@aroha-sdk/core 1.0.0 → 1.2.0

package/dist/identity/did.d.ts

@@ -0,0 +1,139 @@
+/**
+ * Aroha DID (Decentralized Identifier) implementation.
+ *
+ * DID format:  did:aroha:<unique-id>
+ * Spec:        W3C DID Core 1.0 (https://www.w3.org/TR/did-core/)
+ *
+ * A DID Document contains:
+ *   - Verification methods (public keys)
+ *   - Authentication references
+ *   - Service endpoints (Aroha agent endpoint)
+ */
+export interface VerificationMethod {
+    id: string;
+    type: "Ed25519VerificationKey2020";
+    controller: string;
+    /** Base58-encoded public key with multibase prefix 'z' */
+    publicKeyMultibase: string;
+}
+export interface ServiceEndpoint {
+    id: string;
+    type: "ArohaEndpoint";
+    serviceEndpoint: string;
+}
+export interface KeyRotationRecord {
+    /** ISO8601 — when the rotation was announced. */
+    rotatedAt: string;
+    /** ISO8601 — earliest time the new key becomes trusted (rotatedAt + coolDownHours). */
+    trustAfter: string;
+    /** Multibase pubkey of the replaced (predecessor) key. */
+    predecessorKey: string;
+    /** SHA-256 hex of the new key. */
+    newKeyHash: string;
+    /**
+     * Ed25519 signature over `predecessorKey || newKeyHash || rotatedAt`,
+     * signed by the predecessor key. Proves voluntary key rotation.
+     */
+    predecessorSignature: string;
+}
+export interface RevokedKeyRecord {
+    /** Multibase public key that was revoked. */
+    keyMultibase: string;
+    /** ISO8601 — when revocation was announced. */
+    revokedAt: string;
+    /** Human-readable reason (e.g. "Compromised — see incident #42"). */
+    reason: string;
+    /**
+     * Ed25519 signature over `keyMultibase || revokedAt || reason`
+     * signed by the key being revoked. Proves intentional revocation.
+     */
+    selfSignature?: string;
+}
+export interface DIDDocument {
+    "@context": string[];
+    id: string;
+    verificationMethod: VerificationMethod[];
+    authentication: string[];
+    assertionMethod: string[];
+    keyAgreement: string[];
+    service: ServiceEndpoint[];
+    created: string;
+    updated: string;
+    /** Rotation history (newest-first). Present only after at least one rotation. */
+    keyHistory?: KeyRotationRecord[];
+    /** Keys that have been explicitly revoked and must never be trusted. */
+    revokedKeys?: RevokedKeyRecord[];
+}
+export interface AgentKeyPair {
+    did: string;
+    privateKey: Uint8Array;
+    publicKey: Uint8Array;
+    document: DIDDocument;
+}
+export declare function toMultibase(bytes: Uint8Array): string;
+export declare function fromMultibase(multibase: string): Uint8Array;
+export interface GenerateDIDOptions {
+    /**
+     * Optional tenant namespace — produces did:aroha:<namespace>.<agentId>.
+     * Must match /^[a-z0-9-]+$/.
+     */
+    namespace?: string;
+}
+/**
+ * Generate a new Aroha DID with a fresh Ed25519 keypair.
+ *
+ * @param agentId  Human-readable identifier (e.g. "expedia-flights-v2")
+ * @param endpoint Aroha endpoint URL for the agent
+ * @param options  Optional generation options (e.g. namespace for multi-tenancy)
+ */
+export declare function generateDID(agentId: string, endpoint: string, options?: GenerateDIDOptions): Promise<AgentKeyPair>;
+/**
+ * Reconstruct a DID Document from an existing keypair.
+ * Used when loading a saved agent identity from storage.
+ */
+export declare function buildDIDDocument(agentId: string, publicKey: Uint8Array, endpoint: string, created: string): DIDDocument;
+/**
+ * Extract public key bytes from a DID Document's first verification method.
+ * Throws if a key rotation cool-down window is still active.
+ */
+export declare function extractPublicKey(doc: DIDDocument): Uint8Array;
+/**
+ * Extract the Aroha service endpoint URL from a DID Document.
+ */
+export declare function extractEndpoint(doc: DIDDocument): string;
+/**
+ * Rotate to a new keypair for a did:aroha: identity.
+ * The predecessor key signs the rotation record.
+ * The new key is not trusted until coolDownHours have elapsed.
+ */
+export declare function rotateDIDKey(current: AgentKeyPair, coolDownHours?: number): Promise<AgentKeyPair>;
+/**
+ * Emergency key revocation — immediately marks the current key as revoked
+ * and rotates to a new keypair with NO cooldown period.
+ *
+ * Use when a private key is known or suspected to be compromised.
+ * After calling this, publish the updated DID Document immediately.
+ *
+ * @param current  The current agent keypair (needed to sign the revocation)
+ * @param reason   Human-readable reason for revocation
+ */
+export declare function revokeKey(current: AgentKeyPair, reason: string): Promise<AgentKeyPair>;
+/**
+ * Verify a revocation record's self-signature.
+ * Returns true if the signature is valid — i.e., the holder of the revoked
+ * key intentionally created this record.
+ *
+ * @param record     The RevokedKeyRecord to verify
+ * @param publicKey  The public key that was revoked (to verify against)
+ */
+export declare function verifyRevocation(record: RevokedKeyRecord, publicKey: Uint8Array): Promise<boolean>;
+/**
+ * Extract the namespace from a namespaced DID.
+ * Returns null for un-namespaced DIDs.
+ *
+ * Example:
+ *   extractNamespace("did:aroha:acme-corp.invoice-processor") → "acme-corp"
+ *   extractNamespace("did:aroha:flight-agent")                → null
+ */
+export declare function extractNamespace(did: string): string | null;
+//# sourceMappingURL=did.d.ts.map

package/dist/identity/did.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"did.d.ts","sourceRoot":"","sources":["../../src/identity/did.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAYH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,4BAA4B,CAAC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,eAAe,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,uFAAuF;IACvF,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,cAAc,EAAE,MAAM,CAAC;IACvB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,gBAAgB;IAC/B,6CAA6C;IAC7C,YAAY,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,kBAAkB,EAAE,kBAAkB,EAAE,CAAC;IACzC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,iFAAiF;IACjF,UAAU,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACjC,wEAAwE;IACxE,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,UAAU,CAAC;IACtB,QAAQ,EAAE,WAAW,CAAC;CACvB;AAoCD,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAErD;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,CAK3D;AAID,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,YAAY,CAAC,CA2CvB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,WAAW,CAgCb;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,WAAW,GAAG,UAAU,CAyB7D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,WAAW,GAAG,MAAM,CAIxD;AAQD;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,YAAY,EACrB,aAAa,SAAK,GACjB,OAAO,CAAC,YAAY,CAAC,CAwCvB;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAC7B,OAAO,EAAE,YAAY,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAmCvB;AAED;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,gBAAgB,EACxB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,OAAO,CAAC,CAWlB;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI3D"}

package/dist/identity/did.js

@@ -0,0 +1,291 @@
+/**
+ * Aroha DID (Decentralized Identifier) implementation.
+ *
+ * DID format:  did:aroha:<unique-id>
+ * Spec:        W3C DID Core 1.0 (https://www.w3.org/TR/did-core/)
+ *
+ * A DID Document contains:
+ *   - Verification methods (public keys)
+ *   - Authentication references
+ *   - Service endpoints (Aroha agent endpoint)
+ */
+import * as ed from "@noble/ed25519";
+import { sha256 } from "@noble/hashes/sha256";
+import { sha512 } from "@noble/hashes/sha512";
+import { bytesToHex } from "@noble/hashes/utils";
+// noble/ed25519 v2 requires sha512 sync
+ed.etc.sha512Sync = (...m) => sha512(...m);
+// ─── Base58 encoding (multibase 'z' prefix) ───────────────────────────────────
+const BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function encodeBase58(bytes) {
+    let num = BigInt("0x" + bytesToHex(bytes));
+    const digits = [];
+    while (num > 0n) {
+        digits.push(Number(num % 58n));
+        num /= 58n;
+    }
+    // leading zeros
+    for (const b of bytes) {
+        if (b !== 0)
+            break;
+        digits.push(0);
+    }
+    return digits
+        .reverse()
+        .map((d) => BASE58_ALPHABET[d])
+        .join("");
+}
+function decodeBase58(s) {
+    let num = 0n;
+    for (const c of s) {
+        const idx = BASE58_ALPHABET.indexOf(c);
+        if (idx < 0)
+            throw new Error(`Invalid base58 character: ${c}`);
+        num = num * 58n + BigInt(idx);
+    }
+    const hex = num.toString(16).padStart(64, "0");
+    return Uint8Array.from(Buffer.from(hex, "hex"));
+}
+export function toMultibase(bytes) {
+    return "z" + encodeBase58(bytes);
+}
+export function fromMultibase(multibase) {
+    if (!multibase.startsWith("z")) {
+        throw new Error("Only base58btc multibase (prefix 'z') is supported");
+    }
+    return decodeBase58(multibase.slice(1));
+}
+/**
+ * Generate a new Aroha DID with a fresh Ed25519 keypair.
+ *
+ * @param agentId  Human-readable identifier (e.g. "expedia-flights-v2")
+ * @param endpoint Aroha endpoint URL for the agent
+ * @param options  Optional generation options (e.g. namespace for multi-tenancy)
+ */
+export async function generateDID(agentId, endpoint, options = {}) {
+    const { namespace } = options;
+    if (namespace && !/^[a-z0-9-]+$/.test(namespace)) {
+        throw new Error(`Invalid namespace "${namespace}" — must match /^[a-z0-9-]+$/`);
+    }
+    const qualifiedId = namespace ? `${namespace}.${agentId}` : agentId;
+    const privateKey = ed.utils.randomPrivateKey();
+    const publicKey = await ed.getPublicKeyAsync(privateKey);
+    const did = `did:aroha:${qualifiedId}`;
+    const now = new Date().toISOString();
+    const keyId = `${did}#key-1`;
+    const document = {
+        "@context": [
+            "https://www.w3.org/ns/did/v1",
+            "https://w3id.org/security/suites/ed25519-2020/v1",
+        ],
+        id: did,
+        verificationMethod: [
+            {
+                id: keyId,
+                type: "Ed25519VerificationKey2020",
+                controller: did,
+                publicKeyMultibase: toMultibase(publicKey),
+            },
+        ],
+        authentication: [keyId],
+        assertionMethod: [keyId],
+        keyAgreement: [keyId],
+        service: [
+            {
+                id: `${did}#aroha`,
+                type: "ArohaEndpoint",
+                serviceEndpoint: endpoint,
+            },
+        ],
+        created: now,
+        updated: now,
+    };
+    return { did, privateKey, publicKey, document };
+}
+/**
+ * Reconstruct a DID Document from an existing keypair.
+ * Used when loading a saved agent identity from storage.
+ */
+export function buildDIDDocument(agentId, publicKey, endpoint, created) {
+    const did = `did:aroha:${agentId}`;
+    const keyId = `${did}#key-1`;
+    const now = new Date().toISOString();
+    return {
+        "@context": [
+            "https://www.w3.org/ns/did/v1",
+            "https://w3id.org/security/suites/ed25519-2020/v1",
+        ],
+        id: did,
+        verificationMethod: [
+            {
+                id: keyId,
+                type: "Ed25519VerificationKey2020",
+                controller: did,
+                publicKeyMultibase: toMultibase(publicKey),
+            },
+        ],
+        authentication: [keyId],
+        assertionMethod: [keyId],
+        keyAgreement: [keyId],
+        service: [
+            {
+                id: `${did}#aroha`,
+                type: "ArohaEndpoint",
+                serviceEndpoint: endpoint,
+            },
+        ],
+        created,
+        updated: now,
+    };
+}
+/**
+ * Extract public key bytes from a DID Document's first verification method.
+ * Throws if a key rotation cool-down window is still active.
+ */
+export function extractPublicKey(doc) {
+    const vm = doc.verificationMethod[0];
+    if (!vm)
+        throw new Error(`DID ${doc.id} has no verification methods`);
+    // Check if the current key has been explicitly revoked
+    if (doc.revokedKeys && doc.revokedKeys.length > 0) {
+        const currentKeyMultibase = vm.publicKeyMultibase;
+        const revoked = doc.revokedKeys.find(r => r.keyMultibase === currentKeyMultibase);
+        if (revoked) {
+            throw new Error(`DID ${doc.id} key ${currentKeyMultibase.slice(0, 12)}... was revoked at ${revoked.revokedAt}: ${revoked.reason}`);
+        }
+    }
+    if (doc.keyHistory && doc.keyHistory.length > 0) {
+        const latest = doc.keyHistory[0];
+        if (new Date() < new Date(latest.trustAfter)) {
+            throw new Error(`DID ${doc.id} key rotation cool-down active until ${latest.trustAfter}`);
+        }
+    }
+    return fromMultibase(vm.publicKeyMultibase);
+}
+/**
+ * Extract the Aroha service endpoint URL from a DID Document.
+ */
+export function extractEndpoint(doc) {
+    const svc = doc.service.find((s) => s.type === "ArohaEndpoint");
+    if (!svc)
+        throw new Error(`DID ${doc.id} has no ArohaEndpoint service`);
+    return svc.serviceEndpoint;
+}
+// ─── Key rotation ─────────────────────────────────────────────────────────────
+function keyCommitmentHash(publicKey) {
+    return bytesToHex(sha256(publicKey));
+}
+/**
+ * Rotate to a new keypair for a did:aroha: identity.
+ * The predecessor key signs the rotation record.
+ * The new key is not trusted until coolDownHours have elapsed.
+ */
+export async function rotateDIDKey(current, coolDownHours = 24) {
+    const newPrivateKey = ed.utils.randomPrivateKey();
+    const newPublicKey = await ed.getPublicKeyAsync(newPrivateKey);
+    const oldPubMultibase = toMultibase(current.publicKey);
+    const now = new Date();
+    const trustAfter = new Date(now.getTime() + coolDownHours * 3_600_000);
+    const newKeyHash = keyCommitmentHash(newPublicKey);
+    // Payload format matches verifyKeyRotation in web-did.ts:
+    // predecessorKey (multibase) + newKeyHash (hex) + rotatedAt (ISO8601)
+    const payload = new TextEncoder().encode(oldPubMultibase + newKeyHash + now.toISOString());
+    const sig = await ed.signAsync(payload, current.privateKey);
+    const rotation = {
+        rotatedAt: now.toISOString(),
+        trustAfter: trustAfter.toISOString(),
+        predecessorKey: oldPubMultibase,
+        newKeyHash,
+        predecessorSignature: Buffer.from(sig).toString("base64url"),
+    };
+    const keyId = `${current.did}#key-1`;
+    const newDoc = {
+        ...current.document,
+        verificationMethod: [
+            {
+                id: keyId,
+                type: "Ed25519VerificationKey2020",
+                controller: current.did,
+                publicKeyMultibase: toMultibase(newPublicKey),
+            },
+        ],
+        updated: now.toISOString(),
+        keyHistory: [rotation, ...(current.document.keyHistory ?? [])],
+    };
+    return { did: current.did, privateKey: newPrivateKey, publicKey: newPublicKey, document: newDoc };
+}
+/**
+ * Emergency key revocation — immediately marks the current key as revoked
+ * and rotates to a new keypair with NO cooldown period.
+ *
+ * Use when a private key is known or suspected to be compromised.
+ * After calling this, publish the updated DID Document immediately.
+ *
+ * @param current  The current agent keypair (needed to sign the revocation)
+ * @param reason   Human-readable reason for revocation
+ */
+export async function revokeKey(current, reason) {
+    const newPrivateKey = ed.utils.randomPrivateKey();
+    const newPublicKey = await ed.getPublicKeyAsync(newPrivateKey);
+    const now = new Date().toISOString();
+    const oldKeyMultibase = toMultibase(current.publicKey);
+    // Sign revocation with the key being revoked (proves intentional)
+    const payload = new TextEncoder().encode(oldKeyMultibase + now + reason);
+    const sig = await ed.signAsync(payload, current.privateKey);
+    const revokedRecord = {
+        keyMultibase: oldKeyMultibase,
+        revokedAt: now,
+        reason,
+        selfSignature: Buffer.from(sig).toString("base64url"),
+    };
+    const keyId = `${current.did}#key-1`;
+    const newDoc = {
+        ...current.document,
+        verificationMethod: [
+            {
+                id: keyId,
+                type: "Ed25519VerificationKey2020",
+                controller: current.did,
+                publicKeyMultibase: toMultibase(newPublicKey),
+            },
+        ],
+        updated: now,
+        // No keyHistory entry — no cooldown, immediate trust of new key
+        revokedKeys: [revokedRecord, ...(current.document.revokedKeys ?? [])],
+    };
+    return { did: current.did, privateKey: newPrivateKey, publicKey: newPublicKey, document: newDoc };
+}
+/**
+ * Verify a revocation record's self-signature.
+ * Returns true if the signature is valid — i.e., the holder of the revoked
+ * key intentionally created this record.
+ *
+ * @param record     The RevokedKeyRecord to verify
+ * @param publicKey  The public key that was revoked (to verify against)
+ */
+export async function verifyRevocation(record, publicKey) {
+    if (!record.selfSignature)
+        return false;
+    try {
+        const payload = new TextEncoder().encode(record.keyMultibase + record.revokedAt + record.reason);
+        const sig = Buffer.from(record.selfSignature, "base64url");
+        return await ed.verifyAsync(sig, payload, publicKey);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Extract the namespace from a namespaced DID.
+ * Returns null for un-namespaced DIDs.
+ *
+ * Example:
+ *   extractNamespace("did:aroha:acme-corp.invoice-processor") → "acme-corp"
+ *   extractNamespace("did:aroha:flight-agent")                → null
+ */
+export function extractNamespace(did) {
+    const suffix = did.replace("did:aroha:", "");
+    const dotIndex = suffix.indexOf(".");
+    return dotIndex >= 0 ? suffix.slice(0, dotIndex) : null;
+}
+//# sourceMappingURL=did.js.map

package/dist/identity/did.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"did.js","sourceRoot":"","sources":["../../src/identity/did.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAe,MAAM,qBAAqB,CAAC;AAE9D,wCAAwC;AACxC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAA4B,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AAuEtE,iFAAiF;AAEjF,MAAM,eAAe,GACnB,4DAA4D,CAAC;AAE/D,SAAS,YAAY,CAAC,KAAiB;IACrC,IAAI,GAAG,GAAG,MAAM,CAAC,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,OAAO,GAAG,GAAG,EAAE,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC;QAC/B,GAAG,IAAI,GAAG,CAAC;IACb,CAAC;IACD,gBAAgB;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,CAAC;YAAE,MAAM;QACnB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,MAAM;SACV,OAAO,EAAE;SACT,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;SAC9B,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACvC,IAAI,GAAG,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,EAAE,CAAC,CAAC;QAC/D,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IACD,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAC/C,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAiB;IAC3C,OAAO,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB;IAC7C,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1C,CAAC;AAYD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,QAAgB,EAChB,UAA8B,EAAE;IAEhC,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAC9B,IAAI,SAAS,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,+BAA+B,CAAC,CAAC;IAClF,CAAC;IACD,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;IAEpE,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAEzD,MAAM,GAAG,GAAG,aAAa,WAAW,EAAE,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,GAAG,GAAG,QAAQ,CAAC;IAE7B,MAAM,QAAQ,GAAgB;QAC5B,UAAU,EAAE;YACV,8BAA8B;YAC9B,kDAAkD;SACnD;QACD,EAAE,EAAE,GAAG;QACP,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG;gBACf,kBAAkB,EAAE,WAAW,CAAC,SAAS,CAAC;aAC3C;SACF;QACD,cAAc,EAAE,CAAC,KAAK,CAAC;QACvB,eAAe,EAAE,CAAC,KAAK,CAAC;QACxB,YAAY,EAAE,CAAC,KAAK,CAAC;QACrB,OAAO,EAAE;YACP;gBACE,EAAE,EAAE,GAAG,GAAG,QAAQ;gBAClB,IAAI,EAAE,eAAe;gBACrB,eAAe,EAAE,QAAQ;aAC1B;SACF;QACD,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,GAAG;KACb,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,SAAqB,EACrB,QAAgB,EAChB,OAAe;IAEf,MAAM,GAAG,GAAG,aAAa,OAAO,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,GAAG,GAAG,QAAQ,CAAC;IAC7B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,OAAO;QACL,UAAU,EAAE;YACV,8BAA8B;YAC9B,kDAAkD;SACnD;QACD,EAAE,EAAE,GAAG;QACP,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG;gBACf,kBAAkB,EAAE,WAAW,CAAC,SAAS,CAAC;aAC3C;SACF;QACD,cAAc,EAAE,CAAC,KAAK,CAAC;QACvB,eAAe,EAAE,CAAC,KAAK,CAAC;QACxB,YAAY,EAAE,CAAC,KAAK,CAAC;QACrB,OAAO,EAAE;YACP;gBACE,EAAE,EAAE,GAAG,GAAG,QAAQ;gBAClB,IAAI,EAAE,eAAe;gBACrB,eAAe,EAAE,QAAQ;aAC1B;SACF;QACD,OAAO;QACP,OAAO,EAAE,GAAG;KACb,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAgB;IAC/C,MAAM,EAAE,GAAG,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,GAAG,CAAC,EAAE,8BAA8B,CAAC,CAAC;IAEtE,uDAAuD;IACvD,IAAI,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,kBAAkB,CAAC;QAClD,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,mBAAmB,CAAC,CAAC;QAClF,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,OAAO,GAAG,CAAC,EAAE,QAAQ,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,OAAO,CAAC,SAAS,KAAK,OAAO,CAAC,MAAM,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACjC,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CACb,OAAO,GAAG,CAAC,EAAE,wCAAwC,MAAM,CAAC,UAAU,EAAE,CACzE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,aAAa,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAgB;IAC9C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;IAChE,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,OAAO,GAAG,CAAC,EAAE,+BAA+B,CAAC,CAAC;IACxE,OAAO,GAAG,CAAC,eAAe,CAAC;AAC7B,CAAC;AAED,iFAAiF;AAEjF,SAAS,iBAAiB,CAAC,SAAqB;IAC9C,OAAO,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAqB,EACrB,aAAa,GAAG,EAAE;IAElB,MAAM,aAAa,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAClD,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC;IAE/D,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,aAAa,GAAG,SAAS,CAAC,CAAC;IAEvE,MAAM,UAAU,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACnD,0DAA0D;IAC1D,sEAAsE;IACtE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACtC,eAAe,GAAG,UAAU,GAAG,GAAG,CAAC,WAAW,EAAE,CACjD,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAE5D,MAAM,QAAQ,GAAsB;QAClC,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE;QACpC,cAAc,EAAE,eAAe;QAC/B,UAAU;QACV,oBAAoB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;KAC7D,CAAC;IAEF,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,GAAG,QAAQ,CAAC;IACrC,MAAM,MAAM,GAAgB;QAC1B,GAAG,OAAO,CAAC,QAAQ;QACnB,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,OAAO,CAAC,GAAG;gBACvB,kBAAkB,EAAE,WAAW,CAAC,YAAY,CAAC;aAC9C;SACF;QACD,OAAO,EAAE,GAAG,CAAC,WAAW,EAAE;QAC1B,UAAU,EAAE,CAAC,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;KAC/D,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACpG,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAqB,EACrB,MAAc;IAEd,MAAM,aAAa,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAClD,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC;IAE/D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvD,kEAAkE;IAClE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,GAAG,GAAG,GAAG,MAAM,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAE5D,MAAM,aAAa,GAAqB;QACtC,YAAY,EAAE,eAAe;QAC7B,SAAS,EAAE,GAAG;QACd,MAAM;QACN,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;KACtD,CAAC;IAEF,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,GAAG,QAAQ,CAAC;IACrC,MAAM,MAAM,GAAgB;QAC1B,GAAG,OAAO,CAAC,QAAQ;QACnB,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,OAAO,CAAC,GAAG;gBACvB,kBAAkB,EAAE,WAAW,CAAC,YAAY,CAAC;aAC9C;SACF;QACD,OAAO,EAAE,GAAG;QACZ,gEAAgE;QAChE,WAAW,EAAE,CAAC,aAAa,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;KACtE,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACpG,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAwB,EACxB,SAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACtC,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,CACvD,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QAC3D,OAAO,MAAM,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,OAAO,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1D,CAAC"}

package/dist/identity/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./did.js";
+export * from "./credentials.js";
+export * from "./web-did.js";
+export * from "./did-cache.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/identity/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/identity/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,kBAAkB,CAAC;AACjC,cAAc,cAAc,CAAC;AAC7B,cAAc,gBAAgB,CAAC"}

package/dist/identity/index.js

@@ -0,0 +1,5 @@
+export * from "./did.js";
+export * from "./credentials.js";
+export * from "./web-did.js";
+export * from "./did-cache.js";
+//# sourceMappingURL=index.js.map

package/dist/identity/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/identity/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,kBAAkB,CAAC;AACjC,cAAc,cAAc,CAAC;AAC7B,cAAc,gBAAgB,CAAC"}

package/dist/identity/web-did.d.ts

@@ -0,0 +1,131 @@
+/**
+ * Aroha Web-Native Identity — did:aroha-web:
+ *
+ * A DNS-anchored DID method that requires NO central Aroha registry.
+ * Identity is verified by TWO independent channels simultaneously:
+ *
+ *   1. HTTPS — DID Document served at:
+ *      https://{domain}/.well-known/aroha/agents/{path}/did.json
+ *
+ *   2. DNS TXT — Key-commitment record at:
+ *      _aroha.{domain} IN TXT "v=aroha1; path={path}; keyhash={sha256 of pubkey}"
+ *
+ * Both channels must agree. Domain hijacking via HTTPS alone is insufficient —
+ * the attacker would also need to control DNS to forge the key-commitment.
+ * This is a meaningful security upgrade over single-channel HTTPS identity
+ * (did:wba, did:web).
+ *
+ * Key rotation:
+ *   Rotations are cryptographically chained — the new key is signed by the old
+ *   key and a 24-hour cool-down window is enforced before the new key is trusted.
+ *   The rotation record is embedded in the DID Document under `keyHistory`.
+ *
+ * DID format:
+ *   did:aroha-web:{domain}[:{path}]
+ *   e.g. did:aroha-web:stripe.com:payments-agent
+ *        did:aroha-web:internal.example.corp:invoicing
+ *
+ * Resolution produces the same DIDDocument format as did:aroha: — full
+ * interoperability with the rest of the Aroha stack.
+ */
+import { type DIDDocument, type AgentKeyPair, type KeyRotationRecord } from "./did.js";
+export interface WebDIDDocument extends DIDDocument {
+    /** Two-factor verification metadata. */
+    arohaWeb: {
+        domain: string;
+        path: string;
+        /** SHA-256 hex of the active public key — must match DNS TXT. */
+        keyCommitmentHash: string;
+        /** Rotation chain (newest-first). Null if this is the genesis key. */
+        keyHistory: KeyRotationRecord[];
+    };
+}
+export { type KeyRotationRecord } from "./did.js";
+export interface WebAgentKeyPair extends AgentKeyPair {
+    /** The DNS TXT record value to publish at _aroha.{domain}. */
+    dnsTXTRecord: string;
+    /** The URL where the DID Document should be served. */
+    wellKnownUrl: string;
+    /** The full typed document (superset of DIDDocument). */
+    webDocument: WebDIDDocument;
+}
+export interface WebDIDResolutionResult {
+    document: WebDIDDocument;
+    /** True if DNS TXT key-commitment matched the document. */
+    dnsVerified: boolean;
+    /** True if the active key's cool-down window has passed. */
+    keyTrusted: boolean;
+    /** Reason if keyTrusted is false. */
+    trustReason?: string;
+}
+/** Parse `did:aroha-web:domain[:path]` into its components. */
+export declare function parseWebDID(did: string): {
+    domain: string;
+    path: string;
+};
+export declare function buildWebDID(domain: string, path: string): string;
+export declare function isWebDID(did: string): boolean;
+/**
+ * The HTTP path at which the DID Document should be served.
+ * e.g. `did:aroha-web:stripe.com:payments` → `/.well-known/aroha/agents/payments/did.json`
+ */
+export declare function wellKnownPath(did: string): string;
+/**
+ * The full HTTPS URL for a given did:aroha-web: identifier.
+ */
+export declare function wellKnownUrl(did: string): string;
+/**
+ * Returns the DNS TXT record VALUE (not the full DNS record) for the
+ * key-commitment. Publish at: `_aroha.{domain} IN TXT "{this value}"`
+ *
+ * Format: `v=aroha1; path={path}; keyhash={sha256hex}`
+ */
+export declare function dnsTXTValue(did: string, publicKey: Uint8Array): string;
+/** Parse a DNS TXT value back to its fields. Returns null if invalid. */
+export declare function parseDNSTXT(txt: string): {
+    path: string;
+    keyhash: string;
+} | null;
+export declare function keyCommitmentHash(publicKey: Uint8Array): string;
+/**
+ * Generate a new did:aroha-web: identity.
+ *
+ * Returns the key pair, the DID Document to serve at the well-known path,
+ * the DNS TXT value to publish, and the well-known URL.
+ *
+ * @param domain    The company domain (e.g. "stripe.com")
+ * @param path      Agent identifier within the domain (e.g. "payments-agent")
+ * @param endpoint  The Aroha HTTP endpoint URL (e.g. "https://agents.stripe.com/aroha/v1")
+ */
+export declare function generateWebAgent(domain: string, path: string, endpoint?: string): Promise<WebAgentKeyPair>;
+/**
+ * Rotate to a new key pair. The old key signs a rotation record that is
+ * embedded in the new DID Document. The new key is not trusted until
+ * `coolDownHours` (default 24h) after the rotation is announced.
+ *
+ * Publish the returned `webDocument` at the well-known URL and update the
+ * DNS TXT record with `dnsTXTRecord` to complete the rotation.
+ */
+export declare function rotateKey(current: WebAgentKeyPair, coolDownHours?: number): Promise<WebAgentKeyPair>;
+/**
+ * Resolve a did:aroha-web: identifier.
+ *
+ * Fetches the DID Document over HTTPS and, if `verifyDNS` is true,
+ * also verifies the DNS TXT key-commitment. Both must match for full
+ * two-factor verification.
+ *
+ * In Node.js server environments, pass a custom `dnsResolver` to perform
+ * the DNS TXT lookup. In browser or edge environments, set `verifyDNS: false`
+ * (single-channel HTTPS-only, same security as did:wba).
+ *
+ * @param did          The did:aroha-web: identifier to resolve
+ * @param verifyDNS    Whether to check the DNS TXT record (default: true)
+ * @param dnsResolver  Optional custom DNS TXT resolver
+ */
+export declare function resolveWebDID(did: string, verifyDNS?: boolean, dnsResolver?: (domain: string) => Promise<string[]>, fetchTimeoutMs?: number): Promise<WebDIDResolutionResult>;
+/**
+ * Verify a key rotation record — confirms the predecessor key signed the
+ * rotation event voluntarily (prevents unauthorized key replacement).
+ */
+export declare function verifyKeyRotation(rotation: KeyRotationRecord): Promise<boolean>;
+//# sourceMappingURL=web-did.d.ts.map

package/dist/identity/web-did.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-did.d.ts","sourceRoot":"","sources":["../../src/identity/web-did.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAMH,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,YAAY,EAEjB,KAAK,iBAAiB,EAGvB,MAAM,UAAU,CAAC;AAMlB,MAAM,WAAW,cAAe,SAAQ,WAAW;IACjD,wCAAwC;IACxC,QAAQ,EAAE;QACR,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,iEAAiE;QACjE,iBAAiB,EAAE,MAAM,CAAC;QAC1B,sEAAsE;QACtE,UAAU,EAAE,iBAAiB,EAAE,CAAC;KACjC,CAAC;CACH;AAED,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAElD,MAAM,WAAW,eAAgB,SAAQ,YAAY;IACnD,8DAA8D;IAC9D,YAAY,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,YAAY,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,WAAW,EAAE,cAAc,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,cAAc,CAAC;IACzB,2DAA2D;IAC3D,WAAW,EAAE,OAAO,CAAC;IACrB,4DAA4D;IAC5D,UAAU,EAAE,OAAO,CAAC;IACpB,qCAAqC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,+DAA+D;AAC/D,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAczE;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAGhE;AAED,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7C;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGhD;AAID;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAItE;AAED,yEAAyE;AACzE,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAUjF;AAID,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAE/D;AAID;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAwD1B;AAID;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAC7B,OAAO,EAAE,eAAe,EACxB,aAAa,SAAK,GACjB,OAAO,CAAC,eAAe,CAAC,CAuD1B;AAID;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,MAAM,EACX,SAAS,UAAO,EAChB,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,EACnD,cAAc,SAAS,GACtB,OAAO,CAAC,sBAAsB,CAAC,CAiFjC;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,CAYrF"}