npm - @astrasyncai/verification-gateway - Versions diffs - 1.1.0 → 2.0.0 - Mend

@astrasyncai/verification-gateway 1.1.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/dist/adapter-interface/interface.d.mts +71 -0
package/dist/adapter-interface/interface.d.ts +71 -0
package/dist/adapter-interface/interface.js +36 -0
package/dist/adapter-interface/interface.js.map +1 -0
package/dist/adapter-interface/interface.mjs +10 -0
package/dist/adapter-interface/interface.mjs.map +1 -0
package/dist/adapter-interface/purpose-mapping.d.mts +28 -0
package/dist/adapter-interface/purpose-mapping.d.ts +28 -0
package/dist/adapter-interface/purpose-mapping.js +117 -0
package/dist/adapter-interface/purpose-mapping.js.map +1 -0
package/dist/adapter-interface/purpose-mapping.mjs +89 -0
package/dist/adapter-interface/purpose-mapping.mjs.map +1 -0
package/dist/adapters/express.d.mts +2 -2
package/dist/adapters/express.d.ts +2 -2
package/dist/adapters/express.js +6 -7
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +6 -7
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/nextjs.d.mts +2 -2
package/dist/adapters/nextjs.d.ts +2 -2
package/dist/adapters/nextjs.js +5 -7
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +5 -7
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.d.mts +2 -2
package/dist/adapters/sdk.d.ts +2 -2
package/dist/adapters/sdk.js +6 -2
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +6 -2
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/agent/index.d.mts +2 -0
package/dist/agent/index.d.ts +2 -0
package/dist/agent/index.js +354 -0
package/dist/agent/index.js.map +1 -0
package/dist/agent/index.mjs +323 -0
package/dist/agent/index.mjs.map +1 -0
package/dist/browser/browser-adapter.d.mts +106 -0
package/dist/browser/browser-adapter.d.ts +106 -0
package/dist/browser/browser-adapter.js +286 -0
package/dist/browser/browser-adapter.js.map +1 -0
package/dist/browser/browser-adapter.mjs +259 -0
package/dist/browser/browser-adapter.mjs.map +1 -0
package/dist/cli/index.d.mts +241 -0
package/dist/cli/index.d.ts +241 -0
package/dist/cli/index.js +3734 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/index.mjs +3688 -0
package/dist/cli/index.mjs.map +1 -0
package/dist/cursor/cursor-adapter.d.mts +92 -0
package/dist/cursor/cursor-adapter.d.ts +92 -0
package/dist/cursor/cursor-adapter.js +273 -0
package/dist/cursor/cursor-adapter.js.map +1 -0
package/dist/cursor/cursor-adapter.mjs +246 -0
package/dist/cursor/cursor-adapter.mjs.map +1 -0
package/dist/{express-BoayLpqq.d.mts → express-Cp4eg77F.d.mts} +1 -1
package/dist/{express-BGZiLINd.d.ts → express-DIEyq1Tz.d.ts} +1 -1
package/dist/gateway/gateway.d.mts +70 -0
package/dist/gateway/gateway.d.ts +70 -0
package/dist/gateway/gateway.js +3726 -0
package/dist/gateway/gateway.js.map +1 -0
package/dist/gateway/gateway.mjs +3706 -0
package/dist/gateway/gateway.mjs.map +1 -0
package/dist/git-trigger/git-hooks.d.mts +69 -0
package/dist/git-trigger/git-hooks.d.ts +69 -0
package/dist/git-trigger/git-hooks.js +244 -0
package/dist/git-trigger/git-hooks.js.map +1 -0
package/dist/git-trigger/git-hooks.mjs +221 -0
package/dist/git-trigger/git-hooks.mjs.map +1 -0
package/dist/index-BhTbGU-o.d.mts +206 -0
package/dist/index-Bhfxq9xI.d.ts +206 -0
package/dist/index-CNkmHmpi.d.ts +89 -0
package/dist/index-CoLebmwv.d.mts +89 -0
package/dist/index.d.mts +8 -295
package/dist/index.d.ts +8 -295
package/dist/index.js +17 -16
package/dist/index.js.map +1 -1
package/dist/index.mjs +17 -16
package/dist/index.mjs.map +1 -1
package/dist/local-evaluator/evaluator.d.mts +55 -0
package/dist/local-evaluator/evaluator.d.ts +55 -0
package/dist/local-evaluator/evaluator.js +272 -0
package/dist/local-evaluator/evaluator.js.map +1 -0
package/dist/local-evaluator/evaluator.mjs +244 -0
package/dist/local-evaluator/evaluator.mjs.map +1 -0
package/dist/{nextjs-DTCS5Sw8.d.ts → nextjs-Cag7libc.d.ts} +1 -1
package/dist/{nextjs-BNbHm5Ui.d.mts → nextjs-_C_FcJY5.d.mts} +1 -1
package/dist/{sdk-9TKZzhxE.d.ts → sdk-CMPDFUjo.d.ts} +3 -1
package/dist/{sdk-VAFRmdt7.d.mts → sdk-DAJahT3p.d.mts} +3 -1
package/dist/transport/index.d.mts +2 -0
package/dist/transport/index.d.ts +2 -0
package/dist/transport/index.js +211 -0
package/dist/transport/index.js.map +1 -0
package/dist/transport/index.mjs +176 -0
package/dist/transport/index.mjs.map +1 -0
package/dist/{types-cA_xfFU7.d.mts → types-Bf8pML07.d.mts} +1 -1
package/dist/{types-cA_xfFU7.d.ts → types-Bf8pML07.d.ts} +1 -1
package/dist/types-BvpGdsv1.d.mts +153 -0
package/dist/types-Ce2mFJkO.d.ts +153 -0
package/dist/ui/index.d.mts +1 -1
package/dist/ui/index.d.ts +1 -1
package/package.json +46 -1

package/dist/index.js CHANGED Viewed

@@ -631,6 +631,7 @@ function createMiddleware(options) {
         return;
       }
       const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
+      const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
       const shouldRecordDecisions = recordDecisions !== false;
       const result = await verify(config, {
         credentials,
@@ -639,7 +640,9 @@ function createMiddleware(options) {
         resource: req.path,
         clientIp: req.ip,
         userAgent: req.headers["user-agent"],
-        createSession: shouldRecordDecisions
+        createSession: shouldRecordDecisions,
+        counterpartyUrl,
+        counterpartyType: config.counterpartyType || "api"
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
@@ -678,17 +681,13 @@ function createMiddleware(options) {
 function requireAccess(minAccessLevel, options) {
   return createMiddleware({
     ...options,
-    routes: [
-      { pattern: "*", method: "*", minAccessLevel }
-    ]
+    routes: [{ pattern: "*", method: "*", minAccessLevel }]
   });
 }
 function verifyOnly(options) {
   return createMiddleware({
     ...options,
-    routes: [
-      { pattern: "*", method: "*", minAccessLevel: "none" }
-    ]
+    routes: [{ pattern: "*", method: "*", minAccessLevel: "none" }]
   });
 }
@@ -900,12 +899,7 @@ function generateCommerceShieldHtml(result, options) {
   `.trim();
 }
 function createMiddleware2(options) {
-  const {
-    routes = [],
-    skipPaths = [],
-    showCommerceShield = true,
-    ...config
-  } = options;
+  const { routes = [], skipPaths = [], showCommerceShield = true, ...config } = options;
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -958,6 +952,7 @@ function createMiddleware2(options) {
       const registerUrl = result2.guidance?.registrationUrl || "/register";
       return NextResponse.redirect(new URL(registerUrl, request.url));
     }
+    const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
     const purpose = request.headers.get("x-purpose") || inferPurpose(request.method);
     const result = await verify(config, {
       credentials,
@@ -965,7 +960,9 @@ function createMiddleware2(options) {
       action: request.method.toLowerCase(),
       resource: pathname,
       clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
-      userAgent: request.headers.get("user-agent") || void 0
+      userAgent: request.headers.get("user-agent") || void 0,
+      counterpartyUrl,
+      counterpartyType: config.counterpartyType || "website"
     });
     if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
@@ -1028,7 +1025,9 @@ var VerificationGatewayClient = class {
       minTrustScoreForFull: options.minTrustScoreForFull,
       cacheTtl: options.cacheTtl,
       debug: options.debug,
-      customHeaders: options.customHeaders
+      customHeaders: options.customHeaders,
+      counterpartyUrl: options.counterpartyUrl,
+      counterpartyType: options.counterpartyType
     };
     this.timeout = options.timeout || 1e4;
     this.retryConfig = options.retry || { maxRetries: 3, backoffMs: 1e3 };
@@ -1054,7 +1053,9 @@ var VerificationGatewayClient = class {
         currency: options.currency,
         isSubAgentRequest: options.isSubAgentRequest,
         parentAgentId: options.parentAgentId,
-        subAgentDepth: options.subAgentDepth
+        subAgentDepth: options.subAgentDepth,
+        counterpartyUrl: options.counterpartyUrl,
+        counterpartyType: options.counterpartyType
       })
     );
   }

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/access-levels.ts","../src/verify.ts","../src/adapters/express.ts","../src/transport/http.ts","../src/adapters/nextjs.ts","../src/adapters/sdk.ts","../src/transport/index.ts","../src/transport/a2a.ts","../src/transport/mcp.ts","../src/agent/index.ts","../src/agent/client.ts","../src/agent/challenge-handler.ts","../src/agent/pdlss-formatter.ts","../src/agent/decision-client.ts"],"sourcesContent":["/*\n AstraSync Universal Verification Gateway\n \n A single verification library for any system to verify AI agents.\n * One codebase, multiple deployment targets.\n \n @example\n * ```typescript\n * import { verify, extractCredentials } from '@astrasyncai/verification-gateway';\n \n const credentials = extractCredentials(request.headers);\n * const result = await verify(config, { credentials, purpose: 'data-access' });\n \n if (result.verified && result.accessLevel !== 'none') {\n * // Grant access based on result.accessLevel\n * }\n * ```\n \n @packageDocumentation\n /\n\n// Core types\nexport type {\n TrustLevel,\n AccessLevel,\n CounterpartyType,\n AgentCredentials,\n GatewayConfig,\n VerifiedAgent,\n VerifiedDeveloper,\n VerifiedOrganization,\n PDLSSInfo,\n GuidanceInfo,\n VerificationResult,\n VerificationRequest,\n RouteAccessConfig,\n ExpressMiddlewareOptions,\n NextJsMiddlewareOptions,\n SDKOptions,\n CommerceShieldProps,\n // Handshake Protocol v10 types\n TokenGuidance,\n RuntimeChallengeResult,\n EnhancedVerificationResult,\n AstraSyncCredentials,\n ProtocolTransport,\n} from './types';\n\n// Access level utilities\nexport {\n ACCESS_LEVEL_HIERARCHY,\n ACCESS_LEVEL_DESCRIPTIONS,\n DEFAULT_TRUST_THRESHOLDS,\n TRUST_LEVEL_RANGES,\n getTrustLevel,\n hasMinimumAccess,\n getAccessLevelForScore,\n determineAccessLevel,\n getCapabilities,\n} from './access-levels';\n\nexport type { AccessCapabilities } from './access-levels';\n\n// Core verification functions\nexport { verify, quickVerify, extractCredentials, hasCredentials, clearCache } from './verify';\n\n// Re-export adapters for convenience (tree-shakeable)\nexport as express from './adapters/express';\nexport * as nextjs from './adapters/nextjs';\nexport * as sdk from './adapters/sdk';\n\n// Cross-protocol transport adapters\nexport * as transport from './transport';\n\n// Agent-side SDK\nexport * as agent from './agent';\nexport { AgentClient } from './agent/client';\nexport { ChallengeHandler } from './agent/challenge-handler';\nexport { recordDecision } from './agent/decision-client';\n\n// Version\nexport const VERSION = '2.0.0';\n","/*\n AstraSync Universal Verification Gateway - Access Level Definitions\n \n Defines the hierarchy and capabilities of each access level.\n /\n\nimport type { AccessLevel, TrustLevel } from './types';\n\n/\n Access level hierarchy (higher number = more access)\n /\nexport const ACCESS_LEVEL_HIERARCHY: Record<AccessLevel, number> = {\n none: 0,\n guidance: 1,\n 'read-only': 2,\n standard: 3,\n full: 4,\n internal: 5,\n};\n\n/\n Access level descriptions for UI\n /\nexport const ACCESS_LEVEL_DESCRIPTIONS: Record<AccessLevel, string> = {\n none: 'No access - credentials required',\n guidance: 'Guidance mode - registration information provided',\n 'read-only': 'Read-only access - can browse but not modify',\n standard: 'Standard access - normal operations per PDLSS policy',\n full: 'Full access - all operations for high-trust agents',\n internal: 'Internal access - organization member privileges',\n};\n\n/\n Default trust score thresholds for access levels\n /\nexport const DEFAULT_TRUST_THRESHOLDS: Record<AccessLevel, number> = {\n none: 0,\n guidance: 0,\n 'read-only': 20,\n standard: 40,\n full: 70,\n internal: 0, // Internal is based on org membership, not score\n};\n\n/\n Trust level score ranges\n /\nexport const TRUST_LEVEL_RANGES: Record<TrustLevel, { min: number; max: number }> = {\n BRONZE: { min: 0, max: 39 },\n SILVER: { min: 40, max: 59 },\n GOLD: { min: 60, max: 79 },\n PLATINUM: { min: 80, max: 100 },\n};\n\n/\n Determine trust level from score\n /\nexport function getTrustLevel(score: number): TrustLevel {\n if (score >= 80) return 'PLATINUM';\n if (score >= 60) return 'GOLD';\n if (score >= 40) return 'SILVER';\n return 'BRONZE';\n}\n\n/\n Check if access level A is greater than or equal to access level B\n /\nexport function hasMinimumAccess(actual: AccessLevel, required: AccessLevel): boolean {\n return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];\n}\n\n/\n Get the highest access level for a given trust score\n /\nexport function getAccessLevelForScore(\n trustScore: number,\n thresholds: Record<AccessLevel, number> = DEFAULT_TRUST_THRESHOLDS\n): AccessLevel {\n if (trustScore >= thresholds.full) return 'full';\n if (trustScore >= thresholds.standard) return 'standard';\n if (trustScore >= thresholds['read-only']) return 'read-only';\n return 'guidance';\n}\n\n/\n Determine access level from verification result\n /\nexport function determineAccessLevel(\n verified: boolean,\n trustScore: number,\n isOrgMember: boolean,\n customThresholds?: Partial<Record<AccessLevel, number>>\n): AccessLevel {\n if (!verified) {\n return 'guidance';\n }\n\n if (isOrgMember) {\n return 'internal';\n }\n\n const thresholds = {\n ...DEFAULT_TRUST_THRESHOLDS,\n ...customThresholds,\n };\n\n return getAccessLevelForScore(trustScore, thresholds);\n}\n\n/\n Access capabilities per level\n /\nexport interface AccessCapabilities {\n canRead: boolean;\n canWrite: boolean;\n canDelete: boolean;\n canAdmin: boolean;\n canAccessInternal: boolean;\n maxTransactionValue?: number;\n allowedPurposes?: string[];\n}\n\n/\n Get capabilities for an access level\n /\nexport function getCapabilities(accessLevel: AccessLevel): AccessCapabilities {\n switch (accessLevel) {\n case 'none':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'guidance':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'read-only':\n return {\n canRead: true,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'standard':\n return {\n canRead: true,\n canWrite: true,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'full':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'internal':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: true,\n canAccessInternal: true,\n };\n default:\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n }\n}\n","/\n AstraSync Universal Verification Gateway - Core Verification Logic\n \n This module handles the core verification logic, calling the AstraSync API\n * and processing the response into a standardized VerificationResult.\n /\n\nimport type {\n GatewayConfig,\n AgentCredentials,\n VerificationRequest,\n VerificationResult,\n VerifiedAgent,\n VerifiedDeveloper,\n VerifiedOrganization,\n PDLSSInfo,\n GuidanceInfo,\n AccessLevel,\n EnhancedVerificationResult,\n TokenGuidance,\n RuntimeChallengeResult,\n} from './types';\nimport { determineAccessLevel, getTrustLevel, ACCESS_LEVEL_HIERARCHY } from './access-levels';\n\n/\n Default configuration values\n /\nconst DEFAULT_CONFIG: Partial<GatewayConfig> = {\n apiBaseUrl: 'https://api.astrasync.ai',\n defaultAccessLevel: 'guidance',\n minTrustScore: 40,\n minTrustScoreForFull: 70,\n cacheTtl: 300, // 5 minutes\n debug: false,\n};\n\n/\n Simple in-memory cache for verification results\n /\nconst verificationCache = new Map<string, { result: VerificationResult; expiresAt: number }>();\n\n/\n Generate cache key from credentials\n /\nfunction getCacheKey(credentials: AgentCredentials): string {\n return `${credentials.astraId \|\| ''}-${credentials.apiKey \|\| ''}-${credentials.jwt \|\| ''}`;\n}\n\n/\n Check if cached result is still valid\n /\nfunction getCachedResult(credentials: AgentCredentials): VerificationResult \| null {\n const key = getCacheKey(credentials);\n const cached = verificationCache.get(key);\n\n if (cached && cached.expiresAt > Date.now()) {\n return cached.result;\n }\n\n if (cached) {\n verificationCache.delete(key);\n }\n\n return null;\n}\n\n/\n Cache a verification result\n /\nfunction cacheResult(credentials: AgentCredentials, result: VerificationResult, ttlSeconds: number): void {\n const key = getCacheKey(credentials);\n verificationCache.set(key, {\n result,\n expiresAt: Date.now() + ttlSeconds 1000,\n });\n}\n\n/*\n Clear the verification cache\n /\nexport function clearCache(): void {\n verificationCache.clear();\n}\n\n/\n Extract agent credentials from various sources\n /\nexport function extractCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n query?: Record<string, string \| undefined>\n): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers (case-insensitive)\n const astraIdHeader = headers['x-astra-id'] \|\| headers['X-Astra-Id'] \|\| headers['X-ASTRA-ID'];\n if (astraIdHeader) {\n credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;\n }\n\n // Check for API key in headers\n const apiKeyHeader = headers['x-api-key'] \|\| headers['X-Api-Key'] \|\| headers['X-API-KEY'];\n if (apiKeyHeader) {\n credentials.apiKey = Array.isArray(apiKeyHeader) ? apiKeyHeader[0] : apiKeyHeader;\n }\n\n // Check Authorization header for Bearer token\n const authHeader = headers['authorization'] \|\| headers['Authorization'];\n if (authHeader) {\n const authValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n credentials.authorizationHeader = authValue;\n\n if (authValue.startsWith('Bearer ')) {\n credentials.jwt = authValue.slice(7);\n }\n }\n\n // Check query parameters as fallback\n if (query) {\n if (query.astraId && !credentials.astraId) {\n credentials.astraId = query.astraId;\n }\n if (query.apiKey && !credentials.apiKey) {\n credentials.apiKey = query.apiKey;\n }\n }\n\n return credentials;\n}\n\n/\n Check if credentials are present\n /\nexport function hasCredentials(credentials: AgentCredentials): boolean {\n return !!(credentials.astraId \|\| credentials.apiKey \|\| credentials.jwt);\n}\n\n/\n Create guidance response for unverified agents\n /\nfunction createGuidanceResponse(config: GatewayConfig, reason?: string): VerificationResult {\n const guidance: GuidanceInfo = {\n message: 'This service verifies AI agents before granting access. Please register your agent with AstraSync.',\n registrationUrl: `${config.apiBaseUrl.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl.replace('/api', '')}/docs/agent-access`,\n steps: [\n 'Register for an AstraSync account',\n 'Create and register your agent',\n 'Add your ASTRA-ID to request headers',\n 'Retry your request',\n ],\n };\n\n return {\n verified: false,\n accessLevel: 'guidance',\n guidance,\n denialReasons: reason ? [reason] : ['No valid agent credentials provided'],\n verifiedAt: new Date(),\n };\n}\n\n/\n Call the AstraSync verify-access API\n /\nasync function callVerifyAccessAPI(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<{\n success: boolean;\n access?: {\n allowed: boolean;\n reason?: string;\n requiresStepUp?: boolean;\n requiresApproval?: boolean;\n appliedPolicy?: {\n boundaryId: string;\n boundaryName: string;\n policyId: string;\n policyVersion: string;\n };\n pdlss?: {\n purposeAllowed: boolean;\n withinDuration: boolean;\n withinLimits: boolean;\n scopeAllowed: boolean;\n selfInstantiationAllowed: boolean;\n };\n counterparty?: {\n id: string;\n name: string;\n trustScoreRequirement: number;\n };\n };\n agent?: {\n kyaAgentId: string;\n astraId: string;\n name: string;\n trustScore: number;\n trustLevel: string;\n agentStatus: string;\n blockchainStatus: string;\n };\n developer?: {\n kyaOwnerId: string;\n fullName: string;\n email: string;\n identityVerified: boolean;\n trustScore: number;\n };\n organization?: {\n name: string;\n verified: boolean;\n trustScore: number;\n };\n error?: string;\n}> {\n const { credentials, ...requestData } = request;\n\n // Build the request body\n const body: Record<string, unknown> = {\n agentId: credentials.astraId,\n purpose: requestData.purpose \|\| 'general',\n };\n\n // Add optional fields\n if (requestData.action) body.action = requestData.action;\n if (requestData.resourceType) body.resourceType = requestData.resourceType;\n if (requestData.resource) body.resource = requestData.resource;\n if (requestData.jurisdiction) body.jurisdiction = requestData.jurisdiction;\n if (requestData.transactionValue) body.transactionValue = requestData.transactionValue;\n if (requestData.currency) body.currency = requestData.currency;\n if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;\n if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;\n if (requestData.subAgentDepth !== undefined) body.subAgentDepth = requestData.subAgentDepth;\n // Handshake Protocol v10 additions\n if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;\n if (requestData.createSession) body.createSession = requestData.createSession;\n if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;\n if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;\n if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;\n\n // Build headers\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n ...config.customHeaders,\n };\n\n if (config.apiKey) {\n headers['X-API-Key'] = config.apiKey;\n }\n\n if (credentials.authorizationHeader) {\n headers['Authorization'] = credentials.authorizationHeader;\n }\n\n try {\n const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n const data = await response.json();\n\n if (!response.ok) {\n return {\n success: false,\n error: data.message \|\| data.error \|\| `API returned ${response.status}`,\n };\n }\n\n return data;\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n success: false,\n error: `Failed to call verify-access API: ${message}`,\n };\n }\n}\n\n/\n Main verification function\n /\nexport async function verify(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n\n // Check for credentials\n if (!hasCredentials(request.credentials)) {\n return createGuidanceResponse(mergedConfig, 'No agent credentials provided');\n }\n\n // Check cache first\n if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {\n const cached = getCachedResult(request.credentials);\n if (cached) {\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Returning cached result');\n }\n return cached;\n }\n }\n\n // Inject counterparty info from config if not already set in request\n const enrichedRequest = { ...request };\n if (!enrichedRequest.counterpartyUrl && mergedConfig.counterpartyUrl) {\n enrichedRequest.counterpartyUrl = mergedConfig.counterpartyUrl;\n }\n if (!enrichedRequest.counterpartyType && mergedConfig.counterpartyType) {\n enrichedRequest.counterpartyType = mergedConfig.counterpartyType;\n }\n\n // Call the API\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Calling verify-access API');\n }\n\n const apiResponse = await callVerifyAccessAPI(mergedConfig, enrichedRequest);\n\n // Handle API errors\n if (!apiResponse.success) {\n return createGuidanceResponse(mergedConfig, apiResponse.error);\n }\n\n // Check access result\n if (!apiResponse.access?.allowed) {\n const result: EnhancedVerificationResult = {\n verified: false,\n accessLevel: 'guidance',\n denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ['Access denied'],\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n guidance: {\n message: apiResponse.access?.reason \|\| 'Access denied by PDLSS policy',\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n // Extract sessionId so decisions can be recorded for denials too\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n recommendation: (apiResponse as Record<string, unknown>).recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as string[] \| undefined,\n };\n\n return result;\n }\n\n // Build successful result\n const agent: VerifiedAgent \| undefined = apiResponse.agent\n ? {\n astraId: apiResponse.agent.astraId,\n name: apiResponse.agent.name,\n trustScore: apiResponse.agent.trustScore,\n trustLevel: getTrustLevel(apiResponse.agent.trustScore),\n blockchainVerified: apiResponse.agent.blockchainStatus === 'verified',\n status: apiResponse.agent.agentStatus as VerifiedAgent['status'],\n }\n : undefined;\n\n const developer: VerifiedDeveloper \| undefined = apiResponse.developer\n ? {\n astradId: apiResponse.developer.kyaOwnerId,\n name: apiResponse.developer.fullName,\n trustScore: apiResponse.developer.trustScore \|\| 0,\n verified: apiResponse.developer.identityVerified,\n }\n : undefined;\n\n const organization: VerifiedOrganization \| undefined = apiResponse.organization\n ? {\n name: apiResponse.organization.name,\n verified: apiResponse.organization.verified,\n trustScore: apiResponse.organization.trustScore,\n }\n : undefined;\n\n const pdlss: PDLSSInfo \| undefined = apiResponse.access?.pdlss\n ? {\n purposeAllowed: apiResponse.access.pdlss.purposeAllowed,\n withinDuration: apiResponse.access.pdlss.withinDuration,\n withinLimits: apiResponse.access.pdlss.withinLimits,\n scopeAllowed: apiResponse.access.pdlss.scopeAllowed,\n selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,\n appliedPolicy: apiResponse.access.appliedPolicy,\n }\n : undefined;\n\n // Determine access level based on trust score\n const trustScore = agent?.trustScore \|\| 0;\n const isOrgMember = false; // TODO: Check if agent belongs to same org as counterparty\n const accessLevel: AccessLevel = determineAccessLevel(\n true,\n trustScore,\n isOrgMember,\n {\n 'read-only': 20,\n standard: mergedConfig.minTrustScore \|\| 40,\n full: mergedConfig.minTrustScoreForFull \|\| 70,\n }\n );\n\n const result: EnhancedVerificationResult = {\n verified: true,\n accessLevel,\n agent,\n developer,\n organization,\n pdlss,\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n verifiedAt: new Date(),\n cacheTtl: mergedConfig.cacheTtl,\n // Handshake Protocol v10 enhanced fields (present when backend returns them)\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n runtimeChallenge: (apiResponse as Record<string, unknown>).runtimeChallenge as RuntimeChallengeResult \| undefined,\n tokenGuidance: (apiResponse as Record<string, unknown>).tokenGuidance as TokenGuidance \| undefined,\n recommendation: (apiResponse as Record<string, unknown>).recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as string[] \| undefined,\n };\n\n // Enforce AstraSync recommendation\n if (result.recommendation === 'deny') {\n result.verified = false;\n result.accessLevel = 'none';\n result.denialReasons = result.recommendationReasons \|\| ['Access denied by AstraSync recommendation'];\n if (result.runtimeChallenge) {\n result.guidance = {\n message: `Verification failed: ${result.runtimeChallenge.reason \|\| 'runtime challenge failed'}`,\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/runtime-challenge`,\n };\n }\n } else if (result.recommendation === 'step_up_required') {\n result.requiresStepUp = true;\n if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY['read-only']) {\n result.accessLevel = 'read-only';\n }\n result.denialReasons = result.recommendationReasons \|\| ['Step-up verification required'];\n }\n\n // Cache the result (skip caching denials — agent may fix challenge endpoint and retry)\n if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0 && result.recommendation !== 'deny') {\n cacheResult(request.credentials, result, mergedConfig.cacheTtl);\n }\n\n return result;\n}\n\n/\n Record a counterparty's grant/deny decision for a verification session.\n * Fire-and-forget — errors are silently swallowed.\n /\nexport async function recordDecision(\n config: GatewayConfig,\n sessionId: string,\n decision: 'granted' \| 'denied',\n reason?: string,\n): Promise<void> {\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) headers['X-API-Key'] = config.apiKey;\n\n await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {\n method: 'POST',\n headers,\n body: JSON.stringify({ decision, reason }),\n }).catch(() => { / fire-and-forget / });\n}\n\n/\n Verify an agent AND automatically record the grant/deny decision.\n \n This is the recommended entry point for counterparties that call verify()\n * directly (e.g. MCP servers) rather than using createMiddleware().\n * It adds createSession: true, then fire-and-forgets the decision.\n /\nexport async function verifyAndRecord(\n config: GatewayConfig,\n request: VerificationRequest,\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n const result = await verify(mergedConfig, { ...request, createSession: true });\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n if (sessionId) {\n if (result.verified) {\n recordDecision(mergedConfig, sessionId, 'granted').catch(() => {});\n } else {\n recordDecision(mergedConfig, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n }\n\n return result;\n}\n\n/\n Quick verification - just check if credentials are valid\n /\nexport async function quickVerify(\n config: GatewayConfig,\n credentials: AgentCredentials\n): Promise<{ verified: boolean; accessLevel: AccessLevel; reason?: string }> {\n const result = await verify(config, {\n credentials,\n purpose: 'verification',\n });\n\n return {\n verified: result.verified,\n accessLevel: result.accessLevel,\n reason: result.denialReasons?.[0],\n };\n}\n","/\n AstraSync Universal Verification Gateway - Express Middleware\n \n Express.js middleware for verifying AI agents on API endpoints.\n \n @example\n * ```typescript\n * import express from 'express';\n * import { createMiddleware } from '@astrasyncai/verification-gateway/express';\n \n const app = express();\n \n app.use(createMiddleware({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/data/', method: 'GET', minAccessLevel: 'read-only' },\n { pattern: '/api/data/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/api/admin/', method: '', minAccessLevel: 'internal' },\n * ],\n * }));\n * ```\n /\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport type {\n ExpressMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n EnhancedVerificationResult,\n RouteAccessConfig,\n AccessLevel,\n AstraSyncCredentials,\n} from '../types';\nimport { verify, extractCredentials, hasCredentials, recordDecision } from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\nimport { extractHttpCredentials } from '../transport/http';\n\n/\n Extend Express Request with verification result\n /\ndeclare global {\n // eslint-disable-next-line @typescript-eslint/no-namespace\n namespace Express {\n interface Request {\n agentVerification?: VerificationResult;\n }\n }\n}\n\n/\n Default credential extractor\n /\nfunction defaultExtractCredentials(req: Request): AgentCredentials {\n return extractCredentials(\n req.headers as Record<string, string \| string[] \| undefined>,\n req.query as Record<string, string \| undefined>\n );\n}\n\n/\n Extract extended AstraSync credentials (X-Astra-* headers) from Express request.\n * Returns null if no AstraSync headers are present.\n /\nexport function extractAstraSyncCredentials(req: Request): AstraSyncCredentials \| null {\n return extractHttpCredentials(req.headers as Record<string, string \| string[] \| undefined>);\n}\n\n/\n Default purpose extractor\n /\nfunction defaultExtractPurpose(req: Request): string \| undefined {\n // Try to get purpose from header\n const purposeHeader = req.headers['x-purpose'] \|\| req.headers['X-Purpose'];\n if (purposeHeader) {\n return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;\n }\n\n // Try to get from query\n if (req.query.purpose && typeof req.query.purpose === 'string') {\n return req.query.purpose;\n }\n\n // Infer from method\n switch (req.method) {\n case 'GET':\n return 'read';\n case 'POST':\n return 'create';\n case 'PUT':\n case 'PATCH':\n return 'update';\n case 'DELETE':\n return 'delete';\n default:\n return 'general';\n }\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n // Convert pattern to regex\n const regexPattern = pattern\n .replace(/\\/g, '.')\n .replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches = route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Default denied handler\n /\nfunction defaultOnDenied(\n result: VerificationResult,\n _req: Request,\n res: Response\n): void {\n const statusCode = result.verified ? 403 : 401;\n\n res.status(statusCode).json({\n success: false,\n error: {\n code: result.verified ? 'INSUFFICIENT_ACCESS' : 'UNAUTHORIZED',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n guidance: result.guidance,\n },\n });\n}\n\n/\n Create Express middleware for agent verification\n /\nexport function createMiddleware(options: ExpressMiddlewareOptions): RequestHandler {\n const {\n routes = [],\n extractCredentials: customExtractCredentials,\n extractPurpose: customExtractPurpose,\n skipPaths = [],\n onDenied = defaultOnDenied,\n recordDecisions,\n ...config\n } = options;\n\n return async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n try {\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));\n if (shouldSkip) {\n return next();\n }\n\n // Find route configuration\n const routeConfig = findRouteConfig(routes, req.path, req.method);\n\n // If no route config, skip verification (allow through)\n if (!routeConfig) {\n return next();\n }\n\n // If route requires 'none' access, skip verification\n if (routeConfig.minAccessLevel === 'none') {\n return next();\n }\n\n // Extract credentials\n const credentials = customExtractCredentials\n ? customExtractCredentials(req)\n : defaultExtractCredentials(req);\n\n // If no credentials and access required, deny\n if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== 'guidance') {\n const result: VerificationResult = {\n verified: false,\n accessLevel: 'none',\n denialReasons: ['No agent credentials provided'],\n guidance: {\n message: 'This endpoint requires agent verification. Please provide your ASTRA-ID.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/agent-access`,\n },\n verifiedAt: new Date(),\n };\n\n req.agentVerification = result;\n onDenied(result, req, res);\n return;\n }\n\n // Extract purpose\n const purpose = customExtractPurpose\n ? customExtractPurpose(req)\n : defaultExtractPurpose(req);\n\n // Verify the agent\n const shouldRecordDecisions = recordDecisions !== false;\n const result = await verify(config, {\n credentials,\n purpose,\n action: req.method.toLowerCase(),\n resource: req.path,\n clientIp: req.ip,\n userAgent: req.headers['user-agent'],\n createSession: shouldRecordDecisions,\n });\n\n // Attach result to request\n req.agentVerification = result;\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n // Check if access level is sufficient\n if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n\n // Check trust score requirement if specified\n if (routeConfig.minTrustScore && result.agent) {\n if (result.agent.trustScore < routeConfig.minTrustScore) {\n result.denialReasons = [\n `Trust score ${result.agent.trustScore} is below required ${routeConfig.minTrustScore}`,\n ];\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', result.denialReasons[0]).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n }\n\n // All checks passed — record grant decision\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'granted').catch(() => {});\n }\n next();\n } catch (error) {\n // Log error and continue (fail open by default)\n console.error('[VerificationGateway] Middleware error:', error);\n next();\n }\n };\n}\n\n/\n Create a middleware that requires a specific access level\n /\nexport function requireAccess(minAccessLevel: AccessLevel, options: ExpressMiddlewareOptions): RequestHandler {\n return createMiddleware({\n ...options,\n routes: [\n { pattern: '', method: '', minAccessLevel },\n ],\n });\n}\n\n/\n Create a middleware that only verifies (doesn't block)\n /\nexport function verifyOnly(options: Omit<ExpressMiddlewareOptions, 'routes' \| 'onDenied'>): RequestHandler {\n return createMiddleware({\n ...options,\n routes: [\n { pattern: '', method: '', minAccessLevel: 'none' },\n ],\n });\n}\n","/\n HTTP Transport Adapter\n \n Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\nconst HEADER_PREFIX = 'X-Astra-';\n\n/\n Inject AstraSync credentials into HTTP headers.\n /\nexport function setHttpHeaders(\n headers: Record<string, string>,\n credentials: AstraSyncCredentials,\n): Record<string, string> {\n const result = { ...headers };\n\n result[`${HEADER_PREFIX}ID`] = credentials.agentId;\n\n if (credentials.verifyUrl) {\n result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;\n }\n\n if (credentials.challengeUrl) {\n result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;\n }\n\n if (credentials.pdlss?.purpose) {\n const purposeValue = credentials.pdlss.purpose.action\n ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}`\n : credentials.pdlss.purpose.category;\n result[`${HEADER_PREFIX}Purpose`] = purposeValue;\n }\n\n if (credentials.pdlss?.duration?.maxSessionDuration) {\n result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);\n }\n\n if (credentials.pdlss?.scope?.jurisdiction) {\n result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;\n }\n\n return result;\n}\n\n/\n Extract AstraSync credentials from HTTP headers.\n /\nexport function extractHttpCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n): AstraSyncCredentials \| null {\n const getValue = (key: string): string \| undefined => {\n const v = headers[key] ?? headers[key.toLowerCase()];\n return Array.isArray(v) ? v[0] : v;\n };\n\n const agentId = getValue(`${HEADER_PREFIX}ID`) ?? getValue('x-astra-id');\n if (!agentId) return null;\n\n const credentials: AstraSyncCredentials = { agentId };\n\n const verifyUrl = getValue(`${HEADER_PREFIX}Verify`) ?? getValue('x-astra-verify');\n if (verifyUrl) credentials.verifyUrl = verifyUrl;\n\n const challengeUrl = getValue(`${HEADER_PREFIX}Challenge`) ?? getValue('x-astra-challenge');\n if (challengeUrl) credentials.challengeUrl = challengeUrl;\n\n const purpose = getValue(`${HEADER_PREFIX}Purpose`) ?? getValue('x-astra-purpose');\n if (purpose) {\n const [category, action] = purpose.split(':');\n credentials.pdlss = {\n ...credentials.pdlss,\n purpose: { category, action },\n };\n }\n\n const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue('x-astra-duration');\n if (duration) {\n credentials.pdlss = {\n ...credentials.pdlss,\n duration: { maxSessionDuration: parseInt(duration, 10) },\n };\n }\n\n const scope = getValue(`${HEADER_PREFIX}Scope`) ?? getValue('x-astra-scope');\n if (scope) {\n credentials.pdlss = {\n ...credentials.pdlss,\n scope: { jurisdiction: scope },\n };\n }\n\n return credentials;\n}\n","/\n AstraSync Universal Verification Gateway - Next.js Middleware\n \n Next.js middleware for verifying AI agents on web applications.\n * Supports Commerce Shield overlay for unverified agents.\n \n @example\n * ```typescript\n * // middleware.ts\n * import { createMiddleware } from '@astrasyncai/verification-gateway/nextjs';\n \n export const middleware = createMiddleware({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * showCommerceShield: true,\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/dashboard/', method: '', minAccessLevel: 'read-only' },\n * ],\n * });\n \n export const config = {\n * matcher: ['/api/:path', '/dashboard/:path'],\n * };\n * ```\n /\n\nimport type { NextRequest } from 'next/server';\nimport type {\n NextJsMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n RouteAccessConfig,\n} from '../types';\nimport { verify, hasCredentials } from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\n\n/\n Extract credentials from Next.js request\n /\nfunction extractCredentialsFromNextRequest(request: NextRequest): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers\n const astraId = request.headers.get('x-astra-id') \|\| request.headers.get('X-Astra-Id');\n if (astraId) {\n credentials.astraId = astraId;\n }\n\n // Check for API key\n const apiKey = request.headers.get('x-api-key') \|\| request.headers.get('X-Api-Key');\n if (apiKey) {\n credentials.apiKey = apiKey;\n }\n\n // Check Authorization header\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n credentials.authorizationHeader = authHeader;\n if (authHeader.startsWith('Bearer ')) {\n credentials.jwt = authHeader.slice(7);\n }\n }\n\n // Check query parameters\n const url = new URL(request.url);\n const astraIdParam = url.searchParams.get('astraId');\n const apiKeyParam = url.searchParams.get('apiKey');\n\n if (astraIdParam && !credentials.astraId) {\n credentials.astraId = astraIdParam;\n }\n if (apiKeyParam && !credentials.apiKey) {\n credentials.apiKey = apiKeyParam;\n }\n\n return credentials;\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n const regexPattern = pattern\n .replace(/\\/g, '.')\n .replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches = route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Infer purpose from request method\n /\nfunction inferPurpose(method: string): string {\n switch (method.toUpperCase()) {\n case 'GET':\n return 'read';\n case 'POST':\n return 'create';\n case 'PUT':\n case 'PATCH':\n return 'update';\n case 'DELETE':\n return 'delete';\n default:\n return 'general';\n }\n}\n\n/\n Generate Commerce Shield HTML response\n /\nfunction generateCommerceShieldHtml(\n result: VerificationResult,\n options: NextJsMiddlewareOptions\n): string {\n const title = options.commerceShield?.title \|\| 'AstraSync Agent Verification';\n const message = options.commerceShield?.message \|\|\n result.guidance?.message \|\|\n 'This site verifies AI agents before granting access. We noticed you\\'re visiting without AstraSync credentials.';\n const registrationUrl = result.guidance?.registrationUrl \|\| 'https://astrasync.ai/register';\n const docsUrl = result.guidance?.documentationUrl \|\| 'https://astrasync.ai/docs/agent-access';\n const allowGuest = options.commerceShield?.allowGuestAccess ?? true;\n\n return `\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>${title}</title>\n <style>\n {\n box-sizing: border-box;\n margin: 0;\n padding: 0;\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;\n background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);\n min-height: 100vh;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px;\n }\n .shield-container {\n background: rgba(255, 255, 255, 0.95);\n border-radius: 16px;\n box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);\n max-width: 480px;\n width: 100%;\n padding: 40px;\n text-align: center;\n }\n .shield-icon {\n font-size: 48px;\n margin-bottom: 20px;\n }\n .shield-title {\n font-size: 24px;\n font-weight: 700;\n color: #1a1a2e;\n margin-bottom: 16px;\n }\n .shield-message {\n color: #4a5568;\n line-height: 1.6;\n margin-bottom: 24px;\n }\n .shield-steps {\n text-align: left;\n background: #f7fafc;\n border-radius: 8px;\n padding: 20px;\n margin-bottom: 24px;\n }\n .shield-steps h3 {\n font-size: 14px;\n font-weight: 600;\n color: #2d3748;\n margin-bottom: 12px;\n }\n .shield-steps ol {\n padding-left: 20px;\n color: #4a5568;\n }\n .shield-steps li {\n margin-bottom: 8px;\n }\n .shield-buttons {\n display: flex;\n flex-direction: column;\n gap: 12px;\n }\n .btn {\n display: inline-block;\n padding: 14px 24px;\n border-radius: 8px;\n font-weight: 600;\n text-decoration: none;\n transition: all 0.2s;\n cursor: pointer;\n border: none;\n font-size: 16px;\n }\n .btn-primary {\n background: linear-gradient(135deg, #6366f1 0%, #4f46e5 100%);\n color: white;\n }\n .btn-primary:hover {\n transform: translateY(-2px);\n box-shadow: 0 4px 12px rgba(99, 102, 241, 0.4);\n }\n .btn-secondary {\n background: #e2e8f0;\n color: #4a5568;\n }\n .btn-secondary:hover {\n background: #cbd5e0;\n }\n .shield-footer {\n margin-top: 24px;\n font-size: 14px;\n color: #718096;\n }\n .shield-footer a {\n color: #6366f1;\n text-decoration: none;\n }\n .shield-footer a:hover {\n text-decoration: underline;\n }\n </style>\n</head>\n<body>\n <div class=\"shield-container\">\n <div class=\"shield-icon\">🛡️</div>\n <h1 class=\"shield-title\">${title}</h1>\n <p class=\"shield-message\">${message}</p>\n\n <div class=\"shield-steps\">\n <h3>To get verified access:</h3>\n <ol>\n <li>Register at <a href=\"${registrationUrl}\">astrasync.ai/register</a></li>\n <li>Create and register your agent</li>\n <li>Add your ASTRA-ID to request headers</li>\n <li>Refresh this page</li>\n </ol>\n </div>\n\n <div class=\"shield-buttons\">\n <a href=\"${registrationUrl}\" class=\"btn btn-primary\">Register Now</a>\n ${allowGuest ? '<button onclick=\"window.location.reload()\" class=\"btn btn-secondary\">Continue as Guest (Limited)</button>' : ''}\n </div>\n\n <p class=\"shield-footer\">\n Learn more: <a href=\"${docsUrl}\">Agent Access Documentation</a>\n </p>\n </div>\n</body>\n</html>\n `.trim();\n}\n\n/*\n Create Next.js middleware for agent verification\n /\nexport function createMiddleware(options: NextJsMiddlewareOptions) {\n const {\n routes = [],\n skipPaths = [],\n showCommerceShield = true,\n ...config\n } = options;\n\n return async function middleware(request: NextRequest) {\n // Dynamic import NextResponse to avoid build issues\n const { NextResponse } = await import('next/server');\n\n const pathname = request.nextUrl.pathname;\n\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, pathname));\n if (shouldSkip) {\n return NextResponse.next();\n }\n\n // Find route configuration\n const routeConfig = findRouteConfig(routes, pathname, request.method);\n\n // If no route config, allow through\n if (!routeConfig) {\n return NextResponse.next();\n }\n\n // If route requires 'none' access, allow through\n if (routeConfig.minAccessLevel === 'none') {\n return NextResponse.next();\n }\n\n // Extract credentials\n const credentials = extractCredentialsFromNextRequest(request);\n\n // If no credentials and not just guidance level\n if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== 'guidance') {\n const result: VerificationResult = {\n verified: false,\n accessLevel: 'none',\n denialReasons: ['No agent credentials provided'],\n guidance: {\n message: 'This page requires agent verification.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/agent-access`,\n },\n verifiedAt: new Date(),\n };\n\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n code: 'UNAUTHORIZED',\n message: 'No agent credentials provided',\n guidance: result.guidance,\n },\n },\n { status: 401 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(result, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n // Otherwise redirect to login/register\n const registerUrl = result.guidance?.registrationUrl \|\| '/register';\n return NextResponse.redirect(new URL(registerUrl, request.url));\n }\n\n // Verify the agent\n const purpose = request.headers.get('x-purpose') \|\| inferPurpose(request.method);\n const result = await verify(config, {\n credentials,\n purpose,\n action: request.method.toLowerCase(),\n resource: pathname,\n clientIp: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() \|\| undefined,\n userAgent: request.headers.get('user-agent') \|\| undefined,\n });\n\n // Check if access level is sufficient\n if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n code: result.verified ? 'INSUFFICIENT_ACCESS' : 'UNAUTHORIZED',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n required: routeConfig.minAccessLevel,\n guidance: result.guidance,\n },\n },\n { status: result.verified ? 403 : 401 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(result, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n // Redirect to unauthorized page\n return NextResponse.redirect(new URL('/unauthorized', request.url));\n }\n\n // All checks passed - continue with verification info in headers\n const response = NextResponse.next();\n\n // Add verification info to response headers\n response.headers.set('X-AstraSync-Verified', result.verified.toString());\n response.headers.set('X-AstraSync-Access-Level', result.accessLevel);\n\n if (result.agent) {\n response.headers.set('X-AstraSync-Agent-Id', result.agent.astraId);\n response.headers.set('X-AstraSync-Trust-Score', result.agent.trustScore.toString());\n }\n\n return response;\n };\n}\n\n/\n Helper to create matcher config\n /\nexport function createMatcherConfig(paths: string[]): { matcher: string[] } {\n return { matcher: paths };\n}\n","/\n AstraSync Universal Verification Gateway - SDK Adapter\n \n Direct SDK for verifying agents in any JavaScript/TypeScript environment.\n * Useful for agent-to-agent verification, serverless functions, or custom integrations.\n \n @example\n * ```typescript\n * import { createClient } from '@astrasyncai/verification-gateway/sdk';\n \n const gateway = createClient({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * });\n \n // Verify another agent before interacting\n * const result = await gateway.verify({\n * astraId: 'ASTRA-abc123',\n * purpose: 'data-exchange',\n * });\n \n if (result.verified && result.accessLevel !== 'none') {\n * // Safe to interact with this agent\n * }\n * ```\n /\n\nimport type {\n SDKOptions,\n AgentCredentials,\n VerificationResult,\n AccessLevel,\n GatewayConfig,\n} from '../types';\nimport { verify as coreVerify, quickVerify as coreQuickVerify, clearCache } from '../verify';\nimport { getTrustLevel, hasMinimumAccess, getCapabilities } from '../access-levels';\nimport type { AccessCapabilities } from '../access-levels';\n\n/\n Verification Gateway SDK Client\n /\nexport class VerificationGatewayClient {\n private config: GatewayConfig;\n private timeout: number;\n private retryConfig: { maxRetries: number; backoffMs: number };\n\n constructor(options: SDKOptions) {\n this.config = {\n apiBaseUrl: options.apiBaseUrl,\n apiKey: options.apiKey,\n defaultAccessLevel: options.defaultAccessLevel,\n minTrustScore: options.minTrustScore,\n minTrustScoreForFull: options.minTrustScoreForFull,\n cacheTtl: options.cacheTtl,\n debug: options.debug,\n customHeaders: options.customHeaders,\n };\n\n this.timeout = options.timeout \|\| 10000;\n this.retryConfig = options.retry \|\| { maxRetries: 3, backoffMs: 1000 };\n }\n\n /\n Full verification with all details\n /\n async verify(options: {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n purpose?: string;\n action?: string;\n resourceType?: string;\n resource?: string;\n jurisdiction?: string;\n transactionValue?: number;\n currency?: string;\n isSubAgentRequest?: boolean;\n parentAgentId?: string;\n subAgentDepth?: number;\n }): Promise<VerificationResult> {\n const credentials: AgentCredentials = {\n astraId: options.astraId,\n apiKey: options.apiKey,\n jwt: options.jwt,\n };\n\n return this.executeWithRetry(() =>\n coreVerify(this.config, {\n credentials,\n purpose: options.purpose,\n action: options.action,\n resourceType: options.resourceType,\n resource: options.resource,\n jurisdiction: options.jurisdiction,\n transactionValue: options.transactionValue,\n currency: options.currency,\n isSubAgentRequest: options.isSubAgentRequest,\n parentAgentId: options.parentAgentId,\n subAgentDepth: options.subAgentDepth,\n })\n );\n }\n\n /\n Quick verification - just check if credentials are valid\n /\n async quickVerify(credentials: {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n }): Promise<{ verified: boolean; accessLevel: AccessLevel; reason?: string }> {\n return this.executeWithRetry(() => coreQuickVerify(this.config, credentials));\n }\n\n /\n Check if an agent has a specific access level\n /\n async hasAccess(\n credentials: { astraId?: string; apiKey?: string; jwt?: string },\n requiredLevel: AccessLevel\n ): Promise<boolean> {\n const result = await this.quickVerify(credentials);\n return hasMinimumAccess(result.accessLevel, requiredLevel);\n }\n\n /\n Get capabilities for a verified agent\n /\n async getCapabilities(credentials: {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n }): Promise<AccessCapabilities> {\n const result = await this.quickVerify(credentials);\n return getCapabilities(result.accessLevel);\n }\n\n /\n Verify a specific ASTRA-ID\n /\n async verifyAstraId(\n astraId: string,\n options?: {\n purpose?: string;\n action?: string;\n }\n ): Promise<VerificationResult> {\n return this.verify({\n astraId,\n purpose: options?.purpose,\n action: options?.action,\n });\n }\n\n /\n Verify using an API key\n /\n async verifyApiKey(\n apiKey: string,\n options?: {\n purpose?: string;\n action?: string;\n }\n ): Promise<VerificationResult> {\n return this.verify({\n apiKey,\n purpose: options?.purpose,\n action: options?.action,\n });\n }\n\n /\n Clear the verification cache\n /\n clearCache(): void {\n clearCache();\n }\n\n /\n Execute a function with retry logic\n /\n private async executeWithRetry<T>(fn: () => Promise<T>): Promise<T> {\n let lastError: Error \| null = null;\n\n for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {\n try {\n // Add timeout\n const result = await Promise.race([\n fn(),\n new Promise<never>((_, reject) =>\n setTimeout(() => reject(new Error('Request timeout')), this.timeout)\n ),\n ]);\n\n return result;\n } catch (error) {\n lastError = error instanceof Error ? error : new Error(String(error));\n\n // Don't retry on last attempt\n if (attempt < this.retryConfig.maxRetries) {\n // Exponential backoff\n const backoff = this.retryConfig.backoffMs Math.pow(2, attempt);\n await new Promise((resolve) => setTimeout(resolve, backoff));\n }\n }\n }\n\n throw lastError \|\| new Error('Verification failed after retries');\n }\n}\n\n/*\n Create a new SDK client\n /\nexport function createClient(options: SDKOptions): VerificationGatewayClient {\n return new VerificationGatewayClient(options);\n}\n\n/\n One-shot verification without creating a client\n /\nexport async function verifyOnce(\n options: SDKOptions & {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n purpose?: string;\n action?: string;\n }\n): Promise<VerificationResult> {\n const client = createClient(options);\n return client.verify(options);\n}\n\n// Re-export utilities for convenience\nexport { getTrustLevel, hasMinimumAccess, getCapabilities };\n","/\n Cross-Protocol Transport Module\n \n Provides adapters for injecting/extracting AstraSync credentials\n * across HTTP, A2A, and MCP protocols.\n /\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders, extractHttpCredentials } from './http';\nimport { setA2AMetadata, extractA2ACredentials } from './a2a';\nimport { setMcpMeta, extractMcpCredentials } from './mcp';\n\nexport { setHttpHeaders, extractHttpCredentials } from './http';\nexport { setA2AMetadata, extractA2ACredentials } from './a2a';\nexport { setMcpMeta, extractMcpCredentials } from './mcp';\n\n/\n Auto-detect protocol from request/context shape.\n /\nexport function detectProtocol(context: Record<string, unknown>): ProtocolTransport {\n // A2A: has metadata block with task-like structure\n if (context.metadata && typeof context.metadata === 'object') {\n return 'a2a';\n }\n\n // MCP: has _meta block (MCP convention)\n if (context._meta && typeof context._meta === 'object') {\n return 'mcp';\n }\n\n // Default to HTTP\n return 'http';\n}\n\n/\n Apply credentials to any protocol target.\n /\nexport function applyCredentials(\n protocol: ProtocolTransport,\n target: Record<string, unknown>,\n credentials: AstraSyncCredentials,\n): Record<string, unknown> {\n switch (protocol) {\n case 'http':\n return setHttpHeaders(target as Record<string, string>, credentials);\n case 'a2a':\n return setA2AMetadata(target, credentials);\n case 'mcp':\n return setMcpMeta(target, credentials);\n default:\n return target;\n }\n}\n\n/\n Extract credentials from any protocol context.\n /\nexport function extractCredentialsFromProtocol(\n protocol: ProtocolTransport,\n context: Record<string, unknown>,\n): AstraSyncCredentials \| null {\n switch (protocol) {\n case 'http':\n return extractHttpCredentials(context as Record<string, string \| string[] \| undefined>);\n case 'a2a':\n return extractA2ACredentials(context);\n case 'mcp':\n return extractMcpCredentials(context);\n default:\n return null;\n }\n}\n","/\n A2A (Agent-to-Agent) Transport Adapter\n \n Maps AstraSync credentials to/from A2A task metadata.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface A2ATask {\n metadata?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMetadata {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to an A2A task's metadata block.\n /\nexport function setA2AMetadata(\n task: A2ATask,\n credentials: AstraSyncCredentials,\n): A2ATask {\n const astrasync: AstraSyncMetadata = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...task,\n metadata: {\n ...task.metadata,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from an A2A task's metadata block.\n /\nexport function extractA2ACredentials(task: A2ATask): AstraSyncCredentials \| null {\n const meta = task.metadata?.astrasync as AstraSyncMetadata \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n MCP (Model Context Protocol) Transport Adapter\n \n Maps AstraSync credentials to/from MCP params._meta.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface McpParams {\n _meta?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMeta {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to MCP params' _meta block.\n /\nexport function setMcpMeta(\n params: McpParams,\n credentials: AstraSyncCredentials,\n): McpParams {\n const astrasync: AstraSyncMeta = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...params,\n _meta: {\n ...params._meta,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from MCP params' _meta block.\n /\nexport function extractMcpCredentials(params: McpParams): AstraSyncCredentials \| null {\n const meta = params._meta?.astrasync as AstraSyncMeta \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n Agent-Side SDK Module\n \n Tools for AI agents to present credentials, handle challenges,\n * and interact with the AstraSync verification protocol.\n /\n\nexport { AgentClient } from './client';\nexport { ChallengeHandler } from './challenge-handler';\nexport { formatPDLSSForTransport, parsePDLSSFromTransport } from './pdlss-formatter';\nexport type { PDLSSConfig, TransportPDLSS } from './pdlss-formatter';\nexport { recordDecision } from './decision-client';\n","/\n AgentClient — Credential Presentation\n \n Agent-side SDK for automatically injecting AstraSync credentials\n * into outgoing requests across all supported protocols.\n /\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders } from '../transport/http';\nimport { setA2AMetadata } from '../transport/a2a';\nimport { setMcpMeta } from '../transport/mcp';\nimport { applyCredentials } from '../transport';\n\ninterface AgentClientConfig {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n pdlss?: AstraSyncCredentials['pdlss'];\n}\n\ninterface FetchOptions extends RequestInit {\n purpose?: string;\n action?: string;\n}\n\nexport class AgentClient {\n private credentials: AstraSyncCredentials;\n\n constructor(config: AgentClientConfig) {\n this.credentials = {\n agentId: config.agentId,\n verifyUrl: config.verifyUrl ?? 'https://api.astrasync.ai/agents/verify-access',\n challengeUrl: config.challengeUrl,\n pdlss: config.pdlss,\n };\n }\n\n /\n Make an HTTP request with AstraSync headers automatically injected.\n /\n async fetch(url: string, options?: FetchOptions): Promise<Response> {\n const { purpose, action, ...fetchOptions } = options ?? {};\n\n // Build credentials with optional overrides\n const creds: AstraSyncCredentials = { ...this.credentials };\n if (purpose) {\n creds.pdlss = {\n ...creds.pdlss,\n purpose: { category: purpose, action },\n };\n }\n\n // Inject AstraSync headers\n const existingHeaders: Record<string, string> = {};\n if (fetchOptions.headers) {\n if (fetchOptions.headers instanceof Headers) {\n fetchOptions.headers.forEach((value, key) => {\n existingHeaders[key] = value;\n });\n } else if (Array.isArray(fetchOptions.headers)) {\n for (const [key, value] of fetchOptions.headers) {\n existingHeaders[key] = value;\n }\n } else {\n Object.assign(existingHeaders, fetchOptions.headers);\n }\n }\n\n const enrichedHeaders = setHttpHeaders(existingHeaders, creds);\n\n return fetch(url, {\n ...fetchOptions,\n headers: enrichedHeaders,\n });\n }\n\n /\n Prepare A2A task metadata with AstraSync credentials.\n /\n prepareA2AMetadata(\n task: Record<string, unknown>,\n overrides?: { purpose?: string; action?: string },\n ): Record<string, unknown> {\n const creds = this.buildCredentials(overrides);\n return setA2AMetadata(task, creds);\n }\n\n /\n Prepare MCP params with AstraSync _meta.\n /\n prepareMcpMeta(\n params: Record<string, unknown>,\n overrides?: { purpose?: string; action?: string },\n ): Record<string, unknown> {\n const creds = this.buildCredentials(overrides);\n return setMcpMeta(params, creds);\n }\n\n /\n Generic: apply credentials to any protocol.\n /\n applyCredentials(\n protocol: ProtocolTransport,\n target: Record<string, unknown>,\n overrides?: { purpose?: string; action?: string },\n ): Record<string, unknown> {\n const creds = this.buildCredentials(overrides);\n return applyCredentials(protocol, target, creds);\n }\n\n private buildCredentials(overrides?: { purpose?: string; action?: string }): AstraSyncCredentials {\n if (!overrides?.purpose) return this.credentials;\n\n return {\n ...this.credentials,\n pdlss: {\n ...this.credentials.pdlss,\n purpose: { category: overrides.purpose, action: overrides.action },\n },\n };\n }\n}\n","/\n ChallengeHandler — Agent-Side Runtime Challenge Responder\n \n Handles incoming runtime challenges from AstraSync's verification service.\n * Agents register pending counterparties before initiating contact,\n * then this handler validates and responds to challenges.\n /\n\ninterface ChallengePayload {\n challengeId: string;\n type: string;\n counterpartyId?: string \| null;\n counterpartyUrl?: string \| null;\n question?: string;\n issuedAt: string;\n expiresAt: string;\n}\n\ninterface ChallengeResponse {\n status: number;\n body: {\n challengeId: string;\n acknowledged: boolean;\n pendingCounterparties: string[];\n respondedAt: string;\n error?: string;\n };\n}\n\ninterface ChallengeHandlerConfig {\n agentId: string;\n}\n\nexport class ChallengeHandler {\n private agentId: string;\n private pendingCounterparties: Set<string> = new Set();\n\n constructor(config: ChallengeHandlerConfig) {\n this.agentId = config.agentId;\n }\n\n /\n Register a counterparty as pending (before initiating contact).\n /\n registerPending(counterpartyId: string): void {\n this.pendingCounterparties.add(counterpartyId);\n }\n\n /\n Remove a counterparty from pending list (after interaction complete).\n /\n removePending(counterpartyId: string): void {\n this.pendingCounterparties.delete(counterpartyId);\n }\n\n /\n Get current pending counterparties list.\n /\n getPendingList(): string[] {\n return [...this.pendingCounterparties];\n }\n\n /\n Express middleware for the challenge endpoint.\n * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())\n /\n expressMiddleware(): (req: { body: unknown }, res: { status: (code: number) => { json: (body: unknown) => void } }) => void {\n return (req, res) => {\n const result = this.handleChallenge(req.body);\n res.status(result.status).json(result.body);\n };\n }\n\n /\n Generic handler (framework-agnostic).\n * Returns { status, body } for the caller to send.\n /\n handleChallenge(body: unknown): ChallengeResponse {\n // Validate payload shape\n if (!body \|\| typeof body !== 'object') {\n return {\n status: 400,\n body: {\n challengeId: '',\n acknowledged: false,\n pendingCounterparties: [],\n respondedAt: new Date().toISOString(),\n error: 'Invalid challenge payload',\n },\n };\n }\n\n const payload = body as ChallengePayload;\n\n if (!payload.challengeId \|\| !payload.issuedAt \|\| !payload.expiresAt) {\n return {\n status: 400,\n body: {\n challengeId: payload.challengeId ?? '',\n acknowledged: false,\n pendingCounterparties: [],\n respondedAt: new Date().toISOString(),\n error: 'Missing required challenge fields',\n },\n };\n }\n\n // Check if challenge has expired\n const now = new Date();\n const expiresAt = new Date(payload.expiresAt);\n if (now > expiresAt) {\n return {\n status: 410,\n body: {\n challengeId: payload.challengeId,\n acknowledged: false,\n pendingCounterparties: [],\n respondedAt: now.toISOString(),\n error: 'Challenge has expired',\n },\n };\n }\n\n // Respond with current pending list\n return {\n status: 200,\n body: {\n challengeId: payload.challengeId,\n acknowledged: true,\n pendingCounterparties: this.getPendingList(),\n respondedAt: now.toISOString(),\n },\n };\n }\n}\n","/\n PDLSS Formatter — Transport Format Conversion\n \n Converts between full PDLSS boundaries and compact transport format\n * used in HTTP headers, A2A metadata, and MCP _meta blocks.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\n/\n Full PDLSS configuration (as returned by the backend).\n /\nexport interface PDLSSConfig {\n purpose?: {\n categories?: string[];\n allowedActions?: string[];\n deniedActions?: string[];\n };\n duration?: {\n maxSessionDuration?: number;\n ttl?: number;\n allowedDays?: number[];\n allowedHours?: { start: number; end: number };\n };\n limits?: {\n autonomousThreshold?: number;\n stepUpThreshold?: number;\n approvalThreshold?: number;\n currency?: string;\n };\n scope?: {\n jurisdictions?: string[];\n resources?: string[];\n resourceTypes?: string[];\n };\n selfInstantiation?: {\n allowed: boolean;\n maxDepth?: number;\n maxSubAgents?: number;\n };\n}\n\n/\n Compact transport format (embedded in headers/metadata).\n /\nexport type TransportPDLSS = NonNullable<AstraSyncCredentials['pdlss']>;\n\n/\n Convert full PDLSS boundaries into compact transport format.\n * Used by AgentClient when building credential headers/metadata.\n /\nexport function formatPDLSSForTransport(pdlss: PDLSSConfig): TransportPDLSS {\n const transport: TransportPDLSS = {};\n\n // Purpose: pick the primary category and first allowed action\n if (pdlss.purpose?.categories?.length) {\n transport.purpose = {\n category: pdlss.purpose.categories[0],\n action: pdlss.purpose.allowedActions?.[0],\n };\n }\n\n // Duration: use the shorter of maxSessionDuration and ttl\n if (pdlss.duration) {\n const candidates: number[] = [];\n if (pdlss.duration.maxSessionDuration) candidates.push(pdlss.duration.maxSessionDuration);\n if (pdlss.duration.ttl) candidates.push(pdlss.duration.ttl);\n if (candidates.length > 0) {\n transport.duration = { maxSessionDuration: Math.min(...candidates) };\n }\n }\n\n // Scope: use the primary jurisdiction\n if (pdlss.scope?.jurisdictions?.length) {\n transport.scope = { jurisdiction: pdlss.scope.jurisdictions[0] };\n }\n\n return transport;\n}\n\n/\n Parse transport format back into full PDLSS config.\n * Used by counterparty-side when receiving credentials.\n /\nexport function parsePDLSSFromTransport(transport: TransportPDLSS): PDLSSConfig {\n const pdlss: PDLSSConfig = {};\n\n if (transport.purpose) {\n pdlss.purpose = {\n categories: [transport.purpose.category],\n allowedActions: transport.purpose.action ? [transport.purpose.action] : undefined,\n };\n }\n\n if (transport.duration) {\n pdlss.duration = {\n maxSessionDuration: transport.duration.maxSessionDuration,\n };\n }\n\n if (transport.scope) {\n pdlss.scope = {\n jurisdictions: transport.scope.jurisdiction ? [transport.scope.jurisdiction] : undefined,\n };\n }\n\n return pdlss;\n}\n","/\n Decision Client — Counterparty-Side Decision Recording\n \n Helper for counterparties to record their grant/deny decisions\n * back to AstraSync after receiving a verification result.\n /\n\nimport type { GatewayConfig } from '../types';\n\ninterface RecordDecisionParams {\n sessionId: string;\n decision: 'granted' \| 'denied';\n reason?: string;\n tokenIssued?: boolean;\n auditId?: string;\n}\n\ninterface RecordDecisionResult {\n recorded: boolean;\n blockchainTxHash?: string;\n}\n\n/\n Record a counterparty's grant/deny decision for a verification session.\n * POST to /agents/verify-access/:sessionId/decision\n */\nexport async function recordDecision(\n config: GatewayConfig,\n params: RecordDecisionParams,\n): Promise<RecordDecisionResult> {\n const { sessionId, ...body } = params;\n const baseUrl = config.apiBaseUrl.replace(/\\/$/, '');\n const url = `${baseUrl}/agents/verify-access/${encodeURIComponent(sessionId)}/decision`;\n\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n };\n\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n }\n\n if (config.customHeaders) {\n Object.assign(headers, config.customHeaders);\n }\n\n const response = await fetch(url, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n const errorText = await response.text().catch(() => 'Unknown error');\n throw new Error(\n `Failed to record decision for session ${sessionId}: ${response.status} ${errorText}`,\n );\n }\n\n const result = await response.json();\n\n return {\n recorded: result.recorded ?? true,\n blockchainTxHash: result.blockchainTxHash,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;;;ACWO,IAAM,yBAAsD;AAAA,EACjE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AACZ;AAKO,IAAM,4BAAyD;AAAA,EACpE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AACZ;AAKO,IAAM,2BAAwD;AAAA,EACnE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AAAA;AACZ;AAKO,IAAM,qBAAuE;AAAA,EAClF,QAAQ,EAAE,KAAK,GAAG,KAAK,GAAG;AAAA,EAC1B,QAAQ,EAAE,KAAK,IAAI,KAAK,GAAG;AAAA,EAC3B,MAAM,EAAE,KAAK,IAAI,KAAK,GAAG;AAAA,EACzB,UAAU,EAAE,KAAK,IAAI,KAAK,IAAI;AAChC;AAKO,SAAS,cAAc,OAA2B;AACvD,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;AAKO,SAAS,iBAAiB,QAAqB,UAAgC;AACpF,SAAO,uBAAuB,MAAM,KAAK,uBAAuB,QAAQ;AAC1E;AAKO,SAAS,uBACd,YACA,aAA0C,0BAC7B;AACb,MAAI,cAAc,WAAW,KAAM,QAAO;AAC1C,MAAI,cAAc,WAAW,SAAU,QAAO;AAC9C,MAAI,cAAc,WAAW,WAAW,EAAG,QAAO;AAClD,SAAO;AACT;AAKO,SAAS,qBACd,UACA,YACA,aACA,kBACa;AACb,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,EACT;AAEA,MAAI,aAAa;AACf,WAAO;AAAA,EACT;AAEA,QAAM,aAAa;AAAA,IACjB,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AAEA,SAAO,uBAAuB,YAAY,UAAU;AACtD;AAkBO,SAAS,gBAAgB,aAA8C;AAC5E,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF;AACE,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,EACJ;AACF;;;AC7JA,IAAM,iBAAyC;AAAA,EAC7C,YAAY;AAAA,EACZ,oBAAoB;AAAA,EACpB,eAAe;AAAA,EACf,sBAAsB;AAAA,EACtB,UAAU;AAAA;AAAA,EACV,OAAO;AACT;AAKA,IAAM,oBAAoB,oBAAI,IAA+D;AAK7F,SAAS,YAAY,aAAuC;AAC1D,SAAO,GAAG,YAAY,WAAW,EAAE,IAAI,YAAY,UAAU,EAAE,IAAI,YAAY,OAAO,EAAE;AAC1F;AAKA,SAAS,gBAAgB,aAA0D;AACjF,QAAM,MAAM,YAAY,WAAW;AACnC,QAAM,SAAS,kBAAkB,IAAI,GAAG;AAExC,MAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,WAAO,OAAO;AAAA,EAChB;AAEA,MAAI,QAAQ;AACV,sBAAkB,OAAO,GAAG;AAAA,EAC9B;AAEA,SAAO;AACT;AAKA,SAAS,YAAY,aAA+B,QAA4B,YAA0B;AACxG,QAAM,MAAM,YAAY,WAAW;AACnC,oBAAkB,IAAI,KAAK;AAAA,IACzB;AAAA,IACA,WAAW,KAAK,IAAI,IAAI,aAAa;AAAA,EACvC,CAAC;AACH;AAKO,SAAS,aAAmB;AACjC,oBAAkB,MAAM;AAC1B;AAKO,SAAS,mBACd,SACA,OACkB;AAClB,QAAM,cAAgC,CAAC;AAGvC,QAAM,gBAAgB,QAAQ,YAAY,KAAK,QAAQ,YAAY,KAAK,QAAQ,YAAY;AAC5F,MAAI,eAAe;AACjB,gBAAY,UAAU,MAAM,QAAQ,aAAa,IAAI,cAAc,CAAC,IAAI;AAAA,EAC1E;AAGA,QAAM,eAAe,QAAQ,WAAW,KAAK,QAAQ,WAAW,KAAK,QAAQ,WAAW;AACxF,MAAI,cAAc;AAChB,gBAAY,SAAS,MAAM,QAAQ,YAAY,IAAI,aAAa,CAAC,IAAI;AAAA,EACvE;AAGA,QAAM,aAAa,QAAQ,eAAe,KAAK,QAAQ,eAAe;AACtE,MAAI,YAAY;AACd,UAAM,YAAY,MAAM,QAAQ,UAAU,IAAI,WAAW,CAAC,IAAI;AAC9D,gBAAY,sBAAsB;AAElC,QAAI,UAAU,WAAW,SAAS,GAAG;AACnC,kBAAY,MAAM,UAAU,MAAM,CAAC;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,OAAO;AACT,QAAI,MAAM,WAAW,CAAC,YAAY,SAAS;AACzC,kBAAY,UAAU,MAAM;AAAA,IAC9B;AACA,QAAI,MAAM,UAAU,CAAC,YAAY,QAAQ;AACvC,kBAAY,SAAS,MAAM;AAAA,IAC7B;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,eAAe,aAAwC;AACrE,SAAO,CAAC,EAAE,YAAY,WAAW,YAAY,UAAU,YAAY;AACrE;AAKA,SAAS,uBAAuB,QAAuB,QAAqC;AAC1F,QAAM,WAAyB;AAAA,IAC7B,SAAS;AAAA,IACT,iBAAiB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IACzD,kBAAkB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IAC1D,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IACV,aAAa;AAAA,IACb;AAAA,IACA,eAAe,SAAS,CAAC,MAAM,IAAI,CAAC,qCAAqC;AAAA,IACzE,YAAY,oBAAI,KAAK;AAAA,EACvB;AACF;AAKA,eAAe,oBACb,QACA,SAiDC;AACD,QAAM,EAAE,aAAa,GAAG,YAAY,IAAI;AAGxC,QAAM,OAAgC;AAAA,IACpC,SAAS,YAAY;AAAA,IACrB,SAAS,YAAY,WAAW;AAAA,EAClC;AAGA,MAAI,YAAY,OAAQ,MAAK,SAAS,YAAY;AAClD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,kBAAmB,MAAK,oBAAoB,YAAY;AACxE,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,kBAAkB,OAAW,MAAK,gBAAgB,YAAY;AAE9E,MAAI,YAAY,uBAAwB,MAAK,yBAAyB,YAAY;AAClF,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,gBAAiB,MAAK,kBAAkB,YAAY;AACpE,MAAI,YAAY,wBAAyB,MAAK,0BAA0B,YAAY;AAGpF,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAG,OAAO;AAAA,EACZ;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,WAAW,IAAI,OAAO;AAAA,EAChC;AAEA,MAAI,YAAY,qBAAqB;AACnC,YAAQ,eAAe,IAAI,YAAY;AAAA,EACzC;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,OAAO,UAAU,yBAAyB;AAAA,MACxE,QAAQ;AAAA,MACR;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,KAAK,WAAW,KAAK,SAAS,gBAAgB,SAAS,MAAM;AAAA,MACtE;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,qCAAqC,OAAO;AAAA,IACrD;AAAA,EACF;AACF;AAKA,eAAsB,OACpB,QACA,SAC6B;AAC7B,QAAM,eAAe,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAGpD,MAAI,CAAC,eAAe,QAAQ,WAAW,GAAG;AACxC,WAAO,uBAAuB,cAAc,+BAA+B;AAAA,EAC7E;AAGA,MAAI,aAAa,YAAY,aAAa,WAAW,GAAG;AACtD,UAAM,SAAS,gBAAgB,QAAQ,WAAW;AAClD,QAAI,QAAQ;AACV,UAAI,aAAa,OAAO;AACtB,gBAAQ,IAAI,+CAA+C;AAAA,MAC7D;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAGA,QAAM,kBAAkB,EAAE,GAAG,QAAQ;AACrC,MAAI,CAAC,gBAAgB,mBAAmB,aAAa,iBAAiB;AACpE,oBAAgB,kBAAkB,aAAa;AAAA,EACjD;AACA,MAAI,CAAC,gBAAgB,oBAAoB,aAAa,kBAAkB;AACtE,oBAAgB,mBAAmB,aAAa;AAAA,EAClD;AAGA,MAAI,aAAa,OAAO;AACtB,YAAQ,IAAI,iDAAiD;AAAA,EAC/D;AAEA,QAAM,cAAc,MAAM,oBAAoB,cAAc,eAAe;AAG3E,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,uBAAuB,cAAc,YAAY,KAAK;AAAA,EAC/D;AAGA,MAAI,CAAC,YAAY,QAAQ,SAAS;AAChC,UAAMC,UAAqC;AAAA,MACzC,UAAU;AAAA,MACV,aAAa;AAAA,MACb,eAAe,YAAY,QAAQ,SAAS,CAAC,YAAY,OAAO,MAAM,IAAI,CAAC,eAAe;AAAA,MAC1F,gBAAgB,YAAY,QAAQ;AAAA,MACpC,kBAAkB,YAAY,QAAQ;AAAA,MACtC,UAAU;AAAA,QACR,SAAS,YAAY,QAAQ,UAAU;AAAA,QACvC,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,MACA,YAAY,oBAAI,KAAK;AAAA;AAAA,MAErB,WAAY,YAAwC;AAAA,MACpD,gBAAiB,YAAwC;AAAA,MACzD,uBAAwB,YAAwC;AAAA,IAClE;AAEA,WAAOA;AAAA,EACT;AAGA,QAAM,QAAmC,YAAY,QACjD;AAAA,IACE,SAAS,YAAY,MAAM;AAAA,IAC3B,MAAM,YAAY,MAAM;AAAA,IACxB,YAAY,YAAY,MAAM;AAAA,IAC9B,YAAY,cAAc,YAAY,MAAM,UAAU;AAAA,IACtD,oBAAoB,YAAY,MAAM,qBAAqB;AAAA,IAC3D,QAAQ,YAAY,MAAM;AAAA,EAC5B,IACA;AAEJ,QAAM,YAA2C,YAAY,YACzD;AAAA,IACE,UAAU,YAAY,UAAU;AAAA,IAChC,MAAM,YAAY,UAAU;AAAA,IAC5B,YAAY,YAAY,UAAU,cAAc;AAAA,IAChD,UAAU,YAAY,UAAU;AAAA,EAClC,IACA;AAEJ,QAAM,eAAiD,YAAY,eAC/D;AAAA,IACE,MAAM,YAAY,aAAa;AAAA,IAC/B,UAAU,YAAY,aAAa;AAAA,IACnC,YAAY,YAAY,aAAa;AAAA,EACvC,IACA;AAEJ,QAAM,QAA+B,YAAY,QAAQ,QACrD;AAAA,IACE,gBAAgB,YAAY,OAAO,MAAM;AAAA,IACzC,gBAAgB,YAAY,OAAO,MAAM;AAAA,IACzC,cAAc,YAAY,OAAO,MAAM;AAAA,IACvC,cAAc,YAAY,OAAO,MAAM;AAAA,IACvC,0BAA0B,YAAY,OAAO,MAAM;AAAA,IACnD,eAAe,YAAY,OAAO;AAAA,EACpC,IACA;AAGJ,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,cAAc;AACpB,QAAM,cAA2B;AAAA,IAC/B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,UAAU,aAAa,iBAAiB;AAAA,MACxC,MAAM,aAAa,wBAAwB;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,SAAqC;AAAA,IACzC,UAAU;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,YAAY,QAAQ;AAAA,IACpC,kBAAkB,YAAY,QAAQ;AAAA,IACtC,YAAY,oBAAI,KAAK;AAAA,IACrB,UAAU,aAAa;AAAA;AAAA,IAEvB,WAAY,YAAwC;AAAA,IACpD,kBAAmB,YAAwC;AAAA,IAC3D,eAAgB,YAAwC;AAAA,IACxD,gBAAiB,YAAwC;AAAA,IACzD,uBAAwB,YAAwC;AAAA,EAClE;AAGA,MAAI,OAAO,mBAAmB,QAAQ;AACpC,WAAO,WAAW;AAClB,WAAO,cAAc;AACrB,WAAO,gBAAgB,OAAO,yBAAyB,CAAC,2CAA2C;AACnG,QAAI,OAAO,kBAAkB;AAC3B,aAAO,WAAW;AAAA,QAChB,SAAS,wBAAwB,OAAO,iBAAiB,UAAU,0BAA0B;AAAA,QAC7F,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF,WAAW,OAAO,mBAAmB,oBAAoB;AACvD,WAAO,iBAAiB;AACxB,QAAI,uBAAuB,OAAO,WAAW,IAAI,uBAAuB,WAAW,GAAG;AACpF,aAAO,cAAc;AAAA,IACvB;AACA,WAAO,gBAAgB,OAAO,yBAAyB,CAAC,+BAA+B;AAAA,EACzF;AAGA,MAAI,aAAa,YAAY,aAAa,WAAW,KAAK,OAAO,mBAAmB,QAAQ;AAC1F,gBAAY,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAAA,EAChE;AAEA,SAAO;AACT;AAMA,eAAsB,eACpB,QACA,WACA,UACA,QACe;AACf,QAAM,UAAkC,EAAE,gBAAgB,mBAAmB;AAC7E,MAAI,OAAO,OAAQ,SAAQ,WAAW,IAAI,OAAO;AAEjD,QAAM,MAAM,GAAG,OAAO,UAAU,yBAAyB,SAAS,aAAa;AAAA,IAC7E,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,EAAE,UAAU,OAAO,CAAC;AAAA,EAC3C,CAAC,EAAE,MAAM,MAAM;AAAA,EAAwB,CAAC;AAC1C;AA+BA,eAAsB,YACpB,QACA,aAC2E;AAC3E,QAAM,SAAS,MAAM,OAAO,QAAQ;AAAA,IAClC;AAAA,IACA,SAAS;AAAA,EACX,CAAC;AAED,SAAO;AAAA,IACL,UAAU,OAAO;AAAA,IACjB,aAAa,OAAO;AAAA,IACpB,QAAQ,OAAO,gBAAgB,CAAC;AAAA,EAClC;AACF;;;AClgBA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACQA,IAAM,gBAAgB;AAKf,SAAS,eACd,SACA,aACwB;AACxB,QAAM,SAAS,EAAE,GAAG,QAAQ;AAE5B,SAAO,GAAG,aAAa,IAAI,IAAI,YAAY;AAE3C,MAAI,YAAY,WAAW;AACzB,WAAO,GAAG,aAAa,QAAQ,IAAI,YAAY;AAAA,EACjD;AAEA,MAAI,YAAY,cAAc;AAC5B,WAAO,GAAG,aAAa,WAAW,IAAI,YAAY;AAAA,EACpD;AAEA,MAAI,YAAY,OAAO,SAAS;AAC9B,UAAM,eAAe,YAAY,MAAM,QAAQ,SAC3C,GAAG,YAAY,MAAM,QAAQ,QAAQ,IAAI,YAAY,MAAM,QAAQ,MAAM,KACzE,YAAY,MAAM,QAAQ;AAC9B,WAAO,GAAG,aAAa,SAAS,IAAI;AAAA,EACtC;AAEA,MAAI,YAAY,OAAO,UAAU,oBAAoB;AACnD,WAAO,GAAG,aAAa,UAAU,IAAI,OAAO,YAAY,MAAM,SAAS,kBAAkB;AAAA,EAC3F;AAEA,MAAI,YAAY,OAAO,OAAO,cAAc;AAC1C,WAAO,GAAG,aAAa,OAAO,IAAI,YAAY,MAAM,MAAM;AAAA,EAC5D;AAEA,SAAO;AACT;AAKO,SAAS,uBACd,SAC6B;AAC7B,QAAM,WAAW,CAAC,QAAoC;AACpD,UAAM,IAAI,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC;AACnD,WAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI;AAAA,EACnC;AAEA,QAAM,UAAU,SAAS,GAAG,aAAa,IAAI,KAAK,SAAS,YAAY;AACvE,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,cAAoC,EAAE,QAAQ;AAEpD,QAAM,YAAY,SAAS,GAAG,aAAa,QAAQ,KAAK,SAAS,gBAAgB;AACjF,MAAI,UAAW,aAAY,YAAY;AAEvC,QAAM,eAAe,SAAS,GAAG,aAAa,WAAW,KAAK,SAAS,mBAAmB;AAC1F,MAAI,aAAc,aAAY,eAAe;AAE7C,QAAM,UAAU,SAAS,GAAG,aAAa,SAAS,KAAK,SAAS,iBAAiB;AACjF,MAAI,SAAS;AACX,UAAM,CAAC,UAAU,MAAM,IAAI,QAAQ,MAAM,GAAG;AAC5C,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,SAAS,EAAE,UAAU,OAAO;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,WAAW,SAAS,GAAG,aAAa,UAAU,KAAK,SAAS,kBAAkB;AACpF,MAAI,UAAU;AACZ,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,UAAU,EAAE,oBAAoB,SAAS,UAAU,EAAE,EAAE;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS,GAAG,aAAa,OAAO,KAAK,SAAS,eAAe;AAC3E,MAAI,OAAO;AACT,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,OAAO,EAAE,cAAc,MAAM;AAAA,IAC/B;AAAA,EACF;AAEA,SAAO;AACT;;;AD1CA,SAAS,0BAA0B,KAAgC;AACjE,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,IAAI;AAAA,EACN;AACF;AAMO,SAAS,4BAA4B,KAA2C;AACrF,SAAO,uBAAuB,IAAI,OAAwD;AAC5F;AAKA,SAAS,sBAAsB,KAAkC;AAE/D,QAAM,gBAAgB,IAAI,QAAQ,WAAW,KAAK,IAAI,QAAQ,WAAW;AACzE,MAAI,eAAe;AACjB,WAAO,MAAM,QAAQ,aAAa,IAAI,cAAc,CAAC,IAAI;AAAA,EAC3D;AAGA,MAAI,IAAI,MAAM,WAAW,OAAO,IAAI,MAAM,YAAY,UAAU;AAC9D,WAAO,IAAI,MAAM;AAAA,EACnB;AAGA,UAAQ,IAAI,QAAQ;AAAA,IAClB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAKA,SAAS,WAAW,SAAiB,MAAuB;AAE1D,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK;AAEvB,QAAM,QAAQ,IAAI,OAAO,IAAI,YAAY,GAAG;AAC5C,SAAO,MAAM,KAAK,IAAI;AACxB;AAKA,SAAS,gBACP,QACA,MACA,QAC+B;AAC/B,SAAO,OAAO,KAAK,CAAC,UAAU;AAC5B,UAAM,gBAAgB,MAAM,WAAW,OAAO,MAAM,OAAO,YAAY,MAAM,OAAO,YAAY;AAChG,UAAM,cAAc,WAAW,MAAM,SAAS,IAAI;AAClD,WAAO,iBAAiB;AAAA,EAC1B,CAAC;AACH;AAKA,SAAS,gBACP,QACA,MACA,KACM;AACN,QAAM,aAAa,OAAO,WAAW,MAAM;AAE3C,MAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC1B,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM,OAAO,WAAW,wBAAwB;AAAA,MAChD,SAAS,OAAO,gBAAgB,CAAC,KAAK;AAAA,MACtC,aAAa,OAAO;AAAA,MACpB,UAAU,OAAO;AAAA,IACnB;AAAA,EACF,CAAC;AACH;AAKO,SAAS,iBAAiB,SAAmD;AAClF,QAAM;AAAA,IACJ,SAAS,CAAC;AAAA,IACV,oBAAoB;AAAA,IACpB,gBAAgB;AAAA,IAChB,YAAY,CAAC;AAAA,IACb,WAAW;AAAA,IACX;AAAA,IACA,GAAG;AAAA,EACL,IAAI;AAEJ,SAAO,OAAO,KAAc,KAAe,SAAsC;AAC/E,QAAI;AAEF,YAAM,aAAa,UAAU,KAAK,CAAC,YAAY,WAAW,SAAS,IAAI,IAAI,CAAC;AAC5E,UAAI,YAAY;AACd,eAAO,KAAK;AAAA,MACd;AAGA,YAAM,cAAc,gBAAgB,QAAQ,IAAI,MAAM,IAAI,MAAM;AAGhE,UAAI,CAAC,aAAa;AAChB,eAAO,KAAK;AAAA,MACd;AAGA,UAAI,YAAY,mBAAmB,QAAQ;AACzC,eAAO,KAAK;AAAA,MACd;AAGA,YAAM,cAAc,2BAChB,yBAAyB,GAAG,IAC5B,0BAA0B,GAAG;AAGjC,UAAI,CAAC,eAAe,WAAW,KAAK,YAAY,mBAAmB,YAAY;AAC7E,cAAMC,UAA6B;AAAA,UACjC,UAAU;AAAA,UACV,aAAa;AAAA,UACb,eAAe,CAAC,+BAA+B;AAAA,UAC/C,UAAU;AAAA,YACR,SAAS;AAAA,YACT,iBAAiB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,YAC1D,kBAAkB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,UAC7D;AAAA,UACA,YAAY,oBAAI,KAAK;AAAA,QACvB;AAEA,YAAI,oBAAoBA;AACxB,iBAASA,SAAQ,KAAK,GAAG;AACzB;AAAA,MACF;AAGA,YAAM,UAAU,uBACZ,qBAAqB,GAAG,IACxB,sBAAsB,GAAG;AAG7B,YAAM,wBAAwB,oBAAoB;AAClD,YAAM,SAAS,MAAM,OAAO,QAAQ;AAAA,QAClC;AAAA,QACA;AAAA,QACA,QAAQ,IAAI,OAAO,YAAY;AAAA,QAC/B,UAAU,IAAI;AAAA,QACd,UAAU,IAAI;AAAA,QACd,WAAW,IAAI,QAAQ,YAAY;AAAA,QACnC,eAAe;AAAA,MACjB,CAAC;AAGD,UAAI,oBAAoB;AACxB,YAAM,YAAa,OAAsC;AAGzD,UAAI,CAAC,iBAAiB,OAAO,aAAa,YAAY,cAAc,GAAG;AACrE,YAAI,yBAAyB,WAAW;AACtC,yBAAe,QAAQ,WAAW,UAAU,OAAO,gBAAgB,CAAC,CAAC,EAAE,MAAM,MAAM;AAAA,UAAC,CAAC;AAAA,QACvF;AACA,iBAAS,QAAQ,KAAK,GAAG;AACzB;AAAA,MACF;AAGA,UAAI,YAAY,iBAAiB,OAAO,OAAO;AAC7C,YAAI,OAAO,MAAM,aAAa,YAAY,eAAe;AACvD,iBAAO,gBAAgB;AAAA,YACrB,eAAe,OAAO,MAAM,UAAU,sBAAsB,YAAY,aAAa;AAAA,UACvF;AACA,cAAI,yBAAyB,WAAW;AACtC,2BAAe,QAAQ,WAAW,UAAU,OAAO,cAAc,CAAC,CAAC,EAAE,MAAM,MAAM;AAAA,YAAC,CAAC;AAAA,UACrF;AACA,mBAAS,QAAQ,KAAK,GAAG;AACzB;AAAA,QACF;AAAA,MACF;AAGA,UAAI,yBAAyB,WAAW;AACtC,uBAAe,QAAQ,WAAW,SAAS,EAAE,MAAM,MAAM;AAAA,QAAC,CAAC;AAAA,MAC7D;AACA,WAAK;AAAA,IACP,SAAS,OAAO;AAEd,cAAQ,MAAM,2CAA2C,KAAK;AAC9D,WAAK;AAAA,IACP;AAAA,EACF;AACF;AAKO,SAAS,cAAc,gBAA6B,SAAmD;AAC5G,SAAO,iBAAiB;AAAA,IACtB,GAAG;AAAA,IACH,QAAQ;AAAA,MACN,EAAE,SAAS,KAAK,QAAQ,KAAK,eAAe;AAAA,IAC9C;AAAA,EACF,CAAC;AACH;AAKO,SAAS,WAAW,SAAgF;AACzG,SAAO,iBAAiB;AAAA,IACtB,GAAG;AAAA,IACH,QAAQ;AAAA,MACN,EAAE,SAAS,KAAK,QAAQ,KAAK,gBAAgB,OAAO;AAAA,IACtD;AAAA,EACF,CAAC;AACH;;;AE9RA;AAAA;AAAA;AAAA,0BAAAC;AAAA;AAwCA,SAAS,kCAAkC,SAAwC;AACjF,QAAM,cAAgC,CAAC;AAGvC,QAAM,UAAU,QAAQ,QAAQ,IAAI,YAAY,KAAK,QAAQ,QAAQ,IAAI,YAAY;AACrF,MAAI,SAAS;AACX,gBAAY,UAAU;AAAA,EACxB;AAGA,QAAM,SAAS,QAAQ,QAAQ,IAAI,WAAW,KAAK,QAAQ,QAAQ,IAAI,WAAW;AAClF,MAAI,QAAQ;AACV,gBAAY,SAAS;AAAA,EACvB;AAGA,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY;AACd,gBAAY,sBAAsB;AAClC,QAAI,WAAW,WAAW,SAAS,GAAG;AACpC,kBAAY,MAAM,WAAW,MAAM,CAAC;AAAA,IACtC;AAAA,EACF;AAGA,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,QAAM,eAAe,IAAI,aAAa,IAAI,SAAS;AACnD,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AAEjD,MAAI,gBAAgB,CAAC,YAAY,SAAS;AACxC,gBAAY,UAAU;AAAA,EACxB;AACA,MAAI,eAAe,CAAC,YAAY,QAAQ;AACtC,gBAAY,SAAS;AAAA,EACvB;AAEA,SAAO;AACT;AAKA,SAASC,YAAW,SAAiB,MAAuB;AAC1D,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK;AAEvB,QAAM,QAAQ,IAAI,OAAO,IAAI,YAAY,GAAG;AAC5C,SAAO,MAAM,KAAK,IAAI;AACxB;AAKA,SAASC,iBACP,QACA,MACA,QAC+B;AAC/B,SAAO,OAAO,KAAK,CAAC,UAAU;AAC5B,UAAM,gBAAgB,MAAM,WAAW,OAAO,MAAM,OAAO,YAAY,MAAM,OAAO,YAAY;AAChG,UAAM,cAAcD,YAAW,MAAM,SAAS,IAAI;AAClD,WAAO,iBAAiB;AAAA,EAC1B,CAAC;AACH;AAKA,SAAS,aAAa,QAAwB;AAC5C,UAAQ,OAAO,YAAY,GAAG;AAAA,IAC5B,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAKA,SAAS,2BACP,QACA,SACQ;AACR,QAAM,QAAQ,QAAQ,gBAAgB,SAAS;AAC/C,QAAM,UAAU,QAAQ,gBAAgB,WACtC,OAAO,UAAU,WACjB;AACF,QAAM,kBAAkB,OAAO,UAAU,mBAAmB;AAC5D,QAAM,UAAU,OAAO,UAAU,oBAAoB;AACrD,QAAM,aAAa,QAAQ,gBAAgB,oBAAoB;AAE/D,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,WAME,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,+BA4Ge,KAAK;AAAA,gCACJ,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,mCAKJ,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,iBAQjC,eAAe;AAAA,QACxB,aAAa,8GAA8G,EAAE;AAAA;AAAA;AAAA;AAAA,6BAIxG,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,IAKhC,KAAK;AACT;AAKO,SAASE,kBAAiB,SAAkC;AACjE,QAAM;AAAA,IACJ,SAAS,CAAC;AAAA,IACV,YAAY,CAAC;AAAA,IACb,qBAAqB;AAAA,IACrB,GAAG;AAAA,EACL,IAAI;AAEJ,SAAO,eAAe,WAAW,SAAsB;AAErD,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,aAAa;AAEnD,UAAM,WAAW,QAAQ,QAAQ;AAGjC,UAAM,aAAa,UAAU,KAAK,CAAC,YAAYF,YAAW,SAAS,QAAQ,CAAC;AAC5E,QAAI,YAAY;AACd,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,cAAcC,iBAAgB,QAAQ,UAAU,QAAQ,MAAM;AAGpE,QAAI,CAAC,aAAa;AAChB,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,QAAI,YAAY,mBAAmB,QAAQ;AACzC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,cAAc,kCAAkC,OAAO;AAG7D,QAAI,CAAC,eAAe,WAAW,KAAK,YAAY,mBAAmB,YAAY;AAC7E,YAAME,UAA6B;AAAA,QACjC,UAAU;AAAA,QACV,aAAa;AAAA,QACb,eAAe,CAAC,+BAA+B;AAAA,QAC/C,UAAU;AAAA,UACR,SAAS;AAAA,UACT,iBAAiB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,UAC1D,kBAAkB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAC7D;AAAA,QACA,YAAY,oBAAI,KAAK;AAAA,MACvB;AAGA,UAAI,SAAS,WAAW,OAAO,GAAG;AAChC,eAAO,aAAa;AAAA,UAClB;AAAA,YACE,SAAS;AAAA,YACT,OAAO;AAAA,cACL,MAAM;AAAA,cACN,SAAS;AAAA,cACT,UAAUA,QAAO;AAAA,YACnB;AAAA,UACF;AAAA,UACA,EAAE,QAAQ,IAAI;AAAA,QAChB;AAAA,MACF;AAGA,UAAI,oBAAoB;AACtB,eAAO,IAAI,aAAa,2BAA2BA,SAAQ,OAAO,GAAG;AAAA,UACnE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,4BAA4B;AAAA,UAC9B;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,cAAcA,QAAO,UAAU,mBAAmB;AACxD,aAAO,aAAa,SAAS,IAAI,IAAI,aAAa,QAAQ,GAAG,CAAC;AAAA,IAChE;AAGA,UAAM,UAAU,QAAQ,QAAQ,IAAI,WAAW,KAAK,aAAa,QAAQ,MAAM;AAC/E,UAAM,SAAS,MAAM,OAAO,QAAQ;AAAA,MAClC;AAAA,MACA;AAAA,MACA,QAAQ,QAAQ,OAAO,YAAY;AAAA,MACnC,UAAU;AAAA,MACV,UAAU,QAAQ,QAAQ,IAAI,iBAAiB,GAAG,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,KAAK;AAAA,MAC3E,WAAW,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAAA,IAClD,CAAC;AAGD,QAAI,CAAC,iBAAiB,OAAO,aAAa,YAAY,cAAc,GAAG;AAErE,UAAI,SAAS,WAAW,OAAO,GAAG;AAChC,eAAO,aAAa;AAAA,UAClB;AAAA,YACE,SAAS;AAAA,YACT,OAAO;AAAA,cACL,MAAM,OAAO,WAAW,wBAAwB;AAAA,cAChD,SAAS,OAAO,gBAAgB,CAAC,KAAK;AAAA,cACtC,aAAa,OAAO;AAAA,cACpB,UAAU,YAAY;AAAA,cACtB,UAAU,OAAO;AAAA,YACnB;AAAA,UACF;AAAA,UACA,EAAE,QAAQ,OAAO,WAAW,MAAM,IAAI;AAAA,QACxC;AAAA,MACF;AAGA,UAAI,oBAAoB;AACtB,eAAO,IAAI,aAAa,2BAA2B,QAAQ,OAAO,GAAG;AAAA,UACnE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,4BAA4B;AAAA,UAC9B;AAAA,QACF,CAAC;AAAA,MACH;AAGA,aAAO,aAAa,SAAS,IAAI,IAAI,iBAAiB,QAAQ,GAAG,CAAC;AAAA,IACpE;AAGA,UAAM,WAAW,aAAa,KAAK;AAGnC,aAAS,QAAQ,IAAI,wBAAwB,OAAO,SAAS,SAAS,CAAC;AACvE,aAAS,QAAQ,IAAI,4BAA4B,OAAO,WAAW;AAEnE,QAAI,OAAO,OAAO;AAChB,eAAS,QAAQ,IAAI,wBAAwB,OAAO,MAAM,OAAO;AACjE,eAAS,QAAQ,IAAI,2BAA2B,OAAO,MAAM,WAAW,SAAS,CAAC;AAAA,IACpF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,SAAS,oBAAoB,OAAwC;AAC1E,SAAO,EAAE,SAAS,MAAM;AAC1B;;;AC/aA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwCO,IAAM,4BAAN,MAAgC;AAAA,EAKrC,YAAY,SAAqB;AAC/B,SAAK,SAAS;AAAA,MACZ,YAAY,QAAQ;AAAA,MACpB,QAAQ,QAAQ;AAAA,MAChB,oBAAoB,QAAQ;AAAA,MAC5B,eAAe,QAAQ;AAAA,MACvB,sBAAsB,QAAQ;AAAA,MAC9B,UAAU,QAAQ;AAAA,MAClB,OAAO,QAAQ;AAAA,MACf,eAAe,QAAQ;AAAA,IACzB;AAEA,SAAK,UAAU,QAAQ,WAAW;AAClC,SAAK,cAAc,QAAQ,SAAS,EAAE,YAAY,GAAG,WAAW,IAAK;AAAA,EACvE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,SAcmB;AAC9B,UAAM,cAAgC;AAAA,MACpC,SAAS,QAAQ;AAAA,MACjB,QAAQ,QAAQ;AAAA,MAChB,KAAK,QAAQ;AAAA,IACf;AAEA,WAAO,KAAK;AAAA,MAAiB,MAC3B,OAAW,KAAK,QAAQ;AAAA,QACtB;AAAA,QACA,SAAS,QAAQ;AAAA,QACjB,QAAQ,QAAQ;AAAA,QAChB,cAAc,QAAQ;AAAA,QACtB,UAAU,QAAQ;AAAA,QAClB,cAAc,QAAQ;AAAA,QACtB,kBAAkB,QAAQ;AAAA,QAC1B,UAAU,QAAQ;AAAA,QAClB,mBAAmB,QAAQ;AAAA,QAC3B,eAAe,QAAQ;AAAA,QACvB,eAAe,QAAQ;AAAA,MACzB,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,aAI4D;AAC5E,WAAO,KAAK,iBAAiB,MAAM,YAAgB,KAAK,QAAQ,WAAW,CAAC;AAAA,EAC9E;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UACJ,aACA,eACkB;AAClB,UAAM,SAAS,MAAM,KAAK,YAAY,WAAW;AACjD,WAAO,iBAAiB,OAAO,aAAa,aAAa;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,aAIU;AAC9B,UAAM,SAAS,MAAM,KAAK,YAAY,WAAW;AACjD,WAAO,gBAAgB,OAAO,WAAW;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,SACA,SAI6B;AAC7B,WAAO,KAAK,OAAO;AAAA,MACjB;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,QAAQ,SAAS;AAAA,IACnB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aACJ,QACA,SAI6B;AAC7B,WAAO,KAAK,OAAO;AAAA,MACjB;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,QAAQ,SAAS;AAAA,IACnB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,eAAW;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAoB,IAAkC;AAClE,QAAI,YAA0B;AAE9B,aAAS,UAAU,GAAG,WAAW,KAAK,YAAY,YAAY,WAAW;AACvE,UAAI;AAEF,cAAM,SAAS,MAAM,QAAQ,KAAK;AAAA,UAChC,GAAG;AAAA,UACH,IAAI;AAAA,YAAe,CAAC,GAAG,WACrB,WAAW,MAAM,OAAO,IAAI,MAAM,iBAAiB,CAAC,GAAG,KAAK,OAAO;AAAA,UACrE;AAAA,QACF,CAAC;AAED,eAAO;AAAA,MACT,SAAS,OAAO;AACd,oBAAY,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAGpE,YAAI,UAAU,KAAK,YAAY,YAAY;AAEzC,gBAAM,UAAU,KAAK,YAAY,YAAY,KAAK,IAAI,GAAG,OAAO;AAChE,gBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,OAAO,CAAC;AAAA,QAC7D;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,mCAAmC;AAAA,EAClE;AACF;AAKO,SAAS,aAAa,SAAgD;AAC3E,SAAO,IAAI,0BAA0B,OAAO;AAC9C;AAKA,eAAsB,WACpB,SAO6B;AAC7B,QAAM,SAAS,aAAa,OAAO;AACnC,SAAO,OAAO,OAAO,OAAO;AAC9B;;;ACvOA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACyBO,SAAS,eACd,MACA,aACS;AACT,QAAM,YAA+B;AAAA,IACnC,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,UAAU;AAAA,MACR,GAAG,KAAK;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,MAA4C;AAChF,QAAM,OAAO,KAAK,UAAU;AAC5B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AC7CO,SAAS,WACd,QACA,aACW;AACX,QAAM,YAA2B;AAAA,IAC/B,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO;AAAA,MACL,GAAG,OAAO;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,QAAgD;AACpF,QAAM,OAAO,OAAO,OAAO;AAC3B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AFnDO,SAAS,eAAe,SAAqD;AAElF,MAAI,QAAQ,YAAY,OAAO,QAAQ,aAAa,UAAU;AAC5D,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,SAAS,OAAO,QAAQ,UAAU,UAAU;AACtD,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAKO,SAAS,iBACd,UACA,QACA,aACyB;AACzB,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,eAAe,QAAkC,WAAW;AAAA,IACrE,KAAK;AACH,aAAO,eAAe,QAAQ,WAAW;AAAA,IAC3C,KAAK;AACH,aAAO,WAAW,QAAQ,WAAW;AAAA,IACvC;AACE,aAAO;AAAA,EACX;AACF;AAKO,SAAS,+BACd,UACA,SAC6B;AAC7B,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,uBAAuB,OAAwD;AAAA,IACxF,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC;AACE,aAAO;AAAA,EACX;AACF;;;AGvEA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAC;AAAA;;;ACyBO,IAAM,cAAN,MAAkB;AAAA,EAGvB,YAAY,QAA2B;AACrC,SAAK,cAAc;AAAA,MACjB,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO,aAAa;AAAA,MAC/B,cAAc,OAAO;AAAA,MACrB,OAAO,OAAO;AAAA,IAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,KAAa,SAA2C;AAClE,UAAM,EAAE,SAAS,QAAQ,GAAG,aAAa,IAAI,WAAW,CAAC;AAGzD,UAAM,QAA8B,EAAE,GAAG,KAAK,YAAY;AAC1D,QAAI,SAAS;AACX,YAAM,QAAQ;AAAA,QACZ,GAAG,MAAM;AAAA,QACT,SAAS,EAAE,UAAU,SAAS,OAAO;AAAA,MACvC;AAAA,IACF;AAGA,UAAM,kBAA0C,CAAC;AACjD,QAAI,aAAa,SAAS;AACxB,UAAI,aAAa,mBAAmB,SAAS;AAC3C,qBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC3C,0BAAgB,GAAG,IAAI;AAAA,QACzB,CAAC;AAAA,MACH,WAAW,MAAM,QAAQ,aAAa,OAAO,GAAG;AAC9C,mBAAW,CAAC,KAAK,KAAK,KAAK,aAAa,SAAS;AAC/C,0BAAgB,GAAG,IAAI;AAAA,QACzB;AAAA,MACF,OAAO;AACL,eAAO,OAAO,iBAAiB,aAAa,OAAO;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,kBAAkB,eAAe,iBAAiB,KAAK;AAE7D,WAAO,MAAM,KAAK;AAAA,MAChB,GAAG;AAAA,MACH,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,mBACE,MACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,eAAe,MAAM,KAAK;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKA,eACE,QACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,WAAW,QAAQ,KAAK;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,iBACE,UACA,QACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,iBAAiB,UAAU,QAAQ,KAAK;AAAA,EACjD;AAAA,EAEQ,iBAAiB,WAAyE;AAChG,QAAI,CAAC,WAAW,QAAS,QAAO,KAAK;AAErC,WAAO;AAAA,MACL,GAAG,KAAK;AAAA,MACR,OAAO;AAAA,QACL,GAAG,KAAK,YAAY;AAAA,QACpB,SAAS,EAAE,UAAU,UAAU,SAAS,QAAQ,UAAU,OAAO;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AACF;;;ACxFO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,QAAgC;AAF5C,SAAQ,wBAAqC,oBAAI,IAAI;AAGnD,SAAK,UAAU,OAAO;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,gBAA8B;AAC5C,SAAK,sBAAsB,IAAI,cAAc;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,gBAA8B;AAC1C,SAAK,sBAAsB,OAAO,cAAc;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,iBAA2B;AACzB,WAAO,CAAC,GAAG,KAAK,qBAAqB;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAA4H;AAC1H,WAAO,CAAC,KAAK,QAAQ;AACnB,YAAM,SAAS,KAAK,gBAAgB,IAAI,IAAI;AAC5C,UAAI,OAAO,OAAO,MAAM,EAAE,KAAK,OAAO,IAAI;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAgB,MAAkC;AAEhD,QAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa;AAAA,UACb,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,UACpC,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU;AAEhB,QAAI,CAAC,QAAQ,eAAe,CAAC,QAAQ,YAAY,CAAC,QAAQ,WAAW;AACnE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa,QAAQ,eAAe;AAAA,UACpC,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,UACpC,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,MAAM,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa,QAAQ;AAAA,UACrB,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,aAAa,IAAI,YAAY;AAAA,UAC7B,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ,aAAa,QAAQ;AAAA,QACrB,cAAc;AAAA,QACd,uBAAuB,KAAK,eAAe;AAAA,QAC3C,aAAa,IAAI,YAAY;AAAA,MAC/B;AAAA,IACF;AAAA,EACF;AACF;;;ACnFO,SAAS,wBAAwB,OAAoC;AAC1E,QAAM,YAA4B,CAAC;AAGnC,MAAI,MAAM,SAAS,YAAY,QAAQ;AACrC,cAAU,UAAU;AAAA,MAClB,UAAU,MAAM,QAAQ,WAAW,CAAC;AAAA,MACpC,QAAQ,MAAM,QAAQ,iBAAiB,CAAC;AAAA,IAC1C;AAAA,EACF;AAGA,MAAI,MAAM,UAAU;AAClB,UAAM,aAAuB,CAAC;AAC9B,QAAI,MAAM,SAAS,mBAAoB,YAAW,KAAK,MAAM,SAAS,kBAAkB;AACxF,QAAI,MAAM,SAAS,IAAK,YAAW,KAAK,MAAM,SAAS,GAAG;AAC1D,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,WAAW,EAAE,oBAAoB,KAAK,IAAI,GAAG,UAAU,EAAE;AAAA,IACrE;AAAA,EACF;AAGA,MAAI,MAAM,OAAO,eAAe,QAAQ;AACtC,cAAU,QAAQ,EAAE,cAAc,MAAM,MAAM,cAAc,CAAC,EAAE;AAAA,EACjE;AAEA,SAAO;AACT;AAMO,SAAS,wBAAwB,WAAwC;AAC9E,QAAM,QAAqB,CAAC;AAE5B,MAAI,UAAU,SAAS;AACrB,UAAM,UAAU;AAAA,MACd,YAAY,CAAC,UAAU,QAAQ,QAAQ;AAAA,MACvC,gBAAgB,UAAU,QAAQ,SAAS,CAAC,UAAU,QAAQ,MAAM,IAAI;AAAA,IAC1E;AAAA,EACF;AAEA,MAAI,UAAU,UAAU;AACtB,UAAM,WAAW;AAAA,MACf,oBAAoB,UAAU,SAAS;AAAA,IACzC;AAAA,EACF;AAEA,MAAI,UAAU,OAAO;AACnB,UAAM,QAAQ;AAAA,MACZ,eAAe,UAAU,MAAM,eAAe,CAAC,UAAU,MAAM,YAAY,IAAI;AAAA,IACjF;AAAA,EACF;AAEA,SAAO;AACT;;;ACjFA,eAAsBC,gBACpB,QACA,QAC+B;AAC/B,QAAM,EAAE,WAAW,GAAG,KAAK,IAAI;AAC/B,QAAM,UAAU,OAAO,WAAW,QAAQ,OAAO,EAAE;AACnD,QAAM,MAAM,GAAG,OAAO,yBAAyB,mBAAmB,SAAS,CAAC;AAE5E,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,EAClB;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,eAAe,IAAI,UAAU,OAAO,MAAM;AAAA,EACpD;AAEA,MAAI,OAAO,eAAe;AACxB,WAAO,OAAO,SAAS,OAAO,aAAa;AAAA,EAC7C;AAEA,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,eAAe;AACnE,UAAM,IAAI;AAAA,MACR,yCAAyC,SAAS,KAAK,SAAS,MAAM,IAAI,SAAS;AAAA,IACrF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,SAAS,KAAK;AAEnC,SAAO;AAAA,IACL,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB,OAAO;AAAA,EAC3B;AACF;;;AdgBO,IAAM,UAAU;","names":["recordDecision","result","result","createMiddleware","matchRoute","findRouteConfig","createMiddleware","result","recordDecision","recordDecision"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/access-levels.ts","../src/verify.ts","../src/adapters/express.ts","../src/transport/http.ts","../src/adapters/nextjs.ts","../src/adapters/sdk.ts","../src/transport/index.ts","../src/transport/a2a.ts","../src/transport/mcp.ts","../src/agent/index.ts","../src/agent/client.ts","../src/agent/challenge-handler.ts","../src/agent/pdlss-formatter.ts","../src/agent/decision-client.ts"],"sourcesContent":["/*\n AstraSync Universal Verification Gateway\n \n A single verification library for any system to verify AI agents.\n * One codebase, multiple deployment targets.\n \n @example\n * ```typescript\n * import { verify, extractCredentials } from '@astrasyncai/verification-gateway';\n \n const credentials = extractCredentials(request.headers);\n * const result = await verify(config, { credentials, purpose: 'data-access' });\n \n if (result.verified && result.accessLevel !== 'none') {\n * // Grant access based on result.accessLevel\n * }\n * ```\n \n @packageDocumentation\n /\n\n// Core types\nexport type {\n TrustLevel,\n AccessLevel,\n CounterpartyType,\n AgentCredentials,\n GatewayConfig,\n VerifiedAgent,\n VerifiedDeveloper,\n VerifiedOrganization,\n PDLSSInfo,\n GuidanceInfo,\n VerificationResult,\n VerificationRequest,\n RouteAccessConfig,\n ExpressMiddlewareOptions,\n NextJsMiddlewareOptions,\n SDKOptions,\n CommerceShieldProps,\n // Handshake Protocol v10 types\n TokenGuidance,\n RuntimeChallengeResult,\n EnhancedVerificationResult,\n AstraSyncCredentials,\n ProtocolTransport,\n} from './types';\n\n// Access level utilities\nexport {\n ACCESS_LEVEL_HIERARCHY,\n ACCESS_LEVEL_DESCRIPTIONS,\n DEFAULT_TRUST_THRESHOLDS,\n TRUST_LEVEL_RANGES,\n getTrustLevel,\n hasMinimumAccess,\n getAccessLevelForScore,\n determineAccessLevel,\n getCapabilities,\n} from './access-levels';\n\nexport type { AccessCapabilities } from './access-levels';\n\n// Core verification functions\nexport { verify, quickVerify, extractCredentials, hasCredentials, clearCache } from './verify';\n\n// Re-export adapters for convenience (tree-shakeable)\nexport as express from './adapters/express';\nexport * as nextjs from './adapters/nextjs';\nexport * as sdk from './adapters/sdk';\n\n// Cross-protocol transport adapters\nexport * as transport from './transport';\n\n// Agent-side SDK\nexport * as agent from './agent';\nexport { AgentClient } from './agent/client';\nexport { ChallengeHandler } from './agent/challenge-handler';\nexport { recordDecision } from './agent/decision-client';\n\n// Version\nexport const VERSION = '2.0.0';\n","/*\n AstraSync Universal Verification Gateway - Access Level Definitions\n \n Defines the hierarchy and capabilities of each access level.\n /\n\nimport type { AccessLevel, TrustLevel } from './types';\n\n/\n Access level hierarchy (higher number = more access)\n /\nexport const ACCESS_LEVEL_HIERARCHY: Record<AccessLevel, number> = {\n none: 0,\n guidance: 1,\n 'read-only': 2,\n standard: 3,\n full: 4,\n internal: 5,\n};\n\n/\n Access level descriptions for UI\n /\nexport const ACCESS_LEVEL_DESCRIPTIONS: Record<AccessLevel, string> = {\n none: 'No access - credentials required',\n guidance: 'Guidance mode - registration information provided',\n 'read-only': 'Read-only access - can browse but not modify',\n standard: 'Standard access - normal operations per PDLSS policy',\n full: 'Full access - all operations for high-trust agents',\n internal: 'Internal access - organization member privileges',\n};\n\n/\n Default trust score thresholds for access levels\n /\nexport const DEFAULT_TRUST_THRESHOLDS: Record<AccessLevel, number> = {\n none: 0,\n guidance: 0,\n 'read-only': 20,\n standard: 40,\n full: 70,\n internal: 0, // Internal is based on org membership, not score\n};\n\n/\n Trust level score ranges\n /\nexport const TRUST_LEVEL_RANGES: Record<TrustLevel, { min: number; max: number }> = {\n BRONZE: { min: 0, max: 39 },\n SILVER: { min: 40, max: 59 },\n GOLD: { min: 60, max: 79 },\n PLATINUM: { min: 80, max: 100 },\n};\n\n/\n Determine trust level from score\n /\nexport function getTrustLevel(score: number): TrustLevel {\n if (score >= 80) return 'PLATINUM';\n if (score >= 60) return 'GOLD';\n if (score >= 40) return 'SILVER';\n return 'BRONZE';\n}\n\n/\n Check if access level A is greater than or equal to access level B\n /\nexport function hasMinimumAccess(actual: AccessLevel, required: AccessLevel): boolean {\n return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];\n}\n\n/\n Get the highest access level for a given trust score\n /\nexport function getAccessLevelForScore(\n trustScore: number,\n thresholds: Record<AccessLevel, number> = DEFAULT_TRUST_THRESHOLDS\n): AccessLevel {\n if (trustScore >= thresholds.full) return 'full';\n if (trustScore >= thresholds.standard) return 'standard';\n if (trustScore >= thresholds['read-only']) return 'read-only';\n return 'guidance';\n}\n\n/\n Determine access level from verification result\n /\nexport function determineAccessLevel(\n verified: boolean,\n trustScore: number,\n isOrgMember: boolean,\n customThresholds?: Partial<Record<AccessLevel, number>>\n): AccessLevel {\n if (!verified) {\n return 'guidance';\n }\n\n if (isOrgMember) {\n return 'internal';\n }\n\n const thresholds = {\n ...DEFAULT_TRUST_THRESHOLDS,\n ...customThresholds,\n };\n\n return getAccessLevelForScore(trustScore, thresholds);\n}\n\n/\n Access capabilities per level\n /\nexport interface AccessCapabilities {\n canRead: boolean;\n canWrite: boolean;\n canDelete: boolean;\n canAdmin: boolean;\n canAccessInternal: boolean;\n maxTransactionValue?: number;\n allowedPurposes?: string[];\n}\n\n/\n Get capabilities for an access level\n /\nexport function getCapabilities(accessLevel: AccessLevel): AccessCapabilities {\n switch (accessLevel) {\n case 'none':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'guidance':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'read-only':\n return {\n canRead: true,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'standard':\n return {\n canRead: true,\n canWrite: true,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'full':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'internal':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: true,\n canAccessInternal: true,\n };\n default:\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n }\n}\n","/\n AstraSync Universal Verification Gateway - Core Verification Logic\n \n This module handles the core verification logic, calling the AstraSync API\n * and processing the response into a standardized VerificationResult.\n /\n\nimport type {\n GatewayConfig,\n AgentCredentials,\n VerificationRequest,\n VerificationResult,\n VerifiedAgent,\n VerifiedDeveloper,\n VerifiedOrganization,\n PDLSSInfo,\n GuidanceInfo,\n AccessLevel,\n EnhancedVerificationResult,\n TokenGuidance,\n RuntimeChallengeResult,\n} from './types';\nimport { determineAccessLevel, getTrustLevel, ACCESS_LEVEL_HIERARCHY } from './access-levels';\n\n/\n Default configuration values\n /\nconst DEFAULT_CONFIG: Partial<GatewayConfig> = {\n apiBaseUrl: 'https://api.astrasync.ai',\n defaultAccessLevel: 'guidance',\n minTrustScore: 40,\n minTrustScoreForFull: 70,\n cacheTtl: 300, // 5 minutes\n debug: false,\n};\n\n/\n Simple in-memory cache for verification results\n /\nconst verificationCache = new Map<string, { result: VerificationResult; expiresAt: number }>();\n\n/\n Generate cache key from credentials\n /\nfunction getCacheKey(credentials: AgentCredentials): string {\n return `${credentials.astraId \|\| ''}-${credentials.apiKey \|\| ''}-${credentials.jwt \|\| ''}`;\n}\n\n/\n Check if cached result is still valid\n /\nfunction getCachedResult(credentials: AgentCredentials): VerificationResult \| null {\n const key = getCacheKey(credentials);\n const cached = verificationCache.get(key);\n\n if (cached && cached.expiresAt > Date.now()) {\n return cached.result;\n }\n\n if (cached) {\n verificationCache.delete(key);\n }\n\n return null;\n}\n\n/\n Cache a verification result\n /\nfunction cacheResult(credentials: AgentCredentials, result: VerificationResult, ttlSeconds: number): void {\n const key = getCacheKey(credentials);\n verificationCache.set(key, {\n result,\n expiresAt: Date.now() + ttlSeconds 1000,\n });\n}\n\n/*\n Clear the verification cache\n /\nexport function clearCache(): void {\n verificationCache.clear();\n}\n\n/\n Extract agent credentials from various sources\n /\nexport function extractCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n query?: Record<string, string \| undefined>\n): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers (case-insensitive)\n const astraIdHeader = headers['x-astra-id'] \|\| headers['X-Astra-Id'] \|\| headers['X-ASTRA-ID'];\n if (astraIdHeader) {\n credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;\n }\n\n // Check for API key in headers\n const apiKeyHeader = headers['x-api-key'] \|\| headers['X-Api-Key'] \|\| headers['X-API-KEY'];\n if (apiKeyHeader) {\n credentials.apiKey = Array.isArray(apiKeyHeader) ? apiKeyHeader[0] : apiKeyHeader;\n }\n\n // Check Authorization header for Bearer token\n const authHeader = headers['authorization'] \|\| headers['Authorization'];\n if (authHeader) {\n const authValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n credentials.authorizationHeader = authValue;\n\n if (authValue.startsWith('Bearer ')) {\n credentials.jwt = authValue.slice(7);\n }\n }\n\n // Check query parameters as fallback\n if (query) {\n if (query.astraId && !credentials.astraId) {\n credentials.astraId = query.astraId;\n }\n if (query.apiKey && !credentials.apiKey) {\n credentials.apiKey = query.apiKey;\n }\n }\n\n return credentials;\n}\n\n/\n Check if credentials are present\n /\nexport function hasCredentials(credentials: AgentCredentials): boolean {\n return !!(credentials.astraId \|\| credentials.apiKey \|\| credentials.jwt);\n}\n\n/\n Create guidance response for unverified agents\n /\nfunction createGuidanceResponse(config: GatewayConfig, reason?: string): VerificationResult {\n const guidance: GuidanceInfo = {\n message: 'This service verifies AI agents before granting access. Please register your agent with AstraSync.',\n registrationUrl: `${config.apiBaseUrl.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl.replace('/api', '')}/docs/agent-access`,\n steps: [\n 'Register for an AstraSync account',\n 'Create and register your agent',\n 'Add your ASTRA-ID to request headers',\n 'Retry your request',\n ],\n };\n\n return {\n verified: false,\n accessLevel: 'guidance',\n guidance,\n denialReasons: reason ? [reason] : ['No valid agent credentials provided'],\n verifiedAt: new Date(),\n };\n}\n\n/\n Call the AstraSync verify-access API\n /\nasync function callVerifyAccessAPI(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<{\n success: boolean;\n access?: {\n allowed: boolean;\n reason?: string;\n requiresStepUp?: boolean;\n requiresApproval?: boolean;\n appliedPolicy?: {\n boundaryId: string;\n boundaryName: string;\n policyId: string;\n policyVersion: string;\n };\n pdlss?: {\n purposeAllowed: boolean;\n withinDuration: boolean;\n withinLimits: boolean;\n scopeAllowed: boolean;\n selfInstantiationAllowed: boolean;\n };\n counterparty?: {\n id: string;\n name: string;\n trustScoreRequirement: number;\n };\n };\n agent?: {\n kyaAgentId: string;\n astraId: string;\n name: string;\n trustScore: number;\n trustLevel: string;\n agentStatus: string;\n blockchainStatus: string;\n };\n developer?: {\n kyaOwnerId: string;\n fullName: string;\n email: string;\n identityVerified: boolean;\n trustScore: number;\n };\n organization?: {\n name: string;\n verified: boolean;\n trustScore: number;\n };\n error?: string;\n}> {\n const { credentials, ...requestData } = request;\n\n // Build the request body\n const body: Record<string, unknown> = {\n agentId: credentials.astraId,\n purpose: requestData.purpose \|\| 'general',\n };\n\n // Add optional fields\n if (requestData.action) body.action = requestData.action;\n if (requestData.resourceType) body.resourceType = requestData.resourceType;\n if (requestData.resource) body.resource = requestData.resource;\n if (requestData.jurisdiction) body.jurisdiction = requestData.jurisdiction;\n if (requestData.transactionValue) body.transactionValue = requestData.transactionValue;\n if (requestData.currency) body.currency = requestData.currency;\n if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;\n if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;\n if (requestData.subAgentDepth !== undefined) body.subAgentDepth = requestData.subAgentDepth;\n // Handshake Protocol v10 additions\n if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;\n if (requestData.createSession) body.createSession = requestData.createSession;\n if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;\n if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;\n if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;\n\n // Build headers\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n ...config.customHeaders,\n };\n\n if (config.apiKey) {\n headers['X-API-Key'] = config.apiKey;\n }\n\n if (credentials.authorizationHeader) {\n headers['Authorization'] = credentials.authorizationHeader;\n }\n\n try {\n const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n const data = await response.json();\n\n if (!response.ok) {\n return {\n success: false,\n error: data.message \|\| data.error \|\| `API returned ${response.status}`,\n };\n }\n\n return data;\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n success: false,\n error: `Failed to call verify-access API: ${message}`,\n };\n }\n}\n\n/\n Main verification function\n /\nexport async function verify(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n\n // Check for credentials\n if (!hasCredentials(request.credentials)) {\n return createGuidanceResponse(mergedConfig, 'No agent credentials provided');\n }\n\n // Check cache first\n if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {\n const cached = getCachedResult(request.credentials);\n if (cached) {\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Returning cached result');\n }\n return cached;\n }\n }\n\n // Inject counterparty info from config if not already set in request\n const enrichedRequest = { ...request };\n if (!enrichedRequest.counterpartyUrl && mergedConfig.counterpartyUrl) {\n enrichedRequest.counterpartyUrl = mergedConfig.counterpartyUrl;\n }\n if (!enrichedRequest.counterpartyType && mergedConfig.counterpartyType) {\n enrichedRequest.counterpartyType = mergedConfig.counterpartyType;\n }\n\n // Call the API\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Calling verify-access API');\n }\n\n const apiResponse = await callVerifyAccessAPI(mergedConfig, enrichedRequest);\n\n // Handle API errors\n if (!apiResponse.success) {\n return createGuidanceResponse(mergedConfig, apiResponse.error);\n }\n\n // Check access result\n if (!apiResponse.access?.allowed) {\n const result: EnhancedVerificationResult = {\n verified: false,\n accessLevel: 'guidance',\n denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ['Access denied'],\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n guidance: {\n message: apiResponse.access?.reason \|\| 'Access denied by PDLSS policy',\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n // Extract sessionId so decisions can be recorded for denials too\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n recommendation: (apiResponse as Record<string, unknown>).recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as string[] \| undefined,\n };\n\n return result;\n }\n\n // Build successful result\n const agent: VerifiedAgent \| undefined = apiResponse.agent\n ? {\n astraId: apiResponse.agent.astraId,\n name: apiResponse.agent.name,\n trustScore: apiResponse.agent.trustScore,\n trustLevel: getTrustLevel(apiResponse.agent.trustScore),\n blockchainVerified: apiResponse.agent.blockchainStatus === 'verified',\n status: apiResponse.agent.agentStatus as VerifiedAgent['status'],\n }\n : undefined;\n\n const developer: VerifiedDeveloper \| undefined = apiResponse.developer\n ? {\n astradId: apiResponse.developer.kyaOwnerId,\n name: apiResponse.developer.fullName,\n trustScore: apiResponse.developer.trustScore \|\| 0,\n verified: apiResponse.developer.identityVerified,\n }\n : undefined;\n\n const organization: VerifiedOrganization \| undefined = apiResponse.organization\n ? {\n name: apiResponse.organization.name,\n verified: apiResponse.organization.verified,\n trustScore: apiResponse.organization.trustScore,\n }\n : undefined;\n\n const pdlss: PDLSSInfo \| undefined = apiResponse.access?.pdlss\n ? {\n purposeAllowed: apiResponse.access.pdlss.purposeAllowed,\n withinDuration: apiResponse.access.pdlss.withinDuration,\n withinLimits: apiResponse.access.pdlss.withinLimits,\n scopeAllowed: apiResponse.access.pdlss.scopeAllowed,\n selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,\n appliedPolicy: apiResponse.access.appliedPolicy,\n }\n : undefined;\n\n // Determine access level based on trust score\n const trustScore = agent?.trustScore \|\| 0;\n const isOrgMember = false; // TODO: Check if agent belongs to same org as counterparty\n const accessLevel: AccessLevel = determineAccessLevel(\n true,\n trustScore,\n isOrgMember,\n {\n 'read-only': 20,\n standard: mergedConfig.minTrustScore \|\| 40,\n full: mergedConfig.minTrustScoreForFull \|\| 70,\n }\n );\n\n const result: EnhancedVerificationResult = {\n verified: true,\n accessLevel,\n agent,\n developer,\n organization,\n pdlss,\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n verifiedAt: new Date(),\n cacheTtl: mergedConfig.cacheTtl,\n // Handshake Protocol v10 enhanced fields (present when backend returns them)\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n runtimeChallenge: (apiResponse as Record<string, unknown>).runtimeChallenge as RuntimeChallengeResult \| undefined,\n tokenGuidance: (apiResponse as Record<string, unknown>).tokenGuidance as TokenGuidance \| undefined,\n recommendation: (apiResponse as Record<string, unknown>).recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as string[] \| undefined,\n };\n\n // Enforce AstraSync recommendation\n if (result.recommendation === 'deny') {\n result.verified = false;\n result.accessLevel = 'none';\n result.denialReasons = result.recommendationReasons \|\| ['Access denied by AstraSync recommendation'];\n if (result.runtimeChallenge) {\n result.guidance = {\n message: `Verification failed: ${result.runtimeChallenge.reason \|\| 'runtime challenge failed'}`,\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/runtime-challenge`,\n };\n }\n } else if (result.recommendation === 'step_up_required') {\n result.requiresStepUp = true;\n if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY['read-only']) {\n result.accessLevel = 'read-only';\n }\n result.denialReasons = result.recommendationReasons \|\| ['Step-up verification required'];\n }\n\n // Cache the result (skip caching denials — agent may fix challenge endpoint and retry)\n if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0 && result.recommendation !== 'deny') {\n cacheResult(request.credentials, result, mergedConfig.cacheTtl);\n }\n\n return result;\n}\n\n/\n Record a counterparty's grant/deny decision for a verification session.\n * Fire-and-forget — errors are silently swallowed.\n /\nexport async function recordDecision(\n config: GatewayConfig,\n sessionId: string,\n decision: 'granted' \| 'denied',\n reason?: string,\n): Promise<void> {\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) headers['X-API-Key'] = config.apiKey;\n\n await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {\n method: 'POST',\n headers,\n body: JSON.stringify({ decision, reason }),\n }).catch(() => { / fire-and-forget / });\n}\n\n/\n Verify an agent AND automatically record the grant/deny decision.\n \n This is the recommended entry point for counterparties that call verify()\n * directly (e.g. MCP servers) rather than using createMiddleware().\n * It adds createSession: true, then fire-and-forgets the decision.\n /\nexport async function verifyAndRecord(\n config: GatewayConfig,\n request: VerificationRequest,\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n const result = await verify(mergedConfig, { ...request, createSession: true });\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n if (sessionId) {\n if (result.verified) {\n recordDecision(mergedConfig, sessionId, 'granted').catch(() => {});\n } else {\n recordDecision(mergedConfig, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n }\n\n return result;\n}\n\n/\n Quick verification - just check if credentials are valid\n /\nexport async function quickVerify(\n config: GatewayConfig,\n credentials: AgentCredentials\n): Promise<{ verified: boolean; accessLevel: AccessLevel; reason?: string }> {\n const result = await verify(config, {\n credentials,\n purpose: 'verification',\n });\n\n return {\n verified: result.verified,\n accessLevel: result.accessLevel,\n reason: result.denialReasons?.[0],\n };\n}\n","/\n AstraSync Universal Verification Gateway - Express Middleware\n \n Express.js middleware for verifying AI agents on API endpoints.\n \n @example\n * ```typescript\n * import express from 'express';\n * import { createMiddleware } from '@astrasyncai/verification-gateway/express';\n \n const app = express();\n \n app.use(createMiddleware({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/data/', method: 'GET', minAccessLevel: 'read-only' },\n { pattern: '/api/data/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/api/admin/', method: '', minAccessLevel: 'internal' },\n * ],\n * }));\n * ```\n /\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport type {\n ExpressMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n EnhancedVerificationResult,\n RouteAccessConfig,\n AccessLevel,\n AstraSyncCredentials,\n} from '../types';\nimport { verify, extractCredentials, hasCredentials, recordDecision } from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\nimport { extractHttpCredentials } from '../transport/http';\n\n/\n Extend Express Request with verification result\n /\ndeclare global {\n // eslint-disable-next-line @typescript-eslint/no-namespace\n namespace Express {\n interface Request {\n agentVerification?: VerificationResult;\n }\n }\n}\n\n/\n Default credential extractor\n /\nfunction defaultExtractCredentials(req: Request): AgentCredentials {\n return extractCredentials(\n req.headers as Record<string, string \| string[] \| undefined>,\n req.query as Record<string, string \| undefined>\n );\n}\n\n/\n Extract extended AstraSync credentials (X-Astra-* headers) from Express request.\n * Returns null if no AstraSync headers are present.\n /\nexport function extractAstraSyncCredentials(req: Request): AstraSyncCredentials \| null {\n return extractHttpCredentials(req.headers as Record<string, string \| string[] \| undefined>);\n}\n\n/\n Default purpose extractor\n /\nfunction defaultExtractPurpose(req: Request): string \| undefined {\n // Try to get purpose from header\n const purposeHeader = req.headers['x-purpose'] \|\| req.headers['X-Purpose'];\n if (purposeHeader) {\n return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;\n }\n\n // Try to get from query\n if (req.query.purpose && typeof req.query.purpose === 'string') {\n return req.query.purpose;\n }\n\n // Infer from method\n switch (req.method) {\n case 'GET':\n return 'read';\n case 'POST':\n return 'create';\n case 'PUT':\n case 'PATCH':\n return 'update';\n case 'DELETE':\n return 'delete';\n default:\n return 'general';\n }\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n // Convert pattern to regex\n const regexPattern = pattern.replace(/\\/g, '.').replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches =\n route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Default denied handler\n /\nfunction defaultOnDenied(result: VerificationResult, _req: Request, res: Response): void {\n const statusCode = result.verified ? 403 : 401;\n\n res.status(statusCode).json({\n success: false,\n error: {\n code: result.verified ? 'INSUFFICIENT_ACCESS' : 'UNAUTHORIZED',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n guidance: result.guidance,\n },\n });\n}\n\n/\n Create Express middleware for agent verification\n /\nexport function createMiddleware(options: ExpressMiddlewareOptions): RequestHandler {\n const {\n routes = [],\n extractCredentials: customExtractCredentials,\n extractPurpose: customExtractPurpose,\n skipPaths = [],\n onDenied = defaultOnDenied,\n recordDecisions,\n ...config\n } = options;\n\n return async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n try {\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));\n if (shouldSkip) {\n return next();\n }\n\n // Find route configuration\n const routeConfig = findRouteConfig(routes, req.path, req.method);\n\n // If no route config, skip verification (allow through)\n if (!routeConfig) {\n return next();\n }\n\n // If route requires 'none' access, skip verification\n if (routeConfig.minAccessLevel === 'none') {\n return next();\n }\n\n // Extract credentials\n const credentials = customExtractCredentials\n ? customExtractCredentials(req)\n : defaultExtractCredentials(req);\n\n // If no credentials and access required, deny\n if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== 'guidance') {\n const result: VerificationResult = {\n verified: false,\n accessLevel: 'none',\n denialReasons: ['No agent credentials provided'],\n guidance: {\n message: 'This endpoint requires agent verification. Please provide your ASTRA-ID.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/agent-access`,\n },\n verifiedAt: new Date(),\n };\n\n req.agentVerification = result;\n onDenied(result, req, res);\n return;\n }\n\n // Extract purpose\n const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);\n\n // Auto-detect counterparty URL from the request if not explicitly configured.\n // Since the SDK is installed at this endpoint, we always know the origin.\n const counterpartyUrl = config.counterpartyUrl \|\| `${req.protocol}://${req.get('host')}`;\n\n // Verify the agent\n const shouldRecordDecisions = recordDecisions !== false;\n const result = await verify(config, {\n credentials,\n purpose,\n action: req.method.toLowerCase(),\n resource: req.path,\n clientIp: req.ip,\n userAgent: req.headers['user-agent'],\n createSession: shouldRecordDecisions,\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'api',\n });\n\n // Attach result to request\n req.agentVerification = result;\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n // Check if access level is sufficient\n if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n\n // Check trust score requirement if specified\n if (routeConfig.minTrustScore && result.agent) {\n if (result.agent.trustScore < routeConfig.minTrustScore) {\n result.denialReasons = [\n `Trust score ${result.agent.trustScore} is below required ${routeConfig.minTrustScore}`,\n ];\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', result.denialReasons[0]).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n }\n\n // All checks passed — record grant decision\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'granted').catch(() => {});\n }\n next();\n } catch (error) {\n // Log error and continue (fail open by default)\n console.error('[VerificationGateway] Middleware error:', error);\n next();\n }\n };\n}\n\n/\n Create a middleware that requires a specific access level\n /\nexport function requireAccess(\n minAccessLevel: AccessLevel,\n options: ExpressMiddlewareOptions\n): RequestHandler {\n return createMiddleware({\n ...options,\n routes: [{ pattern: '', method: '', minAccessLevel }],\n });\n}\n\n/\n Create a middleware that only verifies (doesn't block)\n /\nexport function verifyOnly(\n options: Omit<ExpressMiddlewareOptions, 'routes' \| 'onDenied'>\n): RequestHandler {\n return createMiddleware({\n ...options,\n routes: [{ pattern: '', method: '', minAccessLevel: 'none' }],\n });\n}\n","/\n HTTP Transport Adapter\n \n Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\nconst HEADER_PREFIX = 'X-Astra-';\n\n/\n Inject AstraSync credentials into HTTP headers.\n /\nexport function setHttpHeaders(\n headers: Record<string, string>,\n credentials: AstraSyncCredentials,\n): Record<string, string> {\n const result = { ...headers };\n\n result[`${HEADER_PREFIX}ID`] = credentials.agentId;\n\n if (credentials.verifyUrl) {\n result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;\n }\n\n if (credentials.challengeUrl) {\n result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;\n }\n\n if (credentials.pdlss?.purpose) {\n const purposeValue = credentials.pdlss.purpose.action\n ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}`\n : credentials.pdlss.purpose.category;\n result[`${HEADER_PREFIX}Purpose`] = purposeValue;\n }\n\n if (credentials.pdlss?.duration?.maxSessionDuration) {\n result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);\n }\n\n if (credentials.pdlss?.scope?.jurisdiction) {\n result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;\n }\n\n return result;\n}\n\n/\n Extract AstraSync credentials from HTTP headers.\n /\nexport function extractHttpCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n): AstraSyncCredentials \| null {\n const getValue = (key: string): string \| undefined => {\n const v = headers[key] ?? headers[key.toLowerCase()];\n return Array.isArray(v) ? v[0] : v;\n };\n\n const agentId = getValue(`${HEADER_PREFIX}ID`) ?? getValue('x-astra-id');\n if (!agentId) return null;\n\n const credentials: AstraSyncCredentials = { agentId };\n\n const verifyUrl = getValue(`${HEADER_PREFIX}Verify`) ?? getValue('x-astra-verify');\n if (verifyUrl) credentials.verifyUrl = verifyUrl;\n\n const challengeUrl = getValue(`${HEADER_PREFIX}Challenge`) ?? getValue('x-astra-challenge');\n if (challengeUrl) credentials.challengeUrl = challengeUrl;\n\n const purpose = getValue(`${HEADER_PREFIX}Purpose`) ?? getValue('x-astra-purpose');\n if (purpose) {\n const [category, action] = purpose.split(':');\n credentials.pdlss = {\n ...credentials.pdlss,\n purpose: { category, action },\n };\n }\n\n const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue('x-astra-duration');\n if (duration) {\n credentials.pdlss = {\n ...credentials.pdlss,\n duration: { maxSessionDuration: parseInt(duration, 10) },\n };\n }\n\n const scope = getValue(`${HEADER_PREFIX}Scope`) ?? getValue('x-astra-scope');\n if (scope) {\n credentials.pdlss = {\n ...credentials.pdlss,\n scope: { jurisdiction: scope },\n };\n }\n\n return credentials;\n}\n","/\n AstraSync Universal Verification Gateway - Next.js Middleware\n \n Next.js middleware for verifying AI agents on web applications.\n * Supports Commerce Shield overlay for unverified agents.\n \n @example\n * ```typescript\n * // middleware.ts\n * import { createMiddleware } from '@astrasyncai/verification-gateway/nextjs';\n \n export const middleware = createMiddleware({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * showCommerceShield: true,\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/dashboard/', method: '', minAccessLevel: 'read-only' },\n * ],\n * });\n \n export const config = {\n * matcher: ['/api/:path', '/dashboard/:path'],\n * };\n * ```\n /\n\nimport type { NextRequest } from 'next/server';\nimport type {\n NextJsMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n RouteAccessConfig,\n} from '../types';\nimport { verify, hasCredentials } from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\n\n/\n Extract credentials from Next.js request\n /\nfunction extractCredentialsFromNextRequest(request: NextRequest): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers\n const astraId = request.headers.get('x-astra-id') \|\| request.headers.get('X-Astra-Id');\n if (astraId) {\n credentials.astraId = astraId;\n }\n\n // Check for API key\n const apiKey = request.headers.get('x-api-key') \|\| request.headers.get('X-Api-Key');\n if (apiKey) {\n credentials.apiKey = apiKey;\n }\n\n // Check Authorization header\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n credentials.authorizationHeader = authHeader;\n if (authHeader.startsWith('Bearer ')) {\n credentials.jwt = authHeader.slice(7);\n }\n }\n\n // Check query parameters\n const url = new URL(request.url);\n const astraIdParam = url.searchParams.get('astraId');\n const apiKeyParam = url.searchParams.get('apiKey');\n\n if (astraIdParam && !credentials.astraId) {\n credentials.astraId = astraIdParam;\n }\n if (apiKeyParam && !credentials.apiKey) {\n credentials.apiKey = apiKeyParam;\n }\n\n return credentials;\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n const regexPattern = pattern.replace(/\\/g, '.').replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches =\n route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Infer purpose from request method\n /\nfunction inferPurpose(method: string): string {\n switch (method.toUpperCase()) {\n case 'GET':\n return 'read';\n case 'POST':\n return 'create';\n case 'PUT':\n case 'PATCH':\n return 'update';\n case 'DELETE':\n return 'delete';\n default:\n return 'general';\n }\n}\n\n/\n Generate Commerce Shield HTML response\n /\nfunction generateCommerceShieldHtml(\n result: VerificationResult,\n options: NextJsMiddlewareOptions\n): string {\n const title = options.commerceShield?.title \|\| 'AstraSync Agent Verification';\n const message =\n options.commerceShield?.message \|\|\n result.guidance?.message \|\|\n \"This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.\";\n const registrationUrl = result.guidance?.registrationUrl \|\| 'https://astrasync.ai/register';\n const docsUrl = result.guidance?.documentationUrl \|\| 'https://astrasync.ai/docs/agent-access';\n const allowGuest = options.commerceShield?.allowGuestAccess ?? true;\n\n return `\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>${title}</title>\n <style>\n {\n box-sizing: border-box;\n margin: 0;\n padding: 0;\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;\n background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);\n min-height: 100vh;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px;\n }\n .shield-container {\n background: rgba(255, 255, 255, 0.95);\n border-radius: 16px;\n box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);\n max-width: 480px;\n width: 100%;\n padding: 40px;\n text-align: center;\n }\n .shield-icon {\n font-size: 48px;\n margin-bottom: 20px;\n }\n .shield-title {\n font-size: 24px;\n font-weight: 700;\n color: #1a1a2e;\n margin-bottom: 16px;\n }\n .shield-message {\n color: #4a5568;\n line-height: 1.6;\n margin-bottom: 24px;\n }\n .shield-steps {\n text-align: left;\n background: #f7fafc;\n border-radius: 8px;\n padding: 20px;\n margin-bottom: 24px;\n }\n .shield-steps h3 {\n font-size: 14px;\n font-weight: 600;\n color: #2d3748;\n margin-bottom: 12px;\n }\n .shield-steps ol {\n padding-left: 20px;\n color: #4a5568;\n }\n .shield-steps li {\n margin-bottom: 8px;\n }\n .shield-buttons {\n display: flex;\n flex-direction: column;\n gap: 12px;\n }\n .btn {\n display: inline-block;\n padding: 14px 24px;\n border-radius: 8px;\n font-weight: 600;\n text-decoration: none;\n transition: all 0.2s;\n cursor: pointer;\n border: none;\n font-size: 16px;\n }\n .btn-primary {\n background: linear-gradient(135deg, #6366f1 0%, #4f46e5 100%);\n color: white;\n }\n .btn-primary:hover {\n transform: translateY(-2px);\n box-shadow: 0 4px 12px rgba(99, 102, 241, 0.4);\n }\n .btn-secondary {\n background: #e2e8f0;\n color: #4a5568;\n }\n .btn-secondary:hover {\n background: #cbd5e0;\n }\n .shield-footer {\n margin-top: 24px;\n font-size: 14px;\n color: #718096;\n }\n .shield-footer a {\n color: #6366f1;\n text-decoration: none;\n }\n .shield-footer a:hover {\n text-decoration: underline;\n }\n </style>\n</head>\n<body>\n <div class=\"shield-container\">\n <div class=\"shield-icon\">🛡️</div>\n <h1 class=\"shield-title\">${title}</h1>\n <p class=\"shield-message\">${message}</p>\n\n <div class=\"shield-steps\">\n <h3>To get verified access:</h3>\n <ol>\n <li>Register at <a href=\"${registrationUrl}\">astrasync.ai/register</a></li>\n <li>Create and register your agent</li>\n <li>Add your ASTRA-ID to request headers</li>\n <li>Refresh this page</li>\n </ol>\n </div>\n\n <div class=\"shield-buttons\">\n <a href=\"${registrationUrl}\" class=\"btn btn-primary\">Register Now</a>\n ${allowGuest ? '<button onclick=\"window.location.reload()\" class=\"btn btn-secondary\">Continue as Guest (Limited)</button>' : ''}\n </div>\n\n <p class=\"shield-footer\">\n Learn more: <a href=\"${docsUrl}\">Agent Access Documentation</a>\n </p>\n </div>\n</body>\n</html>\n `.trim();\n}\n\n/*\n Create Next.js middleware for agent verification\n /\nexport function createMiddleware(options: NextJsMiddlewareOptions) {\n const { routes = [], skipPaths = [], showCommerceShield = true, ...config } = options;\n\n return async function middleware(request: NextRequest) {\n // Dynamic import NextResponse to avoid build issues\n const { NextResponse } = await import('next/server');\n\n const pathname = request.nextUrl.pathname;\n\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, pathname));\n if (shouldSkip) {\n return NextResponse.next();\n }\n\n // Find route configuration\n const routeConfig = findRouteConfig(routes, pathname, request.method);\n\n // If no route config, allow through\n if (!routeConfig) {\n return NextResponse.next();\n }\n\n // If route requires 'none' access, allow through\n if (routeConfig.minAccessLevel === 'none') {\n return NextResponse.next();\n }\n\n // Extract credentials\n const credentials = extractCredentialsFromNextRequest(request);\n\n // If no credentials and not just guidance level\n if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== 'guidance') {\n const result: VerificationResult = {\n verified: false,\n accessLevel: 'none',\n denialReasons: ['No agent credentials provided'],\n guidance: {\n message: 'This page requires agent verification.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/agent-access`,\n },\n verifiedAt: new Date(),\n };\n\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n code: 'UNAUTHORIZED',\n message: 'No agent credentials provided',\n guidance: result.guidance,\n },\n },\n { status: 401 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(result, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n // Otherwise redirect to login/register\n const registerUrl = result.guidance?.registrationUrl \|\| '/register';\n return NextResponse.redirect(new URL(registerUrl, request.url));\n }\n\n // Auto-detect counterparty URL from the request if not explicitly configured.\n // Since the SDK is installed at this endpoint, we always know the origin.\n const counterpartyUrl = config.counterpartyUrl \|\| request.nextUrl.origin;\n\n // Verify the agent\n const purpose = request.headers.get('x-purpose') \|\| inferPurpose(request.method);\n const result = await verify(config, {\n credentials,\n purpose,\n action: request.method.toLowerCase(),\n resource: pathname,\n clientIp: request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() \|\| undefined,\n userAgent: request.headers.get('user-agent') \|\| undefined,\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'website',\n });\n\n // Check if access level is sufficient\n if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n code: result.verified ? 'INSUFFICIENT_ACCESS' : 'UNAUTHORIZED',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n required: routeConfig.minAccessLevel,\n guidance: result.guidance,\n },\n },\n { status: result.verified ? 403 : 401 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(result, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n // Redirect to unauthorized page\n return NextResponse.redirect(new URL('/unauthorized', request.url));\n }\n\n // All checks passed - continue with verification info in headers\n const response = NextResponse.next();\n\n // Add verification info to response headers\n response.headers.set('X-AstraSync-Verified', result.verified.toString());\n response.headers.set('X-AstraSync-Access-Level', result.accessLevel);\n\n if (result.agent) {\n response.headers.set('X-AstraSync-Agent-Id', result.agent.astraId);\n response.headers.set('X-AstraSync-Trust-Score', result.agent.trustScore.toString());\n }\n\n return response;\n };\n}\n\n/\n Helper to create matcher config\n /\nexport function createMatcherConfig(paths: string[]): { matcher: string[] } {\n return { matcher: paths };\n}\n","/\n AstraSync Universal Verification Gateway - SDK Adapter\n \n Direct SDK for verifying agents in any JavaScript/TypeScript environment.\n * Useful for agent-to-agent verification, serverless functions, or custom integrations.\n \n @example\n * ```typescript\n * import { createClient } from '@astrasyncai/verification-gateway/sdk';\n \n const gateway = createClient({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * });\n \n // Verify another agent before interacting\n * const result = await gateway.verify({\n * astraId: 'ASTRA-abc123',\n * purpose: 'data-exchange',\n * });\n \n if (result.verified && result.accessLevel !== 'none') {\n * // Safe to interact with this agent\n * }\n * ```\n /\n\nimport type {\n SDKOptions,\n AgentCredentials,\n VerificationResult,\n VerificationRequest,\n AccessLevel,\n GatewayConfig,\n} from '../types';\nimport { verify as coreVerify, quickVerify as coreQuickVerify, clearCache } from '../verify';\nimport { getTrustLevel, hasMinimumAccess, getCapabilities } from '../access-levels';\nimport type { AccessCapabilities } from '../access-levels';\n\n/\n Verification Gateway SDK Client\n /\nexport class VerificationGatewayClient {\n private config: GatewayConfig;\n private timeout: number;\n private retryConfig: { maxRetries: number; backoffMs: number };\n\n constructor(options: SDKOptions) {\n this.config = {\n apiBaseUrl: options.apiBaseUrl,\n apiKey: options.apiKey,\n defaultAccessLevel: options.defaultAccessLevel,\n minTrustScore: options.minTrustScore,\n minTrustScoreForFull: options.minTrustScoreForFull,\n cacheTtl: options.cacheTtl,\n debug: options.debug,\n customHeaders: options.customHeaders,\n counterpartyUrl: options.counterpartyUrl,\n counterpartyType: options.counterpartyType,\n };\n\n this.timeout = options.timeout \|\| 10000;\n this.retryConfig = options.retry \|\| { maxRetries: 3, backoffMs: 1000 };\n }\n\n /\n Full verification with all details\n /\n async verify(options: {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n purpose?: string;\n action?: string;\n resourceType?: string;\n resource?: string;\n jurisdiction?: string;\n transactionValue?: number;\n currency?: string;\n isSubAgentRequest?: boolean;\n parentAgentId?: string;\n subAgentDepth?: number;\n counterpartyUrl?: string;\n counterpartyType?: string;\n }): Promise<VerificationResult> {\n const credentials: AgentCredentials = {\n astraId: options.astraId,\n apiKey: options.apiKey,\n jwt: options.jwt,\n };\n\n return this.executeWithRetry(() =>\n coreVerify(this.config, {\n credentials,\n purpose: options.purpose,\n action: options.action,\n resourceType: options.resourceType,\n resource: options.resource,\n jurisdiction: options.jurisdiction,\n transactionValue: options.transactionValue,\n currency: options.currency,\n isSubAgentRequest: options.isSubAgentRequest,\n parentAgentId: options.parentAgentId,\n subAgentDepth: options.subAgentDepth,\n counterpartyUrl: options.counterpartyUrl,\n counterpartyType: options.counterpartyType as VerificationRequest['counterpartyType'],\n })\n );\n }\n\n /\n Quick verification - just check if credentials are valid\n /\n async quickVerify(credentials: {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n }): Promise<{ verified: boolean; accessLevel: AccessLevel; reason?: string }> {\n return this.executeWithRetry(() => coreQuickVerify(this.config, credentials));\n }\n\n /\n Check if an agent has a specific access level\n /\n async hasAccess(\n credentials: { astraId?: string; apiKey?: string; jwt?: string },\n requiredLevel: AccessLevel\n ): Promise<boolean> {\n const result = await this.quickVerify(credentials);\n return hasMinimumAccess(result.accessLevel, requiredLevel);\n }\n\n /\n Get capabilities for a verified agent\n /\n async getCapabilities(credentials: {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n }): Promise<AccessCapabilities> {\n const result = await this.quickVerify(credentials);\n return getCapabilities(result.accessLevel);\n }\n\n /\n Verify a specific ASTRA-ID\n /\n async verifyAstraId(\n astraId: string,\n options?: {\n purpose?: string;\n action?: string;\n }\n ): Promise<VerificationResult> {\n return this.verify({\n astraId,\n purpose: options?.purpose,\n action: options?.action,\n });\n }\n\n /\n Verify using an API key\n /\n async verifyApiKey(\n apiKey: string,\n options?: {\n purpose?: string;\n action?: string;\n }\n ): Promise<VerificationResult> {\n return this.verify({\n apiKey,\n purpose: options?.purpose,\n action: options?.action,\n });\n }\n\n /\n Clear the verification cache\n /\n clearCache(): void {\n clearCache();\n }\n\n /\n Execute a function with retry logic\n /\n private async executeWithRetry<T>(fn: () => Promise<T>): Promise<T> {\n let lastError: Error \| null = null;\n\n for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {\n try {\n // Add timeout\n const result = await Promise.race([\n fn(),\n new Promise<never>((_, reject) =>\n setTimeout(() => reject(new Error('Request timeout')), this.timeout)\n ),\n ]);\n\n return result;\n } catch (error) {\n lastError = error instanceof Error ? error : new Error(String(error));\n\n // Don't retry on last attempt\n if (attempt < this.retryConfig.maxRetries) {\n // Exponential backoff\n const backoff = this.retryConfig.backoffMs Math.pow(2, attempt);\n await new Promise((resolve) => setTimeout(resolve, backoff));\n }\n }\n }\n\n throw lastError \|\| new Error('Verification failed after retries');\n }\n}\n\n/*\n Create a new SDK client\n /\nexport function createClient(options: SDKOptions): VerificationGatewayClient {\n return new VerificationGatewayClient(options);\n}\n\n/\n One-shot verification without creating a client\n /\nexport async function verifyOnce(\n options: SDKOptions & {\n astraId?: string;\n apiKey?: string;\n jwt?: string;\n purpose?: string;\n action?: string;\n }\n): Promise<VerificationResult> {\n const client = createClient(options);\n return client.verify(options);\n}\n\n// Re-export utilities for convenience\nexport { getTrustLevel, hasMinimumAccess, getCapabilities };\n","/\n Cross-Protocol Transport Module\n \n Provides adapters for injecting/extracting AstraSync credentials\n * across HTTP, A2A, and MCP protocols.\n /\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders, extractHttpCredentials } from './http';\nimport { setA2AMetadata, extractA2ACredentials } from './a2a';\nimport { setMcpMeta, extractMcpCredentials } from './mcp';\n\nexport { setHttpHeaders, extractHttpCredentials } from './http';\nexport { setA2AMetadata, extractA2ACredentials } from './a2a';\nexport { setMcpMeta, extractMcpCredentials } from './mcp';\n\n/\n Auto-detect protocol from request/context shape.\n /\nexport function detectProtocol(context: Record<string, unknown>): ProtocolTransport {\n // A2A: has metadata block with task-like structure\n if (context.metadata && typeof context.metadata === 'object') {\n return 'a2a';\n }\n\n // MCP: has _meta block (MCP convention)\n if (context._meta && typeof context._meta === 'object') {\n return 'mcp';\n }\n\n // Default to HTTP\n return 'http';\n}\n\n/\n Apply credentials to any protocol target.\n /\nexport function applyCredentials(\n protocol: ProtocolTransport,\n target: Record<string, unknown>,\n credentials: AstraSyncCredentials,\n): Record<string, unknown> {\n switch (protocol) {\n case 'http':\n return setHttpHeaders(target as Record<string, string>, credentials);\n case 'a2a':\n return setA2AMetadata(target, credentials);\n case 'mcp':\n return setMcpMeta(target, credentials);\n default:\n return target;\n }\n}\n\n/\n Extract credentials from any protocol context.\n /\nexport function extractCredentialsFromProtocol(\n protocol: ProtocolTransport,\n context: Record<string, unknown>,\n): AstraSyncCredentials \| null {\n switch (protocol) {\n case 'http':\n return extractHttpCredentials(context as Record<string, string \| string[] \| undefined>);\n case 'a2a':\n return extractA2ACredentials(context);\n case 'mcp':\n return extractMcpCredentials(context);\n default:\n return null;\n }\n}\n","/\n A2A (Agent-to-Agent) Transport Adapter\n \n Maps AstraSync credentials to/from A2A task metadata.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface A2ATask {\n metadata?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMetadata {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to an A2A task's metadata block.\n /\nexport function setA2AMetadata(\n task: A2ATask,\n credentials: AstraSyncCredentials,\n): A2ATask {\n const astrasync: AstraSyncMetadata = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...task,\n metadata: {\n ...task.metadata,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from an A2A task's metadata block.\n /\nexport function extractA2ACredentials(task: A2ATask): AstraSyncCredentials \| null {\n const meta = task.metadata?.astrasync as AstraSyncMetadata \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n MCP (Model Context Protocol) Transport Adapter\n \n Maps AstraSync credentials to/from MCP params._meta.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface McpParams {\n _meta?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMeta {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to MCP params' _meta block.\n /\nexport function setMcpMeta(\n params: McpParams,\n credentials: AstraSyncCredentials,\n): McpParams {\n const astrasync: AstraSyncMeta = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...params,\n _meta: {\n ...params._meta,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from MCP params' _meta block.\n /\nexport function extractMcpCredentials(params: McpParams): AstraSyncCredentials \| null {\n const meta = params._meta?.astrasync as AstraSyncMeta \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n Agent-Side SDK Module\n \n Tools for AI agents to present credentials, handle challenges,\n * and interact with the AstraSync verification protocol.\n /\n\nexport { AgentClient } from './client';\nexport { ChallengeHandler } from './challenge-handler';\nexport { formatPDLSSForTransport, parsePDLSSFromTransport } from './pdlss-formatter';\nexport type { PDLSSConfig, TransportPDLSS } from './pdlss-formatter';\nexport { recordDecision } from './decision-client';\n","/\n AgentClient — Credential Presentation\n \n Agent-side SDK for automatically injecting AstraSync credentials\n * into outgoing requests across all supported protocols.\n /\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders } from '../transport/http';\nimport { setA2AMetadata } from '../transport/a2a';\nimport { setMcpMeta } from '../transport/mcp';\nimport { applyCredentials } from '../transport';\n\ninterface AgentClientConfig {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n pdlss?: AstraSyncCredentials['pdlss'];\n}\n\ninterface FetchOptions extends RequestInit {\n purpose?: string;\n action?: string;\n}\n\nexport class AgentClient {\n private credentials: AstraSyncCredentials;\n\n constructor(config: AgentClientConfig) {\n this.credentials = {\n agentId: config.agentId,\n verifyUrl: config.verifyUrl ?? 'https://api.astrasync.ai/agents/verify-access',\n challengeUrl: config.challengeUrl,\n pdlss: config.pdlss,\n };\n }\n\n /\n Make an HTTP request with AstraSync headers automatically injected.\n /\n async fetch(url: string, options?: FetchOptions): Promise<Response> {\n const { purpose, action, ...fetchOptions } = options ?? {};\n\n // Build credentials with optional overrides\n const creds: AstraSyncCredentials = { ...this.credentials };\n if (purpose) {\n creds.pdlss = {\n ...creds.pdlss,\n purpose: { category: purpose, action },\n };\n }\n\n // Inject AstraSync headers\n const existingHeaders: Record<string, string> = {};\n if (fetchOptions.headers) {\n if (fetchOptions.headers instanceof Headers) {\n fetchOptions.headers.forEach((value, key) => {\n existingHeaders[key] = value;\n });\n } else if (Array.isArray(fetchOptions.headers)) {\n for (const [key, value] of fetchOptions.headers) {\n existingHeaders[key] = value;\n }\n } else {\n Object.assign(existingHeaders, fetchOptions.headers);\n }\n }\n\n const enrichedHeaders = setHttpHeaders(existingHeaders, creds);\n\n return fetch(url, {\n ...fetchOptions,\n headers: enrichedHeaders,\n });\n }\n\n /\n Prepare A2A task metadata with AstraSync credentials.\n /\n prepareA2AMetadata(\n task: Record<string, unknown>,\n overrides?: { purpose?: string; action?: string },\n ): Record<string, unknown> {\n const creds = this.buildCredentials(overrides);\n return setA2AMetadata(task, creds);\n }\n\n /\n Prepare MCP params with AstraSync _meta.\n /\n prepareMcpMeta(\n params: Record<string, unknown>,\n overrides?: { purpose?: string; action?: string },\n ): Record<string, unknown> {\n const creds = this.buildCredentials(overrides);\n return setMcpMeta(params, creds);\n }\n\n /\n Generic: apply credentials to any protocol.\n /\n applyCredentials(\n protocol: ProtocolTransport,\n target: Record<string, unknown>,\n overrides?: { purpose?: string; action?: string },\n ): Record<string, unknown> {\n const creds = this.buildCredentials(overrides);\n return applyCredentials(protocol, target, creds);\n }\n\n private buildCredentials(overrides?: { purpose?: string; action?: string }): AstraSyncCredentials {\n if (!overrides?.purpose) return this.credentials;\n\n return {\n ...this.credentials,\n pdlss: {\n ...this.credentials.pdlss,\n purpose: { category: overrides.purpose, action: overrides.action },\n },\n };\n }\n}\n","/\n ChallengeHandler — Agent-Side Runtime Challenge Responder\n \n Handles incoming runtime challenges from AstraSync's verification service.\n * Agents register pending counterparties before initiating contact,\n * then this handler validates and responds to challenges.\n /\n\ninterface ChallengePayload {\n challengeId: string;\n type: string;\n counterpartyId?: string \| null;\n counterpartyUrl?: string \| null;\n question?: string;\n issuedAt: string;\n expiresAt: string;\n}\n\ninterface ChallengeResponse {\n status: number;\n body: {\n challengeId: string;\n acknowledged: boolean;\n pendingCounterparties: string[];\n respondedAt: string;\n error?: string;\n };\n}\n\ninterface ChallengeHandlerConfig {\n agentId: string;\n}\n\nexport class ChallengeHandler {\n private agentId: string;\n private pendingCounterparties: Set<string> = new Set();\n\n constructor(config: ChallengeHandlerConfig) {\n this.agentId = config.agentId;\n }\n\n /\n Register a counterparty as pending (before initiating contact).\n /\n registerPending(counterpartyId: string): void {\n this.pendingCounterparties.add(counterpartyId);\n }\n\n /\n Remove a counterparty from pending list (after interaction complete).\n /\n removePending(counterpartyId: string): void {\n this.pendingCounterparties.delete(counterpartyId);\n }\n\n /\n Get current pending counterparties list.\n /\n getPendingList(): string[] {\n return [...this.pendingCounterparties];\n }\n\n /\n Express middleware for the challenge endpoint.\n * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())\n /\n expressMiddleware(): (req: { body: unknown }, res: { status: (code: number) => { json: (body: unknown) => void } }) => void {\n return (req, res) => {\n const result = this.handleChallenge(req.body);\n res.status(result.status).json(result.body);\n };\n }\n\n /\n Generic handler (framework-agnostic).\n * Returns { status, body } for the caller to send.\n /\n handleChallenge(body: unknown): ChallengeResponse {\n // Validate payload shape\n if (!body \|\| typeof body !== 'object') {\n return {\n status: 400,\n body: {\n challengeId: '',\n acknowledged: false,\n pendingCounterparties: [],\n respondedAt: new Date().toISOString(),\n error: 'Invalid challenge payload',\n },\n };\n }\n\n const payload = body as ChallengePayload;\n\n if (!payload.challengeId \|\| !payload.issuedAt \|\| !payload.expiresAt) {\n return {\n status: 400,\n body: {\n challengeId: payload.challengeId ?? '',\n acknowledged: false,\n pendingCounterparties: [],\n respondedAt: new Date().toISOString(),\n error: 'Missing required challenge fields',\n },\n };\n }\n\n // Check if challenge has expired\n const now = new Date();\n const expiresAt = new Date(payload.expiresAt);\n if (now > expiresAt) {\n return {\n status: 410,\n body: {\n challengeId: payload.challengeId,\n acknowledged: false,\n pendingCounterparties: [],\n respondedAt: now.toISOString(),\n error: 'Challenge has expired',\n },\n };\n }\n\n // Respond with current pending list\n return {\n status: 200,\n body: {\n challengeId: payload.challengeId,\n acknowledged: true,\n pendingCounterparties: this.getPendingList(),\n respondedAt: now.toISOString(),\n },\n };\n }\n}\n","/\n PDLSS Formatter — Transport Format Conversion\n \n Converts between full PDLSS boundaries and compact transport format\n * used in HTTP headers, A2A metadata, and MCP _meta blocks.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\n/\n Full PDLSS configuration (as returned by the backend).\n /\nexport interface PDLSSConfig {\n purpose?: {\n categories?: string[];\n allowedActions?: string[];\n deniedActions?: string[];\n };\n duration?: {\n maxSessionDuration?: number;\n ttl?: number;\n allowedDays?: number[];\n allowedHours?: { start: number; end: number };\n };\n limits?: {\n autonomousThreshold?: number;\n stepUpThreshold?: number;\n approvalThreshold?: number;\n currency?: string;\n };\n scope?: {\n jurisdictions?: string[];\n resources?: string[];\n resourceTypes?: string[];\n };\n selfInstantiation?: {\n allowed: boolean;\n maxDepth?: number;\n maxSubAgents?: number;\n };\n}\n\n/\n Compact transport format (embedded in headers/metadata).\n /\nexport type TransportPDLSS = NonNullable<AstraSyncCredentials['pdlss']>;\n\n/\n Convert full PDLSS boundaries into compact transport format.\n * Used by AgentClient when building credential headers/metadata.\n /\nexport function formatPDLSSForTransport(pdlss: PDLSSConfig): TransportPDLSS {\n const transport: TransportPDLSS = {};\n\n // Purpose: pick the primary category and first allowed action\n if (pdlss.purpose?.categories?.length) {\n transport.purpose = {\n category: pdlss.purpose.categories[0],\n action: pdlss.purpose.allowedActions?.[0],\n };\n }\n\n // Duration: use the shorter of maxSessionDuration and ttl\n if (pdlss.duration) {\n const candidates: number[] = [];\n if (pdlss.duration.maxSessionDuration) candidates.push(pdlss.duration.maxSessionDuration);\n if (pdlss.duration.ttl) candidates.push(pdlss.duration.ttl);\n if (candidates.length > 0) {\n transport.duration = { maxSessionDuration: Math.min(...candidates) };\n }\n }\n\n // Scope: use the primary jurisdiction\n if (pdlss.scope?.jurisdictions?.length) {\n transport.scope = { jurisdiction: pdlss.scope.jurisdictions[0] };\n }\n\n return transport;\n}\n\n/\n Parse transport format back into full PDLSS config.\n * Used by counterparty-side when receiving credentials.\n /\nexport function parsePDLSSFromTransport(transport: TransportPDLSS): PDLSSConfig {\n const pdlss: PDLSSConfig = {};\n\n if (transport.purpose) {\n pdlss.purpose = {\n categories: [transport.purpose.category],\n allowedActions: transport.purpose.action ? [transport.purpose.action] : undefined,\n };\n }\n\n if (transport.duration) {\n pdlss.duration = {\n maxSessionDuration: transport.duration.maxSessionDuration,\n };\n }\n\n if (transport.scope) {\n pdlss.scope = {\n jurisdictions: transport.scope.jurisdiction ? [transport.scope.jurisdiction] : undefined,\n };\n }\n\n return pdlss;\n}\n","/\n Decision Client — Counterparty-Side Decision Recording\n \n Helper for counterparties to record their grant/deny decisions\n * back to AstraSync after receiving a verification result.\n /\n\nimport type { GatewayConfig } from '../types';\n\ninterface RecordDecisionParams {\n sessionId: string;\n decision: 'granted' \| 'denied';\n reason?: string;\n tokenIssued?: boolean;\n auditId?: string;\n}\n\ninterface RecordDecisionResult {\n recorded: boolean;\n blockchainTxHash?: string;\n}\n\n/\n Record a counterparty's grant/deny decision for a verification session.\n * POST to /agents/verify-access/:sessionId/decision\n */\nexport async function recordDecision(\n config: GatewayConfig,\n params: RecordDecisionParams,\n): Promise<RecordDecisionResult> {\n const { sessionId, ...body } = params;\n const baseUrl = config.apiBaseUrl.replace(/\\/$/, '');\n const url = `${baseUrl}/agents/verify-access/${encodeURIComponent(sessionId)}/decision`;\n\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n };\n\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n }\n\n if (config.customHeaders) {\n Object.assign(headers, config.customHeaders);\n }\n\n const response = await fetch(url, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n const errorText = await response.text().catch(() => 'Unknown error');\n throw new Error(\n `Failed to record decision for session ${sessionId}: ${response.status} ${errorText}`,\n );\n }\n\n const result = await response.json();\n\n return {\n recorded: result.recorded ?? true,\n blockchainTxHash: result.blockchainTxHash,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;;;ACWO,IAAM,yBAAsD;AAAA,EACjE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AACZ;AAKO,IAAM,4BAAyD;AAAA,EACpE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AACZ;AAKO,IAAM,2BAAwD;AAAA,EACnE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AAAA;AACZ;AAKO,IAAM,qBAAuE;AAAA,EAClF,QAAQ,EAAE,KAAK,GAAG,KAAK,GAAG;AAAA,EAC1B,QAAQ,EAAE,KAAK,IAAI,KAAK,GAAG;AAAA,EAC3B,MAAM,EAAE,KAAK,IAAI,KAAK,GAAG;AAAA,EACzB,UAAU,EAAE,KAAK,IAAI,KAAK,IAAI;AAChC;AAKO,SAAS,cAAc,OAA2B;AACvD,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;AAKO,SAAS,iBAAiB,QAAqB,UAAgC;AACpF,SAAO,uBAAuB,MAAM,KAAK,uBAAuB,QAAQ;AAC1E;AAKO,SAAS,uBACd,YACA,aAA0C,0BAC7B;AACb,MAAI,cAAc,WAAW,KAAM,QAAO;AAC1C,MAAI,cAAc,WAAW,SAAU,QAAO;AAC9C,MAAI,cAAc,WAAW,WAAW,EAAG,QAAO;AAClD,SAAO;AACT;AAKO,SAAS,qBACd,UACA,YACA,aACA,kBACa;AACb,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,EACT;AAEA,MAAI,aAAa;AACf,WAAO;AAAA,EACT;AAEA,QAAM,aAAa;AAAA,IACjB,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AAEA,SAAO,uBAAuB,YAAY,UAAU;AACtD;AAkBO,SAAS,gBAAgB,aAA8C;AAC5E,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,IACF;AACE,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,WAAW;AAAA,QACX,UAAU;AAAA,QACV,mBAAmB;AAAA,MACrB;AAAA,EACJ;AACF;;;AC7JA,IAAM,iBAAyC;AAAA,EAC7C,YAAY;AAAA,EACZ,oBAAoB;AAAA,EACpB,eAAe;AAAA,EACf,sBAAsB;AAAA,EACtB,UAAU;AAAA;AAAA,EACV,OAAO;AACT;AAKA,IAAM,oBAAoB,oBAAI,IAA+D;AAK7F,SAAS,YAAY,aAAuC;AAC1D,SAAO,GAAG,YAAY,WAAW,EAAE,IAAI,YAAY,UAAU,EAAE,IAAI,YAAY,OAAO,EAAE;AAC1F;AAKA,SAAS,gBAAgB,aAA0D;AACjF,QAAM,MAAM,YAAY,WAAW;AACnC,QAAM,SAAS,kBAAkB,IAAI,GAAG;AAExC,MAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,WAAO,OAAO;AAAA,EAChB;AAEA,MAAI,QAAQ;AACV,sBAAkB,OAAO,GAAG;AAAA,EAC9B;AAEA,SAAO;AACT;AAKA,SAAS,YAAY,aAA+B,QAA4B,YAA0B;AACxG,QAAM,MAAM,YAAY,WAAW;AACnC,oBAAkB,IAAI,KAAK;AAAA,IACzB;AAAA,IACA,WAAW,KAAK,IAAI,IAAI,aAAa;AAAA,EACvC,CAAC;AACH;AAKO,SAAS,aAAmB;AACjC,oBAAkB,MAAM;AAC1B;AAKO,SAAS,mBACd,SACA,OACkB;AAClB,QAAM,cAAgC,CAAC;AAGvC,QAAM,gBAAgB,QAAQ,YAAY,KAAK,QAAQ,YAAY,KAAK,QAAQ,YAAY;AAC5F,MAAI,eAAe;AACjB,gBAAY,UAAU,MAAM,QAAQ,aAAa,IAAI,cAAc,CAAC,IAAI;AAAA,EAC1E;AAGA,QAAM,eAAe,QAAQ,WAAW,KAAK,QAAQ,WAAW,KAAK,QAAQ,WAAW;AACxF,MAAI,cAAc;AAChB,gBAAY,SAAS,MAAM,QAAQ,YAAY,IAAI,aAAa,CAAC,IAAI;AAAA,EACvE;AAGA,QAAM,aAAa,QAAQ,eAAe,KAAK,QAAQ,eAAe;AACtE,MAAI,YAAY;AACd,UAAM,YAAY,MAAM,QAAQ,UAAU,IAAI,WAAW,CAAC,IAAI;AAC9D,gBAAY,sBAAsB;AAElC,QAAI,UAAU,WAAW,SAAS,GAAG;AACnC,kBAAY,MAAM,UAAU,MAAM,CAAC;AAAA,IACrC;AAAA,EACF;AAGA,MAAI,OAAO;AACT,QAAI,MAAM,WAAW,CAAC,YAAY,SAAS;AACzC,kBAAY,UAAU,MAAM;AAAA,IAC9B;AACA,QAAI,MAAM,UAAU,CAAC,YAAY,QAAQ;AACvC,kBAAY,SAAS,MAAM;AAAA,IAC7B;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,eAAe,aAAwC;AACrE,SAAO,CAAC,EAAE,YAAY,WAAW,YAAY,UAAU,YAAY;AACrE;AAKA,SAAS,uBAAuB,QAAuB,QAAqC;AAC1F,QAAM,WAAyB;AAAA,IAC7B,SAAS;AAAA,IACT,iBAAiB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IACzD,kBAAkB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IAC1D,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IACV,aAAa;AAAA,IACb;AAAA,IACA,eAAe,SAAS,CAAC,MAAM,IAAI,CAAC,qCAAqC;AAAA,IACzE,YAAY,oBAAI,KAAK;AAAA,EACvB;AACF;AAKA,eAAe,oBACb,QACA,SAiDC;AACD,QAAM,EAAE,aAAa,GAAG,YAAY,IAAI;AAGxC,QAAM,OAAgC;AAAA,IACpC,SAAS,YAAY;AAAA,IACrB,SAAS,YAAY,WAAW;AAAA,EAClC;AAGA,MAAI,YAAY,OAAQ,MAAK,SAAS,YAAY;AAClD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,kBAAmB,MAAK,oBAAoB,YAAY;AACxE,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,kBAAkB,OAAW,MAAK,gBAAgB,YAAY;AAE9E,MAAI,YAAY,uBAAwB,MAAK,yBAAyB,YAAY;AAClF,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,gBAAiB,MAAK,kBAAkB,YAAY;AACpE,MAAI,YAAY,wBAAyB,MAAK,0BAA0B,YAAY;AAGpF,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAG,OAAO;AAAA,EACZ;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,WAAW,IAAI,OAAO;AAAA,EAChC;AAEA,MAAI,YAAY,qBAAqB;AACnC,YAAQ,eAAe,IAAI,YAAY;AAAA,EACzC;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,OAAO,UAAU,yBAAyB;AAAA,MACxE,QAAQ;AAAA,MACR;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,KAAK,WAAW,KAAK,SAAS,gBAAgB,SAAS,MAAM;AAAA,MACtE;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,qCAAqC,OAAO;AAAA,IACrD;AAAA,EACF;AACF;AAKA,eAAsB,OACpB,QACA,SAC6B;AAC7B,QAAM,eAAe,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAGpD,MAAI,CAAC,eAAe,QAAQ,WAAW,GAAG;AACxC,WAAO,uBAAuB,cAAc,+BAA+B;AAAA,EAC7E;AAGA,MAAI,aAAa,YAAY,aAAa,WAAW,GAAG;AACtD,UAAM,SAAS,gBAAgB,QAAQ,WAAW;AAClD,QAAI,QAAQ;AACV,UAAI,aAAa,OAAO;AACtB,gBAAQ,IAAI,+CAA+C;AAAA,MAC7D;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAGA,QAAM,kBAAkB,EAAE,GAAG,QAAQ;AACrC,MAAI,CAAC,gBAAgB,mBAAmB,aAAa,iBAAiB;AACpE,oBAAgB,kBAAkB,aAAa;AAAA,EACjD;AACA,MAAI,CAAC,gBAAgB,oBAAoB,aAAa,kBAAkB;AACtE,oBAAgB,mBAAmB,aAAa;AAAA,EAClD;AAGA,MAAI,aAAa,OAAO;AACtB,YAAQ,IAAI,iDAAiD;AAAA,EAC/D;AAEA,QAAM,cAAc,MAAM,oBAAoB,cAAc,eAAe;AAG3E,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,uBAAuB,cAAc,YAAY,KAAK;AAAA,EAC/D;AAGA,MAAI,CAAC,YAAY,QAAQ,SAAS;AAChC,UAAMC,UAAqC;AAAA,MACzC,UAAU;AAAA,MACV,aAAa;AAAA,MACb,eAAe,YAAY,QAAQ,SAAS,CAAC,YAAY,OAAO,MAAM,IAAI,CAAC,eAAe;AAAA,MAC1F,gBAAgB,YAAY,QAAQ;AAAA,MACpC,kBAAkB,YAAY,QAAQ;AAAA,MACtC,UAAU;AAAA,QACR,SAAS,YAAY,QAAQ,UAAU;AAAA,QACvC,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,MACA,YAAY,oBAAI,KAAK;AAAA;AAAA,MAErB,WAAY,YAAwC;AAAA,MACpD,gBAAiB,YAAwC;AAAA,MACzD,uBAAwB,YAAwC;AAAA,IAClE;AAEA,WAAOA;AAAA,EACT;AAGA,QAAM,QAAmC,YAAY,QACjD;AAAA,IACE,SAAS,YAAY,MAAM;AAAA,IAC3B,MAAM,YAAY,MAAM;AAAA,IACxB,YAAY,YAAY,MAAM;AAAA,IAC9B,YAAY,cAAc,YAAY,MAAM,UAAU;AAAA,IACtD,oBAAoB,YAAY,MAAM,qBAAqB;AAAA,IAC3D,QAAQ,YAAY,MAAM;AAAA,EAC5B,IACA;AAEJ,QAAM,YAA2C,YAAY,YACzD;AAAA,IACE,UAAU,YAAY,UAAU;AAAA,IAChC,MAAM,YAAY,UAAU;AAAA,IAC5B,YAAY,YAAY,UAAU,cAAc;AAAA,IAChD,UAAU,YAAY,UAAU;AAAA,EAClC,IACA;AAEJ,QAAM,eAAiD,YAAY,eAC/D;AAAA,IACE,MAAM,YAAY,aAAa;AAAA,IAC/B,UAAU,YAAY,aAAa;AAAA,IACnC,YAAY,YAAY,aAAa;AAAA,EACvC,IACA;AAEJ,QAAM,QAA+B,YAAY,QAAQ,QACrD;AAAA,IACE,gBAAgB,YAAY,OAAO,MAAM;AAAA,IACzC,gBAAgB,YAAY,OAAO,MAAM;AAAA,IACzC,cAAc,YAAY,OAAO,MAAM;AAAA,IACvC,cAAc,YAAY,OAAO,MAAM;AAAA,IACvC,0BAA0B,YAAY,OAAO,MAAM;AAAA,IACnD,eAAe,YAAY,OAAO;AAAA,EACpC,IACA;AAGJ,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,cAAc;AACpB,QAAM,cAA2B;AAAA,IAC/B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,UAAU,aAAa,iBAAiB;AAAA,MACxC,MAAM,aAAa,wBAAwB;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,SAAqC;AAAA,IACzC,UAAU;AAAA,IACV;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,YAAY,QAAQ;AAAA,IACpC,kBAAkB,YAAY,QAAQ;AAAA,IACtC,YAAY,oBAAI,KAAK;AAAA,IACrB,UAAU,aAAa;AAAA;AAAA,IAEvB,WAAY,YAAwC;AAAA,IACpD,kBAAmB,YAAwC;AAAA,IAC3D,eAAgB,YAAwC;AAAA,IACxD,gBAAiB,YAAwC;AAAA,IACzD,uBAAwB,YAAwC;AAAA,EAClE;AAGA,MAAI,OAAO,mBAAmB,QAAQ;AACpC,WAAO,WAAW;AAClB,WAAO,cAAc;AACrB,WAAO,gBAAgB,OAAO,yBAAyB,CAAC,2CAA2C;AACnG,QAAI,OAAO,kBAAkB;AAC3B,aAAO,WAAW;AAAA,QAChB,SAAS,wBAAwB,OAAO,iBAAiB,UAAU,0BAA0B;AAAA,QAC7F,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF,WAAW,OAAO,mBAAmB,oBAAoB;AACvD,WAAO,iBAAiB;AACxB,QAAI,uBAAuB,OAAO,WAAW,IAAI,uBAAuB,WAAW,GAAG;AACpF,aAAO,cAAc;AAAA,IACvB;AACA,WAAO,gBAAgB,OAAO,yBAAyB,CAAC,+BAA+B;AAAA,EACzF;AAGA,MAAI,aAAa,YAAY,aAAa,WAAW,KAAK,OAAO,mBAAmB,QAAQ;AAC1F,gBAAY,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAAA,EAChE;AAEA,SAAO;AACT;AAMA,eAAsB,eACpB,QACA,WACA,UACA,QACe;AACf,QAAM,UAAkC,EAAE,gBAAgB,mBAAmB;AAC7E,MAAI,OAAO,OAAQ,SAAQ,WAAW,IAAI,OAAO;AAEjD,QAAM,MAAM,GAAG,OAAO,UAAU,yBAAyB,SAAS,aAAa;AAAA,IAC7E,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,EAAE,UAAU,OAAO,CAAC;AAAA,EAC3C,CAAC,EAAE,MAAM,MAAM;AAAA,EAAwB,CAAC;AAC1C;AA+BA,eAAsB,YACpB,QACA,aAC2E;AAC3E,QAAM,SAAS,MAAM,OAAO,QAAQ;AAAA,IAClC;AAAA,IACA,SAAS;AAAA,EACX,CAAC;AAED,SAAO;AAAA,IACL,UAAU,OAAO;AAAA,IACjB,aAAa,OAAO;AAAA,IACpB,QAAQ,OAAO,gBAAgB,CAAC;AAAA,EAClC;AACF;;;AClgBA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACQA,IAAM,gBAAgB;AAKf,SAAS,eACd,SACA,aACwB;AACxB,QAAM,SAAS,EAAE,GAAG,QAAQ;AAE5B,SAAO,GAAG,aAAa,IAAI,IAAI,YAAY;AAE3C,MAAI,YAAY,WAAW;AACzB,WAAO,GAAG,aAAa,QAAQ,IAAI,YAAY;AAAA,EACjD;AAEA,MAAI,YAAY,cAAc;AAC5B,WAAO,GAAG,aAAa,WAAW,IAAI,YAAY;AAAA,EACpD;AAEA,MAAI,YAAY,OAAO,SAAS;AAC9B,UAAM,eAAe,YAAY,MAAM,QAAQ,SAC3C,GAAG,YAAY,MAAM,QAAQ,QAAQ,IAAI,YAAY,MAAM,QAAQ,MAAM,KACzE,YAAY,MAAM,QAAQ;AAC9B,WAAO,GAAG,aAAa,SAAS,IAAI;AAAA,EACtC;AAEA,MAAI,YAAY,OAAO,UAAU,oBAAoB;AACnD,WAAO,GAAG,aAAa,UAAU,IAAI,OAAO,YAAY,MAAM,SAAS,kBAAkB;AAAA,EAC3F;AAEA,MAAI,YAAY,OAAO,OAAO,cAAc;AAC1C,WAAO,GAAG,aAAa,OAAO,IAAI,YAAY,MAAM,MAAM;AAAA,EAC5D;AAEA,SAAO;AACT;AAKO,SAAS,uBACd,SAC6B;AAC7B,QAAM,WAAW,CAAC,QAAoC;AACpD,UAAM,IAAI,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC;AACnD,WAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI;AAAA,EACnC;AAEA,QAAM,UAAU,SAAS,GAAG,aAAa,IAAI,KAAK,SAAS,YAAY;AACvE,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,cAAoC,EAAE,QAAQ;AAEpD,QAAM,YAAY,SAAS,GAAG,aAAa,QAAQ,KAAK,SAAS,gBAAgB;AACjF,MAAI,UAAW,aAAY,YAAY;AAEvC,QAAM,eAAe,SAAS,GAAG,aAAa,WAAW,KAAK,SAAS,mBAAmB;AAC1F,MAAI,aAAc,aAAY,eAAe;AAE7C,QAAM,UAAU,SAAS,GAAG,aAAa,SAAS,KAAK,SAAS,iBAAiB;AACjF,MAAI,SAAS;AACX,UAAM,CAAC,UAAU,MAAM,IAAI,QAAQ,MAAM,GAAG;AAC5C,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,SAAS,EAAE,UAAU,OAAO;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,WAAW,SAAS,GAAG,aAAa,UAAU,KAAK,SAAS,kBAAkB;AACpF,MAAI,UAAU;AACZ,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,UAAU,EAAE,oBAAoB,SAAS,UAAU,EAAE,EAAE;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS,GAAG,aAAa,OAAO,KAAK,SAAS,eAAe;AAC3E,MAAI,OAAO;AACT,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,OAAO,EAAE,cAAc,MAAM;AAAA,IAC/B;AAAA,EACF;AAEA,SAAO;AACT;;;AD1CA,SAAS,0BAA0B,KAAgC;AACjE,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,IAAI;AAAA,EACN;AACF;AAMO,SAAS,4BAA4B,KAA2C;AACrF,SAAO,uBAAuB,IAAI,OAAwD;AAC5F;AAKA,SAAS,sBAAsB,KAAkC;AAE/D,QAAM,gBAAgB,IAAI,QAAQ,WAAW,KAAK,IAAI,QAAQ,WAAW;AACzE,MAAI,eAAe;AACjB,WAAO,MAAM,QAAQ,aAAa,IAAI,cAAc,CAAC,IAAI;AAAA,EAC3D;AAGA,MAAI,IAAI,MAAM,WAAW,OAAO,IAAI,MAAM,YAAY,UAAU;AAC9D,WAAO,IAAI,MAAM;AAAA,EACnB;AAGA,UAAQ,IAAI,QAAQ;AAAA,IAClB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAKA,SAAS,WAAW,SAAiB,MAAuB;AAE1D,QAAM,eAAe,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,OAAO,KAAK;AAEtE,QAAM,QAAQ,IAAI,OAAO,IAAI,YAAY,GAAG;AAC5C,SAAO,MAAM,KAAK,IAAI;AACxB;AAKA,SAAS,gBACP,QACA,MACA,QAC+B;AAC/B,SAAO,OAAO,KAAK,CAAC,UAAU;AAC5B,UAAM,gBACJ,MAAM,WAAW,OAAO,MAAM,OAAO,YAAY,MAAM,OAAO,YAAY;AAC5E,UAAM,cAAc,WAAW,MAAM,SAAS,IAAI;AAClD,WAAO,iBAAiB;AAAA,EAC1B,CAAC;AACH;AAKA,SAAS,gBAAgB,QAA4B,MAAe,KAAqB;AACvF,QAAM,aAAa,OAAO,WAAW,MAAM;AAE3C,MAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC1B,SAAS;AAAA,IACT,OAAO;AAAA,MACL,MAAM,OAAO,WAAW,wBAAwB;AAAA,MAChD,SAAS,OAAO,gBAAgB,CAAC,KAAK;AAAA,MACtC,aAAa,OAAO;AAAA,MACpB,UAAU,OAAO;AAAA,IACnB;AAAA,EACF,CAAC;AACH;AAKO,SAAS,iBAAiB,SAAmD;AAClF,QAAM;AAAA,IACJ,SAAS,CAAC;AAAA,IACV,oBAAoB;AAAA,IACpB,gBAAgB;AAAA,IAChB,YAAY,CAAC;AAAA,IACb,WAAW;AAAA,IACX;AAAA,IACA,GAAG;AAAA,EACL,IAAI;AAEJ,SAAO,OAAO,KAAc,KAAe,SAAsC;AAC/E,QAAI;AAEF,YAAM,aAAa,UAAU,KAAK,CAAC,YAAY,WAAW,SAAS,IAAI,IAAI,CAAC;AAC5E,UAAI,YAAY;AACd,eAAO,KAAK;AAAA,MACd;AAGA,YAAM,cAAc,gBAAgB,QAAQ,IAAI,MAAM,IAAI,MAAM;AAGhE,UAAI,CAAC,aAAa;AAChB,eAAO,KAAK;AAAA,MACd;AAGA,UAAI,YAAY,mBAAmB,QAAQ;AACzC,eAAO,KAAK;AAAA,MACd;AAGA,YAAM,cAAc,2BAChB,yBAAyB,GAAG,IAC5B,0BAA0B,GAAG;AAGjC,UAAI,CAAC,eAAe,WAAW,KAAK,YAAY,mBAAmB,YAAY;AAC7E,cAAMC,UAA6B;AAAA,UACjC,UAAU;AAAA,UACV,aAAa;AAAA,UACb,eAAe,CAAC,+BAA+B;AAAA,UAC/C,UAAU;AAAA,YACR,SAAS;AAAA,YACT,iBAAiB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,YAC1D,kBAAkB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,UAC7D;AAAA,UACA,YAAY,oBAAI,KAAK;AAAA,QACvB;AAEA,YAAI,oBAAoBA;AACxB,iBAASA,SAAQ,KAAK,GAAG;AACzB;AAAA,MACF;AAGA,YAAM,UAAU,uBAAuB,qBAAqB,GAAG,IAAI,sBAAsB,GAAG;AAI5F,YAAM,kBAAkB,OAAO,mBAAmB,GAAG,IAAI,QAAQ,MAAM,IAAI,IAAI,MAAM,CAAC;AAGtF,YAAM,wBAAwB,oBAAoB;AAClD,YAAM,SAAS,MAAM,OAAO,QAAQ;AAAA,QAClC;AAAA,QACA;AAAA,QACA,QAAQ,IAAI,OAAO,YAAY;AAAA,QAC/B,UAAU,IAAI;AAAA,QACd,UAAU,IAAI;AAAA,QACd,WAAW,IAAI,QAAQ,YAAY;AAAA,QACnC,eAAe;AAAA,QACf;AAAA,QACA,kBAAkB,OAAO,oBAAoB;AAAA,MAC/C,CAAC;AAGD,UAAI,oBAAoB;AACxB,YAAM,YAAa,OAAsC;AAGzD,UAAI,CAAC,iBAAiB,OAAO,aAAa,YAAY,cAAc,GAAG;AACrE,YAAI,yBAAyB,WAAW;AACtC,yBAAe,QAAQ,WAAW,UAAU,OAAO,gBAAgB,CAAC,CAAC,EAAE,MAAM,MAAM;AAAA,UAAC,CAAC;AAAA,QACvF;AACA,iBAAS,QAAQ,KAAK,GAAG;AACzB;AAAA,MACF;AAGA,UAAI,YAAY,iBAAiB,OAAO,OAAO;AAC7C,YAAI,OAAO,MAAM,aAAa,YAAY,eAAe;AACvD,iBAAO,gBAAgB;AAAA,YACrB,eAAe,OAAO,MAAM,UAAU,sBAAsB,YAAY,aAAa;AAAA,UACvF;AACA,cAAI,yBAAyB,WAAW;AACtC,2BAAe,QAAQ,WAAW,UAAU,OAAO,cAAc,CAAC,CAAC,EAAE,MAAM,MAAM;AAAA,YAAC,CAAC;AAAA,UACrF;AACA,mBAAS,QAAQ,KAAK,GAAG;AACzB;AAAA,QACF;AAAA,MACF;AAGA,UAAI,yBAAyB,WAAW;AACtC,uBAAe,QAAQ,WAAW,SAAS,EAAE,MAAM,MAAM;AAAA,QAAC,CAAC;AAAA,MAC7D;AACA,WAAK;AAAA,IACP,SAAS,OAAO;AAEd,cAAQ,MAAM,2CAA2C,KAAK;AAC9D,WAAK;AAAA,IACP;AAAA,EACF;AACF;AAKO,SAAS,cACd,gBACA,SACgB;AAChB,SAAO,iBAAiB;AAAA,IACtB,GAAG;AAAA,IACH,QAAQ,CAAC,EAAE,SAAS,KAAK,QAAQ,KAAK,eAAe,CAAC;AAAA,EACxD,CAAC;AACH;AAKO,SAAS,WACd,SACgB;AAChB,SAAO,iBAAiB;AAAA,IACtB,GAAG;AAAA,IACH,QAAQ,CAAC,EAAE,SAAS,KAAK,QAAQ,KAAK,gBAAgB,OAAO,CAAC;AAAA,EAChE,CAAC;AACH;;;AE9RA;AAAA;AAAA;AAAA,0BAAAC;AAAA;AAwCA,SAAS,kCAAkC,SAAwC;AACjF,QAAM,cAAgC,CAAC;AAGvC,QAAM,UAAU,QAAQ,QAAQ,IAAI,YAAY,KAAK,QAAQ,QAAQ,IAAI,YAAY;AACrF,MAAI,SAAS;AACX,gBAAY,UAAU;AAAA,EACxB;AAGA,QAAM,SAAS,QAAQ,QAAQ,IAAI,WAAW,KAAK,QAAQ,QAAQ,IAAI,WAAW;AAClF,MAAI,QAAQ;AACV,gBAAY,SAAS;AAAA,EACvB;AAGA,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY;AACd,gBAAY,sBAAsB;AAClC,QAAI,WAAW,WAAW,SAAS,GAAG;AACpC,kBAAY,MAAM,WAAW,MAAM,CAAC;AAAA,IACtC;AAAA,EACF;AAGA,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,QAAM,eAAe,IAAI,aAAa,IAAI,SAAS;AACnD,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AAEjD,MAAI,gBAAgB,CAAC,YAAY,SAAS;AACxC,gBAAY,UAAU;AAAA,EACxB;AACA,MAAI,eAAe,CAAC,YAAY,QAAQ;AACtC,gBAAY,SAAS;AAAA,EACvB;AAEA,SAAO;AACT;AAKA,SAASC,YAAW,SAAiB,MAAuB;AAC1D,QAAM,eAAe,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,OAAO,KAAK;AAEtE,QAAM,QAAQ,IAAI,OAAO,IAAI,YAAY,GAAG;AAC5C,SAAO,MAAM,KAAK,IAAI;AACxB;AAKA,SAASC,iBACP,QACA,MACA,QAC+B;AAC/B,SAAO,OAAO,KAAK,CAAC,UAAU;AAC5B,UAAM,gBACJ,MAAM,WAAW,OAAO,MAAM,OAAO,YAAY,MAAM,OAAO,YAAY;AAC5E,UAAM,cAAcD,YAAW,MAAM,SAAS,IAAI;AAClD,WAAO,iBAAiB;AAAA,EAC1B,CAAC;AACH;AAKA,SAAS,aAAa,QAAwB;AAC5C,UAAQ,OAAO,YAAY,GAAG;AAAA,IAC5B,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAKA,SAAS,2BACP,QACA,SACQ;AACR,QAAM,QAAQ,QAAQ,gBAAgB,SAAS;AAC/C,QAAM,UACJ,QAAQ,gBAAgB,WACxB,OAAO,UAAU,WACjB;AACF,QAAM,kBAAkB,OAAO,UAAU,mBAAmB;AAC5D,QAAM,UAAU,OAAO,UAAU,oBAAoB;AACrD,QAAM,aAAa,QAAQ,gBAAgB,oBAAoB;AAE/D,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,WAME,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,+BA4Ge,KAAK;AAAA,gCACJ,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,mCAKJ,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,iBAQjC,eAAe;AAAA,QACxB,aAAa,8GAA8G,EAAE;AAAA;AAAA;AAAA;AAAA,6BAIxG,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,IAKhC,KAAK;AACT;AAKO,SAASE,kBAAiB,SAAkC;AACjE,QAAM,EAAE,SAAS,CAAC,GAAG,YAAY,CAAC,GAAG,qBAAqB,MAAM,GAAG,OAAO,IAAI;AAE9E,SAAO,eAAe,WAAW,SAAsB;AAErD,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,aAAa;AAEnD,UAAM,WAAW,QAAQ,QAAQ;AAGjC,UAAM,aAAa,UAAU,KAAK,CAAC,YAAYF,YAAW,SAAS,QAAQ,CAAC;AAC5E,QAAI,YAAY;AACd,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,cAAcC,iBAAgB,QAAQ,UAAU,QAAQ,MAAM;AAGpE,QAAI,CAAC,aAAa;AAChB,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,QAAI,YAAY,mBAAmB,QAAQ;AACzC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,cAAc,kCAAkC,OAAO;AAG7D,QAAI,CAAC,eAAe,WAAW,KAAK,YAAY,mBAAmB,YAAY;AAC7E,YAAME,UAA6B;AAAA,QACjC,UAAU;AAAA,QACV,aAAa;AAAA,QACb,eAAe,CAAC,+BAA+B;AAAA,QAC/C,UAAU;AAAA,UACR,SAAS;AAAA,UACT,iBAAiB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,UAC1D,kBAAkB,GAAG,OAAO,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAC7D;AAAA,QACA,YAAY,oBAAI,KAAK;AAAA,MACvB;AAGA,UAAI,SAAS,WAAW,OAAO,GAAG;AAChC,eAAO,aAAa;AAAA,UAClB;AAAA,YACE,SAAS;AAAA,YACT,OAAO;AAAA,cACL,MAAM;AAAA,cACN,SAAS;AAAA,cACT,UAAUA,QAAO;AAAA,YACnB;AAAA,UACF;AAAA,UACA,EAAE,QAAQ,IAAI;AAAA,QAChB;AAAA,MACF;AAGA,UAAI,oBAAoB;AACtB,eAAO,IAAI,aAAa,2BAA2BA,SAAQ,OAAO,GAAG;AAAA,UACnE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,4BAA4B;AAAA,UAC9B;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,cAAcA,QAAO,UAAU,mBAAmB;AACxD,aAAO,aAAa,SAAS,IAAI,IAAI,aAAa,QAAQ,GAAG,CAAC;AAAA,IAChE;AAIA,UAAM,kBAAkB,OAAO,mBAAmB,QAAQ,QAAQ;AAGlE,UAAM,UAAU,QAAQ,QAAQ,IAAI,WAAW,KAAK,aAAa,QAAQ,MAAM;AAC/E,UAAM,SAAS,MAAM,OAAO,QAAQ;AAAA,MAClC;AAAA,MACA;AAAA,MACA,QAAQ,QAAQ,OAAO,YAAY;AAAA,MACnC,UAAU;AAAA,MACV,UAAU,QAAQ,QAAQ,IAAI,iBAAiB,GAAG,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,KAAK;AAAA,MAC3E,WAAW,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAAA,MAChD;AAAA,MACA,kBAAkB,OAAO,oBAAoB;AAAA,IAC/C,CAAC;AAGD,QAAI,CAAC,iBAAiB,OAAO,aAAa,YAAY,cAAc,GAAG;AAErE,UAAI,SAAS,WAAW,OAAO,GAAG;AAChC,eAAO,aAAa;AAAA,UAClB;AAAA,YACE,SAAS;AAAA,YACT,OAAO;AAAA,cACL,MAAM,OAAO,WAAW,wBAAwB;AAAA,cAChD,SAAS,OAAO,gBAAgB,CAAC,KAAK;AAAA,cACtC,aAAa,OAAO;AAAA,cACpB,UAAU,YAAY;AAAA,cACtB,UAAU,OAAO;AAAA,YACnB;AAAA,UACF;AAAA,UACA,EAAE,QAAQ,OAAO,WAAW,MAAM,IAAI;AAAA,QACxC;AAAA,MACF;AAGA,UAAI,oBAAoB;AACtB,eAAO,IAAI,aAAa,2BAA2B,QAAQ,OAAO,GAAG;AAAA,UACnE,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,4BAA4B;AAAA,UAC9B;AAAA,QACF,CAAC;AAAA,MACH;AAGA,aAAO,aAAa,SAAS,IAAI,IAAI,iBAAiB,QAAQ,GAAG,CAAC;AAAA,IACpE;AAGA,UAAM,WAAW,aAAa,KAAK;AAGnC,aAAS,QAAQ,IAAI,wBAAwB,OAAO,SAAS,SAAS,CAAC;AACvE,aAAS,QAAQ,IAAI,4BAA4B,OAAO,WAAW;AAEnE,QAAI,OAAO,OAAO;AAChB,eAAS,QAAQ,IAAI,wBAAwB,OAAO,MAAM,OAAO;AACjE,eAAS,QAAQ,IAAI,2BAA2B,OAAO,MAAM,WAAW,SAAS,CAAC;AAAA,IACpF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,SAAS,oBAAoB,OAAwC;AAC1E,SAAO,EAAE,SAAS,MAAM;AAC1B;;;AChbA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAyCO,IAAM,4BAAN,MAAgC;AAAA,EAKrC,YAAY,SAAqB;AAC/B,SAAK,SAAS;AAAA,MACZ,YAAY,QAAQ;AAAA,MACpB,QAAQ,QAAQ;AAAA,MAChB,oBAAoB,QAAQ;AAAA,MAC5B,eAAe,QAAQ;AAAA,MACvB,sBAAsB,QAAQ;AAAA,MAC9B,UAAU,QAAQ;AAAA,MAClB,OAAO,QAAQ;AAAA,MACf,eAAe,QAAQ;AAAA,MACvB,iBAAiB,QAAQ;AAAA,MACzB,kBAAkB,QAAQ;AAAA,IAC5B;AAEA,SAAK,UAAU,QAAQ,WAAW;AAClC,SAAK,cAAc,QAAQ,SAAS,EAAE,YAAY,GAAG,WAAW,IAAK;AAAA,EACvE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,SAgBmB;AAC9B,UAAM,cAAgC;AAAA,MACpC,SAAS,QAAQ;AAAA,MACjB,QAAQ,QAAQ;AAAA,MAChB,KAAK,QAAQ;AAAA,IACf;AAEA,WAAO,KAAK;AAAA,MAAiB,MAC3B,OAAW,KAAK,QAAQ;AAAA,QACtB;AAAA,QACA,SAAS,QAAQ;AAAA,QACjB,QAAQ,QAAQ;AAAA,QAChB,cAAc,QAAQ;AAAA,QACtB,UAAU,QAAQ;AAAA,QAClB,cAAc,QAAQ;AAAA,QACtB,kBAAkB,QAAQ;AAAA,QAC1B,UAAU,QAAQ;AAAA,QAClB,mBAAmB,QAAQ;AAAA,QAC3B,eAAe,QAAQ;AAAA,QACvB,eAAe,QAAQ;AAAA,QACvB,iBAAiB,QAAQ;AAAA,QACzB,kBAAkB,QAAQ;AAAA,MAC5B,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,aAI4D;AAC5E,WAAO,KAAK,iBAAiB,MAAM,YAAgB,KAAK,QAAQ,WAAW,CAAC;AAAA,EAC9E;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UACJ,aACA,eACkB;AAClB,UAAM,SAAS,MAAM,KAAK,YAAY,WAAW;AACjD,WAAO,iBAAiB,OAAO,aAAa,aAAa;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,aAIU;AAC9B,UAAM,SAAS,MAAM,KAAK,YAAY,WAAW;AACjD,WAAO,gBAAgB,OAAO,WAAW;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,SACA,SAI6B;AAC7B,WAAO,KAAK,OAAO;AAAA,MACjB;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,QAAQ,SAAS;AAAA,IACnB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aACJ,QACA,SAI6B;AAC7B,WAAO,KAAK,OAAO;AAAA,MACjB;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,QAAQ,SAAS;AAAA,IACnB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,eAAW;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAoB,IAAkC;AAClE,QAAI,YAA0B;AAE9B,aAAS,UAAU,GAAG,WAAW,KAAK,YAAY,YAAY,WAAW;AACvE,UAAI;AAEF,cAAM,SAAS,MAAM,QAAQ,KAAK;AAAA,UAChC,GAAG;AAAA,UACH,IAAI;AAAA,YAAe,CAAC,GAAG,WACrB,WAAW,MAAM,OAAO,IAAI,MAAM,iBAAiB,CAAC,GAAG,KAAK,OAAO;AAAA,UACrE;AAAA,QACF,CAAC;AAED,eAAO;AAAA,MACT,SAAS,OAAO;AACd,oBAAY,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAGpE,YAAI,UAAU,KAAK,YAAY,YAAY;AAEzC,gBAAM,UAAU,KAAK,YAAY,YAAY,KAAK,IAAI,GAAG,OAAO;AAChE,gBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,OAAO,CAAC;AAAA,QAC7D;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,mCAAmC;AAAA,EAClE;AACF;AAKO,SAAS,aAAa,SAAgD;AAC3E,SAAO,IAAI,0BAA0B,OAAO;AAC9C;AAKA,eAAsB,WACpB,SAO6B;AAC7B,QAAM,SAAS,aAAa,OAAO;AACnC,SAAO,OAAO,OAAO,OAAO;AAC9B;;;AC9OA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACyBO,SAAS,eACd,MACA,aACS;AACT,QAAM,YAA+B;AAAA,IACnC,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,UAAU;AAAA,MACR,GAAG,KAAK;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,MAA4C;AAChF,QAAM,OAAO,KAAK,UAAU;AAC5B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AC7CO,SAAS,WACd,QACA,aACW;AACX,QAAM,YAA2B;AAAA,IAC/B,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO;AAAA,MACL,GAAG,OAAO;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,QAAgD;AACpF,QAAM,OAAO,OAAO,OAAO;AAC3B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AFnDO,SAAS,eAAe,SAAqD;AAElF,MAAI,QAAQ,YAAY,OAAO,QAAQ,aAAa,UAAU;AAC5D,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,SAAS,OAAO,QAAQ,UAAU,UAAU;AACtD,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAKO,SAAS,iBACd,UACA,QACA,aACyB;AACzB,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,eAAe,QAAkC,WAAW;AAAA,IACrE,KAAK;AACH,aAAO,eAAe,QAAQ,WAAW;AAAA,IAC3C,KAAK;AACH,aAAO,WAAW,QAAQ,WAAW;AAAA,IACvC;AACE,aAAO;AAAA,EACX;AACF;AAKO,SAAS,+BACd,UACA,SAC6B;AAC7B,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,uBAAuB,OAAwD;AAAA,IACxF,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC;AACE,aAAO;AAAA,EACX;AACF;;;AGvEA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAC;AAAA;;;ACyBO,IAAM,cAAN,MAAkB;AAAA,EAGvB,YAAY,QAA2B;AACrC,SAAK,cAAc;AAAA,MACjB,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO,aAAa;AAAA,MAC/B,cAAc,OAAO;AAAA,MACrB,OAAO,OAAO;AAAA,IAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,KAAa,SAA2C;AAClE,UAAM,EAAE,SAAS,QAAQ,GAAG,aAAa,IAAI,WAAW,CAAC;AAGzD,UAAM,QAA8B,EAAE,GAAG,KAAK,YAAY;AAC1D,QAAI,SAAS;AACX,YAAM,QAAQ;AAAA,QACZ,GAAG,MAAM;AAAA,QACT,SAAS,EAAE,UAAU,SAAS,OAAO;AAAA,MACvC;AAAA,IACF;AAGA,UAAM,kBAA0C,CAAC;AACjD,QAAI,aAAa,SAAS;AACxB,UAAI,aAAa,mBAAmB,SAAS;AAC3C,qBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC3C,0BAAgB,GAAG,IAAI;AAAA,QACzB,CAAC;AAAA,MACH,WAAW,MAAM,QAAQ,aAAa,OAAO,GAAG;AAC9C,mBAAW,CAAC,KAAK,KAAK,KAAK,aAAa,SAAS;AAC/C,0BAAgB,GAAG,IAAI;AAAA,QACzB;AAAA,MACF,OAAO;AACL,eAAO,OAAO,iBAAiB,aAAa,OAAO;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,kBAAkB,eAAe,iBAAiB,KAAK;AAE7D,WAAO,MAAM,KAAK;AAAA,MAChB,GAAG;AAAA,MACH,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,mBACE,MACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,eAAe,MAAM,KAAK;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKA,eACE,QACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,WAAW,QAAQ,KAAK;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,iBACE,UACA,QACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,iBAAiB,UAAU,QAAQ,KAAK;AAAA,EACjD;AAAA,EAEQ,iBAAiB,WAAyE;AAChG,QAAI,CAAC,WAAW,QAAS,QAAO,KAAK;AAErC,WAAO;AAAA,MACL,GAAG,KAAK;AAAA,MACR,OAAO;AAAA,QACL,GAAG,KAAK,YAAY;AAAA,QACpB,SAAS,EAAE,UAAU,UAAU,SAAS,QAAQ,UAAU,OAAO;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AACF;;;ACxFO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,QAAgC;AAF5C,SAAQ,wBAAqC,oBAAI,IAAI;AAGnD,SAAK,UAAU,OAAO;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,gBAA8B;AAC5C,SAAK,sBAAsB,IAAI,cAAc;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,gBAA8B;AAC1C,SAAK,sBAAsB,OAAO,cAAc;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,iBAA2B;AACzB,WAAO,CAAC,GAAG,KAAK,qBAAqB;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAA4H;AAC1H,WAAO,CAAC,KAAK,QAAQ;AACnB,YAAM,SAAS,KAAK,gBAAgB,IAAI,IAAI;AAC5C,UAAI,OAAO,OAAO,MAAM,EAAE,KAAK,OAAO,IAAI;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAgB,MAAkC;AAEhD,QAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa;AAAA,UACb,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,UACpC,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU;AAEhB,QAAI,CAAC,QAAQ,eAAe,CAAC,QAAQ,YAAY,CAAC,QAAQ,WAAW;AACnE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa,QAAQ,eAAe;AAAA,UACpC,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,UACpC,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,MAAM,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa,QAAQ;AAAA,UACrB,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,aAAa,IAAI,YAAY;AAAA,UAC7B,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ,aAAa,QAAQ;AAAA,QACrB,cAAc;AAAA,QACd,uBAAuB,KAAK,eAAe;AAAA,QAC3C,aAAa,IAAI,YAAY;AAAA,MAC/B;AAAA,IACF;AAAA,EACF;AACF;;;ACnFO,SAAS,wBAAwB,OAAoC;AAC1E,QAAM,YAA4B,CAAC;AAGnC,MAAI,MAAM,SAAS,YAAY,QAAQ;AACrC,cAAU,UAAU;AAAA,MAClB,UAAU,MAAM,QAAQ,WAAW,CAAC;AAAA,MACpC,QAAQ,MAAM,QAAQ,iBAAiB,CAAC;AAAA,IAC1C;AAAA,EACF;AAGA,MAAI,MAAM,UAAU;AAClB,UAAM,aAAuB,CAAC;AAC9B,QAAI,MAAM,SAAS,mBAAoB,YAAW,KAAK,MAAM,SAAS,kBAAkB;AACxF,QAAI,MAAM,SAAS,IAAK,YAAW,KAAK,MAAM,SAAS,GAAG;AAC1D,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,WAAW,EAAE,oBAAoB,KAAK,IAAI,GAAG,UAAU,EAAE;AAAA,IACrE;AAAA,EACF;AAGA,MAAI,MAAM,OAAO,eAAe,QAAQ;AACtC,cAAU,QAAQ,EAAE,cAAc,MAAM,MAAM,cAAc,CAAC,EAAE;AAAA,EACjE;AAEA,SAAO;AACT;AAMO,SAAS,wBAAwB,WAAwC;AAC9E,QAAM,QAAqB,CAAC;AAE5B,MAAI,UAAU,SAAS;AACrB,UAAM,UAAU;AAAA,MACd,YAAY,CAAC,UAAU,QAAQ,QAAQ;AAAA,MACvC,gBAAgB,UAAU,QAAQ,SAAS,CAAC,UAAU,QAAQ,MAAM,IAAI;AAAA,IAC1E;AAAA,EACF;AAEA,MAAI,UAAU,UAAU;AACtB,UAAM,WAAW;AAAA,MACf,oBAAoB,UAAU,SAAS;AAAA,IACzC;AAAA,EACF;AAEA,MAAI,UAAU,OAAO;AACnB,UAAM,QAAQ;AAAA,MACZ,eAAe,UAAU,MAAM,eAAe,CAAC,UAAU,MAAM,YAAY,IAAI;AAAA,IACjF;AAAA,EACF;AAEA,SAAO;AACT;;;ACjFA,eAAsBC,gBACpB,QACA,QAC+B;AAC/B,QAAM,EAAE,WAAW,GAAG,KAAK,IAAI;AAC/B,QAAM,UAAU,OAAO,WAAW,QAAQ,OAAO,EAAE;AACnD,QAAM,MAAM,GAAG,OAAO,yBAAyB,mBAAmB,SAAS,CAAC;AAE5E,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,EAClB;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,eAAe,IAAI,UAAU,OAAO,MAAM;AAAA,EACpD;AAEA,MAAI,OAAO,eAAe;AACxB,WAAO,OAAO,SAAS,OAAO,aAAa;AAAA,EAC7C;AAEA,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,eAAe;AACnE,UAAM,IAAI;AAAA,MACR,yCAAyC,SAAS,KAAK,SAAS,MAAM,IAAI,SAAS;AAAA,IACrF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,SAAS,KAAK;AAEnC,SAAO;AAAA,IACL,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB,OAAO;AAAA,EAC3B;AACF;;;AdgBO,IAAM,UAAU;","names":["recordDecision","result","result","createMiddleware","matchRoute","findRouteConfig","createMiddleware","result","recordDecision","recordDecision"]}