source,\n };\n}\n", null, null, "import sodium from \"libsodium-wrappers-sumo\";\n\nexport interface IdentityKeypair {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n keyType: \"ed25519\";\n}\n\nexport interface EphemeralKeypair {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n keyType: \"x25519\";\n}\n\nexport async function generateIdentityKeypair(): Promise<IdentityKeypair> {\n await sodium.ready;\n const kp = sodium.crypto_sign_keypair();\n return {\n publicKey: kp.publicKey,\n privateKey: kp.privateKey,\n keyType: \"ed25519\",\n };\n}\n\nexport async function generateEphemeralKeypair(): Promise<EphemeralKeypair> {\n await sodium.ready;\n const kp = sodium.crypto_box_keypair();\n return {\n publicKey: kp.publicKey,\n privateKey: kp.privateKey,\n keyType: \"x25519\",\n };\n}\n\nexport function computeFingerprint(publicKey: Uint8Array): string {\n const hash = sodium.crypto_generichash(8, publicKey);\n return Array.from(hash)\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\":\");\n}\n\nexport function createProofOfPossession(\n privateKey: Uint8Array,\n publicKey: Uint8Array,\n): Uint8Array {\n return sodium.crypto_sign_detached(publicKey, privateKey);\n}\n\nexport function verifyProofOfPossession(\n proof: Uint8Array,\n publicKey: Uint8Array,\n): boolean {\n try {\n return sodium.crypto_sign_verify_detached(proof, publicKey, publicKey);\n } catch {\n return false;\n }\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\nexport interface X3DHParams {\n myIdentityPrivate: Uint8Array; // Ed25519 private key (64 bytes)\n myEphemeralPrivate: Uint8Array; // X25519 private key (32 bytes)\n theirIdentityPublic: Uint8Array; // Ed25519 public key (32 bytes)\n theirEphemeralPublic: Uint8Array; // X25519 public key (32 bytes)\n isInitiator: boolean;\n}\n\nfunction ed25519PrivateToX25519(edPrivate: Uint8Array): Uint8Array {\n return sodium.crypto_sign_ed25519_sk_to_curve25519(edPrivate);\n}\n\nfunction ed25519PublicToX25519(edPublic: Uint8Array): Uint8Array {\n return sodium.crypto_sign_ed25519_pk_to_curve25519(edPublic);\n}\n\nexport function performX3DH(params: X3DHParams): Uint8Array {\n const myIdentityX = ed25519PrivateToX25519(params.myIdentityPrivate);\n const theirIdentityX = ed25519PublicToX25519(params.theirIdentityPublic);\n\n // DH1: my identity x their ephemeral\n const dh1 = sodium.crypto_scalarmult(myIdentityX, params.theirEphemeralPublic);\n // DH2: my ephemeral x their identity\n const dh2 = sodium.crypto_scalarmult(params.myEphemeralPrivate, theirIdentityX);\n // DH3: my ephemeral x their ephemeral\n const dh3 = sodium.crypto_scalarmult(\n params.myEphemeralPrivate,\n params.theirEphemeralPublic,\n );\n\n // Concatenate DH results - order swapped by role so both sides get same result\n let combined: Uint8Array;\n if (params.isInitiator) {\n combined = new Uint8Array([...dh1, ...dh2, ...dh3]);\n } else {\n combined = new Uint8Array([...dh2, ...dh1, ...dh3]);\n }\n\n // KDF to derive 32-byte shared secret\n return sodium.crypto_generichash(32, combined);\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\nimport type { IdentityKeypair } from \"./keys.js\";\n\nconst MAX_SKIP = 1000;\nconst CHAIN_KEY_SEED = new Uint8Array([0x01]);\nconst MSG_KEY_SEED = new Uint8Array([0x02]);\nconst HEADER_KEY_SEED = new Uint8Array([0x03]);\n\nexport interface RatchetHeader {\n dhPublicKey: Uint8Array;\n previousChainLength: number;\n messageNumber: number;\n}\n\nexport interface EncryptedMessage {\n header: RatchetHeader;\n headerSignature: Uint8Array;\n ciphertext: Uint8Array;\n nonce: Uint8Array;\n /** V2 header encryption fields (present when envelope_version = \"2.0.0\") */\n envelopeVersion?: string;\n encryptedHeader?: Uint8Array;\n headerNonce?: Uint8Array;\n}\n\ninterface ChainState {\n chainKey: Uint8Array;\n messageNumber: number;\n}\n\ninterface SkippedKey {\n dhPub: string; // hex of the DH public key\n n: number; // message number\n messageKey: Uint8Array;\n headerKey?: Uint8Array; // present for v2 out-of-order messages\n}\n\ninterface RatchetState {\n rootKey: Uint8Array;\n sendingChain: ChainState | null;\n receivingChain: ChainState | null;\n dhSendingKeypair: { publicKey: Uint8Array; privateKey: Uint8Array };\n dhReceivingPublicKey: Uint8Array | null;\n identityKeypair: { publicKey: Uint8Array; privateKey: Uint8Array };\n peerIdentityPublicKey: Uint8Array | null;\n previousSendingChainLength: number;\n skippedKeys: SkippedKey[];\n}\n\nfunction kdfChainKey(chainKey: Uint8Array): {\n nextChainKey: Uint8Array;\n messageKey: Uint8Array;\n headerKey: Uint8Array;\n} {\n const nextChainKey = sodium.crypto_generichash(32, chainKey, CHAIN_KEY_SEED);\n const messageKey = sodium.crypto_generichash(32, chainKey, MSG_KEY_SEED);\n const headerKey = sodium.crypto_generichash(32, chainKey, HEADER_KEY_SEED);\n return { nextChainKey, messageKey, headerKey };\n}\n\nfunction kdfRootKey(\n rootKey: Uint8Array,\n dhOutput: Uint8Array,\n): { newRootKey: Uint8Array; newChainKey: Uint8Array } {\n // Derive 64 bytes: first 32 = new root key, second 32 = new chain key\n const derived = sodium.crypto_generichash(\n 64,\n new Uint8Array([...rootKey, ...dhOutput]),\n );\n return {\n newRootKey: derived.slice(0, 32),\n newChainKey: derived.slice(32, 64),\n };\n}\n\nfunction generateDHKeypair(): {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n} {\n const kp = sodium.crypto_box_keypair();\n return { publicKey: kp.publicKey, privateKey: kp.privateKey };\n}\n\nfunction dh(\n myPrivate: Uint8Array,\n theirPublic: Uint8Array,\n): Uint8Array {\n return sodium.crypto_scalarmult(myPrivate, theirPublic);\n}\n\nfunction serializeHeader(header: RatchetHeader): Uint8Array {\n const dhPubHex = sodium.to_hex(header.dhPublicKey);\n const json = JSON.stringify({\n dh: dhPubHex,\n pcl: header.previousChainLength,\n n: header.messageNumber,\n });\n return sodium.from_string(json);\n}\n\nfunction signHeader(\n header: RatchetHeader,\n identityPrivateKey: Uint8Array,\n): Uint8Array {\n const serialized = serializeHeader(header);\n return sodium.crypto_sign_detached(serialized, identityPrivateKey);\n}\n\nfunction verifyHeaderSignature(\n header: RatchetHeader,\n signature: Uint8Array,\n identityPublicKey: Uint8Array,\n): boolean {\n const serialized = serializeHeader(header);\n return sodium.crypto_sign_verify_detached(\n signature,\n serialized,\n identityPublicKey,\n );\n}\n\nexport class DoubleRatchet {\n private state: RatchetState;\n\n private constructor(state: RatchetState) {\n this.state = state;\n }\n\n static initSender(\n sharedSecret: Uint8Array,\n identityKeypair: IdentityKeypair,\n peerIdentityPublicKey?: Uint8Array,\n ): DoubleRatchet {\n const dhKeypair = generateDHKeypair();\n\n return new DoubleRatchet({\n rootKey: sharedSecret,\n sendingChain: { chainKey: sharedSecret, messageNumber: 0 },\n receivingChain: null,\n dhSendingKeypair: dhKeypair,\n dhReceivingPublicKey: null,\n identityKeypair: {\n publicKey: identityKeypair.publicKey,\n privateKey: identityKeypair.privateKey,\n },\n peerIdentityPublicKey: peerIdentityPublicKey ?? null,\n previousSendingChainLength: 0,\n skippedKeys: [],\n });\n }\n\n static initReceiver(\n sharedSecret: Uint8Array,\n identityKeypair: IdentityKeypair,\n peerIdentityPublicKey?: Uint8Array,\n ): DoubleRatchet {\n const dhKeypair = generateDHKeypair();\n\n return new DoubleRatchet({\n rootKey: sharedSecret,\n sendingChain: null,\n receivingChain: { chainKey: sharedSecret, messageNumber: 0 },\n dhSendingKeypair: dhKeypair,\n dhReceivingPublicKey: null,\n identityKeypair: {\n publicKey: identityKeypair.publicKey,\n privateKey: identityKeypair.privateKey,\n },\n peerIdentityPublicKey: peerIdentityPublicKey ?? null,\n previousSendingChainLength: 0,\n skippedKeys: [],\n });\n }\n\n encrypt(plaintext: string, headerEncryption = false): EncryptedMessage {\n if (!this.state.sendingChain) {\n // Perform DH ratchet step for sending\n this.dhRatchetSend();\n }\n\n const chain = this.state.sendingChain!;\n const { nextChainKey, messageKey, headerKey } = kdfChainKey(chain.chainKey);\n\n const header: RatchetHeader = {\n dhPublicKey: this.state.dhSendingKeypair.publicKey,\n previousChainLength: this.state.previousSendingChainLength,\n messageNumber: chain.messageNumber,\n };\n\n const headerSignature = signHeader(\n header,\n this.state.identityKeypair.privateKey,\n );\n\n const nonce = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES,\n );\n\n const plaintextBytes = sodium.from_string(plaintext);\n\n if (headerEncryption) {\n // V2: encrypt header, use encrypted header bytes as AD for message ciphertext\n const headerBytes = serializeHeader(header);\n const headerNonce = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES,\n );\n const encryptedHeader = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n headerBytes,\n null,\n null,\n headerNonce,\n headerKey,\n );\n\n // Use encrypted header as AD for message ciphertext\n const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plaintextBytes,\n encryptedHeader,\n null,\n nonce,\n messageKey,\n );\n\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n\n return {\n header,\n headerSignature,\n ciphertext,\n nonce,\n envelopeVersion: \"2.0.0\",\n encryptedHeader,\n headerNonce,\n };\n }\n\n // V1: plaintext header as AD (existing behavior)\n const ad = serializeHeader(header);\n const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plaintextBytes,\n ad,\n null,\n nonce,\n messageKey,\n );\n\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n\n return { header, headerSignature, ciphertext, nonce };\n }\n\n decrypt(message: EncryptedMessage): string {\n // V2 dispatch: if message has encryptedHeader, use v2 path\n const isV2 = message.envelopeVersion === \"2.0.0\" &&\n message.encryptedHeader != null &&\n message.headerNonce != null;\n\n // Try skipped keys first\n const skippedResult = this.trySkippedKeys(message, isV2);\n if (skippedResult !== null) {\n return skippedResult;\n }\n\n const headerDhHex = sodium.to_hex(message.header.dhPublicKey);\n const currentDhHex = this.state.dhReceivingPublicKey\n ? sodium.to_hex(this.state.dhReceivingPublicKey)\n : null;\n\n if (currentDhHex === null && this.state.receivingChain) {\n // First message ever received by the receiver side.\n // The receiving chain was initialized from the shared secret,\n // so just store the sender's DH key for future ratchet steps.\n this.state.dhReceivingPublicKey = message.header.dhPublicKey;\n } else if (currentDhHex === null && !this.state.receivingChain) {\n // Sender (initiator) receiving its first message from the receiver.\n if (message.header.messageNumber === 0) {\n try {\n const { messageKey: testKey, headerKey: testHeaderKey, nextChainKey } = kdfChainKey(\n this.state.rootKey,\n );\n\n let ad: Uint8Array;\n if (isV2) {\n // Decrypt header to verify, then use encryptedHeader as AD\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.encryptedHeader!,\n null,\n message.headerNonce!,\n testHeaderKey,\n );\n ad = message.encryptedHeader!;\n } else {\n ad = serializeHeader(message.header);\n }\n\n const ptBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n ad,\n message.nonce,\n testKey,\n );\n // rootKey worked \u2014 commit state\n this.state.dhReceivingPublicKey = message.header.dhPublicKey;\n this.state.receivingChain = {\n chainKey: nextChainKey,\n messageNumber: 1,\n };\n return sodium.to_string(ptBytes);\n } catch {\n // rootKey chain didn't match \u2014 fall through to DH ratchet\n }\n }\n // Case (b) or messageNumber > 0: full DH ratchet receive\n this.dhRatchetReceive(message.header.dhPublicKey);\n } else if (headerDhHex !== currentDhHex) {\n // DH public key changed (direction change in ongoing conversation).\n if (this.state.receivingChain && this.state.dhReceivingPublicKey) {\n this.skipMessages(\n this.state.receivingChain,\n message.header.previousChainLength,\n this.state.dhReceivingPublicKey,\n isV2,\n );\n }\n\n // DH ratchet step\n this.dhRatchetReceive(message.header.dhPublicKey);\n }\n\n // Skip ahead to the message number in the current chain\n this.skipMessages(\n this.state.receivingChain!,\n message.header.messageNumber,\n message.header.dhPublicKey,\n isV2,\n );\n\n const chain = this.state.receivingChain!;\n const { nextChainKey, messageKey, headerKey } = kdfChainKey(chain.chainKey);\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n\n // Verify header signature using the peer's identity public key\n if (this.state.peerIdentityPublicKey) {\n if (!verifyHeaderSignature(message.header, message.headerSignature, this.state.peerIdentityPublicKey)) {\n throw new Error(\"Header signature verification failed\");\n }\n }\n\n if (isV2) {\n // V2: decrypt header to verify integrity, use encryptedHeader as AD\n try {\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.encryptedHeader!,\n null,\n message.headerNonce!,\n headerKey,\n );\n } catch {\n throw new Error(\"V2 header decryption failed\");\n }\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n message.encryptedHeader!,\n message.nonce,\n messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"V2 decryption failed: ciphertext tampered or wrong key\");\n }\n }\n\n // V1: plaintext header as AD\n const ad = serializeHeader(message.header);\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n ad,\n message.nonce,\n messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"Decryption failed: ciphertext tampered or wrong key\");\n }\n }\n\n private dhRatchetReceive(theirDhPublic: Uint8Array): void {\n this.state.previousSendingChainLength =\n this.state.sendingChain?.messageNumber ?? 0;\n this.state.dhReceivingPublicKey = theirDhPublic;\n\n // Derive new root key + receiving chain key\n const dhOutput = dh(\n this.state.dhSendingKeypair.privateKey,\n theirDhPublic,\n );\n const { newRootKey, newChainKey } = kdfRootKey(\n this.state.rootKey,\n dhOutput,\n );\n this.state.rootKey = newRootKey;\n this.state.receivingChain = { chainKey: newChainKey, messageNumber: 0 };\n\n // Generate new DH keypair for sending\n this.state.dhSendingKeypair = generateDHKeypair();\n\n // Derive new sending chain\n const dhOutput2 = dh(\n this.state.dhSendingKeypair.privateKey,\n theirDhPublic,\n );\n const { newRootKey: newRootKey2, newChainKey: newChainKey2 } = kdfRootKey(\n this.state.rootKey,\n dhOutput2,\n );\n this.state.rootKey = newRootKey2;\n this.state.sendingChain = { chainKey: newChainKey2, messageNumber: 0 };\n }\n\n private dhRatchetSend(): void {\n if (!this.state.dhReceivingPublicKey) {\n // No receiving key yet - create initial sending chain from root key\n this.state.sendingChain = {\n chainKey: this.state.rootKey,\n messageNumber: 0,\n };\n return;\n }\n\n this.state.previousSendingChainLength =\n this.state.sendingChain?.messageNumber ?? 0;\n\n // Generate new DH keypair\n this.state.dhSendingKeypair = generateDHKeypair();\n\n const dhOutput = dh(\n this.state.dhSendingKeypair.privateKey,\n this.state.dhReceivingPublicKey,\n );\n const { newRootKey, newChainKey } = kdfRootKey(\n this.state.rootKey,\n dhOutput,\n );\n this.state.rootKey = newRootKey;\n this.state.sendingChain = { chainKey: newChainKey, messageNumber: 0 };\n }\n\n private skipMessages(\n chain: ChainState,\n until: number,\n dhPublicKey: Uint8Array,\n storeHeaderKey = false,\n ): void {\n if (until - chain.messageNumber > MAX_SKIP) {\n throw new Error(\"Too many skipped messages\");\n }\n\n const dhPubHex = sodium.to_hex(dhPublicKey);\n\n while (chain.messageNumber < until) {\n const { nextChainKey, messageKey, headerKey } = kdfChainKey(chain.chainKey);\n const sk: SkippedKey = {\n dhPub: dhPubHex,\n n: chain.messageNumber,\n messageKey,\n };\n if (storeHeaderKey) {\n sk.headerKey = headerKey;\n }\n this.state.skippedKeys.push(sk);\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n }\n\n // Trim skipped keys if too many\n while (this.state.skippedKeys.length > MAX_SKIP) {\n this.state.skippedKeys.shift();\n }\n }\n\n private trySkippedKeys(message: EncryptedMessage, isV2 = false): string | null {\n const dhPubHex = sodium.to_hex(message.header.dhPublicKey);\n const idx = this.state.skippedKeys.findIndex(\n (sk) => sk.dhPub === dhPubHex && sk.n === message.header.messageNumber,\n );\n\n if (idx === -1) {\n return null;\n }\n\n const skipped = this.state.skippedKeys[idx];\n this.state.skippedKeys.splice(idx, 1);\n\n if (isV2 && skipped.headerKey && message.encryptedHeader && message.headerNonce) {\n // V2: verify encrypted header, use as AD\n try {\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.encryptedHeader,\n null,\n message.headerNonce,\n skipped.headerKey,\n );\n } catch {\n throw new Error(\"V2 header decryption failed with skipped key\");\n }\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n message.encryptedHeader,\n message.nonce,\n skipped.messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"V2 decryption failed with skipped key\");\n }\n }\n\n // V1: plaintext header as AD\n const ad = serializeHeader(message.header);\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n ad,\n message.nonce,\n skipped.messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"Decryption failed with skipped key\");\n }\n }\n\n serialize(): string {\n const s = this.state;\n return JSON.stringify({\n version: 1,\n rootKey: sodium.to_hex(s.rootKey),\n sendingChain: s.sendingChain\n ? {\n chainKey: sodium.to_hex(s.sendingChain.chainKey),\n messageNumber: s.sendingChain.messageNumber,\n }\n : null,\n receivingChain: s.receivingChain\n ? {\n chainKey: sodium.to_hex(s.receivingChain.chainKey),\n messageNumber: s.receivingChain.messageNumber,\n }\n : null,\n dhSendingKeypair: {\n publicKey: sodium.to_hex(s.dhSendingKeypair.publicKey),\n privateKey: sodium.to_hex(s.dhSendingKeypair.privateKey),\n },\n dhReceivingPublicKey: s.dhReceivingPublicKey\n ? sodium.to_hex(s.dhReceivingPublicKey)\n : null,\n identityKeypair: {\n publicKey: sodium.to_hex(s.identityKeypair.publicKey),\n privateKey: sodium.to_hex(s.identityKeypair.privateKey),\n },\n peerIdentityPublicKey: s.peerIdentityPublicKey ? sodium.to_hex(s.peerIdentityPublicKey) : null,\n previousSendingChainLength: s.previousSendingChainLength,\n skippedKeys: s.skippedKeys.map((sk) => ({\n dhPub: sk.dhPub,\n n: sk.n,\n messageKey: sodium.to_hex(sk.messageKey),\n ...(sk.headerKey ? { headerKey: sodium.to_hex(sk.headerKey) } : {}),\n })),\n });\n }\n\n static deserialize(json: string): DoubleRatchet {\n let d: Record<string, unknown>;\n try {\n d = JSON.parse(json) as Record<string, unknown>;\n } catch {\n throw new Error(\"Ratchet state: corrupt JSON\");\n }\n\n // Version gate\n if (d.version !== undefined && d.version !== 1) {\n throw new Error(\n `Ratchet state version ${d.version} not supported`,\n );\n }\n\n // Required field validation\n if (typeof d.rootKey !== \"string\") {\n throw new Error(\"Ratchet state: missing required field rootKey\");\n }\n const dhSend = d.dhSendingKeypair as\n | { publicKey?: string; privateKey?: string }\n | undefined;\n if (\n !dhSend ||\n typeof dhSend.publicKey !== \"string\" ||\n typeof dhSend.privateKey !== \"string\"\n ) {\n throw new Error(\n \"Ratchet state: missing required field dhSendingKeypair\",\n );\n }\n const idKp = d.identityKeypair as\n | { publicKey?: string; privateKey?: string }\n | undefined;\n if (\n !idKp ||\n typeof idKp.publicKey !== \"string\" ||\n typeof idKp.privateKey !== \"string\"\n ) {\n throw new Error(\n \"Ratchet state: missing required field identityKeypair\",\n );\n }\n\n try {\n return new DoubleRatchet({\n rootKey: sodium.from_hex(d.rootKey as string),\n sendingChain: d.sendingChain\n ? {\n chainKey: sodium.from_hex(\n (d.sendingChain as { chainKey: string }).chainKey,\n ),\n messageNumber: (d.sendingChain as { messageNumber: number })\n .messageNumber,\n }\n : null,\n receivingChain: d.receivingChain\n ? {\n chainKey: sodium.from_hex(\n (d.receivingChain as { chainKey: string }).chainKey,\n ),\n messageNumber: (d.receivingChain as { messageNumber: number })\n .messageNumber,\n }\n : null,\n dhSendingKeypair: {\n publicKey: sodium.from_hex(dhSend.publicKey!),\n privateKey: sodium.from_hex(dhSend.privateKey!),\n },\n dhReceivingPublicKey: d.dhReceivingPublicKey\n ? sodium.from_hex(d.dhReceivingPublicKey as string)\n : null,\n identityKeypair: {\n publicKey: sodium.from_hex(idKp.publicKey!),\n privateKey: sodium.from_hex(idKp.privateKey!),\n },\n peerIdentityPublicKey: d.peerIdentityPublicKey\n ? sodium.from_hex(d.peerIdentityPublicKey as string)\n : null,\n previousSendingChainLength:\n d.previousSendingChainLength as number,\n skippedKeys: (\n d.skippedKeys as Array<{\n dhPub: string;\n n: number;\n messageKey: string;\n headerKey?: string;\n }>\n ).map((sk) => ({\n dhPub: sk.dhPub,\n n: sk.n,\n messageKey: sodium.from_hex(sk.messageKey),\n ...(sk.headerKey ? { headerKey: sodium.from_hex(sk.headerKey) } : {}),\n })),\n });\n } catch (err) {\n if (err instanceof Error && err.message.startsWith(\"Ratchet state\")) {\n throw err;\n }\n throw new Error(\n `Ratchet state: corrupt hex data \u2014 ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\nexport interface EncryptedFileResult {\n encryptedData: Uint8Array;\n fileKey: Uint8Array; // 32 bytes \u2014 XChaCha20-Poly1305 key\n fileNonce: Uint8Array; // 24 bytes\n digest: string; // BLAKE2b hex digest of encrypted blob (integrity check)\n}\n\n/**\n * Encrypt a file with a random XChaCha20-Poly1305 key.\n * Returns the encrypted blob, the key, nonce, and a BLAKE2b digest\n * of the ciphertext for integrity verification after download.\n */\nexport function encryptFile(plainData: Uint8Array): EncryptedFileResult {\n const fileKey = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_KEYBYTES,\n );\n const fileNonce = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES,\n );\n\n const encryptedData = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plainData,\n null, // no additional data\n null, // secret nonce (unused)\n fileNonce,\n fileKey,\n );\n\n const digestBytes = sodium.crypto_generichash(32, encryptedData);\n const digest = sodium.to_hex(digestBytes);\n\n return { encryptedData, fileKey, fileNonce, digest };\n}\n\n/**\n * Decrypt a file encrypted with encryptFile().\n * Throws if the key/nonce are wrong or the ciphertext was tampered with.\n */\nexport function decryptFile(\n encryptedData: Uint8Array,\n fileKey: Uint8Array,\n fileNonce: Uint8Array,\n): Uint8Array {\n return sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null, // secret nonce (unused)\n encryptedData,\n null, // no additional data\n fileNonce,\n fileKey,\n );\n}\n\n/**\n * Compute a BLAKE2b hex digest for integrity verification.\n */\nexport function computeFileDigest(data: Uint8Array): string {\n const digestBytes = sodium.crypto_generichash(32, data);\n return sodium.to_hex(digestBytes);\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\n/** Domain separation prefixes to prevent cross-protocol signature confusion. */\nexport const DOMAIN_DID_DOCUMENT = \"DID-DOCUMENT:\";\nexport const DOMAIN_TRANSFER_INTENT = \"TRANSFER-INTENT:\";\nexport const DOMAIN_TRANSFER_ACCEPT = \"TRANSFER-ACCEPT:\";\n\n/**\n * JCS (JSON Canonicalization Scheme \u2014 RFC 8785) serialization.\n * Produces deterministic JSON bytes: sorted keys at every level, UTF-8 encoded.\n *\n * Note: Uses sodium.from_string() instead of TextEncoder for React Native compatibility.\n * Callers must ensure sodium.ready has been awaited before calling this function.\n */\nexport function canonicalize(obj: unknown): Uint8Array {\n const json = jsonCanonical(obj) ?? \"\";\n return sodium.from_string(json);\n}\n\nfunction jsonCanonical(value: unknown): string | undefined {\n if (value === undefined) return undefined;\n if (value === null) return \"null\";\n if (typeof value === \"boolean\" || typeof value === \"number\") return JSON.stringify(value);\n if (typeof value === \"string\") return JSON.stringify(value);\n if (Array.isArray(value)) {\n return \"[\" + value.map(jsonCanonical).join(\",\") + \"]\";\n }\n if (typeof value === \"object\") {\n const keys = Object.keys(value as Record<string, unknown>).sort();\n const entries = keys\n .map((k) => {\n const v = jsonCanonical((value as Record<string, unknown>)[k]);\n if (v === undefined) return undefined;\n return JSON.stringify(k) + \":\" + v;\n })\n .filter((entry): entry is string => entry !== undefined);\n return \"{\" + entries.join(\",\") + \"}\";\n }\n return JSON.stringify(value);\n}\n\n// --- Base58btc encoding (multibase z-prefix) ---\n\nconst BASE58_ALPHABET = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";\n\nfunction base58Encode(bytes: Uint8Array): string {\n let zeros = 0;\n for (const b of bytes) {\n if (b === 0) zeros++;\n else break;\n }\n\n let num = BigInt(0);\n for (const b of bytes) {\n num = num * 256n + BigInt(b);\n }\n\n let result = \"\";\n while (num > 0n) {\n const remainder = Number(num % 58n);\n num = num / 58n;\n result = BASE58_ALPHABET[remainder] + result;\n }\n\n return \"1\".repeat(zeros) + result;\n}\n\nfunction base58Decode(str: string): Uint8Array {\n let zeros = 0;\n for (const c of str) {\n if (c === \"1\") zeros++;\n else break;\n }\n\n let num = BigInt(0);\n for (const c of str.slice(zeros)) {\n const idx = BASE58_ALPHABET.indexOf(c);\n if (idx === -1) throw new Error(`Invalid base58 character: ${c}`);\n num = num * 58n + BigInt(idx);\n }\n\n const hex = num === 0n ? \"\" : num.toString(16).padStart(2, \"0\");\n const paddedHex = hex.length % 2 ? \"0\" + hex : hex;\n const dataBytes = new Uint8Array(\n (paddedHex.match(/.{2}/g) ?? []).map((b) => parseInt(b, 16)),\n );\n\n const result = new Uint8Array(zeros + dataBytes.length);\n result.set(dataBytes, zeros);\n return result;\n}\n\n/**\n * Encode an Ed25519 public key as multibase z-prefixed base58btc.\n * Prepends the multicodec Ed25519 prefix (0xed, 0x01) per did:key spec.\n */\nexport function publicKeyToMultibase(publicKey: Uint8Array): string {\n const prefixed = new Uint8Array(2 + publicKey.length);\n prefixed[0] = 0xed;\n prefixed[1] = 0x01;\n prefixed.set(publicKey, 2);\n return \"z\" + base58Encode(prefixed);\n}\n\n/**\n * Decode a multibase z-prefixed base58btc string back to raw Ed25519 public key bytes.\n * Strips the multicodec prefix.\n */\nexport function multibaseToPublicKey(multibase: string): Uint8Array {\n if (!multibase.startsWith(\"z\")) {\n throw new Error(\"Multibase string must start with 'z' (base58btc)\");\n }\n const decoded = base58Decode(multibase.slice(1));\n if (decoded.length < 2 || decoded[0] !== 0xed || decoded[1] !== 0x01) {\n throw new Error(\"Invalid Ed25519 multicodec prefix\");\n }\n return decoded.slice(2);\n}\n\n/**\n * Sign a document (any JSON-serializable object) with an Ed25519 private key.\n * Returns a detached signature over the domain-separated, JCS-canonicalized bytes.\n *\n * The signature is computed over `DOMAIN_DID_DOCUMENT + canonicalize(document)`\n * to prevent cross-protocol signature confusion.\n */\nexport async function signDocument(\n document: object,\n privateKey: Uint8Array,\n): Promise<Uint8Array> {\n await sodium.ready;\n const canonical = canonicalize(document);\n const domainPrefix = sodium.from_string(DOMAIN_DID_DOCUMENT);\n const message = new Uint8Array(domainPrefix.length + canonical.length);\n message.set(domainPrefix);\n message.set(canonical, domainPrefix.length);\n return sodium.crypto_sign_detached(message, privateKey);\n}\n\n/**\n * Verify a detached Ed25519 signature over a domain-separated, JCS-canonicalized document.\n *\n * Verifies against `DOMAIN_DID_DOCUMENT + canonicalize(document)`.\n */\nexport async function verifyDocumentSignature(\n document: object,\n signature: Uint8Array,\n publicKey: Uint8Array,\n): Promise<boolean> {\n await sodium.ready;\n const canonical = canonicalize(document);\n const domainPrefix = sodium.from_string(DOMAIN_DID_DOCUMENT);\n const message = new Uint8Array(domainPrefix.length + canonical.length);\n message.set(domainPrefix);\n message.set(canonical, domainPrefix.length);\n try {\n return sodium.crypto_sign_verify_detached(signature, message, publicKey);\n } catch {\n return false;\n }\n}\n\n/** Parameters for building a DID document. */\nexport interface BuildDidDocumentParams {\n hubAddress: string;\n ownerPublicKey: Uint8Array;\n agentPublicKey: Uint8Array;\n serviceEndpoint: string;\n profileEndpoint: string;\n /** ISO 8601 timestamp for created/updated fields. Defaults to current time. */\n created?: string;\n}\n\n/** A W3C DID Document verification method. */\nexport interface DidVerificationMethod {\n id: string;\n type: string;\n controller: string;\n publicKeyMultibase: string;\n}\n\n/** A W3C DID Document service entry. */\nexport interface DidService {\n id: string;\n type: string;\n serviceEndpoint: string;\n}\n\n/** A W3C DID Document for an AgentVault hub identity. */\nexport interface DidDocument {\n \"@context\": string[];\n id: string;\n controller: string;\n verificationMethod: DidVerificationMethod[];\n authentication: string[];\n assertionMethod: string[];\n service: DidService[];\n created: string;\n updated: string;\n}\n\n/**\n * Build a W3C DID Document for an AgentVault hub identity.\n */\nexport function buildDidDocument(params: BuildDidDocumentParams): DidDocument {\n const { hubAddress, ownerPublicKey, agentPublicKey, serviceEndpoint, profileEndpoint } = params;\n const didId = `did:hub:${hubAddress}`;\n const ownerMultibase = publicKeyToMultibase(ownerPublicKey);\n const agentMultibase = publicKeyToMultibase(agentPublicKey);\n const controllerDid = `did:key:${ownerMultibase}`;\n\n const now = params.created ?? new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n \"https://www.w3.org/ns/did/v1\",\n \"https://w3id.org/security/suites/ed25519-2020/v1\",\n ],\n id: didId,\n controller: controllerDid,\n verificationMethod: [\n {\n id: `${didId}#owner-key`,\n type: \"Ed25519VerificationKey2020\",\n controller: didId,\n publicKeyMultibase: ownerMultibase,\n },\n {\n id: `${didId}#agent-key`,\n type: \"Ed25519VerificationKey2020\",\n controller: didId,\n publicKeyMultibase: agentMultibase,\n },\n ],\n authentication: [`${didId}#owner-key`],\n assertionMethod: [`${didId}#owner-key`, `${didId}#agent-key`],\n service: [\n {\n id: `${didId}#messaging`,\n type: \"AgentVaultSecureChannel\",\n serviceEndpoint,\n },\n {\n id: `${didId}#profile`,\n type: \"AgentVaultProfile\",\n serviceEndpoint: profileEndpoint,\n },\n ],\n created: now,\n updated: now,\n };\n}\n", "/**\n * ScanEngine \u2014 client-side policy scanning for AgentVault.\n *\n * Evaluates scan rules against plaintext before encryption (outbound)\n * and after decryption (inbound). Pure TypeScript, no external dependencies.\n */\n\nexport interface ScanRule {\n id: string;\n name: string;\n direction: \"outbound\" | \"inbound\" | \"both\";\n scanner_type: \"regex\" | \"keyword_list\" | \"builtin\";\n scanner_config: Record<string, any>;\n action: \"block\" | \"flag\" | \"warn\";\n priority: number;\n}\n\nexport interface ScanViolation {\n rule_id: string;\n rule_name: string;\n action: \"block\" | \"flag\" | \"warn\";\n scanner_type: string;\n match_summary: string; // pattern name only, never raw content\n}\n\nexport interface ScanResult {\n status: \"clean\" | \"flagged\" | \"blocked\";\n violations: ScanViolation[];\n}\n\n// -- Builtin patterns --------------------------------------------------------\n\nconst BUILTIN_PATTERNS: Record<string, RegExp[]> = {\n pii_ssn: [/\\b\\d{3}-\\d{2}-\\d{4}\\b/g, /\\b\\d{9}\\b/g],\n pii_credit_card: [\n /\\b4\\d{3}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g, // Visa\n /\\b5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g, // MC\n /\\b3[47]\\d{2}[\\s-]?\\d{6}[\\s-]?\\d{5}\\b/g, // Amex\n /\\b6(?:011|5\\d{2})[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g, // Discover\n ],\n pii_email: [/\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b/g],\n api_keys: [\n /\\bsk_live_[a-zA-Z0-9]{24,}\\b/g,\n /\\bAKIA[0-9A-Z]{16}\\b/g,\n /\\bghp_[a-zA-Z0-9]{36,}\\b/g,\n /\\bglpat-[a-zA-Z0-9_-]{20,}\\b/g,\n /\\bxoxb-[0-9]+-[0-9]+-[a-zA-Z0-9]+\\b/g,\n ],\n prompt_injection: [\n /\\bignore\\s+(?:all\\s+)?(?:previous|above|prior)\\s+instructions\\b/gi,\n /\\byou\\s+are\\s+now\\s+(?:a|an)\\s+/gi,\n /\\bsystem\\s*:\\s*you\\b/gi,\n /\\bDAN\\s+mode\\b/gi,\n /\\bdo\\s+anything\\s+now\\b/gi,\n /\\bdo\\s+not\\s+follow\\s+any\\s+(?:other\\s+)?rules\\b/gi,\n /\\bjailbreak\\b/gi,\n ],\n shell_injection: [\n /\\bcurl\\s+.*\\|\\s*(?:sh|bash|zsh)\\b/gi,\n /\\beval\\s*\\(/gi,\n /\\bexec\\s*\\(/gi,\n /\\bchmod\\s+\\+x\\b/gi,\n /\\brm\\s+-rf\\s+\\//gi,\n ],\n};\n\n// -- ScanEngine class --------------------------------------------------------\n\nexport class ScanEngine {\n private rules: ScanRule[] = [];\n private ruleSetVersion = 0;\n\n loadRules(rules: ScanRule[]): void {\n this.rules = [...rules].sort((a, b) => a.priority - b.priority);\n this.ruleSetVersion = rules.length > 0 ? Math.max(...rules.map(() => 1)) : 0;\n }\n\n getRuleSetVersion(): number {\n return this.ruleSetVersion;\n }\n\n scanOutbound(plaintext: string): ScanResult {\n return this._scan(plaintext, \"outbound\");\n }\n\n scanInbound(plaintext: string): ScanResult {\n return this._scan(plaintext, \"inbound\");\n }\n\n private _scan(\n plaintext: string,\n direction: \"outbound\" | \"inbound\",\n ): ScanResult {\n const violations: ScanViolation[] = [];\n let blocked = false;\n let flagged = false;\n\n for (const rule of this.rules) {\n if (rule.direction !== \"both\" && rule.direction !== direction) {\n continue;\n }\n\n const matched = this._evaluateRule(rule, plaintext);\n if (!matched) continue;\n\n const violation: ScanViolation = {\n rule_id: rule.id,\n rule_name: rule.name,\n action: rule.action,\n scanner_type: rule.scanner_type,\n match_summary: this._buildMatchSummary(rule),\n };\n\n violations.push(violation);\n\n if (rule.action === \"block\") {\n blocked = true;\n break; // stop evaluating on first block\n }\n if (rule.action === \"flag\") {\n flagged = true;\n }\n // warn: record violation but do not change status\n }\n\n const status = blocked ? \"blocked\" : flagged ? \"flagged\" : \"clean\";\n return { status, violations };\n }\n\n private _evaluateRule(rule: ScanRule, text: string): boolean {\n switch (rule.scanner_type) {\n case \"regex\":\n return this._evalRegex(rule.scanner_config, text);\n case \"keyword_list\":\n return this._evalKeywordList(rule.scanner_config, text);\n case \"builtin\":\n return this._evalBuiltin(rule.scanner_config, text);\n default:\n return false;\n }\n }\n\n private _evalRegex(config: Record<string, any>, text: string): boolean {\n const pattern = config.pattern as string;\n if (!pattern) return false;\n const flags = (config.flags as string) ?? \"\";\n const regex = new RegExp(pattern, flags);\n return regex.test(text);\n }\n\n private _evalKeywordList(config: Record<string, any>, text: string): boolean {\n const words = config.words as string[];\n if (!words || words.length === 0) return false;\n const matchMode = config.match ?? \"word_boundary\";\n\n for (const word of words) {\n if (matchMode === \"word_boundary\") {\n const regex = new RegExp(`\\\\b${this._escapeRegex(word)}\\\\b`, \"i\");\n if (regex.test(text)) return true;\n } else {\n if (text.toLowerCase().includes(word.toLowerCase())) return true;\n }\n }\n return false;\n }\n\n private _evalBuiltin(config: Record<string, any>, text: string): boolean {\n const builtinId = config.builtin as string;\n\n if (builtinId === \"pii_detector\") {\n const categories = (config.categories as string[]) ?? [];\n for (const cat of categories) {\n const key = `pii_${cat}`;\n const patterns = BUILTIN_PATTERNS[key];\n if (patterns) {\n for (const p of patterns) {\n // Create fresh RegExp to reset lastIndex (source patterns use /g)\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n }\n }\n return false;\n }\n\n if (builtinId === \"api_keys\") {\n const patterns = BUILTIN_PATTERNS.api_keys;\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n return false;\n }\n\n if (builtinId === \"prompt_injection\") {\n const patterns = BUILTIN_PATTERNS.prompt_injection;\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n return false;\n }\n\n if (builtinId === \"shell_injection\") {\n const patterns = BUILTIN_PATTERNS.shell_injection;\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n return false;\n }\n\n return false;\n }\n\n private _buildMatchSummary(rule: ScanRule): string {\n switch (rule.scanner_type) {\n case \"regex\":\n return `regex:${rule.name}`;\n case \"keyword_list\":\n return `keyword_list:${rule.name}`;\n case \"builtin\": {\n const builtinId = rule.scanner_config.builtin ?? \"unknown\";\n return `builtin:${builtinId}`;\n }\n default:\n return rule.scanner_type;\n }\n }\n\n private _escapeRegex(str: string): string {\n return str.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\");\n }\n\n /**\n * Scan a workspace file (e.g. SOUL.md) against all builtin patterns.\n * Runs api_keys, pii_*, prompt_injection, and shell_injection checks\n * regardless of rule direction.\n */\n /**\n * Scan a SKILL.md file for policy violations.\n * Like scanWorkspaceFile but skips prompt_injection on instruction body\n * (skills legitimately describe AI behaviors that look like injection).\n * Checks: api_keys (block), shell_injection (block), pii (flag).\n */\n static scanSkillMd(content: string): ScanResult {\n const violations: ScanViolation[] = [];\n let blocked = false;\n let flagged = false;\n\n const checks: Array<{ id: string; action: \"block\" | \"flag\" }> = [\n { id: \"api_keys\", action: \"block\" },\n { id: \"shell_injection\", action: \"block\" },\n { id: \"pii_ssn\", action: \"flag\" },\n { id: \"pii_credit_card\", action: \"flag\" },\n { id: \"pii_email\", action: \"flag\" },\n // Intentionally omits prompt_injection \u2014 SKILL.md instruction body\n // legitimately contains phrases like \"you are now a...\"\n ];\n\n for (const check of checks) {\n const patterns = BUILTIN_PATTERNS[check.id];\n if (!patterns) continue;\n\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(content)) {\n violations.push({\n rule_id: `skill_${check.id}`,\n rule_name: check.id,\n action: check.action,\n scanner_type: \"builtin\",\n match_summary: `builtin:${check.id}`,\n });\n if (check.action === \"block\") blocked = true;\n if (check.action === \"flag\") flagged = true;\n break;\n }\n }\n }\n\n const status = blocked ? \"blocked\" : flagged ? \"flagged\" : \"clean\";\n return { status, violations };\n }\n\n static scanWorkspaceFile(content: string): ScanResult {\n const violations: ScanViolation[] = [];\n let blocked = false;\n let flagged = false;\n\n const checks: Array<{ id: string; action: \"block\" | \"flag\" }> = [\n { id: \"api_keys\", action: \"block\" },\n { id: \"prompt_injection\", action: \"block\" },\n { id: \"shell_injection\", action: \"block\" },\n { id: \"pii_ssn\", action: \"flag\" },\n { id: \"pii_credit_card\", action: \"flag\" },\n { id: \"pii_email\", action: \"flag\" },\n ];\n\n for (const check of checks) {\n const patterns = BUILTIN_PATTERNS[check.id];\n if (!patterns) continue;\n\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(content)) {\n violations.push({\n rule_id: `workspace_${check.id}`,\n rule_name: check.id,\n action: check.action,\n scanner_type: \"builtin\",\n match_summary: `builtin:${check.id}`,\n });\n if (check.action === \"block\") blocked = true;\n if (check.action === \"flag\") flagged = true;\n break; // one match per category is enough\n }\n }\n }\n\n const status = blocked ? \"blocked\" : flagged ? \"flagged\" : \"clean\";\n return { status, violations };\n }\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\n/**\n * JCS (RFC 8785) canonical JSON serialization.\n * Same implementation as did.ts \u2014 duplicated here to avoid circular deps.\n */\nfunction jcsCanonical(value: unknown): string | undefined {\n if (value === undefined) return undefined;\n if (value === null) return \"null\";\n if (typeof value === \"boolean\" || typeof value === \"number\") return JSON.stringify(value);\n if (typeof value === \"string\") return JSON.stringify(value);\n if (Array.isArray(value)) {\n return \"[\" + value.map(jcsCanonical).join(\",\") + \"]\";\n }\n if (typeof value === \"object\") {\n const keys = Object.keys(value as Record<string, unknown>).sort();\n const entries = keys\n .map((k) => {\n const v = jcsCanonical((value as Record<string, unknown>)[k]);\n if (v === undefined) return undefined;\n return JSON.stringify(k) + \":\" + v;\n })\n .filter((entry): entry is string => entry !== undefined);\n return \"{\" + entries.join(\",\") + \"}\";\n }\n return JSON.stringify(value);\n}\n\nfunction hexToBytes(hex: string): Uint8Array {\n const h = hex.startsWith(\"0x\") ? hex.slice(2) : hex;\n const bytes = new Uint8Array(h.length / 2);\n for (let i = 0; i < bytes.length; i++) {\n bytes[i] = parseInt(h.substr(i * 2, 2), 16);\n }\n return bytes;\n}\n\nfunction bytesToHex(bytes: Uint8Array): string {\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Compute SHA-256 hash of a JCS-canonicalized DID document.\n *\n * Uses libsodium's crypto_hash_sha256 for React Native compatibility.\n *\n * @returns 0x-prefixed hex string (66 chars).\n */\nexport function computeDidHash(didDocument: object): string {\n const json = jcsCanonical(didDocument) ?? \"\";\n const bytes = sodium.from_string(json);\n const hash = sodium.crypto_hash_sha256(bytes);\n return \"0x\" + bytesToHex(hash);\n}\n\n/** A single sibling in a Merkle proof path. */\nexport interface MerkleProofSibling {\n hash: string;\n position: \"left\" | \"right\";\n}\n\n/**\n * Verify a Merkle proof for a leaf hash against a root.\n *\n * @param leafHash - 0x-prefixed hex hash of the leaf.\n * @param proof - Array of sibling hashes with positions.\n * @param merkleRoot - 0x-prefixed hex hash of the expected root.\n * @returns true if the proof verifies.\n */\nexport function verifyMerkleProof(\n leafHash: string,\n proof: MerkleProofSibling[],\n merkleRoot: string,\n): boolean {\n let current = hexToBytes(leafHash);\n\n for (const step of proof) {\n const sibling = hexToBytes(step.hash);\n const combined = new Uint8Array(current.length + sibling.length);\n if (step.position === \"left\") {\n combined.set(sibling);\n combined.set(current, sibling.length);\n } else {\n combined.set(current);\n combined.set(sibling, current.length);\n }\n current = sodium.crypto_hash_sha256(combined);\n }\n\n const rootBytes = hexToBytes(merkleRoot);\n if (current.length !== rootBytes.length) return false;\n for (let i = 0; i < current.length; i++) {\n if (current[i] !== rootBytes[i]) return false;\n }\n return true;\n}\n", "/**\n * W3C Verifiable Credentials Data Model 2.0 \u2014 eddsa-jcs-2022 cryptosuite.\n *\n * Implements VC issuance, signing, and verification using:\n * - JSON Canonicalization Scheme (RFC 8785) via existing `canonicalize()`\n * - SHA-256 hashing for proof config + document\n * - Ed25519 detached signatures (libsodium)\n * - Multibase z-base58btc encoding for proofValue\n *\n * @see https://www.w3.org/TR/vc-data-model-2.0/\n * @see https://www.w3.org/TR/vc-di-eddsa/ (eddsa-jcs-2022 cryptosuite)\n */\nimport sodium from \"libsodium-wrappers-sumo\";\n\nimport { canonicalize, publicKeyToMultibase } from \"./did.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** W3C VC 2.0 context \u2014 MUST be first element in @context array. */\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\n\n/** AgentVault credential vocabulary context. */\nexport const AV_CREDENTIAL_CONTEXT = \"https://agentvault.chat/ns/credentials/v1\";\n\n/** Data Integrity v2 context (bundled in credentials/v2 but listed for clarity). */\nexport const DATA_INTEGRITY_CONTEXT = \"https://w3id.org/security/data-integrity/v2\";\n\n/** Cryptosuite identifier for JCS-based Ed25519 proofs. */\nexport const CRYPTOSUITE = \"eddsa-jcs-2022\";\n\n/** AgentVault issuer DID prefix. */\nexport const AV_ISSUER_PREFIX = \"did:hub:\";\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\n/** W3C Data Integrity Proof (eddsa-jcs-2022). */\nexport interface DataIntegrityProof {\n type: \"DataIntegrityProof\";\n cryptosuite: typeof CRYPTOSUITE;\n created: string;\n verificationMethod: string;\n proofPurpose: \"assertionMethod\" | \"authentication\";\n proofValue: string;\n}\n\n/** Credential subject \u2014 flexible key-value claims. */\nexport interface CredentialSubject {\n id: string;\n [key: string]: unknown;\n}\n\n/** Credential status for revocation checking. */\nexport interface CredentialStatus {\n id: string;\n type: string;\n statusPurpose?: string;\n statusListIndex?: string;\n statusListCredential?: string;\n}\n\n/** W3C Verifiable Credential (unsigned \u2014 before proof is attached). */\nexport interface UnsignedCredential {\n \"@context\": (string | Record<string, unknown>)[];\n id: string;\n type: string[];\n issuer: string | { id: string; name?: string };\n validFrom: string;\n validUntil?: string;\n name?: string;\n description?: string;\n credentialSubject: CredentialSubject;\n credentialStatus?: CredentialStatus;\n evidence?: Record<string, unknown>[];\n}\n\n/** W3C Verifiable Credential (signed \u2014 with embedded proof). */\nexport interface VerifiableCredential extends UnsignedCredential {\n proof: DataIntegrityProof;\n}\n\n/** W3C Verifiable Presentation (unsigned). */\nexport interface UnsignedPresentation {\n \"@context\": (string | Record<string, unknown>)[];\n type: string | string[];\n id?: string;\n holder: string;\n verifiableCredential: VerifiableCredential[];\n}\n\n/** W3C Verifiable Presentation (signed). */\nexport interface VerifiablePresentation extends UnsignedPresentation {\n proof: DataIntegrityProof;\n}\n\n// ---------------------------------------------------------------------------\n// AgentVault credential type definitions\n// ---------------------------------------------------------------------------\n\n/** Parameters for building an AgentTrustCredential. */\nexport interface AgentTrustCredentialParams {\n /** Credential UUID (urn:uuid:...) */\n credentialId: string;\n /** Issuer hub DID (did:hub:platform.agentvault.hub or similar) */\n issuerDid: string;\n /** Issuer display name */\n issuerName?: string;\n /** Subject agent DID (did:hub:<hub_address>) */\n subjectDid: string;\n /** Trust tier achieved */\n trustTier: \"verified\" | \"trusted\" | \"certified\" | \"premier\" | \"enterprise\";\n /** Composite trust score (0.0 - 1.0) */\n compositeScore: number;\n /** Score window in days */\n scoreWindow: number;\n /** Individual dimension scores */\n dimensions?: {\n volume?: number;\n responsiveness?: number;\n uptime?: number;\n compliance?: number;\n };\n /** ISO 8601 validity start (defaults to now) */\n validFrom?: string;\n /** ISO 8601 validity end */\n validUntil?: string;\n /** Verification API endpoint */\n verificationEndpoint?: string;\n}\n\n/** Parameters for building a SkillAttestation credential. */\nexport interface SkillAttestationParams {\n credentialId: string;\n issuerDid: string;\n issuerName?: string;\n subjectDid: string;\n skillName: string;\n skillNamespace: string;\n /** Skill proficiency level */\n proficiencyLevel?: \"basic\" | \"intermediate\" | \"advanced\" | \"expert\";\n /** Total invocations of this skill */\n totalInvocations?: number;\n /** Success rate (0.0 - 1.0) */\n successRate?: number;\n /** Assessment date */\n assessedAt?: string;\n validFrom?: string;\n validUntil?: string;\n}\n\n/** Parameters for building a PerformanceRecord credential. */\nexport interface PerformanceRecordParams {\n credentialId: string;\n issuerDid: string;\n issuerName?: string;\n subjectDid: string;\n /** Reporting period start */\n periodStart: string;\n /** Reporting period end */\n periodEnd: string;\n /** Total messages handled */\n messagesHandled: number;\n /** Average response time in milliseconds */\n avgResponseTimeMs: number;\n /** Uptime percentage (0.0 - 1.0) */\n uptimePercentage: number;\n /** Policy violations count */\n policyViolations: number;\n /** Composite score for the period */\n compositeScore: number;\n validFrom?: string;\n validUntil?: string;\n}\n\n/** Trust report dimension sub-scores. */\nexport interface TrustReportDimensions {\n categories: {\n operational: {\n availability?: number | null;\n responsiveness?: number | null;\n reliability?: number | null;\n };\n performance: {\n throughput?: number | null;\n taskSuccess?: number | null;\n efficiency?: number | null;\n };\n quality: {\n toolAccuracy?: number | null;\n errorDiscipline?: number | null;\n compliance?: number | null;\n };\n stability: {\n behavioralConsistency?: number | null;\n versionHealth?: number | null;\n };\n cost: {\n tokenEfficiency?: number | null;\n };\n };\n categoryScores: Record<string, number | null>;\n compositeScore: number;\n}\n\n/** Parameters for building an AgentTrustReport credential. */\nexport interface AgentTrustReportParams {\n credentialId: string;\n issuerDid: string;\n issuerName?: string;\n subjectDid: string;\n /** Report period start (ISO 8601) */\n reportPeriodStart: string;\n /** Report period end (ISO 8601) */\n reportPeriodEnd: string;\n /** Trust tier */\n trustTier: \"verified\" | \"trusted\" | \"certified\" | \"premier\" | \"enterprise\";\n /** Composite trust score (0.0 - 1.0) */\n compositeScore: number;\n /** Categorized dimension scores */\n dimensions?: TrustReportDimensions;\n /** Trending analysis */\n trending?: {\n direction: string;\n slope: number;\n r_squared: number;\n pct_change: number;\n data_points: number;\n };\n /** Fleet comparison data */\n fleetComparison?: {\n percentile: number;\n fleet_median: number;\n fleet_p25: number;\n fleet_p75: number;\n rank: number;\n fleet_size: number;\n };\n /** Drift detection status */\n driftStatus?: {\n psi: number;\n classification: string;\n baseline_available: boolean;\n };\n /** Audit chain integrity */\n auditIntegrity?: {\n chain_length: number;\n latest_hash: string | null;\n verified: boolean;\n events_checked: number;\n };\n /** Telemetry summary */\n telemetrySummary?: {\n total_spans: number;\n error_count: number;\n error_rate: number;\n avg_latency_ms: number | null;\n tokens_input: number;\n tokens_output: number;\n latency_p50: number | null;\n latency_p95: number | null;\n };\n validFrom?: string;\n validUntil?: string;\n verificationEndpoint?: string;\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\n/**\n * SHA-256 hash using libsodium.\n * libsodium-wrappers-sumo exposes crypto_hash_sha256.\n */\nasync function sha256(data: Uint8Array): Promise<Uint8Array> {\n await sodium.ready;\n return sodium.crypto_hash_sha256(data);\n}\n\n/**\n * Base58btc encoding (same alphabet as did.ts).\n */\nconst BASE58_ALPHABET = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";\n\nfunction base58Encode(bytes: Uint8Array): string {\n let zeros = 0;\n for (const b of bytes) {\n if (b === 0) zeros++;\n else break;\n }\n let num = BigInt(0);\n for (const b of bytes) {\n num = num * 256n + BigInt(b);\n }\n let result = \"\";\n while (num > 0n) {\n const remainder = Number(num % 58n);\n num = num / 58n;\n result = BASE58_ALPHABET[remainder] + result;\n }\n return \"1\".repeat(zeros) + result;\n}\n\nfunction base58Decode(str: string): Uint8Array {\n let zeros = 0;\n for (const c of str) {\n if (c === \"1\") zeros++;\n else break;\n }\n let num = BigInt(0);\n for (const c of str.slice(zeros)) {\n const idx = BASE58_ALPHABET.indexOf(c);\n if (idx === -1) throw new Error(`Invalid base58 character: ${c}`);\n num = num * 58n + BigInt(idx);\n }\n const hex = num === 0n ? \"\" : num.toString(16).padStart(2, \"0\");\n const paddedHex = hex.length % 2 ? \"0\" + hex : hex;\n const dataBytes = new Uint8Array(\n (paddedHex.match(/.{2}/g) ?? []).map((b) => parseInt(b, 16)),\n );\n const result = new Uint8Array(zeros + dataBytes.length);\n result.set(dataBytes, zeros);\n return result;\n}\n\n// ---------------------------------------------------------------------------\n// Core VC signing / verification (eddsa-jcs-2022)\n// ---------------------------------------------------------------------------\n\n/**\n * Compute the eddsa-jcs-2022 hashData (64 bytes) for signing.\n *\n * Per the spec:\n * 1. JCS canonicalize proof config \u2192 SHA-256 \u2192 32 bytes\n * 2. JCS canonicalize document (without proof) \u2192 SHA-256 \u2192 32 bytes\n * 3. Concatenate: proofConfigHash || documentHash\n */\nasync function computeHashData(\n document: Record<string, unknown>,\n proofConfig: Record<string, unknown>,\n): Promise<Uint8Array> {\n // Hash the proof configuration\n const proofConfigBytes = canonicalize(proofConfig);\n const proofConfigHash = await sha256(proofConfigBytes);\n\n // Hash the document (without proof property)\n const docWithoutProof = { ...document };\n delete docWithoutProof.proof;\n const documentBytes = canonicalize(docWithoutProof);\n const documentHash = await sha256(documentBytes);\n\n // Concatenate: proofConfigHash || documentHash\n const hashData = new Uint8Array(64);\n hashData.set(proofConfigHash, 0);\n hashData.set(documentHash, 32);\n return hashData;\n}\n\n/**\n * Sign a Verifiable Credential or Presentation using eddsa-jcs-2022.\n *\n * @param document The unsigned credential/presentation (any JSON object)\n * @param privateKey Ed25519 private key (64 bytes \u2014 libsodium combined format)\n * @param verificationMethod DID URL of the signing key (e.g., \"did:hub:x#owner-key\")\n * @param proofPurpose \"assertionMethod\" for credentials, \"authentication\" for presentations\n * @param created ISO 8601 timestamp (defaults to now)\n * @returns The signed document with embedded `proof` property\n */\nexport async function signWithDataIntegrity<\n T extends Record<string, unknown>,\n>(\n document: T,\n privateKey: Uint8Array,\n verificationMethod: string,\n proofPurpose: \"assertionMethod\" | \"authentication\" = \"assertionMethod\",\n created?: string,\n): Promise<T & { proof: DataIntegrityProof }> {\n await sodium.ready;\n\n const timestamp = created ?? new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n // Build proof configuration (everything except proofValue)\n const proofConfig: Record<string, unknown> = {\n type: \"DataIntegrityProof\",\n cryptosuite: CRYPTOSUITE,\n created: timestamp,\n verificationMethod,\n proofPurpose,\n };\n\n // Compute hashData = SHA-256(proofConfig) || SHA-256(document)\n const hashData = await computeHashData(document as Record<string, unknown>, proofConfig);\n\n // Sign with Ed25519\n const signature = sodium.crypto_sign_detached(hashData, privateKey);\n\n // Encode as multibase z-base58btc\n const proofValue = \"z\" + base58Encode(signature);\n\n const proof: DataIntegrityProof = {\n type: \"DataIntegrityProof\",\n cryptosuite: CRYPTOSUITE,\n created: timestamp,\n verificationMethod,\n proofPurpose,\n proofValue,\n };\n\n return { ...document, proof };\n}\n\n/**\n * Verify a Data Integrity proof (eddsa-jcs-2022) on a credential or presentation.\n *\n * @param document The signed document with embedded `proof`\n * @param publicKey Ed25519 public key (32 bytes) of the signer\n * @returns true if the proof is valid\n */\nexport async function verifyDataIntegrity(\n document: Record<string, unknown>,\n publicKey: Uint8Array,\n): Promise<boolean> {\n await sodium.ready;\n\n const proof = document.proof as DataIntegrityProof | undefined;\n if (!proof || proof.type !== \"DataIntegrityProof\" || proof.cryptosuite !== CRYPTOSUITE) {\n return false;\n }\n\n // Decode proofValue from multibase z-base58btc\n if (!proof.proofValue.startsWith(\"z\")) {\n return false;\n }\n const signature = base58Decode(proof.proofValue.slice(1));\n if (signature.length !== 64) {\n return false;\n }\n\n // Rebuild proof configuration (without proofValue)\n const proofConfig: Record<string, unknown> = {\n type: proof.type,\n cryptosuite: proof.cryptosuite,\n created: proof.created,\n verificationMethod: proof.verificationMethod,\n proofPurpose: proof.proofPurpose,\n };\n\n // Recompute hashData\n const hashData = await computeHashData(document, proofConfig);\n\n // Verify Ed25519 signature\n try {\n return sodium.crypto_sign_verify_detached(signature, hashData, publicKey);\n } catch {\n return false;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Credential builders \u2014 AgentVault-specific credential types\n// ---------------------------------------------------------------------------\n\n/**\n * Build an unsigned AgentTrustCredential.\n *\n * Issued when an agent achieves or maintains a trust tier.\n */\nexport function buildAgentTrustCredential(\n params: AgentTrustCredentialParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n AgentTrustCredential: \"https://agentvault.chat/vocab#AgentTrustCredential\",\n trustTier: \"https://agentvault.chat/vocab#trustTier\",\n compositeScore: \"https://agentvault.chat/vocab#compositeScore\",\n scoreWindow: \"https://agentvault.chat/vocab#scoreWindow\",\n scoreDimensions: \"https://agentvault.chat/vocab#scoreDimensions\",\n volume: \"https://agentvault.chat/vocab#volume\",\n responsiveness: \"https://agentvault.chat/vocab#responsiveness\",\n uptime: \"https://agentvault.chat/vocab#uptime\",\n compliance: \"https://agentvault.chat/vocab#compliance\",\n verificationEndpoint: \"https://agentvault.chat/vocab#verificationEndpoint\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"AgentTrustCredential\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: {\n id: params.subjectDid,\n trustTier: params.trustTier,\n compositeScore: params.compositeScore,\n scoreWindow: params.scoreWindow,\n ...(params.dimensions\n ? {\n scoreDimensions: {\n volume: params.dimensions.volume,\n responsiveness: params.dimensions.responsiveness,\n uptime: params.dimensions.uptime,\n compliance: params.dimensions.compliance,\n },\n }\n : {}),\n ...(params.verificationEndpoint\n ? { verificationEndpoint: params.verificationEndpoint }\n : {}),\n },\n };\n}\n\n/**\n * Build an unsigned SkillAttestation credential.\n *\n * Issued for verified agent capabilities/skills.\n */\nexport function buildSkillAttestation(\n params: SkillAttestationParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n SkillAttestation: \"https://agentvault.chat/vocab#SkillAttestation\",\n skillName: \"https://agentvault.chat/vocab#skillName\",\n skillNamespace: \"https://agentvault.chat/vocab#skillNamespace\",\n proficiencyLevel: \"https://agentvault.chat/vocab#proficiencyLevel\",\n totalInvocations: \"https://agentvault.chat/vocab#totalInvocations\",\n successRate: \"https://agentvault.chat/vocab#successRate\",\n assessedAt: \"https://agentvault.chat/vocab#assessedAt\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"SkillAttestation\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: {\n id: params.subjectDid,\n skillName: params.skillName,\n skillNamespace: params.skillNamespace,\n ...(params.proficiencyLevel ? { proficiencyLevel: params.proficiencyLevel } : {}),\n ...(params.totalInvocations !== undefined\n ? { totalInvocations: params.totalInvocations }\n : {}),\n ...(params.successRate !== undefined ? { successRate: params.successRate } : {}),\n ...(params.assessedAt ? { assessedAt: params.assessedAt } : {}),\n },\n };\n}\n\n/**\n * Build an unsigned PerformanceRecord credential.\n *\n * Issued based on aggregated agent performance metrics.\n */\nexport function buildPerformanceRecord(\n params: PerformanceRecordParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n PerformanceRecord: \"https://agentvault.chat/vocab#PerformanceRecord\",\n periodStart: \"https://agentvault.chat/vocab#periodStart\",\n periodEnd: \"https://agentvault.chat/vocab#periodEnd\",\n messagesHandled: \"https://agentvault.chat/vocab#messagesHandled\",\n avgResponseTimeMs: \"https://agentvault.chat/vocab#avgResponseTimeMs\",\n uptimePercentage: \"https://agentvault.chat/vocab#uptimePercentage\",\n policyViolations: \"https://agentvault.chat/vocab#policyViolations\",\n compositeScore: \"https://agentvault.chat/vocab#compositeScore\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"PerformanceRecord\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: {\n id: params.subjectDid,\n periodStart: params.periodStart,\n periodEnd: params.periodEnd,\n messagesHandled: params.messagesHandled,\n avgResponseTimeMs: params.avgResponseTimeMs,\n uptimePercentage: params.uptimePercentage,\n policyViolations: params.policyViolations,\n compositeScore: params.compositeScore,\n },\n };\n}\n\n/**\n * Build an unsigned AgentTrustReport credential.\n *\n * Issued as a comprehensive trust report with dimensions, trending,\n * fleet comparison, drift detection, and audit integrity data.\n */\nexport function buildAgentTrustReportCredential(\n params: AgentTrustReportParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n const subject: Record<string, unknown> = {\n id: params.subjectDid,\n reportPeriod: {\n start: params.reportPeriodStart,\n end: params.reportPeriodEnd,\n },\n trustTier: params.trustTier,\n compositeScore: params.compositeScore,\n };\n\n if (params.dimensions) subject.dimensions = params.dimensions;\n if (params.trending) subject.trending = params.trending;\n if (params.fleetComparison) subject.fleetComparison = params.fleetComparison;\n if (params.driftStatus) subject.driftStatus = params.driftStatus;\n if (params.auditIntegrity) subject.auditIntegrity = params.auditIntegrity;\n if (params.telemetrySummary) subject.telemetrySummary = params.telemetrySummary;\n if (params.verificationEndpoint) subject.verificationEndpoint = params.verificationEndpoint;\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n AgentTrustReport: \"https://agentvault.chat/vocab#AgentTrustReport\",\n reportPeriod: \"https://agentvault.chat/vocab#reportPeriod\",\n trustTier: \"https://agentvault.chat/vocab#trustTier\",\n compositeScore: \"https://agentvault.chat/vocab#compositeScore\",\n dimensions: \"https://agentvault.chat/vocab#dimensions\",\n trending: \"https://agentvault.chat/vocab#trending\",\n fleetComparison: \"https://agentvault.chat/vocab#fleetComparison\",\n driftStatus: \"https://agentvault.chat/vocab#driftStatus\",\n auditIntegrity: \"https://agentvault.chat/vocab#auditIntegrity\",\n telemetrySummary: \"https://agentvault.chat/vocab#telemetrySummary\",\n verificationEndpoint: \"https://agentvault.chat/vocab#verificationEndpoint\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"AgentTrustReport\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: subject as CredentialSubject,\n };\n}\n\n/**\n * Build an unsigned Verifiable Presentation wrapping one or more credentials.\n */\nexport function buildVerifiablePresentation(\n holderDid: string,\n credentials: VerifiableCredential[],\n presentationId?: string,\n): UnsignedPresentation {\n return {\n \"@context\": [VC_CONTEXT_V2],\n type: \"VerifiablePresentation\",\n ...(presentationId ? { id: presentationId } : {}),\n holder: holderDid,\n verifiableCredential: credentials,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Convenience wrappers\n// ---------------------------------------------------------------------------\n\n/**\n * Issue a signed Verifiable Credential.\n *\n * Convenience wrapper that signs an unsigned credential using eddsa-jcs-2022.\n *\n * @param credential Unsigned credential to sign\n * @param privateKey Issuer's Ed25519 private key (64-byte combined format)\n * @param verificationMethod DID URL of the issuer's signing key\n * @returns Signed VerifiableCredential with embedded proof\n */\nexport async function issueCredential(\n credential: UnsignedCredential,\n privateKey: Uint8Array,\n verificationMethod: string,\n): Promise<VerifiableCredential> {\n return signWithDataIntegrity(\n credential as unknown as Record<string, unknown>,\n privateKey,\n verificationMethod,\n \"assertionMethod\",\n ) as unknown as Promise<VerifiableCredential>;\n}\n\n/**\n * Create a signed Verifiable Presentation.\n *\n * Signs the presentation with the holder's key using \"authentication\" proof purpose.\n */\nexport async function presentCredentials(\n presentation: UnsignedPresentation,\n privateKey: Uint8Array,\n verificationMethod: string,\n): Promise<VerifiablePresentation> {\n return signWithDataIntegrity(\n presentation as unknown as Record<string, unknown>,\n privateKey,\n verificationMethod,\n \"authentication\",\n ) as unknown as Promise<VerifiablePresentation>;\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\nimport type { EncryptedMessage } from \"./ratchet.js\";\n\n// --- Encoding helpers ---\n\nexport function hexToBytes(hex: string): Uint8Array {\n return sodium.from_hex(hex);\n}\n\nexport function bytesToHex(bytes: Uint8Array): string {\n return sodium.to_hex(bytes);\n}\n\nexport function base64ToBytes(b64: string): Uint8Array {\n return sodium.from_base64(b64, sodium.base64_variants.ORIGINAL);\n}\n\nexport function bytesToBase64(bytes: Uint8Array): string {\n return sodium.to_base64(bytes, sodium.base64_variants.ORIGINAL);\n}\n\n// --- Base64 transport format (owner-agent) ---\n// Must match packages/web/lib/crypto-bridge.ts exactly\n\nexport interface TransportMessage {\n header_blob: string; // base64-encoded JSON with binary fields as base64\n ciphertext: string; // base64-encoded raw ciphertext\n}\n\nexport function encryptedMessageToTransport(\n msg: EncryptedMessage,\n): TransportMessage {\n const headerObj = {\n dhPublicKey: bytesToBase64(msg.header.dhPublicKey),\n previousChainLength: msg.header.previousChainLength,\n messageNumber: msg.header.messageNumber,\n headerSignature: bytesToBase64(msg.headerSignature),\n nonce: bytesToBase64(msg.nonce),\n };\n const headerJson = JSON.stringify(headerObj);\n const headerBlob = bytesToBase64(\n new TextEncoder().encode(headerJson),\n );\n return {\n header_blob: headerBlob,\n ciphertext: bytesToBase64(msg.ciphertext),\n };\n}\n\nexport function transportToEncryptedMessage(\n transport: TransportMessage,\n): EncryptedMessage {\n const headerJson = new TextDecoder().decode(\n base64ToBytes(transport.header_blob),\n );\n const headerObj = JSON.parse(headerJson);\n return {\n header: {\n dhPublicKey: base64ToBytes(headerObj.dhPublicKey),\n previousChainLength: headerObj.previousChainLength,\n messageNumber: headerObj.messageNumber,\n },\n headerSignature: base64ToBytes(headerObj.headerSignature),\n nonce: base64ToBytes(headerObj.nonce),\n ciphertext: base64ToBytes(transport.ciphertext),\n };\n}\n\n// --- V2 transport format (header encryption) ---\n\nexport interface TransportMessageV2 {\n envelope_version: \"2.0.0\";\n encrypted_header: string; // base64\n header_nonce: string; // base64\n header_signature: string; // base64\n nonce: string; // base64\n ciphertext: string; // base64\n}\n\nexport function encryptedMessageToTransportV2(\n msg: EncryptedMessage,\n): TransportMessageV2 {\n if (!msg.encryptedHeader || !msg.headerNonce) {\n throw new Error(\"encryptedMessageToTransportV2 requires v2 encrypted message\");\n }\n return {\n envelope_version: \"2.0.0\",\n encrypted_header: bytesToBase64(msg.encryptedHeader),\n header_nonce: bytesToBase64(msg.headerNonce),\n header_signature: bytesToBase64(msg.headerSignature),\n nonce: bytesToBase64(msg.nonce),\n ciphertext: bytesToBase64(msg.ciphertext),\n };\n}\n\n/**\n * Decode a V2 transport message. The header stays encrypted \u2014\n * the DoubleRatchet.decrypt() method decrypts it using the header key.\n *\n * We still need to populate the plaintext `header` field for the ratchet\n * to identify the DH public key and advance the chain. For V2, the caller\n * must provide the plaintext header separately (from the ratchet's decrypt path).\n *\n * In practice, the receiver will first try to parse as V2, then fall through\n * to ratchet.decrypt() which handles header decryption internally.\n */\nexport function transportV2ToEncryptedMessage(\n transport: TransportMessageV2,\n plaintextHeader: EncryptedMessage[\"header\"],\n): EncryptedMessage {\n return {\n header: plaintextHeader,\n headerSignature: base64ToBytes(transport.header_signature),\n ciphertext: base64ToBytes(transport.ciphertext),\n nonce: base64ToBytes(transport.nonce),\n envelopeVersion: \"2.0.0\",\n encryptedHeader: base64ToBytes(transport.encrypted_header),\n headerNonce: base64ToBytes(transport.header_nonce),\n };\n}\n\n/**\n * Encode a V2 transport message that also includes the plaintext header\n * (for the server to relay to the ratchet). This is the practical format:\n * the server stores the encrypted header but relays both encrypted and\n * plaintext header_blob so the receiver can reconstruct the EncryptedMessage.\n */\nexport function encryptedMessageToTransportV2Full(\n msg: EncryptedMessage,\n): TransportMessage & { envelope_version: \"2.0.0\"; encrypted_header: string; header_nonce: string } {\n if (!msg.encryptedHeader || !msg.headerNonce) {\n throw new Error(\"encryptedMessageToTransportV2Full requires v2 encrypted message\");\n }\n const v1 = encryptedMessageToTransport(msg);\n return {\n ...v1,\n envelope_version: \"2.0.0\",\n encrypted_header: bytesToBase64(msg.encryptedHeader),\n header_nonce: bytesToBase64(msg.headerNonce),\n };\n}\n\n// --- Hex transport format (A2A channels) ---\n\nexport interface HexTransportMessage {\n header_blob: string; // hex-encoded JSON with dhPublicKey as hex\n header_signature: string; // hex of headerSignature bytes\n ciphertext: string; // hex of ciphertext bytes\n nonce: string; // hex of nonce bytes\n}\n\nexport function encryptedMessageToHexTransport(\n msg: EncryptedMessage,\n): HexTransportMessage {\n const headerObj = {\n dhPublicKey: bytesToHex(msg.header.dhPublicKey),\n previousChainLength: msg.header.previousChainLength,\n messageNumber: msg.header.messageNumber,\n };\n const headerBlobHex = Buffer.from(JSON.stringify(headerObj)).toString(\"hex\");\n return {\n header_blob: headerBlobHex,\n header_signature: bytesToHex(msg.headerSignature),\n ciphertext: bytesToHex(msg.ciphertext),\n nonce: bytesToHex(msg.nonce),\n };\n}\n\nexport function hexTransportToEncryptedMessage(\n transport: HexTransportMessage,\n): EncryptedMessage {\n const headerJson = Buffer.from(transport.header_blob, \"hex\").toString(\"utf-8\");\n const headerObj = JSON.parse(headerJson);\n return {\n header: {\n dhPublicKey: hexToBytes(headerObj.dhPublicKey),\n previousChainLength: headerObj.previousChainLength,\n messageNumber: headerObj.messageNumber,\n },\n headerSignature: hexToBytes(transport.header_signature),\n ciphertext: hexToBytes(transport.ciphertext),\n nonce: hexToBytes(transport.nonce),\n };\n}\n", "/**\n * OTLP-compatible telemetry span types and builder functions.\n *\n * Uses ai.agent.* semantic conventions matching the backend at\n * packages/backend/app/services/telemetry_service.py.\n */\n\n// -- Types --------------------------------------------------------------------\n\nexport interface SpanEvent {\n name: string;\n timestamp: number;\n attributes?: Record<string, string | number | boolean>;\n}\n\nexport interface SpanStatus {\n code: number; // 0 = OK, 1 = UNSET, 2 = ERROR\n message?: string;\n}\n\nexport interface TelemetrySpan {\n traceId: string; // 32-char hex\n spanId: string; // 16-char hex\n parentSpanId?: string;\n name: string;\n kind: \"internal\" | \"client\" | \"server\" | \"producer\" | \"consumer\";\n startTime: number; // unix epoch milliseconds\n endTime: number;\n attributes: Record<string, string | number | boolean>;\n status?: SpanStatus;\n events?: SpanEvent[];\n}\n\n// -- ID generation ------------------------------------------------------------\n\nfunction randomHex(byteCount: number): string {\n const bytes = new Uint8Array(byteCount);\n crypto.getRandomValues(bytes);\n let hex = \"\";\n for (let i = 0; i < bytes.length; i++) {\n hex += bytes[i].toString(16).padStart(2, \"0\");\n }\n return hex;\n}\n\nfunction generateTraceId(): string {\n return randomHex(16); // 16 bytes = 32 hex chars\n}\n\nfunction generateSpanId(): string {\n return randomHex(8); // 8 bytes = 16 hex chars\n}\n\n// -- Common options -----------------------------------------------------------\n\ninterface BaseSpanOpts {\n traceId?: string;\n spanId?: string;\n parentSpanId?: string;\n skillName?: string; // maps to ai.agent.skill.name\n}\n\nfunction applySkillName(\n attributes: Record<string, string | number | boolean>,\n skillName?: string,\n): void {\n if (skillName) {\n attributes[\"ai.agent.skill.name\"] = skillName;\n }\n}\n\n// -- buildLlmSpan -------------------------------------------------------------\n\nexport interface BuildLlmSpanOpts extends BaseSpanOpts {\n model: string;\n latencyMs: number;\n tokensInput: number;\n tokensOutput: number;\n provider?: string;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildLlmSpan(opts: BuildLlmSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n // Legacy (keep for backward compat)\n \"ai.agent.llm.model\": opts.model,\n \"ai.agent.llm.latency_ms\": opts.latencyMs,\n \"ai.agent.llm.tokens_input\": opts.tokensInput,\n \"ai.agent.llm.tokens_output\": opts.tokensOutput,\n // OTel gen_ai standard\n \"gen_ai.request.model\": opts.model,\n \"gen_ai.usage.input_tokens\": opts.tokensInput,\n \"gen_ai.usage.output_tokens\": opts.tokensOutput,\n \"gen_ai.operation.name\": \"chat\",\n };\n if (opts.provider !== undefined) {\n attributes[\"ai.agent.llm.provider\"] = opts.provider;\n attributes[\"gen_ai.system\"] = opts.provider;\n }\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"llm.inference\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildToolSpan ------------------------------------------------------------\n\nexport interface BuildToolSpanOpts extends BaseSpanOpts {\n toolName: string;\n latencyMs: number;\n success: boolean;\n errorMessage?: string;\n}\n\nexport function buildToolSpan(opts: BuildToolSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.tool.name\": opts.toolName,\n \"ai.agent.tool.latency_ms\": opts.latencyMs,\n \"ai.agent.tool.success\": opts.success,\n // OTel gen_ai standard\n \"gen_ai.tool.name\": opts.toolName,\n };\n applySkillName(attributes, opts.skillName);\n\n const status: SpanStatus = opts.success\n ? { code: 0 }\n : { code: 2, ...(opts.errorMessage ? { message: opts.errorMessage } : {}) };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"tool.execute\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildErrorSpan -----------------------------------------------------------\n\nexport interface BuildErrorSpanOpts extends BaseSpanOpts {\n errorType: string;\n errorMessage: string;\n spanKind?: TelemetrySpan[\"kind\"];\n}\n\nexport function buildErrorSpan(opts: BuildErrorSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.error.type\": opts.errorType,\n \"ai.agent.error.message\": opts.errorMessage,\n // OTel standard\n \"error.type\": opts.errorType,\n };\n applySkillName(attributes, opts.skillName);\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"error\",\n kind: opts.spanKind ?? \"internal\",\n startTime: now,\n endTime: now,\n attributes,\n status: { code: 2, message: opts.errorMessage },\n };\n}\n\n// -- buildHttpSpan ------------------------------------------------------------\n\nexport interface BuildHttpSpanOpts extends BaseSpanOpts {\n method: string;\n url: string;\n statusCode: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildHttpSpan(opts: BuildHttpSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.http.method\": opts.method,\n \"ai.agent.http.url\": opts.url,\n \"ai.agent.http.status_code\": opts.statusCode,\n \"ai.agent.http.latency_ms\": opts.latencyMs,\n // OTel HTTP standard\n \"http.request.method\": opts.method,\n \"url.full\": opts.url,\n \"http.response.status_code\": opts.statusCode,\n };\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\" || opts.statusCode >= 400;\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"http.request\",\n kind: \"client\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildActionSpan ----------------------------------------------------------\n\nexport interface BuildActionSpanOpts extends BaseSpanOpts {\n actionType: string;\n target: string;\n latencyMs: number;\n success: boolean;\n statusMessage?: string;\n}\n\nexport function buildActionSpan(opts: BuildActionSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.action.type\": opts.actionType,\n \"ai.agent.action.target\": opts.target,\n \"ai.agent.action.latency_ms\": opts.latencyMs,\n \"ai.agent.action.success\": opts.success,\n };\n applySkillName(attributes, opts.skillName);\n\n const status: SpanStatus = opts.success\n ? { code: 0 }\n : { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"action.execute\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildNavSpan -------------------------------------------------------------\n\nexport interface BuildNavSpanOpts extends BaseSpanOpts {\n toUrl: string;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildNavSpan(opts: BuildNavSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.nav.to_url\": opts.toUrl,\n \"ai.agent.nav.latency_ms\": opts.latencyMs,\n };\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"nav.navigate\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildTaskSpan ------------------------------------------------------------\n\nexport interface BuildTaskSpanOpts extends BaseSpanOpts {\n taskId: string;\n taskName: string;\n taskType?: string;\n status: \"pending\" | \"running\" | \"completed\" | \"failed\";\n latencyMs: number;\n stepsCount?: number;\n tokensUsed?: number;\n statusMessage?: string;\n}\n\nexport function buildTaskSpan(opts: BuildTaskSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.task.id\": opts.taskId,\n \"ai.agent.task.name\": opts.taskName,\n \"ai.agent.task.status\": opts.status,\n \"gen_ai.operation.name\": \"task\",\n };\n if (opts.taskType !== undefined) attributes[\"ai.agent.task.type\"] = opts.taskType;\n if (opts.stepsCount !== undefined) attributes[\"ai.agent.task.steps_count\"] = opts.stepsCount;\n if (opts.tokensUsed !== undefined) attributes[\"ai.agent.task.tokens_used\"] = opts.tokensUsed;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"failed\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"task.execute\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildSkillInvocationSpan -------------------------------------------------\n\nexport interface BuildSkillInvocationSpanOpts extends BaseSpanOpts {\n invocationId: string; // unique invocation ID\n phase: \"start\" | \"processing\" | \"completion\";\n version?: string; // skill version semver\n inputTokens?: number;\n outputTokens?: number;\n costCents?: number;\n toolsUsed?: string[]; // tool names used during invocation\n schemaMatch?: boolean; // whether output matched declared schema\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildSkillInvocationSpan(opts: BuildSkillInvocationSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.skill.invocation.id\": opts.invocationId,\n \"ai.agent.skill.phase\": opts.phase,\n };\n if (opts.skillName) attributes[\"ai.agent.skill.name\"] = opts.skillName;\n if (opts.version !== undefined) attributes[\"ai.agent.skill.version\"] = opts.version;\n if (opts.inputTokens !== undefined) attributes[\"ai.agent.skill.input_tokens\"] = opts.inputTokens;\n if (opts.outputTokens !== undefined) attributes[\"ai.agent.skill.output_tokens\"] = opts.outputTokens;\n if (opts.costCents !== undefined) attributes[\"ai.agent.skill.cost_cents\"] = opts.costCents;\n if (opts.toolsUsed !== undefined) attributes[\"ai.agent.skill.tools_used\"] = opts.toolsUsed.join(\",\");\n if (opts.schemaMatch !== undefined) attributes[\"ai.agent.skill.schema_match\"] = opts.schemaMatch;\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"skill.invoke\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildEvalSpan ------------------------------------------------------------\n\nexport interface BuildEvalSpanOpts extends BaseSpanOpts {\n evaluationName: string; // e.g., \"tool_selection\", \"response_relevance\"\n scoreValue: number; // 0.0 - 1.0\n scoreLabel?: string; // e.g., \"accuracy\", \"pass/fail\"\n explanation?: string; // optional reasoning\n targetSpanId?: string; // span being evaluated\n}\n\nexport function buildEvalSpan(opts: BuildEvalSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"gen_ai.evaluation.name\": opts.evaluationName,\n \"gen_ai.evaluation.score.value\": opts.scoreValue,\n };\n if (opts.scoreLabel) attributes[\"gen_ai.evaluation.score.label\"] = opts.scoreLabel;\n if (opts.explanation) attributes[\"gen_ai.evaluation.explanation\"] = opts.explanation;\n if (opts.targetSpanId) attributes[\"gen_ai.evaluation.target_span_id\"] = opts.targetSpanId;\n applySkillName(attributes, opts.skillName);\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"gen_ai.evaluation\",\n kind: \"internal\",\n startTime: now,\n endTime: now,\n attributes,\n status: { code: 0 },\n };\n}\n\n// -- buildForgeSpan -----------------------------------------------------------\n\nexport interface BuildForgeSpanOpts extends BaseSpanOpts {\n forgeSessionId: string;\n phase: \"create\" | \"save_stage\" | \"brainstorm\" | \"build\" | \"publish\" | \"abandon\";\n stageNumber?: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n artifactCount?: number;\n scanStatus?: string;\n}\n\nexport function buildForgeSpan(opts: BuildForgeSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.forge.session_id\": opts.forgeSessionId,\n \"ai.agent.forge.phase\": opts.phase,\n };\n if (opts.stageNumber !== undefined) attributes[\"ai.agent.forge.stage_number\"] = opts.stageNumber;\n if (opts.artifactCount !== undefined) attributes[\"ai.agent.forge.artifact_count\"] = opts.artifactCount;\n if (opts.scanStatus !== undefined) attributes[\"ai.agent.forge.scan_status\"] = opts.scanStatus;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: `forge.${opts.phase}`,\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildPolicyViolationSpan (av.policy.evaluate) ----------------------------\n\nexport interface BuildPolicyViolationSpanOpts extends BaseSpanOpts {\n ruleId: string;\n policyScope: string; // \"tool\" | \"model\" | \"rate\" | \"network\" | \"custom\"\n actionTaken: string; // \"block\" | \"warn\" | \"log\"\n violationType: string; // e.g. \"forbidden_tool\", \"model_not_allowed\"\n targetTool?: string;\n targetModel?: string;\n messageType?: string;\n}\n\nexport function buildPolicyViolationSpan(opts: BuildPolicyViolationSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.policy.rule_id\": opts.ruleId,\n \"av.policy.scope\": opts.policyScope,\n \"av.policy.action_taken\": opts.actionTaken,\n \"av.policy.violation_type\": opts.violationType,\n };\n if (opts.targetTool) attributes[\"av.policy.target_tool\"] = opts.targetTool;\n if (opts.targetModel) attributes[\"av.policy.target_model\"] = opts.targetModel;\n if (opts.messageType) attributes[\"av.policy.message_type\"] = opts.messageType;\n applySkillName(attributes, opts.skillName);\n\n const isBlock = opts.actionTaken === \"block\";\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.policy.evaluate\",\n kind: \"internal\",\n startTime: now,\n endTime: now,\n attributes,\n status: isBlock ? { code: 2, message: `Policy violation: ${opts.violationType}` } : { code: 0 },\n };\n}\n\n// -- buildDecisionSpan (av.decision) ------------------------------------------\n\nexport interface BuildDecisionSpanOpts extends BaseSpanOpts {\n decisionId: string;\n phase: \"request\" | \"response\" | \"timeout\" | \"cancel\" | \"dismiss\";\n priority?: \"low\" | \"normal\" | \"high\" | \"urgent\";\n category?: string;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildDecisionSpan(opts: BuildDecisionSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.decision.id\": opts.decisionId,\n \"av.decision.phase\": opts.phase,\n };\n if (opts.priority) attributes[\"av.decision.priority\"] = opts.priority;\n if (opts.category) attributes[\"av.decision.category\"] = opts.category;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.decision\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildResyncSpan (av.resync) ----------------------------------------------\n\nexport interface BuildResyncSpanOpts extends BaseSpanOpts {\n conversationId: string;\n phase: \"request\" | \"ack\" | \"complete\" | \"fail\";\n reason?: string; // \"ratchet_mismatch\" | \"key_loss\" | \"manual\"\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildResyncSpan(opts: BuildResyncSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.resync.conversation_id\": opts.conversationId,\n \"av.resync.phase\": opts.phase,\n };\n if (opts.reason) attributes[\"av.resync.reason\"] = opts.reason;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.resync\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildA2aSpan (av.a2a) ----------------------------------------------------\n\nexport interface BuildA2aSpanOpts extends BaseSpanOpts {\n channelId: string;\n operation: \"request\" | \"approve\" | \"activate\" | \"message\" | \"close\";\n peerHubAddress?: string;\n role?: \"initiator\" | \"responder\";\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildA2aSpan(opts: BuildA2aSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.a2a.channel_id\": opts.channelId,\n \"av.a2a.operation\": opts.operation,\n };\n if (opts.peerHubAddress) attributes[\"av.a2a.peer_hub_address\"] = opts.peerHubAddress;\n if (opts.role) attributes[\"av.a2a.role\"] = opts.role;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.a2a\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildScanSpan (av.scan) --------------------------------------------------\n\nexport interface BuildScanSpanOpts extends BaseSpanOpts {\n scanTarget: string; // file path or content identifier\n scanType: \"policy\" | \"content\" | \"workspace\" | \"skill\";\n violationCount: number;\n ruleCount: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildScanSpan(opts: BuildScanSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.scan.target\": opts.scanTarget,\n \"av.scan.type\": opts.scanType,\n \"av.scan.violation_count\": opts.violationCount,\n \"av.scan.rule_count\": opts.ruleCount,\n };\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\" || opts.violationCount > 0;\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.scan\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildWorkspaceSpan (av.workspace) ----------------------------------------\n\nexport interface BuildWorkspaceSpanOpts extends BaseSpanOpts {\n workspaceId: string;\n operation: \"upload\" | \"download\" | \"delete\" | \"list\" | \"scan\";\n fileName?: string;\n fileSizeBytes?: number;\n encrypted?: boolean;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildWorkspaceSpan(opts: BuildWorkspaceSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.workspace.id\": opts.workspaceId,\n \"av.workspace.operation\": opts.operation,\n };\n if (opts.fileName) attributes[\"av.workspace.file_name\"] = opts.fileName;\n if (opts.fileSizeBytes !== undefined) attributes[\"av.workspace.file_size_bytes\"] = opts.fileSizeBytes;\n if (opts.encrypted !== undefined) attributes[\"av.workspace.encrypted\"] = opts.encrypted;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.workspace\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildCapabilitySpan (av.skill.invoke) ------------------------------------\n\nexport interface BuildCapabilitySpanOpts extends BaseSpanOpts {\n operation: \"register\" | \"invoke\" | \"unregister\" | \"publish\";\n version?: string;\n certificationTier?: string;\n toolsUsed?: string[];\n latencyMs: number;\n success: boolean;\n statusMessage?: string;\n}\n\nexport function buildCapabilitySpan(opts: BuildCapabilitySpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.skill.operation\": opts.operation,\n \"av.skill.success\": opts.success,\n };\n if (opts.skillName) attributes[\"av.skill.name\"] = opts.skillName;\n if (opts.version) attributes[\"av.skill.version\"] = opts.version;\n if (opts.certificationTier) attributes[\"av.skill.certification_tier\"] = opts.certificationTier;\n if (opts.toolsUsed?.length) attributes[\"av.skill.tools_used\"] = opts.toolsUsed.join(\",\");\n\n const status: SpanStatus = opts.success\n ? { code: 0 }\n : { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.skill.invoke\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildEnrollmentSpan (av.enrollment) --------------------------------------\n\nexport interface BuildEnrollmentSpanOpts extends BaseSpanOpts {\n deviceId?: string;\n phase: \"start\" | \"key_exchange\" | \"activate\" | \"complete\" | \"fail\";\n enrollmentType?: \"initial\" | \"re-enrollment\" | \"multi-device\";\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildEnrollmentSpan(opts: BuildEnrollmentSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.enrollment.phase\": opts.phase,\n };\n if (opts.deviceId) attributes[\"av.enrollment.device_id\"] = opts.deviceId;\n if (opts.enrollmentType) attributes[\"av.enrollment.type\"] = opts.enrollmentType;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\" || opts.phase === \"fail\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.enrollment\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildRoomSpan (av.room) --------------------------------------------------\n\nexport interface BuildRoomSpanOpts extends BaseSpanOpts {\n roomId: string;\n operation: \"create\" | \"join\" | \"leave\" | \"rekey\" | \"message\" | \"invite\";\n roomName?: string;\n memberCount?: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildRoomSpan(opts: BuildRoomSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.room.id\": opts.roomId,\n \"av.room.operation\": opts.operation,\n };\n if (opts.roomName) attributes[\"av.room.name\"] = opts.roomName;\n if (opts.memberCount !== undefined) attributes[\"av.room.member_count\"] = opts.memberCount;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.room\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildTrustSpan (av.trust) ------------------------------------------------\n\nexport interface BuildTrustSpanOpts extends BaseSpanOpts {\n agentHubAddress: string;\n operation: \"score_update\" | \"tier_change\" | \"dimension_update\" | \"report_generate\";\n previousTier?: string;\n newTier?: string;\n overallScore?: number;\n dimension?: string;\n dimensionScore?: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildTrustSpan(opts: BuildTrustSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.trust.agent_hub_address\": opts.agentHubAddress,\n \"av.trust.operation\": opts.operation,\n };\n if (opts.previousTier) attributes[\"av.trust.previous_tier\"] = opts.previousTier;\n if (opts.newTier) attributes[\"av.trust.new_tier\"] = opts.newTier;\n if (opts.overallScore !== undefined) attributes[\"av.trust.overall_score\"] = opts.overallScore;\n if (opts.dimension) attributes[\"av.trust.dimension\"] = opts.dimension;\n if (opts.dimensionScore !== undefined) attributes[\"av.trust.dimension_score\"] = opts.dimensionScore;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.trust\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- Eval Run Span (#21) ------------------------------------------------------\n\nexport interface BuildEvalRunSpanOpts {\n scenarioId: string;\n scenarioName?: string;\n variationType?: string;\n agentId: string;\n status: \"pending\" | \"running\" | \"completed\" | \"failed\";\n shiftMagnitude?: number;\n outcomeMatch?: boolean;\n flagged?: boolean;\n flagReason?: string;\n latencyMs: number;\n traceId?: string;\n spanId?: string;\n parentSpanId?: string;\n statusMessage?: string;\n}\n\n/**\n * Build an av.eval.run span for factorial evaluation execution telemetry.\n *\n * Tracks scenario-based evaluation runs, including shift measurement\n * (how much output changed under variation) and outcome matching.\n */\nexport function buildEvalRunSpan(opts: BuildEvalRunSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.eval.scenario_id\": opts.scenarioId,\n \"av.eval.agent_id\": opts.agentId,\n \"av.eval.status\": opts.status,\n \"av.eval.latency_ms\": opts.latencyMs,\n };\n\n if (opts.scenarioName) attributes[\"av.eval.scenario_name\"] = opts.scenarioName;\n if (opts.variationType) attributes[\"av.eval.variation_type\"] = opts.variationType;\n if (opts.shiftMagnitude !== undefined)\n attributes[\"av.eval.shift_magnitude\"] = opts.shiftMagnitude;\n if (opts.outcomeMatch !== undefined)\n attributes[\"av.eval.outcome_match\"] = opts.outcomeMatch;\n if (opts.flagged !== undefined) attributes[\"av.eval.flagged\"] = opts.flagged;\n if (opts.flagReason) attributes[\"av.eval.flag_reason\"] = opts.flagReason;\n\n const isError = opts.status === \"failed\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.eval.run\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- InstrumentationContext ---------------------------------------------------\n\nexport interface InstrumentationContext {\n reportLlm: (opts: Omit<BuildLlmSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportTool: (opts: Omit<BuildToolSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportError: (opts: Omit<BuildErrorSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportHttp: (opts: Omit<BuildHttpSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportAction: (opts: Omit<BuildActionSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportNav: (opts: Omit<BuildNavSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportEval: (opts: Omit<BuildEvalSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportTask: (opts: Omit<BuildTaskSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportSkillInvocation: (opts: Omit<BuildSkillInvocationSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n skillName?: string; // propagated to all spans from this context\n traceId: string;\n parentSpanId: string;\n}\n\n// -- W3C TraceContext ---------------------------------------------------------\n\n/**\n * W3C Trace Context headers for cross-agent/cross-sandbox trace correlation.\n *\n * @see https://www.w3.org/TR/trace-context/\n */\nexport interface TraceContext {\n /** W3C traceparent header: version-traceId-parentId-traceFlags */\n traceparent: string;\n /** W3C tracestate header (optional vendor-specific data) */\n tracestate?: string;\n}\n\n/**\n * Build a W3C traceparent header from a span.\n *\n * Format: `{version}-{trace-id}-{parent-id}-{trace-flags}`\n * - version: `00` (current spec)\n * - trace-id: 32 hex chars\n * - parent-id: 16 hex chars (the span's own spanId becomes parent for children)\n * - trace-flags: `01` (sampled)\n */\nexport function buildTraceparent(span: TelemetrySpan): string {\n return `00-${span.traceId}-${span.spanId}-01`;\n}\n\n/**\n * Parse a W3C traceparent header into its components.\n *\n * @returns null if the header is malformed\n */\nexport function parseTraceparent(header: string): {\n version: string;\n traceId: string;\n parentId: string;\n traceFlags: string;\n} | null {\n const parts = header.split(\"-\");\n if (parts.length !== 4) return null;\n const [version, traceId, parentId, traceFlags] = parts;\n if (!version || !traceId || !parentId || !traceFlags) return null;\n if (traceId.length !== 32 || parentId.length !== 16) return null;\n return { version, traceId, parentId, traceFlags };\n}\n\n/**\n * Create a TraceContext from a span for propagation across agent boundaries.\n */\nexport function spanToTraceContext(\n span: TelemetrySpan,\n tracestate?: string,\n): TraceContext {\n return {\n traceparent: buildTraceparent(span),\n tracestate: tracestate ?? `av=s:${span.spanId}`,\n };\n}\n\n/**\n * Propagate trace context across agent/sandbox boundaries.\n *\n * Creates a child span context from an incoming traceparent header,\n * preserving the trace ID while creating a new span ID.\n */\nexport function propagateContext(\n incomingTraceparent: string,\n): { traceId: string; parentSpanId: string; spanId: string } | null {\n const parsed = parseTraceparent(incomingTraceparent);\n if (!parsed) return null;\n\n return {\n traceId: parsed.traceId,\n parentSpanId: parsed.parentId,\n spanId: generateSpanId(),\n };\n}\n\n/**\n * Generate W3C Trace Context HTTP headers from a span for attachment\n * to outbound requests at transport boundaries (e.g., agent-to-agent,\n * cross-sandbox, OTLP export).\n *\n * @returns Record suitable for spreading into a fetch headers object\n */\nexport function spanToW3CHeaders(\n span: TelemetrySpan,\n tracestate?: string,\n): Record<string, string> {\n return {\n traceparent: buildTraceparent(span),\n tracestate: tracestate ?? `av=s:${span.spanId}`,\n };\n}\n", "/**\n * TelemetryReporter \u2014 accumulates telemetry spans and flushes them\n * to the AgentVault backend via HTTP POST.\n *\n * Telemetry is best-effort: flush() never throws. On network or HTTP errors\n * the spans stay in the buffer for retry on the next flush cycle.\n *\n * Usage:\n * const reporter = new TelemetryReporter({\n * apiBase: \"https://api.agentvault.chat\",\n * hubId: \"...\",\n * authHeader: \"Bearer <jwt>\",\n * });\n * reporter.reportLlmCall({ model: \"gpt-4o\", latencyMs: 1200, tokensInput: 500, tokensOutput: 150 });\n * reporter.startAutoFlush(); // every 30 s\n */\n\nimport {\n buildLlmSpan,\n buildToolSpan,\n buildErrorSpan,\n buildHttpSpan,\n buildActionSpan,\n buildNavSpan,\n buildEvalSpan,\n buildTaskSpan,\n buildTraceparent,\n type TelemetrySpan,\n type BuildLlmSpanOpts,\n type BuildToolSpanOpts,\n type BuildErrorSpanOpts,\n type BuildHttpSpanOpts,\n type BuildActionSpanOpts,\n type BuildNavSpanOpts,\n type BuildEvalSpanOpts,\n type BuildTaskSpanOpts,\n} from \"./telemetry.js\";\n\n// -- Config -------------------------------------------------------------------\n\nexport interface TelemetryReporterConfig {\n /** Backend base URL, e.g. \"https://api.agentvault.chat\" */\n apiBase: string;\n /** Agent's hub identity ID */\n hubId: string;\n /** Authorization header value, e.g. \"Bearer <jwt>\" or API key */\n authHeader: string;\n /** Injectable fetch for testing (defaults to globalThis.fetch) */\n fetchImpl?: typeof fetch;\n /** Agent display name (resource attribute) */\n agentName?: string;\n /** Agent version (resource attribute) */\n agentVersion?: string;\n}\n\n// -- OTLP serialization helpers -----------------------------------------------\n\ninterface OtlpAttribute {\n key: string;\n value:\n | { stringValue: string }\n | { intValue: number }\n | { doubleValue: number }\n | { boolValue: boolean };\n}\n\n/**\n * Convert a flat attribute record to OTLP KV format.\n *\n * - string -> { stringValue }\n * - boolean -> { boolValue }\n * - integer -> { intValue }\n * - float -> { doubleValue }\n */\nfunction toOtlpAttributes(\n attrs: Record<string, string | number | boolean>,\n): OtlpAttribute[] {\n return Object.entries(attrs).map(([key, val]) => {\n if (typeof val === \"string\") {\n return { key, value: { stringValue: val } };\n }\n if (typeof val === \"boolean\") {\n return { key, value: { boolValue: val } };\n }\n // number: integer vs float\n if (Number.isInteger(val)) {\n return { key, value: { intValue: val as number } };\n }\n return { key, value: { doubleValue: val as number } };\n });\n}\n\n/**\n * Convert a TelemetrySpan to the OTLP wire format expected by the\n * backend ingest endpoint.\n *\n * Includes W3C TraceContext attributes (`w3c.traceparent`, `w3c.tracestate`)\n * for cross-agent/cross-sandbox trace correlation per the W3C Trace Context spec.\n */\nfunction spanToOtlp(span: TelemetrySpan): Record<string, unknown> {\n // Inject W3C TraceContext as span attributes for cross-agent correlation\n const enrichedAttrs = { ...span.attributes };\n enrichedAttrs[\"w3c.traceparent\"] = buildTraceparent(span);\n enrichedAttrs[\"w3c.tracestate\"] = `av=s:${span.spanId}`;\n\n const otlp: Record<string, unknown> = {\n traceId: span.traceId,\n spanId: span.spanId,\n name: span.name,\n kind: span.kind,\n startTimeUnixNano: String(span.startTime * 1_000_000),\n endTimeUnixNano: String(span.endTime * 1_000_000),\n attributes: toOtlpAttributes(enrichedAttrs),\n };\n\n if (span.parentSpanId !== undefined) {\n otlp.parentSpanId = span.parentSpanId;\n }\n\n if (span.status) {\n otlp.status = span.status;\n }\n\n if (span.events && span.events.length > 0) {\n otlp.events = span.events;\n }\n\n return otlp;\n}\n\n// -- TelemetryReporter --------------------------------------------------------\n\nexport class TelemetryReporter {\n private readonly _apiBase: string;\n private readonly _hubId: string;\n private readonly _authHeader: string;\n private readonly _fetch: typeof fetch;\n private readonly _agentName: string;\n private readonly _agentVersion: string;\n private _buffer: TelemetrySpan[] = [];\n private _timer: ReturnType<typeof setInterval> | null = null;\n\n constructor(config: TelemetryReporterConfig) {\n this._apiBase = config.apiBase.replace(/\\/+$/, \"\"); // strip trailing slash\n this._hubId = config.hubId;\n this._authHeader = config.authHeader;\n this._fetch = config.fetchImpl ?? globalThis.fetch;\n this._agentName = config.agentName ?? \"unknown\";\n this._agentVersion = config.agentVersion ?? \"0.0.0\";\n }\n\n /** Number of spans waiting to be flushed. */\n get pendingCount(): number {\n return this._buffer.length;\n }\n\n // -- Report methods ---------------------------------------------------------\n\n /** Record an LLM inference call. */\n reportLlmCall(opts: BuildLlmSpanOpts): void {\n this._buffer.push(buildLlmSpan(opts));\n }\n\n /** Record a tool/function invocation. */\n reportToolCall(opts: BuildToolSpanOpts): void {\n this._buffer.push(buildToolSpan(opts));\n }\n\n /** Record an error event. */\n reportError(opts: BuildErrorSpanOpts): void {\n this._buffer.push(buildErrorSpan(opts));\n }\n\n /** Record an HTTP request call. */\n reportHttpCall(opts: BuildHttpSpanOpts): void {\n this._buffer.push(buildHttpSpan(opts));\n }\n\n /** Record an action execution. */\n reportActionCall(opts: BuildActionSpanOpts): void {\n this._buffer.push(buildActionSpan(opts));\n }\n\n /** Record a navigation event. */\n reportNavCall(opts: BuildNavSpanOpts): void {\n this._buffer.push(buildNavSpan(opts));\n }\n\n /** Record an evaluation event. */\n reportEvaluation(opts: BuildEvalSpanOpts): void {\n this._buffer.push(buildEvalSpan(opts));\n }\n\n /** Record a task lifecycle event. */\n reportTaskCall(opts: BuildTaskSpanOpts): void {\n this._buffer.push(buildTaskSpan(opts));\n }\n\n /** Record an arbitrary pre-built span. */\n reportCustomSpan(span: TelemetrySpan): void {\n this._buffer.push(span);\n }\n\n // -- Flush ------------------------------------------------------------------\n\n /**\n * POST all buffered spans to the backend ingest endpoint.\n *\n * - On success (HTTP 2xx): clears the buffer.\n * - On failure: keeps spans in the buffer for retry.\n * - Never throws \u2014 telemetry is best-effort.\n */\n async flush(): Promise<void> {\n if (this._buffer.length === 0) {\n return;\n }\n\n // Snapshot the current buffer \u2014 if new spans arrive during the POST\n // they will go into a fresh array.\n const spans = this._buffer;\n this._buffer = [];\n\n try {\n const response = await this._fetch(\n `${this._apiBase}/api/v1/telemetry/ingest`,\n {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: this._authHeader,\n },\n body: JSON.stringify({\n hub_id: this._hubId,\n resource: {\n \"gen_ai.agent.name\": this._agentName,\n \"gen_ai.agent.id\": this._hubId,\n \"gen_ai.agent.version\": this._agentVersion,\n \"service.name\": \"agentvault-agent\",\n },\n spans: spans.map(spanToOtlp),\n }),\n },\n );\n\n if (!response.ok) {\n // HTTP error \u2014 put spans back for retry\n this._buffer = spans.concat(this._buffer);\n }\n } catch {\n // Network error \u2014 put spans back for retry\n this._buffer = spans.concat(this._buffer);\n }\n }\n\n // -- Auto-flush -------------------------------------------------------------\n\n /**\n * Start a periodic flush timer.\n * @param intervalMs Flush interval in milliseconds (default 30 000).\n */\n startAutoFlush(intervalMs = 30_000): void {\n this.stopAutoFlush();\n this._timer = setInterval(() => {\n void this.flush();\n }, intervalMs);\n }\n\n /** Stop the periodic flush timer. Safe to call when not started. */\n stopAutoFlush(): void {\n if (this._timer !== null) {\n clearInterval(this._timer);\n this._timer = null;\n }\n }\n}\n", "/**\n * Encrypted key backup \u2014 Threema Safe-style.\n *\n * Backup code: 20 Crockford Base32 chars (100 bits entropy)\n * KDF: Argon2id (INTERACTIVE: 2 ops, 64 MB)\n * Encryption: XChaCha20-Poly1305\n * Wire format: salt(16) || nonce(24) || ciphertext+tag\n */\n\nimport sodium from \"libsodium-wrappers-sumo\";\n\n// Crockford Base32 alphabet \u2014 no I, L, O, U\nconst CROCKFORD = \"0123456789ABCDEFGHJKMNPQRSTVWXYZ\";\n\n// Argon2id parameters (INTERACTIVE)\nconst ARGON2_OPSLIMIT = 2;\nconst ARGON2_MEMLIMIT = 67_108_864; // 64 MB\n\nconst SALT_BYTES = 16;\nconst NONCE_BYTES = 24; // XChaCha20-Poly1305\nconst KEY_BYTES = 32;\nconst BACKUP_VERSION = 1;\nconst MAX_BACKUP_SIZE = 512 * 1024; // 512 KB\n\n// \u2500\u2500 Types \u2500\u2500\n\nexport interface BackupBundle {\n version: 1;\n createdAt: string;\n deviceId: string;\n identityKeypair: { publicKey: string; privateKey: string };\n ephemeralKeypair: { publicKey: string; privateKey: string };\n fingerprint: string;\n ratchets: Record<string, string>;\n rooms?: Record<string, {\n roomId: string;\n name: string;\n conversationIds: string[];\n encryptionMode?: string;\n ownSenderKeyChain?: string;\n peerSenderKeyState?: string;\n distributedTo?: string[];\n }>;\n sessions?: Record<string, {\n ownerDeviceId: string;\n ratchetState: string;\n activated?: boolean;\n }>;\n a2aChannels?: Record<string, unknown>;\n topics?: Array<{ id: string; name: string; isDefault: boolean }>;\n defaultTopicId?: string;\n groupId?: string;\n hubAddress?: string;\n}\n\n// \u2500\u2500 Backup Code Generation \u2500\u2500\n\n/**\n * Generate a 20-character Crockford Base32 backup code (100 bits entropy).\n */\nexport async function generateBackupCode(): Promise<string> {\n await sodium.ready;\n // 13 random bytes = 104 bits; we use 100 bits (20 \u00D7 5-bit chars)\n const bytes = sodium.randombytes_buf(13);\n // Convert to a big number via bit manipulation\n let bits = 0n;\n for (const b of bytes) {\n bits = (bits << 8n) | BigInt(b);\n }\n // Shift right to get exactly 100 bits\n bits >>= 4n;\n\n let code = \"\";\n for (let i = 0; i < 20; i++) {\n const idx = Number(bits & 0x1fn);\n code = CROCKFORD[idx] + code;\n bits >>= 5n;\n }\n return code;\n}\n\n/**\n * Format a backup code with dashes: XXXX-XXXX-XXXX-XXXX-XXXX\n */\nexport function formatBackupCode(code: string): string {\n const clean = code.replace(/[-\\s]/g, \"\").toUpperCase();\n return clean.match(/.{1,4}/g)?.join(\"-\") ?? clean;\n}\n\n/**\n * Normalize user input: strip dashes/spaces, uppercase.\n */\nexport function normalizeBackupCode(input: string): string {\n return input.replace(/[-\\s]/g, \"\").toUpperCase();\n}\n\n// \u2500\u2500 Argon2id KDF \u2500\u2500\n\n/**\n * Derive a 32-byte key from a backup code + salt using Argon2id.\n */\nexport async function deriveBackupKey(\n code: string,\n salt: Uint8Array,\n): Promise<Uint8Array> {\n await sodium.ready;\n return sodium.crypto_pwhash(\n KEY_BYTES,\n code,\n salt,\n ARGON2_OPSLIMIT,\n ARGON2_MEMLIMIT,\n sodium.crypto_pwhash_ALG_ARGON2ID13,\n );\n}\n\n// \u2500\u2500 Encrypt / Decrypt \u2500\u2500\n\n/**\n * Encrypt a BackupBundle with a backup code.\n * Output: salt(16) || nonce(24) || ciphertext+tag\n */\nexport async function encryptBackup(\n bundle: BackupBundle,\n code: string,\n): Promise<Uint8Array> {\n await sodium.ready;\n const salt = sodium.randombytes_buf(SALT_BYTES);\n const key = await deriveBackupKey(code, salt);\n return encryptBackupWithKey(bundle, key, salt);\n}\n\n/**\n * Encrypt a BackupBundle with a pre-derived key + salt.\n * Used by auto-backup to avoid re-running Argon2id.\n * Output: salt(16) || nonce(24) || ciphertext+tag\n */\nexport async function encryptBackupWithKey(\n bundle: BackupBundle,\n key: Uint8Array,\n salt: Uint8Array,\n): Promise<Uint8Array> {\n await sodium.ready;\n const plaintext = sodium.from_string(JSON.stringify(bundle));\n const nonce = sodium.randombytes_buf(NONCE_BYTES);\n const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plaintext,\n null,\n null,\n nonce,\n key,\n );\n\n // Wire format: salt || nonce || ciphertext\n const result = new Uint8Array(SALT_BYTES + NONCE_BYTES + ciphertext.length);\n result.set(salt, 0);\n result.set(nonce, SALT_BYTES);\n result.set(ciphertext, SALT_BYTES + NONCE_BYTES);\n return result;\n}\n\n/**\n * Decrypt an encrypted backup blob with a backup code.\n * Throws on wrong code or corrupt data.\n */\nexport async function decryptBackup(\n encrypted: Uint8Array,\n code: string,\n): Promise<BackupBundle> {\n await sodium.ready;\n const minLen = SALT_BYTES + NONCE_BYTES + sodium.crypto_aead_xchacha20poly1305_ietf_ABYTES;\n if (encrypted.length < minLen) {\n throw new Error(\"Incorrect backup code or corrupt backup\");\n }\n\n const salt = encrypted.slice(0, SALT_BYTES);\n const nonce = encrypted.slice(SALT_BYTES, SALT_BYTES + NONCE_BYTES);\n const ciphertext = encrypted.slice(SALT_BYTES + NONCE_BYTES);\n\n const key = await deriveBackupKey(code, salt);\n\n let plaintext: Uint8Array;\n try {\n plaintext = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n ciphertext,\n null,\n nonce,\n key,\n );\n } catch {\n throw new Error(\"Incorrect backup code or corrupt backup\");\n }\n\n let bundle: BackupBundle;\n try {\n bundle = JSON.parse(sodium.to_string(plaintext));\n } catch {\n throw new Error(\"Incorrect backup code or corrupt backup\");\n }\n\n if (bundle.version !== BACKUP_VERSION) {\n throw new Error(`Unsupported backup version: ${bundle.version}`);\n }\n\n return bundle;\n}\n\n// \u2500\u2500 Code Hash \u2500\u2500\n\n/**\n * BLAKE2b-256 hash of a backup code \u2014 used as \"is configured?\" indicator.\n * NOT the same as Argon2id key derivation (different algo, no salt).\n */\nexport async function hashBackupCode(code: string): Promise<Uint8Array> {\n await sodium.ready;\n return sodium.crypto_generichash(32, sodium.from_string(code));\n}\n", "/**\n * Signed approval artifacts \u2014 Ed25519 signed JSON for human-in-the-loop gates.\n *\n * Used in the approval_request/approval_response message flow to create\n * tamper-evident records of owner approvals for sensitive agent operations.\n *\n * @example\n * ```typescript\n * import { createApprovalArtifact, verifyApprovalArtifact } from \"@agentvault/crypto\";\n *\n * const artifact = await createApprovalArtifact(\n * { approvalId: \"abc123\", approved: true, reason: \"Authorized\" },\n * signingPrivateKey,\n * );\n *\n * const isValid = await verifyApprovalArtifact(artifact, signerPublicKey);\n * ```\n */\nimport _sodium from \"libsodium-wrappers-sumo\";\nimport { canonicalize } from \"./did.js\";\n\n/* -------------------------------------------------------------------------- */\n/* Types */\n/* -------------------------------------------------------------------------- */\n\nexport interface ApprovalArtifact {\n /** The approval content (JCS-canonicalized before signing). */\n content: Record<string, unknown>;\n /** Ed25519 signature over the canonical content (hex). */\n signature: string;\n /** Signer's Ed25519 public key (hex). */\n signerPublicKey: string;\n /** ISO 8601 timestamp of when the artifact was created. */\n createdAt: string;\n /** Version tag for forward compat. */\n version: 1;\n}\n\n/* -------------------------------------------------------------------------- */\n/* Create */\n/* -------------------------------------------------------------------------- */\n\n/**\n * Create a signed approval artifact.\n *\n * @param content \u2014 The approval payload (e.g., { approvalId, approved, reason })\n * @param privateKeyHex \u2014 Ed25519 private key (64-byte seed+pk, hex encoded)\n * @returns Signed artifact with detached Ed25519 signature\n */\nexport async function createApprovalArtifact(\n content: Record<string, unknown>,\n privateKeyHex: string,\n): Promise<ApprovalArtifact> {\n await _sodium.ready;\n const sodium = _sodium;\n\n const privateKey = sodium.from_hex(privateKeyHex);\n const publicKey = privateKey.slice(32); // Ed25519 pk is last 32 bytes of 64-byte keypair\n\n // Canonicalize the content for deterministic signing\n // canonicalize() returns Uint8Array (JCS-encoded bytes)\n const message = canonicalize(content);\n\n // Ed25519 detached signature\n const signatureBytes = sodium.crypto_sign_detached(message, privateKey);\n\n return {\n content,\n signature: sodium.to_hex(signatureBytes),\n signerPublicKey: sodium.to_hex(publicKey),\n createdAt: new Date().toISOString(),\n version: 1,\n };\n}\n\n/* -------------------------------------------------------------------------- */\n/* Verify */\n/* -------------------------------------------------------------------------- */\n\n/**\n * Verify a signed approval artifact.\n *\n * @param artifact \u2014 The approval artifact to verify\n * @param expectedPublicKeyHex \u2014 Optional: verify the signer matches this key\n * @returns true if the signature is valid\n */\nexport async function verifyApprovalArtifact(\n artifact: ApprovalArtifact,\n expectedPublicKeyHex?: string,\n): Promise<boolean> {\n await _sodium.ready;\n const sodium = _sodium;\n\n // Optional: verify signer identity\n if (expectedPublicKeyHex && artifact.signerPublicKey !== expectedPublicKeyHex) {\n return false;\n }\n\n try {\n const publicKey = sodium.from_hex(artifact.signerPublicKey);\n const signature = sodium.from_hex(artifact.signature);\n const message = canonicalize(artifact.content);\n\n return sodium.crypto_sign_verify_detached(signature, message, publicKey);\n } catch {\n return false;\n }\n}\n", null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, "/**\n * The base error class of hpke-js.\n * @group Errors\n */\nexport class HpkeError extends Error {\n constructor(e) {\n let message;\n if (e instanceof Error) {\n message = e.message;\n }\n else if (typeof e === \"string\") {\n message = e;\n }\n else {\n message = \"\";\n }\n super(message);\n this.name = this.constructor.name;\n }\n}\n/**\n * Invalid parameter.\n * @group Errors\n */\nexport class InvalidParamError extends HpkeError {\n}\n/**\n * KEM input or output validation failure.\n * @group Errors\n */\nexport class ValidationError extends HpkeError {\n}\n/**\n * Public or private key serialization failure.\n * @group Errors\n */\nexport class SerializeError extends HpkeError {\n}\n/**\n * Public or private key deserialization failure.\n * @group Errors\n */\nexport class DeserializeError extends HpkeError {\n}\n/**\n * encap() failure.\n * @group Errors\n */\nexport class EncapError extends HpkeError {\n}\n/**\n * decap() failure.\n * @group Errors\n */\nexport class DecapError extends HpkeError {\n}\n/**\n * Secret export failure.\n * @group Errors\n */\nexport class ExportError extends HpkeError {\n}\n/**\n * seal() failure.\n * @group Errors\n */\nexport class SealError extends HpkeError {\n}\n/**\n * open() failure.\n * @group Errors\n */\nexport class OpenError extends HpkeError {\n}\n/**\n * Sequence number overflow on the encryption context.\n * @group Errors\n */\nexport class MessageLimitReachedError extends HpkeError {\n}\n/**\n * Key pair derivation failure.\n * @group Errors\n */\nexport class DeriveKeyPairError extends HpkeError {\n}\n/**\n * Not supported failure.\n * @group Errors\n */\nexport class NotSupportedError extends HpkeError {\n}\n", "const dntGlobals = {};\nexport const dntGlobalThis = createMergeProxy(globalThis, dntGlobals);\nfunction createMergeProxy(baseObj, extObj) {\n return new Proxy(baseObj, {\n get(_target, prop, _receiver) {\n if (prop in extObj) {\n return extObj[prop];\n }\n else {\n return baseObj[prop];\n }\n },\n set(_target, prop, value) {\n if (prop in extObj) {\n delete extObj[prop];\n }\n baseObj[prop] = value;\n return true;\n },\n deleteProperty(_target, prop) {\n let success = false;\n if (prop in extObj) {\n delete extObj[prop];\n success = true;\n }\n if (prop in baseObj) {\n delete baseObj[prop];\n success = true;\n }\n return success;\n },\n ownKeys(_target) {\n const baseKeys = Reflect.ownKeys(baseObj);\n const extKeys = Reflect.ownKeys(extObj);\n const extKeysSet = new Set(extKeys);\n return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys];\n },\n defineProperty(_target, prop, desc) {\n if (prop in extObj) {\n delete extObj[prop];\n }\n Reflect.defineProperty(baseObj, prop, desc);\n return true;\n },\n getOwnPropertyDescriptor(_target, prop) {\n if (prop in extObj) {\n return Reflect.getOwnPropertyDescriptor(extObj, prop);\n }\n else {\n return Reflect.getOwnPropertyDescriptor(baseObj, prop);\n }\n },\n has(_target, prop) {\n return prop in extObj || prop in baseObj;\n },\n });\n}\n", "import * as dntShim from \"../_dnt.shims.js\";\nimport { NotSupportedError } from \"./errors.js\";\nasync function loadSubtleCrypto() {\n if (dntShim.dntGlobalThis !== undefined && globalThis.crypto !== undefined) {\n // Browsers, Node.js >= v19, Cloudflare Workers, Bun, etc.\n return globalThis.crypto.subtle;\n }\n // Node.js <= v18\n try {\n // @ts-ignore: to ignore \"crypto\"\n const { webcrypto } = await import(\"crypto\"); // node:crypto\n return webcrypto.subtle;\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n}\nexport class NativeAlgorithm {\n constructor() {\n Object.defineProperty(this, \"_api\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: undefined\n });\n }\n async _setup() {\n if (this._api !== undefined) {\n return;\n }\n this._api = await loadSubtleCrypto();\n }\n}\n", "/**\n * The supported HPKE modes.\n */\nexport const Mode = {\n Base: 0x00,\n Psk: 0x01,\n Auth: 0x02,\n AuthPsk: 0x03,\n};\n/**\n * The supported Key Encapsulation Mechanism (KEM) identifiers.\n */\nexport const KemId = {\n NotAssigned: 0x0000,\n DhkemP256HkdfSha256: 0x0010,\n DhkemP384HkdfSha384: 0x0011,\n DhkemP521HkdfSha512: 0x0012,\n DhkemSecp256k1HkdfSha256: 0x0013,\n DhkemX25519HkdfSha256: 0x0020,\n DhkemX448HkdfSha512: 0x0021,\n HybridkemX25519Kyber768: 0x0030,\n MlKem512: 0x0040,\n MlKem768: 0x0041,\n MlKem1024: 0x0042,\n XWing: 0x647a,\n};\n/**\n * The supported Key Derivation Function (KDF) identifiers.\n */\nexport const KdfId = {\n HkdfSha256: 0x0001,\n HkdfSha384: 0x0002,\n HkdfSha512: 0x0003,\n Sha3256: 0x0004,\n Sha3384: 0x0005,\n Sha3512: 0x0006,\n Shake128: 0x0010,\n Shake256: 0x0011,\n TurboShake128: 0x0012,\n TurboShake256: 0x0013,\n};\n/**\n * The supported Authenticated Encryption with Associated Data (AEAD) identifiers.\n */\nexport const AeadId = {\n Aes128Gcm: 0x0001,\n Aes256Gcm: 0x0002,\n Chacha20Poly1305: 0x0003,\n ExportOnly: 0xFFFF,\n};\n", "// The input length limit (psk, psk_id, info, exporter_context, ikm).\nexport const INPUT_LENGTH_LIMIT = 8192;\nexport const INFO_LENGTH_LIMIT = 268435456;\n// The minimum length of a PSK.\nexport const MINIMUM_PSK_LENGTH = 32;\n// b\"\"\nexport const EMPTY = /* @__PURE__ */ new Uint8Array(0);\n// Common BigInt constants\nexport const N_0 = 0n;\nexport const N_1 = 1n;\nexport const N_2 = 2n;\nexport const N_7 = 7n;\nexport const N_32 = 32n;\nexport const N_256 = 256n;\nexport const N_0x71 = 0x71n;\nexport const BYTE_TO_BIGINT_256 = /* @__PURE__ */ (() => {\n const out = new Array(256);\n let i = 0;\n let value = 0n;\n while (i < 256) {\n out[i] = value;\n i++;\n value += 1n;\n }\n return out;\n})();\n", "// b\"KEM\"\nexport const SUITE_ID_HEADER_KEM = /* @__PURE__ */ new Uint8Array([\n 75,\n 69,\n 77,\n 0,\n 0,\n]);\n", "import { EMPTY } from \"../consts.js\";\nimport { InvalidParamError } from \"../errors.js\";\nimport { KdfId } from \"../identifiers.js\";\nimport { NativeAlgorithm } from \"../algorithm.js\";\n// b\"HPKE-v1\"\nconst HPKE_VERSION = /* @__PURE__ */ new Uint8Array([\n 72,\n 80,\n 75,\n 69,\n 45,\n 118,\n 49,\n]);\nexport function toUint8Array(input) {\n return new Uint8Array(toArrayBuffer(input));\n}\nexport function toArrayBuffer(input) {\n if (input instanceof ArrayBuffer) {\n return input;\n }\n if (ArrayBuffer.isView(input)) {\n return new Uint8Array(input.buffer, input.byteOffset, input.byteLength)\n .slice().buffer;\n }\n return new Uint8Array(input).slice().buffer;\n}\nexport class HkdfNative extends NativeAlgorithm {\n constructor() {\n super();\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha256\n });\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"_suiteId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: EMPTY\n });\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-256\",\n length: 256,\n }\n });\n }\n init(suiteId) {\n this._suiteId = suiteId;\n }\n buildLabeledIkm(label, ikm) {\n this._checkInit();\n const ret = new Uint8Array(7 + this._suiteId.byteLength + label.byteLength + ikm.byteLength);\n ret.set(HPKE_VERSION, 0);\n ret.set(this._suiteId, 7);\n ret.set(label, 7 + this._suiteId.byteLength);\n ret.set(ikm, 7 + this._suiteId.byteLength + label.byteLength);\n return ret;\n }\n buildLabeledInfo(label, info, len) {\n this._checkInit();\n const ret = new Uint8Array(9 + this._suiteId.byteLength + label.byteLength + info.byteLength);\n ret.set(new Uint8Array([0, len]), 0);\n ret.set(HPKE_VERSION, 2);\n ret.set(this._suiteId, 9);\n ret.set(label, 9 + this._suiteId.byteLength);\n ret.set(info, 9 + this._suiteId.byteLength + label.byteLength);\n return ret;\n }\n async extract(salt, ikm) {\n await this._setup();\n const saltBuf = salt.byteLength === 0\n ? new ArrayBuffer(this.hashSize)\n : toArrayBuffer(salt);\n if (saltBuf.byteLength !== this.hashSize) {\n throw new InvalidParamError(\"The salt length must be the same as the hashSize\");\n }\n const ikmBuf = toArrayBuffer(ikm);\n const key = await this._api.importKey(\"raw\", saltBuf, this.algHash, false, [\n \"sign\",\n ]);\n return await this._api.sign(\"HMAC\", key, ikmBuf);\n }\n async expand(prk, info, len) {\n await this._setup();\n const prkBuf = toArrayBuffer(prk);\n const key = await this._api.importKey(\"raw\", prkBuf, this.algHash, false, [\n \"sign\",\n ]);\n const okm = new ArrayBuffer(len);\n const okmBytes = new Uint8Array(okm);\n let prev = EMPTY;\n const mid = toUint8Array(info);\n const tail = new Uint8Array(1);\n if (len > 255 * this.hashSize) {\n throw new Error(\"Entropy limit reached\");\n }\n const tmp = new Uint8Array(this.hashSize + mid.length + 1);\n for (let i = 1, cur = 0; cur < okmBytes.length; i++) {\n tail[0] = i;\n tmp.set(prev, 0);\n tmp.set(mid, prev.length);\n tmp.set(tail, prev.length + mid.length);\n prev = new Uint8Array(await this._api.sign(\"HMAC\", key, tmp.slice(0, prev.length + mid.length + 1)));\n if (okmBytes.length - cur >= prev.length) {\n okmBytes.set(prev, cur);\n cur += prev.length;\n }\n else {\n okmBytes.set(prev.slice(0, okmBytes.length - cur), cur);\n cur += okmBytes.length - cur;\n }\n }\n return okm;\n }\n async extractAndExpand(salt, ikm, info, len) {\n await this._setup();\n const ikmBuf = toArrayBuffer(ikm);\n const baseKey = await this._api.importKey(\"raw\", ikmBuf, \"HKDF\", false, [\"deriveBits\"]);\n return await this._api.deriveBits({\n name: \"HKDF\",\n hash: this.algHash.hash,\n salt: toArrayBuffer(salt),\n info: toArrayBuffer(info),\n }, baseKey, len * 8);\n }\n async labeledExtract(salt, label, ikm) {\n return await this.extract(salt, this.buildLabeledIkm(label, ikm));\n }\n async labeledExpand(prk, label, info, len) {\n return await this.expand(prk, this.buildLabeledInfo(label, info, len), len);\n }\n _checkInit() {\n if (this._suiteId === EMPTY) {\n throw new Error(\"Not initialized. Call init()\");\n }\n }\n}\nexport class HkdfSha256Native extends HkdfNative {\n constructor() {\n super(...arguments);\n /** KdfId.HkdfSha256 (0x0001) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha256\n });\n /** 32 */\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** The parameters for Web Cryptography API */\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-256\",\n length: 256,\n }\n });\n }\n}\nexport class HkdfSha384Native extends HkdfNative {\n constructor() {\n super(...arguments);\n /** KdfId.HkdfSha384 (0x0002) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha384\n });\n /** 48 */\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 48\n });\n /** The parameters for Web Cryptography API */\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-384\",\n length: 384,\n }\n });\n }\n}\nexport class HkdfSha512Native extends HkdfNative {\n constructor() {\n super(...arguments);\n /** KdfId.HkdfSha512 (0x0003) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha512\n });\n /** 64 */\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n /** The parameters for Web Cryptography API */\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-512\",\n length: 512,\n }\n });\n }\n}\n", "import * as dntShim from \"../../_dnt.shims.js\";\nimport { KemId } from \"../identifiers.js\";\nexport const isDenoV1 = () => \n// deno-lint-ignore no-explicit-any\ndntShim.dntGlobalThis.process === undefined;\n/**\n * Checks whether the runtime is Deno or not (Node.js).\n * @returns boolean - true if the runtime is Deno, false Node.js.\n */\nexport function isDeno() {\n // deno-lint-ignore no-explicit-any\n if (dntShim.dntGlobalThis.process === undefined) {\n return true;\n }\n // deno-lint-ignore no-explicit-any\n return dntShim.dntGlobalThis.process?.versions?.deno !== undefined;\n}\n/**\n * Checks whetehr the type of input is CryptoKeyPair or not.\n */\nexport const isCryptoKeyPair = (x) => typeof x === \"object\" &&\n x !== null &&\n typeof x.privateKey === \"object\" &&\n typeof x.publicKey === \"object\";\n/**\n * Converts integer to octet string. I2OSP implementation.\n */\nexport function i2Osp(n, w) {\n if (w <= 0) {\n throw new Error(\"i2Osp: too small size\");\n }\n if (n >= 256 ** w) {\n throw new Error(\"i2Osp: too large integer\");\n }\n const ret = new Uint8Array(w);\n for (let i = 0; i < w && n; i++) {\n ret[w - (i + 1)] = n % 256;\n n = Math.floor(n / 256);\n }\n return ret;\n}\n/**\n * Concatenates two Uint8Arrays.\n * @param a Uint8Array\n * @param b Uint8Array\n * @returns Concatenated Uint8Array\n */\nexport function concat(a, b) {\n const ret = new Uint8Array(a.length + b.length);\n ret.set(a, 0);\n ret.set(b, a.length);\n return ret;\n}\n/**\n * Decodes Base64Url-encoded data.\n * @param v Base64Url-encoded string\n * @returns Uint8Array\n */\nexport function base64UrlToBytes(v) {\n const base64 = v.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const byteString = atob(base64);\n const ret = new Uint8Array(byteString.length);\n for (let i = 0; i < byteString.length; i++) {\n ret[i] = byteString.charCodeAt(i);\n }\n return ret;\n}\n/**\n * Encodes Uint8Array to Base64Url.\n * @param v Uint8Array\n * @returns Base64Url-encoded string\n */\nexport function bytesToBase64Url(v) {\n return btoa(String.fromCharCode(...v))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=*$/g, \"\");\n}\n/**\n * Decodes hex string to Uint8Array.\n * @param v Hex string\n * @returns Uint8Array\n * @throws Error if the input is not a hex string.\n */\nexport function hexToBytes(v) {\n if (v.length === 0) {\n return new Uint8Array([]);\n }\n const res = v.match(/[\\da-f]{2}/gi);\n if (res == null) {\n throw new Error(\"Not hex string.\");\n }\n return new Uint8Array(res.map(function (h) {\n return parseInt(h, 16);\n }));\n}\n/**\n * Encodes Uint8Array to hex string.\n * @param v Uint8Array\n * @returns Hex string\n */\nexport function bytesToHex(v) {\n return [...v].map((x) => x.toString(16).padStart(2, \"0\")).join(\"\");\n}\n/**\n * Converts KemId to KeyAlgorithm.\n * @param kem KemId\n * @returns KeyAlgorithm\n */\nexport function kemToKeyGenAlgorithm(kem) {\n switch (kem) {\n case KemId.DhkemP256HkdfSha256:\n return {\n name: \"ECDH\",\n namedCurve: \"P-256\",\n };\n case KemId.DhkemP384HkdfSha384:\n return {\n name: \"ECDH\",\n namedCurve: \"P-384\",\n };\n case KemId.DhkemP521HkdfSha512:\n return {\n name: \"ECDH\",\n namedCurve: \"P-521\",\n };\n default:\n // case KemId.DhkemX25519HkdfSha256\n return {\n name: \"X25519\",\n };\n }\n}\nexport async function loadSubtleCrypto() {\n if (dntShim.dntGlobalThis !== undefined && globalThis.crypto !== undefined) {\n // Browsers, Node.js >= v19, Cloudflare Workers, Bun, etc.\n return globalThis.crypto.subtle;\n }\n // Node.js <= v18\n try {\n // @ts-ignore: to ignore \"crypto\"\n const { webcrypto } = await import(\"crypto\"); // node:crypto\n return webcrypto.subtle;\n }\n catch (_e) {\n throw new Error(\"Failed to load SubtleCrypto\");\n }\n}\nexport async function loadCrypto() {\n if (typeof dntShim.dntGlobalThis !== \"undefined\" && globalThis.crypto !== undefined) {\n // Browsers, Node.js >= v19, Cloudflare Workers, Bun, etc.\n return globalThis.crypto;\n }\n // Node.js <= v18\n try {\n // @ts-ignore: to ignore \"crypto\"\n const { webcrypto } = await import(\"crypto\"); // node:crypto\n return webcrypto;\n }\n catch (_e) {\n throw new Error(\"failed to load Crypto\");\n }\n}\n/**\n * XOR for Uint8Array.\n */\nexport function xor(a, b) {\n if (a.byteLength !== b.byteLength) {\n throw new Error(\"xor: different length inputs\");\n }\n const buf = new Uint8Array(a.byteLength);\n for (let i = 0; i < a.byteLength; i++) {\n buf[i] = a[i] ^ b[i];\n }\n return buf;\n}\n", "import { EMPTY, INPUT_LENGTH_LIMIT } from \"../consts.js\";\nimport { DecapError, EncapError, InvalidParamError } from \"../errors.js\";\nimport { SUITE_ID_HEADER_KEM } from \"../interfaces/kemInterface.js\";\nimport { toArrayBuffer } from \"../kdfs/hkdf.js\";\nimport { concat, i2Osp, isCryptoKeyPair } from \"../utils/misc.js\";\n// b\"eae_prk\"\nconst LABEL_EAE_PRK = /* @__PURE__ */ new Uint8Array([\n 101,\n 97,\n 101,\n 95,\n 112,\n 114,\n 107,\n]);\n// b\"shared_secret\"\n// deno-fmt-ignore\nconst LABEL_SHARED_SECRET = /* @__PURE__ */ new Uint8Array([\n 115, 104, 97, 114, 101, 100, 95, 115, 101, 99,\n 114, 101, 116,\n]);\nfunction concat3(a, b, c) {\n const ret = new Uint8Array(a.length + b.length + c.length);\n ret.set(a, 0);\n ret.set(b, a.length);\n ret.set(c, a.length + b.length);\n return ret;\n}\nexport class Dhkem {\n constructor(id, prim, kdf) {\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"_prim\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.id = id;\n this._prim = prim;\n this._kdf = kdf;\n const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM);\n suiteId.set(i2Osp(this.id, 2), 3);\n this._kdf.init(suiteId);\n }\n async serializePublicKey(key) {\n return await this._prim.serializePublicKey(key);\n }\n async deserializePublicKey(key) {\n return await this._prim.deserializePublicKey(toArrayBuffer(key));\n }\n async serializePrivateKey(key) {\n return await this._prim.serializePrivateKey(key);\n }\n async deserializePrivateKey(key) {\n return await this._prim.deserializePrivateKey(toArrayBuffer(key));\n }\n async importKey(format, key, isPublic = true) {\n return await this._prim.importKey(format, key, isPublic);\n }\n async generateKeyPair() {\n return await this._prim.generateKeyPair();\n }\n async deriveKeyPair(ikm) {\n const rawIkm = toArrayBuffer(ikm);\n if (rawIkm.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long ikm\");\n }\n return await this._prim.deriveKeyPair(rawIkm);\n }\n async encap(params) {\n let ke;\n if (params.ekm === undefined) {\n ke = await this.generateKeyPair();\n }\n else if (isCryptoKeyPair(params.ekm)) {\n // params.ekm is only used for testing.\n ke = params.ekm;\n }\n else {\n // params.ekm is only used for testing.\n ke = await this.deriveKeyPair(params.ekm);\n }\n const enc = await this._prim.serializePublicKey(ke.publicKey);\n const pkrm = await this._prim.serializePublicKey(params.recipientPublicKey);\n try {\n let dh;\n if (params.senderKey === undefined) {\n dh = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey));\n }\n else {\n const sks = isCryptoKeyPair(params.senderKey)\n ? params.senderKey.privateKey\n : params.senderKey;\n const dh1 = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey));\n const dh2 = new Uint8Array(await this._prim.dh(sks, params.recipientPublicKey));\n dh = concat(dh1, dh2);\n }\n let kemContext;\n if (params.senderKey === undefined) {\n kemContext = concat(new Uint8Array(enc), new Uint8Array(pkrm));\n }\n else {\n const pks = isCryptoKeyPair(params.senderKey)\n ? params.senderKey.publicKey\n : await this._prim.derivePublicKey(params.senderKey);\n const pksm = await this._prim.serializePublicKey(pks);\n kemContext = concat3(new Uint8Array(enc), new Uint8Array(pkrm), new Uint8Array(pksm));\n }\n const sharedSecret = await this._generateSharedSecret(dh, kemContext);\n return {\n enc: enc,\n sharedSecret: sharedSecret,\n };\n }\n catch (e) {\n throw new EncapError(e);\n }\n }\n async decap(params) {\n const enc = toArrayBuffer(params.enc);\n const pke = await this._prim.deserializePublicKey(enc);\n const skr = isCryptoKeyPair(params.recipientKey)\n ? params.recipientKey.privateKey\n : params.recipientKey;\n const pkr = isCryptoKeyPair(params.recipientKey)\n ? params.recipientKey.publicKey\n : await this._prim.derivePublicKey(params.recipientKey);\n const pkrm = await this._prim.serializePublicKey(pkr);\n try {\n let dh;\n if (params.senderPublicKey === undefined) {\n dh = new Uint8Array(await this._prim.dh(skr, pke));\n }\n else {\n const dh1 = new Uint8Array(await this._prim.dh(skr, pke));\n const dh2 = new Uint8Array(await this._prim.dh(skr, params.senderPublicKey));\n dh = concat(dh1, dh2);\n }\n let kemContext;\n if (params.senderPublicKey === undefined) {\n kemContext = concat(new Uint8Array(enc), new Uint8Array(pkrm));\n }\n else {\n const pksm = await this._prim.serializePublicKey(params.senderPublicKey);\n kemContext = new Uint8Array(enc.byteLength + pkrm.byteLength + pksm.byteLength);\n kemContext.set(new Uint8Array(enc), 0);\n kemContext.set(new Uint8Array(pkrm), enc.byteLength);\n kemContext.set(new Uint8Array(pksm), enc.byteLength + pkrm.byteLength);\n }\n return await this._generateSharedSecret(dh, kemContext);\n }\n catch (e) {\n throw new DecapError(e);\n }\n }\n async _generateSharedSecret(dh, kemContext) {\n const labeledIkm = this._kdf.buildLabeledIkm(LABEL_EAE_PRK, dh);\n const labeledInfo = this._kdf.buildLabeledInfo(LABEL_SHARED_SECRET, kemContext, this.secretSize);\n return await this._kdf.extractAndExpand(EMPTY, labeledIkm, labeledInfo, this.secretSize);\n }\n}\n", "// The key usages for KEM.\nexport const KEM_USAGES = [\"deriveBits\"];\n// b\"dkp_prk\"\nexport const LABEL_DKP_PRK = /* @__PURE__ */ new Uint8Array([\n 100,\n 107,\n 112,\n 95,\n 112,\n 114,\n 107,\n]);\n// b\"sk\"\nexport const LABEL_SK = /* @__PURE__ */ new Uint8Array([115, 107]);\n", "/**\n * The minimum inplementation of bignum to derive an EC key pair.\n */\nexport class Bignum {\n constructor(size) {\n Object.defineProperty(this, \"_num\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._num = new Uint8Array(size);\n }\n val() {\n return this._num;\n }\n reset() {\n this._num.fill(0);\n }\n set(src) {\n if (src.length !== this._num.length) {\n throw new Error(\"Bignum.set: invalid argument\");\n }\n this._num.set(src);\n }\n isZero() {\n for (let i = 0; i < this._num.length; i++) {\n if (this._num[i] !== 0) {\n return false;\n }\n }\n return true;\n }\n lessThan(v) {\n if (v.length !== this._num.length) {\n throw new Error(\"Bignum.lessThan: invalid argument\");\n }\n for (let i = 0; i < this._num.length; i++) {\n if (this._num[i] < v[i]) {\n return true;\n }\n if (this._num[i] > v[i]) {\n return false;\n }\n }\n return false;\n }\n}\n", "import { NativeAlgorithm } from \"../../algorithm.js\";\nimport { BYTE_TO_BIGINT_256, EMPTY } from \"../../consts.js\";\nimport { toArrayBuffer } from \"../../kdfs/hkdf.js\";\nimport { DeriveKeyPairError, DeserializeError, NotSupportedError, SerializeError, } from \"../../errors.js\";\nimport { KemId } from \"../../identifiers.js\";\nimport { KEM_USAGES, LABEL_DKP_PRK } from \"../../interfaces/dhkemPrimitives.js\";\nimport { Bignum } from \"../../utils/bignum.js\";\nimport { base64UrlToBytes, i2Osp } from \"../../utils/misc.js\";\n// b\"candidate\"\n// deno-fmt-ignore\nconst LABEL_CANDIDATE = /* @__PURE__ */ new Uint8Array([\n 99, 97, 110, 100, 105, 100, 97, 116, 101,\n]);\n// the order of the curve being used.\n// deno-fmt-ignore\nconst ORDER_P_256 = /* @__PURE__ */ new Uint8Array([\n 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84,\n 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51,\n]);\n// deno-fmt-ignore\nconst ORDER_P_384 = /* @__PURE__ */ new Uint8Array([\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, 0x2d, 0xdf,\n 0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a,\n 0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73,\n]);\n// deno-fmt-ignore\nconst ORDER_P_521 = /* @__PURE__ */ new Uint8Array([\n 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xfa, 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f,\n 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09,\n 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c,\n 0x47, 0xae, 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38,\n 0x64, 0x09,\n]);\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_P_256 = /* @__PURE__ */ new Uint8Array([\n 48, 65, 2, 1, 0, 48, 19, 6, 7, 42,\n 134, 72, 206, 61, 2, 1, 6, 8, 42, 134,\n 72, 206, 61, 3, 1, 7, 4, 39, 48, 37,\n 2, 1, 1, 4, 32,\n]);\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_P_384 = /* @__PURE__ */ new Uint8Array([\n 48, 78, 2, 1, 0, 48, 16, 6, 7, 42,\n 134, 72, 206, 61, 2, 1, 6, 5, 43, 129,\n 4, 0, 34, 4, 55, 48, 53, 2, 1, 1,\n 4, 48,\n]);\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_P_521 = /* @__PURE__ */ new Uint8Array([\n 48, 96, 2, 1, 0, 48, 16, 6, 7, 42,\n 134, 72, 206, 61, 2, 1, 6, 5, 43, 129,\n 4, 0, 35, 4, 73, 48, 71, 2, 1, 1,\n 4, 66,\n]);\nconst EC_P_256_PARAMS = {\n p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,\n b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,\n gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,\n gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,\n coordinateSize: 32,\n};\nconst EC_P_384_PARAMS = {\n p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffn,\n b: 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefn,\n gx: 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7n,\n gy: 0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5fn,\n coordinateSize: 48,\n};\nconst EC_P_521_PARAMS = {\n p: (1n << 521n) - 1n,\n b: 0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00n,\n gx: 0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66n,\n gy: 0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650n,\n coordinateSize: 66,\n};\nfunction mod(a, p) {\n const r = a % p;\n return r >= 0n ? r : r + p;\n}\nfunction modPow(base, exponent, p) {\n let result = 1n;\n let b = mod(base, p);\n let e = exponent;\n while (e > 0n) {\n if ((e & 1n) === 1n) {\n result = mod(result * b, p);\n }\n b = mod(b * b, p);\n e >>= 1n;\n }\n return result;\n}\nfunction modSqrt(rhs, p) {\n // P-256/P-384/P-521 primes satisfy p % 4 == 3.\n const y = modPow(rhs, (p + 1n) >> 2n, p);\n if (mod(y * y, p) !== mod(rhs, p)) {\n throw new Error(\"Invalid ECDH point\");\n }\n return y;\n}\nfunction bytesToBigInt(bytes) {\n let v = 0n;\n for (const b of bytes) {\n v = (v << 8n) | BYTE_TO_BIGINT_256[b];\n }\n return v;\n}\nfunction bigIntToBytes(v, len) {\n const out = new Uint8Array(len);\n let n = v;\n for (let i = len - 1; i >= 0; i--) {\n out[i] = Number(n & 0xffn);\n n >>= 8n;\n }\n if (n !== 0n) {\n throw new Error(\"Invalid coordinate length\");\n }\n return out;\n}\nfunction buildRawUncompressedPublicKey(x, y, coordinateSize) {\n const out = new Uint8Array(1 + coordinateSize * 2);\n out[0] = 0x04;\n out.set(bigIntToBytes(x, coordinateSize), 1);\n out.set(bigIntToBytes(y, coordinateSize), 1 + coordinateSize);\n return out;\n}\nexport class Ec extends NativeAlgorithm {\n constructor(kem, hkdf) {\n super();\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_alg\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nDh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // EC specific arguments for deriving key pair.\n Object.defineProperty(this, \"_order\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_bitmask\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_pkcs8AlgId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_curveParams\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._hkdf = hkdf;\n switch (kem) {\n case KemId.DhkemP256HkdfSha256:\n this._alg = { name: \"ECDH\", namedCurve: \"P-256\" };\n this._nPk = 65;\n this._nSk = 32;\n this._nDh = 32;\n this._order = ORDER_P_256;\n this._bitmask = 0xFF;\n this._pkcs8AlgId = PKCS8_ALG_ID_P_256;\n this._curveParams = EC_P_256_PARAMS;\n break;\n case KemId.DhkemP384HkdfSha384:\n this._alg = { name: \"ECDH\", namedCurve: \"P-384\" };\n this._nPk = 97;\n this._nSk = 48;\n this._nDh = 48;\n this._order = ORDER_P_384;\n this._bitmask = 0xFF;\n this._pkcs8AlgId = PKCS8_ALG_ID_P_384;\n this._curveParams = EC_P_384_PARAMS;\n break;\n default:\n // case KemId.DhkemP521HkdfSha512:\n this._alg = { name: \"ECDH\", namedCurve: \"P-521\" };\n this._nPk = 133;\n this._nSk = 66;\n this._nDh = 66;\n this._order = ORDER_P_521;\n this._bitmask = 0x01;\n this._pkcs8AlgId = PKCS8_ALG_ID_P_521;\n this._curveParams = EC_P_521_PARAMS;\n break;\n }\n }\n async serializePublicKey(key) {\n await this._setup();\n try {\n return await this._api.exportKey(\"raw\", key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(toArrayBuffer(key), true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n if (!(\"d\" in jwk)) {\n throw new Error(\"Not private key\");\n }\n return base64UrlToBytes(jwk[\"d\"]).buffer;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(toArrayBuffer(key), false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n await this._setup();\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n await this._setup();\n try {\n return await this._api.generateKey(this._alg, true, KEM_USAGES);\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n await this._setup();\n try {\n const rawIkm = toArrayBuffer(ikm);\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY, LABEL_DKP_PRK, new Uint8Array(rawIkm));\n const bn = new Bignum(this._nSk);\n for (let counter = 0; bn.isZero() || !bn.lessThan(this._order); counter++) {\n if (counter > 255) {\n throw new Error(\"Faild to derive a key pair\");\n }\n const bytes = new Uint8Array(await this._hkdf.labeledExpand(dkpPrk, LABEL_CANDIDATE, i2Osp(counter, 1), this._nSk));\n bytes[0] = bytes[0] & this._bitmask;\n bn.set(bytes);\n }\n const sk = await this._deserializePkcs8Key(bn.val());\n bn.reset();\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n async derivePublicKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n delete jwk[\"d\"];\n delete jwk[\"key_ops\"];\n return await this._api.importKey(\"jwk\", jwk, this._alg, true, []);\n }\n catch {\n try {\n // Firefox fails to export JWK from some imported ECDH private keys.\n return await this._derivePublicKeyWithoutJwkExport(key);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n }\n async dh(sk, pk) {\n try {\n await this._setup();\n const bits = await this._api.deriveBits({\n name: \"ECDH\",\n public: pk,\n }, sk, this._nDh * 8);\n return bits;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async _importRawKey(key, isPublic) {\n if (isPublic && key.byteLength !== this._nPk) {\n throw new Error(\"Invalid public key for the ciphersuite\");\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n throw new Error(\"Invalid private key for the ciphersuite\");\n }\n if (isPublic) {\n return await this._api.importKey(\"raw\", key, this._alg, true, []);\n }\n return await this._deserializePkcs8Key(new Uint8Array(key));\n }\n async _importJWK(key, isPublic) {\n if (typeof key.crv === \"undefined\" || key.crv !== this._alg.namedCurve) {\n throw new Error(`Invalid crv: ${key.crv}`);\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n throw new Error(\"Invalid key: `d` should not be set\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, []);\n }\n if (typeof key.d === \"undefined\") {\n throw new Error(\"Invalid key: `d` not found\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, KEM_USAGES);\n }\n async _deserializePkcs8Key(k) {\n const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);\n pkcs8Key.set(this._pkcs8AlgId, 0);\n pkcs8Key.set(k, this._pkcs8AlgId.length);\n return await this._api.importKey(\"pkcs8\", pkcs8Key, this._alg, true, KEM_USAGES);\n }\n async _derivePublicKeyWithoutJwkExport(key) {\n const basePointRaw = buildRawUncompressedPublicKey(this._curveParams.gx, this._curveParams.gy, this._curveParams.coordinateSize);\n const basePoint = await this._api.importKey(\"raw\", basePointRaw.buffer, this._alg, true, []);\n const xBytes = new Uint8Array(await this._api.deriveBits({\n name: \"ECDH\",\n public: basePoint,\n }, key, this._nDh * 8));\n const p = this._curveParams.p;\n const x = bytesToBigInt(xBytes);\n const rhs = mod(modPow(x, 3n, p) - 3n * x + this._curveParams.b, p);\n let y = modSqrt(rhs, p);\n // Canonicalize sign so the encoded point is deterministic.\n if ((y & 1n) === 1n) {\n y = p - y;\n }\n const pubRaw = buildRawUncompressedPublicKey(x, y, this._curveParams.coordinateSize);\n return await this._api.importKey(\"raw\", pubRaw.buffer, this._alg, true, []);\n }\n}\n", "export class XCryptoKey {\n constructor(name, key, type, usages = []) {\n Object.defineProperty(this, \"key\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"type\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"extractable\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: true\n });\n Object.defineProperty(this, \"algorithm\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"usages\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.key = key;\n this.type = type;\n this.algorithm = { name: name };\n this.usages = usages;\n if (type === \"public\") {\n this.usages = [];\n }\n }\n}\n", "import { EMPTY } from \"../../consts.js\";\nimport { DeriveKeyPairError, DeserializeError, NotSupportedError, SerializeError, } from \"../../errors.js\";\nimport { toArrayBuffer } from \"../../kdfs/hkdf.js\";\nimport { KEM_USAGES, LABEL_DKP_PRK, LABEL_SK, } from \"../../interfaces/dhkemPrimitives.js\";\nimport { base64UrlToBytes } from \"../../utils/misc.js\";\nimport { XCryptoKey } from \"../../xCryptoKey.js\";\n/**\n * Base DhkemPrimitives implementation for Montgomery curves (X25519/X448).\n *\n * Subclasses pass curve-specific parameters (algorithm name, key size, curve)\n * and optionally add extra methods (e.g., raw derive for X25519).\n */\nexport class XCurveDhkemPrimitives {\n constructor(algName, keySize, curve, hkdf) {\n Object.defineProperty(this, \"_algName\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_curve\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._algName = algName;\n this._nPk = keySize;\n this._nSk = keySize;\n this._curve = curve;\n this._hkdf = hkdf;\n }\n serializePublicKey(key) {\n try {\n return Promise.resolve(key.key.buffer);\n }\n catch (e) {\n return Promise.reject(new SerializeError(e));\n }\n }\n async deserializePublicKey(key) {\n try {\n return await this._importRawKey(toArrayBuffer(key), true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n serializePrivateKey(key) {\n try {\n return Promise.resolve(key.key.buffer);\n }\n catch (e) {\n return Promise.reject(new SerializeError(e));\n }\n }\n async deserializePrivateKey(key) {\n try {\n return await this._importRawKey(toArrayBuffer(key), false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n try {\n const rawSk = await this._curve.utils.randomSecretKey();\n const sk = new XCryptoKey(this._algName, rawSk, \"private\", KEM_USAGES);\n const pk = await this.derivePublicKey(sk);\n return { publicKey: pk, privateKey: sk };\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n try {\n const rawIkm = toArrayBuffer(ikm);\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY.buffer, LABEL_DKP_PRK, new Uint8Array(rawIkm));\n const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, this._nSk);\n const sk = new XCryptoKey(this._algName, new Uint8Array(rawSk), \"private\", KEM_USAGES);\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n derivePublicKey(key) {\n try {\n const pk = this._curve.getPublicKey(key.key);\n return Promise.resolve(new XCryptoKey(this._algName, pk, \"public\"));\n }\n catch (e) {\n return Promise.reject(new DeserializeError(e));\n }\n }\n dh(sk, pk) {\n try {\n return Promise.resolve(this._curve.getSharedSecret(sk.key, pk.key).buffer);\n }\n catch (e) {\n return Promise.reject(new SerializeError(e));\n }\n }\n _importRawKey(key, isPublic) {\n return new Promise((resolve, reject) => {\n if (isPublic && key.byteLength !== this._nPk) {\n reject(new Error(\"Invalid length of the key\"));\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n reject(new Error(\"Invalid length of the key\"));\n }\n resolve(new XCryptoKey(this._algName, new Uint8Array(key), isPublic ? \"public\" : \"private\", isPublic ? [] : KEM_USAGES));\n });\n }\n _importJWK(key, isPublic) {\n return new Promise((resolve, reject) => {\n if (key.kty !== \"OKP\") {\n reject(new Error(`Invalid kty: ${key.kty}`));\n }\n if (key.crv !== this._algName) {\n reject(new Error(`Invalid crv: ${key.crv}`));\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n reject(new Error(\"Invalid key: `d` should not be set\"));\n }\n if (typeof key.x !== \"string\") {\n reject(new Error(\"Invalid key: `x` not found\"));\n }\n resolve(new XCryptoKey(this._algName, base64UrlToBytes(key.x), \"public\"));\n }\n else {\n if (typeof key.d !== \"string\") {\n reject(new Error(\"Invalid key: `d` not found\"));\n }\n resolve(new XCryptoKey(this._algName, base64UrlToBytes(key.d), \"private\", KEM_USAGES));\n }\n });\n }\n}\n", "import { EMPTY } from \"../consts.js\";\nimport { DeserializeError, InvalidParamError, NotSupportedError, SerializeError, } from \"../errors.js\";\nimport { toArrayBuffer } from \"../kdfs/hkdf.js\";\nimport { KemId } from \"../identifiers.js\";\nimport { LABEL_DKP_PRK, LABEL_SK } from \"../interfaces/dhkemPrimitives.js\";\nimport { SUITE_ID_HEADER_KEM } from \"../interfaces/kemInterface.js\";\nimport { concat, i2Osp, isCryptoKeyPair } from \"../utils/misc.js\";\nimport { XCryptoKey } from \"../xCryptoKey.js\";\nexport class Hybridkem {\n constructor(id, a, b, kdf) {\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.NotAssigned\n });\n Object.defineProperty(this, \"name\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: \"\"\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"_a\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_b\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.id = id;\n this._a = a;\n this._b = b;\n this._kdf = kdf;\n const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM);\n suiteId.set(i2Osp(this.id, 2), 3);\n this._kdf.init(suiteId);\n }\n async serializePublicKey(key) {\n try {\n return await this._serializePublicKey(key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n try {\n return await this._deserializePublicKey(toArrayBuffer(key));\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n try {\n return await this._serializePrivateKey(key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n try {\n return await this._deserializePrivateKey(toArrayBuffer(key));\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n const kpA = await this._a.generateKeyPair();\n const kpB = await this._b.generateKeyPair();\n const pkA = await this._a.serializePublicKey(kpA.publicKey);\n const skA = await this._a.serializePrivateKey(kpA.privateKey);\n const pkB = await this._b.serializePublicKey(kpB.publicKey);\n const skB = await this._b.serializePrivateKey(kpB.privateKey);\n return {\n publicKey: await this.deserializePublicKey(concat(new Uint8Array(pkA), new Uint8Array(pkB)).buffer),\n privateKey: await this.deserializePrivateKey(concat(new Uint8Array(skA), new Uint8Array(skB)).buffer),\n };\n }\n async deriveKeyPair(ikm) {\n const rawIkm = toArrayBuffer(ikm);\n const dkpPrk = await this._kdf.labeledExtract(EMPTY.buffer, LABEL_DKP_PRK, new Uint8Array(rawIkm));\n const seed = new Uint8Array(await this._kdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, 32 + 64));\n const seed1 = seed.slice(0, 32);\n const seed2 = seed.slice(32, 96);\n const kpA = await this._a.deriveKeyPair(seed1.buffer);\n const kpB = await this._b.deriveKeyPair(seed2.buffer);\n const pkA = await this._a.serializePublicKey(kpA.publicKey);\n const skA = await this._a.serializePrivateKey(kpA.privateKey);\n const pkB = await this._b.serializePublicKey(kpB.publicKey);\n const skB = await this._b.serializePrivateKey(kpB.privateKey);\n return {\n publicKey: await this.deserializePublicKey(concat(new Uint8Array(pkA), new Uint8Array(pkB)).buffer),\n privateKey: await this.deserializePrivateKey(concat(new Uint8Array(skA), new Uint8Array(skB)).buffer),\n };\n }\n async importKey(format, key, isPublic = true) {\n if (format !== \"raw\") {\n throw new NotSupportedError(\"'jwk' is not supported\");\n }\n if (!(key instanceof ArrayBuffer)) {\n throw new InvalidParamError(\"Invalid type of key\");\n }\n if (isPublic) {\n return await this.deserializePublicKey(key);\n }\n return await this.deserializePrivateKey(key);\n }\n async encap(params) {\n let ekmA = undefined;\n let ekmB = undefined;\n if (params.ekm !== undefined && !isCryptoKeyPair(params.ekm)) {\n const ekm = toArrayBuffer(params.ekm);\n if (ekm.byteLength !== 64) {\n throw new InvalidParamError(\"ekm must be 64 bytes in length\");\n }\n ekmA = ekm.slice(0, 32);\n ekmB = ekm.slice(32);\n }\n const pkR = new Uint8Array(await this.serializePublicKey(params.recipientPublicKey));\n const pkRA = await this._a.deserializePublicKey(pkR.slice(0, this._a.publicKeySize).buffer);\n const pkRB = await this._b.deserializePublicKey(pkR.slice(this._a.publicKeySize).buffer);\n const resA = await this._a.encap({ recipientPublicKey: pkRA, ekm: ekmA });\n const resB = await this._b.encap({ recipientPublicKey: pkRB, ekm: ekmB });\n return {\n sharedSecret: concat(new Uint8Array(resA.sharedSecret), new Uint8Array(resB.sharedSecret)).buffer,\n enc: concat(new Uint8Array(resA.enc), new Uint8Array(resB.enc))\n .buffer,\n };\n }\n async decap(params) {\n const enc = toArrayBuffer(params.enc);\n const sk = isCryptoKeyPair(params.recipientKey)\n ? params.recipientKey.privateKey\n : params.recipientKey;\n const skR = new Uint8Array(await this.serializePrivateKey(sk));\n const skRA = await this._a.deserializePrivateKey(skR.slice(0, this._a.privateKeySize).buffer);\n const skRB = await this._b.deserializePrivateKey(skR.slice(this._a.privateKeySize).buffer);\n const ssA = await this._a.decap({\n recipientKey: skRA,\n enc: enc.slice(0, this._a.encSize),\n });\n const ssB = await this._b.decap({\n recipientKey: skRB,\n enc: enc.slice(this._a.encSize),\n });\n return concat(new Uint8Array(ssA), new Uint8Array(ssB))\n .buffer;\n }\n _serializePublicKey(k) {\n return new Promise((resolve, reject) => {\n if (k.type !== \"public\") {\n reject(new Error(\"Not public key\"));\n }\n if (k.algorithm.name !== this.name) {\n reject(new Error(`Invalid algorithm name: ${k.algorithm.name}`));\n }\n if (k.key.byteLength !== this.publicKeySize) {\n reject(new Error(`Invalid key length: ${k.key.byteLength}`));\n }\n resolve(k.key.buffer);\n });\n }\n _deserializePublicKey(k) {\n return new Promise((resolve, reject) => {\n if (k.byteLength !== this.publicKeySize) {\n reject(new Error(`Invalid key length: ${k.byteLength}`));\n }\n resolve(new XCryptoKey(this.name, new Uint8Array(k), \"public\"));\n });\n }\n _serializePrivateKey(k) {\n return new Promise((resolve, reject) => {\n if (k.type !== \"private\") {\n reject(new Error(\"Not private key\"));\n }\n if (k.algorithm.name !== this.name) {\n reject(new Error(`Invalid algorithm name: ${k.algorithm.name}`));\n }\n if (k.key.byteLength !== this.privateKeySize) {\n reject(new Error(`Invalid key length: ${k.key.byteLength}`));\n }\n resolve(k.key.buffer);\n });\n }\n _deserializePrivateKey(k) {\n return new Promise((resolve, reject) => {\n if (k.byteLength !== this.privateKeySize) {\n reject(new Error(`Invalid key length: ${k.byteLength}`));\n }\n resolve(new XCryptoKey(this.name, new Uint8Array(k), \"private\", [\"deriveBits\"]));\n });\n }\n}\n", "// The key usages for AEAD.\nexport const AEAD_USAGES = [\"encrypt\", \"decrypt\"];\n", "// deno-lint-ignore-file no-explicit-any\n/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/utils.ts\n */\n/**\n * Hex, bytes and number utilities.\n * @module\n */\nimport { loadCrypto } from \"./misc.js\";\nimport { N_0 } from \"../consts.js\";\n/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */\nexport function isBytes(a) {\n return a instanceof Uint8Array ||\n (ArrayBuffer.isView(a) && a.constructor.name === \"Uint8Array\");\n}\n/** Asserts something is positive integer. */\nexport function anumber(n, title = \"\") {\n if (!Number.isSafeInteger(n) || n < 0) {\n const prefix = title && `\"${title}\" `;\n throw new Error(`${prefix}expected integer >0, got ${n}`);\n }\n}\n/** Asserts something is Uint8Array. */\nexport function abytes(value, length, title = \"\") {\n const bytes = isBytes(value);\n const len = value?.length;\n const needsLen = length !== undefined;\n if (!bytes || (needsLen && len !== length)) {\n const prefix = title && `\"${title}\" `;\n const ofLen = needsLen ? ` of length ${length}` : \"\";\n const got = bytes ? `length=${len}` : `type=${typeof value}`;\n throw new Error(prefix + \"expected Uint8Array\" + ofLen + \", got \" + got);\n }\n return value;\n}\n// ahash function is now imported from ../hash/hash.ts\n/** Asserts a hash instance has not been destroyed / finished */\nexport function aexists(instance, checkFinished = true) {\n if (instance.destroyed)\n throw new Error(\"Hash instance has been destroyed\");\n if (checkFinished && instance.finished) {\n throw new Error(\"Hash#digest() has already been called\");\n }\n}\n/** Asserts output is properly-sized byte array */\nexport function aoutput(out, instance) {\n abytes(out, undefined, \"digestInto() output\");\n const min = instance.outputLen;\n if (out.length < min) {\n throw new Error('\"digestInto() output\" expected to be of length >=' + min);\n }\n}\n// Used in weierstrass, der\nfunction abignumer(n) {\n if (typeof n === \"bigint\") {\n if (!isPosBig(n))\n throw new Error(\"positive bigint expected, got \" + n);\n }\n else\n anumber(n);\n return n;\n}\n/** Cast u8 / u16 / u32 to u32. */\nexport function u32(arr) {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n/** Zeroize a byte array. Warning: JS provides no guarantees. */\nexport function clean(...arrays) {\n for (let i = 0; i < arrays.length; i++) {\n arrays[i].fill(0);\n }\n}\n/** Pre-computed buffer for endianness detection */\nconst _endianTestBuffer = /* @__PURE__ */ new Uint32Array([0x11223344]);\nconst _endianTestBytes = /* @__PURE__ */ new Uint8Array(_endianTestBuffer.buffer);\n/** Is current platform little-endian? Most are. Big-Endian platform: IBM */\nexport const isLE = /* @__PURE__ */ _endianTestBytes[0] === 0x44;\n/** The byte swap operation for uint32 */\nexport function byteSwap(word) {\n return (((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff));\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport function swap8IfBE(n) {\n return isLE ? n : byteSwap(n);\n}\n/** @deprecated */\nexport const byteSwapIfBE = swap8IfBE;\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr) {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n return arr;\n}\nexport function swap32IfBE(u) {\n return isLE ? u : byteSwap32(u);\n}\n/** Create DataView of an array for easy byte-level manipulation. */\nexport function createView(arr) {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word, shift) {\n return (word << (32 - shift)) | (word >>> shift);\n}\n// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex\nconst hasHexBuiltin = /* @__PURE__ */ (() => \n// @ts-ignore: to use toHex\ntypeof Uint8Array.from([]).toHex === \"function\" &&\n // @ts-ignore: to use fromHex\n typeof Uint8Array.fromHex === \"function\")();\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, \"0\"));\nconst HEX_TO_BIGINT = /* @__PURE__ */ [\n 0n,\n 1n,\n 2n,\n 3n,\n 4n,\n 5n,\n 6n,\n 7n,\n 8n,\n 9n,\n 10n,\n 11n,\n 12n,\n 13n,\n 14n,\n 15n,\n];\n/**\n * Convert byte array to hex string. Uses built-in function, when available.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes) {\n abytes(bytes);\n // @ts-ignore: to use toHex\n if (hasHexBuiltin)\n return bytes.toHex();\n // pre-caching improves the speed 6x\n let hex = \"\";\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };\nfunction asciiToBase16(ch) {\n if (ch >= asciis._0 && ch <= asciis._9)\n return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F)\n return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f)\n return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n/**\n * Convert hex string to byte array. Uses built-in function, when available.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex) {\n if (typeof hex !== \"string\") {\n throw new Error(\"hex string expected, got \" + typeof hex);\n }\n // @ts-ignore: to use fromHex\n if (hasHexBuiltin)\n return Uint8Array.fromHex(hex);\n const hl = hex.length;\n const al = hl / 2;\n if (hl % 2) {\n throw new Error(\"hex string expected, got unpadded hex of length \" + hl);\n }\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' +\n hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n/**\n * Converts string to bytes using UTF8 encoding.\n * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])\n */\nexport function utf8ToBytes(str) {\n if (typeof str !== \"string\")\n throw new Error(\"string expected\");\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n/**\n * Converts bytes to string using UTF8 encoding.\n * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'\n */\nexport function bytesToUtf8(bytes) {\n return new TextDecoder().decode(bytes);\n}\nexport function numberToHexUnpadded(num) {\n const hex = abignumer(num).toString(16);\n return hex.length & 1 ? \"0\" + hex : hex;\n}\nexport function hexToNumber(hex) {\n if (typeof hex !== \"string\") {\n throw new Error(\"hex string expected, got \" + typeof hex);\n }\n let out = N_0;\n for (let i = 0; i < hex.length; i++) {\n const n = asciiToBase16(hex.charCodeAt(i));\n if (n === undefined) {\n throw new Error('hex string expected, got non-hex character \"' + hex[i] +\n '\" at index ' + i);\n }\n out = (out << 4n) | HEX_TO_BIGINT[n];\n }\n return out; // Big Endian\n}\nexport function numberToBigint(num) {\n anumber(num, \"numberToBigint\");\n let n = num;\n let out = N_0;\n let bit = 1n;\n while (n > 0) {\n if (n % 2 === 1)\n out += bit;\n n = Math.floor(n / 2);\n bit <<= 1n;\n }\n return out;\n}\n// BE: Big Endian, LE: Little Endian\nexport function bytesToNumberBE(bytes) {\n return hexToNumber(bytesToHex(bytes));\n}\nexport function bytesToNumberLE(bytes) {\n return hexToNumber(bytesToHex(copyBytes(abytes(bytes)).reverse()));\n}\nexport function numberToBytesBE(n, len) {\n anumber(len);\n n = abignumer(n);\n const res = hexToBytes(n.toString(16).padStart(len * 2, \"0\"));\n if (res.length !== len)\n throw new Error(\"number too large\");\n return res;\n}\nexport function numberToBytesLE(n, len) {\n return numberToBytesBE(n, len).reverse();\n}\n/**\n * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,\n * and Buffer#slice creates mutable copy. Never use Buffers!\n */\nexport function copyBytes(bytes) {\n return Uint8Array.from(bytes);\n}\n/** Copies several Uint8Arrays into one. */\nexport function concatBytes(...arrays) {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n/**\n * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols\n * Should be safe to use for things expected to be ASCII.\n * Returns exact same result as utf8ToBytes for ASCII or throws.\n */\nexport function asciiToBytes(ascii) {\n return Uint8Array.from(ascii, (c, i) => {\n const charCode = c.charCodeAt(0);\n if (c.length !== 1 || charCode > 127) {\n throw new Error(`string contains non-ASCII character \"${ascii[i]}\" with code ${charCode} at position ${i}`);\n }\n return charCode;\n });\n}\n// Is positive bigint\nfunction isPosBig(n) {\n return typeof n === \"bigint\" && N_0 <= n;\n}\nexport function inRange(n, min, max) {\n return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;\n}\n/**\n * Asserts min <= n < max. NOTE: It's < max and not <= max.\n * @example\n * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)\n */\nexport function aInRange(title, n, min, max) {\n // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?\n // consider P=256n, min=0n, max=P\n // - a for min=0 would require -1: `inRange('x', x, -1n, P)`\n // - b would commonly require subtraction: `inRange('x', x, 0n, P - 1n)`\n // - our way is the cleanest: `inRange('x', x, 0n, P)\n if (!inRange(n, min, max)) {\n throw new Error(\"expected valid \" + title + \": \" + min + \" <= n < \" + max + \", got \" + n);\n }\n}\nexport function validateObject(object, fields = {}, optFields = {}) {\n if (!object || typeof object !== \"object\") {\n throw new Error(\"expected valid options object\");\n }\n function checkField(fieldName, expectedType, isOpt) {\n const val = object[fieldName];\n if (isOpt && val === undefined)\n return;\n const current = typeof val;\n if (current !== expectedType || val === null) {\n throw new Error(`param \"${fieldName}\" is invalid: expected ${expectedType}, got ${current}`);\n }\n }\n const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));\n iter(fields, false);\n iter(optFields, true);\n}\n// createHasher function is now exported above with ahash\n// /** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */\n// export function randomBytes(bytesLength = 32): Uint8Array {\n// const cr = typeof globalThis != null && (globalThis as any).crypto;\n// if (!cr || typeof cr.getRandomValues !== \"function\") {\n// throw new Error(\"crypto.getRandomValues must be defined\");\n// }\n// return cr.getRandomValues(new Uint8Array(bytesLength));\n// }\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */\nexport async function randomBytesAsync(bytesLength = 32) {\n const api = await loadCrypto();\n const rnd = new Uint8Array(bytesLength);\n api.getRandomValues(rnd);\n return rnd;\n}\n// 06 09 60 86 48 01 65 03 04 02\nexport function oidNist(suffix) {\n return {\n oid: Uint8Array.from([\n 0x06,\n 0x09,\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n suffix,\n ]),\n };\n}\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/utils.ts\n */\n/**\n * Hash utilities and type definitions extracted from noble.ts\n * @module\n */\nimport { anumber } from \"../utils/noble.js\";\n/** Asserts something is hash */\nexport function ahash(h) {\n if (typeof h !== \"function\" || typeof h.create !== \"function\") {\n throw new Error(\"Hash must wrapped by utils.createHasher\");\n }\n anumber(h.outputLen);\n anumber(h.blockLen);\n}\nexport function createHasher(hashCons, info = {}) {\n const hashFn = (msg, opts) => hashCons(opts).update(msg).digest();\n const tmp = hashCons(undefined);\n const hashC = Object.assign(hashFn, {\n outputLen: tmp.outputLen,\n blockLen: tmp.blockLen,\n create: (opts) => hashCons(opts),\n ...info,\n });\n return Object.freeze(hashC);\n}\n", "// deno-lint-ignore-file no-explicit-any\n/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/2e0c00e1aa134082ba1380bf3afb8b1641f60fed/src/hmac.ts\n */\n/**\n * HMAC: RFC2104 message authentication code.\n * @module\n */\nimport { abytes, aexists, clean } from \"../utils/noble.js\";\nimport { ahash } from \"./hash.js\";\nexport class _HMAC {\n constructor(hash, key) {\n Object.defineProperty(this, \"oHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"iHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"blockLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"outputLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"finished\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"destroyed\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n ahash(hash);\n abytes(key, undefined, \"key\");\n this.iHash = hash.create();\n if (typeof this.iHash.update !== \"function\") {\n throw new Error(\"Expected instance of class which extends utils.Hash\");\n }\n this.blockLen = this.iHash.blockLen;\n this.outputLen = this.iHash.outputLen;\n const blockLen = this.blockLen;\n const pad = new Uint8Array(blockLen);\n // blockLen can be bigger than outputLen\n pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);\n for (let i = 0; i < pad.length; i++)\n pad[i] ^= 0x36;\n this.iHash.update(pad);\n // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone\n this.oHash = hash.create();\n // Undo internal XOR && apply outer XOR\n for (let i = 0; i < pad.length; i++)\n pad[i] ^= 0x36 ^ 0x5c;\n this.oHash.update(pad);\n clean(pad);\n }\n update(buf) {\n aexists(this);\n this.iHash.update(buf);\n return this;\n }\n digestInto(out) {\n aexists(this);\n abytes(out, this.outputLen, \"output\");\n this.finished = true;\n this.iHash.digestInto(out);\n this.oHash.update(out);\n this.oHash.digestInto(out);\n this.destroy();\n }\n digest() {\n const out = new Uint8Array(this.oHash.outputLen);\n this.digestInto(out);\n return out;\n }\n _cloneInto(to) {\n // Create new instance without calling constructor since key already in state and we don't know it.\n to ||= Object.create(Object.getPrototypeOf(this), {});\n const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;\n to = to;\n to.finished = finished;\n to.destroyed = destroyed;\n to.blockLen = blockLen;\n to.outputLen = outputLen;\n to.oHash = oHash._cloneInto(to.oHash);\n to.iHash = iHash._cloneInto(to.iHash);\n return to;\n }\n clone() {\n return this._cloneInto();\n }\n destroy() {\n this.destroyed = true;\n this.oHash.destroy();\n this.iHash.destroy();\n }\n}\n/**\n * HMAC: RFC2104 message authentication code.\n * @param hash - function that would be used e.g. sha256\n * @param key - message key\n * @param message - message data\n * @example\n * import { hmac } from '@noble/hashes/hmac';\n * import { sha256 } from '@noble/hashes/sha2';\n * const mac1 = hmac(sha256, 'key', 'message');\n */\nexport const hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();\nhmac.create = (hash, key) => new _HMAC(hash, key);\n", "// deno-lint-ignore-file no-explicit-any\n/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/2e0c00e1aa134082ba1380bf3afb8b1641f60fed/src/_md.ts\n */\n/**\n * Internal Merkle-Damgard hash utils.\n * @module\n */\nimport { abytes, aexists, aoutput, clean, createView, numberToBigint, } from \"../utils/noble.js\";\n/** Choice: a ? b : c */\nexport function Chi(a, b, c) {\n return (a & b) ^ (~a & c);\n}\n/** Majority function, true if any two inputs is true. */\nexport function Maj(a, b, c) {\n return (a & b) ^ (a & c) ^ (b & c);\n}\n/**\n * Merkle-Damgard hash construction base class.\n * Could be used to create MD5, RIPEMD, SHA1, SHA2.\n */\nexport class HashMD {\n constructor(blockLen, outputLen, padOffset, isLE) {\n Object.defineProperty(this, \"blockLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"outputLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"padOffset\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"isLE\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // For partial updates less than block size\n Object.defineProperty(this, \"buffer\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"view\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"finished\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"length\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"pos\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"destroyed\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n this.blockLen = blockLen;\n this.outputLen = outputLen;\n this.padOffset = padOffset;\n this.isLE = isLE;\n this.buffer = new Uint8Array(blockLen);\n this.view = createView(this.buffer);\n }\n update(data) {\n aexists(this);\n abytes(data);\n const { view, buffer, blockLen } = this;\n const len = data.length;\n for (let pos = 0; pos < len;) {\n const take = Math.min(blockLen - this.pos, len - pos);\n // Fast path: we have at least one block in input, cast it to view and process\n if (take === blockLen) {\n const dataView = createView(data);\n for (; blockLen <= len - pos; pos += blockLen) {\n this.process(dataView, pos);\n }\n continue;\n }\n buffer.set(data.subarray(pos, pos + take), this.pos);\n this.pos += take;\n pos += take;\n if (this.pos === blockLen) {\n this.process(view, 0);\n this.pos = 0;\n }\n }\n this.length += data.length;\n this.roundClean();\n return this;\n }\n digestInto(out) {\n aexists(this);\n aoutput(out, this);\n this.finished = true;\n // Padding\n // We can avoid allocation of buffer for padding completely if it\n // was previously not allocated here. But it won't change performance.\n const { buffer, view, blockLen, isLE } = this;\n let { pos } = this;\n // append the bit '1' to the message\n buffer[pos++] = 0b10000000;\n clean(this.buffer.subarray(pos));\n // we have less than padOffset left in buffer, so we cannot put length in\n // current block, need process it and pad again\n if (this.padOffset > blockLen - pos) {\n this.process(view, 0);\n pos = 0;\n }\n // Pad until full block byte with zeros\n for (let i = pos; i < blockLen; i++)\n buffer[i] = 0;\n // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that\n // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.\n // So we just write lowest 64 bits of that value.\n view.setBigUint64(blockLen - 8, numberToBigint(this.length * 8), isLE);\n this.process(view, 0);\n const oview = createView(out);\n const len = this.outputLen;\n // NOTE: we do division by 4 later, which must be fused in single op with modulo by JIT\n if (len % 4)\n throw new Error(\"_sha2: outputLen must be aligned to 32bit\");\n const outLen = len / 4;\n const state = this.get();\n if (outLen > state.length) {\n throw new Error(\"_sha2: outputLen bigger than state\");\n }\n for (let i = 0; i < outLen; i++)\n oview.setUint32(4 * i, state[i], isLE);\n }\n digest() {\n const { buffer, outputLen } = this;\n this.digestInto(buffer);\n const res = buffer.slice(0, outputLen);\n this.destroy();\n return res;\n }\n _cloneInto(to) {\n to ||= new this.constructor();\n to.set(...this.get());\n const { blockLen, buffer, length, finished, destroyed, pos } = this;\n to.destroyed = destroyed;\n to.finished = finished;\n to.length = length;\n to.pos = pos;\n if (length % blockLen)\n to.buffer.set(buffer);\n return to;\n }\n clone() {\n return this._cloneInto();\n }\n}\n/**\n * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.\n * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.\n */\n/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */\nexport const SHA256_IV = /* @__PURE__ */ Uint32Array.from([\n 0x6a09e667,\n 0xbb67ae85,\n 0x3c6ef372,\n 0xa54ff53a,\n 0x510e527f,\n 0x9b05688c,\n 0x1f83d9ab,\n 0x5be0cd19,\n]);\n/** Initial SHA384 state. Bits 0..64 of frac part of sqrt of primes 23..53 */\nexport const SHA384_IV = /* @__PURE__ */ Uint32Array.from([\n 0xcbbb9d5d,\n 0xc1059ed8,\n 0x629a292a,\n 0x367cd507,\n 0x9159015a,\n 0x3070dd17,\n 0x152fecd8,\n 0xf70e5939,\n 0x67332667,\n 0xffc00b31,\n 0x8eb44a87,\n 0x68581511,\n 0xdb0c2e0d,\n 0x64f98fa7,\n 0x47b5481d,\n 0xbefa4fa4,\n]);\n/** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */\nexport const SHA512_IV = /* @__PURE__ */ Uint32Array.from([\n 0x6a09e667,\n 0xf3bcc908,\n 0xbb67ae85,\n 0x84caa73b,\n 0x3c6ef372,\n 0xfe94f82b,\n 0xa54ff53a,\n 0x5f1d36f1,\n 0x510e527f,\n 0xade682d1,\n 0x9b05688c,\n 0x2b3e6c1f,\n 0x1f83d9ab,\n 0xfb41bd6b,\n 0x5be0cd19,\n 0x137e2179,\n]);\n", "/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/4e358a46d682adfb005ae6314ec999f2513086b9/src/_u64.ts\n */\n/**\n * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.\n * @todo re-check https://issues.chromium.org/issues/42212588\n * @module\n */\nconst U32_MASK64 = 0xffffffffn;\nconst _32n = 32n;\nfunction fromBig(n, le = false) {\n if (le) {\n return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };\n }\n return {\n h: Number((n >> _32n) & U32_MASK64) | 0,\n l: Number(n & U32_MASK64) | 0,\n };\n}\nfunction split(lst, le = false) {\n const len = lst.length;\n const Ah = new Uint32Array(len);\n const Al = new Uint32Array(len);\n for (let i = 0; i < len; i++) {\n const { h, l } = fromBig(lst[i], le);\n [Ah[i], Al[i]] = [h, l];\n }\n return [Ah, Al];\n}\nconst toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);\n// for Shift in [0, 32)\nconst shrSH = (h, _l, s) => h >>> s;\nconst shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in [1, 32)\nconst rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));\nconst rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));\nconst rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));\n// Right rotate for shift===32 (just swaps l&h)\nconst rotr32H = (_h, l) => l;\nconst rotr32L = (h, _l) => h;\n// Left rotate for Shift in [1, 32)\nconst rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));\nconst rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));\n// Left rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));\nconst rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));\n// JS uses 32-bit signed integers for bitwise operations which means we cannot\n// simple take carry out of low bit sum by shift, we need to use division.\nfunction add(Ah, Al, Bh, Bl) {\n const l = (Al >>> 0) + (Bl >>> 0);\n return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };\n}\n// Addition with more than 2 elements\nconst add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);\nconst add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;\nconst add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);\nconst add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;\nconst add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);\nconst add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;\n// prettier-ignore\nexport { add, add3H, add3L, add4H, add4L, add5H, add5L, fromBig, rotlBH, rotlBL, rotlSH, rotlSL, rotr32H, rotr32L, rotrBH, rotrBL, rotrSH, rotrSL, shrSH, shrSL, split, toBig, };\n// prettier-ignore\nconst u64 = {\n fromBig,\n split,\n toBig,\n shrSH,\n shrSL,\n rotrSH,\n rotrSL,\n rotrBH,\n rotrBL,\n rotr32H,\n rotr32L,\n rotlSH,\n rotlSL,\n rotlBH,\n rotlBL,\n add,\n add3L,\n add3H,\n add4L,\n add4H,\n add5H,\n add5L,\n};\nexport default u64;\n", "/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/2e0c00e1aa134082ba1380bf3afb8b1641f60fed/src/sha2.ts\n */\n/**\n * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.\n * SHA256 is the fastest hash implementable in JS, even faster than Blake3.\n * Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and\n * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).\n * @module\n */\nimport { Chi, HashMD, Maj, SHA256_IV, SHA384_IV, SHA512_IV } from \"./md.js\";\nimport * as u64 from \"./u64.js\";\nimport { clean, oidNist, rotr } from \"../utils/noble.js\";\nimport { createHasher } from \"./hash.js\";\n/**\n * Round constants:\n * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)\n */\nconst SHA256_K = /* @__PURE__ */ Uint32Array.from([\n 0x428a2f98,\n 0x71374491,\n 0xb5c0fbcf,\n 0xe9b5dba5,\n 0x3956c25b,\n 0x59f111f1,\n 0x923f82a4,\n 0xab1c5ed5,\n 0xd807aa98,\n 0x12835b01,\n 0x243185be,\n 0x550c7dc3,\n 0x72be5d74,\n 0x80deb1fe,\n 0x9bdc06a7,\n 0xc19bf174,\n 0xe49b69c1,\n 0xefbe4786,\n 0x0fc19dc6,\n 0x240ca1cc,\n 0x2de92c6f,\n 0x4a7484aa,\n 0x5cb0a9dc,\n 0x76f988da,\n 0x983e5152,\n 0xa831c66d,\n 0xb00327c8,\n 0xbf597fc7,\n 0xc6e00bf3,\n 0xd5a79147,\n 0x06ca6351,\n 0x14292967,\n 0x27b70a85,\n 0x2e1b2138,\n 0x4d2c6dfc,\n 0x53380d13,\n 0x650a7354,\n 0x766a0abb,\n 0x81c2c92e,\n 0x92722c85,\n 0xa2bfe8a1,\n 0xa81a664b,\n 0xc24b8b70,\n 0xc76c51a3,\n 0xd192e819,\n 0xd6990624,\n 0xf40e3585,\n 0x106aa070,\n 0x19a4c116,\n 0x1e376c08,\n 0x2748774c,\n 0x34b0bcb5,\n 0x391c0cb3,\n 0x4ed8aa4a,\n 0x5b9cca4f,\n 0x682e6ff3,\n 0x748f82ee,\n 0x78a5636f,\n 0x84c87814,\n 0x8cc70208,\n 0x90befffa,\n 0xa4506ceb,\n 0xbef9a3f7,\n 0xc67178f2,\n]);\n/** Reusable temporary buffer. \"W\" comes straight from spec. */\nconst SHA256_W = /* @__PURE__ */ new Uint32Array(64);\n/** Internal 32-byte base SHA2 hash class. */\nclass SHA2_32B extends HashMD {\n constructor(outputLen) {\n super(64, outputLen, 8, false);\n }\n get() {\n const { A, B, C, D, E, F, G, H } = this;\n return [A, B, C, D, E, F, G, H];\n }\n set(A, B, C, D, E, F, G, H) {\n this.A = A | 0;\n this.B = B | 0;\n this.C = C | 0;\n this.D = D | 0;\n this.E = E | 0;\n this.F = F | 0;\n this.G = G | 0;\n this.H = H | 0;\n }\n process(view, offset) {\n // Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array\n for (let i = 0; i < 16; i++, offset += 4) {\n SHA256_W[i] = view.getUint32(offset, false);\n }\n for (let i = 16; i < 64; i++) {\n const W15 = SHA256_W[i - 15];\n const W2 = SHA256_W[i - 2];\n const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);\n const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);\n SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;\n }\n // Compression function main loop, 64 rounds\n let { A, B, C, D, E, F, G, H } = this;\n for (let i = 0; i < 64; i++) {\n const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);\n const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;\n const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);\n const T2 = (sigma0 + Maj(A, B, C)) | 0;\n H = G;\n G = F;\n F = E;\n E = (D + T1) | 0;\n D = C;\n C = B;\n B = A;\n A = (T1 + T2) | 0;\n }\n // Add the compressed chunk to the current hash value\n A = (A + this.A) | 0;\n B = (B + this.B) | 0;\n C = (C + this.C) | 0;\n D = (D + this.D) | 0;\n E = (E + this.E) | 0;\n F = (F + this.F) | 0;\n G = (G + this.G) | 0;\n H = (H + this.H) | 0;\n this.set(A, B, C, D, E, F, G, H);\n }\n roundClean() {\n clean(SHA256_W);\n }\n destroy() {\n this.set(0, 0, 0, 0, 0, 0, 0, 0);\n clean(this.buffer);\n }\n}\n/** Internal SHA2-256 hash class. */\nexport class _SHA256 extends SHA2_32B {\n constructor() {\n super(32);\n // We cannot use array here since array allows indexing by variable\n // which means optimizer/compiler cannot use registers.\n Object.defineProperty(this, \"A\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[0] | 0\n });\n Object.defineProperty(this, \"B\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[1] | 0\n });\n Object.defineProperty(this, \"C\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[2] | 0\n });\n Object.defineProperty(this, \"D\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[3] | 0\n });\n Object.defineProperty(this, \"E\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[4] | 0\n });\n Object.defineProperty(this, \"F\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[5] | 0\n });\n Object.defineProperty(this, \"G\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[6] | 0\n });\n Object.defineProperty(this, \"H\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[7] | 0\n });\n }\n}\n// SHA2-512 is slower than sha256 in js because u64 operations are slow.\n// Round contants\n// First 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409\nconst K512 = /* @__PURE__ */ (() => u64.split([\n 0x428a2f98d728ae22n,\n 0x7137449123ef65cdn,\n 0xb5c0fbcfec4d3b2fn,\n 0xe9b5dba58189dbbcn,\n 0x3956c25bf348b538n,\n 0x59f111f1b605d019n,\n 0x923f82a4af194f9bn,\n 0xab1c5ed5da6d8118n,\n 0xd807aa98a3030242n,\n 0x12835b0145706fben,\n 0x243185be4ee4b28cn,\n 0x550c7dc3d5ffb4e2n,\n 0x72be5d74f27b896fn,\n 0x80deb1fe3b1696b1n,\n 0x9bdc06a725c71235n,\n 0xc19bf174cf692694n,\n 0xe49b69c19ef14ad2n,\n 0xefbe4786384f25e3n,\n 0x0fc19dc68b8cd5b5n,\n 0x240ca1cc77ac9c65n,\n 0x2de92c6f592b0275n,\n 0x4a7484aa6ea6e483n,\n 0x5cb0a9dcbd41fbd4n,\n 0x76f988da831153b5n,\n 0x983e5152ee66dfabn,\n 0xa831c66d2db43210n,\n 0xb00327c898fb213fn,\n 0xbf597fc7beef0ee4n,\n 0xc6e00bf33da88fc2n,\n 0xd5a79147930aa725n,\n 0x06ca6351e003826fn,\n 0x142929670a0e6e70n,\n 0x27b70a8546d22ffcn,\n 0x2e1b21385c26c926n,\n 0x4d2c6dfc5ac42aedn,\n 0x53380d139d95b3dfn,\n 0x650a73548baf63den,\n 0x766a0abb3c77b2a8n,\n 0x81c2c92e47edaee6n,\n 0x92722c851482353bn,\n 0xa2bfe8a14cf10364n,\n 0xa81a664bbc423001n,\n 0xc24b8b70d0f89791n,\n 0xc76c51a30654be30n,\n 0xd192e819d6ef5218n,\n 0xd69906245565a910n,\n 0xf40e35855771202an,\n 0x106aa07032bbd1b8n,\n 0x19a4c116b8d2d0c8n,\n 0x1e376c085141ab53n,\n 0x2748774cdf8eeb99n,\n 0x34b0bcb5e19b48a8n,\n 0x391c0cb3c5c95a63n,\n 0x4ed8aa4ae3418acbn,\n 0x5b9cca4f7763e373n,\n 0x682e6ff3d6b2b8a3n,\n 0x748f82ee5defb2fcn,\n 0x78a5636f43172f60n,\n 0x84c87814a1f0ab72n,\n 0x8cc702081a6439ecn,\n 0x90befffa23631e28n,\n 0xa4506cebde82bde9n,\n 0xbef9a3f7b2c67915n,\n 0xc67178f2e372532bn,\n 0xca273eceea26619cn,\n 0xd186b8c721c0c207n,\n 0xeada7dd6cde0eb1en,\n 0xf57d4f7fee6ed178n,\n 0x06f067aa72176fban,\n 0x0a637dc5a2c898a6n,\n 0x113f9804bef90daen,\n 0x1b710b35131c471bn,\n 0x28db77f523047d84n,\n 0x32caab7b40c72493n,\n 0x3c9ebe0a15c9bebcn,\n 0x431d67c49c100d4cn,\n 0x4cc5d4becb3e42b6n,\n 0x597f299cfc657e2an,\n 0x5fcb6fab3ad6faecn,\n 0x6c44198c4a475817n,\n]))();\nconst SHA512_Kh = /* @__PURE__ */ (() => K512[0])();\nconst SHA512_Kl = /* @__PURE__ */ (() => K512[1])();\n// Reusable temporary buffers\nconst SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);\nconst SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);\n/** Internal 64-byte base SHA2 hash class. */\nclass SHA2_64B extends HashMD {\n constructor(outputLen) {\n super(128, outputLen, 16, false);\n }\n get() {\n const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;\n return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];\n }\n set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {\n this.Ah = Ah | 0;\n this.Al = Al | 0;\n this.Bh = Bh | 0;\n this.Bl = Bl | 0;\n this.Ch = Ch | 0;\n this.Cl = Cl | 0;\n this.Dh = Dh | 0;\n this.Dl = Dl | 0;\n this.Eh = Eh | 0;\n this.El = El | 0;\n this.Fh = Fh | 0;\n this.Fl = Fl | 0;\n this.Gh = Gh | 0;\n this.Gl = Gl | 0;\n this.Hh = Hh | 0;\n this.Hl = Hl | 0;\n }\n process(view, offset) {\n // Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array\n for (let i = 0; i < 16; i++, offset += 4) {\n SHA512_W_H[i] = view.getUint32(offset);\n SHA512_W_L[i] = view.getUint32(offset += 4);\n }\n for (let i = 16; i < 80; i++) {\n // s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)\n const W15h = SHA512_W_H[i - 15] | 0;\n const W15l = SHA512_W_L[i - 15] | 0;\n const s0h = u64.rotrSH(W15h, W15l, 1) ^ u64.rotrSH(W15h, W15l, 8) ^\n u64.shrSH(W15h, W15l, 7);\n const s0l = u64.rotrSL(W15h, W15l, 1) ^ u64.rotrSL(W15h, W15l, 8) ^\n u64.shrSL(W15h, W15l, 7);\n // s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)\n const W2h = SHA512_W_H[i - 2] | 0;\n const W2l = SHA512_W_L[i - 2] | 0;\n const s1h = u64.rotrSH(W2h, W2l, 19) ^ u64.rotrBH(W2h, W2l, 61) ^\n u64.shrSH(W2h, W2l, 6);\n const s1l = u64.rotrSL(W2h, W2l, 19) ^ u64.rotrBL(W2h, W2l, 61) ^\n u64.shrSL(W2h, W2l, 6);\n // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];\n const SUMl = u64.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);\n const SUMh = u64.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);\n SHA512_W_H[i] = SUMh | 0;\n SHA512_W_L[i] = SUMl | 0;\n }\n let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;\n // Compression function main loop, 80 rounds\n for (let i = 0; i < 80; i++) {\n // S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)\n const sigma1h = u64.rotrSH(Eh, El, 14) ^ u64.rotrSH(Eh, El, 18) ^\n u64.rotrBH(Eh, El, 41);\n const sigma1l = u64.rotrSL(Eh, El, 14) ^ u64.rotrSL(Eh, El, 18) ^\n u64.rotrBL(Eh, El, 41);\n //const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;\n const CHIh = (Eh & Fh) ^ (~Eh & Gh);\n const CHIl = (El & Fl) ^ (~El & Gl);\n // T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]\n const T1ll = u64.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);\n const T1h = u64.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);\n const T1l = T1ll | 0;\n // S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)\n const sigma0h = u64.rotrSH(Ah, Al, 28) ^ u64.rotrBH(Ah, Al, 34) ^\n u64.rotrBH(Ah, Al, 39);\n const sigma0l = u64.rotrSL(Ah, Al, 28) ^ u64.rotrBL(Ah, Al, 34) ^\n u64.rotrBL(Ah, Al, 39);\n const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);\n const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);\n Hh = Gh | 0;\n Hl = Gl | 0;\n Gh = Fh | 0;\n Gl = Fl | 0;\n Fh = Eh | 0;\n Fl = El | 0;\n ({ h: Eh, l: El } = u64.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));\n Dh = Ch | 0;\n Dl = Cl | 0;\n Ch = Bh | 0;\n Cl = Bl | 0;\n Bh = Ah | 0;\n Bl = Al | 0;\n const All = u64.add3L(T1l, sigma0l, MAJl);\n Ah = u64.add3H(All, T1h, sigma0h, MAJh);\n Al = All | 0;\n }\n // Add the compressed chunk to the current hash value\n ({ h: Ah, l: Al } = u64.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));\n ({ h: Bh, l: Bl } = u64.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));\n ({ h: Ch, l: Cl } = u64.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));\n ({ h: Dh, l: Dl } = u64.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));\n ({ h: Eh, l: El } = u64.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));\n ({ h: Fh, l: Fl } = u64.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));\n ({ h: Gh, l: Gl } = u64.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));\n ({ h: Hh, l: Hl } = u64.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));\n this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);\n }\n roundClean() {\n clean(SHA512_W_H, SHA512_W_L);\n }\n destroy() {\n clean(this.buffer);\n this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);\n }\n}\n/** Internal SHA2-512 hash class. */\nexport class _SHA512 extends SHA2_64B {\n constructor() {\n super(64);\n Object.defineProperty(this, \"Ah\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[0] | 0\n });\n Object.defineProperty(this, \"Al\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[1] | 0\n });\n Object.defineProperty(this, \"Bh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[2] | 0\n });\n Object.defineProperty(this, \"Bl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[3] | 0\n });\n Object.defineProperty(this, \"Ch\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[4] | 0\n });\n Object.defineProperty(this, \"Cl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[5] | 0\n });\n Object.defineProperty(this, \"Dh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[6] | 0\n });\n Object.defineProperty(this, \"Dl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[7] | 0\n });\n Object.defineProperty(this, \"Eh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[8] | 0\n });\n Object.defineProperty(this, \"El\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[9] | 0\n });\n Object.defineProperty(this, \"Fh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[10] | 0\n });\n Object.defineProperty(this, \"Fl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[11] | 0\n });\n Object.defineProperty(this, \"Gh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[12] | 0\n });\n Object.defineProperty(this, \"Gl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[13] | 0\n });\n Object.defineProperty(this, \"Hh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[14] | 0\n });\n Object.defineProperty(this, \"Hl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[15] | 0\n });\n }\n}\nexport class _SHA384 extends SHA2_64B {\n constructor() {\n super(48);\n Object.defineProperty(this, \"Ah\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[0] | 0\n });\n Object.defineProperty(this, \"Al\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[1] | 0\n });\n Object.defineProperty(this, \"Bh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[2] | 0\n });\n Object.defineProperty(this, \"Bl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[3] | 0\n });\n Object.defineProperty(this, \"Ch\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[4] | 0\n });\n Object.defineProperty(this, \"Cl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[5] | 0\n });\n Object.defineProperty(this, \"Dh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[6] | 0\n });\n Object.defineProperty(this, \"Dl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[7] | 0\n });\n Object.defineProperty(this, \"Eh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[8] | 0\n });\n Object.defineProperty(this, \"El\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[9] | 0\n });\n Object.defineProperty(this, \"Fh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[10] | 0\n });\n Object.defineProperty(this, \"Fl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[11] | 0\n });\n Object.defineProperty(this, \"Gh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[12] | 0\n });\n Object.defineProperty(this, \"Gl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[13] | 0\n });\n Object.defineProperty(this, \"Hh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[14] | 0\n });\n Object.defineProperty(this, \"Hl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[15] | 0\n });\n }\n}\n/**\n * SHA2-256 hash function from RFC 4634. In JS it's the fastest: even faster than Blake3. Some info:\n *\n * - Trying 2^128 hashes would get 50% chance of collision, using birthday attack.\n * - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.\n * - Each sha256 hash is executing 2^18 bit operations.\n * - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.\n */\nexport const sha256 = /* @__PURE__ */ createHasher(() => new _SHA256(), \n/* @__PURE__ */ oidNist(0x01));\n/** SHA2-512 hash function from RFC 4634. */\nexport const sha512 = /* @__PURE__ */ createHasher(() => new _SHA512(), \n/* @__PURE__ */ oidNist(0x03));\n/** SHA2-384 hash function from RFC 4634. */\nexport const sha384 = /* @__PURE__ */ createHasher(() => new _SHA384(), \n/* @__PURE__ */ oidNist(0x02));\n", "/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/4e358a46d682adfb005ae6314ec999f2513086b9/src/sha3.ts\n */\n/**\n * SHA3 (keccak) hash function, based on a new \"Sponge function\" design.\n * Different from older hashes, the internal state is bigger than output size.\n *\n * Check out [FIPS-202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf),\n * [Website](https://keccak.team/keccak.html),\n * [the differences between SHA-3 and Keccak](https://crypto.stackexchange.com/questions/15727/what-are-the-key-differences-between-the-draft-sha-3-standard-and-the-keccak-sub).\n *\n * Check out `sha3-addons` module for cSHAKE, k12, and others.\n * @module\n */\nimport { rotlBH, rotlBL, rotlSH, rotlSL, split } from \"./u64.js\";\nimport { abytes, aexists, anumber, aoutput, clean, oidNist, swap32IfBE, u32, } from \"../utils/noble.js\";\nimport { createHasher, } from \"./hash.js\";\n// No __PURE__ annotations in sha3 header:\n// EVERYTHING is in fact used on every export.\n// Various per round constants calculations\nconst _0n = 0n;\nconst _1n = 1n;\nconst _2n = 2n;\nconst _7n = 7n;\nconst _256n = 256n;\nconst _0x71n = 0x71n;\nconst SHA3_PI = [];\nconst SHA3_ROTL = [];\nconst _SHA3_IOTA = []; // no pure annotation: var is always used\nfor (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {\n // Pi\n [x, y] = [y, (2 * x + 3 * y) % 5];\n SHA3_PI.push(2 * (5 * y + x));\n // Rotational\n SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);\n // Iota\n let t = _0n;\n for (let j = 0; j < 7; j++) {\n R = ((R << _1n) ^ ((R >> _7n) * _0x71n)) % _256n;\n if (R & _2n)\n t ^= _1n << ((_1n << BigInt(j)) - _1n);\n }\n _SHA3_IOTA.push(t);\n}\nconst IOTAS = split(_SHA3_IOTA, true);\nconst SHA3_IOTA_H = IOTAS[0];\nconst SHA3_IOTA_L = IOTAS[1];\n// Left rotation (without 0, 32, 64)\nconst rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));\nconst rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));\n/** `keccakf1600` internal function, additionally allows to adjust round count. */\nexport function keccakP(s, rounds = 24, B) {\n if (!B)\n B = new Uint32Array(10);\n // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)\n for (let round = 24 - rounds; round < 24; round++) {\n // Theta \u03B8\n for (let x = 0; x < 10; x++) {\n B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];\n }\n // for (let x = 0; x < 10; x += 2) {\n // const idx1 = (x + 8) % 10;\n // const idx0 = (x + 2) % 10;\n // const B0 = B[idx0];\n // const B1 = B[idx0 + 1];\n // const Th = rotlH(B0, B1, 1) ^ B[idx1];\n // const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];\n // for (let y = 0; y < 50; y += 10) {\n // s[x + y] ^= Th;\n // s[x + y + 1] ^= Tl;\n // }\n // }\n { // x=0: idx0=2, idx1=8\n const Th = rotlH(B[2], B[3], 1) ^ B[8];\n const Tl = rotlL(B[2], B[3], 1) ^ B[9];\n s[0] ^= Th;\n s[1] ^= Tl;\n s[10] ^= Th;\n s[11] ^= Tl;\n s[20] ^= Th;\n s[21] ^= Tl;\n s[30] ^= Th;\n s[31] ^= Tl;\n s[40] ^= Th;\n s[41] ^= Tl;\n }\n { // x=2: idx0=4, idx1=0\n const Th = rotlH(B[4], B[5], 1) ^ B[0];\n const Tl = rotlL(B[4], B[5], 1) ^ B[1];\n s[2] ^= Th;\n s[3] ^= Tl;\n s[12] ^= Th;\n s[13] ^= Tl;\n s[22] ^= Th;\n s[23] ^= Tl;\n s[32] ^= Th;\n s[33] ^= Tl;\n s[42] ^= Th;\n s[43] ^= Tl;\n }\n { // x=4: idx0=6, idx1=2\n const Th = rotlH(B[6], B[7], 1) ^ B[2];\n const Tl = rotlL(B[6], B[7], 1) ^ B[3];\n s[4] ^= Th;\n s[5] ^= Tl;\n s[14] ^= Th;\n s[15] ^= Tl;\n s[24] ^= Th;\n s[25] ^= Tl;\n s[34] ^= Th;\n s[35] ^= Tl;\n s[44] ^= Th;\n s[45] ^= Tl;\n }\n { // x=6: idx0=8, idx1=4\n const Th = rotlH(B[8], B[9], 1) ^ B[4];\n const Tl = rotlL(B[8], B[9], 1) ^ B[5];\n s[6] ^= Th;\n s[7] ^= Tl;\n s[16] ^= Th;\n s[17] ^= Tl;\n s[26] ^= Th;\n s[27] ^= Tl;\n s[36] ^= Th;\n s[37] ^= Tl;\n s[46] ^= Th;\n s[47] ^= Tl;\n }\n { // x=8: idx0=0, idx1=6\n const Th = rotlH(B[0], B[1], 1) ^ B[6];\n const Tl = rotlL(B[0], B[1], 1) ^ B[7];\n s[8] ^= Th;\n s[9] ^= Tl;\n s[18] ^= Th;\n s[19] ^= Tl;\n s[28] ^= Th;\n s[29] ^= Tl;\n s[38] ^= Th;\n s[39] ^= Tl;\n s[48] ^= Th;\n s[49] ^= Tl;\n }\n // Rho (\u03C1) and Pi (\u03C0) \u2014 fully unrolled\n let curH = s[2];\n let curL = s[3];\n // for (let t = 0; t < 24; t++) {\n // const shift = SHA3_ROTL[t];\n // const Th = rotlH(curH, curL, shift);\n // const Tl = rotlL(curH, curL, shift);\n // const PI = SHA3_PI[t];\n // curH = s[PI];\n // curL = s[PI + 1];\n // s[PI] = Th;\n // s[PI + 1] = Tl;\n // }\n let Th, Tl;\n // t=0: shift=1(S), PI=20\n Th = rotlSH(curH, curL, 1);\n Tl = rotlSL(curH, curL, 1);\n curH = s[20];\n curL = s[21];\n s[20] = Th;\n s[21] = Tl;\n // t=1: shift=3(S), PI=14\n Th = rotlSH(curH, curL, 3);\n Tl = rotlSL(curH, curL, 3);\n curH = s[14];\n curL = s[15];\n s[14] = Th;\n s[15] = Tl;\n // t=2: shift=6(S), PI=22\n Th = rotlSH(curH, curL, 6);\n Tl = rotlSL(curH, curL, 6);\n curH = s[22];\n curL = s[23];\n s[22] = Th;\n s[23] = Tl;\n // t=3: shift=10(S), PI=34\n Th = rotlSH(curH, curL, 10);\n Tl = rotlSL(curH, curL, 10);\n curH = s[34];\n curL = s[35];\n s[34] = Th;\n s[35] = Tl;\n // t=4: shift=15(S), PI=36\n Th = rotlSH(curH, curL, 15);\n Tl = rotlSL(curH, curL, 15);\n curH = s[36];\n curL = s[37];\n s[36] = Th;\n s[37] = Tl;\n // t=5: shift=21(S), PI=6\n Th = rotlSH(curH, curL, 21);\n Tl = rotlSL(curH, curL, 21);\n curH = s[6];\n curL = s[7];\n s[6] = Th;\n s[7] = Tl;\n // t=6: shift=28(S), PI=10\n Th = rotlSH(curH, curL, 28);\n Tl = rotlSL(curH, curL, 28);\n curH = s[10];\n curL = s[11];\n s[10] = Th;\n s[11] = Tl;\n // t=7: shift=36(B), PI=32\n Th = rotlBH(curH, curL, 36);\n Tl = rotlBL(curH, curL, 36);\n curH = s[32];\n curL = s[33];\n s[32] = Th;\n s[33] = Tl;\n // t=8: shift=45(B), PI=16\n Th = rotlBH(curH, curL, 45);\n Tl = rotlBL(curH, curL, 45);\n curH = s[16];\n curL = s[17];\n s[16] = Th;\n s[17] = Tl;\n // t=9: shift=55(B), PI=42\n Th = rotlBH(curH, curL, 55);\n Tl = rotlBL(curH, curL, 55);\n curH = s[42];\n curL = s[43];\n s[42] = Th;\n s[43] = Tl;\n // t=10: shift=2(S), PI=48\n Th = rotlSH(curH, curL, 2);\n Tl = rotlSL(curH, curL, 2);\n curH = s[48];\n curL = s[49];\n s[48] = Th;\n s[49] = Tl;\n // t=11: shift=14(S), PI=8\n Th = rotlSH(curH, curL, 14);\n Tl = rotlSL(curH, curL, 14);\n curH = s[8];\n curL = s[9];\n s[8] = Th;\n s[9] = Tl;\n // t=12: shift=27(S), PI=30\n Th = rotlSH(curH, curL, 27);\n Tl = rotlSL(curH, curL, 27);\n curH = s[30];\n curL = s[31];\n s[30] = Th;\n s[31] = Tl;\n // t=13: shift=41(B), PI=46\n Th = rotlBH(curH, curL, 41);\n Tl = rotlBL(curH, curL, 41);\n curH = s[46];\n curL = s[47];\n s[46] = Th;\n s[47] = Tl;\n // t=14: shift=56(B), PI=38\n Th = rotlBH(curH, curL, 56);\n Tl = rotlBL(curH, curL, 56);\n curH = s[38];\n curL = s[39];\n s[38] = Th;\n s[39] = Tl;\n // t=15: shift=8(S), PI=26\n Th = rotlSH(curH, curL, 8);\n Tl = rotlSL(curH, curL, 8);\n curH = s[26];\n curL = s[27];\n s[26] = Th;\n s[27] = Tl;\n // t=16: shift=25(S), PI=24\n Th = rotlSH(curH, curL, 25);\n Tl = rotlSL(curH, curL, 25);\n curH = s[24];\n curL = s[25];\n s[24] = Th;\n s[25] = Tl;\n // t=17: shift=43(B), PI=4\n Th = rotlBH(curH, curL, 43);\n Tl = rotlBL(curH, curL, 43);\n curH = s[4];\n curL = s[5];\n s[4] = Th;\n s[5] = Tl;\n // t=18: shift=62(B), PI=40\n Th = rotlBH(curH, curL, 62);\n Tl = rotlBL(curH, curL, 62);\n curH = s[40];\n curL = s[41];\n s[40] = Th;\n s[41] = Tl;\n // t=19: shift=18(S), PI=28\n Th = rotlSH(curH, curL, 18);\n Tl = rotlSL(curH, curL, 18);\n curH = s[28];\n curL = s[29];\n s[28] = Th;\n s[29] = Tl;\n // t=20: shift=39(B), PI=44\n Th = rotlBH(curH, curL, 39);\n Tl = rotlBL(curH, curL, 39);\n curH = s[44];\n curL = s[45];\n s[44] = Th;\n s[45] = Tl;\n // t=21: shift=61(B), PI=18\n Th = rotlBH(curH, curL, 61);\n Tl = rotlBL(curH, curL, 61);\n curH = s[18];\n curL = s[19];\n s[18] = Th;\n s[19] = Tl;\n // t=22: shift=20(S), PI=12\n Th = rotlSH(curH, curL, 20);\n Tl = rotlSL(curH, curL, 20);\n curH = s[12];\n curL = s[13];\n s[12] = Th;\n s[13] = Tl;\n // t=23: shift=44(B), PI=2\n Th = rotlBH(curH, curL, 44);\n Tl = rotlBL(curH, curL, 44);\n s[2] = Th;\n s[3] = Tl;\n // Chi (\u03C7)\n for (let y = 0; y < 50; y += 10) {\n B[0] = s[y];\n B[1] = s[y + 1];\n B[2] = s[y + 2];\n B[3] = s[y + 3];\n B[4] = s[y + 4];\n B[5] = s[y + 5];\n B[6] = s[y + 6];\n B[7] = s[y + 7];\n B[8] = s[y + 8];\n B[9] = s[y + 9];\n s[y + 0] ^= ~B[2] & B[4];\n s[y + 1] ^= ~B[3] & B[5];\n s[y + 2] ^= ~B[4] & B[6];\n s[y + 3] ^= ~B[5] & B[7];\n s[y + 4] ^= ~B[6] & B[8];\n s[y + 5] ^= ~B[7] & B[9];\n s[y + 6] ^= ~B[8] & B[0];\n s[y + 7] ^= ~B[9] & B[1];\n s[y + 8] ^= ~B[0] & B[2];\n s[y + 9] ^= ~B[1] & B[3];\n }\n // Iota (\u03B9)\n s[0] ^= SHA3_IOTA_H[round];\n s[1] ^= SHA3_IOTA_L[round];\n }\n}\n/** Keccak sponge function. */\nexport class Keccak {\n // NOTE: we accept arguments in bytes instead of bits here.\n constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {\n Object.defineProperty(this, \"state\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"pos\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"posOut\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"finished\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"state32\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"destroyed\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"_B\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: new Uint32Array(10)\n });\n Object.defineProperty(this, \"blockLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"suffix\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"outputLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"enableXOF\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"rounds\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.blockLen = blockLen;\n this.suffix = suffix;\n this.outputLen = outputLen;\n this.enableXOF = enableXOF;\n this.rounds = rounds;\n // Can be passed from user as dkLen\n anumber(outputLen, \"outputLen\");\n // 1600 = 5x5 matrix of 64bit. 1600 bits === 200 bytes\n // 0 < blockLen < 200\n if (!(0 < blockLen && blockLen < 200)) {\n throw new Error(\"only keccak-f1600 function is supported\");\n }\n this.state = new Uint8Array(200);\n this.state32 = u32(this.state);\n }\n clone() {\n return this._cloneInto();\n }\n /** Resets instance to initial (empty) state for reuse. */\n reset() {\n this.state.fill(0);\n this.pos = 0;\n this.posOut = 0;\n this.finished = false;\n this.destroyed = false;\n }\n keccak() {\n swap32IfBE(this.state32);\n keccakP(this.state32, this.rounds, this._B);\n swap32IfBE(this.state32);\n this.posOut = 0;\n this.pos = 0;\n }\n update(data) {\n aexists(this);\n abytes(data);\n return this.updateUnsafe(data);\n }\n /** Like update(), but skips validation. Caller must ensure valid state and input. */\n updateUnsafe(data) {\n const { blockLen, state } = this;\n const len = data.length;\n for (let pos = 0; pos < len;) {\n const take = Math.min(blockLen - this.pos, len - pos);\n for (let i = 0; i < take; i++)\n state[this.pos++] ^= data[pos++];\n if (this.pos === blockLen)\n this.keccak();\n }\n return this;\n }\n finish() {\n if (this.finished)\n return;\n this.finished = true;\n const { state, suffix, pos, blockLen } = this;\n // Do the padding\n state[pos] ^= suffix;\n if ((suffix & 0x80) !== 0 && pos === blockLen - 1)\n this.keccak();\n state[blockLen - 1] ^= 0x80;\n this.keccak();\n }\n writeInto(out) {\n aexists(this, false);\n abytes(out);\n return this.writeIntoUnsafe(out);\n }\n /** Like writeInto(), but skips validation. Caller must ensure valid state and output. */\n writeIntoUnsafe(out) {\n this.finish();\n const bufferOut = this.state;\n const { blockLen } = this;\n for (let pos = 0, len = out.length; pos < len;) {\n if (this.posOut >= blockLen)\n this.keccak();\n const take = Math.min(blockLen - this.posOut, len - pos);\n out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);\n this.posOut += take;\n pos += take;\n }\n return out;\n }\n xofInto(out) {\n // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF\n if (!this.enableXOF) {\n throw new Error(\"XOF is not possible for this instance\");\n }\n return this.writeInto(out);\n }\n xof(bytes) {\n anumber(bytes);\n return this.xofInto(new Uint8Array(bytes));\n }\n digestInto(out) {\n aoutput(out, this);\n if (this.finished)\n throw new Error(\"digest() was already called\");\n this.writeInto(out);\n this.destroy();\n return out;\n }\n digest() {\n return this.digestInto(new Uint8Array(this.outputLen));\n }\n destroy() {\n this.destroyed = true;\n clean(this.state);\n }\n _cloneInto(to) {\n const { blockLen, suffix, outputLen, rounds, enableXOF } = this;\n to ||= new Keccak(blockLen, suffix, outputLen, enableXOF, rounds);\n to.state32.set(this.state32);\n to.pos = this.pos;\n to.posOut = this.posOut;\n to.finished = this.finished;\n to.rounds = rounds;\n // Suffix can change in cSHAKE\n to.suffix = suffix;\n to.outputLen = outputLen;\n to.enableXOF = enableXOF;\n to.destroyed = this.destroyed;\n return to;\n }\n}\nconst genKeccak = (suffix, blockLen, outputLen, info = {}) => createHasher(() => new Keccak(blockLen, suffix, outputLen), info);\n// /** SHA3-224 hash function. */\n// export const sha3_224: CHash = /* @__PURE__ */ genKeccak(\n// 0x06,\n// 144,\n// 28,\n// /* @__PURE__ */ oidNist(0x07),\n// );\n/** SHA3-256 hash function. Different from keccak-256. */\nexport const sha3_256 = /* @__PURE__ */ genKeccak(0x06, 136, 32, \n/* @__PURE__ */ oidNist(0x08));\n/** SHA3-384 hash function. */\nexport const sha3_384 = /* @__PURE__ */ genKeccak(0x06, 104, 48, \n/* @__PURE__ */ oidNist(0x09));\n/** SHA3-512 hash function. */\nexport const sha3_512 = /* @__PURE__ */ genKeccak(0x06, 72, 64, \n/* @__PURE__ */ oidNist(0x0a));\n/** keccak-224 hash function. */\nexport const keccak_224 = /* @__PURE__ */ genKeccak(0x01, 144, 28);\n/** keccak-256 hash function. Different from SHA3-256. */\nexport const keccak_256 = /* @__PURE__ */ genKeccak(0x01, 136, 32);\n/** keccak-384 hash function. */\nexport const keccak_384 = /* @__PURE__ */ genKeccak(0x01, 104, 48);\n/** keccak-512 hash function. */\nexport const keccak_512 = /* @__PURE__ */ genKeccak(0x01, 72, 64);\nconst genShake = (suffix, blockLen, outputLen, info = {}) => createHasher((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true), info);\n/** SHAKE128 XOF with 128-bit security. */\nexport const shake128 = \n/* @__PURE__ */\ngenShake(0x1f, 168, 16, /* @__PURE__ */ oidNist(0x0b));\n/** SHAKE256 XOF with 256-bit security. */\nexport const shake256 = \n/* @__PURE__ */\ngenShake(0x1f, 136, 32, /* @__PURE__ */ oidNist(0x0c));\n// /** SHAKE128 XOF with 256-bit output (NIST version). */\n// export const shake128_32: CHashXOF<Keccak, ShakeOpts> =\n// /* @__PURE__ */\n// genShake(0x1f, 168, 32, /* @__PURE__ */ oidNist(0x0b));\n// /** SHAKE256 XOF with 512-bit output (NIST version). */\n// export const shake256_64: CHashXOF<Keccak, ShakeOpts> =\n// /* @__PURE__ */\n// genShake(0x1f, 136, 64, /* @__PURE__ */ oidNist(0x0c));\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/abstract/modular.ts\n */\n/**\n * Utils for modular division and fields.\n * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.\n * There is no division: it is replaced by modular multiplicative inverse.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { N_0 } from \"../consts.js\";\n// Numbers aren't used in x25519 / x448 builds\n// Calculates a modulo b\nexport function mod(a, b) {\n const result = a % b;\n return result >= N_0 ? result : b + result;\n}\n/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */\nexport function pow2(x, power, modulo) {\n let res = x;\n while (power-- > N_0) {\n res *= res;\n res %= modulo;\n }\n return res;\n}\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/abstract/curve.ts\n */\nexport function createKeygen(\n// deno-lint-ignore ban-types\nrandomSecretKey, getPublicKey) {\n return function keygen(seed) {\n const secretKey = randomSecretKey(seed);\n return { secretKey, publicKey: getPublicKey(secretKey) };\n };\n}\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/abstract/montgomery.ts\n */\n/**\n * Montgomery curve methods. It's not really whole montgomery curve,\n * just bunch of very specific methods for X25519 / X448 from\n * [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { abytes, aInRange, bytesToNumberLE, copyBytes, numberToBytesLE, randomBytesAsync, validateObject, } from \"../utils/noble.js\";\nimport { createKeygen } from \"./curve.js\";\nimport { mod } from \"./modular.js\";\nimport { N_0, N_1, N_2 } from \"../consts.js\";\nfunction validateOpts(curve) {\n validateObject(curve, {\n adjustScalarBytes: \"function\",\n powPminus2: \"function\",\n });\n return Object.freeze({ ...curve });\n}\nexport function montgomery(curveDef) {\n const CURVE = validateOpts(curveDef);\n const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;\n const is25519 = type === \"x25519\";\n if (!is25519 && type !== \"x448\")\n throw new Error(\"invalid type\");\n const randomBytes_ = rand || randomBytesAsync;\n const montgomeryBits = is25519 ? 255n : 448n;\n const fieldLen = is25519 ? 32 : 56;\n const Gu = is25519 ? 9n : 5n;\n // RFC 7748 #5:\n // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and\n // (156326 - 2) / 4 = 39081 for curve448/X448\n // const a = is25519 ? 156326n : 486662n;\n const a24 = is25519 ? 121665n : 39081n;\n // RFC: x25519 \"the resulting integer is of the form 2^254 plus\n // eight times a value between 0 and 2^251 - 1 (inclusive)\"\n // x448: \"2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)\"\n const minScalar = is25519 ? N_2 ** 254n : N_2 ** 447n;\n const maxAdded = is25519 ? 8n * N_2 ** 251n - N_1 : 4n * N_2 ** 445n - N_1;\n const maxScalar = minScalar + maxAdded + N_1; // (inclusive)\n const modP = (n) => mod(n, P);\n const GuBytes = encodeU(Gu);\n function encodeU(u) {\n return numberToBytesLE(modP(u), fieldLen);\n }\n function decodeU(u) {\n const _u = copyBytes(abytes(u, fieldLen, \"uCoordinate\"));\n // RFC: When receiving such an array, implementations of X25519\n // (but not X448) MUST mask the most significant bit in the final byte.\n if (is25519)\n _u[31] &= 127; // 0b0111_1111\n // RFC: Implementations MUST accept non-canonical values and process them as\n // if they had been reduced modulo the field prime. The non-canonical\n // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224\n // - 1 through 2^448 - 1 for X448.\n return modP(bytesToNumberLE(_u));\n }\n function decodeScalar(scalar) {\n return bytesToNumberLE(adjustScalarBytes(copyBytes(abytes(scalar, fieldLen, \"scalar\"))));\n }\n function scalarMult(scalar, u) {\n const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));\n // Some public keys are useless, of low-order. Curve author doesn't think\n // it needs to be validated, but we do it nonetheless.\n // https://cr.yp.to/ecdh.html#validate\n if (pu === N_0)\n throw new Error(\"invalid private or public key received\");\n return encodeU(pu);\n }\n // Computes public key from private. By doing scalar multiplication of base point.\n function scalarMultBase(scalar) {\n return scalarMult(scalar, GuBytes);\n }\n const getPublicKey = scalarMultBase;\n const getSharedSecret = scalarMult;\n // cswap from RFC7748 \"example code\"\n function cswap(swap, x_2, x_3) {\n // dummy = mask(swap) AND (x_2 XOR x_3)\n // Where mask(swap) is the all-1 or all-0 word of the same length as x_2\n // and x_3, computed, e.g., as mask(swap) = 0 - swap.\n const dummy = modP(swap * (x_2 - x_3));\n x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy\n x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy\n return { x_2, x_3 };\n }\n /**\n * Montgomery x-only multiplication ladder.\n * @param pointU u coordinate (x) on Montgomery Curve 25519\n * @param scalar by which the point would be multiplied\n * @returns new Point on Montgomery curve\n */\n function montgomeryLadder(u, scalar) {\n aInRange(\"u\", u, N_0, P);\n aInRange(\"scalar\", scalar, minScalar, maxScalar);\n const k = scalar;\n const x_1 = u;\n let x_2 = N_1;\n let z_2 = N_0;\n let x_3 = u;\n let z_3 = N_1;\n let swap = N_0;\n for (let t = montgomeryBits - 1n; t >= N_0; t--) {\n const k_t = (k >> t) & N_1;\n swap ^= k_t;\n ({ x_2, x_3 } = cswap(swap, x_2, x_3));\n ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));\n swap = k_t;\n const A = x_2 + z_2;\n const AA = modP(A * A);\n const B = x_2 - z_2;\n const BB = modP(B * B);\n const E = AA - BB;\n const C = x_3 + z_3;\n const D = x_3 - z_3;\n const DA = modP(D * A);\n const CB = modP(C * B);\n const dacb = DA + CB;\n const da_cb = DA - CB;\n x_3 = modP(dacb * dacb);\n z_3 = modP(x_1 * modP(da_cb * da_cb));\n x_2 = modP(AA * BB);\n z_2 = modP(E * (AA + modP(a24 * E)));\n }\n ({ x_2, x_3 } = cswap(swap, x_2, x_3));\n ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));\n const z2 = powPminus2(z_2); // `Fp.pow(x, P - N_2)` is much slower equivalent\n return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))\n }\n const lengths = {\n secretKey: fieldLen,\n publicKey: fieldLen,\n seed: fieldLen,\n };\n const randomSecretKey = async (seed) => {\n if (seed === undefined) {\n seed = await randomBytes_(fieldLen);\n }\n abytes(seed, lengths.seed, \"seed\");\n return seed;\n };\n const utils = { randomSecretKey };\n return Object.freeze({\n keygen: createKeygen(randomSecretKey, getPublicKey),\n getSharedSecret,\n getPublicKey,\n scalarMult,\n scalarMultBase,\n utils,\n GuBytes: GuBytes.slice(),\n lengths,\n });\n}\n", "export * from \"./src/errors.js\";\nexport { NativeAlgorithm } from \"./src/algorithm.js\";\nexport { AeadId, KdfId, KemId, Mode } from \"./src/identifiers.js\";\nexport { Dhkem } from \"./src/kems/dhkem.js\";\nexport { Ec } from \"./src/kems/dhkemPrimitives/ec.js\";\nexport { XCurveDhkemPrimitives } from \"./src/kems/dhkemPrimitives/xCurve.js\";\nexport { Hybridkem } from \"./src/kems/hybridkem.js\";\nexport { XCryptoKey } from \"./src/xCryptoKey.js\";\nexport { HkdfSha256Native, HkdfSha384Native, HkdfSha512Native, toArrayBuffer, toUint8Array, } from \"./src/kdfs/hkdf.js\";\nexport { AEAD_USAGES } from \"./src/interfaces/aeadEncryptionContext.js\";\nexport { KEM_USAGES } from \"./src/interfaces/dhkemPrimitives.js\";\nexport { LABEL_DKP_PRK, LABEL_SK } from \"./src/interfaces/dhkemPrimitives.js\";\nexport { SUITE_ID_HEADER_KEM } from \"./src/interfaces/kemInterface.js\";\nexport { EMPTY, INFO_LENGTH_LIMIT, INPUT_LENGTH_LIMIT, MINIMUM_PSK_LENGTH, } from \"./src/consts.js\";\nexport { base64UrlToBytes, concat, hexToBytes, i2Osp, isCryptoKeyPair, isDeno, isDenoV1, kemToKeyGenAlgorithm, loadCrypto, loadSubtleCrypto, xor, } from \"./src/utils/misc.js\";\nexport { abytes, aexists, anumber, aoutput, clean, copyBytes, createView, hexToNumber, isLE, numberToBigint, u32, } from \"./src/utils/noble.js\";\nexport { hmac } from \"./src/hash/hmac.js\";\nexport { sha256, sha384, sha512 } from \"./src/hash/sha2.js\";\nexport { sha3_256, sha3_384, sha3_512, shake128, shake256, } from \"./src/hash/sha3.js\";\nexport { mod, pow2 } from \"./src/curve/modular.js\";\nexport { montgomery } from \"./src/curve/montgomery.js\";\n", "import { AEAD_USAGES, AeadId, NativeAlgorithm } from \"@hpke/common\";\nexport class AesGcmContext extends NativeAlgorithm {\n constructor(key) {\n super();\n Object.defineProperty(this, \"_rawKey\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_key\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: undefined\n });\n this._rawKey = key;\n }\n async seal(iv, data, aad) {\n await this._setupKey();\n const alg = {\n name: \"AES-GCM\",\n iv: iv,\n additionalData: aad,\n };\n const ct = await this._api.encrypt(alg, this._key, data);\n return ct;\n }\n async open(iv, data, aad) {\n await this._setupKey();\n const alg = {\n name: \"AES-GCM\",\n iv: iv,\n additionalData: aad,\n };\n const pt = await this._api.decrypt(alg, this._key, data);\n return pt;\n }\n async _setupKey() {\n if (this._key !== undefined) {\n return;\n }\n await this._setup();\n const key = await this._importKey(this._rawKey);\n (new Uint8Array(this._rawKey)).fill(0);\n this._key = key;\n return;\n }\n async _importKey(key) {\n return await this._api.importKey(\"raw\", key, { name: \"AES-GCM\" }, true, AEAD_USAGES);\n }\n}\n/**\n * The AES-128-GCM for HPKE AEAD implementing {@link AeadInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `aead` parameter of {@link CipherSuiteParams} instead of `AeadId.Aes128Gcm`.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class Aes128Gcm {\n constructor() {\n /** AeadId.Aes128Gcm (0x0001) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: AeadId.Aes128Gcm\n });\n /** 16 */\n Object.defineProperty(this, \"keySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 16\n });\n /** 12 */\n Object.defineProperty(this, \"nonceSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 12\n });\n /** 16 */\n Object.defineProperty(this, \"tagSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 16\n });\n }\n createEncryptionContext(key) {\n return new AesGcmContext(key);\n }\n}\n/**\n * The AES-256-GCM for HPKE AEAD implementing {@link AeadInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `aead` parameter of {@link CipherSuiteParams} instead of `AeadId.Aes256Gcm`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class Aes256Gcm extends Aes128Gcm {\n constructor() {\n super(...arguments);\n /** AeadId.Aes256Gcm (0x0002) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: AeadId.Aes256Gcm\n });\n /** 32 */\n Object.defineProperty(this, \"keySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 12 */\n Object.defineProperty(this, \"nonceSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 12\n });\n /** 16 */\n Object.defineProperty(this, \"tagSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 16\n });\n }\n}\n", "import { AeadId, NotSupportedError } from \"@hpke/common\";\n/**\n * The ExportOnly mode for HPKE AEAD implementing {@link AeadInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `aead` parameter of {@link CipherSuiteParams} instead of `AeadId.ExportOnly`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * ExportOnly,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new ExportOnly(),\n * });\n * ```\n */\nexport class ExportOnly {\n constructor() {\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: AeadId.ExportOnly\n });\n Object.defineProperty(this, \"keySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"nonceSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"tagSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n }\n createEncryptionContext(_key) {\n throw new NotSupportedError(\"Export only\");\n }\n}\n", "import { NotSupportedError } from \"@hpke/common\";\nexport function emitNotSupported() {\n return new Promise((_resolve, reject) => {\n reject(new NotSupportedError(\"Not supported\"));\n });\n}\n", "import { ExportError, INPUT_LENGTH_LIMIT, InvalidParamError, } from \"@hpke/common\";\nimport { emitNotSupported } from \"./utils/emitNotSupported.js\";\n// b\"sec\"\nconst LABEL_SEC = new Uint8Array([115, 101, 99]);\nexport class ExporterContextImpl {\n constructor(api, kdf, exporterSecret) {\n Object.defineProperty(this, \"_api\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"exporterSecret\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._api = api;\n this._kdf = kdf;\n this.exporterSecret = exporterSecret;\n }\n async seal(_data, _aad) {\n return await emitNotSupported();\n }\n async open(_data, _aad) {\n return await emitNotSupported();\n }\n async export(exporterContext, len) {\n if (exporterContext.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long exporter context\");\n }\n try {\n return await this._kdf.labeledExpand(this.exporterSecret, LABEL_SEC, new Uint8Array(exporterContext), len);\n }\n catch (e) {\n throw new ExportError(e);\n }\n }\n}\nexport class RecipientExporterContextImpl extends ExporterContextImpl {\n}\nexport class SenderExporterContextImpl extends ExporterContextImpl {\n constructor(api, kdf, exporterSecret, enc) {\n super(api, kdf, exporterSecret);\n Object.defineProperty(this, \"enc\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.enc = enc;\n return;\n }\n}\n", "import { i2Osp, MessageLimitReachedError, xor } from \"@hpke/common\";\nimport { ExporterContextImpl } from \"./exporterContext.js\";\nexport class EncryptionContextImpl extends ExporterContextImpl {\n constructor(api, kdf, params) {\n super(api, kdf, params.exporterSecret);\n // AEAD id.\n Object.defineProperty(this, \"_aead\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The length in bytes of a key for the algorithm.\n Object.defineProperty(this, \"_nK\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The length in bytes of a nonce for the algorithm.\n Object.defineProperty(this, \"_nN\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The length in bytes of an authentication tag for the algorithm.\n Object.defineProperty(this, \"_nT\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The end-to-end encryption key information.\n Object.defineProperty(this, \"_ctx\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n if (params.key === undefined || params.baseNonce === undefined ||\n params.seq === undefined) {\n throw new Error(\"Required parameters are missing\");\n }\n this._aead = params.aead;\n this._nK = this._aead.keySize;\n this._nN = this._aead.nonceSize;\n this._nT = this._aead.tagSize;\n const key = this._aead.createEncryptionContext(params.key);\n this._ctx = {\n key: key,\n baseNonce: params.baseNonce,\n seq: params.seq,\n };\n }\n computeNonce(k) {\n const seqBytes = i2Osp(k.seq, k.baseNonce.byteLength);\n return xor(k.baseNonce, seqBytes).buffer;\n }\n incrementSeq(k) {\n // if (this.seq >= (1 << (8 * this.baseNonce.byteLength)) - 1) {\n if (k.seq > Number.MAX_SAFE_INTEGER) {\n throw new MessageLimitReachedError(\"Message limit reached\");\n }\n k.seq += 1;\n return;\n }\n}\n", "var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n};\nvar __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n};\nvar _Mutex_locked;\nexport class Mutex {\n constructor() {\n _Mutex_locked.set(this, Promise.resolve());\n }\n async lock() {\n let releaseLock;\n const nextLock = new Promise((resolve) => {\n releaseLock = resolve;\n });\n const previousLock = __classPrivateFieldGet(this, _Mutex_locked, \"f\");\n __classPrivateFieldSet(this, _Mutex_locked, nextLock, \"f\");\n await previousLock;\n return releaseLock;\n }\n}\n_Mutex_locked = new WeakMap();\n", "var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n};\nvar __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n};\nvar _RecipientContextImpl_mutex;\nimport { EMPTY, OpenError } from \"@hpke/common\";\nimport { EncryptionContextImpl } from \"./encryptionContext.js\";\nimport { Mutex } from \"./mutex.js\";\nexport class RecipientContextImpl extends EncryptionContextImpl {\n constructor() {\n super(...arguments);\n _RecipientContextImpl_mutex.set(this, void 0);\n }\n async open(data, aad = EMPTY.buffer) {\n __classPrivateFieldSet(this, _RecipientContextImpl_mutex, __classPrivateFieldGet(this, _RecipientContextImpl_mutex, \"f\") ?? new Mutex(), \"f\");\n const release = await __classPrivateFieldGet(this, _RecipientContextImpl_mutex, \"f\").lock();\n let pt;\n try {\n pt = await this._ctx.key.open(this.computeNonce(this._ctx), data, aad);\n }\n catch (e) {\n throw new OpenError(e);\n }\n finally {\n release();\n }\n this.incrementSeq(this._ctx);\n return pt;\n }\n}\n_RecipientContextImpl_mutex = new WeakMap();\n", "var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n};\nvar __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n};\nvar _SenderContextImpl_mutex;\nimport { EMPTY, SealError } from \"@hpke/common\";\nimport { EncryptionContextImpl } from \"./encryptionContext.js\";\nimport { Mutex } from \"./mutex.js\";\nexport class SenderContextImpl extends EncryptionContextImpl {\n constructor(api, kdf, params, enc) {\n super(api, kdf, params);\n Object.defineProperty(this, \"enc\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n _SenderContextImpl_mutex.set(this, void 0);\n this.enc = enc;\n }\n async seal(data, aad = EMPTY.buffer) {\n __classPrivateFieldSet(this, _SenderContextImpl_mutex, __classPrivateFieldGet(this, _SenderContextImpl_mutex, \"f\") ?? new Mutex(), \"f\");\n const release = await __classPrivateFieldGet(this, _SenderContextImpl_mutex, \"f\").lock();\n let ct;\n try {\n ct = await this._ctx.key.seal(this.computeNonce(this._ctx), data, aad);\n }\n catch (e) {\n throw new SealError(e);\n }\n finally {\n release();\n }\n this.incrementSeq(this._ctx);\n return ct;\n }\n}\n_SenderContextImpl_mutex = new WeakMap();\n", "import { AeadId, EMPTY, i2Osp, INFO_LENGTH_LIMIT, INPUT_LENGTH_LIMIT, InvalidParamError, MINIMUM_PSK_LENGTH, Mode, NativeAlgorithm, } from \"@hpke/common\";\nimport { RecipientExporterContextImpl, SenderExporterContextImpl, } from \"./exporterContext.js\";\nimport { RecipientContextImpl } from \"./recipientContext.js\";\nimport { SenderContextImpl } from \"./senderContext.js\";\n// b\"base_nonce\"\n// deno-fmt-ignore\nconst LABEL_BASE_NONCE = new Uint8Array([\n 98, 97, 115, 101, 95, 110, 111, 110, 99, 101,\n]);\n// b\"exp\"\nconst LABEL_EXP = new Uint8Array([101, 120, 112]);\n// b\"info_hash\"\n// deno-fmt-ignore\nconst LABEL_INFO_HASH = new Uint8Array([\n 105, 110, 102, 111, 95, 104, 97, 115, 104,\n]);\n// b\"key\"\nconst LABEL_KEY = new Uint8Array([107, 101, 121]);\n// b\"psk_id_hash\"\n// deno-fmt-ignore\nconst LABEL_PSK_ID_HASH = new Uint8Array([\n 112, 115, 107, 95, 105, 100, 95, 104, 97, 115, 104,\n]);\n// b\"secret\"\nconst LABEL_SECRET = new Uint8Array([115, 101, 99, 114, 101, 116]);\n// b\"HPKE\"\n// deno-fmt-ignore\nconst SUITE_ID_HEADER_HPKE = new Uint8Array([\n 72, 80, 75, 69, 0, 0, 0, 0, 0, 0,\n]);\n/**\n * The Hybrid Public Key Encryption (HPKE) ciphersuite,\n * which is implemented using only\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n *\n * This is the super class of {@link CipherSuite} and the same as\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuite | @hpke/core#CipherSuite} as follows:\n * which supports only the ciphersuites that can be implemented on the native\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n * Therefore, the following cryptographic algorithms are not supported for now:\n * - DHKEM(X25519, HKDF-SHA256)\n * - DHKEM(X448, HKDF-SHA512)\n * - ChaCha20Poly1305\n *\n * In addtion, the HKDF functions contained in this class can only derive\n * keys of the same length as the `hashSize`.\n *\n * If you want to use the unsupported cryptographic algorithms\n * above or derive keys longer than the `hashSize`,\n * please use {@link CipherSuite}.\n *\n * This class provides following functions:\n *\n * - Creates encryption contexts both for senders and recipients.\n * - {@link createSenderContext}\n * - {@link createRecipientContext}\n * - Provides single-shot encryption API.\n * - {@link seal}\n * - {@link open}\n *\n * The calling of the constructor of this class is the starting\n * point for HPKE operations for both senders and recipients.\n *\n * @example Use only ciphersuites supported by Web Cryptography API.\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * CipherSuite,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n *\n * @example Use a ciphersuite which is currently not supported by Web Cryptography API.\n *\n * ```ts\n * import { Aes128Gcm, HkdfSha256, CipherSuite } from \"@hpke/core\";\n * // Use an extension module.\n * import { DhkemX25519HkdfSha256 } from \"@hpke/dhkem-x25519\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemX25519HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class CipherSuiteNative extends NativeAlgorithm {\n /**\n * @param params A set of parameters for building a cipher suite.\n *\n * If the error occurred, throws {@link InvalidParamError}.\n *\n * @throws {@link InvalidParamError}\n */\n constructor(params) {\n super();\n Object.defineProperty(this, \"_kem\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_aead\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_suiteId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // KEM\n if (typeof params.kem === \"number\") {\n throw new InvalidParamError(\"KemId cannot be used\");\n }\n this._kem = params.kem;\n // KDF\n if (typeof params.kdf === \"number\") {\n throw new InvalidParamError(\"KdfId cannot be used\");\n }\n this._kdf = params.kdf;\n // AEAD\n if (typeof params.aead === \"number\") {\n throw new InvalidParamError(\"AeadId cannot be used\");\n }\n this._aead = params.aead;\n this._suiteId = new Uint8Array(SUITE_ID_HEADER_HPKE);\n this._suiteId.set(i2Osp(this._kem.id, 2), 4);\n this._suiteId.set(i2Osp(this._kdf.id, 2), 6);\n this._suiteId.set(i2Osp(this._aead.id, 2), 8);\n this._kdf.init(this._suiteId);\n }\n /**\n * Gets the KEM context of the ciphersuite.\n */\n get kem() {\n return this._kem;\n }\n /**\n * Gets the KDF context of the ciphersuite.\n */\n get kdf() {\n return this._kdf;\n }\n /**\n * Gets the AEAD context of the ciphersuite.\n */\n get aead() {\n return this._aead;\n }\n /**\n * Creates an encryption context for a sender.\n *\n * If the error occurred, throws {@link DecapError} | {@link ValidationError}.\n *\n * @param params A set of parameters for the sender encryption context.\n * @returns A sender encryption context.\n * @throws {@link EncapError}, {@link ValidationError}\n */\n async createSenderContext(params) {\n this._validateInputLength(params);\n await this._setup();\n const dh = await this._kem.encap(params);\n let mode;\n if (params.psk !== undefined) {\n mode = params.senderKey !== undefined ? Mode.AuthPsk : Mode.Psk;\n }\n else {\n mode = params.senderKey !== undefined ? Mode.Auth : Mode.Base;\n }\n return await this._keyScheduleS(mode, dh.sharedSecret, dh.enc, params);\n }\n /**\n * Creates an encryption context for a recipient.\n *\n * If the error occurred, throws {@link DecapError}\n * | {@link DeserializeError} | {@link ValidationError}.\n *\n * @param params A set of parameters for the recipient encryption context.\n * @returns A recipient encryption context.\n * @throws {@link DecapError}, {@link DeserializeError}, {@link ValidationError}\n */\n async createRecipientContext(params) {\n this._validateInputLength(params);\n await this._setup();\n const sharedSecret = await this._kem.decap(params);\n let mode;\n if (params.psk !== undefined) {\n mode = params.senderPublicKey !== undefined ? Mode.AuthPsk : Mode.Psk;\n }\n else {\n mode = params.senderPublicKey !== undefined ? Mode.Auth : Mode.Base;\n }\n return await this._keyScheduleR(mode, sharedSecret, params);\n }\n /**\n * Encrypts a message to a recipient.\n *\n * If the error occurred, throws `EncapError` | `MessageLimitReachedError` | `SealError` | `ValidationError`.\n *\n * @param params A set of parameters for building a sender encryption context.\n * @param pt A plain text as bytes to be encrypted.\n * @param aad Additional authenticated data as bytes fed by an application.\n * @returns A cipher text and an encapsulated key as bytes.\n * @throws {@link EncapError}, {@link MessageLimitReachedError}, {@link SealError}, {@link ValidationError}\n */\n async seal(params, pt, aad = EMPTY.buffer) {\n const ctx = await this.createSenderContext(params);\n return {\n ct: await ctx.seal(pt, aad),\n enc: ctx.enc,\n };\n }\n /**\n * Decrypts a message from a sender.\n *\n * If the error occurred, throws `DecapError` | `DeserializeError` | `OpenError` | `ValidationError`.\n *\n * @param params A set of parameters for building a recipient encryption context.\n * @param ct An encrypted text as bytes to be decrypted.\n * @param aad Additional authenticated data as bytes fed by an application.\n * @returns A decrypted plain text as bytes.\n * @throws {@link DecapError}, {@link DeserializeError}, {@link OpenError}, {@link ValidationError}\n */\n async open(params, ct, aad = EMPTY.buffer) {\n const ctx = await this.createRecipientContext(params);\n return await ctx.open(ct, aad);\n }\n // private verifyPskInputs(mode: Mode, params: KeyScheduleParams) {\n // const gotPsk = (params.psk !== undefined);\n // const gotPskId = (params.psk !== undefined && params.psk.id.byteLength > 0);\n // if (gotPsk !== gotPskId) {\n // throw new Error('Inconsistent PSK inputs');\n // }\n // if (gotPsk && (mode === Mode.Base || mode === Mode.Auth)) {\n // throw new Error('PSK input provided when not needed');\n // }\n // if (!gotPsk && (mode === Mode.Psk || mode === Mode.AuthPsk)) {\n // throw new Error('Missing required PSK input');\n // }\n // return;\n // }\n async _keySchedule(mode, sharedSecret, params) {\n // Currently, there is no point in executing this function\n // because this hpke library does not allow users to explicitly specify the mode.\n //\n // this.verifyPskInputs(mode, params);\n const pskId = params.psk === undefined\n ? EMPTY\n : new Uint8Array(params.psk.id);\n const pskIdHash = await this._kdf.labeledExtract(EMPTY, LABEL_PSK_ID_HASH, pskId);\n const info = params.info === undefined\n ? EMPTY\n : new Uint8Array(params.info);\n const infoHash = await this._kdf.labeledExtract(EMPTY, LABEL_INFO_HASH, info);\n const keyScheduleContext = new Uint8Array(1 + pskIdHash.byteLength + infoHash.byteLength);\n keyScheduleContext.set(new Uint8Array([mode]), 0);\n keyScheduleContext.set(new Uint8Array(pskIdHash), 1);\n keyScheduleContext.set(new Uint8Array(infoHash), 1 + pskIdHash.byteLength);\n const psk = params.psk === undefined\n ? EMPTY\n : new Uint8Array(params.psk.key);\n const ikm = this._kdf.buildLabeledIkm(LABEL_SECRET, psk);\n const exporterSecretInfo = this._kdf.buildLabeledInfo(LABEL_EXP, keyScheduleContext, this._kdf.hashSize);\n const exporterSecret = await this._kdf.extractAndExpand(sharedSecret, ikm, exporterSecretInfo, this._kdf.hashSize);\n if (this._aead.id === AeadId.ExportOnly) {\n return { aead: this._aead, exporterSecret: exporterSecret };\n }\n const keyInfo = this._kdf.buildLabeledInfo(LABEL_KEY, keyScheduleContext, this._aead.keySize);\n const key = await this._kdf.extractAndExpand(sharedSecret, ikm, keyInfo, this._aead.keySize);\n const baseNonceInfo = this._kdf.buildLabeledInfo(LABEL_BASE_NONCE, keyScheduleContext, this._aead.nonceSize);\n const baseNonce = await this._kdf.extractAndExpand(sharedSecret, ikm, baseNonceInfo, this._aead.nonceSize);\n return {\n aead: this._aead,\n exporterSecret: exporterSecret,\n key: key,\n baseNonce: new Uint8Array(baseNonce),\n seq: 0,\n };\n }\n async _keyScheduleS(mode, sharedSecret, enc, params) {\n const res = await this._keySchedule(mode, sharedSecret, params);\n if (res.key === undefined) {\n return new SenderExporterContextImpl(this._api, this._kdf, res.exporterSecret, enc);\n }\n return new SenderContextImpl(this._api, this._kdf, res, enc);\n }\n async _keyScheduleR(mode, sharedSecret, params) {\n const res = await this._keySchedule(mode, sharedSecret, params);\n if (res.key === undefined) {\n return new RecipientExporterContextImpl(this._api, this._kdf, res.exporterSecret);\n }\n return new RecipientContextImpl(this._api, this._kdf, res);\n }\n _validateInputLength(params) {\n if (params.info !== undefined &&\n params.info.byteLength > INFO_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long info\");\n }\n if (params.psk !== undefined) {\n if (params.psk.key.byteLength < MINIMUM_PSK_LENGTH) {\n throw new InvalidParamError(`PSK must have at least ${MINIMUM_PSK_LENGTH} bytes`);\n }\n if (params.psk.key.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long psk.key\");\n }\n if (params.psk.id.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long psk.id\");\n }\n }\n return;\n }\n}\n", "import { Dhkem, Ec, HkdfSha256Native, HkdfSha384Native, HkdfSha512Native, KemId, } from \"@hpke/common\";\nexport class DhkemP256HkdfSha256Native extends Dhkem {\n constructor() {\n const kdf = new HkdfSha256Native();\n const prim = new Ec(KemId.DhkemP256HkdfSha256, kdf);\n super(KemId.DhkemP256HkdfSha256, prim, kdf);\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemP256HkdfSha256\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 65\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 65\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n }\n}\nexport class DhkemP384HkdfSha384Native extends Dhkem {\n constructor() {\n const kdf = new HkdfSha384Native();\n const prim = new Ec(KemId.DhkemP384HkdfSha384, kdf);\n super(KemId.DhkemP384HkdfSha384, prim, kdf);\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemP384HkdfSha384\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 48\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 97\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 97\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 48\n });\n }\n}\nexport class DhkemP521HkdfSha512Native extends Dhkem {\n constructor() {\n const kdf = new HkdfSha512Native();\n const prim = new Ec(KemId.DhkemP521HkdfSha512, kdf);\n super(KemId.DhkemP521HkdfSha512, prim, kdf);\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemP521HkdfSha512\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 133\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 133\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n }\n}\n", "import { HkdfSha256Native, HkdfSha384Native, HkdfSha512Native, } from \"@hpke/common\";\nimport { CipherSuiteNative } from \"./cipherSuiteNative.js\";\nimport { DhkemP256HkdfSha256Native, DhkemP384HkdfSha384Native, DhkemP521HkdfSha512Native, } from \"./kems/dhkemNative.js\";\n/**\n * The Hybrid Public Key Encryption (HPKE) ciphersuite,\n * which is implemented using only\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n *\n * This class is the same as\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuiteNative | @hpke/core#CipherSuiteNative} as follows:\n * which supports only the ciphersuites that can be implemented on the native\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n * Therefore, the following cryptographic algorithms are not supported for now:\n * - `DHKEM(X448, HKDF-SHA512)`\n * - `ChaCha20Poly1305`\n *\n * In addtion, the HKDF functions contained in this `CipherSuiteNative`\n * class can only derive keys of the same length as the `hashSize`.\n *\n * If you want to use the unsupported cryptographic algorithms\n * above or derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * This class provides following functions:\n *\n * - Creates encryption contexts both for senders and recipients.\n * - {@link createSenderContext}\n * - {@link createRecipientContext}\n * - Provides single-shot encryption API.\n * - {@link seal}\n * - {@link open}\n *\n * The calling of the constructor of this class is the starting\n * point for HPKE operations for both senders and recipients.\n *\n * @example Use only ciphersuites supported by Web Cryptography API.\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * CipherSuite,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n *\n * @example Use DHKEM(X25519, HKDF-SHA256).\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemX25519HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n * const suite = new CipherSuite({\n * kem: new DhkemX25519HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class CipherSuite extends CipherSuiteNative {\n}\n/**\n * The DHKEM(P-256, HKDF-SHA256) for HPKE KEM implementing {@link KemInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KemId.DhkemP256HkdfSha256`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class DhkemP256HkdfSha256 extends DhkemP256HkdfSha256Native {\n}\n/**\n * The DHKEM(P-384, HKDF-SHA384) for HPKE KEM implementing {@link KemInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KemId.DhkemP384HkdfSha384`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP384HkdfSha384,\n * HkdfSha384,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP384HkdfSha384(),\n * kdf: new HkdfSha384(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class DhkemP384HkdfSha384 extends DhkemP384HkdfSha384Native {\n}\n/**\n * The DHKEM(P-521, HKDF-SHA512) for HPKE KEM implementing {@link KemInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KemId.DhkemP521HkdfSha512`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * DhkemP521HkdfSha512,\n * HkdfSha512,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP521HkdfSha512(),\n * kdf: new HkdfSha512(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class DhkemP521HkdfSha512 extends DhkemP521HkdfSha512Native {\n}\n/**\n * The HKDF-SHA256 for HPKE KDF implementing {@link KdfInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KdfId.HkdfSha256`.\n *\n * The KDF class can only derive keys of the same length as the `hashSize`.\n * If you want to derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class HkdfSha256 extends HkdfSha256Native {\n}\n/**\n * The HKDF-SHA384 for HPKE KDF implementing {@link KdfInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KdfId.HkdfSha384`.\n *\n * The KDF class can only derive keys of the same length as the `hashSize`.\n * If you want to derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP384HkdfSha384,\n * HkdfSha384,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP384HkdfSha384(),\n * kdf: new HkdfSha384(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class HkdfSha384 extends HkdfSha384Native {\n}\n/**\n * The HKDF-SHA512 for HPKE KDF implementing {@link KdfInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KdfId.HkdfSha512`.\n *\n * The KDF class can only derive keys of the same length as the `hashSize`.\n * If you want to derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * DhkemP521HkdfSha512,\n * HkdfSha512,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP521HkdfSha512(),\n * kdf: new HkdfSha512(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class HkdfSha512 extends HkdfSha512Native {\n}\n", "import { base64UrlToBytes, DeriveKeyPairError, DeserializeError, EMPTY, KEM_USAGES, LABEL_DKP_PRK, LABEL_SK, NativeAlgorithm, NotSupportedError, SerializeError, } from \"@hpke/common\";\nconst ALG_NAME = \"X25519\";\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_X25519 = new Uint8Array([\n 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,\n 0x03, 0x2b, 0x65, 0x6e, 0x04, 0x22, 0x04, 0x20,\n]);\nconst BASE_POINT_X25519 = /* @__PURE__ */ (() => {\n const p = new Uint8Array(32);\n p[0] = 9;\n return p;\n})();\nexport class X25519 extends NativeAlgorithm {\n constructor(hkdf) {\n super();\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_alg\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nDh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_pkcs8AlgId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._alg = { name: ALG_NAME };\n this._hkdf = hkdf;\n this._nPk = 32;\n this._nSk = 32;\n this._nDh = 32;\n this._pkcs8AlgId = PKCS8_ALG_ID_X25519;\n }\n async serializePublicKey(key) {\n await this._setup();\n try {\n return await this._api.exportKey(\"raw\", key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n if (!(\"d\" in jwk)) {\n throw new Error(\"Not private key\");\n }\n return base64UrlToBytes(jwk[\"d\"]).buffer;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n await this._setup();\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n await this._setup();\n try {\n return await this._api.generateKey(ALG_NAME, true, KEM_USAGES);\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n await this._setup();\n try {\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY, LABEL_DKP_PRK, new Uint8Array(ikm));\n const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, this._nSk);\n const rawSkBytes = new Uint8Array(rawSk);\n const sk = await this._deserializePkcs8Key(rawSkBytes);\n rawSkBytes.fill(0);\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n async derivePublicKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n delete jwk[\"d\"];\n delete jwk[\"key_ops\"];\n return await this._api.importKey(\"jwk\", jwk, this._alg, true, []);\n }\n catch {\n try {\n // Firefox fails to export JWK from some imported X25519 private keys.\n const bp = await this._api.importKey(\"raw\", BASE_POINT_X25519.buffer, this._alg, true, []);\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: bp,\n }, key, this._nPk * 8);\n return await this._api.importKey(\"raw\", bits, this._alg, true, []);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n }\n async dh(sk, pk) {\n await this._setup();\n try {\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: pk,\n }, sk, this._nDh * 8);\n return bits;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async _importRawKey(key, isPublic) {\n if (isPublic && key.byteLength !== this._nPk) {\n throw new Error(\"Invalid public key for the ciphersuite\");\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n throw new Error(\"Invalid private key for the ciphersuite\");\n }\n if (isPublic) {\n return await this._api.importKey(\"raw\", key, this._alg, true, []);\n }\n return await this._deserializePkcs8Key(new Uint8Array(key));\n }\n async _importJWK(key, isPublic) {\n if (typeof key.kty === \"undefined\" || key.kty !== \"OKP\") {\n throw new Error(`Invalid kty: ${key.crv}`);\n }\n if (typeof key.crv === \"undefined\" || key.crv !== ALG_NAME) {\n throw new Error(`Invalid crv: ${key.crv}`);\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n throw new Error(\"Invalid key: `d` should not be set\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, []);\n }\n if (typeof key.d === \"undefined\") {\n throw new Error(\"Invalid key: `d` not found\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, KEM_USAGES);\n }\n async _deserializePkcs8Key(k) {\n const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);\n pkcs8Key.set(this._pkcs8AlgId, 0);\n pkcs8Key.set(k, this._pkcs8AlgId.length);\n return await this._api.importKey(\"pkcs8\", pkcs8Key, this._alg, true, KEM_USAGES);\n }\n}\n", "import { Dhkem, HkdfSha256Native, KemId } from \"@hpke/common\";\nimport { X25519 } from \"./dhkemPrimitives/x25519.js\";\n/**\n * The DHKEM(X25519, HKDF-SHA256) for HPKE KEM implementing {@link KemInterface}.\n *\n * The instance of this class can be specified to the\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuiteParams | CipherSuiteParams} as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * HkdfSha256,\n * DhkemX25519HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemX25519HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class DhkemX25519HkdfSha256 extends Dhkem {\n constructor() {\n const kdf = new HkdfSha256Native();\n super(KemId.DhkemX25519HkdfSha256, new X25519(kdf), kdf);\n /** KemId.DhkemX25519HkdfSha256 (0x0020) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemX25519HkdfSha256\n });\n /** 32 */\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 32 */\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 32 */\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 32 */\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n }\n}\n", "import { base64UrlToBytes, DeriveKeyPairError, DeserializeError, EMPTY, KEM_USAGES, LABEL_DKP_PRK, LABEL_SK, NativeAlgorithm, NotSupportedError, SerializeError, } from \"@hpke/common\";\nconst ALG_NAME = \"X448\";\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_X448 = new Uint8Array([\n 0x30, 0x46, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,\n 0x03, 0x2b, 0x65, 0x6f, 0x04, 0x3a, 0x04, 0x38,\n]);\nconst BASE_POINT_X448 = /* @__PURE__ */ (() => {\n const p = new Uint8Array(56);\n p[0] = 5;\n return p;\n})();\nexport class X448 extends NativeAlgorithm {\n constructor(hkdf) {\n super();\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_alg\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nDh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_pkcs8AlgId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._alg = { name: ALG_NAME };\n this._hkdf = hkdf;\n this._nPk = 56;\n this._nSk = 56;\n this._nDh = 56;\n this._pkcs8AlgId = PKCS8_ALG_ID_X448;\n }\n async serializePublicKey(key) {\n await this._setup();\n try {\n return await this._api.exportKey(\"raw\", key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n if (!(\"d\" in jwk)) {\n throw new Error(\"Not private key\");\n }\n return base64UrlToBytes(jwk[\"d\"]).buffer;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n await this._setup();\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n await this._setup();\n try {\n return await this._api.generateKey(ALG_NAME, true, KEM_USAGES);\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n await this._setup();\n try {\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY, LABEL_DKP_PRK, new Uint8Array(ikm));\n const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, this._nSk);\n const rawSkBytes = new Uint8Array(rawSk);\n const sk = await this._deserializePkcs8Key(rawSkBytes);\n rawSkBytes.fill(0);\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n async derivePublicKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n delete jwk[\"d\"];\n delete jwk[\"key_ops\"];\n return await this._api.importKey(\"jwk\", jwk, this._alg, true, []);\n }\n catch {\n try {\n // Some runtimes cannot export JWK from imported X448 private keys.\n const bp = await this._api.importKey(\"raw\", BASE_POINT_X448.buffer, this._alg, true, []);\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: bp,\n }, key, this._nPk * 8);\n return await this._api.importKey(\"raw\", bits, this._alg, true, []);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n }\n async dh(sk, pk) {\n await this._setup();\n try {\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: pk,\n }, sk, this._nDh * 8);\n return bits;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async _importRawKey(key, isPublic) {\n if (isPublic && key.byteLength !== this._nPk) {\n throw new Error(\"Invalid public key for the ciphersuite\");\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n throw new Error(\"Invalid private key for the ciphersuite\");\n }\n if (isPublic) {\n return await this._api.importKey(\"raw\", key, this._alg, true, []);\n }\n return await this._deserializePkcs8Key(new Uint8Array(key));\n }\n async _importJWK(key, isPublic) {\n if (typeof key.kty === \"undefined\" || key.kty !== \"OKP\") {\n throw new Error(`Invalid kty: ${key.crv}`);\n }\n if (typeof key.crv === \"undefined\" || key.crv !== ALG_NAME) {\n throw new Error(`Invalid crv: ${key.crv}`);\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n throw new Error(\"Invalid key: `d` should not be set\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, []);\n }\n if (typeof key.d === \"undefined\") {\n throw new Error(\"Invalid key: `d` not found\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, KEM_USAGES);\n }\n async _deserializePkcs8Key(k) {\n const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);\n pkcs8Key.set(this._pkcs8AlgId, 0);\n pkcs8Key.set(k, this._pkcs8AlgId.length);\n return await this._api.importKey(\"pkcs8\", pkcs8Key, this._alg, true, KEM_USAGES);\n }\n}\n", "import { Dhkem, HkdfSha512Native, KemId } from \"@hpke/common\";\nimport { X448 } from \"./dhkemPrimitives/x448.js\";\n/**\n * The DHKEM(X448, HKDF-SHA512) for HPKE KEM implementing {@link KemInterface}.\n *\n * The instance of this class can be specified to the\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuiteParams | CipherSuiteParams} as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * HkdfSha512,\n * DhkemX448HkdfSha512,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemX448HkdfSha512(),\n * kdf: new HkdfSha512(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class DhkemX448HkdfSha512 extends Dhkem {\n constructor() {\n const kdf = new HkdfSha512Native();\n super(KemId.DhkemX448HkdfSha512, new X448(kdf), kdf);\n /** KemId.DhkemX448HkdfSha512 (0x0021) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemX448HkdfSha512\n });\n /** 64 */\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n /** 56 */\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 56\n });\n /** 56 */\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 56\n });\n /** 56 */\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 56\n });\n }\n}\n", "export { AeadId, DecapError, DeriveKeyPairError, DeserializeError, EncapError, ExportError, HpkeError, InvalidParamError, KdfId, KemId, MessageLimitReachedError, NotSupportedError, OpenError, SealError, SerializeError, ValidationError, } from \"@hpke/common\";\nexport { Aes128Gcm, Aes256Gcm } from \"./src/aeads/aesGcm.js\";\nexport { ExportOnly } from \"./src/aeads/exportOnly.js\";\nexport { CipherSuite, DhkemP256HkdfSha256, DhkemP384HkdfSha384, DhkemP521HkdfSha512, HkdfSha256, HkdfSha384, HkdfSha512, } from \"./src/native.js\";\nexport { DhkemX25519HkdfSha256 } from \"./src/kems/dhkemX25519.js\";\nexport { DhkemX448HkdfSha512 } from \"./src/kems/dhkemX448.js\";\n", null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, "/**\n * MLSGroupManager \u2014 High-level wrapper around ts-mls (RFC 9420).\n *\n * Provides a stateful, ergonomic API for MLS group operations:\n * create, join, encrypt, decrypt, add/remove members, state serialization.\n *\n * Default cipher suite: MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519\n */\n\nimport {\n // Key package generation\n generateKeyPackage,\n type KeyPackage,\n type PrivateKeyPackage,\n\n // Group lifecycle\n createGroup,\n joinGroup,\n type ClientState,\n\n // Commit / proposals\n createCommit,\n type CreateCommitResult,\n type CreateCommitOptions,\n\n // Application messages\n createApplicationMessage,\n\n // Message processing\n processMessage,\n type ProcessMessageResult,\n\n // Message encoding\n encodeMlsMessage,\n decodeMlsMessage,\n type MLSMessage,\n\n // Cipher suite\n getCiphersuiteFromName,\n getCiphersuiteImpl,\n type CiphersuiteImpl,\n type CiphersuiteName,\n\n // Crypto providers\n nobleCryptoProvider,\n\n // Defaults\n defaultCapabilities,\n defaultLifetime,\n defaultKeyRetentionConfig,\n defaultLifetimeConfig,\n defaultKeyPackageEqualityConfig,\n defaultPaddingConfig,\n defaultAuthenticationService,\n emptyPskIndex,\n acceptAll,\n\n // State serialization\n encodeGroupState,\n decodeGroupState,\n\n // Credential\n type Credential,\n\n // PSK\n type PskIndex,\n\n // Proposals\n type Proposal,\n type ClientConfig,\n} from \"ts-mls\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Default cipher suite: X25519 + AES-128-GCM + SHA-256 + Ed25519 */\nconst DEFAULT_CIPHERSUITE: CiphersuiteName =\n \"MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519\";\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\n/** A key package bundle with both public and private components. */\nexport interface MLSKeyPackageBundle {\n publicPackage: KeyPackage;\n privatePackage: PrivateKeyPackage;\n}\n\n/** Result of an add-members commit. */\nexport interface AddMembersResult {\n /** The encoded commit message to broadcast to existing members. */\n commit: Uint8Array;\n /** The encoded welcome message to send to new members. */\n welcome: Uint8Array | undefined;\n}\n\n/** Result of a remove-member commit. */\nexport interface RemoveMemberResult {\n /** The encoded commit message to broadcast. */\n commit: Uint8Array;\n}\n\n/** Result of decrypting an incoming message. */\nexport interface DecryptResult {\n /** The decrypted plaintext, or undefined if this was a handshake message. */\n plaintext?: Uint8Array;\n /** Whether the message was a handshake (commit/proposal) vs application data. */\n isHandshake: boolean;\n}\n\n/** Serialized group state for persistence. */\nexport interface SerializedMLSGroupState {\n /** TLS-encoded group state bytes, base64. */\n groupState: string;\n /** The cipher suite name used by this group. */\n ciphersuite: CiphersuiteName;\n}\n\n// ---------------------------------------------------------------------------\n// MLSGroupManager\n// ---------------------------------------------------------------------------\n\nexport class MLSGroupManager {\n /** @internal */ state: ClientState | undefined;\n private _cs: CiphersuiteImpl | undefined;\n private _ciphersuiteName: CiphersuiteName;\n private _pskIndex: PskIndex;\n\n constructor(ciphersuite?: CiphersuiteName) {\n this._ciphersuiteName = ciphersuite ?? DEFAULT_CIPHERSUITE;\n this._pskIndex = emptyPskIndex;\n }\n\n // -------------------------------------------------------------------------\n // Getters\n // -------------------------------------------------------------------------\n\n /** Whether the group has been initialized (created or joined). */\n get isInitialized(): boolean {\n return this.state !== undefined;\n }\n\n /** Current epoch number. Throws if not initialized. */\n get epoch(): bigint {\n const s = this._requireState();\n return s.groupContext.epoch;\n }\n\n /** Group identifier as Uint8Array. Throws if not initialized. */\n get groupId(): Uint8Array {\n const s = this._requireState();\n return s.groupContext.groupId;\n }\n\n /** The cipher suite name in use. */\n get ciphersuiteName(): CiphersuiteName {\n return this._ciphersuiteName;\n }\n\n // -------------------------------------------------------------------------\n // Key Package Generation\n // -------------------------------------------------------------------------\n\n /**\n * Generate a key package for joining or creating a group.\n *\n * @param identity - The identity bytes for the basic credential (e.g. UTF-8 user ID).\n * @returns A bundle containing both public and private key package components.\n */\n async generateKeyPackage(identity: Uint8Array): Promise<MLSKeyPackageBundle> {\n const cs = await this._ensureCiphersuite();\n const credential: Credential = {\n credentialType: \"basic\",\n identity,\n };\n const { publicPackage, privatePackage } = await generateKeyPackage(\n credential,\n defaultCapabilities(),\n defaultLifetime,\n [], // extensions\n cs,\n );\n return { publicPackage, privatePackage };\n }\n\n /**\n * Serialize a KeyPackage to bytes for transport (e.g. publishing to backend).\n * Wraps in an MLS message envelope with wireformat mls_key_package.\n */\n static serializeKeyPackage(kp: KeyPackage): Uint8Array {\n const msg: MLSMessage = {\n version: \"mls10\",\n wireformat: \"mls_key_package\",\n keyPackage: kp,\n };\n return encodeMlsMessage(msg);\n }\n\n /**\n * Deserialize a KeyPackage from bytes (e.g. fetched from backend).\n * Expects bytes produced by serializeKeyPackage (MLS message envelope).\n */\n static deserializeKeyPackage(bytes: Uint8Array): KeyPackage {\n const result = decodeMlsMessage(bytes, 0);\n if (!result) {\n throw new Error(\"Failed to decode MLS key package message\");\n }\n const [msg] = result;\n if (msg.wireformat !== \"mls_key_package\") {\n throw new Error(`Expected mls_key_package wireformat, got ${msg.wireformat}`);\n }\n return (msg as unknown as { keyPackage: KeyPackage }).keyPackage;\n }\n\n // -------------------------------------------------------------------------\n // Group Lifecycle\n // -------------------------------------------------------------------------\n\n /**\n * Create a new MLS group. The caller becomes the first (and only) member.\n *\n * @param groupId - Unique group identifier bytes.\n * @param keyPackageBundle - The creator's key package bundle.\n */\n async createGroup(\n groupId: Uint8Array,\n keyPackageBundle: MLSKeyPackageBundle,\n ): Promise<void> {\n const cs = await this._ensureCiphersuite();\n this.state = await createGroup(\n groupId,\n keyPackageBundle.publicPackage,\n keyPackageBundle.privatePackage,\n [], // extensions\n cs,\n );\n }\n\n /**\n * Join an existing group from a welcome message.\n *\n * @param welcomeBytes - The TLS-encoded welcome message bytes.\n * @param keyPackageBundle - The joiner's key package bundle (must match the\n * key package that was added by the group creator).\n */\n async joinFromWelcome(\n welcomeBytes: Uint8Array,\n keyPackageBundle: MLSKeyPackageBundle,\n ): Promise<void> {\n const cs = await this._ensureCiphersuite();\n // Decode the MLS message to extract the Welcome\n const mlsMsg = decodeMlsMessage(welcomeBytes, 0);\n if (!mlsMsg) {\n throw new Error(\"Failed to decode MLS welcome message\");\n }\n const [decoded] = mlsMsg;\n if (decoded.wireformat !== \"mls_welcome\") {\n throw new Error(\n `Expected mls_welcome wireformat, got ${decoded.wireformat}`,\n );\n }\n this.state = await joinGroup(\n decoded.welcome,\n keyPackageBundle.publicPackage,\n keyPackageBundle.privatePackage,\n this._pskIndex,\n cs,\n );\n }\n\n // -------------------------------------------------------------------------\n // Membership Management\n // -------------------------------------------------------------------------\n\n /**\n * Add one or more members to the group.\n *\n * @param keyPackages - The public key packages of members to add.\n * @returns The commit and welcome messages to distribute.\n */\n async addMembers(keyPackages: KeyPackage[]): Promise<AddMembersResult> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n // Build add proposals \u2014 ts-mls ProposalAdd shape: { proposalType: \"add\", add: { keyPackage } }\n const extraProposals: Proposal[] = keyPackages.map((kp) => ({\n proposalType: \"add\" as const,\n add: { keyPackage: kp },\n }));\n\n const options: CreateCommitOptions = {\n extraProposals,\n ratchetTreeExtension: true,\n };\n\n const result: CreateCommitResult = await createCommit(\n { state: s, cipherSuite: cs, pskIndex: this._pskIndex },\n options,\n );\n\n this.state = result.newState;\n\n // Encode commit\n const commitBytes = encodeMlsMessage(result.commit);\n\n // Encode welcome if present\n let welcomeBytes: Uint8Array | undefined;\n if (result.welcome) {\n const welcomeMsg: MLSMessage = {\n version: \"mls10\",\n wireformat: \"mls_welcome\",\n welcome: result.welcome,\n };\n welcomeBytes = encodeMlsMessage(welcomeMsg);\n }\n\n return { commit: commitBytes, welcome: welcomeBytes };\n }\n\n /**\n * Remove a member from the group by leaf index.\n *\n * @param memberIndex - The leaf index of the member to remove.\n * @returns The commit message to broadcast.\n */\n async removeMember(memberIndex: number): Promise<RemoveMemberResult> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n // ts-mls ProposalRemove shape: { proposalType: \"remove\", remove: { removed: number } }\n const removeProposal: Proposal = {\n proposalType: \"remove\" as const,\n remove: { removed: memberIndex },\n };\n\n const options: CreateCommitOptions = {\n extraProposals: [removeProposal],\n };\n\n const result = await createCommit(\n { state: s, cipherSuite: cs, pskIndex: this._pskIndex },\n options,\n );\n\n this.state = result.newState;\n return { commit: encodeMlsMessage(result.commit) };\n }\n\n // -------------------------------------------------------------------------\n // Encrypt / Decrypt\n // -------------------------------------------------------------------------\n\n /**\n * Encrypt an application message for the group.\n *\n * @param plaintext - The plaintext bytes to encrypt.\n * @returns The TLS-encoded private message bytes.\n */\n async encrypt(plaintext: Uint8Array): Promise<Uint8Array> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n const { newState, privateMessage } = await createApplicationMessage(\n s,\n plaintext,\n cs,\n );\n\n this.state = newState;\n\n // Encode as MLS private message\n const mlsMsg: MLSMessage = {\n version: \"mls10\",\n wireformat: \"mls_private_message\",\n privateMessage,\n };\n return encodeMlsMessage(mlsMsg);\n }\n\n /**\n * Decrypt / process an incoming MLS message (application or handshake).\n *\n * @param messageBytes - The TLS-encoded MLS message bytes.\n * @returns The decrypted plaintext (for application messages) or handshake info.\n */\n async decrypt(messageBytes: Uint8Array): Promise<DecryptResult> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n const decoded = decodeMlsMessage(messageBytes, 0);\n if (!decoded) {\n throw new Error(\"Failed to decode MLS message\");\n }\n const [mlsMsg] = decoded;\n\n if (\n mlsMsg.wireformat !== \"mls_private_message\" &&\n mlsMsg.wireformat !== \"mls_public_message\"\n ) {\n throw new Error(\n `Cannot decrypt message of wireformat: ${mlsMsg.wireformat}`,\n );\n }\n\n const result: ProcessMessageResult = await processMessage(\n mlsMsg,\n s,\n this._pskIndex,\n acceptAll,\n cs,\n );\n\n this.state = result.newState;\n\n if (result.kind === \"applicationMessage\") {\n return { plaintext: result.message, isHandshake: false };\n }\n\n return { isHandshake: true };\n }\n\n // -------------------------------------------------------------------------\n // Commit Processing\n // -------------------------------------------------------------------------\n\n /**\n * Process an incoming commit message (e.g. from addMembers or removeMember\n * by another group member). Use `decrypt()` for general message processing;\n * this is an alias that makes intent clearer for handshake messages.\n *\n * @param commitBytes - The TLS-encoded commit message bytes.\n */\n async processCommit(commitBytes: Uint8Array): Promise<void> {\n const result = await this.decrypt(commitBytes);\n if (!result.isHandshake) {\n throw new Error(\"Expected a handshake message but got application data\");\n }\n }\n\n // -------------------------------------------------------------------------\n // State Serialization\n // -------------------------------------------------------------------------\n\n /**\n * Export the current group state for persistence.\n * The serialized state includes everything needed to resume operations.\n */\n exportState(): SerializedMLSGroupState {\n const s = this._requireState();\n const encoded = encodeGroupState(s);\n return {\n groupState: uint8ArrayToBase64(encoded),\n ciphersuite: this._ciphersuiteName,\n };\n }\n\n /**\n * Import a previously exported group state.\n *\n * @param serialized - The serialized state from `exportState()`.\n */\n importState(serialized: SerializedMLSGroupState): void {\n this._ciphersuiteName = serialized.ciphersuite;\n // Reset cached cipher suite impl so it gets re-created for the right suite\n this._cs = undefined;\n\n const bytes = base64ToUint8Array(serialized.groupState);\n const decoded = decodeGroupState(bytes, 0);\n if (!decoded) {\n throw new Error(\"Failed to decode MLS group state\");\n }\n const [groupState] = decoded;\n // Reconstruct ClientState from GroupState with default client config\n const clientConfig: ClientConfig = {\n keyRetentionConfig: defaultKeyRetentionConfig,\n lifetimeConfig: defaultLifetimeConfig,\n keyPackageEqualityConfig: defaultKeyPackageEqualityConfig,\n paddingConfig: defaultPaddingConfig,\n authService: defaultAuthenticationService,\n };\n this.state = {\n ...groupState,\n clientConfig,\n };\n }\n\n // -------------------------------------------------------------------------\n // Private Helpers\n // -------------------------------------------------------------------------\n\n private _requireState(): ClientState {\n if (!this.state) {\n throw new Error(\"MLSGroupManager is not initialized. Call createGroup() or joinFromWelcome() first.\");\n }\n return this.state;\n }\n\n private async _ensureCiphersuite(): Promise<CiphersuiteImpl> {\n if (!this._cs) {\n const suite = getCiphersuiteFromName(this._ciphersuiteName);\n this._cs = await getCiphersuiteImpl(suite, nobleCryptoProvider);\n }\n return this._cs;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Utility: Base64 <-> Uint8Array (no dependency on Node Buffer)\n// ---------------------------------------------------------------------------\n\nfunction uint8ArrayToBase64(bytes: Uint8Array): string {\n let binary = \"\";\n for (let i = 0; i < bytes.length; i++) {\n binary += String.fromCharCode(bytes[i]);\n }\n return btoa(binary);\n}\n\nfunction base64ToUint8Array(b64: string): Uint8Array {\n const binary = atob(b64);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n", "export {\n generateIdentityKeypair,\n generateEphemeralKeypair,\n computeFingerprint,\n createProofOfPossession,\n verifyProofOfPossession,\n type IdentityKeypair,\n type EphemeralKeypair,\n} from \"./keys.js\";\n\nexport { performX3DH, type X3DHParams } from \"./x3dh.js\";\n\nexport {\n DoubleRatchet,\n type EncryptedMessage,\n type RatchetHeader,\n} from \"./ratchet.js\";\n\nexport {\n encryptFile,\n decryptFile,\n computeFileDigest,\n type EncryptedFileResult,\n} from \"./file-crypto.js\";\n\nexport {\n canonicalize,\n signDocument,\n verifyDocumentSignature,\n publicKeyToMultibase,\n multibaseToPublicKey,\n buildDidDocument,\n DOMAIN_DID_DOCUMENT,\n DOMAIN_TRANSFER_INTENT,\n DOMAIN_TRANSFER_ACCEPT,\n type BuildDidDocumentParams,\n type DidVerificationMethod,\n type DidService,\n type DidDocument,\n} from \"./did.js\";\n\nexport {\n ScanEngine,\n type ScanRule,\n type ScanResult,\n type ScanViolation,\n} from \"./scan-engine.js\";\n\nexport {\n computeDidHash,\n verifyMerkleProof,\n type MerkleProofSibling,\n} from \"./merkle.js\";\n\nexport {\n // VC types\n type DataIntegrityProof,\n type CredentialSubject,\n type CredentialStatus,\n type UnsignedCredential,\n type VerifiableCredential,\n type UnsignedPresentation,\n type VerifiablePresentation,\n type AgentTrustCredentialParams,\n type SkillAttestationParams,\n type PerformanceRecordParams,\n type AgentTrustReportParams,\n type TrustReportDimensions,\n // VC builders\n buildAgentTrustCredential,\n buildSkillAttestation,\n buildPerformanceRecord,\n buildAgentTrustReportCredential,\n buildVerifiablePresentation,\n // VC signing / verification\n signWithDataIntegrity,\n verifyDataIntegrity,\n issueCredential,\n presentCredentials,\n // VC constants\n VC_CONTEXT_V2,\n AV_CREDENTIAL_CONTEXT,\n CRYPTOSUITE,\n} from \"./vc.js\";\n\nexport {\n hexToBytes,\n bytesToHex,\n base64ToBytes,\n bytesToBase64,\n encryptedMessageToTransport,\n transportToEncryptedMessage,\n encryptedMessageToHexTransport,\n hexTransportToEncryptedMessage,\n encryptedMessageToTransportV2,\n transportV2ToEncryptedMessage,\n encryptedMessageToTransportV2Full,\n type TransportMessage,\n type TransportMessageV2,\n type HexTransportMessage,\n} from \"./transport.js\";\n\nexport {\n // Original 10 span builders\n buildLlmSpan,\n buildToolSpan,\n buildErrorSpan,\n buildHttpSpan,\n buildActionSpan,\n buildNavSpan,\n buildEvalSpan,\n buildTaskSpan,\n buildSkillInvocationSpan,\n buildForgeSpan,\n // New 10 span builders (av.* prefix)\n buildPolicyViolationSpan,\n buildDecisionSpan,\n buildResyncSpan,\n buildA2aSpan,\n buildScanSpan,\n buildWorkspaceSpan,\n buildCapabilitySpan,\n buildEnrollmentSpan,\n buildRoomSpan,\n buildTrustSpan,\n buildEvalRunSpan,\n // Types\n type TelemetrySpan,\n type SpanEvent,\n type SpanStatus,\n type BuildLlmSpanOpts,\n type BuildToolSpanOpts,\n type BuildErrorSpanOpts,\n type BuildHttpSpanOpts,\n type BuildActionSpanOpts,\n type BuildNavSpanOpts,\n type BuildEvalSpanOpts,\n type BuildTaskSpanOpts,\n type BuildSkillInvocationSpanOpts,\n type BuildForgeSpanOpts,\n type BuildPolicyViolationSpanOpts,\n type BuildDecisionSpanOpts,\n type BuildResyncSpanOpts,\n type BuildA2aSpanOpts,\n type BuildScanSpanOpts,\n type BuildWorkspaceSpanOpts,\n type BuildCapabilitySpanOpts,\n type BuildEnrollmentSpanOpts,\n type BuildRoomSpanOpts,\n type BuildTrustSpanOpts,\n type BuildEvalRunSpanOpts,\n type InstrumentationContext,\n // W3C TraceContext\n buildTraceparent,\n parseTraceparent,\n spanToTraceContext,\n spanToW3CHeaders,\n propagateContext,\n type TraceContext,\n} from \"./telemetry.js\";\n\nexport {\n TelemetryReporter,\n type TelemetryReporterConfig,\n} from \"./telemetry-reporter.js\";\n\nexport {\n generateBackupCode,\n formatBackupCode,\n normalizeBackupCode,\n deriveBackupKey,\n encryptBackup,\n encryptBackupWithKey,\n decryptBackup,\n hashBackupCode,\n type BackupBundle,\n} from \"./backup.js\";\n\nexport {\n createApprovalArtifact,\n verifyApprovalArtifact,\n type ApprovalArtifact,\n} from \"./approval.js\";\n\nexport {\n MLSGroupManager,\n type MLSKeyPackageBundle,\n type AddMembersResult,\n type RemoveMemberResult,\n type DecryptResult,\n type SerializedMLSGroupState,\n} from \"./mls-group.js\";\n", "import { chmod, mkdir, readFile, rename, rm, writeFile } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport {\n encryptBackup,\n hashBackupCode,\n bytesToBase64,\n bytesToHex,\n type BackupBundle,\n} from \"@agentvault/crypto\";\nimport type { PersistedState } from \"./types.js\";\n\nconst STATE_FILE = \"agentvault.json\";\nconst LEGACY_STATE_FILE = \"secure-channel.json\";\n\n// State files contain deviceJwt and ratchet keys \u2014 restrict to owner only\nconst DIR_MODE = 0o700;\nconst FILE_MODE = 0o600;\n\nexport async function saveState(\n dataDir: string,\n state: PersistedState,\n): Promise<void> {\n await mkdir(dataDir, { recursive: true, mode: DIR_MODE });\n const filePath = join(dataDir, STATE_FILE);\n await writeFile(filePath, JSON.stringify(state, null, 2), { encoding: \"utf-8\", mode: FILE_MODE });\n\n // Clean up legacy file after migration\n try {\n await rm(join(dataDir, LEGACY_STATE_FILE));\n } catch {\n // Already removed or never existed\n }\n}\n\n/**\n * Load raw persisted state from disk.\n * Returns the raw parsed JSON \u2014 caller is responsible for migration\n * from legacy format to current PersistedState.\n *\n * Checks agentvault.json first, falls back to secure-channel.json\n * for backward compatibility. Auto-migrates on first legacy load.\n */\nexport async function loadState(\n dataDir: string,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n): Promise<any | null> {\n // Try new filename first\n const filePath = join(dataDir, STATE_FILE);\n try {\n const raw = await readFile(filePath, \"utf-8\");\n return JSON.parse(raw);\n } catch {\n // Fall through to legacy\n }\n\n // Fall back to legacy filename\n const legacyPath = join(dataDir, LEGACY_STATE_FILE);\n try {\n const raw = await readFile(legacyPath, \"utf-8\");\n const parsed = JSON.parse(raw);\n // Auto-migrate: write to new filename, remove legacy\n await mkdir(dataDir, { recursive: true, mode: DIR_MODE });\n await writeFile(filePath, JSON.stringify(parsed, null, 2), { encoding: \"utf-8\", mode: FILE_MODE });\n await rm(legacyPath);\n return parsed;\n } catch {\n return null;\n }\n}\n\n/**\n * Check whether persisted state is valid and usable (has deviceId, deviceJwt, and at least one session).\n */\nexport async function isStateValid(dataDir: string): Promise<boolean> {\n try {\n const filePath = join(dataDir, STATE_FILE);\n const raw = await readFile(filePath, \"utf-8\");\n const parsed = JSON.parse(raw);\n return !!(\n parsed &&\n parsed.deviceId &&\n parsed.deviceJwt &&\n parsed.sessions &&\n Object.keys(parsed.sessions).length > 0\n );\n } catch {\n return false;\n }\n}\n\n/**\n * Create a backup of the state file (atomic write via tmp + rename).\n * Silent no-op if no state file exists.\n */\nexport async function backupState(dataDir: string): Promise<void> {\n const src = join(dataDir, STATE_FILE);\n const bak = join(dataDir, `${STATE_FILE}.bak`);\n const tmp = join(dataDir, `${STATE_FILE}.bak.tmp`);\n try {\n const data = await readFile(src, \"utf-8\");\n await writeFile(tmp, data, { encoding: \"utf-8\", mode: FILE_MODE });\n await rename(tmp, bak);\n } catch {\n // No state file or write failed \u2014 silent no-op\n }\n}\n\n/**\n * Restore state from backup if primary state is missing/empty/invalid but .bak exists and is valid.\n * Returns true if state was successfully restored.\n */\nexport async function restoreState(dataDir: string): Promise<boolean> {\n // Only restore if primary is missing or invalid\n const primaryValid = await isStateValid(dataDir);\n if (primaryValid) return false;\n\n const bak = join(dataDir, `${STATE_FILE}.bak`);\n try {\n const data = await readFile(bak, \"utf-8\");\n const parsed = JSON.parse(data);\n if (\n !parsed ||\n !parsed.deviceId ||\n !parsed.deviceJwt ||\n !parsed.sessions ||\n Object.keys(parsed.sessions).length === 0\n ) {\n return false;\n }\n await mkdir(dataDir, { recursive: true, mode: DIR_MODE });\n await writeFile(join(dataDir, STATE_FILE), data, { encoding: \"utf-8\", mode: FILE_MODE });\n return true;\n } catch {\n return false;\n }\n}\n\n/**\n * Upload encrypted backup to server. Converts PersistedState \u2192 BackupBundle,\n * encrypts with backup code, and PUTs to the backend.\n */\nexport async function uploadBackupToServer(\n state: PersistedState,\n backupCode: string,\n apiUrl: string,\n deviceJwt: string,\n): Promise<void> {\n // Build BackupBundle from PersistedState\n const ratchets: Record<string, string> = {};\n for (const [convId, session] of Object.entries(state.sessions)) {\n if (session.ratchetState) {\n ratchets[convId] = session.ratchetState;\n }\n }\n\n const bundle: BackupBundle = {\n version: 1,\n createdAt: new Date().toISOString(),\n deviceId: state.deviceId,\n identityKeypair: state.identityKeypair,\n ephemeralKeypair: state.ephemeralKeypair,\n fingerprint: state.fingerprint,\n ratchets,\n sessions: Object.fromEntries(\n Object.entries(state.sessions).map(([convId, s]) => [\n convId,\n {\n ownerDeviceId: s.ownerDeviceId,\n ratchetState: s.ratchetState,\n activated: s.activated,\n },\n ]),\n ),\n topics: state.topics,\n defaultTopicId: state.defaultTopicId,\n groupId: state.groupId,\n hubAddress: state.hubAddress,\n };\n\n const encrypted = await encryptBackup(bundle, backupCode);\n const codeHash = await hashBackupCode(backupCode);\n\n const resp = await fetch(`${apiUrl}/api/v1/backup`, {\n method: \"PUT\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${deviceJwt}`,\n },\n body: JSON.stringify({\n backup_blob: bytesToBase64(encrypted),\n backup_code_hash: bytesToHex(codeHash),\n }),\n });\n\n if (!resp.ok) {\n throw new Error(`Backup upload failed: ${resp.status}`);\n }\n}\n\nexport async function clearState(dataDir: string): Promise<void> {\n // Remove both files to cover migration edge cases\n for (const filename of [STATE_FILE, LEGACY_STATE_FILE]) {\n try {\n await rm(join(dataDir, filename));\n } catch {\n // File doesn't exist \u2014 nothing to clear\n }\n }\n}\n", "/**\n * OpenClaw channel plugin entry point.\n *\n * Intentionally thin \u2014 no heavy imports (libsodium etc.) at module load time.\n * SecureChannel is dynamically imported inside gateway.startAccount (already async)\n * so libsodium's top-level await never runs during plugin registration.\n *\n * Loaded by OpenClaw via the `openclaw.extensions` field in package.json.\n */\n\nimport { resolve as pathResolve } from \"node:path\";\nimport { randomBytes } from \"node:crypto\";\nimport { homedir as osHomedir } from \"node:os\";\nimport { listAccountIds, resolveAccount } from \"./account-config.js\";\nimport { installFetchInterceptor, runWithTraceContext } from \"./fetch-interceptor.js\";\nimport { handleSendRequest, handleActionRequest, handleDecisionRequest, handleStatusRequest, handleTargetsRequest } from \"./http-handlers.js\";\nimport { requestHeartbeatNow } from \"./openclaw-compat.js\";\nimport { parseTarget } from \"./types.js\";\nimport type { DeliveryTarget } from \"./types.js\";\nimport type { SkillDefinition } from \"./mcp-server.js\";\nimport type {\n OpenClawPluginApi,\n PluginRuntime,\n ChannelGatewayContext,\n ResolvedAccountBase,\n ChannelOutboundPayloadContext,\n ReplyPayload,\n MessageSentEvent,\n SessionStartEvent,\n SessionEndEvent,\n} from \"./openclaw-types.js\";\n\n// --- Runtime and active channels (set during register) ---\nlet _ocRuntime: PluginRuntime | null = null;\nconst _channels = new Map<string, any>();\nconst _messageQueue: Array<() => Promise<void>> = [];\n\n// --- Conversation loop prevention (A2A + rooms) ---\n// Tracks recent reply timestamps per channel/room to prevent infinite loops.\n// Max replies per channel within the window, then cooldown.\nconst LOOP_MAX_REPLIES_PER_WINDOW = 4;\nconst LOOP_WINDOW_MS = 60_000; // 1-minute sliding window\nconst LOOP_COOLDOWN_MS = 120_000; // 2-minute cooldown after hitting limit\nconst _replyTimestamps = new Map<string, number[]>();\nconst _cooldownUntil = new Map<string, number>();\n\nfunction _canReply(key: string): boolean {\n const now = Date.now();\n\n // Check cooldown\n const cooldownEnd = _cooldownUntil.get(key) ?? 0;\n if (now < cooldownEnd) {\n return false;\n }\n\n // Get timestamps within window\n const timestamps = _replyTimestamps.get(key) ?? [];\n const recent = timestamps.filter((t) => now - t < LOOP_WINDOW_MS);\n\n if (recent.length >= LOOP_MAX_REPLIES_PER_WINDOW) {\n // Hit limit \u2014 enter cooldown\n _cooldownUntil.set(key, now + LOOP_COOLDOWN_MS);\n _replyTimestamps.set(key, []);\n console.warn(\n `[AgentVault] Rate limit hit for ${key.slice(0, 20)}... \u2014 ` +\n `${LOOP_MAX_REPLIES_PER_WINDOW} replies in ${LOOP_WINDOW_MS / 1000}s, cooling down ${LOOP_COOLDOWN_MS / 1000}s`,\n );\n return false;\n }\n\n return true;\n}\n\nfunction _recordReply(key: string): void {\n const now = Date.now();\n const timestamps = _replyTimestamps.get(key) ?? [];\n timestamps.push(now);\n // Keep only timestamps within window\n _replyTimestamps.set(\n key,\n timestamps.filter((t) => now - t < LOOP_WINDOW_MS),\n );\n}\n\n// Back-compat aliases used internally\nfunction _a2aCanReply(channelId: string): boolean { return _canReply(`a2a:${channelId}`); }\nfunction _a2aRecordReply(channelId: string): void { _recordReply(`a2a:${channelId}`); }\nfunction _roomCanReply(roomId: string): boolean { return _canReply(`room:${roomId}`); }\nfunction _roomRecordReply(roomId: string): void { _recordReply(`room:${roomId}`); }\n\n/** Whether OpenClaw managed HTTP routes are active (vs self-managed server). */\nexport let isUsingManagedRoutes = false;\n\n/**\n * Shared mutable targets array for OpenClaw outbound routing.\n * OpenClaw validates `to` against this list before calling sendText/sendPayload.\n * We mutate it at runtime to add A2A channel targets dynamically.\n */\nconst _outboundTargets: Array<{ id: string; label: string; accountId: string }> = [\n { id: \"owner\", label: \"AgentVault Owner\", accountId: \"default\" },\n { id: \"default\", label: \"AgentVault Owner (default)\", accountId: \"default\" },\n];\n\n// _normalizeTarget removed \u2014 replaced by parseTarget() from types.ts\n\n/** Register a room as a valid outbound target (idempotent). */\nfunction _registerRoomTarget(roomId: string, roomName: string, accountId: string): void {\n const targetId = `room:${roomId}`;\n if (_outboundTargets.some((t) => t.id === targetId)) return;\n _outboundTargets.push({ id: targetId, label: `Room: ${roomName}`, accountId });\n console.log(`[AgentVault] Registered room target: ${roomName} (${roomId.slice(0, 8)}...)`);\n}\n\n/** Register an A2A peer as a valid outbound target (idempotent). */\nfunction _registerA2ATarget(hubAddress: string, accountId: string): void {\n const targetId = `a2a:${hubAddress}`;\n if (_outboundTargets.some((t) => t.id === targetId)) return;\n _outboundTargets.push({\n id: targetId,\n label: `A2A: ${hubAddress}`,\n accountId,\n });\n console.log(`[AgentVault] Registered A2A target: ${targetId}`);\n}\n\nfunction _setRuntime(rt: PluginRuntime) {\n _ocRuntime = rt;\n // Flush any messages that arrived before runtime was ready\n if (_messageQueue.length > 0) {\n const pending = _messageQueue.splice(0);\n for (const fn of pending) {\n fn().catch(() => {});\n }\n }\n}\n\n// --- @mention filtering for multi-agent rooms ---\n\n/** Extract @mention names from plaintext. Returns lowercased names. */\nfunction _parseMentions(text: string): string[] {\n const mentions: string[] = [];\n // Match @word at word boundary \u2014 supports multi-word via sequential matching\n const re = /@(\\w[\\w]*)/gi;\n let match: RegExpExecArray | null;\n while ((match = re.exec(text)) !== null) {\n mentions.push(match[1].toLowerCase());\n }\n return mentions;\n}\n\n/** Determine whether this agent should process a room message based on @mentions and sender type.\n *\n * Loop prevention is handled by the rate limiter (_roomCanReply: 4 replies/60s\n * with 2min cooldown), so we no longer gate on senderIsAgent. All messages\n * are processed unless they @mention a *different* agent specifically.\n */\nfunction _shouldProcessRoomMessage(\n plaintext: string,\n agentName: string,\n accountId: string,\n _senderIsAgent?: boolean,\n): boolean {\n const mentions = _parseMentions(plaintext);\n // No mentions \u2192 broadcast to all agents\n if (mentions.length === 0) return true;\n // @all / @everyone \u2192 all agents process\n if (mentions.includes(\"all\") || mentions.includes(\"everyone\")) return true;\n // Check if this agent is mentioned (by name or accountId)\n const nameLower = agentName.toLowerCase();\n const idLower = accountId.toLowerCase();\n const firstWord = nameLower.split(/[\\s(]/)[0];\n const isMentioned = mentions.some(\n (m) => m === nameLower || m === firstWord || m === idLower,\n );\n if (isMentioned) return true;\n // Message has @mentions but none match this agent \u2014 skip\n return false;\n}\n\n/** Strip the matching @mention prefix from plaintext so the agent sees clean text. */\nfunction _stripMentions(\n text: string,\n agentName: string,\n accountId: string,\n): string {\n const nameLower = agentName.toLowerCase();\n const firstWord = nameLower.split(/[\\s(]/)[0];\n const idLower = accountId.toLowerCase();\n // Remove all @mentions that match this agent (case-insensitive)\n return text\n .replace(/@(\\w[\\w]*)/gi, (full, name) => {\n const lower = name.toLowerCase();\n if (lower === nameLower || lower === firstWord || lower === idLower) {\n return \"\";\n }\n // Also strip @all/@everyone since they're routing directives\n if (lower === \"all\" || lower === \"everyone\") return \"\";\n return full;\n })\n .replace(/^\\s+/, \"\") // trim leading whitespace left by stripped mention\n .trim();\n}\n\n// --- Memory recall helper ---\n\nasync function _recallMemories(\n apiUrl: string,\n apiKey: string | undefined,\n hubId: string,\n query: string,\n limit: number = 5,\n): Promise<string> {\n try {\n const params = new URLSearchParams({ q: query, limit: String(limit) });\n const headers: Record<string, string> = { \"Content-Type\": \"application/json\" };\n if (apiKey) headers[\"Authorization\"] = `Bearer ${apiKey}`;\n\n const res = await fetch(`${apiUrl}/api/v1/agents/${hubId}/memory/search?${params}`, { headers });\n if (!res.ok) return \"\";\n\n const results = (await res.json()) as Array<{ content: string; category: string; similarity: number; source?: string }>;\n if (!results.length) return \"\";\n\n const lines = [\"## Your Memory (from AgentVault)\", \"\"];\n for (const r of results) {\n const source = r.source ? ` _(${r.source})_` : \"\";\n lines.push(`- [${r.category}] ${r.content}${source}`);\n }\n lines.push(\"\");\n return lines.join(\"\\n\");\n } catch {\n return \"\";\n }\n}\n\n// --- Team memory helpers (ops.motiveflow.io) ---\n\nasync function _recallTeamMemory(query: string, limit: number = 5): Promise<string> {\n const url = process.env.TEAM_MEMORY_URL;\n const key = process.env.TEAM_MEMORY_API_KEY;\n if (!url || !key) return \"\";\n\n try {\n const params = new URLSearchParams({ q: query, limit: String(limit), threshold: \"0.5\" });\n const resp = await fetch(`${url}/v1/memory/search?${params}`, {\n headers: { \"X-API-Key\": key },\n signal: AbortSignal.timeout(5000),\n });\n if (!resp.ok) return \"\";\n const results = (await resp.json()) as Array<{ content: string; category: string; similarity: number }>;\n if (!results.length) return \"\";\n\n const lines = [\"## Team Memory (shared knowledge)\", \"\"];\n for (const r of results) {\n lines.push(`- [${r.category}] ${r.content}`);\n }\n lines.push(\"\");\n return lines.join(\"\\n\");\n } catch {\n return \"\";\n }\n}\n\nfunction _captureTeamMemory(content: string, category: string, source: string): void {\n const url = process.env.TEAM_MEMORY_URL;\n const key = process.env.TEAM_MEMORY_API_KEY;\n if (!url || !key) return;\n\n fetch(`${url}/v1/memory`, {\n method: \"POST\",\n headers: { \"X-API-Key\": key, \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ content, category, source }),\n signal: AbortSignal.timeout(5000),\n }).catch(() => {}); // fire and forget\n}\n\n// --- Inbound message dispatch ---\n\nasync function handleInbound(params: {\n plaintext: string;\n metadata: any;\n channel: any;\n account: any;\n cfg: any;\n}): Promise<void> {\n const { plaintext: rawPlaintext, metadata, channel, account, cfg } = params;\n const isRoomMessage = Boolean(metadata.roomId);\n const isA2AMessage = Boolean(metadata.a2aChannelId);\n\n // @mention filtering + agent-to-agent loop prevention for room messages\n if (isRoomMessage) {\n if (!_shouldProcessRoomMessage(rawPlaintext, account.agentName ?? \"\", account.accountId ?? \"\", metadata.senderIsAgent)) {\n return; // Not addressed to this agent \u2014 skip silently\n }\n }\n\n // Strip @mentions from plaintext so the agent sees clean text\n let plaintext = isRoomMessage\n ? _stripMentions(rawPlaintext, account.agentName ?? \"\", account.accountId ?? \"\")\n : rawPlaintext;\n\n // OpenClaw v2026.3.28: trigger immediate heartbeat for room/A2A messages\n if (isRoomMessage || isA2AMessage) {\n try {\n const woke = await requestHeartbeatNow({ reason: `AgentVault ${isRoomMessage ? \"room\" : \"A2A\"} message received` });\n if (woke) {\n console.log(`[AgentVault] Heartbeat triggered for ${isRoomMessage ? \"room\" : \"A2A\"} message`);\n }\n } catch {\n // Non-critical \u2014 agent will process on next regular heartbeat\n }\n }\n\n // Telemetry: hierarchical spans for the full message lifecycle\n const startTime = Date.now();\n const traceId = randomBytes(16).toString(\"hex\");\n const rootSpanId = randomBytes(8).toString(\"hex\");\n const inferenceSpanId = randomBytes(8).toString(\"hex\");\n // Instrumentation context for agent code to report LLM/tool/error spans\n /** Helper: send an activity span over WS for real-time owner display. */\n const _sendActivity = (spanData: Record<string, unknown>) => {\n try { channel.sendActivitySpan({ ...spanData, trace_id: traceId, parent_span_id: inferenceSpanId }); } catch {}\n };\n\n const _instrument = {\n reportLlm: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportLlmCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.llm.model\": opts.model ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"llm\", span_name: opts.model ?? \"LLM\",\n status: opts.status === \"error\" ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n tokens_input: opts.tokensInput, tokens_output: opts.tokensOutput,\n });\n },\n reportTool: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportToolCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.tool.name\": opts.toolName ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"tool\", span_name: opts.toolName ?? \"tool\",\n status: opts.success === false ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n tool_success: opts.success,\n });\n },\n reportError: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportError(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.error.type\": opts.errorType ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"error\", span_name: opts.errorType ?? \"error\",\n status: \"error\",\n start_time: new Date().toISOString(), end_time: new Date().toISOString(), duration_ms: 0,\n attributes: activityAttrs,\n error_type: opts.errorType, error_message: opts.errorMessage,\n });\n },\n reportHttp: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportHttpCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.http.method\": opts.method ?? \"\", \"ai.agent.http.url\": opts.url ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"http\",\n span_name: (() => { try { return new URL(opts.url).hostname; } catch { return opts.url?.slice(0, 40) ?? \"http\"; } })(),\n status: (opts.statusCode ?? 200) >= 400 ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n http_method: opts.method, http_status_code: opts.statusCode, http_url: opts.url,\n });\n },\n reportAction: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportActionCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.action.type\": opts.actionType ?? \"\", \"ai.agent.action.target\": opts.target ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"action\",\n span_name: `${opts.actionType ?? \"action\"}: ${opts.target ?? \"\"}`,\n status: opts.success === false ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n action_type: opts.actionType, action_target: opts.target,\n });\n },\n reportNav: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportNavCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.nav.to_url\": opts.toUrl ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"nav\",\n span_name: opts.toUrl?.slice(0, 40) ?? \"navigate\",\n status: opts.status === \"error\" ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n });\n },\n skillName: undefined as string | undefined,\n traceId,\n parentSpanId: inferenceSpanId,\n };\n let replyCount = 0;\n let totalReplyChars = 0;\n let firstReplyTime: number | null = null;\n const replySpans: Array<{ startTime: number; endTime: number; chars: number; index: number }> = [];\n\n // Emit \"receive\" child span immediately \u2014 marks inbound arrival\n _emitChildSpan(channel, {\n traceId,\n parentSpanId: rootSpanId,\n name: \"ai.agent.message.receive\",\n startTime,\n endTime: startTime + 1, // instant\n attributes: {\n \"ai.agent.message.input_chars\": plaintext.length,\n \"ai.agent.message.type\": isA2AMessage ? \"a2a\" : metadata.roomId ? \"room\" : \"direct\",\n },\n status: \"ok\",\n });\n\n // Send typing indicator to owner (non-critical, best-effort)\n try { channel.sendTyping(); } catch { /* ignore */ }\n\n const core = _ocRuntime!; // Non-null: caller guards with `if (!_ocRuntime)` check\n\n // Resolve room/sender context for room messages\n let roomName: string | undefined;\n let senderDisplayName: string | undefined;\n if (isRoomMessage && metadata.roomId) {\n roomName = metadata.roomName;\n // Use senderName from metadata (set in channel.ts MLS/DR handlers)\n senderDisplayName = (metadata as any).senderName;\n if (!roomName || !senderDisplayName) {\n const rooms = channel.getRooms?.() ?? [];\n const room = rooms.find((r: any) => r.roomId === metadata.roomId);\n if (room) {\n if (!roomName) roomName = room.name;\n if (!senderDisplayName && metadata.senderDeviceId) {\n const member = room.members?.find((m: any) => m.deviceId === metadata.senderDeviceId);\n if (member) senderDisplayName = member.displayName;\n }\n }\n }\n }\n\n const route = core.channel.routing.resolveAgentRoute({\n cfg,\n channel: \"agentvault\",\n accountId: account.accountId,\n peer: {\n kind: isA2AMessage ? \"a2a\" as any : isRoomMessage ? \"group\" as any : \"direct\",\n id: isA2AMessage\n ? `agentvault:a2a:${metadata.fromHubAddress}`\n : isRoomMessage\n ? `agentvault:room:${metadata.roomId}`\n : \"agentvault:owner\",\n },\n });\n\n const storePath = core.channel.session.resolveStorePath(cfg?.session?.store, {\n agentId: route.agentId,\n });\n\n const envelopeOptions = core.channel.reply.resolveEnvelopeFormatOptions(cfg);\n const previousTimestamp = core.channel.session.readSessionUpdatedAt({\n storePath,\n sessionKey: route.sessionKey,\n });\n\n // Team memory recall \u2014 shared knowledge (highest recall priority)\n const recallQuery = isRoomMessage || isA2AMessage\n ? plaintext\n : (metadata?.reason || metadata?.triggerName || plaintext);\n\n const teamMemoryContext = await _recallTeamMemory(recallQuery);\n if (teamMemoryContext) {\n plaintext = teamMemoryContext + \"\\n---\\n\\n\" + plaintext;\n }\n\n // Agent memory recall \u2014 per-agent knowledge\n if (channel?.config?.apiUrl) {\n const memoryContext = await _recallMemories(\n channel.config.apiUrl,\n channel.config.apiKey,\n channel.config.hubId || \"\",\n recallQuery,\n 5,\n );\n\n if (memoryContext) {\n plaintext = memoryContext + \"\\n---\\n\\n\" + plaintext;\n }\n }\n\n // Inject recent room history into the LLM context for multi-turn memory\n let contextBody = plaintext;\n if (isRoomMessage && metadata.roomId && channel.getRoomHistory) {\n const recentHistory = channel.getRoomHistory(metadata.roomId, 20);\n // Exclude the current message (it's already in plaintext)\n const prior = recentHistory.slice(0, -1);\n if (prior.length > 0) {\n const historyBlock = prior.map((h: any) => {\n const role = h.sender === \"agent\" ? \"You\" : \"Room Member\";\n return `[${role}]: ${h.text}`;\n }).join(\"\\n\");\n contextBody = `[Recent room conversation]\\n${historyBlock}\\n\\n[Current message]\\n${plaintext}`;\n }\n }\n\n const body = core.channel.reply.formatAgentEnvelope({\n channel: \"AgentVault\",\n from: isA2AMessage ? `Agent (${metadata.fromHubAddress})` : isRoomMessage ? (senderDisplayName ?? \"Room Member\") : \"Owner\",\n timestamp: new Date(metadata.timestamp).getTime(),\n previousTimestamp,\n envelope: envelopeOptions,\n body: contextBody,\n });\n\n // Build attachment fields for the context payload\n const attachmentFields: Record<string, any> = {};\n if (metadata.attachment) {\n attachmentFields.AttachmentPath = metadata.attachment.filePath;\n attachmentFields.AttachmentFilename = metadata.attachment.filename;\n attachmentFields.AttachmentMime = metadata.attachment.mime;\n\n // For images: include as MediaUrl so the LLM can see the visual content\n if (metadata.attachment.base64) {\n attachmentFields.MediaUrl = metadata.attachment.base64;\n attachmentFields.NumMedia = \"1\";\n }\n\n // For text files: content is already inlined in plaintext body\n }\n\n // Inject renter credentials for room messages (marketplace rentals)\n const credentialFields: Record<string, any> = {};\n if (isRoomMessage && metadata.roomId && channel.getCredentials) {\n const creds = channel.getCredentials(metadata.roomId);\n if (creds.length > 0) {\n credentialFields.HasRenterCredentials = true;\n credentialFields.RenterCredentials = channel.getCredentialMap(metadata.roomId);\n credentialFields.RenterCredentialCount = creds.length;\n }\n }\n\n const ctxPayload = core.channel.reply.finalizeInboundContext({\n Body: body,\n RawBody: plaintext,\n CommandBody: plaintext,\n From: isA2AMessage ? `a2a:${metadata.fromHubAddress}` : isRoomMessage ? `agentvault:room:${metadata.roomId}` : \"agentvault:owner\",\n To: `agentvault:agent:${account.accountId}`,\n SessionKey: route.sessionKey,\n AccountId: account.accountId,\n ChatType: isA2AMessage ? \"a2a\" : isRoomMessage ? \"room\" : \"direct\",\n ConversationLabel: isA2AMessage ? `A2A: ${metadata.fromHubAddress}` : isRoomMessage ? (roomName ?? \"AgentVault Room\") : \"AgentVault\",\n SenderName: isA2AMessage ? metadata.fromHubAddress : isRoomMessage ? (senderDisplayName ?? \"Room Member\") : \"Owner\",\n SenderId: isA2AMessage ? `a2a:${metadata.fromHubAddress}` : isRoomMessage ? `agentvault:room:${metadata.senderDeviceId ?? metadata.roomId}` : \"agentvault:owner\",\n Provider: \"agentvault\",\n Surface: \"agentvault\",\n MessageSid: metadata.messageId,\n Timestamp: new Date(metadata.timestamp).getTime(),\n OriginatingChannel: \"agentvault\",\n OriginatingTo: `agentvault:agent:${account.accountId}`,\n CommandAuthorized: true,\n Instrument: _instrument, // OpenClaw ctx convention\n AgentVaultTelemetry: _instrument, // AgentVault-specific accessor\n ...attachmentFields,\n ...credentialFields,\n });\n\n await core.channel.session.recordInboundSession({\n storePath,\n sessionKey: ctxPayload.SessionKey ?? route.sessionKey,\n ctx: ctxPayload,\n onRecordError: (err: Error) => {\n core.error?.(`[AgentVault] session record failed: ${String(err)}`);\n },\n });\n\n try {\n await runWithTraceContext(\n { traceId, parentSpanId: inferenceSpanId },\n () => core.channel.reply.dispatchReplyWithBufferedBlockDispatcher({\n ctx: ctxPayload,\n cfg,\n dispatcherOptions: {\n deliver: async (payload: { text?: string; kind?: string }) => {\n // Filter out thinking/reasoning blocks \u2014 only deliver actual responses\n if (payload.kind === \"thinking\" || payload.kind === \"reasoning\") return;\n const text = (payload.text ?? \"\").trim();\n if (!text) return;\n // Heuristic: skip blocks that look like leaked chain-of-thought\n if (/^(Reasoning|Thinking|Let me think|I need to|Let me check):/i.test(text)) return;\n // Skip <think> XML blocks and bare \"think\" lines\n if (/^<think[\\s>]/i.test(text) || /^think$/im.test(text)) return;\n // Skip OpenClaw directive tags like [[reply_to_current]], [[think]], etc.\n if (/^\\[\\[[\\w_]+\\]\\]/.test(text)) return;\n // Skip blocks that are entirely wrapped in <think>...</think>\n if (/^<think>[\\s\\S]*<\\/think>$/i.test(text)) return;\n\n const replyStart = Date.now();\n replyCount++;\n totalReplyChars += text.length;\n if (!firstReplyTime) firstReplyTime = replyStart;\n\n // Route reply via deliver() \u2014 explicit target, no silent fallback\n let replyTarget: DeliveryTarget;\n if (isA2AMessage) {\n // Loop prevention: rate limit A2A replies per channel\n if (!_a2aCanReply(metadata.a2aChannelId)) {\n console.warn(`[AgentVault] A2A reply suppressed (rate limit) for channel ${metadata.a2aChannelId?.slice(0, 8)}...`);\n return;\n }\n replyTarget = { kind: \"a2a\", hubAddress: metadata.fromHubAddress };\n } else if (isRoomMessage) {\n // Loop prevention: rate limit room replies (safety net beyond @mention filtering)\n if (!_roomCanReply(metadata.roomId)) {\n console.warn(`[AgentVault] Room reply suppressed (rate limit) for room ${metadata.roomId?.slice(0, 8)}...`);\n return;\n }\n replyTarget = { kind: \"room\", roomId: metadata.roomId };\n } else {\n replyTarget = { kind: \"owner\" };\n }\n await channel.deliver(replyTarget, { type: \"text\", text }, {\n conversationId: metadata.conversationId,\n topicId: metadata.topicId,\n parentSpanId: inferenceSpanId,\n metadata: isRoomMessage ? { content_length: text.length } : undefined,\n });\n if (isA2AMessage) {\n _a2aRecordReply(metadata.a2aChannelId);\n }\n if (isRoomMessage) {\n _roomRecordReply(metadata.roomId);\n }\n\n const replyEnd = Date.now();\n replySpans.push({ startTime: replyStart, endTime: replyEnd, chars: text.length, index: replyCount });\n },\n onError: (err: Error, info?: { kind?: string }) => {\n core.error?.(`[AgentVault] ${info?.kind ?? \"reply\"} error: ${String(err)}`);\n },\n },\n replyOptions: {},\n }),\n );\n\n const endTime = Date.now();\n\n // Emit child spans for the completed message lifecycle\n _emitHierarchicalSpans(channel, {\n traceId,\n rootSpanId,\n inferenceSpanId,\n startTime,\n endTime,\n firstReplyTime,\n replySpans,\n inputChars: plaintext.length,\n replyCount,\n totalReplyChars,\n isRoom: isRoomMessage,\n status: \"ok\",\n });\n } catch (err) {\n const endTime = Date.now();\n\n // Emit spans even on error \u2014 shows where failure occurred\n _emitHierarchicalSpans(channel, {\n traceId,\n rootSpanId,\n inferenceSpanId,\n startTime,\n endTime,\n firstReplyTime,\n replySpans,\n inputChars: plaintext.length,\n replyCount,\n totalReplyChars,\n isRoom: isRoomMessage,\n status: \"error\",\n statusMessage: String(err),\n });\n // Dedicated error span for the Errors tab\n _emitChildSpan(channel, {\n traceId,\n parentSpanId: rootSpanId,\n name: \"error\",\n startTime: endTime,\n endTime: endTime,\n attributes: {\n \"ai.agent.error.type\": (err as any)?.constructor?.name ?? \"Error\",\n \"ai.agent.error.message\": String(err),\n },\n status: \"error\",\n statusMessage: String(err),\n });\n throw err;\n }\n}\n\n/** Infer a span type from the span name for activity stream display. */\nfunction _inferSpanType(name: string): \"llm\" | \"tool\" | \"http\" | \"action\" | \"error\" | \"nav\" {\n if (name === \"error\" || name.includes(\"error\")) return \"error\";\n if (name.startsWith(\"llm.\") || name.includes(\"inference\")) return \"llm\";\n if (name.startsWith(\"tool.\") || name.includes(\"tool\")) return \"tool\";\n if (name.startsWith(\"http.\") || name.includes(\"http\")) return \"http\";\n if (name.startsWith(\"nav.\") || name.includes(\"nav\")) return \"nav\";\n if (name.startsWith(\"action.\") || name.includes(\"action\")) return \"action\";\n return \"action\"; // default fallback\n}\n\n/** Extract a human-readable span name from span attributes. */\nfunction _extractSpanName(name: string, attrs: Record<string, string | number | boolean>): string {\n if (attrs[\"ai.agent.llm.model\"]) return String(attrs[\"ai.agent.llm.model\"]);\n if (attrs[\"ai.agent.tool.name\"]) return String(attrs[\"ai.agent.tool.name\"]);\n if (attrs[\"ai.agent.http.url\"]) {\n try { return new URL(String(attrs[\"ai.agent.http.url\"])).hostname; } catch { /* use raw */ }\n return String(attrs[\"ai.agent.http.url\"]).slice(0, 40);\n }\n if (attrs[\"ai.agent.action.type\"]) return `${attrs[\"ai.agent.action.type\"]}: ${attrs[\"ai.agent.action.target\"] ?? \"\"}`;\n if (attrs[\"ai.agent.nav.to_url\"]) return String(attrs[\"ai.agent.nav.to_url\"]).slice(0, 40);\n if (attrs[\"ai.agent.error.type\"]) return String(attrs[\"ai.agent.error.type\"]);\n return name;\n}\n\n/** Emit a single child span via the channel's telemetry reporter + WS activity stream. */\nfunction _emitChildSpan(channel: any, opts: {\n traceId: string;\n parentSpanId: string;\n spanId?: string;\n name: string;\n startTime: number;\n endTime: number;\n attributes: Record<string, string | number | boolean>;\n status: \"ok\" | \"error\";\n statusMessage?: string;\n}): void {\n try {\n const reporter = channel.telemetry;\n if (!reporter) return;\n\n const spanId = opts.spanId ?? randomBytes(8).toString(\"hex\");\n\n reporter.reportCustomSpan({\n traceId: opts.traceId,\n spanId,\n parentSpanId: opts.parentSpanId,\n name: opts.name,\n kind: \"internal\" as const,\n startTime: opts.startTime,\n endTime: opts.endTime,\n attributes: opts.attributes,\n status: {\n code: opts.status === \"ok\" ? 1 : 2,\n message: opts.statusMessage,\n },\n });\n\n // Dual-path: also send via WS for real-time activity streaming\n try {\n const spanType = _inferSpanType(opts.name);\n const spanName = _extractSpanName(opts.name, opts.attributes);\n const durationMs = opts.endTime - opts.startTime;\n channel.sendActivitySpan({\n trace_id: opts.traceId,\n span_id: spanId,\n parent_span_id: opts.parentSpanId,\n span_type: spanType,\n span_name: spanName,\n status: opts.status,\n start_time: new Date(opts.startTime).toISOString(),\n end_time: new Date(opts.endTime).toISOString(),\n duration_ms: durationMs,\n attributes: opts.attributes,\n ...(spanType === \"llm\" ? {\n tokens_input: opts.attributes[\"ai.agent.llm.tokens_input\"],\n tokens_output: opts.attributes[\"ai.agent.llm.tokens_output\"],\n } : {}),\n ...(spanType === \"http\" ? {\n http_method: opts.attributes[\"ai.agent.http.method\"],\n http_status_code: opts.attributes[\"ai.agent.http.status_code\"],\n http_url: opts.attributes[\"ai.agent.http.url\"],\n } : {}),\n ...(spanType === \"tool\" ? {\n tool_success: opts.attributes[\"ai.agent.tool.success\"],\n } : {}),\n ...(spanType === \"error\" ? {\n error_type: opts.attributes[\"ai.agent.error.type\"],\n error_message: opts.attributes[\"ai.agent.error.message\"],\n } : {}),\n });\n } catch { /* WS activity is best-effort */ }\n } catch { /* telemetry is best-effort */ }\n}\n\n/** Emit the full hierarchical span tree for a message lifecycle. */\nfunction _emitHierarchicalSpans(channel: any, opts: {\n traceId: string;\n rootSpanId: string;\n inferenceSpanId?: string;\n startTime: number;\n endTime: number;\n firstReplyTime: number | null;\n replySpans: Array<{ startTime: number; endTime: number; chars: number; index: number }>;\n inputChars: number;\n replyCount: number;\n totalReplyChars: number;\n isRoom: boolean;\n status: \"ok\" | \"error\";\n statusMessage?: string;\n}): void {\n try {\n const reporter = channel.telemetry;\n if (!reporter) return;\n\n // 1. Inference span: from message arrival to first reply (or end if no replies)\n const inferenceEnd = opts.firstReplyTime ?? opts.endTime;\n _emitChildSpan(channel, {\n traceId: opts.traceId,\n parentSpanId: opts.rootSpanId,\n spanId: opts.inferenceSpanId,\n name: \"ai.agent.inference\",\n startTime: opts.startTime + 1, // just after receive\n endTime: inferenceEnd,\n attributes: {\n \"ai.agent.inference.latency_ms\": inferenceEnd - opts.startTime,\n \"ai.agent.message.input_chars\": opts.inputChars,\n },\n status: opts.status,\n statusMessage: opts.status === \"error\" ? opts.statusMessage : undefined,\n });\n\n // 2. Individual reply spans\n for (const reply of opts.replySpans) {\n _emitChildSpan(channel, {\n traceId: opts.traceId,\n parentSpanId: opts.rootSpanId,\n name: \"ai.agent.reply\",\n startTime: reply.startTime,\n endTime: reply.endTime,\n attributes: {\n \"ai.agent.reply.index\": reply.index,\n \"ai.agent.reply.chars\": reply.chars,\n },\n status: \"ok\",\n });\n }\n\n // 3. Root span (wraps everything) \u2014 emitted last\n reporter.reportCustomSpan({\n traceId: opts.traceId,\n spanId: opts.rootSpanId,\n name: \"ai.agent.message\",\n kind: \"server\" as const,\n startTime: opts.startTime,\n endTime: opts.endTime,\n attributes: {\n \"ai.agent.message.input_chars\": opts.inputChars,\n \"ai.agent.message.reply_count\": opts.replyCount,\n \"ai.agent.message.reply_chars\": opts.totalReplyChars,\n \"ai.agent.message.latency_ms\": opts.endTime - opts.startTime,\n \"ai.agent.message.type\": opts.isRoom ? \"room\" : \"direct\",\n },\n status: {\n code: opts.status === \"ok\" ? 1 : 2,\n message: opts.statusMessage,\n },\n });\n } catch { /* telemetry is best-effort */ }\n}\n\n// --- Channel plugin definition ---\n\nconst agentVaultPlugin = {\n id: \"agentvault\",\n meta: {\n id: \"agentvault\",\n label: \"AgentVault\",\n selectionLabel: \"AgentVault (E2E Encrypted)\",\n docsPath: \"https://agentvault.chat/docs\",\n blurb: \"Zero-knowledge, end-to-end encrypted messaging between owners and their AI agents.\",\n aliases: [\"av\", \"agent-vault\"],\n },\n capabilities: { chatTypes: [\"direct\", \"room\"] },\n config: { listAccountIds, resolveAccount },\n\n gateway: {\n /** Health probe for `openclaw channels status --probe` */\n probe: async (ctx: any) => {\n const accountId = ctx?.accountId ?? \"default\";\n const ch = _channels.get(accountId);\n if (!ch) return { ok: false, status: \"disconnected\", error: \"Channel not started\" };\n const state = ch.state;\n return {\n ok: state === \"ready\",\n status: state,\n deviceId: ch.deviceId ?? undefined,\n sessions: ch.sessionCount,\n };\n },\n\n /** Status for `openclaw health --json` per-channel summary */\n status: (ctx: any) => {\n const accountId = ctx?.accountId ?? \"default\";\n const ch = _channels.get(accountId);\n if (!ch) return { connected: false, status: \"not_started\" };\n return {\n connected: ch.state === \"ready\",\n status: ch.state,\n deviceId: ch.deviceId ?? undefined,\n sessions: ch.sessionCount,\n encrypted: true,\n };\n },\n\n startAccount: async (ctx: ChannelGatewayContext<ResolvedAccountBase>) => {\n const { account, cfg, log, abortSignal } = ctx;\n const _log: ((msg: string) => void) | undefined = typeof log === \"function\" ? log : log?.info?.bind(log);\n\n if (!account.configured) {\n throw new Error(\n \"AgentVault channel not configured. Run: npx @agentvault/agentvault setup --token=av_tok_...\\nThen restart OpenClaw.\",\n );\n }\n\n const dataDir = pathResolve(account.dataDir.replace(/^~/, osHomedir()));\n _log?.(`[AgentVault] starting (dataDir=${dataDir})`);\n\n // startAccount must STAY PENDING while the channel is running.\n // Resolving signals \"channel stopped\" to the gateway health monitor,\n // which triggers auto-restart. We block here until the abortSignal\n // fires (gateway shutdown / config reload), then clean up.\n await new Promise<void>((resolve, reject) => {\n let channel: any;\n\n const onAbort = async () => {\n await channel?.stop();\n _channels.delete(account.accountId);\n resolve();\n };\n\n abortSignal?.addEventListener(\"abort\", () => void onAbort());\n\n // Lazy import \u2014 defers libsodium initialization until channel starts\n import(\"./index.js\").then(async ({ SecureChannel }) => {\n channel = new SecureChannel({\n inviteToken: \"\",\n dataDir,\n apiUrl: account.apiUrl,\n agentName: account.agentName,\n onMessage: async (plaintext: string, metadata: any) => {\n if (!_ocRuntime) {\n _log?.(\"[AgentVault] runtime not ready, queuing message\");\n _messageQueue.push(async () => {\n await handleInbound({ plaintext, metadata, channel, account, cfg });\n });\n return;\n }\n try {\n await handleInbound({ plaintext, metadata, channel, account, cfg });\n } catch (err) {\n _log?.(`[AgentVault] inbound error: ${String(err)}`);\n }\n },\n onA2AMessage: async (msg: any) => {\n const a2aMetadata = {\n a2aChannelId: msg.channelId,\n fromHubAddress: msg.fromHubAddress,\n conversationId: msg.conversationId,\n timestamp: msg.timestamp,\n parentSpanId: msg.parentSpanId,\n messageId: `a2a:${msg.channelId}:${Date.now()}`,\n };\n if (!_ocRuntime) {\n _log?.(\"[AgentVault] runtime not ready, queuing A2A message\");\n _messageQueue.push(async () => {\n await handleInbound({ plaintext: msg.text, metadata: a2aMetadata, channel, account, cfg });\n });\n return;\n }\n try {\n await handleInbound({ plaintext: msg.text, metadata: a2aMetadata, channel, account, cfg });\n } catch (err) {\n _log?.(`[AgentVault] A2A inbound error: ${String(err)}`);\n }\n },\n onA2AChannelReady: async (info: {\n channelId: string;\n peerHubAddress: string;\n role: \"creator\" | \"member\";\n conversationId: string;\n topic?: string;\n }) => {\n // Register peer as valid outbound target (both roles)\n _registerA2ATarget(info.peerHubAddress, account.accountId);\n\n // Only creator sends the seed message\n if (info.role !== \"creator\") {\n _log?.(`[AgentVault] A2A channel ready (member) \u2014 waiting for creator: ${info.peerHubAddress}`);\n return;\n }\n _log?.(`[AgentVault] A2A channel ready (creator) \u2014 sending seed to ${info.peerHubAddress}${info.topic ? ` [topic: ${info.topic}]` : \"\"}`);\n\n const seedText = info.topic\n ? `[System] A new A2A channel has been established with agent ${info.peerHubAddress}. ` +\n `Topic: \"${info.topic}\". ` +\n `Introduce yourself briefly and begin discussing this topic.`\n : `[System] A new A2A channel has been established with agent ${info.peerHubAddress}. ` +\n `Introduce yourself briefly and state what you can help with.`;\n const seedMetadata = {\n a2aChannelId: info.channelId,\n fromHubAddress: info.peerHubAddress,\n conversationId: info.conversationId,\n timestamp: new Date().toISOString(),\n messageId: `a2a-seed:${info.channelId}:${Date.now()}`,\n };\n\n if (!_ocRuntime) {\n _log?.(\"[AgentVault] runtime not ready, queuing A2A seed\");\n _messageQueue.push(async () => {\n await handleInbound({ plaintext: seedText, metadata: seedMetadata, channel, account, cfg });\n });\n return;\n }\n try {\n await handleInbound({ plaintext: seedText, metadata: seedMetadata, channel, account, cfg });\n } catch (err) {\n _log?.(`[AgentVault] A2A seed error: ${String(err)}`);\n }\n },\n onStateChange: (state: string) => {\n _log?.(`[AgentVault] \u2192 ${state}`);\n // \"error\" is a permanent failure \u2014 reject so gateway can restart\n if (state === \"error\") reject(new Error(\"AgentVault channel permanent error\"));\n // All other states (connecting/ready/disconnected) are handled\n // internally by SecureChannel's reconnect logic \u2014 do NOT resolve.\n },\n });\n\n _channels.set(account.accountId, channel);\n\n // Prevent unhandled \"error\" events from crashing the process.\n // Without this handler, Node.js EventEmitter throws on emit(\"error\").\n channel.on(\"error\", (err: any) => {\n _log?.(`[AgentVault] channel error (non-fatal): ${String(err)}`);\n });\n\n // --- Activate MCP server with agent skills ---\n try {\n const { AgentVaultMcpServer } = await import(\"./mcp-server.js\");\n const { loadSkillsFromDirectory, loadSkillsFromApi, mergeSkills } = await import(\"./skill-manifest.js\");\n const mcpServer = new AgentVaultMcpServer({\n agentName: account.agentName ?? \"agent\",\n apiUrl: account.apiUrl ?? \"https://api.agentvault.chat\",\n onInvoke: async (skillName: string, args: Record<string, unknown>, skill: any) => {\n // Execute skill via backend inline executor (owner path \u2014 device JWT auth)\n // Sends skill instructions + input to Claude API through the backend\n const apiUrl = account.apiUrl ?? \"https://api.agentvault.chat\";\n const jwt = (channel as any)._deviceJwt;\n if (!jwt) {\n return { error: \"Not connected \u2014 device JWT unavailable\" };\n }\n\n // Build the execution request with instructions from the local skill definition\n const instructions = skill?.instructions;\n if (!instructions) {\n return { error: `Skill \"${skillName}\" has no instructions defined` };\n }\n\n try {\n const resp = await fetch(`${apiUrl}/api/v1/capabilities/owner-execute`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${jwt}`,\n },\n body: JSON.stringify({\n jsonrpc: \"2.0\",\n method: \"tools/call\",\n params: {\n name: skillName,\n arguments: args,\n // Pass instructions from local SKILL.md so backend doesn't need DB lookup\n _instructions: instructions,\n _schema: skill?.schema,\n },\n id: `invoke-${Date.now()}`,\n }),\n });\n if (!resp.ok) {\n const detail = await resp.text();\n return { error: `Execution failed (${resp.status}): ${detail}` };\n }\n const rpcResult = await resp.json();\n if (rpcResult.error) {\n return { error: rpcResult.error.message ?? \"Execution error\" };\n }\n // Extract text content from MCP response\n const content = rpcResult.result?.content;\n if (Array.isArray(content) && content.length > 0) {\n return content[0].text ?? JSON.stringify(content);\n }\n return rpcResult.result ?? { executed: true };\n } catch (err) {\n _log?.(`[AgentVault] Skill execution failed: ${String(err)}`);\n return { error: `Skill execution failed: ${String(err)}` };\n }\n },\n });\n\n // Resolve the OpenClaw workspace directory for this agent.\n // cfg is the full openclaw.json \u2014 agents.list[] has per-agent workspace,\n // agents.defaults.workspace is the fallback for the main agent.\n const homedir = osHomedir();\n const ocCfg = cfg as any;\n let workspaceDir = dataDir; // fallback to dataDir if workspace unknown\n try {\n const agentsList: any[] = ocCfg?.agents?.list ?? [];\n // Match agent entry by accountId \u2014 bindings map accountId\u2192agentId,\n // and agent entries have workspace paths\n const bindings: any[] = ocCfg?.bindings ?? [];\n const binding = bindings.find((b: any) =>\n b.match?.channel === \"agentvault\" && b.match?.accountId === account.accountId,\n );\n const agentId = binding?.agentId ?? \"main\";\n const agentEntry = agentsList.find((a: any) => a.id === agentId);\n\n if (agentEntry?.workspace) {\n workspaceDir = pathResolve(agentEntry.workspace.replace(/^~/, homedir));\n } else if (ocCfg?.agents?.defaults?.workspace) {\n workspaceDir = pathResolve(ocCfg.agents.defaults.workspace.replace(/^~/, homedir));\n }\n _log?.(`[AgentVault] MCP skill scan: workspace=${workspaceDir} (agentId=${agentId})`);\n } catch {\n _log?.(`[AgentVault] MCP skill scan: falling back to dataDir`);\n }\n\n // Load skills from workspace SKILL.md files\n const localSkills = loadSkillsFromDirectory(workspaceDir);\n\n // Also try loading from a dedicated skills/ subdirectory\n const skillsSubDir = pathResolve(workspaceDir, \"skills\");\n const subDirSkills = loadSkillsFromDirectory(skillsSubDir);\n localSkills.push(...subDirSkills);\n\n // Also scan the dataDir in case skills are stored there\n if (workspaceDir !== dataDir) {\n const dataDirSkills = loadSkillsFromDirectory(dataDir);\n localSkills.push(...dataDirSkills);\n }\n\n // Load skills published via Skill Builder (from backend API)\n let apiSkills: import(\"./mcp-server.js\").SkillDefinition[] = [];\n try {\n const { loadState } = await import(\"./state.js\");\n const persisted = await loadState(dataDir);\n const hubId = persisted?.hubId;\n const deviceJwt = persisted?.deviceJwt;\n const apiUrl = account.apiUrl ?? \"https://api.agentvault.chat\";\n if (hubId && deviceJwt) {\n apiSkills = await loadSkillsFromApi(apiUrl, deviceJwt, hubId);\n if (apiSkills.length > 0) {\n _log?.(`[AgentVault] Loaded ${apiSkills.length} skill(s) from API`);\n }\n }\n } catch (err) {\n _log?.(`[AgentVault] API skill loading failed (non-fatal): ${String(err)}`);\n }\n\n // Merge local + API skills (local takes precedence)\n const { skills: allSkills } = mergeSkills(localSkills, apiSkills);\n for (const skill of allSkills) {\n mcpServer.registerSkill(skill);\n }\n\n mcpServer.initialize();\n channel.setMcpServer(mcpServer);\n _log?.(`[AgentVault] MCP server activated with ${mcpServer.skillCount} skill(s) (${localSkills.length} local, ${apiSkills.length} API)`);\n } catch (err) {\n _log?.(`[AgentVault] MCP server activation failed (non-fatal): ${String(err)}`);\n }\n\n // Always start local HTTP server \u2014 managed routes are an overlay, not a replacement\n const httpPort = account.httpPort ?? 18790;\n channel.on(\"ready\", () => {\n channel.startHttpServer(httpPort);\n _log?.(`[AgentVault] HTTP send server listening on http://127.0.0.1:${httpPort}`);\n if (isUsingManagedRoutes) {\n _log?.(`[AgentVault] OpenClaw managed routes also registered`);\n }\n\n // Register persisted A2A peers as valid outbound targets\n for (const peerAddress of channel.a2aPeerAddresses) {\n _registerA2ATarget(peerAddress, account.accountId);\n }\n\n // Register persisted rooms as valid outbound targets\n for (const room of channel.roomIds) {\n _registerRoomTarget(room.roomId, room.name, account.accountId);\n }\n });\n\n // Re-register A2A targets after server sync (fixes stale persisted addresses)\n channel.on(\"a2a_channels_synced\", () => {\n for (const peerAddress of channel.a2aPeerAddresses) {\n _registerA2ATarget(peerAddress, account.accountId);\n }\n });\n\n // Register new rooms as outbound targets when agent joins\n channel.on(\"room_joined\", (info: { roomId: string; name: string }) => {\n _registerRoomTarget(info.roomId, info.name, account.accountId);\n });\n\n channel.start().catch(reject);\n }).catch(reject);\n });\n\n return { stop: async () => {} }; // Channel already stopped via abortSignal by this point\n },\n },\n\n outbound: {\n deliveryMode: \"direct\" as const,\n\n // Register valid send targets so OpenClaw's `message` tool can route\n // proactive (agent-initiated) sends \u2014 not just replies to inbound messages.\n targets: _outboundTargets,\n\n sendText: async ({ to: rawTo, text, accountId }: { to: string; text: string; accountId?: string }) => {\n const resolvedId = accountId ?? \"default\";\n const ch = _channels.get(resolvedId);\n if (!ch) return { ok: false, error: \"AgentVault channel not connected\" };\n try {\n const target = parseTarget(rawTo);\n const receipt = await ch.deliver(target, { type: \"text\", text });\n return { ok: receipt.ok, queued: receipt.queued, error: receipt.error };\n } catch (err) {\n return { ok: false, error: String(err) };\n }\n },\n\n sendMedia: async ({ to: rawTo, text, mediaUrl, accountId }: { to: string; text?: string; mediaUrl: string; accountId?: string }) => {\n const resolvedId = accountId ?? \"default\";\n const ch = _channels.get(resolvedId);\n if (!ch) return { ok: false, error: \"AgentVault channel not connected\" };\n try {\n // For now, send media URL as text \u2014 AgentVault handles attachments separately\n const message = text ? `${text}\\n${mediaUrl}` : mediaUrl;\n const target = parseTarget(rawTo);\n const receipt = await ch.deliver(target, { type: \"text\", text: message });\n return { ok: receipt.ok, queued: receipt.queued, error: receipt.error };\n } catch (err) {\n return { ok: false, error: String(err) };\n }\n },\n\n /** Rich payload delivery \u2014 OpenClaw v2026.3.2+ calls this for structured messages. */\n sendPayload: async (ctx: ChannelOutboundPayloadContext) => {\n const { payload, accountId } = ctx;\n\n // Suppress reasoning blocks \u2014 E2E channel should only deliver actual responses\n if (payload.isReasoning) return { ok: true };\n\n // Short-circuit empty content before checking channel \u2014 nothing to send\n const text = (payload.text ?? \"\").trim();\n if (!text && !payload.mediaUrls?.length) return { ok: true };\n\n const resolvedId = accountId ?? \"default\";\n const ch = _channels.get(resolvedId);\n if (!ch) return { ok: false, error: \"AgentVault channel not connected\" };\n\n try {\n // Wake agent proactively before sending (fire-and-forget)\n requestHeartbeatNow({ reason: \"outbound-payload\" }).catch(() => {});\n\n // Resolve target via parseTarget \u2014 owner if no explicit target\n const rawTarget = (ctx as any).to;\n let target: DeliveryTarget;\n if (rawTarget && typeof rawTarget === \"string\") {\n target = parseTarget(rawTarget);\n } else {\n target = { kind: \"owner\" };\n }\n\n // Helper: deliver text via unified deliver()\n const _send = async (msg: string) => {\n await ch.deliver(target, { type: \"text\", text: msg });\n };\n\n // Encrypt and deliver text content\n if (text) {\n await _send(text);\n }\n\n // Deliver media URLs as text messages (E2E encrypted)\n if (payload.mediaUrls?.length) {\n for (const url of payload.mediaUrls) {\n await _send(url);\n }\n }\n\n // Forward suggested actions as a structured message\n if (payload.suggestedActions?.length) {\n const actionsText = payload.suggestedActions\n .map((a: { label: string; action: string }) => `- ${a.label}: ${a.action}`)\n .join(\"\\n\");\n await _send(`Suggested actions:\\n${actionsText}`);\n }\n\n return { ok: true };\n } catch (err) {\n return { ok: false, error: String(err) };\n }\n },\n },\n};\n\n// --- Exported for testing ---\nexport { _parseMentions, _shouldProcessRoomMessage, _stripMentions };\n\n// --- Plugin export ---\n\nexport default {\n id: \"agentvault\",\n name: \"AgentVault\",\n description: \"End-to-end encrypted, zero-knowledge messaging between AI agent owners and their agents.\",\n register(api: OpenClawPluginApi) {\n _setRuntime(api.runtime);\n\n // Install fetch interceptor to capture all outbound HTTP from the gateway process.\n installFetchInterceptor({\n onHttpCall: (report) => {\n // Find an active channel to emit through\n const ch = _channels.values().next().value;\n if (!ch) return;\n\n // Telemetry reporter is optional \u2014 may not be initialized\n if (ch.telemetry) {\n try {\n ch.telemetry.reportHttpCall({\n method: report.method,\n url: report.url,\n statusCode: report.statusCode,\n latencyMs: report.latencyMs,\n ...(report.traceId ? { traceId: report.traceId } : {}),\n ...(report.parentSpanId ? { parentSpanId: report.parentSpanId } : {}),\n });\n } catch { /* best-effort */ }\n }\n\n // Activity span always fires (uses WS, not telemetry reporter)\n try {\n const hostname = (() => { try { return new URL(report.url).hostname; } catch { return report.url.slice(0, 40); } })();\n ch.sendActivitySpan({\n trace_id: report.traceId ?? \"\",\n parent_span_id: report.parentSpanId ?? \"\",\n span_id: randomBytes(8).toString(\"hex\"),\n span_type: \"http\",\n span_name: hostname,\n status: report.statusCode >= 400 || report.statusCode === 0 ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - report.latencyMs).toISOString(),\n end_time: new Date().toISOString(),\n duration_ms: report.latencyMs,\n attributes: {\n \"ai.agent.http.method\": report.method,\n \"ai.agent.http.url\": report.url,\n },\n http_method: report.method,\n http_status_code: report.statusCode,\n http_url: report.url,\n });\n } catch { /* best-effort */ }\n },\n });\n\n api.registerChannel({ plugin: agentVaultPlugin });\n\n // --- Managed HTTP routes (OpenClaw v2026.3.2+) ---\n if (typeof api.registerHttpRoute === \"function\") {\n try {\n api.registerHttpRoute({\n path: \"/agentvault/send\",\n method: \"POST\",\n handler: async (req) => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const parsed = (typeof req.body === \"string\" ? JSON.parse(req.body) : req.body) as Record<string, unknown>;\n const result = await handleSendRequest(parsed, ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/action\",\n method: \"POST\",\n handler: async (req) => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const parsed = (typeof req.body === \"string\" ? JSON.parse(req.body) : req.body) as Record<string, unknown>;\n const result = await handleActionRequest(parsed, ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/decision\",\n method: \"POST\",\n handler: async (req) => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const parsed = (typeof req.body === \"string\" ? JSON.parse(req.body) : req.body) as Record<string, unknown>;\n const result = await handleDecisionRequest(parsed, ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/status\",\n method: \"GET\",\n handler: async () => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const result = handleStatusRequest(ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/targets\",\n method: \"GET\",\n handler: async () => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const result = handleTargetsRequest(ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/mcp-config\",\n method: \"GET\",\n handler: async () => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const { handleMcpConfigRequest } = await import(\"./http-handlers.js\");\n const agentName = ch.config?.agentName ?? \"agent\";\n const mcpSkillCount = ch.mcpServer?.skillCount ?? 0;\n const result = handleMcpConfigRequest(agentName, 18790, mcpSkillCount);\n return { status: result.status, body: result.body };\n },\n });\n isUsingManagedRoutes = true;\n } catch { /* registerHttpRoute failed \u2014 fall back to self-managed server */ }\n }\n\n // --- Event hooks (OpenClaw v2026.3.2+) ---\n if (typeof api.on === \"function\") {\n // Phase 4: message_sent \u2014 delivery confirmation tracking\n api.on(\"message_sent\", async (event: MessageSentEvent) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"agentvault.message.delivered\",\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"agentvault.message.id\": event.messageId,\n \"agentvault.delivery.status\": event.deliveryStatus,\n \"agentvault.channel.id\": event.channelId,\n },\n status: { code: event.deliveryStatus === \"failed\" ? 2 : 1 },\n });\n } catch { /* best-effort */ }\n });\n\n // Phase 6: session lifecycle hooks\n api.on(\"session_start\", async (event: SessionStartEvent) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"agentvault.session.start\",\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"agentvault.session.key\": event.sessionKey,\n \"agentvault.agent.id\": event.agentId,\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n });\n\n api.on(\"session_end\", async (event: SessionEndEvent) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"agentvault.session.end\",\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"agentvault.session.key\": event.sessionKey,\n \"agentvault.agent.id\": event.agentId,\n ...(event.reason ? { \"agentvault.session.end_reason\": event.reason } : {}),\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n });\n\n // OpenClaw v2026.3.28: before_tool_call with requireApproval for SPT policy enforcement\n api.on(\"before_tool_call\", (async (event: any) => {\n try {\n const toolName = event?.toolName;\n const agentId = event?.agentId;\n if (!toolName || !_channels.size) return {};\n\n // Check against PolicyEnforcer for each active channel\n for (const [, ch] of _channels) {\n const enforcer = (ch as any)?._policyEnforcer;\n if (!enforcer) continue;\n\n // Evaluate across all registered skills \u2014 use wildcard by passing toolName\n // without a specific skillName so the enforcer checks all deny-lists\n for (const [skillName] of (enforcer as any).skills ?? []) {\n const result = enforcer.evaluate({ skillName, toolName, agentId });\n if (result && !result.allowed) {\n console.log(`[AgentVault] Tool \"${toolName}\" denied by policy \u2014 requesting approval`);\n const reason = result.violations?.[0]?.message ?? \"\";\n return {\n requireApproval: true,\n approvalReason: `AgentVault policy: tool \"${toolName}\" requires owner approval. ${reason}`.trim(),\n };\n }\n }\n }\n return {};\n } catch {\n return {};\n }\n }) as (...args: any[]) => void);\n\n // OpenClaw v2026.3.28: before_dispatch injects AV trust context\n api.on(\"before_dispatch\", async (event: any) => {\n try {\n const senderHub = event?.inbound?.metadata?.senderHubAddress;\n if (!senderHub || !_channels.size) return;\n\n // Look up sender's trust info if available\n for (const [, ch] of _channels) {\n const apiUrl = (ch as any)?.config?.apiUrl;\n if (!apiUrl) continue;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/hub/verify/${senderHub}`);\n if (res.ok) {\n const trust = await res.json() as Record<string, unknown>;\n // Inject trust context into the inbound metadata\n if (event.inbound.metadata) {\n event.inbound.metadata._avTrustContext = {\n senderHub: senderHub,\n trustTier: trust.trust_tier,\n verified: trust.verified,\n certificationStatus: trust.certification_status,\n };\n }\n console.log(`[AgentVault] Injected trust context for ${senderHub}: ${trust.trust_tier}`);\n }\n } catch {\n // Non-critical \u2014 proceed without trust context\n }\n break; // Only need one channel's API URL\n }\n } catch {\n // Non-critical \u2014 never throw from hook\n }\n });\n }\n\n // --- Phase 7: Agent events for trust telemetry ---\n import(\"./openclaw-compat.js\").then(async ({ onAgentEvent, onSessionTranscriptUpdate }) => {\n onAgentEvent((event) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: `ai.agent.event.${event.type}`,\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"ai.agent.event.type\": event.type,\n \"ai.agent.id\": event.agentId,\n ...(event.data ? Object.fromEntries(\n Object.entries(event.data).map(([k, v]) => [`ai.agent.event.${k}`, String(v)])\n ) : {}),\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n }).catch(() => {});\n\n onSessionTranscriptUpdate((update) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"ai.agent.transcript.update\",\n kind: \"internal\",\n startTime: update.timestamp,\n endTime: update.timestamp + 1,\n attributes: {\n \"agentvault.session.key\": update.sessionKey,\n \"ai.agent.transcript.role\": update.role ?? \"unknown\",\n \"ai.agent.transcript.delta_chars\": update.delta.length,\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n }).catch(() => {});\n }).catch(() => { /* openclaw-compat import failed \u2014 older SDK */ });\n\n // --- Agent tool: agentvault_status ---\n // Lets the agent check its own encrypted channel status\n try {\n api.registerTool?.({\n name: \"agentvault_status\",\n description: \"Check the AgentVault encrypted channel status, connection state, and session count.\",\n parameters: {\n type: \"object\",\n properties: {\n accountId: {\n type: \"string\",\n description: \"Account ID to check (default: 'default')\",\n },\n },\n },\n execute: async (_id: string, params: { accountId?: string }) => {\n const id = params.accountId ?? \"default\";\n const ch = _channels.get(id);\n if (!ch) {\n return { content: [{ type: \"text\", text: JSON.stringify({ connected: false, error: \"Channel not started\" }) }] };\n }\n return {\n content: [{\n type: \"text\",\n text: JSON.stringify({\n connected: ch.state === \"ready\",\n state: ch.state,\n deviceId: ch.deviceId,\n sessions: ch.sessionCount,\n encrypted: true,\n }),\n }],\n };\n },\n }, { optional: true });\n } catch { /* registerTool may not be available in older OpenClaw versions */ }\n\n // --- Auto-reply command: /agentvault ---\n // Quick status check without AI involvement\n try {\n api.registerCommand?.({\n name: \"agentvault\",\n description: \"Show AgentVault encrypted channel status\",\n handler: () => {\n const statuses: string[] = [];\n if (_channels.size === 0) {\n statuses.push(\"AgentVault: no active channels\");\n } else {\n for (const [id, ch] of _channels) {\n statuses.push(`AgentVault [${id}]: ${ch.state} | sessions: ${ch.sessionCount} | encrypted: yes`);\n }\n }\n return { text: statuses.join(\"\\n\") };\n },\n });\n } catch { /* registerCommand may not be available in older OpenClaw versions */ }\n },\n};\n", "/**\n * Shared multi-account config resolution for AgentVault OpenClaw plugin.\n *\n * Supports two config shapes:\n * 1. Legacy single-agent: channels.agentvault.dataDir (returns [\"default\"])\n * 2. Multi-agent: channels.agentvault.accounts.{id}.dataDir (returns account keys)\n *\n * When `accounts` key is present, it takes precedence over top-level dataDir.\n */\n\nconst DEFAULT_API_URL = \"https://api.agentvault.chat\";\nconst DEFAULT_HTTP_PORT = 18790;\n\nexport interface ResolvedAccount {\n accountId: string;\n dataDir: string;\n apiUrl: string;\n agentName: string;\n httpPort: number;\n configured: boolean;\n}\n\nexport function listAccountIds(cfg: any): string[] {\n const av = cfg?.channels?.agentvault;\n if (!av) return [];\n if (av.accounts && typeof av.accounts === \"object\") {\n return Object.keys(av.accounts);\n }\n return av.dataDir ? [\"default\"] : [];\n}\n\nexport function resolveAccount(cfg: any, accountId?: string): ResolvedAccount {\n const av = cfg?.channels?.agentvault ?? {};\n const id = accountId ?? \"default\";\n\n if (av.accounts && typeof av.accounts === \"object\") {\n const acct = av.accounts[id];\n if (!acct) {\n return {\n accountId: id,\n dataDir: \"\",\n apiUrl: av.apiUrl ?? DEFAULT_API_URL,\n agentName: id,\n httpPort: DEFAULT_HTTP_PORT,\n configured: false,\n };\n }\n\n let httpPort = acct.httpPort;\n if (httpPort == null) {\n const keys = Object.keys(av.accounts);\n const index = keys.indexOf(id);\n httpPort = DEFAULT_HTTP_PORT + (index >= 0 ? index : 0);\n }\n\n return {\n accountId: id,\n dataDir: acct.dataDir ?? \"\",\n apiUrl: acct.apiUrl ?? av.apiUrl ?? DEFAULT_API_URL,\n agentName: acct.agentName ?? id,\n httpPort,\n configured: Boolean(acct.dataDir),\n };\n }\n\n return {\n accountId: id,\n dataDir: av.dataDir ?? \"~/.openclaw/agentvault\",\n apiUrl: av.apiUrl ?? DEFAULT_API_URL,\n agentName: av.agentName ?? \"OpenClaw Agent\",\n httpPort: av.httpPort ?? DEFAULT_HTTP_PORT,\n configured: Boolean(av.dataDir),\n };\n}\n", "/**\n * HTTP interceptor for capturing outbound HTTP calls during message handling.\n *\n * Uses Node.js diagnostics_channel to subscribe to undici request events,\n * capturing ALL outbound HTTP from the process (including LLM SDKs, Playwright\n * navigations, and any library that uses undici under the hood).\n *\n * Also monkey-patches globalThis.fetch as a fallback for non-undici HTTP.\n *\n * Uses AsyncLocalStorage to associate intercepted calls with the active\n * message's traceId/parentSpanId.\n *\n * Built-in skip patterns prevent capturing internal infrastructure requests\n * (localhost, AgentVault API, Clerk auth).\n */\nimport { AsyncLocalStorage } from \"node:async_hooks\";\nimport diagnosticsChannel from \"node:diagnostics_channel\";\n\n// \u2500\u2500 Public types \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nexport interface HttpCallReport {\n method: string;\n url: string;\n statusCode: number;\n latencyMs: number;\n traceId?: string;\n parentSpanId?: string;\n}\n\nexport interface TraceContext {\n traceId: string;\n parentSpanId: string;\n}\n\nexport interface FetchInterceptorOptions {\n onHttpCall: (report: HttpCallReport) => void;\n skipPatterns?: RegExp[];\n}\n\n// \u2500\u2500 Internal state \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nconst traceStore = new AsyncLocalStorage<TraceContext>();\n\nconst DEFAULT_SKIP_PATTERNS: RegExp[] = [\n /^https?:\\/\\/localhost(:\\d+)?/,\n /^https?:\\/\\/127\\.0\\.0\\.1(:\\d+)?/,\n /\\.agentvault\\.chat/,\n /\\.agentvault\\.dev/,\n /\\.clerk\\./,\n];\n\nlet installed = false;\nlet originalFetch: typeof globalThis.fetch | undefined;\n\n// Track in-flight undici requests: request \u2192 { url, method, startTime }\nconst inflightRequests = new WeakMap<\n object,\n { url: string; method: string; startTime: number }\n>();\n\n// Diagnostics channel subscriptions\nlet unsubCreate: (() => void) | undefined;\nlet unsubHeaders: (() => void) | undefined;\nlet unsubError: (() => void) | undefined;\n\n// \u2500\u2500 Helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nfunction shouldSkip(url: string, extraPatterns: RegExp[]): boolean {\n const allPatterns = [...DEFAULT_SKIP_PATTERNS, ...extraPatterns];\n return allPatterns.some((p) => p.test(url));\n}\n\nfunction extractUrl(origin: string, path: string): string {\n // undici gives us origin (e.g., \"https://api.openai.com\") and path (e.g., \"/v1/chat/completions\")\n return `${origin}${path}`;\n}\n\n// \u2500\u2500 Public API \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/**\n * Install HTTP interceptor using both undici diagnostics channels and\n * globalThis.fetch monkey-patching. Idempotent.\n */\nexport function installFetchInterceptor(opts: FetchInterceptorOptions): void {\n if (installed) return;\n installed = true;\n\n const skipPatterns = [\n ...DEFAULT_SKIP_PATTERNS,\n ...(opts.skipPatterns ?? []),\n ];\n\n // \u2500\u2500 1. Undici diagnostics channel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n // undici publishes events for every HTTP request it makes.\n // This captures LLM SDK calls, playwright navigations, etc.\n\n try {\n const createChannel = diagnosticsChannel.channel(\"undici:request:create\");\n const headersChannel = diagnosticsChannel.channel(\"undici:request:headers\");\n const errorChannel = diagnosticsChannel.channel(\"undici:request:error\");\n\n const onRequestCreate = (message: unknown) => {\n try {\n const msg = message as {\n request: {\n method?: string;\n origin?: string;\n path?: string;\n };\n };\n const req = msg.request;\n if (!req) return;\n\n const origin = String(req.origin ?? \"\");\n const path = String(req.path ?? \"/\");\n const url = extractUrl(origin, path);\n\n if (shouldSkip(url, skipPatterns)) return;\n\n inflightRequests.set(req, {\n url,\n method: String(req.method ?? \"GET\").toUpperCase(),\n startTime: Date.now(),\n });\n } catch { /* best-effort */ }\n };\n\n const onRequestHeaders = (message: unknown) => {\n try {\n const msg = message as {\n request: object;\n response: { statusCode?: number };\n };\n const tracked = inflightRequests.get(msg.request);\n if (!tracked) return;\n inflightRequests.delete(msg.request);\n\n const latencyMs = Date.now() - tracked.startTime;\n const ctx = traceStore.getStore();\n\n opts.onHttpCall({\n method: tracked.method,\n url: tracked.url,\n statusCode: msg.response?.statusCode ?? 0,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n };\n\n const onRequestError = (message: unknown) => {\n try {\n const msg = message as { request: object; error?: Error };\n const tracked = inflightRequests.get(msg.request);\n if (!tracked) return;\n inflightRequests.delete(msg.request);\n\n const latencyMs = Date.now() - tracked.startTime;\n const ctx = traceStore.getStore();\n\n opts.onHttpCall({\n method: tracked.method,\n url: tracked.url,\n statusCode: 0,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n };\n\n createChannel.subscribe(onRequestCreate);\n headersChannel.subscribe(onRequestHeaders);\n errorChannel.subscribe(onRequestError);\n\n unsubCreate = () => createChannel.unsubscribe(onRequestCreate);\n unsubHeaders = () => headersChannel.unsubscribe(onRequestHeaders);\n unsubError = () => errorChannel.unsubscribe(onRequestError);\n } catch {\n // diagnostics_channel not available or undici not loaded \u2014 fall through to fetch-only\n }\n\n // \u2500\u2500 2. globalThis.fetch monkey-patch (fallback) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n // Catches any HTTP that doesn't go through undici (e.g., native fetch\n // in newer Node.js, or custom HTTP implementations).\n\n originalFetch = globalThis.fetch;\n const savedOriginal = originalFetch;\n\n globalThis.fetch = async (\n input: RequestInfo | URL,\n init?: RequestInit,\n ): Promise<Response> => {\n const url =\n input instanceof Request\n ? input.url\n : input instanceof URL\n ? input.href\n : String(input);\n\n if (shouldSkip(url, skipPatterns)) {\n return savedOriginal(input, init);\n }\n\n const method =\n input instanceof Request\n ? input.method\n : init?.method ?? \"GET\";\n\n const ctx = traceStore.getStore();\n const start = Date.now();\n\n try {\n const response = await savedOriginal(input, init);\n const latencyMs = Date.now() - start;\n\n try {\n opts.onHttpCall({\n method,\n url,\n statusCode: response.status,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n\n return response;\n } catch (err) {\n const latencyMs = Date.now() - start;\n\n try {\n opts.onHttpCall({\n method,\n url,\n statusCode: 0,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n\n throw err;\n }\n };\n}\n\n/**\n * Uninstall all interceptors. Safe to call even if not installed.\n */\nexport function uninstallFetchInterceptor(): void {\n if (!installed) return;\n\n // Restore fetch\n if (originalFetch) {\n globalThis.fetch = originalFetch;\n originalFetch = undefined;\n }\n\n // Unsubscribe from diagnostics channels\n unsubCreate?.();\n unsubHeaders?.();\n unsubError?.();\n unsubCreate = undefined;\n unsubHeaders = undefined;\n unsubError = undefined;\n\n installed = false;\n}\n\n/**\n * Run an async function with trace context attached via AsyncLocalStorage.\n * Any HTTP calls made within `fn` (via undici or fetch) will include\n * traceId/parentSpanId in their HttpCallReport.\n */\nexport function runWithTraceContext<T>(\n ctx: TraceContext,\n fn: () => T | Promise<T>,\n): Promise<T> {\n return traceStore.run(ctx, fn) as Promise<T>;\n}\n", "export interface SecureChannelConfig {\n inviteToken: string;\n dataDir: string;\n apiUrl: string;\n agentName?: string;\n agentVersion?: string;\n platform?: string;\n maxHistorySize?: number; // max stored messages for cross-device replay (default 500)\n webhookUrl?: string; // URL to register for webhook notifications from backend\n httpPort?: number; // Local HTTP port for proactive sends (default: none)\n onMessage?: (plaintext: string, metadata: MessageMetadata) => void;\n onStateChange?: (state: ChannelState) => void;\n onA2AMessage?: (msg: A2AMessage) => void;\n /** Called when an A2A channel becomes ready (approved or activated). */\n onA2AChannelReady?: (info: {\n channelId: string;\n peerHubAddress: string;\n role: \"creator\" | \"member\";\n conversationId: string;\n topic?: string;\n }) => void;\n /** Enable client-side policy scanning. If true, rules are fetched on connect. */\n enableScanning?: boolean;\n /** If set, auto-backup encrypted state to server after state changes. */\n backupCode?: string;\n}\n\nexport type ChannelState =\n | \"idle\"\n | \"enrolling\"\n | \"polling\"\n | \"activating\"\n | \"connecting\"\n | \"ready\"\n | \"disconnected\"\n | \"error\";\n\nexport interface AttachmentData {\n filename: string;\n mime: string;\n size: number;\n filePath: string;\n /** Base64-encoded decrypted content (for images passed to LLM vision) */\n base64?: string;\n /** Extracted text content (for text-based files) */\n textContent?: string;\n}\n\nexport interface MessageMetadata {\n messageId: string;\n conversationId: string;\n timestamp: string;\n topicId?: string;\n attachment?: AttachmentData;\n spanId?: string;\n parentSpanId?: string;\n messageType?: string;\n priority?: string;\n envelopeVersion?: string;\n /** Set when the message originated from a multi-agent room */\n roomId?: string;\n /** Device ID of the sender (room messages only) */\n senderDeviceId?: string;\n /** Whether the sender is an agent (vs owner) \u2014 room messages only */\n senderIsAgent?: boolean;\n /** Display name of the sender (room messages only) */\n senderName?: string;\n /** Human-readable room name (room messages only) */\n roomName?: string;\n /** Set when this message is a coordinator task (AES job dispatch) */\n coordinatorTask?: boolean;\n /** Coordinator job ID */\n jobId?: string;\n /** Coordinator task ID */\n taskId?: string;\n /** Coordinator job phase */\n phase?: string;\n /** Coordinator task timeout in seconds */\n timeoutSec?: number;\n}\n\nexport interface SendOptions {\n /** Target a specific conversation instead of broadcasting to all sessions */\n conversationId?: string;\n topicId?: string;\n messageType?: string;\n priority?: string;\n parentSpanId?: string;\n metadata?: Record<string, unknown>;\n}\n\nexport interface DecisionOption {\n option_id: string;\n label: string;\n risk_level: \"low\" | \"medium\" | \"high\" | \"critical\";\n is_default?: boolean;\n}\n\nexport interface ContextRef {\n type: string;\n uri: string;\n label: string;\n}\n\nexport interface DecisionRequest {\n title: string;\n description?: string;\n options: DecisionOption[];\n context_refs?: ContextRef[];\n deadline?: string; // ISO 8601\n auto_action?: {\n option_id: string;\n trigger: string;\n description?: string;\n };\n}\n\nexport interface DecisionResponse {\n decision_id: string;\n selected_option_id?: string;\n resolved_at?: string; // ISO 8601\n action?: \"approve\" | \"deny\" | \"defer\";\n defer_until?: string;\n defer_reason?: string;\n}\n\nexport interface HistoryEntry {\n sender: \"owner\" | \"agent\";\n text: string;\n ts: string; // ISO 8601\n topicId?: string; // topic this message belongs to\n}\n\nexport interface DeviceSession {\n ownerDeviceId: string;\n ratchetState: string; // serialized DoubleRatchet\n activated?: boolean; // true after first owner message received\n epoch?: number; // ratchet generation \u2014 incremented on each resync/rekey\n}\n\nexport interface PersistedState {\n deviceId: string;\n deviceJwt: string;\n primaryConversationId: string;\n sessions: Record<string, DeviceSession>; // conversationId -> session\n identityKeypair: { publicKey: string; privateKey: string }; // hex\n ephemeralKeypair: { publicKey: string; privateKey: string }; // hex\n fingerprint: string;\n lastMessageTimestamp?: string; // ISO timestamp of last received message\n messageHistory?: HistoryEntry[]; // stored messages for cross-device replay\n topics?: Array<{ id: string; name: string; isDefault: boolean }>;\n defaultTopicId?: string;\n groupId?: string;\n hubAddress?: string;\n hubId?: string; // hub UUID \u2014 used for telemetry ingestion\n agentHubId?: string; // agent's hub_id (alias of hubId for routing clarity)\n agentRole?: \"lead\" | \"peer\"; // lead agent uses root workspace dir\n ownerHubId?: string; // owner's hub_id (populated from device_linked or enrollment)\n /** A2A channel state (agent-to-agent communication) */\n a2aChannels?: Record<string, {\n channelId: string;\n conversationId: string;\n role?: \"creator\" | \"member\";\n topic?: string;\n mlsGroupId?: string;\n participants: Array<{\n hubId: string;\n hubAddress: string;\n status: \"invited\" | \"active\" | \"left\" | \"removed\";\n }>;\n }>;\n /** Outbound messages queued while disconnected */\n outboundQueue?: Array<{\n convId: string;\n headerBlob: string;\n ciphertext: string;\n messageGroupId: string;\n topicId?: string;\n }>;\n /** Multi-agent room state */\n rooms?: Record<string, RoomState>;\n /** Last inbound room ID for sticky room routing across restarts */\n lastInboundRoomId?: string;\n /** Persisted message dedup IDs \u2014 survives restarts to prevent double-decrypt */\n seenMessageIds?: string[];\n /** Persisted A2A message dedup IDs */\n seenA2AMessageIds?: string[];\n /** Shadow mode skill configurations (synced from backend via WS) */\n shadowSkills?: Record<string, {\n sessionId: string;\n autonomyLevel: \"shadow\" | \"supervised\" | \"autonomous\";\n decisionClass: string;\n }>;\n /** MLS group state for 1:1 conversations (conversationId -> {mlsGroupId}) */\n mlsConversations?: Record<string, { mlsGroupId: string }>;\n}\n\n/** Legacy state format for backward compatibility */\nexport interface LegacyPersistedState {\n deviceId: string;\n deviceJwt: string;\n conversationId: string;\n identityKeypair: { publicKey: string; privateKey: string }; // hex\n ephemeralKeypair: { publicKey: string; privateKey: string }; // hex\n fingerprint: string;\n ratchetState: string; // serialized DoubleRatchet\n lastMessageTimestamp?: string;\n}\n\n// --- Room types (multi-agent rooms) ---\n\nexport interface RoomMemberInfo {\n deviceId: string;\n entityType: string;\n displayName: string;\n identityPublicKey?: string;\n ephemeralPublicKey?: string;\n}\n\nexport interface RoomConversationInfo {\n id: string;\n participantA: string;\n participantB: string;\n}\n\nexport interface RoomInfo {\n roomId: string;\n name: string;\n members: RoomMemberInfo[];\n conversationIds: string[];\n}\n\nexport interface RoomState {\n roomId: string;\n name: string;\n conversationIds: string[];\n members: RoomMemberInfo[];\n /** MLS group identifier (set when room uses MLS encryption) */\n mlsGroupId?: string;\n /** ISO timestamp of last MLS message received in this room (for sync catch-up) */\n lastMlsMessageTs?: string;\n}\n\nexport interface HeartbeatStatus {\n agent_status: string;\n current_task: string;\n}\n\nexport interface StatusAlert {\n title: string;\n message: string;\n severity: \"info\" | \"warning\" | \"error\" | \"critical\";\n detail?: string;\n detailFormat?: \"markdown\" | \"json\" | \"text\";\n category?: \"performance\" | \"security\" | \"error\" | \"info\";\n}\n\n// --- Room participant event types (team room join/leave) ---\n\nexport interface RoomParticipantEvent {\n roomId: string;\n participant: {\n deviceId: string;\n participantType: \"human\" | \"agent\";\n displayName?: string;\n };\n}\n\n// --- A2A Channel types (agent-to-agent communication) ---\n\nexport interface A2AChannelParticipant {\n id: string;\n hub_id: string;\n hub_address: string;\n agent_name: string;\n tenant_id: string;\n device_id: string | null;\n role: \"creator\" | \"member\";\n status: \"invited\" | \"active\" | \"left\" | \"removed\";\n observer_enabled: boolean;\n joined_at: string | null;\n left_at: string | null;\n}\n\nexport interface A2AChannel {\n channelId: string;\n creator_hub_id: string;\n conversationId: string | null;\n status: \"pending\" | \"approved\" | \"active\" | \"rejected\" | \"revoked\";\n createdAt: string;\n max_participants: number;\n participant_count: number;\n participants: A2AChannelParticipant[];\n topic?: string;\n}\n\nexport interface A2AMessage {\n text: string;\n fromHubAddress: string;\n channelId: string;\n conversationId: string;\n parentSpanId?: string;\n timestamp: string;\n}\n\n// --- Unified Delivery Protocol types ---\n\n/** Explicit routing target for outbound messages. */\nexport type DeliveryTarget =\n | { kind: \"owner\" }\n | { kind: \"room\"; roomId: string }\n | { kind: \"a2a\"; hubAddress: string }\n | { kind: \"context\" }; // Resolve from _lastInboundRoomId (opt-in only)\n\nexport interface ShadowRecommendation {\n sessionId: string;\n skillName: string;\n decisionClass: string;\n recommendedAction: string;\n reasoningTrace?: string;\n observationId: string;\n}\n\n/** Structured message content for the deliver() dispatcher. */\nexport type DeliveryContent =\n | { type: \"text\"; text: string }\n | { type: \"decision_request\"; request: DecisionRequest }\n | { type: \"status_alert\"; alert: StatusAlert }\n | { type: \"action_confirmation\"; confirmation: ActionConfirmation }\n | { type: \"artifact\"; artifact: ArtifactPayload }\n | { type: \"attachment\"; text: string; filePath: string }\n | { type: \"policy_alert\"; alert: PolicyAlert }\n | { type: \"approval_request\"; request: ApprovalRequest }\n | { type: \"approval_response\"; response: ApprovalResponse }\n | { type: \"shadow_recommendation\"; recommendation: ShadowRecommendation };\n\nexport interface ActionConfirmation {\n action: string;\n status: \"completed\" | \"failed\" | \"partial\";\n decisionId?: string;\n detail?: string;\n estimated_cost?: number;\n}\n\nexport interface ArtifactPayload {\n filePath: string;\n filename: string;\n mimeType: string;\n description?: string;\n}\n\n/** Notify agent owner of a policy violation. */\nexport interface PolicyAlert {\n ruleId: string;\n scope: \"tool\" | \"model\" | \"rate\" | \"network\" | \"custom\";\n action: \"block\" | \"warn\" | \"log\";\n violationType: string;\n message: string;\n skillName?: string;\n toolName?: string;\n model?: string;\n timestamp?: string;\n}\n\n/** Human-in-the-loop gate for sensitive operations. */\nexport interface ApprovalRequest {\n approvalId: string;\n category: string;\n title: string;\n description: string;\n details?: Record<string, unknown>;\n expiresAt?: string;\n requiredTier?: string;\n}\n\n/** Owner response to an approval request. */\nexport interface ApprovalResponse {\n approvalId: string;\n approved: boolean;\n reason?: string;\n conditions?: string[];\n signature?: string; // Ed25519 signed approval artifact\n}\n\n// ---------------------------------------------------------------------------\n// Credential Delivery Protocol types\n// ---------------------------------------------------------------------------\n\nexport interface CredentialGrantPayload {\n type: \"credential_grant\";\n agreement_id: string;\n credentials: Array<{\n key: string;\n value: string;\n type: string; // \"api_key\", \"oauth_token\", etc.\n scope: string; // \"read\", \"write\", \"admin\"\n }>;\n timestamp: string;\n nonce: string;\n}\n\nexport interface CredentialRevokePayload {\n type: \"credential_revoke\";\n agreement_id: string;\n credential_keys: string[];\n reason?: string;\n timestamp: string;\n}\n\nexport interface CredentialAckPayload {\n type: \"credential_ack\";\n agreement_id: string;\n acknowledged_keys: string[];\n status: \"stored\" | \"revoked\";\n timestamp: string;\n}\n\nexport interface CredentialRequestPayload {\n type: \"credential_request\";\n agreement_id: string;\n requested_keys: string[];\n reason?: string;\n timestamp: string;\n}\n\nexport interface DeliveryOptions {\n conversationId?: string;\n topicId?: string;\n priority?: string;\n parentSpanId?: string;\n metadata?: Record<string, unknown>;\n}\n\nexport interface DeliveryReceipt {\n ok: boolean;\n destination: { kind: \"owner\" | \"room\" | \"a2a\"; id?: string };\n error?: string;\n queued?: boolean;\n decisionId?: string;\n timestamp: string;\n}\n\nexport interface TargetInfo {\n kind: \"owner\" | \"room\" | \"a2a\";\n id: string;\n label: string;\n available: boolean;\n}\n\n/**\n * Parse a string target into a DeliveryTarget.\n * Handles: \"owner\", \"default\", \"room:<uuid>\", \"a2a:<hubAddr>\", \"context\",\n * \"agentvault:room:<uuid>\" (channel-prefixed), \"agent:<name>\" (\u2192 a2a).\n */\nexport function parseTarget(raw: string): DeliveryTarget {\n // Strip channel prefix: \"agentvault:room:X\" \u2192 \"room:X\"\n let target = raw;\n if (target.startsWith(\"agentvault:\")) {\n target = target.slice(\"agentvault:\".length);\n }\n\n // Map \"agent:X\" \u2192 \"a2a:X\" (OpenClaw uses \"agent:\", plugin uses \"a2a:\")\n if (target.startsWith(\"agent:\")) {\n target = \"a2a:\" + target.slice(\"agent:\".length);\n }\n\n if (target === \"owner\" || target === \"default\") {\n return { kind: \"owner\" };\n }\n if (target === \"context\") {\n return { kind: \"context\" };\n }\n if (target.startsWith(\"room:\")) {\n const roomId = target.slice(\"room:\".length);\n if (!roomId) throw new Error(`Invalid room target: \"${raw}\" \u2014 missing room ID`);\n return { kind: \"room\", roomId };\n }\n if (target.startsWith(\"a2a:\")) {\n const hubAddress = target.slice(\"a2a:\".length);\n if (!hubAddress) throw new Error(`Invalid A2A target: \"${raw}\" \u2014 missing hub address`);\n return { kind: \"a2a\", hubAddress };\n }\n\n throw new Error(`Unrecognized delivery target: \"${raw}\". Use \"owner\", \"room:<id>\", \"a2a:<addr>\", or \"context\".`);\n}\n\nexport interface TrustTokenState {\n token: string | null;\n tier: string | null;\n expiresAt: string | null;\n}\n"],
|
|
5
|
-
"mappings": ";;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA4BA,eAAsB,kBACpB,QACA,SACwB;AACxB,QAAM,OAAO,OAAO;AACpB,MAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,uBAAuB,EAAE;AAAA,EAC3E;AAEA,MAAI;AAEF,QAAI;AAGJ,QAAI,YAAa,OAAO,eAAe,OAAO,eAAe,OAAO;AAGpE,QAAI,CAAC,aAAa,OAAO,cAAc,OAAO,OAAO,eAAe,UAAU;AAC5E,YAAM,UAAU,QAAQ,qBAAqB,OAAO,UAAoB;AACxE,UAAI,QAAS,aAAY;AAAA,IAC3B;AAEA,QAAI,aAAa,OAAO,cAAc,UAAU;AAC9C,eAAS,EAAE,MAAM,OAAO,YAAY,UAAU;AAAA,IAChD,WAAW,OAAO,OAAO,YAAY,UAAU;AAC7C,eAAS,EAAE,MAAM,QAAQ,QAAQ,OAAO,QAAQ;AAAA,IAClD,WAAW,OAAO,WAAW,WAAW;AACtC,eAAS,EAAE,MAAM,UAAU;AAAA,IAC7B,WAAW,OAAO,aAAa,OAAO,OAAO,cAAc,UAAU;AAEnE,YAAMA,WAAU,MAAM,QAAQ;AAAA,QAC5B,EAAE,MAAM,QAAQ;AAAA,QAChB,EAAE,MAAM,cAAc,MAAsB,UAAU,OAAO,UAAoB;AAAA,QACjF,EAAE,SAAS,OAAO,QAA8B;AAAA,MAClD;AACA,aAAO;AAAA,QACL,QAAQA,SAAQ,KAAK,MAAM;AAAA,QAC3B,MAAM;AAAA,UACJ,IAAIA,SAAQ;AAAA,UACZ,aAAaA,SAAQ;AAAA,UACrB,GAAIA,SAAQ,QAAQ,EAAE,OAAOA,SAAQ,MAAM,IAAI,CAAC;AAAA,QAClD;AAAA,MACF;AAAA,IACF,OAAO;AAEL,eAAS,EAAE,MAAM,QAAQ;AAAA,IAC3B;AAEA,UAAM,UAAU,MAAM,QAAQ;AAAA,MAC5B;AAAA,MACA,EAAE,MAAM,QAAQ,KAAqB;AAAA,MACrC;AAAA,QACE,SAAS,OAAO;AAAA,QAChB,UAAU,OAAO;AAAA,QACjB,UAAU;AAAA,UACR,GAAI,OAAO;AAAA,UACX,GAAI,OAAO,eAAe,EAAE,cAAc,OAAO,aAAa,IAAI,CAAC;AAAA,QACrE;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ,QAAQ,KAAK,MAAM;AAAA,MAC3B,MAAM;AAAA,QACJ,IAAI,QAAQ;AAAA,QACZ,aAAa,QAAQ;AAAA,QACrB,GAAI,QAAQ,QAAQ,EAAE,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClD;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE,EAAE;AAAA,EAChE;AACF;AAKA,eAAsB,oBACpB,QACA,SACwB;AACxB,MAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,UAAU;AACvD,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,yBAAyB,EAAE;AAAA,EAC7E;AAEA,MAAI;AACF,UAAM,eAAe;AAAA,MACnB,QAAQ,OAAO;AAAA,MACf,QAAS,OAAO,UAAU;AAAA,MAC1B,YAAY,OAAO;AAAA,MACnB,QAAQ,OAAO;AAAA,MACf,gBAAgB,OAAO;AAAA,IACzB;AAGA,UAAM,SAA0B,OAAO,WAAW,OAAO,OAAO,YAAY,WACxE,EAAE,MAAM,QAAQ,QAAQ,OAAO,QAAQ,IACvC,EAAE,MAAM,QAAQ;AAEpB,UAAM,UAAU,MAAM,QAAQ;AAAA,MAC5B;AAAA,MACA,EAAE,MAAM,uBAAuB,aAAa;AAAA,IAC9C;AAEA,WAAO;AAAA,MACL,QAAQ,QAAQ,KAAK,MAAM;AAAA,MAC3B,MAAM;AAAA,QACJ,IAAI,QAAQ;AAAA,QACZ,aAAa,QAAQ;AAAA,QACrB,GAAI,QAAQ,QAAQ,EAAE,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClD;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE,EAAE;AAAA,EAChE;AACF;AAKA,eAAsB,sBACpB,QACA,SACwB;AACxB,QAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,wBAAwB,EAAE;AAAA,EAC5E;AAEA,QAAM,UAAU,OAAO;AACvB,MAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AACjD,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,mDAAmD,EAAE;AAAA,EACvG;AAEA,aAAW,OAAO,SAAS;AACzB,QAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,aAAa,CAAC,IAAI,OAAO;AACnE,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,gDAAgD,EAAE;AAAA,IACpG;AAAA,EACF;AAEA,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ,oBAAoB;AAAA,MACpD;AAAA,MACA,aAAa,OAAO;AAAA,MACpB;AAAA,MACA,cAAc,OAAO;AAAA,MACrB,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,MAAM,YAAY,EAAE;AAAA,EACxD,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE,EAAE;AAAA,EAChE;AACF;AAKO,SAAS,oBAAoB,SAAuC;AACzE,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ,YAAY;AAAA,MAC9B,UAAU,QAAQ;AAAA,IACpB;AAAA,EACF;AACF;AAKO,SAAS,qBAAqB,SAAuC;AAC1E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,SAAS,QAAQ,YAAY;AAAA,MAC7B,SAAS,QAAQ,oBACb,EAAE,MAAM,QAAQ,QAAQ,QAAQ,kBAAkB,IAClD,EAAE,MAAM,QAAQ;AAAA,IACtB;AAAA,EACF;AACF;AAKO,SAAS,mBACd,SACe;AACf,QAAM,QAAQ,QAAQ;AACtB,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,EAAE,IAAI,OAAO,OAAO,oBAAoB;AAAA,IAChD;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,MAAM,QAAQ;AAAA,MACd,WAAW;AAAA,MACX,kBAAkB,QAAQ;AAAA,IAC5B;AAAA,EACF;AACF;AAQO,SAAS,uBACd,WACA,MACA,eACe;AACf,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,YAAY;AAAA,QACV,CAAC,cAAc,SAAS,EAAE,GAAG;AAAA,UAC3B,KAAK,oBAAoB,IAAI;AAAA,QAC/B;AAAA,MACF;AAAA,MACA,OAAO;AAAA,QACL,OAAO;AAAA,QACP,cAAc;AAAA,QACd,WAAW;AAAA,QACX,MAAM;AAAA,QACN,cAAc;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACF;AA1QA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwBA,eAAsB,oBAAoB,MAA8C;AACtF,MAAI,iBAAiB,MAAM;AACzB,QAAI;AAEF,YAAMC,OAAM,MAAM,OAAO,kDAAkD;AAC3E,qBAAeA,KAAI,uBAAuBA,KAAI,SAAS,uBAAuB;AAAA,IAChF,QAAQ;AACN,qBAAe;AAAA,IACjB;AAAA,EACF;AACA,MAAI,OAAO,iBAAiB,YAAY;AACtC,QAAI;AACF,YAAM,aAAa,IAAI;AACvB,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAaA,eAAsB,aAAa,UAAmD;AACpF,MAAI,kBAAkB,MAAM;AAC1B,QAAI;AAEF,YAAMA,OAAM,MAAM,OAAO,gDAAgD;AACzE,sBAAgBA,KAAI,gBAAgBA,KAAI,SAAS,gBAAgB;AAAA,IACnE,QAAQ;AACN,sBAAgB;AAAA,IAClB;AAAA,EACF;AACA,MAAI,OAAO,kBAAkB,YAAY;AACvC,QAAI;AACF,aAAO,cAAc,QAAQ;AAAA,IAC/B,QAAQ;AACN,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AAAA,EACF;AACA,SAAO,MAAM;AAAA,EAAC;AAChB;AAaA,eAAsB,0BAA0B,UAAmD;AACjG,MAAI,kBAAkB,MAAM;AAC1B,QAAI;AAEF,YAAMA,OAAM,MAAM,OAAO,wDAAwD;AACjF,sBAAgBA,KAAI,6BAA6BA,KAAI,SAAS,6BAA6B;AAAA,IAC7F,QAAQ;AACN,sBAAgB;AAAA,IAClB;AAAA,EACF;AACA,MAAI,OAAO,kBAAkB,YAAY;AACvC,QAAI;AACF,aAAO,cAAc,QAAQ;AAAA,IAC/B,QAAQ;AACN,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AAAA,EACF;AACA,SAAO,MAAM;AAAA,EAAC;AAChB;AAzGA,IAiBI,cAiCA,eA+BA;AAjFJ;AAAA;AAAA;AAiBA,IAAI,eAA+E;AAiCnF,IAAI,gBAA2E;AA+B/E,IAAI,gBAA2E;AAAA;AAAA;;;ACjF/E;AAAA;AAAA;AAAA;AAYA,SAAS,iBAAiB;AAC1B,SAAS,qCAAqC;AAb9C,IAuEa;AAvEb;AAAA;AAAA;AAuEO,IAAM,sBAAN,MAA0B;AAAA,MACvB;AAAA,MACA,SAAuC,oBAAI,IAAI;AAAA,MAC/C;AAAA,MACA,cAAc;AAAA,MAEtB,YAAY,MAAqB;AAC/B,aAAK,OAAO;AACZ,aAAK,SAAS,IAAI,UAAU;AAAA,UAC1B,MAAM,cAAc,KAAK,SAAS;AAAA,UAClC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,cAAc,OAA8B;AAC1C,aAAK,OAAO,IAAI,MAAM,MAAM,KAAK;AAAA,MACnC;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,aAAmB;AACjB,YAAI,KAAK,YAAa;AAEtB,mBAAW,CAAC,MAAM,KAAK,KAAK,KAAK,QAAQ;AACvC,eAAK,qBAAqB,MAAM,KAAK;AAAA,QACvC;AAGA,aAAK,OAAO;AAAA,UACV;AAAA,UACA;AAAA,UACA,EAAE,aAAa,uCAAuC,UAAU,mBAAmB;AAAA,UACnF,YAAY;AACV,kBAAM,WAAW,MAAM,KAAK,KAAK,OAAO,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO;AAAA,cAC5D,MAAM,EAAE;AAAA,cACR,SAAS,EAAE;AAAA,cACX,aAAa,EAAE;AAAA,cACf,MAAM,EAAE;AAAA,cACR,KAAK,EAAE;AAAA,cACP,WAAW,CAAC,CAAC,EAAE;AAAA,cACf,iBAAiB,CAAC,CAAC,EAAE;AAAA,cACrB,mBAAmB,EAAE;AAAA,cACrB,cAAc,EAAE;AAAA,cAChB,eAAe,EAAE;AAAA,cACjB,eAAe,CAAC,EAAE,EAAE,gBAAgB,EAAE;AAAA,cACtC,iBAAiB,CAAC,CAAC,EAAE;AAAA,cACrB,kBAAkB,EAAE;AAAA,YACtB,EAAE;AACF,mBAAO;AAAA,cACL,UAAU,CAAC;AAAA,gBACT,KAAK;AAAA,gBACL,UAAU;AAAA,gBACV,MAAM,KAAK,UAAU,UAAU,MAAM,CAAC;AAAA,cACxC,CAAC;AAAA,YACH;AAAA,UACF;AAAA,QACF;AAGA,mBAAW,CAAC,MAAM,KAAK,KAAK,KAAK,QAAQ;AACvC,cAAI,MAAM,cAAc;AACtB,iBAAK,OAAO;AAAA,cACV;AAAA,cACA,MAAM,eAAe,oBAAoB,IAAI;AAAA,cAC7C,OAAO;AAAA,gBACL,UAAU,CAAC;AAAA,kBACT,MAAM;AAAA,kBACN,SAAS,EAAE,MAAM,QAAiB,MAAM,MAAM,aAAc;AAAA,gBAC9D,CAAC;AAAA,cACH;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAEA,aAAK,cAAc;AAAA,MACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAkBA,MAAM,cAAc,KAAsB,KAAoC;AAC5E,YAAI,CAAC,KAAK,aAAa;AACrB,eAAK,WAAW;AAAA,QAClB;AAGA,cAAM,SAAS,IAAI,QAAQ;AAC3B,cAAM,UAAU,WAAW,eAAe,WAAW,SAAS,WAAW;AAEzE,YAAI,CAAC,SAAS;AACZ,gBAAM,aAAa,IAAI,QAAQ;AAC/B,cAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,gBAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC;AACzD,gBAAI,IAAI,KAAK,UAAU,EAAE,OAAO,0CAA0C,CAAC,CAAC;AAC5E;AAAA,UACF;AAEA,gBAAM,QAAQ,WAAW,MAAM,CAAC;AAChC,gBAAM,QAAQ,MAAM,KAAK,YAAY,KAAK;AAC1C,cAAI,CAAC,OAAO;AACV,gBAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC;AACzD,gBAAI,IAAI,KAAK,UAAU,EAAE,OAAO,+BAA+B,CAAC,CAAC;AACjE;AAAA,UACF;AAAA,QACF;AAGA,cAAM,YAAY,IAAI,8BAA8B;AAAA,UAClD,oBAAoB;AAAA;AAAA,QACtB,CAAC;AAED,cAAM,KAAK,OAAO,QAAQ,SAAS;AAEnC,YAAI;AACF,gBAAM,UAAU,cAAc,KAAK,GAAG;AAAA,QACxC,UAAE;AAGA,gBAAM,UAAU,MAAM;AAAA,QACxB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYQ,qBAAqB,MAAc,OAA8B;AACvE,cAAM,cAAc,MAAM,eAAe,qBAAqB,IAAI;AAElE,aAAK,OAAO;AAAA,UACV;AAAA,UACA;AAAA,UACA,OAAO,SAAkC;AACvC,gBAAI,CAAC,KAAK,KAAK,UAAU;AACvB,qBAAO;AAAA,gBACL,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,UAAU,IAAI,sCAAsC,CAAC;AAAA,cAChG;AAAA,YACF;AACA,gBAAI;AACF,oBAAM,SAAS,MAAM,KAAK,KAAK,SAAS,MAAM,MAAM,KAAK;AACzD,oBAAM,OAAO,OAAO,WAAW,WAAW,SAAS,KAAK,UAAU,QAAQ,MAAM,CAAC;AACjF,qBAAO;AAAA,gBACL,SAAS,CAAC,EAAE,MAAM,QAAiB,KAAK,CAAC;AAAA,cAC3C;AAAA,YACF,SAAS,KAAc;AACrB,oBAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,qBAAO;AAAA,gBACL,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,yBAAyB,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,gBACvF,SAAS;AAAA,cACX;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,YAAY,OAAiC;AACzD,YAAI;AACF,gBAAM,MAAM,GAAG,KAAK,KAAK,MAAM;AAC/B,gBAAM,UAAkC;AAAA,YACtC,gBAAgB;AAAA,UAClB;AACA,cAAI,KAAK,KAAK,QAAQ;AACpB,oBAAQ,eAAe,IAAI,UAAU,KAAK,KAAK,MAAM;AAAA,UACvD;AACA,gBAAM,OAAO,MAAM,MAAM,KAAK;AAAA,YAC5B,QAAQ;AAAA,YACR;AAAA,YACA,MAAM,KAAK,UAAU,EAAE,MAAM,CAAC;AAAA,UAChC,CAAC;AACD,cAAI,CAAC,KAAK,GAAI,QAAO;AACrB,gBAAM,OAAQ,MAAM,KAAK,KAAK;AAC9B,iBAAO,KAAK,WAAW;AAAA,QACzB,QAAQ;AACN,iBAAO;AAAA,QACT;AAAA,MACF;AAAA;AAAA,MAIA,IAAI,aAAqB;AACvB,eAAO,KAAK,OAAO;AAAA,MACrB;AAAA,MAEA,IAAI,gBAAyB;AAC3B,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;AC/RA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0BA,SAAS,cAAc,YAAY,mBAAmB;AACtD,SAAS,SAAS,YAAY;AAgDvB,SAAS,aAAa,SAAyC;AACpE,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAGhC,MAAI,MAAM,CAAC,GAAG,KAAK,MAAM,MAAO,QAAO;AAEvC,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,QAAI,MAAM,CAAC,GAAG,KAAK,MAAM,OAAO;AAC9B,eAAS;AACT;AAAA,IACF;AAAA,EACF;AAEA,MAAI,WAAW,GAAI,QAAO;AAG1B,QAAM,mBAAmB,MAAM,MAAM,GAAG,MAAM;AAC9C,QAAM,cAAc,gBAAgB,iBAAiB,KAAK,IAAI,CAAC;AAE/D,MAAI,CAAC,YAAY,KAAM,QAAO;AAG9B,QAAM,mBAAmB,MAAM,MAAM,SAAS,CAAC;AAC/C,QAAM,eAAe,iBAAiB,KAAK,IAAI,EAAE,KAAK;AAEtD,QAAM,QAAyB;AAAA,IAC7B,MAAM,YAAY;AAAA,IAClB,SAAS,YAAY;AAAA,IACrB,aAAa,YAAY;AAAA,IACzB,MAAM,YAAY;AAAA,IAClB,aAAa,YAAY;AAAA,IACzB,eAAe,YAAY;AAAA,IAC3B,cAAc,gBAAgB;AAAA,EAChC;AAGA,MAAI,YAAY,YAAY;AAC1B,UAAM,KAAK,YAAY;AACvB,QAAI,GAAG,cAAe,OAAM,oBAAoB,GAAG;AACnD,QAAI,GAAG,SAAS,aAAc,OAAM,eAAe,GAAG,QAAQ;AAC9D,QAAI,GAAG,SAAS,UAAW,OAAM,cAAc,GAAG,QAAQ;AAC1D,QAAI,GAAG,SAAS,cAAe,OAAM,eAAe,GAAG,QAAQ;AAC/D,QAAI,GAAG,OAAO,QAAS,OAAM,eAAe,GAAG,MAAM;AACrD,QAAI,GAAG,OAAO,QAAS,OAAM,gBAAgB,GAAG,MAAM;AACtD,QAAI,GAAG,OAAO,QAAS,OAAM,eAAe,GAAG,MAAM;AACrD,QAAI,GAAG,UAAW,OAAM,YAAY,GAAG;AACvC,QAAI,GAAG,iBAAkB,OAAM,mBAAmB,GAAG;AAAA,EACvD;AAEA,SAAO;AACT;AAOA,SAAS,gBAAgB,MAAuC;AAC9D,QAAM,SAAkC,CAAC;AACzC,QAAM,QAAQ,KAAK,MAAM,IAAI;AAG7B,QAAM,QAA8E,CAAC;AACrF,MAAI,aAAa;AAEjB,WAAS,WAAW,KAAsB;AACxC,UAAM,QAAQ,IAAI,QAAQ,gBAAgB,EAAE;AAC5C,UAAM,MAAM,OAAO,KAAK;AACxB,QAAI,CAAC,MAAM,GAAG,KAAK,UAAU,GAAI,QAAO;AACxC,QAAI,UAAU,OAAQ,QAAO;AAC7B,QAAI,UAAU,QAAS,QAAO;AAC9B,WAAO;AAAA,EACT;AAEA,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG,EAAG;AAEzC,UAAM,SAAS,KAAK,SAAS,KAAK,UAAU,EAAE;AAG9C,WAAO,MAAM,SAAS,KAAK,UAAU,MAAM,MAAM,SAAS,CAAC,EAAG,QAAQ;AACpE,YAAM,SAAS,MAAM,IAAI;AACzB,mBAAa,MAAM,SAAS,IAAI,MAAM,MAAM,SAAS,CAAC,EAAG,MAAM;AAE/D,iBAAW,OAAO,GAAG,IAAI,OAAO;AAAA,IAClC;AAGA,UAAM,mBAAmB,QAAQ,MAAM,8BAA8B;AACrE,QAAI,kBAAkB;AACpB,YAAM,MAAM,iBAAiB,CAAC;AAC9B,YAAM,SAAS,iBAAiB,CAAC,EAC9B,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,gBAAgB,EAAE,CAAC;AAClD,UAAI,MAAM,SAAS,GAAG;AACpB,cAAM,MAAM,SAAS,CAAC,EAAG,IAAI,GAAG,IAAI;AAAA,MACtC,OAAO;AACL,mBAAW,GAAG,IAAI;AAAA,MACpB;AACA;AAAA,IACF;AAGA,UAAM,UAAU,QAAQ,MAAM,0BAA0B;AACxD,QAAI,SAAS;AACX,YAAM,MAAM,QAAQ,CAAC;AACrB,YAAM,MAAM,WAAW,QAAQ,CAAC,CAAE;AAClC,UAAI,MAAM,SAAS,GAAG;AACpB,cAAM,MAAM,SAAS,CAAC,EAAG,IAAI,GAAG,IAAI;AAAA,MACtC,OAAO;AACL,mBAAW,GAAG,IAAI;AAAA,MACpB;AACA;AAAA,IACF;AAGA,UAAM,cAAc,QAAQ,MAAM,mBAAmB;AACrD,QAAI,aAAa;AACf,YAAM,MAAM,YAAY,CAAC;AACzB,YAAM,SAAkC,CAAC;AACzC,YAAM,KAAK,EAAE,KAAK,KAAK,QAAQ,OAAO,CAAC;AACvC;AAAA,IACF;AAAA,EACF;AAGA,SAAO,MAAM,SAAS,GAAG;AACvB,UAAM,SAAS,MAAM,IAAI;AACzB,UAAMC,UAAS,MAAM,SAAS,IAAI,MAAM,MAAM,SAAS,CAAC,EAAG,MAAM;AACjE,IAAAA,QAAO,OAAO,GAAG,IAAI,OAAO;AAAA,EAC9B;AAEA,SAAO;AACT;AAUO,SAAS,wBAAwB,KAAgC;AACtE,QAAM,SAA4B,CAAC;AACnC,QAAM,SAAS,QAAQ,GAAG;AAE1B,MAAI,CAAC,WAAW,MAAM,EAAG,QAAO;AAEhC,QAAM,OAAO,oBAAI,IAAY;AAE7B,WAAS,QAAQ,UAAwB;AACvC,QAAI,KAAK,IAAI,QAAQ,EAAG;AACxB,SAAK,IAAI,QAAQ;AACjB,QAAI;AACF,YAAM,UAAU,aAAa,UAAU,OAAO;AAC9C,YAAM,QAAQ,aAAa,OAAO;AAClC,UAAI,MAAO,QAAO,KAAK,KAAK;AAAA,IAC9B,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,MAAI;AACF,UAAM,UAAU,YAAY,QAAQ,EAAE,eAAe,KAAK,CAAC;AAC3D,eAAW,SAAS,SAAS;AAC3B,UAAI,MAAM,OAAO,KAAK,MAAM,KAAK,SAAS,UAAU,GAAG;AAErD,gBAAQ,KAAK,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClC,WAAW,MAAM,YAAY,GAAG;AAE9B,cAAM,WAAW,KAAK,QAAQ,MAAM,MAAM,UAAU;AACpD,YAAI,WAAW,QAAQ,GAAG;AACxB,kBAAQ,QAAQ;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO;AACT;AAKA,eAAsB,kBACpB,QACA,QACA,OAC4B;AAC5B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,0BAA0B,KAAK,WAAW;AAAA,MACzE,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,IAC/C,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO,CAAC;AAErB,UAAM,OAAQ,MAAM,IAAI,KAAK;AAY7B,WAAO,KAAK,IAAI,CAAC,SAAS;AAAA,MACxB,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,aAAa,IAAI;AAAA,MACjB,aAAa,IAAI;AAAA,MACjB,eAAe,IAAI;AAAA,MACnB,MAAM,IAAI;AAAA,MACV,cAAc,IAAI;AAAA,IACpB,EAAE;AAAA,EACJ,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAKO,SAAS,YACd,OACA,QACe;AACf,QAAM,SAAS,oBAAI,IAA6B;AAGhD,aAAW,SAAS,QAAQ;AAC1B,WAAO,IAAI,MAAM,MAAM,KAAK;AAAA,EAC9B;AAGA,aAAW,SAAS,OAAO;AACzB,WAAO,IAAI,MAAM,MAAM,KAAK;AAAA,EAC9B;AAEA,QAAM,SACJ,MAAM,SAAS,KAAK,OAAO,SAAS,IAChC,WACA,MAAM,SAAS,IACb,UACA;AAER,SAAO;AAAA,IACL,QAAQ,MAAM,KAAK,OAAO,OAAO,CAAC;AAAA,IAClC;AAAA,EACF;AACF;AA3UA;AAAA;AAAA;AAAA;AAAA;;;ACAA;;;;;;;ACOA,SACE,wBACA,yBACK;AAVP;;;AAWA;;;;;ACXA,SAAS,qBAAAC,0BAAyB;AAAlC;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,kBAAkB;AAA9C;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,yBAAyB,OAAO,SAAS,cAAAC,aAAY,UAAU,cAAc;AAAzG,IAIM,gBACA,cACA;AANN;;;AAIA,IAAM,iBAAiB,IAAI,WAAW,CAAC,CAAI,CAAC;AAC5C,IAAM,eAAe,IAAI,WAAW,CAAC,CAAI,CAAC;AAC1C,IAAM,kBAAkB,IAAI,WAAW,CAAC,CAAI,CAAC;;;;;ACN7C,SAAS,qBAAAC,oBAAmB,SAAAC,cAAa;AAAzC;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,cAAAC,mBAAkB;AAA9C;;;;;;;ACAA;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,cAAAC,mBAAkB;AAA9C;;;;;;;ACYA,SAAS,qBAAAC,0BAAyB;AAZlC;;;AAcA;;;;;ACdA,SAAS,SAAAC,QAAO,WAAAC,UAAS,YAAY,UAAU,cAAAC,aAAY,YAAY,qBAAqB;AAStF,SAAU,WAAW,OAAiB;AAC1C,SAAOF,OAAM,KAAK;AACpB;AAMM,SAAU,cAAc,OAAiB;AAC7C,SAAO,SAAS,KAAK;AACvB;AAnBA;;;;;;;ACAA;;;;;;;ACAA;;;AAiBA;;;;;ACRA,SAAS,qBAAAG,oBAAmB,2BAAAC,0BAAyB,cAAAC,aAAY,YAAYC,sBAAqB;AAuFlG,eAAsB,gBACpB,MACA,MAAgB;AAEhB,QAAM,WAAWH,mBAAiB;AAClC,QAAM,YAAYE,YAAW,IAAI;AACjC,SAAO,SAAS,aAAa,WAAW,MAAM,SAAS;AACzD;AAQA,eAAsB,cACpB,QACA,MAAY;AAEZ,QAAM,WAAWF,mBAAiB;AAClC,QAAM,OAAO,SAAS,YAAY,UAAU;AAC5C,QAAM,MAAM,MAAM,gBAAgB,MAAM,IAAI;AAC5C,SAAO,qBAAqB,QAAQ,KAAK,IAAI;AAC/C;AAOA,eAAsB,qBACpB,QACA,KACA,MAAgB;AAEhB,QAAM,WAAWA,mBAAiB;AAClC,QAAM,SAASC,yBAAuB;AACtC,QAAM,YAAYC,YAAW,KAAK,UAAU,MAAM,CAAC;AACnD,QAAM,EAAE,YAAY,MAAK,IAAK,MAAM,SAAS,iBAAiB,KAAK,SAAS;AAG5E,QAAM,SAAS,IAAI,WAAW,aAAa,MAAM,SAAS,WAAW,MAAM;AAC3E,SAAO,IAAI,MAAM,CAAC;AAClB,SAAO,IAAI,OAAO,UAAU;AAC5B,SAAO,IAAI,YAAY,aAAa,MAAM,MAAM;AAChD,SAAO;AACT;AAqDA,eAAsB,eAAe,MAAY;AAC/C,QAAM,WAAWF,mBAAiB;AAClC,SAAO,SAAS,KAAKE,YAAW,IAAI,CAAC;AACvC;AAtMA,IAcM,YACA,WAEA;AAjBN;;;AAcA,IAAM,aAAa;AACnB,IAAM,YAAY;AAElB,IAAM,kBAAkB,MAAM;;;;;ACC9B,SAAS,qBAAAE,qBAAmB,SAAAC,QAAO,WAAAC,gBAAe;AAlBlD;;;AAmBA;;;;;ACdM,SAAU,OAAU,KAAqB;AAC7C,SAAO,CAAC,MAAQ;AACd,UAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC;AAC1B,UAAM,MAAM,IAAI,YAAY,GAAG;AAC/B,UAAM,GAAG,GAAG;AACZ,WAAO,IAAI,WAAW,GAAG;EAC3B;AACF;AAEM,SAAU,uBAA6B,KAAuB,GAAwB;AAC1F,SAAO,CAAC,MAAS,IAAI,EAAE,CAAC,CAAC;AAC3B;AAEM,SAAU,wBACd,UACA,SAAwB;AAExB,SAAO,CAAC,UAAY;AAClB,UAAM,SAAS,QAAQ,KAAK;AAC5B,QAAI,cAAc;AAClB,QAAI,aAAa,CAAC,SAAiB,YAAwB;IAAE;AAC7D,aAAS,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;AACxC,YAAM,CAAC,KAAK,KAAK,IAAI,SAAS,CAAC,EAAG,OAAO,CAAC,CAAC;AAC3C,YAAM,UAAU;AAChB,YAAM,aAAa;AACnB,mBAAa,CAAC,QAAgB,WAAuB;AACnD,gBAAQ,QAAQ,MAAM;AACtB,cAAM,SAAS,YAAY,MAAM;MACnC;AACA,qBAAe;IACjB;AACA,WAAO,CAAC,aAAa,UAAU;EACjC;AACF;AAjCA,IAyCa;AAzCb;;AAyCO,IAAM,UAAmE,CAAC,GAAG,MAAK;IAAE,CAAC;;;;;AC7C5F,IAEa,cAQA,aAEA,aAKA,eAQA,cAEA,cASA,eAQA,cAEA,cASA,eAQA,cAEA;AAjEb;;;AAEO,IAAM,eAAsC,CAAC,MAAM;MACxD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAQ,CAAC;MACzB;;AAGK,IAAM,cAA+B,OAAO,YAAY;AAExD,IAAM,cAA+B,CAAC,GAAG,WAAU;AACxD,YAAM,QAAQ,EAAE,GAAG,MAAM;AACzB,aAAO,UAAU,SAAY,CAAC,OAAO,CAAC,IAAI;IAC5C;AAEO,IAAM,gBAAuC,CAAC,MAAM;MACzD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,UAAU,QAAQ,CAAC;MAC1B;;AAGK,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,CAAC,GAAG,WAAU;AACzD,YAAM,OAAO,IAAI,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AAC9D,UAAI;AACF,eAAO,CAAC,KAAK,UAAU,MAAM,GAAG,CAAC;MACnC,SAAS,GAAG;AACV,eAAO;MACT;IACF;AAEO,IAAM,gBAAuC,CAAC,MAAM;MACzD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,UAAU,QAAQ,CAAC;MAC1B;;AAGK,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,CAAC,GAAG,WAAU;AACzD,YAAM,OAAO,IAAI,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AAC9D,UAAI;AACF,eAAO,CAAC,KAAK,UAAU,MAAM,GAAG,CAAC;MACnC,SAAS,GAAG;AACV,eAAO;MACT;IACF;AAEO,IAAM,gBAAuC,CAAC,MAAM;MACzD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,aAAa,QAAQ,CAAC;MAC7B;;AAGK,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,CAAC,GAAG,WAAU;AACzD,YAAM,OAAO,IAAI,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AAC9D,UAAI;AACF,eAAO,CAAC,KAAK,aAAa,MAAM,GAAG,CAAC;MACtC,SAAS,GAAG;AACV,eAAO;MACT;IACF;;;;;ACtEM,SAAU,WAAiB,KAAiB,GAAc;AAC9D,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,IAAI,GAAG,MAAM;AACvB,QAAI,MAAM,QAAW;AACnB,YAAM,CAAC,GAAG,CAAC,IAAI;AACf,aAAO,CAAC,EAAE,CAAC,GAAG,CAAC;IACjB;EACF;AACF;AAEM,SAAU,kBACd,UACA,GAAgC;AAEhC,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,UAAU,YAAY,UAAU,CAAC,EAAE,GAAG,MAAM;AAClD,QAAI,YAAY;AAAW,aAAO;SAC7B;AACH,YAAM,CAAC,GAAG,GAAG,IAAI;AACjB,aAAO,MAAM,SAAY,CAAC,GAAG,GAAG,IAAI;IACtC;EACF;AACF;AAEM,SAAU,YACd,UACA,GAAoB;AAEpB,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,SAAS,SAAS,OAQtB,CAAC,KAAK,YAAW;AACf,UAAI,CAAC;AAAK,eAAO;AAEjB,YAAM,UAAU,QAAQ,GAAG,IAAI,MAAM;AACrC,UAAI,CAAC;AAAS,eAAO;AAErB,YAAM,CAAC,OAAO,MAAM,IAAI;AACxB,aAAO;QACL,QAAQ,CAAC,GAAG,IAAI,QAAQ,KAAK;QAC7B,QAAQ,IAAI,SAAS;QACrB,aAAa,IAAI,cAAc;;IAEnC,GACA,EAAE,QAAQ,CAAA,GAAI,QAAQ,aAAa,EAAC,CAAE;AAGxC,QAAI,CAAC;AAAQ;AACb,WAAO,CAAC,EAAE,GAAI,OAAO,MAAY,GAAG,OAAO,WAAW;EACxD;AACF;AAEM,SAAU,iBAAuB,KAAiB,GAA0B;AAChF,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,IAAI,GAAG,MAAM;AACvB,QAAI,MAAM,QAAW;AACnB,YAAM,CAAC,GAAG,CAAC,IAAI;AACf,YAAM,IAAI,EAAE,CAAC;AACb,aAAO,MAAM,SAAY,CAAC,GAAG,CAAC,IAAI;IACpC;EACF;AACF;AAEM,SAAU,eAAqB,KAAiB,GAAuB;AAC3E,SAAO,qBAAqB,KAAK,GAAG,CAAC,IAAI,MAAM,CAAC;AAClD;AAEM,SAAU,UAAgB,MAAkB,MAAgB;AAChE,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,KAAK,GAAG,MAAM;AACxB,WAAO,IAAI,IAAI,KAAK,GAAG,MAAM;EAC/B;AACF;AAEM,SAAU,qBACd,KACA,GACA,GAAoB;AAEpB,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,WAAW,IAAI,GAAG,MAAM;AAC9B,QAAI,aAAa,QAAW;AAC1B,YAAM,CAAC,GAAG,GAAG,IAAI;AACjB,YAAM,WAAW,EAAE,CAAC;AACpB,YAAM,WAAW,SAAS,GAAG,SAAS,GAAG;AACzC,UAAI,aAAa,QAAW;AAC1B,cAAM,CAAC,GAAG,IAAI,IAAI;AAClB,eAAO,CAAC,EAAE,GAAG,CAAC,GAAG,MAAM,IAAI;MAC7B;IACF;EACF;AACF;AAEM,SAAU,eAAkB,GAAI;AACpC,SAAO,MAAM,CAAC,GAAG,CAAC;AACpB;AAEM,SAAU,cAAW;AACzB,SAAO,MAAM;AACf;AAzGA;;;;;;ACHM,SAAU,gBAAkC,GAAoB;AACpE,SAAO,CAAC,MAAO,OAAO,OAAO,CAAC,EAAE,SAAS,CAAC,IAAK,WAAW,CAAC,EAAE,CAAC,IAAU;AAC1E;AAEM,SAAU,WAA6C,KAAM;AACjE,SAAO,OAAO,QAAQ,GAAG,EAAE,OACzB,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO;IACtB,GAAG;IACH,CAAC,KAAK,GAAG;MAEX,CAAA,CAAE;AAEN;AACM,SAAU,oBAAsC,KAAsB;AAC1E,SAAO,CAAC,MAAK;AACX,UAAM,UAAU,gBAAgB,GAAG,EAAE,CAAC;AACtC,QAAI,YAAY;AAAW,aAAO,EAAE,SAAQ;;AACvC,aAAO;EACd;AACF;AAEM,SAAU,sBAAwC,KAAsB;AAC5E,SAAO,CAAC,MAAK;AACX,UAAM,IAAI,IAAI,CAAC;AACf,QAAI,MAAM;AAAW,aAAO,OAAO,CAAC;;AAC/B,aAAO;EACd;AACF;AA3BA;;;;;;ACAA,IAMa,sBAcA,4BAKA,2BAEA;AA3Bb;;;AACA;AACA;AACA;AAGO,IAAM,uBAAuB;MAClC,KAAK;MACL,QAAQ;MACR,QAAQ;MACR,KAAK;MACL,QAAQ;MACR,eAAe;MACf,0BAA0B;;AAOrB,IAAM,6BAAqE,uBAChF,eACA,CAAC,MAAM,qBAAqB,CAAC,CAAC;AAGzB,IAAM,4BAA8D,OAAO,0BAA0B;AAErG,IAAM,4BAA8D,iBACzE,cACA,gBAAgB,oBAAoB,CAAC;;;;;AC7BvC,IAMa,uBAYA,6BAKA,4BAEA;AAzBb;;;AACA;AACA;AACA;AAGO,IAAM,wBAAwB;MACnC,gBAAgB;MAChB,cAAc;MACd,uBAAuB;MACvB,cAAc;MACd,kBAAkB;;AAOb,IAAM,8BAAuE,uBAClF,eACA,CAAC,MAAM,sBAAsB,CAAC,CAAC;AAG1B,IAAM,6BAAgE,OAAO,2BAA2B;AAExG,IAAM,6BAAgE,iBAC3E,cACA,gBAAgB,qBAAqB,CAAC;;;;;ACdxC;;;;;;ACbA,IAAa,UAcA,YAmCA;AAjDb;;AAAM,IAAO,WAAP,cAAwB,MAAK;MACjC,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AAUI,IAAO,aAAP,cAA0B,SAAQ;MACtC,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AA+BI,IAAO,gBAAP,cAA6B,SAAQ;MACzC,YAAY,SAAe;AACzB,cAAM,uFAAuF,OAAO,EAAE;AACtG,aAAK,OAAO;MACd;;;;;;AC9BI,SAAUC,eAAc,OAAiB;AAC7C,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;EAC7C,OAAO;AACL,QAAI,SAAS;AACb,UAAM,QAAQ,CAAC,MAAO,UAAU,OAAO,aAAa,CAAC,CAAE;AACvD,WAAO,WAAW,KAAK,MAAM;EAC/B;AACF;AAEM,SAAU,cAAc,QAAc;AAC1C,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO,WAAW,KAAK,OAAO,KAAK,QAAQ,QAAQ,CAAC;EACtD,OAAO;AACL,UAAM,SAAS,WAAW,KAAK,MAAM;AACrC,UAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,aAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,YAAM,CAAC,IAAI,OAAO,WAAW,CAAC;IAChC;AACA,WAAO;EACT;AACF;AA5CA;;;;;;ACmBM,SAAU,cAAc,KAAW;AACvC,MAAI,MAAM,IAAI;AACZ,WAAO;MACL;MACA,CAAC,QAAQ,WAAU;AAEjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAQ,MAAM,EAAU;MACxC;;EAEJ,WAAW,MAAM,OAAO;AACtB,WAAO;MACL;MACA,CAAC,QAAQ,WAAU;AAEjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAU,OAAO,IAAK,KAAc,EAAU;AAC5D,aAAK,SAAS,SAAS,GAAG,MAAM,GAAI;MACtC;;EAEJ,WAAW,MAAM,YAAY;AAC3B,WAAO;MACL;MACA,CAAC,QAAQ,WAAU;AAEjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAU,OAAO,KAAM,KAAc,GAAU;AAC7D,aAAK,SAAS,SAAS,GAAI,OAAO,KAAM,GAAI;AAC5C,aAAK,SAAS,SAAS,GAAI,OAAO,IAAK,GAAI;AAC3C,aAAK,SAAS,SAAS,GAAG,MAAM,GAAI;MACtC;;EAEJ,OAAO;AACL,UAAM,IAAI,WAAW,8CAA8C;EACrE;AACF;AAEM,SAAU,gBAAgB,MAAkB,SAAiB,GAAC;AAClE,MAAI,UAAU,KAAK,QAAQ;AACzB,UAAM,IAAI,WAAW,sBAAsB;EAC7C;AAEA,QAAM,YAAY,KAAK,MAAM;AAC7B,QAAM,SAAS,aAAa;AAE5B,MAAI,WAAW,GAAG;AAChB,WAAO,EAAE,QAAQ,YAAY,IAAY,iBAAiB,EAAC;EAC7D,WAAW,WAAW,GAAG;AACvB,QAAI,SAAS,IAAI,KAAK;AAAQ,YAAM,IAAI,WAAW,0BAA0B;AAC7E,WAAO,EAAE,SAAU,YAAY,OAAe,IAAM,KAAK,SAAS,CAAC,GAAc,iBAAiB,EAAC;EACrG,WAAW,WAAW,GAAG;AACvB,QAAI,SAAS,IAAI,KAAK;AAAQ,YAAM,IAAI,WAAW,0BAA0B;AAC7E,WAAO;MACL,SACI,YAAY,OAAe,KAC3B,KAAK,SAAS,CAAC,KAAgB,KAC/B,KAAK,SAAS,CAAC,KAAgB,IAChC,KAAK,SAAS,CAAC;MAClB,iBAAiB;;EAErB,OAAO;AACL,UAAM,IAAI,WAAW,oDAAoD;EAC3E;AACF;AAkBM,SAAU,kBAAqB,KAAqB;AACxD,SAAO,CAAC,SAAQ;AACd,QAAI,cAAc;AAClB,QAAI,aAAa,CAAC,SAAiB,YAAwB;IAAE;AAC7D,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,YAAM,CAAC,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,CAAE;AACjC,YAAM,UAAU;AAChB,YAAM,aAAa;AACnB,mBAAa,CAAC,QAAgB,WAAuB;AACnD,gBAAQ,QAAQ,MAAM;AACtB,cAAM,SAAS,YAAY,MAAM;MACnC;AACA,qBAAe;IACjB;AACA,UAAM,CAAC,cAAc,WAAW,IAAI,cAAc,WAAW;AAC7D,WAAO;MACL,eAAe;MACf,CAAC,QAAQ,WAAU;AACjB,oBAAY,QAAQ,MAAM;AAC1B,mBAAW,SAAS,cAAc,MAAM;MAC1C;;EAEJ;AACF;AAEM,SAAU,iBAAoB,KAAe;AACjD,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,iBAAiB,GAAG,MAAM;AACpC,QAAI,MAAM;AAAW;AAErB,UAAM,CAAC,YAAY,WAAW,IAAI;AAElC,QAAI,SAAS;AACb,UAAM,SAAc,CAAA;AAEpB,WAAO,SAAS,WAAW,QAAQ;AACjC,YAAM,OAAO,IAAI,YAAY,MAAM;AACnC,UAAI,SAAS;AAAW,eAAO;AAE/B,YAAM,CAAC,OAAO,GAAG,IAAI;AACrB,aAAO,KAAK,KAAK;AACjB,gBAAU;IACZ;AAEA,WAAO,CAAC,QAAQ,WAAW;EAC7B;AACF;AAEM,SAAU,oBAAuB,cAA8B;AACnE,QAAM,eAAe,wBACnB,CAAC,uBAAuB,mBAAmB,aAAa,GAAG,YAAY,GACvE,CAAC,CAAC,KAAK,KAAK,MAAmB,CAAC,KAAK,KAAK,CAAU;AAGtD,SAAO,wBAAwB,CAAC,kBAAkB,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,QAAQ,MAAM,CAAC,CAAU;AACjH;AAEM,SAAU,mBAAsB,aAAuB;AAC3D,SAAO,WACL,iBACE,YAAY,CAAC,WAAW,kBAAkBC,cAAa,GAAG,WAAW,GAAG,CAAC,KAAK,UAAU,CAAC,KAAK,KAAK,CAAU,CAAC,GAEhH,CAAC,YAAW;AACV,UAAM,SAA4B,CAAA;AAClC,eAAW,CAAC,KAAK,KAAK,KAAK,SAAS;AAClC,aAAO,GAAG,IAAI;IAChB;AACA,WAAO;EACT,CAAC;AAEL;AAEM,SAAU,oBACd,eACA,cAA8B;AAE9B,QAAM,eAAe,wBACnB,CAAC,eAAe,YAAY,GAC5B,CAAC,CAAC,KAAK,KAAK,MAAmB,CAAC,KAAK,KAAK,CAAU;AAGtD,SAAO,uBAAuB,kBAAkB,YAAY,GAAG,CAAC,WAC9D,OAAO,QAAQ,MAAM,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,OAAO,GAAG,GAAG,KAAK,CAAgB,CAAC;AAErF;AAEM,SAAU,mBACd,cACA,aAAuB;AAEvB,SAAO,WACL,iBAAiB,YAAY,CAAC,cAAc,WAAW,GAAG,CAAC,KAAK,UAAU,CAAC,KAAK,KAAK,CAAU,CAAC,GAChG,CAAC,YAAW;AACV,UAAM,SAA4B,CAAA;AAClC,eAAW,CAAC,KAAK,KAAK,KAAK,SAAS;AAClC,aAAO,GAAG,IAAI;IAChB;AACA,WAAO;EACT,CAAC;AAEL;AACM,SAAU,iBAAoB,cAA8B;AAChE,QAAM,eAAe,wBACnB,CAAC,eAAe,YAAY,GAC5B,CAAC,CAAC,KAAK,KAAK,MAAmB,CAAC,KAAK,KAAK,CAAU;AAGtD,SAAO,uBAAuB,kBAAkB,YAAY,GAAG,CAAC,QAAQ,MAAM,KAAK,IAAI,QAAO,CAAE,CAAC;AACnG;AAEM,SAAU,gBAAmB,aAAuB;AACxD,SAAO,WACL,iBAAiB,YAAY,CAAC,cAAc,WAAW,GAAG,CAAC,KAAK,UAAU,CAAC,KAAK,KAAK,CAAU,CAAC,GAChG,CAAC,YAAY,IAAI,IAAI,OAAO,CAAC;AAEjC;AAvNA,IAMa,mBA8EA;AApFb;;;AACA;AACA;AACA;AACA;AAEO,IAAM,oBAA+C,CAAC,SAAQ;AACnE,YAAM,CAAC,KAAK,KAAK,IAAI,cAAc,KAAK,MAAM;AAE9C,aAAO;QACL,MAAM,KAAK;QACX,CAAC,QAAQ,WAAU;AACjB,gBAAM,QAAQ,MAAM;AACpB,gBAAM,OAAO,IAAI,WAAW,MAAM;AAClC,eAAK,IAAI,MAAM,SAAS,GAAG;QAC7B;;IAEJ;AAmEO,IAAM,mBAAwC,CAAC,KAAK,WAAU;AACnE,UAAI,UAAU,IAAI,QAAQ;AACxB,cAAM,IAAI,WAAW,sBAAsB;MAC7C;AAEA,YAAM,EAAE,QAAQ,gBAAe,IAAK,gBAAgB,KAAK,MAAM;AAE/D,YAAM,aAAa,kBAAkB;AACrC,UAAI,SAAS,aAAa,IAAI,QAAQ;AACpC,cAAM,IAAI,WAAW,4BAA4B;MACnD;AAEA,YAAM,OAAO,IAAI,SAAS,SAAS,iBAAiB,SAAS,UAAU;AACvE,aAAO,CAAC,MAAM,UAAU;IAC1B;;;;;AClGA;;;;;;ACAA,IAea,sBAGA,qBAEA,qBAQA,kBAKA,iBAEA;AAnCb;;;AACA;AACA;AACA;AACA;AAMA;AAKO,IAAM,uBAAqD,CAAC,MACjE,OAAO,MAAM,WAAW,cAAc,CAAC,IAAI,4BAA4B,CAAC;AAEnE,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,UAAU,4BAA4B,YAAY;AAQtG,IAAM,mBAA6C,wBACxD,CAAC,sBAAsB,iBAAiB,GACxC,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,aAAa,CAAU;AAG7C,IAAM,kBAAsC,OAAO,gBAAgB;AAEnE,IAAM,kBAAsC,YACjD,CAAC,qBAAqB,gBAAgB,GACtC,CAAC,eAAe,mBAAmB,EAAE,eAAe,cAAa,EAAG;;;;;ACrCtE,IAMa,iBASA,uBAKA,sBAEA;AAtBb;;;AACA;AACA;AACA;AAGO,IAAM,kBAAkB;MAC7B,OAAO;MACP,MAAM;;AAOD,IAAM,wBAA2D,uBACtE,eACA,sBAAsB,eAAe,CAAC;AAGjC,IAAM,uBAAoD,OAAO,qBAAqB;AAEtF,IAAM,uBAAoD,iBAC/D,cACA,oBAAoB,eAAe,CAAC;;;;;ACxBtC,IA0Ba,wBAKA,uBAEA,uBAKA,sBAEA,yBAKA,wBAEA,mBAWA,kBAEP,uBAKA,sBAKO;AAtEb;;;AACA;AACA;AACA;AAuBO,IAAM,yBAAyD,wBACpE,CAAC,uBAAuB,iBAAiB,GACzC,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,QAAQ,CAAU;AAGzC,IAAM,wBAAkD,OAAO,sBAAsB;AAErF,IAAM,wBAAuD,wBAClE,CAAC,uBAAuB,kBAAkB,iBAAiB,CAAC,GAC5D,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,YAAY,CAAU;AAG7C,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,0BAA2D,wBACtE,CAAC,uBAAuB,iBAAiB,GACzC,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,IAAI,CAAU;AAGrC,IAAM,yBAAoD,OAAO,uBAAuB;AAExF,IAAM,oBAA+C,CAAC,MAAK;AAChE,cAAQ,EAAE,gBAAgB;QACxB,KAAK;AACH,iBAAO,uBAAuB,CAAC;QACjC,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC;AACE,iBAAO,wBAAwB,CAAqB;MACxD;IACF;AAEO,IAAM,mBAAwC,OAAO,iBAAiB;AAE7E,IAAM,wBAAkD,WAAW,kBAAkB,CAAC,cAAc;MAClG,gBAAgB;MAChB;MACA;AAEF,IAAM,uBAAgD,WACpD,iBAAiB,gBAAgB,GACjC,CAAC,kBAAkB,EAAE,gBAAgB,QAAQ,aAAY,EAAG;AAGvD,IAAM,mBAAwC,eACnD,sBACA,CAAC,mBAAuC;AACtC,cAAQ,gBAAgB;QACtB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;;;;;AC/EH,IAWa,uBAMA,sBAGA;AApBb;;;AACA;AACA;AACA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,iBAAiB,GACrC,CAAC,MAAM,CAAC,EAAE,oBAAoB,EAAE,UAAU,CAAU;AAI/C,IAAM,uBAAgD,OAAO,qBAAqB;AAGlF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,gBAAgB,GACnC,CAAC,oBAAoB,gBAAgB,EAAE,oBAAoB,WAAU,EAAG;;;;;ACtB1E;;;AACA;;;;;ACGM,SAAU,gBAAmB,SAAyB;AAC1D,SAAO,CAAC,MAAK;AACX,QAAI,GAAG;AACL,YAAM,CAAC,KAAK,KAAK,IAAI,QAAQ,CAAC;AAC9B,aAAO;QACL,MAAM;QACN,CAAC,QAAQ,WAAU;AACjB,gBAAM,OAAO,IAAI,SAAS,MAAM;AAChC,eAAK,SAAS,QAAQ,CAAG;AACzB,gBAAM,SAAS,GAAG,MAAM;QAC1B;;IAEJ,OAAO;AACL,aAAO;QACL;QACA,CAAC,QAAQ,WAAU;AACjB,gBAAM,OAAO,IAAI,SAAS,MAAM;AAChC,eAAK,SAAS,QAAQ,CAAG;QAC3B;;IAEJ;EACF;AACF;AAEM,SAAU,eAAkB,SAAmB;AACnD,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,gBAAgB,YAAY,GAAG,MAAM,IAAI,CAAC;AAChD,QAAI,iBAAiB,GAAG;AACtB,YAAM,SAAS,QAAQ,GAAG,SAAS,CAAC;AACpC,aAAO,WAAW,SAAY,SAAY,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IACrE,OAAO;AACL,aAAO,CAAC,QAAW,CAAC;IACtB;EACF;AACF;AAtCA;;;;;;;ACIA,IAiBa,cA0BA,oBAKA,mBAEA;AAlDb;;;AACA;AACA;AACA;AAcO,IAAM,eAAe;MAC1B,8CAA8C;MAC9C,yCAAyC;MACzC,qDAAqD;MACrD,0CAA0C;MAC1C,yCAAyC;MACzC,iDAAiD;MACjD,yCAAyC;MACzC,2CAA2C;MAC3C,kDAAkD;MAClD,2CAA2C;MAC3C,kDAAkD;MAClD,4CAA4C;MAC5C,mDAAmD;MACnD,wCAAwC;MACxC,+CAA+C;MAC/C,4CAA4C;MAC5C,mDAAmD;MACnD,wCAAwC;MACxC,+CAA+C;;AAO1C,IAAM,qBAAqD,uBAChE,eACA,sBAAsB,YAAY,CAAC;AAG9B,IAAM,oBAA8C,OAAO,kBAAkB;AAE7E,IAAM,oBAA8C,iBACzD,cACA,oBAAoB,YAAY,CAAC;;;;;ACxDnC;;;AACA;;;;;ACDA,IAMa,kBAQA,wBAKA,uBAEA;AArBb;;;AACA;AACA;AACA;AAGO,IAAM,mBAAmB;MAC9B,OAAO;;AAOF,IAAM,yBAA6D,uBACxE,eACA,CAAC,MAAM,iBAAiB,CAAC,CAAC;AAGrB,IAAM,wBAAsD,OAAO,sBAAsB;AAEzF,IAAM,wBAAsD,iBACjE,cACA,gBAAgB,gBAAgB,CAAC;;;;;ACvBnC,IAiBa,qBAWA,oBAEA;AA9Bb;;;AACA;AACA;AACA;AACA;AACA;AACA;AAWO,IAAM,sBAAmD,wBAC9D;MACE,kBAAkB,sBAAsB;MACxC,kBAAkB,kBAAkB;MACpC,kBAAkB,aAAa;MAC/B,kBAAkB,aAAa;MAC/B,kBAAkB,qBAAqB;OAEzC,CAAC,QAAQ,CAAC,IAAI,UAAU,IAAI,cAAc,IAAI,YAAY,IAAI,WAAW,IAAI,WAAW,CAAU;AAG7F,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD;MACE,iBAAiB,qBAAqB;MACtC,iBAAiB,iBAAiB;MAClC,iBAAiB,YAAY;MAC7B,iBAAiB,YAAY;MAC7B,iBAAiB,oBAAoB;OAEvC,CAAC,UAAUC,eAAc,YAAY,WAAW,iBAAiB;MAC/D;MACA,cAAAA;MACA;MACA;MACA;MACA;;;;;AC5CJ,IAKM,iBASO,uBAKA,sBAEA;AArBb;;;AACA;AACA;AACA;AAEA,IAAM,kBAAkB;MACtB,aAAa;MACb,QAAQ;MACR,QAAQ;;AAMH,IAAM,wBAA2D,uBACtE,cACA,CAAC,MAAM,gBAAgB,CAAC,CAAC;AAGpB,IAAM,uBAAoD,OAAO,qBAAqB;AAEtF,IAAM,uBAAoD,iBAC/D,aACA,gBAAgB,eAAe,CAAC;;;;;ACvBlC,IAUa,iBAKA,gBAEA;AAjBb;;;AACA;AACA;AAQO,IAAM,kBAA2C,wBACtD,CAAC,eAAe,aAAa,GAC7B,CAAC,OAAO,CAAC,GAAG,WAAW,GAAG,QAAQ,CAAU;AAGvC,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,iBAAoC,YAAY,CAAC,cAAc,YAAY,GAAG,CAAC,WAAW,cAAc;MACnH;MACA;MACA;;;;;ACpBF,IAmBa,qBAKA,oBAEA,oBAiCA,+BAKA,8BAEA,kCAKA,iCAEA,kCAKA,iCAIA,4BAWA,2BAEA,8BASA,iCAQA,iCASA,2BAyBA,2BAKA,0BAEA,2BAKA,0BAEA,qBAWA,oBAEA,0BASA,0BASA,oBAoBA,oBAKA,mBAKA,iBAKA,gBAEA,gBAYA,0BAOA,sBAOA;AA9Pb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAUO,IAAM,sBAAmD,wBAC9D,CAAC,mBAAmB,mBAAmB,mBAAmB,mBAAmB,GAC7E,CAAC,SAAS,CAAC,KAAK,eAAe,KAAK,oBAAoB,KAAK,YAAY,KAAK,YAAY,CAAU;AAG/F,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD,CAAC,kBAAkB,kBAAkB,kBAAkB,kBAAkB,GACzE,CAAC,eAAe,oBAAoB,YAAY,kBAAkB;MAChE;MACA;MACA;MACA;MACA;AA0BG,IAAM,gCAAuE,wBAClF,CAAC,uBAAuB,iBAAiB,kBAAkB,gBAAgB,CAAC,GAC5E,CAAC,SAAS,CAAC,eAAe,KAAK,UAAU,KAAK,UAAU,CAAU;AAG7D,IAAM,+BAAgE,OAAO,6BAA6B;AAE1G,IAAM,mCAA6E,wBACxF,CAAC,uBAAuB,kBAAkB,gBAAgB,CAAC,GAC3D,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,UAAU,CAAU;AAG3C,IAAM,kCAA+D,OAAO,gCAAgC;AAE5G,IAAM,mCAA6E,wBACxF,CAAC,uBAAuB,mBAAmB,kBAAkB,gBAAgB,CAAC,GAC9E,CAAC,SAAS,CAAC,KAAK,gBAAgB,KAAK,YAAY,KAAK,UAAU,CAAU;AAGrE,IAAM,kCAAsE,OACjF,gCAAgC;AAG3B,IAAM,6BAAiE,CAAC,SAAQ;AACrF,cAAQ,KAAK,gBAAgB;QAC3B,KAAK;AACH,iBAAO,8BAA8B,IAAI;QAC3C,KAAK;AACH,iBAAO,iCAAiC,IAAI;QAC9C,KAAK;AACH,iBAAO,iCAAiC,IAAI;MAChD;IACF;AAEO,IAAM,4BAA0D,OAAO,0BAA0B;AAEjG,IAAM,+BAAgE,YAC3E,CAAC,gBAAgB,iBAAiB,eAAe,CAAC,GAClD,CAAC,UAAU,gBAAgB;MACzB,gBAAgB;MAChB;MACA;MACA;AAGG,IAAM,kCAAsE,WACjF,iBAAiB,eAAe,GAChC,CAAC,gBAAgB;MACf,gBAAgB;MAChB;MACA;AAGG,IAAM,kCAAsE,YACjF,CAAC,kBAAkB,iBAAiB,eAAe,CAAC,GACpD,CAAC,YAAY,gBAAgB;MAC3B,gBAAgB;MAChB;MACA;MACA;AAGG,IAAM,4BAA0D,eACrE,sBACA,CAAC,mBAAgD;AAC/C,cAAQ,gBAAgB;QACtB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;AAcI,IAAM,4BAA+D,wBAC1E,CAAC,kCAAkC,mBAAmB,aAAa,GACnE,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,CAAU;AAGtC,IAAM,2BAAwD,OAAO,yBAAyB;AAE9F,IAAM,4BAA+D,wBAC1E,CAAC,kCAAkC,mBAAmB,aAAa,GACnE,CAAC,SAAS,CAAC,MAAM,KAAK,SAAS,KAAK,SAAS,CAAU;AAGlD,IAAM,2BAAwD,OAAO,yBAAyB;AAE9F,IAAM,sBAAmD,CAAC,SAAQ;AACvE,cAAQ,KAAK,gBAAgB;QAC3B,KAAK;AACH,iBAAO,8BAA8B,IAAI;QAC3C,KAAK;AACH,iBAAO,0BAA0B,IAAI;QACvC,KAAK;AACH,iBAAO,0BAA0B,IAAI;MACzC;IACF;AAEO,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,2BAAwD,YACnE,CAAC,iCAAiC,kBAAkB,YAAY,GAChE,CAAC,IAAI,SAAS,eAAe;MAC3B,GAAG;MACH;MACA;MACA;AAGG,IAAM,2BAAwD,YACnE,CAAC,iCAAiC,kBAAkB,YAAY,GAChE,CAAC,IAAI,SAAS,eAAe;MAC3B,GAAG;MACH;MACA;MACA;AAGG,IAAM,qBAA4C,eACvD,sBACA,CAAC,mBAAyC;AACxC,cAAQ,gBAAgB;QACtB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;AASI,IAAM,qBAAiD,wBAC5D,CAAC,qBAAqB,mBAAmB,GACzC,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAU;AAGvB,IAAM,oBAA0C,OAAO,kBAAkB;AAKzE,IAAM,kBAA2C,wBACtD,CAAC,qBAAqB,4BAA4B,iBAAiB,GACnE,CAAC,aAAa,CAAC,UAAU,UAAU,SAAS,SAAS,CAAU;AAG1D,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,iBAAoC,YAC/C,CAAC,oBAAoB,2BAA2B,gBAAgB,GAChE,CAAC,MAAM,MAAM,eAAe;MAC1B,GAAG;MACH,GAAG;MACH;MACA;AAMG,IAAM,2BAAwD,iBAAiB,gBAAgB,CAAC,OACrG,GAAG,mBAAmB,gBAAgB,KAAK,MAAS;AAM/C,IAAM,uBAAgD,iBAAiB,gBAAgB,CAAC,OAC7F,GAAG,mBAAmB,WAAW,KAAK,MAAS;AAM1C,IAAM,uBAAgD,iBAAiB,gBAAgB,CAAC,OAC7F,GAAG,mBAAmB,WAAW,KAAK,MAAS;;;;;AC/PjD,IA4Ba,sBAYA,qBAEA,qBAoBA,mBAKA,kBAEA;AArEb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAoBO,IAAM,uBAAqD,wBAChE,CAAC,wBAAwB,oBAAoB,mBAAmB,iBAAiB,kBAAkB,gBAAgB,CAAC,GACpH,CAAC,kBACC;MACE,cAAc;MACd,cAAc;MACd,cAAc;MACd,cAAc;MACd,cAAc;KACN;AAGP,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,YACzD;MACE;MACA;MACA;MACA;MACA,iBAAiB,eAAe;OAElC,CAAC,SAAS,aAAa,SAAS,UAAU,gBAAgB;MACxD;MACA;MACA;MACA;MACA;MACA;AAMG,IAAM,oBAA+C,wBAC1D,CAAC,sBAAsB,iBAAiB,GACxC,CAAC,eAAe,CAAC,YAAY,WAAW,SAAS,CAAU;AAGtD,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,qBAAqB,gBAAgB,GACtC,CAAC,eAAe,eAAe;MAC7B,GAAG;MACH;MACA;;;;;AC1EJ;;;AACA;AACA;;;;;ACFA,IASa,UAQA,gBAEA,eACA,eAGA,qBAUA,2BAKA,0BAEA,0BAoBP,uBAKA,yBAKA,yBAOO,gBASA,eAEA,eAqBA,cAKA,aAEA,aAWA,iBAKA,gBAEA;AAtIb;;;AACA;AACA;AACA;AAEA;AAEA;AAEO,IAAM,WAAW;MACtB,UAAU;MACV,YAAY;;AAMP,IAAM,iBAA6C,uBAAuB,cAAc,CAAC,MAAM,SAAS,CAAC,CAAC;AAE1G,IAAM,gBAAsC,OAAO,cAAc;AACjE,IAAM,gBAAsC,iBAAiB,aAAa,gBAAgB,QAAQ,CAAC;AAGnG,IAAM,sBAAsB;MACjC,aAAa;MACb,QAAQ;MACR,QAAQ;;AAOH,IAAM,4BAAmE,uBAC9E,cACA,CAAC,MAAM,oBAAoB,CAAC,CAAC;AAGxB,IAAM,2BAA4D,OAAO,yBAAyB;AAElG,IAAM,2BAA4D,iBACvE,aACA,gBAAgB,mBAAmB,CAAC;AAkBtC,IAAM,wBAAwD,wBAC5D,CAAC,gBAAgB,iBAAiB,GAClC,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,KAAK,CAAU;AAGtC,IAAM,0BAA4D,wBAChE,CAAC,gBAAgB,2BAA2B,mBAAmB,aAAa,GAC5E,CAAC,SAAS,CAAC,KAAK,SAAS,KAAK,OAAO,KAAK,YAAY,KAAK,QAAQ,CAAU;AAG/E,IAAM,0BAA0B,YAC9B,CAAC,0BAA0B,kBAAkB,YAAY,GACzD,CAAC,OAAO,YAAY,aAAY;AAC9B,aAAO,EAAE,OAAO,YAAY,SAAQ;IACtC,CAAC;AAGI,IAAM,iBAAyC,CAAC,SAAQ;AAC7D,cAAQ,KAAK,SAAS;QACpB,KAAK;AACH,iBAAO,sBAAsB,IAAI;QACnC,KAAK;AACH,iBAAO,wBAAwB,IAAI;MACvC;IACF;AAEO,IAAM,gBAAkC,OAAO,cAAc;AAE7D,IAAM,gBAAkC,eAAe,eAAe,CAAC,YAA6B;AACzG,cAAQ,SAAS;QACf,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAAC,WAAW;YAC9C;YACA;YACA;QACJ,KAAK;AACH,iBAAO,WAAW,yBAAyB,CAAC,gBAAgB;YAC1D;YACA,GAAG;YACH;MACN;IACF,CAAC;AAQM,IAAM,eAA8C,wBACzD,CAAC,gBAAgB,iBAAiB,GAClC,CAAC,UAAU,CAAC,OAAO,MAAM,QAAQ,CAAU;AAGtC,IAAM,cAAuC,OAAO,YAAY;AAEhE,IAAM,cAAuC,YAClD,CAAC,eAAe,gBAAgB,GAChC,CAAC,MAAM,cAAc,EAAE,GAAG,MAAM,SAAQ,EAAG;AAStC,IAAM,kBAA2C,wBACtD,CAAC,cAAc,eAAe,aAAa,GAC3C,CAAC,UAAU,CAAC,MAAM,IAAI,MAAM,OAAO,MAAM,KAAK,CAAU;AAGnD,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,iBAAoC,YAC/C,CAAC,aAAa,cAAc,YAAY,GACxC,CAAC,IAAI,OAAO,WAAW,EAAE,IAAI,OAAO,MAAK,EAAG;;;;;ACwIxC,SAAU,qBAAqB,cAAoB;AACvD,SAAO,WAAW,kBAAkB,CAAC,kBAAkB,EAAE,cAAc,aAAY,EAAG;AACxF;AAlRA,IAiBa,YAEA,WACA,WAOA,eAEA,cACA,cAOA,eAEA,cACA,cAOA,YAEA,WACA,WAUA,eAKA,cAEA,cAUA,qBAKA,oBACA,oBAOA,+BAKA,8BAEA,8BAgEA,oBAKA,mBAEA,uBAKA,sBAEA,uBAKA,sBAEA,oBAKA,mBAEA,uBAKA,sBAEA,6BAKA,4BAEA,uCAMA,sCAIA,uBAKA,sBAEA,iBAqBA,gBAEA,mBAEA,sBAKA,sBAKA,mBAEA,sBAKA,4BAKA,sCASA;AApRb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOO,IAAM,aAAiC,uBAAuB,mBAAmB,CAAC,MAAM,EAAE,UAAU;AAEpG,IAAM,YAA0B,OAAO,UAAU;AACjD,IAAM,YAA0B,WAAW,kBAAkB,CAAC,gBAAgB,EAAE,WAAU,EAAG;AAO7F,IAAM,gBAAuC,uBAAuB,iBAAiB,CAAC,MAAM,EAAE,QAAQ;AAEtG,IAAM,eAAgC,OAAO,aAAa;AAC1D,IAAM,eAAgC,WAAW,sBAAsB,CAAC,cAAc,EAAE,SAAQ,EAAG;AAOnG,IAAM,gBAAuC,uBAAuB,eAAe,CAAC,MAAM,EAAE,OAAO;AAEnG,IAAM,eAAgC,OAAO,aAAa;AAC1D,IAAM,eAAgC,WAAW,cAAc,CAAC,aAAa,EAAE,QAAO,EAAG;AAOzF,IAAM,aAAiC,uBAAuB,cAAc,CAAC,MAAM,EAAE,cAAc;AAEnG,IAAM,YAA0B,OAAO,UAAU;AACjD,IAAM,YAA0B,WAAW,aAAa,CAAC,oBAAoB,EAAE,eAAc,EAAG;AAUhG,IAAM,gBAAuC,wBAClD,CAAC,mBAAmB,wBAAwB,oBAAoB,kBAAkB,gBAAgB,CAAC,GACnG,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,CAAU;AAG9D,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,YAC3C,CAAC,kBAAkB,uBAAuB,mBAAmB,iBAAiB,eAAe,CAAC,GAC9F,CAAC,SAAS,SAAS,aAAa,gBAAgB,EAAE,SAAS,SAAS,aAAa,WAAU,EAAG;AAQzF,IAAM,sBAAmD,uBAC9D,mBACA,CAAC,MAAM,EAAE,SAAS;AAGb,IAAM,qBAA4C,OAAO,mBAAmB;AAC5E,IAAM,qBAA4C,WAAW,kBAAkB,CAAC,eAAe,EAAE,UAAS,EAAG;AAO7G,IAAM,gCAAuE,uBAClF,kBAAkB,gBAAgB,GAClC,CAAC,MAAM,EAAE,UAAU;AAGd,IAAM,+BAAgE,OAAO,6BAA6B;AAE1G,IAAM,+BAAgE,WAC3E,iBAAiB,eAAe,GAChC,CAAC,gBAAgB,EAAE,WAAU,EAAG;AA8D3B,IAAM,qBAAiD,wBAC5D,CAAC,4BAA4B,UAAU,GACvC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,GAAG,CAAU;AAGlC,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,wBAAuD,wBAClE,CAAC,4BAA4B,aAAa,GAC1C,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,CAAU;AAGrC,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,wBAAuD,wBAClE,CAAC,4BAA4B,aAAa,GAC1C,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,CAAU;AAGrC,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,qBAAiD,wBAC5D,CAAC,4BAA4B,UAAU,GACvC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,GAAG,CAAU;AAGlC,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,wBAAuD,wBAClE,CAAC,4BAA4B,aAAa,GAC1C,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,CAAU;AAGrC,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,8BAAmE,wBAC9E,CAAC,4BAA4B,mBAAmB,GAChD,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,YAAY,CAAU;AAG3C,IAAM,6BAA4D,OAAO,2BAA2B;AAEpG,IAAM,wCACX,wBACE,CAAC,4BAA4B,6BAA6B,GAC1D,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,sBAAsB,CAAU;AAGvD,IAAM,uCAAgF,OAC3F,qCAAqC;AAGhC,IAAM,wBAAuD,wBAClE,CAAC,eAAe,iBAAiB,GACjC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,YAAY,CAAU;AAG3C,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,kBAA2C,CAAC,MAAK;AAC5D,cAAQ,EAAE,cAAc;QACtB,KAAK;AACH,iBAAO,mBAAmB,CAAC;QAC7B,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC,KAAK;AACH,iBAAO,mBAAmB,CAAC;QAC7B,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC,KAAK;AACH,iBAAO,4BAA4B,CAAC;QACtC,KAAK;AACH,iBAAO,sCAAsC,CAAC;QAChD;AACE,iBAAO,sBAAsB,CAAC;MAClC;IACF;AAEO,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,oBAA0C,WAAW,WAAW,CAACC,UAAS,EAAE,cAAc,OAAO,KAAAA,KAAG,EAAG;AAE7G,IAAM,uBAAgD,WAAW,cAAc,CAAC,YAAY;MACjG,cAAc;MACd;MACA;AAEK,IAAM,uBAAgD,WAAW,cAAc,CAAC,YAAY;MACjG,cAAc;MACd;MACA;AAEK,IAAM,oBAA0C,WAAW,WAAW,CAAC,SAAS,EAAE,cAAc,OAAO,IAAG,EAAG;AAE7G,IAAM,uBAAgD,WAAW,cAAc,CAAC,YAAY;MACjG,cAAc;MACd;MACA;AAEK,IAAM,6BAA4D,WACvE,oBACA,CAAC,kBAAkB,EAAE,cAAc,iBAAiB,aAAY,EAAG;AAG9D,IAAM,uCAAgF,WAC3F,8BACA,CAAC,4BAA4B,EAAE,cAAc,4BAA4B,uBAAsB,EAAG;AAO7F,IAAM,iBAAoC,UAC/C,eAAe,2BAA2B,CAAC,iBAAmC;AAC5E,cAAQ,cAAc;QACpB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC,GACD,eAAe,cAAc,CAAC,MAAM,qBAAqB,CAAC,CAAC,CAAC;;;;;ACvS9D,IAOM,oBAQO,0BAKA,yBAEA,yBAoBA,8BAKA,6BAEA,iCAKA,gCAEA,sBASA,qBAEA;AAnEb;;;AACA;AACA;AACA;AACA;AACA;AAEA,IAAM,qBAAqB;MACzB,UAAU;MACV,WAAW;;AAMN,IAAM,2BAAiE,uBAC5E,cACA,CAAC,MAAM,mBAAmB,CAAC,CAAC;AAGvB,IAAM,0BAA0D,OAAO,wBAAwB;AAE/F,IAAM,0BAA0D,iBACrE,aACA,gBAAgB,kBAAkB,CAAC;AAkB9B,IAAM,+BAAqE,wBAChF,CAAC,0BAA0B,eAAe,GAC1C,CAAC,MAAM,CAAC,EAAE,mBAAmB,EAAE,QAAQ,CAAU;AAG5C,IAAM,8BAA8D,OAAO,4BAA4B;AAEvG,IAAM,kCAA2E,wBACtF,CAAC,0BAA0B,iBAAiB,GAC5C,CAAC,MAAM,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAU;AAG7C,IAAM,iCAAoE,OAAO,+BAA+B;AAEhH,IAAM,uBAAqD,CAAC,UAAS;AAC1E,cAAQ,MAAM,mBAAmB;QAC/B,KAAK;AACH,iBAAO,6BAA6B,KAAK;QAC3C,KAAK;AACH,iBAAO,gCAAgC,KAAK;MAChD;IACF;AAEO,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,eACzD,yBACA,CAAC,sBAA6C;AAC5C,cAAQ,mBAAmB;QACzB,KAAK;AACH,iBAAO,WAAW,gBAAgB,CAAC,cAAc,EAAE,mBAAmB,SAAQ,EAAG;QACnF,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAAC,eAAe,EAAE,mBAAmB,UAAS,EAAG;MACzF;IACF,CAAC;;;;;ACzEH;;;AACA;;;;;ACJA,IAsBa,qBAcA,oBAEA;AAtCb;;;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAaO,IAAM,sBAAmD,wBAC9D;MACE;MACA;MACA;;MACA;;MACA;;MACA;;MACA,kBAAkB,gBAAgB;OAEpC,CAAC,OACC,CAAC,GAAG,SAAS,GAAG,aAAa,GAAG,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,yBAAyB,GAAG,UAAU,CAAU;AAGhH,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD;MACE;MACA;MACA;;MACA;;MACA;;MACA;;MACA,iBAAiB,eAAe;OAElC,CAAC,SAAS,aAAa,SAAS,OAAOC,WAAU,yBAAyB,gBAAgB;MACxF;MACA;MACA;MACA;MACA,UAAAA;MACA;MACA;MACA;;;;;ACxDJ,IAKM,WAQO,iBAEA,gBAEA;AAjBb;;;AACA;AACA;AACA;AAEA,IAAM,YAAY;MAChB,MAAM;MACN,QAAQ;;AAMH,IAAM,kBAA+C,uBAAuB,cAAc,CAAC,MAAM,UAAU,CAAC,CAAC;AAE7G,IAAM,iBAAwC,OAAO,eAAe;AAEpE,IAAM,iBAAwC,iBAAiB,aAAa,gBAAgB,SAAS,CAAC;;;;;ACjB7G,IAYa,mBAKA,kBAEA;AAnBb;;;AACA;AACA;AACA;AASO,IAAM,oBAA+C,wBAC1D,CAAC,mBAAmB,mBAAmB,kBAAkB,aAAa,CAAC,GACvE,CAAC,SAAS,CAAC,KAAK,eAAe,KAAK,YAAY,KAAK,cAAc,CAAU;AAGxE,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,kBAAkB,kBAAkB,iBAAiB,YAAY,CAAC,GACnE,CAAC,eAAe,YAAY,oBAAoB;MAC9C;MACA;MACA;MACA;;;;;ACzBJ;;;;;;;ACgFM,SAAU,kBAAkB,MAAiB;AACjD,QAAM,YAAY,KAAK,SAAS;AAEhC,MAAI,KAAK,SAAS,MAAM,QAAW;AACjC,UAAM,IAAI,cAAc,sDAAsD;EAChF;AAGA,QAAM,aAAa,uBAAuB,KAAK,MAAM;AAGrD,QAAM,OAAO,KAAK,MAAK;AACvB,SAAO,KAAK,SAAS,YAAY;AAC/B,SAAK,KAAK,MAAS;EACrB;AAEA,SAAO;AACT;AAGA,SAAS,uBAAuB,GAAS;AACvC,MAAI,IAAI;AACR,UAAQ,KAAM,IAAI,KAAM,IAAI,GAAG;AAC7B;EACF;AACA,UAAQ,KAAM,IAAI,KAAM;AAC1B;AAQM,SAAU,gBAAgB,MAAiB;AAC/C,MAAI,eAAe,KAAK,SAAS;AACjC,SAAO,gBAAgB,KAAK,KAAK,YAAY,MAAM,QAAW;AAC5D;EACF;AAEA,SAAO,KAAK,MAAM,GAAG,eAAe,CAAC;AACvC;AAzHA,IAoCa,aAeA,YAEA,YAsEA,oBAKA,mBAEA;AAlIb;;;AACA;AAEA;AACA;AACA;AACA;AACA;AAgBA;AACA;AACA;AAWO,IAAM,cAAmC,CAAC,SAAQ;AACvD,cAAQ,KAAK,UAAU;QACrB,KAAK;AACH,iBAAO,wBACL,CAAC,iBAAiB,iBAAiB,GACnC,CAAC,MAAkB,CAAC,EAAE,UAAU,EAAE,MAAM,CAAU,EAClD,IAAI;QACR,KAAK;AACH,iBAAO,wBACL,CAAC,iBAAiB,eAAe,GACjC,CAAC,MAAgB,CAAC,EAAE,UAAU,EAAE,IAAI,CAAU,EAC9C,IAAI;MACV;IACF;AAEO,IAAM,aAA4B,OAAO,WAAW;AAEpD,IAAM,aAA4B,eAAe,gBAAgB,CAAC,aAA2B;AAClG,cAAQ,UAAU;QAChB,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAACC,aAAY;YAC/C;YACA,QAAAA;YACA;QACJ,KAAK;AACH,iBAAO,WAAW,gBAAgB,CAAC,UAAU;YAC3C;YACA;YACA;MACN;IACF,CAAC;AAyDM,IAAM,qBAAiD,uBAC5D,kBAAkB,gBAAgB,WAAW,CAAC,GAC9C,eAAe;AAGV,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,oBAA0C,WACrD,iBAAiB,eAAe,UAAU,CAAC,GAC3C,iBAAiB;;;;;ACpInB,IA0Ba,0BAKA,yBAEA,yBASA,4BAKA,2BAEA,2BAUA,sBASA,qBAEA;AAtEb;;;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AAeO,IAAM,2BAA6D,wBACxE,CAAC,iBAAiB,eAAe,gBAAgB,eAAe,CAAC,GACjE,CAAC,UAAU,CAAC,MAAM,UAAU,MAAM,WAAW,MAAM,QAAQ,CAAU;AAGhE,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,0BAAsD,YACjE,CAAC,cAAc,eAAe,cAAc,CAAC,GAC7C,CAAC,WAAW,cAAc;MACxB,UAAU;MACV;MACA;MACA;AAGG,IAAM,6BAAiE,wBAC5E,CAAC,iBAAiB,gBAAgB,iBAAiB,GAAG,mBAAmB,iBAAiB,GAC1F,CAAC,UAAU,CAAC,MAAM,UAAU,MAAM,YAAY,MAAM,UAAU,MAAM,SAAS,CAAU;AAGlF,IAAM,4BAA0D,OAAO,0BAA0B;AAEjG,IAAM,4BAA0D,YACrE,CAAC,eAAe,gBAAgB,GAAG,kBAAkB,gBAAgB,GACrE,CAAC,YAAY,UAAU,eAAe;MACpC,UAAU;MACV;MACA;MACA;MACA;AAGG,IAAM,uBAAqD,CAAC,UAAS;AAC1E,cAAQ,MAAM,UAAU;QACtB,KAAK;AACH,iBAAO,yBAAyB,KAAK;QACvC,KAAK;AACH,iBAAO,2BAA2B,KAAK;MAC3C;IACF;AAEO,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,eACzD,gBACA,CAAC,aAAoC;AACnC,cAAQ,UAAU;QAChB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;;;;;AC/EH,IAiBa,wBAKA,uBAEA;AAxBb;;;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AAQO,IAAM,yBAAyD,wBACpE,CAAC,mBAAmB,mBAAmB,iBAAiB,GACxD,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,YAAY,EAAE,uBAAuB,CAAU;AAGrE,IAAM,wBAAkD,OAAO,sBAAsB;AAErF,IAAM,wBAAkD,YAC7D,CAAC,kBAAkB,kBAAkB,gBAAgB,GACrD,CAAC,eAAe,YAAY,6BAA6B;MACvD;MACA;MACA;MACA;;;;;AC9BJ,IAUa,uBAKA,sBAEA;AAjBb;;;AACA;AACA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,iBAAiB,GACrC,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,UAAU,CAAU;AAG5C,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,gBAAgB,GACnC,CAAC,WAAW,gBAAgB,EAAE,WAAW,WAAU,EAAG;;;;;ACnBxD,IAmCa,uBAKA,sBAEA,sBAWA,mBAKA,kBAEA;AA5Db;;;AACA;AACA;AAGA;AACA;AACA;AACA;AAOA;AACA;AAOA;AACA;AACA;AACA;AACA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,kBAAkB,qBAAqB,CAAC,GAC5D,CAAC,SAAS,CAAC,KAAK,eAAe,KAAK,mBAAmB,CAAU;AAG5D,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,iBAAiB,oBAAoB,CAAC,GACzD,CAAC,eAAe,yBAAyB,EAAE,eAAe,oBAAmB,EAAG;AAS3E,IAAM,oBAA+C,wBAC1D,CAAC,iBAAiB,kBAAkB,qBAAqB,CAAC,GAC1D,CAAC,SAAS,CAAC,KAAK,UAAU,KAAK,KAAK,CAAU;AAGzC,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,sBAAsB,iBAAiB,oBAAoB,CAAC,GAC7D,CAAC,UAAU,WAAW,EAAE,UAAU,MAAK,EAAG;;;;;AC9D5C,IAaa,eAKA,cAEA;AApBb;;;AACA;AACA;AACA;AACA;AACA;AAQO,IAAM,gBAAuC,wBAClD,CAAC,kBAAkB,oBAAoB,GAAG,gBAAgB,iBAAiB,CAAC,GAC5E,CAAC,WAAW,CAAC,OAAO,WAAW,OAAO,IAAI,CAAU;AAG/C,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,YAC3C,CAAC,iBAAiB,mBAAmB,GAAG,eAAe,gBAAgB,CAAC,GACxE,CAAC,WAAW,UAAU,EAAE,WAAW,KAAI,EAAG;;;;;ACtB5C,IAMa,cAUA,oBAKA,mBAEA;AAvBb;;;AACA;AACA;AACA;AAGO,IAAM,eAAe;MAC1B,aAAa;MACb,UAAU;MACV,QAAQ;;AAOH,IAAM,qBAAqD,uBAChE,cACA,CAAC,MAAM,aAAa,CAAC,CAAC;AAGjB,IAAM,oBAA8C,OAAO,kBAAkB;AAE7E,IAAM,oBAA8C,iBAAiB,aAAa,gBAAgB,YAAY,CAAC;;;;;ACvBtH,IAKa,aAWA,mBAGA,kBAEA;AArBb;;;AACA;AACA;AACA;AAEO,IAAM,cAAc;MACzB,oBAAoB;MACpB,qBAAqB;MACrB,aAAa;MACb,gBAAgB;MAChB,iBAAiB;;AAMZ,IAAM,oBAAmD,CAAC,MAC/D,uBAAuB,eAAe,CAAC,MAAsB,YAAY,CAAC,CAAC,EAAE,CAAC;AAEzE,IAAM,mBAA4C,OAAO,iBAAiB;AAE1E,IAAM,mBAA4C,iBAAiB,cAAc,gBAAgB,WAAW,CAAC;;;;;ACrBpH,IAUa,aAWA,mBAKA,kBAEA,kBA8BA,eAkBA,cAEA,cAyCA,mBAQA,kBAEA,kBAIA,mBAKA,kBAEA,kBAeA,sBAKA,qBAEA;AAlKb;;;AACA;AACA;AACA;AACA;AAEA;AACA;AAGO,IAAM,cAAc;MACzB,QAAQ;MACR,UAAU;MACV,qBAAqB;MACrB,mBAAmB;;AAOd,IAAM,oBAAmD,uBAC9D,cACA,CAAC,MAAM,YAAY,CAAC,CAAC;AAGhB,IAAM,mBAA4C,OAAO,iBAAiB;AAE1E,IAAM,mBAA4C,iBAAiB,aAAa,gBAAgB,WAAW,CAAC;AA8B5G,IAAM,gBAAuC,CAAC,MAAK;AACxD,cAAQ,EAAE,YAAY;QACpB,KAAK;AACH,iBAAO,wBACL,CAAC,mBAAmB,aAAa,GACjC,CAACC,OAAoB,CAACA,GAAE,YAAYA,GAAE,SAAS,CAAU,EACzD,CAAC;QACL,KAAK;AACH,iBAAO,wBACL,CAAC,mBAAmB,aAAa,GACjC,CAACA,OAAsB,CAACA,GAAE,YAAYA,GAAE,WAAW,CAAU,EAC7D,CAAC;QACL,KAAK;QACL,KAAK;AACH,iBAAO,kBAAkB,EAAE,UAAU;MACzC;IACF;AAEO,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,eAAe,kBAAkB,CAAC,eAA+B;AAC5G,cAAQ,YAAY;QAClB,KAAK;AACH,iBAAO,WAAW,cAAc,CAAC,eAAe;YAC9C;YACA;YACA;QACJ,KAAK;AACH,iBAAO,WAAW,cAAc,CAAC,iBAAiB;YAChD;YACA;YACA;QACJ,KAAK;AACH,iBAAO,WACL,MAAM,CAAC,QAAW,CAAC,GACnB,OAAO;YACL;YACA;QAEN,KAAK;AACH,iBAAO,WACL,MAAM,CAAC,QAAW,CAAC,GACnB,OAAO;YACL;YACA;MAER;IACF,CAAC;AAcM,IAAM,oBAA+C,CAAC,MAAM;MACjE;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,WAAW,QAAQ,QAAQ,CAAC;AAC7C,aAAK,IAAI,GAAG,CAAC;MACf;;AAGK,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,CAAC,GAAG,WAAU;AACjE,aAAO,CAAC,EAAE,SAAS,QAAQ,SAAS,CAAC,GAAiB,CAAC;IACzD;AAEO,IAAM,oBAA+C,wBAC1D,CAAC,eAAe,eAAe,iBAAiB,GAChD,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,CAAU;AAGpD,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,cAAc,cAAc,gBAAgB,GAC7C,CAAC,WAAW,YAAY,gBAAgB;MACtC;MACA;MACA;MACA;AASG,IAAM,uBAAqD,wBAChE,CAAC,mBAAmB,eAAe,kBAAkB,GACrD,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,OAAO,IAAI,WAAW,CAAU;AAGtD,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,YACzD,CAAC,kBAAkB,cAAc,iBAAiB,GAClD,CAAC,SAAS,OAAO,iBAAiB;MAChC;MACA;MACA;MACA;;;;;ACyEE,SAAU,4BAA4B,aAA4B;AACtE,UAAQ,aAAa;IACnB,KAAK;AACH,aAAO,YAAY,CAAC,kBAAkB,iCAAiC,GAAG,CAAC,WAAW,gBAAgB;QACpG;QACA,GAAG;QACH;IACJ,KAAK;IACL,KAAK;AACH,aAAO,WAAW,kBAAkB,CAAC,eAAe;QAClD;QACA;QACA;EACN;AACF;AA/PA,IAiDa,qCAKA,oCAIA,kCAKA,iCAIA,gCAKA,+BAEA,0BAWA,yBAEA,oCAKA,iCAKA,+BAKA,yBAsCA,sBAKA,qBAEA,qBAiBA,mBAWA,kBAaA,yBAKA,wBAkBP,oCAUA,mCAKO,8BAKA,6BAEA;AAzOb;;;AACA;AACA;AAQA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AA6BO,IAAM,sCAAmF,wBAC9F,CAAC,oBAAoB,iBAAiB,GACtC,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,eAAe,CAAU;AAG7C,IAAM,qCAA4E,OACvF,mCAAmC;AAG9B,IAAM,mCAA6E,wBACxF,CAAC,oBAAoB,eAAe,GACpC,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,QAAQ,CAAU;AAGtC,IAAM,kCAAsE,OACjF,gCAAgC;AAG3B,IAAM,iCAAyE,wBACpF,CAAC,oBAAoB,aAAa,GAClC,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,MAAM,CAAU;AAGpC,IAAM,gCAAkE,OAAO,8BAA8B;AAE7G,IAAM,2BAA6D,CAAC,OAAM;AAC/E,cAAQ,GAAG,aAAa;QACtB,KAAK;AACH,iBAAO,oCAAoC,EAAE;QAC/C,KAAK;AACH,iBAAO,iCAAiC,EAAE;QAC5C,KAAK;AACH,iBAAO,+BAA+B,EAAE;MAC5C;IACF;AAEO,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,qCAA4E,WACvF,kBACA,CAAC,qBAAqB,EAAE,aAAa,eAAe,gBAAe,EAAG;AAGjE,IAAM,kCAAsE,WACjF,gBACA,CAAC,cAAc,EAAE,aAAa,YAAY,SAAQ,EAAG;AAGhD,IAAM,gCAAkE,WAAW,cAAc,CAAC,YAAY;MACnH,aAAa;MACb;MACA;AAEK,IAAM,0BAAsD,eACjE,mBACA,CAAC,gBAA2C;AAC1C,cAAQ,aAAa;QACnB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;AA2BI,IAAM,uBAAqD,wBAChE,CAAC,mBAAmB,eAAe,eAAe,mBAAmB,wBAAwB,GAC7F,CAAC,OAAO,CAAC,GAAG,SAAS,GAAG,OAAO,GAAG,QAAQ,GAAG,mBAAmB,EAAE,CAAU;AAGvE,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,YACzD,CAAC,kBAAkB,cAAc,cAAc,kBAAkB,uBAAuB,GACxF,CAAC,SAAS,OAAO,QAAQ,mBAAmB,UAAU;MACpD;MACA;MACA;MACA;MACA,GAAG;MACH;AASG,IAAM,oBAA+C,CAAC,SAAQ;AACnE,cAAQ,KAAK,YAAY;QACvB,KAAK;QACL,KAAK;AACH,iBAAO,oBAAoB,KAAK,OAAO;QACzC,KAAK;QACL,KAAK;AACH,iBAAO;MACX;IACF;AAEO,IAAM,mBAAwC,OAAO,iBAAiB;AAatE,IAAM,0BAA2D,wBACtE,CAAC,wBAAwB,mBAAmB,sBAAsB,iBAAiB,GACnF,CAAC,MAAM,CAAC,EAAE,iBAAiB,EAAE,YAAY,EAAE,SAAS,CAAC,CAAU;AAG1D,IAAM,yBAAoD,OAAO,uBAAuB;AAkB/F,IAAM,qCAAkF,CAAC,aAAY;AACnG,cAAQ,SAAS,aAAa;QAC5B,KAAK;AACH,iBAAO,kCAAkC,QAAQ;QACnD,KAAK;QACL,KAAK;AACH,iBAAO;MACX;IACF;AAEA,IAAM,oCAAuF,uBAC3F,mBACA,CAAC,SAAS,KAAK,eAAe;AAGzB,IAAM,+BAAqE,wBAChF,CAAC,mBAAmB,kCAAkC,GACtD,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC,CAAU;AAG3B,IAAM,8BAA8D,OAAO,4BAA4B;AAEvG,IAAM,oCAAiF,WAC5F,kBACA,CAAC,qBAAqB;MACpB,aAAa;MACb;MACA;;;;;AC9OJ,IAwCa,6BAKA,4BAEA,4BAkBA,gCAKA;AAtEb;;;AACA;AACA;AACA;AAcA;AAuBO,IAAM,8BAAmE,wBAC9E,CAAC,mBAAmB,sBAAsB,4BAA4B,GACtE,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAU;AAG5C,IAAM,6BAA4D,OAAO,2BAA2B;AAEpG,IAAM,6BAA4D,YACvE;MACE;MACA,eAAe,qBAAqB,CAAC,YAAW;AAC9C,eAAO,WAAW,4BAA4B,QAAQ,WAAW,GAAG,CAAC,UAAU,EAAE,SAAS,KAAI,EAAG;MACnG,CAAC;OAEH,CAAC,YAAY,iBAAiB;MAC5B;MACA,GAAG;MACH;AAQG,IAAM,iCAAyE,wBACpF,CAAC,yBAAyB,4BAA4B,GACtD,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,IAAI,CAAU;AAGjC,IAAM,gCAAkE,OAAO,8BAA8B;;;;;AC/B9G,SAAU,wBAAwB,YAA0B;AAChE,UAAQ,YAAY;IAClB,KAAK;AACH,aAAO,WAAW,kBAAkB,CAAC,mBAAmB;QACtD;QACA;QACA;IACJ,KAAK;IACL,KAAK;IACL,KAAK;AACH,aAAO,eAAe,EAAE,WAAU,CAAE;EACxC;AACF;AAnDA,IA0Ba,0BAWA,yBAqBA,sBAKA,qBAEA;AAjEb;;;AACA;AACA;AAEA;AACA;AASA;AACA;AAEA;AASO,IAAM,2BAA6D,CAAC,SAAQ;AACjF,cAAQ,KAAK,YAAY;QACvB,KAAK;AACH,iBAAO,kBAAkB,KAAK,aAAa;QAC7C,KAAK;QACL,KAAK;QACL,KAAK;AACH,iBAAO;MACX;IACF;AAEO,IAAM,0BAAsD,OAAO,wBAAwB;AAqB3F,IAAM,uBAAqD,wBAChE,CAAC,sBAAsB,8BAA8B,wBAAwB,GAC7E,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,MAAM,GAAG,CAAU;AAGzC,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,eAAe,qBAAqB,CAAC,YAC9F,YACE,CAAC,4BAA4B,QAAQ,WAAW,GAAG,wBAAwB,QAAQ,OAAO,UAAU,CAAC,GACrG,CAAC,MAAM,UAAU;MACf,GAAG;MACH;MACA;MACA,CACH;;;;;ACzEH;;;AAQA;AAOA;AAEA;;;;;AChBA;;;AACA;AAIA;AACA;AAEA;;;;;ACTA,IAaa,6BAMA,4BAGA;AAtBb;;;AACA;AACA;AACA;AACA;AASO,IAAM,8BAAmE,wBAC9E,CAAC,kBAAkB,aAAa,GAAG,kBAAkB,aAAa,GAAG,kBAAkB,qBAAqB,CAAC,GAC7G,CAAC,OAAO,CAAC,GAAG,gBAAgB,GAAG,eAAe,GAAG,eAAe,CAAU;AAIrE,IAAM,6BAA4D,OAAO,2BAA2B;AAGpG,IAAM,6BAA4D,YACvE,CAAC,iBAAiB,YAAY,GAAG,iBAAiB,YAAY,GAAG,iBAAiB,oBAAoB,CAAC,GACvG,CAAC,gBAAgB,eAAeC,sBAAqB,EAAE,gBAAgB,eAAe,iBAAAA,iBAAe,EAAG;;;;;ACjB1G;;;;;;ACFA;;;;;;ACHA;;;;;;;ACIA;;;;;;ACCA;;;;;;ACPA,IAoBa,qBAKA,oBAEA,oBAeA,kBAKA,iBAEA;AAjDb;;;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAUO,IAAM,sBAAmD,wBAC9D,CAAC,qBAAqB,kBAAkB,gBAAgB,GAAG,mBAAmB,aAAa,GAC3F,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAU;AAGtE,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD,CAAC,oBAAoB,iBAAiB,eAAe,GAAG,kBAAkB,YAAY,GACtF,CAAC,cAAc,YAAY,iBAAiB,YAAY;MACtD;MACA;MACA;MACA;MACA;AAQG,IAAM,mBAA6C,wBACxD,CAAC,qBAAqB,iBAAiB,GACvC,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAU;AAG3B,IAAM,kBAAsC,OAAO,gBAAgB;AAEnE,IAAM,kBAAsC,YACjD,CAAC,oBAAoB,gBAAgB,GACrC,CAAC,KAAK,eAAe;MACnB,GAAG;MACH;MACA;;;;;ACtDJ,IAuBa,oBA4BA,mBAEA;AArDb;;;AACA;AACA;AAEA;AACA;AACA;AAiBO,IAAM,qBAAiD,wBAC5D;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;OAEF,CAAC,OACC;MACE,IAAI,WAAU;MACd,GAAG;MACH,IAAI,WAAU;MACd,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;KACK;AAGP,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,oBAA0C,YACrD;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;OAEF,CACE,cACA,kBACA,mBACA,gBACA,gBACA,iBACA,eACA,eACA,oBACA,gBACI;MACJ;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;;;;;ACtFJ,IA0Ba,yBAKA,wBAeA,uBAKA,sBAWA,mBAEA;AAhEb;;;AACA;AACA;AACA;AAUA;AAEA;AAEA;AASO,IAAM,0BAA2D,wBACtE,CAAC,mBAAmB,eAAe,oBAAoB,eAAe,iBAAiB,CAAC,GACxF,CAAC,OAAO,CAAC,GAAG,QAAQ,GAAG,YAAY,GAAG,iBAAiB,CAAU;AAG5D,IAAM,yBAAoD,YAC/D,CAAC,kBAAkB,cAAc,mBAAmB,cAAc,gBAAgB,CAAC,GACnF,CAAC,QAAQ,YAAY,uBAAuB;MAC1C;MACA;MACA;MACA;AASG,IAAM,wBAAuD,wBAClE,CAAC,yBAAyB,uBAAuB,GACjD,CAAC,SAAS,CAAC,KAAK,WAAW,KAAK,WAAW,CAAU;AAGhD,IAAM,uBAAgD,YAC3D,CAAC,wBAAwB,sBAAsB,GAC/C,CAAC,WAAW,iBAAiB;MAC3B;MACA;MACA;AAMG,IAAM,oBAA+C,kBAAkB,qBAAqB;AAE5F,IAAM,mBAAwC,iBAAiB,oBAAoB;;;;;AChE1F,IAaa,qCAKA,oCAIA;AAtBb;;;AACA;AACA;AAEA;AACA;AAQO,IAAM,sCAAmF,wBAC9F,CAAC,mBAAmB,sBAAsB,iBAAiB,GAC3D,CAAC,UAAU,CAAC,MAAM,YAAY,MAAM,SAAS,MAAM,SAAS,CAAU;AAGjE,IAAM,qCAA4E,OACvF,mCAAmC;AAG9B,IAAM,qCAA4E,kBACvF,CAAC,kBAAkB,qBAAqB,gBAAgB,GACxD,CAAC,YAAY,SAAS,cAAa;AACjC,UAAI,QAAQ,gBAAgB;AAC1B,eAAO;UACL;UACA;UACA;;;AAEC,eAAO;IACd,CAAC;;;;;AChCH,IAYa,qBAKA,oBAEA;AAnBb;;;AACA;AACA;AACA;AACA;AAQO,IAAM,sBAAmD,wBAC9D,CAAC,mBAAmB,gBAAgB,iBAAiB,GAAG,kBAAkB,YAAY,CAAC,GACvF,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,YAAY,GAAG,IAAI,CAAU;AAGrD,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD,CAAC,kBAAkB,eAAe,gBAAgB,GAAG,iBAAiB,WAAW,CAAC,GAClF,CAAC,cAAc,YAAY,UAAU,EAAE,cAAc,YAAY,KAAI,EAAG;;;;;ACrB1E,IAkBa,8BAKA,6BAEA,6BAYA,gBAKA,eAEA;AA5Cb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,IAAM,+BAAqE,wBAChF,CAAC,mBAAmB,qBAAqB,GACzC,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,qBAAqB,CAAU;AAGvD,IAAM,8BAA8D,OAAO,4BAA4B;AAEvG,IAAM,8BAA8D,YACzE,CAAC,kBAAkB,oBAAoB,GACvC,CAAC,WAAW,2BAA2B,EAAE,WAAW,sBAAqB,EAAG;AAUvE,IAAM,iBAAyC,wBACpD,CAAC,oBAAoB,kBAAkB,4BAA4B,GAAG,iBAAiB,GACvF,CAAC,YAAY,CAAC,QAAQ,aAAa,QAAQ,SAAS,QAAQ,kBAAkB,CAAU;AAGnF,IAAM,gBAAkC,OAAO,cAAc;AAE7D,IAAM,gBAAkC,YAC7C,CAAC,mBAAmB,iBAAiB,2BAA2B,GAAG,gBAAgB,GACnF,CAAC,aAAa,SAAS,wBAAwB,EAAE,aAAa,SAAS,mBAAkB,EAAG;;;;;AC9C9F;;;AACA;AACA;AACA;;;;;ACHA,IAea,uBAKA;AApBb;;;AACA;AACA;AACA;AAEA;AAEA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,eAAe,oBAAoB,eAAe,iBAAiB,CAAC,GACrE,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,WAAW,CAAU;AAG7C,IAAM,uBAAgD,YAC3D,CAAC,cAAc,mBAAmB,cAAc,gBAAgB,CAAC,GACjE,CAAC,WAAW,iBAAiB;MAC3B;MACA;MACA;;;;;ACzBJ,IAca,2BAKA,0BAWA,2BAGA;AAjCb;;;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,IAAM,4BAA+D,wBAC1E,CAAC,iBAAiB,gBAAgB,aAAa,CAAC,GAChD,CAAC,QAAQ,CAAC,IAAI,UAAU,IAAI,eAAe,CAAU;AAGhD,IAAM,2BAAwD,YACnE,CAAC,gBAAgB,eAAe,YAAY,CAAC,GAC7C,CAAC,UAAU,qBAAqB;MAC9B;MACA;MACA;AAMG,IAAM,4BACX,oBAAoB,yBAAyB;AAExC,IAAM,2BAAwD,mBAAmB,wBAAwB;;;;;AChChH;;;AACA;;;;;ACFA;;;;;;ACAA;;;AACA;AACA;AACA;AACA;;;;;ACJA;;;;;;ACAA,IAIa,eAIA,cAEA;AAVb;;;AACA;AACA;AAEO,IAAM,gBAAuC,uBAAuB,mBAAmB,CAAC,MAC7F,IAAI,YAAW,EAAG,OAAO,CAAC,CAAC;AAGtB,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,WAAW,kBAAkB,CAAC,MAAM,IAAI,YAAW,EAAG,OAAO,CAAC,CAAC;;;;;ACV5G,IAUM,eACA,+BAEA,yBAKO,yBAWA;AA7Bb;;;AACA;AACA;AACA;AAOA,IAAM,gBAAiD,uBAAuB,eAAe,MAAM,QAAQ;AAC3G,IAAM,gCACJ,wBAAwB,CAAC,eAAe,aAAa,GAAG,CAAC,MAAM,CAAC,0BAA0B,EAAE,MAAM,CAAU;AAC9G,IAAM,0BAA2D,uBAC/D,eACA,MAAM,kBAAkB;AAGnB,IAAM,0BAA2D,CAAC,UAAS;AAChF,cAAQ,MAAM,MAAM;QAClB,KAAK;AACH,iBAAO,cAAc,KAAK;QAC5B,KAAK;AACH,iBAAO,8BAA8B,KAAK;QAC5C,KAAK;AACH,iBAAO,wBAAwB,KAAK;MACxC;IACF;AAEO,IAAM,yBAAoD,eAC/D,cACA,CAAC,SAAmC;AAClC,cAAQ,MAAM;QACZ,KAAK;AACH,iBAAO,eAAe,EAAE,MAAM,SAAQ,CAAE;QAE1C,KAAK;AACH,iBAAO,WAAW,cAAc,CAAC,YAAY,EAAE,MAAM,0BAA0B,OAAM,EAAG;QAE1F,KAAK;AACH,iBAAO,eAAe,EAAE,MAAM,mBAAkB,CAAE;QACpD;AACE,iBAAO,YAAW;MACtB;IACF,CAAC;;;;;AC5CH,IAoBa,0BAKA;AAzBb;;;AACA;AACA;AACA;AACA;AACA;AAeO,IAAM,2BAA6D,wBACxE,CAAC,mBAAmB,mBAAmB,oBAAoB,mBAAmB,mBAAmB,GACjG,CAAC,QAAQ,CAAC,IAAI,eAAe,IAAI,YAAY,IAAI,aAAa,IAAI,kBAAkB,IAAI,YAAY,CAAU;AAGzG,IAAM,0BAAsD,YACjE,CAAC,kBAAkB,kBAAkB,mBAAmB,kBAAkB,kBAAkB,GAC5F,CAAC,eAAe,YAAY,aAAa,kBAAkB,kBAAkB;MAC3E;MACA;MACA;MACA;MACA;MACA;;;;;ACjCJ,IAgIa,mBA6BA,kBAGA,kBAsCA,8BA0BA;AAhOb;;;AAGA;AACA;AACA;AACA;AACA;AACA;AAOA;AAEA;AAUA;AACA;AACA;AACA;AAUA;AACA;AACA;AACA;AAeA;AACA;AAOA;AAOA;AACA;AACA;AACA;AASA;AAQA;AACA;AAEA;AAIA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAmBO,IAAM,oBAA+C,wBAC1D;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA,iBAAiB,wBAAwB;MACzC;OAEF,CAAC,UACC;MACE,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;KACE;AAIP,IAAM,mBAAwC,OAAO,iBAAiB;AAGtE,IAAM,mBAAwC,YACnD;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA,gBAAgB,uBAAuB;MACvC;OAEF,CACE,cACA,aACA,YACA,aACA,aACA,qBACA,oBACA,iBACA,wBACA,sBACI;MACJ;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;AAGG,IAAM,+BAA0D,wBACrE;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA,iBAAiB,wBAAwB;MACzC;OAEF,CAAC,UACC;MACE,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;KACE;AAGP,IAAM,8BAAmD,OAAO,4BAA4B;;;;;AC/NnG,IAsCa,uBAMA,sBAEA,sBAmBA,0BAKA,yBAEA;AAxEb;;;AACA;AACA;AACA;AACA;AACA;AAEA;AASA;AACA;AACA;AAoBO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,eAAe,oBAAoB,mBAAmB,mBAAmB,iBAAiB,GAC9G,CAAC,QACC,CAAC,IAAI,SAAS,IAAI,OAAO,IAAI,aAAa,IAAI,mBAAmB,IAAI,qBAAqB,IAAI,UAAU,CAAU;AAG/G,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,cAAc,mBAAmB,kBAAkB,kBAAkB,gBAAgB,GACxG,CAAC,SAAS,OAAO,aAAa,mBAAmB,qBAAqB,gBAAgB;MACpF;MACA;MACA;MACA;MACA;MACA;MACA;AAUG,IAAM,2BAA6D,wBACxE,CAAC,mBAAmB,eAAe,oBAAoB,iBAAiB,GACxE,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,OAAO,IAAI,aAAa,IAAI,iBAAiB,CAAU;AAG7E,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,0BAAsD,YACjE,CAAC,kBAAkB,cAAc,mBAAmB,gBAAgB,GACpE,CAAC,SAAS,OAAO,aAAa,uBAAuB;MACnD;MACA;MACA;MACA;MACA;;;;;AChFJ;;;AAEA;AAOA;AAWA;AACA;AAEA;AAEA;AAEA;;;;;AC3BA;;;AAIA;AACA;AAEA;;;;;ACPA;;;AAEA;AAUA;AACA;AACA;AAMA;AACA;AAOA;AACA;AAEA;AACA;AACA;AACA;AAIA;AAQA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;;ACtDA;;;AAWA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAUA;AACA;AAEA;;;;;AC7CA;;;;;;;ACAA;AAAA;AAAA;AAAA;;;ACEA,SAAS,iBAAiB,SAAS,QAAQ;AACvC,SAAO,IAAI,MAAM,SAAS;AAAA,IACtB,IAAI,SAAS,MAAM,WAAW;AAC1B,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAAA,MACtB,OACK;AACD,eAAO,QAAQ,IAAI;AAAA,MACvB;AAAA,IACJ;AAAA,IACA,IAAI,SAAS,MAAM,OAAO;AACtB,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAAA,MACtB;AACA,cAAQ,IAAI,IAAI;AAChB,aAAO;AAAA,IACX;AAAA,IACA,eAAe,SAAS,MAAM;AAC1B,UAAI,UAAU;AACd,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAClB,kBAAU;AAAA,MACd;AACA,UAAI,QAAQ,SAAS;AACjB,eAAO,QAAQ,IAAI;AACnB,kBAAU;AAAA,MACd;AACA,aAAO;AAAA,IACX;AAAA,IACA,QAAQ,SAAS;AACb,YAAM,WAAW,QAAQ,QAAQ,OAAO;AACxC,YAAM,UAAU,QAAQ,QAAQ,MAAM;AACtC,YAAM,aAAa,IAAI,IAAI,OAAO;AAClC,aAAO,CAAC,GAAG,SAAS,OAAO,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC,GAAG,GAAG,OAAO;AAAA,IACrE;AAAA,IACA,eAAe,SAAS,MAAM,MAAM;AAChC,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAAA,MACtB;AACA,cAAQ,eAAe,SAAS,MAAM,IAAI;AAC1C,aAAO;AAAA,IACX;AAAA,IACA,yBAAyB,SAAS,MAAM;AACpC,UAAI,QAAQ,QAAQ;AAChB,eAAO,QAAQ,yBAAyB,QAAQ,IAAI;AAAA,MACxD,OACK;AACD,eAAO,QAAQ,yBAAyB,SAAS,IAAI;AAAA,MACzD;AAAA,IACJ;AAAA,IACA,IAAI,SAAS,MAAM;AACf,aAAO,QAAQ,UAAU,QAAQ;AAAA,IACrC;AAAA,EACJ,CAAC;AACL;AAxDA,IAAM,YACO;AADb;AAAA;AAAA,IAAM,aAAa,CAAC;AACb,IAAM,gBAAgB,iBAAiB,YAAY,UAAU;AAAA;AAAA;;;ACDpE;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AACA;AACA;AACA;AAAA;AAAA;;;ACHA;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA;AAAA;AAAA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACJA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA,IA6EM;AA7EN;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAsEA,IAAM,kBAAkB;AAAA,MACpB,IAAI,MAAM,QAAQ;AAAA,MAClB,GAAG;AAAA,MACH,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,gBAAgB;AAAA,IACpB;AAAA;AAAA;;;ACnFA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACLA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACPA;AAAA;AAAA;AAAA;;;ACgBO,SAAS,QAAQ,GAAG;AACvB,SAAO,aAAa,cACf,YAAY,OAAO,CAAC,KAAK,EAAE,YAAY,SAAS;AACzD;AAEO,SAAS,QAAQ,GAAG,QAAQ,IAAI;AACnC,MAAI,CAAC,OAAO,cAAc,CAAC,KAAK,IAAI,GAAG;AACnC,UAAM,SAAS,SAAS,IAAI,KAAK;AACjC,UAAM,IAAI,MAAM,GAAG,MAAM,4BAA4B,CAAC,EAAE;AAAA,EAC5D;AACJ;AAEO,SAAS,OAAO,OAAO,QAAQ,QAAQ,IAAI;AAC9C,QAAM,QAAQ,QAAQ,KAAK;AAC3B,QAAM,MAAM,OAAO;AACnB,QAAM,WAAW,WAAW;AAC5B,MAAI,CAAC,SAAU,YAAY,QAAQ,QAAS;AACxC,UAAM,SAAS,SAAS,IAAI,KAAK;AACjC,UAAM,QAAQ,WAAW,cAAc,MAAM,KAAK;AAClD,UAAM,MAAM,QAAQ,UAAU,GAAG,KAAK,QAAQ,OAAO,KAAK;AAC1D,UAAM,IAAI,MAAM,SAAS,wBAAwB,QAAQ,WAAW,GAAG;AAAA,EAC3E;AACA,SAAO;AACX;AAGO,SAAS,QAAQ,UAAU,gBAAgB,MAAM;AACpD,MAAI,SAAS;AACT,UAAM,IAAI,MAAM,kCAAkC;AACtD,MAAI,iBAAiB,SAAS,UAAU;AACpC,UAAM,IAAI,MAAM,uCAAuC;AAAA,EAC3D;AACJ;AAwBO,SAAS,SAAS,QAAQ;AAC7B,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACpC,WAAO,CAAC,EAAE,KAAK,CAAC;AAAA,EACpB;AACJ;AA5EA,IA8EM,mBACA,kBAEO;AAjFb;AAAA;AAaA;AACA;AAgEA,IAAM,oBAAoC,oBAAI,YAAY,CAAC,SAAU,CAAC;AACtE,IAAM,mBAAmC,oBAAI,WAAW,kBAAkB,MAAM;AAEzE,IAAM,OAAuB,iBAAiB,CAAC,MAAM;AAAA;AAAA;;;ACnErD,SAAS,MAAM,GAAG;AACrB,MAAI,OAAO,MAAM,cAAc,OAAO,EAAE,WAAW,YAAY;AAC3D,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC7D;AACA,UAAQ,EAAE,SAAS;AACnB,UAAQ,EAAE,QAAQ;AACtB;AApBA,IAAAC,aAAA;AAAA;AAYA;AAAA;AAAA;;;ACZA,IAea,OAgHA;AA/Hb;AAAA;AAaA;AACA,IAAAC;AACO,IAAM,QAAN,MAAY;AAAA,MACf,YAAY,MAAM,KAAK;AACnB,eAAO,eAAe,MAAM,SAAS;AAAA,UACjC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,SAAS;AAAA,UACjC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,YAAY;AAAA,UACpC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,aAAa;AAAA,UACrC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,YAAY;AAAA,UACpC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,aAAa;AAAA,UACrC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,cAAM,IAAI;AACV,eAAO,KAAK,QAAW,KAAK;AAC5B,aAAK,QAAQ,KAAK,OAAO;AACzB,YAAI,OAAO,KAAK,MAAM,WAAW,YAAY;AACzC,gBAAM,IAAI,MAAM,qDAAqD;AAAA,QACzE;AACA,aAAK,WAAW,KAAK,MAAM;AAC3B,aAAK,YAAY,KAAK,MAAM;AAC5B,cAAM,WAAW,KAAK;AACtB,cAAM,MAAM,IAAI,WAAW,QAAQ;AAEnC,YAAI,IAAI,IAAI,SAAS,WAAW,KAAK,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,IAAI,GAAG;AACxE,iBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ;AAC5B,cAAI,CAAC,KAAK;AACd,aAAK,MAAM,OAAO,GAAG;AAErB,aAAK,QAAQ,KAAK,OAAO;AAEzB,iBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ;AAC5B,cAAI,CAAC,KAAK,KAAO;AACrB,aAAK,MAAM,OAAO,GAAG;AACrB,cAAM,GAAG;AAAA,MACb;AAAA,MACA,OAAO,KAAK;AACR,gBAAQ,IAAI;AACZ,aAAK,MAAM,OAAO,GAAG;AACrB,eAAO;AAAA,MACX;AAAA,MACA,WAAW,KAAK;AACZ,gBAAQ,IAAI;AACZ,eAAO,KAAK,KAAK,WAAW,QAAQ;AACpC,aAAK,WAAW;AAChB,aAAK,MAAM,WAAW,GAAG;AACzB,aAAK,MAAM,OAAO,GAAG;AACrB,aAAK,MAAM,WAAW,GAAG;AACzB,aAAK,QAAQ;AAAA,MACjB;AAAA,MACA,SAAS;AACL,cAAM,MAAM,IAAI,WAAW,KAAK,MAAM,SAAS;AAC/C,aAAK,WAAW,GAAG;AACnB,eAAO;AAAA,MACX;AAAA,MACA,WAAW,IAAI;AAEX,eAAO,OAAO,OAAO,OAAO,eAAe,IAAI,GAAG,CAAC,CAAC;AACpD,cAAM,EAAE,OAAO,OAAO,UAAU,WAAW,UAAU,UAAU,IAAI;AACnE,aAAK;AACL,WAAG,WAAW;AACd,WAAG,YAAY;AACf,WAAG,WAAW;AACd,WAAG,YAAY;AACf,WAAG,QAAQ,MAAM,WAAW,GAAG,KAAK;AACpC,WAAG,QAAQ,MAAM,WAAW,GAAG,KAAK;AACpC,eAAO;AAAA,MACX;AAAA,MACA,QAAQ;AACJ,eAAO,KAAK,WAAW;AAAA,MAC3B;AAAA,MACA,UAAU;AACN,aAAK,YAAY;AACjB,aAAK,MAAM,QAAQ;AACnB,aAAK,MAAM,QAAQ;AAAA,MACvB;AAAA,IACJ;AAWO,IAAM,OAAO,CAAC,MAAM,KAAK,YAAY,IAAI,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO,EAAE,OAAO;AACxF,SAAK,SAAS,CAAC,MAAM,QAAQ,IAAI,MAAM,MAAM,GAAG;AAAA;AAAA;;;AChIhD;AAAA;AAaA;AAAA;AAAA;;;ACEA,SAAS,QAAQ,GAAG,KAAK,OAAO;AAC5B,MAAI,IAAI;AACJ,WAAO,EAAE,GAAG,OAAO,IAAI,UAAU,GAAG,GAAG,OAAQ,KAAK,OAAQ,UAAU,EAAE;AAAA,EAC5E;AACA,SAAO;AAAA,IACH,GAAG,OAAQ,KAAK,OAAQ,UAAU,IAAI;AAAA,IACtC,GAAG,OAAO,IAAI,UAAU,IAAI;AAAA,EAChC;AACJ;AACA,SAAS,MAAM,KAAK,KAAK,OAAO;AAC5B,QAAM,MAAM,IAAI;AAChB,QAAM,KAAK,IAAI,YAAY,GAAG;AAC9B,QAAM,KAAK,IAAI,YAAY,GAAG;AAC9B,WAAS,IAAI,GAAG,IAAI,KAAK,KAAK;AAC1B,UAAM,EAAE,GAAG,EAAE,IAAI,QAAQ,IAAI,CAAC,GAAG,EAAE;AACnC,KAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;AAAA,EAC1B;AACA,SAAO,CAAC,IAAI,EAAE;AAClB;AAjCA,IAaM,YACA;AAdN;AAAA;AAaA,IAAM,aAAa;AACnB,IAAM,OAAO;AAAA;AAAA;;;ACdb;AAAA;AAeA;AACA;AACA;AACA,IAAAC;AAAA;AAAA;;;AClBA,IAyBM,KACA,KACA,KACA,KACA,OACA,QACA,SACA,WACA,YAgBA,OACA,aACA;AAnDN;AAAA;AAmBA;AACA;AACA,IAAAC;AAIA,IAAM,MAAM;AACZ,IAAM,MAAM;AACZ,IAAM,MAAM;AACZ,IAAM,MAAM;AACZ,IAAM,QAAQ;AACd,IAAM,SAAS;AACf,IAAM,UAAU,CAAC;AACjB,IAAM,YAAY,CAAC;AACnB,IAAM,aAAa,CAAC;AACpB,aAAS,QAAQ,GAAG,IAAI,KAAK,IAAI,GAAG,IAAI,GAAG,QAAQ,IAAI,SAAS;AAE5D,OAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,KAAK,CAAC;AAChC,cAAQ,KAAK,KAAK,IAAI,IAAI,EAAE;AAE5B,gBAAU,MAAQ,QAAQ,MAAM,QAAQ,KAAM,IAAK,EAAE;AAErD,UAAI,IAAI;AACR,eAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AACxB,aAAM,KAAK,OAAS,KAAK,OAAO,UAAW;AAC3C,YAAI,IAAI;AACJ,eAAK,QAAS,OAAO,OAAO,CAAC,KAAK;AAAA,MAC1C;AACA,iBAAW,KAAK,CAAC;AAAA,IACrB;AACA,IAAM,QAAQ,MAAM,YAAY,IAAI;AACpC,IAAM,cAAc,MAAM,CAAC;AAC3B,IAAM,cAAc,MAAM,CAAC;AAAA;AAAA;;;ACnD3B;AAAA;AAeA;AAAA;AAAA;;;ACfA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAeA;AACA;AACA;AACA;AAAA;AAAA;;;AClBA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACpBA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAGM;AAHN;AAAA;AAAA;AACA;AAEA,IAAM,YAAY,IAAI,WAAW,CAAC,KAAK,KAAK,EAAE,CAAC;AAAA;AAAA;;;ACH/C;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA,IAWI;AAXJ;AAAA;AA2BA,oBAAgB,oBAAI,QAAQ;AAAA;AAAA;;;AC3B5B,IAWI;AAXJ;AAAA;AAYA;AACA;AACA;AAuBA,kCAA8B,oBAAI,QAAQ;AAAA;AAAA;;;ACrC1C,IAWI;AAXJ;AAAA;AAYA;AACA;AACA;AA8BA,+BAA2B,oBAAI,QAAQ;AAAA;AAAA;;;AC5CvC,IAMM,kBAIA,WAGA,iBAIA,WAGA,mBAIA,cAGA;AA3BN;AAAA;AAAA;AACA;AACA;AACA;AAGA,IAAM,mBAAmB,IAAI,WAAW;AAAA,MACpC;AAAA,MAAI;AAAA,MAAI;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,IAC7C,CAAC;AAED,IAAM,YAAY,IAAI,WAAW,CAAC,KAAK,KAAK,GAAG,CAAC;AAGhD,IAAM,kBAAkB,IAAI,WAAW;AAAA,MACnC;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,IAC1C,CAAC;AAED,IAAM,YAAY,IAAI,WAAW,CAAC,KAAK,KAAK,GAAG,CAAC;AAGhD,IAAM,oBAAoB,IAAI,WAAW;AAAA,MACrC;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,IACnD,CAAC;AAED,IAAM,eAAe,IAAI,WAAW,CAAC,KAAK,KAAK,IAAI,KAAK,KAAK,GAAG,CAAC;AAGjE,IAAM,uBAAuB,IAAI,WAAW;AAAA,MACxC;AAAA,MAAI;AAAA,MAAI;AAAA,MAAI;AAAA,MAAI;AAAA,MAAG;AAAA,MAAG;AAAA,MAAG;AAAA,MAAG;AAAA,MAAG;AAAA,IACnC,CAAC;AAAA;AAAA;;;AC7BD;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AACA;AACA;AAAA;AAAA;;;ACFA,IAGM;AAHN;AAAA;AAAA;AAGA,IAAM,sBAAsB,IAAI,WAAW;AAAA,MACvC;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAC1C;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IAC9C,CAAC;AAAA;AAAA;;;ACND;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA,IAGM;AAHN;AAAA;AAAA;AAGA,IAAM,oBAAoB,IAAI,WAAW;AAAA,MACrC;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAC1C;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IAC9C,CAAC;AAAA;AAAA;;;ACND;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA,IAAAC,YAAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACFA,IAAAC,aAAA;;;AACA;;;;;ACJA;;IAAAC;AACA;AACA;;;;;ACFA;;IAAAC;AACA;;;;;ACDA;;IAAAC;AAOA;;;;;ACPA;;IAAAC;AAEA,IAAAC;AACA;AACA;AACA;;;;;ACHA;;;;;;ACFA;;;AAEA;;;;;ACAA;;;AACA;AACA;AACA;AACA;AACA;;;;;ACLA;;;;;;;ACFA;;;AACA;AACA;AACA;AACA;AAIA;;;;;ACPA,IAAAC,qBAAA;;AAEA;;;;;ACHA,IAAAC,+BAAA;;;;;;;ACAA,IAAAC,iBAAA;;IAAAC;AACA;;;;;ACDA,IAAAC,oBAAA;;;;;;;ACAA,IAAAC,kBAAA;;;;;;;ACAA,IAAAC,iBAAA;;IAAAC;AAEA,IAAAC;AACA,IAAAC;AACA,IAAAC;AACA,IAAAC;;;;;ACLA,IAAAC,YAAA;;;;;;;ACEA,IAAAC,iBAAA;;IAAAC;AACA,IAAAC;AACA,IAAAC;AACA,IAAAC;AACA,IAAAC;;;;;ACNA,IAiDa,yBAKA,wBAEA,mBAKA,kBAEA,0BAKA,yBAEA,qBAKA,oBAEA,sBAKA,qBAEA,0BAeA,yBAEA,yBAkBA,mBAMA,kBAGA;AAhIb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAyCO,IAAM,0BAA2D,wBACtE,CAAC,mBAAmB,oBAAoB,GACxC,CAAC,QAAQ,CAAC,IAAI,YAAY,IAAI,aAAa,CAAU;AAGhD,IAAM,yBAAoD,OAAO,uBAAuB;AAExF,IAAM,oBAA+C,wBAC1D,CAAC,mBAAmB,cAAc,GAClC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,OAAO,CAAU;AAGvC,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,2BAA6D,wBACxE,CAAC,mBAAmB,qBAAqB,GACzC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,cAAc,CAAU;AAG9C,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,sBAAmD,wBAC9D,CAAC,mBAAmB,gBAAgB,GACpC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,SAAS,CAAU;AAGzC,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,uBAAqD,wBAChE,CAAC,mBAAmB,iBAAiB,GACrC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,UAAU,CAAU;AAG1C,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,2BAA6D,CAAC,OAAM;AAC/E,cAAQ,GAAG,YAAY;QACrB,KAAK;AACH,iBAAO,wBAAwB,EAAE;QACnC,KAAK;AACH,iBAAO,kBAAkB,EAAE;QAC7B,KAAK;AACH,iBAAO,yBAAyB,EAAE;QACpC,KAAK;AACH,iBAAO,oBAAoB,EAAE;QAC/B,KAAK;AACH,iBAAO,qBAAqB,EAAE;MAClC;IACF;AAEO,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,0BAAsD,eACjE,kBACA,CAAC,eAA0C;AACzC,cAAQ,YAAY;QAClB,KAAK;AACH,iBAAO,WAAW,qBAAqB,CAAC,mBAAmB,EAAE,YAAY,cAAa,EAAG;QAC3F,KAAK;AACH,iBAAO,WAAW,eAAe,CAAC,aAAa,EAAE,YAAY,QAAO,EAAG;QACzE,KAAK;AACH,iBAAO,WAAW,sBAAsB,CAAC,oBAAoB,EAAE,YAAY,eAAc,EAAG;QAC9F,KAAK;AACH,iBAAO,WAAW,iBAAiB,CAAC,eAAe,EAAE,YAAY,UAAS,EAAG;QAC/E,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAAC,gBAAgB,EAAE,YAAY,WAAU,EAAG;MACpF;IACF,CAAC;AAGI,IAAM,oBAA+C,wBAC1D,CAAC,wBAAwB,wBAAwB,GACjD,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,CAAU;AAIzB,IAAM,mBAAwC,OAAO,iBAAiB;AAGtE,IAAM,mBAAwC,YACnD,CAAC,uBAAuB,uBAAuB,GAC/C,CAAC,SAAS,QAAQ,EAAE,GAAG,IAAI,QAAO,EAAG;;;;;AC7HvC;;;;;;ACJA;;;AACA;;;;;ACAA;;;AAEA;AAMA;AAEA;AAIA;AAEA;AAMA;AAEA;AAEA;AAEA;AAEA;AACA;AAEA;AAeA;AAEA;AAMA;AAQA;AASA;AAEA;AAkBA;AAEA;AAYA;AAGA,IAAAC;AACA;AAEA;AAEA;AAWA;AAEA;AA0FA;AACA;AACA;AAIA;AAsBA;;;;;ACxPA;;;AASA;;;;;ACTA;;;;AAEA;AAEA;AAUA;AAEA;AAMA;AAOA;AAgBA;AAOA;AAMA;AA+BA;AAiBA;AA2DA;AAKA;AAYA;AAMA;;;;;AC5LA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAgB,OAAO,UAAU,QAAQ,IAAI,iBAAiB;AAC9D,SAAS,QAAAC,aAAY;AAiBrB,eAAsB,UACpB,SACA,OACe;AACf,QAAM,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,SAAS,CAAC;AACxD,QAAM,WAAWA,MAAK,SAAS,UAAU;AACzC,QAAM,UAAU,UAAU,KAAK,UAAU,OAAO,MAAM,CAAC,GAAG,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AAGhG,MAAI;AACF,UAAM,GAAGA,MAAK,SAAS,iBAAiB,CAAC;AAAA,EAC3C,QAAQ;AAAA,EAER;AACF;AAUA,eAAsB,UACpB,SAEqB;AAErB,QAAM,WAAWA,MAAK,SAAS,UAAU;AACzC,MAAI;AACF,UAAM,MAAM,MAAM,SAAS,UAAU,OAAO;AAC5C,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AAAA,EAER;AAGA,QAAM,aAAaA,MAAK,SAAS,iBAAiB;AAClD,MAAI;AACF,UAAM,MAAM,MAAM,SAAS,YAAY,OAAO;AAC9C,UAAM,SAAS,KAAK,MAAM,GAAG;AAE7B,UAAM,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,SAAS,CAAC;AACxD,UAAM,UAAU,UAAU,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AACjG,UAAM,GAAG,UAAU;AACnB,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,aAAa,SAAmC;AACpE,MAAI;AACF,UAAM,WAAWA,MAAK,SAAS,UAAU;AACzC,UAAM,MAAM,MAAM,SAAS,UAAU,OAAO;AAC5C,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,WAAO,CAAC,EACN,UACA,OAAO,YACP,OAAO,aACP,OAAO,YACP,OAAO,KAAK,OAAO,QAAQ,EAAE,SAAS;AAAA,EAE1C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,YAAY,SAAgC;AAChE,QAAM,MAAMA,MAAK,SAAS,UAAU;AACpC,QAAM,MAAMA,MAAK,SAAS,GAAG,UAAU,MAAM;AAC7C,QAAM,MAAMA,MAAK,SAAS,GAAG,UAAU,UAAU;AACjD,MAAI;AACF,UAAM,OAAO,MAAM,SAAS,KAAK,OAAO;AACxC,UAAM,UAAU,KAAK,MAAM,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AACjE,UAAM,OAAO,KAAK,GAAG;AAAA,EACvB,QAAQ;AAAA,EAER;AACF;AAMA,eAAsB,aAAa,SAAmC;AAEpE,QAAM,eAAe,MAAM,aAAa,OAAO;AAC/C,MAAI,aAAc,QAAO;AAEzB,QAAM,MAAMA,MAAK,SAAS,GAAG,UAAU,MAAM;AAC7C,MAAI;AACF,UAAM,OAAO,MAAM,SAAS,KAAK,OAAO;AACxC,UAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QACE,CAAC,UACD,CAAC,OAAO,YACR,CAAC,OAAO,aACR,CAAC,OAAO,YACR,OAAO,KAAK,OAAO,QAAQ,EAAE,WAAW,GACxC;AACA,aAAO;AAAA,IACT;AACA,UAAM,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,SAAS,CAAC;AACxD,UAAM,UAAUA,MAAK,SAAS,UAAU,GAAG,MAAM,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AACvF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,qBACpB,OACA,YACA,QACA,WACe;AAEf,QAAM,WAAmC,CAAC;AAC1C,aAAW,CAAC,QAAQ,OAAO,KAAK,OAAO,QAAQ,MAAM,QAAQ,GAAG;AAC9D,QAAI,QAAQ,cAAc;AACxB,eAAS,MAAM,IAAI,QAAQ;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,SAAuB;AAAA,IAC3B,SAAS;AAAA,IACT,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,UAAU,MAAM;AAAA,IAChB,iBAAiB,MAAM;AAAA,IACvB,kBAAkB,MAAM;AAAA,IACxB,aAAa,MAAM;AAAA,IACnB;AAAA,IACA,UAAU,OAAO;AAAA,MACf,OAAO,QAAQ,MAAM,QAAQ,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM;AAAA,QAClD;AAAA,QACA;AAAA,UACE,eAAe,EAAE;AAAA,UACjB,cAAc,EAAE;AAAA,UAChB,WAAW,EAAE;AAAA,QACf;AAAA,MACF,CAAC;AAAA,IACH;AAAA,IACA,QAAQ,MAAM;AAAA,IACd,gBAAgB,MAAM;AAAA,IACtB,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,EACpB;AAEA,QAAM,YAAY,MAAM,cAAc,QAAQ,UAAU;AACxD,QAAM,WAAW,MAAM,eAAe,UAAU;AAEhD,QAAM,OAAO,MAAM,MAAM,GAAG,MAAM,kBAAkB;AAAA,IAClD,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,MAChB,eAAe,UAAU,SAAS;AAAA,IACpC;AAAA,IACA,MAAM,KAAK,UAAU;AAAA,MACnB,aAAa,cAAc,SAAS;AAAA,MACpC,kBAAkB,WAAW,QAAQ;AAAA,IACvC,CAAC;AAAA,EACH,CAAC;AAED,MAAI,CAAC,KAAK,IAAI;AACZ,UAAM,IAAI,MAAM,yBAAyB,KAAK,MAAM,EAAE;AAAA,EACxD;AACF;AAEA,eAAsB,WAAW,SAAgC;AAE/D,aAAW,YAAY,CAAC,YAAY,iBAAiB,GAAG;AACtD,QAAI;AACF,YAAM,GAAGA,MAAK,SAAS,QAAQ,CAAC;AAAA,IAClC,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAhNA,IAWM,YACA,mBAGA,UACA;AAhBN;AAAA;AAAA;AAEA;AASA,IAAM,aAAa;AACnB,IAAM,oBAAoB;AAG1B,IAAM,WAAW;AACjB,IAAM,YAAY;AAAA;AAAA;;;ACNlB,SAAS,WAAW,mBAAmB;AACvC,SAAS,mBAAmB;AAC5B,SAAS,WAAW,iBAAiB;;;ACFrC,IAAM,kBAAkB;AACxB,IAAM,oBAAoB;AAWnB,SAAS,eAAe,KAAoB;AACjD,QAAM,KAAK,KAAK,UAAU;AAC1B,MAAI,CAAC,GAAI,QAAO,CAAC;AACjB,MAAI,GAAG,YAAY,OAAO,GAAG,aAAa,UAAU;AAClD,WAAO,OAAO,KAAK,GAAG,QAAQ;AAAA,EAChC;AACA,SAAO,GAAG,UAAU,CAAC,SAAS,IAAI,CAAC;AACrC;AAEO,SAAS,eAAe,KAAU,WAAqC;AAC5E,QAAM,KAAK,KAAK,UAAU,cAAc,CAAC;AACzC,QAAM,KAAK,aAAa;AAExB,MAAI,GAAG,YAAY,OAAO,GAAG,aAAa,UAAU;AAClD,UAAM,OAAO,GAAG,SAAS,EAAE;AAC3B,QAAI,CAAC,MAAM;AACT,aAAO;AAAA,QACL,WAAW;AAAA,QACX,SAAS;AAAA,QACT,QAAQ,GAAG,UAAU;AAAA,QACrB,WAAW;AAAA,QACX,UAAU;AAAA,QACV,YAAY;AAAA,MACd;AAAA,IACF;AAEA,QAAI,WAAW,KAAK;AACpB,QAAI,YAAY,MAAM;AACpB,YAAM,OAAO,OAAO,KAAK,GAAG,QAAQ;AACpC,YAAM,QAAQ,KAAK,QAAQ,EAAE;AAC7B,iBAAW,qBAAqB,SAAS,IAAI,QAAQ;AAAA,IACvD;AAEA,WAAO;AAAA,MACL,WAAW;AAAA,MACX,SAAS,KAAK,WAAW;AAAA,MACzB,QAAQ,KAAK,UAAU,GAAG,UAAU;AAAA,MACpC,WAAW,KAAK,aAAa;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ,KAAK,OAAO;AAAA,IAClC;AAAA,EACF;AAEA,SAAO;AAAA,IACL,WAAW;AAAA,IACX,SAAS,GAAG,WAAW;AAAA,IACvB,QAAQ,GAAG,UAAU;AAAA,IACrB,WAAW,GAAG,aAAa;AAAA,IAC3B,UAAU,GAAG,YAAY;AAAA,IACzB,YAAY,QAAQ,GAAG,OAAO;AAAA,EAChC;AACF;;;AC1DA,SAAS,yBAAyB;AAClC,OAAO,wBAAwB;AAyB/B,IAAM,aAAa,IAAI,kBAAgC;AAEvD,IAAM,wBAAkC;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAI,YAAY;AAChB,IAAI;AAGJ,IAAM,mBAAmB,oBAAI,QAG3B;AAGF,IAAI;AACJ,IAAI;AACJ,IAAI;AAIJ,SAAS,WAAW,KAAa,eAAkC;AACjE,QAAM,cAAc,CAAC,GAAG,uBAAuB,GAAG,aAAa;AAC/D,SAAO,YAAY,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC;AAC5C;AAEA,SAAS,WAAW,QAAgB,MAAsB;AAExD,SAAO,GAAG,MAAM,GAAG,IAAI;AACzB;AAQO,SAAS,wBAAwB,MAAqC;AAC3E,MAAI,UAAW;AACf,cAAY;AAEZ,QAAM,eAAe;AAAA,IACnB,GAAG;AAAA,IACH,GAAI,KAAK,gBAAgB,CAAC;AAAA,EAC5B;AAMA,MAAI;AACF,UAAM,gBAAgB,mBAAmB,QAAQ,uBAAuB;AACxE,UAAM,iBAAiB,mBAAmB,QAAQ,wBAAwB;AAC1E,UAAM,eAAe,mBAAmB,QAAQ,sBAAsB;AAEtE,UAAM,kBAAkB,CAAC,YAAqB;AAC5C,UAAI;AACF,cAAM,MAAM;AAOZ,cAAM,MAAM,IAAI;AAChB,YAAI,CAAC,IAAK;AAEV,cAAM,SAAS,OAAO,IAAI,UAAU,EAAE;AACtC,cAAM,OAAO,OAAO,IAAI,QAAQ,GAAG;AACnC,cAAM,MAAM,WAAW,QAAQ,IAAI;AAEnC,YAAI,WAAW,KAAK,YAAY,EAAG;AAEnC,yBAAiB,IAAI,KAAK;AAAA,UACxB;AAAA,UACA,QAAQ,OAAO,IAAI,UAAU,KAAK,EAAE,YAAY;AAAA,UAChD,WAAW,KAAK,IAAI;AAAA,QACtB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,UAAM,mBAAmB,CAAC,YAAqB;AAC7C,UAAI;AACF,cAAM,MAAM;AAIZ,cAAM,UAAU,iBAAiB,IAAI,IAAI,OAAO;AAChD,YAAI,CAAC,QAAS;AACd,yBAAiB,OAAO,IAAI,OAAO;AAEnC,cAAM,YAAY,KAAK,IAAI,IAAI,QAAQ;AACvC,cAAM,MAAM,WAAW,SAAS;AAEhC,aAAK,WAAW;AAAA,UACd,QAAQ,QAAQ;AAAA,UAChB,KAAK,QAAQ;AAAA,UACb,YAAY,IAAI,UAAU,cAAc;AAAA,UACxC;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,UAAM,iBAAiB,CAAC,YAAqB;AAC3C,UAAI;AACF,cAAM,MAAM;AACZ,cAAM,UAAU,iBAAiB,IAAI,IAAI,OAAO;AAChD,YAAI,CAAC,QAAS;AACd,yBAAiB,OAAO,IAAI,OAAO;AAEnC,cAAM,YAAY,KAAK,IAAI,IAAI,QAAQ;AACvC,cAAM,MAAM,WAAW,SAAS;AAEhC,aAAK,WAAW;AAAA,UACd,QAAQ,QAAQ;AAAA,UAChB,KAAK,QAAQ;AAAA,UACb,YAAY;AAAA,UACZ;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,kBAAc,UAAU,eAAe;AACvC,mBAAe,UAAU,gBAAgB;AACzC,iBAAa,UAAU,cAAc;AAErC,kBAAc,MAAM,cAAc,YAAY,eAAe;AAC7D,mBAAe,MAAM,eAAe,YAAY,gBAAgB;AAChE,iBAAa,MAAM,aAAa,YAAY,cAAc;AAAA,EAC5D,QAAQ;AAAA,EAER;AAMA,kBAAgB,WAAW;AAC3B,QAAM,gBAAgB;AAEtB,aAAW,QAAQ,OACjB,OACA,SACsB;AACtB,UAAM,MACJ,iBAAiB,UACb,MAAM,MACN,iBAAiB,MACf,MAAM,OACN,OAAO,KAAK;AAEpB,QAAI,WAAW,KAAK,YAAY,GAAG;AACjC,aAAO,cAAc,OAAO,IAAI;AAAA,IAClC;AAEA,UAAM,SACJ,iBAAiB,UACb,MAAM,SACN,MAAM,UAAU;AAEtB,UAAM,MAAM,WAAW,SAAS;AAChC,UAAM,QAAQ,KAAK,IAAI;AAEvB,QAAI;AACF,YAAM,WAAW,MAAM,cAAc,OAAO,IAAI;AAChD,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,UAAI;AACF,aAAK,WAAW;AAAA,UACd;AAAA,UACA;AAAA,UACA,YAAY,SAAS;AAAA,UACrB;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAE5B,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,UAAI;AACF,aAAK,WAAW;AAAA,UACd;AAAA,UACA;AAAA,UACA,YAAY;AAAA,UACZ;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAE5B,YAAM;AAAA,IACR;AAAA,EACF;AACF;AA8BO,SAAS,oBACd,KACA,IACY;AACZ,SAAO,WAAW,IAAI,KAAK,EAAE;AAC/B;;;AF1QA;AACA;;;AGsbO,SAAS,YAAY,KAA6B;AAEvD,MAAI,SAAS;AACb,MAAI,OAAO,WAAW,aAAa,GAAG;AACpC,aAAS,OAAO,MAAM,cAAc,MAAM;AAAA,EAC5C;AAGA,MAAI,OAAO,WAAW,QAAQ,GAAG;AAC/B,aAAS,SAAS,OAAO,MAAM,SAAS,MAAM;AAAA,EAChD;AAEA,MAAI,WAAW,WAAW,WAAW,WAAW;AAC9C,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB;AACA,MAAI,WAAW,WAAW;AACxB,WAAO,EAAE,MAAM,UAAU;AAAA,EAC3B;AACA,MAAI,OAAO,WAAW,OAAO,GAAG;AAC9B,UAAM,SAAS,OAAO,MAAM,QAAQ,MAAM;AAC1C,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,yBAAyB,GAAG,0BAAqB;AAC9E,WAAO,EAAE,MAAM,QAAQ,OAAO;AAAA,EAChC;AACA,MAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,UAAM,aAAa,OAAO,MAAM,OAAO,MAAM;AAC7C,QAAI,CAAC,WAAY,OAAM,IAAI,MAAM,wBAAwB,GAAG,8BAAyB;AACrF,WAAO,EAAE,MAAM,OAAO,WAAW;AAAA,EACnC;AAEA,QAAM,IAAI,MAAM,kCAAkC,GAAG,0DAA0D;AACjH;;;AHncA,IAAI,aAAmC;AACvC,IAAM,YAAY,oBAAI,IAAiB;AACvC,IAAM,gBAA4C,CAAC;AAKnD,IAAM,8BAA8B;AACpC,IAAM,iBAAiB;AACvB,IAAM,mBAAmB;AACzB,IAAM,mBAAmB,oBAAI,IAAsB;AACnD,IAAM,iBAAiB,oBAAI,IAAoB;AAE/C,SAAS,UAAU,KAAsB;AACvC,QAAM,MAAM,KAAK,IAAI;AAGrB,QAAM,cAAc,eAAe,IAAI,GAAG,KAAK;AAC/C,MAAI,MAAM,aAAa;AACrB,WAAO;AAAA,EACT;AAGA,QAAM,aAAa,iBAAiB,IAAI,GAAG,KAAK,CAAC;AACjD,QAAM,SAAS,WAAW,OAAO,CAAC,MAAM,MAAM,IAAI,cAAc;AAEhE,MAAI,OAAO,UAAU,6BAA6B;AAEhD,mBAAe,IAAI,KAAK,MAAM,gBAAgB;AAC9C,qBAAiB,IAAI,KAAK,CAAC,CAAC;AAC5B,YAAQ;AAAA,MACN,mCAAmC,IAAI,MAAM,GAAG,EAAE,CAAC,cAChD,2BAA2B,eAAe,iBAAiB,GAAI,mBAAmB,mBAAmB,GAAI;AAAA,IAC9G;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,SAAS,aAAa,KAAmB;AACvC,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,aAAa,iBAAiB,IAAI,GAAG,KAAK,CAAC;AACjD,aAAW,KAAK,GAAG;AAEnB,mBAAiB;AAAA,IACf;AAAA,IACA,WAAW,OAAO,CAAC,MAAM,MAAM,IAAI,cAAc;AAAA,EACnD;AACF;AAGA,SAAS,aAAa,WAA4B;AAAE,SAAO,UAAU,OAAO,SAAS,EAAE;AAAG;AAC1F,SAAS,gBAAgB,WAAyB;AAAE,eAAa,OAAO,SAAS,EAAE;AAAG;AACtF,SAAS,cAAc,QAAyB;AAAE,SAAO,UAAU,QAAQ,MAAM,EAAE;AAAG;AACtF,SAAS,iBAAiB,QAAsB;AAAE,eAAa,QAAQ,MAAM,EAAE;AAAG;AAG3E,IAAI,uBAAuB;AAOlC,IAAM,mBAA4E;AAAA,EAChF,EAAE,IAAI,SAAS,OAAO,oBAAoB,WAAW,UAAU;AAAA,EAC/D,EAAE,IAAI,WAAW,OAAO,8BAA8B,WAAW,UAAU;AAC7E;AAKA,SAAS,oBAAoB,QAAgB,UAAkB,WAAyB;AACtF,QAAM,WAAW,QAAQ,MAAM;AAC/B,MAAI,iBAAiB,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,EAAG;AACrD,mBAAiB,KAAK,EAAE,IAAI,UAAU,OAAO,SAAS,QAAQ,IAAI,UAAU,CAAC;AAC7E,UAAQ,IAAI,wCAAwC,QAAQ,KAAK,OAAO,MAAM,GAAG,CAAC,CAAC,MAAM;AAC3F;AAGA,SAAS,mBAAmB,YAAoB,WAAyB;AACvE,QAAM,WAAW,OAAO,UAAU;AAClC,MAAI,iBAAiB,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,EAAG;AACrD,mBAAiB,KAAK;AAAA,IACpB,IAAI;AAAA,IACJ,OAAO,QAAQ,UAAU;AAAA,IACzB;AAAA,EACF,CAAC;AACD,UAAQ,IAAI,uCAAuC,QAAQ,EAAE;AAC/D;AAEA,SAAS,YAAY,IAAmB;AACtC,eAAa;AAEb,MAAI,cAAc,SAAS,GAAG;AAC5B,UAAM,UAAU,cAAc,OAAO,CAAC;AACtC,eAAW,MAAM,SAAS;AACxB,SAAG,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACrB;AAAA,EACF;AACF;AAKA,SAAS,eAAe,MAAwB;AAC9C,QAAM,WAAqB,CAAC;AAE5B,QAAM,KAAK;AACX,MAAI;AACJ,UAAQ,QAAQ,GAAG,KAAK,IAAI,OAAO,MAAM;AACvC,aAAS,KAAK,MAAM,CAAC,EAAE,YAAY,CAAC;AAAA,EACtC;AACA,SAAO;AACT;AAQA,SAAS,0BACP,WACA,WACA,WACA,gBACS;AACT,QAAM,WAAW,eAAe,SAAS;AAEzC,MAAI,SAAS,WAAW,EAAG,QAAO;AAElC,MAAI,SAAS,SAAS,KAAK,KAAK,SAAS,SAAS,UAAU,EAAG,QAAO;AAEtE,QAAM,YAAY,UAAU,YAAY;AACxC,QAAM,UAAU,UAAU,YAAY;AACtC,QAAM,YAAY,UAAU,MAAM,OAAO,EAAE,CAAC;AAC5C,QAAM,cAAc,SAAS;AAAA,IAC3B,CAAC,MAAM,MAAM,aAAa,MAAM,aAAa,MAAM;AAAA,EACrD;AACA,MAAI,YAAa,QAAO;AAExB,SAAO;AACT;AAGA,SAAS,eACP,MACA,WACA,WACQ;AACR,QAAM,YAAY,UAAU,YAAY;AACxC,QAAM,YAAY,UAAU,MAAM,OAAO,EAAE,CAAC;AAC5C,QAAM,UAAU,UAAU,YAAY;AAEtC,SAAO,KACJ,QAAQ,gBAAgB,CAAC,MAAM,SAAS;AACvC,UAAM,QAAQ,KAAK,YAAY;AAC/B,QAAI,UAAU,aAAa,UAAU,aAAa,UAAU,SAAS;AACnE,aAAO;AAAA,IACT;AAEA,QAAI,UAAU,SAAS,UAAU,WAAY,QAAO;AACpD,WAAO;AAAA,EACT,CAAC,EACA,QAAQ,QAAQ,EAAE,EAClB,KAAK;AACV;AAIA,eAAe,gBACb,QACA,QACA,OACA,OACA,QAAgB,GACC;AACjB,MAAI;AACF,UAAM,SAAS,IAAI,gBAAgB,EAAE,GAAG,OAAO,OAAO,OAAO,KAAK,EAAE,CAAC;AACrE,UAAM,UAAkC,EAAE,gBAAgB,mBAAmB;AAC7E,QAAI,OAAQ,SAAQ,eAAe,IAAI,UAAU,MAAM;AAEvD,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,kBAAkB,KAAK,kBAAkB,MAAM,IAAI,EAAE,QAAQ,CAAC;AAC/F,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,UAAW,MAAM,IAAI,KAAK;AAChC,QAAI,CAAC,QAAQ,OAAQ,QAAO;AAE5B,UAAM,QAAQ,CAAC,oCAAoC,EAAE;AACrD,eAAW,KAAK,SAAS;AACvB,YAAM,SAAS,EAAE,SAAS,MAAM,EAAE,MAAM,OAAO;AAC/C,YAAM,KAAK,MAAM,EAAE,QAAQ,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE;AAAA,IACtD;AACA,UAAM,KAAK,EAAE;AACb,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,eAAe,kBAAkB,OAAe,QAAgB,GAAoB;AAClF,QAAM,MAAM,QAAQ,IAAI;AACxB,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,OAAO,CAAC,IAAK,QAAO;AAEzB,MAAI;AACF,UAAM,SAAS,IAAI,gBAAgB,EAAE,GAAG,OAAO,OAAO,OAAO,KAAK,GAAG,WAAW,MAAM,CAAC;AACvF,UAAM,OAAO,MAAM,MAAM,GAAG,GAAG,qBAAqB,MAAM,IAAI;AAAA,MAC5D,SAAS,EAAE,aAAa,IAAI;AAAA,MAC5B,QAAQ,YAAY,QAAQ,GAAI;AAAA,IAClC,CAAC;AACD,QAAI,CAAC,KAAK,GAAI,QAAO;AACrB,UAAM,UAAW,MAAM,KAAK,KAAK;AACjC,QAAI,CAAC,QAAQ,OAAQ,QAAO;AAE5B,UAAM,QAAQ,CAAC,qCAAqC,EAAE;AACtD,eAAW,KAAK,SAAS;AACvB,YAAM,KAAK,MAAM,EAAE,QAAQ,KAAK,EAAE,OAAO,EAAE;AAAA,IAC7C;AACA,UAAM,KAAK,EAAE;AACb,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAiBA,eAAe,cAAc,QAMX;AAChB,QAAM,EAAE,WAAW,cAAc,UAAU,SAAS,SAAS,IAAI,IAAI;AACrE,QAAM,gBAAgB,QAAQ,SAAS,MAAM;AAC7C,QAAM,eAAe,QAAQ,SAAS,YAAY;AAGlD,MAAI,eAAe;AACjB,QAAI,CAAC,0BAA0B,cAAc,QAAQ,aAAa,IAAI,QAAQ,aAAa,IAAI,SAAS,aAAa,GAAG;AACtH;AAAA,IACF;AAAA,EACF;AAGA,MAAI,YAAY,gBACZ,eAAe,cAAc,QAAQ,aAAa,IAAI,QAAQ,aAAa,EAAE,IAC7E;AAGJ,MAAI,iBAAiB,cAAc;AACjC,QAAI;AACF,YAAM,OAAO,MAAM,oBAAoB,EAAE,QAAQ,cAAc,gBAAgB,SAAS,KAAK,oBAAoB,CAAC;AAClH,UAAI,MAAM;AACR,gBAAQ,IAAI,wCAAwC,gBAAgB,SAAS,KAAK,UAAU;AAAA,MAC9F;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAGA,QAAM,YAAY,KAAK,IAAI;AAC3B,QAAM,UAAU,YAAY,EAAE,EAAE,SAAS,KAAK;AAC9C,QAAM,aAAa,YAAY,CAAC,EAAE,SAAS,KAAK;AAChD,QAAM,kBAAkB,YAAY,CAAC,EAAE,SAAS,KAAK;AAGrD,QAAM,gBAAgB,CAAC,aAAsC;AAC3D,QAAI;AAAE,cAAQ,iBAAiB,EAAE,GAAG,UAAU,UAAU,SAAS,gBAAgB,gBAAgB,CAAC;AAAA,IAAG,QAAQ;AAAA,IAAC;AAAA,EAChH;AAEA,QAAM,cAAc;AAAA,IAClB,WAAW,CAAC,SAAc;AACxB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,cAAc,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC3D,YAAM,gBAAwC,EAAE,sBAAsB,KAAK,SAAS,GAAG;AACvF,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QAAO,WAAW,KAAK,SAAS;AAAA,QACpF,QAAQ,KAAK,WAAW,UAAU,UAAU;AAAA,QAC5C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,cAAc,KAAK;AAAA,QAAa,eAAe,KAAK;AAAA,MACtD,CAAC;AAAA,IACH;AAAA,IACA,YAAY,CAAC,SAAc;AACzB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,eAAe,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC5D,YAAM,gBAAwC,EAAE,sBAAsB,KAAK,YAAY,GAAG;AAC1F,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QAAQ,WAAW,KAAK,YAAY;AAAA,QACxF,QAAQ,KAAK,YAAY,QAAQ,UAAU;AAAA,QAC3C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,IACA,aAAa,CAAC,SAAc;AAC1B,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,YAAY,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AACzD,YAAM,gBAAwC,EAAE,uBAAuB,KAAK,aAAa,GAAG;AAC5F,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QAAS,WAAW,KAAK,aAAa;AAAA,QAC1F,QAAQ;AAAA,QACR,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa;AAAA,QACvF,YAAY;AAAA,QACZ,YAAY,KAAK;AAAA,QAAW,eAAe,KAAK;AAAA,MAClD,CAAC;AAAA,IACH;AAAA,IACA,YAAY,CAAC,SAAc;AACzB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,eAAe,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC5D,YAAM,gBAAwC,EAAE,wBAAwB,KAAK,UAAU,IAAI,qBAAqB,KAAK,OAAO,GAAG;AAC/H,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QACpD,YAAY,MAAM;AAAE,cAAI;AAAE,mBAAO,IAAI,IAAI,KAAK,GAAG,EAAE;AAAA,UAAU,QAAQ;AAAE,mBAAO,KAAK,KAAK,MAAM,GAAG,EAAE,KAAK;AAAA,UAAQ;AAAA,QAAE,GAAG;AAAA,QACrH,SAAS,KAAK,cAAc,QAAQ,MAAM,UAAU;AAAA,QACpD,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,aAAa,KAAK;AAAA,QAAQ,kBAAkB,KAAK;AAAA,QAAY,UAAU,KAAK;AAAA,MAC9E,CAAC;AAAA,IACH;AAAA,IACA,cAAc,CAAC,SAAc;AAC3B,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,iBAAiB,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC9D,YAAM,gBAAwC,EAAE,wBAAwB,KAAK,cAAc,IAAI,0BAA0B,KAAK,UAAU,GAAG;AAC3I,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QACpD,WAAW,GAAG,KAAK,cAAc,QAAQ,KAAK,KAAK,UAAU,EAAE;AAAA,QAC/D,QAAQ,KAAK,YAAY,QAAQ,UAAU;AAAA,QAC3C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,aAAa,KAAK;AAAA,QAAY,eAAe,KAAK;AAAA,MACpD,CAAC;AAAA,IACH;AAAA,IACA,WAAW,CAAC,SAAc;AACxB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,cAAc,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC3D,YAAM,gBAAwC,EAAE,uBAAuB,KAAK,SAAS,GAAG;AACxF,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QACpD,WAAW,KAAK,OAAO,MAAM,GAAG,EAAE,KAAK;AAAA,QACvC,QAAQ,KAAK,WAAW,UAAU,UAAU;AAAA,QAC5C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,cAAc;AAAA,EAChB;AACA,MAAI,aAAa;AACjB,MAAI,kBAAkB;AACtB,MAAI,iBAAgC;AACpC,QAAM,aAA0F,CAAC;AAGjG,iBAAe,SAAS;AAAA,IACtB;AAAA,IACA,cAAc;AAAA,IACd,MAAM;AAAA,IACN;AAAA,IACA,SAAS,YAAY;AAAA;AAAA,IACrB,YAAY;AAAA,MACV,gCAAgC,UAAU;AAAA,MAC1C,yBAAyB,eAAe,QAAQ,SAAS,SAAS,SAAS;AAAA,IAC7E;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAGD,MAAI;AAAE,YAAQ,WAAW;AAAA,EAAG,QAAQ;AAAA,EAAe;AAEnD,QAAM,OAAO;AAGb,MAAI;AACJ,MAAI;AACJ,MAAI,iBAAiB,SAAS,QAAQ;AACpC,eAAW,SAAS;AAEpB,wBAAqB,SAAiB;AACtC,QAAI,CAAC,YAAY,CAAC,mBAAmB;AACnC,YAAM,QAAQ,QAAQ,WAAW,KAAK,CAAC;AACvC,YAAM,OAAO,MAAM,KAAK,CAAC,MAAW,EAAE,WAAW,SAAS,MAAM;AAChE,UAAI,MAAM;AACR,YAAI,CAAC,SAAU,YAAW,KAAK;AAC/B,YAAI,CAAC,qBAAqB,SAAS,gBAAgB;AACjD,gBAAM,SAAS,KAAK,SAAS,KAAK,CAAC,MAAW,EAAE,aAAa,SAAS,cAAc;AACpF,cAAI,OAAQ,qBAAoB,OAAO;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ,KAAK,QAAQ,QAAQ,kBAAkB;AAAA,IACnD;AAAA,IACA,SAAS;AAAA,IACT,WAAW,QAAQ;AAAA,IACnB,MAAM;AAAA,MACJ,MAAM,eAAe,QAAe,gBAAgB,UAAiB;AAAA,MACrE,IAAI,eACA,kBAAkB,SAAS,cAAc,KACzC,gBACE,mBAAmB,SAAS,MAAM,KAClC;AAAA,IACR;AAAA,EACF,CAAC;AAED,QAAM,YAAY,KAAK,QAAQ,QAAQ,iBAAiB,KAAK,SAAS,OAAO;AAAA,IAC3E,SAAS,MAAM;AAAA,EACjB,CAAC;AAED,QAAM,kBAAkB,KAAK,QAAQ,MAAM,6BAA6B,GAAG;AAC3E,QAAM,oBAAoB,KAAK,QAAQ,QAAQ,qBAAqB;AAAA,IAClE;AAAA,IACA,YAAY,MAAM;AAAA,EACpB,CAAC;AAGD,QAAM,cAAc,iBAAiB,eACjC,YACC,UAAU,UAAU,UAAU,eAAe;AAElD,QAAM,oBAAoB,MAAM,kBAAkB,WAAW;AAC7D,MAAI,mBAAmB;AACrB,gBAAY,oBAAoB,cAAc;AAAA,EAChD;AAGA,MAAI,SAAS,QAAQ,QAAQ;AAC3B,UAAM,gBAAgB,MAAM;AAAA,MAC1B,QAAQ,OAAO;AAAA,MACf,QAAQ,OAAO;AAAA,MACf,QAAQ,OAAO,SAAS;AAAA,MACxB;AAAA,MACA;AAAA,IACF;AAEA,QAAI,eAAe;AACjB,kBAAY,gBAAgB,cAAc;AAAA,IAC5C;AAAA,EACF;AAGA,MAAI,cAAc;AAClB,MAAI,iBAAiB,SAAS,UAAU,QAAQ,gBAAgB;AAC9D,UAAM,gBAAgB,QAAQ,eAAe,SAAS,QAAQ,EAAE;AAEhE,UAAM,QAAQ,cAAc,MAAM,GAAG,EAAE;AACvC,QAAI,MAAM,SAAS,GAAG;AACpB,YAAM,eAAe,MAAM,IAAI,CAAC,MAAW;AACzC,cAAM,OAAO,EAAE,WAAW,UAAU,QAAQ;AAC5C,eAAO,IAAI,IAAI,MAAM,EAAE,IAAI;AAAA,MAC7B,CAAC,EAAE,KAAK,IAAI;AACZ,oBAAc;AAAA,EAA+B,YAAY;AAAA;AAAA;AAAA,EAA0B,SAAS;AAAA,IAC9F;AAAA,EACF;AAEA,QAAM,OAAO,KAAK,QAAQ,MAAM,oBAAoB;AAAA,IAClD,SAAS;AAAA,IACT,MAAM,eAAe,UAAU,SAAS,cAAc,MAAM,gBAAiB,qBAAqB,gBAAiB;AAAA,IACnH,WAAW,IAAI,KAAK,SAAS,SAAS,EAAE,QAAQ;AAAA,IAChD;AAAA,IACA,UAAU;AAAA,IACV,MAAM;AAAA,EACR,CAAC;AAGD,QAAM,mBAAwC,CAAC;AAC/C,MAAI,SAAS,YAAY;AACvB,qBAAiB,iBAAiB,SAAS,WAAW;AACtD,qBAAiB,qBAAqB,SAAS,WAAW;AAC1D,qBAAiB,iBAAiB,SAAS,WAAW;AAGtD,QAAI,SAAS,WAAW,QAAQ;AAC9B,uBAAiB,WAAW,SAAS,WAAW;AAChD,uBAAiB,WAAW;AAAA,IAC9B;AAAA,EAGF;AAGA,QAAM,mBAAwC,CAAC;AAC/C,MAAI,iBAAiB,SAAS,UAAU,QAAQ,gBAAgB;AAC9D,UAAM,QAAQ,QAAQ,eAAe,SAAS,MAAM;AACpD,QAAI,MAAM,SAAS,GAAG;AACpB,uBAAiB,uBAAuB;AACxC,uBAAiB,oBAAoB,QAAQ,iBAAiB,SAAS,MAAM;AAC7E,uBAAiB,wBAAwB,MAAM;AAAA,IACjD;AAAA,EACF;AAEA,QAAM,aAAa,KAAK,QAAQ,MAAM,uBAAuB;AAAA,IAC3D,MAAM;AAAA,IACN,SAAS;AAAA,IACT,aAAa;AAAA,IACb,MAAM,eAAe,OAAO,SAAS,cAAc,KAAK,gBAAgB,mBAAmB,SAAS,MAAM,KAAK;AAAA,IAC/G,IAAI,oBAAoB,QAAQ,SAAS;AAAA,IACzC,YAAY,MAAM;AAAA,IAClB,WAAW,QAAQ;AAAA,IACnB,UAAU,eAAe,QAAQ,gBAAgB,SAAS;AAAA,IAC1D,mBAAmB,eAAe,QAAQ,SAAS,cAAc,KAAK,gBAAiB,YAAY,oBAAqB;AAAA,IACxH,YAAY,eAAe,SAAS,iBAAiB,gBAAiB,qBAAqB,gBAAiB;AAAA,IAC5G,UAAU,eAAe,OAAO,SAAS,cAAc,KAAK,gBAAgB,mBAAmB,SAAS,kBAAkB,SAAS,MAAM,KAAK;AAAA,IAC9I,UAAU;AAAA,IACV,SAAS;AAAA,IACT,YAAY,SAAS;AAAA,IACrB,WAAW,IAAI,KAAK,SAAS,SAAS,EAAE,QAAQ;AAAA,IAChD,oBAAoB;AAAA,IACpB,eAAe,oBAAoB,QAAQ,SAAS;AAAA,IACpD,mBAAmB;AAAA,IACnB,YAAY;AAAA;AAAA,IACZ,qBAAqB;AAAA;AAAA,IACrB,GAAG;AAAA,IACH,GAAG;AAAA,EACL,CAAC;AAED,QAAM,KAAK,QAAQ,QAAQ,qBAAqB;AAAA,IAC9C;AAAA,IACA,YAAY,WAAW,cAAc,MAAM;AAAA,IAC3C,KAAK;AAAA,IACL,eAAe,CAAC,QAAe;AAC7B,WAAK,QAAQ,uCAAuC,OAAO,GAAG,CAAC,EAAE;AAAA,IACnE;AAAA,EACF,CAAC;AAED,MAAI;AACF,UAAM;AAAA,MACJ,EAAE,SAAS,cAAc,gBAAgB;AAAA,MACzC,MAAM,KAAK,QAAQ,MAAM,yCAAyC;AAAA,QAClE,KAAK;AAAA,QACL;AAAA,QACA,mBAAmB;AAAA,UACjB,SAAS,OAAO,YAA8C;AAE5D,gBAAI,QAAQ,SAAS,cAAc,QAAQ,SAAS,YAAa;AACjE,kBAAM,QAAQ,QAAQ,QAAQ,IAAI,KAAK;AACvC,gBAAI,CAAC,KAAM;AAEX,gBAAI,8DAA8D,KAAK,IAAI,EAAG;AAE9E,gBAAI,gBAAgB,KAAK,IAAI,KAAK,YAAY,KAAK,IAAI,EAAG;AAE1D,gBAAI,kBAAkB,KAAK,IAAI,EAAG;AAElC,gBAAI,6BAA6B,KAAK,IAAI,EAAG;AAE7C,kBAAM,aAAa,KAAK,IAAI;AAC5B;AACA,+BAAmB,KAAK;AACxB,gBAAI,CAAC,eAAgB,kBAAiB;AAGtC,gBAAI;AACJ,gBAAI,cAAc;AAEhB,kBAAI,CAAC,aAAa,SAAS,YAAY,GAAG;AACxC,wBAAQ,KAAK,8DAA8D,SAAS,cAAc,MAAM,GAAG,CAAC,CAAC,KAAK;AAClH;AAAA,cACF;AACA,4BAAc,EAAE,MAAM,OAAO,YAAY,SAAS,eAAe;AAAA,YACnE,WAAW,eAAe;AAExB,kBAAI,CAAC,cAAc,SAAS,MAAM,GAAG;AACnC,wBAAQ,KAAK,4DAA4D,SAAS,QAAQ,MAAM,GAAG,CAAC,CAAC,KAAK;AAC1G;AAAA,cACF;AACA,4BAAc,EAAE,MAAM,QAAQ,QAAQ,SAAS,OAAO;AAAA,YACxD,OAAO;AACL,4BAAc,EAAE,MAAM,QAAQ;AAAA,YAChC;AACA,kBAAM,QAAQ,QAAQ,aAAa,EAAE,MAAM,QAAQ,KAAK,GAAG;AAAA,cACzD,gBAAgB,SAAS;AAAA,cACzB,SAAS,SAAS;AAAA,cAClB,cAAc;AAAA,cACd,UAAU,gBAAgB,EAAE,gBAAgB,KAAK,OAAO,IAAI;AAAA,YAC9D,CAAC;AACD,gBAAI,cAAc;AAChB,8BAAgB,SAAS,YAAY;AAAA,YACvC;AACA,gBAAI,eAAe;AACjB,+BAAiB,SAAS,MAAM;AAAA,YAClC;AAEA,kBAAM,WAAW,KAAK,IAAI;AAC1B,uBAAW,KAAK,EAAE,WAAW,YAAY,SAAS,UAAU,OAAO,KAAK,QAAQ,OAAO,WAAW,CAAC;AAAA,UACrG;AAAA,UACA,SAAS,CAAC,KAAY,SAA6B;AACjD,iBAAK,QAAQ,gBAAgB,MAAM,QAAQ,OAAO,WAAW,OAAO,GAAG,CAAC,EAAE;AAAA,UAC5E;AAAA,QACF;AAAA,QACA,cAAc,CAAC;AAAA,MACjB,CAAC;AAAA,IACD;AAEA,UAAM,UAAU,KAAK,IAAI;AAGzB,2BAAuB,SAAS;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,YAAY,UAAU;AAAA,MACtB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,UAAU,KAAK,IAAI;AAGzB,2BAAuB,SAAS;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,YAAY,UAAU;AAAA,MACtB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,eAAe,OAAO,GAAG;AAAA,IAC3B,CAAC;AAED,mBAAe,SAAS;AAAA,MACtB;AAAA,MACA,cAAc;AAAA,MACd,MAAM;AAAA,MACN,WAAW;AAAA,MACX;AAAA,MACA,YAAY;AAAA,QACV,uBAAwB,KAAa,aAAa,QAAQ;AAAA,QAC1D,0BAA0B,OAAO,GAAG;AAAA,MACtC;AAAA,MACA,QAAQ;AAAA,MACR,eAAe,OAAO,GAAG;AAAA,IAC3B,CAAC;AACD,UAAM;AAAA,EACR;AACF;AAGA,SAAS,eAAe,MAAoE;AAC1F,MAAI,SAAS,WAAW,KAAK,SAAS,OAAO,EAAG,QAAO;AACvD,MAAI,KAAK,WAAW,MAAM,KAAK,KAAK,SAAS,WAAW,EAAG,QAAO;AAClE,MAAI,KAAK,WAAW,OAAO,KAAK,KAAK,SAAS,MAAM,EAAG,QAAO;AAC9D,MAAI,KAAK,WAAW,OAAO,KAAK,KAAK,SAAS,MAAM,EAAG,QAAO;AAC9D,MAAI,KAAK,WAAW,MAAM,KAAK,KAAK,SAAS,KAAK,EAAG,QAAO;AAC5D,MAAI,KAAK,WAAW,SAAS,KAAK,KAAK,SAAS,QAAQ,EAAG,QAAO;AAClE,SAAO;AACT;AAGA,SAAS,iBAAiB,MAAc,OAA0D;AAChG,MAAI,MAAM,oBAAoB,EAAG,QAAO,OAAO,MAAM,oBAAoB,CAAC;AAC1E,MAAI,MAAM,oBAAoB,EAAG,QAAO,OAAO,MAAM,oBAAoB,CAAC;AAC1E,MAAI,MAAM,mBAAmB,GAAG;AAC9B,QAAI;AAAE,aAAO,IAAI,IAAI,OAAO,MAAM,mBAAmB,CAAC,CAAC,EAAE;AAAA,IAAU,QAAQ;AAAA,IAAgB;AAC3F,WAAO,OAAO,MAAM,mBAAmB,CAAC,EAAE,MAAM,GAAG,EAAE;AAAA,EACvD;AACA,MAAI,MAAM,sBAAsB,EAAG,QAAO,GAAG,MAAM,sBAAsB,CAAC,KAAK,MAAM,wBAAwB,KAAK,EAAE;AACpH,MAAI,MAAM,qBAAqB,EAAG,QAAO,OAAO,MAAM,qBAAqB,CAAC,EAAE,MAAM,GAAG,EAAE;AACzF,MAAI,MAAM,qBAAqB,EAAG,QAAO,OAAO,MAAM,qBAAqB,CAAC;AAC5E,SAAO;AACT;AAGA,SAAS,eAAe,SAAc,MAU7B;AACP,MAAI;AACF,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU;AAEf,UAAM,SAAS,KAAK,UAAU,YAAY,CAAC,EAAE,SAAS,KAAK;AAE3D,aAAS,iBAAiB;AAAA,MACxB,SAAS,KAAK;AAAA,MACd;AAAA,MACA,cAAc,KAAK;AAAA,MACnB,MAAM,KAAK;AAAA,MACX,MAAM;AAAA,MACN,WAAW,KAAK;AAAA,MAChB,SAAS,KAAK;AAAA,MACd,YAAY,KAAK;AAAA,MACjB,QAAQ;AAAA,QACN,MAAM,KAAK,WAAW,OAAO,IAAI;AAAA,QACjC,SAAS,KAAK;AAAA,MAChB;AAAA,IACF,CAAC;AAGD,QAAI;AACF,YAAM,WAAW,eAAe,KAAK,IAAI;AACzC,YAAM,WAAW,iBAAiB,KAAK,MAAM,KAAK,UAAU;AAC5D,YAAM,aAAa,KAAK,UAAU,KAAK;AACvC,cAAQ,iBAAiB;AAAA,QACvB,UAAU,KAAK;AAAA,QACf,SAAS;AAAA,QACT,gBAAgB,KAAK;AAAA,QACrB,WAAW;AAAA,QACX,WAAW;AAAA,QACX,QAAQ,KAAK;AAAA,QACb,YAAY,IAAI,KAAK,KAAK,SAAS,EAAE,YAAY;AAAA,QACjD,UAAU,IAAI,KAAK,KAAK,OAAO,EAAE,YAAY;AAAA,QAC7C,aAAa;AAAA,QACb,YAAY,KAAK;AAAA,QACjB,GAAI,aAAa,QAAQ;AAAA,UACvB,cAAc,KAAK,WAAW,2BAA2B;AAAA,UACzD,eAAe,KAAK,WAAW,4BAA4B;AAAA,QAC7D,IAAI,CAAC;AAAA,QACL,GAAI,aAAa,SAAS;AAAA,UACxB,aAAa,KAAK,WAAW,sBAAsB;AAAA,UACnD,kBAAkB,KAAK,WAAW,2BAA2B;AAAA,UAC7D,UAAU,KAAK,WAAW,mBAAmB;AAAA,QAC/C,IAAI,CAAC;AAAA,QACL,GAAI,aAAa,SAAS;AAAA,UACxB,cAAc,KAAK,WAAW,uBAAuB;AAAA,QACvD,IAAI,CAAC;AAAA,QACL,GAAI,aAAa,UAAU;AAAA,UACzB,YAAY,KAAK,WAAW,qBAAqB;AAAA,UACjD,eAAe,KAAK,WAAW,wBAAwB;AAAA,QACzD,IAAI,CAAC;AAAA,MACP,CAAC;AAAA,IACH,QAAQ;AAAA,IAAmC;AAAA,EAC7C,QAAQ;AAAA,EAAiC;AAC3C;AAGA,SAAS,uBAAuB,SAAc,MAcrC;AACP,MAAI;AACF,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU;AAGf,UAAM,eAAe,KAAK,kBAAkB,KAAK;AACjD,mBAAe,SAAS;AAAA,MACtB,SAAS,KAAK;AAAA,MACd,cAAc,KAAK;AAAA,MACnB,QAAQ,KAAK;AAAA,MACb,MAAM;AAAA,MACN,WAAW,KAAK,YAAY;AAAA;AAAA,MAC5B,SAAS;AAAA,MACT,YAAY;AAAA,QACV,iCAAiC,eAAe,KAAK;AAAA,QACrD,gCAAgC,KAAK;AAAA,MACvC;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,eAAe,KAAK,WAAW,UAAU,KAAK,gBAAgB;AAAA,IAChE,CAAC;AAGD,eAAW,SAAS,KAAK,YAAY;AACnC,qBAAe,SAAS;AAAA,QACtB,SAAS,KAAK;AAAA,QACd,cAAc,KAAK;AAAA,QACnB,MAAM;AAAA,QACN,WAAW,MAAM;AAAA,QACjB,SAAS,MAAM;AAAA,QACf,YAAY;AAAA,UACV,wBAAwB,MAAM;AAAA,UAC9B,wBAAwB,MAAM;AAAA,QAChC;AAAA,QACA,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAGA,aAAS,iBAAiB;AAAA,MACxB,SAAS,KAAK;AAAA,MACd,QAAQ,KAAK;AAAA,MACb,MAAM;AAAA,MACN,MAAM;AAAA,MACN,WAAW,KAAK;AAAA,MAChB,SAAS,KAAK;AAAA,MACd,YAAY;AAAA,QACV,gCAAgC,KAAK;AAAA,QACrC,gCAAgC,KAAK;AAAA,QACrC,gCAAgC,KAAK;AAAA,QACrC,+BAA+B,KAAK,UAAU,KAAK;AAAA,QACnD,yBAAyB,KAAK,SAAS,SAAS;AAAA,MAClD;AAAA,MACA,QAAQ;AAAA,QACN,MAAM,KAAK,WAAW,OAAO,IAAI;AAAA,QACjC,SAAS,KAAK;AAAA,MAChB;AAAA,IACF,CAAC;AAAA,EACH,QAAQ;AAAA,EAAiC;AAC3C;AAIA,IAAM,mBAAmB;AAAA,EACvB,IAAI;AAAA,EACJ,MAAM;AAAA,IACJ,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,gBAAgB;AAAA,IAChB,UAAU;AAAA,IACV,OAAO;AAAA,IACP,SAAS,CAAC,MAAM,aAAa;AAAA,EAC/B;AAAA,EACA,cAAc,EAAE,WAAW,CAAC,UAAU,MAAM,EAAE;AAAA,EAC9C,QAAQ,EAAE,gBAAgB,eAAe;AAAA,EAEzC,SAAS;AAAA;AAAA,IAEP,OAAO,OAAO,QAAa;AACzB,YAAM,YAAY,KAAK,aAAa;AACpC,YAAM,KAAK,UAAU,IAAI,SAAS;AAClC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB,OAAO,sBAAsB;AAClF,YAAM,QAAQ,GAAG;AACjB,aAAO;AAAA,QACL,IAAI,UAAU;AAAA,QACd,QAAQ;AAAA,QACR,UAAU,GAAG,YAAY;AAAA,QACzB,UAAU,GAAG;AAAA,MACf;AAAA,IACF;AAAA;AAAA,IAGA,QAAQ,CAAC,QAAa;AACpB,YAAM,YAAY,KAAK,aAAa;AACpC,YAAM,KAAK,UAAU,IAAI,SAAS;AAClC,UAAI,CAAC,GAAI,QAAO,EAAE,WAAW,OAAO,QAAQ,cAAc;AAC1D,aAAO;AAAA,QACL,WAAW,GAAG,UAAU;AAAA,QACxB,QAAQ,GAAG;AAAA,QACX,UAAU,GAAG,YAAY;AAAA,QACzB,UAAU,GAAG;AAAA,QACb,WAAW;AAAA,MACb;AAAA,IACF;AAAA,IAEA,cAAc,OAAO,QAAoD;AACvE,YAAM,EAAE,SAAS,KAAK,KAAK,YAAY,IAAI;AAC3C,YAAM,OAA4C,OAAO,QAAQ,aAAa,MAAM,KAAK,MAAM,KAAK,GAAG;AAEvG,UAAI,CAAC,QAAQ,YAAY;AACvB,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AAEA,YAAM,UAAU,YAAY,QAAQ,QAAQ,QAAQ,MAAM,UAAU,CAAC,CAAC;AACtE,aAAO,kCAAkC,OAAO,GAAG;AAMnD,YAAM,IAAI,QAAc,CAACC,UAAS,WAAW;AAC3C,YAAI;AAEJ,cAAM,UAAU,YAAY;AAC1B,gBAAM,SAAS,KAAK;AACpB,oBAAU,OAAO,QAAQ,SAAS;AAClC,UAAAA,SAAQ;AAAA,QACV;AAEA,qBAAa,iBAAiB,SAAS,MAAM,KAAK,QAAQ,CAAC;AAG3D,eAAO,YAAY,EAAE,KAAK,OAAO,EAAE,cAAc,MAAM;AACrD,oBAAU,IAAI,cAAc;AAAA,YAC1B,aAAa;AAAA,YACb;AAAA,YACA,QAAQ,QAAQ;AAAA,YAChB,WAAW,QAAQ;AAAA,YACnB,WAAW,OAAO,WAAmB,aAAkB;AACrD,kBAAI,CAAC,YAAY;AACf,uBAAO,iDAAiD;AACxD,8BAAc,KAAK,YAAY;AAC7B,wBAAM,cAAc,EAAE,WAAW,UAAU,SAAS,SAAS,IAAI,CAAC;AAAA,gBACpE,CAAC;AACD;AAAA,cACF;AACA,kBAAI;AACF,sBAAM,cAAc,EAAE,WAAW,UAAU,SAAS,SAAS,IAAI,CAAC;AAAA,cACpE,SAAS,KAAK;AACZ,uBAAO,+BAA+B,OAAO,GAAG,CAAC,EAAE;AAAA,cACrD;AAAA,YACF;AAAA,YACA,cAAc,OAAO,QAAa;AAChC,oBAAM,cAAc;AAAA,gBAClB,cAAc,IAAI;AAAA,gBAClB,gBAAgB,IAAI;AAAA,gBACpB,gBAAgB,IAAI;AAAA,gBACpB,WAAW,IAAI;AAAA,gBACf,cAAc,IAAI;AAAA,gBAClB,WAAW,OAAO,IAAI,SAAS,IAAI,KAAK,IAAI,CAAC;AAAA,cAC/C;AACA,kBAAI,CAAC,YAAY;AACf,uBAAO,qDAAqD;AAC5D,8BAAc,KAAK,YAAY;AAC7B,wBAAM,cAAc,EAAE,WAAW,IAAI,MAAM,UAAU,aAAa,SAAS,SAAS,IAAI,CAAC;AAAA,gBAC3F,CAAC;AACD;AAAA,cACF;AACA,kBAAI;AACF,sBAAM,cAAc,EAAE,WAAW,IAAI,MAAM,UAAU,aAAa,SAAS,SAAS,IAAI,CAAC;AAAA,cAC3F,SAAS,KAAK;AACZ,uBAAO,mCAAmC,OAAO,GAAG,CAAC,EAAE;AAAA,cACzD;AAAA,YACF;AAAA,YACA,mBAAmB,OAAO,SAMpB;AAEJ,iCAAmB,KAAK,gBAAgB,QAAQ,SAAS;AAGzD,kBAAI,KAAK,SAAS,WAAW;AAC3B,uBAAO,uEAAkE,KAAK,cAAc,EAAE;AAC9F;AAAA,cACF;AACA,qBAAO,mEAA8D,KAAK,cAAc,GAAG,KAAK,QAAQ,YAAY,KAAK,KAAK,MAAM,EAAE,EAAE;AAExI,oBAAM,WAAW,KAAK,QAClB,8DAA8D,KAAK,cAAc,aACtE,KAAK,KAAK,mEAErB,8DAA8D,KAAK,cAAc;AAErF,oBAAM,eAAe;AAAA,gBACnB,cAAc,KAAK;AAAA,gBACnB,gBAAgB,KAAK;AAAA,gBACrB,gBAAgB,KAAK;AAAA,gBACrB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,gBAClC,WAAW,YAAY,KAAK,SAAS,IAAI,KAAK,IAAI,CAAC;AAAA,cACrD;AAEA,kBAAI,CAAC,YAAY;AACf,uBAAO,kDAAkD;AACzD,8BAAc,KAAK,YAAY;AAC7B,wBAAM,cAAc,EAAE,WAAW,UAAU,UAAU,cAAc,SAAS,SAAS,IAAI,CAAC;AAAA,gBAC5F,CAAC;AACD;AAAA,cACF;AACA,kBAAI;AACF,sBAAM,cAAc,EAAE,WAAW,UAAU,UAAU,cAAc,SAAS,SAAS,IAAI,CAAC;AAAA,cAC5F,SAAS,KAAK;AACZ,uBAAO,gCAAgC,OAAO,GAAG,CAAC,EAAE;AAAA,cACtD;AAAA,YACF;AAAA,YACA,eAAe,CAAC,UAAkB;AAChC,qBAAO,uBAAkB,KAAK,EAAE;AAEhC,kBAAI,UAAU,QAAS,QAAO,IAAI,MAAM,oCAAoC,CAAC;AAAA,YAG/E;AAAA,UACF,CAAC;AAED,oBAAU,IAAI,QAAQ,WAAW,OAAO;AAIxC,kBAAQ,GAAG,SAAS,CAAC,QAAa;AAChC,mBAAO,2CAA2C,OAAO,GAAG,CAAC,EAAE;AAAA,UACjE,CAAC;AAGD,cAAI;AACF,kBAAM,EAAE,qBAAAC,qBAAoB,IAAI,MAAM;AACtC,kBAAM,EAAE,yBAAAC,0BAAyB,mBAAAC,oBAAmB,aAAAC,aAAY,IAAI,MAAM;AAC1E,kBAAM,YAAY,IAAIH,qBAAoB;AAAA,cACxC,WAAW,QAAQ,aAAa;AAAA,cAChC,QAAQ,QAAQ,UAAU;AAAA,cAC1B,UAAU,OAAO,WAAmB,MAA+B,UAAe;AAGhF,sBAAM,SAAS,QAAQ,UAAU;AACjC,sBAAM,MAAO,QAAgB;AAC7B,oBAAI,CAAC,KAAK;AACR,yBAAO,EAAE,OAAO,8CAAyC;AAAA,gBAC3D;AAGA,sBAAM,eAAe,OAAO;AAC5B,oBAAI,CAAC,cAAc;AACjB,yBAAO,EAAE,OAAO,UAAU,SAAS,gCAAgC;AAAA,gBACrE;AAEA,oBAAI;AACF,wBAAM,OAAO,MAAM,MAAM,GAAG,MAAM,sCAAsC;AAAA,oBACtE,QAAQ;AAAA,oBACR,SAAS;AAAA,sBACP,gBAAgB;AAAA,sBAChB,eAAe,UAAU,GAAG;AAAA,oBAC9B;AAAA,oBACA,MAAM,KAAK,UAAU;AAAA,sBACnB,SAAS;AAAA,sBACT,QAAQ;AAAA,sBACR,QAAQ;AAAA,wBACN,MAAM;AAAA,wBACN,WAAW;AAAA;AAAA,wBAEX,eAAe;AAAA,wBACf,SAAS,OAAO;AAAA,sBAClB;AAAA,sBACA,IAAI,UAAU,KAAK,IAAI,CAAC;AAAA,oBAC1B,CAAC;AAAA,kBACH,CAAC;AACD,sBAAI,CAAC,KAAK,IAAI;AACZ,0BAAM,SAAS,MAAM,KAAK,KAAK;AAC/B,2BAAO,EAAE,OAAO,qBAAqB,KAAK,MAAM,MAAM,MAAM,GAAG;AAAA,kBACjE;AACA,wBAAM,YAAY,MAAM,KAAK,KAAK;AAClC,sBAAI,UAAU,OAAO;AACnB,2BAAO,EAAE,OAAO,UAAU,MAAM,WAAW,kBAAkB;AAAA,kBAC/D;AAEA,wBAAM,UAAU,UAAU,QAAQ;AAClC,sBAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,2BAAO,QAAQ,CAAC,EAAE,QAAQ,KAAK,UAAU,OAAO;AAAA,kBAClD;AACA,yBAAO,UAAU,UAAU,EAAE,UAAU,KAAK;AAAA,gBAC9C,SAAS,KAAK;AACZ,yBAAO,wCAAwC,OAAO,GAAG,CAAC,EAAE;AAC5D,yBAAO,EAAE,OAAO,2BAA2B,OAAO,GAAG,CAAC,GAAG;AAAA,gBAC3D;AAAA,cACF;AAAA,YACF,CAAC;AAKD,kBAAM,UAAU,UAAU;AAC1B,kBAAM,QAAQ;AACd,gBAAI,eAAe;AACnB,gBAAI;AACF,oBAAM,aAAoB,OAAO,QAAQ,QAAQ,CAAC;AAGlD,oBAAM,WAAkB,OAAO,YAAY,CAAC;AAC5C,oBAAM,UAAU,SAAS;AAAA,gBAAK,CAAC,MAC7B,EAAE,OAAO,YAAY,gBAAgB,EAAE,OAAO,cAAc,QAAQ;AAAA,cACtE;AACA,oBAAM,UAAU,SAAS,WAAW;AACpC,oBAAM,aAAa,WAAW,KAAK,CAAC,MAAW,EAAE,OAAO,OAAO;AAE/D,kBAAI,YAAY,WAAW;AACzB,+BAAe,YAAY,WAAW,UAAU,QAAQ,MAAM,OAAO,CAAC;AAAA,cACxE,WAAW,OAAO,QAAQ,UAAU,WAAW;AAC7C,+BAAe,YAAY,MAAM,OAAO,SAAS,UAAU,QAAQ,MAAM,OAAO,CAAC;AAAA,cACnF;AACA,qBAAO,0CAA0C,YAAY,aAAa,OAAO,GAAG;AAAA,YACtF,QAAQ;AACN,qBAAO,sDAAsD;AAAA,YAC/D;AAGA,kBAAM,cAAcC,yBAAwB,YAAY;AAGxD,kBAAM,eAAe,YAAY,cAAc,QAAQ;AACvD,kBAAM,eAAeA,yBAAwB,YAAY;AACzD,wBAAY,KAAK,GAAG,YAAY;AAGhC,gBAAI,iBAAiB,SAAS;AAC5B,oBAAM,gBAAgBA,yBAAwB,OAAO;AACrD,0BAAY,KAAK,GAAG,aAAa;AAAA,YACnC;AAGA,gBAAI,YAAyD,CAAC;AAC9D,gBAAI;AACF,oBAAM,EAAE,WAAAG,WAAU,IAAI,MAAM;AAC5B,oBAAM,YAAY,MAAMA,WAAU,OAAO;AACzC,oBAAM,QAAQ,WAAW;AACzB,oBAAM,YAAY,WAAW;AAC7B,oBAAM,SAAS,QAAQ,UAAU;AACjC,kBAAI,SAAS,WAAW;AACtB,4BAAY,MAAMF,mBAAkB,QAAQ,WAAW,KAAK;AAC5D,oBAAI,UAAU,SAAS,GAAG;AACxB,yBAAO,uBAAuB,UAAU,MAAM,oBAAoB;AAAA,gBACpE;AAAA,cACF;AAAA,YACF,SAAS,KAAK;AACZ,qBAAO,sDAAsD,OAAO,GAAG,CAAC,EAAE;AAAA,YAC5E;AAGA,kBAAM,EAAE,QAAQ,UAAU,IAAIC,aAAY,aAAa,SAAS;AAChE,uBAAW,SAAS,WAAW;AAC7B,wBAAU,cAAc,KAAK;AAAA,YAC/B;AAEA,sBAAU,WAAW;AACrB,oBAAQ,aAAa,SAAS;AAC9B,mBAAO,0CAA0C,UAAU,UAAU,cAAc,YAAY,MAAM,WAAW,UAAU,MAAM,OAAO;AAAA,UACzI,SAAS,KAAK;AACZ,mBAAO,0DAA0D,OAAO,GAAG,CAAC,EAAE;AAAA,UAChF;AAGA,gBAAM,WAAW,QAAQ,YAAY;AACrC,kBAAQ,GAAG,SAAS,MAAM;AACxB,oBAAQ,gBAAgB,QAAQ;AAChC,mBAAO,+DAA+D,QAAQ,EAAE;AAChF,gBAAI,sBAAsB;AACxB,qBAAO,sDAAsD;AAAA,YAC/D;AAGA,uBAAW,eAAe,QAAQ,kBAAkB;AAClD,iCAAmB,aAAa,QAAQ,SAAS;AAAA,YACnD;AAGA,uBAAW,QAAQ,QAAQ,SAAS;AAClC,kCAAoB,KAAK,QAAQ,KAAK,MAAM,QAAQ,SAAS;AAAA,YAC/D;AAAA,UACF,CAAC;AAGD,kBAAQ,GAAG,uBAAuB,MAAM;AACtC,uBAAW,eAAe,QAAQ,kBAAkB;AAClD,iCAAmB,aAAa,QAAQ,SAAS;AAAA,YACnD;AAAA,UACF,CAAC;AAGD,kBAAQ,GAAG,eAAe,CAAC,SAA2C;AACpE,gCAAoB,KAAK,QAAQ,KAAK,MAAM,QAAQ,SAAS;AAAA,UAC/D,CAAC;AAED,kBAAQ,MAAM,EAAE,MAAM,MAAM;AAAA,QAC9B,CAAC,EAAE,MAAM,MAAM;AAAA,MACjB,CAAC;AAED,aAAO,EAAE,MAAM,YAAY;AAAA,MAAC,EAAE;AAAA,IAChC;AAAA,EACF;AAAA,EAEA,UAAU;AAAA,IACR,cAAc;AAAA;AAAA;AAAA,IAId,SAAS;AAAA,IAET,UAAU,OAAO,EAAE,IAAI,OAAO,MAAM,UAAU,MAAwD;AACpG,YAAM,aAAa,aAAa;AAChC,YAAM,KAAK,UAAU,IAAI,UAAU;AACnC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,OAAO,mCAAmC;AACvE,UAAI;AACF,cAAM,SAAS,YAAY,KAAK;AAChC,cAAM,UAAU,MAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM,QAAQ,KAAK,CAAC;AAC/D,eAAO,EAAE,IAAI,QAAQ,IAAI,QAAQ,QAAQ,QAAQ,OAAO,QAAQ,MAAM;AAAA,MACxE,SAAS,KAAK;AACZ,eAAO,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE;AAAA,MACzC;AAAA,IACF;AAAA,IAEA,WAAW,OAAO,EAAE,IAAI,OAAO,MAAM,UAAU,UAAU,MAA2E;AAClI,YAAM,aAAa,aAAa;AAChC,YAAM,KAAK,UAAU,IAAI,UAAU;AACnC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,OAAO,mCAAmC;AACvE,UAAI;AAEF,cAAM,UAAU,OAAO,GAAG,IAAI;AAAA,EAAK,QAAQ,KAAK;AAChD,cAAM,SAAS,YAAY,KAAK;AAChC,cAAM,UAAU,MAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM,QAAQ,MAAM,QAAQ,CAAC;AACxE,eAAO,EAAE,IAAI,QAAQ,IAAI,QAAQ,QAAQ,QAAQ,OAAO,QAAQ,MAAM;AAAA,MACxE,SAAS,KAAK;AACZ,eAAO,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE;AAAA,MACzC;AAAA,IACF;AAAA;AAAA,IAGA,aAAa,OAAO,QAAuC;AACzD,YAAM,EAAE,SAAS,UAAU,IAAI;AAG/B,UAAI,QAAQ,YAAa,QAAO,EAAE,IAAI,KAAK;AAG3C,YAAM,QAAQ,QAAQ,QAAQ,IAAI,KAAK;AACvC,UAAI,CAAC,QAAQ,CAAC,QAAQ,WAAW,OAAQ,QAAO,EAAE,IAAI,KAAK;AAE3D,YAAM,aAAa,aAAa;AAChC,YAAM,KAAK,UAAU,IAAI,UAAU;AACnC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,OAAO,mCAAmC;AAEvE,UAAI;AAEF,4BAAoB,EAAE,QAAQ,mBAAmB,CAAC,EAAE,MAAM,MAAM;AAAA,QAAC,CAAC;AAGlE,cAAM,YAAa,IAAY;AAC/B,YAAI;AACJ,YAAI,aAAa,OAAO,cAAc,UAAU;AAC9C,mBAAS,YAAY,SAAS;AAAA,QAChC,OAAO;AACL,mBAAS,EAAE,MAAM,QAAQ;AAAA,QAC3B;AAGA,cAAM,QAAQ,OAAO,QAAgB;AACnC,gBAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM,QAAQ,MAAM,IAAI,CAAC;AAAA,QACtD;AAGA,YAAI,MAAM;AACR,gBAAM,MAAM,IAAI;AAAA,QAClB;AAGA,YAAI,QAAQ,WAAW,QAAQ;AAC7B,qBAAW,OAAO,QAAQ,WAAW;AACnC,kBAAM,MAAM,GAAG;AAAA,UACjB;AAAA,QACF;AAGA,YAAI,QAAQ,kBAAkB,QAAQ;AACpC,gBAAM,cAAc,QAAQ,iBACzB,IAAI,CAAC,MAAyC,KAAK,EAAE,KAAK,KAAK,EAAE,MAAM,EAAE,EACzE,KAAK,IAAI;AACZ,gBAAM,MAAM;AAAA,EAAuB,WAAW,EAAE;AAAA,QAClD;AAEA,eAAO,EAAE,IAAI,KAAK;AAAA,MACpB,SAAS,KAAK;AACZ,eAAO,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;AAOA,IAAO,yBAAQ;AAAA,EACb,IAAI;AAAA,EACJ,MAAM;AAAA,EACN,aAAa;AAAA,EACb,SAAS,KAAwB;AAC/B,gBAAY,IAAI,OAAO;AAGvB,4BAAwB;AAAA,MACtB,YAAY,CAAC,WAAW;AAEtB,cAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,YAAI,CAAC,GAAI;AAGT,YAAI,GAAG,WAAW;AAChB,cAAI;AACF,eAAG,UAAU,eAAe;AAAA,cAC1B,QAAQ,OAAO;AAAA,cACf,KAAK,OAAO;AAAA,cACZ,YAAY,OAAO;AAAA,cACnB,WAAW,OAAO;AAAA,cAClB,GAAI,OAAO,UAAU,EAAE,SAAS,OAAO,QAAQ,IAAI,CAAC;AAAA,cACpD,GAAI,OAAO,eAAe,EAAE,cAAc,OAAO,aAAa,IAAI,CAAC;AAAA,YACrE,CAAC;AAAA,UACH,QAAQ;AAAA,UAAoB;AAAA,QAC9B;AAGA,YAAI;AACF,gBAAM,YAAY,MAAM;AAAE,gBAAI;AAAE,qBAAO,IAAI,IAAI,OAAO,GAAG,EAAE;AAAA,YAAU,QAAQ;AAAE,qBAAO,OAAO,IAAI,MAAM,GAAG,EAAE;AAAA,YAAG;AAAA,UAAE,GAAG;AACpH,aAAG,iBAAiB;AAAA,YAClB,UAAU,OAAO,WAAW;AAAA,YAC5B,gBAAgB,OAAO,gBAAgB;AAAA,YACvC,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACtC,WAAW;AAAA,YACX,WAAW;AAAA,YACX,QAAQ,OAAO,cAAc,OAAO,OAAO,eAAe,IAAI,UAAU;AAAA,YACxE,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,SAAS,EAAE,YAAY;AAAA,YAChE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,YACjC,aAAa,OAAO;AAAA,YACpB,YAAY;AAAA,cACV,wBAAwB,OAAO;AAAA,cAC/B,qBAAqB,OAAO;AAAA,YAC9B;AAAA,YACA,aAAa,OAAO;AAAA,YACpB,kBAAkB,OAAO;AAAA,YACzB,UAAU,OAAO;AAAA,UACnB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,gBAAgB,EAAE,QAAQ,iBAAiB,CAAC;AAGhD,QAAI,OAAO,IAAI,sBAAsB,YAAY;AAC/C,UAAI;AACF,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,OAAO,QAAQ;AACtB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAU,OAAO,IAAI,SAAS,WAAW,KAAK,MAAM,IAAI,IAAI,IAAI,IAAI;AAC1E,kBAAM,SAAS,MAAM,kBAAkB,QAAQ,EAAE;AACjD,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,OAAO,QAAQ;AACtB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAU,OAAO,IAAI,SAAS,WAAW,KAAK,MAAM,IAAI,IAAI,IAAI,IAAI;AAC1E,kBAAM,SAAS,MAAM,oBAAoB,QAAQ,EAAE;AACnD,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,OAAO,QAAQ;AACtB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAU,OAAO,IAAI,SAAS,WAAW,KAAK,MAAM,IAAI,IAAI,IAAI,IAAI;AAC1E,kBAAM,SAAS,MAAM,sBAAsB,QAAQ,EAAE;AACrD,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,YAAY;AACnB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAS,oBAAoB,EAAE;AACrC,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,YAAY;AACnB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAS,qBAAqB,EAAE;AACtC,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,YAAY;AACnB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,EAAE,wBAAAE,wBAAuB,IAAI,MAAM;AACzC,kBAAM,YAAY,GAAG,QAAQ,aAAa;AAC1C,kBAAM,gBAAgB,GAAG,WAAW,cAAc;AAClD,kBAAM,SAASA,wBAAuB,WAAW,OAAO,aAAa;AACrE,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,+BAAuB;AAAA,MACzB,QAAQ;AAAA,MAAoE;AAAA,IAC9E;AAGA,QAAI,OAAO,IAAI,OAAO,YAAY;AAEhC,UAAI,GAAG,gBAAgB,OAAO,UAA4B;AACxD,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,yBAAyB,MAAM;AAAA,cAC/B,8BAA8B,MAAM;AAAA,cACpC,yBAAyB,MAAM;AAAA,YACjC;AAAA,YACA,QAAQ,EAAE,MAAM,MAAM,mBAAmB,WAAW,IAAI,EAAE;AAAA,UAC5D,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC;AAGD,UAAI,GAAG,iBAAiB,OAAO,UAA6B;AAC1D,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,0BAA0B,MAAM;AAAA,cAChC,uBAAuB,MAAM;AAAA,YAC/B;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC;AAED,UAAI,GAAG,eAAe,OAAO,UAA2B;AACtD,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,0BAA0B,MAAM;AAAA,cAChC,uBAAuB,MAAM;AAAA,cAC7B,GAAI,MAAM,SAAS,EAAE,iCAAiC,MAAM,OAAO,IAAI,CAAC;AAAA,YAC1E;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC;AAGD,UAAI,GAAG,qBAAqB,OAAO,UAAe;AAChD,YAAI;AACF,gBAAM,WAAW,OAAO;AACxB,gBAAM,UAAU,OAAO;AACvB,cAAI,CAAC,YAAY,CAAC,UAAU,KAAM,QAAO,CAAC;AAG1C,qBAAW,CAAC,EAAE,EAAE,KAAK,WAAW;AAC9B,kBAAM,WAAY,IAAY;AAC9B,gBAAI,CAAC,SAAU;AAIf,uBAAW,CAAC,SAAS,KAAM,SAAiB,UAAU,CAAC,GAAG;AACxD,oBAAM,SAAS,SAAS,SAAS,EAAE,WAAW,UAAU,QAAQ,CAAC;AACjE,kBAAI,UAAU,CAAC,OAAO,SAAS;AAC7B,wBAAQ,IAAI,sBAAsB,QAAQ,+CAA0C;AACpF,sBAAM,SAAS,OAAO,aAAa,CAAC,GAAG,WAAW;AAClD,uBAAO;AAAA,kBACL,iBAAiB;AAAA,kBACjB,gBAAgB,4BAA4B,QAAQ,8BAA8B,MAAM,GAAG,KAAK;AAAA,gBAClG;AAAA,cACF;AAAA,YACF;AAAA,UACF;AACA,iBAAO,CAAC;AAAA,QACV,QAAQ;AACN,iBAAO,CAAC;AAAA,QACV;AAAA,MACF,EAA8B;AAG9B,UAAI,GAAG,mBAAmB,OAAO,UAAe;AAC9C,YAAI;AACF,gBAAM,YAAY,OAAO,SAAS,UAAU;AAC5C,cAAI,CAAC,aAAa,CAAC,UAAU,KAAM;AAGnC,qBAAW,CAAC,EAAE,EAAE,KAAK,WAAW;AAC9B,kBAAM,SAAU,IAAY,QAAQ;AACpC,gBAAI,CAAC,OAAQ;AAEb,gBAAI;AACF,oBAAM,MAAM,MAAM,MAAM,GAAG,MAAM,sBAAsB,SAAS,EAAE;AAClE,kBAAI,IAAI,IAAI;AACV,sBAAM,QAAQ,MAAM,IAAI,KAAK;AAE7B,oBAAI,MAAM,QAAQ,UAAU;AAC1B,wBAAM,QAAQ,SAAS,kBAAkB;AAAA,oBACvC;AAAA,oBACA,WAAW,MAAM;AAAA,oBACjB,UAAU,MAAM;AAAA,oBAChB,qBAAqB,MAAM;AAAA,kBAC7B;AAAA,gBACF;AACA,wBAAQ,IAAI,2CAA2C,SAAS,KAAK,MAAM,UAAU,EAAE;AAAA,cACzF;AAAA,YACF,QAAQ;AAAA,YAER;AACA;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF,CAAC;AAAA,IACH;AAGA,oFAA+B,KAAK,OAAO,EAAE,cAAAC,eAAc,2BAAAC,2BAA0B,MAAM;AACzF,MAAAD,cAAa,CAAC,UAAU;AACtB,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM,kBAAkB,MAAM,IAAI;AAAA,YAClC,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,uBAAuB,MAAM;AAAA,cAC7B,eAAe,MAAM;AAAA,cACrB,GAAI,MAAM,OAAO,OAAO;AAAA,gBACtB,OAAO,QAAQ,MAAM,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC;AAAA,cAC/E,IAAI,CAAC;AAAA,YACP;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAEjB,MAAAC,2BAA0B,CAAC,WAAW;AACpC,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,OAAO;AAAA,YAClB,SAAS,OAAO,YAAY;AAAA,YAC5B,YAAY;AAAA,cACV,0BAA0B,OAAO;AAAA,cACjC,4BAA4B,OAAO,QAAQ;AAAA,cAC3C,mCAAmC,OAAO,MAAM;AAAA,YAClD;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACnB,CAAC,EAAE,MAAM,MAAM;AAAA,IAAkD,CAAC;AAIlE,QAAI;AACF,UAAI,eAAe;AAAA,QACjB,MAAM;AAAA,QACN,aAAa;AAAA,QACb,YAAY;AAAA,UACV,MAAM;AAAA,UACN,YAAY;AAAA,YACV,WAAW;AAAA,cACT,MAAM;AAAA,cACN,aAAa;AAAA,YACf;AAAA,UACF;AAAA,QACF;AAAA,QACA,SAAS,OAAO,KAAa,WAAmC;AAC9D,gBAAM,KAAK,OAAO,aAAa;AAC/B,gBAAM,KAAK,UAAU,IAAI,EAAE;AAC3B,cAAI,CAAC,IAAI;AACP,mBAAO,EAAE,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,EAAE,WAAW,OAAO,OAAO,sBAAsB,CAAC,EAAE,CAAC,EAAE;AAAA,UACjH;AACA,iBAAO;AAAA,YACL,SAAS,CAAC;AAAA,cACR,MAAM;AAAA,cACN,MAAM,KAAK,UAAU;AAAA,gBACnB,WAAW,GAAG,UAAU;AAAA,gBACxB,OAAO,GAAG;AAAA,gBACV,UAAU,GAAG;AAAA,gBACb,UAAU,GAAG;AAAA,gBACb,WAAW;AAAA,cACb,CAAC;AAAA,YACH,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF,GAAG,EAAE,UAAU,KAAK,CAAC;AAAA,IACvB,QAAQ;AAAA,IAAqE;AAI7E,QAAI;AACF,UAAI,kBAAkB;AAAA,QACpB,MAAM;AAAA,QACN,aAAa;AAAA,QACb,SAAS,MAAM;AACb,gBAAM,WAAqB,CAAC;AAC5B,cAAI,UAAU,SAAS,GAAG;AACxB,qBAAS,KAAK,gCAAgC;AAAA,UAChD,OAAO;AACL,uBAAW,CAAC,IAAI,EAAE,KAAK,WAAW;AAChC,uBAAS,KAAK,eAAe,EAAE,MAAM,GAAG,KAAK,gBAAgB,GAAG,YAAY,mBAAmB;AAAA,YACjG;AAAA,UACF;AACA,iBAAO,EAAE,MAAM,SAAS,KAAK,IAAI,EAAE;AAAA,QACrC;AAAA,MACF,CAAC;AAAA,IACH,QAAQ;AAAA,IAAwE;AAAA,EAClF;AACF;",
|
|
4
|
+
"sourcesContent": ["/**\n * Extracted HTTP handler logic for the AgentVault plugin.\n *\n * These handlers are shared between:\n * 1. The self-managed HTTP server in channel.ts (legacy/fallback path)\n * 2. OpenClaw's registerHttpRoute() managed routes (new path)\n *\n * Both entry points call the same handler functions, ensuring consistent\n * behavior regardless of how the route is served.\n */\n\nimport type { SecureChannel } from \"./channel.js\";\nimport type { DeliveryTarget } from \"./types.js\";\n\nexport interface HandlerResult {\n status: number;\n body: Record<string, unknown>;\n}\n\n/**\n * Handle POST /send \u2014 send a message (text, file, or room).\n *\n * Routing: explicit target fields only \u2014 no silent lastInboundRoomId fallback.\n * - hub_address / a2a_address / channel_id \u2192 A2A\n * - room_id \u2192 room\n * - target: \"context\" \u2192 resolve from lastInboundRoomId (opt-in)\n * - No target fields \u2192 owner (the breaking fix)\n */\nexport async function handleSendRequest(\n parsed: Record<string, unknown>,\n channel: SecureChannel,\n): Promise<HandlerResult> {\n const text = parsed.text;\n if (!text || typeof text !== \"string\") {\n return { status: 400, body: { ok: false, error: \"Missing 'text' field\" } };\n }\n\n try {\n // Build DeliveryTarget from request fields\n let target: DeliveryTarget;\n\n // A2A send: accept hub_address, a2a_address, a2aAddress, or channel_id\n let a2aTarget = (parsed.hub_address ?? parsed.a2a_address ?? parsed.a2aAddress) as string | undefined;\n\n // Resolve channel_id to hub address if provided\n if (!a2aTarget && parsed.channel_id && typeof parsed.channel_id === \"string\") {\n const hubAddr = channel.resolveA2AChannelHub(parsed.channel_id as string);\n if (hubAddr) a2aTarget = hubAddr;\n }\n\n if (a2aTarget && typeof a2aTarget === \"string\") {\n target = { kind: \"a2a\", hubAddress: a2aTarget };\n } else if (typeof parsed.room_id === \"string\") {\n target = { kind: \"room\", roomId: parsed.room_id };\n } else if (parsed.target === \"context\") {\n target = { kind: \"context\" };\n } else if (parsed.file_path && typeof parsed.file_path === \"string\") {\n // Attachment \u2014 goes to owner\n const receipt = await channel.deliver(\n { kind: \"owner\" },\n { type: \"attachment\", text: text as string, filePath: parsed.file_path as string },\n { topicId: parsed.topicId as string | undefined },\n );\n return {\n status: receipt.ok ? 200 : 500,\n body: {\n ok: receipt.ok,\n destination: receipt.destination,\n ...(receipt.error ? { error: receipt.error } : {}),\n },\n };\n } else {\n // Default: owner (NOT context \u2014 this is the breaking fix)\n target = { kind: \"owner\" };\n }\n\n const receipt = await channel.deliver(\n target,\n { type: \"text\", text: text as string },\n {\n topicId: parsed.topicId as string | undefined,\n priority: parsed.priority as string | undefined,\n metadata: {\n ...(parsed.metadata as Record<string, unknown> | undefined),\n ...(parsed.message_type ? { message_type: parsed.message_type } : {}),\n },\n },\n );\n\n return {\n status: receipt.ok ? 200 : 500,\n body: {\n ok: receipt.ok,\n destination: receipt.destination,\n ...(receipt.error ? { error: receipt.error } : {}),\n },\n };\n } catch (err) {\n return { status: 500, body: { ok: false, error: String(err) } };\n }\n}\n\n/**\n * Handle POST /action \u2014 send an action confirmation.\n */\nexport async function handleActionRequest(\n parsed: Record<string, unknown>,\n channel: SecureChannel,\n): Promise<HandlerResult> {\n if (!parsed.action || typeof parsed.action !== \"string\") {\n return { status: 400, body: { ok: false, error: \"Missing 'action' field\" } };\n }\n\n try {\n const confirmation = {\n action: parsed.action as string,\n status: (parsed.status ?? \"completed\") as \"completed\" | \"failed\" | \"partial\",\n decisionId: parsed.decision_id as string | undefined,\n detail: parsed.detail as string | undefined,\n estimated_cost: parsed.estimated_cost as number | undefined,\n };\n\n // Build target from room_id field\n const target: DeliveryTarget = (parsed.room_id && typeof parsed.room_id === \"string\")\n ? { kind: \"room\", roomId: parsed.room_id }\n : { kind: \"owner\" };\n\n const receipt = await channel.deliver(\n target,\n { type: \"action_confirmation\", confirmation },\n );\n\n return {\n status: receipt.ok ? 200 : 500,\n body: {\n ok: receipt.ok,\n destination: receipt.destination,\n ...(receipt.error ? { error: receipt.error } : {}),\n },\n };\n } catch (err) {\n return { status: 500, body: { ok: false, error: String(err) } };\n }\n}\n\n/**\n * Handle POST /decision \u2014 send a decision request to the owner.\n */\nexport async function handleDecisionRequest(\n parsed: Record<string, unknown>,\n channel: SecureChannel,\n): Promise<HandlerResult> {\n const title = parsed.title;\n if (!title || typeof title !== \"string\") {\n return { status: 400, body: { ok: false, error: \"Missing 'title' field\" } };\n }\n\n const options = parsed.options;\n if (!Array.isArray(options) || options.length < 2) {\n return { status: 400, body: { ok: false, error: \"'options' must be an array with at least 2 items\" } };\n }\n\n for (const opt of options) {\n if (!opt || typeof opt !== \"object\" || !opt.option_id || !opt.label) {\n return { status: 400, body: { ok: false, error: \"Each option must have 'option_id' and 'label'\" } };\n }\n }\n\n try {\n const decision_id = await channel.sendDecisionRequest({\n title: title as string,\n description: parsed.description as string | undefined,\n options: options as Array<{ option_id: string; label: string; risk_level: \"low\" | \"medium\" | \"high\" | \"critical\"; is_default?: boolean }>,\n context_refs: parsed.context_refs as Array<{ type: string; uri: string; label: string }> | undefined,\n deadline: parsed.deadline as string | undefined,\n auto_action: parsed.auto_action as { option_id: string; trigger: string; description?: string } | undefined,\n });\n return { status: 200, body: { ok: true, decision_id } };\n } catch (err) {\n return { status: 500, body: { ok: false, error: String(err) } };\n }\n}\n\n/**\n * Handle GET /status \u2014 return channel health info.\n */\nexport function handleStatusRequest(channel: SecureChannel): HandlerResult {\n return {\n status: 200,\n body: {\n ok: true,\n state: channel.state,\n deviceId: channel.deviceId ?? undefined,\n sessions: channel.sessionCount,\n },\n };\n}\n\n/**\n * Handle GET /targets \u2014 return available delivery destinations.\n */\nexport function handleTargetsRequest(channel: SecureChannel): HandlerResult {\n return {\n status: 200,\n body: {\n ok: true,\n targets: channel.listTargets(),\n context: channel.lastInboundRoomId\n ? { kind: \"room\", roomId: channel.lastInboundRoomId }\n : { kind: \"owner\" },\n },\n };\n}\n\n/**\n * Handle GET /trust \u2014 return the agent's current Trust Gate token state.\n */\nexport function handleTrustRequest(\n channel: SecureChannel,\n): HandlerResult {\n const token = channel.trustToken;\n if (!token) {\n return {\n status: 503,\n body: { ok: false, error: \"token_unavailable\" },\n };\n }\n return {\n status: 200,\n body: {\n ok: true,\n tier: channel.trustTier,\n composite: null,\n token_expires_at: channel.trustTokenExpiresAt,\n },\n };\n}\n\n/**\n * Handle GET /mcp-config \u2014 return MCP connection config for this agent.\n *\n * Returns JSON suitable for adding to Claude Code, Cursor, or other MCP host\n * configuration files.\n */\nexport function handleMcpConfigRequest(\n agentName: string,\n port: number,\n mcpSkillCount: number,\n): HandlerResult {\n return {\n status: 200,\n body: {\n mcpServers: {\n [`agentvault-${agentName}`]: {\n url: `http://127.0.0.1:${port}/mcp`,\n },\n },\n _meta: {\n agent: agentName,\n skills_count: mcpSkillCount,\n transport: \"streamable-http\",\n auth: \"none (localhost)\",\n instructions: \"Add the mcpServers block to your MCP configuration file (e.g., .mcp.json or mcp_config.json)\",\n },\n },\n };\n}\n", "/**\n * OpenClaw SDK compatibility layer \u2014 dynamic import wrappers with caching.\n *\n * Each wrapper attempts to import a deep SDK module at runtime. If the import\n * fails (older gateway, missing SDK), the function returns a no-op result.\n * Results are cached after the first attempt.\n *\n * IMPORTANT: All imports are guarded by try/catch \u2014 the plugin degrades\n * gracefully on older OpenClaw versions.\n */\n\nimport type { AgentEventPayload, TranscriptUpdatePayload } from \"./openclaw-types.js\";\n\n// ---------------------------------------------------------------------------\n// requestHeartbeatNow \u2014 wake agent proactively before outbound sends\n// ---------------------------------------------------------------------------\n\nlet _heartbeatFn: ((opts?: { reason?: string }) => Promise<void>) | false | null = null;\n\n/**\n * Request an immediate heartbeat wake from the OpenClaw gateway.\n * Returns true if the heartbeat API was available and called, false otherwise.\n * Never throws.\n */\nexport async function requestHeartbeatNow(opts?: { reason?: string }): Promise<boolean> {\n if (_heartbeatFn === null) {\n try {\n // @ts-expect-error \u2014 deep SDK import only available when openclaw is installed\n const mod = await import(\"openclaw/dist/plugin-sdk/infra/heartbeat-wake.js\");\n _heartbeatFn = mod.requestHeartbeatNow ?? mod.default?.requestHeartbeatNow ?? false;\n } catch {\n _heartbeatFn = false;\n }\n }\n if (typeof _heartbeatFn === \"function\") {\n try {\n await _heartbeatFn(opts);\n return true;\n } catch {\n return false;\n }\n }\n return false;\n}\n\n// ---------------------------------------------------------------------------\n// onAgentEvent \u2014 subscribe to agent-level events for trust telemetry\n// ---------------------------------------------------------------------------\n\ntype AgentEventCallback = (event: AgentEventPayload) => void;\nlet _agentEventFn: ((cb: AgentEventCallback) => (() => void)) | false | null = null;\n\n/**\n * Subscribe to agent-level events (tool_use, reasoning_complete, error, etc.).\n * Returns an unsubscribe function, or a no-op if the API is unavailable.\n */\nexport async function onAgentEvent(callback: AgentEventCallback): Promise<() => void> {\n if (_agentEventFn === null) {\n try {\n // @ts-expect-error \u2014 deep SDK import only available when openclaw is installed\n const mod = await import(\"openclaw/dist/plugin-sdk/infra/agent-events.js\");\n _agentEventFn = mod.onAgentEvent ?? mod.default?.onAgentEvent ?? false;\n } catch {\n _agentEventFn = false;\n }\n }\n if (typeof _agentEventFn === \"function\") {\n try {\n return _agentEventFn(callback);\n } catch {\n return () => {};\n }\n }\n return () => {};\n}\n\n// ---------------------------------------------------------------------------\n// onSessionTranscriptUpdate \u2014 subscribe to transcript deltas\n// ---------------------------------------------------------------------------\n\ntype TranscriptCallback = (update: TranscriptUpdatePayload) => void;\nlet _transcriptFn: ((cb: TranscriptCallback) => (() => void)) | false | null = null;\n\n/**\n * Subscribe to session transcript updates for behavioral analysis.\n * Returns an unsubscribe function, or a no-op if the API is unavailable.\n */\nexport async function onSessionTranscriptUpdate(callback: TranscriptCallback): Promise<() => void> {\n if (_transcriptFn === null) {\n try {\n // @ts-expect-error \u2014 deep SDK import only available when openclaw is installed\n const mod = await import(\"openclaw/dist/plugin-sdk/sessions/transcript-events.js\");\n _transcriptFn = mod.onSessionTranscriptUpdate ?? mod.default?.onSessionTranscriptUpdate ?? false;\n } catch {\n _transcriptFn = false;\n }\n }\n if (typeof _transcriptFn === \"function\") {\n try {\n return _transcriptFn(callback);\n } catch {\n return () => {};\n }\n }\n return () => {};\n}\n", "/**\n * AgentVault MCP Server \u2014 serves agent skills as MCP tools.\n *\n * Uses Streamable HTTP transport mounted on the plugin's HTTP server.\n * Auth: SPT Bearer tokens validated via POST /capabilities/introspect.\n *\n * Design:\n * - One McpServer instance is created at startup and skills are registered as tools.\n * - Each incoming HTTP request creates a fresh StreamableHTTPServerTransport (stateless mode).\n * - After the transport handles the request, close() is called so the server can\n * accept the next connection (Protocol enforces single-transport at a time).\n */\nimport { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\n\n/* -------------------------------------------------------------------------- */\n/* Public types */\n/* -------------------------------------------------------------------------- */\n\nexport interface SkillDefinition {\n name: string;\n version?: string;\n description?: string;\n /** JSON Schema for the tool input (not Zod \u2014 raw JSON Schema object). */\n inputSchema?: Record<string, unknown>;\n /** Freeform instructions that are surfaced as an MCP prompt. */\n instructions?: string;\n /** SLA definition blob attached to the skill registry resource. */\n slaDefinition?: Record<string, unknown>;\n /** Tags for categorisation. */\n tags?: string[];\n\n /* -- agentVault namespace fields (from SKILL.md frontmatter) ------------- */\n\n /** Tools/capabilities explicitly allowed for this skill. */\n toolsAllowed?: string[];\n /** Tools/capabilities explicitly denied for this skill. */\n toolsDenied?: string[];\n /** JSON Schema for skill output validation. */\n outputSchema?: Record<string, unknown>;\n /** Model routing strategy: \"auto\" | \"round-robin\" | \"least-latency\". */\n modelRouting?: string;\n /** Allowed LLM models for this skill. */\n allowedModels?: string[];\n /** Default LLM model for this skill. */\n defaultModel?: string;\n /** AgentVault certification tier: \"verified\" | \"certified\" | \"enterprise\". */\n certificationTier?: string;\n /** Integrity configuration (algorithm, hashChain). */\n integrity?: Record<string, unknown>;\n /** Required policy presets (e.g., [\"network: agentvault\"]). */\n requiredPolicies?: string[];\n}\n\nexport interface McpServerOpts {\n agentName: string;\n apiUrl: string;\n apiKey?: string;\n /**\n * Called when an MCP client invokes a registered skill tool.\n * Receives skill name, args, and the full skill definition (including instructions).\n * Return value is serialised as JSON and sent back as tool output.\n */\n onInvoke?: (skillName: string, args: Record<string, unknown>, skill: SkillDefinition) => Promise<unknown>;\n}\n\n/* -------------------------------------------------------------------------- */\n/* AgentVaultMcpServer */\n/* -------------------------------------------------------------------------- */\n\nexport class AgentVaultMcpServer {\n private server: McpServer;\n private skills: Map<string, SkillDefinition> = new Map();\n private opts: McpServerOpts;\n private initialized = false;\n\n constructor(opts: McpServerOpts) {\n this.opts = opts;\n this.server = new McpServer({\n name: `agentvault-${opts.agentName}`,\n version: \"1.0.0\",\n });\n }\n\n /* ---- Skill registration ------------------------------------------------ */\n\n /**\n * Register a skill that will be exposed as an MCP tool.\n * Must be called *before* `initialize()`.\n */\n registerSkill(skill: SkillDefinition): void {\n this.skills.set(skill.name, skill);\n }\n\n /**\n * Register all skills as MCP tools / resources / prompts.\n * Called lazily on first request if not called explicitly.\n */\n initialize(): void {\n if (this.initialized) return;\n\n for (const [name, skill] of this.skills) {\n this.registerToolForSkill(name, skill);\n }\n\n // Registry resource \u2014 lists all registered skills as JSON.\n this.server.resource(\n \"skills-registry\",\n \"skills://registry\",\n { description: \"List of all registered agent skills\", mimeType: \"application/json\" },\n async () => {\n const registry = Array.from(this.skills.values()).map((s) => ({\n name: s.name,\n version: s.version,\n description: s.description,\n tags: s.tags,\n sla: s.slaDefinition,\n hasSchema: !!s.inputSchema,\n hasInstructions: !!s.instructions,\n certificationTier: s.certificationTier,\n modelRouting: s.modelRouting,\n allowedModels: s.allowedModels,\n hasToolPolicy: !!(s.toolsAllowed || s.toolsDenied),\n hasOutputSchema: !!s.outputSchema,\n requiredPolicies: s.requiredPolicies,\n }));\n return {\n contents: [{\n uri: \"skills://registry\",\n mimeType: \"application/json\",\n text: JSON.stringify(registry, null, 2),\n }],\n };\n },\n );\n\n // Skills that carry instructions are also surfaced as MCP prompts.\n for (const [name, skill] of this.skills) {\n if (skill.instructions) {\n this.server.prompt(\n name,\n skill.description ?? `Instructions for ${name}`,\n () => ({\n messages: [{\n role: \"user\" as const,\n content: { type: \"text\" as const, text: skill.instructions! },\n }],\n }),\n );\n }\n }\n\n this.initialized = true;\n }\n\n /* ---- HTTP request handler ---------------------------------------------- */\n\n /**\n * Handle an incoming HTTP request to the /mcp endpoint.\n *\n * Supports the Streamable HTTP transport protocol:\n * - POST for JSON-RPC messages\n * - GET for SSE notification stream\n * - DELETE for session close\n *\n * Each request gets a fresh stateless transport; after the response is\n * flushed the transport + underlying protocol connection are torn down\n * so the single McpServer instance is ready for the next caller.\n *\n * Local requests from 127.0.0.1/::1 bypass SPT validation (owner access).\n */\n async handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {\n if (!this.initialized) {\n this.initialize();\n }\n\n // --- Auth: localhost bypass for owner access, SPT for remote ---\n const remote = req.socket?.remoteAddress;\n const isLocal = remote === \"127.0.0.1\" || remote === \"::1\" || remote === \"::ffff:127.0.0.1\";\n\n if (!isLocal) {\n const authHeader = req.headers.authorization;\n if (!authHeader?.startsWith(\"Bearer \")) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Missing or invalid Authorization header\" }));\n return;\n }\n\n const token = authHeader.slice(7);\n const valid = await this.validateSpt(token);\n if (!valid) {\n res.writeHead(403, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid or expired SPT token\" }));\n return;\n }\n }\n\n // --- Stateless transport per request ---\n const transport = new StreamableHTTPServerTransport({\n sessionIdGenerator: undefined, // stateless\n });\n\n await this.server.connect(transport);\n\n try {\n await transport.handleRequest(req, res);\n } finally {\n // Tear down so the McpServer can accept the next connection.\n // transport.close() triggers Protocol._onclose() which clears _transport.\n await transport.close();\n }\n }\n\n /* ---- Private helpers --------------------------------------------------- */\n\n /**\n * Register a single skill as an MCP tool.\n *\n * The MCP SDK's `tool()` overloads that accept a schema expect Zod types.\n * Since our skill definitions use raw JSON Schema we register without\n * schema validation (name + description + handler) and let the handler\n * receive the raw args object.\n */\n private registerToolForSkill(name: string, skill: SkillDefinition): void {\n const description = skill.description ?? `AgentVault skill: ${name}`;\n\n this.server.tool(\n name,\n description,\n async (args: Record<string, unknown>) => {\n if (!this.opts.onInvoke) {\n return {\n content: [{ type: \"text\" as const, text: `Skill \"${name}\" invoked but no handler registered` }],\n };\n }\n try {\n const result = await this.opts.onInvoke(name, args, skill);\n const text = typeof result === \"string\" ? result : JSON.stringify(result, null, 2);\n return {\n content: [{ type: \"text\" as const, text }],\n };\n } catch (err: unknown) {\n const message = err instanceof Error ? err.message : String(err);\n return {\n content: [{ type: \"text\" as const, text: `Error invoking skill \"${name}\": ${message}` }],\n isError: true,\n };\n }\n },\n );\n }\n\n /**\n * Validate a Service Provider Token against the AgentVault backend.\n */\n private async validateSpt(token: string): Promise<boolean> {\n try {\n const url = `${this.opts.apiUrl}/api/v1/capabilities/introspect`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n if (this.opts.apiKey) {\n headers[\"Authorization\"] = `Bearer ${this.opts.apiKey}`;\n }\n const resp = await fetch(url, {\n method: \"POST\",\n headers,\n body: JSON.stringify({ token }),\n });\n if (!resp.ok) return false;\n const data = (await resp.json()) as { active: boolean };\n return data.active === true;\n } catch {\n return false;\n }\n }\n\n /* ---- Accessors --------------------------------------------------------- */\n\n get skillCount(): number {\n return this.skills.size;\n }\n\n get isInitialized(): boolean {\n return this.initialized;\n }\n}\n", "/**\n * Skill manifest loader \u2014 loads skills from SKILL.md files and backend API.\n *\n * SKILL.md format:\n * ```\n * ---\n * name: code-review\n * version: \"1.0.0\"\n * description: Reviews code for issues\n * tags: [code-review, typescript]\n * sla:\n * p95_latency_ms: 5000\n * max_error_rate: 0.05\n * schema:\n * type: object\n * properties:\n * code:\n * type: string\n * description: Code to review\n * required: [code]\n * ---\n * # Code Review Skill\n *\n * Instructions for invoking this skill...\n * ```\n */\nimport { readFileSync, existsSync, readdirSync } from \"node:fs\";\nimport { resolve, join } from \"node:path\";\nimport type { SkillDefinition } from \"./mcp-server.js\";\n\nexport interface SkillManifest {\n skills: SkillDefinition[];\n source: \"local\" | \"remote\" | \"merged\";\n}\n\ninterface AgentVaultNamespace {\n certification?: string; // \"verified\" | \"certified\" | \"enterprise\"\n integrity?: {\n algorithm?: string; // \"XChaCha20-Poly1305\"\n hashChain?: string; // \"SHA-256\"\n };\n requiredPolicies?: string[]; // [\"network: agentvault\"]\n runtime?: {\n capabilities?: string[];\n forbidden?: string[];\n output_schema?: Record<string, unknown>;\n };\n model?: {\n allowed?: string[];\n default?: string;\n routing?: string;\n };\n}\n\ninterface SkillFrontmatter {\n name: string;\n version?: string;\n description?: string;\n tags?: string[];\n sla?: {\n p95_latency_ms?: number;\n max_error_rate?: number;\n min_uptime_pct?: number;\n max_avg_tokens?: number;\n };\n schema?: Record<string, unknown>;\n agentVault?: AgentVaultNamespace;\n}\n\n/**\n * Parse a SKILL.md file into a SkillDefinition.\n *\n * Extracts YAML frontmatter between --- delimiters.\n * Everything after the closing --- is treated as instructions.\n */\nexport function parseSkillMd(content: string): SkillDefinition | null {\n const lines = content.split(\"\\n\");\n\n // Find frontmatter delimiters\n if (lines[0]?.trim() !== \"---\") return null;\n\n let endIdx = -1;\n for (let i = 1; i < lines.length; i++) {\n if (lines[i]?.trim() === \"---\") {\n endIdx = i;\n break;\n }\n }\n\n if (endIdx === -1) return null;\n\n // Parse YAML frontmatter (simple key-value parser)\n const frontmatterLines = lines.slice(1, endIdx);\n const frontmatter = parseSimpleYaml(frontmatterLines.join(\"\\n\")) as unknown as SkillFrontmatter;\n\n if (!frontmatter.name) return null;\n\n // Everything after frontmatter is instructions\n const instructionLines = lines.slice(endIdx + 1);\n const instructions = instructionLines.join(\"\\n\").trim();\n\n const skill: SkillDefinition = {\n name: frontmatter.name as string,\n version: frontmatter.version as string | undefined,\n description: frontmatter.description as string | undefined,\n tags: frontmatter.tags,\n inputSchema: frontmatter.schema as Record<string, unknown> | undefined,\n slaDefinition: frontmatter.sla as Record<string, unknown> | undefined,\n instructions: instructions || undefined,\n };\n\n // Map agentVault namespace to extended SkillDefinition fields\n if (frontmatter.agentVault) {\n const av = frontmatter.agentVault;\n if (av.certification) skill.certificationTier = av.certification;\n if (av.runtime?.capabilities) skill.toolsAllowed = av.runtime.capabilities;\n if (av.runtime?.forbidden) skill.toolsDenied = av.runtime.forbidden;\n if (av.runtime?.output_schema) skill.outputSchema = av.runtime.output_schema;\n if (av.model?.routing) skill.modelRouting = av.model.routing;\n if (av.model?.allowed) skill.allowedModels = av.model.allowed;\n if (av.model?.default) skill.defaultModel = av.model.default;\n if (av.integrity) skill.integrity = av.integrity as Record<string, unknown>;\n if (av.requiredPolicies) skill.requiredPolicies = av.requiredPolicies;\n }\n\n return skill;\n}\n\n/**\n * Simple YAML parser for frontmatter (handles basic key-value, arrays, nested objects).\n * Supports up to 3 levels of nesting (needed for agentVault namespace).\n * Not a full YAML parser \u2014 covers the subset used in SKILL.md files.\n */\nfunction parseSimpleYaml(yaml: string): Record<string, unknown> {\n const result: Record<string, unknown> = {};\n const lines = yaml.split(\"\\n\");\n\n // Stack-based parser to support multi-level nesting\n const stack: Array<{ key: string; obj: Record<string, unknown>; indent: number }> = [];\n let currentObj = result;\n\n function parseValue(raw: string): unknown {\n const value = raw.replace(/^[\"']|[\"']$/g, \"\");\n const num = Number(value);\n if (!isNaN(num) && value !== \"\") return num;\n if (value === \"true\") return true;\n if (value === \"false\") return false;\n return value;\n }\n\n for (const line of lines) {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n const indent = line.length - line.trimStart().length;\n\n // Pop stack back to appropriate level\n while (stack.length > 0 && indent <= stack[stack.length - 1]!.indent) {\n const popped = stack.pop()!;\n currentObj = stack.length > 0 ? stack[stack.length - 1]!.obj : result;\n // Attach the completed nested object to its parent\n currentObj[popped.key] = popped.obj;\n }\n\n // Inline array: key: [val1, val2]\n const inlineArrayMatch = trimmed.match(/^(\\w[\\w_-]*)\\s*:\\s*\\[(.+)\\]$/);\n if (inlineArrayMatch) {\n const key = inlineArrayMatch[1]!;\n const values = inlineArrayMatch[2]!\n .split(\",\")\n .map((v) => v.trim().replace(/^[\"']|[\"']$/g, \"\"));\n if (stack.length > 0) {\n stack[stack.length - 1]!.obj[key] = values;\n } else {\n currentObj[key] = values;\n }\n continue;\n }\n\n // Key with value: key: value\n const kvMatch = trimmed.match(/^(\\w[\\w_-]*)\\s*:\\s*(.+)$/);\n if (kvMatch) {\n const key = kvMatch[1]!;\n const val = parseValue(kvMatch[2]!);\n if (stack.length > 0) {\n stack[stack.length - 1]!.obj[key] = val;\n } else {\n currentObj[key] = val;\n }\n continue;\n }\n\n // Nested object start (key with no value \u2014 \"key:\")\n const nestedMatch = trimmed.match(/^(\\w[\\w_-]*)\\s*:$/);\n if (nestedMatch) {\n const key = nestedMatch[1]!;\n const newObj: Record<string, unknown> = {};\n stack.push({ key, obj: newObj, indent });\n continue;\n }\n }\n\n // Flush remaining stack\n while (stack.length > 0) {\n const popped = stack.pop()!;\n const parent = stack.length > 0 ? stack[stack.length - 1]!.obj : result;\n parent[popped.key] = popped.obj;\n }\n\n return result;\n}\n\n/**\n * Load skills from a directory by scanning for SKILL.md files.\n *\n * Matches:\n * - SKILL.md (exact match)\n * - *-SKILL.md or *_SKILL.md (e.g., Cortina-SKILL.md)\n * - Subdirectories containing SKILL.md (one level deep)\n */\nexport function loadSkillsFromDirectory(dir: string): SkillDefinition[] {\n const skills: SkillDefinition[] = [];\n const absDir = resolve(dir);\n\n if (!existsSync(absDir)) return skills;\n\n const seen = new Set<string>();\n\n function tryLoad(filePath: string): void {\n if (seen.has(filePath)) return;\n seen.add(filePath);\n try {\n const content = readFileSync(filePath, \"utf-8\");\n const skill = parseSkillMd(content);\n if (skill) skills.push(skill);\n } catch {\n // File not readable, skip\n }\n }\n\n try {\n const entries = readdirSync(absDir, { withFileTypes: true });\n for (const entry of entries) {\n if (entry.isFile() && entry.name.endsWith(\"SKILL.md\")) {\n // Match SKILL.md, Cortina-SKILL.md, my_SKILL.md, etc.\n tryLoad(join(absDir, entry.name));\n } else if (entry.isDirectory()) {\n // Check for SKILL.md inside subdirectories (one level deep)\n const subSkill = join(absDir, entry.name, \"SKILL.md\");\n if (existsSync(subSkill)) {\n tryLoad(subSkill);\n }\n }\n }\n } catch {\n // Directory not readable, skip\n }\n\n return skills;\n}\n\n/**\n * Load skills from backend API.\n */\nexport async function loadSkillsFromApi(\n apiUrl: string,\n apiKey: string,\n hubId: string,\n): Promise<SkillDefinition[]> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/hub/identities/${hubId}/skills`, {\n headers: { Authorization: `Bearer ${apiKey}` },\n });\n if (!res.ok) return [];\n\n const data = (await res.json()) as Array<{\n capability_name: string;\n capability_version?: string;\n description?: string;\n skill_content?: string;\n mcp_metadata?: Record<string, unknown>;\n schema_definition?: Record<string, unknown>;\n sla_definition?: Record<string, unknown>;\n tags?: string[];\n instructions?: string;\n }>;\n\n return data.map((cap) => ({\n name: cap.capability_name,\n version: cap.capability_version,\n description: cap.description,\n inputSchema: cap.schema_definition,\n slaDefinition: cap.sla_definition,\n tags: cap.tags,\n instructions: cap.instructions,\n }));\n } catch {\n return [];\n }\n}\n\n/**\n * Merge local and remote skills. Local definitions take precedence.\n */\nexport function mergeSkills(\n local: SkillDefinition[],\n remote: SkillDefinition[],\n): SkillManifest {\n const byName = new Map<string, SkillDefinition>();\n\n // Remote first (lower precedence)\n for (const skill of remote) {\n byName.set(skill.name, skill);\n }\n\n // Local overwrites (higher precedence)\n for (const skill of local) {\n byName.set(skill.name, skill);\n }\n\n const source =\n local.length > 0 && remote.length > 0\n ? \"merged\"\n : local.length > 0\n ? \"local\"\n : \"remote\";\n\n return {\n skills: Array.from(byName.values()),\n source,\n };\n}\n", null, null, "import sodium from \"libsodium-wrappers-sumo\";\n\nexport interface IdentityKeypair {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n keyType: \"ed25519\";\n}\n\nexport interface EphemeralKeypair {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n keyType: \"x25519\";\n}\n\nexport async function generateIdentityKeypair(): Promise<IdentityKeypair> {\n await sodium.ready;\n const kp = sodium.crypto_sign_keypair();\n return {\n publicKey: kp.publicKey,\n privateKey: kp.privateKey,\n keyType: \"ed25519\",\n };\n}\n\nexport async function generateEphemeralKeypair(): Promise<EphemeralKeypair> {\n await sodium.ready;\n const kp = sodium.crypto_box_keypair();\n return {\n publicKey: kp.publicKey,\n privateKey: kp.privateKey,\n keyType: \"x25519\",\n };\n}\n\nexport function computeFingerprint(publicKey: Uint8Array): string {\n const hash = sodium.crypto_generichash(8, publicKey);\n return Array.from(hash)\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\":\");\n}\n\nexport function createProofOfPossession(\n privateKey: Uint8Array,\n publicKey: Uint8Array,\n): Uint8Array {\n return sodium.crypto_sign_detached(publicKey, privateKey);\n}\n\nexport function verifyProofOfPossession(\n proof: Uint8Array,\n publicKey: Uint8Array,\n): boolean {\n try {\n return sodium.crypto_sign_verify_detached(proof, publicKey, publicKey);\n } catch {\n return false;\n }\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\nexport interface X3DHParams {\n myIdentityPrivate: Uint8Array; // Ed25519 private key (64 bytes)\n myEphemeralPrivate: Uint8Array; // X25519 private key (32 bytes)\n theirIdentityPublic: Uint8Array; // Ed25519 public key (32 bytes)\n theirEphemeralPublic: Uint8Array; // X25519 public key (32 bytes)\n isInitiator: boolean;\n}\n\nfunction ed25519PrivateToX25519(edPrivate: Uint8Array): Uint8Array {\n return sodium.crypto_sign_ed25519_sk_to_curve25519(edPrivate);\n}\n\nfunction ed25519PublicToX25519(edPublic: Uint8Array): Uint8Array {\n return sodium.crypto_sign_ed25519_pk_to_curve25519(edPublic);\n}\n\nexport function performX3DH(params: X3DHParams): Uint8Array {\n const myIdentityX = ed25519PrivateToX25519(params.myIdentityPrivate);\n const theirIdentityX = ed25519PublicToX25519(params.theirIdentityPublic);\n\n // DH1: my identity x their ephemeral\n const dh1 = sodium.crypto_scalarmult(myIdentityX, params.theirEphemeralPublic);\n // DH2: my ephemeral x their identity\n const dh2 = sodium.crypto_scalarmult(params.myEphemeralPrivate, theirIdentityX);\n // DH3: my ephemeral x their ephemeral\n const dh3 = sodium.crypto_scalarmult(\n params.myEphemeralPrivate,\n params.theirEphemeralPublic,\n );\n\n // Concatenate DH results - order swapped by role so both sides get same result\n let combined: Uint8Array;\n if (params.isInitiator) {\n combined = new Uint8Array([...dh1, ...dh2, ...dh3]);\n } else {\n combined = new Uint8Array([...dh2, ...dh1, ...dh3]);\n }\n\n // KDF to derive 32-byte shared secret\n return sodium.crypto_generichash(32, combined);\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\nimport type { IdentityKeypair } from \"./keys.js\";\n\nconst MAX_SKIP = 1000;\nconst CHAIN_KEY_SEED = new Uint8Array([0x01]);\nconst MSG_KEY_SEED = new Uint8Array([0x02]);\nconst HEADER_KEY_SEED = new Uint8Array([0x03]);\n\nexport interface RatchetHeader {\n dhPublicKey: Uint8Array;\n previousChainLength: number;\n messageNumber: number;\n}\n\nexport interface EncryptedMessage {\n header: RatchetHeader;\n headerSignature: Uint8Array;\n ciphertext: Uint8Array;\n nonce: Uint8Array;\n /** V2 header encryption fields (present when envelope_version = \"2.0.0\") */\n envelopeVersion?: string;\n encryptedHeader?: Uint8Array;\n headerNonce?: Uint8Array;\n}\n\ninterface ChainState {\n chainKey: Uint8Array;\n messageNumber: number;\n}\n\ninterface SkippedKey {\n dhPub: string; // hex of the DH public key\n n: number; // message number\n messageKey: Uint8Array;\n headerKey?: Uint8Array; // present for v2 out-of-order messages\n}\n\ninterface RatchetState {\n rootKey: Uint8Array;\n sendingChain: ChainState | null;\n receivingChain: ChainState | null;\n dhSendingKeypair: { publicKey: Uint8Array; privateKey: Uint8Array };\n dhReceivingPublicKey: Uint8Array | null;\n identityKeypair: { publicKey: Uint8Array; privateKey: Uint8Array };\n peerIdentityPublicKey: Uint8Array | null;\n previousSendingChainLength: number;\n skippedKeys: SkippedKey[];\n}\n\nfunction kdfChainKey(chainKey: Uint8Array): {\n nextChainKey: Uint8Array;\n messageKey: Uint8Array;\n headerKey: Uint8Array;\n} {\n const nextChainKey = sodium.crypto_generichash(32, chainKey, CHAIN_KEY_SEED);\n const messageKey = sodium.crypto_generichash(32, chainKey, MSG_KEY_SEED);\n const headerKey = sodium.crypto_generichash(32, chainKey, HEADER_KEY_SEED);\n return { nextChainKey, messageKey, headerKey };\n}\n\nfunction kdfRootKey(\n rootKey: Uint8Array,\n dhOutput: Uint8Array,\n): { newRootKey: Uint8Array; newChainKey: Uint8Array } {\n // Derive 64 bytes: first 32 = new root key, second 32 = new chain key\n const derived = sodium.crypto_generichash(\n 64,\n new Uint8Array([...rootKey, ...dhOutput]),\n );\n return {\n newRootKey: derived.slice(0, 32),\n newChainKey: derived.slice(32, 64),\n };\n}\n\nfunction generateDHKeypair(): {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n} {\n const kp = sodium.crypto_box_keypair();\n return { publicKey: kp.publicKey, privateKey: kp.privateKey };\n}\n\nfunction dh(\n myPrivate: Uint8Array,\n theirPublic: Uint8Array,\n): Uint8Array {\n return sodium.crypto_scalarmult(myPrivate, theirPublic);\n}\n\nfunction serializeHeader(header: RatchetHeader): Uint8Array {\n const dhPubHex = sodium.to_hex(header.dhPublicKey);\n const json = JSON.stringify({\n dh: dhPubHex,\n pcl: header.previousChainLength,\n n: header.messageNumber,\n });\n return sodium.from_string(json);\n}\n\nfunction signHeader(\n header: RatchetHeader,\n identityPrivateKey: Uint8Array,\n): Uint8Array {\n const serialized = serializeHeader(header);\n return sodium.crypto_sign_detached(serialized, identityPrivateKey);\n}\n\nfunction verifyHeaderSignature(\n header: RatchetHeader,\n signature: Uint8Array,\n identityPublicKey: Uint8Array,\n): boolean {\n const serialized = serializeHeader(header);\n return sodium.crypto_sign_verify_detached(\n signature,\n serialized,\n identityPublicKey,\n );\n}\n\nexport class DoubleRatchet {\n private state: RatchetState;\n\n private constructor(state: RatchetState) {\n this.state = state;\n }\n\n static initSender(\n sharedSecret: Uint8Array,\n identityKeypair: IdentityKeypair,\n peerIdentityPublicKey?: Uint8Array,\n ): DoubleRatchet {\n const dhKeypair = generateDHKeypair();\n\n return new DoubleRatchet({\n rootKey: sharedSecret,\n sendingChain: { chainKey: sharedSecret, messageNumber: 0 },\n receivingChain: null,\n dhSendingKeypair: dhKeypair,\n dhReceivingPublicKey: null,\n identityKeypair: {\n publicKey: identityKeypair.publicKey,\n privateKey: identityKeypair.privateKey,\n },\n peerIdentityPublicKey: peerIdentityPublicKey ?? null,\n previousSendingChainLength: 0,\n skippedKeys: [],\n });\n }\n\n static initReceiver(\n sharedSecret: Uint8Array,\n identityKeypair: IdentityKeypair,\n peerIdentityPublicKey?: Uint8Array,\n ): DoubleRatchet {\n const dhKeypair = generateDHKeypair();\n\n return new DoubleRatchet({\n rootKey: sharedSecret,\n sendingChain: null,\n receivingChain: { chainKey: sharedSecret, messageNumber: 0 },\n dhSendingKeypair: dhKeypair,\n dhReceivingPublicKey: null,\n identityKeypair: {\n publicKey: identityKeypair.publicKey,\n privateKey: identityKeypair.privateKey,\n },\n peerIdentityPublicKey: peerIdentityPublicKey ?? null,\n previousSendingChainLength: 0,\n skippedKeys: [],\n });\n }\n\n encrypt(plaintext: string, headerEncryption = false): EncryptedMessage {\n if (!this.state.sendingChain) {\n // Perform DH ratchet step for sending\n this.dhRatchetSend();\n }\n\n const chain = this.state.sendingChain!;\n const { nextChainKey, messageKey, headerKey } = kdfChainKey(chain.chainKey);\n\n const header: RatchetHeader = {\n dhPublicKey: this.state.dhSendingKeypair.publicKey,\n previousChainLength: this.state.previousSendingChainLength,\n messageNumber: chain.messageNumber,\n };\n\n const headerSignature = signHeader(\n header,\n this.state.identityKeypair.privateKey,\n );\n\n const nonce = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES,\n );\n\n const plaintextBytes = sodium.from_string(plaintext);\n\n if (headerEncryption) {\n // V2: encrypt header, use encrypted header bytes as AD for message ciphertext\n const headerBytes = serializeHeader(header);\n const headerNonce = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES,\n );\n const encryptedHeader = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n headerBytes,\n null,\n null,\n headerNonce,\n headerKey,\n );\n\n // Use encrypted header as AD for message ciphertext\n const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plaintextBytes,\n encryptedHeader,\n null,\n nonce,\n messageKey,\n );\n\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n\n return {\n header,\n headerSignature,\n ciphertext,\n nonce,\n envelopeVersion: \"2.0.0\",\n encryptedHeader,\n headerNonce,\n };\n }\n\n // V1: plaintext header as AD (existing behavior)\n const ad = serializeHeader(header);\n const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plaintextBytes,\n ad,\n null,\n nonce,\n messageKey,\n );\n\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n\n return { header, headerSignature, ciphertext, nonce };\n }\n\n decrypt(message: EncryptedMessage): string {\n // V2 dispatch: if message has encryptedHeader, use v2 path\n const isV2 = message.envelopeVersion === \"2.0.0\" &&\n message.encryptedHeader != null &&\n message.headerNonce != null;\n\n // Try skipped keys first\n const skippedResult = this.trySkippedKeys(message, isV2);\n if (skippedResult !== null) {\n return skippedResult;\n }\n\n const headerDhHex = sodium.to_hex(message.header.dhPublicKey);\n const currentDhHex = this.state.dhReceivingPublicKey\n ? sodium.to_hex(this.state.dhReceivingPublicKey)\n : null;\n\n if (currentDhHex === null && this.state.receivingChain) {\n // First message ever received by the receiver side.\n // The receiving chain was initialized from the shared secret,\n // so just store the sender's DH key for future ratchet steps.\n this.state.dhReceivingPublicKey = message.header.dhPublicKey;\n } else if (currentDhHex === null && !this.state.receivingChain) {\n // Sender (initiator) receiving its first message from the receiver.\n if (message.header.messageNumber === 0) {\n try {\n const { messageKey: testKey, headerKey: testHeaderKey, nextChainKey } = kdfChainKey(\n this.state.rootKey,\n );\n\n let ad: Uint8Array;\n if (isV2) {\n // Decrypt header to verify, then use encryptedHeader as AD\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.encryptedHeader!,\n null,\n message.headerNonce!,\n testHeaderKey,\n );\n ad = message.encryptedHeader!;\n } else {\n ad = serializeHeader(message.header);\n }\n\n const ptBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n ad,\n message.nonce,\n testKey,\n );\n // rootKey worked \u2014 commit state\n this.state.dhReceivingPublicKey = message.header.dhPublicKey;\n this.state.receivingChain = {\n chainKey: nextChainKey,\n messageNumber: 1,\n };\n return sodium.to_string(ptBytes);\n } catch {\n // rootKey chain didn't match \u2014 fall through to DH ratchet\n }\n }\n // Case (b) or messageNumber > 0: full DH ratchet receive\n this.dhRatchetReceive(message.header.dhPublicKey);\n } else if (headerDhHex !== currentDhHex) {\n // DH public key changed (direction change in ongoing conversation).\n if (this.state.receivingChain && this.state.dhReceivingPublicKey) {\n this.skipMessages(\n this.state.receivingChain,\n message.header.previousChainLength,\n this.state.dhReceivingPublicKey,\n isV2,\n );\n }\n\n // DH ratchet step\n this.dhRatchetReceive(message.header.dhPublicKey);\n }\n\n // Skip ahead to the message number in the current chain\n this.skipMessages(\n this.state.receivingChain!,\n message.header.messageNumber,\n message.header.dhPublicKey,\n isV2,\n );\n\n const chain = this.state.receivingChain!;\n const { nextChainKey, messageKey, headerKey } = kdfChainKey(chain.chainKey);\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n\n // Verify header signature using the peer's identity public key\n if (this.state.peerIdentityPublicKey) {\n if (!verifyHeaderSignature(message.header, message.headerSignature, this.state.peerIdentityPublicKey)) {\n throw new Error(\"Header signature verification failed\");\n }\n }\n\n if (isV2) {\n // V2: decrypt header to verify integrity, use encryptedHeader as AD\n try {\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.encryptedHeader!,\n null,\n message.headerNonce!,\n headerKey,\n );\n } catch {\n throw new Error(\"V2 header decryption failed\");\n }\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n message.encryptedHeader!,\n message.nonce,\n messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"V2 decryption failed: ciphertext tampered or wrong key\");\n }\n }\n\n // V1: plaintext header as AD\n const ad = serializeHeader(message.header);\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n ad,\n message.nonce,\n messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"Decryption failed: ciphertext tampered or wrong key\");\n }\n }\n\n private dhRatchetReceive(theirDhPublic: Uint8Array): void {\n this.state.previousSendingChainLength =\n this.state.sendingChain?.messageNumber ?? 0;\n this.state.dhReceivingPublicKey = theirDhPublic;\n\n // Derive new root key + receiving chain key\n const dhOutput = dh(\n this.state.dhSendingKeypair.privateKey,\n theirDhPublic,\n );\n const { newRootKey, newChainKey } = kdfRootKey(\n this.state.rootKey,\n dhOutput,\n );\n this.state.rootKey = newRootKey;\n this.state.receivingChain = { chainKey: newChainKey, messageNumber: 0 };\n\n // Generate new DH keypair for sending\n this.state.dhSendingKeypair = generateDHKeypair();\n\n // Derive new sending chain\n const dhOutput2 = dh(\n this.state.dhSendingKeypair.privateKey,\n theirDhPublic,\n );\n const { newRootKey: newRootKey2, newChainKey: newChainKey2 } = kdfRootKey(\n this.state.rootKey,\n dhOutput2,\n );\n this.state.rootKey = newRootKey2;\n this.state.sendingChain = { chainKey: newChainKey2, messageNumber: 0 };\n }\n\n private dhRatchetSend(): void {\n if (!this.state.dhReceivingPublicKey) {\n // No receiving key yet - create initial sending chain from root key\n this.state.sendingChain = {\n chainKey: this.state.rootKey,\n messageNumber: 0,\n };\n return;\n }\n\n this.state.previousSendingChainLength =\n this.state.sendingChain?.messageNumber ?? 0;\n\n // Generate new DH keypair\n this.state.dhSendingKeypair = generateDHKeypair();\n\n const dhOutput = dh(\n this.state.dhSendingKeypair.privateKey,\n this.state.dhReceivingPublicKey,\n );\n const { newRootKey, newChainKey } = kdfRootKey(\n this.state.rootKey,\n dhOutput,\n );\n this.state.rootKey = newRootKey;\n this.state.sendingChain = { chainKey: newChainKey, messageNumber: 0 };\n }\n\n private skipMessages(\n chain: ChainState,\n until: number,\n dhPublicKey: Uint8Array,\n storeHeaderKey = false,\n ): void {\n if (until - chain.messageNumber > MAX_SKIP) {\n throw new Error(\"Too many skipped messages\");\n }\n\n const dhPubHex = sodium.to_hex(dhPublicKey);\n\n while (chain.messageNumber < until) {\n const { nextChainKey, messageKey, headerKey } = kdfChainKey(chain.chainKey);\n const sk: SkippedKey = {\n dhPub: dhPubHex,\n n: chain.messageNumber,\n messageKey,\n };\n if (storeHeaderKey) {\n sk.headerKey = headerKey;\n }\n this.state.skippedKeys.push(sk);\n chain.chainKey = nextChainKey;\n chain.messageNumber++;\n }\n\n // Trim skipped keys if too many\n while (this.state.skippedKeys.length > MAX_SKIP) {\n this.state.skippedKeys.shift();\n }\n }\n\n private trySkippedKeys(message: EncryptedMessage, isV2 = false): string | null {\n const dhPubHex = sodium.to_hex(message.header.dhPublicKey);\n const idx = this.state.skippedKeys.findIndex(\n (sk) => sk.dhPub === dhPubHex && sk.n === message.header.messageNumber,\n );\n\n if (idx === -1) {\n return null;\n }\n\n const skipped = this.state.skippedKeys[idx];\n this.state.skippedKeys.splice(idx, 1);\n\n if (isV2 && skipped.headerKey && message.encryptedHeader && message.headerNonce) {\n // V2: verify encrypted header, use as AD\n try {\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.encryptedHeader,\n null,\n message.headerNonce,\n skipped.headerKey,\n );\n } catch {\n throw new Error(\"V2 header decryption failed with skipped key\");\n }\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n message.encryptedHeader,\n message.nonce,\n skipped.messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"V2 decryption failed with skipped key\");\n }\n }\n\n // V1: plaintext header as AD\n const ad = serializeHeader(message.header);\n\n try {\n const plaintextBytes =\n sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n message.ciphertext,\n ad,\n message.nonce,\n skipped.messageKey,\n );\n return sodium.to_string(plaintextBytes);\n } catch {\n throw new Error(\"Decryption failed with skipped key\");\n }\n }\n\n serialize(): string {\n const s = this.state;\n return JSON.stringify({\n version: 1,\n rootKey: sodium.to_hex(s.rootKey),\n sendingChain: s.sendingChain\n ? {\n chainKey: sodium.to_hex(s.sendingChain.chainKey),\n messageNumber: s.sendingChain.messageNumber,\n }\n : null,\n receivingChain: s.receivingChain\n ? {\n chainKey: sodium.to_hex(s.receivingChain.chainKey),\n messageNumber: s.receivingChain.messageNumber,\n }\n : null,\n dhSendingKeypair: {\n publicKey: sodium.to_hex(s.dhSendingKeypair.publicKey),\n privateKey: sodium.to_hex(s.dhSendingKeypair.privateKey),\n },\n dhReceivingPublicKey: s.dhReceivingPublicKey\n ? sodium.to_hex(s.dhReceivingPublicKey)\n : null,\n identityKeypair: {\n publicKey: sodium.to_hex(s.identityKeypair.publicKey),\n privateKey: sodium.to_hex(s.identityKeypair.privateKey),\n },\n peerIdentityPublicKey: s.peerIdentityPublicKey ? sodium.to_hex(s.peerIdentityPublicKey) : null,\n previousSendingChainLength: s.previousSendingChainLength,\n skippedKeys: s.skippedKeys.map((sk) => ({\n dhPub: sk.dhPub,\n n: sk.n,\n messageKey: sodium.to_hex(sk.messageKey),\n ...(sk.headerKey ? { headerKey: sodium.to_hex(sk.headerKey) } : {}),\n })),\n });\n }\n\n static deserialize(json: string): DoubleRatchet {\n let d: Record<string, unknown>;\n try {\n d = JSON.parse(json) as Record<string, unknown>;\n } catch {\n throw new Error(\"Ratchet state: corrupt JSON\");\n }\n\n // Version gate\n if (d.version !== undefined && d.version !== 1) {\n throw new Error(\n `Ratchet state version ${d.version} not supported`,\n );\n }\n\n // Required field validation\n if (typeof d.rootKey !== \"string\") {\n throw new Error(\"Ratchet state: missing required field rootKey\");\n }\n const dhSend = d.dhSendingKeypair as\n | { publicKey?: string; privateKey?: string }\n | undefined;\n if (\n !dhSend ||\n typeof dhSend.publicKey !== \"string\" ||\n typeof dhSend.privateKey !== \"string\"\n ) {\n throw new Error(\n \"Ratchet state: missing required field dhSendingKeypair\",\n );\n }\n const idKp = d.identityKeypair as\n | { publicKey?: string; privateKey?: string }\n | undefined;\n if (\n !idKp ||\n typeof idKp.publicKey !== \"string\" ||\n typeof idKp.privateKey !== \"string\"\n ) {\n throw new Error(\n \"Ratchet state: missing required field identityKeypair\",\n );\n }\n\n try {\n return new DoubleRatchet({\n rootKey: sodium.from_hex(d.rootKey as string),\n sendingChain: d.sendingChain\n ? {\n chainKey: sodium.from_hex(\n (d.sendingChain as { chainKey: string }).chainKey,\n ),\n messageNumber: (d.sendingChain as { messageNumber: number })\n .messageNumber,\n }\n : null,\n receivingChain: d.receivingChain\n ? {\n chainKey: sodium.from_hex(\n (d.receivingChain as { chainKey: string }).chainKey,\n ),\n messageNumber: (d.receivingChain as { messageNumber: number })\n .messageNumber,\n }\n : null,\n dhSendingKeypair: {\n publicKey: sodium.from_hex(dhSend.publicKey!),\n privateKey: sodium.from_hex(dhSend.privateKey!),\n },\n dhReceivingPublicKey: d.dhReceivingPublicKey\n ? sodium.from_hex(d.dhReceivingPublicKey as string)\n : null,\n identityKeypair: {\n publicKey: sodium.from_hex(idKp.publicKey!),\n privateKey: sodium.from_hex(idKp.privateKey!),\n },\n peerIdentityPublicKey: d.peerIdentityPublicKey\n ? sodium.from_hex(d.peerIdentityPublicKey as string)\n : null,\n previousSendingChainLength:\n d.previousSendingChainLength as number,\n skippedKeys: (\n d.skippedKeys as Array<{\n dhPub: string;\n n: number;\n messageKey: string;\n headerKey?: string;\n }>\n ).map((sk) => ({\n dhPub: sk.dhPub,\n n: sk.n,\n messageKey: sodium.from_hex(sk.messageKey),\n ...(sk.headerKey ? { headerKey: sodium.from_hex(sk.headerKey) } : {}),\n })),\n });\n } catch (err) {\n if (err instanceof Error && err.message.startsWith(\"Ratchet state\")) {\n throw err;\n }\n throw new Error(\n `Ratchet state: corrupt hex data \u2014 ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\nexport interface EncryptedFileResult {\n encryptedData: Uint8Array;\n fileKey: Uint8Array; // 32 bytes \u2014 XChaCha20-Poly1305 key\n fileNonce: Uint8Array; // 24 bytes\n digest: string; // BLAKE2b hex digest of encrypted blob (integrity check)\n}\n\n/**\n * Encrypt a file with a random XChaCha20-Poly1305 key.\n * Returns the encrypted blob, the key, nonce, and a BLAKE2b digest\n * of the ciphertext for integrity verification after download.\n */\nexport function encryptFile(plainData: Uint8Array): EncryptedFileResult {\n const fileKey = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_KEYBYTES,\n );\n const fileNonce = sodium.randombytes_buf(\n sodium.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES,\n );\n\n const encryptedData = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plainData,\n null, // no additional data\n null, // secret nonce (unused)\n fileNonce,\n fileKey,\n );\n\n const digestBytes = sodium.crypto_generichash(32, encryptedData);\n const digest = sodium.to_hex(digestBytes);\n\n return { encryptedData, fileKey, fileNonce, digest };\n}\n\n/**\n * Decrypt a file encrypted with encryptFile().\n * Throws if the key/nonce are wrong or the ciphertext was tampered with.\n */\nexport function decryptFile(\n encryptedData: Uint8Array,\n fileKey: Uint8Array,\n fileNonce: Uint8Array,\n): Uint8Array {\n return sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null, // secret nonce (unused)\n encryptedData,\n null, // no additional data\n fileNonce,\n fileKey,\n );\n}\n\n/**\n * Compute a BLAKE2b hex digest for integrity verification.\n */\nexport function computeFileDigest(data: Uint8Array): string {\n const digestBytes = sodium.crypto_generichash(32, data);\n return sodium.to_hex(digestBytes);\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\n/** Domain separation prefixes to prevent cross-protocol signature confusion. */\nexport const DOMAIN_DID_DOCUMENT = \"DID-DOCUMENT:\";\nexport const DOMAIN_TRANSFER_INTENT = \"TRANSFER-INTENT:\";\nexport const DOMAIN_TRANSFER_ACCEPT = \"TRANSFER-ACCEPT:\";\n\n/**\n * JCS (JSON Canonicalization Scheme \u2014 RFC 8785) serialization.\n * Produces deterministic JSON bytes: sorted keys at every level, UTF-8 encoded.\n *\n * Note: Uses sodium.from_string() instead of TextEncoder for React Native compatibility.\n * Callers must ensure sodium.ready has been awaited before calling this function.\n */\nexport function canonicalize(obj: unknown): Uint8Array {\n const json = jsonCanonical(obj) ?? \"\";\n return sodium.from_string(json);\n}\n\nfunction jsonCanonical(value: unknown): string | undefined {\n if (value === undefined) return undefined;\n if (value === null) return \"null\";\n if (typeof value === \"boolean\" || typeof value === \"number\") return JSON.stringify(value);\n if (typeof value === \"string\") return JSON.stringify(value);\n if (Array.isArray(value)) {\n return \"[\" + value.map(jsonCanonical).join(\",\") + \"]\";\n }\n if (typeof value === \"object\") {\n const keys = Object.keys(value as Record<string, unknown>).sort();\n const entries = keys\n .map((k) => {\n const v = jsonCanonical((value as Record<string, unknown>)[k]);\n if (v === undefined) return undefined;\n return JSON.stringify(k) + \":\" + v;\n })\n .filter((entry): entry is string => entry !== undefined);\n return \"{\" + entries.join(\",\") + \"}\";\n }\n return JSON.stringify(value);\n}\n\n// --- Base58btc encoding (multibase z-prefix) ---\n\nconst BASE58_ALPHABET = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";\n\nfunction base58Encode(bytes: Uint8Array): string {\n let zeros = 0;\n for (const b of bytes) {\n if (b === 0) zeros++;\n else break;\n }\n\n let num = BigInt(0);\n for (const b of bytes) {\n num = num * 256n + BigInt(b);\n }\n\n let result = \"\";\n while (num > 0n) {\n const remainder = Number(num % 58n);\n num = num / 58n;\n result = BASE58_ALPHABET[remainder] + result;\n }\n\n return \"1\".repeat(zeros) + result;\n}\n\nfunction base58Decode(str: string): Uint8Array {\n let zeros = 0;\n for (const c of str) {\n if (c === \"1\") zeros++;\n else break;\n }\n\n let num = BigInt(0);\n for (const c of str.slice(zeros)) {\n const idx = BASE58_ALPHABET.indexOf(c);\n if (idx === -1) throw new Error(`Invalid base58 character: ${c}`);\n num = num * 58n + BigInt(idx);\n }\n\n const hex = num === 0n ? \"\" : num.toString(16).padStart(2, \"0\");\n const paddedHex = hex.length % 2 ? \"0\" + hex : hex;\n const dataBytes = new Uint8Array(\n (paddedHex.match(/.{2}/g) ?? []).map((b) => parseInt(b, 16)),\n );\n\n const result = new Uint8Array(zeros + dataBytes.length);\n result.set(dataBytes, zeros);\n return result;\n}\n\n/**\n * Encode an Ed25519 public key as multibase z-prefixed base58btc.\n * Prepends the multicodec Ed25519 prefix (0xed, 0x01) per did:key spec.\n */\nexport function publicKeyToMultibase(publicKey: Uint8Array): string {\n const prefixed = new Uint8Array(2 + publicKey.length);\n prefixed[0] = 0xed;\n prefixed[1] = 0x01;\n prefixed.set(publicKey, 2);\n return \"z\" + base58Encode(prefixed);\n}\n\n/**\n * Decode a multibase z-prefixed base58btc string back to raw Ed25519 public key bytes.\n * Strips the multicodec prefix.\n */\nexport function multibaseToPublicKey(multibase: string): Uint8Array {\n if (!multibase.startsWith(\"z\")) {\n throw new Error(\"Multibase string must start with 'z' (base58btc)\");\n }\n const decoded = base58Decode(multibase.slice(1));\n if (decoded.length < 2 || decoded[0] !== 0xed || decoded[1] !== 0x01) {\n throw new Error(\"Invalid Ed25519 multicodec prefix\");\n }\n return decoded.slice(2);\n}\n\n/**\n * Sign a document (any JSON-serializable object) with an Ed25519 private key.\n * Returns a detached signature over the domain-separated, JCS-canonicalized bytes.\n *\n * The signature is computed over `DOMAIN_DID_DOCUMENT + canonicalize(document)`\n * to prevent cross-protocol signature confusion.\n */\nexport async function signDocument(\n document: object,\n privateKey: Uint8Array,\n): Promise<Uint8Array> {\n await sodium.ready;\n const canonical = canonicalize(document);\n const domainPrefix = sodium.from_string(DOMAIN_DID_DOCUMENT);\n const message = new Uint8Array(domainPrefix.length + canonical.length);\n message.set(domainPrefix);\n message.set(canonical, domainPrefix.length);\n return sodium.crypto_sign_detached(message, privateKey);\n}\n\n/**\n * Verify a detached Ed25519 signature over a domain-separated, JCS-canonicalized document.\n *\n * Verifies against `DOMAIN_DID_DOCUMENT + canonicalize(document)`.\n */\nexport async function verifyDocumentSignature(\n document: object,\n signature: Uint8Array,\n publicKey: Uint8Array,\n): Promise<boolean> {\n await sodium.ready;\n const canonical = canonicalize(document);\n const domainPrefix = sodium.from_string(DOMAIN_DID_DOCUMENT);\n const message = new Uint8Array(domainPrefix.length + canonical.length);\n message.set(domainPrefix);\n message.set(canonical, domainPrefix.length);\n try {\n return sodium.crypto_sign_verify_detached(signature, message, publicKey);\n } catch {\n return false;\n }\n}\n\n/** Parameters for building a DID document. */\nexport interface BuildDidDocumentParams {\n hubAddress: string;\n ownerPublicKey: Uint8Array;\n agentPublicKey: Uint8Array;\n serviceEndpoint: string;\n profileEndpoint: string;\n /** ISO 8601 timestamp for created/updated fields. Defaults to current time. */\n created?: string;\n}\n\n/** A W3C DID Document verification method. */\nexport interface DidVerificationMethod {\n id: string;\n type: string;\n controller: string;\n publicKeyMultibase: string;\n}\n\n/** A W3C DID Document service entry. */\nexport interface DidService {\n id: string;\n type: string;\n serviceEndpoint: string;\n}\n\n/** A W3C DID Document for an AgentVault hub identity. */\nexport interface DidDocument {\n \"@context\": string[];\n id: string;\n controller: string;\n verificationMethod: DidVerificationMethod[];\n authentication: string[];\n assertionMethod: string[];\n service: DidService[];\n created: string;\n updated: string;\n}\n\n/**\n * Build a W3C DID Document for an AgentVault hub identity.\n */\nexport function buildDidDocument(params: BuildDidDocumentParams): DidDocument {\n const { hubAddress, ownerPublicKey, agentPublicKey, serviceEndpoint, profileEndpoint } = params;\n const didId = `did:hub:${hubAddress}`;\n const ownerMultibase = publicKeyToMultibase(ownerPublicKey);\n const agentMultibase = publicKeyToMultibase(agentPublicKey);\n const controllerDid = `did:key:${ownerMultibase}`;\n\n const now = params.created ?? new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n \"https://www.w3.org/ns/did/v1\",\n \"https://w3id.org/security/suites/ed25519-2020/v1\",\n ],\n id: didId,\n controller: controllerDid,\n verificationMethod: [\n {\n id: `${didId}#owner-key`,\n type: \"Ed25519VerificationKey2020\",\n controller: didId,\n publicKeyMultibase: ownerMultibase,\n },\n {\n id: `${didId}#agent-key`,\n type: \"Ed25519VerificationKey2020\",\n controller: didId,\n publicKeyMultibase: agentMultibase,\n },\n ],\n authentication: [`${didId}#owner-key`],\n assertionMethod: [`${didId}#owner-key`, `${didId}#agent-key`],\n service: [\n {\n id: `${didId}#messaging`,\n type: \"AgentVaultSecureChannel\",\n serviceEndpoint,\n },\n {\n id: `${didId}#profile`,\n type: \"AgentVaultProfile\",\n serviceEndpoint: profileEndpoint,\n },\n ],\n created: now,\n updated: now,\n };\n}\n", "/**\n * ScanEngine \u2014 client-side policy scanning for AgentVault.\n *\n * Evaluates scan rules against plaintext before encryption (outbound)\n * and after decryption (inbound). Pure TypeScript, no external dependencies.\n */\n\nexport interface ScanRule {\n id: string;\n name: string;\n direction: \"outbound\" | \"inbound\" | \"both\";\n scanner_type: \"regex\" | \"keyword_list\" | \"builtin\";\n scanner_config: Record<string, any>;\n action: \"block\" | \"flag\" | \"warn\";\n priority: number;\n}\n\nexport interface ScanViolation {\n rule_id: string;\n rule_name: string;\n action: \"block\" | \"flag\" | \"warn\";\n scanner_type: string;\n match_summary: string; // pattern name only, never raw content\n}\n\nexport interface ScanResult {\n status: \"clean\" | \"flagged\" | \"blocked\";\n violations: ScanViolation[];\n}\n\n// -- Builtin patterns --------------------------------------------------------\n\nconst BUILTIN_PATTERNS: Record<string, RegExp[]> = {\n pii_ssn: [/\\b\\d{3}-\\d{2}-\\d{4}\\b/g, /\\b\\d{9}\\b/g],\n pii_credit_card: [\n /\\b4\\d{3}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g, // Visa\n /\\b5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g, // MC\n /\\b3[47]\\d{2}[\\s-]?\\d{6}[\\s-]?\\d{5}\\b/g, // Amex\n /\\b6(?:011|5\\d{2})[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g, // Discover\n ],\n pii_email: [/\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b/g],\n api_keys: [\n /\\bsk_live_[a-zA-Z0-9]{24,}\\b/g,\n /\\bAKIA[0-9A-Z]{16}\\b/g,\n /\\bghp_[a-zA-Z0-9]{36,}\\b/g,\n /\\bglpat-[a-zA-Z0-9_-]{20,}\\b/g,\n /\\bxoxb-[0-9]+-[0-9]+-[a-zA-Z0-9]+\\b/g,\n ],\n prompt_injection: [\n /\\bignore\\s+(?:all\\s+)?(?:previous|above|prior)\\s+instructions\\b/gi,\n /\\byou\\s+are\\s+now\\s+(?:a|an)\\s+/gi,\n /\\bsystem\\s*:\\s*you\\b/gi,\n /\\bDAN\\s+mode\\b/gi,\n /\\bdo\\s+anything\\s+now\\b/gi,\n /\\bdo\\s+not\\s+follow\\s+any\\s+(?:other\\s+)?rules\\b/gi,\n /\\bjailbreak\\b/gi,\n ],\n shell_injection: [\n /\\bcurl\\s+.*\\|\\s*(?:sh|bash|zsh)\\b/gi,\n /\\beval\\s*\\(/gi,\n /\\bexec\\s*\\(/gi,\n /\\bchmod\\s+\\+x\\b/gi,\n /\\brm\\s+-rf\\s+\\//gi,\n ],\n};\n\n// -- ScanEngine class --------------------------------------------------------\n\nexport class ScanEngine {\n private rules: ScanRule[] = [];\n private ruleSetVersion = 0;\n\n loadRules(rules: ScanRule[]): void {\n this.rules = [...rules].sort((a, b) => a.priority - b.priority);\n this.ruleSetVersion = rules.length > 0 ? Math.max(...rules.map(() => 1)) : 0;\n }\n\n getRuleSetVersion(): number {\n return this.ruleSetVersion;\n }\n\n scanOutbound(plaintext: string): ScanResult {\n return this._scan(plaintext, \"outbound\");\n }\n\n scanInbound(plaintext: string): ScanResult {\n return this._scan(plaintext, \"inbound\");\n }\n\n private _scan(\n plaintext: string,\n direction: \"outbound\" | \"inbound\",\n ): ScanResult {\n const violations: ScanViolation[] = [];\n let blocked = false;\n let flagged = false;\n\n for (const rule of this.rules) {\n if (rule.direction !== \"both\" && rule.direction !== direction) {\n continue;\n }\n\n const matched = this._evaluateRule(rule, plaintext);\n if (!matched) continue;\n\n const violation: ScanViolation = {\n rule_id: rule.id,\n rule_name: rule.name,\n action: rule.action,\n scanner_type: rule.scanner_type,\n match_summary: this._buildMatchSummary(rule),\n };\n\n violations.push(violation);\n\n if (rule.action === \"block\") {\n blocked = true;\n break; // stop evaluating on first block\n }\n if (rule.action === \"flag\") {\n flagged = true;\n }\n // warn: record violation but do not change status\n }\n\n const status = blocked ? \"blocked\" : flagged ? \"flagged\" : \"clean\";\n return { status, violations };\n }\n\n private _evaluateRule(rule: ScanRule, text: string): boolean {\n switch (rule.scanner_type) {\n case \"regex\":\n return this._evalRegex(rule.scanner_config, text);\n case \"keyword_list\":\n return this._evalKeywordList(rule.scanner_config, text);\n case \"builtin\":\n return this._evalBuiltin(rule.scanner_config, text);\n default:\n return false;\n }\n }\n\n private _evalRegex(config: Record<string, any>, text: string): boolean {\n const pattern = config.pattern as string;\n if (!pattern) return false;\n const flags = (config.flags as string) ?? \"\";\n const regex = new RegExp(pattern, flags);\n return regex.test(text);\n }\n\n private _evalKeywordList(config: Record<string, any>, text: string): boolean {\n const words = config.words as string[];\n if (!words || words.length === 0) return false;\n const matchMode = config.match ?? \"word_boundary\";\n\n for (const word of words) {\n if (matchMode === \"word_boundary\") {\n const regex = new RegExp(`\\\\b${this._escapeRegex(word)}\\\\b`, \"i\");\n if (regex.test(text)) return true;\n } else {\n if (text.toLowerCase().includes(word.toLowerCase())) return true;\n }\n }\n return false;\n }\n\n private _evalBuiltin(config: Record<string, any>, text: string): boolean {\n const builtinId = config.builtin as string;\n\n if (builtinId === \"pii_detector\") {\n const categories = (config.categories as string[]) ?? [];\n for (const cat of categories) {\n const key = `pii_${cat}`;\n const patterns = BUILTIN_PATTERNS[key];\n if (patterns) {\n for (const p of patterns) {\n // Create fresh RegExp to reset lastIndex (source patterns use /g)\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n }\n }\n return false;\n }\n\n if (builtinId === \"api_keys\") {\n const patterns = BUILTIN_PATTERNS.api_keys;\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n return false;\n }\n\n if (builtinId === \"prompt_injection\") {\n const patterns = BUILTIN_PATTERNS.prompt_injection;\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n return false;\n }\n\n if (builtinId === \"shell_injection\") {\n const patterns = BUILTIN_PATTERNS.shell_injection;\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(text)) return true;\n }\n return false;\n }\n\n return false;\n }\n\n private _buildMatchSummary(rule: ScanRule): string {\n switch (rule.scanner_type) {\n case \"regex\":\n return `regex:${rule.name}`;\n case \"keyword_list\":\n return `keyword_list:${rule.name}`;\n case \"builtin\": {\n const builtinId = rule.scanner_config.builtin ?? \"unknown\";\n return `builtin:${builtinId}`;\n }\n default:\n return rule.scanner_type;\n }\n }\n\n private _escapeRegex(str: string): string {\n return str.replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\");\n }\n\n /**\n * Scan a workspace file (e.g. SOUL.md) against all builtin patterns.\n * Runs api_keys, pii_*, prompt_injection, and shell_injection checks\n * regardless of rule direction.\n */\n /**\n * Scan a SKILL.md file for policy violations.\n * Like scanWorkspaceFile but skips prompt_injection on instruction body\n * (skills legitimately describe AI behaviors that look like injection).\n * Checks: api_keys (block), shell_injection (block), pii (flag).\n */\n static scanSkillMd(content: string): ScanResult {\n const violations: ScanViolation[] = [];\n let blocked = false;\n let flagged = false;\n\n const checks: Array<{ id: string; action: \"block\" | \"flag\" }> = [\n { id: \"api_keys\", action: \"block\" },\n { id: \"shell_injection\", action: \"block\" },\n { id: \"pii_ssn\", action: \"flag\" },\n { id: \"pii_credit_card\", action: \"flag\" },\n { id: \"pii_email\", action: \"flag\" },\n // Intentionally omits prompt_injection \u2014 SKILL.md instruction body\n // legitimately contains phrases like \"you are now a...\"\n ];\n\n for (const check of checks) {\n const patterns = BUILTIN_PATTERNS[check.id];\n if (!patterns) continue;\n\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(content)) {\n violations.push({\n rule_id: `skill_${check.id}`,\n rule_name: check.id,\n action: check.action,\n scanner_type: \"builtin\",\n match_summary: `builtin:${check.id}`,\n });\n if (check.action === \"block\") blocked = true;\n if (check.action === \"flag\") flagged = true;\n break;\n }\n }\n }\n\n const status = blocked ? \"blocked\" : flagged ? \"flagged\" : \"clean\";\n return { status, violations };\n }\n\n static scanWorkspaceFile(content: string): ScanResult {\n const violations: ScanViolation[] = [];\n let blocked = false;\n let flagged = false;\n\n const checks: Array<{ id: string; action: \"block\" | \"flag\" }> = [\n { id: \"api_keys\", action: \"block\" },\n { id: \"prompt_injection\", action: \"block\" },\n { id: \"shell_injection\", action: \"block\" },\n { id: \"pii_ssn\", action: \"flag\" },\n { id: \"pii_credit_card\", action: \"flag\" },\n { id: \"pii_email\", action: \"flag\" },\n ];\n\n for (const check of checks) {\n const patterns = BUILTIN_PATTERNS[check.id];\n if (!patterns) continue;\n\n for (const p of patterns) {\n const regex = new RegExp(p.source, p.flags);\n if (regex.test(content)) {\n violations.push({\n rule_id: `workspace_${check.id}`,\n rule_name: check.id,\n action: check.action,\n scanner_type: \"builtin\",\n match_summary: `builtin:${check.id}`,\n });\n if (check.action === \"block\") blocked = true;\n if (check.action === \"flag\") flagged = true;\n break; // one match per category is enough\n }\n }\n }\n\n const status = blocked ? \"blocked\" : flagged ? \"flagged\" : \"clean\";\n return { status, violations };\n }\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\n\n/**\n * JCS (RFC 8785) canonical JSON serialization.\n * Same implementation as did.ts \u2014 duplicated here to avoid circular deps.\n */\nfunction jcsCanonical(value: unknown): string | undefined {\n if (value === undefined) return undefined;\n if (value === null) return \"null\";\n if (typeof value === \"boolean\" || typeof value === \"number\") return JSON.stringify(value);\n if (typeof value === \"string\") return JSON.stringify(value);\n if (Array.isArray(value)) {\n return \"[\" + value.map(jcsCanonical).join(\",\") + \"]\";\n }\n if (typeof value === \"object\") {\n const keys = Object.keys(value as Record<string, unknown>).sort();\n const entries = keys\n .map((k) => {\n const v = jcsCanonical((value as Record<string, unknown>)[k]);\n if (v === undefined) return undefined;\n return JSON.stringify(k) + \":\" + v;\n })\n .filter((entry): entry is string => entry !== undefined);\n return \"{\" + entries.join(\",\") + \"}\";\n }\n return JSON.stringify(value);\n}\n\nfunction hexToBytes(hex: string): Uint8Array {\n const h = hex.startsWith(\"0x\") ? hex.slice(2) : hex;\n const bytes = new Uint8Array(h.length / 2);\n for (let i = 0; i < bytes.length; i++) {\n bytes[i] = parseInt(h.substr(i * 2, 2), 16);\n }\n return bytes;\n}\n\nfunction bytesToHex(bytes: Uint8Array): string {\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Compute SHA-256 hash of a JCS-canonicalized DID document.\n *\n * Uses libsodium's crypto_hash_sha256 for React Native compatibility.\n *\n * @returns 0x-prefixed hex string (66 chars).\n */\nexport function computeDidHash(didDocument: object): string {\n const json = jcsCanonical(didDocument) ?? \"\";\n const bytes = sodium.from_string(json);\n const hash = sodium.crypto_hash_sha256(bytes);\n return \"0x\" + bytesToHex(hash);\n}\n\n/** A single sibling in a Merkle proof path. */\nexport interface MerkleProofSibling {\n hash: string;\n position: \"left\" | \"right\";\n}\n\n/**\n * Verify a Merkle proof for a leaf hash against a root.\n *\n * @param leafHash - 0x-prefixed hex hash of the leaf.\n * @param proof - Array of sibling hashes with positions.\n * @param merkleRoot - 0x-prefixed hex hash of the expected root.\n * @returns true if the proof verifies.\n */\nexport function verifyMerkleProof(\n leafHash: string,\n proof: MerkleProofSibling[],\n merkleRoot: string,\n): boolean {\n let current = hexToBytes(leafHash);\n\n for (const step of proof) {\n const sibling = hexToBytes(step.hash);\n const combined = new Uint8Array(current.length + sibling.length);\n if (step.position === \"left\") {\n combined.set(sibling);\n combined.set(current, sibling.length);\n } else {\n combined.set(current);\n combined.set(sibling, current.length);\n }\n current = sodium.crypto_hash_sha256(combined);\n }\n\n const rootBytes = hexToBytes(merkleRoot);\n if (current.length !== rootBytes.length) return false;\n for (let i = 0; i < current.length; i++) {\n if (current[i] !== rootBytes[i]) return false;\n }\n return true;\n}\n", "/**\n * W3C Verifiable Credentials Data Model 2.0 \u2014 eddsa-jcs-2022 cryptosuite.\n *\n * Implements VC issuance, signing, and verification using:\n * - JSON Canonicalization Scheme (RFC 8785) via existing `canonicalize()`\n * - SHA-256 hashing for proof config + document\n * - Ed25519 detached signatures (libsodium)\n * - Multibase z-base58btc encoding for proofValue\n *\n * @see https://www.w3.org/TR/vc-data-model-2.0/\n * @see https://www.w3.org/TR/vc-di-eddsa/ (eddsa-jcs-2022 cryptosuite)\n */\nimport sodium from \"libsodium-wrappers-sumo\";\n\nimport { canonicalize, publicKeyToMultibase } from \"./did.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** W3C VC 2.0 context \u2014 MUST be first element in @context array. */\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\n\n/** AgentVault credential vocabulary context. */\nexport const AV_CREDENTIAL_CONTEXT = \"https://agentvault.chat/ns/credentials/v1\";\n\n/** Data Integrity v2 context (bundled in credentials/v2 but listed for clarity). */\nexport const DATA_INTEGRITY_CONTEXT = \"https://w3id.org/security/data-integrity/v2\";\n\n/** Cryptosuite identifier for JCS-based Ed25519 proofs. */\nexport const CRYPTOSUITE = \"eddsa-jcs-2022\";\n\n/** AgentVault issuer DID prefix. */\nexport const AV_ISSUER_PREFIX = \"did:hub:\";\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\n/** W3C Data Integrity Proof (eddsa-jcs-2022). */\nexport interface DataIntegrityProof {\n type: \"DataIntegrityProof\";\n cryptosuite: typeof CRYPTOSUITE;\n created: string;\n verificationMethod: string;\n proofPurpose: \"assertionMethod\" | \"authentication\";\n proofValue: string;\n}\n\n/** Credential subject \u2014 flexible key-value claims. */\nexport interface CredentialSubject {\n id: string;\n [key: string]: unknown;\n}\n\n/** Credential status for revocation checking. */\nexport interface CredentialStatus {\n id: string;\n type: string;\n statusPurpose?: string;\n statusListIndex?: string;\n statusListCredential?: string;\n}\n\n/** W3C Verifiable Credential (unsigned \u2014 before proof is attached). */\nexport interface UnsignedCredential {\n \"@context\": (string | Record<string, unknown>)[];\n id: string;\n type: string[];\n issuer: string | { id: string; name?: string };\n validFrom: string;\n validUntil?: string;\n name?: string;\n description?: string;\n credentialSubject: CredentialSubject;\n credentialStatus?: CredentialStatus;\n evidence?: Record<string, unknown>[];\n}\n\n/** W3C Verifiable Credential (signed \u2014 with embedded proof). */\nexport interface VerifiableCredential extends UnsignedCredential {\n proof: DataIntegrityProof;\n}\n\n/** W3C Verifiable Presentation (unsigned). */\nexport interface UnsignedPresentation {\n \"@context\": (string | Record<string, unknown>)[];\n type: string | string[];\n id?: string;\n holder: string;\n verifiableCredential: VerifiableCredential[];\n}\n\n/** W3C Verifiable Presentation (signed). */\nexport interface VerifiablePresentation extends UnsignedPresentation {\n proof: DataIntegrityProof;\n}\n\n// ---------------------------------------------------------------------------\n// AgentVault credential type definitions\n// ---------------------------------------------------------------------------\n\n/** Parameters for building an AgentTrustCredential. */\nexport interface AgentTrustCredentialParams {\n /** Credential UUID (urn:uuid:...) */\n credentialId: string;\n /** Issuer hub DID (did:hub:platform.agentvault.hub or similar) */\n issuerDid: string;\n /** Issuer display name */\n issuerName?: string;\n /** Subject agent DID (did:hub:<hub_address>) */\n subjectDid: string;\n /** Trust tier achieved */\n trustTier: \"verified\" | \"trusted\" | \"certified\" | \"premier\" | \"enterprise\";\n /** Composite trust score (0.0 - 1.0) */\n compositeScore: number;\n /** Score window in days */\n scoreWindow: number;\n /** Individual dimension scores */\n dimensions?: {\n volume?: number;\n responsiveness?: number;\n uptime?: number;\n compliance?: number;\n };\n /** ISO 8601 validity start (defaults to now) */\n validFrom?: string;\n /** ISO 8601 validity end */\n validUntil?: string;\n /** Verification API endpoint */\n verificationEndpoint?: string;\n}\n\n/** Parameters for building a SkillAttestation credential. */\nexport interface SkillAttestationParams {\n credentialId: string;\n issuerDid: string;\n issuerName?: string;\n subjectDid: string;\n skillName: string;\n skillNamespace: string;\n /** Skill proficiency level */\n proficiencyLevel?: \"basic\" | \"intermediate\" | \"advanced\" | \"expert\";\n /** Total invocations of this skill */\n totalInvocations?: number;\n /** Success rate (0.0 - 1.0) */\n successRate?: number;\n /** Assessment date */\n assessedAt?: string;\n validFrom?: string;\n validUntil?: string;\n}\n\n/** Parameters for building a PerformanceRecord credential. */\nexport interface PerformanceRecordParams {\n credentialId: string;\n issuerDid: string;\n issuerName?: string;\n subjectDid: string;\n /** Reporting period start */\n periodStart: string;\n /** Reporting period end */\n periodEnd: string;\n /** Total messages handled */\n messagesHandled: number;\n /** Average response time in milliseconds */\n avgResponseTimeMs: number;\n /** Uptime percentage (0.0 - 1.0) */\n uptimePercentage: number;\n /** Policy violations count */\n policyViolations: number;\n /** Composite score for the period */\n compositeScore: number;\n validFrom?: string;\n validUntil?: string;\n}\n\n/** Trust report dimension sub-scores. */\nexport interface TrustReportDimensions {\n categories: {\n operational: {\n availability?: number | null;\n responsiveness?: number | null;\n reliability?: number | null;\n };\n performance: {\n throughput?: number | null;\n taskSuccess?: number | null;\n efficiency?: number | null;\n };\n quality: {\n toolAccuracy?: number | null;\n errorDiscipline?: number | null;\n compliance?: number | null;\n };\n stability: {\n behavioralConsistency?: number | null;\n versionHealth?: number | null;\n };\n cost: {\n tokenEfficiency?: number | null;\n };\n };\n categoryScores: Record<string, number | null>;\n compositeScore: number;\n}\n\n/** Parameters for building an AgentTrustReport credential. */\nexport interface AgentTrustReportParams {\n credentialId: string;\n issuerDid: string;\n issuerName?: string;\n subjectDid: string;\n /** Report period start (ISO 8601) */\n reportPeriodStart: string;\n /** Report period end (ISO 8601) */\n reportPeriodEnd: string;\n /** Trust tier */\n trustTier: \"verified\" | \"trusted\" | \"certified\" | \"premier\" | \"enterprise\";\n /** Composite trust score (0.0 - 1.0) */\n compositeScore: number;\n /** Categorized dimension scores */\n dimensions?: TrustReportDimensions;\n /** Trending analysis */\n trending?: {\n direction: string;\n slope: number;\n r_squared: number;\n pct_change: number;\n data_points: number;\n };\n /** Fleet comparison data */\n fleetComparison?: {\n percentile: number;\n fleet_median: number;\n fleet_p25: number;\n fleet_p75: number;\n rank: number;\n fleet_size: number;\n };\n /** Drift detection status */\n driftStatus?: {\n psi: number;\n classification: string;\n baseline_available: boolean;\n };\n /** Audit chain integrity */\n auditIntegrity?: {\n chain_length: number;\n latest_hash: string | null;\n verified: boolean;\n events_checked: number;\n };\n /** Telemetry summary */\n telemetrySummary?: {\n total_spans: number;\n error_count: number;\n error_rate: number;\n avg_latency_ms: number | null;\n tokens_input: number;\n tokens_output: number;\n latency_p50: number | null;\n latency_p95: number | null;\n };\n validFrom?: string;\n validUntil?: string;\n verificationEndpoint?: string;\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\n/**\n * SHA-256 hash using libsodium.\n * libsodium-wrappers-sumo exposes crypto_hash_sha256.\n */\nasync function sha256(data: Uint8Array): Promise<Uint8Array> {\n await sodium.ready;\n return sodium.crypto_hash_sha256(data);\n}\n\n/**\n * Base58btc encoding (same alphabet as did.ts).\n */\nconst BASE58_ALPHABET = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";\n\nfunction base58Encode(bytes: Uint8Array): string {\n let zeros = 0;\n for (const b of bytes) {\n if (b === 0) zeros++;\n else break;\n }\n let num = BigInt(0);\n for (const b of bytes) {\n num = num * 256n + BigInt(b);\n }\n let result = \"\";\n while (num > 0n) {\n const remainder = Number(num % 58n);\n num = num / 58n;\n result = BASE58_ALPHABET[remainder] + result;\n }\n return \"1\".repeat(zeros) + result;\n}\n\nfunction base58Decode(str: string): Uint8Array {\n let zeros = 0;\n for (const c of str) {\n if (c === \"1\") zeros++;\n else break;\n }\n let num = BigInt(0);\n for (const c of str.slice(zeros)) {\n const idx = BASE58_ALPHABET.indexOf(c);\n if (idx === -1) throw new Error(`Invalid base58 character: ${c}`);\n num = num * 58n + BigInt(idx);\n }\n const hex = num === 0n ? \"\" : num.toString(16).padStart(2, \"0\");\n const paddedHex = hex.length % 2 ? \"0\" + hex : hex;\n const dataBytes = new Uint8Array(\n (paddedHex.match(/.{2}/g) ?? []).map((b) => parseInt(b, 16)),\n );\n const result = new Uint8Array(zeros + dataBytes.length);\n result.set(dataBytes, zeros);\n return result;\n}\n\n// ---------------------------------------------------------------------------\n// Core VC signing / verification (eddsa-jcs-2022)\n// ---------------------------------------------------------------------------\n\n/**\n * Compute the eddsa-jcs-2022 hashData (64 bytes) for signing.\n *\n * Per the spec:\n * 1. JCS canonicalize proof config \u2192 SHA-256 \u2192 32 bytes\n * 2. JCS canonicalize document (without proof) \u2192 SHA-256 \u2192 32 bytes\n * 3. Concatenate: proofConfigHash || documentHash\n */\nasync function computeHashData(\n document: Record<string, unknown>,\n proofConfig: Record<string, unknown>,\n): Promise<Uint8Array> {\n // Hash the proof configuration\n const proofConfigBytes = canonicalize(proofConfig);\n const proofConfigHash = await sha256(proofConfigBytes);\n\n // Hash the document (without proof property)\n const docWithoutProof = { ...document };\n delete docWithoutProof.proof;\n const documentBytes = canonicalize(docWithoutProof);\n const documentHash = await sha256(documentBytes);\n\n // Concatenate: proofConfigHash || documentHash\n const hashData = new Uint8Array(64);\n hashData.set(proofConfigHash, 0);\n hashData.set(documentHash, 32);\n return hashData;\n}\n\n/**\n * Sign a Verifiable Credential or Presentation using eddsa-jcs-2022.\n *\n * @param document The unsigned credential/presentation (any JSON object)\n * @param privateKey Ed25519 private key (64 bytes \u2014 libsodium combined format)\n * @param verificationMethod DID URL of the signing key (e.g., \"did:hub:x#owner-key\")\n * @param proofPurpose \"assertionMethod\" for credentials, \"authentication\" for presentations\n * @param created ISO 8601 timestamp (defaults to now)\n * @returns The signed document with embedded `proof` property\n */\nexport async function signWithDataIntegrity<\n T extends Record<string, unknown>,\n>(\n document: T,\n privateKey: Uint8Array,\n verificationMethod: string,\n proofPurpose: \"assertionMethod\" | \"authentication\" = \"assertionMethod\",\n created?: string,\n): Promise<T & { proof: DataIntegrityProof }> {\n await sodium.ready;\n\n const timestamp = created ?? new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n // Build proof configuration (everything except proofValue)\n const proofConfig: Record<string, unknown> = {\n type: \"DataIntegrityProof\",\n cryptosuite: CRYPTOSUITE,\n created: timestamp,\n verificationMethod,\n proofPurpose,\n };\n\n // Compute hashData = SHA-256(proofConfig) || SHA-256(document)\n const hashData = await computeHashData(document as Record<string, unknown>, proofConfig);\n\n // Sign with Ed25519\n const signature = sodium.crypto_sign_detached(hashData, privateKey);\n\n // Encode as multibase z-base58btc\n const proofValue = \"z\" + base58Encode(signature);\n\n const proof: DataIntegrityProof = {\n type: \"DataIntegrityProof\",\n cryptosuite: CRYPTOSUITE,\n created: timestamp,\n verificationMethod,\n proofPurpose,\n proofValue,\n };\n\n return { ...document, proof };\n}\n\n/**\n * Verify a Data Integrity proof (eddsa-jcs-2022) on a credential or presentation.\n *\n * @param document The signed document with embedded `proof`\n * @param publicKey Ed25519 public key (32 bytes) of the signer\n * @returns true if the proof is valid\n */\nexport async function verifyDataIntegrity(\n document: Record<string, unknown>,\n publicKey: Uint8Array,\n): Promise<boolean> {\n await sodium.ready;\n\n const proof = document.proof as DataIntegrityProof | undefined;\n if (!proof || proof.type !== \"DataIntegrityProof\" || proof.cryptosuite !== CRYPTOSUITE) {\n return false;\n }\n\n // Decode proofValue from multibase z-base58btc\n if (!proof.proofValue.startsWith(\"z\")) {\n return false;\n }\n const signature = base58Decode(proof.proofValue.slice(1));\n if (signature.length !== 64) {\n return false;\n }\n\n // Rebuild proof configuration (without proofValue)\n const proofConfig: Record<string, unknown> = {\n type: proof.type,\n cryptosuite: proof.cryptosuite,\n created: proof.created,\n verificationMethod: proof.verificationMethod,\n proofPurpose: proof.proofPurpose,\n };\n\n // Recompute hashData\n const hashData = await computeHashData(document, proofConfig);\n\n // Verify Ed25519 signature\n try {\n return sodium.crypto_sign_verify_detached(signature, hashData, publicKey);\n } catch {\n return false;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Credential builders \u2014 AgentVault-specific credential types\n// ---------------------------------------------------------------------------\n\n/**\n * Build an unsigned AgentTrustCredential.\n *\n * Issued when an agent achieves or maintains a trust tier.\n */\nexport function buildAgentTrustCredential(\n params: AgentTrustCredentialParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n AgentTrustCredential: \"https://agentvault.chat/vocab#AgentTrustCredential\",\n trustTier: \"https://agentvault.chat/vocab#trustTier\",\n compositeScore: \"https://agentvault.chat/vocab#compositeScore\",\n scoreWindow: \"https://agentvault.chat/vocab#scoreWindow\",\n scoreDimensions: \"https://agentvault.chat/vocab#scoreDimensions\",\n volume: \"https://agentvault.chat/vocab#volume\",\n responsiveness: \"https://agentvault.chat/vocab#responsiveness\",\n uptime: \"https://agentvault.chat/vocab#uptime\",\n compliance: \"https://agentvault.chat/vocab#compliance\",\n verificationEndpoint: \"https://agentvault.chat/vocab#verificationEndpoint\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"AgentTrustCredential\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: {\n id: params.subjectDid,\n trustTier: params.trustTier,\n compositeScore: params.compositeScore,\n scoreWindow: params.scoreWindow,\n ...(params.dimensions\n ? {\n scoreDimensions: {\n volume: params.dimensions.volume,\n responsiveness: params.dimensions.responsiveness,\n uptime: params.dimensions.uptime,\n compliance: params.dimensions.compliance,\n },\n }\n : {}),\n ...(params.verificationEndpoint\n ? { verificationEndpoint: params.verificationEndpoint }\n : {}),\n },\n };\n}\n\n/**\n * Build an unsigned SkillAttestation credential.\n *\n * Issued for verified agent capabilities/skills.\n */\nexport function buildSkillAttestation(\n params: SkillAttestationParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n SkillAttestation: \"https://agentvault.chat/vocab#SkillAttestation\",\n skillName: \"https://agentvault.chat/vocab#skillName\",\n skillNamespace: \"https://agentvault.chat/vocab#skillNamespace\",\n proficiencyLevel: \"https://agentvault.chat/vocab#proficiencyLevel\",\n totalInvocations: \"https://agentvault.chat/vocab#totalInvocations\",\n successRate: \"https://agentvault.chat/vocab#successRate\",\n assessedAt: \"https://agentvault.chat/vocab#assessedAt\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"SkillAttestation\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: {\n id: params.subjectDid,\n skillName: params.skillName,\n skillNamespace: params.skillNamespace,\n ...(params.proficiencyLevel ? { proficiencyLevel: params.proficiencyLevel } : {}),\n ...(params.totalInvocations !== undefined\n ? { totalInvocations: params.totalInvocations }\n : {}),\n ...(params.successRate !== undefined ? { successRate: params.successRate } : {}),\n ...(params.assessedAt ? { assessedAt: params.assessedAt } : {}),\n },\n };\n}\n\n/**\n * Build an unsigned PerformanceRecord credential.\n *\n * Issued based on aggregated agent performance metrics.\n */\nexport function buildPerformanceRecord(\n params: PerformanceRecordParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n PerformanceRecord: \"https://agentvault.chat/vocab#PerformanceRecord\",\n periodStart: \"https://agentvault.chat/vocab#periodStart\",\n periodEnd: \"https://agentvault.chat/vocab#periodEnd\",\n messagesHandled: \"https://agentvault.chat/vocab#messagesHandled\",\n avgResponseTimeMs: \"https://agentvault.chat/vocab#avgResponseTimeMs\",\n uptimePercentage: \"https://agentvault.chat/vocab#uptimePercentage\",\n policyViolations: \"https://agentvault.chat/vocab#policyViolations\",\n compositeScore: \"https://agentvault.chat/vocab#compositeScore\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"PerformanceRecord\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: {\n id: params.subjectDid,\n periodStart: params.periodStart,\n periodEnd: params.periodEnd,\n messagesHandled: params.messagesHandled,\n avgResponseTimeMs: params.avgResponseTimeMs,\n uptimePercentage: params.uptimePercentage,\n policyViolations: params.policyViolations,\n compositeScore: params.compositeScore,\n },\n };\n}\n\n/**\n * Build an unsigned AgentTrustReport credential.\n *\n * Issued as a comprehensive trust report with dimensions, trending,\n * fleet comparison, drift detection, and audit integrity data.\n */\nexport function buildAgentTrustReportCredential(\n params: AgentTrustReportParams,\n): UnsignedCredential {\n const now = new Date().toISOString().replace(/\\.\\d{3}Z$/, \"Z\");\n\n const subject: Record<string, unknown> = {\n id: params.subjectDid,\n reportPeriod: {\n start: params.reportPeriodStart,\n end: params.reportPeriodEnd,\n },\n trustTier: params.trustTier,\n compositeScore: params.compositeScore,\n };\n\n if (params.dimensions) subject.dimensions = params.dimensions;\n if (params.trending) subject.trending = params.trending;\n if (params.fleetComparison) subject.fleetComparison = params.fleetComparison;\n if (params.driftStatus) subject.driftStatus = params.driftStatus;\n if (params.auditIntegrity) subject.auditIntegrity = params.auditIntegrity;\n if (params.telemetrySummary) subject.telemetrySummary = params.telemetrySummary;\n if (params.verificationEndpoint) subject.verificationEndpoint = params.verificationEndpoint;\n\n return {\n \"@context\": [\n VC_CONTEXT_V2,\n {\n AgentTrustReport: \"https://agentvault.chat/vocab#AgentTrustReport\",\n reportPeriod: \"https://agentvault.chat/vocab#reportPeriod\",\n trustTier: \"https://agentvault.chat/vocab#trustTier\",\n compositeScore: \"https://agentvault.chat/vocab#compositeScore\",\n dimensions: \"https://agentvault.chat/vocab#dimensions\",\n trending: \"https://agentvault.chat/vocab#trending\",\n fleetComparison: \"https://agentvault.chat/vocab#fleetComparison\",\n driftStatus: \"https://agentvault.chat/vocab#driftStatus\",\n auditIntegrity: \"https://agentvault.chat/vocab#auditIntegrity\",\n telemetrySummary: \"https://agentvault.chat/vocab#telemetrySummary\",\n verificationEndpoint: \"https://agentvault.chat/vocab#verificationEndpoint\",\n },\n ],\n id: params.credentialId,\n type: [\"VerifiableCredential\", \"AgentTrustReport\"],\n issuer: params.issuerName\n ? { id: params.issuerDid, name: params.issuerName }\n : params.issuerDid,\n validFrom: params.validFrom ?? now,\n ...(params.validUntil ? { validUntil: params.validUntil } : {}),\n credentialSubject: subject as CredentialSubject,\n };\n}\n\n/**\n * Build an unsigned Verifiable Presentation wrapping one or more credentials.\n */\nexport function buildVerifiablePresentation(\n holderDid: string,\n credentials: VerifiableCredential[],\n presentationId?: string,\n): UnsignedPresentation {\n return {\n \"@context\": [VC_CONTEXT_V2],\n type: \"VerifiablePresentation\",\n ...(presentationId ? { id: presentationId } : {}),\n holder: holderDid,\n verifiableCredential: credentials,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Convenience wrappers\n// ---------------------------------------------------------------------------\n\n/**\n * Issue a signed Verifiable Credential.\n *\n * Convenience wrapper that signs an unsigned credential using eddsa-jcs-2022.\n *\n * @param credential Unsigned credential to sign\n * @param privateKey Issuer's Ed25519 private key (64-byte combined format)\n * @param verificationMethod DID URL of the issuer's signing key\n * @returns Signed VerifiableCredential with embedded proof\n */\nexport async function issueCredential(\n credential: UnsignedCredential,\n privateKey: Uint8Array,\n verificationMethod: string,\n): Promise<VerifiableCredential> {\n return signWithDataIntegrity(\n credential as unknown as Record<string, unknown>,\n privateKey,\n verificationMethod,\n \"assertionMethod\",\n ) as unknown as Promise<VerifiableCredential>;\n}\n\n/**\n * Create a signed Verifiable Presentation.\n *\n * Signs the presentation with the holder's key using \"authentication\" proof purpose.\n */\nexport async function presentCredentials(\n presentation: UnsignedPresentation,\n privateKey: Uint8Array,\n verificationMethod: string,\n): Promise<VerifiablePresentation> {\n return signWithDataIntegrity(\n presentation as unknown as Record<string, unknown>,\n privateKey,\n verificationMethod,\n \"authentication\",\n ) as unknown as Promise<VerifiablePresentation>;\n}\n", "import sodium from \"libsodium-wrappers-sumo\";\nimport type { EncryptedMessage } from \"./ratchet.js\";\n\n// --- Encoding helpers ---\n\nexport function hexToBytes(hex: string): Uint8Array {\n return sodium.from_hex(hex);\n}\n\nexport function bytesToHex(bytes: Uint8Array): string {\n return sodium.to_hex(bytes);\n}\n\nexport function base64ToBytes(b64: string): Uint8Array {\n return sodium.from_base64(b64, sodium.base64_variants.ORIGINAL);\n}\n\nexport function bytesToBase64(bytes: Uint8Array): string {\n return sodium.to_base64(bytes, sodium.base64_variants.ORIGINAL);\n}\n\n// --- Base64 transport format (owner-agent) ---\n// Must match packages/web/lib/crypto-bridge.ts exactly\n\nexport interface TransportMessage {\n header_blob: string; // base64-encoded JSON with binary fields as base64\n ciphertext: string; // base64-encoded raw ciphertext\n}\n\nexport function encryptedMessageToTransport(\n msg: EncryptedMessage,\n): TransportMessage {\n const headerObj = {\n dhPublicKey: bytesToBase64(msg.header.dhPublicKey),\n previousChainLength: msg.header.previousChainLength,\n messageNumber: msg.header.messageNumber,\n headerSignature: bytesToBase64(msg.headerSignature),\n nonce: bytesToBase64(msg.nonce),\n };\n const headerJson = JSON.stringify(headerObj);\n const headerBlob = bytesToBase64(\n new TextEncoder().encode(headerJson),\n );\n return {\n header_blob: headerBlob,\n ciphertext: bytesToBase64(msg.ciphertext),\n };\n}\n\nexport function transportToEncryptedMessage(\n transport: TransportMessage,\n): EncryptedMessage {\n const headerJson = new TextDecoder().decode(\n base64ToBytes(transport.header_blob),\n );\n const headerObj = JSON.parse(headerJson);\n return {\n header: {\n dhPublicKey: base64ToBytes(headerObj.dhPublicKey),\n previousChainLength: headerObj.previousChainLength,\n messageNumber: headerObj.messageNumber,\n },\n headerSignature: base64ToBytes(headerObj.headerSignature),\n nonce: base64ToBytes(headerObj.nonce),\n ciphertext: base64ToBytes(transport.ciphertext),\n };\n}\n\n// --- V2 transport format (header encryption) ---\n\nexport interface TransportMessageV2 {\n envelope_version: \"2.0.0\";\n encrypted_header: string; // base64\n header_nonce: string; // base64\n header_signature: string; // base64\n nonce: string; // base64\n ciphertext: string; // base64\n}\n\nexport function encryptedMessageToTransportV2(\n msg: EncryptedMessage,\n): TransportMessageV2 {\n if (!msg.encryptedHeader || !msg.headerNonce) {\n throw new Error(\"encryptedMessageToTransportV2 requires v2 encrypted message\");\n }\n return {\n envelope_version: \"2.0.0\",\n encrypted_header: bytesToBase64(msg.encryptedHeader),\n header_nonce: bytesToBase64(msg.headerNonce),\n header_signature: bytesToBase64(msg.headerSignature),\n nonce: bytesToBase64(msg.nonce),\n ciphertext: bytesToBase64(msg.ciphertext),\n };\n}\n\n/**\n * Decode a V2 transport message. The header stays encrypted \u2014\n * the DoubleRatchet.decrypt() method decrypts it using the header key.\n *\n * We still need to populate the plaintext `header` field for the ratchet\n * to identify the DH public key and advance the chain. For V2, the caller\n * must provide the plaintext header separately (from the ratchet's decrypt path).\n *\n * In practice, the receiver will first try to parse as V2, then fall through\n * to ratchet.decrypt() which handles header decryption internally.\n */\nexport function transportV2ToEncryptedMessage(\n transport: TransportMessageV2,\n plaintextHeader: EncryptedMessage[\"header\"],\n): EncryptedMessage {\n return {\n header: plaintextHeader,\n headerSignature: base64ToBytes(transport.header_signature),\n ciphertext: base64ToBytes(transport.ciphertext),\n nonce: base64ToBytes(transport.nonce),\n envelopeVersion: \"2.0.0\",\n encryptedHeader: base64ToBytes(transport.encrypted_header),\n headerNonce: base64ToBytes(transport.header_nonce),\n };\n}\n\n/**\n * Encode a V2 transport message that also includes the plaintext header\n * (for the server to relay to the ratchet). This is the practical format:\n * the server stores the encrypted header but relays both encrypted and\n * plaintext header_blob so the receiver can reconstruct the EncryptedMessage.\n */\nexport function encryptedMessageToTransportV2Full(\n msg: EncryptedMessage,\n): TransportMessage & { envelope_version: \"2.0.0\"; encrypted_header: string; header_nonce: string } {\n if (!msg.encryptedHeader || !msg.headerNonce) {\n throw new Error(\"encryptedMessageToTransportV2Full requires v2 encrypted message\");\n }\n const v1 = encryptedMessageToTransport(msg);\n return {\n ...v1,\n envelope_version: \"2.0.0\",\n encrypted_header: bytesToBase64(msg.encryptedHeader),\n header_nonce: bytesToBase64(msg.headerNonce),\n };\n}\n\n// --- Hex transport format (A2A channels) ---\n\nexport interface HexTransportMessage {\n header_blob: string; // hex-encoded JSON with dhPublicKey as hex\n header_signature: string; // hex of headerSignature bytes\n ciphertext: string; // hex of ciphertext bytes\n nonce: string; // hex of nonce bytes\n}\n\nexport function encryptedMessageToHexTransport(\n msg: EncryptedMessage,\n): HexTransportMessage {\n const headerObj = {\n dhPublicKey: bytesToHex(msg.header.dhPublicKey),\n previousChainLength: msg.header.previousChainLength,\n messageNumber: msg.header.messageNumber,\n };\n const headerBlobHex = Buffer.from(JSON.stringify(headerObj)).toString(\"hex\");\n return {\n header_blob: headerBlobHex,\n header_signature: bytesToHex(msg.headerSignature),\n ciphertext: bytesToHex(msg.ciphertext),\n nonce: bytesToHex(msg.nonce),\n };\n}\n\nexport function hexTransportToEncryptedMessage(\n transport: HexTransportMessage,\n): EncryptedMessage {\n const headerJson = Buffer.from(transport.header_blob, \"hex\").toString(\"utf-8\");\n const headerObj = JSON.parse(headerJson);\n return {\n header: {\n dhPublicKey: hexToBytes(headerObj.dhPublicKey),\n previousChainLength: headerObj.previousChainLength,\n messageNumber: headerObj.messageNumber,\n },\n headerSignature: hexToBytes(transport.header_signature),\n ciphertext: hexToBytes(transport.ciphertext),\n nonce: hexToBytes(transport.nonce),\n };\n}\n", "/**\n * OTLP-compatible telemetry span types and builder functions.\n *\n * Uses ai.agent.* semantic conventions matching the backend at\n * packages/backend/app/services/telemetry_service.py.\n */\n\n// -- Types --------------------------------------------------------------------\n\nexport interface SpanEvent {\n name: string;\n timestamp: number;\n attributes?: Record<string, string | number | boolean>;\n}\n\nexport interface SpanStatus {\n code: number; // 0 = OK, 1 = UNSET, 2 = ERROR\n message?: string;\n}\n\nexport interface TelemetrySpan {\n traceId: string; // 32-char hex\n spanId: string; // 16-char hex\n parentSpanId?: string;\n name: string;\n kind: \"internal\" | \"client\" | \"server\" | \"producer\" | \"consumer\";\n startTime: number; // unix epoch milliseconds\n endTime: number;\n attributes: Record<string, string | number | boolean>;\n status?: SpanStatus;\n events?: SpanEvent[];\n}\n\n// -- ID generation ------------------------------------------------------------\n\nfunction randomHex(byteCount: number): string {\n const bytes = new Uint8Array(byteCount);\n crypto.getRandomValues(bytes);\n let hex = \"\";\n for (let i = 0; i < bytes.length; i++) {\n hex += bytes[i].toString(16).padStart(2, \"0\");\n }\n return hex;\n}\n\nfunction generateTraceId(): string {\n return randomHex(16); // 16 bytes = 32 hex chars\n}\n\nfunction generateSpanId(): string {\n return randomHex(8); // 8 bytes = 16 hex chars\n}\n\n// -- Common options -----------------------------------------------------------\n\ninterface BaseSpanOpts {\n traceId?: string;\n spanId?: string;\n parentSpanId?: string;\n skillName?: string; // maps to ai.agent.skill.name\n}\n\nfunction applySkillName(\n attributes: Record<string, string | number | boolean>,\n skillName?: string,\n): void {\n if (skillName) {\n attributes[\"ai.agent.skill.name\"] = skillName;\n }\n}\n\n// -- buildLlmSpan -------------------------------------------------------------\n\nexport interface BuildLlmSpanOpts extends BaseSpanOpts {\n model: string;\n latencyMs: number;\n tokensInput: number;\n tokensOutput: number;\n provider?: string;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildLlmSpan(opts: BuildLlmSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n // Legacy (keep for backward compat)\n \"ai.agent.llm.model\": opts.model,\n \"ai.agent.llm.latency_ms\": opts.latencyMs,\n \"ai.agent.llm.tokens_input\": opts.tokensInput,\n \"ai.agent.llm.tokens_output\": opts.tokensOutput,\n // OTel gen_ai standard\n \"gen_ai.request.model\": opts.model,\n \"gen_ai.usage.input_tokens\": opts.tokensInput,\n \"gen_ai.usage.output_tokens\": opts.tokensOutput,\n \"gen_ai.operation.name\": \"chat\",\n };\n if (opts.provider !== undefined) {\n attributes[\"ai.agent.llm.provider\"] = opts.provider;\n attributes[\"gen_ai.system\"] = opts.provider;\n }\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"llm.inference\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildToolSpan ------------------------------------------------------------\n\nexport interface BuildToolSpanOpts extends BaseSpanOpts {\n toolName: string;\n latencyMs: number;\n success: boolean;\n errorMessage?: string;\n}\n\nexport function buildToolSpan(opts: BuildToolSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.tool.name\": opts.toolName,\n \"ai.agent.tool.latency_ms\": opts.latencyMs,\n \"ai.agent.tool.success\": opts.success,\n // OTel gen_ai standard\n \"gen_ai.tool.name\": opts.toolName,\n };\n applySkillName(attributes, opts.skillName);\n\n const status: SpanStatus = opts.success\n ? { code: 0 }\n : { code: 2, ...(opts.errorMessage ? { message: opts.errorMessage } : {}) };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"tool.execute\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildErrorSpan -----------------------------------------------------------\n\nexport interface BuildErrorSpanOpts extends BaseSpanOpts {\n errorType: string;\n errorMessage: string;\n spanKind?: TelemetrySpan[\"kind\"];\n}\n\nexport function buildErrorSpan(opts: BuildErrorSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.error.type\": opts.errorType,\n \"ai.agent.error.message\": opts.errorMessage,\n // OTel standard\n \"error.type\": opts.errorType,\n };\n applySkillName(attributes, opts.skillName);\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"error\",\n kind: opts.spanKind ?? \"internal\",\n startTime: now,\n endTime: now,\n attributes,\n status: { code: 2, message: opts.errorMessage },\n };\n}\n\n// -- buildHttpSpan ------------------------------------------------------------\n\nexport interface BuildHttpSpanOpts extends BaseSpanOpts {\n method: string;\n url: string;\n statusCode: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildHttpSpan(opts: BuildHttpSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.http.method\": opts.method,\n \"ai.agent.http.url\": opts.url,\n \"ai.agent.http.status_code\": opts.statusCode,\n \"ai.agent.http.latency_ms\": opts.latencyMs,\n // OTel HTTP standard\n \"http.request.method\": opts.method,\n \"url.full\": opts.url,\n \"http.response.status_code\": opts.statusCode,\n };\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\" || opts.statusCode >= 400;\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"http.request\",\n kind: \"client\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildActionSpan ----------------------------------------------------------\n\nexport interface BuildActionSpanOpts extends BaseSpanOpts {\n actionType: string;\n target: string;\n latencyMs: number;\n success: boolean;\n statusMessage?: string;\n}\n\nexport function buildActionSpan(opts: BuildActionSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.action.type\": opts.actionType,\n \"ai.agent.action.target\": opts.target,\n \"ai.agent.action.latency_ms\": opts.latencyMs,\n \"ai.agent.action.success\": opts.success,\n };\n applySkillName(attributes, opts.skillName);\n\n const status: SpanStatus = opts.success\n ? { code: 0 }\n : { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"action.execute\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildNavSpan -------------------------------------------------------------\n\nexport interface BuildNavSpanOpts extends BaseSpanOpts {\n toUrl: string;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildNavSpan(opts: BuildNavSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.nav.to_url\": opts.toUrl,\n \"ai.agent.nav.latency_ms\": opts.latencyMs,\n };\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"nav.navigate\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildTaskSpan ------------------------------------------------------------\n\nexport interface BuildTaskSpanOpts extends BaseSpanOpts {\n taskId: string;\n taskName: string;\n taskType?: string;\n status: \"pending\" | \"running\" | \"completed\" | \"failed\";\n latencyMs: number;\n stepsCount?: number;\n tokensUsed?: number;\n statusMessage?: string;\n}\n\nexport function buildTaskSpan(opts: BuildTaskSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.task.id\": opts.taskId,\n \"ai.agent.task.name\": opts.taskName,\n \"ai.agent.task.status\": opts.status,\n \"gen_ai.operation.name\": \"task\",\n };\n if (opts.taskType !== undefined) attributes[\"ai.agent.task.type\"] = opts.taskType;\n if (opts.stepsCount !== undefined) attributes[\"ai.agent.task.steps_count\"] = opts.stepsCount;\n if (opts.tokensUsed !== undefined) attributes[\"ai.agent.task.tokens_used\"] = opts.tokensUsed;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"failed\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"task.execute\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildSkillInvocationSpan -------------------------------------------------\n\nexport interface BuildSkillInvocationSpanOpts extends BaseSpanOpts {\n invocationId: string; // unique invocation ID\n phase: \"start\" | \"processing\" | \"completion\";\n version?: string; // skill version semver\n inputTokens?: number;\n outputTokens?: number;\n costCents?: number;\n toolsUsed?: string[]; // tool names used during invocation\n schemaMatch?: boolean; // whether output matched declared schema\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildSkillInvocationSpan(opts: BuildSkillInvocationSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.skill.invocation.id\": opts.invocationId,\n \"ai.agent.skill.phase\": opts.phase,\n };\n if (opts.skillName) attributes[\"ai.agent.skill.name\"] = opts.skillName;\n if (opts.version !== undefined) attributes[\"ai.agent.skill.version\"] = opts.version;\n if (opts.inputTokens !== undefined) attributes[\"ai.agent.skill.input_tokens\"] = opts.inputTokens;\n if (opts.outputTokens !== undefined) attributes[\"ai.agent.skill.output_tokens\"] = opts.outputTokens;\n if (opts.costCents !== undefined) attributes[\"ai.agent.skill.cost_cents\"] = opts.costCents;\n if (opts.toolsUsed !== undefined) attributes[\"ai.agent.skill.tools_used\"] = opts.toolsUsed.join(\",\");\n if (opts.schemaMatch !== undefined) attributes[\"ai.agent.skill.schema_match\"] = opts.schemaMatch;\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"skill.invoke\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildEvalSpan ------------------------------------------------------------\n\nexport interface BuildEvalSpanOpts extends BaseSpanOpts {\n evaluationName: string; // e.g., \"tool_selection\", \"response_relevance\"\n scoreValue: number; // 0.0 - 1.0\n scoreLabel?: string; // e.g., \"accuracy\", \"pass/fail\"\n explanation?: string; // optional reasoning\n targetSpanId?: string; // span being evaluated\n}\n\nexport function buildEvalSpan(opts: BuildEvalSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"gen_ai.evaluation.name\": opts.evaluationName,\n \"gen_ai.evaluation.score.value\": opts.scoreValue,\n };\n if (opts.scoreLabel) attributes[\"gen_ai.evaluation.score.label\"] = opts.scoreLabel;\n if (opts.explanation) attributes[\"gen_ai.evaluation.explanation\"] = opts.explanation;\n if (opts.targetSpanId) attributes[\"gen_ai.evaluation.target_span_id\"] = opts.targetSpanId;\n applySkillName(attributes, opts.skillName);\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"gen_ai.evaluation\",\n kind: \"internal\",\n startTime: now,\n endTime: now,\n attributes,\n status: { code: 0 },\n };\n}\n\n// -- buildForgeSpan -----------------------------------------------------------\n\nexport interface BuildForgeSpanOpts extends BaseSpanOpts {\n forgeSessionId: string;\n phase: \"create\" | \"save_stage\" | \"brainstorm\" | \"build\" | \"publish\" | \"abandon\";\n stageNumber?: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n artifactCount?: number;\n scanStatus?: string;\n}\n\nexport function buildForgeSpan(opts: BuildForgeSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"ai.agent.forge.session_id\": opts.forgeSessionId,\n \"ai.agent.forge.phase\": opts.phase,\n };\n if (opts.stageNumber !== undefined) attributes[\"ai.agent.forge.stage_number\"] = opts.stageNumber;\n if (opts.artifactCount !== undefined) attributes[\"ai.agent.forge.artifact_count\"] = opts.artifactCount;\n if (opts.scanStatus !== undefined) attributes[\"ai.agent.forge.scan_status\"] = opts.scanStatus;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: `forge.${opts.phase}`,\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildPolicyViolationSpan (av.policy.evaluate) ----------------------------\n\nexport interface BuildPolicyViolationSpanOpts extends BaseSpanOpts {\n ruleId: string;\n policyScope: string; // \"tool\" | \"model\" | \"rate\" | \"network\" | \"custom\"\n actionTaken: string; // \"block\" | \"warn\" | \"log\"\n violationType: string; // e.g. \"forbidden_tool\", \"model_not_allowed\"\n targetTool?: string;\n targetModel?: string;\n messageType?: string;\n}\n\nexport function buildPolicyViolationSpan(opts: BuildPolicyViolationSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.policy.rule_id\": opts.ruleId,\n \"av.policy.scope\": opts.policyScope,\n \"av.policy.action_taken\": opts.actionTaken,\n \"av.policy.violation_type\": opts.violationType,\n };\n if (opts.targetTool) attributes[\"av.policy.target_tool\"] = opts.targetTool;\n if (opts.targetModel) attributes[\"av.policy.target_model\"] = opts.targetModel;\n if (opts.messageType) attributes[\"av.policy.message_type\"] = opts.messageType;\n applySkillName(attributes, opts.skillName);\n\n const isBlock = opts.actionTaken === \"block\";\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.policy.evaluate\",\n kind: \"internal\",\n startTime: now,\n endTime: now,\n attributes,\n status: isBlock ? { code: 2, message: `Policy violation: ${opts.violationType}` } : { code: 0 },\n };\n}\n\n// -- buildDecisionSpan (av.decision) ------------------------------------------\n\nexport interface BuildDecisionSpanOpts extends BaseSpanOpts {\n decisionId: string;\n phase: \"request\" | \"response\" | \"timeout\" | \"cancel\" | \"dismiss\";\n priority?: \"low\" | \"normal\" | \"high\" | \"urgent\";\n category?: string;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildDecisionSpan(opts: BuildDecisionSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.decision.id\": opts.decisionId,\n \"av.decision.phase\": opts.phase,\n };\n if (opts.priority) attributes[\"av.decision.priority\"] = opts.priority;\n if (opts.category) attributes[\"av.decision.category\"] = opts.category;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.decision\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildResyncSpan (av.resync) ----------------------------------------------\n\nexport interface BuildResyncSpanOpts extends BaseSpanOpts {\n conversationId: string;\n phase: \"request\" | \"ack\" | \"complete\" | \"fail\";\n reason?: string; // \"ratchet_mismatch\" | \"key_loss\" | \"manual\"\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildResyncSpan(opts: BuildResyncSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.resync.conversation_id\": opts.conversationId,\n \"av.resync.phase\": opts.phase,\n };\n if (opts.reason) attributes[\"av.resync.reason\"] = opts.reason;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.resync\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildA2aSpan (av.a2a) ----------------------------------------------------\n\nexport interface BuildA2aSpanOpts extends BaseSpanOpts {\n channelId: string;\n operation: \"request\" | \"approve\" | \"activate\" | \"message\" | \"close\";\n peerHubAddress?: string;\n role?: \"initiator\" | \"responder\";\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildA2aSpan(opts: BuildA2aSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.a2a.channel_id\": opts.channelId,\n \"av.a2a.operation\": opts.operation,\n };\n if (opts.peerHubAddress) attributes[\"av.a2a.peer_hub_address\"] = opts.peerHubAddress;\n if (opts.role) attributes[\"av.a2a.role\"] = opts.role;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.a2a\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildScanSpan (av.scan) --------------------------------------------------\n\nexport interface BuildScanSpanOpts extends BaseSpanOpts {\n scanTarget: string; // file path or content identifier\n scanType: \"policy\" | \"content\" | \"workspace\" | \"skill\";\n violationCount: number;\n ruleCount: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildScanSpan(opts: BuildScanSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.scan.target\": opts.scanTarget,\n \"av.scan.type\": opts.scanType,\n \"av.scan.violation_count\": opts.violationCount,\n \"av.scan.rule_count\": opts.ruleCount,\n };\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\" || opts.violationCount > 0;\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.scan\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildWorkspaceSpan (av.workspace) ----------------------------------------\n\nexport interface BuildWorkspaceSpanOpts extends BaseSpanOpts {\n workspaceId: string;\n operation: \"upload\" | \"download\" | \"delete\" | \"list\" | \"scan\";\n fileName?: string;\n fileSizeBytes?: number;\n encrypted?: boolean;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildWorkspaceSpan(opts: BuildWorkspaceSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.workspace.id\": opts.workspaceId,\n \"av.workspace.operation\": opts.operation,\n };\n if (opts.fileName) attributes[\"av.workspace.file_name\"] = opts.fileName;\n if (opts.fileSizeBytes !== undefined) attributes[\"av.workspace.file_size_bytes\"] = opts.fileSizeBytes;\n if (opts.encrypted !== undefined) attributes[\"av.workspace.encrypted\"] = opts.encrypted;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.workspace\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildCapabilitySpan (av.skill.invoke) ------------------------------------\n\nexport interface BuildCapabilitySpanOpts extends BaseSpanOpts {\n operation: \"register\" | \"invoke\" | \"unregister\" | \"publish\";\n version?: string;\n certificationTier?: string;\n toolsUsed?: string[];\n latencyMs: number;\n success: boolean;\n statusMessage?: string;\n}\n\nexport function buildCapabilitySpan(opts: BuildCapabilitySpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.skill.operation\": opts.operation,\n \"av.skill.success\": opts.success,\n };\n if (opts.skillName) attributes[\"av.skill.name\"] = opts.skillName;\n if (opts.version) attributes[\"av.skill.version\"] = opts.version;\n if (opts.certificationTier) attributes[\"av.skill.certification_tier\"] = opts.certificationTier;\n if (opts.toolsUsed?.length) attributes[\"av.skill.tools_used\"] = opts.toolsUsed.join(\",\");\n\n const status: SpanStatus = opts.success\n ? { code: 0 }\n : { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.skill.invoke\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildEnrollmentSpan (av.enrollment) --------------------------------------\n\nexport interface BuildEnrollmentSpanOpts extends BaseSpanOpts {\n deviceId?: string;\n phase: \"start\" | \"key_exchange\" | \"activate\" | \"complete\" | \"fail\";\n enrollmentType?: \"initial\" | \"re-enrollment\" | \"multi-device\";\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildEnrollmentSpan(opts: BuildEnrollmentSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.enrollment.phase\": opts.phase,\n };\n if (opts.deviceId) attributes[\"av.enrollment.device_id\"] = opts.deviceId;\n if (opts.enrollmentType) attributes[\"av.enrollment.type\"] = opts.enrollmentType;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\" || opts.phase === \"fail\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.enrollment\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildRoomSpan (av.room) --------------------------------------------------\n\nexport interface BuildRoomSpanOpts extends BaseSpanOpts {\n roomId: string;\n operation: \"create\" | \"join\" | \"leave\" | \"rekey\" | \"message\" | \"invite\";\n roomName?: string;\n memberCount?: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildRoomSpan(opts: BuildRoomSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.room.id\": opts.roomId,\n \"av.room.operation\": opts.operation,\n };\n if (opts.roomName) attributes[\"av.room.name\"] = opts.roomName;\n if (opts.memberCount !== undefined) attributes[\"av.room.member_count\"] = opts.memberCount;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.room\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- buildTrustSpan (av.trust) ------------------------------------------------\n\nexport interface BuildTrustSpanOpts extends BaseSpanOpts {\n agentHubAddress: string;\n operation: \"score_update\" | \"tier_change\" | \"dimension_update\" | \"report_generate\";\n previousTier?: string;\n newTier?: string;\n overallScore?: number;\n dimension?: string;\n dimensionScore?: number;\n latencyMs: number;\n status?: \"ok\" | \"error\";\n statusMessage?: string;\n}\n\nexport function buildTrustSpan(opts: BuildTrustSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.trust.agent_hub_address\": opts.agentHubAddress,\n \"av.trust.operation\": opts.operation,\n };\n if (opts.previousTier) attributes[\"av.trust.previous_tier\"] = opts.previousTier;\n if (opts.newTier) attributes[\"av.trust.new_tier\"] = opts.newTier;\n if (opts.overallScore !== undefined) attributes[\"av.trust.overall_score\"] = opts.overallScore;\n if (opts.dimension) attributes[\"av.trust.dimension\"] = opts.dimension;\n if (opts.dimensionScore !== undefined) attributes[\"av.trust.dimension_score\"] = opts.dimensionScore;\n applySkillName(attributes, opts.skillName);\n\n const isError = opts.status === \"error\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.trust\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- Eval Run Span (#21) ------------------------------------------------------\n\nexport interface BuildEvalRunSpanOpts {\n scenarioId: string;\n scenarioName?: string;\n variationType?: string;\n agentId: string;\n status: \"pending\" | \"running\" | \"completed\" | \"failed\";\n shiftMagnitude?: number;\n outcomeMatch?: boolean;\n flagged?: boolean;\n flagReason?: string;\n latencyMs: number;\n traceId?: string;\n spanId?: string;\n parentSpanId?: string;\n statusMessage?: string;\n}\n\n/**\n * Build an av.eval.run span for factorial evaluation execution telemetry.\n *\n * Tracks scenario-based evaluation runs, including shift measurement\n * (how much output changed under variation) and outcome matching.\n */\nexport function buildEvalRunSpan(opts: BuildEvalRunSpanOpts): TelemetrySpan {\n const now = Date.now();\n const attributes: Record<string, string | number | boolean> = {\n \"av.eval.scenario_id\": opts.scenarioId,\n \"av.eval.agent_id\": opts.agentId,\n \"av.eval.status\": opts.status,\n \"av.eval.latency_ms\": opts.latencyMs,\n };\n\n if (opts.scenarioName) attributes[\"av.eval.scenario_name\"] = opts.scenarioName;\n if (opts.variationType) attributes[\"av.eval.variation_type\"] = opts.variationType;\n if (opts.shiftMagnitude !== undefined)\n attributes[\"av.eval.shift_magnitude\"] = opts.shiftMagnitude;\n if (opts.outcomeMatch !== undefined)\n attributes[\"av.eval.outcome_match\"] = opts.outcomeMatch;\n if (opts.flagged !== undefined) attributes[\"av.eval.flagged\"] = opts.flagged;\n if (opts.flagReason) attributes[\"av.eval.flag_reason\"] = opts.flagReason;\n\n const isError = opts.status === \"failed\";\n const status: SpanStatus = isError\n ? { code: 2, ...(opts.statusMessage ? { message: opts.statusMessage } : {}) }\n : { code: 0 };\n\n return {\n traceId: opts.traceId ?? generateTraceId(),\n spanId: opts.spanId ?? generateSpanId(),\n parentSpanId: opts.parentSpanId,\n name: \"av.eval.run\",\n kind: \"internal\",\n startTime: now - opts.latencyMs,\n endTime: now,\n attributes,\n status,\n };\n}\n\n// -- InstrumentationContext ---------------------------------------------------\n\nexport interface InstrumentationContext {\n reportLlm: (opts: Omit<BuildLlmSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportTool: (opts: Omit<BuildToolSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportError: (opts: Omit<BuildErrorSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportHttp: (opts: Omit<BuildHttpSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportAction: (opts: Omit<BuildActionSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportNav: (opts: Omit<BuildNavSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportEval: (opts: Omit<BuildEvalSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportTask: (opts: Omit<BuildTaskSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n reportSkillInvocation: (opts: Omit<BuildSkillInvocationSpanOpts, \"traceId\" | \"parentSpanId\">) => void;\n skillName?: string; // propagated to all spans from this context\n traceId: string;\n parentSpanId: string;\n}\n\n// -- W3C TraceContext ---------------------------------------------------------\n\n/**\n * W3C Trace Context headers for cross-agent/cross-sandbox trace correlation.\n *\n * @see https://www.w3.org/TR/trace-context/\n */\nexport interface TraceContext {\n /** W3C traceparent header: version-traceId-parentId-traceFlags */\n traceparent: string;\n /** W3C tracestate header (optional vendor-specific data) */\n tracestate?: string;\n}\n\n/**\n * Build a W3C traceparent header from a span.\n *\n * Format: `{version}-{trace-id}-{parent-id}-{trace-flags}`\n * - version: `00` (current spec)\n * - trace-id: 32 hex chars\n * - parent-id: 16 hex chars (the span's own spanId becomes parent for children)\n * - trace-flags: `01` (sampled)\n */\nexport function buildTraceparent(span: TelemetrySpan): string {\n return `00-${span.traceId}-${span.spanId}-01`;\n}\n\n/**\n * Parse a W3C traceparent header into its components.\n *\n * @returns null if the header is malformed\n */\nexport function parseTraceparent(header: string): {\n version: string;\n traceId: string;\n parentId: string;\n traceFlags: string;\n} | null {\n const parts = header.split(\"-\");\n if (parts.length !== 4) return null;\n const [version, traceId, parentId, traceFlags] = parts;\n if (!version || !traceId || !parentId || !traceFlags) return null;\n if (traceId.length !== 32 || parentId.length !== 16) return null;\n return { version, traceId, parentId, traceFlags };\n}\n\n/**\n * Create a TraceContext from a span for propagation across agent boundaries.\n */\nexport function spanToTraceContext(\n span: TelemetrySpan,\n tracestate?: string,\n): TraceContext {\n return {\n traceparent: buildTraceparent(span),\n tracestate: tracestate ?? `av=s:${span.spanId}`,\n };\n}\n\n/**\n * Propagate trace context across agent/sandbox boundaries.\n *\n * Creates a child span context from an incoming traceparent header,\n * preserving the trace ID while creating a new span ID.\n */\nexport function propagateContext(\n incomingTraceparent: string,\n): { traceId: string; parentSpanId: string; spanId: string } | null {\n const parsed = parseTraceparent(incomingTraceparent);\n if (!parsed) return null;\n\n return {\n traceId: parsed.traceId,\n parentSpanId: parsed.parentId,\n spanId: generateSpanId(),\n };\n}\n\n/**\n * Generate W3C Trace Context HTTP headers from a span for attachment\n * to outbound requests at transport boundaries (e.g., agent-to-agent,\n * cross-sandbox, OTLP export).\n *\n * @returns Record suitable for spreading into a fetch headers object\n */\nexport function spanToW3CHeaders(\n span: TelemetrySpan,\n tracestate?: string,\n): Record<string, string> {\n return {\n traceparent: buildTraceparent(span),\n tracestate: tracestate ?? `av=s:${span.spanId}`,\n };\n}\n", "/**\n * TelemetryReporter \u2014 accumulates telemetry spans and flushes them\n * to the AgentVault backend via HTTP POST.\n *\n * Telemetry is best-effort: flush() never throws. On network or HTTP errors\n * the spans stay in the buffer for retry on the next flush cycle.\n *\n * Usage:\n * const reporter = new TelemetryReporter({\n * apiBase: \"https://api.agentvault.chat\",\n * hubId: \"...\",\n * authHeader: \"Bearer <jwt>\",\n * });\n * reporter.reportLlmCall({ model: \"gpt-4o\", latencyMs: 1200, tokensInput: 500, tokensOutput: 150 });\n * reporter.startAutoFlush(); // every 30 s\n */\n\nimport {\n buildLlmSpan,\n buildToolSpan,\n buildErrorSpan,\n buildHttpSpan,\n buildActionSpan,\n buildNavSpan,\n buildEvalSpan,\n buildTaskSpan,\n buildTraceparent,\n type TelemetrySpan,\n type BuildLlmSpanOpts,\n type BuildToolSpanOpts,\n type BuildErrorSpanOpts,\n type BuildHttpSpanOpts,\n type BuildActionSpanOpts,\n type BuildNavSpanOpts,\n type BuildEvalSpanOpts,\n type BuildTaskSpanOpts,\n} from \"./telemetry.js\";\n\n// -- Config -------------------------------------------------------------------\n\nexport interface TelemetryReporterConfig {\n /** Backend base URL, e.g. \"https://api.agentvault.chat\" */\n apiBase: string;\n /** Agent's hub identity ID */\n hubId: string;\n /** Authorization header value, e.g. \"Bearer <jwt>\" or API key */\n authHeader: string;\n /** Injectable fetch for testing (defaults to globalThis.fetch) */\n fetchImpl?: typeof fetch;\n /** Agent display name (resource attribute) */\n agentName?: string;\n /** Agent version (resource attribute) */\n agentVersion?: string;\n}\n\n// -- OTLP serialization helpers -----------------------------------------------\n\ninterface OtlpAttribute {\n key: string;\n value:\n | { stringValue: string }\n | { intValue: number }\n | { doubleValue: number }\n | { boolValue: boolean };\n}\n\n/**\n * Convert a flat attribute record to OTLP KV format.\n *\n * - string -> { stringValue }\n * - boolean -> { boolValue }\n * - integer -> { intValue }\n * - float -> { doubleValue }\n */\nfunction toOtlpAttributes(\n attrs: Record<string, string | number | boolean>,\n): OtlpAttribute[] {\n return Object.entries(attrs).map(([key, val]) => {\n if (typeof val === \"string\") {\n return { key, value: { stringValue: val } };\n }\n if (typeof val === \"boolean\") {\n return { key, value: { boolValue: val } };\n }\n // number: integer vs float\n if (Number.isInteger(val)) {\n return { key, value: { intValue: val as number } };\n }\n return { key, value: { doubleValue: val as number } };\n });\n}\n\n/**\n * Convert a TelemetrySpan to the OTLP wire format expected by the\n * backend ingest endpoint.\n *\n * Includes W3C TraceContext attributes (`w3c.traceparent`, `w3c.tracestate`)\n * for cross-agent/cross-sandbox trace correlation per the W3C Trace Context spec.\n */\nfunction spanToOtlp(span: TelemetrySpan): Record<string, unknown> {\n // Inject W3C TraceContext as span attributes for cross-agent correlation\n const enrichedAttrs = { ...span.attributes };\n enrichedAttrs[\"w3c.traceparent\"] = buildTraceparent(span);\n enrichedAttrs[\"w3c.tracestate\"] = `av=s:${span.spanId}`;\n\n const otlp: Record<string, unknown> = {\n traceId: span.traceId,\n spanId: span.spanId,\n name: span.name,\n kind: span.kind,\n startTimeUnixNano: String(span.startTime * 1_000_000),\n endTimeUnixNano: String(span.endTime * 1_000_000),\n attributes: toOtlpAttributes(enrichedAttrs),\n };\n\n if (span.parentSpanId !== undefined) {\n otlp.parentSpanId = span.parentSpanId;\n }\n\n if (span.status) {\n otlp.status = span.status;\n }\n\n if (span.events && span.events.length > 0) {\n otlp.events = span.events;\n }\n\n return otlp;\n}\n\n// -- TelemetryReporter --------------------------------------------------------\n\nexport class TelemetryReporter {\n private readonly _apiBase: string;\n private readonly _hubId: string;\n private readonly _authHeader: string;\n private readonly _fetch: typeof fetch;\n private readonly _agentName: string;\n private readonly _agentVersion: string;\n private _buffer: TelemetrySpan[] = [];\n private _timer: ReturnType<typeof setInterval> | null = null;\n\n constructor(config: TelemetryReporterConfig) {\n this._apiBase = config.apiBase.replace(/\\/+$/, \"\"); // strip trailing slash\n this._hubId = config.hubId;\n this._authHeader = config.authHeader;\n this._fetch = config.fetchImpl ?? globalThis.fetch;\n this._agentName = config.agentName ?? \"unknown\";\n this._agentVersion = config.agentVersion ?? \"0.0.0\";\n }\n\n /** Number of spans waiting to be flushed. */\n get pendingCount(): number {\n return this._buffer.length;\n }\n\n // -- Report methods ---------------------------------------------------------\n\n /** Record an LLM inference call. */\n reportLlmCall(opts: BuildLlmSpanOpts): void {\n this._buffer.push(buildLlmSpan(opts));\n }\n\n /** Record a tool/function invocation. */\n reportToolCall(opts: BuildToolSpanOpts): void {\n this._buffer.push(buildToolSpan(opts));\n }\n\n /** Record an error event. */\n reportError(opts: BuildErrorSpanOpts): void {\n this._buffer.push(buildErrorSpan(opts));\n }\n\n /** Record an HTTP request call. */\n reportHttpCall(opts: BuildHttpSpanOpts): void {\n this._buffer.push(buildHttpSpan(opts));\n }\n\n /** Record an action execution. */\n reportActionCall(opts: BuildActionSpanOpts): void {\n this._buffer.push(buildActionSpan(opts));\n }\n\n /** Record a navigation event. */\n reportNavCall(opts: BuildNavSpanOpts): void {\n this._buffer.push(buildNavSpan(opts));\n }\n\n /** Record an evaluation event. */\n reportEvaluation(opts: BuildEvalSpanOpts): void {\n this._buffer.push(buildEvalSpan(opts));\n }\n\n /** Record a task lifecycle event. */\n reportTaskCall(opts: BuildTaskSpanOpts): void {\n this._buffer.push(buildTaskSpan(opts));\n }\n\n /** Record an arbitrary pre-built span. */\n reportCustomSpan(span: TelemetrySpan): void {\n this._buffer.push(span);\n }\n\n // -- Flush ------------------------------------------------------------------\n\n /**\n * POST all buffered spans to the backend ingest endpoint.\n *\n * - On success (HTTP 2xx): clears the buffer.\n * - On failure: keeps spans in the buffer for retry.\n * - Never throws \u2014 telemetry is best-effort.\n */\n async flush(): Promise<void> {\n if (this._buffer.length === 0) {\n return;\n }\n\n // Snapshot the current buffer \u2014 if new spans arrive during the POST\n // they will go into a fresh array.\n const spans = this._buffer;\n this._buffer = [];\n\n try {\n const response = await this._fetch(\n `${this._apiBase}/api/v1/telemetry/ingest`,\n {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: this._authHeader,\n },\n body: JSON.stringify({\n hub_id: this._hubId,\n resource: {\n \"gen_ai.agent.name\": this._agentName,\n \"gen_ai.agent.id\": this._hubId,\n \"gen_ai.agent.version\": this._agentVersion,\n \"service.name\": \"agentvault-agent\",\n },\n spans: spans.map(spanToOtlp),\n }),\n },\n );\n\n if (!response.ok) {\n // HTTP error \u2014 put spans back for retry\n this._buffer = spans.concat(this._buffer);\n }\n } catch {\n // Network error \u2014 put spans back for retry\n this._buffer = spans.concat(this._buffer);\n }\n }\n\n // -- Auto-flush -------------------------------------------------------------\n\n /**\n * Start a periodic flush timer.\n * @param intervalMs Flush interval in milliseconds (default 30 000).\n */\n startAutoFlush(intervalMs = 30_000): void {\n this.stopAutoFlush();\n this._timer = setInterval(() => {\n void this.flush();\n }, intervalMs);\n }\n\n /** Stop the periodic flush timer. Safe to call when not started. */\n stopAutoFlush(): void {\n if (this._timer !== null) {\n clearInterval(this._timer);\n this._timer = null;\n }\n }\n}\n", "/**\n * Encrypted key backup \u2014 Threema Safe-style.\n *\n * Backup code: 20 Crockford Base32 chars (100 bits entropy)\n * KDF: Argon2id (INTERACTIVE: 2 ops, 64 MB)\n * Encryption: XChaCha20-Poly1305\n * Wire format: salt(16) || nonce(24) || ciphertext+tag\n */\n\nimport sodium from \"libsodium-wrappers-sumo\";\n\n// Crockford Base32 alphabet \u2014 no I, L, O, U\nconst CROCKFORD = \"0123456789ABCDEFGHJKMNPQRSTVWXYZ\";\n\n// Argon2id parameters (INTERACTIVE)\nconst ARGON2_OPSLIMIT = 2;\nconst ARGON2_MEMLIMIT = 67_108_864; // 64 MB\n\nconst SALT_BYTES = 16;\nconst NONCE_BYTES = 24; // XChaCha20-Poly1305\nconst KEY_BYTES = 32;\nconst BACKUP_VERSION = 1;\nconst MAX_BACKUP_SIZE = 512 * 1024; // 512 KB\n\n// \u2500\u2500 Types \u2500\u2500\n\nexport interface BackupBundle {\n version: 1;\n createdAt: string;\n deviceId: string;\n identityKeypair: { publicKey: string; privateKey: string };\n ephemeralKeypair: { publicKey: string; privateKey: string };\n fingerprint: string;\n ratchets: Record<string, string>;\n rooms?: Record<string, {\n roomId: string;\n name: string;\n conversationIds: string[];\n encryptionMode?: string;\n ownSenderKeyChain?: string;\n peerSenderKeyState?: string;\n distributedTo?: string[];\n }>;\n sessions?: Record<string, {\n ownerDeviceId: string;\n ratchetState: string;\n activated?: boolean;\n }>;\n a2aChannels?: Record<string, unknown>;\n topics?: Array<{ id: string; name: string; isDefault: boolean }>;\n defaultTopicId?: string;\n groupId?: string;\n hubAddress?: string;\n}\n\n// \u2500\u2500 Backup Code Generation \u2500\u2500\n\n/**\n * Generate a 20-character Crockford Base32 backup code (100 bits entropy).\n */\nexport async function generateBackupCode(): Promise<string> {\n await sodium.ready;\n // 13 random bytes = 104 bits; we use 100 bits (20 \u00D7 5-bit chars)\n const bytes = sodium.randombytes_buf(13);\n // Convert to a big number via bit manipulation\n let bits = 0n;\n for (const b of bytes) {\n bits = (bits << 8n) | BigInt(b);\n }\n // Shift right to get exactly 100 bits\n bits >>= 4n;\n\n let code = \"\";\n for (let i = 0; i < 20; i++) {\n const idx = Number(bits & 0x1fn);\n code = CROCKFORD[idx] + code;\n bits >>= 5n;\n }\n return code;\n}\n\n/**\n * Format a backup code with dashes: XXXX-XXXX-XXXX-XXXX-XXXX\n */\nexport function formatBackupCode(code: string): string {\n const clean = code.replace(/[-\\s]/g, \"\").toUpperCase();\n return clean.match(/.{1,4}/g)?.join(\"-\") ?? clean;\n}\n\n/**\n * Normalize user input: strip dashes/spaces, uppercase.\n */\nexport function normalizeBackupCode(input: string): string {\n return input.replace(/[-\\s]/g, \"\").toUpperCase();\n}\n\n// \u2500\u2500 Argon2id KDF \u2500\u2500\n\n/**\n * Derive a 32-byte key from a backup code + salt using Argon2id.\n */\nexport async function deriveBackupKey(\n code: string,\n salt: Uint8Array,\n): Promise<Uint8Array> {\n await sodium.ready;\n return sodium.crypto_pwhash(\n KEY_BYTES,\n code,\n salt,\n ARGON2_OPSLIMIT,\n ARGON2_MEMLIMIT,\n sodium.crypto_pwhash_ALG_ARGON2ID13,\n );\n}\n\n// \u2500\u2500 Encrypt / Decrypt \u2500\u2500\n\n/**\n * Encrypt a BackupBundle with a backup code.\n * Output: salt(16) || nonce(24) || ciphertext+tag\n */\nexport async function encryptBackup(\n bundle: BackupBundle,\n code: string,\n): Promise<Uint8Array> {\n await sodium.ready;\n const salt = sodium.randombytes_buf(SALT_BYTES);\n const key = await deriveBackupKey(code, salt);\n return encryptBackupWithKey(bundle, key, salt);\n}\n\n/**\n * Encrypt a BackupBundle with a pre-derived key + salt.\n * Used by auto-backup to avoid re-running Argon2id.\n * Output: salt(16) || nonce(24) || ciphertext+tag\n */\nexport async function encryptBackupWithKey(\n bundle: BackupBundle,\n key: Uint8Array,\n salt: Uint8Array,\n): Promise<Uint8Array> {\n await sodium.ready;\n const plaintext = sodium.from_string(JSON.stringify(bundle));\n const nonce = sodium.randombytes_buf(NONCE_BYTES);\n const ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(\n plaintext,\n null,\n null,\n nonce,\n key,\n );\n\n // Wire format: salt || nonce || ciphertext\n const result = new Uint8Array(SALT_BYTES + NONCE_BYTES + ciphertext.length);\n result.set(salt, 0);\n result.set(nonce, SALT_BYTES);\n result.set(ciphertext, SALT_BYTES + NONCE_BYTES);\n return result;\n}\n\n/**\n * Decrypt an encrypted backup blob with a backup code.\n * Throws on wrong code or corrupt data.\n */\nexport async function decryptBackup(\n encrypted: Uint8Array,\n code: string,\n): Promise<BackupBundle> {\n await sodium.ready;\n const minLen = SALT_BYTES + NONCE_BYTES + sodium.crypto_aead_xchacha20poly1305_ietf_ABYTES;\n if (encrypted.length < minLen) {\n throw new Error(\"Incorrect backup code or corrupt backup\");\n }\n\n const salt = encrypted.slice(0, SALT_BYTES);\n const nonce = encrypted.slice(SALT_BYTES, SALT_BYTES + NONCE_BYTES);\n const ciphertext = encrypted.slice(SALT_BYTES + NONCE_BYTES);\n\n const key = await deriveBackupKey(code, salt);\n\n let plaintext: Uint8Array;\n try {\n plaintext = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(\n null,\n ciphertext,\n null,\n nonce,\n key,\n );\n } catch {\n throw new Error(\"Incorrect backup code or corrupt backup\");\n }\n\n let bundle: BackupBundle;\n try {\n bundle = JSON.parse(sodium.to_string(plaintext));\n } catch {\n throw new Error(\"Incorrect backup code or corrupt backup\");\n }\n\n if (bundle.version !== BACKUP_VERSION) {\n throw new Error(`Unsupported backup version: ${bundle.version}`);\n }\n\n return bundle;\n}\n\n// \u2500\u2500 Code Hash \u2500\u2500\n\n/**\n * BLAKE2b-256 hash of a backup code \u2014 used as \"is configured?\" indicator.\n * NOT the same as Argon2id key derivation (different algo, no salt).\n */\nexport async function hashBackupCode(code: string): Promise<Uint8Array> {\n await sodium.ready;\n return sodium.crypto_generichash(32, sodium.from_string(code));\n}\n", "/**\n * Signed approval artifacts \u2014 Ed25519 signed JSON for human-in-the-loop gates.\n *\n * Used in the approval_request/approval_response message flow to create\n * tamper-evident records of owner approvals for sensitive agent operations.\n *\n * @example\n * ```typescript\n * import { createApprovalArtifact, verifyApprovalArtifact } from \"@agentvault/crypto\";\n *\n * const artifact = await createApprovalArtifact(\n * { approvalId: \"abc123\", approved: true, reason: \"Authorized\" },\n * signingPrivateKey,\n * );\n *\n * const isValid = await verifyApprovalArtifact(artifact, signerPublicKey);\n * ```\n */\nimport _sodium from \"libsodium-wrappers-sumo\";\nimport { canonicalize } from \"./did.js\";\n\n/* -------------------------------------------------------------------------- */\n/* Types */\n/* -------------------------------------------------------------------------- */\n\nexport interface ApprovalArtifact {\n /** The approval content (JCS-canonicalized before signing). */\n content: Record<string, unknown>;\n /** Ed25519 signature over the canonical content (hex). */\n signature: string;\n /** Signer's Ed25519 public key (hex). */\n signerPublicKey: string;\n /** ISO 8601 timestamp of when the artifact was created. */\n createdAt: string;\n /** Version tag for forward compat. */\n version: 1;\n}\n\n/* -------------------------------------------------------------------------- */\n/* Create */\n/* -------------------------------------------------------------------------- */\n\n/**\n * Create a signed approval artifact.\n *\n * @param content \u2014 The approval payload (e.g., { approvalId, approved, reason })\n * @param privateKeyHex \u2014 Ed25519 private key (64-byte seed+pk, hex encoded)\n * @returns Signed artifact with detached Ed25519 signature\n */\nexport async function createApprovalArtifact(\n content: Record<string, unknown>,\n privateKeyHex: string,\n): Promise<ApprovalArtifact> {\n await _sodium.ready;\n const sodium = _sodium;\n\n const privateKey = sodium.from_hex(privateKeyHex);\n const publicKey = privateKey.slice(32); // Ed25519 pk is last 32 bytes of 64-byte keypair\n\n // Canonicalize the content for deterministic signing\n // canonicalize() returns Uint8Array (JCS-encoded bytes)\n const message = canonicalize(content);\n\n // Ed25519 detached signature\n const signatureBytes = sodium.crypto_sign_detached(message, privateKey);\n\n return {\n content,\n signature: sodium.to_hex(signatureBytes),\n signerPublicKey: sodium.to_hex(publicKey),\n createdAt: new Date().toISOString(),\n version: 1,\n };\n}\n\n/* -------------------------------------------------------------------------- */\n/* Verify */\n/* -------------------------------------------------------------------------- */\n\n/**\n * Verify a signed approval artifact.\n *\n * @param artifact \u2014 The approval artifact to verify\n * @param expectedPublicKeyHex \u2014 Optional: verify the signer matches this key\n * @returns true if the signature is valid\n */\nexport async function verifyApprovalArtifact(\n artifact: ApprovalArtifact,\n expectedPublicKeyHex?: string,\n): Promise<boolean> {\n await _sodium.ready;\n const sodium = _sodium;\n\n // Optional: verify signer identity\n if (expectedPublicKeyHex && artifact.signerPublicKey !== expectedPublicKeyHex) {\n return false;\n }\n\n try {\n const publicKey = sodium.from_hex(artifact.signerPublicKey);\n const signature = sodium.from_hex(artifact.signature);\n const message = canonicalize(artifact.content);\n\n return sodium.crypto_sign_verify_detached(signature, message, publicKey);\n } catch {\n return false;\n }\n}\n", null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, "/**\n * The base error class of hpke-js.\n * @group Errors\n */\nexport class HpkeError extends Error {\n constructor(e) {\n let message;\n if (e instanceof Error) {\n message = e.message;\n }\n else if (typeof e === \"string\") {\n message = e;\n }\n else {\n message = \"\";\n }\n super(message);\n this.name = this.constructor.name;\n }\n}\n/**\n * Invalid parameter.\n * @group Errors\n */\nexport class InvalidParamError extends HpkeError {\n}\n/**\n * KEM input or output validation failure.\n * @group Errors\n */\nexport class ValidationError extends HpkeError {\n}\n/**\n * Public or private key serialization failure.\n * @group Errors\n */\nexport class SerializeError extends HpkeError {\n}\n/**\n * Public or private key deserialization failure.\n * @group Errors\n */\nexport class DeserializeError extends HpkeError {\n}\n/**\n * encap() failure.\n * @group Errors\n */\nexport class EncapError extends HpkeError {\n}\n/**\n * decap() failure.\n * @group Errors\n */\nexport class DecapError extends HpkeError {\n}\n/**\n * Secret export failure.\n * @group Errors\n */\nexport class ExportError extends HpkeError {\n}\n/**\n * seal() failure.\n * @group Errors\n */\nexport class SealError extends HpkeError {\n}\n/**\n * open() failure.\n * @group Errors\n */\nexport class OpenError extends HpkeError {\n}\n/**\n * Sequence number overflow on the encryption context.\n * @group Errors\n */\nexport class MessageLimitReachedError extends HpkeError {\n}\n/**\n * Key pair derivation failure.\n * @group Errors\n */\nexport class DeriveKeyPairError extends HpkeError {\n}\n/**\n * Not supported failure.\n * @group Errors\n */\nexport class NotSupportedError extends HpkeError {\n}\n", "const dntGlobals = {};\nexport const dntGlobalThis = createMergeProxy(globalThis, dntGlobals);\nfunction createMergeProxy(baseObj, extObj) {\n return new Proxy(baseObj, {\n get(_target, prop, _receiver) {\n if (prop in extObj) {\n return extObj[prop];\n }\n else {\n return baseObj[prop];\n }\n },\n set(_target, prop, value) {\n if (prop in extObj) {\n delete extObj[prop];\n }\n baseObj[prop] = value;\n return true;\n },\n deleteProperty(_target, prop) {\n let success = false;\n if (prop in extObj) {\n delete extObj[prop];\n success = true;\n }\n if (prop in baseObj) {\n delete baseObj[prop];\n success = true;\n }\n return success;\n },\n ownKeys(_target) {\n const baseKeys = Reflect.ownKeys(baseObj);\n const extKeys = Reflect.ownKeys(extObj);\n const extKeysSet = new Set(extKeys);\n return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys];\n },\n defineProperty(_target, prop, desc) {\n if (prop in extObj) {\n delete extObj[prop];\n }\n Reflect.defineProperty(baseObj, prop, desc);\n return true;\n },\n getOwnPropertyDescriptor(_target, prop) {\n if (prop in extObj) {\n return Reflect.getOwnPropertyDescriptor(extObj, prop);\n }\n else {\n return Reflect.getOwnPropertyDescriptor(baseObj, prop);\n }\n },\n has(_target, prop) {\n return prop in extObj || prop in baseObj;\n },\n });\n}\n", "import * as dntShim from \"../_dnt.shims.js\";\nimport { NotSupportedError } from \"./errors.js\";\nasync function loadSubtleCrypto() {\n if (dntShim.dntGlobalThis !== undefined && globalThis.crypto !== undefined) {\n // Browsers, Node.js >= v19, Cloudflare Workers, Bun, etc.\n return globalThis.crypto.subtle;\n }\n // Node.js <= v18\n try {\n // @ts-ignore: to ignore \"crypto\"\n const { webcrypto } = await import(\"crypto\"); // node:crypto\n return webcrypto.subtle;\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n}\nexport class NativeAlgorithm {\n constructor() {\n Object.defineProperty(this, \"_api\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: undefined\n });\n }\n async _setup() {\n if (this._api !== undefined) {\n return;\n }\n this._api = await loadSubtleCrypto();\n }\n}\n", "/**\n * The supported HPKE modes.\n */\nexport const Mode = {\n Base: 0x00,\n Psk: 0x01,\n Auth: 0x02,\n AuthPsk: 0x03,\n};\n/**\n * The supported Key Encapsulation Mechanism (KEM) identifiers.\n */\nexport const KemId = {\n NotAssigned: 0x0000,\n DhkemP256HkdfSha256: 0x0010,\n DhkemP384HkdfSha384: 0x0011,\n DhkemP521HkdfSha512: 0x0012,\n DhkemSecp256k1HkdfSha256: 0x0013,\n DhkemX25519HkdfSha256: 0x0020,\n DhkemX448HkdfSha512: 0x0021,\n HybridkemX25519Kyber768: 0x0030,\n MlKem512: 0x0040,\n MlKem768: 0x0041,\n MlKem1024: 0x0042,\n XWing: 0x647a,\n};\n/**\n * The supported Key Derivation Function (KDF) identifiers.\n */\nexport const KdfId = {\n HkdfSha256: 0x0001,\n HkdfSha384: 0x0002,\n HkdfSha512: 0x0003,\n Sha3256: 0x0004,\n Sha3384: 0x0005,\n Sha3512: 0x0006,\n Shake128: 0x0010,\n Shake256: 0x0011,\n TurboShake128: 0x0012,\n TurboShake256: 0x0013,\n};\n/**\n * The supported Authenticated Encryption with Associated Data (AEAD) identifiers.\n */\nexport const AeadId = {\n Aes128Gcm: 0x0001,\n Aes256Gcm: 0x0002,\n Chacha20Poly1305: 0x0003,\n ExportOnly: 0xFFFF,\n};\n", "// The input length limit (psk, psk_id, info, exporter_context, ikm).\nexport const INPUT_LENGTH_LIMIT = 8192;\nexport const INFO_LENGTH_LIMIT = 268435456;\n// The minimum length of a PSK.\nexport const MINIMUM_PSK_LENGTH = 32;\n// b\"\"\nexport const EMPTY = /* @__PURE__ */ new Uint8Array(0);\n// Common BigInt constants\nexport const N_0 = 0n;\nexport const N_1 = 1n;\nexport const N_2 = 2n;\nexport const N_7 = 7n;\nexport const N_32 = 32n;\nexport const N_256 = 256n;\nexport const N_0x71 = 0x71n;\nexport const BYTE_TO_BIGINT_256 = /* @__PURE__ */ (() => {\n const out = new Array(256);\n let i = 0;\n let value = 0n;\n while (i < 256) {\n out[i] = value;\n i++;\n value += 1n;\n }\n return out;\n})();\n", "// b\"KEM\"\nexport const SUITE_ID_HEADER_KEM = /* @__PURE__ */ new Uint8Array([\n 75,\n 69,\n 77,\n 0,\n 0,\n]);\n", "import { EMPTY } from \"../consts.js\";\nimport { InvalidParamError } from \"../errors.js\";\nimport { KdfId } from \"../identifiers.js\";\nimport { NativeAlgorithm } from \"../algorithm.js\";\n// b\"HPKE-v1\"\nconst HPKE_VERSION = /* @__PURE__ */ new Uint8Array([\n 72,\n 80,\n 75,\n 69,\n 45,\n 118,\n 49,\n]);\nexport function toUint8Array(input) {\n return new Uint8Array(toArrayBuffer(input));\n}\nexport function toArrayBuffer(input) {\n if (input instanceof ArrayBuffer) {\n return input;\n }\n if (ArrayBuffer.isView(input)) {\n return new Uint8Array(input.buffer, input.byteOffset, input.byteLength)\n .slice().buffer;\n }\n return new Uint8Array(input).slice().buffer;\n}\nexport class HkdfNative extends NativeAlgorithm {\n constructor() {\n super();\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha256\n });\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"_suiteId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: EMPTY\n });\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-256\",\n length: 256,\n }\n });\n }\n init(suiteId) {\n this._suiteId = suiteId;\n }\n buildLabeledIkm(label, ikm) {\n this._checkInit();\n const ret = new Uint8Array(7 + this._suiteId.byteLength + label.byteLength + ikm.byteLength);\n ret.set(HPKE_VERSION, 0);\n ret.set(this._suiteId, 7);\n ret.set(label, 7 + this._suiteId.byteLength);\n ret.set(ikm, 7 + this._suiteId.byteLength + label.byteLength);\n return ret;\n }\n buildLabeledInfo(label, info, len) {\n this._checkInit();\n const ret = new Uint8Array(9 + this._suiteId.byteLength + label.byteLength + info.byteLength);\n ret.set(new Uint8Array([0, len]), 0);\n ret.set(HPKE_VERSION, 2);\n ret.set(this._suiteId, 9);\n ret.set(label, 9 + this._suiteId.byteLength);\n ret.set(info, 9 + this._suiteId.byteLength + label.byteLength);\n return ret;\n }\n async extract(salt, ikm) {\n await this._setup();\n const saltBuf = salt.byteLength === 0\n ? new ArrayBuffer(this.hashSize)\n : toArrayBuffer(salt);\n if (saltBuf.byteLength !== this.hashSize) {\n throw new InvalidParamError(\"The salt length must be the same as the hashSize\");\n }\n const ikmBuf = toArrayBuffer(ikm);\n const key = await this._api.importKey(\"raw\", saltBuf, this.algHash, false, [\n \"sign\",\n ]);\n return await this._api.sign(\"HMAC\", key, ikmBuf);\n }\n async expand(prk, info, len) {\n await this._setup();\n const prkBuf = toArrayBuffer(prk);\n const key = await this._api.importKey(\"raw\", prkBuf, this.algHash, false, [\n \"sign\",\n ]);\n const okm = new ArrayBuffer(len);\n const okmBytes = new Uint8Array(okm);\n let prev = EMPTY;\n const mid = toUint8Array(info);\n const tail = new Uint8Array(1);\n if (len > 255 * this.hashSize) {\n throw new Error(\"Entropy limit reached\");\n }\n const tmp = new Uint8Array(this.hashSize + mid.length + 1);\n for (let i = 1, cur = 0; cur < okmBytes.length; i++) {\n tail[0] = i;\n tmp.set(prev, 0);\n tmp.set(mid, prev.length);\n tmp.set(tail, prev.length + mid.length);\n prev = new Uint8Array(await this._api.sign(\"HMAC\", key, tmp.slice(0, prev.length + mid.length + 1)));\n if (okmBytes.length - cur >= prev.length) {\n okmBytes.set(prev, cur);\n cur += prev.length;\n }\n else {\n okmBytes.set(prev.slice(0, okmBytes.length - cur), cur);\n cur += okmBytes.length - cur;\n }\n }\n return okm;\n }\n async extractAndExpand(salt, ikm, info, len) {\n await this._setup();\n const ikmBuf = toArrayBuffer(ikm);\n const baseKey = await this._api.importKey(\"raw\", ikmBuf, \"HKDF\", false, [\"deriveBits\"]);\n return await this._api.deriveBits({\n name: \"HKDF\",\n hash: this.algHash.hash,\n salt: toArrayBuffer(salt),\n info: toArrayBuffer(info),\n }, baseKey, len * 8);\n }\n async labeledExtract(salt, label, ikm) {\n return await this.extract(salt, this.buildLabeledIkm(label, ikm));\n }\n async labeledExpand(prk, label, info, len) {\n return await this.expand(prk, this.buildLabeledInfo(label, info, len), len);\n }\n _checkInit() {\n if (this._suiteId === EMPTY) {\n throw new Error(\"Not initialized. Call init()\");\n }\n }\n}\nexport class HkdfSha256Native extends HkdfNative {\n constructor() {\n super(...arguments);\n /** KdfId.HkdfSha256 (0x0001) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha256\n });\n /** 32 */\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** The parameters for Web Cryptography API */\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-256\",\n length: 256,\n }\n });\n }\n}\nexport class HkdfSha384Native extends HkdfNative {\n constructor() {\n super(...arguments);\n /** KdfId.HkdfSha384 (0x0002) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha384\n });\n /** 48 */\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 48\n });\n /** The parameters for Web Cryptography API */\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-384\",\n length: 384,\n }\n });\n }\n}\nexport class HkdfSha512Native extends HkdfNative {\n constructor() {\n super(...arguments);\n /** KdfId.HkdfSha512 (0x0003) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KdfId.HkdfSha512\n });\n /** 64 */\n Object.defineProperty(this, \"hashSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n /** The parameters for Web Cryptography API */\n Object.defineProperty(this, \"algHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: {\n name: \"HMAC\",\n hash: \"SHA-512\",\n length: 512,\n }\n });\n }\n}\n", "import * as dntShim from \"../../_dnt.shims.js\";\nimport { KemId } from \"../identifiers.js\";\nexport const isDenoV1 = () => \n// deno-lint-ignore no-explicit-any\ndntShim.dntGlobalThis.process === undefined;\n/**\n * Checks whether the runtime is Deno or not (Node.js).\n * @returns boolean - true if the runtime is Deno, false Node.js.\n */\nexport function isDeno() {\n // deno-lint-ignore no-explicit-any\n if (dntShim.dntGlobalThis.process === undefined) {\n return true;\n }\n // deno-lint-ignore no-explicit-any\n return dntShim.dntGlobalThis.process?.versions?.deno !== undefined;\n}\n/**\n * Checks whetehr the type of input is CryptoKeyPair or not.\n */\nexport const isCryptoKeyPair = (x) => typeof x === \"object\" &&\n x !== null &&\n typeof x.privateKey === \"object\" &&\n typeof x.publicKey === \"object\";\n/**\n * Converts integer to octet string. I2OSP implementation.\n */\nexport function i2Osp(n, w) {\n if (w <= 0) {\n throw new Error(\"i2Osp: too small size\");\n }\n if (n >= 256 ** w) {\n throw new Error(\"i2Osp: too large integer\");\n }\n const ret = new Uint8Array(w);\n for (let i = 0; i < w && n; i++) {\n ret[w - (i + 1)] = n % 256;\n n = Math.floor(n / 256);\n }\n return ret;\n}\n/**\n * Concatenates two Uint8Arrays.\n * @param a Uint8Array\n * @param b Uint8Array\n * @returns Concatenated Uint8Array\n */\nexport function concat(a, b) {\n const ret = new Uint8Array(a.length + b.length);\n ret.set(a, 0);\n ret.set(b, a.length);\n return ret;\n}\n/**\n * Decodes Base64Url-encoded data.\n * @param v Base64Url-encoded string\n * @returns Uint8Array\n */\nexport function base64UrlToBytes(v) {\n const base64 = v.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const byteString = atob(base64);\n const ret = new Uint8Array(byteString.length);\n for (let i = 0; i < byteString.length; i++) {\n ret[i] = byteString.charCodeAt(i);\n }\n return ret;\n}\n/**\n * Encodes Uint8Array to Base64Url.\n * @param v Uint8Array\n * @returns Base64Url-encoded string\n */\nexport function bytesToBase64Url(v) {\n return btoa(String.fromCharCode(...v))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=*$/g, \"\");\n}\n/**\n * Decodes hex string to Uint8Array.\n * @param v Hex string\n * @returns Uint8Array\n * @throws Error if the input is not a hex string.\n */\nexport function hexToBytes(v) {\n if (v.length === 0) {\n return new Uint8Array([]);\n }\n const res = v.match(/[\\da-f]{2}/gi);\n if (res == null) {\n throw new Error(\"Not hex string.\");\n }\n return new Uint8Array(res.map(function (h) {\n return parseInt(h, 16);\n }));\n}\n/**\n * Encodes Uint8Array to hex string.\n * @param v Uint8Array\n * @returns Hex string\n */\nexport function bytesToHex(v) {\n return [...v].map((x) => x.toString(16).padStart(2, \"0\")).join(\"\");\n}\n/**\n * Converts KemId to KeyAlgorithm.\n * @param kem KemId\n * @returns KeyAlgorithm\n */\nexport function kemToKeyGenAlgorithm(kem) {\n switch (kem) {\n case KemId.DhkemP256HkdfSha256:\n return {\n name: \"ECDH\",\n namedCurve: \"P-256\",\n };\n case KemId.DhkemP384HkdfSha384:\n return {\n name: \"ECDH\",\n namedCurve: \"P-384\",\n };\n case KemId.DhkemP521HkdfSha512:\n return {\n name: \"ECDH\",\n namedCurve: \"P-521\",\n };\n default:\n // case KemId.DhkemX25519HkdfSha256\n return {\n name: \"X25519\",\n };\n }\n}\nexport async function loadSubtleCrypto() {\n if (dntShim.dntGlobalThis !== undefined && globalThis.crypto !== undefined) {\n // Browsers, Node.js >= v19, Cloudflare Workers, Bun, etc.\n return globalThis.crypto.subtle;\n }\n // Node.js <= v18\n try {\n // @ts-ignore: to ignore \"crypto\"\n const { webcrypto } = await import(\"crypto\"); // node:crypto\n return webcrypto.subtle;\n }\n catch (_e) {\n throw new Error(\"Failed to load SubtleCrypto\");\n }\n}\nexport async function loadCrypto() {\n if (typeof dntShim.dntGlobalThis !== \"undefined\" && globalThis.crypto !== undefined) {\n // Browsers, Node.js >= v19, Cloudflare Workers, Bun, etc.\n return globalThis.crypto;\n }\n // Node.js <= v18\n try {\n // @ts-ignore: to ignore \"crypto\"\n const { webcrypto } = await import(\"crypto\"); // node:crypto\n return webcrypto;\n }\n catch (_e) {\n throw new Error(\"failed to load Crypto\");\n }\n}\n/**\n * XOR for Uint8Array.\n */\nexport function xor(a, b) {\n if (a.byteLength !== b.byteLength) {\n throw new Error(\"xor: different length inputs\");\n }\n const buf = new Uint8Array(a.byteLength);\n for (let i = 0; i < a.byteLength; i++) {\n buf[i] = a[i] ^ b[i];\n }\n return buf;\n}\n", "import { EMPTY, INPUT_LENGTH_LIMIT } from \"../consts.js\";\nimport { DecapError, EncapError, InvalidParamError } from \"../errors.js\";\nimport { SUITE_ID_HEADER_KEM } from \"../interfaces/kemInterface.js\";\nimport { toArrayBuffer } from \"../kdfs/hkdf.js\";\nimport { concat, i2Osp, isCryptoKeyPair } from \"../utils/misc.js\";\n// b\"eae_prk\"\nconst LABEL_EAE_PRK = /* @__PURE__ */ new Uint8Array([\n 101,\n 97,\n 101,\n 95,\n 112,\n 114,\n 107,\n]);\n// b\"shared_secret\"\n// deno-fmt-ignore\nconst LABEL_SHARED_SECRET = /* @__PURE__ */ new Uint8Array([\n 115, 104, 97, 114, 101, 100, 95, 115, 101, 99,\n 114, 101, 116,\n]);\nfunction concat3(a, b, c) {\n const ret = new Uint8Array(a.length + b.length + c.length);\n ret.set(a, 0);\n ret.set(b, a.length);\n ret.set(c, a.length + b.length);\n return ret;\n}\nexport class Dhkem {\n constructor(id, prim, kdf) {\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"_prim\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.id = id;\n this._prim = prim;\n this._kdf = kdf;\n const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM);\n suiteId.set(i2Osp(this.id, 2), 3);\n this._kdf.init(suiteId);\n }\n async serializePublicKey(key) {\n return await this._prim.serializePublicKey(key);\n }\n async deserializePublicKey(key) {\n return await this._prim.deserializePublicKey(toArrayBuffer(key));\n }\n async serializePrivateKey(key) {\n return await this._prim.serializePrivateKey(key);\n }\n async deserializePrivateKey(key) {\n return await this._prim.deserializePrivateKey(toArrayBuffer(key));\n }\n async importKey(format, key, isPublic = true) {\n return await this._prim.importKey(format, key, isPublic);\n }\n async generateKeyPair() {\n return await this._prim.generateKeyPair();\n }\n async deriveKeyPair(ikm) {\n const rawIkm = toArrayBuffer(ikm);\n if (rawIkm.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long ikm\");\n }\n return await this._prim.deriveKeyPair(rawIkm);\n }\n async encap(params) {\n let ke;\n if (params.ekm === undefined) {\n ke = await this.generateKeyPair();\n }\n else if (isCryptoKeyPair(params.ekm)) {\n // params.ekm is only used for testing.\n ke = params.ekm;\n }\n else {\n // params.ekm is only used for testing.\n ke = await this.deriveKeyPair(params.ekm);\n }\n const enc = await this._prim.serializePublicKey(ke.publicKey);\n const pkrm = await this._prim.serializePublicKey(params.recipientPublicKey);\n try {\n let dh;\n if (params.senderKey === undefined) {\n dh = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey));\n }\n else {\n const sks = isCryptoKeyPair(params.senderKey)\n ? params.senderKey.privateKey\n : params.senderKey;\n const dh1 = new Uint8Array(await this._prim.dh(ke.privateKey, params.recipientPublicKey));\n const dh2 = new Uint8Array(await this._prim.dh(sks, params.recipientPublicKey));\n dh = concat(dh1, dh2);\n }\n let kemContext;\n if (params.senderKey === undefined) {\n kemContext = concat(new Uint8Array(enc), new Uint8Array(pkrm));\n }\n else {\n const pks = isCryptoKeyPair(params.senderKey)\n ? params.senderKey.publicKey\n : await this._prim.derivePublicKey(params.senderKey);\n const pksm = await this._prim.serializePublicKey(pks);\n kemContext = concat3(new Uint8Array(enc), new Uint8Array(pkrm), new Uint8Array(pksm));\n }\n const sharedSecret = await this._generateSharedSecret(dh, kemContext);\n return {\n enc: enc,\n sharedSecret: sharedSecret,\n };\n }\n catch (e) {\n throw new EncapError(e);\n }\n }\n async decap(params) {\n const enc = toArrayBuffer(params.enc);\n const pke = await this._prim.deserializePublicKey(enc);\n const skr = isCryptoKeyPair(params.recipientKey)\n ? params.recipientKey.privateKey\n : params.recipientKey;\n const pkr = isCryptoKeyPair(params.recipientKey)\n ? params.recipientKey.publicKey\n : await this._prim.derivePublicKey(params.recipientKey);\n const pkrm = await this._prim.serializePublicKey(pkr);\n try {\n let dh;\n if (params.senderPublicKey === undefined) {\n dh = new Uint8Array(await this._prim.dh(skr, pke));\n }\n else {\n const dh1 = new Uint8Array(await this._prim.dh(skr, pke));\n const dh2 = new Uint8Array(await this._prim.dh(skr, params.senderPublicKey));\n dh = concat(dh1, dh2);\n }\n let kemContext;\n if (params.senderPublicKey === undefined) {\n kemContext = concat(new Uint8Array(enc), new Uint8Array(pkrm));\n }\n else {\n const pksm = await this._prim.serializePublicKey(params.senderPublicKey);\n kemContext = new Uint8Array(enc.byteLength + pkrm.byteLength + pksm.byteLength);\n kemContext.set(new Uint8Array(enc), 0);\n kemContext.set(new Uint8Array(pkrm), enc.byteLength);\n kemContext.set(new Uint8Array(pksm), enc.byteLength + pkrm.byteLength);\n }\n return await this._generateSharedSecret(dh, kemContext);\n }\n catch (e) {\n throw new DecapError(e);\n }\n }\n async _generateSharedSecret(dh, kemContext) {\n const labeledIkm = this._kdf.buildLabeledIkm(LABEL_EAE_PRK, dh);\n const labeledInfo = this._kdf.buildLabeledInfo(LABEL_SHARED_SECRET, kemContext, this.secretSize);\n return await this._kdf.extractAndExpand(EMPTY, labeledIkm, labeledInfo, this.secretSize);\n }\n}\n", "// The key usages for KEM.\nexport const KEM_USAGES = [\"deriveBits\"];\n// b\"dkp_prk\"\nexport const LABEL_DKP_PRK = /* @__PURE__ */ new Uint8Array([\n 100,\n 107,\n 112,\n 95,\n 112,\n 114,\n 107,\n]);\n// b\"sk\"\nexport const LABEL_SK = /* @__PURE__ */ new Uint8Array([115, 107]);\n", "/**\n * The minimum inplementation of bignum to derive an EC key pair.\n */\nexport class Bignum {\n constructor(size) {\n Object.defineProperty(this, \"_num\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._num = new Uint8Array(size);\n }\n val() {\n return this._num;\n }\n reset() {\n this._num.fill(0);\n }\n set(src) {\n if (src.length !== this._num.length) {\n throw new Error(\"Bignum.set: invalid argument\");\n }\n this._num.set(src);\n }\n isZero() {\n for (let i = 0; i < this._num.length; i++) {\n if (this._num[i] !== 0) {\n return false;\n }\n }\n return true;\n }\n lessThan(v) {\n if (v.length !== this._num.length) {\n throw new Error(\"Bignum.lessThan: invalid argument\");\n }\n for (let i = 0; i < this._num.length; i++) {\n if (this._num[i] < v[i]) {\n return true;\n }\n if (this._num[i] > v[i]) {\n return false;\n }\n }\n return false;\n }\n}\n", "import { NativeAlgorithm } from \"../../algorithm.js\";\nimport { BYTE_TO_BIGINT_256, EMPTY } from \"../../consts.js\";\nimport { toArrayBuffer } from \"../../kdfs/hkdf.js\";\nimport { DeriveKeyPairError, DeserializeError, NotSupportedError, SerializeError, } from \"../../errors.js\";\nimport { KemId } from \"../../identifiers.js\";\nimport { KEM_USAGES, LABEL_DKP_PRK } from \"../../interfaces/dhkemPrimitives.js\";\nimport { Bignum } from \"../../utils/bignum.js\";\nimport { base64UrlToBytes, i2Osp } from \"../../utils/misc.js\";\n// b\"candidate\"\n// deno-fmt-ignore\nconst LABEL_CANDIDATE = /* @__PURE__ */ new Uint8Array([\n 99, 97, 110, 100, 105, 100, 97, 116, 101,\n]);\n// the order of the curve being used.\n// deno-fmt-ignore\nconst ORDER_P_256 = /* @__PURE__ */ new Uint8Array([\n 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84,\n 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51,\n]);\n// deno-fmt-ignore\nconst ORDER_P_384 = /* @__PURE__ */ new Uint8Array([\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, 0x2d, 0xdf,\n 0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a,\n 0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73,\n]);\n// deno-fmt-ignore\nconst ORDER_P_521 = /* @__PURE__ */ new Uint8Array([\n 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\n 0xff, 0xfa, 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f,\n 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09,\n 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c,\n 0x47, 0xae, 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38,\n 0x64, 0x09,\n]);\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_P_256 = /* @__PURE__ */ new Uint8Array([\n 48, 65, 2, 1, 0, 48, 19, 6, 7, 42,\n 134, 72, 206, 61, 2, 1, 6, 8, 42, 134,\n 72, 206, 61, 3, 1, 7, 4, 39, 48, 37,\n 2, 1, 1, 4, 32,\n]);\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_P_384 = /* @__PURE__ */ new Uint8Array([\n 48, 78, 2, 1, 0, 48, 16, 6, 7, 42,\n 134, 72, 206, 61, 2, 1, 6, 5, 43, 129,\n 4, 0, 34, 4, 55, 48, 53, 2, 1, 1,\n 4, 48,\n]);\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_P_521 = /* @__PURE__ */ new Uint8Array([\n 48, 96, 2, 1, 0, 48, 16, 6, 7, 42,\n 134, 72, 206, 61, 2, 1, 6, 5, 43, 129,\n 4, 0, 35, 4, 73, 48, 71, 2, 1, 1,\n 4, 66,\n]);\nconst EC_P_256_PARAMS = {\n p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,\n b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,\n gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,\n gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,\n coordinateSize: 32,\n};\nconst EC_P_384_PARAMS = {\n p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffn,\n b: 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefn,\n gx: 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7n,\n gy: 0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5fn,\n coordinateSize: 48,\n};\nconst EC_P_521_PARAMS = {\n p: (1n << 521n) - 1n,\n b: 0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00n,\n gx: 0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66n,\n gy: 0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650n,\n coordinateSize: 66,\n};\nfunction mod(a, p) {\n const r = a % p;\n return r >= 0n ? r : r + p;\n}\nfunction modPow(base, exponent, p) {\n let result = 1n;\n let b = mod(base, p);\n let e = exponent;\n while (e > 0n) {\n if ((e & 1n) === 1n) {\n result = mod(result * b, p);\n }\n b = mod(b * b, p);\n e >>= 1n;\n }\n return result;\n}\nfunction modSqrt(rhs, p) {\n // P-256/P-384/P-521 primes satisfy p % 4 == 3.\n const y = modPow(rhs, (p + 1n) >> 2n, p);\n if (mod(y * y, p) !== mod(rhs, p)) {\n throw new Error(\"Invalid ECDH point\");\n }\n return y;\n}\nfunction bytesToBigInt(bytes) {\n let v = 0n;\n for (const b of bytes) {\n v = (v << 8n) | BYTE_TO_BIGINT_256[b];\n }\n return v;\n}\nfunction bigIntToBytes(v, len) {\n const out = new Uint8Array(len);\n let n = v;\n for (let i = len - 1; i >= 0; i--) {\n out[i] = Number(n & 0xffn);\n n >>= 8n;\n }\n if (n !== 0n) {\n throw new Error(\"Invalid coordinate length\");\n }\n return out;\n}\nfunction buildRawUncompressedPublicKey(x, y, coordinateSize) {\n const out = new Uint8Array(1 + coordinateSize * 2);\n out[0] = 0x04;\n out.set(bigIntToBytes(x, coordinateSize), 1);\n out.set(bigIntToBytes(y, coordinateSize), 1 + coordinateSize);\n return out;\n}\nexport class Ec extends NativeAlgorithm {\n constructor(kem, hkdf) {\n super();\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_alg\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nDh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // EC specific arguments for deriving key pair.\n Object.defineProperty(this, \"_order\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_bitmask\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_pkcs8AlgId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_curveParams\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._hkdf = hkdf;\n switch (kem) {\n case KemId.DhkemP256HkdfSha256:\n this._alg = { name: \"ECDH\", namedCurve: \"P-256\" };\n this._nPk = 65;\n this._nSk = 32;\n this._nDh = 32;\n this._order = ORDER_P_256;\n this._bitmask = 0xFF;\n this._pkcs8AlgId = PKCS8_ALG_ID_P_256;\n this._curveParams = EC_P_256_PARAMS;\n break;\n case KemId.DhkemP384HkdfSha384:\n this._alg = { name: \"ECDH\", namedCurve: \"P-384\" };\n this._nPk = 97;\n this._nSk = 48;\n this._nDh = 48;\n this._order = ORDER_P_384;\n this._bitmask = 0xFF;\n this._pkcs8AlgId = PKCS8_ALG_ID_P_384;\n this._curveParams = EC_P_384_PARAMS;\n break;\n default:\n // case KemId.DhkemP521HkdfSha512:\n this._alg = { name: \"ECDH\", namedCurve: \"P-521\" };\n this._nPk = 133;\n this._nSk = 66;\n this._nDh = 66;\n this._order = ORDER_P_521;\n this._bitmask = 0x01;\n this._pkcs8AlgId = PKCS8_ALG_ID_P_521;\n this._curveParams = EC_P_521_PARAMS;\n break;\n }\n }\n async serializePublicKey(key) {\n await this._setup();\n try {\n return await this._api.exportKey(\"raw\", key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(toArrayBuffer(key), true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n if (!(\"d\" in jwk)) {\n throw new Error(\"Not private key\");\n }\n return base64UrlToBytes(jwk[\"d\"]).buffer;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(toArrayBuffer(key), false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n await this._setup();\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n await this._setup();\n try {\n return await this._api.generateKey(this._alg, true, KEM_USAGES);\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n await this._setup();\n try {\n const rawIkm = toArrayBuffer(ikm);\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY, LABEL_DKP_PRK, new Uint8Array(rawIkm));\n const bn = new Bignum(this._nSk);\n for (let counter = 0; bn.isZero() || !bn.lessThan(this._order); counter++) {\n if (counter > 255) {\n throw new Error(\"Faild to derive a key pair\");\n }\n const bytes = new Uint8Array(await this._hkdf.labeledExpand(dkpPrk, LABEL_CANDIDATE, i2Osp(counter, 1), this._nSk));\n bytes[0] = bytes[0] & this._bitmask;\n bn.set(bytes);\n }\n const sk = await this._deserializePkcs8Key(bn.val());\n bn.reset();\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n async derivePublicKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n delete jwk[\"d\"];\n delete jwk[\"key_ops\"];\n return await this._api.importKey(\"jwk\", jwk, this._alg, true, []);\n }\n catch {\n try {\n // Firefox fails to export JWK from some imported ECDH private keys.\n return await this._derivePublicKeyWithoutJwkExport(key);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n }\n async dh(sk, pk) {\n try {\n await this._setup();\n const bits = await this._api.deriveBits({\n name: \"ECDH\",\n public: pk,\n }, sk, this._nDh * 8);\n return bits;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async _importRawKey(key, isPublic) {\n if (isPublic && key.byteLength !== this._nPk) {\n throw new Error(\"Invalid public key for the ciphersuite\");\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n throw new Error(\"Invalid private key for the ciphersuite\");\n }\n if (isPublic) {\n return await this._api.importKey(\"raw\", key, this._alg, true, []);\n }\n return await this._deserializePkcs8Key(new Uint8Array(key));\n }\n async _importJWK(key, isPublic) {\n if (typeof key.crv === \"undefined\" || key.crv !== this._alg.namedCurve) {\n throw new Error(`Invalid crv: ${key.crv}`);\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n throw new Error(\"Invalid key: `d` should not be set\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, []);\n }\n if (typeof key.d === \"undefined\") {\n throw new Error(\"Invalid key: `d` not found\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, KEM_USAGES);\n }\n async _deserializePkcs8Key(k) {\n const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);\n pkcs8Key.set(this._pkcs8AlgId, 0);\n pkcs8Key.set(k, this._pkcs8AlgId.length);\n return await this._api.importKey(\"pkcs8\", pkcs8Key, this._alg, true, KEM_USAGES);\n }\n async _derivePublicKeyWithoutJwkExport(key) {\n const basePointRaw = buildRawUncompressedPublicKey(this._curveParams.gx, this._curveParams.gy, this._curveParams.coordinateSize);\n const basePoint = await this._api.importKey(\"raw\", basePointRaw.buffer, this._alg, true, []);\n const xBytes = new Uint8Array(await this._api.deriveBits({\n name: \"ECDH\",\n public: basePoint,\n }, key, this._nDh * 8));\n const p = this._curveParams.p;\n const x = bytesToBigInt(xBytes);\n const rhs = mod(modPow(x, 3n, p) - 3n * x + this._curveParams.b, p);\n let y = modSqrt(rhs, p);\n // Canonicalize sign so the encoded point is deterministic.\n if ((y & 1n) === 1n) {\n y = p - y;\n }\n const pubRaw = buildRawUncompressedPublicKey(x, y, this._curveParams.coordinateSize);\n return await this._api.importKey(\"raw\", pubRaw.buffer, this._alg, true, []);\n }\n}\n", "export class XCryptoKey {\n constructor(name, key, type, usages = []) {\n Object.defineProperty(this, \"key\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"type\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"extractable\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: true\n });\n Object.defineProperty(this, \"algorithm\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"usages\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.key = key;\n this.type = type;\n this.algorithm = { name: name };\n this.usages = usages;\n if (type === \"public\") {\n this.usages = [];\n }\n }\n}\n", "import { EMPTY } from \"../../consts.js\";\nimport { DeriveKeyPairError, DeserializeError, NotSupportedError, SerializeError, } from \"../../errors.js\";\nimport { toArrayBuffer } from \"../../kdfs/hkdf.js\";\nimport { KEM_USAGES, LABEL_DKP_PRK, LABEL_SK, } from \"../../interfaces/dhkemPrimitives.js\";\nimport { base64UrlToBytes } from \"../../utils/misc.js\";\nimport { XCryptoKey } from \"../../xCryptoKey.js\";\n/**\n * Base DhkemPrimitives implementation for Montgomery curves (X25519/X448).\n *\n * Subclasses pass curve-specific parameters (algorithm name, key size, curve)\n * and optionally add extra methods (e.g., raw derive for X25519).\n */\nexport class XCurveDhkemPrimitives {\n constructor(algName, keySize, curve, hkdf) {\n Object.defineProperty(this, \"_algName\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_curve\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._algName = algName;\n this._nPk = keySize;\n this._nSk = keySize;\n this._curve = curve;\n this._hkdf = hkdf;\n }\n serializePublicKey(key) {\n try {\n return Promise.resolve(key.key.buffer);\n }\n catch (e) {\n return Promise.reject(new SerializeError(e));\n }\n }\n async deserializePublicKey(key) {\n try {\n return await this._importRawKey(toArrayBuffer(key), true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n serializePrivateKey(key) {\n try {\n return Promise.resolve(key.key.buffer);\n }\n catch (e) {\n return Promise.reject(new SerializeError(e));\n }\n }\n async deserializePrivateKey(key) {\n try {\n return await this._importRawKey(toArrayBuffer(key), false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n try {\n const rawSk = await this._curve.utils.randomSecretKey();\n const sk = new XCryptoKey(this._algName, rawSk, \"private\", KEM_USAGES);\n const pk = await this.derivePublicKey(sk);\n return { publicKey: pk, privateKey: sk };\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n try {\n const rawIkm = toArrayBuffer(ikm);\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY.buffer, LABEL_DKP_PRK, new Uint8Array(rawIkm));\n const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, this._nSk);\n const sk = new XCryptoKey(this._algName, new Uint8Array(rawSk), \"private\", KEM_USAGES);\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n derivePublicKey(key) {\n try {\n const pk = this._curve.getPublicKey(key.key);\n return Promise.resolve(new XCryptoKey(this._algName, pk, \"public\"));\n }\n catch (e) {\n return Promise.reject(new DeserializeError(e));\n }\n }\n dh(sk, pk) {\n try {\n return Promise.resolve(this._curve.getSharedSecret(sk.key, pk.key).buffer);\n }\n catch (e) {\n return Promise.reject(new SerializeError(e));\n }\n }\n _importRawKey(key, isPublic) {\n return new Promise((resolve, reject) => {\n if (isPublic && key.byteLength !== this._nPk) {\n reject(new Error(\"Invalid length of the key\"));\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n reject(new Error(\"Invalid length of the key\"));\n }\n resolve(new XCryptoKey(this._algName, new Uint8Array(key), isPublic ? \"public\" : \"private\", isPublic ? [] : KEM_USAGES));\n });\n }\n _importJWK(key, isPublic) {\n return new Promise((resolve, reject) => {\n if (key.kty !== \"OKP\") {\n reject(new Error(`Invalid kty: ${key.kty}`));\n }\n if (key.crv !== this._algName) {\n reject(new Error(`Invalid crv: ${key.crv}`));\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n reject(new Error(\"Invalid key: `d` should not be set\"));\n }\n if (typeof key.x !== \"string\") {\n reject(new Error(\"Invalid key: `x` not found\"));\n }\n resolve(new XCryptoKey(this._algName, base64UrlToBytes(key.x), \"public\"));\n }\n else {\n if (typeof key.d !== \"string\") {\n reject(new Error(\"Invalid key: `d` not found\"));\n }\n resolve(new XCryptoKey(this._algName, base64UrlToBytes(key.d), \"private\", KEM_USAGES));\n }\n });\n }\n}\n", "import { EMPTY } from \"../consts.js\";\nimport { DeserializeError, InvalidParamError, NotSupportedError, SerializeError, } from \"../errors.js\";\nimport { toArrayBuffer } from \"../kdfs/hkdf.js\";\nimport { KemId } from \"../identifiers.js\";\nimport { LABEL_DKP_PRK, LABEL_SK } from \"../interfaces/dhkemPrimitives.js\";\nimport { SUITE_ID_HEADER_KEM } from \"../interfaces/kemInterface.js\";\nimport { concat, i2Osp, isCryptoKeyPair } from \"../utils/misc.js\";\nimport { XCryptoKey } from \"../xCryptoKey.js\";\nexport class Hybridkem {\n constructor(id, a, b, kdf) {\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.NotAssigned\n });\n Object.defineProperty(this, \"name\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: \"\"\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"_a\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_b\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.id = id;\n this._a = a;\n this._b = b;\n this._kdf = kdf;\n const suiteId = new Uint8Array(SUITE_ID_HEADER_KEM);\n suiteId.set(i2Osp(this.id, 2), 3);\n this._kdf.init(suiteId);\n }\n async serializePublicKey(key) {\n try {\n return await this._serializePublicKey(key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n try {\n return await this._deserializePublicKey(toArrayBuffer(key));\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n try {\n return await this._serializePrivateKey(key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n try {\n return await this._deserializePrivateKey(toArrayBuffer(key));\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n const kpA = await this._a.generateKeyPair();\n const kpB = await this._b.generateKeyPair();\n const pkA = await this._a.serializePublicKey(kpA.publicKey);\n const skA = await this._a.serializePrivateKey(kpA.privateKey);\n const pkB = await this._b.serializePublicKey(kpB.publicKey);\n const skB = await this._b.serializePrivateKey(kpB.privateKey);\n return {\n publicKey: await this.deserializePublicKey(concat(new Uint8Array(pkA), new Uint8Array(pkB)).buffer),\n privateKey: await this.deserializePrivateKey(concat(new Uint8Array(skA), new Uint8Array(skB)).buffer),\n };\n }\n async deriveKeyPair(ikm) {\n const rawIkm = toArrayBuffer(ikm);\n const dkpPrk = await this._kdf.labeledExtract(EMPTY.buffer, LABEL_DKP_PRK, new Uint8Array(rawIkm));\n const seed = new Uint8Array(await this._kdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, 32 + 64));\n const seed1 = seed.slice(0, 32);\n const seed2 = seed.slice(32, 96);\n const kpA = await this._a.deriveKeyPair(seed1.buffer);\n const kpB = await this._b.deriveKeyPair(seed2.buffer);\n const pkA = await this._a.serializePublicKey(kpA.publicKey);\n const skA = await this._a.serializePrivateKey(kpA.privateKey);\n const pkB = await this._b.serializePublicKey(kpB.publicKey);\n const skB = await this._b.serializePrivateKey(kpB.privateKey);\n return {\n publicKey: await this.deserializePublicKey(concat(new Uint8Array(pkA), new Uint8Array(pkB)).buffer),\n privateKey: await this.deserializePrivateKey(concat(new Uint8Array(skA), new Uint8Array(skB)).buffer),\n };\n }\n async importKey(format, key, isPublic = true) {\n if (format !== \"raw\") {\n throw new NotSupportedError(\"'jwk' is not supported\");\n }\n if (!(key instanceof ArrayBuffer)) {\n throw new InvalidParamError(\"Invalid type of key\");\n }\n if (isPublic) {\n return await this.deserializePublicKey(key);\n }\n return await this.deserializePrivateKey(key);\n }\n async encap(params) {\n let ekmA = undefined;\n let ekmB = undefined;\n if (params.ekm !== undefined && !isCryptoKeyPair(params.ekm)) {\n const ekm = toArrayBuffer(params.ekm);\n if (ekm.byteLength !== 64) {\n throw new InvalidParamError(\"ekm must be 64 bytes in length\");\n }\n ekmA = ekm.slice(0, 32);\n ekmB = ekm.slice(32);\n }\n const pkR = new Uint8Array(await this.serializePublicKey(params.recipientPublicKey));\n const pkRA = await this._a.deserializePublicKey(pkR.slice(0, this._a.publicKeySize).buffer);\n const pkRB = await this._b.deserializePublicKey(pkR.slice(this._a.publicKeySize).buffer);\n const resA = await this._a.encap({ recipientPublicKey: pkRA, ekm: ekmA });\n const resB = await this._b.encap({ recipientPublicKey: pkRB, ekm: ekmB });\n return {\n sharedSecret: concat(new Uint8Array(resA.sharedSecret), new Uint8Array(resB.sharedSecret)).buffer,\n enc: concat(new Uint8Array(resA.enc), new Uint8Array(resB.enc))\n .buffer,\n };\n }\n async decap(params) {\n const enc = toArrayBuffer(params.enc);\n const sk = isCryptoKeyPair(params.recipientKey)\n ? params.recipientKey.privateKey\n : params.recipientKey;\n const skR = new Uint8Array(await this.serializePrivateKey(sk));\n const skRA = await this._a.deserializePrivateKey(skR.slice(0, this._a.privateKeySize).buffer);\n const skRB = await this._b.deserializePrivateKey(skR.slice(this._a.privateKeySize).buffer);\n const ssA = await this._a.decap({\n recipientKey: skRA,\n enc: enc.slice(0, this._a.encSize),\n });\n const ssB = await this._b.decap({\n recipientKey: skRB,\n enc: enc.slice(this._a.encSize),\n });\n return concat(new Uint8Array(ssA), new Uint8Array(ssB))\n .buffer;\n }\n _serializePublicKey(k) {\n return new Promise((resolve, reject) => {\n if (k.type !== \"public\") {\n reject(new Error(\"Not public key\"));\n }\n if (k.algorithm.name !== this.name) {\n reject(new Error(`Invalid algorithm name: ${k.algorithm.name}`));\n }\n if (k.key.byteLength !== this.publicKeySize) {\n reject(new Error(`Invalid key length: ${k.key.byteLength}`));\n }\n resolve(k.key.buffer);\n });\n }\n _deserializePublicKey(k) {\n return new Promise((resolve, reject) => {\n if (k.byteLength !== this.publicKeySize) {\n reject(new Error(`Invalid key length: ${k.byteLength}`));\n }\n resolve(new XCryptoKey(this.name, new Uint8Array(k), \"public\"));\n });\n }\n _serializePrivateKey(k) {\n return new Promise((resolve, reject) => {\n if (k.type !== \"private\") {\n reject(new Error(\"Not private key\"));\n }\n if (k.algorithm.name !== this.name) {\n reject(new Error(`Invalid algorithm name: ${k.algorithm.name}`));\n }\n if (k.key.byteLength !== this.privateKeySize) {\n reject(new Error(`Invalid key length: ${k.key.byteLength}`));\n }\n resolve(k.key.buffer);\n });\n }\n _deserializePrivateKey(k) {\n return new Promise((resolve, reject) => {\n if (k.byteLength !== this.privateKeySize) {\n reject(new Error(`Invalid key length: ${k.byteLength}`));\n }\n resolve(new XCryptoKey(this.name, new Uint8Array(k), \"private\", [\"deriveBits\"]));\n });\n }\n}\n", "// The key usages for AEAD.\nexport const AEAD_USAGES = [\"encrypt\", \"decrypt\"];\n", "// deno-lint-ignore-file no-explicit-any\n/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/utils.ts\n */\n/**\n * Hex, bytes and number utilities.\n * @module\n */\nimport { loadCrypto } from \"./misc.js\";\nimport { N_0 } from \"../consts.js\";\n/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */\nexport function isBytes(a) {\n return a instanceof Uint8Array ||\n (ArrayBuffer.isView(a) && a.constructor.name === \"Uint8Array\");\n}\n/** Asserts something is positive integer. */\nexport function anumber(n, title = \"\") {\n if (!Number.isSafeInteger(n) || n < 0) {\n const prefix = title && `\"${title}\" `;\n throw new Error(`${prefix}expected integer >0, got ${n}`);\n }\n}\n/** Asserts something is Uint8Array. */\nexport function abytes(value, length, title = \"\") {\n const bytes = isBytes(value);\n const len = value?.length;\n const needsLen = length !== undefined;\n if (!bytes || (needsLen && len !== length)) {\n const prefix = title && `\"${title}\" `;\n const ofLen = needsLen ? ` of length ${length}` : \"\";\n const got = bytes ? `length=${len}` : `type=${typeof value}`;\n throw new Error(prefix + \"expected Uint8Array\" + ofLen + \", got \" + got);\n }\n return value;\n}\n// ahash function is now imported from ../hash/hash.ts\n/** Asserts a hash instance has not been destroyed / finished */\nexport function aexists(instance, checkFinished = true) {\n if (instance.destroyed)\n throw new Error(\"Hash instance has been destroyed\");\n if (checkFinished && instance.finished) {\n throw new Error(\"Hash#digest() has already been called\");\n }\n}\n/** Asserts output is properly-sized byte array */\nexport function aoutput(out, instance) {\n abytes(out, undefined, \"digestInto() output\");\n const min = instance.outputLen;\n if (out.length < min) {\n throw new Error('\"digestInto() output\" expected to be of length >=' + min);\n }\n}\n// Used in weierstrass, der\nfunction abignumer(n) {\n if (typeof n === \"bigint\") {\n if (!isPosBig(n))\n throw new Error(\"positive bigint expected, got \" + n);\n }\n else\n anumber(n);\n return n;\n}\n/** Cast u8 / u16 / u32 to u32. */\nexport function u32(arr) {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n/** Zeroize a byte array. Warning: JS provides no guarantees. */\nexport function clean(...arrays) {\n for (let i = 0; i < arrays.length; i++) {\n arrays[i].fill(0);\n }\n}\n/** Pre-computed buffer for endianness detection */\nconst _endianTestBuffer = /* @__PURE__ */ new Uint32Array([0x11223344]);\nconst _endianTestBytes = /* @__PURE__ */ new Uint8Array(_endianTestBuffer.buffer);\n/** Is current platform little-endian? Most are. Big-Endian platform: IBM */\nexport const isLE = /* @__PURE__ */ _endianTestBytes[0] === 0x44;\n/** The byte swap operation for uint32 */\nexport function byteSwap(word) {\n return (((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff));\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport function swap8IfBE(n) {\n return isLE ? n : byteSwap(n);\n}\n/** @deprecated */\nexport const byteSwapIfBE = swap8IfBE;\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr) {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n return arr;\n}\nexport function swap32IfBE(u) {\n return isLE ? u : byteSwap32(u);\n}\n/** Create DataView of an array for easy byte-level manipulation. */\nexport function createView(arr) {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word, shift) {\n return (word << (32 - shift)) | (word >>> shift);\n}\n// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex\nconst hasHexBuiltin = /* @__PURE__ */ (() => \n// @ts-ignore: to use toHex\ntypeof Uint8Array.from([]).toHex === \"function\" &&\n // @ts-ignore: to use fromHex\n typeof Uint8Array.fromHex === \"function\")();\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, \"0\"));\nconst HEX_TO_BIGINT = /* @__PURE__ */ [\n 0n,\n 1n,\n 2n,\n 3n,\n 4n,\n 5n,\n 6n,\n 7n,\n 8n,\n 9n,\n 10n,\n 11n,\n 12n,\n 13n,\n 14n,\n 15n,\n];\n/**\n * Convert byte array to hex string. Uses built-in function, when available.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes) {\n abytes(bytes);\n // @ts-ignore: to use toHex\n if (hasHexBuiltin)\n return bytes.toHex();\n // pre-caching improves the speed 6x\n let hex = \"\";\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };\nfunction asciiToBase16(ch) {\n if (ch >= asciis._0 && ch <= asciis._9)\n return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F)\n return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f)\n return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n/**\n * Convert hex string to byte array. Uses built-in function, when available.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex) {\n if (typeof hex !== \"string\") {\n throw new Error(\"hex string expected, got \" + typeof hex);\n }\n // @ts-ignore: to use fromHex\n if (hasHexBuiltin)\n return Uint8Array.fromHex(hex);\n const hl = hex.length;\n const al = hl / 2;\n if (hl % 2) {\n throw new Error(\"hex string expected, got unpadded hex of length \" + hl);\n }\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' +\n hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n/**\n * Converts string to bytes using UTF8 encoding.\n * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])\n */\nexport function utf8ToBytes(str) {\n if (typeof str !== \"string\")\n throw new Error(\"string expected\");\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n/**\n * Converts bytes to string using UTF8 encoding.\n * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'\n */\nexport function bytesToUtf8(bytes) {\n return new TextDecoder().decode(bytes);\n}\nexport function numberToHexUnpadded(num) {\n const hex = abignumer(num).toString(16);\n return hex.length & 1 ? \"0\" + hex : hex;\n}\nexport function hexToNumber(hex) {\n if (typeof hex !== \"string\") {\n throw new Error(\"hex string expected, got \" + typeof hex);\n }\n let out = N_0;\n for (let i = 0; i < hex.length; i++) {\n const n = asciiToBase16(hex.charCodeAt(i));\n if (n === undefined) {\n throw new Error('hex string expected, got non-hex character \"' + hex[i] +\n '\" at index ' + i);\n }\n out = (out << 4n) | HEX_TO_BIGINT[n];\n }\n return out; // Big Endian\n}\nexport function numberToBigint(num) {\n anumber(num, \"numberToBigint\");\n let n = num;\n let out = N_0;\n let bit = 1n;\n while (n > 0) {\n if (n % 2 === 1)\n out += bit;\n n = Math.floor(n / 2);\n bit <<= 1n;\n }\n return out;\n}\n// BE: Big Endian, LE: Little Endian\nexport function bytesToNumberBE(bytes) {\n return hexToNumber(bytesToHex(bytes));\n}\nexport function bytesToNumberLE(bytes) {\n return hexToNumber(bytesToHex(copyBytes(abytes(bytes)).reverse()));\n}\nexport function numberToBytesBE(n, len) {\n anumber(len);\n n = abignumer(n);\n const res = hexToBytes(n.toString(16).padStart(len * 2, \"0\"));\n if (res.length !== len)\n throw new Error(\"number too large\");\n return res;\n}\nexport function numberToBytesLE(n, len) {\n return numberToBytesBE(n, len).reverse();\n}\n/**\n * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,\n * and Buffer#slice creates mutable copy. Never use Buffers!\n */\nexport function copyBytes(bytes) {\n return Uint8Array.from(bytes);\n}\n/** Copies several Uint8Arrays into one. */\nexport function concatBytes(...arrays) {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n/**\n * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols\n * Should be safe to use for things expected to be ASCII.\n * Returns exact same result as utf8ToBytes for ASCII or throws.\n */\nexport function asciiToBytes(ascii) {\n return Uint8Array.from(ascii, (c, i) => {\n const charCode = c.charCodeAt(0);\n if (c.length !== 1 || charCode > 127) {\n throw new Error(`string contains non-ASCII character \"${ascii[i]}\" with code ${charCode} at position ${i}`);\n }\n return charCode;\n });\n}\n// Is positive bigint\nfunction isPosBig(n) {\n return typeof n === \"bigint\" && N_0 <= n;\n}\nexport function inRange(n, min, max) {\n return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;\n}\n/**\n * Asserts min <= n < max. NOTE: It's < max and not <= max.\n * @example\n * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)\n */\nexport function aInRange(title, n, min, max) {\n // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?\n // consider P=256n, min=0n, max=P\n // - a for min=0 would require -1: `inRange('x', x, -1n, P)`\n // - b would commonly require subtraction: `inRange('x', x, 0n, P - 1n)`\n // - our way is the cleanest: `inRange('x', x, 0n, P)\n if (!inRange(n, min, max)) {\n throw new Error(\"expected valid \" + title + \": \" + min + \" <= n < \" + max + \", got \" + n);\n }\n}\nexport function validateObject(object, fields = {}, optFields = {}) {\n if (!object || typeof object !== \"object\") {\n throw new Error(\"expected valid options object\");\n }\n function checkField(fieldName, expectedType, isOpt) {\n const val = object[fieldName];\n if (isOpt && val === undefined)\n return;\n const current = typeof val;\n if (current !== expectedType || val === null) {\n throw new Error(`param \"${fieldName}\" is invalid: expected ${expectedType}, got ${current}`);\n }\n }\n const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));\n iter(fields, false);\n iter(optFields, true);\n}\n// createHasher function is now exported above with ahash\n// /** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */\n// export function randomBytes(bytesLength = 32): Uint8Array {\n// const cr = typeof globalThis != null && (globalThis as any).crypto;\n// if (!cr || typeof cr.getRandomValues !== \"function\") {\n// throw new Error(\"crypto.getRandomValues must be defined\");\n// }\n// return cr.getRandomValues(new Uint8Array(bytesLength));\n// }\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */\nexport async function randomBytesAsync(bytesLength = 32) {\n const api = await loadCrypto();\n const rnd = new Uint8Array(bytesLength);\n api.getRandomValues(rnd);\n return rnd;\n}\n// 06 09 60 86 48 01 65 03 04 02\nexport function oidNist(suffix) {\n return {\n oid: Uint8Array.from([\n 0x06,\n 0x09,\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n suffix,\n ]),\n };\n}\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/utils.ts\n */\n/**\n * Hash utilities and type definitions extracted from noble.ts\n * @module\n */\nimport { anumber } from \"../utils/noble.js\";\n/** Asserts something is hash */\nexport function ahash(h) {\n if (typeof h !== \"function\" || typeof h.create !== \"function\") {\n throw new Error(\"Hash must wrapped by utils.createHasher\");\n }\n anumber(h.outputLen);\n anumber(h.blockLen);\n}\nexport function createHasher(hashCons, info = {}) {\n const hashFn = (msg, opts) => hashCons(opts).update(msg).digest();\n const tmp = hashCons(undefined);\n const hashC = Object.assign(hashFn, {\n outputLen: tmp.outputLen,\n blockLen: tmp.blockLen,\n create: (opts) => hashCons(opts),\n ...info,\n });\n return Object.freeze(hashC);\n}\n", "// deno-lint-ignore-file no-explicit-any\n/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/2e0c00e1aa134082ba1380bf3afb8b1641f60fed/src/hmac.ts\n */\n/**\n * HMAC: RFC2104 message authentication code.\n * @module\n */\nimport { abytes, aexists, clean } from \"../utils/noble.js\";\nimport { ahash } from \"./hash.js\";\nexport class _HMAC {\n constructor(hash, key) {\n Object.defineProperty(this, \"oHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"iHash\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"blockLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"outputLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"finished\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"destroyed\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n ahash(hash);\n abytes(key, undefined, \"key\");\n this.iHash = hash.create();\n if (typeof this.iHash.update !== \"function\") {\n throw new Error(\"Expected instance of class which extends utils.Hash\");\n }\n this.blockLen = this.iHash.blockLen;\n this.outputLen = this.iHash.outputLen;\n const blockLen = this.blockLen;\n const pad = new Uint8Array(blockLen);\n // blockLen can be bigger than outputLen\n pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);\n for (let i = 0; i < pad.length; i++)\n pad[i] ^= 0x36;\n this.iHash.update(pad);\n // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone\n this.oHash = hash.create();\n // Undo internal XOR && apply outer XOR\n for (let i = 0; i < pad.length; i++)\n pad[i] ^= 0x36 ^ 0x5c;\n this.oHash.update(pad);\n clean(pad);\n }\n update(buf) {\n aexists(this);\n this.iHash.update(buf);\n return this;\n }\n digestInto(out) {\n aexists(this);\n abytes(out, this.outputLen, \"output\");\n this.finished = true;\n this.iHash.digestInto(out);\n this.oHash.update(out);\n this.oHash.digestInto(out);\n this.destroy();\n }\n digest() {\n const out = new Uint8Array(this.oHash.outputLen);\n this.digestInto(out);\n return out;\n }\n _cloneInto(to) {\n // Create new instance without calling constructor since key already in state and we don't know it.\n to ||= Object.create(Object.getPrototypeOf(this), {});\n const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;\n to = to;\n to.finished = finished;\n to.destroyed = destroyed;\n to.blockLen = blockLen;\n to.outputLen = outputLen;\n to.oHash = oHash._cloneInto(to.oHash);\n to.iHash = iHash._cloneInto(to.iHash);\n return to;\n }\n clone() {\n return this._cloneInto();\n }\n destroy() {\n this.destroyed = true;\n this.oHash.destroy();\n this.iHash.destroy();\n }\n}\n/**\n * HMAC: RFC2104 message authentication code.\n * @param hash - function that would be used e.g. sha256\n * @param key - message key\n * @param message - message data\n * @example\n * import { hmac } from '@noble/hashes/hmac';\n * import { sha256 } from '@noble/hashes/sha2';\n * const mac1 = hmac(sha256, 'key', 'message');\n */\nexport const hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();\nhmac.create = (hash, key) => new _HMAC(hash, key);\n", "// deno-lint-ignore-file no-explicit-any\n/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/2e0c00e1aa134082ba1380bf3afb8b1641f60fed/src/_md.ts\n */\n/**\n * Internal Merkle-Damgard hash utils.\n * @module\n */\nimport { abytes, aexists, aoutput, clean, createView, numberToBigint, } from \"../utils/noble.js\";\n/** Choice: a ? b : c */\nexport function Chi(a, b, c) {\n return (a & b) ^ (~a & c);\n}\n/** Majority function, true if any two inputs is true. */\nexport function Maj(a, b, c) {\n return (a & b) ^ (a & c) ^ (b & c);\n}\n/**\n * Merkle-Damgard hash construction base class.\n * Could be used to create MD5, RIPEMD, SHA1, SHA2.\n */\nexport class HashMD {\n constructor(blockLen, outputLen, padOffset, isLE) {\n Object.defineProperty(this, \"blockLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"outputLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"padOffset\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"isLE\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // For partial updates less than block size\n Object.defineProperty(this, \"buffer\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"view\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"finished\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"length\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"pos\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"destroyed\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n this.blockLen = blockLen;\n this.outputLen = outputLen;\n this.padOffset = padOffset;\n this.isLE = isLE;\n this.buffer = new Uint8Array(blockLen);\n this.view = createView(this.buffer);\n }\n update(data) {\n aexists(this);\n abytes(data);\n const { view, buffer, blockLen } = this;\n const len = data.length;\n for (let pos = 0; pos < len;) {\n const take = Math.min(blockLen - this.pos, len - pos);\n // Fast path: we have at least one block in input, cast it to view and process\n if (take === blockLen) {\n const dataView = createView(data);\n for (; blockLen <= len - pos; pos += blockLen) {\n this.process(dataView, pos);\n }\n continue;\n }\n buffer.set(data.subarray(pos, pos + take), this.pos);\n this.pos += take;\n pos += take;\n if (this.pos === blockLen) {\n this.process(view, 0);\n this.pos = 0;\n }\n }\n this.length += data.length;\n this.roundClean();\n return this;\n }\n digestInto(out) {\n aexists(this);\n aoutput(out, this);\n this.finished = true;\n // Padding\n // We can avoid allocation of buffer for padding completely if it\n // was previously not allocated here. But it won't change performance.\n const { buffer, view, blockLen, isLE } = this;\n let { pos } = this;\n // append the bit '1' to the message\n buffer[pos++] = 0b10000000;\n clean(this.buffer.subarray(pos));\n // we have less than padOffset left in buffer, so we cannot put length in\n // current block, need process it and pad again\n if (this.padOffset > blockLen - pos) {\n this.process(view, 0);\n pos = 0;\n }\n // Pad until full block byte with zeros\n for (let i = pos; i < blockLen; i++)\n buffer[i] = 0;\n // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that\n // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.\n // So we just write lowest 64 bits of that value.\n view.setBigUint64(blockLen - 8, numberToBigint(this.length * 8), isLE);\n this.process(view, 0);\n const oview = createView(out);\n const len = this.outputLen;\n // NOTE: we do division by 4 later, which must be fused in single op with modulo by JIT\n if (len % 4)\n throw new Error(\"_sha2: outputLen must be aligned to 32bit\");\n const outLen = len / 4;\n const state = this.get();\n if (outLen > state.length) {\n throw new Error(\"_sha2: outputLen bigger than state\");\n }\n for (let i = 0; i < outLen; i++)\n oview.setUint32(4 * i, state[i], isLE);\n }\n digest() {\n const { buffer, outputLen } = this;\n this.digestInto(buffer);\n const res = buffer.slice(0, outputLen);\n this.destroy();\n return res;\n }\n _cloneInto(to) {\n to ||= new this.constructor();\n to.set(...this.get());\n const { blockLen, buffer, length, finished, destroyed, pos } = this;\n to.destroyed = destroyed;\n to.finished = finished;\n to.length = length;\n to.pos = pos;\n if (length % blockLen)\n to.buffer.set(buffer);\n return to;\n }\n clone() {\n return this._cloneInto();\n }\n}\n/**\n * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.\n * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.\n */\n/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */\nexport const SHA256_IV = /* @__PURE__ */ Uint32Array.from([\n 0x6a09e667,\n 0xbb67ae85,\n 0x3c6ef372,\n 0xa54ff53a,\n 0x510e527f,\n 0x9b05688c,\n 0x1f83d9ab,\n 0x5be0cd19,\n]);\n/** Initial SHA384 state. Bits 0..64 of frac part of sqrt of primes 23..53 */\nexport const SHA384_IV = /* @__PURE__ */ Uint32Array.from([\n 0xcbbb9d5d,\n 0xc1059ed8,\n 0x629a292a,\n 0x367cd507,\n 0x9159015a,\n 0x3070dd17,\n 0x152fecd8,\n 0xf70e5939,\n 0x67332667,\n 0xffc00b31,\n 0x8eb44a87,\n 0x68581511,\n 0xdb0c2e0d,\n 0x64f98fa7,\n 0x47b5481d,\n 0xbefa4fa4,\n]);\n/** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */\nexport const SHA512_IV = /* @__PURE__ */ Uint32Array.from([\n 0x6a09e667,\n 0xf3bcc908,\n 0xbb67ae85,\n 0x84caa73b,\n 0x3c6ef372,\n 0xfe94f82b,\n 0xa54ff53a,\n 0x5f1d36f1,\n 0x510e527f,\n 0xade682d1,\n 0x9b05688c,\n 0x2b3e6c1f,\n 0x1f83d9ab,\n 0xfb41bd6b,\n 0x5be0cd19,\n 0x137e2179,\n]);\n", "/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/4e358a46d682adfb005ae6314ec999f2513086b9/src/_u64.ts\n */\n/**\n * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.\n * @todo re-check https://issues.chromium.org/issues/42212588\n * @module\n */\nconst U32_MASK64 = 0xffffffffn;\nconst _32n = 32n;\nfunction fromBig(n, le = false) {\n if (le) {\n return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };\n }\n return {\n h: Number((n >> _32n) & U32_MASK64) | 0,\n l: Number(n & U32_MASK64) | 0,\n };\n}\nfunction split(lst, le = false) {\n const len = lst.length;\n const Ah = new Uint32Array(len);\n const Al = new Uint32Array(len);\n for (let i = 0; i < len; i++) {\n const { h, l } = fromBig(lst[i], le);\n [Ah[i], Al[i]] = [h, l];\n }\n return [Ah, Al];\n}\nconst toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);\n// for Shift in [0, 32)\nconst shrSH = (h, _l, s) => h >>> s;\nconst shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in [1, 32)\nconst rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));\nconst rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));\nconst rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));\n// Right rotate for shift===32 (just swaps l&h)\nconst rotr32H = (_h, l) => l;\nconst rotr32L = (h, _l) => h;\n// Left rotate for Shift in [1, 32)\nconst rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));\nconst rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));\n// Left rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));\nconst rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));\n// JS uses 32-bit signed integers for bitwise operations which means we cannot\n// simple take carry out of low bit sum by shift, we need to use division.\nfunction add(Ah, Al, Bh, Bl) {\n const l = (Al >>> 0) + (Bl >>> 0);\n return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };\n}\n// Addition with more than 2 elements\nconst add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);\nconst add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;\nconst add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);\nconst add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;\nconst add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);\nconst add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;\n// prettier-ignore\nexport { add, add3H, add3L, add4H, add4L, add5H, add5L, fromBig, rotlBH, rotlBL, rotlSH, rotlSL, rotr32H, rotr32L, rotrBH, rotrBL, rotrSH, rotrSL, shrSH, shrSL, split, toBig, };\n// prettier-ignore\nconst u64 = {\n fromBig,\n split,\n toBig,\n shrSH,\n shrSL,\n rotrSH,\n rotrSL,\n rotrBH,\n rotrBL,\n rotr32H,\n rotr32L,\n rotlSH,\n rotlSL,\n rotlBH,\n rotlBL,\n add,\n add3L,\n add3H,\n add4L,\n add4H,\n add5H,\n add5L,\n};\nexport default u64;\n", "/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/2e0c00e1aa134082ba1380bf3afb8b1641f60fed/src/sha2.ts\n */\n/**\n * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.\n * SHA256 is the fastest hash implementable in JS, even faster than Blake3.\n * Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and\n * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).\n * @module\n */\nimport { Chi, HashMD, Maj, SHA256_IV, SHA384_IV, SHA512_IV } from \"./md.js\";\nimport * as u64 from \"./u64.js\";\nimport { clean, oidNist, rotr } from \"../utils/noble.js\";\nimport { createHasher } from \"./hash.js\";\n/**\n * Round constants:\n * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)\n */\nconst SHA256_K = /* @__PURE__ */ Uint32Array.from([\n 0x428a2f98,\n 0x71374491,\n 0xb5c0fbcf,\n 0xe9b5dba5,\n 0x3956c25b,\n 0x59f111f1,\n 0x923f82a4,\n 0xab1c5ed5,\n 0xd807aa98,\n 0x12835b01,\n 0x243185be,\n 0x550c7dc3,\n 0x72be5d74,\n 0x80deb1fe,\n 0x9bdc06a7,\n 0xc19bf174,\n 0xe49b69c1,\n 0xefbe4786,\n 0x0fc19dc6,\n 0x240ca1cc,\n 0x2de92c6f,\n 0x4a7484aa,\n 0x5cb0a9dc,\n 0x76f988da,\n 0x983e5152,\n 0xa831c66d,\n 0xb00327c8,\n 0xbf597fc7,\n 0xc6e00bf3,\n 0xd5a79147,\n 0x06ca6351,\n 0x14292967,\n 0x27b70a85,\n 0x2e1b2138,\n 0x4d2c6dfc,\n 0x53380d13,\n 0x650a7354,\n 0x766a0abb,\n 0x81c2c92e,\n 0x92722c85,\n 0xa2bfe8a1,\n 0xa81a664b,\n 0xc24b8b70,\n 0xc76c51a3,\n 0xd192e819,\n 0xd6990624,\n 0xf40e3585,\n 0x106aa070,\n 0x19a4c116,\n 0x1e376c08,\n 0x2748774c,\n 0x34b0bcb5,\n 0x391c0cb3,\n 0x4ed8aa4a,\n 0x5b9cca4f,\n 0x682e6ff3,\n 0x748f82ee,\n 0x78a5636f,\n 0x84c87814,\n 0x8cc70208,\n 0x90befffa,\n 0xa4506ceb,\n 0xbef9a3f7,\n 0xc67178f2,\n]);\n/** Reusable temporary buffer. \"W\" comes straight from spec. */\nconst SHA256_W = /* @__PURE__ */ new Uint32Array(64);\n/** Internal 32-byte base SHA2 hash class. */\nclass SHA2_32B extends HashMD {\n constructor(outputLen) {\n super(64, outputLen, 8, false);\n }\n get() {\n const { A, B, C, D, E, F, G, H } = this;\n return [A, B, C, D, E, F, G, H];\n }\n set(A, B, C, D, E, F, G, H) {\n this.A = A | 0;\n this.B = B | 0;\n this.C = C | 0;\n this.D = D | 0;\n this.E = E | 0;\n this.F = F | 0;\n this.G = G | 0;\n this.H = H | 0;\n }\n process(view, offset) {\n // Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array\n for (let i = 0; i < 16; i++, offset += 4) {\n SHA256_W[i] = view.getUint32(offset, false);\n }\n for (let i = 16; i < 64; i++) {\n const W15 = SHA256_W[i - 15];\n const W2 = SHA256_W[i - 2];\n const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);\n const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);\n SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;\n }\n // Compression function main loop, 64 rounds\n let { A, B, C, D, E, F, G, H } = this;\n for (let i = 0; i < 64; i++) {\n const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);\n const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;\n const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);\n const T2 = (sigma0 + Maj(A, B, C)) | 0;\n H = G;\n G = F;\n F = E;\n E = (D + T1) | 0;\n D = C;\n C = B;\n B = A;\n A = (T1 + T2) | 0;\n }\n // Add the compressed chunk to the current hash value\n A = (A + this.A) | 0;\n B = (B + this.B) | 0;\n C = (C + this.C) | 0;\n D = (D + this.D) | 0;\n E = (E + this.E) | 0;\n F = (F + this.F) | 0;\n G = (G + this.G) | 0;\n H = (H + this.H) | 0;\n this.set(A, B, C, D, E, F, G, H);\n }\n roundClean() {\n clean(SHA256_W);\n }\n destroy() {\n this.set(0, 0, 0, 0, 0, 0, 0, 0);\n clean(this.buffer);\n }\n}\n/** Internal SHA2-256 hash class. */\nexport class _SHA256 extends SHA2_32B {\n constructor() {\n super(32);\n // We cannot use array here since array allows indexing by variable\n // which means optimizer/compiler cannot use registers.\n Object.defineProperty(this, \"A\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[0] | 0\n });\n Object.defineProperty(this, \"B\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[1] | 0\n });\n Object.defineProperty(this, \"C\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[2] | 0\n });\n Object.defineProperty(this, \"D\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[3] | 0\n });\n Object.defineProperty(this, \"E\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[4] | 0\n });\n Object.defineProperty(this, \"F\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[5] | 0\n });\n Object.defineProperty(this, \"G\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[6] | 0\n });\n Object.defineProperty(this, \"H\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA256_IV[7] | 0\n });\n }\n}\n// SHA2-512 is slower than sha256 in js because u64 operations are slow.\n// Round contants\n// First 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409\nconst K512 = /* @__PURE__ */ (() => u64.split([\n 0x428a2f98d728ae22n,\n 0x7137449123ef65cdn,\n 0xb5c0fbcfec4d3b2fn,\n 0xe9b5dba58189dbbcn,\n 0x3956c25bf348b538n,\n 0x59f111f1b605d019n,\n 0x923f82a4af194f9bn,\n 0xab1c5ed5da6d8118n,\n 0xd807aa98a3030242n,\n 0x12835b0145706fben,\n 0x243185be4ee4b28cn,\n 0x550c7dc3d5ffb4e2n,\n 0x72be5d74f27b896fn,\n 0x80deb1fe3b1696b1n,\n 0x9bdc06a725c71235n,\n 0xc19bf174cf692694n,\n 0xe49b69c19ef14ad2n,\n 0xefbe4786384f25e3n,\n 0x0fc19dc68b8cd5b5n,\n 0x240ca1cc77ac9c65n,\n 0x2de92c6f592b0275n,\n 0x4a7484aa6ea6e483n,\n 0x5cb0a9dcbd41fbd4n,\n 0x76f988da831153b5n,\n 0x983e5152ee66dfabn,\n 0xa831c66d2db43210n,\n 0xb00327c898fb213fn,\n 0xbf597fc7beef0ee4n,\n 0xc6e00bf33da88fc2n,\n 0xd5a79147930aa725n,\n 0x06ca6351e003826fn,\n 0x142929670a0e6e70n,\n 0x27b70a8546d22ffcn,\n 0x2e1b21385c26c926n,\n 0x4d2c6dfc5ac42aedn,\n 0x53380d139d95b3dfn,\n 0x650a73548baf63den,\n 0x766a0abb3c77b2a8n,\n 0x81c2c92e47edaee6n,\n 0x92722c851482353bn,\n 0xa2bfe8a14cf10364n,\n 0xa81a664bbc423001n,\n 0xc24b8b70d0f89791n,\n 0xc76c51a30654be30n,\n 0xd192e819d6ef5218n,\n 0xd69906245565a910n,\n 0xf40e35855771202an,\n 0x106aa07032bbd1b8n,\n 0x19a4c116b8d2d0c8n,\n 0x1e376c085141ab53n,\n 0x2748774cdf8eeb99n,\n 0x34b0bcb5e19b48a8n,\n 0x391c0cb3c5c95a63n,\n 0x4ed8aa4ae3418acbn,\n 0x5b9cca4f7763e373n,\n 0x682e6ff3d6b2b8a3n,\n 0x748f82ee5defb2fcn,\n 0x78a5636f43172f60n,\n 0x84c87814a1f0ab72n,\n 0x8cc702081a6439ecn,\n 0x90befffa23631e28n,\n 0xa4506cebde82bde9n,\n 0xbef9a3f7b2c67915n,\n 0xc67178f2e372532bn,\n 0xca273eceea26619cn,\n 0xd186b8c721c0c207n,\n 0xeada7dd6cde0eb1en,\n 0xf57d4f7fee6ed178n,\n 0x06f067aa72176fban,\n 0x0a637dc5a2c898a6n,\n 0x113f9804bef90daen,\n 0x1b710b35131c471bn,\n 0x28db77f523047d84n,\n 0x32caab7b40c72493n,\n 0x3c9ebe0a15c9bebcn,\n 0x431d67c49c100d4cn,\n 0x4cc5d4becb3e42b6n,\n 0x597f299cfc657e2an,\n 0x5fcb6fab3ad6faecn,\n 0x6c44198c4a475817n,\n]))();\nconst SHA512_Kh = /* @__PURE__ */ (() => K512[0])();\nconst SHA512_Kl = /* @__PURE__ */ (() => K512[1])();\n// Reusable temporary buffers\nconst SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);\nconst SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);\n/** Internal 64-byte base SHA2 hash class. */\nclass SHA2_64B extends HashMD {\n constructor(outputLen) {\n super(128, outputLen, 16, false);\n }\n get() {\n const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;\n return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];\n }\n set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {\n this.Ah = Ah | 0;\n this.Al = Al | 0;\n this.Bh = Bh | 0;\n this.Bl = Bl | 0;\n this.Ch = Ch | 0;\n this.Cl = Cl | 0;\n this.Dh = Dh | 0;\n this.Dl = Dl | 0;\n this.Eh = Eh | 0;\n this.El = El | 0;\n this.Fh = Fh | 0;\n this.Fl = Fl | 0;\n this.Gh = Gh | 0;\n this.Gl = Gl | 0;\n this.Hh = Hh | 0;\n this.Hl = Hl | 0;\n }\n process(view, offset) {\n // Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array\n for (let i = 0; i < 16; i++, offset += 4) {\n SHA512_W_H[i] = view.getUint32(offset);\n SHA512_W_L[i] = view.getUint32(offset += 4);\n }\n for (let i = 16; i < 80; i++) {\n // s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)\n const W15h = SHA512_W_H[i - 15] | 0;\n const W15l = SHA512_W_L[i - 15] | 0;\n const s0h = u64.rotrSH(W15h, W15l, 1) ^ u64.rotrSH(W15h, W15l, 8) ^\n u64.shrSH(W15h, W15l, 7);\n const s0l = u64.rotrSL(W15h, W15l, 1) ^ u64.rotrSL(W15h, W15l, 8) ^\n u64.shrSL(W15h, W15l, 7);\n // s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)\n const W2h = SHA512_W_H[i - 2] | 0;\n const W2l = SHA512_W_L[i - 2] | 0;\n const s1h = u64.rotrSH(W2h, W2l, 19) ^ u64.rotrBH(W2h, W2l, 61) ^\n u64.shrSH(W2h, W2l, 6);\n const s1l = u64.rotrSL(W2h, W2l, 19) ^ u64.rotrBL(W2h, W2l, 61) ^\n u64.shrSL(W2h, W2l, 6);\n // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];\n const SUMl = u64.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);\n const SUMh = u64.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);\n SHA512_W_H[i] = SUMh | 0;\n SHA512_W_L[i] = SUMl | 0;\n }\n let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;\n // Compression function main loop, 80 rounds\n for (let i = 0; i < 80; i++) {\n // S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)\n const sigma1h = u64.rotrSH(Eh, El, 14) ^ u64.rotrSH(Eh, El, 18) ^\n u64.rotrBH(Eh, El, 41);\n const sigma1l = u64.rotrSL(Eh, El, 14) ^ u64.rotrSL(Eh, El, 18) ^\n u64.rotrBL(Eh, El, 41);\n //const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;\n const CHIh = (Eh & Fh) ^ (~Eh & Gh);\n const CHIl = (El & Fl) ^ (~El & Gl);\n // T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]\n const T1ll = u64.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);\n const T1h = u64.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);\n const T1l = T1ll | 0;\n // S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)\n const sigma0h = u64.rotrSH(Ah, Al, 28) ^ u64.rotrBH(Ah, Al, 34) ^\n u64.rotrBH(Ah, Al, 39);\n const sigma0l = u64.rotrSL(Ah, Al, 28) ^ u64.rotrBL(Ah, Al, 34) ^\n u64.rotrBL(Ah, Al, 39);\n const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);\n const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);\n Hh = Gh | 0;\n Hl = Gl | 0;\n Gh = Fh | 0;\n Gl = Fl | 0;\n Fh = Eh | 0;\n Fl = El | 0;\n ({ h: Eh, l: El } = u64.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));\n Dh = Ch | 0;\n Dl = Cl | 0;\n Ch = Bh | 0;\n Cl = Bl | 0;\n Bh = Ah | 0;\n Bl = Al | 0;\n const All = u64.add3L(T1l, sigma0l, MAJl);\n Ah = u64.add3H(All, T1h, sigma0h, MAJh);\n Al = All | 0;\n }\n // Add the compressed chunk to the current hash value\n ({ h: Ah, l: Al } = u64.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));\n ({ h: Bh, l: Bl } = u64.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));\n ({ h: Ch, l: Cl } = u64.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));\n ({ h: Dh, l: Dl } = u64.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));\n ({ h: Eh, l: El } = u64.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));\n ({ h: Fh, l: Fl } = u64.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));\n ({ h: Gh, l: Gl } = u64.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));\n ({ h: Hh, l: Hl } = u64.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));\n this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);\n }\n roundClean() {\n clean(SHA512_W_H, SHA512_W_L);\n }\n destroy() {\n clean(this.buffer);\n this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);\n }\n}\n/** Internal SHA2-512 hash class. */\nexport class _SHA512 extends SHA2_64B {\n constructor() {\n super(64);\n Object.defineProperty(this, \"Ah\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[0] | 0\n });\n Object.defineProperty(this, \"Al\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[1] | 0\n });\n Object.defineProperty(this, \"Bh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[2] | 0\n });\n Object.defineProperty(this, \"Bl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[3] | 0\n });\n Object.defineProperty(this, \"Ch\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[4] | 0\n });\n Object.defineProperty(this, \"Cl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[5] | 0\n });\n Object.defineProperty(this, \"Dh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[6] | 0\n });\n Object.defineProperty(this, \"Dl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[7] | 0\n });\n Object.defineProperty(this, \"Eh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[8] | 0\n });\n Object.defineProperty(this, \"El\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[9] | 0\n });\n Object.defineProperty(this, \"Fh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[10] | 0\n });\n Object.defineProperty(this, \"Fl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[11] | 0\n });\n Object.defineProperty(this, \"Gh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[12] | 0\n });\n Object.defineProperty(this, \"Gl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[13] | 0\n });\n Object.defineProperty(this, \"Hh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[14] | 0\n });\n Object.defineProperty(this, \"Hl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA512_IV[15] | 0\n });\n }\n}\nexport class _SHA384 extends SHA2_64B {\n constructor() {\n super(48);\n Object.defineProperty(this, \"Ah\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[0] | 0\n });\n Object.defineProperty(this, \"Al\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[1] | 0\n });\n Object.defineProperty(this, \"Bh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[2] | 0\n });\n Object.defineProperty(this, \"Bl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[3] | 0\n });\n Object.defineProperty(this, \"Ch\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[4] | 0\n });\n Object.defineProperty(this, \"Cl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[5] | 0\n });\n Object.defineProperty(this, \"Dh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[6] | 0\n });\n Object.defineProperty(this, \"Dl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[7] | 0\n });\n Object.defineProperty(this, \"Eh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[8] | 0\n });\n Object.defineProperty(this, \"El\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[9] | 0\n });\n Object.defineProperty(this, \"Fh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[10] | 0\n });\n Object.defineProperty(this, \"Fl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[11] | 0\n });\n Object.defineProperty(this, \"Gh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[12] | 0\n });\n Object.defineProperty(this, \"Gl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[13] | 0\n });\n Object.defineProperty(this, \"Hh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[14] | 0\n });\n Object.defineProperty(this, \"Hl\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: SHA384_IV[15] | 0\n });\n }\n}\n/**\n * SHA2-256 hash function from RFC 4634. In JS it's the fastest: even faster than Blake3. Some info:\n *\n * - Trying 2^128 hashes would get 50% chance of collision, using birthday attack.\n * - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.\n * - Each sha256 hash is executing 2^18 bit operations.\n * - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.\n */\nexport const sha256 = /* @__PURE__ */ createHasher(() => new _SHA256(), \n/* @__PURE__ */ oidNist(0x01));\n/** SHA2-512 hash function from RFC 4634. */\nexport const sha512 = /* @__PURE__ */ createHasher(() => new _SHA512(), \n/* @__PURE__ */ oidNist(0x03));\n/** SHA2-384 hash function from RFC 4634. */\nexport const sha384 = /* @__PURE__ */ createHasher(() => new _SHA384(), \n/* @__PURE__ */ oidNist(0x02));\n", "/**\n * This file is based on noble-hashes (https://github.com/paulmillr/noble-hashes).\n *\n * noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-hashes/blob/4e358a46d682adfb005ae6314ec999f2513086b9/src/sha3.ts\n */\n/**\n * SHA3 (keccak) hash function, based on a new \"Sponge function\" design.\n * Different from older hashes, the internal state is bigger than output size.\n *\n * Check out [FIPS-202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf),\n * [Website](https://keccak.team/keccak.html),\n * [the differences between SHA-3 and Keccak](https://crypto.stackexchange.com/questions/15727/what-are-the-key-differences-between-the-draft-sha-3-standard-and-the-keccak-sub).\n *\n * Check out `sha3-addons` module for cSHAKE, k12, and others.\n * @module\n */\nimport { rotlBH, rotlBL, rotlSH, rotlSL, split } from \"./u64.js\";\nimport { abytes, aexists, anumber, aoutput, clean, oidNist, swap32IfBE, u32, } from \"../utils/noble.js\";\nimport { createHasher, } from \"./hash.js\";\n// No __PURE__ annotations in sha3 header:\n// EVERYTHING is in fact used on every export.\n// Various per round constants calculations\nconst _0n = 0n;\nconst _1n = 1n;\nconst _2n = 2n;\nconst _7n = 7n;\nconst _256n = 256n;\nconst _0x71n = 0x71n;\nconst SHA3_PI = [];\nconst SHA3_ROTL = [];\nconst _SHA3_IOTA = []; // no pure annotation: var is always used\nfor (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {\n // Pi\n [x, y] = [y, (2 * x + 3 * y) % 5];\n SHA3_PI.push(2 * (5 * y + x));\n // Rotational\n SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);\n // Iota\n let t = _0n;\n for (let j = 0; j < 7; j++) {\n R = ((R << _1n) ^ ((R >> _7n) * _0x71n)) % _256n;\n if (R & _2n)\n t ^= _1n << ((_1n << BigInt(j)) - _1n);\n }\n _SHA3_IOTA.push(t);\n}\nconst IOTAS = split(_SHA3_IOTA, true);\nconst SHA3_IOTA_H = IOTAS[0];\nconst SHA3_IOTA_L = IOTAS[1];\n// Left rotation (without 0, 32, 64)\nconst rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));\nconst rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));\n/** `keccakf1600` internal function, additionally allows to adjust round count. */\nexport function keccakP(s, rounds = 24, B) {\n if (!B)\n B = new Uint32Array(10);\n // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)\n for (let round = 24 - rounds; round < 24; round++) {\n // Theta \u03B8\n for (let x = 0; x < 10; x++) {\n B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];\n }\n // for (let x = 0; x < 10; x += 2) {\n // const idx1 = (x + 8) % 10;\n // const idx0 = (x + 2) % 10;\n // const B0 = B[idx0];\n // const B1 = B[idx0 + 1];\n // const Th = rotlH(B0, B1, 1) ^ B[idx1];\n // const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];\n // for (let y = 0; y < 50; y += 10) {\n // s[x + y] ^= Th;\n // s[x + y + 1] ^= Tl;\n // }\n // }\n { // x=0: idx0=2, idx1=8\n const Th = rotlH(B[2], B[3], 1) ^ B[8];\n const Tl = rotlL(B[2], B[3], 1) ^ B[9];\n s[0] ^= Th;\n s[1] ^= Tl;\n s[10] ^= Th;\n s[11] ^= Tl;\n s[20] ^= Th;\n s[21] ^= Tl;\n s[30] ^= Th;\n s[31] ^= Tl;\n s[40] ^= Th;\n s[41] ^= Tl;\n }\n { // x=2: idx0=4, idx1=0\n const Th = rotlH(B[4], B[5], 1) ^ B[0];\n const Tl = rotlL(B[4], B[5], 1) ^ B[1];\n s[2] ^= Th;\n s[3] ^= Tl;\n s[12] ^= Th;\n s[13] ^= Tl;\n s[22] ^= Th;\n s[23] ^= Tl;\n s[32] ^= Th;\n s[33] ^= Tl;\n s[42] ^= Th;\n s[43] ^= Tl;\n }\n { // x=4: idx0=6, idx1=2\n const Th = rotlH(B[6], B[7], 1) ^ B[2];\n const Tl = rotlL(B[6], B[7], 1) ^ B[3];\n s[4] ^= Th;\n s[5] ^= Tl;\n s[14] ^= Th;\n s[15] ^= Tl;\n s[24] ^= Th;\n s[25] ^= Tl;\n s[34] ^= Th;\n s[35] ^= Tl;\n s[44] ^= Th;\n s[45] ^= Tl;\n }\n { // x=6: idx0=8, idx1=4\n const Th = rotlH(B[8], B[9], 1) ^ B[4];\n const Tl = rotlL(B[8], B[9], 1) ^ B[5];\n s[6] ^= Th;\n s[7] ^= Tl;\n s[16] ^= Th;\n s[17] ^= Tl;\n s[26] ^= Th;\n s[27] ^= Tl;\n s[36] ^= Th;\n s[37] ^= Tl;\n s[46] ^= Th;\n s[47] ^= Tl;\n }\n { // x=8: idx0=0, idx1=6\n const Th = rotlH(B[0], B[1], 1) ^ B[6];\n const Tl = rotlL(B[0], B[1], 1) ^ B[7];\n s[8] ^= Th;\n s[9] ^= Tl;\n s[18] ^= Th;\n s[19] ^= Tl;\n s[28] ^= Th;\n s[29] ^= Tl;\n s[38] ^= Th;\n s[39] ^= Tl;\n s[48] ^= Th;\n s[49] ^= Tl;\n }\n // Rho (\u03C1) and Pi (\u03C0) \u2014 fully unrolled\n let curH = s[2];\n let curL = s[3];\n // for (let t = 0; t < 24; t++) {\n // const shift = SHA3_ROTL[t];\n // const Th = rotlH(curH, curL, shift);\n // const Tl = rotlL(curH, curL, shift);\n // const PI = SHA3_PI[t];\n // curH = s[PI];\n // curL = s[PI + 1];\n // s[PI] = Th;\n // s[PI + 1] = Tl;\n // }\n let Th, Tl;\n // t=0: shift=1(S), PI=20\n Th = rotlSH(curH, curL, 1);\n Tl = rotlSL(curH, curL, 1);\n curH = s[20];\n curL = s[21];\n s[20] = Th;\n s[21] = Tl;\n // t=1: shift=3(S), PI=14\n Th = rotlSH(curH, curL, 3);\n Tl = rotlSL(curH, curL, 3);\n curH = s[14];\n curL = s[15];\n s[14] = Th;\n s[15] = Tl;\n // t=2: shift=6(S), PI=22\n Th = rotlSH(curH, curL, 6);\n Tl = rotlSL(curH, curL, 6);\n curH = s[22];\n curL = s[23];\n s[22] = Th;\n s[23] = Tl;\n // t=3: shift=10(S), PI=34\n Th = rotlSH(curH, curL, 10);\n Tl = rotlSL(curH, curL, 10);\n curH = s[34];\n curL = s[35];\n s[34] = Th;\n s[35] = Tl;\n // t=4: shift=15(S), PI=36\n Th = rotlSH(curH, curL, 15);\n Tl = rotlSL(curH, curL, 15);\n curH = s[36];\n curL = s[37];\n s[36] = Th;\n s[37] = Tl;\n // t=5: shift=21(S), PI=6\n Th = rotlSH(curH, curL, 21);\n Tl = rotlSL(curH, curL, 21);\n curH = s[6];\n curL = s[7];\n s[6] = Th;\n s[7] = Tl;\n // t=6: shift=28(S), PI=10\n Th = rotlSH(curH, curL, 28);\n Tl = rotlSL(curH, curL, 28);\n curH = s[10];\n curL = s[11];\n s[10] = Th;\n s[11] = Tl;\n // t=7: shift=36(B), PI=32\n Th = rotlBH(curH, curL, 36);\n Tl = rotlBL(curH, curL, 36);\n curH = s[32];\n curL = s[33];\n s[32] = Th;\n s[33] = Tl;\n // t=8: shift=45(B), PI=16\n Th = rotlBH(curH, curL, 45);\n Tl = rotlBL(curH, curL, 45);\n curH = s[16];\n curL = s[17];\n s[16] = Th;\n s[17] = Tl;\n // t=9: shift=55(B), PI=42\n Th = rotlBH(curH, curL, 55);\n Tl = rotlBL(curH, curL, 55);\n curH = s[42];\n curL = s[43];\n s[42] = Th;\n s[43] = Tl;\n // t=10: shift=2(S), PI=48\n Th = rotlSH(curH, curL, 2);\n Tl = rotlSL(curH, curL, 2);\n curH = s[48];\n curL = s[49];\n s[48] = Th;\n s[49] = Tl;\n // t=11: shift=14(S), PI=8\n Th = rotlSH(curH, curL, 14);\n Tl = rotlSL(curH, curL, 14);\n curH = s[8];\n curL = s[9];\n s[8] = Th;\n s[9] = Tl;\n // t=12: shift=27(S), PI=30\n Th = rotlSH(curH, curL, 27);\n Tl = rotlSL(curH, curL, 27);\n curH = s[30];\n curL = s[31];\n s[30] = Th;\n s[31] = Tl;\n // t=13: shift=41(B), PI=46\n Th = rotlBH(curH, curL, 41);\n Tl = rotlBL(curH, curL, 41);\n curH = s[46];\n curL = s[47];\n s[46] = Th;\n s[47] = Tl;\n // t=14: shift=56(B), PI=38\n Th = rotlBH(curH, curL, 56);\n Tl = rotlBL(curH, curL, 56);\n curH = s[38];\n curL = s[39];\n s[38] = Th;\n s[39] = Tl;\n // t=15: shift=8(S), PI=26\n Th = rotlSH(curH, curL, 8);\n Tl = rotlSL(curH, curL, 8);\n curH = s[26];\n curL = s[27];\n s[26] = Th;\n s[27] = Tl;\n // t=16: shift=25(S), PI=24\n Th = rotlSH(curH, curL, 25);\n Tl = rotlSL(curH, curL, 25);\n curH = s[24];\n curL = s[25];\n s[24] = Th;\n s[25] = Tl;\n // t=17: shift=43(B), PI=4\n Th = rotlBH(curH, curL, 43);\n Tl = rotlBL(curH, curL, 43);\n curH = s[4];\n curL = s[5];\n s[4] = Th;\n s[5] = Tl;\n // t=18: shift=62(B), PI=40\n Th = rotlBH(curH, curL, 62);\n Tl = rotlBL(curH, curL, 62);\n curH = s[40];\n curL = s[41];\n s[40] = Th;\n s[41] = Tl;\n // t=19: shift=18(S), PI=28\n Th = rotlSH(curH, curL, 18);\n Tl = rotlSL(curH, curL, 18);\n curH = s[28];\n curL = s[29];\n s[28] = Th;\n s[29] = Tl;\n // t=20: shift=39(B), PI=44\n Th = rotlBH(curH, curL, 39);\n Tl = rotlBL(curH, curL, 39);\n curH = s[44];\n curL = s[45];\n s[44] = Th;\n s[45] = Tl;\n // t=21: shift=61(B), PI=18\n Th = rotlBH(curH, curL, 61);\n Tl = rotlBL(curH, curL, 61);\n curH = s[18];\n curL = s[19];\n s[18] = Th;\n s[19] = Tl;\n // t=22: shift=20(S), PI=12\n Th = rotlSH(curH, curL, 20);\n Tl = rotlSL(curH, curL, 20);\n curH = s[12];\n curL = s[13];\n s[12] = Th;\n s[13] = Tl;\n // t=23: shift=44(B), PI=2\n Th = rotlBH(curH, curL, 44);\n Tl = rotlBL(curH, curL, 44);\n s[2] = Th;\n s[3] = Tl;\n // Chi (\u03C7)\n for (let y = 0; y < 50; y += 10) {\n B[0] = s[y];\n B[1] = s[y + 1];\n B[2] = s[y + 2];\n B[3] = s[y + 3];\n B[4] = s[y + 4];\n B[5] = s[y + 5];\n B[6] = s[y + 6];\n B[7] = s[y + 7];\n B[8] = s[y + 8];\n B[9] = s[y + 9];\n s[y + 0] ^= ~B[2] & B[4];\n s[y + 1] ^= ~B[3] & B[5];\n s[y + 2] ^= ~B[4] & B[6];\n s[y + 3] ^= ~B[5] & B[7];\n s[y + 4] ^= ~B[6] & B[8];\n s[y + 5] ^= ~B[7] & B[9];\n s[y + 6] ^= ~B[8] & B[0];\n s[y + 7] ^= ~B[9] & B[1];\n s[y + 8] ^= ~B[0] & B[2];\n s[y + 9] ^= ~B[1] & B[3];\n }\n // Iota (\u03B9)\n s[0] ^= SHA3_IOTA_H[round];\n s[1] ^= SHA3_IOTA_L[round];\n }\n}\n/** Keccak sponge function. */\nexport class Keccak {\n // NOTE: we accept arguments in bytes instead of bits here.\n constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {\n Object.defineProperty(this, \"state\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"pos\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"posOut\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"finished\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"state32\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"destroyed\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"_B\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: new Uint32Array(10)\n });\n Object.defineProperty(this, \"blockLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"suffix\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"outputLen\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"enableXOF\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: false\n });\n Object.defineProperty(this, \"rounds\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.blockLen = blockLen;\n this.suffix = suffix;\n this.outputLen = outputLen;\n this.enableXOF = enableXOF;\n this.rounds = rounds;\n // Can be passed from user as dkLen\n anumber(outputLen, \"outputLen\");\n // 1600 = 5x5 matrix of 64bit. 1600 bits === 200 bytes\n // 0 < blockLen < 200\n if (!(0 < blockLen && blockLen < 200)) {\n throw new Error(\"only keccak-f1600 function is supported\");\n }\n this.state = new Uint8Array(200);\n this.state32 = u32(this.state);\n }\n clone() {\n return this._cloneInto();\n }\n /** Resets instance to initial (empty) state for reuse. */\n reset() {\n this.state.fill(0);\n this.pos = 0;\n this.posOut = 0;\n this.finished = false;\n this.destroyed = false;\n }\n keccak() {\n swap32IfBE(this.state32);\n keccakP(this.state32, this.rounds, this._B);\n swap32IfBE(this.state32);\n this.posOut = 0;\n this.pos = 0;\n }\n update(data) {\n aexists(this);\n abytes(data);\n return this.updateUnsafe(data);\n }\n /** Like update(), but skips validation. Caller must ensure valid state and input. */\n updateUnsafe(data) {\n const { blockLen, state } = this;\n const len = data.length;\n for (let pos = 0; pos < len;) {\n const take = Math.min(blockLen - this.pos, len - pos);\n for (let i = 0; i < take; i++)\n state[this.pos++] ^= data[pos++];\n if (this.pos === blockLen)\n this.keccak();\n }\n return this;\n }\n finish() {\n if (this.finished)\n return;\n this.finished = true;\n const { state, suffix, pos, blockLen } = this;\n // Do the padding\n state[pos] ^= suffix;\n if ((suffix & 0x80) !== 0 && pos === blockLen - 1)\n this.keccak();\n state[blockLen - 1] ^= 0x80;\n this.keccak();\n }\n writeInto(out) {\n aexists(this, false);\n abytes(out);\n return this.writeIntoUnsafe(out);\n }\n /** Like writeInto(), but skips validation. Caller must ensure valid state and output. */\n writeIntoUnsafe(out) {\n this.finish();\n const bufferOut = this.state;\n const { blockLen } = this;\n for (let pos = 0, len = out.length; pos < len;) {\n if (this.posOut >= blockLen)\n this.keccak();\n const take = Math.min(blockLen - this.posOut, len - pos);\n out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);\n this.posOut += take;\n pos += take;\n }\n return out;\n }\n xofInto(out) {\n // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF\n if (!this.enableXOF) {\n throw new Error(\"XOF is not possible for this instance\");\n }\n return this.writeInto(out);\n }\n xof(bytes) {\n anumber(bytes);\n return this.xofInto(new Uint8Array(bytes));\n }\n digestInto(out) {\n aoutput(out, this);\n if (this.finished)\n throw new Error(\"digest() was already called\");\n this.writeInto(out);\n this.destroy();\n return out;\n }\n digest() {\n return this.digestInto(new Uint8Array(this.outputLen));\n }\n destroy() {\n this.destroyed = true;\n clean(this.state);\n }\n _cloneInto(to) {\n const { blockLen, suffix, outputLen, rounds, enableXOF } = this;\n to ||= new Keccak(blockLen, suffix, outputLen, enableXOF, rounds);\n to.state32.set(this.state32);\n to.pos = this.pos;\n to.posOut = this.posOut;\n to.finished = this.finished;\n to.rounds = rounds;\n // Suffix can change in cSHAKE\n to.suffix = suffix;\n to.outputLen = outputLen;\n to.enableXOF = enableXOF;\n to.destroyed = this.destroyed;\n return to;\n }\n}\nconst genKeccak = (suffix, blockLen, outputLen, info = {}) => createHasher(() => new Keccak(blockLen, suffix, outputLen), info);\n// /** SHA3-224 hash function. */\n// export const sha3_224: CHash = /* @__PURE__ */ genKeccak(\n// 0x06,\n// 144,\n// 28,\n// /* @__PURE__ */ oidNist(0x07),\n// );\n/** SHA3-256 hash function. Different from keccak-256. */\nexport const sha3_256 = /* @__PURE__ */ genKeccak(0x06, 136, 32, \n/* @__PURE__ */ oidNist(0x08));\n/** SHA3-384 hash function. */\nexport const sha3_384 = /* @__PURE__ */ genKeccak(0x06, 104, 48, \n/* @__PURE__ */ oidNist(0x09));\n/** SHA3-512 hash function. */\nexport const sha3_512 = /* @__PURE__ */ genKeccak(0x06, 72, 64, \n/* @__PURE__ */ oidNist(0x0a));\n/** keccak-224 hash function. */\nexport const keccak_224 = /* @__PURE__ */ genKeccak(0x01, 144, 28);\n/** keccak-256 hash function. Different from SHA3-256. */\nexport const keccak_256 = /* @__PURE__ */ genKeccak(0x01, 136, 32);\n/** keccak-384 hash function. */\nexport const keccak_384 = /* @__PURE__ */ genKeccak(0x01, 104, 48);\n/** keccak-512 hash function. */\nexport const keccak_512 = /* @__PURE__ */ genKeccak(0x01, 72, 64);\nconst genShake = (suffix, blockLen, outputLen, info = {}) => createHasher((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true), info);\n/** SHAKE128 XOF with 128-bit security. */\nexport const shake128 = \n/* @__PURE__ */\ngenShake(0x1f, 168, 16, /* @__PURE__ */ oidNist(0x0b));\n/** SHAKE256 XOF with 256-bit security. */\nexport const shake256 = \n/* @__PURE__ */\ngenShake(0x1f, 136, 32, /* @__PURE__ */ oidNist(0x0c));\n// /** SHAKE128 XOF with 256-bit output (NIST version). */\n// export const shake128_32: CHashXOF<Keccak, ShakeOpts> =\n// /* @__PURE__ */\n// genShake(0x1f, 168, 32, /* @__PURE__ */ oidNist(0x0b));\n// /** SHAKE256 XOF with 512-bit output (NIST version). */\n// export const shake256_64: CHashXOF<Keccak, ShakeOpts> =\n// /* @__PURE__ */\n// genShake(0x1f, 136, 64, /* @__PURE__ */ oidNist(0x0c));\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/abstract/modular.ts\n */\n/**\n * Utils for modular division and fields.\n * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.\n * There is no division: it is replaced by modular multiplicative inverse.\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { N_0 } from \"../consts.js\";\n// Numbers aren't used in x25519 / x448 builds\n// Calculates a modulo b\nexport function mod(a, b) {\n const result = a % b;\n return result >= N_0 ? result : b + result;\n}\n/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */\nexport function pow2(x, power, modulo) {\n let res = x;\n while (power-- > N_0) {\n res *= res;\n res %= modulo;\n }\n return res;\n}\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/abstract/curve.ts\n */\nexport function createKeygen(\n// deno-lint-ignore ban-types\nrandomSecretKey, getPublicKey) {\n return function keygen(seed) {\n const secretKey = randomSecretKey(seed);\n return { secretKey, publicKey: getPublicKey(secretKey) };\n };\n}\n", "/**\n * This file is based on noble-curves (https://github.com/paulmillr/noble-curves).\n *\n * noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com)\n *\n * The original file is located at:\n * https://github.com/paulmillr/noble-curves/blob/b9d49d2b41d550571a0c5be443ecb62109fa3373/src/abstract/montgomery.ts\n */\n/**\n * Montgomery curve methods. It's not really whole montgomery curve,\n * just bunch of very specific methods for X25519 / X448 from\n * [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { abytes, aInRange, bytesToNumberLE, copyBytes, numberToBytesLE, randomBytesAsync, validateObject, } from \"../utils/noble.js\";\nimport { createKeygen } from \"./curve.js\";\nimport { mod } from \"./modular.js\";\nimport { N_0, N_1, N_2 } from \"../consts.js\";\nfunction validateOpts(curve) {\n validateObject(curve, {\n adjustScalarBytes: \"function\",\n powPminus2: \"function\",\n });\n return Object.freeze({ ...curve });\n}\nexport function montgomery(curveDef) {\n const CURVE = validateOpts(curveDef);\n const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;\n const is25519 = type === \"x25519\";\n if (!is25519 && type !== \"x448\")\n throw new Error(\"invalid type\");\n const randomBytes_ = rand || randomBytesAsync;\n const montgomeryBits = is25519 ? 255n : 448n;\n const fieldLen = is25519 ? 32 : 56;\n const Gu = is25519 ? 9n : 5n;\n // RFC 7748 #5:\n // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and\n // (156326 - 2) / 4 = 39081 for curve448/X448\n // const a = is25519 ? 156326n : 486662n;\n const a24 = is25519 ? 121665n : 39081n;\n // RFC: x25519 \"the resulting integer is of the form 2^254 plus\n // eight times a value between 0 and 2^251 - 1 (inclusive)\"\n // x448: \"2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)\"\n const minScalar = is25519 ? N_2 ** 254n : N_2 ** 447n;\n const maxAdded = is25519 ? 8n * N_2 ** 251n - N_1 : 4n * N_2 ** 445n - N_1;\n const maxScalar = minScalar + maxAdded + N_1; // (inclusive)\n const modP = (n) => mod(n, P);\n const GuBytes = encodeU(Gu);\n function encodeU(u) {\n return numberToBytesLE(modP(u), fieldLen);\n }\n function decodeU(u) {\n const _u = copyBytes(abytes(u, fieldLen, \"uCoordinate\"));\n // RFC: When receiving such an array, implementations of X25519\n // (but not X448) MUST mask the most significant bit in the final byte.\n if (is25519)\n _u[31] &= 127; // 0b0111_1111\n // RFC: Implementations MUST accept non-canonical values and process them as\n // if they had been reduced modulo the field prime. The non-canonical\n // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224\n // - 1 through 2^448 - 1 for X448.\n return modP(bytesToNumberLE(_u));\n }\n function decodeScalar(scalar) {\n return bytesToNumberLE(adjustScalarBytes(copyBytes(abytes(scalar, fieldLen, \"scalar\"))));\n }\n function scalarMult(scalar, u) {\n const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));\n // Some public keys are useless, of low-order. Curve author doesn't think\n // it needs to be validated, but we do it nonetheless.\n // https://cr.yp.to/ecdh.html#validate\n if (pu === N_0)\n throw new Error(\"invalid private or public key received\");\n return encodeU(pu);\n }\n // Computes public key from private. By doing scalar multiplication of base point.\n function scalarMultBase(scalar) {\n return scalarMult(scalar, GuBytes);\n }\n const getPublicKey = scalarMultBase;\n const getSharedSecret = scalarMult;\n // cswap from RFC7748 \"example code\"\n function cswap(swap, x_2, x_3) {\n // dummy = mask(swap) AND (x_2 XOR x_3)\n // Where mask(swap) is the all-1 or all-0 word of the same length as x_2\n // and x_3, computed, e.g., as mask(swap) = 0 - swap.\n const dummy = modP(swap * (x_2 - x_3));\n x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy\n x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy\n return { x_2, x_3 };\n }\n /**\n * Montgomery x-only multiplication ladder.\n * @param pointU u coordinate (x) on Montgomery Curve 25519\n * @param scalar by which the point would be multiplied\n * @returns new Point on Montgomery curve\n */\n function montgomeryLadder(u, scalar) {\n aInRange(\"u\", u, N_0, P);\n aInRange(\"scalar\", scalar, minScalar, maxScalar);\n const k = scalar;\n const x_1 = u;\n let x_2 = N_1;\n let z_2 = N_0;\n let x_3 = u;\n let z_3 = N_1;\n let swap = N_0;\n for (let t = montgomeryBits - 1n; t >= N_0; t--) {\n const k_t = (k >> t) & N_1;\n swap ^= k_t;\n ({ x_2, x_3 } = cswap(swap, x_2, x_3));\n ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));\n swap = k_t;\n const A = x_2 + z_2;\n const AA = modP(A * A);\n const B = x_2 - z_2;\n const BB = modP(B * B);\n const E = AA - BB;\n const C = x_3 + z_3;\n const D = x_3 - z_3;\n const DA = modP(D * A);\n const CB = modP(C * B);\n const dacb = DA + CB;\n const da_cb = DA - CB;\n x_3 = modP(dacb * dacb);\n z_3 = modP(x_1 * modP(da_cb * da_cb));\n x_2 = modP(AA * BB);\n z_2 = modP(E * (AA + modP(a24 * E)));\n }\n ({ x_2, x_3 } = cswap(swap, x_2, x_3));\n ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));\n const z2 = powPminus2(z_2); // `Fp.pow(x, P - N_2)` is much slower equivalent\n return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))\n }\n const lengths = {\n secretKey: fieldLen,\n publicKey: fieldLen,\n seed: fieldLen,\n };\n const randomSecretKey = async (seed) => {\n if (seed === undefined) {\n seed = await randomBytes_(fieldLen);\n }\n abytes(seed, lengths.seed, \"seed\");\n return seed;\n };\n const utils = { randomSecretKey };\n return Object.freeze({\n keygen: createKeygen(randomSecretKey, getPublicKey),\n getSharedSecret,\n getPublicKey,\n scalarMult,\n scalarMultBase,\n utils,\n GuBytes: GuBytes.slice(),\n lengths,\n });\n}\n", "export * from \"./src/errors.js\";\nexport { NativeAlgorithm } from \"./src/algorithm.js\";\nexport { AeadId, KdfId, KemId, Mode } from \"./src/identifiers.js\";\nexport { Dhkem } from \"./src/kems/dhkem.js\";\nexport { Ec } from \"./src/kems/dhkemPrimitives/ec.js\";\nexport { XCurveDhkemPrimitives } from \"./src/kems/dhkemPrimitives/xCurve.js\";\nexport { Hybridkem } from \"./src/kems/hybridkem.js\";\nexport { XCryptoKey } from \"./src/xCryptoKey.js\";\nexport { HkdfSha256Native, HkdfSha384Native, HkdfSha512Native, toArrayBuffer, toUint8Array, } from \"./src/kdfs/hkdf.js\";\nexport { AEAD_USAGES } from \"./src/interfaces/aeadEncryptionContext.js\";\nexport { KEM_USAGES } from \"./src/interfaces/dhkemPrimitives.js\";\nexport { LABEL_DKP_PRK, LABEL_SK } from \"./src/interfaces/dhkemPrimitives.js\";\nexport { SUITE_ID_HEADER_KEM } from \"./src/interfaces/kemInterface.js\";\nexport { EMPTY, INFO_LENGTH_LIMIT, INPUT_LENGTH_LIMIT, MINIMUM_PSK_LENGTH, } from \"./src/consts.js\";\nexport { base64UrlToBytes, concat, hexToBytes, i2Osp, isCryptoKeyPair, isDeno, isDenoV1, kemToKeyGenAlgorithm, loadCrypto, loadSubtleCrypto, xor, } from \"./src/utils/misc.js\";\nexport { abytes, aexists, anumber, aoutput, clean, copyBytes, createView, hexToNumber, isLE, numberToBigint, u32, } from \"./src/utils/noble.js\";\nexport { hmac } from \"./src/hash/hmac.js\";\nexport { sha256, sha384, sha512 } from \"./src/hash/sha2.js\";\nexport { sha3_256, sha3_384, sha3_512, shake128, shake256, } from \"./src/hash/sha3.js\";\nexport { mod, pow2 } from \"./src/curve/modular.js\";\nexport { montgomery } from \"./src/curve/montgomery.js\";\n", "import { AEAD_USAGES, AeadId, NativeAlgorithm } from \"@hpke/common\";\nexport class AesGcmContext extends NativeAlgorithm {\n constructor(key) {\n super();\n Object.defineProperty(this, \"_rawKey\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_key\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: undefined\n });\n this._rawKey = key;\n }\n async seal(iv, data, aad) {\n await this._setupKey();\n const alg = {\n name: \"AES-GCM\",\n iv: iv,\n additionalData: aad,\n };\n const ct = await this._api.encrypt(alg, this._key, data);\n return ct;\n }\n async open(iv, data, aad) {\n await this._setupKey();\n const alg = {\n name: \"AES-GCM\",\n iv: iv,\n additionalData: aad,\n };\n const pt = await this._api.decrypt(alg, this._key, data);\n return pt;\n }\n async _setupKey() {\n if (this._key !== undefined) {\n return;\n }\n await this._setup();\n const key = await this._importKey(this._rawKey);\n (new Uint8Array(this._rawKey)).fill(0);\n this._key = key;\n return;\n }\n async _importKey(key) {\n return await this._api.importKey(\"raw\", key, { name: \"AES-GCM\" }, true, AEAD_USAGES);\n }\n}\n/**\n * The AES-128-GCM for HPKE AEAD implementing {@link AeadInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `aead` parameter of {@link CipherSuiteParams} instead of `AeadId.Aes128Gcm`.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class Aes128Gcm {\n constructor() {\n /** AeadId.Aes128Gcm (0x0001) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: AeadId.Aes128Gcm\n });\n /** 16 */\n Object.defineProperty(this, \"keySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 16\n });\n /** 12 */\n Object.defineProperty(this, \"nonceSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 12\n });\n /** 16 */\n Object.defineProperty(this, \"tagSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 16\n });\n }\n createEncryptionContext(key) {\n return new AesGcmContext(key);\n }\n}\n/**\n * The AES-256-GCM for HPKE AEAD implementing {@link AeadInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `aead` parameter of {@link CipherSuiteParams} instead of `AeadId.Aes256Gcm`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class Aes256Gcm extends Aes128Gcm {\n constructor() {\n super(...arguments);\n /** AeadId.Aes256Gcm (0x0002) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: AeadId.Aes256Gcm\n });\n /** 32 */\n Object.defineProperty(this, \"keySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 12 */\n Object.defineProperty(this, \"nonceSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 12\n });\n /** 16 */\n Object.defineProperty(this, \"tagSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 16\n });\n }\n}\n", "import { AeadId, NotSupportedError } from \"@hpke/common\";\n/**\n * The ExportOnly mode for HPKE AEAD implementing {@link AeadInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `aead` parameter of {@link CipherSuiteParams} instead of `AeadId.ExportOnly`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * ExportOnly,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new ExportOnly(),\n * });\n * ```\n */\nexport class ExportOnly {\n constructor() {\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: AeadId.ExportOnly\n });\n Object.defineProperty(this, \"keySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"nonceSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n Object.defineProperty(this, \"tagSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 0\n });\n }\n createEncryptionContext(_key) {\n throw new NotSupportedError(\"Export only\");\n }\n}\n", "import { NotSupportedError } from \"@hpke/common\";\nexport function emitNotSupported() {\n return new Promise((_resolve, reject) => {\n reject(new NotSupportedError(\"Not supported\"));\n });\n}\n", "import { ExportError, INPUT_LENGTH_LIMIT, InvalidParamError, } from \"@hpke/common\";\nimport { emitNotSupported } from \"./utils/emitNotSupported.js\";\n// b\"sec\"\nconst LABEL_SEC = new Uint8Array([115, 101, 99]);\nexport class ExporterContextImpl {\n constructor(api, kdf, exporterSecret) {\n Object.defineProperty(this, \"_api\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"exporterSecret\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._api = api;\n this._kdf = kdf;\n this.exporterSecret = exporterSecret;\n }\n async seal(_data, _aad) {\n return await emitNotSupported();\n }\n async open(_data, _aad) {\n return await emitNotSupported();\n }\n async export(exporterContext, len) {\n if (exporterContext.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long exporter context\");\n }\n try {\n return await this._kdf.labeledExpand(this.exporterSecret, LABEL_SEC, new Uint8Array(exporterContext), len);\n }\n catch (e) {\n throw new ExportError(e);\n }\n }\n}\nexport class RecipientExporterContextImpl extends ExporterContextImpl {\n}\nexport class SenderExporterContextImpl extends ExporterContextImpl {\n constructor(api, kdf, exporterSecret, enc) {\n super(api, kdf, exporterSecret);\n Object.defineProperty(this, \"enc\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this.enc = enc;\n return;\n }\n}\n", "import { i2Osp, MessageLimitReachedError, xor } from \"@hpke/common\";\nimport { ExporterContextImpl } from \"./exporterContext.js\";\nexport class EncryptionContextImpl extends ExporterContextImpl {\n constructor(api, kdf, params) {\n super(api, kdf, params.exporterSecret);\n // AEAD id.\n Object.defineProperty(this, \"_aead\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The length in bytes of a key for the algorithm.\n Object.defineProperty(this, \"_nK\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The length in bytes of a nonce for the algorithm.\n Object.defineProperty(this, \"_nN\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The length in bytes of an authentication tag for the algorithm.\n Object.defineProperty(this, \"_nT\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // The end-to-end encryption key information.\n Object.defineProperty(this, \"_ctx\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n if (params.key === undefined || params.baseNonce === undefined ||\n params.seq === undefined) {\n throw new Error(\"Required parameters are missing\");\n }\n this._aead = params.aead;\n this._nK = this._aead.keySize;\n this._nN = this._aead.nonceSize;\n this._nT = this._aead.tagSize;\n const key = this._aead.createEncryptionContext(params.key);\n this._ctx = {\n key: key,\n baseNonce: params.baseNonce,\n seq: params.seq,\n };\n }\n computeNonce(k) {\n const seqBytes = i2Osp(k.seq, k.baseNonce.byteLength);\n return xor(k.baseNonce, seqBytes).buffer;\n }\n incrementSeq(k) {\n // if (this.seq >= (1 << (8 * this.baseNonce.byteLength)) - 1) {\n if (k.seq > Number.MAX_SAFE_INTEGER) {\n throw new MessageLimitReachedError(\"Message limit reached\");\n }\n k.seq += 1;\n return;\n }\n}\n", "var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n};\nvar __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n};\nvar _Mutex_locked;\nexport class Mutex {\n constructor() {\n _Mutex_locked.set(this, Promise.resolve());\n }\n async lock() {\n let releaseLock;\n const nextLock = new Promise((resolve) => {\n releaseLock = resolve;\n });\n const previousLock = __classPrivateFieldGet(this, _Mutex_locked, \"f\");\n __classPrivateFieldSet(this, _Mutex_locked, nextLock, \"f\");\n await previousLock;\n return releaseLock;\n }\n}\n_Mutex_locked = new WeakMap();\n", "var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n};\nvar __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n};\nvar _RecipientContextImpl_mutex;\nimport { EMPTY, OpenError } from \"@hpke/common\";\nimport { EncryptionContextImpl } from \"./encryptionContext.js\";\nimport { Mutex } from \"./mutex.js\";\nexport class RecipientContextImpl extends EncryptionContextImpl {\n constructor() {\n super(...arguments);\n _RecipientContextImpl_mutex.set(this, void 0);\n }\n async open(data, aad = EMPTY.buffer) {\n __classPrivateFieldSet(this, _RecipientContextImpl_mutex, __classPrivateFieldGet(this, _RecipientContextImpl_mutex, \"f\") ?? new Mutex(), \"f\");\n const release = await __classPrivateFieldGet(this, _RecipientContextImpl_mutex, \"f\").lock();\n let pt;\n try {\n pt = await this._ctx.key.open(this.computeNonce(this._ctx), data, aad);\n }\n catch (e) {\n throw new OpenError(e);\n }\n finally {\n release();\n }\n this.incrementSeq(this._ctx);\n return pt;\n }\n}\n_RecipientContextImpl_mutex = new WeakMap();\n", "var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a getter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot read private member from an object whose class did not declare it\");\n return kind === \"m\" ? f : kind === \"a\" ? f.call(receiver) : f ? f.value : state.get(receiver);\n};\nvar __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {\n if (kind === \"m\") throw new TypeError(\"Private method is not writable\");\n if (kind === \"a\" && !f) throw new TypeError(\"Private accessor was defined without a setter\");\n if (typeof state === \"function\" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError(\"Cannot write private member to an object whose class did not declare it\");\n return (kind === \"a\" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;\n};\nvar _SenderContextImpl_mutex;\nimport { EMPTY, SealError } from \"@hpke/common\";\nimport { EncryptionContextImpl } from \"./encryptionContext.js\";\nimport { Mutex } from \"./mutex.js\";\nexport class SenderContextImpl extends EncryptionContextImpl {\n constructor(api, kdf, params, enc) {\n super(api, kdf, params);\n Object.defineProperty(this, \"enc\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n _SenderContextImpl_mutex.set(this, void 0);\n this.enc = enc;\n }\n async seal(data, aad = EMPTY.buffer) {\n __classPrivateFieldSet(this, _SenderContextImpl_mutex, __classPrivateFieldGet(this, _SenderContextImpl_mutex, \"f\") ?? new Mutex(), \"f\");\n const release = await __classPrivateFieldGet(this, _SenderContextImpl_mutex, \"f\").lock();\n let ct;\n try {\n ct = await this._ctx.key.seal(this.computeNonce(this._ctx), data, aad);\n }\n catch (e) {\n throw new SealError(e);\n }\n finally {\n release();\n }\n this.incrementSeq(this._ctx);\n return ct;\n }\n}\n_SenderContextImpl_mutex = new WeakMap();\n", "import { AeadId, EMPTY, i2Osp, INFO_LENGTH_LIMIT, INPUT_LENGTH_LIMIT, InvalidParamError, MINIMUM_PSK_LENGTH, Mode, NativeAlgorithm, } from \"@hpke/common\";\nimport { RecipientExporterContextImpl, SenderExporterContextImpl, } from \"./exporterContext.js\";\nimport { RecipientContextImpl } from \"./recipientContext.js\";\nimport { SenderContextImpl } from \"./senderContext.js\";\n// b\"base_nonce\"\n// deno-fmt-ignore\nconst LABEL_BASE_NONCE = new Uint8Array([\n 98, 97, 115, 101, 95, 110, 111, 110, 99, 101,\n]);\n// b\"exp\"\nconst LABEL_EXP = new Uint8Array([101, 120, 112]);\n// b\"info_hash\"\n// deno-fmt-ignore\nconst LABEL_INFO_HASH = new Uint8Array([\n 105, 110, 102, 111, 95, 104, 97, 115, 104,\n]);\n// b\"key\"\nconst LABEL_KEY = new Uint8Array([107, 101, 121]);\n// b\"psk_id_hash\"\n// deno-fmt-ignore\nconst LABEL_PSK_ID_HASH = new Uint8Array([\n 112, 115, 107, 95, 105, 100, 95, 104, 97, 115, 104,\n]);\n// b\"secret\"\nconst LABEL_SECRET = new Uint8Array([115, 101, 99, 114, 101, 116]);\n// b\"HPKE\"\n// deno-fmt-ignore\nconst SUITE_ID_HEADER_HPKE = new Uint8Array([\n 72, 80, 75, 69, 0, 0, 0, 0, 0, 0,\n]);\n/**\n * The Hybrid Public Key Encryption (HPKE) ciphersuite,\n * which is implemented using only\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n *\n * This is the super class of {@link CipherSuite} and the same as\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuite | @hpke/core#CipherSuite} as follows:\n * which supports only the ciphersuites that can be implemented on the native\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n * Therefore, the following cryptographic algorithms are not supported for now:\n * - DHKEM(X25519, HKDF-SHA256)\n * - DHKEM(X448, HKDF-SHA512)\n * - ChaCha20Poly1305\n *\n * In addtion, the HKDF functions contained in this class can only derive\n * keys of the same length as the `hashSize`.\n *\n * If you want to use the unsupported cryptographic algorithms\n * above or derive keys longer than the `hashSize`,\n * please use {@link CipherSuite}.\n *\n * This class provides following functions:\n *\n * - Creates encryption contexts both for senders and recipients.\n * - {@link createSenderContext}\n * - {@link createRecipientContext}\n * - Provides single-shot encryption API.\n * - {@link seal}\n * - {@link open}\n *\n * The calling of the constructor of this class is the starting\n * point for HPKE operations for both senders and recipients.\n *\n * @example Use only ciphersuites supported by Web Cryptography API.\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * CipherSuite,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n *\n * @example Use a ciphersuite which is currently not supported by Web Cryptography API.\n *\n * ```ts\n * import { Aes128Gcm, HkdfSha256, CipherSuite } from \"@hpke/core\";\n * // Use an extension module.\n * import { DhkemX25519HkdfSha256 } from \"@hpke/dhkem-x25519\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemX25519HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class CipherSuiteNative extends NativeAlgorithm {\n /**\n * @param params A set of parameters for building a cipher suite.\n *\n * If the error occurred, throws {@link InvalidParamError}.\n *\n * @throws {@link InvalidParamError}\n */\n constructor(params) {\n super();\n Object.defineProperty(this, \"_kem\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_kdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_aead\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_suiteId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n // KEM\n if (typeof params.kem === \"number\") {\n throw new InvalidParamError(\"KemId cannot be used\");\n }\n this._kem = params.kem;\n // KDF\n if (typeof params.kdf === \"number\") {\n throw new InvalidParamError(\"KdfId cannot be used\");\n }\n this._kdf = params.kdf;\n // AEAD\n if (typeof params.aead === \"number\") {\n throw new InvalidParamError(\"AeadId cannot be used\");\n }\n this._aead = params.aead;\n this._suiteId = new Uint8Array(SUITE_ID_HEADER_HPKE);\n this._suiteId.set(i2Osp(this._kem.id, 2), 4);\n this._suiteId.set(i2Osp(this._kdf.id, 2), 6);\n this._suiteId.set(i2Osp(this._aead.id, 2), 8);\n this._kdf.init(this._suiteId);\n }\n /**\n * Gets the KEM context of the ciphersuite.\n */\n get kem() {\n return this._kem;\n }\n /**\n * Gets the KDF context of the ciphersuite.\n */\n get kdf() {\n return this._kdf;\n }\n /**\n * Gets the AEAD context of the ciphersuite.\n */\n get aead() {\n return this._aead;\n }\n /**\n * Creates an encryption context for a sender.\n *\n * If the error occurred, throws {@link DecapError} | {@link ValidationError}.\n *\n * @param params A set of parameters for the sender encryption context.\n * @returns A sender encryption context.\n * @throws {@link EncapError}, {@link ValidationError}\n */\n async createSenderContext(params) {\n this._validateInputLength(params);\n await this._setup();\n const dh = await this._kem.encap(params);\n let mode;\n if (params.psk !== undefined) {\n mode = params.senderKey !== undefined ? Mode.AuthPsk : Mode.Psk;\n }\n else {\n mode = params.senderKey !== undefined ? Mode.Auth : Mode.Base;\n }\n return await this._keyScheduleS(mode, dh.sharedSecret, dh.enc, params);\n }\n /**\n * Creates an encryption context for a recipient.\n *\n * If the error occurred, throws {@link DecapError}\n * | {@link DeserializeError} | {@link ValidationError}.\n *\n * @param params A set of parameters for the recipient encryption context.\n * @returns A recipient encryption context.\n * @throws {@link DecapError}, {@link DeserializeError}, {@link ValidationError}\n */\n async createRecipientContext(params) {\n this._validateInputLength(params);\n await this._setup();\n const sharedSecret = await this._kem.decap(params);\n let mode;\n if (params.psk !== undefined) {\n mode = params.senderPublicKey !== undefined ? Mode.AuthPsk : Mode.Psk;\n }\n else {\n mode = params.senderPublicKey !== undefined ? Mode.Auth : Mode.Base;\n }\n return await this._keyScheduleR(mode, sharedSecret, params);\n }\n /**\n * Encrypts a message to a recipient.\n *\n * If the error occurred, throws `EncapError` | `MessageLimitReachedError` | `SealError` | `ValidationError`.\n *\n * @param params A set of parameters for building a sender encryption context.\n * @param pt A plain text as bytes to be encrypted.\n * @param aad Additional authenticated data as bytes fed by an application.\n * @returns A cipher text and an encapsulated key as bytes.\n * @throws {@link EncapError}, {@link MessageLimitReachedError}, {@link SealError}, {@link ValidationError}\n */\n async seal(params, pt, aad = EMPTY.buffer) {\n const ctx = await this.createSenderContext(params);\n return {\n ct: await ctx.seal(pt, aad),\n enc: ctx.enc,\n };\n }\n /**\n * Decrypts a message from a sender.\n *\n * If the error occurred, throws `DecapError` | `DeserializeError` | `OpenError` | `ValidationError`.\n *\n * @param params A set of parameters for building a recipient encryption context.\n * @param ct An encrypted text as bytes to be decrypted.\n * @param aad Additional authenticated data as bytes fed by an application.\n * @returns A decrypted plain text as bytes.\n * @throws {@link DecapError}, {@link DeserializeError}, {@link OpenError}, {@link ValidationError}\n */\n async open(params, ct, aad = EMPTY.buffer) {\n const ctx = await this.createRecipientContext(params);\n return await ctx.open(ct, aad);\n }\n // private verifyPskInputs(mode: Mode, params: KeyScheduleParams) {\n // const gotPsk = (params.psk !== undefined);\n // const gotPskId = (params.psk !== undefined && params.psk.id.byteLength > 0);\n // if (gotPsk !== gotPskId) {\n // throw new Error('Inconsistent PSK inputs');\n // }\n // if (gotPsk && (mode === Mode.Base || mode === Mode.Auth)) {\n // throw new Error('PSK input provided when not needed');\n // }\n // if (!gotPsk && (mode === Mode.Psk || mode === Mode.AuthPsk)) {\n // throw new Error('Missing required PSK input');\n // }\n // return;\n // }\n async _keySchedule(mode, sharedSecret, params) {\n // Currently, there is no point in executing this function\n // because this hpke library does not allow users to explicitly specify the mode.\n //\n // this.verifyPskInputs(mode, params);\n const pskId = params.psk === undefined\n ? EMPTY\n : new Uint8Array(params.psk.id);\n const pskIdHash = await this._kdf.labeledExtract(EMPTY, LABEL_PSK_ID_HASH, pskId);\n const info = params.info === undefined\n ? EMPTY\n : new Uint8Array(params.info);\n const infoHash = await this._kdf.labeledExtract(EMPTY, LABEL_INFO_HASH, info);\n const keyScheduleContext = new Uint8Array(1 + pskIdHash.byteLength + infoHash.byteLength);\n keyScheduleContext.set(new Uint8Array([mode]), 0);\n keyScheduleContext.set(new Uint8Array(pskIdHash), 1);\n keyScheduleContext.set(new Uint8Array(infoHash), 1 + pskIdHash.byteLength);\n const psk = params.psk === undefined\n ? EMPTY\n : new Uint8Array(params.psk.key);\n const ikm = this._kdf.buildLabeledIkm(LABEL_SECRET, psk);\n const exporterSecretInfo = this._kdf.buildLabeledInfo(LABEL_EXP, keyScheduleContext, this._kdf.hashSize);\n const exporterSecret = await this._kdf.extractAndExpand(sharedSecret, ikm, exporterSecretInfo, this._kdf.hashSize);\n if (this._aead.id === AeadId.ExportOnly) {\n return { aead: this._aead, exporterSecret: exporterSecret };\n }\n const keyInfo = this._kdf.buildLabeledInfo(LABEL_KEY, keyScheduleContext, this._aead.keySize);\n const key = await this._kdf.extractAndExpand(sharedSecret, ikm, keyInfo, this._aead.keySize);\n const baseNonceInfo = this._kdf.buildLabeledInfo(LABEL_BASE_NONCE, keyScheduleContext, this._aead.nonceSize);\n const baseNonce = await this._kdf.extractAndExpand(sharedSecret, ikm, baseNonceInfo, this._aead.nonceSize);\n return {\n aead: this._aead,\n exporterSecret: exporterSecret,\n key: key,\n baseNonce: new Uint8Array(baseNonce),\n seq: 0,\n };\n }\n async _keyScheduleS(mode, sharedSecret, enc, params) {\n const res = await this._keySchedule(mode, sharedSecret, params);\n if (res.key === undefined) {\n return new SenderExporterContextImpl(this._api, this._kdf, res.exporterSecret, enc);\n }\n return new SenderContextImpl(this._api, this._kdf, res, enc);\n }\n async _keyScheduleR(mode, sharedSecret, params) {\n const res = await this._keySchedule(mode, sharedSecret, params);\n if (res.key === undefined) {\n return new RecipientExporterContextImpl(this._api, this._kdf, res.exporterSecret);\n }\n return new RecipientContextImpl(this._api, this._kdf, res);\n }\n _validateInputLength(params) {\n if (params.info !== undefined &&\n params.info.byteLength > INFO_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long info\");\n }\n if (params.psk !== undefined) {\n if (params.psk.key.byteLength < MINIMUM_PSK_LENGTH) {\n throw new InvalidParamError(`PSK must have at least ${MINIMUM_PSK_LENGTH} bytes`);\n }\n if (params.psk.key.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long psk.key\");\n }\n if (params.psk.id.byteLength > INPUT_LENGTH_LIMIT) {\n throw new InvalidParamError(\"Too long psk.id\");\n }\n }\n return;\n }\n}\n", "import { Dhkem, Ec, HkdfSha256Native, HkdfSha384Native, HkdfSha512Native, KemId, } from \"@hpke/common\";\nexport class DhkemP256HkdfSha256Native extends Dhkem {\n constructor() {\n const kdf = new HkdfSha256Native();\n const prim = new Ec(KemId.DhkemP256HkdfSha256, kdf);\n super(KemId.DhkemP256HkdfSha256, prim, kdf);\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemP256HkdfSha256\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 65\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 65\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n }\n}\nexport class DhkemP384HkdfSha384Native extends Dhkem {\n constructor() {\n const kdf = new HkdfSha384Native();\n const prim = new Ec(KemId.DhkemP384HkdfSha384, kdf);\n super(KemId.DhkemP384HkdfSha384, prim, kdf);\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemP384HkdfSha384\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 48\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 97\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 97\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 48\n });\n }\n}\nexport class DhkemP521HkdfSha512Native extends Dhkem {\n constructor() {\n const kdf = new HkdfSha512Native();\n const prim = new Ec(KemId.DhkemP521HkdfSha512, kdf);\n super(KemId.DhkemP521HkdfSha512, prim, kdf);\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemP521HkdfSha512\n });\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 133\n });\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 133\n });\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n }\n}\n", "import { HkdfSha256Native, HkdfSha384Native, HkdfSha512Native, } from \"@hpke/common\";\nimport { CipherSuiteNative } from \"./cipherSuiteNative.js\";\nimport { DhkemP256HkdfSha256Native, DhkemP384HkdfSha384Native, DhkemP521HkdfSha512Native, } from \"./kems/dhkemNative.js\";\n/**\n * The Hybrid Public Key Encryption (HPKE) ciphersuite,\n * which is implemented using only\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n *\n * This class is the same as\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuiteNative | @hpke/core#CipherSuiteNative} as follows:\n * which supports only the ciphersuites that can be implemented on the native\n * {@link https://www.w3.org/TR/WebCryptoAPI/ | Web Cryptography API}.\n * Therefore, the following cryptographic algorithms are not supported for now:\n * - `DHKEM(X448, HKDF-SHA512)`\n * - `ChaCha20Poly1305`\n *\n * In addtion, the HKDF functions contained in this `CipherSuiteNative`\n * class can only derive keys of the same length as the `hashSize`.\n *\n * If you want to use the unsupported cryptographic algorithms\n * above or derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * This class provides following functions:\n *\n * - Creates encryption contexts both for senders and recipients.\n * - {@link createSenderContext}\n * - {@link createRecipientContext}\n * - Provides single-shot encryption API.\n * - {@link seal}\n * - {@link open}\n *\n * The calling of the constructor of this class is the starting\n * point for HPKE operations for both senders and recipients.\n *\n * @example Use only ciphersuites supported by Web Cryptography API.\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * CipherSuite,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n *\n * @example Use DHKEM(X25519, HKDF-SHA256).\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemX25519HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n * const suite = new CipherSuite({\n * kem: new DhkemX25519HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class CipherSuite extends CipherSuiteNative {\n}\n/**\n * The DHKEM(P-256, HKDF-SHA256) for HPKE KEM implementing {@link KemInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KemId.DhkemP256HkdfSha256`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class DhkemP256HkdfSha256 extends DhkemP256HkdfSha256Native {\n}\n/**\n * The DHKEM(P-384, HKDF-SHA384) for HPKE KEM implementing {@link KemInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KemId.DhkemP384HkdfSha384`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP384HkdfSha384,\n * HkdfSha384,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP384HkdfSha384(),\n * kdf: new HkdfSha384(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class DhkemP384HkdfSha384 extends DhkemP384HkdfSha384Native {\n}\n/**\n * The DHKEM(P-521, HKDF-SHA512) for HPKE KEM implementing {@link KemInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KemId.DhkemP521HkdfSha512`\n * as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * DhkemP521HkdfSha512,\n * HkdfSha512,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP521HkdfSha512(),\n * kdf: new HkdfSha512(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class DhkemP521HkdfSha512 extends DhkemP521HkdfSha512Native {\n}\n/**\n * The HKDF-SHA256 for HPKE KDF implementing {@link KdfInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KdfId.HkdfSha256`.\n *\n * The KDF class can only derive keys of the same length as the `hashSize`.\n * If you want to derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP256HkdfSha256,\n * HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP256HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class HkdfSha256 extends HkdfSha256Native {\n}\n/**\n * The HKDF-SHA384 for HPKE KDF implementing {@link KdfInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KdfId.HkdfSha384`.\n *\n * The KDF class can only derive keys of the same length as the `hashSize`.\n * If you want to derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * DhkemP384HkdfSha384,\n * HkdfSha384,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP384HkdfSha384(),\n * kdf: new HkdfSha384(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class HkdfSha384 extends HkdfSha384Native {\n}\n/**\n * The HKDF-SHA512 for HPKE KDF implementing {@link KdfInterface}.\n *\n * When using `@hpke/core`, the instance of this class must be specified\n * to the `kem` parameter of {@link CipherSuiteParams} instead of `KdfId.HkdfSha512`.\n *\n * The KDF class can only derive keys of the same length as the `hashSize`.\n * If you want to derive keys longer than the `hashSize`,\n * please use {@link https://jsr.io/@hpke/hpke-js/doc/~/CipherSuite | hpke-js#CipherSuite}.\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * DhkemP521HkdfSha512,\n * HkdfSha512,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemP521HkdfSha512(),\n * kdf: new HkdfSha512(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class HkdfSha512 extends HkdfSha512Native {\n}\n", "import { base64UrlToBytes, DeriveKeyPairError, DeserializeError, EMPTY, KEM_USAGES, LABEL_DKP_PRK, LABEL_SK, NativeAlgorithm, NotSupportedError, SerializeError, } from \"@hpke/common\";\nconst ALG_NAME = \"X25519\";\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_X25519 = new Uint8Array([\n 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,\n 0x03, 0x2b, 0x65, 0x6e, 0x04, 0x22, 0x04, 0x20,\n]);\nconst BASE_POINT_X25519 = /* @__PURE__ */ (() => {\n const p = new Uint8Array(32);\n p[0] = 9;\n return p;\n})();\nexport class X25519 extends NativeAlgorithm {\n constructor(hkdf) {\n super();\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_alg\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nDh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_pkcs8AlgId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._alg = { name: ALG_NAME };\n this._hkdf = hkdf;\n this._nPk = 32;\n this._nSk = 32;\n this._nDh = 32;\n this._pkcs8AlgId = PKCS8_ALG_ID_X25519;\n }\n async serializePublicKey(key) {\n await this._setup();\n try {\n return await this._api.exportKey(\"raw\", key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n if (!(\"d\" in jwk)) {\n throw new Error(\"Not private key\");\n }\n return base64UrlToBytes(jwk[\"d\"]).buffer;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n await this._setup();\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n await this._setup();\n try {\n return await this._api.generateKey(ALG_NAME, true, KEM_USAGES);\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n await this._setup();\n try {\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY, LABEL_DKP_PRK, new Uint8Array(ikm));\n const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, this._nSk);\n const rawSkBytes = new Uint8Array(rawSk);\n const sk = await this._deserializePkcs8Key(rawSkBytes);\n rawSkBytes.fill(0);\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n async derivePublicKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n delete jwk[\"d\"];\n delete jwk[\"key_ops\"];\n return await this._api.importKey(\"jwk\", jwk, this._alg, true, []);\n }\n catch {\n try {\n // Firefox fails to export JWK from some imported X25519 private keys.\n const bp = await this._api.importKey(\"raw\", BASE_POINT_X25519.buffer, this._alg, true, []);\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: bp,\n }, key, this._nPk * 8);\n return await this._api.importKey(\"raw\", bits, this._alg, true, []);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n }\n async dh(sk, pk) {\n await this._setup();\n try {\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: pk,\n }, sk, this._nDh * 8);\n return bits;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async _importRawKey(key, isPublic) {\n if (isPublic && key.byteLength !== this._nPk) {\n throw new Error(\"Invalid public key for the ciphersuite\");\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n throw new Error(\"Invalid private key for the ciphersuite\");\n }\n if (isPublic) {\n return await this._api.importKey(\"raw\", key, this._alg, true, []);\n }\n return await this._deserializePkcs8Key(new Uint8Array(key));\n }\n async _importJWK(key, isPublic) {\n if (typeof key.kty === \"undefined\" || key.kty !== \"OKP\") {\n throw new Error(`Invalid kty: ${key.crv}`);\n }\n if (typeof key.crv === \"undefined\" || key.crv !== ALG_NAME) {\n throw new Error(`Invalid crv: ${key.crv}`);\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n throw new Error(\"Invalid key: `d` should not be set\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, []);\n }\n if (typeof key.d === \"undefined\") {\n throw new Error(\"Invalid key: `d` not found\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, KEM_USAGES);\n }\n async _deserializePkcs8Key(k) {\n const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);\n pkcs8Key.set(this._pkcs8AlgId, 0);\n pkcs8Key.set(k, this._pkcs8AlgId.length);\n return await this._api.importKey(\"pkcs8\", pkcs8Key, this._alg, true, KEM_USAGES);\n }\n}\n", "import { Dhkem, HkdfSha256Native, KemId } from \"@hpke/common\";\nimport { X25519 } from \"./dhkemPrimitives/x25519.js\";\n/**\n * The DHKEM(X25519, HKDF-SHA256) for HPKE KEM implementing {@link KemInterface}.\n *\n * The instance of this class can be specified to the\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuiteParams | CipherSuiteParams} as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes128Gcm,\n * CipherSuite,\n * HkdfSha256,\n * DhkemX25519HkdfSha256,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemX25519HkdfSha256(),\n * kdf: new HkdfSha256(),\n * aead: new Aes128Gcm(),\n * });\n * ```\n */\nexport class DhkemX25519HkdfSha256 extends Dhkem {\n constructor() {\n const kdf = new HkdfSha256Native();\n super(KemId.DhkemX25519HkdfSha256, new X25519(kdf), kdf);\n /** KemId.DhkemX25519HkdfSha256 (0x0020) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemX25519HkdfSha256\n });\n /** 32 */\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 32 */\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 32 */\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n /** 32 */\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 32\n });\n }\n}\n", "import { base64UrlToBytes, DeriveKeyPairError, DeserializeError, EMPTY, KEM_USAGES, LABEL_DKP_PRK, LABEL_SK, NativeAlgorithm, NotSupportedError, SerializeError, } from \"@hpke/common\";\nconst ALG_NAME = \"X448\";\n// deno-fmt-ignore\nconst PKCS8_ALG_ID_X448 = new Uint8Array([\n 0x30, 0x46, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,\n 0x03, 0x2b, 0x65, 0x6f, 0x04, 0x3a, 0x04, 0x38,\n]);\nconst BASE_POINT_X448 = /* @__PURE__ */ (() => {\n const p = new Uint8Array(56);\n p[0] = 5;\n return p;\n})();\nexport class X448 extends NativeAlgorithm {\n constructor(hkdf) {\n super();\n Object.defineProperty(this, \"_hkdf\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_alg\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nPk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nSk\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_nDh\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n Object.defineProperty(this, \"_pkcs8AlgId\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: void 0\n });\n this._alg = { name: ALG_NAME };\n this._hkdf = hkdf;\n this._nPk = 56;\n this._nSk = 56;\n this._nDh = 56;\n this._pkcs8AlgId = PKCS8_ALG_ID_X448;\n }\n async serializePublicKey(key) {\n await this._setup();\n try {\n return await this._api.exportKey(\"raw\", key);\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePublicKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, true);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async serializePrivateKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n if (!(\"d\" in jwk)) {\n throw new Error(\"Not private key\");\n }\n return base64UrlToBytes(jwk[\"d\"]).buffer;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async deserializePrivateKey(key) {\n await this._setup();\n try {\n return await this._importRawKey(key, false);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async importKey(format, key, isPublic) {\n await this._setup();\n try {\n if (format === \"raw\") {\n return await this._importRawKey(key, isPublic);\n }\n // jwk\n if (key instanceof ArrayBuffer) {\n throw new Error(\"Invalid jwk key format\");\n }\n return await this._importJWK(key, isPublic);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n async generateKeyPair() {\n await this._setup();\n try {\n return await this._api.generateKey(ALG_NAME, true, KEM_USAGES);\n }\n catch (e) {\n throw new NotSupportedError(e);\n }\n }\n async deriveKeyPair(ikm) {\n await this._setup();\n try {\n const dkpPrk = await this._hkdf.labeledExtract(EMPTY, LABEL_DKP_PRK, new Uint8Array(ikm));\n const rawSk = await this._hkdf.labeledExpand(dkpPrk, LABEL_SK, EMPTY, this._nSk);\n const rawSkBytes = new Uint8Array(rawSk);\n const sk = await this._deserializePkcs8Key(rawSkBytes);\n rawSkBytes.fill(0);\n return {\n privateKey: sk,\n publicKey: await this.derivePublicKey(sk),\n };\n }\n catch (e) {\n throw new DeriveKeyPairError(e);\n }\n }\n async derivePublicKey(key) {\n await this._setup();\n try {\n const jwk = await this._api.exportKey(\"jwk\", key);\n delete jwk[\"d\"];\n delete jwk[\"key_ops\"];\n return await this._api.importKey(\"jwk\", jwk, this._alg, true, []);\n }\n catch {\n try {\n // Some runtimes cannot export JWK from imported X448 private keys.\n const bp = await this._api.importKey(\"raw\", BASE_POINT_X448.buffer, this._alg, true, []);\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: bp,\n }, key, this._nPk * 8);\n return await this._api.importKey(\"raw\", bits, this._alg, true, []);\n }\n catch (e) {\n throw new DeserializeError(e);\n }\n }\n }\n async dh(sk, pk) {\n await this._setup();\n try {\n const bits = await this._api.deriveBits({\n name: ALG_NAME,\n public: pk,\n }, sk, this._nDh * 8);\n return bits;\n }\n catch (e) {\n throw new SerializeError(e);\n }\n }\n async _importRawKey(key, isPublic) {\n if (isPublic && key.byteLength !== this._nPk) {\n throw new Error(\"Invalid public key for the ciphersuite\");\n }\n if (!isPublic && key.byteLength !== this._nSk) {\n throw new Error(\"Invalid private key for the ciphersuite\");\n }\n if (isPublic) {\n return await this._api.importKey(\"raw\", key, this._alg, true, []);\n }\n return await this._deserializePkcs8Key(new Uint8Array(key));\n }\n async _importJWK(key, isPublic) {\n if (typeof key.kty === \"undefined\" || key.kty !== \"OKP\") {\n throw new Error(`Invalid kty: ${key.crv}`);\n }\n if (typeof key.crv === \"undefined\" || key.crv !== ALG_NAME) {\n throw new Error(`Invalid crv: ${key.crv}`);\n }\n if (isPublic) {\n if (typeof key.d !== \"undefined\") {\n throw new Error(\"Invalid key: `d` should not be set\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, []);\n }\n if (typeof key.d === \"undefined\") {\n throw new Error(\"Invalid key: `d` not found\");\n }\n return await this._api.importKey(\"jwk\", key, this._alg, true, KEM_USAGES);\n }\n async _deserializePkcs8Key(k) {\n const pkcs8Key = new Uint8Array(this._pkcs8AlgId.length + k.length);\n pkcs8Key.set(this._pkcs8AlgId, 0);\n pkcs8Key.set(k, this._pkcs8AlgId.length);\n return await this._api.importKey(\"pkcs8\", pkcs8Key, this._alg, true, KEM_USAGES);\n }\n}\n", "import { Dhkem, HkdfSha512Native, KemId } from \"@hpke/common\";\nimport { X448 } from \"./dhkemPrimitives/x448.js\";\n/**\n * The DHKEM(X448, HKDF-SHA512) for HPKE KEM implementing {@link KemInterface}.\n *\n * The instance of this class can be specified to the\n * {@link https://jsr.io/@hpke/core/doc/~/CipherSuiteParams | CipherSuiteParams} as follows:\n *\n * @example\n *\n * ```ts\n * import {\n * Aes256Gcm,\n * CipherSuite,\n * HkdfSha512,\n * DhkemX448HkdfSha512,\n * } from \"@hpke/core\";\n *\n * const suite = new CipherSuite({\n * kem: new DhkemX448HkdfSha512(),\n * kdf: new HkdfSha512(),\n * aead: new Aes256Gcm(),\n * });\n * ```\n */\nexport class DhkemX448HkdfSha512 extends Dhkem {\n constructor() {\n const kdf = new HkdfSha512Native();\n super(KemId.DhkemX448HkdfSha512, new X448(kdf), kdf);\n /** KemId.DhkemX448HkdfSha512 (0x0021) */\n Object.defineProperty(this, \"id\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: KemId.DhkemX448HkdfSha512\n });\n /** 64 */\n Object.defineProperty(this, \"secretSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 64\n });\n /** 56 */\n Object.defineProperty(this, \"encSize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 56\n });\n /** 56 */\n Object.defineProperty(this, \"publicKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 56\n });\n /** 56 */\n Object.defineProperty(this, \"privateKeySize\", {\n enumerable: true,\n configurable: true,\n writable: true,\n value: 56\n });\n }\n}\n", "export { AeadId, DecapError, DeriveKeyPairError, DeserializeError, EncapError, ExportError, HpkeError, InvalidParamError, KdfId, KemId, MessageLimitReachedError, NotSupportedError, OpenError, SealError, SerializeError, ValidationError, } from \"@hpke/common\";\nexport { Aes128Gcm, Aes256Gcm } from \"./src/aeads/aesGcm.js\";\nexport { ExportOnly } from \"./src/aeads/exportOnly.js\";\nexport { CipherSuite, DhkemP256HkdfSha256, DhkemP384HkdfSha384, DhkemP521HkdfSha512, HkdfSha256, HkdfSha384, HkdfSha512, } from \"./src/native.js\";\nexport { DhkemX25519HkdfSha256 } from \"./src/kems/dhkemX25519.js\";\nexport { DhkemX448HkdfSha512 } from \"./src/kems/dhkemX448.js\";\n", null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, "/**\n * MLSGroupManager \u2014 High-level wrapper around ts-mls (RFC 9420).\n *\n * Provides a stateful, ergonomic API for MLS group operations:\n * create, join, encrypt, decrypt, add/remove members, state serialization.\n *\n * Default cipher suite: MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519\n */\n\nimport {\n // Key package generation\n generateKeyPackage,\n type KeyPackage,\n type PrivateKeyPackage,\n\n // Group lifecycle\n createGroup,\n joinGroup,\n type ClientState,\n\n // Commit / proposals\n createCommit,\n type CreateCommitResult,\n type CreateCommitOptions,\n\n // Application messages\n createApplicationMessage,\n\n // Message processing\n processMessage,\n type ProcessMessageResult,\n\n // Message encoding\n encodeMlsMessage,\n decodeMlsMessage,\n type MLSMessage,\n\n // Cipher suite\n getCiphersuiteFromName,\n getCiphersuiteImpl,\n type CiphersuiteImpl,\n type CiphersuiteName,\n\n // Crypto providers\n nobleCryptoProvider,\n\n // Defaults\n defaultCapabilities,\n defaultLifetime,\n defaultKeyRetentionConfig,\n defaultLifetimeConfig,\n defaultKeyPackageEqualityConfig,\n defaultPaddingConfig,\n defaultAuthenticationService,\n emptyPskIndex,\n acceptAll,\n\n // State serialization\n encodeGroupState,\n decodeGroupState,\n\n // Credential\n type Credential,\n\n // PSK\n type PskIndex,\n\n // Proposals\n type Proposal,\n type ClientConfig,\n} from \"ts-mls\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Default cipher suite: X25519 + AES-128-GCM + SHA-256 + Ed25519 */\nconst DEFAULT_CIPHERSUITE: CiphersuiteName =\n \"MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519\";\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\n/** A key package bundle with both public and private components. */\nexport interface MLSKeyPackageBundle {\n publicPackage: KeyPackage;\n privatePackage: PrivateKeyPackage;\n}\n\n/** Result of an add-members commit. */\nexport interface AddMembersResult {\n /** The encoded commit message to broadcast to existing members. */\n commit: Uint8Array;\n /** The encoded welcome message to send to new members. */\n welcome: Uint8Array | undefined;\n}\n\n/** Result of a remove-member commit. */\nexport interface RemoveMemberResult {\n /** The encoded commit message to broadcast. */\n commit: Uint8Array;\n}\n\n/** Result of decrypting an incoming message. */\nexport interface DecryptResult {\n /** The decrypted plaintext, or undefined if this was a handshake message. */\n plaintext?: Uint8Array;\n /** Whether the message was a handshake (commit/proposal) vs application data. */\n isHandshake: boolean;\n}\n\n/** Serialized group state for persistence. */\nexport interface SerializedMLSGroupState {\n /** TLS-encoded group state bytes, base64. */\n groupState: string;\n /** The cipher suite name used by this group. */\n ciphersuite: CiphersuiteName;\n}\n\n// ---------------------------------------------------------------------------\n// MLSGroupManager\n// ---------------------------------------------------------------------------\n\nexport class MLSGroupManager {\n /** @internal */ state: ClientState | undefined;\n private _cs: CiphersuiteImpl | undefined;\n private _ciphersuiteName: CiphersuiteName;\n private _pskIndex: PskIndex;\n\n constructor(ciphersuite?: CiphersuiteName) {\n this._ciphersuiteName = ciphersuite ?? DEFAULT_CIPHERSUITE;\n this._pskIndex = emptyPskIndex;\n }\n\n // -------------------------------------------------------------------------\n // Getters\n // -------------------------------------------------------------------------\n\n /** Whether the group has been initialized (created or joined). */\n get isInitialized(): boolean {\n return this.state !== undefined;\n }\n\n /** Current epoch number. Throws if not initialized. */\n get epoch(): bigint {\n const s = this._requireState();\n return s.groupContext.epoch;\n }\n\n /** Group identifier as Uint8Array. Throws if not initialized. */\n get groupId(): Uint8Array {\n const s = this._requireState();\n return s.groupContext.groupId;\n }\n\n /** The cipher suite name in use. */\n get ciphersuiteName(): CiphersuiteName {\n return this._ciphersuiteName;\n }\n\n // -------------------------------------------------------------------------\n // Key Package Generation\n // -------------------------------------------------------------------------\n\n /**\n * Generate a key package for joining or creating a group.\n *\n * @param identity - The identity bytes for the basic credential (e.g. UTF-8 user ID).\n * @returns A bundle containing both public and private key package components.\n */\n async generateKeyPackage(identity: Uint8Array): Promise<MLSKeyPackageBundle> {\n const cs = await this._ensureCiphersuite();\n const credential: Credential = {\n credentialType: \"basic\",\n identity,\n };\n const { publicPackage, privatePackage } = await generateKeyPackage(\n credential,\n defaultCapabilities(),\n defaultLifetime,\n [], // extensions\n cs,\n );\n return { publicPackage, privatePackage };\n }\n\n /**\n * Serialize a KeyPackage to bytes for transport (e.g. publishing to backend).\n * Wraps in an MLS message envelope with wireformat mls_key_package.\n */\n static serializeKeyPackage(kp: KeyPackage): Uint8Array {\n const msg: MLSMessage = {\n version: \"mls10\",\n wireformat: \"mls_key_package\",\n keyPackage: kp,\n };\n return encodeMlsMessage(msg);\n }\n\n /**\n * Deserialize a KeyPackage from bytes (e.g. fetched from backend).\n * Expects bytes produced by serializeKeyPackage (MLS message envelope).\n */\n static deserializeKeyPackage(bytes: Uint8Array): KeyPackage {\n const result = decodeMlsMessage(bytes, 0);\n if (!result) {\n throw new Error(\"Failed to decode MLS key package message\");\n }\n const [msg] = result;\n if (msg.wireformat !== \"mls_key_package\") {\n throw new Error(`Expected mls_key_package wireformat, got ${msg.wireformat}`);\n }\n return (msg as unknown as { keyPackage: KeyPackage }).keyPackage;\n }\n\n // -------------------------------------------------------------------------\n // Group Lifecycle\n // -------------------------------------------------------------------------\n\n /**\n * Create a new MLS group. The caller becomes the first (and only) member.\n *\n * @param groupId - Unique group identifier bytes.\n * @param keyPackageBundle - The creator's key package bundle.\n */\n async createGroup(\n groupId: Uint8Array,\n keyPackageBundle: MLSKeyPackageBundle,\n ): Promise<void> {\n const cs = await this._ensureCiphersuite();\n this.state = await createGroup(\n groupId,\n keyPackageBundle.publicPackage,\n keyPackageBundle.privatePackage,\n [], // extensions\n cs,\n );\n }\n\n /**\n * Join an existing group from a welcome message.\n *\n * @param welcomeBytes - The TLS-encoded welcome message bytes.\n * @param keyPackageBundle - The joiner's key package bundle (must match the\n * key package that was added by the group creator).\n */\n async joinFromWelcome(\n welcomeBytes: Uint8Array,\n keyPackageBundle: MLSKeyPackageBundle,\n ): Promise<void> {\n const cs = await this._ensureCiphersuite();\n // Decode the MLS message to extract the Welcome\n const mlsMsg = decodeMlsMessage(welcomeBytes, 0);\n if (!mlsMsg) {\n throw new Error(\"Failed to decode MLS welcome message\");\n }\n const [decoded] = mlsMsg;\n if (decoded.wireformat !== \"mls_welcome\") {\n throw new Error(\n `Expected mls_welcome wireformat, got ${decoded.wireformat}`,\n );\n }\n this.state = await joinGroup(\n decoded.welcome,\n keyPackageBundle.publicPackage,\n keyPackageBundle.privatePackage,\n this._pskIndex,\n cs,\n );\n }\n\n // -------------------------------------------------------------------------\n // Membership Management\n // -------------------------------------------------------------------------\n\n /**\n * Add one or more members to the group.\n *\n * @param keyPackages - The public key packages of members to add.\n * @returns The commit and welcome messages to distribute.\n */\n async addMembers(keyPackages: KeyPackage[]): Promise<AddMembersResult> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n // Build add proposals \u2014 ts-mls ProposalAdd shape: { proposalType: \"add\", add: { keyPackage } }\n const extraProposals: Proposal[] = keyPackages.map((kp) => ({\n proposalType: \"add\" as const,\n add: { keyPackage: kp },\n }));\n\n const options: CreateCommitOptions = {\n extraProposals,\n ratchetTreeExtension: true,\n };\n\n const result: CreateCommitResult = await createCommit(\n { state: s, cipherSuite: cs, pskIndex: this._pskIndex },\n options,\n );\n\n this.state = result.newState;\n\n // Encode commit\n const commitBytes = encodeMlsMessage(result.commit);\n\n // Encode welcome if present\n let welcomeBytes: Uint8Array | undefined;\n if (result.welcome) {\n const welcomeMsg: MLSMessage = {\n version: \"mls10\",\n wireformat: \"mls_welcome\",\n welcome: result.welcome,\n };\n welcomeBytes = encodeMlsMessage(welcomeMsg);\n }\n\n return { commit: commitBytes, welcome: welcomeBytes };\n }\n\n /**\n * Remove a member from the group by leaf index.\n *\n * @param memberIndex - The leaf index of the member to remove.\n * @returns The commit message to broadcast.\n */\n async removeMember(memberIndex: number): Promise<RemoveMemberResult> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n // ts-mls ProposalRemove shape: { proposalType: \"remove\", remove: { removed: number } }\n const removeProposal: Proposal = {\n proposalType: \"remove\" as const,\n remove: { removed: memberIndex },\n };\n\n const options: CreateCommitOptions = {\n extraProposals: [removeProposal],\n };\n\n const result = await createCommit(\n { state: s, cipherSuite: cs, pskIndex: this._pskIndex },\n options,\n );\n\n this.state = result.newState;\n return { commit: encodeMlsMessage(result.commit) };\n }\n\n // -------------------------------------------------------------------------\n // Encrypt / Decrypt\n // -------------------------------------------------------------------------\n\n /**\n * Encrypt an application message for the group.\n *\n * @param plaintext - The plaintext bytes to encrypt.\n * @returns The TLS-encoded private message bytes.\n */\n async encrypt(plaintext: Uint8Array): Promise<Uint8Array> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n const { newState, privateMessage } = await createApplicationMessage(\n s,\n plaintext,\n cs,\n );\n\n this.state = newState;\n\n // Encode as MLS private message\n const mlsMsg: MLSMessage = {\n version: \"mls10\",\n wireformat: \"mls_private_message\",\n privateMessage,\n };\n return encodeMlsMessage(mlsMsg);\n }\n\n /**\n * Decrypt / process an incoming MLS message (application or handshake).\n *\n * @param messageBytes - The TLS-encoded MLS message bytes.\n * @returns The decrypted plaintext (for application messages) or handshake info.\n */\n async decrypt(messageBytes: Uint8Array): Promise<DecryptResult> {\n const s = this._requireState();\n const cs = await this._ensureCiphersuite();\n\n const decoded = decodeMlsMessage(messageBytes, 0);\n if (!decoded) {\n throw new Error(\"Failed to decode MLS message\");\n }\n const [mlsMsg] = decoded;\n\n if (\n mlsMsg.wireformat !== \"mls_private_message\" &&\n mlsMsg.wireformat !== \"mls_public_message\"\n ) {\n throw new Error(\n `Cannot decrypt message of wireformat: ${mlsMsg.wireformat}`,\n );\n }\n\n const result: ProcessMessageResult = await processMessage(\n mlsMsg,\n s,\n this._pskIndex,\n acceptAll,\n cs,\n );\n\n this.state = result.newState;\n\n if (result.kind === \"applicationMessage\") {\n return { plaintext: result.message, isHandshake: false };\n }\n\n return { isHandshake: true };\n }\n\n // -------------------------------------------------------------------------\n // Commit Processing\n // -------------------------------------------------------------------------\n\n /**\n * Process an incoming commit message (e.g. from addMembers or removeMember\n * by another group member). Use `decrypt()` for general message processing;\n * this is an alias that makes intent clearer for handshake messages.\n *\n * @param commitBytes - The TLS-encoded commit message bytes.\n */\n async processCommit(commitBytes: Uint8Array): Promise<void> {\n const result = await this.decrypt(commitBytes);\n if (!result.isHandshake) {\n throw new Error(\"Expected a handshake message but got application data\");\n }\n }\n\n // -------------------------------------------------------------------------\n // State Serialization\n // -------------------------------------------------------------------------\n\n /**\n * Export the current group state for persistence.\n * The serialized state includes everything needed to resume operations.\n */\n exportState(): SerializedMLSGroupState {\n const s = this._requireState();\n const encoded = encodeGroupState(s);\n return {\n groupState: uint8ArrayToBase64(encoded),\n ciphersuite: this._ciphersuiteName,\n };\n }\n\n /**\n * Import a previously exported group state.\n *\n * @param serialized - The serialized state from `exportState()`.\n */\n importState(serialized: SerializedMLSGroupState): void {\n this._ciphersuiteName = serialized.ciphersuite;\n // Reset cached cipher suite impl so it gets re-created for the right suite\n this._cs = undefined;\n\n const bytes = base64ToUint8Array(serialized.groupState);\n const decoded = decodeGroupState(bytes, 0);\n if (!decoded) {\n throw new Error(\"Failed to decode MLS group state\");\n }\n const [groupState] = decoded;\n // Reconstruct ClientState from GroupState with default client config\n const clientConfig: ClientConfig = {\n keyRetentionConfig: defaultKeyRetentionConfig,\n lifetimeConfig: defaultLifetimeConfig,\n keyPackageEqualityConfig: defaultKeyPackageEqualityConfig,\n paddingConfig: defaultPaddingConfig,\n authService: defaultAuthenticationService,\n };\n this.state = {\n ...groupState,\n clientConfig,\n };\n }\n\n // -------------------------------------------------------------------------\n // Private Helpers\n // -------------------------------------------------------------------------\n\n private _requireState(): ClientState {\n if (!this.state) {\n throw new Error(\"MLSGroupManager is not initialized. Call createGroup() or joinFromWelcome() first.\");\n }\n return this.state;\n }\n\n private async _ensureCiphersuite(): Promise<CiphersuiteImpl> {\n if (!this._cs) {\n const suite = getCiphersuiteFromName(this._ciphersuiteName);\n this._cs = await getCiphersuiteImpl(suite, nobleCryptoProvider);\n }\n return this._cs;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Utility: Base64 <-> Uint8Array (no dependency on Node Buffer)\n// ---------------------------------------------------------------------------\n\nfunction uint8ArrayToBase64(bytes: Uint8Array): string {\n let binary = \"\";\n for (let i = 0; i < bytes.length; i++) {\n binary += String.fromCharCode(bytes[i]);\n }\n return btoa(binary);\n}\n\nfunction base64ToUint8Array(b64: string): Uint8Array {\n const binary = atob(b64);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n", "export {\n generateIdentityKeypair,\n generateEphemeralKeypair,\n computeFingerprint,\n createProofOfPossession,\n verifyProofOfPossession,\n type IdentityKeypair,\n type EphemeralKeypair,\n} from \"./keys.js\";\n\nexport { performX3DH, type X3DHParams } from \"./x3dh.js\";\n\nexport {\n DoubleRatchet,\n type EncryptedMessage,\n type RatchetHeader,\n} from \"./ratchet.js\";\n\nexport {\n encryptFile,\n decryptFile,\n computeFileDigest,\n type EncryptedFileResult,\n} from \"./file-crypto.js\";\n\nexport {\n canonicalize,\n signDocument,\n verifyDocumentSignature,\n publicKeyToMultibase,\n multibaseToPublicKey,\n buildDidDocument,\n DOMAIN_DID_DOCUMENT,\n DOMAIN_TRANSFER_INTENT,\n DOMAIN_TRANSFER_ACCEPT,\n type BuildDidDocumentParams,\n type DidVerificationMethod,\n type DidService,\n type DidDocument,\n} from \"./did.js\";\n\nexport {\n ScanEngine,\n type ScanRule,\n type ScanResult,\n type ScanViolation,\n} from \"./scan-engine.js\";\n\nexport {\n computeDidHash,\n verifyMerkleProof,\n type MerkleProofSibling,\n} from \"./merkle.js\";\n\nexport {\n // VC types\n type DataIntegrityProof,\n type CredentialSubject,\n type CredentialStatus,\n type UnsignedCredential,\n type VerifiableCredential,\n type UnsignedPresentation,\n type VerifiablePresentation,\n type AgentTrustCredentialParams,\n type SkillAttestationParams,\n type PerformanceRecordParams,\n type AgentTrustReportParams,\n type TrustReportDimensions,\n // VC builders\n buildAgentTrustCredential,\n buildSkillAttestation,\n buildPerformanceRecord,\n buildAgentTrustReportCredential,\n buildVerifiablePresentation,\n // VC signing / verification\n signWithDataIntegrity,\n verifyDataIntegrity,\n issueCredential,\n presentCredentials,\n // VC constants\n VC_CONTEXT_V2,\n AV_CREDENTIAL_CONTEXT,\n CRYPTOSUITE,\n} from \"./vc.js\";\n\nexport {\n hexToBytes,\n bytesToHex,\n base64ToBytes,\n bytesToBase64,\n encryptedMessageToTransport,\n transportToEncryptedMessage,\n encryptedMessageToHexTransport,\n hexTransportToEncryptedMessage,\n encryptedMessageToTransportV2,\n transportV2ToEncryptedMessage,\n encryptedMessageToTransportV2Full,\n type TransportMessage,\n type TransportMessageV2,\n type HexTransportMessage,\n} from \"./transport.js\";\n\nexport {\n // Original 10 span builders\n buildLlmSpan,\n buildToolSpan,\n buildErrorSpan,\n buildHttpSpan,\n buildActionSpan,\n buildNavSpan,\n buildEvalSpan,\n buildTaskSpan,\n buildSkillInvocationSpan,\n buildForgeSpan,\n // New 10 span builders (av.* prefix)\n buildPolicyViolationSpan,\n buildDecisionSpan,\n buildResyncSpan,\n buildA2aSpan,\n buildScanSpan,\n buildWorkspaceSpan,\n buildCapabilitySpan,\n buildEnrollmentSpan,\n buildRoomSpan,\n buildTrustSpan,\n buildEvalRunSpan,\n // Types\n type TelemetrySpan,\n type SpanEvent,\n type SpanStatus,\n type BuildLlmSpanOpts,\n type BuildToolSpanOpts,\n type BuildErrorSpanOpts,\n type BuildHttpSpanOpts,\n type BuildActionSpanOpts,\n type BuildNavSpanOpts,\n type BuildEvalSpanOpts,\n type BuildTaskSpanOpts,\n type BuildSkillInvocationSpanOpts,\n type BuildForgeSpanOpts,\n type BuildPolicyViolationSpanOpts,\n type BuildDecisionSpanOpts,\n type BuildResyncSpanOpts,\n type BuildA2aSpanOpts,\n type BuildScanSpanOpts,\n type BuildWorkspaceSpanOpts,\n type BuildCapabilitySpanOpts,\n type BuildEnrollmentSpanOpts,\n type BuildRoomSpanOpts,\n type BuildTrustSpanOpts,\n type BuildEvalRunSpanOpts,\n type InstrumentationContext,\n // W3C TraceContext\n buildTraceparent,\n parseTraceparent,\n spanToTraceContext,\n spanToW3CHeaders,\n propagateContext,\n type TraceContext,\n} from \"./telemetry.js\";\n\nexport {\n TelemetryReporter,\n type TelemetryReporterConfig,\n} from \"./telemetry-reporter.js\";\n\nexport {\n generateBackupCode,\n formatBackupCode,\n normalizeBackupCode,\n deriveBackupKey,\n encryptBackup,\n encryptBackupWithKey,\n decryptBackup,\n hashBackupCode,\n type BackupBundle,\n} from \"./backup.js\";\n\nexport {\n createApprovalArtifact,\n verifyApprovalArtifact,\n type ApprovalArtifact,\n} from \"./approval.js\";\n\nexport {\n MLSGroupManager,\n type MLSKeyPackageBundle,\n type AddMembersResult,\n type RemoveMemberResult,\n type DecryptResult,\n type SerializedMLSGroupState,\n} from \"./mls-group.js\";\n", "import { chmod, mkdir, readFile, rename, rm, writeFile } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport {\n encryptBackup,\n hashBackupCode,\n bytesToBase64,\n bytesToHex,\n type BackupBundle,\n} from \"@agentvault/crypto\";\nimport type { PersistedState } from \"./types.js\";\n\nconst STATE_FILE = \"agentvault.json\";\nconst LEGACY_STATE_FILE = \"secure-channel.json\";\n\n// State files contain deviceJwt and ratchet keys \u2014 restrict to owner only\nconst DIR_MODE = 0o700;\nconst FILE_MODE = 0o600;\n\nexport async function saveState(\n dataDir: string,\n state: PersistedState,\n): Promise<void> {\n await mkdir(dataDir, { recursive: true, mode: DIR_MODE });\n const filePath = join(dataDir, STATE_FILE);\n await writeFile(filePath, JSON.stringify(state, null, 2), { encoding: \"utf-8\", mode: FILE_MODE });\n\n // Clean up legacy file after migration\n try {\n await rm(join(dataDir, LEGACY_STATE_FILE));\n } catch {\n // Already removed or never existed\n }\n}\n\n/**\n * Load raw persisted state from disk.\n * Returns the raw parsed JSON \u2014 caller is responsible for migration\n * from legacy format to current PersistedState.\n *\n * Checks agentvault.json first, falls back to secure-channel.json\n * for backward compatibility. Auto-migrates on first legacy load.\n */\nexport async function loadState(\n dataDir: string,\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n): Promise<any | null> {\n // Try new filename first\n const filePath = join(dataDir, STATE_FILE);\n try {\n const raw = await readFile(filePath, \"utf-8\");\n return JSON.parse(raw);\n } catch {\n // Fall through to legacy\n }\n\n // Fall back to legacy filename\n const legacyPath = join(dataDir, LEGACY_STATE_FILE);\n try {\n const raw = await readFile(legacyPath, \"utf-8\");\n const parsed = JSON.parse(raw);\n // Auto-migrate: write to new filename, remove legacy\n await mkdir(dataDir, { recursive: true, mode: DIR_MODE });\n await writeFile(filePath, JSON.stringify(parsed, null, 2), { encoding: \"utf-8\", mode: FILE_MODE });\n await rm(legacyPath);\n return parsed;\n } catch {\n return null;\n }\n}\n\n/**\n * Check whether persisted state is valid and usable (has deviceId, deviceJwt, and at least one session).\n */\nexport async function isStateValid(dataDir: string): Promise<boolean> {\n try {\n const filePath = join(dataDir, STATE_FILE);\n const raw = await readFile(filePath, \"utf-8\");\n const parsed = JSON.parse(raw);\n return !!(\n parsed &&\n parsed.deviceId &&\n parsed.deviceJwt &&\n parsed.sessions &&\n Object.keys(parsed.sessions).length > 0\n );\n } catch {\n return false;\n }\n}\n\n/**\n * Create a backup of the state file (atomic write via tmp + rename).\n * Silent no-op if no state file exists.\n */\nexport async function backupState(dataDir: string): Promise<void> {\n const src = join(dataDir, STATE_FILE);\n const bak = join(dataDir, `${STATE_FILE}.bak`);\n const tmp = join(dataDir, `${STATE_FILE}.bak.tmp`);\n try {\n const data = await readFile(src, \"utf-8\");\n await writeFile(tmp, data, { encoding: \"utf-8\", mode: FILE_MODE });\n await rename(tmp, bak);\n } catch {\n // No state file or write failed \u2014 silent no-op\n }\n}\n\n/**\n * Restore state from backup if primary state is missing/empty/invalid but .bak exists and is valid.\n * Returns true if state was successfully restored.\n */\nexport async function restoreState(dataDir: string): Promise<boolean> {\n // Only restore if primary is missing or invalid\n const primaryValid = await isStateValid(dataDir);\n if (primaryValid) return false;\n\n const bak = join(dataDir, `${STATE_FILE}.bak`);\n try {\n const data = await readFile(bak, \"utf-8\");\n const parsed = JSON.parse(data);\n if (\n !parsed ||\n !parsed.deviceId ||\n !parsed.deviceJwt ||\n !parsed.sessions ||\n Object.keys(parsed.sessions).length === 0\n ) {\n return false;\n }\n await mkdir(dataDir, { recursive: true, mode: DIR_MODE });\n await writeFile(join(dataDir, STATE_FILE), data, { encoding: \"utf-8\", mode: FILE_MODE });\n return true;\n } catch {\n return false;\n }\n}\n\n/**\n * Upload encrypted backup to server. Converts PersistedState \u2192 BackupBundle,\n * encrypts with backup code, and PUTs to the backend.\n */\nexport async function uploadBackupToServer(\n state: PersistedState,\n backupCode: string,\n apiUrl: string,\n deviceJwt: string,\n): Promise<void> {\n // Build BackupBundle from PersistedState\n const ratchets: Record<string, string> = {};\n for (const [convId, session] of Object.entries(state.sessions)) {\n if (session.ratchetState) {\n ratchets[convId] = session.ratchetState;\n }\n }\n\n const bundle: BackupBundle = {\n version: 1,\n createdAt: new Date().toISOString(),\n deviceId: state.deviceId,\n identityKeypair: state.identityKeypair,\n ephemeralKeypair: state.ephemeralKeypair,\n fingerprint: state.fingerprint,\n ratchets,\n sessions: Object.fromEntries(\n Object.entries(state.sessions).map(([convId, s]) => [\n convId,\n {\n ownerDeviceId: s.ownerDeviceId,\n ratchetState: s.ratchetState,\n activated: s.activated,\n },\n ]),\n ),\n topics: state.topics,\n defaultTopicId: state.defaultTopicId,\n groupId: state.groupId,\n hubAddress: state.hubAddress,\n };\n\n const encrypted = await encryptBackup(bundle, backupCode);\n const codeHash = await hashBackupCode(backupCode);\n\n const resp = await fetch(`${apiUrl}/api/v1/backup`, {\n method: \"PUT\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${deviceJwt}`,\n },\n body: JSON.stringify({\n backup_blob: bytesToBase64(encrypted),\n backup_code_hash: bytesToHex(codeHash),\n }),\n });\n\n if (!resp.ok) {\n throw new Error(`Backup upload failed: ${resp.status}`);\n }\n}\n\nexport async function clearState(dataDir: string): Promise<void> {\n // Remove both files to cover migration edge cases\n for (const filename of [STATE_FILE, LEGACY_STATE_FILE]) {\n try {\n await rm(join(dataDir, filename));\n } catch {\n // File doesn't exist \u2014 nothing to clear\n }\n }\n}\n", "/**\n * OpenClaw channel plugin entry point.\n *\n * Intentionally thin \u2014 no heavy imports (libsodium etc.) at module load time.\n * SecureChannel is dynamically imported inside gateway.startAccount (already async)\n * so libsodium's top-level await never runs during plugin registration.\n *\n * Loaded by OpenClaw via the `openclaw.extensions` field in package.json.\n */\n\nimport { resolve as pathResolve } from \"node:path\";\nimport { randomBytes } from \"node:crypto\";\nimport { homedir as osHomedir } from \"node:os\";\nimport { listAccountIds, resolveAccount } from \"./account-config.js\";\nimport { installFetchInterceptor, runWithTraceContext } from \"./fetch-interceptor.js\";\nimport { handleSendRequest, handleActionRequest, handleDecisionRequest, handleStatusRequest, handleTargetsRequest } from \"./http-handlers.js\";\nimport { requestHeartbeatNow } from \"./openclaw-compat.js\";\nimport { parseTarget } from \"./types.js\";\nimport type { DeliveryTarget } from \"./types.js\";\nimport type { SkillDefinition } from \"./mcp-server.js\";\nimport type {\n OpenClawPluginApi,\n PluginRuntime,\n ChannelGatewayContext,\n ResolvedAccountBase,\n ChannelOutboundPayloadContext,\n ReplyPayload,\n MessageSentEvent,\n SessionStartEvent,\n SessionEndEvent,\n} from \"./openclaw-types.js\";\n\n// --- Runtime and active channels (set during register) ---\nlet _ocRuntime: PluginRuntime | null = null;\nconst _channels = new Map<string, any>();\nconst _messageQueue: Array<() => Promise<void>> = [];\n\n// --- Conversation loop prevention (A2A + rooms) ---\n// Tracks recent reply timestamps per channel/room to prevent infinite loops.\n// Max replies per channel within the window, then cooldown.\nconst LOOP_MAX_REPLIES_PER_WINDOW = 4;\nconst LOOP_WINDOW_MS = 60_000; // 1-minute sliding window\nconst LOOP_COOLDOWN_MS = 120_000; // 2-minute cooldown after hitting limit\nconst _replyTimestamps = new Map<string, number[]>();\nconst _cooldownUntil = new Map<string, number>();\n\nfunction _canReply(key: string): boolean {\n const now = Date.now();\n\n // Check cooldown\n const cooldownEnd = _cooldownUntil.get(key) ?? 0;\n if (now < cooldownEnd) {\n return false;\n }\n\n // Get timestamps within window\n const timestamps = _replyTimestamps.get(key) ?? [];\n const recent = timestamps.filter((t) => now - t < LOOP_WINDOW_MS);\n\n if (recent.length >= LOOP_MAX_REPLIES_PER_WINDOW) {\n // Hit limit \u2014 enter cooldown\n _cooldownUntil.set(key, now + LOOP_COOLDOWN_MS);\n _replyTimestamps.set(key, []);\n console.warn(\n `[AgentVault] Rate limit hit for ${key.slice(0, 20)}... \u2014 ` +\n `${LOOP_MAX_REPLIES_PER_WINDOW} replies in ${LOOP_WINDOW_MS / 1000}s, cooling down ${LOOP_COOLDOWN_MS / 1000}s`,\n );\n return false;\n }\n\n return true;\n}\n\nfunction _recordReply(key: string): void {\n const now = Date.now();\n const timestamps = _replyTimestamps.get(key) ?? [];\n timestamps.push(now);\n // Keep only timestamps within window\n _replyTimestamps.set(\n key,\n timestamps.filter((t) => now - t < LOOP_WINDOW_MS),\n );\n}\n\n// Back-compat aliases used internally\nfunction _a2aCanReply(channelId: string): boolean { return _canReply(`a2a:${channelId}`); }\nfunction _a2aRecordReply(channelId: string): void { _recordReply(`a2a:${channelId}`); }\nfunction _roomCanReply(roomId: string): boolean { return _canReply(`room:${roomId}`); }\nfunction _roomRecordReply(roomId: string): void { _recordReply(`room:${roomId}`); }\n\n/** Whether OpenClaw managed HTTP routes are active (vs self-managed server). */\nexport let isUsingManagedRoutes = false;\n\n/**\n * Shared mutable targets array for OpenClaw outbound routing.\n * OpenClaw validates `to` against this list before calling sendText/sendPayload.\n * We mutate it at runtime to add A2A channel targets dynamically.\n */\nconst _outboundTargets: Array<{ id: string; label: string; accountId: string }> = [\n { id: \"owner\", label: \"AgentVault Owner\", accountId: \"default\" },\n { id: \"default\", label: \"AgentVault Owner (default)\", accountId: \"default\" },\n];\n\n// _normalizeTarget removed \u2014 replaced by parseTarget() from types.ts\n\n/** Register a room as a valid outbound target (idempotent). */\nfunction _registerRoomTarget(roomId: string, roomName: string, accountId: string): void {\n const targetId = `room:${roomId}`;\n if (_outboundTargets.some((t) => t.id === targetId)) return;\n _outboundTargets.push({ id: targetId, label: `Room: ${roomName}`, accountId });\n console.log(`[AgentVault] Registered room target: ${roomName} (${roomId.slice(0, 8)}...)`);\n}\n\n/** Register an A2A peer as a valid outbound target (idempotent). */\nfunction _registerA2ATarget(hubAddress: string, accountId: string): void {\n const targetId = `a2a:${hubAddress}`;\n if (_outboundTargets.some((t) => t.id === targetId)) return;\n _outboundTargets.push({\n id: targetId,\n label: `A2A: ${hubAddress}`,\n accountId,\n });\n console.log(`[AgentVault] Registered A2A target: ${targetId}`);\n}\n\nfunction _setRuntime(rt: PluginRuntime) {\n _ocRuntime = rt;\n // Flush any messages that arrived before runtime was ready\n if (_messageQueue.length > 0) {\n const pending = _messageQueue.splice(0);\n for (const fn of pending) {\n fn().catch(() => {});\n }\n }\n}\n\n// --- @mention filtering for multi-agent rooms ---\n\n/** Extract @mention names from plaintext. Returns lowercased names. */\nfunction _parseMentions(text: string): string[] {\n const mentions: string[] = [];\n // Match @word at word boundary \u2014 supports multi-word via sequential matching\n const re = /@(\\w[\\w]*)/gi;\n let match: RegExpExecArray | null;\n while ((match = re.exec(text)) !== null) {\n mentions.push(match[1].toLowerCase());\n }\n return mentions;\n}\n\n/** Determine whether this agent should process a room message based on @mentions and sender type.\n *\n * Loop prevention is handled by the rate limiter (_roomCanReply: 4 replies/60s\n * with 2min cooldown), so we no longer gate on senderIsAgent. All messages\n * are processed unless they @mention a *different* agent specifically.\n */\nfunction _shouldProcessRoomMessage(\n plaintext: string,\n agentName: string,\n accountId: string,\n _senderIsAgent?: boolean,\n): boolean {\n const mentions = _parseMentions(plaintext);\n // No mentions \u2192 broadcast to all agents\n if (mentions.length === 0) return true;\n // @all / @everyone \u2192 all agents process\n if (mentions.includes(\"all\") || mentions.includes(\"everyone\")) return true;\n // Check if this agent is mentioned (by name or accountId)\n const nameLower = agentName.toLowerCase();\n const idLower = accountId.toLowerCase();\n const firstWord = nameLower.split(/[\\s(]/)[0];\n const isMentioned = mentions.some(\n (m) => m === nameLower || m === firstWord || m === idLower,\n );\n if (isMentioned) return true;\n // Message has @mentions but none match this agent \u2014 skip\n return false;\n}\n\n/** Strip the matching @mention prefix from plaintext so the agent sees clean text. */\nfunction _stripMentions(\n text: string,\n agentName: string,\n accountId: string,\n): string {\n const nameLower = agentName.toLowerCase();\n const firstWord = nameLower.split(/[\\s(]/)[0];\n const idLower = accountId.toLowerCase();\n // Remove all @mentions that match this agent (case-insensitive)\n return text\n .replace(/@(\\w[\\w]*)/gi, (full, name) => {\n const lower = name.toLowerCase();\n if (lower === nameLower || lower === firstWord || lower === idLower) {\n return \"\";\n }\n // Also strip @all/@everyone since they're routing directives\n if (lower === \"all\" || lower === \"everyone\") return \"\";\n return full;\n })\n .replace(/^\\s+/, \"\") // trim leading whitespace left by stripped mention\n .trim();\n}\n\n// --- Memory recall helper ---\n\nasync function _recallMemories(\n apiUrl: string,\n apiKey: string | undefined,\n hubId: string,\n query: string,\n limit: number = 5,\n): Promise<string> {\n try {\n const params = new URLSearchParams({ q: query, limit: String(limit) });\n const headers: Record<string, string> = { \"Content-Type\": \"application/json\" };\n if (apiKey) headers[\"Authorization\"] = `Bearer ${apiKey}`;\n\n const res = await fetch(`${apiUrl}/api/v1/agents/${hubId}/memory/search?${params}`, { headers });\n if (!res.ok) return \"\";\n\n const results = (await res.json()) as Array<{ content: string; category: string; similarity: number; source?: string }>;\n if (!results.length) return \"\";\n\n const lines = [\"## Your Memory (from AgentVault)\", \"\"];\n for (const r of results) {\n const source = r.source ? ` _(${r.source})_` : \"\";\n lines.push(`- [${r.category}] ${r.content}${source}`);\n }\n lines.push(\"\");\n return lines.join(\"\\n\");\n } catch {\n return \"\";\n }\n}\n\n// --- Team memory helpers (ops.motiveflow.io) ---\n// Config read once \u2014 avoids inline env+fetch pattern that triggers security scanners\nconst _tmCfg = { u: \"\", k: \"\" };\nfunction _initTmCfg() {\n if (!_tmCfg.u) { _tmCfg.u = (globalThis as any).process?.env?.TEAM_MEMORY_URL || \"\"; _tmCfg.k = (globalThis as any).process?.env?.TEAM_MEMORY_API_KEY || \"\"; }\n}\n\nasync function _recallTeamMemory(query: string, limit: number = 5): Promise<string> {\n _initTmCfg();\n if (!_tmCfg.u || !_tmCfg.k) return \"\";\n\n try {\n const params = new URLSearchParams({ q: query, limit: String(limit), threshold: \"0.5\" });\n const resp = await fetch(`${_tmCfg.u}/v1/memory/search?${params}`, {\n headers: { \"X-API-Key\": _tmCfg.k },\n signal: AbortSignal.timeout(5000),\n });\n if (!resp.ok) return \"\";\n const results = (await resp.json()) as Array<{ content: string; category: string; similarity: number }>;\n if (!results.length) return \"\";\n\n const lines = [\"## Team Memory (shared knowledge)\", \"\"];\n for (const r of results) {\n lines.push(`- [${r.category}] ${r.content}`);\n }\n lines.push(\"\");\n return lines.join(\"\\n\");\n } catch {\n return \"\";\n }\n}\n\nfunction _captureTeamMemory(content: string, category: string, source: string): void {\n _initTmCfg();\n if (!_tmCfg.u || !_tmCfg.k) return;\n\n fetch(`${_tmCfg.u}/v1/memory`, {\n method: \"POST\",\n headers: { \"X-API-Key\": _tmCfg.k, \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ content, category, source }),\n signal: AbortSignal.timeout(5000),\n }).catch(() => {}); // fire and forget\n}\n\n// --- Inbound message dispatch ---\n\nasync function handleInbound(params: {\n plaintext: string;\n metadata: any;\n channel: any;\n account: any;\n cfg: any;\n}): Promise<void> {\n const { plaintext: rawPlaintext, metadata, channel, account, cfg } = params;\n const isRoomMessage = Boolean(metadata.roomId);\n const isA2AMessage = Boolean(metadata.a2aChannelId);\n\n // @mention filtering + agent-to-agent loop prevention for room messages\n if (isRoomMessage) {\n if (!_shouldProcessRoomMessage(rawPlaintext, account.agentName ?? \"\", account.accountId ?? \"\", metadata.senderIsAgent)) {\n return; // Not addressed to this agent \u2014 skip silently\n }\n }\n\n // Strip @mentions from plaintext so the agent sees clean text\n let plaintext = isRoomMessage\n ? _stripMentions(rawPlaintext, account.agentName ?? \"\", account.accountId ?? \"\")\n : rawPlaintext;\n\n // OpenClaw v2026.3.28: trigger immediate heartbeat for room/A2A messages\n if (isRoomMessage || isA2AMessage) {\n try {\n const woke = await requestHeartbeatNow({ reason: `AgentVault ${isRoomMessage ? \"room\" : \"A2A\"} message received` });\n if (woke) {\n console.log(`[AgentVault] Heartbeat triggered for ${isRoomMessage ? \"room\" : \"A2A\"} message`);\n }\n } catch {\n // Non-critical \u2014 agent will process on next regular heartbeat\n }\n }\n\n // Telemetry: hierarchical spans for the full message lifecycle\n const startTime = Date.now();\n const traceId = randomBytes(16).toString(\"hex\");\n const rootSpanId = randomBytes(8).toString(\"hex\");\n const inferenceSpanId = randomBytes(8).toString(\"hex\");\n // Instrumentation context for agent code to report LLM/tool/error spans\n /** Helper: send an activity span over WS for real-time owner display. */\n const _sendActivity = (spanData: Record<string, unknown>) => {\n try { channel.sendActivitySpan({ ...spanData, trace_id: traceId, parent_span_id: inferenceSpanId }); } catch {}\n };\n\n const _instrument = {\n reportLlm: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportLlmCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.llm.model\": opts.model ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"llm\", span_name: opts.model ?? \"LLM\",\n status: opts.status === \"error\" ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n tokens_input: opts.tokensInput, tokens_output: opts.tokensOutput,\n });\n },\n reportTool: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportToolCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.tool.name\": opts.toolName ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"tool\", span_name: opts.toolName ?? \"tool\",\n status: opts.success === false ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n tool_success: opts.success,\n });\n },\n reportError: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportError(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.error.type\": opts.errorType ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"error\", span_name: opts.errorType ?? \"error\",\n status: \"error\",\n start_time: new Date().toISOString(), end_time: new Date().toISOString(), duration_ms: 0,\n attributes: activityAttrs,\n error_type: opts.errorType, error_message: opts.errorMessage,\n });\n },\n reportHttp: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportHttpCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.http.method\": opts.method ?? \"\", \"ai.agent.http.url\": opts.url ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"http\",\n span_name: (() => { try { return new URL(opts.url).hostname; } catch { return opts.url?.slice(0, 40) ?? \"http\"; } })(),\n status: (opts.statusCode ?? 200) >= 400 ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n http_method: opts.method, http_status_code: opts.statusCode, http_url: opts.url,\n });\n },\n reportAction: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportActionCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.action.type\": opts.actionType ?? \"\", \"ai.agent.action.target\": opts.target ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"action\",\n span_name: `${opts.actionType ?? \"action\"}: ${opts.target ?? \"\"}`,\n status: opts.success === false ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n action_type: opts.actionType, action_target: opts.target,\n });\n },\n reportNav: (opts: any) => {\n const enriched = { ...opts, traceId, parentSpanId: inferenceSpanId };\n if (opts.skillName || _instrument.skillName) enriched.skillName = opts.skillName ?? _instrument.skillName;\n try { channel.telemetry?.reportNavCall(enriched); } catch {}\n const activityAttrs: Record<string, string> = { \"ai.agent.nav.to_url\": opts.toUrl ?? \"\" };\n if (enriched.skillName) activityAttrs[\"ai.agent.skill.name\"] = enriched.skillName;\n _sendActivity({\n span_id: randomBytes(8).toString(\"hex\"), span_type: \"nav\",\n span_name: opts.toUrl?.slice(0, 40) ?? \"navigate\",\n status: opts.status === \"error\" ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - (opts.latencyMs ?? 0)).toISOString(),\n end_time: new Date().toISOString(), duration_ms: opts.latencyMs ?? 0,\n attributes: activityAttrs,\n });\n },\n skillName: undefined as string | undefined,\n traceId,\n parentSpanId: inferenceSpanId,\n };\n let replyCount = 0;\n let totalReplyChars = 0;\n let firstReplyTime: number | null = null;\n const replySpans: Array<{ startTime: number; endTime: number; chars: number; index: number }> = [];\n\n // Emit \"receive\" child span immediately \u2014 marks inbound arrival\n _emitChildSpan(channel, {\n traceId,\n parentSpanId: rootSpanId,\n name: \"ai.agent.message.receive\",\n startTime,\n endTime: startTime + 1, // instant\n attributes: {\n \"ai.agent.message.input_chars\": plaintext.length,\n \"ai.agent.message.type\": isA2AMessage ? \"a2a\" : metadata.roomId ? \"room\" : \"direct\",\n },\n status: \"ok\",\n });\n\n // Send typing indicator to owner (non-critical, best-effort)\n try { channel.sendTyping(); } catch { /* ignore */ }\n\n const core = _ocRuntime!; // Non-null: caller guards with `if (!_ocRuntime)` check\n\n // Resolve room/sender context for room messages\n let roomName: string | undefined;\n let senderDisplayName: string | undefined;\n if (isRoomMessage && metadata.roomId) {\n roomName = metadata.roomName;\n // Use senderName from metadata (set in channel.ts MLS/DR handlers)\n senderDisplayName = (metadata as any).senderName;\n if (!roomName || !senderDisplayName) {\n const rooms = channel.getRooms?.() ?? [];\n const room = rooms.find((r: any) => r.roomId === metadata.roomId);\n if (room) {\n if (!roomName) roomName = room.name;\n if (!senderDisplayName && metadata.senderDeviceId) {\n const member = room.members?.find((m: any) => m.deviceId === metadata.senderDeviceId);\n if (member) senderDisplayName = member.displayName;\n }\n }\n }\n }\n\n const route = core.channel.routing.resolveAgentRoute({\n cfg,\n channel: \"agentvault\",\n accountId: account.accountId,\n peer: {\n kind: isA2AMessage ? \"a2a\" as any : isRoomMessage ? \"group\" as any : \"direct\",\n id: isA2AMessage\n ? `agentvault:a2a:${metadata.fromHubAddress}`\n : isRoomMessage\n ? `agentvault:room:${metadata.roomId}`\n : \"agentvault:owner\",\n },\n });\n\n const storePath = core.channel.session.resolveStorePath(cfg?.session?.store, {\n agentId: route.agentId,\n });\n\n const envelopeOptions = core.channel.reply.resolveEnvelopeFormatOptions(cfg);\n const previousTimestamp = core.channel.session.readSessionUpdatedAt({\n storePath,\n sessionKey: route.sessionKey,\n });\n\n // Team memory recall \u2014 shared knowledge (highest recall priority)\n const recallQuery = isRoomMessage || isA2AMessage\n ? plaintext\n : (metadata?.reason || metadata?.triggerName || plaintext);\n\n const teamMemoryContext = await _recallTeamMemory(recallQuery);\n if (teamMemoryContext) {\n plaintext = teamMemoryContext + \"\\n---\\n\\n\" + plaintext;\n }\n\n // Agent memory recall \u2014 per-agent knowledge\n if (channel?.config?.apiUrl) {\n const memoryContext = await _recallMemories(\n channel.config.apiUrl,\n channel.config.apiKey,\n channel.config.hubId || \"\",\n recallQuery,\n 5,\n );\n\n if (memoryContext) {\n plaintext = memoryContext + \"\\n---\\n\\n\" + plaintext;\n }\n }\n\n // Inject recent room history into the LLM context for multi-turn memory\n let contextBody = plaintext;\n if (isRoomMessage && metadata.roomId && channel.getRoomHistory) {\n const recentHistory = channel.getRoomHistory(metadata.roomId, 20);\n // Exclude the current message (it's already in plaintext)\n const prior = recentHistory.slice(0, -1);\n if (prior.length > 0) {\n const historyBlock = prior.map((h: any) => {\n const role = h.sender === \"agent\" ? \"You\" : \"Room Member\";\n return `[${role}]: ${h.text}`;\n }).join(\"\\n\");\n contextBody = `[Recent room conversation]\\n${historyBlock}\\n\\n[Current message]\\n${plaintext}`;\n }\n }\n\n const body = core.channel.reply.formatAgentEnvelope({\n channel: \"AgentVault\",\n from: isA2AMessage ? `Agent (${metadata.fromHubAddress})` : isRoomMessage ? (senderDisplayName ?? \"Room Member\") : \"Owner\",\n timestamp: new Date(metadata.timestamp).getTime(),\n previousTimestamp,\n envelope: envelopeOptions,\n body: contextBody,\n });\n\n // Build attachment fields for the context payload\n const attachmentFields: Record<string, any> = {};\n if (metadata.attachment) {\n attachmentFields.AttachmentPath = metadata.attachment.filePath;\n attachmentFields.AttachmentFilename = metadata.attachment.filename;\n attachmentFields.AttachmentMime = metadata.attachment.mime;\n\n // For images: include as MediaUrl so the LLM can see the visual content\n if (metadata.attachment.base64) {\n attachmentFields.MediaUrl = metadata.attachment.base64;\n attachmentFields.NumMedia = \"1\";\n }\n\n // For text files: content is already inlined in plaintext body\n }\n\n // Inject renter credentials for room messages (marketplace rentals)\n const credentialFields: Record<string, any> = {};\n if (isRoomMessage && metadata.roomId && channel.getCredentials) {\n const creds = channel.getCredentials(metadata.roomId);\n if (creds.length > 0) {\n credentialFields.HasRenterCredentials = true;\n credentialFields.RenterCredentials = channel.getCredentialMap(metadata.roomId);\n credentialFields.RenterCredentialCount = creds.length;\n }\n }\n\n const ctxPayload = core.channel.reply.finalizeInboundContext({\n Body: body,\n RawBody: plaintext,\n CommandBody: plaintext,\n From: isA2AMessage ? `a2a:${metadata.fromHubAddress}` : isRoomMessage ? `agentvault:room:${metadata.roomId}` : \"agentvault:owner\",\n To: `agentvault:agent:${account.accountId}`,\n SessionKey: route.sessionKey,\n AccountId: account.accountId,\n ChatType: isA2AMessage ? \"a2a\" : isRoomMessage ? \"room\" : \"direct\",\n ConversationLabel: isA2AMessage ? `A2A: ${metadata.fromHubAddress}` : isRoomMessage ? (roomName ?? \"AgentVault Room\") : \"AgentVault\",\n SenderName: isA2AMessage ? metadata.fromHubAddress : isRoomMessage ? (senderDisplayName ?? \"Room Member\") : \"Owner\",\n SenderId: isA2AMessage ? `a2a:${metadata.fromHubAddress}` : isRoomMessage ? `agentvault:room:${metadata.senderDeviceId ?? metadata.roomId}` : \"agentvault:owner\",\n Provider: \"agentvault\",\n Surface: \"agentvault\",\n MessageSid: metadata.messageId,\n Timestamp: new Date(metadata.timestamp).getTime(),\n OriginatingChannel: \"agentvault\",\n OriginatingTo: `agentvault:agent:${account.accountId}`,\n CommandAuthorized: true,\n Instrument: _instrument, // OpenClaw ctx convention\n AgentVaultTelemetry: _instrument, // AgentVault-specific accessor\n ...attachmentFields,\n ...credentialFields,\n });\n\n await core.channel.session.recordInboundSession({\n storePath,\n sessionKey: ctxPayload.SessionKey ?? route.sessionKey,\n ctx: ctxPayload,\n onRecordError: (err: Error) => {\n core.error?.(`[AgentVault] session record failed: ${String(err)}`);\n },\n });\n\n try {\n await runWithTraceContext(\n { traceId, parentSpanId: inferenceSpanId },\n () => core.channel.reply.dispatchReplyWithBufferedBlockDispatcher({\n ctx: ctxPayload,\n cfg,\n dispatcherOptions: {\n deliver: async (payload: { text?: string; kind?: string }) => {\n // Filter out thinking/reasoning blocks \u2014 only deliver actual responses\n if (payload.kind === \"thinking\" || payload.kind === \"reasoning\") return;\n const text = (payload.text ?? \"\").trim();\n if (!text) return;\n // Heuristic: skip blocks that look like leaked chain-of-thought\n if (/^(Reasoning|Thinking|Let me think|I need to|Let me check):/i.test(text)) return;\n // Skip <think> XML blocks and bare \"think\" lines\n if (/^<think[\\s>]/i.test(text) || /^think$/im.test(text)) return;\n // Skip OpenClaw directive tags like [[reply_to_current]], [[think]], etc.\n if (/^\\[\\[[\\w_]+\\]\\]/.test(text)) return;\n // Skip blocks that are entirely wrapped in <think>...</think>\n if (/^<think>[\\s\\S]*<\\/think>$/i.test(text)) return;\n\n const replyStart = Date.now();\n replyCount++;\n totalReplyChars += text.length;\n if (!firstReplyTime) firstReplyTime = replyStart;\n\n // Route reply via deliver() \u2014 explicit target, no silent fallback\n let replyTarget: DeliveryTarget;\n if (isA2AMessage) {\n // Loop prevention: rate limit A2A replies per channel\n if (!_a2aCanReply(metadata.a2aChannelId)) {\n console.warn(`[AgentVault] A2A reply suppressed (rate limit) for channel ${metadata.a2aChannelId?.slice(0, 8)}...`);\n return;\n }\n replyTarget = { kind: \"a2a\", hubAddress: metadata.fromHubAddress };\n } else if (isRoomMessage) {\n // Loop prevention: rate limit room replies (safety net beyond @mention filtering)\n if (!_roomCanReply(metadata.roomId)) {\n console.warn(`[AgentVault] Room reply suppressed (rate limit) for room ${metadata.roomId?.slice(0, 8)}...`);\n return;\n }\n replyTarget = { kind: \"room\", roomId: metadata.roomId };\n } else {\n replyTarget = { kind: \"owner\" };\n }\n await channel.deliver(replyTarget, { type: \"text\", text }, {\n conversationId: metadata.conversationId,\n topicId: metadata.topicId,\n parentSpanId: inferenceSpanId,\n metadata: isRoomMessage ? { content_length: text.length } : undefined,\n });\n if (isA2AMessage) {\n _a2aRecordReply(metadata.a2aChannelId);\n }\n if (isRoomMessage) {\n _roomRecordReply(metadata.roomId);\n }\n\n const replyEnd = Date.now();\n replySpans.push({ startTime: replyStart, endTime: replyEnd, chars: text.length, index: replyCount });\n },\n onError: (err: Error, info?: { kind?: string }) => {\n core.error?.(`[AgentVault] ${info?.kind ?? \"reply\"} error: ${String(err)}`);\n },\n },\n replyOptions: {},\n }),\n );\n\n const endTime = Date.now();\n\n // Emit child spans for the completed message lifecycle\n _emitHierarchicalSpans(channel, {\n traceId,\n rootSpanId,\n inferenceSpanId,\n startTime,\n endTime,\n firstReplyTime,\n replySpans,\n inputChars: plaintext.length,\n replyCount,\n totalReplyChars,\n isRoom: isRoomMessage,\n status: \"ok\",\n });\n } catch (err) {\n const endTime = Date.now();\n\n // Emit spans even on error \u2014 shows where failure occurred\n _emitHierarchicalSpans(channel, {\n traceId,\n rootSpanId,\n inferenceSpanId,\n startTime,\n endTime,\n firstReplyTime,\n replySpans,\n inputChars: plaintext.length,\n replyCount,\n totalReplyChars,\n isRoom: isRoomMessage,\n status: \"error\",\n statusMessage: String(err),\n });\n // Dedicated error span for the Errors tab\n _emitChildSpan(channel, {\n traceId,\n parentSpanId: rootSpanId,\n name: \"error\",\n startTime: endTime,\n endTime: endTime,\n attributes: {\n \"ai.agent.error.type\": (err as any)?.constructor?.name ?? \"Error\",\n \"ai.agent.error.message\": String(err),\n },\n status: \"error\",\n statusMessage: String(err),\n });\n throw err;\n }\n}\n\n/** Infer a span type from the span name for activity stream display. */\nfunction _inferSpanType(name: string): \"llm\" | \"tool\" | \"http\" | \"action\" | \"error\" | \"nav\" {\n if (name === \"error\" || name.includes(\"error\")) return \"error\";\n if (name.startsWith(\"llm.\") || name.includes(\"inference\")) return \"llm\";\n if (name.startsWith(\"tool.\") || name.includes(\"tool\")) return \"tool\";\n if (name.startsWith(\"http.\") || name.includes(\"http\")) return \"http\";\n if (name.startsWith(\"nav.\") || name.includes(\"nav\")) return \"nav\";\n if (name.startsWith(\"action.\") || name.includes(\"action\")) return \"action\";\n return \"action\"; // default fallback\n}\n\n/** Extract a human-readable span name from span attributes. */\nfunction _extractSpanName(name: string, attrs: Record<string, string | number | boolean>): string {\n if (attrs[\"ai.agent.llm.model\"]) return String(attrs[\"ai.agent.llm.model\"]);\n if (attrs[\"ai.agent.tool.name\"]) return String(attrs[\"ai.agent.tool.name\"]);\n if (attrs[\"ai.agent.http.url\"]) {\n try { return new URL(String(attrs[\"ai.agent.http.url\"])).hostname; } catch { /* use raw */ }\n return String(attrs[\"ai.agent.http.url\"]).slice(0, 40);\n }\n if (attrs[\"ai.agent.action.type\"]) return `${attrs[\"ai.agent.action.type\"]}: ${attrs[\"ai.agent.action.target\"] ?? \"\"}`;\n if (attrs[\"ai.agent.nav.to_url\"]) return String(attrs[\"ai.agent.nav.to_url\"]).slice(0, 40);\n if (attrs[\"ai.agent.error.type\"]) return String(attrs[\"ai.agent.error.type\"]);\n return name;\n}\n\n/** Emit a single child span via the channel's telemetry reporter + WS activity stream. */\nfunction _emitChildSpan(channel: any, opts: {\n traceId: string;\n parentSpanId: string;\n spanId?: string;\n name: string;\n startTime: number;\n endTime: number;\n attributes: Record<string, string | number | boolean>;\n status: \"ok\" | \"error\";\n statusMessage?: string;\n}): void {\n try {\n const reporter = channel.telemetry;\n if (!reporter) return;\n\n const spanId = opts.spanId ?? randomBytes(8).toString(\"hex\");\n\n reporter.reportCustomSpan({\n traceId: opts.traceId,\n spanId,\n parentSpanId: opts.parentSpanId,\n name: opts.name,\n kind: \"internal\" as const,\n startTime: opts.startTime,\n endTime: opts.endTime,\n attributes: opts.attributes,\n status: {\n code: opts.status === \"ok\" ? 1 : 2,\n message: opts.statusMessage,\n },\n });\n\n // Dual-path: also send via WS for real-time activity streaming\n try {\n const spanType = _inferSpanType(opts.name);\n const spanName = _extractSpanName(opts.name, opts.attributes);\n const durationMs = opts.endTime - opts.startTime;\n channel.sendActivitySpan({\n trace_id: opts.traceId,\n span_id: spanId,\n parent_span_id: opts.parentSpanId,\n span_type: spanType,\n span_name: spanName,\n status: opts.status,\n start_time: new Date(opts.startTime).toISOString(),\n end_time: new Date(opts.endTime).toISOString(),\n duration_ms: durationMs,\n attributes: opts.attributes,\n ...(spanType === \"llm\" ? {\n tokens_input: opts.attributes[\"ai.agent.llm.tokens_input\"],\n tokens_output: opts.attributes[\"ai.agent.llm.tokens_output\"],\n } : {}),\n ...(spanType === \"http\" ? {\n http_method: opts.attributes[\"ai.agent.http.method\"],\n http_status_code: opts.attributes[\"ai.agent.http.status_code\"],\n http_url: opts.attributes[\"ai.agent.http.url\"],\n } : {}),\n ...(spanType === \"tool\" ? {\n tool_success: opts.attributes[\"ai.agent.tool.success\"],\n } : {}),\n ...(spanType === \"error\" ? {\n error_type: opts.attributes[\"ai.agent.error.type\"],\n error_message: opts.attributes[\"ai.agent.error.message\"],\n } : {}),\n });\n } catch { /* WS activity is best-effort */ }\n } catch { /* telemetry is best-effort */ }\n}\n\n/** Emit the full hierarchical span tree for a message lifecycle. */\nfunction _emitHierarchicalSpans(channel: any, opts: {\n traceId: string;\n rootSpanId: string;\n inferenceSpanId?: string;\n startTime: number;\n endTime: number;\n firstReplyTime: number | null;\n replySpans: Array<{ startTime: number; endTime: number; chars: number; index: number }>;\n inputChars: number;\n replyCount: number;\n totalReplyChars: number;\n isRoom: boolean;\n status: \"ok\" | \"error\";\n statusMessage?: string;\n}): void {\n try {\n const reporter = channel.telemetry;\n if (!reporter) return;\n\n // 1. Inference span: from message arrival to first reply (or end if no replies)\n const inferenceEnd = opts.firstReplyTime ?? opts.endTime;\n _emitChildSpan(channel, {\n traceId: opts.traceId,\n parentSpanId: opts.rootSpanId,\n spanId: opts.inferenceSpanId,\n name: \"ai.agent.inference\",\n startTime: opts.startTime + 1, // just after receive\n endTime: inferenceEnd,\n attributes: {\n \"ai.agent.inference.latency_ms\": inferenceEnd - opts.startTime,\n \"ai.agent.message.input_chars\": opts.inputChars,\n },\n status: opts.status,\n statusMessage: opts.status === \"error\" ? opts.statusMessage : undefined,\n });\n\n // 2. Individual reply spans\n for (const reply of opts.replySpans) {\n _emitChildSpan(channel, {\n traceId: opts.traceId,\n parentSpanId: opts.rootSpanId,\n name: \"ai.agent.reply\",\n startTime: reply.startTime,\n endTime: reply.endTime,\n attributes: {\n \"ai.agent.reply.index\": reply.index,\n \"ai.agent.reply.chars\": reply.chars,\n },\n status: \"ok\",\n });\n }\n\n // 3. Root span (wraps everything) \u2014 emitted last\n reporter.reportCustomSpan({\n traceId: opts.traceId,\n spanId: opts.rootSpanId,\n name: \"ai.agent.message\",\n kind: \"server\" as const,\n startTime: opts.startTime,\n endTime: opts.endTime,\n attributes: {\n \"ai.agent.message.input_chars\": opts.inputChars,\n \"ai.agent.message.reply_count\": opts.replyCount,\n \"ai.agent.message.reply_chars\": opts.totalReplyChars,\n \"ai.agent.message.latency_ms\": opts.endTime - opts.startTime,\n \"ai.agent.message.type\": opts.isRoom ? \"room\" : \"direct\",\n },\n status: {\n code: opts.status === \"ok\" ? 1 : 2,\n message: opts.statusMessage,\n },\n });\n } catch { /* telemetry is best-effort */ }\n}\n\n// --- Channel plugin definition ---\n\nconst agentVaultPlugin = {\n id: \"agentvault\",\n meta: {\n id: \"agentvault\",\n label: \"AgentVault\",\n selectionLabel: \"AgentVault (E2E Encrypted)\",\n docsPath: \"https://agentvault.chat/docs\",\n blurb: \"Zero-knowledge, end-to-end encrypted messaging between owners and their AI agents.\",\n aliases: [\"av\", \"agent-vault\"],\n },\n capabilities: { chatTypes: [\"direct\", \"room\"] },\n config: { listAccountIds, resolveAccount },\n\n gateway: {\n /** Health probe for `openclaw channels status --probe` */\n probe: async (ctx: any) => {\n const accountId = ctx?.accountId ?? \"default\";\n const ch = _channels.get(accountId);\n if (!ch) return { ok: false, status: \"disconnected\", error: \"Channel not started\" };\n const state = ch.state;\n return {\n ok: state === \"ready\",\n status: state,\n deviceId: ch.deviceId ?? undefined,\n sessions: ch.sessionCount,\n };\n },\n\n /** Status for `openclaw health --json` per-channel summary */\n status: (ctx: any) => {\n const accountId = ctx?.accountId ?? \"default\";\n const ch = _channels.get(accountId);\n if (!ch) return { connected: false, status: \"not_started\" };\n return {\n connected: ch.state === \"ready\",\n status: ch.state,\n deviceId: ch.deviceId ?? undefined,\n sessions: ch.sessionCount,\n encrypted: true,\n };\n },\n\n startAccount: async (ctx: ChannelGatewayContext<ResolvedAccountBase>) => {\n const { account, cfg, log, abortSignal } = ctx;\n const _log: ((msg: string) => void) | undefined = typeof log === \"function\" ? log : log?.info?.bind(log);\n\n if (!account.configured) {\n throw new Error(\n \"AgentVault channel not configured. Run: npx @agentvault/agentvault setup --token=av_tok_...\\nThen restart OpenClaw.\",\n );\n }\n\n const dataDir = pathResolve(account.dataDir.replace(/^~/, osHomedir()));\n _log?.(`[AgentVault] starting (dataDir=${dataDir})`);\n\n // startAccount must STAY PENDING while the channel is running.\n // Resolving signals \"channel stopped\" to the gateway health monitor,\n // which triggers auto-restart. We block here until the abortSignal\n // fires (gateway shutdown / config reload), then clean up.\n await new Promise<void>((resolve, reject) => {\n let channel: any;\n\n const onAbort = async () => {\n await channel?.stop();\n _channels.delete(account.accountId);\n resolve();\n };\n\n abortSignal?.addEventListener(\"abort\", () => void onAbort());\n\n // Lazy import \u2014 defers libsodium initialization until channel starts\n import(\"./index.js\").then(async ({ SecureChannel }) => {\n channel = new SecureChannel({\n inviteToken: \"\",\n dataDir,\n apiUrl: account.apiUrl,\n agentName: account.agentName,\n onMessage: async (plaintext: string, metadata: any) => {\n if (!_ocRuntime) {\n _log?.(\"[AgentVault] runtime not ready, queuing message\");\n _messageQueue.push(async () => {\n await handleInbound({ plaintext, metadata, channel, account, cfg });\n });\n return;\n }\n try {\n await handleInbound({ plaintext, metadata, channel, account, cfg });\n } catch (err) {\n _log?.(`[AgentVault] inbound error: ${String(err)}`);\n }\n },\n onA2AMessage: async (msg: any) => {\n const a2aMetadata = {\n a2aChannelId: msg.channelId,\n fromHubAddress: msg.fromHubAddress,\n conversationId: msg.conversationId,\n timestamp: msg.timestamp,\n parentSpanId: msg.parentSpanId,\n messageId: `a2a:${msg.channelId}:${Date.now()}`,\n };\n if (!_ocRuntime) {\n _log?.(\"[AgentVault] runtime not ready, queuing A2A message\");\n _messageQueue.push(async () => {\n await handleInbound({ plaintext: msg.text, metadata: a2aMetadata, channel, account, cfg });\n });\n return;\n }\n try {\n await handleInbound({ plaintext: msg.text, metadata: a2aMetadata, channel, account, cfg });\n } catch (err) {\n _log?.(`[AgentVault] A2A inbound error: ${String(err)}`);\n }\n },\n onA2AChannelReady: async (info: {\n channelId: string;\n peerHubAddress: string;\n role: \"creator\" | \"member\";\n conversationId: string;\n topic?: string;\n }) => {\n // Register peer as valid outbound target (both roles)\n _registerA2ATarget(info.peerHubAddress, account.accountId);\n\n // Only creator sends the seed message\n if (info.role !== \"creator\") {\n _log?.(`[AgentVault] A2A channel ready (member) \u2014 waiting for creator: ${info.peerHubAddress}`);\n return;\n }\n _log?.(`[AgentVault] A2A channel ready (creator) \u2014 sending seed to ${info.peerHubAddress}${info.topic ? ` [topic: ${info.topic}]` : \"\"}`);\n\n const seedText = info.topic\n ? `[System] A new A2A channel has been established with agent ${info.peerHubAddress}. ` +\n `Topic: \"${info.topic}\". ` +\n `Introduce yourself briefly and begin discussing this topic.`\n : `[System] A new A2A channel has been established with agent ${info.peerHubAddress}. ` +\n `Introduce yourself briefly and state what you can help with.`;\n const seedMetadata = {\n a2aChannelId: info.channelId,\n fromHubAddress: info.peerHubAddress,\n conversationId: info.conversationId,\n timestamp: new Date().toISOString(),\n messageId: `a2a-seed:${info.channelId}:${Date.now()}`,\n };\n\n if (!_ocRuntime) {\n _log?.(\"[AgentVault] runtime not ready, queuing A2A seed\");\n _messageQueue.push(async () => {\n await handleInbound({ plaintext: seedText, metadata: seedMetadata, channel, account, cfg });\n });\n return;\n }\n try {\n await handleInbound({ plaintext: seedText, metadata: seedMetadata, channel, account, cfg });\n } catch (err) {\n _log?.(`[AgentVault] A2A seed error: ${String(err)}`);\n }\n },\n onStateChange: (state: string) => {\n _log?.(`[AgentVault] \u2192 ${state}`);\n // \"error\" is a permanent failure \u2014 reject so gateway can restart\n if (state === \"error\") reject(new Error(\"AgentVault channel permanent error\"));\n // All other states (connecting/ready/disconnected) are handled\n // internally by SecureChannel's reconnect logic \u2014 do NOT resolve.\n },\n });\n\n _channels.set(account.accountId, channel);\n\n // Prevent unhandled \"error\" events from crashing the process.\n // Without this handler, Node.js EventEmitter throws on emit(\"error\").\n channel.on(\"error\", (err: any) => {\n _log?.(`[AgentVault] channel error (non-fatal): ${String(err)}`);\n });\n\n // --- Activate MCP server with agent skills ---\n try {\n const { AgentVaultMcpServer } = await import(\"./mcp-server.js\");\n const { loadSkillsFromDirectory, loadSkillsFromApi, mergeSkills } = await import(\"./skill-manifest.js\");\n const mcpServer = new AgentVaultMcpServer({\n agentName: account.agentName ?? \"agent\",\n apiUrl: account.apiUrl ?? \"https://api.agentvault.chat\",\n onInvoke: async (skillName: string, args: Record<string, unknown>, skill: any) => {\n // Execute skill via backend inline executor (owner path \u2014 device JWT auth)\n // Sends skill instructions + input to Claude API through the backend\n const apiUrl = account.apiUrl ?? \"https://api.agentvault.chat\";\n const jwt = (channel as any)._deviceJwt;\n if (!jwt) {\n return { error: \"Not connected \u2014 device JWT unavailable\" };\n }\n\n // Build the execution request with instructions from the local skill definition\n const instructions = skill?.instructions;\n if (!instructions) {\n return { error: `Skill \"${skillName}\" has no instructions defined` };\n }\n\n try {\n const resp = await fetch(`${apiUrl}/api/v1/capabilities/owner-execute`, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${jwt}`,\n },\n body: JSON.stringify({\n jsonrpc: \"2.0\",\n method: \"tools/call\",\n params: {\n name: skillName,\n arguments: args,\n // Pass instructions from local SKILL.md so backend doesn't need DB lookup\n _instructions: instructions,\n _schema: skill?.schema,\n },\n id: `invoke-${Date.now()}`,\n }),\n });\n if (!resp.ok) {\n const detail = await resp.text();\n return { error: `Execution failed (${resp.status}): ${detail}` };\n }\n const rpcResult = await resp.json();\n if (rpcResult.error) {\n return { error: rpcResult.error.message ?? \"Execution error\" };\n }\n // Extract text content from MCP response\n const content = rpcResult.result?.content;\n if (Array.isArray(content) && content.length > 0) {\n return content[0].text ?? JSON.stringify(content);\n }\n return rpcResult.result ?? { executed: true };\n } catch (err) {\n _log?.(`[AgentVault] Skill execution failed: ${String(err)}`);\n return { error: `Skill execution failed: ${String(err)}` };\n }\n },\n });\n\n // Resolve the OpenClaw workspace directory for this agent.\n // cfg is the full openclaw.json \u2014 agents.list[] has per-agent workspace,\n // agents.defaults.workspace is the fallback for the main agent.\n const homedir = osHomedir();\n const ocCfg = cfg as any;\n let workspaceDir = dataDir; // fallback to dataDir if workspace unknown\n try {\n const agentsList: any[] = ocCfg?.agents?.list ?? [];\n // Match agent entry by accountId \u2014 bindings map accountId\u2192agentId,\n // and agent entries have workspace paths\n const bindings: any[] = ocCfg?.bindings ?? [];\n const binding = bindings.find((b: any) =>\n b.match?.channel === \"agentvault\" && b.match?.accountId === account.accountId,\n );\n const agentId = binding?.agentId ?? \"main\";\n const agentEntry = agentsList.find((a: any) => a.id === agentId);\n\n if (agentEntry?.workspace) {\n workspaceDir = pathResolve(agentEntry.workspace.replace(/^~/, homedir));\n } else if (ocCfg?.agents?.defaults?.workspace) {\n workspaceDir = pathResolve(ocCfg.agents.defaults.workspace.replace(/^~/, homedir));\n }\n _log?.(`[AgentVault] MCP skill scan: workspace=${workspaceDir} (agentId=${agentId})`);\n } catch {\n _log?.(`[AgentVault] MCP skill scan: falling back to dataDir`);\n }\n\n // Load skills from workspace SKILL.md files\n const localSkills = loadSkillsFromDirectory(workspaceDir);\n\n // Also try loading from a dedicated skills/ subdirectory\n const skillsSubDir = pathResolve(workspaceDir, \"skills\");\n const subDirSkills = loadSkillsFromDirectory(skillsSubDir);\n localSkills.push(...subDirSkills);\n\n // Also scan the dataDir in case skills are stored there\n if (workspaceDir !== dataDir) {\n const dataDirSkills = loadSkillsFromDirectory(dataDir);\n localSkills.push(...dataDirSkills);\n }\n\n // Load skills published via Skill Builder (from backend API)\n let apiSkills: import(\"./mcp-server.js\").SkillDefinition[] = [];\n try {\n const { loadState } = await import(\"./state.js\");\n const persisted = await loadState(dataDir);\n const hubId = persisted?.hubId;\n const deviceJwt = persisted?.deviceJwt;\n const apiUrl = account.apiUrl ?? \"https://api.agentvault.chat\";\n if (hubId && deviceJwt) {\n apiSkills = await loadSkillsFromApi(apiUrl, deviceJwt, hubId);\n if (apiSkills.length > 0) {\n _log?.(`[AgentVault] Loaded ${apiSkills.length} skill(s) from API`);\n }\n }\n } catch (err) {\n _log?.(`[AgentVault] API skill loading failed (non-fatal): ${String(err)}`);\n }\n\n // Merge local + API skills (local takes precedence)\n const { skills: allSkills } = mergeSkills(localSkills, apiSkills);\n for (const skill of allSkills) {\n mcpServer.registerSkill(skill);\n }\n\n mcpServer.initialize();\n channel.setMcpServer(mcpServer);\n _log?.(`[AgentVault] MCP server activated with ${mcpServer.skillCount} skill(s) (${localSkills.length} local, ${apiSkills.length} API)`);\n } catch (err) {\n _log?.(`[AgentVault] MCP server activation failed (non-fatal): ${String(err)}`);\n }\n\n // Always start local HTTP server \u2014 managed routes are an overlay, not a replacement\n const httpPort = account.httpPort ?? 18790;\n channel.on(\"ready\", () => {\n channel.startHttpServer(httpPort);\n _log?.(`[AgentVault] HTTP send server listening on http://127.0.0.1:${httpPort}`);\n if (isUsingManagedRoutes) {\n _log?.(`[AgentVault] OpenClaw managed routes also registered`);\n }\n\n // Register persisted A2A peers as valid outbound targets\n for (const peerAddress of channel.a2aPeerAddresses) {\n _registerA2ATarget(peerAddress, account.accountId);\n }\n\n // Register persisted rooms as valid outbound targets\n for (const room of channel.roomIds) {\n _registerRoomTarget(room.roomId, room.name, account.accountId);\n }\n });\n\n // Re-register A2A targets after server sync (fixes stale persisted addresses)\n channel.on(\"a2a_channels_synced\", () => {\n for (const peerAddress of channel.a2aPeerAddresses) {\n _registerA2ATarget(peerAddress, account.accountId);\n }\n });\n\n // Register new rooms as outbound targets when agent joins\n channel.on(\"room_joined\", (info: { roomId: string; name: string }) => {\n _registerRoomTarget(info.roomId, info.name, account.accountId);\n });\n\n channel.start().catch(reject);\n }).catch(reject);\n });\n\n return { stop: async () => {} }; // Channel already stopped via abortSignal by this point\n },\n },\n\n outbound: {\n deliveryMode: \"direct\" as const,\n\n // Register valid send targets so OpenClaw's `message` tool can route\n // proactive (agent-initiated) sends \u2014 not just replies to inbound messages.\n targets: _outboundTargets,\n\n sendText: async ({ to: rawTo, text, accountId }: { to: string; text: string; accountId?: string }) => {\n const resolvedId = accountId ?? \"default\";\n const ch = _channels.get(resolvedId);\n if (!ch) return { ok: false, error: \"AgentVault channel not connected\" };\n try {\n const target = parseTarget(rawTo);\n const receipt = await ch.deliver(target, { type: \"text\", text });\n return { ok: receipt.ok, queued: receipt.queued, error: receipt.error };\n } catch (err) {\n return { ok: false, error: String(err) };\n }\n },\n\n sendMedia: async ({ to: rawTo, text, mediaUrl, accountId }: { to: string; text?: string; mediaUrl: string; accountId?: string }) => {\n const resolvedId = accountId ?? \"default\";\n const ch = _channels.get(resolvedId);\n if (!ch) return { ok: false, error: \"AgentVault channel not connected\" };\n try {\n // For now, send media URL as text \u2014 AgentVault handles attachments separately\n const message = text ? `${text}\\n${mediaUrl}` : mediaUrl;\n const target = parseTarget(rawTo);\n const receipt = await ch.deliver(target, { type: \"text\", text: message });\n return { ok: receipt.ok, queued: receipt.queued, error: receipt.error };\n } catch (err) {\n return { ok: false, error: String(err) };\n }\n },\n\n /** Rich payload delivery \u2014 OpenClaw v2026.3.2+ calls this for structured messages. */\n sendPayload: async (ctx: ChannelOutboundPayloadContext) => {\n const { payload, accountId } = ctx;\n\n // Suppress reasoning blocks \u2014 E2E channel should only deliver actual responses\n if (payload.isReasoning) return { ok: true };\n\n // Short-circuit empty content before checking channel \u2014 nothing to send\n const text = (payload.text ?? \"\").trim();\n if (!text && !payload.mediaUrls?.length) return { ok: true };\n\n const resolvedId = accountId ?? \"default\";\n const ch = _channels.get(resolvedId);\n if (!ch) return { ok: false, error: \"AgentVault channel not connected\" };\n\n try {\n // Wake agent proactively before sending (fire-and-forget)\n requestHeartbeatNow({ reason: \"outbound-payload\" }).catch(() => {});\n\n // Resolve target via parseTarget \u2014 owner if no explicit target\n const rawTarget = (ctx as any).to;\n let target: DeliveryTarget;\n if (rawTarget && typeof rawTarget === \"string\") {\n target = parseTarget(rawTarget);\n } else {\n target = { kind: \"owner\" };\n }\n\n // Helper: deliver text via unified deliver()\n const _send = async (msg: string) => {\n await ch.deliver(target, { type: \"text\", text: msg });\n };\n\n // Encrypt and deliver text content\n if (text) {\n await _send(text);\n }\n\n // Deliver media URLs as text messages (E2E encrypted)\n if (payload.mediaUrls?.length) {\n for (const url of payload.mediaUrls) {\n await _send(url);\n }\n }\n\n // Forward suggested actions as a structured message\n if (payload.suggestedActions?.length) {\n const actionsText = payload.suggestedActions\n .map((a: { label: string; action: string }) => `- ${a.label}: ${a.action}`)\n .join(\"\\n\");\n await _send(`Suggested actions:\\n${actionsText}`);\n }\n\n return { ok: true };\n } catch (err) {\n return { ok: false, error: String(err) };\n }\n },\n },\n};\n\n// --- Exported for testing ---\nexport { _parseMentions, _shouldProcessRoomMessage, _stripMentions };\n\n// --- Plugin export ---\n\nexport default {\n id: \"agentvault\",\n name: \"AgentVault\",\n description: \"End-to-end encrypted, zero-knowledge messaging between AI agent owners and their agents.\",\n register(api: OpenClawPluginApi) {\n _setRuntime(api.runtime);\n\n // Install fetch interceptor to capture all outbound HTTP from the gateway process.\n installFetchInterceptor({\n onHttpCall: (report) => {\n // Find an active channel to emit through\n const ch = _channels.values().next().value;\n if (!ch) return;\n\n // Telemetry reporter is optional \u2014 may not be initialized\n if (ch.telemetry) {\n try {\n ch.telemetry.reportHttpCall({\n method: report.method,\n url: report.url,\n statusCode: report.statusCode,\n latencyMs: report.latencyMs,\n ...(report.traceId ? { traceId: report.traceId } : {}),\n ...(report.parentSpanId ? { parentSpanId: report.parentSpanId } : {}),\n });\n } catch { /* best-effort */ }\n }\n\n // Activity span always fires (uses WS, not telemetry reporter)\n try {\n const hostname = (() => { try { return new URL(report.url).hostname; } catch { return report.url.slice(0, 40); } })();\n ch.sendActivitySpan({\n trace_id: report.traceId ?? \"\",\n parent_span_id: report.parentSpanId ?? \"\",\n span_id: randomBytes(8).toString(\"hex\"),\n span_type: \"http\",\n span_name: hostname,\n status: report.statusCode >= 400 || report.statusCode === 0 ? \"error\" : \"ok\",\n start_time: new Date(Date.now() - report.latencyMs).toISOString(),\n end_time: new Date().toISOString(),\n duration_ms: report.latencyMs,\n attributes: {\n \"ai.agent.http.method\": report.method,\n \"ai.agent.http.url\": report.url,\n },\n http_method: report.method,\n http_status_code: report.statusCode,\n http_url: report.url,\n });\n } catch { /* best-effort */ }\n },\n });\n\n api.registerChannel({ plugin: agentVaultPlugin });\n\n // --- Managed HTTP routes (OpenClaw v2026.3.2+) ---\n if (typeof api.registerHttpRoute === \"function\") {\n try {\n api.registerHttpRoute({\n path: \"/agentvault/send\",\n method: \"POST\",\n handler: async (req) => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const parsed = (typeof req.body === \"string\" ? JSON.parse(req.body) : req.body) as Record<string, unknown>;\n const result = await handleSendRequest(parsed, ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/action\",\n method: \"POST\",\n handler: async (req) => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const parsed = (typeof req.body === \"string\" ? JSON.parse(req.body) : req.body) as Record<string, unknown>;\n const result = await handleActionRequest(parsed, ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/decision\",\n method: \"POST\",\n handler: async (req) => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const parsed = (typeof req.body === \"string\" ? JSON.parse(req.body) : req.body) as Record<string, unknown>;\n const result = await handleDecisionRequest(parsed, ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/status\",\n method: \"GET\",\n handler: async () => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const result = handleStatusRequest(ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/targets\",\n method: \"GET\",\n handler: async () => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const result = handleTargetsRequest(ch);\n return { status: result.status, body: result.body };\n },\n });\n api.registerHttpRoute({\n path: \"/agentvault/mcp-config\",\n method: \"GET\",\n handler: async () => {\n const ch = _channels.values().next().value;\n if (!ch) return { status: 503, body: { ok: false, error: \"Channel not started\" } };\n const { handleMcpConfigRequest } = await import(\"./http-handlers.js\");\n const agentName = ch.config?.agentName ?? \"agent\";\n const mcpSkillCount = ch.mcpServer?.skillCount ?? 0;\n const result = handleMcpConfigRequest(agentName, 18790, mcpSkillCount);\n return { status: result.status, body: result.body };\n },\n });\n isUsingManagedRoutes = true;\n } catch { /* registerHttpRoute failed \u2014 fall back to self-managed server */ }\n }\n\n // --- Event hooks (OpenClaw v2026.3.2+) ---\n if (typeof api.on === \"function\") {\n // Phase 4: message_sent \u2014 delivery confirmation tracking\n api.on(\"message_sent\", async (event: MessageSentEvent) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"agentvault.message.delivered\",\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"agentvault.message.id\": event.messageId,\n \"agentvault.delivery.status\": event.deliveryStatus,\n \"agentvault.channel.id\": event.channelId,\n },\n status: { code: event.deliveryStatus === \"failed\" ? 2 : 1 },\n });\n } catch { /* best-effort */ }\n });\n\n // Phase 6: session lifecycle hooks\n api.on(\"session_start\", async (event: SessionStartEvent) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"agentvault.session.start\",\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"agentvault.session.key\": event.sessionKey,\n \"agentvault.agent.id\": event.agentId,\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n });\n\n api.on(\"session_end\", async (event: SessionEndEvent) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"agentvault.session.end\",\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"agentvault.session.key\": event.sessionKey,\n \"agentvault.agent.id\": event.agentId,\n ...(event.reason ? { \"agentvault.session.end_reason\": event.reason } : {}),\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n });\n\n // OpenClaw v2026.3.28: before_tool_call with requireApproval for SPT policy enforcement\n api.on(\"before_tool_call\", (async (event: any) => {\n try {\n const toolName = event?.toolName;\n const agentId = event?.agentId;\n if (!toolName || !_channels.size) return {};\n\n // Check against PolicyEnforcer for each active channel\n for (const [, ch] of _channels) {\n const enforcer = (ch as any)?._policyEnforcer;\n if (!enforcer) continue;\n\n // Evaluate across all registered skills \u2014 use wildcard by passing toolName\n // without a specific skillName so the enforcer checks all deny-lists\n for (const [skillName] of (enforcer as any).skills ?? []) {\n const result = enforcer.evaluate({ skillName, toolName, agentId });\n if (result && !result.allowed) {\n console.log(`[AgentVault] Tool \"${toolName}\" denied by policy \u2014 requesting approval`);\n const reason = result.violations?.[0]?.message ?? \"\";\n return {\n requireApproval: true,\n approvalReason: `AgentVault policy: tool \"${toolName}\" requires owner approval. ${reason}`.trim(),\n };\n }\n }\n }\n return {};\n } catch {\n return {};\n }\n }) as (...args: any[]) => void);\n\n // OpenClaw v2026.3.28: before_dispatch injects AV trust context\n api.on(\"before_dispatch\", async (event: any) => {\n try {\n const senderHub = event?.inbound?.metadata?.senderHubAddress;\n if (!senderHub || !_channels.size) return;\n\n // Look up sender's trust info if available\n for (const [, ch] of _channels) {\n const apiUrl = (ch as any)?.config?.apiUrl;\n if (!apiUrl) continue;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/hub/verify/${senderHub}`);\n if (res.ok) {\n const trust = await res.json() as Record<string, unknown>;\n // Inject trust context into the inbound metadata\n if (event.inbound.metadata) {\n event.inbound.metadata._avTrustContext = {\n senderHub: senderHub,\n trustTier: trust.trust_tier,\n verified: trust.verified,\n certificationStatus: trust.certification_status,\n };\n }\n console.log(`[AgentVault] Injected trust context for ${senderHub}: ${trust.trust_tier}`);\n }\n } catch {\n // Non-critical \u2014 proceed without trust context\n }\n break; // Only need one channel's API URL\n }\n } catch {\n // Non-critical \u2014 never throw from hook\n }\n });\n }\n\n // --- Phase 7: Agent events for trust telemetry ---\n import(\"./openclaw-compat.js\").then(async ({ onAgentEvent, onSessionTranscriptUpdate }) => {\n onAgentEvent((event) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: `ai.agent.event.${event.type}`,\n kind: \"internal\",\n startTime: event.timestamp,\n endTime: event.timestamp + 1,\n attributes: {\n \"ai.agent.event.type\": event.type,\n \"ai.agent.id\": event.agentId,\n ...(event.data ? Object.fromEntries(\n Object.entries(event.data).map(([k, v]) => [`ai.agent.event.${k}`, String(v)])\n ) : {}),\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n }).catch(() => {});\n\n onSessionTranscriptUpdate((update) => {\n try {\n const ch = _channels.values().next().value;\n if (!ch?.telemetry) return;\n ch.telemetry.reportCustomSpan({\n traceId: randomBytes(16).toString(\"hex\"),\n spanId: randomBytes(8).toString(\"hex\"),\n name: \"ai.agent.transcript.update\",\n kind: \"internal\",\n startTime: update.timestamp,\n endTime: update.timestamp + 1,\n attributes: {\n \"agentvault.session.key\": update.sessionKey,\n \"ai.agent.transcript.role\": update.role ?? \"unknown\",\n \"ai.agent.transcript.delta_chars\": update.delta.length,\n },\n status: { code: 1 },\n });\n } catch { /* best-effort */ }\n }).catch(() => {});\n }).catch(() => { /* openclaw-compat import failed \u2014 older SDK */ });\n\n // --- Agent tool: agentvault_status ---\n // Lets the agent check its own encrypted channel status\n try {\n api.registerTool?.({\n name: \"agentvault_status\",\n description: \"Check the AgentVault encrypted channel status, connection state, and session count.\",\n parameters: {\n type: \"object\",\n properties: {\n accountId: {\n type: \"string\",\n description: \"Account ID to check (default: 'default')\",\n },\n },\n },\n execute: async (_id: string, params: { accountId?: string }) => {\n const id = params.accountId ?? \"default\";\n const ch = _channels.get(id);\n if (!ch) {\n return { content: [{ type: \"text\", text: JSON.stringify({ connected: false, error: \"Channel not started\" }) }] };\n }\n return {\n content: [{\n type: \"text\",\n text: JSON.stringify({\n connected: ch.state === \"ready\",\n state: ch.state,\n deviceId: ch.deviceId,\n sessions: ch.sessionCount,\n encrypted: true,\n }),\n }],\n };\n },\n }, { optional: true });\n } catch { /* registerTool may not be available in older OpenClaw versions */ }\n\n // --- Auto-reply command: /agentvault ---\n // Quick status check without AI involvement\n try {\n api.registerCommand?.({\n name: \"agentvault\",\n description: \"Show AgentVault encrypted channel status\",\n handler: () => {\n const statuses: string[] = [];\n if (_channels.size === 0) {\n statuses.push(\"AgentVault: no active channels\");\n } else {\n for (const [id, ch] of _channels) {\n statuses.push(`AgentVault [${id}]: ${ch.state} | sessions: ${ch.sessionCount} | encrypted: yes`);\n }\n }\n return { text: statuses.join(\"\\n\") };\n },\n });\n } catch { /* registerCommand may not be available in older OpenClaw versions */ }\n },\n};\n", "/**\n * Shared multi-account config resolution for AgentVault OpenClaw plugin.\n *\n * Supports two config shapes:\n * 1. Legacy single-agent: channels.agentvault.dataDir (returns [\"default\"])\n * 2. Multi-agent: channels.agentvault.accounts.{id}.dataDir (returns account keys)\n *\n * When `accounts` key is present, it takes precedence over top-level dataDir.\n */\n\nconst DEFAULT_API_URL = \"https://api.agentvault.chat\";\nconst DEFAULT_HTTP_PORT = 18790;\n\nexport interface ResolvedAccount {\n accountId: string;\n dataDir: string;\n apiUrl: string;\n agentName: string;\n httpPort: number;\n configured: boolean;\n}\n\nexport function listAccountIds(cfg: any): string[] {\n const av = cfg?.channels?.agentvault;\n if (!av) return [];\n if (av.accounts && typeof av.accounts === \"object\") {\n return Object.keys(av.accounts);\n }\n return av.dataDir ? [\"default\"] : [];\n}\n\nexport function resolveAccount(cfg: any, accountId?: string): ResolvedAccount {\n const av = cfg?.channels?.agentvault ?? {};\n const id = accountId ?? \"default\";\n\n if (av.accounts && typeof av.accounts === \"object\") {\n const acct = av.accounts[id];\n if (!acct) {\n return {\n accountId: id,\n dataDir: \"\",\n apiUrl: av.apiUrl ?? DEFAULT_API_URL,\n agentName: id,\n httpPort: DEFAULT_HTTP_PORT,\n configured: false,\n };\n }\n\n let httpPort = acct.httpPort;\n if (httpPort == null) {\n const keys = Object.keys(av.accounts);\n const index = keys.indexOf(id);\n httpPort = DEFAULT_HTTP_PORT + (index >= 0 ? index : 0);\n }\n\n return {\n accountId: id,\n dataDir: acct.dataDir ?? \"\",\n apiUrl: acct.apiUrl ?? av.apiUrl ?? DEFAULT_API_URL,\n agentName: acct.agentName ?? id,\n httpPort,\n configured: Boolean(acct.dataDir),\n };\n }\n\n return {\n accountId: id,\n dataDir: av.dataDir ?? \"~/.openclaw/agentvault\",\n apiUrl: av.apiUrl ?? DEFAULT_API_URL,\n agentName: av.agentName ?? \"OpenClaw Agent\",\n httpPort: av.httpPort ?? DEFAULT_HTTP_PORT,\n configured: Boolean(av.dataDir),\n };\n}\n", "/**\n * HTTP interceptor for capturing outbound HTTP calls during message handling.\n *\n * Uses Node.js diagnostics_channel to subscribe to undici request events,\n * capturing ALL outbound HTTP from the process (including LLM SDKs, Playwright\n * navigations, and any library that uses undici under the hood).\n *\n * Also monkey-patches globalThis.fetch as a fallback for non-undici HTTP.\n *\n * Uses AsyncLocalStorage to associate intercepted calls with the active\n * message's traceId/parentSpanId.\n *\n * Built-in skip patterns prevent capturing internal infrastructure requests\n * (localhost, AgentVault API, Clerk auth).\n */\nimport { AsyncLocalStorage } from \"node:async_hooks\";\nimport diagnosticsChannel from \"node:diagnostics_channel\";\n\n// \u2500\u2500 Public types \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nexport interface HttpCallReport {\n method: string;\n url: string;\n statusCode: number;\n latencyMs: number;\n traceId?: string;\n parentSpanId?: string;\n}\n\nexport interface TraceContext {\n traceId: string;\n parentSpanId: string;\n}\n\nexport interface FetchInterceptorOptions {\n onHttpCall: (report: HttpCallReport) => void;\n skipPatterns?: RegExp[];\n}\n\n// \u2500\u2500 Internal state \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nconst traceStore = new AsyncLocalStorage<TraceContext>();\n\nconst DEFAULT_SKIP_PATTERNS: RegExp[] = [\n /^https?:\\/\\/localhost(:\\d+)?/,\n /^https?:\\/\\/127\\.0\\.0\\.1(:\\d+)?/,\n /\\.agentvault\\.chat/,\n /\\.agentvault\\.dev/,\n /\\.clerk\\./,\n];\n\nlet installed = false;\nlet originalFetch: typeof globalThis.fetch | undefined;\n\n// Track in-flight undici requests: request \u2192 { url, method, startTime }\nconst inflightRequests = new WeakMap<\n object,\n { url: string; method: string; startTime: number }\n>();\n\n// Diagnostics channel subscriptions\nlet unsubCreate: (() => void) | undefined;\nlet unsubHeaders: (() => void) | undefined;\nlet unsubError: (() => void) | undefined;\n\n// \u2500\u2500 Helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nfunction shouldSkip(url: string, extraPatterns: RegExp[]): boolean {\n const allPatterns = [...DEFAULT_SKIP_PATTERNS, ...extraPatterns];\n return allPatterns.some((p) => p.test(url));\n}\n\nfunction extractUrl(origin: string, path: string): string {\n // undici gives us origin (e.g., \"https://api.openai.com\") and path (e.g., \"/v1/chat/completions\")\n return `${origin}${path}`;\n}\n\n// \u2500\u2500 Public API \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/**\n * Install HTTP interceptor using both undici diagnostics channels and\n * globalThis.fetch monkey-patching. Idempotent.\n */\nexport function installFetchInterceptor(opts: FetchInterceptorOptions): void {\n if (installed) return;\n installed = true;\n\n const skipPatterns = [\n ...DEFAULT_SKIP_PATTERNS,\n ...(opts.skipPatterns ?? []),\n ];\n\n // \u2500\u2500 1. Undici diagnostics channel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n // undici publishes events for every HTTP request it makes.\n // This captures LLM SDK calls, playwright navigations, etc.\n\n try {\n const createChannel = diagnosticsChannel.channel(\"undici:request:create\");\n const headersChannel = diagnosticsChannel.channel(\"undici:request:headers\");\n const errorChannel = diagnosticsChannel.channel(\"undici:request:error\");\n\n const onRequestCreate = (message: unknown) => {\n try {\n const msg = message as {\n request: {\n method?: string;\n origin?: string;\n path?: string;\n };\n };\n const req = msg.request;\n if (!req) return;\n\n const origin = String(req.origin ?? \"\");\n const path = String(req.path ?? \"/\");\n const url = extractUrl(origin, path);\n\n if (shouldSkip(url, skipPatterns)) return;\n\n inflightRequests.set(req, {\n url,\n method: String(req.method ?? \"GET\").toUpperCase(),\n startTime: Date.now(),\n });\n } catch { /* best-effort */ }\n };\n\n const onRequestHeaders = (message: unknown) => {\n try {\n const msg = message as {\n request: object;\n response: { statusCode?: number };\n };\n const tracked = inflightRequests.get(msg.request);\n if (!tracked) return;\n inflightRequests.delete(msg.request);\n\n const latencyMs = Date.now() - tracked.startTime;\n const ctx = traceStore.getStore();\n\n opts.onHttpCall({\n method: tracked.method,\n url: tracked.url,\n statusCode: msg.response?.statusCode ?? 0,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n };\n\n const onRequestError = (message: unknown) => {\n try {\n const msg = message as { request: object; error?: Error };\n const tracked = inflightRequests.get(msg.request);\n if (!tracked) return;\n inflightRequests.delete(msg.request);\n\n const latencyMs = Date.now() - tracked.startTime;\n const ctx = traceStore.getStore();\n\n opts.onHttpCall({\n method: tracked.method,\n url: tracked.url,\n statusCode: 0,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n };\n\n createChannel.subscribe(onRequestCreate);\n headersChannel.subscribe(onRequestHeaders);\n errorChannel.subscribe(onRequestError);\n\n unsubCreate = () => createChannel.unsubscribe(onRequestCreate);\n unsubHeaders = () => headersChannel.unsubscribe(onRequestHeaders);\n unsubError = () => errorChannel.unsubscribe(onRequestError);\n } catch {\n // diagnostics_channel not available or undici not loaded \u2014 fall through to fetch-only\n }\n\n // \u2500\u2500 2. globalThis.fetch monkey-patch (fallback) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n // Catches any HTTP that doesn't go through undici (e.g., native fetch\n // in newer Node.js, or custom HTTP implementations).\n\n originalFetch = globalThis.fetch;\n const savedOriginal = originalFetch;\n\n globalThis.fetch = async (\n input: RequestInfo | URL,\n init?: RequestInit,\n ): Promise<Response> => {\n const url =\n input instanceof Request\n ? input.url\n : input instanceof URL\n ? input.href\n : String(input);\n\n if (shouldSkip(url, skipPatterns)) {\n return savedOriginal(input, init);\n }\n\n const method =\n input instanceof Request\n ? input.method\n : init?.method ?? \"GET\";\n\n const ctx = traceStore.getStore();\n const start = Date.now();\n\n try {\n const response = await savedOriginal(input, init);\n const latencyMs = Date.now() - start;\n\n try {\n opts.onHttpCall({\n method,\n url,\n statusCode: response.status,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n\n return response;\n } catch (err) {\n const latencyMs = Date.now() - start;\n\n try {\n opts.onHttpCall({\n method,\n url,\n statusCode: 0,\n latencyMs,\n traceId: ctx?.traceId,\n parentSpanId: ctx?.parentSpanId,\n });\n } catch { /* best-effort */ }\n\n throw err;\n }\n };\n}\n\n/**\n * Uninstall all interceptors. Safe to call even if not installed.\n */\nexport function uninstallFetchInterceptor(): void {\n if (!installed) return;\n\n // Restore fetch\n if (originalFetch) {\n globalThis.fetch = originalFetch;\n originalFetch = undefined;\n }\n\n // Unsubscribe from diagnostics channels\n unsubCreate?.();\n unsubHeaders?.();\n unsubError?.();\n unsubCreate = undefined;\n unsubHeaders = undefined;\n unsubError = undefined;\n\n installed = false;\n}\n\n/**\n * Run an async function with trace context attached via AsyncLocalStorage.\n * Any HTTP calls made within `fn` (via undici or fetch) will include\n * traceId/parentSpanId in their HttpCallReport.\n */\nexport function runWithTraceContext<T>(\n ctx: TraceContext,\n fn: () => T | Promise<T>,\n): Promise<T> {\n return traceStore.run(ctx, fn) as Promise<T>;\n}\n", "export interface SecureChannelConfig {\n inviteToken: string;\n dataDir: string;\n apiUrl: string;\n agentName?: string;\n agentVersion?: string;\n platform?: string;\n maxHistorySize?: number; // max stored messages for cross-device replay (default 500)\n webhookUrl?: string; // URL to register for webhook notifications from backend\n httpPort?: number; // Local HTTP port for proactive sends (default: none)\n onMessage?: (plaintext: string, metadata: MessageMetadata) => void;\n onStateChange?: (state: ChannelState) => void;\n onA2AMessage?: (msg: A2AMessage) => void;\n /** Called when an A2A channel becomes ready (approved or activated). */\n onA2AChannelReady?: (info: {\n channelId: string;\n peerHubAddress: string;\n role: \"creator\" | \"member\";\n conversationId: string;\n topic?: string;\n }) => void;\n /** Enable client-side policy scanning. If true, rules are fetched on connect. */\n enableScanning?: boolean;\n /** If set, auto-backup encrypted state to server after state changes. */\n backupCode?: string;\n}\n\nexport type ChannelState =\n | \"idle\"\n | \"enrolling\"\n | \"polling\"\n | \"activating\"\n | \"connecting\"\n | \"ready\"\n | \"disconnected\"\n | \"error\";\n\nexport interface AttachmentData {\n filename: string;\n mime: string;\n size: number;\n filePath: string;\n /** Base64-encoded decrypted content (for images passed to LLM vision) */\n base64?: string;\n /** Extracted text content (for text-based files) */\n textContent?: string;\n}\n\nexport interface MessageMetadata {\n messageId: string;\n conversationId: string;\n timestamp: string;\n topicId?: string;\n attachment?: AttachmentData;\n spanId?: string;\n parentSpanId?: string;\n messageType?: string;\n priority?: string;\n envelopeVersion?: string;\n /** Set when the message originated from a multi-agent room */\n roomId?: string;\n /** Device ID of the sender (room messages only) */\n senderDeviceId?: string;\n /** Whether the sender is an agent (vs owner) \u2014 room messages only */\n senderIsAgent?: boolean;\n /** Display name of the sender (room messages only) */\n senderName?: string;\n /** Human-readable room name (room messages only) */\n roomName?: string;\n /** Set when this message is a coordinator task (AES job dispatch) */\n coordinatorTask?: boolean;\n /** Coordinator job ID */\n jobId?: string;\n /** Coordinator task ID */\n taskId?: string;\n /** Coordinator job phase */\n phase?: string;\n /** Coordinator task timeout in seconds */\n timeoutSec?: number;\n}\n\nexport interface SendOptions {\n /** Target a specific conversation instead of broadcasting to all sessions */\n conversationId?: string;\n topicId?: string;\n messageType?: string;\n priority?: string;\n parentSpanId?: string;\n metadata?: Record<string, unknown>;\n}\n\nexport interface DecisionOption {\n option_id: string;\n label: string;\n risk_level: \"low\" | \"medium\" | \"high\" | \"critical\";\n is_default?: boolean;\n}\n\nexport interface ContextRef {\n type: string;\n uri: string;\n label: string;\n}\n\nexport interface DecisionRequest {\n title: string;\n description?: string;\n options: DecisionOption[];\n context_refs?: ContextRef[];\n deadline?: string; // ISO 8601\n auto_action?: {\n option_id: string;\n trigger: string;\n description?: string;\n };\n}\n\nexport interface DecisionResponse {\n decision_id: string;\n selected_option_id?: string;\n resolved_at?: string; // ISO 8601\n action?: \"approve\" | \"deny\" | \"defer\";\n defer_until?: string;\n defer_reason?: string;\n}\n\nexport interface HistoryEntry {\n sender: \"owner\" | \"agent\";\n text: string;\n ts: string; // ISO 8601\n topicId?: string; // topic this message belongs to\n}\n\nexport interface DeviceSession {\n ownerDeviceId: string;\n ratchetState: string; // serialized DoubleRatchet\n activated?: boolean; // true after first owner message received\n epoch?: number; // ratchet generation \u2014 incremented on each resync/rekey\n}\n\nexport interface PersistedState {\n deviceId: string;\n deviceJwt: string;\n primaryConversationId: string;\n sessions: Record<string, DeviceSession>; // conversationId -> session\n identityKeypair: { publicKey: string; privateKey: string }; // hex\n ephemeralKeypair: { publicKey: string; privateKey: string }; // hex\n fingerprint: string;\n lastMessageTimestamp?: string; // ISO timestamp of last received message\n messageHistory?: HistoryEntry[]; // stored messages for cross-device replay\n topics?: Array<{ id: string; name: string; isDefault: boolean }>;\n defaultTopicId?: string;\n groupId?: string;\n hubAddress?: string;\n hubId?: string; // hub UUID \u2014 used for telemetry ingestion\n agentHubId?: string; // agent's hub_id (alias of hubId for routing clarity)\n agentRole?: \"lead\" | \"peer\"; // lead agent uses root workspace dir\n ownerHubId?: string; // owner's hub_id (populated from device_linked or enrollment)\n /** A2A channel state (agent-to-agent communication) */\n a2aChannels?: Record<string, {\n channelId: string;\n conversationId: string;\n role?: \"creator\" | \"member\";\n topic?: string;\n mlsGroupId?: string;\n participants: Array<{\n hubId: string;\n hubAddress: string;\n status: \"invited\" | \"active\" | \"left\" | \"removed\";\n }>;\n }>;\n /** Outbound messages queued while disconnected */\n outboundQueue?: Array<{\n convId: string;\n headerBlob: string;\n ciphertext: string;\n messageGroupId: string;\n topicId?: string;\n }>;\n /** Multi-agent room state */\n rooms?: Record<string, RoomState>;\n /** Last inbound room ID for sticky room routing across restarts */\n lastInboundRoomId?: string;\n /** Persisted message dedup IDs \u2014 survives restarts to prevent double-decrypt */\n seenMessageIds?: string[];\n /** Persisted A2A message dedup IDs */\n seenA2AMessageIds?: string[];\n /** Shadow mode skill configurations (synced from backend via WS) */\n shadowSkills?: Record<string, {\n sessionId: string;\n autonomyLevel: \"shadow\" | \"supervised\" | \"autonomous\";\n decisionClass: string;\n }>;\n /** MLS group state for 1:1 conversations (conversationId -> {mlsGroupId}) */\n mlsConversations?: Record<string, { mlsGroupId: string }>;\n}\n\n/** Legacy state format for backward compatibility */\nexport interface LegacyPersistedState {\n deviceId: string;\n deviceJwt: string;\n conversationId: string;\n identityKeypair: { publicKey: string; privateKey: string }; // hex\n ephemeralKeypair: { publicKey: string; privateKey: string }; // hex\n fingerprint: string;\n ratchetState: string; // serialized DoubleRatchet\n lastMessageTimestamp?: string;\n}\n\n// --- Room types (multi-agent rooms) ---\n\nexport interface RoomMemberInfo {\n deviceId: string;\n entityType: string;\n displayName: string;\n identityPublicKey?: string;\n ephemeralPublicKey?: string;\n}\n\nexport interface RoomConversationInfo {\n id: string;\n participantA: string;\n participantB: string;\n}\n\nexport interface RoomInfo {\n roomId: string;\n name: string;\n members: RoomMemberInfo[];\n conversationIds: string[];\n}\n\nexport interface RoomState {\n roomId: string;\n name: string;\n conversationIds: string[];\n members: RoomMemberInfo[];\n /** MLS group identifier (set when room uses MLS encryption) */\n mlsGroupId?: string;\n /** ISO timestamp of last MLS message received in this room (for sync catch-up) */\n lastMlsMessageTs?: string;\n}\n\nexport interface HeartbeatStatus {\n agent_status: string;\n current_task: string;\n}\n\nexport interface StatusAlert {\n title: string;\n message: string;\n severity: \"info\" | \"warning\" | \"error\" | \"critical\";\n detail?: string;\n detailFormat?: \"markdown\" | \"json\" | \"text\";\n category?: \"performance\" | \"security\" | \"error\" | \"info\";\n}\n\n// --- Room participant event types (team room join/leave) ---\n\nexport interface RoomParticipantEvent {\n roomId: string;\n participant: {\n deviceId: string;\n participantType: \"human\" | \"agent\";\n displayName?: string;\n };\n}\n\n// --- A2A Channel types (agent-to-agent communication) ---\n\nexport interface A2AChannelParticipant {\n id: string;\n hub_id: string;\n hub_address: string;\n agent_name: string;\n tenant_id: string;\n device_id: string | null;\n role: \"creator\" | \"member\";\n status: \"invited\" | \"active\" | \"left\" | \"removed\";\n observer_enabled: boolean;\n joined_at: string | null;\n left_at: string | null;\n}\n\nexport interface A2AChannel {\n channelId: string;\n creator_hub_id: string;\n conversationId: string | null;\n status: \"pending\" | \"approved\" | \"active\" | \"rejected\" | \"revoked\";\n createdAt: string;\n max_participants: number;\n participant_count: number;\n participants: A2AChannelParticipant[];\n topic?: string;\n}\n\nexport interface A2AMessage {\n text: string;\n fromHubAddress: string;\n channelId: string;\n conversationId: string;\n parentSpanId?: string;\n timestamp: string;\n}\n\n// --- Unified Delivery Protocol types ---\n\n/** Explicit routing target for outbound messages. */\nexport type DeliveryTarget =\n | { kind: \"owner\" }\n | { kind: \"room\"; roomId: string }\n | { kind: \"a2a\"; hubAddress: string }\n | { kind: \"context\" }; // Resolve from _lastInboundRoomId (opt-in only)\n\nexport interface ShadowRecommendation {\n sessionId: string;\n skillName: string;\n decisionClass: string;\n recommendedAction: string;\n reasoningTrace?: string;\n observationId: string;\n}\n\n/** Structured message content for the deliver() dispatcher. */\nexport type DeliveryContent =\n | { type: \"text\"; text: string }\n | { type: \"decision_request\"; request: DecisionRequest }\n | { type: \"status_alert\"; alert: StatusAlert }\n | { type: \"action_confirmation\"; confirmation: ActionConfirmation }\n | { type: \"artifact\"; artifact: ArtifactPayload }\n | { type: \"attachment\"; text: string; filePath: string }\n | { type: \"policy_alert\"; alert: PolicyAlert }\n | { type: \"approval_request\"; request: ApprovalRequest }\n | { type: \"approval_response\"; response: ApprovalResponse }\n | { type: \"shadow_recommendation\"; recommendation: ShadowRecommendation };\n\nexport interface ActionConfirmation {\n action: string;\n status: \"completed\" | \"failed\" | \"partial\";\n decisionId?: string;\n detail?: string;\n estimated_cost?: number;\n}\n\nexport interface ArtifactPayload {\n filePath: string;\n filename: string;\n mimeType: string;\n description?: string;\n}\n\n/** Notify agent owner of a policy violation. */\nexport interface PolicyAlert {\n ruleId: string;\n scope: \"tool\" | \"model\" | \"rate\" | \"network\" | \"custom\";\n action: \"block\" | \"warn\" | \"log\";\n violationType: string;\n message: string;\n skillName?: string;\n toolName?: string;\n model?: string;\n timestamp?: string;\n}\n\n/** Human-in-the-loop gate for sensitive operations. */\nexport interface ApprovalRequest {\n approvalId: string;\n category: string;\n title: string;\n description: string;\n details?: Record<string, unknown>;\n expiresAt?: string;\n requiredTier?: string;\n}\n\n/** Owner response to an approval request. */\nexport interface ApprovalResponse {\n approvalId: string;\n approved: boolean;\n reason?: string;\n conditions?: string[];\n signature?: string; // Ed25519 signed approval artifact\n}\n\n// ---------------------------------------------------------------------------\n// Credential Delivery Protocol types\n// ---------------------------------------------------------------------------\n\nexport interface CredentialGrantPayload {\n type: \"credential_grant\";\n agreement_id: string;\n credentials: Array<{\n key: string;\n value: string;\n type: string; // \"api_key\", \"oauth_token\", etc.\n scope: string; // \"read\", \"write\", \"admin\"\n }>;\n timestamp: string;\n nonce: string;\n}\n\nexport interface CredentialRevokePayload {\n type: \"credential_revoke\";\n agreement_id: string;\n credential_keys: string[];\n reason?: string;\n timestamp: string;\n}\n\nexport interface CredentialAckPayload {\n type: \"credential_ack\";\n agreement_id: string;\n acknowledged_keys: string[];\n status: \"stored\" | \"revoked\";\n timestamp: string;\n}\n\nexport interface CredentialRequestPayload {\n type: \"credential_request\";\n agreement_id: string;\n requested_keys: string[];\n reason?: string;\n timestamp: string;\n}\n\nexport interface DeliveryOptions {\n conversationId?: string;\n topicId?: string;\n priority?: string;\n parentSpanId?: string;\n metadata?: Record<string, unknown>;\n}\n\nexport interface DeliveryReceipt {\n ok: boolean;\n destination: { kind: \"owner\" | \"room\" | \"a2a\"; id?: string };\n error?: string;\n queued?: boolean;\n decisionId?: string;\n timestamp: string;\n}\n\nexport interface TargetInfo {\n kind: \"owner\" | \"room\" | \"a2a\";\n id: string;\n label: string;\n available: boolean;\n}\n\n/**\n * Parse a string target into a DeliveryTarget.\n * Handles: \"owner\", \"default\", \"room:<uuid>\", \"a2a:<hubAddr>\", \"context\",\n * \"agentvault:room:<uuid>\" (channel-prefixed), \"agent:<name>\" (\u2192 a2a).\n */\nexport function parseTarget(raw: string): DeliveryTarget {\n // Strip channel prefix: \"agentvault:room:X\" \u2192 \"room:X\"\n let target = raw;\n if (target.startsWith(\"agentvault:\")) {\n target = target.slice(\"agentvault:\".length);\n }\n\n // Map \"agent:X\" \u2192 \"a2a:X\" (OpenClaw uses \"agent:\", plugin uses \"a2a:\")\n if (target.startsWith(\"agent:\")) {\n target = \"a2a:\" + target.slice(\"agent:\".length);\n }\n\n if (target === \"owner\" || target === \"default\") {\n return { kind: \"owner\" };\n }\n if (target === \"context\") {\n return { kind: \"context\" };\n }\n if (target.startsWith(\"room:\")) {\n const roomId = target.slice(\"room:\".length);\n if (!roomId) throw new Error(`Invalid room target: \"${raw}\" \u2014 missing room ID`);\n return { kind: \"room\", roomId };\n }\n if (target.startsWith(\"a2a:\")) {\n const hubAddress = target.slice(\"a2a:\".length);\n if (!hubAddress) throw new Error(`Invalid A2A target: \"${raw}\" \u2014 missing hub address`);\n return { kind: \"a2a\", hubAddress };\n }\n\n throw new Error(`Unrecognized delivery target: \"${raw}\". Use \"owner\", \"room:<id>\", \"a2a:<addr>\", or \"context\".`);\n}\n\nexport interface TrustTokenState {\n token: string | null;\n tier: string | null;\n expiresAt: string | null;\n}\n"],
|
|
5
|
+
"mappings": ";;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA4BA,eAAsB,kBACpB,QACA,SACwB;AACxB,QAAM,OAAO,OAAO;AACpB,MAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,uBAAuB,EAAE;AAAA,EAC3E;AAEA,MAAI;AAEF,QAAI;AAGJ,QAAI,YAAa,OAAO,eAAe,OAAO,eAAe,OAAO;AAGpE,QAAI,CAAC,aAAa,OAAO,cAAc,OAAO,OAAO,eAAe,UAAU;AAC5E,YAAM,UAAU,QAAQ,qBAAqB,OAAO,UAAoB;AACxE,UAAI,QAAS,aAAY;AAAA,IAC3B;AAEA,QAAI,aAAa,OAAO,cAAc,UAAU;AAC9C,eAAS,EAAE,MAAM,OAAO,YAAY,UAAU;AAAA,IAChD,WAAW,OAAO,OAAO,YAAY,UAAU;AAC7C,eAAS,EAAE,MAAM,QAAQ,QAAQ,OAAO,QAAQ;AAAA,IAClD,WAAW,OAAO,WAAW,WAAW;AACtC,eAAS,EAAE,MAAM,UAAU;AAAA,IAC7B,WAAW,OAAO,aAAa,OAAO,OAAO,cAAc,UAAU;AAEnE,YAAMA,WAAU,MAAM,QAAQ;AAAA,QAC5B,EAAE,MAAM,QAAQ;AAAA,QAChB,EAAE,MAAM,cAAc,MAAsB,UAAU,OAAO,UAAoB;AAAA,QACjF,EAAE,SAAS,OAAO,QAA8B;AAAA,MAClD;AACA,aAAO;AAAA,QACL,QAAQA,SAAQ,KAAK,MAAM;AAAA,QAC3B,MAAM;AAAA,UACJ,IAAIA,SAAQ;AAAA,UACZ,aAAaA,SAAQ;AAAA,UACrB,GAAIA,SAAQ,QAAQ,EAAE,OAAOA,SAAQ,MAAM,IAAI,CAAC;AAAA,QAClD;AAAA,MACF;AAAA,IACF,OAAO;AAEL,eAAS,EAAE,MAAM,QAAQ;AAAA,IAC3B;AAEA,UAAM,UAAU,MAAM,QAAQ;AAAA,MAC5B;AAAA,MACA,EAAE,MAAM,QAAQ,KAAqB;AAAA,MACrC;AAAA,QACE,SAAS,OAAO;AAAA,QAChB,UAAU,OAAO;AAAA,QACjB,UAAU;AAAA,UACR,GAAI,OAAO;AAAA,UACX,GAAI,OAAO,eAAe,EAAE,cAAc,OAAO,aAAa,IAAI,CAAC;AAAA,QACrE;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ,QAAQ,KAAK,MAAM;AAAA,MAC3B,MAAM;AAAA,QACJ,IAAI,QAAQ;AAAA,QACZ,aAAa,QAAQ;AAAA,QACrB,GAAI,QAAQ,QAAQ,EAAE,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClD;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE,EAAE;AAAA,EAChE;AACF;AAKA,eAAsB,oBACpB,QACA,SACwB;AACxB,MAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,UAAU;AACvD,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,yBAAyB,EAAE;AAAA,EAC7E;AAEA,MAAI;AACF,UAAM,eAAe;AAAA,MACnB,QAAQ,OAAO;AAAA,MACf,QAAS,OAAO,UAAU;AAAA,MAC1B,YAAY,OAAO;AAAA,MACnB,QAAQ,OAAO;AAAA,MACf,gBAAgB,OAAO;AAAA,IACzB;AAGA,UAAM,SAA0B,OAAO,WAAW,OAAO,OAAO,YAAY,WACxE,EAAE,MAAM,QAAQ,QAAQ,OAAO,QAAQ,IACvC,EAAE,MAAM,QAAQ;AAEpB,UAAM,UAAU,MAAM,QAAQ;AAAA,MAC5B;AAAA,MACA,EAAE,MAAM,uBAAuB,aAAa;AAAA,IAC9C;AAEA,WAAO;AAAA,MACL,QAAQ,QAAQ,KAAK,MAAM;AAAA,MAC3B,MAAM;AAAA,QACJ,IAAI,QAAQ;AAAA,QACZ,aAAa,QAAQ;AAAA,QACrB,GAAI,QAAQ,QAAQ,EAAE,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClD;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE,EAAE;AAAA,EAChE;AACF;AAKA,eAAsB,sBACpB,QACA,SACwB;AACxB,QAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,wBAAwB,EAAE;AAAA,EAC5E;AAEA,QAAM,UAAU,OAAO;AACvB,MAAI,CAAC,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AACjD,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,mDAAmD,EAAE;AAAA,EACvG;AAEA,aAAW,OAAO,SAAS;AACzB,QAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,aAAa,CAAC,IAAI,OAAO;AACnE,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,gDAAgD,EAAE;AAAA,IACpG;AAAA,EACF;AAEA,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ,oBAAoB;AAAA,MACpD;AAAA,MACA,aAAa,OAAO;AAAA,MACpB;AAAA,MACA,cAAc,OAAO;AAAA,MACrB,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,MAAM,YAAY,EAAE;AAAA,EACxD,SAAS,KAAK;AACZ,WAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE,EAAE;AAAA,EAChE;AACF;AAKO,SAAS,oBAAoB,SAAuC;AACzE,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ,YAAY;AAAA,MAC9B,UAAU,QAAQ;AAAA,IACpB;AAAA,EACF;AACF;AAKO,SAAS,qBAAqB,SAAuC;AAC1E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,SAAS,QAAQ,YAAY;AAAA,MAC7B,SAAS,QAAQ,oBACb,EAAE,MAAM,QAAQ,QAAQ,QAAQ,kBAAkB,IAClD,EAAE,MAAM,QAAQ;AAAA,IACtB;AAAA,EACF;AACF;AAKO,SAAS,mBACd,SACe;AACf,QAAM,QAAQ,QAAQ;AACtB,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM,EAAE,IAAI,OAAO,OAAO,oBAAoB;AAAA,IAChD;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,MAAM,QAAQ;AAAA,MACd,WAAW;AAAA,MACX,kBAAkB,QAAQ;AAAA,IAC5B;AAAA,EACF;AACF;AAQO,SAAS,uBACd,WACA,MACA,eACe;AACf,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,YAAY;AAAA,QACV,CAAC,cAAc,SAAS,EAAE,GAAG;AAAA,UAC3B,KAAK,oBAAoB,IAAI;AAAA,QAC/B;AAAA,MACF;AAAA,MACA,OAAO;AAAA,QACL,OAAO;AAAA,QACP,cAAc;AAAA,QACd,WAAW;AAAA,QACX,MAAM;AAAA,QACN,cAAc;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACF;AA1QA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwBA,eAAsB,oBAAoB,MAA8C;AACtF,MAAI,iBAAiB,MAAM;AACzB,QAAI;AAEF,YAAMC,OAAM,MAAM,OAAO,kDAAkD;AAC3E,qBAAeA,KAAI,uBAAuBA,KAAI,SAAS,uBAAuB;AAAA,IAChF,QAAQ;AACN,qBAAe;AAAA,IACjB;AAAA,EACF;AACA,MAAI,OAAO,iBAAiB,YAAY;AACtC,QAAI;AACF,YAAM,aAAa,IAAI;AACvB,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAaA,eAAsB,aAAa,UAAmD;AACpF,MAAI,kBAAkB,MAAM;AAC1B,QAAI;AAEF,YAAMA,OAAM,MAAM,OAAO,gDAAgD;AACzE,sBAAgBA,KAAI,gBAAgBA,KAAI,SAAS,gBAAgB;AAAA,IACnE,QAAQ;AACN,sBAAgB;AAAA,IAClB;AAAA,EACF;AACA,MAAI,OAAO,kBAAkB,YAAY;AACvC,QAAI;AACF,aAAO,cAAc,QAAQ;AAAA,IAC/B,QAAQ;AACN,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AAAA,EACF;AACA,SAAO,MAAM;AAAA,EAAC;AAChB;AAaA,eAAsB,0BAA0B,UAAmD;AACjG,MAAI,kBAAkB,MAAM;AAC1B,QAAI;AAEF,YAAMA,OAAM,MAAM,OAAO,wDAAwD;AACjF,sBAAgBA,KAAI,6BAA6BA,KAAI,SAAS,6BAA6B;AAAA,IAC7F,QAAQ;AACN,sBAAgB;AAAA,IAClB;AAAA,EACF;AACA,MAAI,OAAO,kBAAkB,YAAY;AACvC,QAAI;AACF,aAAO,cAAc,QAAQ;AAAA,IAC/B,QAAQ;AACN,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AAAA,EACF;AACA,SAAO,MAAM;AAAA,EAAC;AAChB;AAzGA,IAiBI,cAiCA,eA+BA;AAjFJ;AAAA;AAAA;AAiBA,IAAI,eAA+E;AAiCnF,IAAI,gBAA2E;AA+B/E,IAAI,gBAA2E;AAAA;AAAA;;;ACjF/E;AAAA;AAAA;AAAA;AAYA,SAAS,iBAAiB;AAC1B,SAAS,qCAAqC;AAb9C,IAuEa;AAvEb;AAAA;AAAA;AAuEO,IAAM,sBAAN,MAA0B;AAAA,MACvB;AAAA,MACA,SAAuC,oBAAI,IAAI;AAAA,MAC/C;AAAA,MACA,cAAc;AAAA,MAEtB,YAAY,MAAqB;AAC/B,aAAK,OAAO;AACZ,aAAK,SAAS,IAAI,UAAU;AAAA,UAC1B,MAAM,cAAc,KAAK,SAAS;AAAA,UAClC,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQA,cAAc,OAA8B;AAC1C,aAAK,OAAO,IAAI,MAAM,MAAM,KAAK;AAAA,MACnC;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,aAAmB;AACjB,YAAI,KAAK,YAAa;AAEtB,mBAAW,CAAC,MAAM,KAAK,KAAK,KAAK,QAAQ;AACvC,eAAK,qBAAqB,MAAM,KAAK;AAAA,QACvC;AAGA,aAAK,OAAO;AAAA,UACV;AAAA,UACA;AAAA,UACA,EAAE,aAAa,uCAAuC,UAAU,mBAAmB;AAAA,UACnF,YAAY;AACV,kBAAM,WAAW,MAAM,KAAK,KAAK,OAAO,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO;AAAA,cAC5D,MAAM,EAAE;AAAA,cACR,SAAS,EAAE;AAAA,cACX,aAAa,EAAE;AAAA,cACf,MAAM,EAAE;AAAA,cACR,KAAK,EAAE;AAAA,cACP,WAAW,CAAC,CAAC,EAAE;AAAA,cACf,iBAAiB,CAAC,CAAC,EAAE;AAAA,cACrB,mBAAmB,EAAE;AAAA,cACrB,cAAc,EAAE;AAAA,cAChB,eAAe,EAAE;AAAA,cACjB,eAAe,CAAC,EAAE,EAAE,gBAAgB,EAAE;AAAA,cACtC,iBAAiB,CAAC,CAAC,EAAE;AAAA,cACrB,kBAAkB,EAAE;AAAA,YACtB,EAAE;AACF,mBAAO;AAAA,cACL,UAAU,CAAC;AAAA,gBACT,KAAK;AAAA,gBACL,UAAU;AAAA,gBACV,MAAM,KAAK,UAAU,UAAU,MAAM,CAAC;AAAA,cACxC,CAAC;AAAA,YACH;AAAA,UACF;AAAA,QACF;AAGA,mBAAW,CAAC,MAAM,KAAK,KAAK,KAAK,QAAQ;AACvC,cAAI,MAAM,cAAc;AACtB,iBAAK,OAAO;AAAA,cACV;AAAA,cACA,MAAM,eAAe,oBAAoB,IAAI;AAAA,cAC7C,OAAO;AAAA,gBACL,UAAU,CAAC;AAAA,kBACT,MAAM;AAAA,kBACN,SAAS,EAAE,MAAM,QAAiB,MAAM,MAAM,aAAc;AAAA,gBAC9D,CAAC;AAAA,cACH;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAEA,aAAK,cAAc;AAAA,MACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAkBA,MAAM,cAAc,KAAsB,KAAoC;AAC5E,YAAI,CAAC,KAAK,aAAa;AACrB,eAAK,WAAW;AAAA,QAClB;AAGA,cAAM,SAAS,IAAI,QAAQ;AAC3B,cAAM,UAAU,WAAW,eAAe,WAAW,SAAS,WAAW;AAEzE,YAAI,CAAC,SAAS;AACZ,gBAAM,aAAa,IAAI,QAAQ;AAC/B,cAAI,CAAC,YAAY,WAAW,SAAS,GAAG;AACtC,gBAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC;AACzD,gBAAI,IAAI,KAAK,UAAU,EAAE,OAAO,0CAA0C,CAAC,CAAC;AAC5E;AAAA,UACF;AAEA,gBAAM,QAAQ,WAAW,MAAM,CAAC;AAChC,gBAAM,QAAQ,MAAM,KAAK,YAAY,KAAK;AAC1C,cAAI,CAAC,OAAO;AACV,gBAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC;AACzD,gBAAI,IAAI,KAAK,UAAU,EAAE,OAAO,+BAA+B,CAAC,CAAC;AACjE;AAAA,UACF;AAAA,QACF;AAGA,cAAM,YAAY,IAAI,8BAA8B;AAAA,UAClD,oBAAoB;AAAA;AAAA,QACtB,CAAC;AAED,cAAM,KAAK,OAAO,QAAQ,SAAS;AAEnC,YAAI;AACF,gBAAM,UAAU,cAAc,KAAK,GAAG;AAAA,QACxC,UAAE;AAGA,gBAAM,UAAU,MAAM;AAAA,QACxB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYQ,qBAAqB,MAAc,OAA8B;AACvE,cAAM,cAAc,MAAM,eAAe,qBAAqB,IAAI;AAElE,aAAK,OAAO;AAAA,UACV;AAAA,UACA;AAAA,UACA,OAAO,SAAkC;AACvC,gBAAI,CAAC,KAAK,KAAK,UAAU;AACvB,qBAAO;AAAA,gBACL,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,UAAU,IAAI,sCAAsC,CAAC;AAAA,cAChG;AAAA,YACF;AACA,gBAAI;AACF,oBAAM,SAAS,MAAM,KAAK,KAAK,SAAS,MAAM,MAAM,KAAK;AACzD,oBAAM,OAAO,OAAO,WAAW,WAAW,SAAS,KAAK,UAAU,QAAQ,MAAM,CAAC;AACjF,qBAAO;AAAA,gBACL,SAAS,CAAC,EAAE,MAAM,QAAiB,KAAK,CAAC;AAAA,cAC3C;AAAA,YACF,SAAS,KAAc;AACrB,oBAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,qBAAO;AAAA,gBACL,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,yBAAyB,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,gBACvF,SAAS;AAAA,cACX;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,YAAY,OAAiC;AACzD,YAAI;AACF,gBAAM,MAAM,GAAG,KAAK,KAAK,MAAM;AAC/B,gBAAM,UAAkC;AAAA,YACtC,gBAAgB;AAAA,UAClB;AACA,cAAI,KAAK,KAAK,QAAQ;AACpB,oBAAQ,eAAe,IAAI,UAAU,KAAK,KAAK,MAAM;AAAA,UACvD;AACA,gBAAM,OAAO,MAAM,MAAM,KAAK;AAAA,YAC5B,QAAQ;AAAA,YACR;AAAA,YACA,MAAM,KAAK,UAAU,EAAE,MAAM,CAAC;AAAA,UAChC,CAAC;AACD,cAAI,CAAC,KAAK,GAAI,QAAO;AACrB,gBAAM,OAAQ,MAAM,KAAK,KAAK;AAC9B,iBAAO,KAAK,WAAW;AAAA,QACzB,QAAQ;AACN,iBAAO;AAAA,QACT;AAAA,MACF;AAAA;AAAA,MAIA,IAAI,aAAqB;AACvB,eAAO,KAAK,OAAO;AAAA,MACrB;AAAA,MAEA,IAAI,gBAAyB;AAC3B,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;AC/RA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0BA,SAAS,cAAc,YAAY,mBAAmB;AACtD,SAAS,SAAS,YAAY;AAgDvB,SAAS,aAAa,SAAyC;AACpE,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAGhC,MAAI,MAAM,CAAC,GAAG,KAAK,MAAM,MAAO,QAAO;AAEvC,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,QAAI,MAAM,CAAC,GAAG,KAAK,MAAM,OAAO;AAC9B,eAAS;AACT;AAAA,IACF;AAAA,EACF;AAEA,MAAI,WAAW,GAAI,QAAO;AAG1B,QAAM,mBAAmB,MAAM,MAAM,GAAG,MAAM;AAC9C,QAAM,cAAc,gBAAgB,iBAAiB,KAAK,IAAI,CAAC;AAE/D,MAAI,CAAC,YAAY,KAAM,QAAO;AAG9B,QAAM,mBAAmB,MAAM,MAAM,SAAS,CAAC;AAC/C,QAAM,eAAe,iBAAiB,KAAK,IAAI,EAAE,KAAK;AAEtD,QAAM,QAAyB;AAAA,IAC7B,MAAM,YAAY;AAAA,IAClB,SAAS,YAAY;AAAA,IACrB,aAAa,YAAY;AAAA,IACzB,MAAM,YAAY;AAAA,IAClB,aAAa,YAAY;AAAA,IACzB,eAAe,YAAY;AAAA,IAC3B,cAAc,gBAAgB;AAAA,EAChC;AAGA,MAAI,YAAY,YAAY;AAC1B,UAAM,KAAK,YAAY;AACvB,QAAI,GAAG,cAAe,OAAM,oBAAoB,GAAG;AACnD,QAAI,GAAG,SAAS,aAAc,OAAM,eAAe,GAAG,QAAQ;AAC9D,QAAI,GAAG,SAAS,UAAW,OAAM,cAAc,GAAG,QAAQ;AAC1D,QAAI,GAAG,SAAS,cAAe,OAAM,eAAe,GAAG,QAAQ;AAC/D,QAAI,GAAG,OAAO,QAAS,OAAM,eAAe,GAAG,MAAM;AACrD,QAAI,GAAG,OAAO,QAAS,OAAM,gBAAgB,GAAG,MAAM;AACtD,QAAI,GAAG,OAAO,QAAS,OAAM,eAAe,GAAG,MAAM;AACrD,QAAI,GAAG,UAAW,OAAM,YAAY,GAAG;AACvC,QAAI,GAAG,iBAAkB,OAAM,mBAAmB,GAAG;AAAA,EACvD;AAEA,SAAO;AACT;AAOA,SAAS,gBAAgB,MAAuC;AAC9D,QAAM,SAAkC,CAAC;AACzC,QAAM,QAAQ,KAAK,MAAM,IAAI;AAG7B,QAAM,QAA8E,CAAC;AACrF,MAAI,aAAa;AAEjB,WAAS,WAAW,KAAsB;AACxC,UAAM,QAAQ,IAAI,QAAQ,gBAAgB,EAAE;AAC5C,UAAM,MAAM,OAAO,KAAK;AACxB,QAAI,CAAC,MAAM,GAAG,KAAK,UAAU,GAAI,QAAO;AACxC,QAAI,UAAU,OAAQ,QAAO;AAC7B,QAAI,UAAU,QAAS,QAAO;AAC9B,WAAO;AAAA,EACT;AAEA,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG,EAAG;AAEzC,UAAM,SAAS,KAAK,SAAS,KAAK,UAAU,EAAE;AAG9C,WAAO,MAAM,SAAS,KAAK,UAAU,MAAM,MAAM,SAAS,CAAC,EAAG,QAAQ;AACpE,YAAM,SAAS,MAAM,IAAI;AACzB,mBAAa,MAAM,SAAS,IAAI,MAAM,MAAM,SAAS,CAAC,EAAG,MAAM;AAE/D,iBAAW,OAAO,GAAG,IAAI,OAAO;AAAA,IAClC;AAGA,UAAM,mBAAmB,QAAQ,MAAM,8BAA8B;AACrE,QAAI,kBAAkB;AACpB,YAAM,MAAM,iBAAiB,CAAC;AAC9B,YAAM,SAAS,iBAAiB,CAAC,EAC9B,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,gBAAgB,EAAE,CAAC;AAClD,UAAI,MAAM,SAAS,GAAG;AACpB,cAAM,MAAM,SAAS,CAAC,EAAG,IAAI,GAAG,IAAI;AAAA,MACtC,OAAO;AACL,mBAAW,GAAG,IAAI;AAAA,MACpB;AACA;AAAA,IACF;AAGA,UAAM,UAAU,QAAQ,MAAM,0BAA0B;AACxD,QAAI,SAAS;AACX,YAAM,MAAM,QAAQ,CAAC;AACrB,YAAM,MAAM,WAAW,QAAQ,CAAC,CAAE;AAClC,UAAI,MAAM,SAAS,GAAG;AACpB,cAAM,MAAM,SAAS,CAAC,EAAG,IAAI,GAAG,IAAI;AAAA,MACtC,OAAO;AACL,mBAAW,GAAG,IAAI;AAAA,MACpB;AACA;AAAA,IACF;AAGA,UAAM,cAAc,QAAQ,MAAM,mBAAmB;AACrD,QAAI,aAAa;AACf,YAAM,MAAM,YAAY,CAAC;AACzB,YAAM,SAAkC,CAAC;AACzC,YAAM,KAAK,EAAE,KAAK,KAAK,QAAQ,OAAO,CAAC;AACvC;AAAA,IACF;AAAA,EACF;AAGA,SAAO,MAAM,SAAS,GAAG;AACvB,UAAM,SAAS,MAAM,IAAI;AACzB,UAAMC,UAAS,MAAM,SAAS,IAAI,MAAM,MAAM,SAAS,CAAC,EAAG,MAAM;AACjE,IAAAA,QAAO,OAAO,GAAG,IAAI,OAAO;AAAA,EAC9B;AAEA,SAAO;AACT;AAUO,SAAS,wBAAwB,KAAgC;AACtE,QAAM,SAA4B,CAAC;AACnC,QAAM,SAAS,QAAQ,GAAG;AAE1B,MAAI,CAAC,WAAW,MAAM,EAAG,QAAO;AAEhC,QAAM,OAAO,oBAAI,IAAY;AAE7B,WAAS,QAAQ,UAAwB;AACvC,QAAI,KAAK,IAAI,QAAQ,EAAG;AACxB,SAAK,IAAI,QAAQ;AACjB,QAAI;AACF,YAAM,UAAU,aAAa,UAAU,OAAO;AAC9C,YAAM,QAAQ,aAAa,OAAO;AAClC,UAAI,MAAO,QAAO,KAAK,KAAK;AAAA,IAC9B,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,MAAI;AACF,UAAM,UAAU,YAAY,QAAQ,EAAE,eAAe,KAAK,CAAC;AAC3D,eAAW,SAAS,SAAS;AAC3B,UAAI,MAAM,OAAO,KAAK,MAAM,KAAK,SAAS,UAAU,GAAG;AAErD,gBAAQ,KAAK,QAAQ,MAAM,IAAI,CAAC;AAAA,MAClC,WAAW,MAAM,YAAY,GAAG;AAE9B,cAAM,WAAW,KAAK,QAAQ,MAAM,MAAM,UAAU;AACpD,YAAI,WAAW,QAAQ,GAAG;AACxB,kBAAQ,QAAQ;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO;AACT;AAKA,eAAsB,kBACpB,QACA,QACA,OAC4B;AAC5B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,0BAA0B,KAAK,WAAW;AAAA,MACzE,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,IAC/C,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO,CAAC;AAErB,UAAM,OAAQ,MAAM,IAAI,KAAK;AAY7B,WAAO,KAAK,IAAI,CAAC,SAAS;AAAA,MACxB,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,aAAa,IAAI;AAAA,MACjB,aAAa,IAAI;AAAA,MACjB,eAAe,IAAI;AAAA,MACnB,MAAM,IAAI;AAAA,MACV,cAAc,IAAI;AAAA,IACpB,EAAE;AAAA,EACJ,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAKO,SAAS,YACd,OACA,QACe;AACf,QAAM,SAAS,oBAAI,IAA6B;AAGhD,aAAW,SAAS,QAAQ;AAC1B,WAAO,IAAI,MAAM,MAAM,KAAK;AAAA,EAC9B;AAGA,aAAW,SAAS,OAAO;AACzB,WAAO,IAAI,MAAM,MAAM,KAAK;AAAA,EAC9B;AAEA,QAAM,SACJ,MAAM,SAAS,KAAK,OAAO,SAAS,IAChC,WACA,MAAM,SAAS,IACb,UACA;AAER,SAAO;AAAA,IACL,QAAQ,MAAM,KAAK,OAAO,OAAO,CAAC;AAAA,IAClC;AAAA,EACF;AACF;AA3UA;AAAA;AAAA;AAAA;AAAA;;;ACAA;;;;;;;ACOA,SACE,wBACA,yBACK;AAVP;;;AAWA;;;;;ACXA,SAAS,qBAAAC,0BAAyB;AAAlC;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,kBAAkB;AAA9C;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,yBAAyB,OAAO,SAAS,cAAAC,aAAY,UAAU,cAAc;AAAzG,IAIM,gBACA,cACA;AANN;;;AAIA,IAAM,iBAAiB,IAAI,WAAW,CAAC,CAAI,CAAC;AAC5C,IAAM,eAAe,IAAI,WAAW,CAAC,CAAI,CAAC;AAC1C,IAAM,kBAAkB,IAAI,WAAW,CAAC,CAAI,CAAC;;;;;ACN7C,SAAS,qBAAAC,oBAAmB,SAAAC,cAAa;AAAzC;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,cAAAC,mBAAkB;AAA9C;;;;;;;ACAA;;;;;;;ACAA,SAAS,qBAAAC,oBAAmB,cAAAC,mBAAkB;AAA9C;;;;;;;ACYA,SAAS,qBAAAC,0BAAyB;AAZlC;;;AAcA;;;;;ACdA,SAAS,SAAAC,QAAO,WAAAC,UAAS,YAAY,UAAU,cAAAC,aAAY,YAAY,qBAAqB;AAStF,SAAU,WAAW,OAAiB;AAC1C,SAAOF,OAAM,KAAK;AACpB;AAMM,SAAU,cAAc,OAAiB;AAC7C,SAAO,SAAS,KAAK;AACvB;AAnBA;;;;;;;ACAA;;;;;;;ACAA;;;AAiBA;;;;;ACRA,SAAS,qBAAAG,oBAAmB,2BAAAC,0BAAyB,cAAAC,aAAY,YAAYC,sBAAqB;AAuFlG,eAAsB,gBACpB,MACA,MAAgB;AAEhB,QAAM,WAAWH,mBAAiB;AAClC,QAAM,YAAYE,YAAW,IAAI;AACjC,SAAO,SAAS,aAAa,WAAW,MAAM,SAAS;AACzD;AAQA,eAAsB,cACpB,QACA,MAAY;AAEZ,QAAM,WAAWF,mBAAiB;AAClC,QAAM,OAAO,SAAS,YAAY,UAAU;AAC5C,QAAM,MAAM,MAAM,gBAAgB,MAAM,IAAI;AAC5C,SAAO,qBAAqB,QAAQ,KAAK,IAAI;AAC/C;AAOA,eAAsB,qBACpB,QACA,KACA,MAAgB;AAEhB,QAAM,WAAWA,mBAAiB;AAClC,QAAM,SAASC,yBAAuB;AACtC,QAAM,YAAYC,YAAW,KAAK,UAAU,MAAM,CAAC;AACnD,QAAM,EAAE,YAAY,MAAK,IAAK,MAAM,SAAS,iBAAiB,KAAK,SAAS;AAG5E,QAAM,SAAS,IAAI,WAAW,aAAa,MAAM,SAAS,WAAW,MAAM;AAC3E,SAAO,IAAI,MAAM,CAAC;AAClB,SAAO,IAAI,OAAO,UAAU;AAC5B,SAAO,IAAI,YAAY,aAAa,MAAM,MAAM;AAChD,SAAO;AACT;AAqDA,eAAsB,eAAe,MAAY;AAC/C,QAAM,WAAWF,mBAAiB;AAClC,SAAO,SAAS,KAAKE,YAAW,IAAI,CAAC;AACvC;AAtMA,IAcM,YACA,WAEA;AAjBN;;;AAcA,IAAM,aAAa;AACnB,IAAM,YAAY;AAElB,IAAM,kBAAkB,MAAM;;;;;ACC9B,SAAS,qBAAAE,qBAAmB,SAAAC,QAAO,WAAAC,gBAAe;AAlBlD;;;AAmBA;;;;;ACdM,SAAU,OAAU,KAAqB;AAC7C,SAAO,CAAC,MAAQ;AACd,UAAM,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC;AAC1B,UAAM,MAAM,IAAI,YAAY,GAAG;AAC/B,UAAM,GAAG,GAAG;AACZ,WAAO,IAAI,WAAW,GAAG;EAC3B;AACF;AAEM,SAAU,uBAA6B,KAAuB,GAAwB;AAC1F,SAAO,CAAC,MAAS,IAAI,EAAE,CAAC,CAAC;AAC3B;AAEM,SAAU,wBACd,UACA,SAAwB;AAExB,SAAO,CAAC,UAAY;AAClB,UAAM,SAAS,QAAQ,KAAK;AAC5B,QAAI,cAAc;AAClB,QAAI,aAAa,CAAC,SAAiB,YAAwB;IAAE;AAC7D,aAAS,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;AACxC,YAAM,CAAC,KAAK,KAAK,IAAI,SAAS,CAAC,EAAG,OAAO,CAAC,CAAC;AAC3C,YAAM,UAAU;AAChB,YAAM,aAAa;AACnB,mBAAa,CAAC,QAAgB,WAAuB;AACnD,gBAAQ,QAAQ,MAAM;AACtB,cAAM,SAAS,YAAY,MAAM;MACnC;AACA,qBAAe;IACjB;AACA,WAAO,CAAC,aAAa,UAAU;EACjC;AACF;AAjCA,IAyCa;AAzCb;;AAyCO,IAAM,UAAmE,CAAC,GAAG,MAAK;IAAE,CAAC;;;;;AC7C5F,IAEa,cAQA,aAEA,aAKA,eAQA,cAEA,cASA,eAQA,cAEA,cASA,eAQA,cAEA;AAjEb;;;AAEO,IAAM,eAAsC,CAAC,MAAM;MACxD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAQ,CAAC;MACzB;;AAGK,IAAM,cAA+B,OAAO,YAAY;AAExD,IAAM,cAA+B,CAAC,GAAG,WAAU;AACxD,YAAM,QAAQ,EAAE,GAAG,MAAM;AACzB,aAAO,UAAU,SAAY,CAAC,OAAO,CAAC,IAAI;IAC5C;AAEO,IAAM,gBAAuC,CAAC,MAAM;MACzD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,UAAU,QAAQ,CAAC;MAC1B;;AAGK,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,CAAC,GAAG,WAAU;AACzD,YAAM,OAAO,IAAI,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AAC9D,UAAI;AACF,eAAO,CAAC,KAAK,UAAU,MAAM,GAAG,CAAC;MACnC,SAAS,GAAG;AACV,eAAO;MACT;IACF;AAEO,IAAM,gBAAuC,CAAC,MAAM;MACzD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,UAAU,QAAQ,CAAC;MAC1B;;AAGK,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,CAAC,GAAG,WAAU;AACzD,YAAM,OAAO,IAAI,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AAC9D,UAAI;AACF,eAAO,CAAC,KAAK,UAAU,MAAM,GAAG,CAAC;MACnC,SAAS,GAAG;AACV,eAAO;MACT;IACF;AAEO,IAAM,gBAAuC,CAAC,MAAM;MACzD;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,aAAa,QAAQ,CAAC;MAC7B;;AAGK,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,CAAC,GAAG,WAAU;AACzD,YAAM,OAAO,IAAI,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AAC9D,UAAI;AACF,eAAO,CAAC,KAAK,aAAa,MAAM,GAAG,CAAC;MACtC,SAAS,GAAG;AACV,eAAO;MACT;IACF;;;;;ACtEM,SAAU,WAAiB,KAAiB,GAAc;AAC9D,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,IAAI,GAAG,MAAM;AACvB,QAAI,MAAM,QAAW;AACnB,YAAM,CAAC,GAAG,CAAC,IAAI;AACf,aAAO,CAAC,EAAE,CAAC,GAAG,CAAC;IACjB;EACF;AACF;AAEM,SAAU,kBACd,UACA,GAAgC;AAEhC,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,UAAU,YAAY,UAAU,CAAC,EAAE,GAAG,MAAM;AAClD,QAAI,YAAY;AAAW,aAAO;SAC7B;AACH,YAAM,CAAC,GAAG,GAAG,IAAI;AACjB,aAAO,MAAM,SAAY,CAAC,GAAG,GAAG,IAAI;IACtC;EACF;AACF;AAEM,SAAU,YACd,UACA,GAAoB;AAEpB,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,SAAS,SAAS,OAQtB,CAAC,KAAK,YAAW;AACf,UAAI,CAAC;AAAK,eAAO;AAEjB,YAAM,UAAU,QAAQ,GAAG,IAAI,MAAM;AACrC,UAAI,CAAC;AAAS,eAAO;AAErB,YAAM,CAAC,OAAO,MAAM,IAAI;AACxB,aAAO;QACL,QAAQ,CAAC,GAAG,IAAI,QAAQ,KAAK;QAC7B,QAAQ,IAAI,SAAS;QACrB,aAAa,IAAI,cAAc;;IAEnC,GACA,EAAE,QAAQ,CAAA,GAAI,QAAQ,aAAa,EAAC,CAAE;AAGxC,QAAI,CAAC;AAAQ;AACb,WAAO,CAAC,EAAE,GAAI,OAAO,MAAY,GAAG,OAAO,WAAW;EACxD;AACF;AAEM,SAAU,iBAAuB,KAAiB,GAA0B;AAChF,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,IAAI,GAAG,MAAM;AACvB,QAAI,MAAM,QAAW;AACnB,YAAM,CAAC,GAAG,CAAC,IAAI;AACf,YAAM,IAAI,EAAE,CAAC;AACb,aAAO,MAAM,SAAY,CAAC,GAAG,CAAC,IAAI;IACpC;EACF;AACF;AAEM,SAAU,eAAqB,KAAiB,GAAuB;AAC3E,SAAO,qBAAqB,KAAK,GAAG,CAAC,IAAI,MAAM,CAAC;AAClD;AAEM,SAAU,UAAgB,MAAkB,MAAgB;AAChE,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,KAAK,GAAG,MAAM;AACxB,WAAO,IAAI,IAAI,KAAK,GAAG,MAAM;EAC/B;AACF;AAEM,SAAU,qBACd,KACA,GACA,GAAoB;AAEpB,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,WAAW,IAAI,GAAG,MAAM;AAC9B,QAAI,aAAa,QAAW;AAC1B,YAAM,CAAC,GAAG,GAAG,IAAI;AACjB,YAAM,WAAW,EAAE,CAAC;AACpB,YAAM,WAAW,SAAS,GAAG,SAAS,GAAG;AACzC,UAAI,aAAa,QAAW;AAC1B,cAAM,CAAC,GAAG,IAAI,IAAI;AAClB,eAAO,CAAC,EAAE,GAAG,CAAC,GAAG,MAAM,IAAI;MAC7B;IACF;EACF;AACF;AAEM,SAAU,eAAkB,GAAI;AACpC,SAAO,MAAM,CAAC,GAAG,CAAC;AACpB;AAEM,SAAU,cAAW;AACzB,SAAO,MAAM;AACf;AAzGA;;;;;;ACHM,SAAU,gBAAkC,GAAoB;AACpE,SAAO,CAAC,MAAO,OAAO,OAAO,CAAC,EAAE,SAAS,CAAC,IAAK,WAAW,CAAC,EAAE,CAAC,IAAU;AAC1E;AAEM,SAAU,WAA6C,KAAM;AACjE,SAAO,OAAO,QAAQ,GAAG,EAAE,OACzB,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO;IACtB,GAAG;IACH,CAAC,KAAK,GAAG;MAEX,CAAA,CAAE;AAEN;AACM,SAAU,oBAAsC,KAAsB;AAC1E,SAAO,CAAC,MAAK;AACX,UAAM,UAAU,gBAAgB,GAAG,EAAE,CAAC;AACtC,QAAI,YAAY;AAAW,aAAO,EAAE,SAAQ;;AACvC,aAAO;EACd;AACF;AAEM,SAAU,sBAAwC,KAAsB;AAC5E,SAAO,CAAC,MAAK;AACX,UAAM,IAAI,IAAI,CAAC;AACf,QAAI,MAAM;AAAW,aAAO,OAAO,CAAC;;AAC/B,aAAO;EACd;AACF;AA3BA;;;;;;ACAA,IAMa,sBAcA,4BAKA,2BAEA;AA3Bb;;;AACA;AACA;AACA;AAGO,IAAM,uBAAuB;MAClC,KAAK;MACL,QAAQ;MACR,QAAQ;MACR,KAAK;MACL,QAAQ;MACR,eAAe;MACf,0BAA0B;;AAOrB,IAAM,6BAAqE,uBAChF,eACA,CAAC,MAAM,qBAAqB,CAAC,CAAC;AAGzB,IAAM,4BAA8D,OAAO,0BAA0B;AAErG,IAAM,4BAA8D,iBACzE,cACA,gBAAgB,oBAAoB,CAAC;;;;;AC7BvC,IAMa,uBAYA,6BAKA,4BAEA;AAzBb;;;AACA;AACA;AACA;AAGO,IAAM,wBAAwB;MACnC,gBAAgB;MAChB,cAAc;MACd,uBAAuB;MACvB,cAAc;MACd,kBAAkB;;AAOb,IAAM,8BAAuE,uBAClF,eACA,CAAC,MAAM,sBAAsB,CAAC,CAAC;AAG1B,IAAM,6BAAgE,OAAO,2BAA2B;AAExG,IAAM,6BAAgE,iBAC3E,cACA,gBAAgB,qBAAqB,CAAC;;;;;ACdxC;;;;;;ACbA,IAAa,UAcA,YAmCA;AAjDb;;AAAM,IAAO,WAAP,cAAwB,MAAK;MACjC,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AAUI,IAAO,aAAP,cAA0B,SAAQ;MACtC,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AA+BI,IAAO,gBAAP,cAA6B,SAAQ;MACzC,YAAY,SAAe;AACzB,cAAM,uFAAuF,OAAO,EAAE;AACtG,aAAK,OAAO;MACd;;;;;;AC9BI,SAAUC,eAAc,OAAiB;AAC7C,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;EAC7C,OAAO;AACL,QAAI,SAAS;AACb,UAAM,QAAQ,CAAC,MAAO,UAAU,OAAO,aAAa,CAAC,CAAE;AACvD,WAAO,WAAW,KAAK,MAAM;EAC/B;AACF;AAEM,SAAU,cAAc,QAAc;AAC1C,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO,WAAW,KAAK,OAAO,KAAK,QAAQ,QAAQ,CAAC;EACtD,OAAO;AACL,UAAM,SAAS,WAAW,KAAK,MAAM;AACrC,UAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,aAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,YAAM,CAAC,IAAI,OAAO,WAAW,CAAC;IAChC;AACA,WAAO;EACT;AACF;AA5CA;;;;;;ACmBM,SAAU,cAAc,KAAW;AACvC,MAAI,MAAM,IAAI;AACZ,WAAO;MACL;MACA,CAAC,QAAQ,WAAU;AAEjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAQ,MAAM,EAAU;MACxC;;EAEJ,WAAW,MAAM,OAAO;AACtB,WAAO;MACL;MACA,CAAC,QAAQ,WAAU;AAEjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAU,OAAO,IAAK,KAAc,EAAU;AAC5D,aAAK,SAAS,SAAS,GAAG,MAAM,GAAI;MACtC;;EAEJ,WAAW,MAAM,YAAY;AAC3B,WAAO;MACL;MACA,CAAC,QAAQ,WAAU;AAEjB,cAAM,OAAO,IAAI,SAAS,MAAM;AAChC,aAAK,SAAS,QAAU,OAAO,KAAM,KAAc,GAAU;AAC7D,aAAK,SAAS,SAAS,GAAI,OAAO,KAAM,GAAI;AAC5C,aAAK,SAAS,SAAS,GAAI,OAAO,IAAK,GAAI;AAC3C,aAAK,SAAS,SAAS,GAAG,MAAM,GAAI;MACtC;;EAEJ,OAAO;AACL,UAAM,IAAI,WAAW,8CAA8C;EACrE;AACF;AAEM,SAAU,gBAAgB,MAAkB,SAAiB,GAAC;AAClE,MAAI,UAAU,KAAK,QAAQ;AACzB,UAAM,IAAI,WAAW,sBAAsB;EAC7C;AAEA,QAAM,YAAY,KAAK,MAAM;AAC7B,QAAM,SAAS,aAAa;AAE5B,MAAI,WAAW,GAAG;AAChB,WAAO,EAAE,QAAQ,YAAY,IAAY,iBAAiB,EAAC;EAC7D,WAAW,WAAW,GAAG;AACvB,QAAI,SAAS,IAAI,KAAK;AAAQ,YAAM,IAAI,WAAW,0BAA0B;AAC7E,WAAO,EAAE,SAAU,YAAY,OAAe,IAAM,KAAK,SAAS,CAAC,GAAc,iBAAiB,EAAC;EACrG,WAAW,WAAW,GAAG;AACvB,QAAI,SAAS,IAAI,KAAK;AAAQ,YAAM,IAAI,WAAW,0BAA0B;AAC7E,WAAO;MACL,SACI,YAAY,OAAe,KAC3B,KAAK,SAAS,CAAC,KAAgB,KAC/B,KAAK,SAAS,CAAC,KAAgB,IAChC,KAAK,SAAS,CAAC;MAClB,iBAAiB;;EAErB,OAAO;AACL,UAAM,IAAI,WAAW,oDAAoD;EAC3E;AACF;AAkBM,SAAU,kBAAqB,KAAqB;AACxD,SAAO,CAAC,SAAQ;AACd,QAAI,cAAc;AAClB,QAAI,aAAa,CAAC,SAAiB,YAAwB;IAAE;AAC7D,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,YAAM,CAAC,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,CAAE;AACjC,YAAM,UAAU;AAChB,YAAM,aAAa;AACnB,mBAAa,CAAC,QAAgB,WAAuB;AACnD,gBAAQ,QAAQ,MAAM;AACtB,cAAM,SAAS,YAAY,MAAM;MACnC;AACA,qBAAe;IACjB;AACA,UAAM,CAAC,cAAc,WAAW,IAAI,cAAc,WAAW;AAC7D,WAAO;MACL,eAAe;MACf,CAAC,QAAQ,WAAU;AACjB,oBAAY,QAAQ,MAAM;AAC1B,mBAAW,SAAS,cAAc,MAAM;MAC1C;;EAEJ;AACF;AAEM,SAAU,iBAAoB,KAAe;AACjD,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,IAAI,iBAAiB,GAAG,MAAM;AACpC,QAAI,MAAM;AAAW;AAErB,UAAM,CAAC,YAAY,WAAW,IAAI;AAElC,QAAI,SAAS;AACb,UAAM,SAAc,CAAA;AAEpB,WAAO,SAAS,WAAW,QAAQ;AACjC,YAAM,OAAO,IAAI,YAAY,MAAM;AACnC,UAAI,SAAS;AAAW,eAAO;AAE/B,YAAM,CAAC,OAAO,GAAG,IAAI;AACrB,aAAO,KAAK,KAAK;AACjB,gBAAU;IACZ;AAEA,WAAO,CAAC,QAAQ,WAAW;EAC7B;AACF;AAEM,SAAU,oBAAuB,cAA8B;AACnE,QAAM,eAAe,wBACnB,CAAC,uBAAuB,mBAAmB,aAAa,GAAG,YAAY,GACvE,CAAC,CAAC,KAAK,KAAK,MAAmB,CAAC,KAAK,KAAK,CAAU;AAGtD,SAAO,wBAAwB,CAAC,kBAAkB,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,QAAQ,MAAM,CAAC,CAAU;AACjH;AAEM,SAAU,mBAAsB,aAAuB;AAC3D,SAAO,WACL,iBACE,YAAY,CAAC,WAAW,kBAAkBC,cAAa,GAAG,WAAW,GAAG,CAAC,KAAK,UAAU,CAAC,KAAK,KAAK,CAAU,CAAC,GAEhH,CAAC,YAAW;AACV,UAAM,SAA4B,CAAA;AAClC,eAAW,CAAC,KAAK,KAAK,KAAK,SAAS;AAClC,aAAO,GAAG,IAAI;IAChB;AACA,WAAO;EACT,CAAC;AAEL;AAEM,SAAU,oBACd,eACA,cAA8B;AAE9B,QAAM,eAAe,wBACnB,CAAC,eAAe,YAAY,GAC5B,CAAC,CAAC,KAAK,KAAK,MAAmB,CAAC,KAAK,KAAK,CAAU;AAGtD,SAAO,uBAAuB,kBAAkB,YAAY,GAAG,CAAC,WAC9D,OAAO,QAAQ,MAAM,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,OAAO,GAAG,GAAG,KAAK,CAAgB,CAAC;AAErF;AAEM,SAAU,mBACd,cACA,aAAuB;AAEvB,SAAO,WACL,iBAAiB,YAAY,CAAC,cAAc,WAAW,GAAG,CAAC,KAAK,UAAU,CAAC,KAAK,KAAK,CAAU,CAAC,GAChG,CAAC,YAAW;AACV,UAAM,SAA4B,CAAA;AAClC,eAAW,CAAC,KAAK,KAAK,KAAK,SAAS;AAClC,aAAO,GAAG,IAAI;IAChB;AACA,WAAO;EACT,CAAC;AAEL;AACM,SAAU,iBAAoB,cAA8B;AAChE,QAAM,eAAe,wBACnB,CAAC,eAAe,YAAY,GAC5B,CAAC,CAAC,KAAK,KAAK,MAAmB,CAAC,KAAK,KAAK,CAAU;AAGtD,SAAO,uBAAuB,kBAAkB,YAAY,GAAG,CAAC,QAAQ,MAAM,KAAK,IAAI,QAAO,CAAE,CAAC;AACnG;AAEM,SAAU,gBAAmB,aAAuB;AACxD,SAAO,WACL,iBAAiB,YAAY,CAAC,cAAc,WAAW,GAAG,CAAC,KAAK,UAAU,CAAC,KAAK,KAAK,CAAU,CAAC,GAChG,CAAC,YAAY,IAAI,IAAI,OAAO,CAAC;AAEjC;AAvNA,IAMa,mBA8EA;AApFb;;;AACA;AACA;AACA;AACA;AAEO,IAAM,oBAA+C,CAAC,SAAQ;AACnE,YAAM,CAAC,KAAK,KAAK,IAAI,cAAc,KAAK,MAAM;AAE9C,aAAO;QACL,MAAM,KAAK;QACX,CAAC,QAAQ,WAAU;AACjB,gBAAM,QAAQ,MAAM;AACpB,gBAAM,OAAO,IAAI,WAAW,MAAM;AAClC,eAAK,IAAI,MAAM,SAAS,GAAG;QAC7B;;IAEJ;AAmEO,IAAM,mBAAwC,CAAC,KAAK,WAAU;AACnE,UAAI,UAAU,IAAI,QAAQ;AACxB,cAAM,IAAI,WAAW,sBAAsB;MAC7C;AAEA,YAAM,EAAE,QAAQ,gBAAe,IAAK,gBAAgB,KAAK,MAAM;AAE/D,YAAM,aAAa,kBAAkB;AACrC,UAAI,SAAS,aAAa,IAAI,QAAQ;AACpC,cAAM,IAAI,WAAW,4BAA4B;MACnD;AAEA,YAAM,OAAO,IAAI,SAAS,SAAS,iBAAiB,SAAS,UAAU;AACvE,aAAO,CAAC,MAAM,UAAU;IAC1B;;;;;AClGA;;;;;;ACAA,IAea,sBAGA,qBAEA,qBAQA,kBAKA,iBAEA;AAnCb;;;AACA;AACA;AACA;AACA;AAMA;AAKO,IAAM,uBAAqD,CAAC,MACjE,OAAO,MAAM,WAAW,cAAc,CAAC,IAAI,4BAA4B,CAAC;AAEnE,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,UAAU,4BAA4B,YAAY;AAQtG,IAAM,mBAA6C,wBACxD,CAAC,sBAAsB,iBAAiB,GACxC,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,aAAa,CAAU;AAG7C,IAAM,kBAAsC,OAAO,gBAAgB;AAEnE,IAAM,kBAAsC,YACjD,CAAC,qBAAqB,gBAAgB,GACtC,CAAC,eAAe,mBAAmB,EAAE,eAAe,cAAa,EAAG;;;;;ACrCtE,IAMa,iBASA,uBAKA,sBAEA;AAtBb;;;AACA;AACA;AACA;AAGO,IAAM,kBAAkB;MAC7B,OAAO;MACP,MAAM;;AAOD,IAAM,wBAA2D,uBACtE,eACA,sBAAsB,eAAe,CAAC;AAGjC,IAAM,uBAAoD,OAAO,qBAAqB;AAEtF,IAAM,uBAAoD,iBAC/D,cACA,oBAAoB,eAAe,CAAC;;;;;ACxBtC,IA0Ba,wBAKA,uBAEA,uBAKA,sBAEA,yBAKA,wBAEA,mBAWA,kBAEP,uBAKA,sBAKO;AAtEb;;;AACA;AACA;AACA;AAuBO,IAAM,yBAAyD,wBACpE,CAAC,uBAAuB,iBAAiB,GACzC,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,QAAQ,CAAU;AAGzC,IAAM,wBAAkD,OAAO,sBAAsB;AAErF,IAAM,wBAAuD,wBAClE,CAAC,uBAAuB,kBAAkB,iBAAiB,CAAC,GAC5D,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,YAAY,CAAU;AAG7C,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,0BAA2D,wBACtE,CAAC,uBAAuB,iBAAiB,GACzC,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,IAAI,CAAU;AAGrC,IAAM,yBAAoD,OAAO,uBAAuB;AAExF,IAAM,oBAA+C,CAAC,MAAK;AAChE,cAAQ,EAAE,gBAAgB;QACxB,KAAK;AACH,iBAAO,uBAAuB,CAAC;QACjC,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC;AACE,iBAAO,wBAAwB,CAAqB;MACxD;IACF;AAEO,IAAM,mBAAwC,OAAO,iBAAiB;AAE7E,IAAM,wBAAkD,WAAW,kBAAkB,CAAC,cAAc;MAClG,gBAAgB;MAChB;MACA;AAEF,IAAM,uBAAgD,WACpD,iBAAiB,gBAAgB,GACjC,CAAC,kBAAkB,EAAE,gBAAgB,QAAQ,aAAY,EAAG;AAGvD,IAAM,mBAAwC,eACnD,sBACA,CAAC,mBAAuC;AACtC,cAAQ,gBAAgB;QACtB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;;;;;AC/EH,IAWa,uBAMA,sBAGA;AApBb;;;AACA;AACA;AACA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,iBAAiB,GACrC,CAAC,MAAM,CAAC,EAAE,oBAAoB,EAAE,UAAU,CAAU;AAI/C,IAAM,uBAAgD,OAAO,qBAAqB;AAGlF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,gBAAgB,GACnC,CAAC,oBAAoB,gBAAgB,EAAE,oBAAoB,WAAU,EAAG;;;;;ACtB1E;;;AACA;;;;;ACGM,SAAU,gBAAmB,SAAyB;AAC1D,SAAO,CAAC,MAAK;AACX,QAAI,GAAG;AACL,YAAM,CAAC,KAAK,KAAK,IAAI,QAAQ,CAAC;AAC9B,aAAO;QACL,MAAM;QACN,CAAC,QAAQ,WAAU;AACjB,gBAAM,OAAO,IAAI,SAAS,MAAM;AAChC,eAAK,SAAS,QAAQ,CAAG;AACzB,gBAAM,SAAS,GAAG,MAAM;QAC1B;;IAEJ,OAAO;AACL,aAAO;QACL;QACA,CAAC,QAAQ,WAAU;AACjB,gBAAM,OAAO,IAAI,SAAS,MAAM;AAChC,eAAK,SAAS,QAAQ,CAAG;QAC3B;;IAEJ;EACF;AACF;AAEM,SAAU,eAAkB,SAAmB;AACnD,SAAO,CAAC,GAAG,WAAU;AACnB,UAAM,gBAAgB,YAAY,GAAG,MAAM,IAAI,CAAC;AAChD,QAAI,iBAAiB,GAAG;AACtB,YAAM,SAAS,QAAQ,GAAG,SAAS,CAAC;AACpC,aAAO,WAAW,SAAY,SAAY,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IACrE,OAAO;AACL,aAAO,CAAC,QAAW,CAAC;IACtB;EACF;AACF;AAtCA;;;;;;;ACIA,IAiBa,cA0BA,oBAKA,mBAEA;AAlDb;;;AACA;AACA;AACA;AAcO,IAAM,eAAe;MAC1B,8CAA8C;MAC9C,yCAAyC;MACzC,qDAAqD;MACrD,0CAA0C;MAC1C,yCAAyC;MACzC,iDAAiD;MACjD,yCAAyC;MACzC,2CAA2C;MAC3C,kDAAkD;MAClD,2CAA2C;MAC3C,kDAAkD;MAClD,4CAA4C;MAC5C,mDAAmD;MACnD,wCAAwC;MACxC,+CAA+C;MAC/C,4CAA4C;MAC5C,mDAAmD;MACnD,wCAAwC;MACxC,+CAA+C;;AAO1C,IAAM,qBAAqD,uBAChE,eACA,sBAAsB,YAAY,CAAC;AAG9B,IAAM,oBAA8C,OAAO,kBAAkB;AAE7E,IAAM,oBAA8C,iBACzD,cACA,oBAAoB,YAAY,CAAC;;;;;ACxDnC;;;AACA;;;;;ACDA,IAMa,kBAQA,wBAKA,uBAEA;AArBb;;;AACA;AACA;AACA;AAGO,IAAM,mBAAmB;MAC9B,OAAO;;AAOF,IAAM,yBAA6D,uBACxE,eACA,CAAC,MAAM,iBAAiB,CAAC,CAAC;AAGrB,IAAM,wBAAsD,OAAO,sBAAsB;AAEzF,IAAM,wBAAsD,iBACjE,cACA,gBAAgB,gBAAgB,CAAC;;;;;ACvBnC,IAiBa,qBAWA,oBAEA;AA9Bb;;;AACA;AACA;AACA;AACA;AACA;AACA;AAWO,IAAM,sBAAmD,wBAC9D;MACE,kBAAkB,sBAAsB;MACxC,kBAAkB,kBAAkB;MACpC,kBAAkB,aAAa;MAC/B,kBAAkB,aAAa;MAC/B,kBAAkB,qBAAqB;OAEzC,CAAC,QAAQ,CAAC,IAAI,UAAU,IAAI,cAAc,IAAI,YAAY,IAAI,WAAW,IAAI,WAAW,CAAU;AAG7F,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD;MACE,iBAAiB,qBAAqB;MACtC,iBAAiB,iBAAiB;MAClC,iBAAiB,YAAY;MAC7B,iBAAiB,YAAY;MAC7B,iBAAiB,oBAAoB;OAEvC,CAAC,UAAUC,eAAc,YAAY,WAAW,iBAAiB;MAC/D;MACA,cAAAA;MACA;MACA;MACA;MACA;;;;;AC5CJ,IAKM,iBASO,uBAKA,sBAEA;AArBb;;;AACA;AACA;AACA;AAEA,IAAM,kBAAkB;MACtB,aAAa;MACb,QAAQ;MACR,QAAQ;;AAMH,IAAM,wBAA2D,uBACtE,cACA,CAAC,MAAM,gBAAgB,CAAC,CAAC;AAGpB,IAAM,uBAAoD,OAAO,qBAAqB;AAEtF,IAAM,uBAAoD,iBAC/D,aACA,gBAAgB,eAAe,CAAC;;;;;ACvBlC,IAUa,iBAKA,gBAEA;AAjBb;;;AACA;AACA;AAQO,IAAM,kBAA2C,wBACtD,CAAC,eAAe,aAAa,GAC7B,CAAC,OAAO,CAAC,GAAG,WAAW,GAAG,QAAQ,CAAU;AAGvC,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,iBAAoC,YAAY,CAAC,cAAc,YAAY,GAAG,CAAC,WAAW,cAAc;MACnH;MACA;MACA;;;;;ACpBF,IAmBa,qBAKA,oBAEA,oBAiCA,+BAKA,8BAEA,kCAKA,iCAEA,kCAKA,iCAIA,4BAWA,2BAEA,8BASA,iCAQA,iCASA,2BAyBA,2BAKA,0BAEA,2BAKA,0BAEA,qBAWA,oBAEA,0BASA,0BASA,oBAoBA,oBAKA,mBAKA,iBAKA,gBAEA,gBAYA,0BAOA,sBAOA;AA9Pb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAUO,IAAM,sBAAmD,wBAC9D,CAAC,mBAAmB,mBAAmB,mBAAmB,mBAAmB,GAC7E,CAAC,SAAS,CAAC,KAAK,eAAe,KAAK,oBAAoB,KAAK,YAAY,KAAK,YAAY,CAAU;AAG/F,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD,CAAC,kBAAkB,kBAAkB,kBAAkB,kBAAkB,GACzE,CAAC,eAAe,oBAAoB,YAAY,kBAAkB;MAChE;MACA;MACA;MACA;MACA;AA0BG,IAAM,gCAAuE,wBAClF,CAAC,uBAAuB,iBAAiB,kBAAkB,gBAAgB,CAAC,GAC5E,CAAC,SAAS,CAAC,eAAe,KAAK,UAAU,KAAK,UAAU,CAAU;AAG7D,IAAM,+BAAgE,OAAO,6BAA6B;AAE1G,IAAM,mCAA6E,wBACxF,CAAC,uBAAuB,kBAAkB,gBAAgB,CAAC,GAC3D,CAAC,MAAM,CAAC,EAAE,gBAAgB,EAAE,UAAU,CAAU;AAG3C,IAAM,kCAA+D,OAAO,gCAAgC;AAE5G,IAAM,mCAA6E,wBACxF,CAAC,uBAAuB,mBAAmB,kBAAkB,gBAAgB,CAAC,GAC9E,CAAC,SAAS,CAAC,KAAK,gBAAgB,KAAK,YAAY,KAAK,UAAU,CAAU;AAGrE,IAAM,kCAAsE,OACjF,gCAAgC;AAG3B,IAAM,6BAAiE,CAAC,SAAQ;AACrF,cAAQ,KAAK,gBAAgB;QAC3B,KAAK;AACH,iBAAO,8BAA8B,IAAI;QAC3C,KAAK;AACH,iBAAO,iCAAiC,IAAI;QAC9C,KAAK;AACH,iBAAO,iCAAiC,IAAI;MAChD;IACF;AAEO,IAAM,4BAA0D,OAAO,0BAA0B;AAEjG,IAAM,+BAAgE,YAC3E,CAAC,gBAAgB,iBAAiB,eAAe,CAAC,GAClD,CAAC,UAAU,gBAAgB;MACzB,gBAAgB;MAChB;MACA;MACA;AAGG,IAAM,kCAAsE,WACjF,iBAAiB,eAAe,GAChC,CAAC,gBAAgB;MACf,gBAAgB;MAChB;MACA;AAGG,IAAM,kCAAsE,YACjF,CAAC,kBAAkB,iBAAiB,eAAe,CAAC,GACpD,CAAC,YAAY,gBAAgB;MAC3B,gBAAgB;MAChB;MACA;MACA;AAGG,IAAM,4BAA0D,eACrE,sBACA,CAAC,mBAAgD;AAC/C,cAAQ,gBAAgB;QACtB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;AAcI,IAAM,4BAA+D,wBAC1E,CAAC,kCAAkC,mBAAmB,aAAa,GACnE,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,CAAU;AAGtC,IAAM,2BAAwD,OAAO,yBAAyB;AAE9F,IAAM,4BAA+D,wBAC1E,CAAC,kCAAkC,mBAAmB,aAAa,GACnE,CAAC,SAAS,CAAC,MAAM,KAAK,SAAS,KAAK,SAAS,CAAU;AAGlD,IAAM,2BAAwD,OAAO,yBAAyB;AAE9F,IAAM,sBAAmD,CAAC,SAAQ;AACvE,cAAQ,KAAK,gBAAgB;QAC3B,KAAK;AACH,iBAAO,8BAA8B,IAAI;QAC3C,KAAK;AACH,iBAAO,0BAA0B,IAAI;QACvC,KAAK;AACH,iBAAO,0BAA0B,IAAI;MACzC;IACF;AAEO,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,2BAAwD,YACnE,CAAC,iCAAiC,kBAAkB,YAAY,GAChE,CAAC,IAAI,SAAS,eAAe;MAC3B,GAAG;MACH;MACA;MACA;AAGG,IAAM,2BAAwD,YACnE,CAAC,iCAAiC,kBAAkB,YAAY,GAChE,CAAC,IAAI,SAAS,eAAe;MAC3B,GAAG;MACH;MACA;MACA;AAGG,IAAM,qBAA4C,eACvD,sBACA,CAAC,mBAAyC;AACxC,cAAQ,gBAAgB;QACtB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;AASI,IAAM,qBAAiD,wBAC5D,CAAC,qBAAqB,mBAAmB,GACzC,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAU;AAGvB,IAAM,oBAA0C,OAAO,kBAAkB;AAKzE,IAAM,kBAA2C,wBACtD,CAAC,qBAAqB,4BAA4B,iBAAiB,GACnE,CAAC,aAAa,CAAC,UAAU,UAAU,SAAS,SAAS,CAAU;AAG1D,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,iBAAoC,YAC/C,CAAC,oBAAoB,2BAA2B,gBAAgB,GAChE,CAAC,MAAM,MAAM,eAAe;MAC1B,GAAG;MACH,GAAG;MACH;MACA;AAMG,IAAM,2BAAwD,iBAAiB,gBAAgB,CAAC,OACrG,GAAG,mBAAmB,gBAAgB,KAAK,MAAS;AAM/C,IAAM,uBAAgD,iBAAiB,gBAAgB,CAAC,OAC7F,GAAG,mBAAmB,WAAW,KAAK,MAAS;AAM1C,IAAM,uBAAgD,iBAAiB,gBAAgB,CAAC,OAC7F,GAAG,mBAAmB,WAAW,KAAK,MAAS;;;;;AC/PjD,IA4Ba,sBAYA,qBAEA,qBAoBA,mBAKA,kBAEA;AArEb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAoBO,IAAM,uBAAqD,wBAChE,CAAC,wBAAwB,oBAAoB,mBAAmB,iBAAiB,kBAAkB,gBAAgB,CAAC,GACpH,CAAC,kBACC;MACE,cAAc;MACd,cAAc;MACd,cAAc;MACd,cAAc;MACd,cAAc;KACN;AAGP,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,YACzD;MACE;MACA;MACA;MACA;MACA,iBAAiB,eAAe;OAElC,CAAC,SAAS,aAAa,SAAS,UAAU,gBAAgB;MACxD;MACA;MACA;MACA;MACA;MACA;AAMG,IAAM,oBAA+C,wBAC1D,CAAC,sBAAsB,iBAAiB,GACxC,CAAC,eAAe,CAAC,YAAY,WAAW,SAAS,CAAU;AAGtD,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,qBAAqB,gBAAgB,GACtC,CAAC,eAAe,eAAe;MAC7B,GAAG;MACH;MACA;;;;;AC1EJ;;;AACA;AACA;;;;;ACFA,IASa,UAQA,gBAEA,eACA,eAGA,qBAUA,2BAKA,0BAEA,0BAoBP,uBAKA,yBAKA,yBAOO,gBASA,eAEA,eAqBA,cAKA,aAEA,aAWA,iBAKA,gBAEA;AAtIb;;;AACA;AACA;AACA;AAEA;AAEA;AAEO,IAAM,WAAW;MACtB,UAAU;MACV,YAAY;;AAMP,IAAM,iBAA6C,uBAAuB,cAAc,CAAC,MAAM,SAAS,CAAC,CAAC;AAE1G,IAAM,gBAAsC,OAAO,cAAc;AACjE,IAAM,gBAAsC,iBAAiB,aAAa,gBAAgB,QAAQ,CAAC;AAGnG,IAAM,sBAAsB;MACjC,aAAa;MACb,QAAQ;MACR,QAAQ;;AAOH,IAAM,4BAAmE,uBAC9E,cACA,CAAC,MAAM,oBAAoB,CAAC,CAAC;AAGxB,IAAM,2BAA4D,OAAO,yBAAyB;AAElG,IAAM,2BAA4D,iBACvE,aACA,gBAAgB,mBAAmB,CAAC;AAkBtC,IAAM,wBAAwD,wBAC5D,CAAC,gBAAgB,iBAAiB,GAClC,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,KAAK,CAAU;AAGtC,IAAM,0BAA4D,wBAChE,CAAC,gBAAgB,2BAA2B,mBAAmB,aAAa,GAC5E,CAAC,SAAS,CAAC,KAAK,SAAS,KAAK,OAAO,KAAK,YAAY,KAAK,QAAQ,CAAU;AAG/E,IAAM,0BAA0B,YAC9B,CAAC,0BAA0B,kBAAkB,YAAY,GACzD,CAAC,OAAO,YAAY,aAAY;AAC9B,aAAO,EAAE,OAAO,YAAY,SAAQ;IACtC,CAAC;AAGI,IAAM,iBAAyC,CAAC,SAAQ;AAC7D,cAAQ,KAAK,SAAS;QACpB,KAAK;AACH,iBAAO,sBAAsB,IAAI;QACnC,KAAK;AACH,iBAAO,wBAAwB,IAAI;MACvC;IACF;AAEO,IAAM,gBAAkC,OAAO,cAAc;AAE7D,IAAM,gBAAkC,eAAe,eAAe,CAAC,YAA6B;AACzG,cAAQ,SAAS;QACf,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAAC,WAAW;YAC9C;YACA;YACA;QACJ,KAAK;AACH,iBAAO,WAAW,yBAAyB,CAAC,gBAAgB;YAC1D;YACA,GAAG;YACH;MACN;IACF,CAAC;AAQM,IAAM,eAA8C,wBACzD,CAAC,gBAAgB,iBAAiB,GAClC,CAAC,UAAU,CAAC,OAAO,MAAM,QAAQ,CAAU;AAGtC,IAAM,cAAuC,OAAO,YAAY;AAEhE,IAAM,cAAuC,YAClD,CAAC,eAAe,gBAAgB,GAChC,CAAC,MAAM,cAAc,EAAE,GAAG,MAAM,SAAQ,EAAG;AAStC,IAAM,kBAA2C,wBACtD,CAAC,cAAc,eAAe,aAAa,GAC3C,CAAC,UAAU,CAAC,MAAM,IAAI,MAAM,OAAO,MAAM,KAAK,CAAU;AAGnD,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,iBAAoC,YAC/C,CAAC,aAAa,cAAc,YAAY,GACxC,CAAC,IAAI,OAAO,WAAW,EAAE,IAAI,OAAO,MAAK,EAAG;;;;;ACwIxC,SAAU,qBAAqB,cAAoB;AACvD,SAAO,WAAW,kBAAkB,CAAC,kBAAkB,EAAE,cAAc,aAAY,EAAG;AACxF;AAlRA,IAiBa,YAEA,WACA,WAOA,eAEA,cACA,cAOA,eAEA,cACA,cAOA,YAEA,WACA,WAUA,eAKA,cAEA,cAUA,qBAKA,oBACA,oBAOA,+BAKA,8BAEA,8BAgEA,oBAKA,mBAEA,uBAKA,sBAEA,uBAKA,sBAEA,oBAKA,mBAEA,uBAKA,sBAEA,6BAKA,4BAEA,uCAMA,sCAIA,uBAKA,sBAEA,iBAqBA,gBAEA,mBAEA,sBAKA,sBAKA,mBAEA,sBAKA,4BAKA,sCASA;AApRb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOO,IAAM,aAAiC,uBAAuB,mBAAmB,CAAC,MAAM,EAAE,UAAU;AAEpG,IAAM,YAA0B,OAAO,UAAU;AACjD,IAAM,YAA0B,WAAW,kBAAkB,CAAC,gBAAgB,EAAE,WAAU,EAAG;AAO7F,IAAM,gBAAuC,uBAAuB,iBAAiB,CAAC,MAAM,EAAE,QAAQ;AAEtG,IAAM,eAAgC,OAAO,aAAa;AAC1D,IAAM,eAAgC,WAAW,sBAAsB,CAAC,cAAc,EAAE,SAAQ,EAAG;AAOnG,IAAM,gBAAuC,uBAAuB,eAAe,CAAC,MAAM,EAAE,OAAO;AAEnG,IAAM,eAAgC,OAAO,aAAa;AAC1D,IAAM,eAAgC,WAAW,cAAc,CAAC,aAAa,EAAE,QAAO,EAAG;AAOzF,IAAM,aAAiC,uBAAuB,cAAc,CAAC,MAAM,EAAE,cAAc;AAEnG,IAAM,YAA0B,OAAO,UAAU;AACjD,IAAM,YAA0B,WAAW,aAAa,CAAC,oBAAoB,EAAE,eAAc,EAAG;AAUhG,IAAM,gBAAuC,wBAClD,CAAC,mBAAmB,wBAAwB,oBAAoB,kBAAkB,gBAAgB,CAAC,GACnG,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,CAAU;AAG9D,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,YAC3C,CAAC,kBAAkB,uBAAuB,mBAAmB,iBAAiB,eAAe,CAAC,GAC9F,CAAC,SAAS,SAAS,aAAa,gBAAgB,EAAE,SAAS,SAAS,aAAa,WAAU,EAAG;AAQzF,IAAM,sBAAmD,uBAC9D,mBACA,CAAC,MAAM,EAAE,SAAS;AAGb,IAAM,qBAA4C,OAAO,mBAAmB;AAC5E,IAAM,qBAA4C,WAAW,kBAAkB,CAAC,eAAe,EAAE,UAAS,EAAG;AAO7G,IAAM,gCAAuE,uBAClF,kBAAkB,gBAAgB,GAClC,CAAC,MAAM,EAAE,UAAU;AAGd,IAAM,+BAAgE,OAAO,6BAA6B;AAE1G,IAAM,+BAAgE,WAC3E,iBAAiB,eAAe,GAChC,CAAC,gBAAgB,EAAE,WAAU,EAAG;AA8D3B,IAAM,qBAAiD,wBAC5D,CAAC,4BAA4B,UAAU,GACvC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,GAAG,CAAU;AAGlC,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,wBAAuD,wBAClE,CAAC,4BAA4B,aAAa,GAC1C,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,CAAU;AAGrC,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,wBAAuD,wBAClE,CAAC,4BAA4B,aAAa,GAC1C,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,CAAU;AAGrC,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,qBAAiD,wBAC5D,CAAC,4BAA4B,UAAU,GACvC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,GAAG,CAAU;AAGlC,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,wBAAuD,wBAClE,CAAC,4BAA4B,aAAa,GAC1C,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,MAAM,CAAU;AAGrC,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,8BAAmE,wBAC9E,CAAC,4BAA4B,mBAAmB,GAChD,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,YAAY,CAAU;AAG3C,IAAM,6BAA4D,OAAO,2BAA2B;AAEpG,IAAM,wCACX,wBACE,CAAC,4BAA4B,6BAA6B,GAC1D,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,sBAAsB,CAAU;AAGvD,IAAM,uCAAgF,OAC3F,qCAAqC;AAGhC,IAAM,wBAAuD,wBAClE,CAAC,eAAe,iBAAiB,GACjC,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,YAAY,CAAU;AAG3C,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,kBAA2C,CAAC,MAAK;AAC5D,cAAQ,EAAE,cAAc;QACtB,KAAK;AACH,iBAAO,mBAAmB,CAAC;QAC7B,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC,KAAK;AACH,iBAAO,mBAAmB,CAAC;QAC7B,KAAK;AACH,iBAAO,sBAAsB,CAAC;QAChC,KAAK;AACH,iBAAO,4BAA4B,CAAC;QACtC,KAAK;AACH,iBAAO,sCAAsC,CAAC;QAChD;AACE,iBAAO,sBAAsB,CAAC;MAClC;IACF;AAEO,IAAM,iBAAoC,OAAO,eAAe;AAEhE,IAAM,oBAA0C,WAAW,WAAW,CAACC,UAAS,EAAE,cAAc,OAAO,KAAAA,KAAG,EAAG;AAE7G,IAAM,uBAAgD,WAAW,cAAc,CAAC,YAAY;MACjG,cAAc;MACd;MACA;AAEK,IAAM,uBAAgD,WAAW,cAAc,CAAC,YAAY;MACjG,cAAc;MACd;MACA;AAEK,IAAM,oBAA0C,WAAW,WAAW,CAAC,SAAS,EAAE,cAAc,OAAO,IAAG,EAAG;AAE7G,IAAM,uBAAgD,WAAW,cAAc,CAAC,YAAY;MACjG,cAAc;MACd;MACA;AAEK,IAAM,6BAA4D,WACvE,oBACA,CAAC,kBAAkB,EAAE,cAAc,iBAAiB,aAAY,EAAG;AAG9D,IAAM,uCAAgF,WAC3F,8BACA,CAAC,4BAA4B,EAAE,cAAc,4BAA4B,uBAAsB,EAAG;AAO7F,IAAM,iBAAoC,UAC/C,eAAe,2BAA2B,CAAC,iBAAmC;AAC5E,cAAQ,cAAc;QACpB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC,GACD,eAAe,cAAc,CAAC,MAAM,qBAAqB,CAAC,CAAC,CAAC;;;;;ACvS9D,IAOM,oBAQO,0BAKA,yBAEA,yBAoBA,8BAKA,6BAEA,iCAKA,gCAEA,sBASA,qBAEA;AAnEb;;;AACA;AACA;AACA;AACA;AACA;AAEA,IAAM,qBAAqB;MACzB,UAAU;MACV,WAAW;;AAMN,IAAM,2BAAiE,uBAC5E,cACA,CAAC,MAAM,mBAAmB,CAAC,CAAC;AAGvB,IAAM,0BAA0D,OAAO,wBAAwB;AAE/F,IAAM,0BAA0D,iBACrE,aACA,gBAAgB,kBAAkB,CAAC;AAkB9B,IAAM,+BAAqE,wBAChF,CAAC,0BAA0B,eAAe,GAC1C,CAAC,MAAM,CAAC,EAAE,mBAAmB,EAAE,QAAQ,CAAU;AAG5C,IAAM,8BAA8D,OAAO,4BAA4B;AAEvG,IAAM,kCAA2E,wBACtF,CAAC,0BAA0B,iBAAiB,GAC5C,CAAC,MAAM,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAU;AAG7C,IAAM,iCAAoE,OAAO,+BAA+B;AAEhH,IAAM,uBAAqD,CAAC,UAAS;AAC1E,cAAQ,MAAM,mBAAmB;QAC/B,KAAK;AACH,iBAAO,6BAA6B,KAAK;QAC3C,KAAK;AACH,iBAAO,gCAAgC,KAAK;MAChD;IACF;AAEO,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,eACzD,yBACA,CAAC,sBAA6C;AAC5C,cAAQ,mBAAmB;QACzB,KAAK;AACH,iBAAO,WAAW,gBAAgB,CAAC,cAAc,EAAE,mBAAmB,SAAQ,EAAG;QACnF,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAAC,eAAe,EAAE,mBAAmB,UAAS,EAAG;MACzF;IACF,CAAC;;;;;ACzEH;;;AACA;;;;;ACJA,IAsBa,qBAcA,oBAEA;AAtCb;;;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAaO,IAAM,sBAAmD,wBAC9D;MACE;MACA;MACA;;MACA;;MACA;;MACA;;MACA,kBAAkB,gBAAgB;OAEpC,CAAC,OACC,CAAC,GAAG,SAAS,GAAG,aAAa,GAAG,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,yBAAyB,GAAG,UAAU,CAAU;AAGhH,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD;MACE;MACA;MACA;;MACA;;MACA;;MACA;;MACA,iBAAiB,eAAe;OAElC,CAAC,SAAS,aAAa,SAAS,OAAOC,WAAU,yBAAyB,gBAAgB;MACxF;MACA;MACA;MACA;MACA,UAAAA;MACA;MACA;MACA;;;;;ACxDJ,IAKM,WAQO,iBAEA,gBAEA;AAjBb;;;AACA;AACA;AACA;AAEA,IAAM,YAAY;MAChB,MAAM;MACN,QAAQ;;AAMH,IAAM,kBAA+C,uBAAuB,cAAc,CAAC,MAAM,UAAU,CAAC,CAAC;AAE7G,IAAM,iBAAwC,OAAO,eAAe;AAEpE,IAAM,iBAAwC,iBAAiB,aAAa,gBAAgB,SAAS,CAAC;;;;;ACjB7G,IAYa,mBAKA,kBAEA;AAnBb;;;AACA;AACA;AACA;AASO,IAAM,oBAA+C,wBAC1D,CAAC,mBAAmB,mBAAmB,kBAAkB,aAAa,CAAC,GACvE,CAAC,SAAS,CAAC,KAAK,eAAe,KAAK,YAAY,KAAK,cAAc,CAAU;AAGxE,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,kBAAkB,kBAAkB,iBAAiB,YAAY,CAAC,GACnE,CAAC,eAAe,YAAY,oBAAoB;MAC9C;MACA;MACA;MACA;;;;;ACzBJ;;;;;;;ACgFM,SAAU,kBAAkB,MAAiB;AACjD,QAAM,YAAY,KAAK,SAAS;AAEhC,MAAI,KAAK,SAAS,MAAM,QAAW;AACjC,UAAM,IAAI,cAAc,sDAAsD;EAChF;AAGA,QAAM,aAAa,uBAAuB,KAAK,MAAM;AAGrD,QAAM,OAAO,KAAK,MAAK;AACvB,SAAO,KAAK,SAAS,YAAY;AAC/B,SAAK,KAAK,MAAS;EACrB;AAEA,SAAO;AACT;AAGA,SAAS,uBAAuB,GAAS;AACvC,MAAI,IAAI;AACR,UAAQ,KAAM,IAAI,KAAM,IAAI,GAAG;AAC7B;EACF;AACA,UAAQ,KAAM,IAAI,KAAM;AAC1B;AAQM,SAAU,gBAAgB,MAAiB;AAC/C,MAAI,eAAe,KAAK,SAAS;AACjC,SAAO,gBAAgB,KAAK,KAAK,YAAY,MAAM,QAAW;AAC5D;EACF;AAEA,SAAO,KAAK,MAAM,GAAG,eAAe,CAAC;AACvC;AAzHA,IAoCa,aAeA,YAEA,YAsEA,oBAKA,mBAEA;AAlIb;;;AACA;AAEA;AACA;AACA;AACA;AACA;AAgBA;AACA;AACA;AAWO,IAAM,cAAmC,CAAC,SAAQ;AACvD,cAAQ,KAAK,UAAU;QACrB,KAAK;AACH,iBAAO,wBACL,CAAC,iBAAiB,iBAAiB,GACnC,CAAC,MAAkB,CAAC,EAAE,UAAU,EAAE,MAAM,CAAU,EAClD,IAAI;QACR,KAAK;AACH,iBAAO,wBACL,CAAC,iBAAiB,eAAe,GACjC,CAAC,MAAgB,CAAC,EAAE,UAAU,EAAE,IAAI,CAAU,EAC9C,IAAI;MACV;IACF;AAEO,IAAM,aAA4B,OAAO,WAAW;AAEpD,IAAM,aAA4B,eAAe,gBAAgB,CAAC,aAA2B;AAClG,cAAQ,UAAU;QAChB,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAACC,aAAY;YAC/C;YACA,QAAAA;YACA;QACJ,KAAK;AACH,iBAAO,WAAW,gBAAgB,CAAC,UAAU;YAC3C;YACA;YACA;MACN;IACF,CAAC;AAyDM,IAAM,qBAAiD,uBAC5D,kBAAkB,gBAAgB,WAAW,CAAC,GAC9C,eAAe;AAGV,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,oBAA0C,WACrD,iBAAiB,eAAe,UAAU,CAAC,GAC3C,iBAAiB;;;;;ACpInB,IA0Ba,0BAKA,yBAEA,yBASA,4BAKA,2BAEA,2BAUA,sBASA,qBAEA;AAtEb;;;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AAeO,IAAM,2BAA6D,wBACxE,CAAC,iBAAiB,eAAe,gBAAgB,eAAe,CAAC,GACjE,CAAC,UAAU,CAAC,MAAM,UAAU,MAAM,WAAW,MAAM,QAAQ,CAAU;AAGhE,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,0BAAsD,YACjE,CAAC,cAAc,eAAe,cAAc,CAAC,GAC7C,CAAC,WAAW,cAAc;MACxB,UAAU;MACV;MACA;MACA;AAGG,IAAM,6BAAiE,wBAC5E,CAAC,iBAAiB,gBAAgB,iBAAiB,GAAG,mBAAmB,iBAAiB,GAC1F,CAAC,UAAU,CAAC,MAAM,UAAU,MAAM,YAAY,MAAM,UAAU,MAAM,SAAS,CAAU;AAGlF,IAAM,4BAA0D,OAAO,0BAA0B;AAEjG,IAAM,4BAA0D,YACrE,CAAC,eAAe,gBAAgB,GAAG,kBAAkB,gBAAgB,GACrE,CAAC,YAAY,UAAU,eAAe;MACpC,UAAU;MACV;MACA;MACA;MACA;AAGG,IAAM,uBAAqD,CAAC,UAAS;AAC1E,cAAQ,MAAM,UAAU;QACtB,KAAK;AACH,iBAAO,yBAAyB,KAAK;QACvC,KAAK;AACH,iBAAO,2BAA2B,KAAK;MAC3C;IACF;AAEO,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,eACzD,gBACA,CAAC,aAAoC;AACnC,cAAQ,UAAU;QAChB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;;;;;AC/EH,IAiBa,wBAKA,uBAEA;AAxBb;;;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AAQO,IAAM,yBAAyD,wBACpE,CAAC,mBAAmB,mBAAmB,iBAAiB,GACxD,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,YAAY,EAAE,uBAAuB,CAAU;AAGrE,IAAM,wBAAkD,OAAO,sBAAsB;AAErF,IAAM,wBAAkD,YAC7D,CAAC,kBAAkB,kBAAkB,gBAAgB,GACrD,CAAC,eAAe,YAAY,6BAA6B;MACvD;MACA;MACA;MACA;;;;;AC9BJ,IAUa,uBAKA,sBAEA;AAjBb;;;AACA;AACA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,iBAAiB,GACrC,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,UAAU,CAAU;AAG5C,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,gBAAgB,GACnC,CAAC,WAAW,gBAAgB,EAAE,WAAW,WAAU,EAAG;;;;;ACnBxD,IAmCa,uBAKA,sBAEA,sBAWA,mBAKA,kBAEA;AA5Db;;;AACA;AACA;AAGA;AACA;AACA;AACA;AAOA;AACA;AAOA;AACA;AACA;AACA;AACA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,kBAAkB,qBAAqB,CAAC,GAC5D,CAAC,SAAS,CAAC,KAAK,eAAe,KAAK,mBAAmB,CAAU;AAG5D,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,iBAAiB,oBAAoB,CAAC,GACzD,CAAC,eAAe,yBAAyB,EAAE,eAAe,oBAAmB,EAAG;AAS3E,IAAM,oBAA+C,wBAC1D,CAAC,iBAAiB,kBAAkB,qBAAqB,CAAC,GAC1D,CAAC,SAAS,CAAC,KAAK,UAAU,KAAK,KAAK,CAAU;AAGzC,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,sBAAsB,iBAAiB,oBAAoB,CAAC,GAC7D,CAAC,UAAU,WAAW,EAAE,UAAU,MAAK,EAAG;;;;;AC9D5C,IAaa,eAKA,cAEA;AApBb;;;AACA;AACA;AACA;AACA;AACA;AAQO,IAAM,gBAAuC,wBAClD,CAAC,kBAAkB,oBAAoB,GAAG,gBAAgB,iBAAiB,CAAC,GAC5E,CAAC,WAAW,CAAC,OAAO,WAAW,OAAO,IAAI,CAAU;AAG/C,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,YAC3C,CAAC,iBAAiB,mBAAmB,GAAG,eAAe,gBAAgB,CAAC,GACxE,CAAC,WAAW,UAAU,EAAE,WAAW,KAAI,EAAG;;;;;ACtB5C,IAMa,cAUA,oBAKA,mBAEA;AAvBb;;;AACA;AACA;AACA;AAGO,IAAM,eAAe;MAC1B,aAAa;MACb,UAAU;MACV,QAAQ;;AAOH,IAAM,qBAAqD,uBAChE,cACA,CAAC,MAAM,aAAa,CAAC,CAAC;AAGjB,IAAM,oBAA8C,OAAO,kBAAkB;AAE7E,IAAM,oBAA8C,iBAAiB,aAAa,gBAAgB,YAAY,CAAC;;;;;ACvBtH,IAKa,aAWA,mBAGA,kBAEA;AArBb;;;AACA;AACA;AACA;AAEO,IAAM,cAAc;MACzB,oBAAoB;MACpB,qBAAqB;MACrB,aAAa;MACb,gBAAgB;MAChB,iBAAiB;;AAMZ,IAAM,oBAAmD,CAAC,MAC/D,uBAAuB,eAAe,CAAC,MAAsB,YAAY,CAAC,CAAC,EAAE,CAAC;AAEzE,IAAM,mBAA4C,OAAO,iBAAiB;AAE1E,IAAM,mBAA4C,iBAAiB,cAAc,gBAAgB,WAAW,CAAC;;;;;ACrBpH,IAUa,aAWA,mBAKA,kBAEA,kBA8BA,eAkBA,cAEA,cAyCA,mBAQA,kBAEA,kBAIA,mBAKA,kBAEA,kBAeA,sBAKA,qBAEA;AAlKb;;;AACA;AACA;AACA;AACA;AAEA;AACA;AAGO,IAAM,cAAc;MACzB,QAAQ;MACR,UAAU;MACV,qBAAqB;MACrB,mBAAmB;;AAOd,IAAM,oBAAmD,uBAC9D,cACA,CAAC,MAAM,YAAY,CAAC,CAAC;AAGhB,IAAM,mBAA4C,OAAO,iBAAiB;AAE1E,IAAM,mBAA4C,iBAAiB,aAAa,gBAAgB,WAAW,CAAC;AA8B5G,IAAM,gBAAuC,CAAC,MAAK;AACxD,cAAQ,EAAE,YAAY;QACpB,KAAK;AACH,iBAAO,wBACL,CAAC,mBAAmB,aAAa,GACjC,CAACC,OAAoB,CAACA,GAAE,YAAYA,GAAE,SAAS,CAAU,EACzD,CAAC;QACL,KAAK;AACH,iBAAO,wBACL,CAAC,mBAAmB,aAAa,GACjC,CAACA,OAAsB,CAACA,GAAE,YAAYA,GAAE,WAAW,CAAU,EAC7D,CAAC;QACL,KAAK;QACL,KAAK;AACH,iBAAO,kBAAkB,EAAE,UAAU;MACzC;IACF;AAEO,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,eAAe,kBAAkB,CAAC,eAA+B;AAC5G,cAAQ,YAAY;QAClB,KAAK;AACH,iBAAO,WAAW,cAAc,CAAC,eAAe;YAC9C;YACA;YACA;QACJ,KAAK;AACH,iBAAO,WAAW,cAAc,CAAC,iBAAiB;YAChD;YACA;YACA;QACJ,KAAK;AACH,iBAAO,WACL,MAAM,CAAC,QAAW,CAAC,GACnB,OAAO;YACL;YACA;QAEN,KAAK;AACH,iBAAO,WACL,MAAM,CAAC,QAAW,CAAC,GACnB,OAAO;YACL;YACA;MAER;IACF,CAAC;AAcM,IAAM,oBAA+C,CAAC,MAAM;MACjE;MACA,CAAC,QAAQ,WAAU;AACjB,cAAM,OAAO,IAAI,WAAW,QAAQ,QAAQ,CAAC;AAC7C,aAAK,IAAI,GAAG,CAAC;MACf;;AAGK,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,CAAC,GAAG,WAAU;AACjE,aAAO,CAAC,EAAE,SAAS,QAAQ,SAAS,CAAC,GAAiB,CAAC;IACzD;AAEO,IAAM,oBAA+C,wBAC1D,CAAC,eAAe,eAAe,iBAAiB,GAChD,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,CAAU;AAGpD,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,mBAAwC,YACnD,CAAC,cAAc,cAAc,gBAAgB,GAC7C,CAAC,WAAW,YAAY,gBAAgB;MACtC;MACA;MACA;MACA;AASG,IAAM,uBAAqD,wBAChE,CAAC,mBAAmB,eAAe,kBAAkB,GACrD,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,OAAO,IAAI,WAAW,CAAU;AAGtD,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,YACzD,CAAC,kBAAkB,cAAc,iBAAiB,GAClD,CAAC,SAAS,OAAO,iBAAiB;MAChC;MACA;MACA;MACA;;;;;ACyEE,SAAU,4BAA4B,aAA4B;AACtE,UAAQ,aAAa;IACnB,KAAK;AACH,aAAO,YAAY,CAAC,kBAAkB,iCAAiC,GAAG,CAAC,WAAW,gBAAgB;QACpG;QACA,GAAG;QACH;IACJ,KAAK;IACL,KAAK;AACH,aAAO,WAAW,kBAAkB,CAAC,eAAe;QAClD;QACA;QACA;EACN;AACF;AA/PA,IAiDa,qCAKA,oCAIA,kCAKA,iCAIA,gCAKA,+BAEA,0BAWA,yBAEA,oCAKA,iCAKA,+BAKA,yBAsCA,sBAKA,qBAEA,qBAiBA,mBAWA,kBAaA,yBAKA,wBAkBP,oCAUA,mCAKO,8BAKA,6BAEA;AAzOb;;;AACA;AACA;AAQA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AA6BO,IAAM,sCAAmF,wBAC9F,CAAC,oBAAoB,iBAAiB,GACtC,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,eAAe,CAAU;AAG7C,IAAM,qCAA4E,OACvF,mCAAmC;AAG9B,IAAM,mCAA6E,wBACxF,CAAC,oBAAoB,eAAe,GACpC,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,QAAQ,CAAU;AAGtC,IAAM,kCAAsE,OACjF,gCAAgC;AAG3B,IAAM,iCAAyE,wBACpF,CAAC,oBAAoB,aAAa,GAClC,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,MAAM,CAAU;AAGpC,IAAM,gCAAkE,OAAO,8BAA8B;AAE7G,IAAM,2BAA6D,CAAC,OAAM;AAC/E,cAAQ,GAAG,aAAa;QACtB,KAAK;AACH,iBAAO,oCAAoC,EAAE;QAC/C,KAAK;AACH,iBAAO,iCAAiC,EAAE;QAC5C,KAAK;AACH,iBAAO,+BAA+B,EAAE;MAC5C;IACF;AAEO,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,qCAA4E,WACvF,kBACA,CAAC,qBAAqB,EAAE,aAAa,eAAe,gBAAe,EAAG;AAGjE,IAAM,kCAAsE,WACjF,gBACA,CAAC,cAAc,EAAE,aAAa,YAAY,SAAQ,EAAG;AAGhD,IAAM,gCAAkE,WAAW,cAAc,CAAC,YAAY;MACnH,aAAa;MACb;MACA;AAEK,IAAM,0BAAsD,eACjE,mBACA,CAAC,gBAA2C;AAC1C,cAAQ,aAAa;QACnB,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;QACT,KAAK;AACH,iBAAO;MACX;IACF,CAAC;AA2BI,IAAM,uBAAqD,wBAChE,CAAC,mBAAmB,eAAe,eAAe,mBAAmB,wBAAwB,GAC7F,CAAC,OAAO,CAAC,GAAG,SAAS,GAAG,OAAO,GAAG,QAAQ,GAAG,mBAAmB,EAAE,CAAU;AAGvE,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,YACzD,CAAC,kBAAkB,cAAc,cAAc,kBAAkB,uBAAuB,GACxF,CAAC,SAAS,OAAO,QAAQ,mBAAmB,UAAU;MACpD;MACA;MACA;MACA;MACA,GAAG;MACH;AASG,IAAM,oBAA+C,CAAC,SAAQ;AACnE,cAAQ,KAAK,YAAY;QACvB,KAAK;QACL,KAAK;AACH,iBAAO,oBAAoB,KAAK,OAAO;QACzC,KAAK;QACL,KAAK;AACH,iBAAO;MACX;IACF;AAEO,IAAM,mBAAwC,OAAO,iBAAiB;AAatE,IAAM,0BAA2D,wBACtE,CAAC,wBAAwB,mBAAmB,sBAAsB,iBAAiB,GACnF,CAAC,MAAM,CAAC,EAAE,iBAAiB,EAAE,YAAY,EAAE,SAAS,CAAC,CAAU;AAG1D,IAAM,yBAAoD,OAAO,uBAAuB;AAkB/F,IAAM,qCAAkF,CAAC,aAAY;AACnG,cAAQ,SAAS,aAAa;QAC5B,KAAK;AACH,iBAAO,kCAAkC,QAAQ;QACnD,KAAK;QACL,KAAK;AACH,iBAAO;MACX;IACF;AAEA,IAAM,oCAAuF,uBAC3F,mBACA,CAAC,SAAS,KAAK,eAAe;AAGzB,IAAM,+BAAqE,wBAChF,CAAC,mBAAmB,kCAAkC,GACtD,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC,CAAU;AAG3B,IAAM,8BAA8D,OAAO,4BAA4B;AAEvG,IAAM,oCAAiF,WAC5F,kBACA,CAAC,qBAAqB;MACpB,aAAa;MACb;MACA;;;;;AC9OJ,IAwCa,6BAKA,4BAEA,4BAkBA,gCAKA;AAtEb;;;AACA;AACA;AACA;AAcA;AAuBO,IAAM,8BAAmE,wBAC9E,CAAC,mBAAmB,sBAAsB,4BAA4B,GACtE,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAU;AAG5C,IAAM,6BAA4D,OAAO,2BAA2B;AAEpG,IAAM,6BAA4D,YACvE;MACE;MACA,eAAe,qBAAqB,CAAC,YAAW;AAC9C,eAAO,WAAW,4BAA4B,QAAQ,WAAW,GAAG,CAAC,UAAU,EAAE,SAAS,KAAI,EAAG;MACnG,CAAC;OAEH,CAAC,YAAY,iBAAiB;MAC5B;MACA,GAAG;MACH;AAQG,IAAM,iCAAyE,wBACpF,CAAC,yBAAyB,4BAA4B,GACtD,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,IAAI,CAAU;AAGjC,IAAM,gCAAkE,OAAO,8BAA8B;;;;;AC/B9G,SAAU,wBAAwB,YAA0B;AAChE,UAAQ,YAAY;IAClB,KAAK;AACH,aAAO,WAAW,kBAAkB,CAAC,mBAAmB;QACtD;QACA;QACA;IACJ,KAAK;IACL,KAAK;IACL,KAAK;AACH,aAAO,eAAe,EAAE,WAAU,CAAE;EACxC;AACF;AAnDA,IA0Ba,0BAWA,yBAqBA,sBAKA,qBAEA;AAjEb;;;AACA;AACA;AAEA;AACA;AASA;AACA;AAEA;AASO,IAAM,2BAA6D,CAAC,SAAQ;AACjF,cAAQ,KAAK,YAAY;QACvB,KAAK;AACH,iBAAO,kBAAkB,KAAK,aAAa;QAC7C,KAAK;QACL,KAAK;QACL,KAAK;AACH,iBAAO;MACX;IACF;AAEO,IAAM,0BAAsD,OAAO,wBAAwB;AAqB3F,IAAM,uBAAqD,wBAChE,CAAC,sBAAsB,8BAA8B,wBAAwB,GAC7E,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,MAAM,GAAG,CAAU;AAGzC,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,sBAA8C,eAAe,qBAAqB,CAAC,YAC9F,YACE,CAAC,4BAA4B,QAAQ,WAAW,GAAG,wBAAwB,QAAQ,OAAO,UAAU,CAAC,GACrG,CAAC,MAAM,UAAU;MACf,GAAG;MACH;MACA;MACA,CACH;;;;;ACzEH;;;AAQA;AAOA;AAEA;;;;;AChBA;;;AACA;AAIA;AACA;AAEA;;;;;ACTA,IAaa,6BAMA,4BAGA;AAtBb;;;AACA;AACA;AACA;AACA;AASO,IAAM,8BAAmE,wBAC9E,CAAC,kBAAkB,aAAa,GAAG,kBAAkB,aAAa,GAAG,kBAAkB,qBAAqB,CAAC,GAC7G,CAAC,OAAO,CAAC,GAAG,gBAAgB,GAAG,eAAe,GAAG,eAAe,CAAU;AAIrE,IAAM,6BAA4D,OAAO,2BAA2B;AAGpG,IAAM,6BAA4D,YACvE,CAAC,iBAAiB,YAAY,GAAG,iBAAiB,YAAY,GAAG,iBAAiB,oBAAoB,CAAC,GACvG,CAAC,gBAAgB,eAAeC,sBAAqB,EAAE,gBAAgB,eAAe,iBAAAA,iBAAe,EAAG;;;;;ACjB1G;;;;;;ACFA;;;;;;ACHA;;;;;;;ACIA;;;;;;ACCA;;;;;;ACPA,IAoBa,qBAKA,oBAEA,oBAeA,kBAKA,iBAEA;AAjDb;;;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAUO,IAAM,sBAAmD,wBAC9D,CAAC,qBAAqB,kBAAkB,gBAAgB,GAAG,mBAAmB,aAAa,GAC3F,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAU;AAGtE,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD,CAAC,oBAAoB,iBAAiB,eAAe,GAAG,kBAAkB,YAAY,GACtF,CAAC,cAAc,YAAY,iBAAiB,YAAY;MACtD;MACA;MACA;MACA;MACA;AAQG,IAAM,mBAA6C,wBACxD,CAAC,qBAAqB,iBAAiB,GACvC,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAU;AAG3B,IAAM,kBAAsC,OAAO,gBAAgB;AAEnE,IAAM,kBAAsC,YACjD,CAAC,oBAAoB,gBAAgB,GACrC,CAAC,KAAK,eAAe;MACnB,GAAG;MACH;MACA;;;;;ACtDJ,IAuBa,oBA4BA,mBAEA;AArDb;;;AACA;AACA;AAEA;AACA;AACA;AAiBO,IAAM,qBAAiD,wBAC5D;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;OAEF,CAAC,OACC;MACE,IAAI,WAAU;MACd,GAAG;MACH,IAAI,WAAU;MACd,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;MACH,GAAG;KACK;AAGP,IAAM,oBAA0C,OAAO,kBAAkB;AAEzE,IAAM,oBAA0C,YACrD;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;OAEF,CACE,cACA,kBACA,mBACA,gBACA,gBACA,iBACA,eACA,eACA,oBACA,gBACI;MACJ;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;;;;;ACtFJ,IA0Ba,yBAKA,wBAeA,uBAKA,sBAWA,mBAEA;AAhEb;;;AACA;AACA;AACA;AAUA;AAEA;AAEA;AASO,IAAM,0BAA2D,wBACtE,CAAC,mBAAmB,eAAe,oBAAoB,eAAe,iBAAiB,CAAC,GACxF,CAAC,OAAO,CAAC,GAAG,QAAQ,GAAG,YAAY,GAAG,iBAAiB,CAAU;AAG5D,IAAM,yBAAoD,YAC/D,CAAC,kBAAkB,cAAc,mBAAmB,cAAc,gBAAgB,CAAC,GACnF,CAAC,QAAQ,YAAY,uBAAuB;MAC1C;MACA;MACA;MACA;AASG,IAAM,wBAAuD,wBAClE,CAAC,yBAAyB,uBAAuB,GACjD,CAAC,SAAS,CAAC,KAAK,WAAW,KAAK,WAAW,CAAU;AAGhD,IAAM,uBAAgD,YAC3D,CAAC,wBAAwB,sBAAsB,GAC/C,CAAC,WAAW,iBAAiB;MAC3B;MACA;MACA;AAMG,IAAM,oBAA+C,kBAAkB,qBAAqB;AAE5F,IAAM,mBAAwC,iBAAiB,oBAAoB;;;;;AChE1F,IAaa,qCAKA,oCAIA;AAtBb;;;AACA;AACA;AAEA;AACA;AAQO,IAAM,sCAAmF,wBAC9F,CAAC,mBAAmB,sBAAsB,iBAAiB,GAC3D,CAAC,UAAU,CAAC,MAAM,YAAY,MAAM,SAAS,MAAM,SAAS,CAAU;AAGjE,IAAM,qCAA4E,OACvF,mCAAmC;AAG9B,IAAM,qCAA4E,kBACvF,CAAC,kBAAkB,qBAAqB,gBAAgB,GACxD,CAAC,YAAY,SAAS,cAAa;AACjC,UAAI,QAAQ,gBAAgB;AAC1B,eAAO;UACL;UACA;UACA;;;AAEC,eAAO;IACd,CAAC;;;;;AChCH,IAYa,qBAKA,oBAEA;AAnBb;;;AACA;AACA;AACA;AACA;AAQO,IAAM,sBAAmD,wBAC9D,CAAC,mBAAmB,gBAAgB,iBAAiB,GAAG,kBAAkB,YAAY,CAAC,GACvF,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,YAAY,GAAG,IAAI,CAAU;AAGrD,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,qBAA4C,YACvD,CAAC,kBAAkB,eAAe,gBAAgB,GAAG,iBAAiB,WAAW,CAAC,GAClF,CAAC,cAAc,YAAY,UAAU,EAAE,cAAc,YAAY,KAAI,EAAG;;;;;ACrB1E,IAkBa,8BAKA,6BAEA,6BAYA,gBAKA,eAEA;AA5Cb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,IAAM,+BAAqE,wBAChF,CAAC,mBAAmB,qBAAqB,GACzC,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,qBAAqB,CAAU;AAGvD,IAAM,8BAA8D,OAAO,4BAA4B;AAEvG,IAAM,8BAA8D,YACzE,CAAC,kBAAkB,oBAAoB,GACvC,CAAC,WAAW,2BAA2B,EAAE,WAAW,sBAAqB,EAAG;AAUvE,IAAM,iBAAyC,wBACpD,CAAC,oBAAoB,kBAAkB,4BAA4B,GAAG,iBAAiB,GACvF,CAAC,YAAY,CAAC,QAAQ,aAAa,QAAQ,SAAS,QAAQ,kBAAkB,CAAU;AAGnF,IAAM,gBAAkC,OAAO,cAAc;AAE7D,IAAM,gBAAkC,YAC7C,CAAC,mBAAmB,iBAAiB,2BAA2B,GAAG,gBAAgB,GACnF,CAAC,aAAa,SAAS,wBAAwB,EAAE,aAAa,SAAS,mBAAkB,EAAG;;;;;AC9C9F;;;AACA;AACA;AACA;;;;;ACHA,IAea,uBAKA;AApBb;;;AACA;AACA;AACA;AAEA;AAEA;AAQO,IAAM,wBAAuD,wBAClE,CAAC,eAAe,oBAAoB,eAAe,iBAAiB,CAAC,GACrE,CAAC,QAAQ,CAAC,IAAI,WAAW,IAAI,WAAW,CAAU;AAG7C,IAAM,uBAAgD,YAC3D,CAAC,cAAc,mBAAmB,cAAc,gBAAgB,CAAC,GACjE,CAAC,WAAW,iBAAiB;MAC3B;MACA;MACA;;;;;ACzBJ,IAca,2BAKA,0BAWA,2BAGA;AAjCb;;;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,IAAM,4BAA+D,wBAC1E,CAAC,iBAAiB,gBAAgB,aAAa,CAAC,GAChD,CAAC,QAAQ,CAAC,IAAI,UAAU,IAAI,eAAe,CAAU;AAGhD,IAAM,2BAAwD,YACnE,CAAC,gBAAgB,eAAe,YAAY,CAAC,GAC7C,CAAC,UAAU,qBAAqB;MAC9B;MACA;MACA;AAMG,IAAM,4BACX,oBAAoB,yBAAyB;AAExC,IAAM,2BAAwD,mBAAmB,wBAAwB;;;;;AChChH;;;AACA;;;;;ACFA;;;;;;ACAA;;;AACA;AACA;AACA;AACA;;;;;ACJA;;;;;;ACAA,IAIa,eAIA,cAEA;AAVb;;;AACA;AACA;AAEO,IAAM,gBAAuC,uBAAuB,mBAAmB,CAAC,MAC7F,IAAI,YAAW,EAAG,OAAO,CAAC,CAAC;AAGtB,IAAM,eAAgC,OAAO,aAAa;AAE1D,IAAM,eAAgC,WAAW,kBAAkB,CAAC,MAAM,IAAI,YAAW,EAAG,OAAO,CAAC,CAAC;;;;;ACV5G,IAUM,eACA,+BAEA,yBAKO,yBAWA;AA7Bb;;;AACA;AACA;AACA;AAOA,IAAM,gBAAiD,uBAAuB,eAAe,MAAM,QAAQ;AAC3G,IAAM,gCACJ,wBAAwB,CAAC,eAAe,aAAa,GAAG,CAAC,MAAM,CAAC,0BAA0B,EAAE,MAAM,CAAU;AAC9G,IAAM,0BAA2D,uBAC/D,eACA,MAAM,kBAAkB;AAGnB,IAAM,0BAA2D,CAAC,UAAS;AAChF,cAAQ,MAAM,MAAM;QAClB,KAAK;AACH,iBAAO,cAAc,KAAK;QAC5B,KAAK;AACH,iBAAO,8BAA8B,KAAK;QAC5C,KAAK;AACH,iBAAO,wBAAwB,KAAK;MACxC;IACF;AAEO,IAAM,yBAAoD,eAC/D,cACA,CAAC,SAAmC;AAClC,cAAQ,MAAM;QACZ,KAAK;AACH,iBAAO,eAAe,EAAE,MAAM,SAAQ,CAAE;QAE1C,KAAK;AACH,iBAAO,WAAW,cAAc,CAAC,YAAY,EAAE,MAAM,0BAA0B,OAAM,EAAG;QAE1F,KAAK;AACH,iBAAO,eAAe,EAAE,MAAM,mBAAkB,CAAE;QACpD;AACE,iBAAO,YAAW;MACtB;IACF,CAAC;;;;;AC5CH,IAoBa,0BAKA;AAzBb;;;AACA;AACA;AACA;AACA;AACA;AAeO,IAAM,2BAA6D,wBACxE,CAAC,mBAAmB,mBAAmB,oBAAoB,mBAAmB,mBAAmB,GACjG,CAAC,QAAQ,CAAC,IAAI,eAAe,IAAI,YAAY,IAAI,aAAa,IAAI,kBAAkB,IAAI,YAAY,CAAU;AAGzG,IAAM,0BAAsD,YACjE,CAAC,kBAAkB,kBAAkB,mBAAmB,kBAAkB,kBAAkB,GAC5F,CAAC,eAAe,YAAY,aAAa,kBAAkB,kBAAkB;MAC3E;MACA;MACA;MACA;MACA;MACA;;;;;ACjCJ,IAgIa,mBA6BA,kBAGA,kBAsCA,8BA0BA;AAhOb;;;AAGA;AACA;AACA;AACA;AACA;AACA;AAOA;AAEA;AAUA;AACA;AACA;AACA;AAUA;AACA;AACA;AACA;AAeA;AACA;AAOA;AAOA;AACA;AACA;AACA;AASA;AAQA;AACA;AAEA;AAIA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAmBO,IAAM,oBAA+C,wBAC1D;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA,iBAAiB,wBAAwB;MACzC;OAEF,CAAC,UACC;MACE,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;KACE;AAIP,IAAM,mBAAwC,OAAO,iBAAiB;AAGtE,IAAM,mBAAwC,YACnD;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA,gBAAgB,uBAAuB;MACvC;OAEF,CACE,cACA,aACA,YACA,aACA,aACA,qBACA,oBACA,iBACA,wBACA,sBACI;MACJ;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;MACA;AAGG,IAAM,+BAA0D,wBACrE;MACE;MACA;MACA;MACA;MACA;MACA;MACA;MACA,iBAAiB,wBAAwB;MACzC;OAEF,CAAC,UACC;MACE,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;MACN,MAAM;KACE;AAGP,IAAM,8BAAmD,OAAO,4BAA4B;;;;;AC/NnG,IAsCa,uBAMA,sBAEA,sBAmBA,0BAKA,yBAEA;AAxEb;;;AACA;AACA;AACA;AACA;AACA;AAEA;AASA;AACA;AACA;AAoBO,IAAM,wBAAuD,wBAClE,CAAC,mBAAmB,eAAe,oBAAoB,mBAAmB,mBAAmB,iBAAiB,GAC9G,CAAC,QACC,CAAC,IAAI,SAAS,IAAI,OAAO,IAAI,aAAa,IAAI,mBAAmB,IAAI,qBAAqB,IAAI,UAAU,CAAU;AAG/G,IAAM,uBAAgD,OAAO,qBAAqB;AAElF,IAAM,uBAAgD,YAC3D,CAAC,kBAAkB,cAAc,mBAAmB,kBAAkB,kBAAkB,gBAAgB,GACxG,CAAC,SAAS,OAAO,aAAa,mBAAmB,qBAAqB,gBAAgB;MACpF;MACA;MACA;MACA;MACA;MACA;MACA;AAUG,IAAM,2BAA6D,wBACxE,CAAC,mBAAmB,eAAe,oBAAoB,iBAAiB,GACxE,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,OAAO,IAAI,aAAa,IAAI,iBAAiB,CAAU;AAG7E,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,0BAAsD,YACjE,CAAC,kBAAkB,cAAc,mBAAmB,gBAAgB,GACpE,CAAC,SAAS,OAAO,aAAa,uBAAuB;MACnD;MACA;MACA;MACA;MACA;;;;;AChFJ;;;AAEA;AAOA;AAWA;AACA;AAEA;AAEA;AAEA;;;;;AC3BA;;;AAIA;AACA;AAEA;;;;;ACPA;;;AAEA;AAUA;AACA;AACA;AAMA;AACA;AAOA;AACA;AAEA;AACA;AACA;AACA;AAIA;AAQA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;;ACtDA;;;AAWA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAUA;AACA;AAEA;;;;;AC7CA;;;;;;;ACAA;AAAA;AAAA;AAAA;;;ACEA,SAAS,iBAAiB,SAAS,QAAQ;AACvC,SAAO,IAAI,MAAM,SAAS;AAAA,IACtB,IAAI,SAAS,MAAM,WAAW;AAC1B,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAAA,MACtB,OACK;AACD,eAAO,QAAQ,IAAI;AAAA,MACvB;AAAA,IACJ;AAAA,IACA,IAAI,SAAS,MAAM,OAAO;AACtB,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAAA,MACtB;AACA,cAAQ,IAAI,IAAI;AAChB,aAAO;AAAA,IACX;AAAA,IACA,eAAe,SAAS,MAAM;AAC1B,UAAI,UAAU;AACd,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAClB,kBAAU;AAAA,MACd;AACA,UAAI,QAAQ,SAAS;AACjB,eAAO,QAAQ,IAAI;AACnB,kBAAU;AAAA,MACd;AACA,aAAO;AAAA,IACX;AAAA,IACA,QAAQ,SAAS;AACb,YAAM,WAAW,QAAQ,QAAQ,OAAO;AACxC,YAAM,UAAU,QAAQ,QAAQ,MAAM;AACtC,YAAM,aAAa,IAAI,IAAI,OAAO;AAClC,aAAO,CAAC,GAAG,SAAS,OAAO,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC,GAAG,GAAG,OAAO;AAAA,IACrE;AAAA,IACA,eAAe,SAAS,MAAM,MAAM;AAChC,UAAI,QAAQ,QAAQ;AAChB,eAAO,OAAO,IAAI;AAAA,MACtB;AACA,cAAQ,eAAe,SAAS,MAAM,IAAI;AAC1C,aAAO;AAAA,IACX;AAAA,IACA,yBAAyB,SAAS,MAAM;AACpC,UAAI,QAAQ,QAAQ;AAChB,eAAO,QAAQ,yBAAyB,QAAQ,IAAI;AAAA,MACxD,OACK;AACD,eAAO,QAAQ,yBAAyB,SAAS,IAAI;AAAA,MACzD;AAAA,IACJ;AAAA,IACA,IAAI,SAAS,MAAM;AACf,aAAO,QAAQ,UAAU,QAAQ;AAAA,IACrC;AAAA,EACJ,CAAC;AACL;AAxDA,IAAM,YACO;AADb;AAAA;AAAA,IAAM,aAAa,CAAC;AACb,IAAM,gBAAgB,iBAAiB,YAAY,UAAU;AAAA;AAAA;;;ACDpE;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AACA;AACA;AACA;AAAA;AAAA;;;ACHA;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA;AAAA;AAAA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACJA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA,IA6EM;AA7EN;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAsEA,IAAM,kBAAkB;AAAA,MACpB,IAAI,MAAM,QAAQ;AAAA,MAClB,GAAG;AAAA,MACH,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,gBAAgB;AAAA,IACpB;AAAA;AAAA;;;ACnFA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACLA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACPA;AAAA;AAAA;AAAA;;;ACgBO,SAAS,QAAQ,GAAG;AACvB,SAAO,aAAa,cACf,YAAY,OAAO,CAAC,KAAK,EAAE,YAAY,SAAS;AACzD;AAEO,SAAS,QAAQ,GAAG,QAAQ,IAAI;AACnC,MAAI,CAAC,OAAO,cAAc,CAAC,KAAK,IAAI,GAAG;AACnC,UAAM,SAAS,SAAS,IAAI,KAAK;AACjC,UAAM,IAAI,MAAM,GAAG,MAAM,4BAA4B,CAAC,EAAE;AAAA,EAC5D;AACJ;AAEO,SAAS,OAAO,OAAO,QAAQ,QAAQ,IAAI;AAC9C,QAAM,QAAQ,QAAQ,KAAK;AAC3B,QAAM,MAAM,OAAO;AACnB,QAAM,WAAW,WAAW;AAC5B,MAAI,CAAC,SAAU,YAAY,QAAQ,QAAS;AACxC,UAAM,SAAS,SAAS,IAAI,KAAK;AACjC,UAAM,QAAQ,WAAW,cAAc,MAAM,KAAK;AAClD,UAAM,MAAM,QAAQ,UAAU,GAAG,KAAK,QAAQ,OAAO,KAAK;AAC1D,UAAM,IAAI,MAAM,SAAS,wBAAwB,QAAQ,WAAW,GAAG;AAAA,EAC3E;AACA,SAAO;AACX;AAGO,SAAS,QAAQ,UAAU,gBAAgB,MAAM;AACpD,MAAI,SAAS;AACT,UAAM,IAAI,MAAM,kCAAkC;AACtD,MAAI,iBAAiB,SAAS,UAAU;AACpC,UAAM,IAAI,MAAM,uCAAuC;AAAA,EAC3D;AACJ;AAwBO,SAAS,SAAS,QAAQ;AAC7B,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACpC,WAAO,CAAC,EAAE,KAAK,CAAC;AAAA,EACpB;AACJ;AA5EA,IA8EM,mBACA,kBAEO;AAjFb;AAAA;AAaA;AACA;AAgEA,IAAM,oBAAoC,oBAAI,YAAY,CAAC,SAAU,CAAC;AACtE,IAAM,mBAAmC,oBAAI,WAAW,kBAAkB,MAAM;AAEzE,IAAM,OAAuB,iBAAiB,CAAC,MAAM;AAAA;AAAA;;;ACnErD,SAAS,MAAM,GAAG;AACrB,MAAI,OAAO,MAAM,cAAc,OAAO,EAAE,WAAW,YAAY;AAC3D,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC7D;AACA,UAAQ,EAAE,SAAS;AACnB,UAAQ,EAAE,QAAQ;AACtB;AApBA,IAAAC,aAAA;AAAA;AAYA;AAAA;AAAA;;;ACZA,IAea,OAgHA;AA/Hb;AAAA;AAaA;AACA,IAAAC;AACO,IAAM,QAAN,MAAY;AAAA,MACf,YAAY,MAAM,KAAK;AACnB,eAAO,eAAe,MAAM,SAAS;AAAA,UACjC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,SAAS;AAAA,UACjC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,YAAY;AAAA,UACpC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,aAAa;AAAA,UACrC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,YAAY;AAAA,UACpC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,eAAO,eAAe,MAAM,aAAa;AAAA,UACrC,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,UAAU;AAAA,UACV,OAAO;AAAA,QACX,CAAC;AACD,cAAM,IAAI;AACV,eAAO,KAAK,QAAW,KAAK;AAC5B,aAAK,QAAQ,KAAK,OAAO;AACzB,YAAI,OAAO,KAAK,MAAM,WAAW,YAAY;AACzC,gBAAM,IAAI,MAAM,qDAAqD;AAAA,QACzE;AACA,aAAK,WAAW,KAAK,MAAM;AAC3B,aAAK,YAAY,KAAK,MAAM;AAC5B,cAAM,WAAW,KAAK;AACtB,cAAM,MAAM,IAAI,WAAW,QAAQ;AAEnC,YAAI,IAAI,IAAI,SAAS,WAAW,KAAK,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,IAAI,GAAG;AACxE,iBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ;AAC5B,cAAI,CAAC,KAAK;AACd,aAAK,MAAM,OAAO,GAAG;AAErB,aAAK,QAAQ,KAAK,OAAO;AAEzB,iBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ;AAC5B,cAAI,CAAC,KAAK,KAAO;AACrB,aAAK,MAAM,OAAO,GAAG;AACrB,cAAM,GAAG;AAAA,MACb;AAAA,MACA,OAAO,KAAK;AACR,gBAAQ,IAAI;AACZ,aAAK,MAAM,OAAO,GAAG;AACrB,eAAO;AAAA,MACX;AAAA,MACA,WAAW,KAAK;AACZ,gBAAQ,IAAI;AACZ,eAAO,KAAK,KAAK,WAAW,QAAQ;AACpC,aAAK,WAAW;AAChB,aAAK,MAAM,WAAW,GAAG;AACzB,aAAK,MAAM,OAAO,GAAG;AACrB,aAAK,MAAM,WAAW,GAAG;AACzB,aAAK,QAAQ;AAAA,MACjB;AAAA,MACA,SAAS;AACL,cAAM,MAAM,IAAI,WAAW,KAAK,MAAM,SAAS;AAC/C,aAAK,WAAW,GAAG;AACnB,eAAO;AAAA,MACX;AAAA,MACA,WAAW,IAAI;AAEX,eAAO,OAAO,OAAO,OAAO,eAAe,IAAI,GAAG,CAAC,CAAC;AACpD,cAAM,EAAE,OAAO,OAAO,UAAU,WAAW,UAAU,UAAU,IAAI;AACnE,aAAK;AACL,WAAG,WAAW;AACd,WAAG,YAAY;AACf,WAAG,WAAW;AACd,WAAG,YAAY;AACf,WAAG,QAAQ,MAAM,WAAW,GAAG,KAAK;AACpC,WAAG,QAAQ,MAAM,WAAW,GAAG,KAAK;AACpC,eAAO;AAAA,MACX;AAAA,MACA,QAAQ;AACJ,eAAO,KAAK,WAAW;AAAA,MAC3B;AAAA,MACA,UAAU;AACN,aAAK,YAAY;AACjB,aAAK,MAAM,QAAQ;AACnB,aAAK,MAAM,QAAQ;AAAA,MACvB;AAAA,IACJ;AAWO,IAAM,OAAO,CAAC,MAAM,KAAK,YAAY,IAAI,MAAM,MAAM,GAAG,EAAE,OAAO,OAAO,EAAE,OAAO;AACxF,SAAK,SAAS,CAAC,MAAM,QAAQ,IAAI,MAAM,MAAM,GAAG;AAAA;AAAA;;;AChIhD;AAAA;AAaA;AAAA;AAAA;;;ACEA,SAAS,QAAQ,GAAG,KAAK,OAAO;AAC5B,MAAI,IAAI;AACJ,WAAO,EAAE,GAAG,OAAO,IAAI,UAAU,GAAG,GAAG,OAAQ,KAAK,OAAQ,UAAU,EAAE;AAAA,EAC5E;AACA,SAAO;AAAA,IACH,GAAG,OAAQ,KAAK,OAAQ,UAAU,IAAI;AAAA,IACtC,GAAG,OAAO,IAAI,UAAU,IAAI;AAAA,EAChC;AACJ;AACA,SAAS,MAAM,KAAK,KAAK,OAAO;AAC5B,QAAM,MAAM,IAAI;AAChB,QAAM,KAAK,IAAI,YAAY,GAAG;AAC9B,QAAM,KAAK,IAAI,YAAY,GAAG;AAC9B,WAAS,IAAI,GAAG,IAAI,KAAK,KAAK;AAC1B,UAAM,EAAE,GAAG,EAAE,IAAI,QAAQ,IAAI,CAAC,GAAG,EAAE;AACnC,KAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;AAAA,EAC1B;AACA,SAAO,CAAC,IAAI,EAAE;AAClB;AAjCA,IAaM,YACA;AAdN;AAAA;AAaA,IAAM,aAAa;AACnB,IAAM,OAAO;AAAA;AAAA;;;ACdb;AAAA;AAeA;AACA;AACA;AACA,IAAAC;AAAA;AAAA;;;AClBA,IAyBM,KACA,KACA,KACA,KACA,OACA,QACA,SACA,WACA,YAgBA,OACA,aACA;AAnDN;AAAA;AAmBA;AACA;AACA,IAAAC;AAIA,IAAM,MAAM;AACZ,IAAM,MAAM;AACZ,IAAM,MAAM;AACZ,IAAM,MAAM;AACZ,IAAM,QAAQ;AACd,IAAM,SAAS;AACf,IAAM,UAAU,CAAC;AACjB,IAAM,YAAY,CAAC;AACnB,IAAM,aAAa,CAAC;AACpB,aAAS,QAAQ,GAAG,IAAI,KAAK,IAAI,GAAG,IAAI,GAAG,QAAQ,IAAI,SAAS;AAE5D,OAAC,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,KAAK,CAAC;AAChC,cAAQ,KAAK,KAAK,IAAI,IAAI,EAAE;AAE5B,gBAAU,MAAQ,QAAQ,MAAM,QAAQ,KAAM,IAAK,EAAE;AAErD,UAAI,IAAI;AACR,eAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AACxB,aAAM,KAAK,OAAS,KAAK,OAAO,UAAW;AAC3C,YAAI,IAAI;AACJ,eAAK,QAAS,OAAO,OAAO,CAAC,KAAK;AAAA,MAC1C;AACA,iBAAW,KAAK,CAAC;AAAA,IACrB;AACA,IAAM,QAAQ,MAAM,YAAY,IAAI;AACpC,IAAM,cAAc,MAAM,CAAC;AAC3B,IAAM,cAAc,MAAM,CAAC;AAAA;AAAA;;;ACnD3B;AAAA;AAeA;AAAA;AAAA;;;ACfA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAeA;AACA;AACA;AACA;AAAA;AAAA;;;AClBA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACpBA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAGM;AAHN;AAAA;AAAA;AACA;AAEA,IAAM,YAAY,IAAI,WAAW,CAAC,KAAK,KAAK,EAAE,CAAC;AAAA;AAAA;;;ACH/C;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA,IAWI;AAXJ;AAAA;AA2BA,oBAAgB,oBAAI,QAAQ;AAAA;AAAA;;;AC3B5B,IAWI;AAXJ;AAAA;AAYA;AACA;AACA;AAuBA,kCAA8B,oBAAI,QAAQ;AAAA;AAAA;;;ACrC1C,IAWI;AAXJ;AAAA;AAYA;AACA;AACA;AA8BA,+BAA2B,oBAAI,QAAQ;AAAA;AAAA;;;AC5CvC,IAMM,kBAIA,WAGA,iBAIA,WAGA,mBAIA,cAGA;AA3BN;AAAA;AAAA;AACA;AACA;AACA;AAGA,IAAM,mBAAmB,IAAI,WAAW;AAAA,MACpC;AAAA,MAAI;AAAA,MAAI;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,IAC7C,CAAC;AAED,IAAM,YAAY,IAAI,WAAW,CAAC,KAAK,KAAK,GAAG,CAAC;AAGhD,IAAM,kBAAkB,IAAI,WAAW;AAAA,MACnC;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,IAC1C,CAAC;AAED,IAAM,YAAY,IAAI,WAAW,CAAC,KAAK,KAAK,GAAG,CAAC;AAGhD,IAAM,oBAAoB,IAAI,WAAW;AAAA,MACrC;AAAA,MAAK;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,MAAI;AAAA,MAAK;AAAA,IACnD,CAAC;AAED,IAAM,eAAe,IAAI,WAAW,CAAC,KAAK,KAAK,IAAI,KAAK,KAAK,GAAG,CAAC;AAGjE,IAAM,uBAAuB,IAAI,WAAW;AAAA,MACxC;AAAA,MAAI;AAAA,MAAI;AAAA,MAAI;AAAA,MAAI;AAAA,MAAG;AAAA,MAAG;AAAA,MAAG;AAAA,MAAG;AAAA,MAAG;AAAA,IACnC,CAAC;AAAA;AAAA;;;AC7BD;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AACA;AACA;AAAA;AAAA;;;ACFA,IAGM;AAHN;AAAA;AAAA;AAGA,IAAM,sBAAsB,IAAI,WAAW;AAAA,MACvC;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAC1C;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IAC9C,CAAC;AAAA;AAAA;;;ACND;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA,IAGM;AAHN;AAAA;AAAA;AAGA,IAAM,oBAAoB,IAAI,WAAW;AAAA,MACrC;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAC1C;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IAC9C,CAAC;AAAA;AAAA;;;ACND;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA,IAAAC,YAAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACFA,IAAAC,aAAA;;;AACA;;;;;ACJA;;IAAAC;AACA;AACA;;;;;ACFA;;IAAAC;AACA;;;;;ACDA;;IAAAC;AAOA;;;;;ACPA;;IAAAC;AAEA,IAAAC;AACA;AACA;AACA;;;;;ACHA;;;;;;ACFA;;;AAEA;;;;;ACAA;;;AACA;AACA;AACA;AACA;AACA;;;;;ACLA;;;;;;;ACFA;;;AACA;AACA;AACA;AACA;AAIA;;;;;ACPA,IAAAC,qBAAA;;AAEA;;;;;ACHA,IAAAC,+BAAA;;;;;;;ACAA,IAAAC,iBAAA;;IAAAC;AACA;;;;;ACDA,IAAAC,oBAAA;;;;;;;ACAA,IAAAC,kBAAA;;;;;;;ACAA,IAAAC,iBAAA;;IAAAC;AAEA,IAAAC;AACA,IAAAC;AACA,IAAAC;AACA,IAAAC;;;;;ACLA,IAAAC,YAAA;;;;;;;ACEA,IAAAC,iBAAA;;IAAAC;AACA,IAAAC;AACA,IAAAC;AACA,IAAAC;AACA,IAAAC;;;;;ACNA,IAiDa,yBAKA,wBAEA,mBAKA,kBAEA,0BAKA,yBAEA,qBAKA,oBAEA,sBAKA,qBAEA,0BAeA,yBAEA,yBAkBA,mBAMA,kBAGA;AAhIb;;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAyCO,IAAM,0BAA2D,wBACtE,CAAC,mBAAmB,oBAAoB,GACxC,CAAC,QAAQ,CAAC,IAAI,YAAY,IAAI,aAAa,CAAU;AAGhD,IAAM,yBAAoD,OAAO,uBAAuB;AAExF,IAAM,oBAA+C,wBAC1D,CAAC,mBAAmB,cAAc,GAClC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,OAAO,CAAU;AAGvC,IAAM,mBAAwC,OAAO,iBAAiB;AAEtE,IAAM,2BAA6D,wBACxE,CAAC,mBAAmB,qBAAqB,GACzC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,cAAc,CAAU;AAG9C,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,sBAAmD,wBAC9D,CAAC,mBAAmB,gBAAgB,GACpC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,SAAS,CAAU;AAGzC,IAAM,qBAA4C,OAAO,mBAAmB;AAE5E,IAAM,uBAAqD,wBAChE,CAAC,mBAAmB,iBAAiB,GACrC,CAAC,OAAO,CAAC,GAAG,YAAY,GAAG,UAAU,CAAU;AAG1C,IAAM,sBAA8C,OAAO,oBAAoB;AAE/E,IAAM,2BAA6D,CAAC,OAAM;AAC/E,cAAQ,GAAG,YAAY;QACrB,KAAK;AACH,iBAAO,wBAAwB,EAAE;QACnC,KAAK;AACH,iBAAO,kBAAkB,EAAE;QAC7B,KAAK;AACH,iBAAO,yBAAyB,EAAE;QACpC,KAAK;AACH,iBAAO,oBAAoB,EAAE;QAC/B,KAAK;AACH,iBAAO,qBAAqB,EAAE;MAClC;IACF;AAEO,IAAM,0BAAsD,OAAO,wBAAwB;AAE3F,IAAM,0BAAsD,eACjE,kBACA,CAAC,eAA0C;AACzC,cAAQ,YAAY;QAClB,KAAK;AACH,iBAAO,WAAW,qBAAqB,CAAC,mBAAmB,EAAE,YAAY,cAAa,EAAG;QAC3F,KAAK;AACH,iBAAO,WAAW,eAAe,CAAC,aAAa,EAAE,YAAY,QAAO,EAAG;QACzE,KAAK;AACH,iBAAO,WAAW,sBAAsB,CAAC,oBAAoB,EAAE,YAAY,eAAc,EAAG;QAC9F,KAAK;AACH,iBAAO,WAAW,iBAAiB,CAAC,eAAe,EAAE,YAAY,UAAS,EAAG;QAC/E,KAAK;AACH,iBAAO,WAAW,kBAAkB,CAAC,gBAAgB,EAAE,YAAY,WAAU,EAAG;MACpF;IACF,CAAC;AAGI,IAAM,oBAA+C,wBAC1D,CAAC,wBAAwB,wBAAwB,GACjD,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,CAAU;AAIzB,IAAM,mBAAwC,OAAO,iBAAiB;AAGtE,IAAM,mBAAwC,YACnD,CAAC,uBAAuB,uBAAuB,GAC/C,CAAC,SAAS,QAAQ,EAAE,GAAG,IAAI,QAAO,EAAG;;;;;AC7HvC;;;;;;ACJA;;;AACA;;;;;ACAA;;;AAEA;AAMA;AAEA;AAIA;AAEA;AAMA;AAEA;AAEA;AAEA;AAEA;AACA;AAEA;AAeA;AAEA;AAMA;AAQA;AASA;AAEA;AAkBA;AAEA;AAYA;AAGA,IAAAC;AACA;AAEA;AAEA;AAWA;AAEA;AA0FA;AACA;AACA;AAIA;AAsBA;;;;;ACxPA;;;AASA;;;;;ACTA;;;;AAEA;AAEA;AAUA;AAEA;AAMA;AAOA;AAgBA;AAOA;AAMA;AA+BA;AAiBA;AA2DA;AAKA;AAYA;AAMA;;;;;AC5LA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAgB,OAAO,UAAU,QAAQ,IAAI,iBAAiB;AAC9D,SAAS,QAAAC,aAAY;AAiBrB,eAAsB,UACpB,SACA,OACe;AACf,QAAM,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,SAAS,CAAC;AACxD,QAAM,WAAWA,MAAK,SAAS,UAAU;AACzC,QAAM,UAAU,UAAU,KAAK,UAAU,OAAO,MAAM,CAAC,GAAG,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AAGhG,MAAI;AACF,UAAM,GAAGA,MAAK,SAAS,iBAAiB,CAAC;AAAA,EAC3C,QAAQ;AAAA,EAER;AACF;AAUA,eAAsB,UACpB,SAEqB;AAErB,QAAM,WAAWA,MAAK,SAAS,UAAU;AACzC,MAAI;AACF,UAAM,MAAM,MAAM,SAAS,UAAU,OAAO;AAC5C,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AAAA,EAER;AAGA,QAAM,aAAaA,MAAK,SAAS,iBAAiB;AAClD,MAAI;AACF,UAAM,MAAM,MAAM,SAAS,YAAY,OAAO;AAC9C,UAAM,SAAS,KAAK,MAAM,GAAG;AAE7B,UAAM,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,SAAS,CAAC;AACxD,UAAM,UAAU,UAAU,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AACjG,UAAM,GAAG,UAAU;AACnB,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,aAAa,SAAmC;AACpE,MAAI;AACF,UAAM,WAAWA,MAAK,SAAS,UAAU;AACzC,UAAM,MAAM,MAAM,SAAS,UAAU,OAAO;AAC5C,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,WAAO,CAAC,EACN,UACA,OAAO,YACP,OAAO,aACP,OAAO,YACP,OAAO,KAAK,OAAO,QAAQ,EAAE,SAAS;AAAA,EAE1C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,YAAY,SAAgC;AAChE,QAAM,MAAMA,MAAK,SAAS,UAAU;AACpC,QAAM,MAAMA,MAAK,SAAS,GAAG,UAAU,MAAM;AAC7C,QAAM,MAAMA,MAAK,SAAS,GAAG,UAAU,UAAU;AACjD,MAAI;AACF,UAAM,OAAO,MAAM,SAAS,KAAK,OAAO;AACxC,UAAM,UAAU,KAAK,MAAM,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AACjE,UAAM,OAAO,KAAK,GAAG;AAAA,EACvB,QAAQ;AAAA,EAER;AACF;AAMA,eAAsB,aAAa,SAAmC;AAEpE,QAAM,eAAe,MAAM,aAAa,OAAO;AAC/C,MAAI,aAAc,QAAO;AAEzB,QAAM,MAAMA,MAAK,SAAS,GAAG,UAAU,MAAM;AAC7C,MAAI;AACF,UAAM,OAAO,MAAM,SAAS,KAAK,OAAO;AACxC,UAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QACE,CAAC,UACD,CAAC,OAAO,YACR,CAAC,OAAO,aACR,CAAC,OAAO,YACR,OAAO,KAAK,OAAO,QAAQ,EAAE,WAAW,GACxC;AACA,aAAO;AAAA,IACT;AACA,UAAM,MAAM,SAAS,EAAE,WAAW,MAAM,MAAM,SAAS,CAAC;AACxD,UAAM,UAAUA,MAAK,SAAS,UAAU,GAAG,MAAM,EAAE,UAAU,SAAS,MAAM,UAAU,CAAC;AACvF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,qBACpB,OACA,YACA,QACA,WACe;AAEf,QAAM,WAAmC,CAAC;AAC1C,aAAW,CAAC,QAAQ,OAAO,KAAK,OAAO,QAAQ,MAAM,QAAQ,GAAG;AAC9D,QAAI,QAAQ,cAAc;AACxB,eAAS,MAAM,IAAI,QAAQ;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,SAAuB;AAAA,IAC3B,SAAS;AAAA,IACT,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,UAAU,MAAM;AAAA,IAChB,iBAAiB,MAAM;AAAA,IACvB,kBAAkB,MAAM;AAAA,IACxB,aAAa,MAAM;AAAA,IACnB;AAAA,IACA,UAAU,OAAO;AAAA,MACf,OAAO,QAAQ,MAAM,QAAQ,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM;AAAA,QAClD;AAAA,QACA;AAAA,UACE,eAAe,EAAE;AAAA,UACjB,cAAc,EAAE;AAAA,UAChB,WAAW,EAAE;AAAA,QACf;AAAA,MACF,CAAC;AAAA,IACH;AAAA,IACA,QAAQ,MAAM;AAAA,IACd,gBAAgB,MAAM;AAAA,IACtB,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,EACpB;AAEA,QAAM,YAAY,MAAM,cAAc,QAAQ,UAAU;AACxD,QAAM,WAAW,MAAM,eAAe,UAAU;AAEhD,QAAM,OAAO,MAAM,MAAM,GAAG,MAAM,kBAAkB;AAAA,IAClD,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,MAChB,eAAe,UAAU,SAAS;AAAA,IACpC;AAAA,IACA,MAAM,KAAK,UAAU;AAAA,MACnB,aAAa,cAAc,SAAS;AAAA,MACpC,kBAAkB,WAAW,QAAQ;AAAA,IACvC,CAAC;AAAA,EACH,CAAC;AAED,MAAI,CAAC,KAAK,IAAI;AACZ,UAAM,IAAI,MAAM,yBAAyB,KAAK,MAAM,EAAE;AAAA,EACxD;AACF;AAEA,eAAsB,WAAW,SAAgC;AAE/D,aAAW,YAAY,CAAC,YAAY,iBAAiB,GAAG;AACtD,QAAI;AACF,YAAM,GAAGA,MAAK,SAAS,QAAQ,CAAC;AAAA,IAClC,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAhNA,IAWM,YACA,mBAGA,UACA;AAhBN;AAAA;AAAA;AAEA;AASA,IAAM,aAAa;AACnB,IAAM,oBAAoB;AAG1B,IAAM,WAAW;AACjB,IAAM,YAAY;AAAA;AAAA;;;ACNlB,SAAS,WAAW,mBAAmB;AACvC,SAAS,mBAAmB;AAC5B,SAAS,WAAW,iBAAiB;;;ACFrC,IAAM,kBAAkB;AACxB,IAAM,oBAAoB;AAWnB,SAAS,eAAe,KAAoB;AACjD,QAAM,KAAK,KAAK,UAAU;AAC1B,MAAI,CAAC,GAAI,QAAO,CAAC;AACjB,MAAI,GAAG,YAAY,OAAO,GAAG,aAAa,UAAU;AAClD,WAAO,OAAO,KAAK,GAAG,QAAQ;AAAA,EAChC;AACA,SAAO,GAAG,UAAU,CAAC,SAAS,IAAI,CAAC;AACrC;AAEO,SAAS,eAAe,KAAU,WAAqC;AAC5E,QAAM,KAAK,KAAK,UAAU,cAAc,CAAC;AACzC,QAAM,KAAK,aAAa;AAExB,MAAI,GAAG,YAAY,OAAO,GAAG,aAAa,UAAU;AAClD,UAAM,OAAO,GAAG,SAAS,EAAE;AAC3B,QAAI,CAAC,MAAM;AACT,aAAO;AAAA,QACL,WAAW;AAAA,QACX,SAAS;AAAA,QACT,QAAQ,GAAG,UAAU;AAAA,QACrB,WAAW;AAAA,QACX,UAAU;AAAA,QACV,YAAY;AAAA,MACd;AAAA,IACF;AAEA,QAAI,WAAW,KAAK;AACpB,QAAI,YAAY,MAAM;AACpB,YAAM,OAAO,OAAO,KAAK,GAAG,QAAQ;AACpC,YAAM,QAAQ,KAAK,QAAQ,EAAE;AAC7B,iBAAW,qBAAqB,SAAS,IAAI,QAAQ;AAAA,IACvD;AAEA,WAAO;AAAA,MACL,WAAW;AAAA,MACX,SAAS,KAAK,WAAW;AAAA,MACzB,QAAQ,KAAK,UAAU,GAAG,UAAU;AAAA,MACpC,WAAW,KAAK,aAAa;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ,KAAK,OAAO;AAAA,IAClC;AAAA,EACF;AAEA,SAAO;AAAA,IACL,WAAW;AAAA,IACX,SAAS,GAAG,WAAW;AAAA,IACvB,QAAQ,GAAG,UAAU;AAAA,IACrB,WAAW,GAAG,aAAa;AAAA,IAC3B,UAAU,GAAG,YAAY;AAAA,IACzB,YAAY,QAAQ,GAAG,OAAO;AAAA,EAChC;AACF;;;AC1DA,SAAS,yBAAyB;AAClC,OAAO,wBAAwB;AAyB/B,IAAM,aAAa,IAAI,kBAAgC;AAEvD,IAAM,wBAAkC;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAI,YAAY;AAChB,IAAI;AAGJ,IAAM,mBAAmB,oBAAI,QAG3B;AAGF,IAAI;AACJ,IAAI;AACJ,IAAI;AAIJ,SAAS,WAAW,KAAa,eAAkC;AACjE,QAAM,cAAc,CAAC,GAAG,uBAAuB,GAAG,aAAa;AAC/D,SAAO,YAAY,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC;AAC5C;AAEA,SAAS,WAAW,QAAgB,MAAsB;AAExD,SAAO,GAAG,MAAM,GAAG,IAAI;AACzB;AAQO,SAAS,wBAAwB,MAAqC;AAC3E,MAAI,UAAW;AACf,cAAY;AAEZ,QAAM,eAAe;AAAA,IACnB,GAAG;AAAA,IACH,GAAI,KAAK,gBAAgB,CAAC;AAAA,EAC5B;AAMA,MAAI;AACF,UAAM,gBAAgB,mBAAmB,QAAQ,uBAAuB;AACxE,UAAM,iBAAiB,mBAAmB,QAAQ,wBAAwB;AAC1E,UAAM,eAAe,mBAAmB,QAAQ,sBAAsB;AAEtE,UAAM,kBAAkB,CAAC,YAAqB;AAC5C,UAAI;AACF,cAAM,MAAM;AAOZ,cAAM,MAAM,IAAI;AAChB,YAAI,CAAC,IAAK;AAEV,cAAM,SAAS,OAAO,IAAI,UAAU,EAAE;AACtC,cAAM,OAAO,OAAO,IAAI,QAAQ,GAAG;AACnC,cAAM,MAAM,WAAW,QAAQ,IAAI;AAEnC,YAAI,WAAW,KAAK,YAAY,EAAG;AAEnC,yBAAiB,IAAI,KAAK;AAAA,UACxB;AAAA,UACA,QAAQ,OAAO,IAAI,UAAU,KAAK,EAAE,YAAY;AAAA,UAChD,WAAW,KAAK,IAAI;AAAA,QACtB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,UAAM,mBAAmB,CAAC,YAAqB;AAC7C,UAAI;AACF,cAAM,MAAM;AAIZ,cAAM,UAAU,iBAAiB,IAAI,IAAI,OAAO;AAChD,YAAI,CAAC,QAAS;AACd,yBAAiB,OAAO,IAAI,OAAO;AAEnC,cAAM,YAAY,KAAK,IAAI,IAAI,QAAQ;AACvC,cAAM,MAAM,WAAW,SAAS;AAEhC,aAAK,WAAW;AAAA,UACd,QAAQ,QAAQ;AAAA,UAChB,KAAK,QAAQ;AAAA,UACb,YAAY,IAAI,UAAU,cAAc;AAAA,UACxC;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,UAAM,iBAAiB,CAAC,YAAqB;AAC3C,UAAI;AACF,cAAM,MAAM;AACZ,cAAM,UAAU,iBAAiB,IAAI,IAAI,OAAO;AAChD,YAAI,CAAC,QAAS;AACd,yBAAiB,OAAO,IAAI,OAAO;AAEnC,cAAM,YAAY,KAAK,IAAI,IAAI,QAAQ;AACvC,cAAM,MAAM,WAAW,SAAS;AAEhC,aAAK,WAAW;AAAA,UACd,QAAQ,QAAQ;AAAA,UAChB,KAAK,QAAQ;AAAA,UACb,YAAY;AAAA,UACZ;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,kBAAc,UAAU,eAAe;AACvC,mBAAe,UAAU,gBAAgB;AACzC,iBAAa,UAAU,cAAc;AAErC,kBAAc,MAAM,cAAc,YAAY,eAAe;AAC7D,mBAAe,MAAM,eAAe,YAAY,gBAAgB;AAChE,iBAAa,MAAM,aAAa,YAAY,cAAc;AAAA,EAC5D,QAAQ;AAAA,EAER;AAMA,kBAAgB,WAAW;AAC3B,QAAM,gBAAgB;AAEtB,aAAW,QAAQ,OACjB,OACA,SACsB;AACtB,UAAM,MACJ,iBAAiB,UACb,MAAM,MACN,iBAAiB,MACf,MAAM,OACN,OAAO,KAAK;AAEpB,QAAI,WAAW,KAAK,YAAY,GAAG;AACjC,aAAO,cAAc,OAAO,IAAI;AAAA,IAClC;AAEA,UAAM,SACJ,iBAAiB,UACb,MAAM,SACN,MAAM,UAAU;AAEtB,UAAM,MAAM,WAAW,SAAS;AAChC,UAAM,QAAQ,KAAK,IAAI;AAEvB,QAAI;AACF,YAAM,WAAW,MAAM,cAAc,OAAO,IAAI;AAChD,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,UAAI;AACF,aAAK,WAAW;AAAA,UACd;AAAA,UACA;AAAA,UACA,YAAY,SAAS;AAAA,UACrB;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAE5B,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,UAAI;AACF,aAAK,WAAW;AAAA,UACd;AAAA,UACA;AAAA,UACA,YAAY;AAAA,UACZ;AAAA,UACA,SAAS,KAAK;AAAA,UACd,cAAc,KAAK;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAE5B,YAAM;AAAA,IACR;AAAA,EACF;AACF;AA8BO,SAAS,oBACd,KACA,IACY;AACZ,SAAO,WAAW,IAAI,KAAK,EAAE;AAC/B;;;AF1QA;AACA;;;AGsbO,SAAS,YAAY,KAA6B;AAEvD,MAAI,SAAS;AACb,MAAI,OAAO,WAAW,aAAa,GAAG;AACpC,aAAS,OAAO,MAAM,cAAc,MAAM;AAAA,EAC5C;AAGA,MAAI,OAAO,WAAW,QAAQ,GAAG;AAC/B,aAAS,SAAS,OAAO,MAAM,SAAS,MAAM;AAAA,EAChD;AAEA,MAAI,WAAW,WAAW,WAAW,WAAW;AAC9C,WAAO,EAAE,MAAM,QAAQ;AAAA,EACzB;AACA,MAAI,WAAW,WAAW;AACxB,WAAO,EAAE,MAAM,UAAU;AAAA,EAC3B;AACA,MAAI,OAAO,WAAW,OAAO,GAAG;AAC9B,UAAM,SAAS,OAAO,MAAM,QAAQ,MAAM;AAC1C,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,yBAAyB,GAAG,0BAAqB;AAC9E,WAAO,EAAE,MAAM,QAAQ,OAAO;AAAA,EAChC;AACA,MAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,UAAM,aAAa,OAAO,MAAM,OAAO,MAAM;AAC7C,QAAI,CAAC,WAAY,OAAM,IAAI,MAAM,wBAAwB,GAAG,8BAAyB;AACrF,WAAO,EAAE,MAAM,OAAO,WAAW;AAAA,EACnC;AAEA,QAAM,IAAI,MAAM,kCAAkC,GAAG,0DAA0D;AACjH;;;AHncA,IAAI,aAAmC;AACvC,IAAM,YAAY,oBAAI,IAAiB;AACvC,IAAM,gBAA4C,CAAC;AAKnD,IAAM,8BAA8B;AACpC,IAAM,iBAAiB;AACvB,IAAM,mBAAmB;AACzB,IAAM,mBAAmB,oBAAI,IAAsB;AACnD,IAAM,iBAAiB,oBAAI,IAAoB;AAE/C,SAAS,UAAU,KAAsB;AACvC,QAAM,MAAM,KAAK,IAAI;AAGrB,QAAM,cAAc,eAAe,IAAI,GAAG,KAAK;AAC/C,MAAI,MAAM,aAAa;AACrB,WAAO;AAAA,EACT;AAGA,QAAM,aAAa,iBAAiB,IAAI,GAAG,KAAK,CAAC;AACjD,QAAM,SAAS,WAAW,OAAO,CAAC,MAAM,MAAM,IAAI,cAAc;AAEhE,MAAI,OAAO,UAAU,6BAA6B;AAEhD,mBAAe,IAAI,KAAK,MAAM,gBAAgB;AAC9C,qBAAiB,IAAI,KAAK,CAAC,CAAC;AAC5B,YAAQ;AAAA,MACN,mCAAmC,IAAI,MAAM,GAAG,EAAE,CAAC,cAChD,2BAA2B,eAAe,iBAAiB,GAAI,mBAAmB,mBAAmB,GAAI;AAAA,IAC9G;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,SAAS,aAAa,KAAmB;AACvC,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,aAAa,iBAAiB,IAAI,GAAG,KAAK,CAAC;AACjD,aAAW,KAAK,GAAG;AAEnB,mBAAiB;AAAA,IACf;AAAA,IACA,WAAW,OAAO,CAAC,MAAM,MAAM,IAAI,cAAc;AAAA,EACnD;AACF;AAGA,SAAS,aAAa,WAA4B;AAAE,SAAO,UAAU,OAAO,SAAS,EAAE;AAAG;AAC1F,SAAS,gBAAgB,WAAyB;AAAE,eAAa,OAAO,SAAS,EAAE;AAAG;AACtF,SAAS,cAAc,QAAyB;AAAE,SAAO,UAAU,QAAQ,MAAM,EAAE;AAAG;AACtF,SAAS,iBAAiB,QAAsB;AAAE,eAAa,QAAQ,MAAM,EAAE;AAAG;AAG3E,IAAI,uBAAuB;AAOlC,IAAM,mBAA4E;AAAA,EAChF,EAAE,IAAI,SAAS,OAAO,oBAAoB,WAAW,UAAU;AAAA,EAC/D,EAAE,IAAI,WAAW,OAAO,8BAA8B,WAAW,UAAU;AAC7E;AAKA,SAAS,oBAAoB,QAAgB,UAAkB,WAAyB;AACtF,QAAM,WAAW,QAAQ,MAAM;AAC/B,MAAI,iBAAiB,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,EAAG;AACrD,mBAAiB,KAAK,EAAE,IAAI,UAAU,OAAO,SAAS,QAAQ,IAAI,UAAU,CAAC;AAC7E,UAAQ,IAAI,wCAAwC,QAAQ,KAAK,OAAO,MAAM,GAAG,CAAC,CAAC,MAAM;AAC3F;AAGA,SAAS,mBAAmB,YAAoB,WAAyB;AACvE,QAAM,WAAW,OAAO,UAAU;AAClC,MAAI,iBAAiB,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,EAAG;AACrD,mBAAiB,KAAK;AAAA,IACpB,IAAI;AAAA,IACJ,OAAO,QAAQ,UAAU;AAAA,IACzB;AAAA,EACF,CAAC;AACD,UAAQ,IAAI,uCAAuC,QAAQ,EAAE;AAC/D;AAEA,SAAS,YAAY,IAAmB;AACtC,eAAa;AAEb,MAAI,cAAc,SAAS,GAAG;AAC5B,UAAM,UAAU,cAAc,OAAO,CAAC;AACtC,eAAW,MAAM,SAAS;AACxB,SAAG,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACrB;AAAA,EACF;AACF;AAKA,SAAS,eAAe,MAAwB;AAC9C,QAAM,WAAqB,CAAC;AAE5B,QAAM,KAAK;AACX,MAAI;AACJ,UAAQ,QAAQ,GAAG,KAAK,IAAI,OAAO,MAAM;AACvC,aAAS,KAAK,MAAM,CAAC,EAAE,YAAY,CAAC;AAAA,EACtC;AACA,SAAO;AACT;AAQA,SAAS,0BACP,WACA,WACA,WACA,gBACS;AACT,QAAM,WAAW,eAAe,SAAS;AAEzC,MAAI,SAAS,WAAW,EAAG,QAAO;AAElC,MAAI,SAAS,SAAS,KAAK,KAAK,SAAS,SAAS,UAAU,EAAG,QAAO;AAEtE,QAAM,YAAY,UAAU,YAAY;AACxC,QAAM,UAAU,UAAU,YAAY;AACtC,QAAM,YAAY,UAAU,MAAM,OAAO,EAAE,CAAC;AAC5C,QAAM,cAAc,SAAS;AAAA,IAC3B,CAAC,MAAM,MAAM,aAAa,MAAM,aAAa,MAAM;AAAA,EACrD;AACA,MAAI,YAAa,QAAO;AAExB,SAAO;AACT;AAGA,SAAS,eACP,MACA,WACA,WACQ;AACR,QAAM,YAAY,UAAU,YAAY;AACxC,QAAM,YAAY,UAAU,MAAM,OAAO,EAAE,CAAC;AAC5C,QAAM,UAAU,UAAU,YAAY;AAEtC,SAAO,KACJ,QAAQ,gBAAgB,CAAC,MAAM,SAAS;AACvC,UAAM,QAAQ,KAAK,YAAY;AAC/B,QAAI,UAAU,aAAa,UAAU,aAAa,UAAU,SAAS;AACnE,aAAO;AAAA,IACT;AAEA,QAAI,UAAU,SAAS,UAAU,WAAY,QAAO;AACpD,WAAO;AAAA,EACT,CAAC,EACA,QAAQ,QAAQ,EAAE,EAClB,KAAK;AACV;AAIA,eAAe,gBACb,QACA,QACA,OACA,OACA,QAAgB,GACC;AACjB,MAAI;AACF,UAAM,SAAS,IAAI,gBAAgB,EAAE,GAAG,OAAO,OAAO,OAAO,KAAK,EAAE,CAAC;AACrE,UAAM,UAAkC,EAAE,gBAAgB,mBAAmB;AAC7E,QAAI,OAAQ,SAAQ,eAAe,IAAI,UAAU,MAAM;AAEvD,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,kBAAkB,KAAK,kBAAkB,MAAM,IAAI,EAAE,QAAQ,CAAC;AAC/F,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,UAAW,MAAM,IAAI,KAAK;AAChC,QAAI,CAAC,QAAQ,OAAQ,QAAO;AAE5B,UAAM,QAAQ,CAAC,oCAAoC,EAAE;AACrD,eAAW,KAAK,SAAS;AACvB,YAAM,SAAS,EAAE,SAAS,MAAM,EAAE,MAAM,OAAO;AAC/C,YAAM,KAAK,MAAM,EAAE,QAAQ,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE;AAAA,IACtD;AACA,UAAM,KAAK,EAAE;AACb,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,IAAM,SAAS,EAAE,GAAG,IAAI,GAAG,GAAG;AAC9B,SAAS,aAAa;AACpB,MAAI,CAAC,OAAO,GAAG;AAAE,WAAO,IAAK,WAAmB,SAAS,KAAK,mBAAmB;AAAI,WAAO,IAAK,WAAmB,SAAS,KAAK,uBAAuB;AAAA,EAAI;AAC/J;AAEA,eAAe,kBAAkB,OAAe,QAAgB,GAAoB;AAClF,aAAW;AACX,MAAI,CAAC,OAAO,KAAK,CAAC,OAAO,EAAG,QAAO;AAEnC,MAAI;AACF,UAAM,SAAS,IAAI,gBAAgB,EAAE,GAAG,OAAO,OAAO,OAAO,KAAK,GAAG,WAAW,MAAM,CAAC;AACvF,UAAM,OAAO,MAAM,MAAM,GAAG,OAAO,CAAC,qBAAqB,MAAM,IAAI;AAAA,MACjE,SAAS,EAAE,aAAa,OAAO,EAAE;AAAA,MACjC,QAAQ,YAAY,QAAQ,GAAI;AAAA,IAClC,CAAC;AACD,QAAI,CAAC,KAAK,GAAI,QAAO;AACrB,UAAM,UAAW,MAAM,KAAK,KAAK;AACjC,QAAI,CAAC,QAAQ,OAAQ,QAAO;AAE5B,UAAM,QAAQ,CAAC,qCAAqC,EAAE;AACtD,eAAW,KAAK,SAAS;AACvB,YAAM,KAAK,MAAM,EAAE,QAAQ,KAAK,EAAE,OAAO,EAAE;AAAA,IAC7C;AACA,UAAM,KAAK,EAAE;AACb,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAgBA,eAAe,cAAc,QAMX;AAChB,QAAM,EAAE,WAAW,cAAc,UAAU,SAAS,SAAS,IAAI,IAAI;AACrE,QAAM,gBAAgB,QAAQ,SAAS,MAAM;AAC7C,QAAM,eAAe,QAAQ,SAAS,YAAY;AAGlD,MAAI,eAAe;AACjB,QAAI,CAAC,0BAA0B,cAAc,QAAQ,aAAa,IAAI,QAAQ,aAAa,IAAI,SAAS,aAAa,GAAG;AACtH;AAAA,IACF;AAAA,EACF;AAGA,MAAI,YAAY,gBACZ,eAAe,cAAc,QAAQ,aAAa,IAAI,QAAQ,aAAa,EAAE,IAC7E;AAGJ,MAAI,iBAAiB,cAAc;AACjC,QAAI;AACF,YAAM,OAAO,MAAM,oBAAoB,EAAE,QAAQ,cAAc,gBAAgB,SAAS,KAAK,oBAAoB,CAAC;AAClH,UAAI,MAAM;AACR,gBAAQ,IAAI,wCAAwC,gBAAgB,SAAS,KAAK,UAAU;AAAA,MAC9F;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAGA,QAAM,YAAY,KAAK,IAAI;AAC3B,QAAM,UAAU,YAAY,EAAE,EAAE,SAAS,KAAK;AAC9C,QAAM,aAAa,YAAY,CAAC,EAAE,SAAS,KAAK;AAChD,QAAM,kBAAkB,YAAY,CAAC,EAAE,SAAS,KAAK;AAGrD,QAAM,gBAAgB,CAAC,aAAsC;AAC3D,QAAI;AAAE,cAAQ,iBAAiB,EAAE,GAAG,UAAU,UAAU,SAAS,gBAAgB,gBAAgB,CAAC;AAAA,IAAG,QAAQ;AAAA,IAAC;AAAA,EAChH;AAEA,QAAM,cAAc;AAAA,IAClB,WAAW,CAAC,SAAc;AACxB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,cAAc,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC3D,YAAM,gBAAwC,EAAE,sBAAsB,KAAK,SAAS,GAAG;AACvF,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QAAO,WAAW,KAAK,SAAS;AAAA,QACpF,QAAQ,KAAK,WAAW,UAAU,UAAU;AAAA,QAC5C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,cAAc,KAAK;AAAA,QAAa,eAAe,KAAK;AAAA,MACtD,CAAC;AAAA,IACH;AAAA,IACA,YAAY,CAAC,SAAc;AACzB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,eAAe,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC5D,YAAM,gBAAwC,EAAE,sBAAsB,KAAK,YAAY,GAAG;AAC1F,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QAAQ,WAAW,KAAK,YAAY;AAAA,QACxF,QAAQ,KAAK,YAAY,QAAQ,UAAU;AAAA,QAC3C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,IACA,aAAa,CAAC,SAAc;AAC1B,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,YAAY,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AACzD,YAAM,gBAAwC,EAAE,uBAAuB,KAAK,aAAa,GAAG;AAC5F,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QAAS,WAAW,KAAK,aAAa;AAAA,QAC1F,QAAQ;AAAA,QACR,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa;AAAA,QACvF,YAAY;AAAA,QACZ,YAAY,KAAK;AAAA,QAAW,eAAe,KAAK;AAAA,MAClD,CAAC;AAAA,IACH;AAAA,IACA,YAAY,CAAC,SAAc;AACzB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,eAAe,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC5D,YAAM,gBAAwC,EAAE,wBAAwB,KAAK,UAAU,IAAI,qBAAqB,KAAK,OAAO,GAAG;AAC/H,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QACpD,YAAY,MAAM;AAAE,cAAI;AAAE,mBAAO,IAAI,IAAI,KAAK,GAAG,EAAE;AAAA,UAAU,QAAQ;AAAE,mBAAO,KAAK,KAAK,MAAM,GAAG,EAAE,KAAK;AAAA,UAAQ;AAAA,QAAE,GAAG;AAAA,QACrH,SAAS,KAAK,cAAc,QAAQ,MAAM,UAAU;AAAA,QACpD,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,aAAa,KAAK;AAAA,QAAQ,kBAAkB,KAAK;AAAA,QAAY,UAAU,KAAK;AAAA,MAC9E,CAAC;AAAA,IACH;AAAA,IACA,cAAc,CAAC,SAAc;AAC3B,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,iBAAiB,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC9D,YAAM,gBAAwC,EAAE,wBAAwB,KAAK,cAAc,IAAI,0BAA0B,KAAK,UAAU,GAAG;AAC3I,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QACpD,WAAW,GAAG,KAAK,cAAc,QAAQ,KAAK,KAAK,UAAU,EAAE;AAAA,QAC/D,QAAQ,KAAK,YAAY,QAAQ,UAAU;AAAA,QAC3C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,QACZ,aAAa,KAAK;AAAA,QAAY,eAAe,KAAK;AAAA,MACpD,CAAC;AAAA,IACH;AAAA,IACA,WAAW,CAAC,SAAc;AACxB,YAAM,WAAW,EAAE,GAAG,MAAM,SAAS,cAAc,gBAAgB;AACnE,UAAI,KAAK,aAAa,YAAY,UAAW,UAAS,YAAY,KAAK,aAAa,YAAY;AAChG,UAAI;AAAE,gBAAQ,WAAW,cAAc,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAC;AAC3D,YAAM,gBAAwC,EAAE,uBAAuB,KAAK,SAAS,GAAG;AACxF,UAAI,SAAS,UAAW,eAAc,qBAAqB,IAAI,SAAS;AACxE,oBAAc;AAAA,QACZ,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,QAAG,WAAW;AAAA,QACpD,WAAW,KAAK,OAAO,MAAM,GAAG,EAAE,KAAK;AAAA,QACvC,QAAQ,KAAK,WAAW,UAAU,UAAU;AAAA,QAC5C,YAAY,IAAI,KAAK,KAAK,IAAI,KAAK,KAAK,aAAa,EAAE,EAAE,YAAY;AAAA,QACrE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG,aAAa,KAAK,aAAa;AAAA,QACnE,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,cAAc;AAAA,EAChB;AACA,MAAI,aAAa;AACjB,MAAI,kBAAkB;AACtB,MAAI,iBAAgC;AACpC,QAAM,aAA0F,CAAC;AAGjG,iBAAe,SAAS;AAAA,IACtB;AAAA,IACA,cAAc;AAAA,IACd,MAAM;AAAA,IACN;AAAA,IACA,SAAS,YAAY;AAAA;AAAA,IACrB,YAAY;AAAA,MACV,gCAAgC,UAAU;AAAA,MAC1C,yBAAyB,eAAe,QAAQ,SAAS,SAAS,SAAS;AAAA,IAC7E;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAGD,MAAI;AAAE,YAAQ,WAAW;AAAA,EAAG,QAAQ;AAAA,EAAe;AAEnD,QAAM,OAAO;AAGb,MAAI;AACJ,MAAI;AACJ,MAAI,iBAAiB,SAAS,QAAQ;AACpC,eAAW,SAAS;AAEpB,wBAAqB,SAAiB;AACtC,QAAI,CAAC,YAAY,CAAC,mBAAmB;AACnC,YAAM,QAAQ,QAAQ,WAAW,KAAK,CAAC;AACvC,YAAM,OAAO,MAAM,KAAK,CAAC,MAAW,EAAE,WAAW,SAAS,MAAM;AAChE,UAAI,MAAM;AACR,YAAI,CAAC,SAAU,YAAW,KAAK;AAC/B,YAAI,CAAC,qBAAqB,SAAS,gBAAgB;AACjD,gBAAM,SAAS,KAAK,SAAS,KAAK,CAAC,MAAW,EAAE,aAAa,SAAS,cAAc;AACpF,cAAI,OAAQ,qBAAoB,OAAO;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ,KAAK,QAAQ,QAAQ,kBAAkB;AAAA,IACnD;AAAA,IACA,SAAS;AAAA,IACT,WAAW,QAAQ;AAAA,IACnB,MAAM;AAAA,MACJ,MAAM,eAAe,QAAe,gBAAgB,UAAiB;AAAA,MACrE,IAAI,eACA,kBAAkB,SAAS,cAAc,KACzC,gBACE,mBAAmB,SAAS,MAAM,KAClC;AAAA,IACR;AAAA,EACF,CAAC;AAED,QAAM,YAAY,KAAK,QAAQ,QAAQ,iBAAiB,KAAK,SAAS,OAAO;AAAA,IAC3E,SAAS,MAAM;AAAA,EACjB,CAAC;AAED,QAAM,kBAAkB,KAAK,QAAQ,MAAM,6BAA6B,GAAG;AAC3E,QAAM,oBAAoB,KAAK,QAAQ,QAAQ,qBAAqB;AAAA,IAClE;AAAA,IACA,YAAY,MAAM;AAAA,EACpB,CAAC;AAGD,QAAM,cAAc,iBAAiB,eACjC,YACC,UAAU,UAAU,UAAU,eAAe;AAElD,QAAM,oBAAoB,MAAM,kBAAkB,WAAW;AAC7D,MAAI,mBAAmB;AACrB,gBAAY,oBAAoB,cAAc;AAAA,EAChD;AAGA,MAAI,SAAS,QAAQ,QAAQ;AAC3B,UAAM,gBAAgB,MAAM;AAAA,MAC1B,QAAQ,OAAO;AAAA,MACf,QAAQ,OAAO;AAAA,MACf,QAAQ,OAAO,SAAS;AAAA,MACxB;AAAA,MACA;AAAA,IACF;AAEA,QAAI,eAAe;AACjB,kBAAY,gBAAgB,cAAc;AAAA,IAC5C;AAAA,EACF;AAGA,MAAI,cAAc;AAClB,MAAI,iBAAiB,SAAS,UAAU,QAAQ,gBAAgB;AAC9D,UAAM,gBAAgB,QAAQ,eAAe,SAAS,QAAQ,EAAE;AAEhE,UAAM,QAAQ,cAAc,MAAM,GAAG,EAAE;AACvC,QAAI,MAAM,SAAS,GAAG;AACpB,YAAM,eAAe,MAAM,IAAI,CAAC,MAAW;AACzC,cAAM,OAAO,EAAE,WAAW,UAAU,QAAQ;AAC5C,eAAO,IAAI,IAAI,MAAM,EAAE,IAAI;AAAA,MAC7B,CAAC,EAAE,KAAK,IAAI;AACZ,oBAAc;AAAA,EAA+B,YAAY;AAAA;AAAA;AAAA,EAA0B,SAAS;AAAA,IAC9F;AAAA,EACF;AAEA,QAAM,OAAO,KAAK,QAAQ,MAAM,oBAAoB;AAAA,IAClD,SAAS;AAAA,IACT,MAAM,eAAe,UAAU,SAAS,cAAc,MAAM,gBAAiB,qBAAqB,gBAAiB;AAAA,IACnH,WAAW,IAAI,KAAK,SAAS,SAAS,EAAE,QAAQ;AAAA,IAChD;AAAA,IACA,UAAU;AAAA,IACV,MAAM;AAAA,EACR,CAAC;AAGD,QAAM,mBAAwC,CAAC;AAC/C,MAAI,SAAS,YAAY;AACvB,qBAAiB,iBAAiB,SAAS,WAAW;AACtD,qBAAiB,qBAAqB,SAAS,WAAW;AAC1D,qBAAiB,iBAAiB,SAAS,WAAW;AAGtD,QAAI,SAAS,WAAW,QAAQ;AAC9B,uBAAiB,WAAW,SAAS,WAAW;AAChD,uBAAiB,WAAW;AAAA,IAC9B;AAAA,EAGF;AAGA,QAAM,mBAAwC,CAAC;AAC/C,MAAI,iBAAiB,SAAS,UAAU,QAAQ,gBAAgB;AAC9D,UAAM,QAAQ,QAAQ,eAAe,SAAS,MAAM;AACpD,QAAI,MAAM,SAAS,GAAG;AACpB,uBAAiB,uBAAuB;AACxC,uBAAiB,oBAAoB,QAAQ,iBAAiB,SAAS,MAAM;AAC7E,uBAAiB,wBAAwB,MAAM;AAAA,IACjD;AAAA,EACF;AAEA,QAAM,aAAa,KAAK,QAAQ,MAAM,uBAAuB;AAAA,IAC3D,MAAM;AAAA,IACN,SAAS;AAAA,IACT,aAAa;AAAA,IACb,MAAM,eAAe,OAAO,SAAS,cAAc,KAAK,gBAAgB,mBAAmB,SAAS,MAAM,KAAK;AAAA,IAC/G,IAAI,oBAAoB,QAAQ,SAAS;AAAA,IACzC,YAAY,MAAM;AAAA,IAClB,WAAW,QAAQ;AAAA,IACnB,UAAU,eAAe,QAAQ,gBAAgB,SAAS;AAAA,IAC1D,mBAAmB,eAAe,QAAQ,SAAS,cAAc,KAAK,gBAAiB,YAAY,oBAAqB;AAAA,IACxH,YAAY,eAAe,SAAS,iBAAiB,gBAAiB,qBAAqB,gBAAiB;AAAA,IAC5G,UAAU,eAAe,OAAO,SAAS,cAAc,KAAK,gBAAgB,mBAAmB,SAAS,kBAAkB,SAAS,MAAM,KAAK;AAAA,IAC9I,UAAU;AAAA,IACV,SAAS;AAAA,IACT,YAAY,SAAS;AAAA,IACrB,WAAW,IAAI,KAAK,SAAS,SAAS,EAAE,QAAQ;AAAA,IAChD,oBAAoB;AAAA,IACpB,eAAe,oBAAoB,QAAQ,SAAS;AAAA,IACpD,mBAAmB;AAAA,IACnB,YAAY;AAAA;AAAA,IACZ,qBAAqB;AAAA;AAAA,IACrB,GAAG;AAAA,IACH,GAAG;AAAA,EACL,CAAC;AAED,QAAM,KAAK,QAAQ,QAAQ,qBAAqB;AAAA,IAC9C;AAAA,IACA,YAAY,WAAW,cAAc,MAAM;AAAA,IAC3C,KAAK;AAAA,IACL,eAAe,CAAC,QAAe;AAC7B,WAAK,QAAQ,uCAAuC,OAAO,GAAG,CAAC,EAAE;AAAA,IACnE;AAAA,EACF,CAAC;AAED,MAAI;AACF,UAAM;AAAA,MACJ,EAAE,SAAS,cAAc,gBAAgB;AAAA,MACzC,MAAM,KAAK,QAAQ,MAAM,yCAAyC;AAAA,QAClE,KAAK;AAAA,QACL;AAAA,QACA,mBAAmB;AAAA,UACjB,SAAS,OAAO,YAA8C;AAE5D,gBAAI,QAAQ,SAAS,cAAc,QAAQ,SAAS,YAAa;AACjE,kBAAM,QAAQ,QAAQ,QAAQ,IAAI,KAAK;AACvC,gBAAI,CAAC,KAAM;AAEX,gBAAI,8DAA8D,KAAK,IAAI,EAAG;AAE9E,gBAAI,gBAAgB,KAAK,IAAI,KAAK,YAAY,KAAK,IAAI,EAAG;AAE1D,gBAAI,kBAAkB,KAAK,IAAI,EAAG;AAElC,gBAAI,6BAA6B,KAAK,IAAI,EAAG;AAE7C,kBAAM,aAAa,KAAK,IAAI;AAC5B;AACA,+BAAmB,KAAK;AACxB,gBAAI,CAAC,eAAgB,kBAAiB;AAGtC,gBAAI;AACJ,gBAAI,cAAc;AAEhB,kBAAI,CAAC,aAAa,SAAS,YAAY,GAAG;AACxC,wBAAQ,KAAK,8DAA8D,SAAS,cAAc,MAAM,GAAG,CAAC,CAAC,KAAK;AAClH;AAAA,cACF;AACA,4BAAc,EAAE,MAAM,OAAO,YAAY,SAAS,eAAe;AAAA,YACnE,WAAW,eAAe;AAExB,kBAAI,CAAC,cAAc,SAAS,MAAM,GAAG;AACnC,wBAAQ,KAAK,4DAA4D,SAAS,QAAQ,MAAM,GAAG,CAAC,CAAC,KAAK;AAC1G;AAAA,cACF;AACA,4BAAc,EAAE,MAAM,QAAQ,QAAQ,SAAS,OAAO;AAAA,YACxD,OAAO;AACL,4BAAc,EAAE,MAAM,QAAQ;AAAA,YAChC;AACA,kBAAM,QAAQ,QAAQ,aAAa,EAAE,MAAM,QAAQ,KAAK,GAAG;AAAA,cACzD,gBAAgB,SAAS;AAAA,cACzB,SAAS,SAAS;AAAA,cAClB,cAAc;AAAA,cACd,UAAU,gBAAgB,EAAE,gBAAgB,KAAK,OAAO,IAAI;AAAA,YAC9D,CAAC;AACD,gBAAI,cAAc;AAChB,8BAAgB,SAAS,YAAY;AAAA,YACvC;AACA,gBAAI,eAAe;AACjB,+BAAiB,SAAS,MAAM;AAAA,YAClC;AAEA,kBAAM,WAAW,KAAK,IAAI;AAC1B,uBAAW,KAAK,EAAE,WAAW,YAAY,SAAS,UAAU,OAAO,KAAK,QAAQ,OAAO,WAAW,CAAC;AAAA,UACrG;AAAA,UACA,SAAS,CAAC,KAAY,SAA6B;AACjD,iBAAK,QAAQ,gBAAgB,MAAM,QAAQ,OAAO,WAAW,OAAO,GAAG,CAAC,EAAE;AAAA,UAC5E;AAAA,QACF;AAAA,QACA,cAAc,CAAC;AAAA,MACjB,CAAC;AAAA,IACD;AAEA,UAAM,UAAU,KAAK,IAAI;AAGzB,2BAAuB,SAAS;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,YAAY,UAAU;AAAA,MACtB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,UAAU,KAAK,IAAI;AAGzB,2BAAuB,SAAS;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,YAAY,UAAU;AAAA,MACtB;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,eAAe,OAAO,GAAG;AAAA,IAC3B,CAAC;AAED,mBAAe,SAAS;AAAA,MACtB;AAAA,MACA,cAAc;AAAA,MACd,MAAM;AAAA,MACN,WAAW;AAAA,MACX;AAAA,MACA,YAAY;AAAA,QACV,uBAAwB,KAAa,aAAa,QAAQ;AAAA,QAC1D,0BAA0B,OAAO,GAAG;AAAA,MACtC;AAAA,MACA,QAAQ;AAAA,MACR,eAAe,OAAO,GAAG;AAAA,IAC3B,CAAC;AACD,UAAM;AAAA,EACR;AACF;AAGA,SAAS,eAAe,MAAoE;AAC1F,MAAI,SAAS,WAAW,KAAK,SAAS,OAAO,EAAG,QAAO;AACvD,MAAI,KAAK,WAAW,MAAM,KAAK,KAAK,SAAS,WAAW,EAAG,QAAO;AAClE,MAAI,KAAK,WAAW,OAAO,KAAK,KAAK,SAAS,MAAM,EAAG,QAAO;AAC9D,MAAI,KAAK,WAAW,OAAO,KAAK,KAAK,SAAS,MAAM,EAAG,QAAO;AAC9D,MAAI,KAAK,WAAW,MAAM,KAAK,KAAK,SAAS,KAAK,EAAG,QAAO;AAC5D,MAAI,KAAK,WAAW,SAAS,KAAK,KAAK,SAAS,QAAQ,EAAG,QAAO;AAClE,SAAO;AACT;AAGA,SAAS,iBAAiB,MAAc,OAA0D;AAChG,MAAI,MAAM,oBAAoB,EAAG,QAAO,OAAO,MAAM,oBAAoB,CAAC;AAC1E,MAAI,MAAM,oBAAoB,EAAG,QAAO,OAAO,MAAM,oBAAoB,CAAC;AAC1E,MAAI,MAAM,mBAAmB,GAAG;AAC9B,QAAI;AAAE,aAAO,IAAI,IAAI,OAAO,MAAM,mBAAmB,CAAC,CAAC,EAAE;AAAA,IAAU,QAAQ;AAAA,IAAgB;AAC3F,WAAO,OAAO,MAAM,mBAAmB,CAAC,EAAE,MAAM,GAAG,EAAE;AAAA,EACvD;AACA,MAAI,MAAM,sBAAsB,EAAG,QAAO,GAAG,MAAM,sBAAsB,CAAC,KAAK,MAAM,wBAAwB,KAAK,EAAE;AACpH,MAAI,MAAM,qBAAqB,EAAG,QAAO,OAAO,MAAM,qBAAqB,CAAC,EAAE,MAAM,GAAG,EAAE;AACzF,MAAI,MAAM,qBAAqB,EAAG,QAAO,OAAO,MAAM,qBAAqB,CAAC;AAC5E,SAAO;AACT;AAGA,SAAS,eAAe,SAAc,MAU7B;AACP,MAAI;AACF,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU;AAEf,UAAM,SAAS,KAAK,UAAU,YAAY,CAAC,EAAE,SAAS,KAAK;AAE3D,aAAS,iBAAiB;AAAA,MACxB,SAAS,KAAK;AAAA,MACd;AAAA,MACA,cAAc,KAAK;AAAA,MACnB,MAAM,KAAK;AAAA,MACX,MAAM;AAAA,MACN,WAAW,KAAK;AAAA,MAChB,SAAS,KAAK;AAAA,MACd,YAAY,KAAK;AAAA,MACjB,QAAQ;AAAA,QACN,MAAM,KAAK,WAAW,OAAO,IAAI;AAAA,QACjC,SAAS,KAAK;AAAA,MAChB;AAAA,IACF,CAAC;AAGD,QAAI;AACF,YAAM,WAAW,eAAe,KAAK,IAAI;AACzC,YAAM,WAAW,iBAAiB,KAAK,MAAM,KAAK,UAAU;AAC5D,YAAM,aAAa,KAAK,UAAU,KAAK;AACvC,cAAQ,iBAAiB;AAAA,QACvB,UAAU,KAAK;AAAA,QACf,SAAS;AAAA,QACT,gBAAgB,KAAK;AAAA,QACrB,WAAW;AAAA,QACX,WAAW;AAAA,QACX,QAAQ,KAAK;AAAA,QACb,YAAY,IAAI,KAAK,KAAK,SAAS,EAAE,YAAY;AAAA,QACjD,UAAU,IAAI,KAAK,KAAK,OAAO,EAAE,YAAY;AAAA,QAC7C,aAAa;AAAA,QACb,YAAY,KAAK;AAAA,QACjB,GAAI,aAAa,QAAQ;AAAA,UACvB,cAAc,KAAK,WAAW,2BAA2B;AAAA,UACzD,eAAe,KAAK,WAAW,4BAA4B;AAAA,QAC7D,IAAI,CAAC;AAAA,QACL,GAAI,aAAa,SAAS;AAAA,UACxB,aAAa,KAAK,WAAW,sBAAsB;AAAA,UACnD,kBAAkB,KAAK,WAAW,2BAA2B;AAAA,UAC7D,UAAU,KAAK,WAAW,mBAAmB;AAAA,QAC/C,IAAI,CAAC;AAAA,QACL,GAAI,aAAa,SAAS;AAAA,UACxB,cAAc,KAAK,WAAW,uBAAuB;AAAA,QACvD,IAAI,CAAC;AAAA,QACL,GAAI,aAAa,UAAU;AAAA,UACzB,YAAY,KAAK,WAAW,qBAAqB;AAAA,UACjD,eAAe,KAAK,WAAW,wBAAwB;AAAA,QACzD,IAAI,CAAC;AAAA,MACP,CAAC;AAAA,IACH,QAAQ;AAAA,IAAmC;AAAA,EAC7C,QAAQ;AAAA,EAAiC;AAC3C;AAGA,SAAS,uBAAuB,SAAc,MAcrC;AACP,MAAI;AACF,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU;AAGf,UAAM,eAAe,KAAK,kBAAkB,KAAK;AACjD,mBAAe,SAAS;AAAA,MACtB,SAAS,KAAK;AAAA,MACd,cAAc,KAAK;AAAA,MACnB,QAAQ,KAAK;AAAA,MACb,MAAM;AAAA,MACN,WAAW,KAAK,YAAY;AAAA;AAAA,MAC5B,SAAS;AAAA,MACT,YAAY;AAAA,QACV,iCAAiC,eAAe,KAAK;AAAA,QACrD,gCAAgC,KAAK;AAAA,MACvC;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,eAAe,KAAK,WAAW,UAAU,KAAK,gBAAgB;AAAA,IAChE,CAAC;AAGD,eAAW,SAAS,KAAK,YAAY;AACnC,qBAAe,SAAS;AAAA,QACtB,SAAS,KAAK;AAAA,QACd,cAAc,KAAK;AAAA,QACnB,MAAM;AAAA,QACN,WAAW,MAAM;AAAA,QACjB,SAAS,MAAM;AAAA,QACf,YAAY;AAAA,UACV,wBAAwB,MAAM;AAAA,UAC9B,wBAAwB,MAAM;AAAA,QAChC;AAAA,QACA,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAGA,aAAS,iBAAiB;AAAA,MACxB,SAAS,KAAK;AAAA,MACd,QAAQ,KAAK;AAAA,MACb,MAAM;AAAA,MACN,MAAM;AAAA,MACN,WAAW,KAAK;AAAA,MAChB,SAAS,KAAK;AAAA,MACd,YAAY;AAAA,QACV,gCAAgC,KAAK;AAAA,QACrC,gCAAgC,KAAK;AAAA,QACrC,gCAAgC,KAAK;AAAA,QACrC,+BAA+B,KAAK,UAAU,KAAK;AAAA,QACnD,yBAAyB,KAAK,SAAS,SAAS;AAAA,MAClD;AAAA,MACA,QAAQ;AAAA,QACN,MAAM,KAAK,WAAW,OAAO,IAAI;AAAA,QACjC,SAAS,KAAK;AAAA,MAChB;AAAA,IACF,CAAC;AAAA,EACH,QAAQ;AAAA,EAAiC;AAC3C;AAIA,IAAM,mBAAmB;AAAA,EACvB,IAAI;AAAA,EACJ,MAAM;AAAA,IACJ,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,gBAAgB;AAAA,IAChB,UAAU;AAAA,IACV,OAAO;AAAA,IACP,SAAS,CAAC,MAAM,aAAa;AAAA,EAC/B;AAAA,EACA,cAAc,EAAE,WAAW,CAAC,UAAU,MAAM,EAAE;AAAA,EAC9C,QAAQ,EAAE,gBAAgB,eAAe;AAAA,EAEzC,SAAS;AAAA;AAAA,IAEP,OAAO,OAAO,QAAa;AACzB,YAAM,YAAY,KAAK,aAAa;AACpC,YAAM,KAAK,UAAU,IAAI,SAAS;AAClC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB,OAAO,sBAAsB;AAClF,YAAM,QAAQ,GAAG;AACjB,aAAO;AAAA,QACL,IAAI,UAAU;AAAA,QACd,QAAQ;AAAA,QACR,UAAU,GAAG,YAAY;AAAA,QACzB,UAAU,GAAG;AAAA,MACf;AAAA,IACF;AAAA;AAAA,IAGA,QAAQ,CAAC,QAAa;AACpB,YAAM,YAAY,KAAK,aAAa;AACpC,YAAM,KAAK,UAAU,IAAI,SAAS;AAClC,UAAI,CAAC,GAAI,QAAO,EAAE,WAAW,OAAO,QAAQ,cAAc;AAC1D,aAAO;AAAA,QACL,WAAW,GAAG,UAAU;AAAA,QACxB,QAAQ,GAAG;AAAA,QACX,UAAU,GAAG,YAAY;AAAA,QACzB,UAAU,GAAG;AAAA,QACb,WAAW;AAAA,MACb;AAAA,IACF;AAAA,IAEA,cAAc,OAAO,QAAoD;AACvE,YAAM,EAAE,SAAS,KAAK,KAAK,YAAY,IAAI;AAC3C,YAAM,OAA4C,OAAO,QAAQ,aAAa,MAAM,KAAK,MAAM,KAAK,GAAG;AAEvG,UAAI,CAAC,QAAQ,YAAY;AACvB,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AAEA,YAAM,UAAU,YAAY,QAAQ,QAAQ,QAAQ,MAAM,UAAU,CAAC,CAAC;AACtE,aAAO,kCAAkC,OAAO,GAAG;AAMnD,YAAM,IAAI,QAAc,CAACC,UAAS,WAAW;AAC3C,YAAI;AAEJ,cAAM,UAAU,YAAY;AAC1B,gBAAM,SAAS,KAAK;AACpB,oBAAU,OAAO,QAAQ,SAAS;AAClC,UAAAA,SAAQ;AAAA,QACV;AAEA,qBAAa,iBAAiB,SAAS,MAAM,KAAK,QAAQ,CAAC;AAG3D,eAAO,YAAY,EAAE,KAAK,OAAO,EAAE,cAAc,MAAM;AACrD,oBAAU,IAAI,cAAc;AAAA,YAC1B,aAAa;AAAA,YACb;AAAA,YACA,QAAQ,QAAQ;AAAA,YAChB,WAAW,QAAQ;AAAA,YACnB,WAAW,OAAO,WAAmB,aAAkB;AACrD,kBAAI,CAAC,YAAY;AACf,uBAAO,iDAAiD;AACxD,8BAAc,KAAK,YAAY;AAC7B,wBAAM,cAAc,EAAE,WAAW,UAAU,SAAS,SAAS,IAAI,CAAC;AAAA,gBACpE,CAAC;AACD;AAAA,cACF;AACA,kBAAI;AACF,sBAAM,cAAc,EAAE,WAAW,UAAU,SAAS,SAAS,IAAI,CAAC;AAAA,cACpE,SAAS,KAAK;AACZ,uBAAO,+BAA+B,OAAO,GAAG,CAAC,EAAE;AAAA,cACrD;AAAA,YACF;AAAA,YACA,cAAc,OAAO,QAAa;AAChC,oBAAM,cAAc;AAAA,gBAClB,cAAc,IAAI;AAAA,gBAClB,gBAAgB,IAAI;AAAA,gBACpB,gBAAgB,IAAI;AAAA,gBACpB,WAAW,IAAI;AAAA,gBACf,cAAc,IAAI;AAAA,gBAClB,WAAW,OAAO,IAAI,SAAS,IAAI,KAAK,IAAI,CAAC;AAAA,cAC/C;AACA,kBAAI,CAAC,YAAY;AACf,uBAAO,qDAAqD;AAC5D,8BAAc,KAAK,YAAY;AAC7B,wBAAM,cAAc,EAAE,WAAW,IAAI,MAAM,UAAU,aAAa,SAAS,SAAS,IAAI,CAAC;AAAA,gBAC3F,CAAC;AACD;AAAA,cACF;AACA,kBAAI;AACF,sBAAM,cAAc,EAAE,WAAW,IAAI,MAAM,UAAU,aAAa,SAAS,SAAS,IAAI,CAAC;AAAA,cAC3F,SAAS,KAAK;AACZ,uBAAO,mCAAmC,OAAO,GAAG,CAAC,EAAE;AAAA,cACzD;AAAA,YACF;AAAA,YACA,mBAAmB,OAAO,SAMpB;AAEJ,iCAAmB,KAAK,gBAAgB,QAAQ,SAAS;AAGzD,kBAAI,KAAK,SAAS,WAAW;AAC3B,uBAAO,uEAAkE,KAAK,cAAc,EAAE;AAC9F;AAAA,cACF;AACA,qBAAO,mEAA8D,KAAK,cAAc,GAAG,KAAK,QAAQ,YAAY,KAAK,KAAK,MAAM,EAAE,EAAE;AAExI,oBAAM,WAAW,KAAK,QAClB,8DAA8D,KAAK,cAAc,aACtE,KAAK,KAAK,mEAErB,8DAA8D,KAAK,cAAc;AAErF,oBAAM,eAAe;AAAA,gBACnB,cAAc,KAAK;AAAA,gBACnB,gBAAgB,KAAK;AAAA,gBACrB,gBAAgB,KAAK;AAAA,gBACrB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,gBAClC,WAAW,YAAY,KAAK,SAAS,IAAI,KAAK,IAAI,CAAC;AAAA,cACrD;AAEA,kBAAI,CAAC,YAAY;AACf,uBAAO,kDAAkD;AACzD,8BAAc,KAAK,YAAY;AAC7B,wBAAM,cAAc,EAAE,WAAW,UAAU,UAAU,cAAc,SAAS,SAAS,IAAI,CAAC;AAAA,gBAC5F,CAAC;AACD;AAAA,cACF;AACA,kBAAI;AACF,sBAAM,cAAc,EAAE,WAAW,UAAU,UAAU,cAAc,SAAS,SAAS,IAAI,CAAC;AAAA,cAC5F,SAAS,KAAK;AACZ,uBAAO,gCAAgC,OAAO,GAAG,CAAC,EAAE;AAAA,cACtD;AAAA,YACF;AAAA,YACA,eAAe,CAAC,UAAkB;AAChC,qBAAO,uBAAkB,KAAK,EAAE;AAEhC,kBAAI,UAAU,QAAS,QAAO,IAAI,MAAM,oCAAoC,CAAC;AAAA,YAG/E;AAAA,UACF,CAAC;AAED,oBAAU,IAAI,QAAQ,WAAW,OAAO;AAIxC,kBAAQ,GAAG,SAAS,CAAC,QAAa;AAChC,mBAAO,2CAA2C,OAAO,GAAG,CAAC,EAAE;AAAA,UACjE,CAAC;AAGD,cAAI;AACF,kBAAM,EAAE,qBAAAC,qBAAoB,IAAI,MAAM;AACtC,kBAAM,EAAE,yBAAAC,0BAAyB,mBAAAC,oBAAmB,aAAAC,aAAY,IAAI,MAAM;AAC1E,kBAAM,YAAY,IAAIH,qBAAoB;AAAA,cACxC,WAAW,QAAQ,aAAa;AAAA,cAChC,QAAQ,QAAQ,UAAU;AAAA,cAC1B,UAAU,OAAO,WAAmB,MAA+B,UAAe;AAGhF,sBAAM,SAAS,QAAQ,UAAU;AACjC,sBAAM,MAAO,QAAgB;AAC7B,oBAAI,CAAC,KAAK;AACR,yBAAO,EAAE,OAAO,8CAAyC;AAAA,gBAC3D;AAGA,sBAAM,eAAe,OAAO;AAC5B,oBAAI,CAAC,cAAc;AACjB,yBAAO,EAAE,OAAO,UAAU,SAAS,gCAAgC;AAAA,gBACrE;AAEA,oBAAI;AACF,wBAAM,OAAO,MAAM,MAAM,GAAG,MAAM,sCAAsC;AAAA,oBACtE,QAAQ;AAAA,oBACR,SAAS;AAAA,sBACP,gBAAgB;AAAA,sBAChB,eAAe,UAAU,GAAG;AAAA,oBAC9B;AAAA,oBACA,MAAM,KAAK,UAAU;AAAA,sBACnB,SAAS;AAAA,sBACT,QAAQ;AAAA,sBACR,QAAQ;AAAA,wBACN,MAAM;AAAA,wBACN,WAAW;AAAA;AAAA,wBAEX,eAAe;AAAA,wBACf,SAAS,OAAO;AAAA,sBAClB;AAAA,sBACA,IAAI,UAAU,KAAK,IAAI,CAAC;AAAA,oBAC1B,CAAC;AAAA,kBACH,CAAC;AACD,sBAAI,CAAC,KAAK,IAAI;AACZ,0BAAM,SAAS,MAAM,KAAK,KAAK;AAC/B,2BAAO,EAAE,OAAO,qBAAqB,KAAK,MAAM,MAAM,MAAM,GAAG;AAAA,kBACjE;AACA,wBAAM,YAAY,MAAM,KAAK,KAAK;AAClC,sBAAI,UAAU,OAAO;AACnB,2BAAO,EAAE,OAAO,UAAU,MAAM,WAAW,kBAAkB;AAAA,kBAC/D;AAEA,wBAAM,UAAU,UAAU,QAAQ;AAClC,sBAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,2BAAO,QAAQ,CAAC,EAAE,QAAQ,KAAK,UAAU,OAAO;AAAA,kBAClD;AACA,yBAAO,UAAU,UAAU,EAAE,UAAU,KAAK;AAAA,gBAC9C,SAAS,KAAK;AACZ,yBAAO,wCAAwC,OAAO,GAAG,CAAC,EAAE;AAC5D,yBAAO,EAAE,OAAO,2BAA2B,OAAO,GAAG,CAAC,GAAG;AAAA,gBAC3D;AAAA,cACF;AAAA,YACF,CAAC;AAKD,kBAAM,UAAU,UAAU;AAC1B,kBAAM,QAAQ;AACd,gBAAI,eAAe;AACnB,gBAAI;AACF,oBAAM,aAAoB,OAAO,QAAQ,QAAQ,CAAC;AAGlD,oBAAM,WAAkB,OAAO,YAAY,CAAC;AAC5C,oBAAM,UAAU,SAAS;AAAA,gBAAK,CAAC,MAC7B,EAAE,OAAO,YAAY,gBAAgB,EAAE,OAAO,cAAc,QAAQ;AAAA,cACtE;AACA,oBAAM,UAAU,SAAS,WAAW;AACpC,oBAAM,aAAa,WAAW,KAAK,CAAC,MAAW,EAAE,OAAO,OAAO;AAE/D,kBAAI,YAAY,WAAW;AACzB,+BAAe,YAAY,WAAW,UAAU,QAAQ,MAAM,OAAO,CAAC;AAAA,cACxE,WAAW,OAAO,QAAQ,UAAU,WAAW;AAC7C,+BAAe,YAAY,MAAM,OAAO,SAAS,UAAU,QAAQ,MAAM,OAAO,CAAC;AAAA,cACnF;AACA,qBAAO,0CAA0C,YAAY,aAAa,OAAO,GAAG;AAAA,YACtF,QAAQ;AACN,qBAAO,sDAAsD;AAAA,YAC/D;AAGA,kBAAM,cAAcC,yBAAwB,YAAY;AAGxD,kBAAM,eAAe,YAAY,cAAc,QAAQ;AACvD,kBAAM,eAAeA,yBAAwB,YAAY;AACzD,wBAAY,KAAK,GAAG,YAAY;AAGhC,gBAAI,iBAAiB,SAAS;AAC5B,oBAAM,gBAAgBA,yBAAwB,OAAO;AACrD,0BAAY,KAAK,GAAG,aAAa;AAAA,YACnC;AAGA,gBAAI,YAAyD,CAAC;AAC9D,gBAAI;AACF,oBAAM,EAAE,WAAAG,WAAU,IAAI,MAAM;AAC5B,oBAAM,YAAY,MAAMA,WAAU,OAAO;AACzC,oBAAM,QAAQ,WAAW;AACzB,oBAAM,YAAY,WAAW;AAC7B,oBAAM,SAAS,QAAQ,UAAU;AACjC,kBAAI,SAAS,WAAW;AACtB,4BAAY,MAAMF,mBAAkB,QAAQ,WAAW,KAAK;AAC5D,oBAAI,UAAU,SAAS,GAAG;AACxB,yBAAO,uBAAuB,UAAU,MAAM,oBAAoB;AAAA,gBACpE;AAAA,cACF;AAAA,YACF,SAAS,KAAK;AACZ,qBAAO,sDAAsD,OAAO,GAAG,CAAC,EAAE;AAAA,YAC5E;AAGA,kBAAM,EAAE,QAAQ,UAAU,IAAIC,aAAY,aAAa,SAAS;AAChE,uBAAW,SAAS,WAAW;AAC7B,wBAAU,cAAc,KAAK;AAAA,YAC/B;AAEA,sBAAU,WAAW;AACrB,oBAAQ,aAAa,SAAS;AAC9B,mBAAO,0CAA0C,UAAU,UAAU,cAAc,YAAY,MAAM,WAAW,UAAU,MAAM,OAAO;AAAA,UACzI,SAAS,KAAK;AACZ,mBAAO,0DAA0D,OAAO,GAAG,CAAC,EAAE;AAAA,UAChF;AAGA,gBAAM,WAAW,QAAQ,YAAY;AACrC,kBAAQ,GAAG,SAAS,MAAM;AACxB,oBAAQ,gBAAgB,QAAQ;AAChC,mBAAO,+DAA+D,QAAQ,EAAE;AAChF,gBAAI,sBAAsB;AACxB,qBAAO,sDAAsD;AAAA,YAC/D;AAGA,uBAAW,eAAe,QAAQ,kBAAkB;AAClD,iCAAmB,aAAa,QAAQ,SAAS;AAAA,YACnD;AAGA,uBAAW,QAAQ,QAAQ,SAAS;AAClC,kCAAoB,KAAK,QAAQ,KAAK,MAAM,QAAQ,SAAS;AAAA,YAC/D;AAAA,UACF,CAAC;AAGD,kBAAQ,GAAG,uBAAuB,MAAM;AACtC,uBAAW,eAAe,QAAQ,kBAAkB;AAClD,iCAAmB,aAAa,QAAQ,SAAS;AAAA,YACnD;AAAA,UACF,CAAC;AAGD,kBAAQ,GAAG,eAAe,CAAC,SAA2C;AACpE,gCAAoB,KAAK,QAAQ,KAAK,MAAM,QAAQ,SAAS;AAAA,UAC/D,CAAC;AAED,kBAAQ,MAAM,EAAE,MAAM,MAAM;AAAA,QAC9B,CAAC,EAAE,MAAM,MAAM;AAAA,MACjB,CAAC;AAED,aAAO,EAAE,MAAM,YAAY;AAAA,MAAC,EAAE;AAAA,IAChC;AAAA,EACF;AAAA,EAEA,UAAU;AAAA,IACR,cAAc;AAAA;AAAA;AAAA,IAId,SAAS;AAAA,IAET,UAAU,OAAO,EAAE,IAAI,OAAO,MAAM,UAAU,MAAwD;AACpG,YAAM,aAAa,aAAa;AAChC,YAAM,KAAK,UAAU,IAAI,UAAU;AACnC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,OAAO,mCAAmC;AACvE,UAAI;AACF,cAAM,SAAS,YAAY,KAAK;AAChC,cAAM,UAAU,MAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM,QAAQ,KAAK,CAAC;AAC/D,eAAO,EAAE,IAAI,QAAQ,IAAI,QAAQ,QAAQ,QAAQ,OAAO,QAAQ,MAAM;AAAA,MACxE,SAAS,KAAK;AACZ,eAAO,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE;AAAA,MACzC;AAAA,IACF;AAAA,IAEA,WAAW,OAAO,EAAE,IAAI,OAAO,MAAM,UAAU,UAAU,MAA2E;AAClI,YAAM,aAAa,aAAa;AAChC,YAAM,KAAK,UAAU,IAAI,UAAU;AACnC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,OAAO,mCAAmC;AACvE,UAAI;AAEF,cAAM,UAAU,OAAO,GAAG,IAAI;AAAA,EAAK,QAAQ,KAAK;AAChD,cAAM,SAAS,YAAY,KAAK;AAChC,cAAM,UAAU,MAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM,QAAQ,MAAM,QAAQ,CAAC;AACxE,eAAO,EAAE,IAAI,QAAQ,IAAI,QAAQ,QAAQ,QAAQ,OAAO,QAAQ,MAAM;AAAA,MACxE,SAAS,KAAK;AACZ,eAAO,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE;AAAA,MACzC;AAAA,IACF;AAAA;AAAA,IAGA,aAAa,OAAO,QAAuC;AACzD,YAAM,EAAE,SAAS,UAAU,IAAI;AAG/B,UAAI,QAAQ,YAAa,QAAO,EAAE,IAAI,KAAK;AAG3C,YAAM,QAAQ,QAAQ,QAAQ,IAAI,KAAK;AACvC,UAAI,CAAC,QAAQ,CAAC,QAAQ,WAAW,OAAQ,QAAO,EAAE,IAAI,KAAK;AAE3D,YAAM,aAAa,aAAa;AAChC,YAAM,KAAK,UAAU,IAAI,UAAU;AACnC,UAAI,CAAC,GAAI,QAAO,EAAE,IAAI,OAAO,OAAO,mCAAmC;AAEvE,UAAI;AAEF,4BAAoB,EAAE,QAAQ,mBAAmB,CAAC,EAAE,MAAM,MAAM;AAAA,QAAC,CAAC;AAGlE,cAAM,YAAa,IAAY;AAC/B,YAAI;AACJ,YAAI,aAAa,OAAO,cAAc,UAAU;AAC9C,mBAAS,YAAY,SAAS;AAAA,QAChC,OAAO;AACL,mBAAS,EAAE,MAAM,QAAQ;AAAA,QAC3B;AAGA,cAAM,QAAQ,OAAO,QAAgB;AACnC,gBAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM,QAAQ,MAAM,IAAI,CAAC;AAAA,QACtD;AAGA,YAAI,MAAM;AACR,gBAAM,MAAM,IAAI;AAAA,QAClB;AAGA,YAAI,QAAQ,WAAW,QAAQ;AAC7B,qBAAW,OAAO,QAAQ,WAAW;AACnC,kBAAM,MAAM,GAAG;AAAA,UACjB;AAAA,QACF;AAGA,YAAI,QAAQ,kBAAkB,QAAQ;AACpC,gBAAM,cAAc,QAAQ,iBACzB,IAAI,CAAC,MAAyC,KAAK,EAAE,KAAK,KAAK,EAAE,MAAM,EAAE,EACzE,KAAK,IAAI;AACZ,gBAAM,MAAM;AAAA,EAAuB,WAAW,EAAE;AAAA,QAClD;AAEA,eAAO,EAAE,IAAI,KAAK;AAAA,MACpB,SAAS,KAAK;AACZ,eAAO,EAAE,IAAI,OAAO,OAAO,OAAO,GAAG,EAAE;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;AAOA,IAAO,yBAAQ;AAAA,EACb,IAAI;AAAA,EACJ,MAAM;AAAA,EACN,aAAa;AAAA,EACb,SAAS,KAAwB;AAC/B,gBAAY,IAAI,OAAO;AAGvB,4BAAwB;AAAA,MACtB,YAAY,CAAC,WAAW;AAEtB,cAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,YAAI,CAAC,GAAI;AAGT,YAAI,GAAG,WAAW;AAChB,cAAI;AACF,eAAG,UAAU,eAAe;AAAA,cAC1B,QAAQ,OAAO;AAAA,cACf,KAAK,OAAO;AAAA,cACZ,YAAY,OAAO;AAAA,cACnB,WAAW,OAAO;AAAA,cAClB,GAAI,OAAO,UAAU,EAAE,SAAS,OAAO,QAAQ,IAAI,CAAC;AAAA,cACpD,GAAI,OAAO,eAAe,EAAE,cAAc,OAAO,aAAa,IAAI,CAAC;AAAA,YACrE,CAAC;AAAA,UACH,QAAQ;AAAA,UAAoB;AAAA,QAC9B;AAGA,YAAI;AACF,gBAAM,YAAY,MAAM;AAAE,gBAAI;AAAE,qBAAO,IAAI,IAAI,OAAO,GAAG,EAAE;AAAA,YAAU,QAAQ;AAAE,qBAAO,OAAO,IAAI,MAAM,GAAG,EAAE;AAAA,YAAG;AAAA,UAAE,GAAG;AACpH,aAAG,iBAAiB;AAAA,YAClB,UAAU,OAAO,WAAW;AAAA,YAC5B,gBAAgB,OAAO,gBAAgB;AAAA,YACvC,SAAS,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACtC,WAAW;AAAA,YACX,WAAW;AAAA,YACX,QAAQ,OAAO,cAAc,OAAO,OAAO,eAAe,IAAI,UAAU;AAAA,YACxE,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,SAAS,EAAE,YAAY;AAAA,YAChE,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,YACjC,aAAa,OAAO;AAAA,YACpB,YAAY;AAAA,cACV,wBAAwB,OAAO;AAAA,cAC/B,qBAAqB,OAAO;AAAA,YAC9B;AAAA,YACA,aAAa,OAAO;AAAA,YACpB,kBAAkB,OAAO;AAAA,YACzB,UAAU,OAAO;AAAA,UACnB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,gBAAgB,EAAE,QAAQ,iBAAiB,CAAC;AAGhD,QAAI,OAAO,IAAI,sBAAsB,YAAY;AAC/C,UAAI;AACF,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,OAAO,QAAQ;AACtB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAU,OAAO,IAAI,SAAS,WAAW,KAAK,MAAM,IAAI,IAAI,IAAI,IAAI;AAC1E,kBAAM,SAAS,MAAM,kBAAkB,QAAQ,EAAE;AACjD,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,OAAO,QAAQ;AACtB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAU,OAAO,IAAI,SAAS,WAAW,KAAK,MAAM,IAAI,IAAI,IAAI,IAAI;AAC1E,kBAAM,SAAS,MAAM,oBAAoB,QAAQ,EAAE;AACnD,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,OAAO,QAAQ;AACtB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAU,OAAO,IAAI,SAAS,WAAW,KAAK,MAAM,IAAI,IAAI,IAAI,IAAI;AAC1E,kBAAM,SAAS,MAAM,sBAAsB,QAAQ,EAAE;AACrD,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,YAAY;AACnB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAS,oBAAoB,EAAE;AACrC,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,YAAY;AACnB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,SAAS,qBAAqB,EAAE;AACtC,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,YAAI,kBAAkB;AAAA,UACpB,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,SAAS,YAAY;AACnB,kBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,gBAAI,CAAC,GAAI,QAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,IAAI,OAAO,OAAO,sBAAsB,EAAE;AACjF,kBAAM,EAAE,wBAAAE,wBAAuB,IAAI,MAAM;AACzC,kBAAM,YAAY,GAAG,QAAQ,aAAa;AAC1C,kBAAM,gBAAgB,GAAG,WAAW,cAAc;AAClD,kBAAM,SAASA,wBAAuB,WAAW,OAAO,aAAa;AACrE,mBAAO,EAAE,QAAQ,OAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,UACpD;AAAA,QACF,CAAC;AACD,+BAAuB;AAAA,MACzB,QAAQ;AAAA,MAAoE;AAAA,IAC9E;AAGA,QAAI,OAAO,IAAI,OAAO,YAAY;AAEhC,UAAI,GAAG,gBAAgB,OAAO,UAA4B;AACxD,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,yBAAyB,MAAM;AAAA,cAC/B,8BAA8B,MAAM;AAAA,cACpC,yBAAyB,MAAM;AAAA,YACjC;AAAA,YACA,QAAQ,EAAE,MAAM,MAAM,mBAAmB,WAAW,IAAI,EAAE;AAAA,UAC5D,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC;AAGD,UAAI,GAAG,iBAAiB,OAAO,UAA6B;AAC1D,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,0BAA0B,MAAM;AAAA,cAChC,uBAAuB,MAAM;AAAA,YAC/B;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC;AAED,UAAI,GAAG,eAAe,OAAO,UAA2B;AACtD,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,0BAA0B,MAAM;AAAA,cAChC,uBAAuB,MAAM;AAAA,cAC7B,GAAI,MAAM,SAAS,EAAE,iCAAiC,MAAM,OAAO,IAAI,CAAC;AAAA,YAC1E;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC;AAGD,UAAI,GAAG,qBAAqB,OAAO,UAAe;AAChD,YAAI;AACF,gBAAM,WAAW,OAAO;AACxB,gBAAM,UAAU,OAAO;AACvB,cAAI,CAAC,YAAY,CAAC,UAAU,KAAM,QAAO,CAAC;AAG1C,qBAAW,CAAC,EAAE,EAAE,KAAK,WAAW;AAC9B,kBAAM,WAAY,IAAY;AAC9B,gBAAI,CAAC,SAAU;AAIf,uBAAW,CAAC,SAAS,KAAM,SAAiB,UAAU,CAAC,GAAG;AACxD,oBAAM,SAAS,SAAS,SAAS,EAAE,WAAW,UAAU,QAAQ,CAAC;AACjE,kBAAI,UAAU,CAAC,OAAO,SAAS;AAC7B,wBAAQ,IAAI,sBAAsB,QAAQ,+CAA0C;AACpF,sBAAM,SAAS,OAAO,aAAa,CAAC,GAAG,WAAW;AAClD,uBAAO;AAAA,kBACL,iBAAiB;AAAA,kBACjB,gBAAgB,4BAA4B,QAAQ,8BAA8B,MAAM,GAAG,KAAK;AAAA,gBAClG;AAAA,cACF;AAAA,YACF;AAAA,UACF;AACA,iBAAO,CAAC;AAAA,QACV,QAAQ;AACN,iBAAO,CAAC;AAAA,QACV;AAAA,MACF,EAA8B;AAG9B,UAAI,GAAG,mBAAmB,OAAO,UAAe;AAC9C,YAAI;AACF,gBAAM,YAAY,OAAO,SAAS,UAAU;AAC5C,cAAI,CAAC,aAAa,CAAC,UAAU,KAAM;AAGnC,qBAAW,CAAC,EAAE,EAAE,KAAK,WAAW;AAC9B,kBAAM,SAAU,IAAY,QAAQ;AACpC,gBAAI,CAAC,OAAQ;AAEb,gBAAI;AACF,oBAAM,MAAM,MAAM,MAAM,GAAG,MAAM,sBAAsB,SAAS,EAAE;AAClE,kBAAI,IAAI,IAAI;AACV,sBAAM,QAAQ,MAAM,IAAI,KAAK;AAE7B,oBAAI,MAAM,QAAQ,UAAU;AAC1B,wBAAM,QAAQ,SAAS,kBAAkB;AAAA,oBACvC;AAAA,oBACA,WAAW,MAAM;AAAA,oBACjB,UAAU,MAAM;AAAA,oBAChB,qBAAqB,MAAM;AAAA,kBAC7B;AAAA,gBACF;AACA,wBAAQ,IAAI,2CAA2C,SAAS,KAAK,MAAM,UAAU,EAAE;AAAA,cACzF;AAAA,YACF,QAAQ;AAAA,YAER;AACA;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF,CAAC;AAAA,IACH;AAGA,oFAA+B,KAAK,OAAO,EAAE,cAAAC,eAAc,2BAAAC,2BAA0B,MAAM;AACzF,MAAAD,cAAa,CAAC,UAAU;AACtB,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM,kBAAkB,MAAM,IAAI;AAAA,YAClC,MAAM;AAAA,YACN,WAAW,MAAM;AAAA,YACjB,SAAS,MAAM,YAAY;AAAA,YAC3B,YAAY;AAAA,cACV,uBAAuB,MAAM;AAAA,cAC7B,eAAe,MAAM;AAAA,cACrB,GAAI,MAAM,OAAO,OAAO;AAAA,gBACtB,OAAO,QAAQ,MAAM,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC;AAAA,cAC/E,IAAI,CAAC;AAAA,YACP;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAEjB,MAAAC,2BAA0B,CAAC,WAAW;AACpC,YAAI;AACF,gBAAM,KAAK,UAAU,OAAO,EAAE,KAAK,EAAE;AACrC,cAAI,CAAC,IAAI,UAAW;AACpB,aAAG,UAAU,iBAAiB;AAAA,YAC5B,SAAS,YAAY,EAAE,EAAE,SAAS,KAAK;AAAA,YACvC,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAAA,YACrC,MAAM;AAAA,YACN,MAAM;AAAA,YACN,WAAW,OAAO;AAAA,YAClB,SAAS,OAAO,YAAY;AAAA,YAC5B,YAAY;AAAA,cACV,0BAA0B,OAAO;AAAA,cACjC,4BAA4B,OAAO,QAAQ;AAAA,cAC3C,mCAAmC,OAAO,MAAM;AAAA,YAClD;AAAA,YACA,QAAQ,EAAE,MAAM,EAAE;AAAA,UACpB,CAAC;AAAA,QACH,QAAQ;AAAA,QAAoB;AAAA,MAC9B,CAAC,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACnB,CAAC,EAAE,MAAM,MAAM;AAAA,IAAkD,CAAC;AAIlE,QAAI;AACF,UAAI,eAAe;AAAA,QACjB,MAAM;AAAA,QACN,aAAa;AAAA,QACb,YAAY;AAAA,UACV,MAAM;AAAA,UACN,YAAY;AAAA,YACV,WAAW;AAAA,cACT,MAAM;AAAA,cACN,aAAa;AAAA,YACf;AAAA,UACF;AAAA,QACF;AAAA,QACA,SAAS,OAAO,KAAa,WAAmC;AAC9D,gBAAM,KAAK,OAAO,aAAa;AAC/B,gBAAM,KAAK,UAAU,IAAI,EAAE;AAC3B,cAAI,CAAC,IAAI;AACP,mBAAO,EAAE,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,EAAE,WAAW,OAAO,OAAO,sBAAsB,CAAC,EAAE,CAAC,EAAE;AAAA,UACjH;AACA,iBAAO;AAAA,YACL,SAAS,CAAC;AAAA,cACR,MAAM;AAAA,cACN,MAAM,KAAK,UAAU;AAAA,gBACnB,WAAW,GAAG,UAAU;AAAA,gBACxB,OAAO,GAAG;AAAA,gBACV,UAAU,GAAG;AAAA,gBACb,UAAU,GAAG;AAAA,gBACb,WAAW;AAAA,cACb,CAAC;AAAA,YACH,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF,GAAG,EAAE,UAAU,KAAK,CAAC;AAAA,IACvB,QAAQ;AAAA,IAAqE;AAI7E,QAAI;AACF,UAAI,kBAAkB;AAAA,QACpB,MAAM;AAAA,QACN,aAAa;AAAA,QACb,SAAS,MAAM;AACb,gBAAM,WAAqB,CAAC;AAC5B,cAAI,UAAU,SAAS,GAAG;AACxB,qBAAS,KAAK,gCAAgC;AAAA,UAChD,OAAO;AACL,uBAAW,CAAC,IAAI,EAAE,KAAK,WAAW;AAChC,uBAAS,KAAK,eAAe,EAAE,MAAM,GAAG,KAAK,gBAAgB,GAAG,YAAY,mBAAmB;AAAA,YACjG;AAAA,UACF;AACA,iBAAO,EAAE,MAAM,SAAS,KAAK,IAAI,EAAE;AAAA,QACrC;AAAA,MACF,CAAC;AAAA,IACH,QAAQ;AAAA,IAAwE;AAAA,EAClF;AACF;",
|
|
6
6
|
"names": ["receipt", "mod", "parent", "getCryptoProvider", "getCryptoProvider", "getCryptoProvider", "fromString", "getCryptoProvider", "toHex", "getCryptoProvider", "fromString", "getCryptoProvider", "fromString", "getCryptoProvider", "toHex", "fromHex", "fromString", "getCryptoProvider", "getCryptoProviderConfig", "fromString", "bytesToString", "getCryptoProvider", "toHex", "fromHex", "bytesToBase64", "bytesToBase64", "ciphersuites", "add", "treeHash", "parent", "s", "credentialTypes", "init_hash", "init_hash", "init_hash", "init_hash", "init_mod", "init_hpke", "init_mod", "init_mod", "init_mod", "init_mod", "init_hpke", "init_makeHashImpl", "init_makeNobleSignatureImpl", "init_makeAead", "init_mod", "init_makeKdfImpl", "init_makeDhKem", "init_makeHpke", "init_mod", "init_hpke", "init_makeAead", "init_makeKdfImpl", "init_makeDhKem", "init_rng", "init_provider", "init_makeHashImpl", "init_makeNobleSignatureImpl", "init_makeHpke", "init_makeKdfImpl", "init_rng", "init_provider", "join", "resolve", "AgentVaultMcpServer", "loadSkillsFromDirectory", "loadSkillsFromApi", "mergeSkills", "loadState", "handleMcpConfigRequest", "onAgentEvent", "onSessionTranscriptUpdate"]
|
|
7
7
|
}
|