@aroha-sdk/credentials 1.0.0 → 1.2.0

package/dist/credentials.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Aroha Protocol — Human Credential System (Layer 1 extension)
+ *
+ * Human users are not DID-bearing agents. They authenticate to their Personal
+ * Agent (out of band — password, OAuth, passkey, etc.), which then issues them
+ * a short-lived signed credential. That credential travels in the body of any
+ * Aroha message the user triggers, letting provider agents verify who initiated
+ * the request and what they are allowed to do.
+ *
+ * The credential is signed by the issuing agent's Ed25519 private key using
+ * the same canonicalization rules as Aroha envelope proofs.
+ */
+import { type ArohaRole, type HumanCredential } from "./types.js";
+export type { HumanCredential } from "./types.js";
+export interface CredentialVerificationResult {
+    valid: boolean;
+    credential?: HumanCredential;
+    reason?: string;
+}
+/**
+ * Issue a signed HumanCredential.
+ *
+ * @param userId      Application user identifier
+ * @param roles       Roles to grant (e.g. ["human:user"])
+ * @param issuerDID   DID of the issuing agent (the Personal Agent)
+ * @param privateKey  Ed25519 private key of the issuing agent (32 bytes)
+ * @param ttlMs       Time-to-live in milliseconds (default: 1 hour)
+ * @param email       Optional email for display purposes
+ */
+export declare function issueHumanCredential(userId: string, roles: ArohaRole[], issuerDID: string, privateKey: Uint8Array, ttlMs?: number, email?: string): Promise<HumanCredential>;
+/**
+ * Serialize a HumanCredential to a compact base64url token suitable for
+ * embedding in a Aroha message body as `credentialToken`.
+ */
+export declare function serializeCredential(cred: HumanCredential): string;
+/**
+ * Deserialize a credentialToken back to a HumanCredential object.
+ * Returns null if the token is malformed.
+ */
+export declare function deserializeCredential(token: string): HumanCredential | null;
+/**
+ * Verify a HumanCredential.
+ *
+ * Checks:
+ *   1. Token is parseable
+ *   2. Expiry has not passed
+ *   3. Ed25519 signature is valid against the issuer's public key
+ *
+ * @param token       The base64url credentialToken from the message body
+ * @param issuerPublicKey  Ed25519 public key of the issuer DID (32 bytes)
+ */
+export declare function verifyHumanCredential(token: string, issuerPublicKey: Uint8Array): Promise<CredentialVerificationResult>;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,eAAe,EAAE,MAAM,YAAY,CAAC;AAKlE,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;;;;GASG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,SAAS,EAAE,EAClB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,UAAU,EACtB,KAAK,SAAY,EACjB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAoB1B;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,eAAe,GAAG,MAAM,CAEjE;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAM3E;AAID;;;;;;;;;;GAUG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,UAAU,GAC1B,OAAO,CAAC,4BAA4B,CAAC,CAsBvC"}

package/dist/credentials.js

@@ -0,0 +1,117 @@
+/**
+ * Aroha Protocol — Human Credential System (Layer 1 extension)
+ *
+ * Human users are not DID-bearing agents. They authenticate to their Personal
+ * Agent (out of band — password, OAuth, passkey, etc.), which then issues them
+ * a short-lived signed credential. That credential travels in the body of any
+ * Aroha message the user triggers, letting provider agents verify who initiated
+ * the request and what they are allowed to do.
+ *
+ * The credential is signed by the issuing agent's Ed25519 private key using
+ * the same canonicalization rules as Aroha envelope proofs.
+ */
+import * as ed from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { v4 as uuidv4 } from "uuid";
+ed.etc.sha512Sync = (...m) => sha512(...m);
+// ─── Issue ────────────────────────────────────────────────────────────────────
+/**
+ * Issue a signed HumanCredential.
+ *
+ * @param userId      Application user identifier
+ * @param roles       Roles to grant (e.g. ["human:user"])
+ * @param issuerDID   DID of the issuing agent (the Personal Agent)
+ * @param privateKey  Ed25519 private key of the issuing agent (32 bytes)
+ * @param ttlMs       Time-to-live in milliseconds (default: 1 hour)
+ * @param email       Optional email for display purposes
+ */
+export async function issueHumanCredential(userId, roles, issuerDID, privateKey, ttlMs = 3_600_000, email) {
+    const now = new Date();
+    const credential = {
+        credentialId: uuidv4(),
+        userId,
+        roles,
+        issuedAt: now.toISOString(),
+        expiresAt: new Date(now.getTime() + ttlMs).toISOString(),
+        issuerDID,
+        ...(email ? { email } : {}),
+    };
+    const canonical = canonicalizeCredential(credential);
+    const bytes = new TextEncoder().encode(canonical);
+    const sig = await ed.signAsync(bytes, privateKey);
+    return {
+        ...credential,
+        signature: Buffer.from(sig).toString("base64url"),
+    };
+}
+/**
+ * Serialize a HumanCredential to a compact base64url token suitable for
+ * embedding in a Aroha message body as `credentialToken`.
+ */
+export function serializeCredential(cred) {
+    return Buffer.from(JSON.stringify(cred)).toString("base64url");
+}
+/**
+ * Deserialize a credentialToken back to a HumanCredential object.
+ * Returns null if the token is malformed.
+ */
+export function deserializeCredential(token) {
+    try {
+        return JSON.parse(Buffer.from(token, "base64url").toString("utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+// ─── Verify ───────────────────────────────────────────────────────────────────
+/**
+ * Verify a HumanCredential.
+ *
+ * Checks:
+ *   1. Token is parseable
+ *   2. Expiry has not passed
+ *   3. Ed25519 signature is valid against the issuer's public key
+ *
+ * @param token       The base64url credentialToken from the message body
+ * @param issuerPublicKey  Ed25519 public key of the issuer DID (32 bytes)
+ */
+export async function verifyHumanCredential(token, issuerPublicKey) {
+    const cred = deserializeCredential(token);
+    if (!cred) {
+        return { valid: false, reason: "Credential token is malformed" };
+    }
+    if (new Date(cred.expiresAt) < new Date()) {
+        return { valid: false, reason: `Credential expired at ${cred.expiresAt}` };
+    }
+    const { signature, ...body } = cred;
+    const canonical = canonicalizeCredential(body);
+    const bytes = new TextEncoder().encode(canonical);
+    try {
+        const sig = Buffer.from(signature, "base64url");
+        const ok = await ed.verifyAsync(sig, bytes, issuerPublicKey);
+        if (!ok)
+            return { valid: false, reason: "Credential signature invalid" };
+        return { valid: true, credential: cred };
+    }
+    catch {
+        return { valid: false, reason: "Credential signature verification threw an error" };
+    }
+}
+// ─── Canonicalization ─────────────────────────────────────────────────────────
+/** Canonical JSON for signing — excludes `signature`, sorts keys. */
+function canonicalizeCredential(cred) {
+    return JSON.stringify(sortKeysDeep(cred));
+}
+function sortKeysDeep(value) {
+    if (Array.isArray(value))
+        return value.map(sortKeysDeep);
+    if (value !== null && typeof value === "object") {
+        const sorted = {};
+        for (const key of Object.keys(value).sort()) {
+            sorted[key] = sortKeysDeep(value[key]);
+        }
+        return sorted;
+    }
+    return value;
+}
+//# sourceMappingURL=credentials.js.map

package/dist/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAGpC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAA4B,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AAWtE,iFAAiF;AAEjF;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAc,EACd,KAAkB,EAClB,SAAiB,EACjB,UAAsB,EACtB,KAAK,GAAG,SAAS,EACjB,KAAc;IAEd,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,UAAU,GAAuC;QACrD,YAAY,EAAE,MAAM,EAAE;QACtB,MAAM;QACN,KAAK;QACL,QAAQ,EAAG,GAAG,CAAC,WAAW,EAAE;QAC5B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,CAAC,WAAW,EAAE;QACxD,SAAS;QACT,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5B,CAAC;IAEF,MAAM,SAAS,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAElD,OAAO;QACL,GAAG,UAAU;QACb,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;KAClD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAqB;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACjE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAoB,CAAC;IACzF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAa,EACb,eAA2B;IAE3B,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC;IAC7E,CAAC;IAED,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC;IACpC,MAAM,SAAS,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAChD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;QAC7D,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QACzE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,kDAAkD,EAAE,CAAC;IACtF,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,qEAAqE;AACrE,SAAS,sBAAsB,CAAC,IAAwC;IACtE,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzD,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAE,KAAiC,CAAC,GAAG,CAAC,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/credentials.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=credentials.test.d.ts.map

package/dist/credentials.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.test.d.ts","sourceRoot":"","sources":["../src/credentials.test.ts"],"names":[],"mappings":""}

package/dist/credentials.test.js

@@ -0,0 +1,69 @@
+import { describe, it, expect } from "vitest";
+import * as ed from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { issueHumanCredential, verifyHumanCredential, serializeCredential, deserializeCredential, } from "./credentials.js";
+import { ArohaRole } from "./types.js";
+ed.etc.sha512Sync = (...m) => sha512(...m);
+async function makeIssuer() {
+    const priv = ed.utils.randomPrivateKey();
+    const pub = await ed.getPublicKeyAsync(priv);
+    return { priv, pub, did: "did:aroha:issuer" };
+}
+describe("issueHumanCredential", () => {
+    it("issues a credential with correct fields", async () => {
+        const issuer = await makeIssuer();
+        const cred = await issueHumanCredential("user-123", [ArohaRole.HumanUser], issuer.did, issuer.priv, 3_600_000, "user@example.com");
+        expect(cred.userId).toBe("user-123");
+        expect(cred.roles).toContain(ArohaRole.HumanUser);
+        expect(cred.issuerDID).toBe(issuer.did);
+        expect(cred.email).toBe("user@example.com");
+        expect(cred.signature).toBeTruthy();
+        expect(new Date(cred.expiresAt) > new Date()).toBe(true);
+    });
+});
+describe("verifyHumanCredential", () => {
+    it("verifies a valid credential token", async () => {
+        const issuer = await makeIssuer();
+        const cred = await issueHumanCredential("user-456", [ArohaRole.HumanAdmin], issuer.did, issuer.priv);
+        const token = serializeCredential(cred);
+        const result = await verifyHumanCredential(token, issuer.pub);
+        expect(result.valid).toBe(true);
+        expect(result.credential?.userId).toBe("user-456");
+    });
+    it("rejects a token signed by a different key", async () => {
+        const issuer = await makeIssuer();
+        const otherIssuer = await makeIssuer();
+        const cred = await issueHumanCredential("user-789", [ArohaRole.HumanUser], issuer.did, issuer.priv);
+        const token = serializeCredential(cred);
+        const result = await verifyHumanCredential(token, otherIssuer.pub);
+        expect(result.valid).toBe(false);
+        expect(result.reason).toMatch(/invalid/i);
+    });
+    it("rejects a malformed token", async () => {
+        const issuer = await makeIssuer();
+        const result = await verifyHumanCredential("not-valid-base64url!!!", issuer.pub);
+        expect(result.valid).toBe(false);
+        expect(result.reason).toMatch(/malformed/i);
+    });
+    it("rejects an expired credential", async () => {
+        const issuer = await makeIssuer();
+        const cred = await issueHumanCredential("user-exp", [ArohaRole.HumanUser], issuer.did, issuer.priv, -1000);
+        const token = serializeCredential(cred);
+        const result = await verifyHumanCredential(token, issuer.pub);
+        expect(result.valid).toBe(false);
+        expect(result.reason).toMatch(/expired/i);
+    });
+});
+describe("serializeCredential / deserializeCredential", () => {
+    it("round-trips a credential", async () => {
+        const issuer = await makeIssuer();
+        const cred = await issueHumanCredential("round-trip", [ArohaRole.HumanReadonly], issuer.did, issuer.priv);
+        const token = serializeCredential(cred);
+        const decoded = deserializeCredential(token);
+        expect(decoded).toEqual(cred);
+    });
+    it("returns null for garbage input", () => {
+        expect(deserializeCredential("!!!")).toBeNull();
+    });
+});
+//# sourceMappingURL=credentials.test.js.map

package/dist/credentials.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.test.js","sourceRoot":"","sources":["../src/credentials.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAA4B,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AAEtE,KAAK,UAAU,UAAU;IACvB,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC7C,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC;AAChD,CAAC;AAED,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,MAAM,oBAAoB,CACrC,UAAU,EACV,CAAC,SAAS,CAAC,SAAS,CAAC,EACrB,MAAM,CAAC,GAAG,EACV,MAAM,CAAC,IAAI,EACX,SAAS,EACT,kBAAkB,CACnB,CAAC;QAEF,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,UAAU,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACrG,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAExC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,MAAM,UAAU,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,UAAU,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACpG,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAExC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC;QACnE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;QACzC,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,wBAAwB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QACjF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,UAAU,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC;QAC3G,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAExC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6CAA6C,EAAE,GAAG,EAAE;IAC3D,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,YAAY,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1G,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,OAAO,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from "./types.js";
+export * from "./credentials.js";
+export * from "./rbac.js";
+export * from "./registry.js";
+export * from "./middleware.js";
+export * from "./mandate.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,kBAAkB,CAAC;AACjC,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+export * from "./types.js";
+export * from "./credentials.js";
+export * from "./rbac.js";
+export * from "./registry.js";
+export * from "./middleware.js";
+export * from "./mandate.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,kBAAkB,CAAC;AACjC,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,cAAc,CAAC"}

package/dist/mandate.d.ts

@@ -0,0 +1,59 @@
+/**
+ * @aroha-sdk/credentials — ArohaMandateCredential
+ *
+ * Issues, attenuates, and verifies ArohaSpendingMandate tokens.
+ *
+ * The mandate chain enforces monotonic scope narrowing:
+ *   User → Intent Mandate (max budget)
+ *   Personal Agent → Cart Mandate (narrowed to specific service)
+ *   Provider Agent → Payment Mandate (single-transaction authorisation)
+ *
+ * Each mandate is Ed25519-signed by the grantor. The grantee carries the
+ * token in the ArohaSpendingMandate message body — the payment processor
+ * verifies the full chain without ever seeing the user's card number.
+ *
+ * References:
+ *   AP2 Protocol (Google) Intent/Cart/Payment Mandate pattern.
+ *   IETF draft-niyikiza-oauth-attenuating-agent-tokens (2024).
+ */
+import { type ArohaSpendingMandateBody, type SpendingConstraints } from "@aroha-sdk/core";
+export interface SignedMandate {
+    mandate: ArohaSpendingMandateBody;
+    /** base64url Ed25519 signature over the canonical mandate (proof). */
+    signature: string;
+    /** base64url serialised mandate + signature — embed in message body credentialToken. */
+    token: string;
+}
+export interface MandateVerificationResult {
+    valid: boolean;
+    mandate?: ArohaSpendingMandateBody;
+    reason?: string;
+}
+/**
+ * Issue a root Intent Mandate from a user to their personal agent.
+ *
+ * @param grantorDID   User's DID (or personal-agent acting on user's behalf)
+ * @param granteeDID   Personal agent's DID
+ * @param constraints  Maximum spend envelope — all downstream mandates must be ≤ these
+ * @param privateKey   Grantor's Ed25519 private key (32 bytes)
+ * @param ttlMs        Time-to-live in milliseconds (default: 1 hour)
+ */
+export declare function issueIntentMandate(grantorDID: string, granteeDID: string, constraints: SpendingConstraints, privateKey: Uint8Array, ttlMs?: number): Promise<SignedMandate>;
+/**
+ * Attenuate a mandate to a narrower Cart Mandate.
+ * Validates that the new constraints are a subset of the parent's constraints.
+ */
+export declare function attenuateToCart(parent: SignedMandate, granteeDID: string, narrowedConstraints: SpendingConstraints, grantorPrivateKey: Uint8Array, ttlMs?: number): Promise<SignedMandate>;
+/**
+ * Attenuate a Cart Mandate to a single-transaction Payment Mandate.
+ */
+export declare function attenuateToPayment(parent: SignedMandate, granteeDID: string, narrowedConstraints: SpendingConstraints, grantorPrivateKey: Uint8Array, ttlMs?: number): Promise<SignedMandate>;
+/**
+ * Verify a mandate token.
+ *
+ * @param token       The base64url mandate token from credentialToken field
+ * @param publicKey   Grantor's Ed25519 public key (32 bytes)
+ * @param expectedGrantee  If set, validates the grantee DID matches
+ */
+export declare function verifyMandate(token: string, publicKey: Uint8Array, expectedGrantee?: string): Promise<MandateVerificationResult>;
+//# sourceMappingURL=mandate.d.ts.map

package/dist/mandate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mandate.d.ts","sourceRoot":"","sources":["../src/mandate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,OAAO,EAAE,KAAK,wBAAwB,EAAE,KAAK,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAI1F,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,wBAAwB,CAAC;IAClC,sEAAsE;IACtE,SAAS,EAAE,MAAM,CAAC;IAClB,wFAAwF;IACxF,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,wBAAwB,CAAC;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,mBAAmB,EAChC,UAAU,EAAE,UAAU,EACtB,KAAK,SAAY,GAChB,OAAO,CAAC,aAAa,CAAC,CAExB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,aAAa,EACrB,UAAU,EAAE,MAAM,EAClB,mBAAmB,EAAE,mBAAmB,EACxC,iBAAiB,EAAE,UAAU,EAC7B,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAcxB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,aAAa,EACrB,UAAU,EAAE,MAAM,EAClB,mBAAmB,EAAE,mBAAmB,EACxC,iBAAiB,EAAE,UAAU,EAC7B,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAcxB;AAID;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,UAAU,EACrB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,yBAAyB,CAAC,CAgCpC"}

package/dist/mandate.js

@@ -0,0 +1,180 @@
+/**
+ * @aroha-sdk/credentials — ArohaMandateCredential
+ *
+ * Issues, attenuates, and verifies ArohaSpendingMandate tokens.
+ *
+ * The mandate chain enforces monotonic scope narrowing:
+ *   User → Intent Mandate (max budget)
+ *   Personal Agent → Cart Mandate (narrowed to specific service)
+ *   Provider Agent → Payment Mandate (single-transaction authorisation)
+ *
+ * Each mandate is Ed25519-signed by the grantor. The grantee carries the
+ * token in the ArohaSpendingMandate message body — the payment processor
+ * verifies the full chain without ever seeing the user's card number.
+ *
+ * References:
+ *   AP2 Protocol (Google) Intent/Cart/Payment Mandate pattern.
+ *   IETF draft-niyikiza-oauth-attenuating-agent-tokens (2024).
+ */
+import * as ed from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { v4 as uuidv4 } from "uuid";
+ed.etc.sha512Sync = (...m) => sha512(...m);
+// ─── Issue ────────────────────────────────────────────────────────────────────
+/**
+ * Issue a root Intent Mandate from a user to their personal agent.
+ *
+ * @param grantorDID   User's DID (or personal-agent acting on user's behalf)
+ * @param granteeDID   Personal agent's DID
+ * @param constraints  Maximum spend envelope — all downstream mandates must be ≤ these
+ * @param privateKey   Grantor's Ed25519 private key (32 bytes)
+ * @param ttlMs        Time-to-live in milliseconds (default: 1 hour)
+ */
+export async function issueIntentMandate(grantorDID, granteeDID, constraints, privateKey, ttlMs = 3_600_000) {
+    return issueMandateInternal("intent", grantorDID, granteeDID, constraints, null, privateKey, ttlMs);
+}
+/**
+ * Attenuate a mandate to a narrower Cart Mandate.
+ * Validates that the new constraints are a subset of the parent's constraints.
+ */
+export async function attenuateToCart(parent, granteeDID, narrowedConstraints, grantorPrivateKey, ttlMs) {
+    assertNarrowing(parent.mandate.constraints, narrowedConstraints, parent.mandate.mandateTier, "cart");
+    const expiry = ttlMs
+        ? Math.min(new Date(parent.mandate.expiresAt).getTime(), Date.now() + ttlMs)
+        : new Date(parent.mandate.expiresAt).getTime();
+    return issueMandateInternal("cart", parent.mandate.grantee, granteeDID, narrowedConstraints, parent.mandate.mandateId, grantorPrivateKey, expiry - Date.now());
+}
+/**
+ * Attenuate a Cart Mandate to a single-transaction Payment Mandate.
+ */
+export async function attenuateToPayment(parent, granteeDID, narrowedConstraints, grantorPrivateKey, ttlMs) {
+    assertNarrowing(parent.mandate.constraints, narrowedConstraints, parent.mandate.mandateTier, "payment");
+    const expiry = ttlMs
+        ? Math.min(new Date(parent.mandate.expiresAt).getTime(), Date.now() + ttlMs)
+        : new Date(parent.mandate.expiresAt).getTime();
+    return issueMandateInternal("payment", parent.mandate.grantee, granteeDID, narrowedConstraints, parent.mandate.mandateId, grantorPrivateKey, expiry - Date.now());
+}
+// ─── Verify ───────────────────────────────────────────────────────────────────
+/**
+ * Verify a mandate token.
+ *
+ * @param token       The base64url mandate token from credentialToken field
+ * @param publicKey   Grantor's Ed25519 public key (32 bytes)
+ * @param expectedGrantee  If set, validates the grantee DID matches
+ */
+export async function verifyMandate(token, publicKey, expectedGrantee) {
+    let signed;
+    try {
+        signed = JSON.parse(Buffer.from(token, "base64url").toString("utf8"));
+    }
+    catch {
+        return { valid: false, reason: "Malformed token" };
+    }
+    const { mandate, signature } = signed;
+    // Expiry check
+    if (new Date(mandate.expiresAt) < new Date()) {
+        return { valid: false, reason: "Mandate expired" };
+    }
+    // Grantee check
+    if (expectedGrantee && mandate.grantee !== expectedGrantee) {
+        return { valid: false, reason: `Mandate grantee mismatch: expected ${expectedGrantee}` };
+    }
+    // Signature check
+    try {
+        const canonical = canonicalizeMandate(mandate);
+        const bytes = new TextEncoder().encode(canonical);
+        const sigBytes = Buffer.from(signature, "base64url");
+        const valid = await ed.verifyAsync(sigBytes, bytes, publicKey);
+        if (!valid)
+            return { valid: false, reason: "Invalid signature" };
+    }
+    catch {
+        return { valid: false, reason: "Signature verification error" };
+    }
+    return { valid: true, mandate };
+}
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+async function issueMandateInternal(tier, grantorDID, granteeDID, constraints, parentMandateId, privateKey, ttlMs) {
+    const mandate = {
+        mandateTier: tier,
+        constraints,
+        grantee: granteeDID,
+        grantor: grantorDID,
+        expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+        parentMandateId,
+        mandateId: uuidv4(),
+    };
+    const canonical = canonicalizeMandate(mandate);
+    const bytes = new TextEncoder().encode(canonical);
+    const sig = await ed.signAsync(bytes, privateKey);
+    const signature = Buffer.from(sig).toString("base64url");
+    const token = Buffer.from(JSON.stringify({ mandate, signature })).toString("base64url");
+    return { mandate, signature, token };
+}
+/** Canonical JSON — lexicographically sorted keys, no whitespace. */
+function canonicalizeMandate(mandate) {
+    return JSON.stringify(sortKeys(mandate));
+}
+function sortKeys(obj) {
+    if (Array.isArray(obj))
+        return obj.map(sortKeys);
+    if (obj !== null && typeof obj === "object") {
+        return Object.keys(obj)
+            .sort()
+            .reduce((acc, k) => {
+            acc[k] = sortKeys(obj[k]);
+            return acc;
+        }, {});
+    }
+    return obj;
+}
+/**
+ * Validate that a narrowed constraint set is a subset of the parent's.
+ * Throws if any narrowed value exceeds the parent's limit.
+ */
+function assertNarrowing(parent, child, parentTier, childTier) {
+    const prefix = `Cannot attenuate ${parentTier} → ${childTier}`;
+    if (child.spendLimitUsd > parent.spendLimitUsd) {
+        throw new Error(`${prefix}: child spendLimitUsd (${child.spendLimitUsd}) exceeds parent (${parent.spendLimitUsd})`);
+    }
+    if (parent.sessionLimitUsd !== undefined &&
+        child.sessionLimitUsd !== undefined &&
+        child.sessionLimitUsd > parent.sessionLimitUsd) {
+        throw new Error(`${prefix}: child sessionLimitUsd exceeds parent`);
+    }
+    if (parent.requireHumanApprovalAboveUsd !== undefined &&
+        child.requireHumanApprovalAboveUsd !== undefined &&
+        child.requireHumanApprovalAboveUsd > parent.requireHumanApprovalAboveUsd) {
+        throw new Error(`${prefix}: child approval threshold exceeds parent`);
+    }
+    if (parent.allowedMerchants != null && parent.allowedMerchants.length > 0) {
+        const parentSet = new Set(parent.allowedMerchants);
+        if (!child.allowedMerchants || child.allowedMerchants.length === 0) {
+            throw new Error(`${prefix}: parent restricts allowedMerchants but child sets none`);
+        }
+        for (const m of child.allowedMerchants) {
+            if (!parentSet.has(m)) {
+                throw new Error(`${prefix}: child allowedMerchants contains "${m}" not in parent`);
+            }
+        }
+    }
+    if (parent.merchantCategory !== undefined && parent.merchantCategory !== null) {
+        if (child.merchantCategory === null || child.merchantCategory === undefined) {
+            throw new Error(`${prefix}: child merchantCategory must not widen parent's "${parent.merchantCategory}" restriction`);
+        }
+        if (child.merchantCategory !== parent.merchantCategory) {
+            throw new Error(`${prefix}: child merchantCategory "${child.merchantCategory}" does not match parent "${parent.merchantCategory}"`);
+        }
+    }
+    if (parent.validUntil !== undefined && child.validUntil !== undefined) {
+        if (new Date(child.validUntil) > new Date(parent.validUntil)) {
+            throw new Error(`${prefix}: child validUntil (${child.validUntil}) extends beyond parent (${parent.validUntil})`);
+        }
+    }
+    if (parent.validFrom !== undefined && child.validFrom !== undefined) {
+        if (new Date(child.validFrom) < new Date(parent.validFrom)) {
+            throw new Error(`${prefix}: child validFrom (${child.validFrom}) precedes parent (${parent.validFrom})`);
+        }
+    }
+}
+//# sourceMappingURL=mandate.js.map

package/dist/mandate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mandate.js","sourceRoot":"","sources":["../src/mandate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AAGpC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAA4B,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AAgBtE,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,UAAkB,EAClB,UAAkB,EAClB,WAAgC,EAChC,UAAsB,EACtB,KAAK,GAAG,SAAS;IAEjB,OAAO,oBAAoB,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;AACtG,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAqB,EACrB,UAAkB,EAClB,mBAAwC,EACxC,iBAA6B,EAC7B,KAAc;IAEd,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,mBAAmB,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACrG,MAAM,MAAM,GAAG,KAAK;QAClB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QAC5E,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;IACjD,OAAO,oBAAoB,CACzB,MAAM,EACN,MAAM,CAAC,OAAO,CAAC,OAAO,EACtB,UAAU,EACV,mBAAmB,EACnB,MAAM,CAAC,OAAO,CAAC,SAAS,EACxB,iBAAiB,EACjB,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CACpB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAqB,EACrB,UAAkB,EAClB,mBAAwC,EACxC,iBAA6B,EAC7B,KAAc;IAEd,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,mBAAmB,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACxG,MAAM,MAAM,GAAG,KAAK;QAClB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QAC5E,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;IACjD,OAAO,oBAAoB,CACzB,SAAS,EACT,MAAM,CAAC,OAAO,CAAC,OAAO,EACtB,UAAU,EACV,mBAAmB,EACnB,MAAM,CAAC,OAAO,CAAC,SAAS,EACxB,iBAAiB,EACjB,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CACpB,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,SAAqB,EACrB,eAAwB;IAExB,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAkB,CAAC;IACzF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAEtC,eAAe;IACf,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QAC7C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACrD,CAAC;IAED,gBAAgB;IAChB,IAAI,eAAe,IAAI,OAAO,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,sCAAsC,eAAe,EAAE,EAAE,CAAC;IAC3F,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QAC/D,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;IAClE,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAClC,CAAC;AAED,iFAAiF;AAEjF,KAAK,UAAU,oBAAoB,CACjC,IAAmC,EACnC,UAAkB,EAClB,UAAkB,EAClB,WAAgC,EAChC,eAA8B,EAC9B,UAAsB,EACtB,KAAa;IAEb,MAAM,OAAO,GAA6B;QACxC,WAAW,EAAE,IAAI;QACjB,WAAW;QACX,OAAO,EAAE,UAAU;QACnB,OAAO,EAAE,UAAU;QACnB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC,WAAW,EAAE;QACrD,eAAe;QACf,SAAS,EAAE,MAAM,EAAE;KACpB,CAAC;IAEF,MAAM,SAAS,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AACvC,CAAC;AAED,qEAAqE;AACrE,SAAS,mBAAmB,CAAC,OAAiC;IAC5D,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,QAAQ,CAAC,GAAY;IAC5B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC;aAC/C,IAAI,EAAE;aACN,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;YAChB,GAA+B,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAE,GAA+B,CAAC,CAAC,CAAC,CAAC,CAAC;YACpF,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAA6B,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,MAA2B,EAC3B,KAA0B,EAC1B,UAAkB,EAClB,SAAiB;IAEjB,MAAM,MAAM,GAAG,oBAAoB,UAAU,MAAM,SAAS,EAAE,CAAC;IAE/D,IAAI,KAAK,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,0BAA0B,KAAK,CAAC,aAAa,qBAAqB,MAAM,CAAC,aAAa,GAAG,CAAC,CAAC;IACtH,CAAC;IAED,IACE,MAAM,CAAC,eAAe,KAAK,SAAS;QACpC,KAAK,CAAC,eAAe,KAAK,SAAS;QACnC,KAAK,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,EAC9C,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,wCAAwC,CAAC,CAAC;IACrE,CAAC;IAED,IACE,MAAM,CAAC,4BAA4B,KAAK,SAAS;QACjD,KAAK,CAAC,4BAA4B,KAAK,SAAS;QAChD,KAAK,CAAC,4BAA4B,GAAG,MAAM,CAAC,4BAA4B,EACxE,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,2CAA2C,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,IAAI,IAAI,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK,CAAC,gBAAgB,IAAI,KAAK,CAAC,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,yDAAyD,CAAC,CAAC;QACtF,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;YACvC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,sCAAsC,CAAC,iBAAiB,CAAC,CAAC;YACrF,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,KAAK,SAAS,IAAI,MAAM,CAAC,gBAAgB,KAAK,IAAI,EAAE,CAAC;QAC9E,IAAI,KAAK,CAAC,gBAAgB,KAAK,IAAI,IAAI,KAAK,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;YAC5E,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,qDAAqD,MAAM,CAAC,gBAAgB,eAAe,CAAC,CAAC;QACxH,CAAC;QACD,IAAI,KAAK,CAAC,gBAAgB,KAAK,MAAM,CAAC,gBAAgB,EAAE,CAAC;YACvD,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,6BAA6B,KAAK,CAAC,gBAAgB,4BAA4B,MAAM,CAAC,gBAAgB,GAAG,CAAC,CAAC;QACtI,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACtE,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,uBAAuB,KAAK,CAAC,UAAU,4BAA4B,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC;QACpH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpE,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,sBAAsB,KAAK,CAAC,SAAS,sBAAsB,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QAC3G,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/mandate.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=mandate.test.d.ts.map

package/dist/mandate.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mandate.test.d.ts","sourceRoot":"","sources":["../src/mandate.test.ts"],"names":[],"mappings":""}