npm - @astrasyncai/verification-gateway - Versions diffs - 2.4.11 → 2.4.14 - Mend

@astrasyncai/verification-gateway 2.4.11 → 2.4.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/dist/adapter-interface/interface.d.mts +2 -2
package/dist/adapter-interface/interface.d.ts +2 -2
package/dist/adapters/express.d.mts +2 -2
package/dist/adapters/express.d.ts +2 -2
package/dist/adapters/express.js +129 -36
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +129 -36
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/mcp.d.mts +26 -4
package/dist/adapters/mcp.d.ts +26 -4
package/dist/adapters/mcp.js +94 -28
package/dist/adapters/mcp.js.map +1 -1
package/dist/adapters/mcp.mjs +94 -28
package/dist/adapters/mcp.mjs.map +1 -1
package/dist/adapters/nextjs.d.mts +2 -2
package/dist/adapters/nextjs.d.ts +2 -2
package/dist/adapters/nextjs.js +75 -29
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +75 -29
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.d.mts +2 -2
package/dist/adapters/sdk.d.ts +2 -2
package/dist/adapters/sdk.js +45 -22
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +45 -22
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/agent/index.d.mts +2 -2
package/dist/agent/index.d.ts +2 -2
package/dist/agent/index.js +29 -0
package/dist/agent/index.js.map +1 -1
package/dist/agent/index.mjs +29 -0
package/dist/agent/index.mjs.map +1 -1
package/dist/browser/background.js +86 -24
package/dist/browser/background.js.map +1 -1
package/dist/browser/background.mjs +86 -24
package/dist/browser/background.mjs.map +1 -1
package/dist/browser/browser-adapter.d.mts +2 -2
package/dist/browser/browser-adapter.d.ts +2 -2
package/dist/cli/index.d.mts +2 -2
package/dist/cli/index.d.ts +2 -2
package/dist/cursor/cursor-adapter.d.mts +2 -2
package/dist/cursor/cursor-adapter.d.ts +2 -2
package/dist/cursor/extension.d.mts +2 -2
package/dist/cursor/extension.d.ts +2 -2
package/dist/cursor/extension.js +86 -24
package/dist/cursor/extension.js.map +1 -1
package/dist/cursor/extension.mjs +86 -24
package/dist/cursor/extension.mjs.map +1 -1
package/dist/{express-C1ePFB7n.d.ts → express-CrfwoNAR.d.ts} +1 -1
package/dist/{express-4WStX3PV.d.mts → express-ienhAXps.d.mts} +1 -1
package/dist/gateway/gateway.d.mts +2 -2
package/dist/gateway/gateway.d.ts +2 -2
package/dist/gateway/gateway.js +86 -24
package/dist/gateway/gateway.js.map +1 -1
package/dist/gateway/gateway.mjs +86 -24
package/dist/gateway/gateway.mjs.map +1 -1
package/dist/git-trigger/git-hooks.d.mts +2 -2
package/dist/git-trigger/git-hooks.d.ts +2 -2
package/dist/{index-ChPX4WHl.d.mts → index-B5e2IDWU.d.mts} +1 -1
package/dist/{index-CzJMCgEy.d.ts → index-CCdZxvAr.d.ts} +71 -6
package/dist/{index-D8IEntil.d.mts → index-CEg_WG6y.d.mts} +71 -6
package/dist/{index-Cjm-zBeZ.d.ts → index-DC5f8eoQ.d.ts} +1 -1
package/dist/index.d.mts +7 -7
package/dist/index.d.ts +7 -7
package/dist/index.js +344 -73
package/dist/index.js.map +1 -1
package/dist/index.mjs +344 -73
package/dist/index.mjs.map +1 -1
package/dist/local-evaluator/evaluator.d.mts +2 -2
package/dist/local-evaluator/evaluator.d.ts +2 -2
package/dist/local-evaluator/evaluator.js +12 -2
package/dist/local-evaluator/evaluator.js.map +1 -1
package/dist/local-evaluator/evaluator.mjs +12 -2
package/dist/local-evaluator/evaluator.mjs.map +1 -1
package/dist/{nextjs-BIORS__0.d.ts → nextjs-66R1KW8e.d.ts} +1 -1
package/dist/{nextjs-CjzHdaXA.d.mts → nextjs-DSpisQst.d.mts} +1 -1
package/dist/{sdk-Chhz-FcT.d.mts → sdk-5U_CBRpr.d.mts} +1 -1
package/dist/{sdk-CqTEQAc6.d.ts → sdk-Bm8np66n.d.ts} +1 -1
package/dist/transport/index.d.mts +2 -2
package/dist/transport/index.d.ts +2 -2
package/dist/transport/index.js +146 -28
package/dist/transport/index.js.map +1 -1
package/dist/transport/index.mjs +146 -28
package/dist/transport/index.mjs.map +1 -1
package/dist/{types-L15pYd2c.d.mts → types-B3USs-Kx.d.mts} +42 -1
package/dist/{types-L15pYd2c.d.ts → types-B3USs-Kx.d.ts} +42 -1
package/dist/{types-DNK2BgIf.d.mts → types-CgDCUfo8.d.mts} +1 -1
package/dist/{types-DoWIuzfj.d.ts → types-R5N4ET6x.d.ts} +1 -1
package/dist/ui/index.d.mts +1 -1
package/dist/ui/index.d.ts +1 -1
package/package.json +1 -1

package/dist/transport/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/transport/http.ts","../../src/transport/a2a.ts","../../src/transport/mcp.ts","../../src/transport/purpose-mapping.ts","../../src/transport/transaction-value.ts","../../src/transport/rfc9421.ts","../../src/transport/rfc9421-verify.ts","../../src/transport/ucp.ts","../../src/transport/acp.ts","../../src/transport/vi.ts","../../src/transport/stripe-webhook.ts","../../src/transport/constraint-eval.ts","../../src/transport/identity-binding.ts","../../src/transport/ap2.ts","../../src/transport/ap2-verify.ts","../../src/transport/acp-verify.ts","../../src/transport/mpp.ts","../../src/transport/mpp-verify.ts","../../src/transport/x402.ts","../../src/transport/vi-verify.ts","../../src/transport/commerce-pipeline.ts","../../src/transport/extractor-registry.ts","../../src/transport/registry/visa.ts","../../src/transport/registry/mastercard.ts","../../src/transport/registry/web-bot-auth.ts","../../src/transport/index.ts"],"sourcesContent":["/*\n HTTP Transport Adapter\n \n Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\nconst HEADER_PREFIX = 'X-Astra-';\n\n/\n Inject AstraSync credentials into HTTP headers.\n /\nexport function setHttpHeaders(\n headers: Record<string, string>,\n credentials: AstraSyncCredentials,\n): Record<string, string> {\n const result = { ...headers };\n\n result[`${HEADER_PREFIX}ID`] = credentials.agentId;\n\n if (credentials.verifyUrl) {\n result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;\n }\n\n if (credentials.challengeUrl) {\n result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;\n }\n\n if (credentials.pdlss?.purpose) {\n const purposeValue = credentials.pdlss.purpose.action\n ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}`\n : credentials.pdlss.purpose.category;\n result[`${HEADER_PREFIX}Purpose`] = purposeValue;\n }\n\n if (credentials.pdlss?.duration?.maxSessionDuration) {\n result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);\n }\n\n if (credentials.pdlss?.scope?.jurisdiction) {\n result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;\n }\n\n return result;\n}\n\n/\n Extract AstraSync credentials from HTTP headers.\n /\nexport function extractHttpCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n): AstraSyncCredentials \| null {\n const getValue = (key: string): string \| undefined => {\n const v = headers[key] ?? headers[key.toLowerCase()];\n return Array.isArray(v) ? v[0] : v;\n };\n\n const agentId = getValue(`${HEADER_PREFIX}ID`) ?? getValue('x-astra-id');\n if (!agentId) return null;\n\n const credentials: AstraSyncCredentials = { agentId };\n\n const verifyUrl = getValue(`${HEADER_PREFIX}Verify`) ?? getValue('x-astra-verify');\n if (verifyUrl) credentials.verifyUrl = verifyUrl;\n\n const challengeUrl = getValue(`${HEADER_PREFIX}Challenge`) ?? getValue('x-astra-challenge');\n if (challengeUrl) credentials.challengeUrl = challengeUrl;\n\n const purpose = getValue(`${HEADER_PREFIX}Purpose`) ?? getValue('x-astra-purpose');\n if (purpose) {\n const [category, action] = purpose.split(':');\n credentials.pdlss = {\n ...credentials.pdlss,\n purpose: { category, action },\n };\n }\n\n const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue('x-astra-duration');\n if (duration) {\n credentials.pdlss = {\n ...credentials.pdlss,\n duration: { maxSessionDuration: parseInt(duration, 10) },\n };\n }\n\n const scope = getValue(`${HEADER_PREFIX}Scope`) ?? getValue('x-astra-scope');\n if (scope) {\n credentials.pdlss = {\n ...credentials.pdlss,\n scope: { jurisdiction: scope },\n };\n }\n\n return credentials;\n}\n","/\n A2A (Agent-to-Agent) Transport Adapter\n \n Maps AstraSync credentials to/from A2A task metadata.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface A2ATask {\n metadata?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMetadata {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to an A2A task's metadata block.\n /\nexport function setA2AMetadata(\n task: A2ATask,\n credentials: AstraSyncCredentials,\n): A2ATask {\n const astrasync: AstraSyncMetadata = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...task,\n metadata: {\n ...task.metadata,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from an A2A task's metadata block.\n /\nexport function extractA2ACredentials(task: A2ATask): AstraSyncCredentials \| null {\n const meta = task.metadata?.astrasync as AstraSyncMetadata \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n MCP (Model Context Protocol) Transport Adapter\n \n Maps AstraSync credentials to/from MCP params._meta.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface McpParams {\n _meta?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMeta {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to MCP params' _meta block.\n /\nexport function setMcpMeta(\n params: McpParams,\n credentials: AstraSyncCredentials,\n): McpParams {\n const astrasync: AstraSyncMeta = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...params,\n _meta: {\n ...params._meta,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from MCP params' _meta block.\n /\nexport function extractMcpCredentials(params: McpParams): AstraSyncCredentials \| null {\n const meta = params._meta?.astrasync as AstraSyncMeta \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n Protocol request -> AstraSync PDLSS purpose category mapping.\n \n Per spec v2.6 §7.4.3 commerce purpose mapping table, extended with MPP + x402\n * entries (April 2026 protocol landscape).\n /\n\nexport type CommercePurpose =\n \| 'commerce.checkout.create'\n \| 'commerce.checkout.update'\n \| 'commerce.checkout.confirm'\n \| 'commerce.checkout.cancel'\n \| 'commerce.payment.execute'\n \| 'commerce.payment.stream'\n \| 'commerce.delegation.intent'\n \| 'commerce.delegation.checkout'\n \| 'commerce.delegation.payment'\n \| 'commerce.identity_probe'\n \| 'commerce.browsing';\n\nconst UCP_ROUTES: Array<{ method: string; pattern: RegExp; purpose: CommercePurpose }> = [\n { method: 'POST', pattern: /^\\/checkout[-_]sessions\\/?$/, purpose: 'commerce.checkout.create' },\n {\n method: 'PUT',\n pattern: /^\\/checkout[-_]sessions\\/[^/]+\\/?$/,\n purpose: 'commerce.checkout.update',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout[-_]sessions\\/[^/]+\\/complete\\/?$/,\n purpose: 'commerce.payment.execute',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout[-_]sessions\\/[^/]+\\/cancel\\/?$/,\n purpose: 'commerce.checkout.cancel',\n },\n];\n\nconst ACP_ROUTES: Array<{ method: string; pattern: RegExp; purpose: CommercePurpose }> = [\n { method: 'POST', pattern: /^\\/checkout_sessions\\/?$/, purpose: 'commerce.checkout.create' },\n {\n method: 'POST',\n pattern: /^\\/checkout_sessions\\/[^/]+\\/?$/,\n purpose: 'commerce.checkout.update',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout_sessions\\/[^/]+\\/complete\\/?$/,\n purpose: 'commerce.payment.execute',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout_sessions\\/[^/]+\\/cancel\\/?$/,\n purpose: 'commerce.checkout.cancel',\n },\n {\n method: 'POST',\n pattern: /^\\/agentic_commerce\\/delegate_payment\\/?$/,\n purpose: 'commerce.delegation.payment',\n },\n];\n\nexport function mapUCPRequestToPurpose(method: string, path: string): CommercePurpose \| null {\n const normalizedMethod = method.toUpperCase();\n const normalizedPath = stripQuery(path);\n for (const route of UCP_ROUTES) {\n if (route.method === normalizedMethod && route.pattern.test(normalizedPath)) {\n return route.purpose;\n }\n }\n return null;\n}\n\nexport function mapACPRequestToPurpose(method: string, path: string): CommercePurpose \| null {\n const normalizedMethod = method.toUpperCase();\n const normalizedPath = stripQuery(path);\n for (const route of ACP_ROUTES) {\n if (route.method === normalizedMethod && route.pattern.test(normalizedPath)) {\n return route.purpose;\n }\n }\n return null;\n}\n\nexport type AP2MandateType = 'intent_mandate' \| 'cart_mandate' \| 'payment_mandate';\nexport function mapAP2MandateToPurpose(mandateType: AP2MandateType): CommercePurpose {\n switch (mandateType) {\n case 'intent_mandate':\n return 'commerce.delegation.intent';\n case 'cart_mandate':\n return 'commerce.checkout.confirm';\n case 'payment_mandate':\n return 'commerce.payment.execute';\n }\n}\n\nexport type VIMandateType = 'checkout' \| 'payment' \| 'checkout.open' \| 'payment.open';\nexport function mapVIMandateToPurpose(mandateType: VIMandateType): CommercePurpose {\n switch (mandateType) {\n case 'checkout':\n return 'commerce.checkout.confirm';\n case 'payment':\n return 'commerce.payment.execute';\n case 'checkout.open':\n return 'commerce.delegation.checkout';\n case 'payment.open':\n return 'commerce.delegation.payment';\n }\n}\n\nexport type RFC9421Tag = 'browse' \| 'purchase' \| undefined;\nexport function mapRFC9421TagToPurpose(tag: RFC9421Tag): CommercePurpose {\n if (tag === 'purchase') return 'commerce.payment.execute';\n return 'commerce.browsing';\n}\n\nexport type MPPIntent = 'charge' \| 'session';\nexport function mapMPPRequestToPurpose(\n intent: MPPIntent \| undefined,\n amount: number \| undefined\n): CommercePurpose {\n if (typeof amount === 'number' && amount === 0) return 'commerce.identity_probe';\n if (intent === 'session') return 'commerce.payment.stream';\n return 'commerce.payment.execute';\n}\n\nexport function mapX402RequestToPurpose(amount: number \| undefined): CommercePurpose {\n if (typeof amount === 'number' && amount === 0) return 'commerce.identity_probe';\n return 'commerce.payment.execute';\n}\n\nfunction stripQuery(path: string): string {\n const q = path.indexOf('?');\n return q === -1 ? path : path.slice(0, q);\n}\n\n/\n Informational Stripe webhook events surfaced as trust signals on\n * `CommerceContext.trustSignals` but NOT routed to a PDLSS purpose.\n /\nexport const STRIPE_WEBHOOK_INFORMATIONAL_EVENTS = [\n 'payment_intent.succeeded',\n 'payment_intent.payment_failed',\n 'charge.refunded',\n 'checkout.session.completed',\n 'customer.subscription.created',\n] as const;\nexport type StripeWebhookInformationalEvent = (typeof STRIPE_WEBHOOK_INFORMATIONAL_EVENTS)[number];\n\nexport function isStripeWebhookInformational(eventType: string): boolean {\n return (STRIPE_WEBHOOK_INFORMATIONAL_EVENTS as readonly string[]).includes(eventType);\n}\n","/\n Per-protocol transaction-value normalization.\n \n Each protocol encodes amount/currency differently. This module produces a\n * uniform `TransactionValueContext` with `source` recording the extraction\n * path so trace logs can show where the value came from.\n \n Amount unit: \"major units\" (dollars/euros/etc. for fiat; native unit for\n * tokens — we do NOT convert across currencies). UCP/ACP totals are in\n * cents, so we divide by 100. MPP/x402/VI pass through as declared.\n /\n\nexport interface TransactionValueContext {\n protocol: 'vi' \| 'ap2' \| 'ucp' \| 'acp' \| 'mpp' \| 'x402' \| 'agentpay' \| 'tap';\n amount: number;\n currency: string;\n source: string;\n}\n\nexport function extractUCPTransactionValue(input: {\n totals?: Array<{ type?: string; amount?: number; currency?: string }>;\n}): TransactionValueContext \| null {\n const totals = input.totals ?? [];\n const total = totals.find((t) => t.type === 'total') ?? totals[0];\n if (!total \|\| typeof total.amount !== 'number' \|\| !total.currency) return null;\n return {\n protocol: 'ucp',\n amount: total.amount / 100,\n currency: total.currency,\n source: `totals[type=${total.type ?? 'unknown'}].amount`,\n };\n}\n\nexport function extractACPTransactionValue(input: {\n totals?: Array<{ type?: string; amount?: number; currency?: string }>;\n}): TransactionValueContext \| null {\n const totals = input.totals ?? [];\n const total = totals.find((t) => t.type === 'total') ?? totals[0];\n if (!total \|\| typeof total.amount !== 'number' \|\| !total.currency) return null;\n return {\n protocol: 'acp',\n amount: total.amount / 100,\n currency: total.currency,\n source: `totals[type=${total.type ?? 'unknown'}].amount`,\n };\n}\n\nexport interface VIClaimsForValue {\n constraints?: {\n paymentAmount?: { currency?: string; min?: number; max?: number };\n };\n l3aPaymentAmount?: { currency?: string; amount?: number };\n}\n\nexport function extractVITransactionValue(\n claims: VIClaimsForValue\n): TransactionValueContext \| null {\n const l3a = claims.l3aPaymentAmount;\n if (l3a && typeof l3a.amount === 'number' && l3a.currency) {\n return {\n protocol: 'vi',\n amount: l3a.amount,\n currency: l3a.currency,\n source: 'L3a.payment.amount',\n };\n }\n const bound = claims.constraints?.paymentAmount;\n if (bound && typeof bound.max === 'number' && bound.currency) {\n return {\n protocol: 'vi',\n amount: bound.max,\n currency: bound.currency,\n source: 'L2.payment.constraints.amount.max',\n };\n }\n return null;\n}\n\nexport interface AP2PaymentMandateForValue {\n payment_details_total?: { amount?: { value?: string \| number; currency?: string } };\n}\n\nexport function extractAP2TransactionValue(\n mandate: AP2PaymentMandateForValue \| undefined\n): TransactionValueContext \| null {\n const amt = mandate?.payment_details_total?.amount;\n if (!amt \|\| !amt.currency) return null;\n const n = typeof amt.value === 'string' ? Number(amt.value) : amt.value;\n if (typeof n !== 'number' \|\| !Number.isFinite(n)) return null;\n return {\n protocol: 'ap2',\n amount: n,\n currency: amt.currency,\n source: 'payment_mandate.payment_details_total.amount',\n };\n}\n\nexport interface MPPChallengeForValue {\n method?: string;\n request?: { amount?: number; currency?: string } & Record<string, unknown>;\n}\n\nexport function extractMPPTransactionValue(\n challenge: MPPChallengeForValue\n): TransactionValueContext \| null {\n const req = challenge.request;\n if (!req \|\| typeof req.amount !== 'number' \|\| !req.currency) return null;\n return {\n protocol: 'mpp',\n amount: req.amount,\n currency: req.currency,\n source: `challenge.request.amount (method=${challenge.method ?? 'unknown'})`,\n };\n}\n\nexport interface X402RequestForValue {\n maxAmountRequired?: number;\n amount?: number;\n asset?: string;\n currency?: string;\n}\n\nexport function extractX402TransactionValue(\n req: X402RequestForValue\n): TransactionValueContext \| null {\n const amount = req.maxAmountRequired ?? req.amount;\n const currency = req.currency ?? req.asset;\n if (typeof amount !== 'number' \|\| !currency) return null;\n return {\n protocol: 'x402',\n amount,\n currency,\n source: req.maxAmountRequired !== undefined ? 'maxAmountRequired' : 'amount',\n };\n}\n","/\n RFC 9421 HTTP Message Signatures parser.\n \n Wraps `structured-headers` (transitive dep of http-message-signatures) to\n * parse the Signature-Input and Signature Dictionary headers per RFC 9421 §2.\n \n Produces structured metadata (kid, algorithm, covered components, tag,\n * created/expires/nonce, signature bytes) without verifying the signature —\n * verification lives in rfc9421-verify.ts.\n \n Shared by:\n * - Agent Pay (Mastercard) — kid resolves via Mastercard Agent Registry\n * - TAP (Visa) — kid resolves via Visa JWKS\n * - Web Bot Auth (generic transport substrate) — kid resolves via\n * /.well-known/http-message-signatures-directory\n /\n\nimport { parseDictionary } from 'structured-headers';\n\nexport interface RFC9421SignatureParams {\n /* The label identifying the signature in the Dictionary header (e.g. \"sig1\"). /\n label: string;\n /* Key ID used to look up the verifying key in the relevant registry. /\n kid: string;\n /* Algorithm declared in the Signature-Input params (e.g. \"ecdsa-p256-sha256\", \"ed25519\"). /\n alg?: string;\n /* Covered components, in order, per RFC 9421 §2.1. /\n covered: string[];\n /* Base64url-encoded signature bytes extracted from the paired Signature header. /\n signatureBase64: string;\n /* Unix seconds when the signature was created. /\n created?: number;\n /* Unix seconds when the signature expires. /\n expires?: number;\n /* Nonce (opaque string) for replay protection. /\n nonce?: string;\n /* Tag parameter. For Agent Pay/TAP this is \"browse\" or \"purchase\"; undefined otherwise. /\n tag?: 'browse' \| 'purchase' \| string;\n}\n\nexport interface ParsedRFC9421 {\n signatures: RFC9421SignatureParams[];\n}\n\n/\n Parse the RFC 9421 Signature-Input and Signature headers from a request or response.\n * Returns all signatures present (a single message may carry multiple labelled signatures).\n \n Returns null if either header is missing or malformed.\n /\nexport function parseRFC9421(\n headers: Record<string, string \| string[] \| undefined>\n): ParsedRFC9421 \| null {\n const sigInput = readHeader(headers, 'signature-input');\n const sig = readHeader(headers, 'signature');\n if (!sigInput \|\| !sig) return null;\n\n let inputDict;\n let sigDict;\n try {\n inputDict = parseDictionary(sigInput);\n sigDict = parseDictionary(sig);\n } catch {\n return null;\n }\n\n const signatures: RFC9421SignatureParams[] = [];\n\n for (const [label, entry] of inputDict) {\n // entry.value is the inner list of covered components; entry[1] is the params Map.\n const innerList = Array.isArray(entry)\n ? entry[0]\n : (entry as { value?: unknown; params?: unknown }).value;\n const params = Array.isArray(entry)\n ? entry[1]\n : (entry as { value?: unknown; params?: unknown }).params;\n if (!Array.isArray(innerList) \|\| !params) continue;\n\n const covered: string[] = [];\n for (const item of innerList as Array<[unknown, Map<string, unknown>]>) {\n const [bare] = Array.isArray(item) ? item : [item];\n if (typeof bare === 'string') covered.push(bare);\n else if (bare && typeof bare === 'object' && 'toString' in bare) covered.push(String(bare));\n }\n\n const paramsMap = params as Map<string, unknown>;\n const kid = coerceString(paramsMap.get('keyid'));\n if (!kid) continue;\n\n const sigEntry = sigDict.get(label);\n if (!sigEntry) continue;\n\n const sigBare = Array.isArray(sigEntry) ? sigEntry[0] : (sigEntry as { value?: unknown }).value;\n const signatureBase64 = extractBase64(sigBare);\n if (!signatureBase64) continue;\n\n signatures.push({\n label,\n kid,\n alg: coerceString(paramsMap.get('alg')),\n covered,\n signatureBase64,\n created: coerceNumber(paramsMap.get('created')),\n expires: coerceNumber(paramsMap.get('expires')),\n nonce: coerceString(paramsMap.get('nonce')),\n tag: coerceString(paramsMap.get('tag')),\n });\n }\n\n if (signatures.length === 0) return null;\n return { signatures };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| null {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n return null;\n }\n }\n return null;\n}\n\nfunction coerceString(value: unknown): string \| undefined {\n if (typeof value === 'string') return value;\n if (value == null) return undefined;\n if (typeof value === 'object' && 'toString' in (value as object)) {\n const s = String(value);\n return s.length > 0 ? s : undefined;\n }\n return undefined;\n}\n\nfunction coerceNumber(value: unknown): number \| undefined {\n if (typeof value === 'number' && Number.isFinite(value)) return value;\n if (typeof value === 'bigint') return Number(value);\n return undefined;\n}\n\nfunction extractBase64(value: unknown): string \| null {\n if (value instanceof Uint8Array) return bufferToBase64(value);\n if (value instanceof ArrayBuffer) return bufferToBase64(new Uint8Array(value));\n if (ArrayBuffer.isView(value)) {\n const v = value as ArrayBufferView;\n return bufferToBase64(new Uint8Array(v.buffer, v.byteOffset, v.byteLength));\n }\n if (typeof value === 'string') {\n if (value.startsWith(':') && value.endsWith(':')) return value.slice(1, -1);\n return value;\n }\n return null;\n}\n\nfunction bufferToBase64(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString('base64');\n}\n","/\n RFC 9421 HTTP Message Signatures verification.\n \n Wraps http-message-signatures (dhensby) verifyMessage() with a RegistryResolver\n * hook for kid → JWK lookup. Library handles canonicalization + ES256/EdDSA/\n * HMAC/RSA verification; we supply the key-finding callback and policy around\n * clock skew.\n \n Shared by:\n * - Agent Pay (Mastercard) — resolver = createMastercardRegistry\n * - TAP (Visa) — resolver = createVisaRegistry\n * - Web Bot Auth (generic) — resolver = createWebBotAuthRegistry\n /\n\nimport { httpbis, type VerifierFinder, type VerifyingKey } from 'http-message-signatures';\nimport type { JWK } from 'jose';\nimport type { RegistryResolver } from './registry/types';\n\nexport interface RFC9421VerifyRequest {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n body?: string;\n}\n\nexport interface RFC9421VerifyOptions {\n resolver: RegistryResolver;\n /* Seconds of tolerance around created/expires. Default 300. /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport interface RFC9421VerifyResult {\n ok: boolean;\n kid?: string;\n registry?: RegistryResolver['name'];\n algorithm?: string;\n error?: string;\n}\n\nexport async function verifyRFC9421(\n request: RFC9421VerifyRequest,\n options: RFC9421VerifyOptions\n): Promise<RFC9421VerifyResult> {\n const { resolver } = options;\n const tolerance = options.clockSkewSec ?? 300;\n const nowSec = options.now ? options.now() : Math.floor(Date.now() / 1000);\n\n let resolvedKid: string \| undefined;\n let resolvedAlg: string \| undefined;\n\n const keyLookup: VerifierFinder = async (parameters) => {\n const kid = typeof parameters.keyid === 'string' ? parameters.keyid : undefined;\n if (!kid) return null;\n resolvedKid = kid;\n const alg = typeof parameters.alg === 'string' ? parameters.alg : undefined;\n if (alg) resolvedAlg = alg;\n\n const origin = safeOrigin(request.url);\n const jwk = await resolver.resolve(kid, { origin, algorithm: alg });\n if (!jwk) return null;\n\n // Check clock-skew on this specific signature's created/expires.\n // SignatureParameters may carry Date, number, or ISO string per library.\n const created = toUnixSeconds(parameters.created);\n const expires = toUnixSeconds(parameters.expires);\n if (created !== undefined && Math.abs(nowSec - created) > tolerance) return null;\n if (expires !== undefined && nowSec > expires + tolerance) return null;\n\n return jwkToVerifyingKey(kid, jwk, alg);\n };\n\n try {\n const result = await httpbis.verifyMessage(\n {\n keyLookup,\n },\n normalizeRequest(request)\n );\n if (result === true) {\n return {\n ok: true,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n };\n }\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: result === false ? 'signature invalid' : 'no signature found',\n };\n } catch (err) {\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: err instanceof Error ? err.message : 'verification error',\n };\n }\n}\n\nfunction normalizeRequest(request: RFC9421VerifyRequest): {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n} {\n return {\n method: request.method.toUpperCase(),\n url: request.url,\n headers: request.headers,\n };\n}\n\nfunction safeOrigin(url: string): string \| undefined {\n try {\n return new URL(url).origin;\n } catch {\n return undefined;\n }\n}\n\nasync function jwkToVerifyingKey(\n id: string,\n jwk: JWK,\n alg: string \| undefined\n): Promise<VerifyingKey> {\n const algorithm = alg ?? inferAlgFromJwk(jwk);\n const { subtle } = await getCrypto();\n const importAlg = webCryptoImportAlgFor(algorithm);\n const verifyAlg = webCryptoAlgFor(algorithm);\n if (!importAlg \|\| !verifyAlg) {\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async () => false,\n };\n }\n const key = await subtle.importKey('jwk', jwk as JsonWebKey, importAlg, false, ['verify']);\n\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async (data: Buffer, signature: Buffer): Promise<boolean> => {\n try {\n return await subtle.verify(verifyAlg, key, toArrayBuffer(signature), toArrayBuffer(data));\n } catch {\n return false;\n }\n },\n };\n}\n\nfunction inferAlgFromJwk(jwk: JWK): string {\n if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519') return 'ed25519';\n if (jwk.kty === 'EC' && jwk.crv === 'P-256') return 'ecdsa-p256-sha256';\n if (jwk.kty === 'EC' && jwk.crv === 'P-384') return 'ecdsa-p384-sha384';\n if (jwk.kty === 'RSA') return 'rsa-v1_5-sha256';\n return 'ecdsa-p256-sha256';\n}\n\nfunction webCryptoAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcdsaParams \| RsaPssParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', hash: 'SHA-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', hash: 'SHA-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', saltLength: 64 };\n default:\n return null;\n }\n}\n\nfunction webCryptoImportAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcKeyImportParams \| RsaHashedImportParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', namedCurve: 'P-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', namedCurve: 'P-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', hash: 'SHA-512' };\n default:\n return null;\n }\n}\n\nfunction toArrayBuffer(buf: Buffer): ArrayBuffer {\n const out = new ArrayBuffer(buf.byteLength);\n new Uint8Array(out).set(buf);\n return out;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (v instanceof Date) return Math.floor(v.getTime() / 1000);\n if (typeof v === 'string') {\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nasync function getCrypto(): Promise<{ subtle: SubtleCrypto }> {\n if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.subtle) {\n return { subtle: globalThis.crypto.subtle };\n }\n // Node fallback\n const nodeCrypto = await import('node:crypto');\n return { subtle: nodeCrypto.webcrypto.subtle as SubtleCrypto };\n}\n","/\n UCP (Universal Commerce Protocol) checkout session extractor.\n \n Google + Shopify spec (ucp.dev). Extracts checkout session context from\n * incoming HTTP requests and, at registration time, validates the\n * `/.well-known/ucp` manifest via AJV against the mirrored JSON schema.\n /\n\nimport { mapUCPRequestToPurpose, type CommercePurpose } from './purpose-mapping';\n\nexport interface UCPTotal {\n type?: string;\n amount?: number;\n currency?: string;\n}\n\nexport interface UCPCheckoutContext {\n sessionId?: string;\n endpoint: string;\n purpose: CommercePurpose \| null;\n merchantDomain?: string;\n totals?: UCPTotal[];\n paymentMethod?: string;\n manifestUrl?: string;\n}\n\nexport interface UCPRequestLike {\n method: string;\n url: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport function extractUCPContext(request: UCPRequestLike): UCPCheckoutContext \| null {\n const { method, url } = request;\n if (!method \|\| !url) return null;\n\n const parsedUrl = safeParseUrl(url);\n const path = parsedUrl?.pathname ?? url.split('?')[0];\n\n const purpose = mapUCPRequestToPurpose(method, path);\n const endpoint = `${method.toUpperCase()} ${path}`;\n const sessionId = extractSessionId(path);\n\n const body = (request.body ?? {}) as Record<string, unknown>;\n const totals = Array.isArray(body.totals) ? (body.totals as UCPTotal[]) : undefined;\n const paymentMethod = coerceString(body.payment_method ?? body.paymentMethod);\n const manifestUrl = coerceString(body.manifest_url ?? body.manifestUrl);\n\n const merchantDomain = extractMerchantDomain(body, parsedUrl);\n\n return {\n sessionId,\n endpoint,\n purpose,\n merchantDomain,\n totals,\n paymentMethod,\n manifestUrl,\n };\n}\n\n/\n Fetch and parse a UCP manifest at registration time. Returns parsed JSON\n * on success, null on any failure (network, parse, timeout). Does NOT throw.\n \n Schema validation is a separate step — see `validateUCPManifest`.\n /\nexport async function fetchUCPManifest(\n manifestUrl: string,\n options: { timeoutMs?: number } = {}\n): Promise<unknown \| null> {\n const timeoutMs = options.timeoutMs ?? 3000;\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), timeoutMs);\n try {\n const res = await fetch(manifestUrl, { signal: controller.signal });\n if (!res.ok) return null;\n return await res.json();\n } catch {\n return null;\n } finally {\n clearTimeout(timer);\n }\n}\n\n/\n Validate a UCP manifest against the minimal shape we care about.\n \n The full UCP manifest schema lives upstream (ucp.dev) and is out of scope\n * to mirror here exhaustively. This function checks the structural guarantees\n * we depend on: required top-level fields (version, capabilities, endpoints).\n \n For full schema validation, consumers can pass their own AJV compiled\n * validator via `options.validator`.\n /\nexport interface UCPManifestValidationResult {\n ok: boolean;\n errors: string[];\n}\n\nexport function validateUCPManifest(\n manifest: unknown,\n options: { validator?: (m: unknown) => { ok: boolean; errors: string[] } } = {}\n): UCPManifestValidationResult {\n if (options.validator) return options.validator(manifest);\n\n const errors: string[] = [];\n if (!manifest \|\| typeof manifest !== 'object') {\n return { ok: false, errors: ['manifest is not an object'] };\n }\n const m = manifest as Record<string, unknown>;\n if (typeof m.version !== 'string') errors.push('version is required and must be a string');\n if (!Array.isArray(m.capabilities)) errors.push('capabilities must be an array');\n if (!m.endpoints \|\| typeof m.endpoints !== 'object') errors.push('endpoints must be an object');\n return { ok: errors.length === 0, errors };\n}\n\nfunction safeParseUrl(url: string): URL \| null {\n try {\n return new URL(url, 'http://placeholder.invalid');\n } catch {\n return null;\n }\n}\n\nfunction extractSessionId(path: string): string \| undefined {\n const match = path.match(/\\/checkout[-_]sessions\\/([^/?#]+)/);\n return match?.[1];\n}\n\nfunction extractMerchantDomain(\n body: Record<string, unknown>,\n parsedUrl: URL \| null\n): string \| undefined {\n const explicit = coerceString(body.merchant_domain ?? body.merchantDomain);\n if (explicit) return explicit;\n if (parsedUrl && parsedUrl.hostname !== 'placeholder.invalid') return parsedUrl.hostname;\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n ACP (Agentic Commerce Protocol) request extractor.\n \n Co-maintained by OpenAI + Stripe. Spec at agenticcommerce.dev.\n \n Extracts ACP request context from HTTP requests:\n * - Multi-header parsing: Signature, Timestamp, Idempotency-Key,\n * Authorization: Bearer, API-Version\n * - Endpoint classification: Agentic Checkout (checkout_sessions.) vs\n Delegate Payment (agentic_commerce/delegate_payment)\n * - Payment token detection: spt_* (Stripe SharedPaymentToken),\n * vt_* (ACP vault token), unknown\n * - Totals + merchant extraction from body\n \n No signature verification here — see acp-verify.ts.\n /\n\nimport { mapACPRequestToPurpose, type CommercePurpose } from './purpose-mapping';\n\nexport type ACPEndpoint =\n \| 'checkout_sessions.create'\n \| 'checkout_sessions.update'\n \| 'checkout_sessions.complete'\n \| 'checkout_sessions.cancel'\n \| 'delegate_payment'\n \| 'unknown';\n\nexport type ACPPaymentTokenType = 'stripe-spt' \| 'acp-vt' \| 'other' \| null;\n\nexport interface ACPTotal {\n type?: string;\n amount?: number;\n currency?: string;\n}\n\nexport interface ACPRequestContext {\n endpoint: ACPEndpoint;\n purpose: CommercePurpose \| null;\n sessionId?: string;\n merchantId?: string;\n apiVersion?: string;\n bearer?: string;\n signatureHeader?: string;\n timestampHeader?: string;\n idempotencyKey?: string;\n paymentToken?: {\n raw?: string;\n type: ACPPaymentTokenType;\n provider?: string;\n };\n totals?: ACPTotal[];\n fulfillmentOption?: string;\n rawBody?: string;\n}\n\nexport interface ACPRequestLike {\n method: string;\n url: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\nexport function extractACPContext(request: ACPRequestLike): ACPRequestContext \| null {\n const { method, url } = request;\n if (!method \|\| !url) return null;\n\n const path = stripQuery(url.startsWith('http') ? new URL(url).pathname : url);\n\n const endpoint = classifyEndpoint(method, path);\n const purpose = mapACPRequestToPurpose(method, path);\n const sessionId = extractSessionId(path);\n\n const headers = request.headers ?? {};\n const signatureHeader = readHeader(headers, 'signature');\n const timestampHeader = readHeader(headers, 'timestamp');\n const idempotencyKey = readHeader(headers, 'idempotency-key');\n const apiVersion = readHeader(headers, 'api-version');\n const bearer = extractBearer(readHeader(headers, 'authorization'));\n\n const body = (request.body ?? {}) as Record<string, unknown>;\n const merchantId = coerceString(body.merchant_id ?? body.merchantId);\n const totals = Array.isArray(body.totals) ? (body.totals as ACPTotal[]) : undefined;\n const fulfillmentOption = extractFulfillmentOption(body);\n\n const paymentToken = extractPaymentToken(body);\n\n return {\n endpoint,\n purpose,\n sessionId,\n merchantId,\n apiVersion,\n bearer,\n signatureHeader,\n timestampHeader,\n idempotencyKey,\n paymentToken,\n totals,\n fulfillmentOption,\n rawBody: request.rawBody,\n };\n}\n\nfunction classifyEndpoint(method: string, path: string): ACPEndpoint {\n const m = method.toUpperCase();\n if (m !== 'POST') return 'unknown';\n if (/^\\/agentic_commerce\\/delegate_payment\\/?$/.test(path)) return 'delegate_payment';\n if (/^\\/checkout_sessions\\/?$/.test(path)) return 'checkout_sessions.create';\n if (/^\\/checkout_sessions\\/[^/]+\\/?$/.test(path)) return 'checkout_sessions.update';\n if (/^\\/checkout_sessions\\/[^/]+\\/complete\\/?$/.test(path)) return 'checkout_sessions.complete';\n if (/^\\/checkout_sessions\\/[^/]+\\/cancel\\/?$/.test(path)) return 'checkout_sessions.cancel';\n return 'unknown';\n}\n\nfunction extractSessionId(path: string): string \| undefined {\n const match = path.match(/\\/checkout_sessions\\/([^/?#]+)/);\n return match?.[1];\n}\n\nfunction extractBearer(authHeader: string \| undefined): string \| undefined {\n if (!authHeader) return undefined;\n const match = authHeader.match(/^Bearer\\s+(.+)$/i);\n return match ? match[1].trim() : undefined;\n}\n\nfunction extractPaymentToken(body: Record<string, unknown>): ACPRequestContext['paymentToken'] {\n const paymentData = body.payment_data as Record<string, unknown> \| undefined;\n if (!paymentData) return undefined;\n const raw = coerceString(paymentData.token);\n const provider = coerceString(paymentData.provider);\n if (!raw) return { raw: undefined, type: null, provider };\n const type = classifyPaymentToken(raw);\n return { raw, type, provider };\n}\n\nfunction classifyPaymentToken(token: string): ACPPaymentTokenType {\n if (token.startsWith('spt_')) return 'stripe-spt';\n if (token.startsWith('vt_')) return 'acp-vt';\n return 'other';\n}\n\nfunction extractFulfillmentOption(body: Record<string, unknown>): string \| undefined {\n const direct = coerceString(body.fulfillment_option ?? body.fulfillmentOption);\n if (direct) return direct;\n const options = body.fulfillment_options;\n if (Array.isArray(options) && options.length > 0) {\n const first = options[0];\n if (first && typeof first === 'object') {\n const id = coerceString((first as Record<string, unknown>).id);\n if (id) return id;\n }\n }\n return undefined;\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| undefined {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw[0];\n }\n }\n return undefined;\n}\n\nfunction stripQuery(path: string): string {\n const q = path.indexOf('?');\n return q === -1 ? path : path.slice(0, q);\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n VI (Verifiable Intent) SD-JWT extraction.\n \n Open-sourced 5 March 2026 by Mastercard + Google (v0.1-draft).\n * VI is a 3-layer SD-JWT chain:\n * L1 — issuer → wallet (credential provider)\n * L2 — user → agent (cnf.jwk binding to L3 agent key)\n * L3 — agent → merchant (payment or checkout mandate, split into L3a / L3b\n * cross-referenced via transaction_id)\n \n This module does EXTRACTION ONLY — it decodes SD-JWT structure and pulls\n * out the mandate type, kid, executionMode, 8 constraint types, checkoutHash\n * (constraint type 8), transactionId, and raw layers for later verification.\n \n Signature verification lives in vi-verify.ts; this module uses @sd-jwt's\n * sync decoder with a SHA-256 hasher for structural parsing only.\n /\n\nimport { splitSdJwt, decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { VIMandateType } from './purpose-mapping';\n\nexport type { VIMandateType };\nexport type VIExecutionMode = 'Immediate' \| 'Autonomous' \| 'Both';\n\nexport interface VIAllowedParty {\n id?: string;\n name?: string;\n website?: string;\n}\n\nexport interface VILineItem {\n id?: string;\n acceptableItems?: string[];\n quantity?: number;\n}\n\nexport interface VIPaymentAmount {\n currency?: string;\n min?: number;\n max?: number;\n}\n\nexport interface VIBudgetLimit {\n currency?: string;\n max?: number;\n}\n\nexport interface VIRecurrence {\n frequency?: string;\n startDate?: string;\n endDate?: string;\n maxOccurrences?: number;\n}\n\nexport interface VIConstraints {\n allowedMerchants?: VIAllowedParty[];\n allowedPayees?: VIAllowedParty[];\n lineItems?: VILineItem[];\n paymentAmount?: VIPaymentAmount;\n budgetLimit?: VIBudgetLimit;\n recurrence?: VIRecurrence;\n agentRecurrence?: VIRecurrence;\n}\n\nexport interface VIExtractedClaims {\n mandateType: VIMandateType;\n kid?: string;\n executionMode?: VIExecutionMode;\n credentialProvider?: string;\n constraints: VIConstraints;\n /* VI constraint type 8 — SHA-256 of the paired L2 checkout disclosure. /\n checkoutHash?: string;\n transactionId?: string;\n rawLayers: { l1?: string; l2?: string; l3?: string };\n}\n\n/\n Extract VI claims from a compact SD-JWT string.\n \n Input shape:\n * <jwt>~<disclosure1>~<disclosure2>~...~<kbJwt?>\n \n Returns null if parsing fails at any layer. Does not verify signatures.\n /\nexport function extractVIClaims(sdJwtCompact: string): VIExtractedClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const split = safeSplit(sdJwtCompact);\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n\n // Apply disclosures onto payload to resolve _sd references.\n // Disclosure from @sd-jwt/utils has { key, value, digest() } where digest is\n // a function — we only need key+value here, so narrow via a structural cast.\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const mandateType = coerceMandateType(\n claims.mandate_type ?? claims.mandateType ?? payload.mandate_type ?? payload.mandateType\n );\n if (!mandateType) return null;\n\n const kid = coerceString(\n (decoded.jwt?.header as Record<string, unknown> \| undefined)?.kid ?? claims.kid ?? payload.kid\n );\n\n const executionMode = coerceExecutionMode(claims.execution_mode ?? claims.executionMode);\n const credentialProvider = coerceString(claims.iss ?? payload.iss);\n\n const constraints = extractConstraints(\n (claims.constraints ?? claims.default_constraints ?? {}) as Record<string, unknown>\n );\n\n const transactionId = coerceString(claims.transaction_id ?? claims.transactionId);\n const checkoutHash = coerceString(\n claims.checkout_hash ??\n claims.conditional_transaction_id ??\n (claims.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n\n return {\n mandateType,\n kid,\n executionMode,\n credentialProvider,\n constraints,\n checkoutHash,\n transactionId,\n rawLayers: split,\n };\n}\n\nfunction safeSplit(compact: string): { l1?: string; l2?: string; l3?: string } {\n try {\n const { jwt, kbJwt } = splitSdJwt(compact);\n // VI layering maps loosely: the outer JWT is L3 (agent mandate), KB-JWT\n // (if present) is the key-binding proof, and disclosures carry L2/L1 fragments.\n return { l3: jwt, l2: kbJwt };\n } catch {\n return {};\n }\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction extractConstraints(raw: Record<string, unknown>): VIConstraints {\n return {\n allowedMerchants: toAllowedPartyArray(raw.allowed_merchants ?? raw.allowedMerchants),\n allowedPayees: toAllowedPartyArray(raw.allowed_payees ?? raw.allowedPayees),\n lineItems: toLineItemArray(raw.line_items ?? raw.lineItems),\n paymentAmount: toPaymentAmount(raw.payment_amount ?? raw.paymentAmount),\n budgetLimit: toBudgetLimit(raw.budget_limit ?? raw.budgetLimit ?? raw.budget),\n recurrence: toRecurrence(raw.recurrence),\n agentRecurrence: toRecurrence(raw.agent_recurrence ?? raw.agentRecurrence),\n };\n}\n\nfunction toAllowedPartyArray(v: unknown): VIAllowedParty[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VIAllowedParty[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n out.push({\n id: coerceString(r.id),\n name: coerceString(r.name),\n website: coerceString(r.website),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toLineItemArray(v: unknown): VILineItem[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VILineItem[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n const acc = r.acceptable_items ?? r.acceptableItems;\n out.push({\n id: coerceString(r.id),\n acceptableItems: Array.isArray(acc)\n ? (acc.filter((a) => typeof a === 'string') as string[])\n : undefined,\n quantity: coerceNumber(r.quantity),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toPaymentAmount(v: unknown): VIPaymentAmount \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n min: coerceNumber(r.min),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toBudgetLimit(v: unknown): VIBudgetLimit \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toRecurrence(v: unknown): VIRecurrence \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n frequency: coerceString(r.frequency),\n startDate: coerceString(r.start_date ?? r.startDate),\n endDate: coerceString(r.end_date ?? r.endDate),\n maxOccurrences: coerceNumber(r.max_occurrences ?? r.maxOccurrences),\n };\n}\n\nfunction coerceMandateType(v: unknown): VIMandateType \| null {\n if (v === 'checkout' \|\| v === 'payment' \|\| v === 'checkout.open' \|\| v === 'payment.open') {\n return v;\n }\n return null;\n}\n\nfunction coerceExecutionMode(v: unknown): VIExecutionMode \| undefined {\n return v === 'Immediate' \|\| v === 'Autonomous' \|\| v === 'Both' ? v : undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n Stripe webhook HMAC-SHA256 verifier (inline).\n \n Stripe-Signature header format: \"t=TIMESTAMP,v1=HEX_SIGNATURE\"\n * - t: unix seconds when Stripe signed the webhook\n * - v1: HMAC-SHA256(webhook_secret, `${t}.${payload}`) as hex\n \n Multiple v1 signatures can coexist during secret rotation; any match wins.\n * Default tolerance on timestamp age: 300s (matches Stripe's own default).\n \n Documented at docs.stripe.com — we intentionally inline ~25 LOC rather\n * than pull in the full stripe npm package (MIT but 600KB+ with deps).\n /\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface VerifyStripeWebhookResult {\n ok: boolean;\n timestamp?: number;\n error?: string;\n}\n\nexport interface VerifyStripeWebhookOptions {\n toleranceSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport function verifyStripeWebhook(\n payload: string,\n signatureHeader: string \| undefined,\n secret: string,\n options: VerifyStripeWebhookOptions = {}\n): VerifyStripeWebhookResult {\n if (!signatureHeader) return { ok: false, error: 'missing Stripe-Signature header' };\n if (!secret) return { ok: false, error: 'missing webhook secret' };\n\n const parsed = parseStripeSignature(signatureHeader);\n if (!parsed.timestamp) return { ok: false, error: 'malformed Stripe-Signature (missing t=)' };\n if (parsed.v1Signatures.length === 0) {\n return { ok: false, error: 'malformed Stripe-Signature (no v1=)' };\n }\n\n const tolerance = options.toleranceSec ?? 300;\n const now = options.now ? options.now() : Math.floor(Date.now() / 1000);\n if (Math.abs(now - parsed.timestamp) > tolerance) {\n return {\n ok: false,\n timestamp: parsed.timestamp,\n error: `timestamp outside tolerance (${tolerance}s)`,\n };\n }\n\n const signedPayload = `${parsed.timestamp}.${payload}`;\n const expected = createHmac('sha256', secret).update(signedPayload).digest();\n\n for (const candidateHex of parsed.v1Signatures) {\n const candidate = hexToBuffer(candidateHex);\n if (!candidate) continue;\n if (candidate.length !== expected.length) continue;\n if (timingSafeEqual(candidate, expected)) {\n return { ok: true, timestamp: parsed.timestamp };\n }\n }\n\n return { ok: false, timestamp: parsed.timestamp, error: 'signature mismatch' };\n}\n\ninterface ParsedStripeSignature {\n timestamp: number \| null;\n v1Signatures: string[];\n}\n\nfunction parseStripeSignature(header: string): ParsedStripeSignature {\n let timestamp: number \| null = null;\n const v1Signatures: string[] = [];\n for (const part of header.split(',')) {\n const [rawKey, rawValue] = part.split('=');\n if (!rawKey \|\| !rawValue) continue;\n const key = rawKey.trim();\n const value = rawValue.trim();\n if (key === 't') {\n const n = Number(value);\n if (Number.isFinite(n)) timestamp = n;\n } else if (key === 'v1') {\n v1Signatures.push(value);\n }\n }\n return { timestamp, v1Signatures };\n}\n\nfunction hexToBuffer(hex: string): Buffer \| null {\n if (!/^[0-9a-fA-F]+$/.test(hex) \|\| hex.length % 2 !== 0) return null;\n return Buffer.from(hex, 'hex');\n}\n","/\n PDLSS constraint evaluation.\n \n Evaluates VI constraint types 1-4 (merchant/payee allowlists, line items,\n * payment amount) + MPP/x402 payment-method allowlist + spending-limit\n * against a transaction context.\n \n Types 5/6/7 (budget, recurrence, agent_recurrence) extract through but\n * enforcement is deferred to the cross-merchant budget service (§3.3.15,\n * separate PR). This module returns per-constraint {ok, reason} results\n * so a policy layer can decide hard-deny vs trust-signal.\n /\n\nimport type { VIConstraints, VIAllowedParty, VILineItem, VIPaymentAmount } from './vi';\n\nexport interface TransactionContext {\n amount?: number;\n currency?: string;\n merchant?: { id?: string; website?: string };\n payee?: { id?: string; website?: string };\n lineItems?: Array<{ id?: string; quantity?: number }>;\n /* For MPP / x402 payment-method enforcement. /\n paymentMethod?: string;\n}\n\nexport type ConstraintKey = 'merchant' \| 'payee' \| 'lineItems' \| 'amount' \| 'paymentMethod';\n\nexport interface ConstraintResult {\n ok: boolean;\n reason?: string;\n}\n\nexport interface ConstraintEvalResult {\n ok: boolean;\n results: Record<string, ConstraintResult>;\n reasons: string[];\n}\n\nexport interface VIConstraintEvalInput {\n constraints: VIConstraints;\n transaction: TransactionContext;\n}\n\nexport function evaluateVIConstraints(input: VIConstraintEvalInput): ConstraintEvalResult {\n const { constraints, transaction } = input;\n const results: Record<string, ConstraintResult> = {};\n\n if (constraints.allowedMerchants && constraints.allowedMerchants.length > 0) {\n results.merchant = evaluateAllowlist(\n 'merchant',\n constraints.allowedMerchants,\n transaction.merchant\n );\n }\n\n if (constraints.allowedPayees && constraints.allowedPayees.length > 0) {\n results.payee = evaluateAllowlist('payee', constraints.allowedPayees, transaction.payee);\n }\n\n if (constraints.lineItems && constraints.lineItems.length > 0) {\n results.lineItems = evaluateLineItems(constraints.lineItems, transaction.lineItems ?? []);\n }\n\n if (constraints.paymentAmount) {\n results.amount = evaluatePaymentAmount(constraints.paymentAmount, transaction);\n }\n\n const reasons: string[] = [];\n let ok = true;\n for (const [key, r] of Object.entries(results)) {\n if (!r.ok) {\n ok = false;\n reasons.push(r.reason ?? `${key} failed`);\n }\n }\n\n return { ok, results, reasons };\n}\n\nexport interface PaymentMethodAllowlistInput {\n allowedMethods?: string[];\n requestedMethod?: string;\n}\n\nexport function evaluatePaymentMethodAllowlist(\n input: PaymentMethodAllowlistInput\n): ConstraintResult {\n const allow = input.allowedMethods ?? [];\n if (allow.length === 0) return { ok: true };\n if (!input.requestedMethod) {\n return { ok: false, reason: 'no payment method in request; allowlist configured' };\n }\n const lowered = input.requestedMethod.toLowerCase();\n const allowed = allow.some((m) => m.toLowerCase() === lowered);\n if (!allowed) {\n return {\n ok: false,\n reason: `payment method \"${input.requestedMethod}\" not in allowlist [${allow.join(', ')}]`,\n };\n }\n return { ok: true };\n}\n\nexport interface SpendingLimitInput {\n limit?: { amount?: number; currency?: string };\n requested?: { amount?: number; currency?: string };\n}\n\nexport function evaluateSpendingLimit(input: SpendingLimitInput): ConstraintResult {\n const { limit, requested } = input;\n if (!limit \|\| typeof limit.amount !== 'number') return { ok: true };\n if (!requested \|\| typeof requested.amount !== 'number') return { ok: true };\n if (limit.currency && requested.currency && limit.currency !== requested.currency) {\n return {\n ok: false,\n reason: `currency mismatch: limit ${limit.currency} vs requested ${requested.currency}`,\n };\n }\n if (requested.amount > limit.amount) {\n return {\n ok: false,\n reason:\n `requested ${requested.amount} ${requested.currency ?? ''} exceeds limit ${limit.amount} ${limit.currency ?? ''}`.trim(),\n };\n }\n return { ok: true };\n}\n\nfunction evaluateAllowlist(\n kind: 'merchant' \| 'payee',\n allowlist: VIAllowedParty[],\n actual: { id?: string; website?: string } \| undefined\n): ConstraintResult {\n if (!actual \|\| (!actual.id && !actual.website)) {\n return { ok: false, reason: `no ${kind} in transaction; allowlist configured` };\n }\n for (const entry of allowlist) {\n if (entry.id && actual.id && entry.id === actual.id) return { ok: true };\n if (entry.website && actual.website && domainsMatch(entry.website, actual.website)) {\n return { ok: true };\n }\n }\n const allowedDescriptors = allowlist.map(describeParty).join(', ');\n const actualDescriptor = describeParty(actual);\n return {\n ok: false,\n reason: `${kind} ${actualDescriptor} not in allowlist [${allowedDescriptors}]`,\n };\n}\n\nfunction evaluateLineItems(\n allowlist: VILineItem[],\n actualItems: Array<{ id?: string; quantity?: number }>\n): ConstraintResult {\n if (actualItems.length === 0) {\n return { ok: false, reason: 'no line items in transaction; allowlist configured' };\n }\n const reasons: string[] = [];\n for (const item of actualItems) {\n const match = allowlist.find(\n (a) => (a.id && a.id === item.id) \|\| (a.acceptableItems ?? []).includes(item.id ?? '')\n );\n if (!match) {\n reasons.push(`line item \"${item.id ?? '(unnamed)'}\" not in allowlist`);\n continue;\n }\n if (\n typeof match.quantity === 'number' &&\n typeof item.quantity === 'number' &&\n item.quantity > match.quantity\n ) {\n reasons.push(\n `line item \"${item.id}\" quantity ${item.quantity} exceeds allowed ${match.quantity}`\n );\n }\n }\n return reasons.length === 0 ? { ok: true } : { ok: false, reason: reasons.join('; ') };\n}\n\nfunction evaluatePaymentAmount(\n bound: VIPaymentAmount,\n transaction: TransactionContext\n): ConstraintResult {\n if (typeof transaction.amount !== 'number') {\n return { ok: false, reason: 'no amount in transaction; paymentAmount bound configured' };\n }\n if (bound.currency && transaction.currency && bound.currency !== transaction.currency) {\n return {\n ok: false,\n reason: `currency mismatch: bound ${bound.currency} vs transaction ${transaction.currency}`,\n };\n }\n if (typeof bound.min === 'number' && transaction.amount < bound.min) {\n return {\n ok: false,\n reason: `amount ${transaction.amount} below min ${bound.min}`,\n };\n }\n if (typeof bound.max === 'number' && transaction.amount > bound.max) {\n return {\n ok: false,\n reason: `amount ${transaction.amount} above max ${bound.max}`,\n };\n }\n return { ok: true };\n}\n\nfunction domainsMatch(allow: string, actual: string): boolean {\n const a = normalizeDomain(allow);\n const b = normalizeDomain(actual);\n return a === b \|\| b.endsWith(`.${a}`);\n}\n\nfunction normalizeDomain(value: string): string {\n try {\n const withScheme = /^https?:\\/\\//.test(value) ? value : `https://${value}`;\n return new URL(withScheme).hostname.toLowerCase();\n } catch {\n return value.toLowerCase();\n }\n}\n\nfunction describeParty(party: { id?: string; name?: string; website?: string }): string {\n if (party.id) return `id:${party.id}`;\n if (party.website) return party.website;\n if (party.name) return party.name;\n return '(unnamed)';\n}\n","/\n Cross-protocol agent identity binding.\n \n Every commerce layer claims an agent identity differently:\n * - VI L3 kid (SD-JWT header)\n * - AP2 agent_id (mandate payload)\n * - ACP Authorization: Bearer token (merchant-issued pre-shared)\n * - MPP Credential `source` field (DID or chain-native key)\n * - x402 client wallet address\n * - RFC 9421 kid (Agent Pay / TAP / Web Bot Auth)\n \n This module maps any such claim to a single AstraSync agent via a\n * caller-supplied resolver (typically delegates to the counterparty service),\n * then flags whether multiple claims on the same request resolve to different\n * agents (a trust signal for PDLSS).\n \n This is AstraSync whitespace — no vendor owns multi-protocol identity\n * unification.\n /\n\nexport interface IdentityClaim {\n /* Originating protocol label: 'vi' \| 'ap2' \| 'acp' \| 'mpp' \| 'x402' \| 'agentpay' \| 'tap' \| 'webbotauth' /\n protocol: string;\n /* Claim field name, e.g. 'kid', 'agent_id', 'source', 'bearer'. /\n field: string;\n /* Claim value as presented on the wire. /\n value: string;\n}\n\nexport interface IdentityBindingResult {\n claims: IdentityClaim[];\n mappedAstraSyncAgentId?: string;\n /\n True when two or more claims resolve to different AstraSync agents.\n * Surfaced as a trust signal rather than an auto-deny — legitimate flows\n * (e.g. delegate payments) can legitimately carry multiple identities.\n /\n mismatchAcrossLayers: boolean;\n /* Per-claim resolution result for audit / debugging. /\n resolutions: Array<{ claim: IdentityClaim; agentId: string \| null }>;\n}\n\nexport type IdentityResolver = (claim: IdentityClaim) => Promise<string \| null>;\n\nexport async function bindIdentity(\n claims: IdentityClaim[],\n resolver: IdentityResolver\n): Promise<IdentityBindingResult> {\n const resolutions: Array<{ claim: IdentityClaim; agentId: string \| null }> = [];\n for (const claim of claims) {\n if (!claim.value) {\n resolutions.push({ claim, agentId: null });\n continue;\n }\n const agentId = await resolver(claim);\n resolutions.push({ claim, agentId });\n }\n\n const resolvedIds = resolutions\n .map((r) => r.agentId)\n .filter((id): id is string => typeof id === 'string' && id.length > 0);\n\n const unique = Array.from(new Set(resolvedIds));\n const mismatchAcrossLayers = unique.length > 1;\n const mappedAstraSyncAgentId = unique.length === 1 ? unique[0] : undefined;\n\n return {\n claims,\n mappedAstraSyncAgentId,\n mismatchAcrossLayers,\n resolutions,\n };\n}\n\n/\n Helper constructors — keep protocol/field strings consistent across the\n * codebase and make tests readable.\n /\nexport const claim = {\n viKid: (value: string): IdentityClaim => ({ protocol: 'vi', field: 'kid', value }),\n ap2AgentId: (value: string): IdentityClaim => ({ protocol: 'ap2', field: 'agent_id', value }),\n acpBearer: (value: string): IdentityClaim => ({ protocol: 'acp', field: 'bearer', value }),\n mppSource: (value: string): IdentityClaim => ({ protocol: 'mpp', field: 'source', value }),\n x402Wallet: (value: string): IdentityClaim => ({ protocol: 'x402', field: 'wallet', value }),\n agentPayKid: (value: string): IdentityClaim => ({ protocol: 'agentpay', field: 'kid', value }),\n tapKid: (value: string): IdentityClaim => ({ protocol: 'tap', field: 'kid', value }),\n webBotAuthKid: (value: string): IdentityClaim => ({\n protocol: 'webbotauth',\n field: 'kid',\n value,\n }),\n};\n","/\n AP2 (Agent Payments Protocol) mandate extraction.\n \n Google-led, launched 3 April 2026 with 60+ partners (Mastercard, PayPal,\n * Coinbase, AmEx, Revolut, UnionPay, ...). AP2 ships three mandate types as\n * SD-JWTs in series:\n * - intent_mandate — user declares intent (amount, merchant category, etc.)\n * - cart_mandate — user approves a cart (specific items, totals)\n * - payment_mandate — authorizes the actual payment rail\n \n Mandates are cross-referenced via ids; each is an SD-JWT over ES256 (or\n * equivalent). We decode via @sd-jwt/decode and extract the AP2-specific\n * shape — verification lives in ap2-verify.ts.\n /\n\nimport { decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { AP2MandateType } from './purpose-mapping';\n\nexport type { AP2MandateType };\n\nexport interface AP2PaymentDetailsTotal {\n amount?: { value?: string \| number; currency?: string };\n label?: string;\n}\n\nexport interface AP2IntentMandateClaims {\n type: 'intent_mandate';\n agent_id?: string;\n user_id?: string;\n merchant_category?: string;\n allowedMerchantDomains?: string[];\n paymentMethods?: string[];\n expires?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2CartMandateClaims {\n type: 'cart_mandate';\n agent_id?: string;\n intent_mandate_id?: string;\n merchant_id?: string;\n line_items?: Array<{\n id?: string;\n quantity?: number;\n price?: { value?: string \| number; currency?: string };\n }>;\n payment_details_total?: AP2PaymentDetailsTotal;\n expires?: string;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2PaymentMandateClaims {\n type: 'payment_mandate';\n agent_id?: string;\n cart_mandate_id?: string;\n payment_method?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n credential_provider?: string;\n raw: Record<string, unknown>;\n}\n\nexport type AP2MandateClaims =\n \| AP2IntentMandateClaims\n \| AP2CartMandateClaims\n \| AP2PaymentMandateClaims;\n\nexport interface AP2MandateTriple {\n intent?: AP2IntentMandateClaims;\n cart?: AP2CartMandateClaims;\n payment?: AP2PaymentMandateClaims;\n rawLayers: { intentJwt?: string; cartJwt?: string; paymentJwt?: string };\n}\n\n/\n Extract a single AP2 mandate from a compact SD-JWT.\n * Returns null if the SD-JWT is malformed or lacks a recognized type field.\n /\nexport function extractAP2Mandate(sdJwtCompact: string): AP2MandateClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const type = coerceMandateType(claims.type ?? claims.mandate_type ?? claims.mandateType);\n if (!type) return null;\n\n if (type === 'intent_mandate') return buildIntent(claims);\n if (type === 'cart_mandate') return buildCart(claims);\n return buildPayment(claims);\n}\n\nexport interface AP2MandateTripleInput {\n intent?: string;\n cart?: string;\n payment?: string;\n}\n\n/\n Extract an intent / cart / payment triple, returning whichever are present.\n * Does NOT enforce cross-reference consistency — that's ap2-verify.ts's job.\n /\nexport function extractAP2Mandates(input: AP2MandateTripleInput): AP2MandateTriple {\n const intent = input.intent\n ? (extractAP2Mandate(input.intent) as AP2IntentMandateClaims \| null)\n : null;\n const cart = input.cart ? (extractAP2Mandate(input.cart) as AP2CartMandateClaims \| null) : null;\n const payment = input.payment\n ? (extractAP2Mandate(input.payment) as AP2PaymentMandateClaims \| null)\n : null;\n return {\n intent: intent ?? undefined,\n cart: cart ?? undefined,\n payment: payment ?? undefined,\n rawLayers: {\n intentJwt: input.intent,\n cartJwt: input.cart,\n paymentJwt: input.payment,\n },\n };\n}\n\nfunction buildIntent(claims: Record<string, unknown>): AP2IntentMandateClaims {\n return {\n type: 'intent_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n user_id: coerceString(claims.user_id ?? claims.userId ?? claims.sub),\n merchant_category: coerceString(claims.merchant_category ?? claims.merchantCategory),\n allowedMerchantDomains: toStringArray(\n claims.allowed_merchant_domains ?? claims.allowedMerchantDomains\n ),\n paymentMethods: toStringArray(claims.payment_methods ?? claims.paymentMethods),\n expires: coerceString(claims.expires ?? claims.exp),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n raw: claims,\n };\n}\n\nfunction buildCart(claims: Record<string, unknown>): AP2CartMandateClaims {\n return {\n type: 'cart_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n intent_mandate_id: coerceString(claims.intent_mandate_id ?? claims.intentMandateId),\n merchant_id: coerceString(claims.merchant_id ?? claims.merchantId),\n line_items: toLineItems(claims.line_items ?? claims.lineItems),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n expires: coerceString(claims.expires ?? claims.exp),\n raw: claims,\n };\n}\n\nfunction buildPayment(claims: Record<string, unknown>): AP2PaymentMandateClaims {\n return {\n type: 'payment_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n cart_mandate_id: coerceString(claims.cart_mandate_id ?? claims.cartMandateId),\n payment_method: coerceString(claims.payment_method ?? claims.paymentMethod),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n credential_provider: coerceString(claims.credential_provider ?? claims.credentialProvider),\n raw: claims,\n };\n}\n\nfunction toPaymentDetails(v: unknown): AP2PaymentDetailsTotal \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n const amount = r.amount as Record<string, unknown> \| undefined;\n return {\n amount: amount\n ? {\n value: coerceStringOrNumber(amount.value),\n currency: coerceString(amount.currency),\n }\n : undefined,\n label: coerceString(r.label),\n };\n}\n\nfunction toLineItems(v: unknown): AP2CartMandateClaims['line_items'] {\n if (!Array.isArray(v)) return undefined;\n const items: NonNullable<AP2CartMandateClaims['line_items']> = [];\n for (const item of v) {\n if (!item \|\| typeof item !== 'object') continue;\n const r = item as Record<string, unknown>;\n const price = r.price as Record<string, unknown> \| undefined;\n items.push({\n id: coerceString(r.id),\n quantity: coerceNumber(r.quantity),\n price: price\n ? {\n value: coerceStringOrNumber(price.value),\n currency: coerceString(price.currency),\n }\n : undefined,\n });\n }\n return items.length > 0 ? items : undefined;\n}\n\nfunction toStringArray(v: unknown): string[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out = v.filter((i): i is string => typeof i === 'string' && i.length > 0);\n return out.length > 0 ? out : undefined;\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction coerceMandateType(v: unknown): AP2MandateType \| null {\n if (v === 'intent_mandate' \|\| v === 'cart_mandate' \|\| v === 'payment_mandate') return v;\n return null;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction coerceStringOrNumber(v: unknown): string \| number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string' && v.length > 0) return v;\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n AP2 mandate chain verification.\n \n Checks the cross-reference consistency of an intent → cart → payment\n * triple. Does NOT verify cryptographic signatures here (that's a call to\n * @sd-jwt/core which needs the agent's / CP's public key; expose via a\n * verifier callback so pipeline can plug in the right resolver).\n \n Rules (per AP2 spec v0.1-draft):\n * - cart.intent_mandate_id must equal the intent mandate's canonical id (if present)\n * - payment.cart_mandate_id must equal the cart mandate's canonical id (if present)\n * - agent_id must match across all three layers\n * - payment_method in payment mandate must be in intent.paymentMethods (if declared)\n * - cart totals must not exceed intent totals (if both declared in same currency)\n * - no mandate may be expired (beyond clock skew)\n /\n\nimport type { AP2MandateTriple } from './ap2';\n\nexport interface AP2VerifyInput {\n triple: AP2MandateTriple;\n clockSkewSec?: number;\n now?: () => number;\n}\n\nexport interface AP2ChainResult {\n ok: boolean;\n checks: {\n intentPresent: boolean;\n cartRefOk: boolean;\n paymentRefOk: boolean;\n agentIdContinuity: boolean;\n paymentMethodAllowed: boolean;\n totalsConsistent: boolean;\n expiryOk: boolean;\n };\n agentId?: string;\n errors: string[];\n}\n\nexport function verifyAP2Chain(input: AP2VerifyInput): AP2ChainResult {\n const { triple } = input;\n const errors: string[] = [];\n\n const intentPresent = triple.intent !== undefined;\n const cartRefOk = checkCartRef(triple, errors);\n const paymentRefOk = checkPaymentRef(triple, errors);\n const { ok: agentIdContinuity, agentId } = checkAgentContinuity(triple, errors);\n const paymentMethodAllowed = checkPaymentMethod(triple, errors);\n const totalsConsistent = checkTotals(triple, errors);\n const expiryOk = checkExpiries(triple, input.clockSkewSec ?? 300, input.now, errors);\n\n const ok =\n cartRefOk &&\n paymentRefOk &&\n agentIdContinuity &&\n paymentMethodAllowed &&\n totalsConsistent &&\n expiryOk;\n\n return {\n ok,\n checks: {\n intentPresent,\n cartRefOk,\n paymentRefOk,\n agentIdContinuity,\n paymentMethodAllowed,\n totalsConsistent,\n expiryOk,\n },\n agentId,\n errors,\n };\n}\n\nfunction checkCartRef(triple: AP2MandateTriple, errors: string[]): boolean {\n const cart = triple.cart;\n if (!cart) return true;\n if (!cart.intent_mandate_id) return true;\n const intentId = triple.intent?.raw?.id as string \| undefined;\n if (intentId && cart.intent_mandate_id !== intentId) {\n errors.push(\n `cart.intent_mandate_id (${cart.intent_mandate_id}) does not match intent.id (${intentId})`\n );\n return false;\n }\n return true;\n}\n\nfunction checkPaymentRef(triple: AP2MandateTriple, errors: string[]): boolean {\n const payment = triple.payment;\n if (!payment) return true;\n if (!payment.cart_mandate_id) return true;\n const cartId = triple.cart?.raw?.id as string \| undefined;\n if (cartId && payment.cart_mandate_id !== cartId) {\n errors.push(\n `payment.cart_mandate_id (${payment.cart_mandate_id}) does not match cart.id (${cartId})`\n );\n return false;\n }\n return true;\n}\n\nfunction checkAgentContinuity(\n triple: AP2MandateTriple,\n errors: string[]\n): { ok: boolean; agentId?: string } {\n const ids = [triple.intent?.agent_id, triple.cart?.agent_id, triple.payment?.agent_id].filter(\n (id): id is string => typeof id === 'string' && id.length > 0\n );\n if (ids.length === 0) return { ok: true };\n const unique = new Set(ids);\n if (unique.size > 1) {\n errors.push(`agent_id mismatch across mandates: ${Array.from(unique).join(', ')}`);\n return { ok: false, agentId: undefined };\n }\n return { ok: true, agentId: ids[0] };\n}\n\nfunction checkPaymentMethod(triple: AP2MandateTriple, errors: string[]): boolean {\n const paymentMethod = triple.payment?.payment_method;\n const allowed = triple.intent?.paymentMethods;\n if (!paymentMethod \|\| !allowed \|\| allowed.length === 0) return true;\n if (!allowed.includes(paymentMethod)) {\n errors.push(\n `payment_method \"${paymentMethod}\" not in intent.paymentMethods [${allowed.join(', ')}]`\n );\n return false;\n }\n return true;\n}\n\nfunction checkTotals(triple: AP2MandateTriple, errors: string[]): boolean {\n const intentTotal = toNumericAmount(triple.intent?.payment_details_total);\n const cartTotal = toNumericAmount(triple.cart?.payment_details_total);\n const paymentTotal = toNumericAmount(triple.payment?.payment_details_total);\n\n if (intentTotal && cartTotal && intentTotal.currency === cartTotal.currency) {\n if (cartTotal.value > intentTotal.value) {\n errors.push(\n `cart total ${cartTotal.value} ${cartTotal.currency} exceeds intent cap ${intentTotal.value}`\n );\n return false;\n }\n }\n if (cartTotal && paymentTotal && cartTotal.currency === paymentTotal.currency) {\n if (paymentTotal.value > cartTotal.value) {\n errors.push(\n `payment total ${paymentTotal.value} ${paymentTotal.currency} exceeds cart total ${cartTotal.value}`\n );\n return false;\n }\n }\n return true;\n}\n\nfunction checkExpiries(\n triple: AP2MandateTriple,\n toleranceSec: number,\n nowFn: (() => number) \| undefined,\n errors: string[]\n): boolean {\n const now = nowFn ? nowFn() : Math.floor(Date.now() / 1000);\n let ok = true;\n for (const [name, mandate] of [\n ['intent', triple.intent],\n ['cart', triple.cart],\n ] as const) {\n if (!mandate?.expires) continue;\n const parsed = parseExpiry(mandate.expires);\n if (parsed === null) {\n errors.push(`${name}.expires unparseable`);\n ok = false;\n continue;\n }\n if (now > parsed + toleranceSec) {\n errors.push(`${name} mandate expired at ${mandate.expires}`);\n ok = false;\n }\n }\n return ok;\n}\n\nfunction toNumericAmount(\n total: import('./ap2').AP2PaymentDetailsTotal \| undefined\n): { value: number; currency: string } \| null {\n if (!total?.amount?.value \|\| !total.amount.currency) return null;\n const n =\n typeof total.amount.value === 'string' ? Number(total.amount.value) : total.amount.value;\n if (!Number.isFinite(n)) return null;\n return { value: n, currency: total.amount.currency };\n}\n\nfunction parseExpiry(value: string): number \| null {\n const asInt = Number(value);\n if (Number.isFinite(asInt) && asInt > 0) {\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsedDate = Date.parse(value);\n if (Number.isFinite(parsedDate)) return Math.floor(parsedDate / 1000);\n return null;\n}\n","/\n ACP detached-JSON-signature verifier.\n \n ACP (Agentic Commerce Protocol, OpenAI + Stripe) uses detached JSON\n * signatures over request bodies. The public signature algorithm is NOT\n * specified in open docs as of April 2026 (docs.stripe.com/agentic-commerce/\n is Private Preview). We implement Ed25519 and ES256 candidates against\n * whichever public key the caller supplies, and report algorithm-unsupported\n * as a trust signal rather than a hard fail so policy can weight it.\n \n Timestamp freshness (>300s default) IS a hard fail — prevents replay.\n \n Bearer-token → AstraSync agent binding is delegated to caller-supplied\n * resolver (typically the counterparty service).\n /\n\nimport type { JWK } from 'jose';\n\nexport type ACPSignatureAlgorithm = 'ed25519' \| 'es256' \| 'unsupported';\n\nexport interface ACPVerifyInput {\n /* Raw request body over which the signature was computed. /\n rawBody: string;\n /* Value of the Signature header. Expected to be base64 (either standard or url). /\n signatureHeader?: string;\n /* Value of the Timestamp header (unix seconds as string, or ISO 8601). /\n timestampHeader?: string;\n /* Candidate public keys to try. First matching algorithm wins. /\n candidateKeys: Array<{ jwk: JWK; alg?: ACPSignatureAlgorithm \| string }>;\n /* Clock skew tolerance in seconds (default 300). /\n clockSkewSec?: number;\n /* Injectable now for tests. /\n now?: () => number;\n}\n\nexport interface ACPVerifyResult {\n ok: boolean;\n algorithm?: ACPSignatureAlgorithm;\n error?: string;\n /* True when timestamp is outside tolerance. /\n timestampStale?: boolean;\n}\n\nexport async function verifyACPSignature(input: ACPVerifyInput): Promise<ACPVerifyResult> {\n if (!input.signatureHeader) {\n return { ok: false, error: 'missing Signature header' };\n }\n\n const freshness = checkTimestamp(input.timestampHeader, input.clockSkewSec ?? 300, input.now);\n if (!freshness.ok) {\n return { ok: false, error: freshness.error, timestampStale: true };\n }\n\n const signatureBytes = decodeBase64(input.signatureHeader);\n if (!signatureBytes) {\n return { ok: false, error: 'signature header is not valid base64' };\n }\n\n const bodyBytes = new TextEncoder().encode(input.rawBody);\n const { subtle } = await getSubtle();\n\n for (const candidate of input.candidateKeys) {\n const declaredAlg = normalizeAlgorithm(candidate.alg);\n const algsToTry: ACPSignatureAlgorithm[] =\n declaredAlg && declaredAlg !== 'unsupported' ? [declaredAlg] : ['ed25519', 'es256'];\n\n for (const alg of algsToTry) {\n try {\n const verified = await tryVerify(subtle, candidate.jwk, signatureBytes, bodyBytes, alg);\n if (verified) return { ok: true, algorithm: alg };\n } catch {\n // swallow per-candidate errors; try next algorithm/candidate\n }\n }\n }\n\n return {\n ok: false,\n algorithm: 'unsupported',\n error: 'no candidate key verified the signature under Ed25519 or ES256',\n };\n}\n\nasync function tryVerify(\n subtle: SubtleCrypto,\n jwk: JWK,\n signature: Uint8Array,\n body: Uint8Array,\n alg: ACPSignatureAlgorithm\n): Promise<boolean> {\n if (alg === 'ed25519') {\n if (jwk.kty !== 'OKP' \|\| jwk.crv !== 'Ed25519') return false;\n const key = await subtle.importKey('jwk', jwk as JsonWebKey, { name: 'Ed25519' }, false, [\n 'verify',\n ]);\n return await subtle.verify({ name: 'Ed25519' }, key, toBuf(signature), toBuf(body));\n }\n if (alg === 'es256') {\n if (jwk.kty !== 'EC' \|\| jwk.crv !== 'P-256') return false;\n const key = await subtle.importKey(\n 'jwk',\n jwk as JsonWebKey,\n { name: 'ECDSA', namedCurve: 'P-256' },\n false,\n ['verify']\n );\n return await subtle.verify(\n { name: 'ECDSA', hash: 'SHA-256' },\n key,\n toBuf(signature),\n toBuf(body)\n );\n }\n return false;\n}\n\nfunction toBuf(bytes: Uint8Array): ArrayBuffer {\n const out = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(out).set(bytes);\n return out;\n}\n\nfunction checkTimestamp(\n headerValue: string \| undefined,\n toleranceSec: number,\n nowFn?: () => number\n): { ok: true } \| { ok: false; error: string } {\n if (!headerValue) return { ok: false, error: 'missing Timestamp header' };\n const ts = parseTimestamp(headerValue);\n if (ts === null) return { ok: false, error: 'unparseable Timestamp header' };\n const now = nowFn ? nowFn() : Math.floor(Date.now() / 1000);\n if (Math.abs(now - ts) > toleranceSec) {\n return { ok: false, error: `timestamp outside ${toleranceSec}s tolerance` };\n }\n return { ok: true };\n}\n\nfunction parseTimestamp(value: string): number \| null {\n const asInt = Number(value);\n if (Number.isFinite(asInt) && asInt > 0) {\n // Treat >= 1e12 as milliseconds; otherwise seconds.\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsedDate = Date.parse(value);\n if (Number.isFinite(parsedDate)) return Math.floor(parsedDate / 1000);\n return null;\n}\n\nfunction normalizeAlgorithm(alg: string \| undefined): ACPSignatureAlgorithm \| undefined {\n if (!alg) return undefined;\n const lowered = alg.toLowerCase();\n if (lowered === 'ed25519' \|\| lowered === 'eddsa') return 'ed25519';\n if (lowered === 'es256' \|\| lowered.startsWith('ecdsa-p256')) return 'es256';\n return 'unsupported';\n}\n\nfunction decodeBase64(value: string): Uint8Array \| null {\n try {\n // Accept either standard base64 or url-safe; jose and node both accept both via Buffer.\n const normalized = value.replace(/-/g, '+').replace(/_/g, '/');\n const pad = normalized.length % 4 === 0 ? '' : '='.repeat(4 - (normalized.length % 4));\n return new Uint8Array(Buffer.from(normalized + pad, 'base64'));\n } catch {\n return null;\n }\n}\n\nasync function getSubtle(): Promise<{ subtle: SubtleCrypto }> {\n if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.subtle) {\n return { subtle: globalThis.crypto.subtle };\n }\n const nodeCrypto = await import('node:crypto');\n return { subtle: nodeCrypto.webcrypto.subtle as SubtleCrypto };\n}\n","/\n MPP (Machine Payments Protocol) extractor.\n \n Wraps mppx (wevm) — pinned to 0.5.13, wrapped behind this adapter so\n * upgrades localise here. MPP launched March 18 2026 (Stripe + Tempo +\n * Paradigm), IETF draft-ryan-httpauth-payment-01.\n \n Flow:\n * Client → GET /resource\n * Server → 402 + WWW-Authenticate: Payment id=..., realm=..., method=tempo\|stripe\|...\n * Client → GET /resource with Authorization: Payment <base64url-json credential>\n * Server → 200 + Payment-Receipt: <base64url-json receipt>\n \n What we extract:\n * - Challenge: id, realm, method, intent, request{amount,currency,...}, expires, digest\n * - Credential: challenge + source (DID/chain-key) + payload (method-specific)\n * - Receipt: challengeId, method, reference (tx hash / pi_... ID), settlement\n * - Multi-method 402 offers (may be multiple WWW-Authenticate headers)\n \n What we do NOT verify here (pass-through):\n * - HMAC challenge binding (requires merchant's MPP_SECRET_KEY)\n * - Payment proof cryptography (Tempo tx sig, Stripe SPT, Lightning preimage)\n * — each requires upstream connectivity\n \n Verification (expiry + BodyDigest + source extraction) in mpp-verify.ts.\n /\n\nimport { Challenge, Credential, Receipt } from 'mppx';\n\nexport interface MPPChallengeSummary {\n id: string;\n realm: string;\n method: string;\n intent: string;\n /* Method-specific request data (amount, currency, recipient, etc.) /\n request: Record<string, unknown>;\n expires?: string;\n digest?: string;\n description?: string;\n opaque?: Record<string, string>;\n}\n\nexport interface MPPCredentialSummary {\n challenge: MPPChallengeSummary;\n /* DID or chain-native key identifying the payer. /\n source?: string;\n /* Method-specific payment proof (Tempo tx, SPT, Lightning preimage, etc.). /\n payload: unknown;\n}\n\nexport interface MPPReceiptSummary {\n method?: string;\n reference?: string;\n externalId?: string;\n status?: string;\n timestamp?: string;\n raw: Record<string, unknown>;\n}\n\nexport type MPPKind = 'challenge' \| 'credential' \| 'receipt' \| 'error' \| 'unknown';\n\nexport interface MPPRequestContext {\n kind: MPPKind;\n /* For 402 responses: one or more challenge offers. /\n challenges?: MPPChallengeSummary[];\n /* For requests with Authorization: Payment header. /\n credential?: MPPCredentialSummary;\n /* For 200 responses with Payment-Receipt header. /\n receipt?: MPPReceiptSummary;\n /* For problem+json error responses. /\n error?: { type?: string; title?: string; detail?: string };\n /* Detected payment methods offered (for multi-method 402). /\n offeredMethods?: string[];\n /* Raw body captured for BodyDigest verification in mpp-verify.ts. /\n rawBody?: string;\n}\n\nexport interface MPPRequestLike {\n method: string;\n url: string;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\nexport interface MPPResponseLike {\n status: number;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\n/\n Extract MPP context from an agent → merchant request.\n * Looks for `Authorization: Payment <credential>` header.\n /\nexport function extractMPPFromRequest(request: MPPRequestLike): MPPRequestContext \| null {\n const auth = readHeader(request.headers, 'authorization');\n if (!auth \|\| !/^\\sPayment\\s+/i.test(auth)) return null;\n\n try {\n const credential = Credential.deserialize(auth);\n return {\n kind: 'credential',\n credential: {\n challenge: summarizeChallenge(credential.challenge),\n source: credential.source,\n payload: credential.payload,\n },\n rawBody: request.rawBody,\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-credential-encoding' } };\n }\n}\n\n/*\n Extract MPP context from a merchant → agent response.\n * Handles 402 (challenge offers), 200 (receipt), 4xx (problem+json errors).\n /\nexport function extractMPPFromResponse(response: MPPResponseLike): MPPRequestContext \| null {\n if (response.status === 402) {\n const challenges = collectChallenges(response);\n if (challenges.length === 0) return null;\n const methods = Array.from(new Set(challenges.map((c) => c.method)));\n return {\n kind: 'challenge',\n challenges,\n offeredMethods: methods,\n };\n }\n\n const receiptHeader = readHeader(response.headers, 'payment-receipt');\n if (receiptHeader) {\n try {\n const parsed = Receipt.deserialize(receiptHeader);\n const r = parsed as unknown as Record<string, unknown>;\n return {\n kind: 'receipt',\n receipt: {\n method: coerceString(r.method),\n reference: coerceString(r.reference),\n externalId: coerceString(r.externalId ?? r.external_id),\n status: coerceString(r.status),\n timestamp: coerceString(r.timestamp),\n raw: r,\n },\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-receipt-encoding' } };\n }\n }\n\n const contentType = readHeader(response.headers, 'content-type');\n if (contentType && /application\\/problem\\+json/i.test(contentType)) {\n const body =\n typeof response.body === 'object' && response.body !== null\n ? (response.body as Record<string, unknown>)\n : {};\n return {\n kind: 'error',\n error: {\n type: coerceString(body.type),\n title: coerceString(body.title),\n detail: coerceString(body.detail),\n },\n };\n }\n\n return null;\n}\n\n/\n Extract from either a request OR a response, auto-detecting which has MPP\n * artifacts. Convenience for pipeline callers.\n /\nexport function extractMPPContext(\n message:\n \| { request: MPPRequestLike }\n \| { response: MPPResponseLike }\n \| (MPPRequestLike & Partial<MPPResponseLike>)\n): MPPRequestContext \| null {\n if ('request' in message) return extractMPPFromRequest(message.request);\n if ('response' in message) return extractMPPFromResponse(message.response);\n if (typeof (message as MPPResponseLike).status === 'number') {\n return extractMPPFromResponse(message as MPPResponseLike);\n }\n return extractMPPFromRequest(message as MPPRequestLike);\n}\n\nfunction collectChallenges(response: MPPResponseLike): MPPChallengeSummary[] {\n const wwwAuth = readHeader(response.headers, 'www-authenticate');\n if (!wwwAuth) return [];\n const headers = new Headers();\n headers.set('www-authenticate', wwwAuth);\n\n const out: MPPChallengeSummary[] = [];\n try {\n const list = Challenge.fromHeadersList(headers);\n for (const ch of list) {\n out.push(summarizeChallenge(ch as unknown as Challenge.Challenge));\n }\n } catch {\n // fall through with empty list\n }\n return out;\n}\n\nfunction summarizeChallenge(\n ch: Challenge.Challenge \| Record<string, unknown>\n): MPPChallengeSummary {\n const raw = ch as Record<string, unknown>;\n return {\n id: coerceString(raw.id) ?? '',\n realm: coerceString(raw.realm) ?? '',\n method: coerceString(raw.method) ?? '',\n intent: coerceString(raw.intent) ?? '',\n request: (raw.request as Record<string, unknown>) ?? {},\n expires: coerceString(raw.expires),\n digest: coerceString(raw.digest),\n description: coerceString(raw.description),\n opaque: raw.opaque as Record<string, string> \| undefined,\n };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| undefined {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n }\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n MPP verification — expiry + optional BodyDigest + source extraction.\n \n We do NOT verify the challenge's HMAC binding (needs merchant's secret)\n * or the cryptographic payment proof (per-method, requires upstream\n * connectivity). Those are the merchant's / settlement layer's job.\n \n Our job: structural correctness, expiry policy, tamper detection via\n * optional BodyDigest, and identity extraction for PDLSS binding.\n /\n\nimport { BodyDigest } from 'mppx';\nimport type { MPPRequestContext } from './mpp';\n\nexport interface MPPVerifyInput {\n context: MPPRequestContext;\n /* Raw request body to validate BodyDigest against, if the challenge declares one. /\n rawBody?: string;\n /* Seconds of clock-skew tolerance on challenge.expires. Default 300. /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport interface MPPVerifyResult {\n ok: boolean;\n expiryOk: boolean;\n bodyDigestOk: boolean \| null;\n source?: string;\n method?: string;\n error?: string;\n}\n\nexport function verifyMPP(input: MPPVerifyInput): MPPVerifyResult {\n const { context } = input;\n const tolerance = input.clockSkewSec ?? 300;\n const nowSec = input.now ? input.now() : Math.floor(Date.now() / 1000);\n\n // Extract the challenge under test — for credential flow, from inside the\n // wrapped challenge; for bare challenge flow, from context.challenges[0].\n const challenge = context.credential?.challenge ?? (context.challenges && context.challenges[0]);\n const source = context.credential?.source;\n const method = challenge?.method;\n\n let expiryOk = true;\n if (challenge?.expires) {\n const parsedExpiry = Date.parse(challenge.expires);\n if (!Number.isFinite(parsedExpiry)) {\n return {\n ok: false,\n expiryOk: false,\n bodyDigestOk: null,\n source,\n method,\n error: 'unparseable challenge.expires',\n };\n }\n const expiresSec = Math.floor(parsedExpiry / 1000);\n if (nowSec > expiresSec + tolerance) {\n expiryOk = false;\n }\n }\n\n let bodyDigestOk: boolean \| null = null;\n if (challenge?.digest && input.rawBody !== undefined) {\n try {\n if (!/^sha-256=/.test(challenge.digest)) {\n bodyDigestOk = false;\n } else {\n bodyDigestOk = BodyDigest.verify(challenge.digest as `sha-256=${string}`, input.rawBody);\n }\n } catch {\n bodyDigestOk = false;\n }\n }\n\n const ok = expiryOk && (bodyDigestOk === null \|\| bodyDigestOk === true);\n const errors: string[] = [];\n if (!expiryOk) errors.push('challenge expired');\n if (bodyDigestOk === false) errors.push('body digest mismatch');\n\n return {\n ok,\n expiryOk,\n bodyDigestOk,\n source,\n method,\n error: errors.length > 0 ? errors.join('; ') : undefined,\n };\n}\n","/\n x402 (Coinbase / Linux Foundation x402 Foundation) extractor.\n \n Wraps @x402/core's schema parsers. x402 Foundation launched April 2 2026\n * with v2 adding network-agnostic identifiers + multiple facilitators +\n * Bazaar discovery. MPP (Machine Payments Protocol) is the IETF-formalised\n * superset of x402; this module normalizes x402 output to MPP-shape so\n * downstream pipeline code is uniform.\n \n Where x402 lives on the wire:\n * - 402 response body (v2) OR `X-PAYMENT-REQUIRED` header (v1) — PaymentRequired\n * - Request body (v2) OR `X-PAYMENT` header (v1, base64) — PaymentPayload\n /\n\nimport {\n validatePaymentRequired,\n validatePaymentPayload,\n type PaymentRequired,\n type PaymentPayload,\n type PaymentRequirements,\n} from '@x402/core/schemas';\nimport { safeBase64Decode } from '@x402/core/utils';\n\nexport type X402Kind = 'required' \| 'payload' \| 'error' \| 'unknown';\n\nexport interface X402RequirementsSummary {\n scheme: string;\n network: string;\n asset: string;\n /* Normalized to string for v1/v2 compat — v1 uses maxAmountRequired, v2 uses amount. /\n amount: string;\n payTo: string;\n maxTimeoutSeconds?: number;\n resource?: string;\n description?: string;\n}\n\nexport interface X402RequestContext {\n kind: X402Kind;\n version: 1 \| 2 \| null;\n /* For 402 responses: the PaymentRequired body. /\n paymentRequired?: {\n resource: string;\n accepts: X402RequirementsSummary[];\n extensions?: Record<string, unknown>;\n error?: string;\n };\n /* For request body (v2) or X-PAYMENT header (v1 base64): the PaymentPayload. /\n paymentPayload?: {\n scheme: string;\n network: string;\n /* Free-form per-scheme payload (e.g. EIP-3009 authorization, Solana tx). /\n payload: Record<string, unknown>;\n extensions?: Record<string, unknown>;\n };\n error?: { type: string; detail?: string };\n /* Whether this was parsed from a header (v1 back-compat) or body (v2). /\n source: 'header' \| 'body' \| null;\n}\n\nexport interface X402RequestLike {\n method?: string;\n url?: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport interface X402ResponseLike {\n status?: number;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\n/\n Extract x402 PaymentPayload from an agent → merchant request.\n * Checks v2 body (if it parses as PaymentPayload) and v1 X-PAYMENT header.\n /\nexport function extractX402FromRequest(request: X402RequestLike): X402RequestContext \| null {\n const headerValue = readHeader(request.headers, 'x-payment');\n\n // v2 body path first\n if (request.body && typeof request.body === 'object') {\n const parsed = tryParsePayload(request.body);\n if (parsed) return buildPayloadContext(parsed, 'body');\n }\n\n // v1 header path\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParsePayload(json);\n if (parsed) return buildPayloadContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-payload' },\n };\n }\n }\n\n return null;\n}\n\n/\n Extract x402 PaymentRequired from a merchant → agent 402 response.\n /\nexport function extractX402FromResponse(response: X402ResponseLike): X402RequestContext \| null {\n if (response.status !== 402) return null;\n\n // v2 body path\n if (response.body && typeof response.body === 'object') {\n const parsed = tryParseRequired(response.body);\n if (parsed) return buildRequiredContext(parsed, 'body');\n }\n\n // v1 header path\n const headerValue = readHeader(response.headers, 'x-payment-required');\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParseRequired(json);\n if (parsed) return buildRequiredContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-required' },\n };\n }\n }\n\n return null;\n}\n\nexport function extractX402Context(\n message:\n \| { request: X402RequestLike }\n \| { response: X402ResponseLike }\n \| (X402RequestLike & Partial<X402ResponseLike>)\n): X402RequestContext \| null {\n if ('request' in message) return extractX402FromRequest(message.request);\n if ('response' in message) return extractX402FromResponse(message.response);\n if (typeof (message as X402ResponseLike).status === 'number') {\n return extractX402FromResponse(message as X402ResponseLike);\n }\n return extractX402FromRequest(message as X402RequestLike);\n}\n\nfunction tryParseRequired(data: unknown): PaymentRequired \| null {\n try {\n return validatePaymentRequired(data);\n } catch {\n return null;\n }\n}\n\nfunction tryParsePayload(data: unknown): PaymentPayload \| null {\n try {\n return validatePaymentPayload(data);\n } catch {\n return null;\n }\n}\n\nfunction buildRequiredContext(\n parsed: PaymentRequired,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepts = (asRecord.accepts as PaymentRequirements[] \| undefined) ?? [];\n return {\n kind: 'required',\n version,\n source,\n paymentRequired: {\n resource: resolveResource(asRecord.resource),\n accepts: accepts.map(summarizeRequirement),\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n error: typeof asRecord.error === 'string' ? asRecord.error : undefined,\n },\n };\n}\n\nfunction buildPayloadContext(\n parsed: PaymentPayload,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepted = asRecord.accepted as PaymentRequirements \| undefined;\n const payload = (asRecord.payload as Record<string, unknown>) ?? {};\n return {\n kind: 'payload',\n version,\n source,\n paymentPayload: {\n scheme: accepted?.scheme ?? (typeof asRecord.scheme === 'string' ? asRecord.scheme : ''),\n network: accepted?.network ?? (typeof asRecord.network === 'string' ? asRecord.network : ''),\n payload,\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n },\n };\n}\n\nfunction summarizeRequirement(req: PaymentRequirements): X402RequirementsSummary {\n const r = req as unknown as Record<string, unknown>;\n const amount = (r.amount ?? r.maxAmountRequired ?? '0') as string;\n return {\n scheme: (r.scheme as string) ?? '',\n network: (r.network as string) ?? '',\n asset: (r.asset as string) ?? '',\n amount: String(amount),\n payTo: (r.payTo as string) ?? '',\n maxTimeoutSeconds: typeof r.maxTimeoutSeconds === 'number' ? r.maxTimeoutSeconds : undefined,\n resource: typeof r.resource === 'string' ? r.resource : undefined,\n description: typeof r.description === 'string' ? r.description : undefined,\n };\n}\n\nfunction resolveResource(v: unknown): string {\n if (typeof v === 'string') return v;\n if (v && typeof v === 'object' && 'url' in v && typeof (v as { url: unknown }).url === 'string') {\n return (v as { url: string }).url;\n }\n return '';\n}\n\nfunction coerceVersion(v: unknown): 1 \| 2 \| null {\n if (v === 1 \|\| v === 2) return v;\n return null;\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined> \| undefined,\n name: string\n): string \| undefined {\n if (!headers) return undefined;\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw[0];\n }\n }\n return undefined;\n}\n","/\n VI (Verifiable Intent) 3-layer SD-JWT chain verification.\n \n VI chains: L1 (credential provider → wallet) → L2 (user → agent) → L3\n * (agent → merchant). L3 itself can split into L3a (payment mandate) + L3b\n * (checkout mandate) cross-referenced via transaction_id, with L3b carrying\n * a checkout_hash (VI constraint type 8) that must match SHA-256 of the L2\n * checkout disclosure.\n \n Signature primitives are delegated to @sd-jwt/core (via our extractor);\n * cnf.jwk chain-walking + cross-references + checkout_hash binding is\n * AstraSync-specific composition logic — that's the whitespace here.\n \n This module does NOT re-verify selective-disclosure hashes (the extractor\n * already applied them via @sd-jwt/decode). It DOES verify:\n * - cnf.jwk in L1 payload points to L2's signing key (thumbprint match)\n * - cnf.jwk in L2 payload points to L3's signing key\n * - L3a.transaction_id === L3b.transaction_id (when both present)\n * - L3b.checkout_hash === SHA-256(L2 canonical checkout disclosure) — type 8\n * - mandate-level `exp` is not in the past (beyond clock skew)\n \n Cryptographic signature verification on each layer uses the verifier\n * callback the caller supplies (e.g. resolves via @sd-jwt/core with the\n * right JWK from the L1 issuer's JWKS).\n /\n\nimport { createHash, webcrypto } from 'node:crypto';\nimport type { JWK } from 'jose';\n\nexport interface VILayer {\n /* Compact SD-JWT / JWS for this layer. /\n compact: string;\n /* Decoded JWT payload (already disclosure-merged). /\n payload: Record<string, unknown>;\n /* Decoded JWT header. /\n header: Record<string, unknown>;\n}\n\nexport interface VIVerifyInput {\n /\n Layers in chain order. L1 may be omitted when the caller has already\n * resolved the chain via a trusted wallet binding.\n /\n layers: {\n l1?: VILayer;\n l2: VILayer;\n l3a?: VILayer;\n l3b?: VILayer;\n };\n /\n Verifier callback invoked per layer. Should return true iff the layer's\n * JWS signature verifies against the resolved public key (for L2 this is\n * L1's cnf.jwk; for L3 this is L2's cnf.jwk; for L1 this is the issuer's\n * JWKS per `iss` claim).\n /\n verifySignature: (layer: VILayer, expectedKey: JWK \| null) => Promise<boolean>;\n clockSkewSec?: number;\n now?: () => number;\n}\n\nexport interface VIVerifyResult {\n ok: boolean;\n checks: {\n l1SigOk: boolean \| null;\n l2SigOk: boolean;\n l3aSigOk: boolean \| null;\n l3bSigOk: boolean \| null;\n l1BindsL2: boolean;\n l2BindsL3: boolean;\n l3aL3bTxnIdMatch: boolean \| null;\n checkoutHashOk: boolean \| null;\n expiryOk: boolean;\n };\n errors: string[];\n}\n\nexport async function verifyVIChain(input: VIVerifyInput): Promise<VIVerifyResult> {\n const errors: string[] = [];\n const tolerance = input.clockSkewSec ?? 300;\n const now = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const { l1, l2, l3a, l3b } = input.layers;\n\n // Signature verification ---------------------------------\n const l1SigOk = l1 ? await input.verifySignature(l1, null) : null;\n if (l1 && !l1SigOk) errors.push('L1 signature invalid');\n\n const l1Cnf = extractCnfJwk(l1?.payload);\n const l2SigOk = await input.verifySignature(l2, l1Cnf ?? null);\n if (!l2SigOk) errors.push('L2 signature invalid');\n\n const l2Cnf = extractCnfJwk(l2.payload);\n const l3aSigOk = l3a ? await input.verifySignature(l3a, l2Cnf ?? null) : null;\n if (l3a && !l3aSigOk) errors.push('L3a signature invalid');\n const l3bSigOk = l3b ? await input.verifySignature(l3b, l2Cnf ?? null) : null;\n if (l3b && !l3bSigOk) errors.push('L3b signature invalid');\n\n // cnf.jwk binding ----------------------------------------\n let l1BindsL2 = true;\n if (l1Cnf) {\n const l2KeyFromHeader = await jwkForLayer(l2);\n l1BindsL2 = l2KeyFromHeader ? await thumbprintsMatch(l1Cnf, l2KeyFromHeader) : false;\n if (!l1BindsL2) errors.push('L1.cnf.jwk does not bind L2 signing key');\n }\n\n let l2BindsL3 = true;\n if (l2Cnf && (l3a \|\| l3b)) {\n const l3Layer = l3a ?? l3b!;\n const l3KeyFromHeader = await jwkForLayer(l3Layer);\n l2BindsL3 = l3KeyFromHeader ? await thumbprintsMatch(l2Cnf, l3KeyFromHeader) : false;\n if (!l2BindsL3) errors.push('L2.cnf.jwk does not bind L3 signing key');\n }\n\n // L3a/L3b cross-reference --------------------------------\n let l3aL3bTxnIdMatch: boolean \| null = null;\n if (l3a && l3b) {\n const a = coerceString(l3a.payload.transaction_id ?? l3a.payload.transactionId);\n const b = coerceString(l3b.payload.transaction_id ?? l3b.payload.transactionId);\n if (a && b) {\n l3aL3bTxnIdMatch = a === b;\n if (!l3aL3bTxnIdMatch) {\n errors.push(`L3a.transaction_id (${a}) does not match L3b.transaction_id (${b})`);\n }\n }\n }\n\n // checkout_hash (VI constraint type 8) -------------------\n let checkoutHashOk: boolean \| null = null;\n if (l3b) {\n const declaredHash = coerceString(\n l3b.payload.checkout_hash ??\n l3b.payload.conditional_transaction_id ??\n (l3b.payload.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n if (declaredHash) {\n const computed = computeCheckoutHashFromL2(l2);\n checkoutHashOk = computed ? declaredHash === computed : false;\n if (!checkoutHashOk) {\n errors.push('L3b.checkout_hash does not match SHA-256 of L2 checkout disclosure');\n }\n }\n }\n\n // Expiry policy ------------------------------------------\n const expiryOk = checkExpiryAcross([l1, l2, l3a, l3b], tolerance, now, errors);\n\n const ok =\n l1SigOk !== false &&\n l2SigOk &&\n l3aSigOk !== false &&\n l3bSigOk !== false &&\n l1BindsL2 &&\n l2BindsL3 &&\n l3aL3bTxnIdMatch !== false &&\n checkoutHashOk !== false &&\n expiryOk;\n\n return {\n ok,\n checks: {\n l1SigOk,\n l2SigOk,\n l3aSigOk,\n l3bSigOk,\n l1BindsL2,\n l2BindsL3,\n l3aL3bTxnIdMatch,\n checkoutHashOk,\n expiryOk,\n },\n errors,\n };\n}\n\nfunction extractCnfJwk(payload: Record<string, unknown> \| undefined): JWK \| null {\n if (!payload) return null;\n const cnf = payload.cnf as Record<string, unknown> \| undefined;\n if (!cnf) return null;\n const jwk = cnf.jwk as JWK \| undefined;\n return jwk ?? null;\n}\n\nasync function jwkForLayer(layer: VILayer): Promise<JWK \| null> {\n // Prefer explicit cnf.jwk in the header, then payload; fallback to null.\n const fromHeader = extractCnfJwk(layer.header);\n if (fromHeader) return fromHeader;\n const fromPayload = extractCnfJwk(layer.payload);\n return fromPayload;\n}\n\nasync function thumbprintsMatch(a: JWK, b: JWK): Promise<boolean> {\n try {\n const ta = await jwkThumbprint(a);\n const tb = await jwkThumbprint(b);\n return ta === tb;\n } catch {\n return false;\n }\n}\n\n// RFC 7638 thumbprint: SHA-256 over the canonical JSON of required JWK members.\nasync function jwkThumbprint(jwk: JWK): Promise<string> {\n const canonical = canonicalJwk(jwk);\n const bytes = new TextEncoder().encode(JSON.stringify(canonical));\n const subtle = webcrypto.subtle as SubtleCrypto;\n const buffer = await new Promise<ArrayBuffer>((resolve, reject) => {\n const source = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(source).set(bytes);\n subtle.digest('SHA-256', source).then(resolve).catch(reject);\n });\n return Buffer.from(new Uint8Array(buffer)).toString('base64url').replace(/=+$/, '');\n}\n\nfunction canonicalJwk(jwk: JWK): Record<string, string> {\n // Per RFC 7638: members must appear in lexicographic order; only required\n // fields per kty are included.\n if (jwk.kty === 'EC') {\n return { crv: jwk.crv ?? '', kty: 'EC', x: jwk.x ?? '', y: jwk.y ?? '' };\n }\n if (jwk.kty === 'OKP') {\n return { crv: jwk.crv ?? '', kty: 'OKP', x: jwk.x ?? '' };\n }\n if (jwk.kty === 'RSA') {\n return { e: jwk.e ?? '', kty: 'RSA', n: jwk.n ?? '' };\n }\n return { kty: jwk.kty ?? '' };\n}\n\nfunction computeCheckoutHashFromL2(l2: VILayer): string \| null {\n const checkoutDisclosure = (l2.payload.checkout ?? l2.payload.checkout_mandate) as unknown;\n if (!checkoutDisclosure) return null;\n const canonical = canonicalStringify(checkoutDisclosure);\n const hash = createHash('sha256').update(canonical).digest('base64url').replace(/=+$/, '');\n return hash;\n}\n\nfunction canonicalStringify(value: unknown): string {\n if (value === null \|\| typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) return '[' + value.map(canonicalStringify).join(',') + ']';\n const entries = Object.entries(value as Record<string, unknown>).sort(([a], [b]) =>\n a < b ? -1 : a > b ? 1 : 0\n );\n return (\n '{' + entries.map(([k, v]) => JSON.stringify(k) + ':' + canonicalStringify(v)).join(',') + '}'\n );\n}\n\nfunction checkExpiryAcross(\n layers: Array<VILayer \| undefined>,\n toleranceSec: number,\n nowSec: number,\n errors: string[]\n): boolean {\n let ok = true;\n const names = ['L1', 'L2', 'L3a', 'L3b'];\n layers.forEach((layer, idx) => {\n if (!layer) return;\n const exp = toUnixSeconds(layer.payload.exp ?? layer.payload.expires);\n if (exp === undefined) return;\n if (nowSec > exp + toleranceSec) {\n errors.push(`${names[idx]} mandate expired at ${exp}`);\n ok = false;\n }\n });\n return ok;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const asInt = Number(v);\n if (Number.isFinite(asInt) && asInt > 0) {\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n Commerce pipeline orchestrator.\n \n Ties together extractors + verifiers + identity binding + constraint\n * evaluation + trust signals into a single CommerceContext result.\n \n This is AstraSync whitespace: the orchestration over the library-backed\n * primitives. PR 3's Commerce Shield Lambda will call this per request;\n * the admin playground page will call it ad-hoc.\n \n Policy:\n * - Hard-deny (ok=false) on bad signatures, expired mandates, constraint\n * failures, identity cannot be bound.\n * - Trust signal (ok remains policy-driven) on ACP algorithm unsupported,\n * Stripe webhook HMAC fail, payment-token type unknown, cross-layer\n * identity mismatch.\n /\n\nimport type { ACPRequestContext } from './acp';\nimport { verifyACPSignature, type ACPVerifyResult } from './acp-verify';\nimport type { AP2MandateTriple } from './ap2';\nimport { verifyAP2Chain, type AP2ChainResult } from './ap2-verify';\nimport {\n evaluateVIConstraints,\n evaluatePaymentMethodAllowlist,\n evaluateSpendingLimit,\n type ConstraintEvalResult,\n type TransactionContext,\n} from './constraint-eval';\nimport { bindIdentity, type IdentityClaim, type IdentityResolver } from './identity-binding';\nimport { verifyMPP, type MPPVerifyResult } from './mpp-verify';\nimport type { MPPRequestContext } from './mpp';\nimport {\n mapACPRequestToPurpose,\n mapMPPRequestToPurpose,\n mapRFC9421TagToPurpose,\n mapUCPRequestToPurpose,\n mapVIMandateToPurpose,\n mapX402RequestToPurpose,\n type CommercePurpose,\n} from './purpose-mapping';\nimport {\n verifyRFC9421,\n type RFC9421VerifyResult,\n type RFC9421VerifyRequest,\n} from './rfc9421-verify';\nimport { verifyStripeWebhook, type VerifyStripeWebhookResult } from './stripe-webhook';\nimport {\n extractACPTransactionValue,\n extractMPPTransactionValue,\n extractUCPTransactionValue,\n extractVITransactionValue,\n extractX402TransactionValue,\n type TransactionValueContext,\n} from './transaction-value';\nimport type { UCPCheckoutContext } from './ucp';\nimport { verifyVIChain, type VIVerifyInput, type VIVerifyResult } from './vi-verify';\nimport type { VIExtractedClaims } from './vi';\nimport type { X402RequestContext } from './x402';\n\nexport type CommerceProtocol = 'vi' \| 'ap2' \| 'ucp' \| 'acp' \| 'agentpay' \| 'tap' \| 'mpp' \| 'x402';\n\nexport interface CommercePipelineInput {\n protocol: CommerceProtocol;\n vi?: { claims: VIExtractedClaims; verifyInput?: VIVerifyInput };\n ap2?: { triple: AP2MandateTriple };\n ucp?: UCPCheckoutContext;\n acp?: {\n context: ACPRequestContext;\n verifyInput?: Parameters<typeof verifyACPSignature>[0];\n };\n rfc9421?: {\n request: RFC9421VerifyRequest;\n tag?: 'browse' \| 'purchase' \| string;\n verifyOptions: Parameters<typeof verifyRFC9421>[1];\n };\n mpp?: { context: MPPRequestContext; rawBody?: string };\n x402?: X402RequestContext;\n stripeWebhook?: { payload: string; signatureHeader: string; secret: string };\n transaction?: TransactionContext;\n registeredConstraints?: {\n allowedPaymentMethods?: string[];\n spendingLimit?: { amount?: number; currency?: string };\n };\n identityResolver?: IdentityResolver;\n clockSkewSec?: number;\n now?: () => number;\n}\n\nexport interface CommerceSignatureStack {\n vi?: VIVerifyResult;\n ap2?: AP2ChainResult;\n acp?: ACPVerifyResult;\n rfc9421?: RFC9421VerifyResult;\n mpp?: MPPVerifyResult;\n stripeWebhook?: VerifyStripeWebhookResult;\n}\n\nexport interface CommerceContext {\n protocol: CommerceProtocol;\n purpose: CommercePurpose \| null;\n transactionValue?: TransactionValueContext;\n signatures: CommerceSignatureStack;\n identity?: {\n claims: IdentityClaim[];\n mappedAstraSyncAgentId?: string;\n mismatchAcrossLayers: boolean;\n };\n paymentToken?: {\n present: boolean;\n type: 'stripe-spt' \| 'acp-vt' \| 'tempo-tx' \| 'other' \| null;\n };\n mppMethodsOffered?: string[];\n constraints?: ConstraintEvalResult;\n receipt?: {\n method?: string;\n reference?: string;\n status?: string;\n timestamp?: string;\n };\n trustSignals: string[];\n timings: { extractMs: number; verifyMs: number; evalMs: number };\n /* False when any hard-deny rule fires. /\n ok: boolean;\n}\n\nexport async function runCommercePipeline(input: CommercePipelineInput): Promise<CommerceContext> {\n const trustSignals: string[] = [];\n const signatures: CommerceSignatureStack = {};\n const timings = { extractMs: 0, verifyMs: 0, evalMs: 0 };\n\n const extractStart = performance.now();\n const purpose = resolvePurpose(input);\n const transactionValue = resolveTransactionValue(input);\n const identityClaims = collectIdentityClaims(input);\n const paymentToken = resolvePaymentToken(input);\n timings.extractMs = Math.round(performance.now() - extractStart);\n\n const verifyStart = performance.now();\n let hardDeny = false;\n\n if (input.vi?.verifyInput) {\n signatures.vi = await verifyVIChain(input.vi.verifyInput);\n if (!signatures.vi.ok) hardDeny = true;\n }\n\n if (input.ap2) {\n signatures.ap2 = verifyAP2Chain({\n triple: input.ap2.triple,\n clockSkewSec: input.clockSkewSec,\n now: input.now,\n });\n if (!signatures.ap2.ok) hardDeny = true;\n }\n\n if (input.acp?.verifyInput) {\n signatures.acp = await verifyACPSignature(input.acp.verifyInput);\n if (!signatures.acp.ok && signatures.acp.timestampStale) hardDeny = true;\n if (signatures.acp.algorithm === 'unsupported') {\n trustSignals.push('acp-signature-algorithm-unsupported');\n } else if (!signatures.acp.ok) {\n hardDeny = true;\n }\n }\n\n if (input.rfc9421) {\n signatures.rfc9421 = await verifyRFC9421(input.rfc9421.request, input.rfc9421.verifyOptions);\n if (!signatures.rfc9421.ok) hardDeny = true;\n }\n\n if (input.mpp) {\n signatures.mpp = verifyMPP({\n context: input.mpp.context,\n rawBody: input.mpp.rawBody,\n clockSkewSec: input.clockSkewSec,\n now: input.now,\n });\n if (!signatures.mpp.ok) hardDeny = true;\n if (input.mpp.context.credential?.source) {\n trustSignals.push(`mpp-source-${shortSource(input.mpp.context.credential.source)}`);\n }\n }\n\n if (input.stripeWebhook) {\n signatures.stripeWebhook = verifyStripeWebhook(\n input.stripeWebhook.payload,\n input.stripeWebhook.signatureHeader,\n input.stripeWebhook.secret,\n { now: input.now ? () => input.now!() : undefined }\n );\n if (!signatures.stripeWebhook.ok) {\n trustSignals.push('stripe-webhook-hmac-failed');\n }\n }\n timings.verifyMs = Math.round(performance.now() - verifyStart);\n\n let identity: CommerceContext['identity'];\n if (input.identityResolver && identityClaims.length > 0) {\n const bound = await bindIdentity(identityClaims, input.identityResolver);\n identity = {\n claims: identityClaims,\n mappedAstraSyncAgentId: bound.mappedAstraSyncAgentId,\n mismatchAcrossLayers: bound.mismatchAcrossLayers,\n };\n if (bound.mismatchAcrossLayers) trustSignals.push('identity-mismatch-across-layers');\n } else if (identityClaims.length > 0) {\n identity = {\n claims: identityClaims,\n mappedAstraSyncAgentId: undefined,\n mismatchAcrossLayers: false,\n };\n }\n\n const evalStart = performance.now();\n const constraints = runConstraintEval(input);\n if (constraints && !constraints.ok) hardDeny = true;\n timings.evalMs = Math.round(performance.now() - evalStart);\n\n if (paymentToken?.type === 'stripe-spt') trustSignals.push('stripe-spt-present');\n if (paymentToken?.type === 'acp-vt') trustSignals.push('acp-vault-token-present');\n if (paymentToken?.type === 'tempo-tx') trustSignals.push('tempo-transaction-present');\n\n const mppReceipt = input.mpp?.context.receipt;\n\n return {\n protocol: input.protocol,\n purpose,\n transactionValue,\n signatures,\n identity,\n paymentToken,\n mppMethodsOffered: input.mpp?.context.offeredMethods,\n constraints,\n receipt: mppReceipt\n ? {\n method: mppReceipt.method,\n reference: mppReceipt.reference,\n status: mppReceipt.status,\n timestamp: mppReceipt.timestamp,\n }\n : undefined,\n trustSignals,\n timings,\n ok: !hardDeny,\n };\n}\n\nfunction resolvePurpose(input: CommercePipelineInput): CommercePurpose \| null {\n if (input.vi?.claims.mandateType) {\n return mapVIMandateToPurpose(input.vi.claims.mandateType);\n }\n if (input.ap2?.triple.payment) return 'commerce.payment.execute';\n if (input.ap2?.triple.cart) return 'commerce.checkout.confirm';\n if (input.ap2?.triple.intent) return 'commerce.delegation.intent';\n if (input.ucp?.endpoint) {\n const [method, path] = input.ucp.endpoint.split(' ');\n return mapUCPRequestToPurpose(method ?? 'POST', path ?? '/');\n }\n if (input.acp?.context.endpoint) {\n // Extractor classifies as 'checkout_sessions.create\|update\|complete\|cancel'\n // or 'delegate_payment'. Route each to the correct purpose.\n switch (input.acp.context.endpoint) {\n case 'checkout_sessions.create':\n return 'commerce.checkout.create';\n case 'checkout_sessions.update':\n return 'commerce.checkout.update';\n case 'checkout_sessions.complete':\n return 'commerce.payment.execute';\n case 'checkout_sessions.cancel':\n return 'commerce.checkout.cancel';\n case 'delegate_payment':\n return 'commerce.delegation.payment';\n default:\n return mapACPRequestToPurpose('POST', '/checkout_sessions');\n }\n }\n if (input.rfc9421?.tag) {\n return mapRFC9421TagToPurpose(\n input.rfc9421.tag === 'browse' \|\| input.rfc9421.tag === 'purchase'\n ? (input.rfc9421.tag as 'browse' \| 'purchase')\n : undefined\n );\n }\n if (input.mpp?.context.credential?.challenge \|\| input.mpp?.context.challenges?.[0]) {\n const challenge = input.mpp.context.credential?.challenge ?? input.mpp.context.challenges?.[0];\n const amount = parseFloat(String(challenge?.request?.amount ?? 'NaN'));\n return mapMPPRequestToPurpose(\n challenge?.intent === 'session' ? 'session' : 'charge',\n Number.isFinite(amount) ? amount : undefined\n );\n }\n if (input.x402?.paymentRequired) {\n const amt = input.x402.paymentRequired.accepts[0]?.amount;\n return mapX402RequestToPurpose(Number(amt));\n }\n if (input.x402?.paymentPayload) return 'commerce.payment.execute';\n return null;\n}\n\nfunction resolveTransactionValue(\n input: CommercePipelineInput\n): TransactionValueContext \| undefined {\n if (input.vi?.claims) {\n const v = extractVITransactionValue({\n constraints: input.vi.claims.constraints,\n l3aPaymentAmount: (input.vi.claims.constraints.paymentAmount &&\n typeof input.vi.claims.constraints.paymentAmount.max === 'number'\n ? {\n amount: input.vi.claims.constraints.paymentAmount.max,\n currency: input.vi.claims.constraints.paymentAmount.currency,\n }\n : undefined) as { amount?: number; currency?: string } \| undefined,\n });\n if (v) return v;\n }\n if (input.ucp?.totals) {\n const v = extractUCPTransactionValue({ totals: input.ucp.totals });\n if (v) return v;\n }\n if (input.acp?.context.totals) {\n const v = extractACPTransactionValue({ totals: input.acp.context.totals });\n if (v) return v;\n }\n if (input.mpp?.context.credential?.challenge) {\n const ch = input.mpp.context.credential.challenge;\n const v = extractMPPTransactionValue({ method: ch.method, request: ch.request });\n if (v) return v;\n }\n if (input.x402?.paymentRequired) {\n const first = input.x402.paymentRequired.accepts[0];\n if (first) {\n const v = extractX402TransactionValue({\n maxAmountRequired: Number(first.amount),\n asset: first.asset,\n });\n if (v) return v;\n }\n }\n return undefined;\n}\n\nfunction collectIdentityClaims(input: CommercePipelineInput): IdentityClaim[] {\n const claims: IdentityClaim[] = [];\n if (input.vi?.claims.kid)\n claims.push({ protocol: 'vi', field: 'kid', value: input.vi.claims.kid });\n if (input.ap2?.triple) {\n const agentId =\n input.ap2.triple.intent?.agent_id ??\n input.ap2.triple.cart?.agent_id ??\n input.ap2.triple.payment?.agent_id;\n if (agentId) claims.push({ protocol: 'ap2', field: 'agent_id', value: agentId });\n }\n if (input.acp?.context.bearer) {\n claims.push({ protocol: 'acp', field: 'bearer', value: input.acp.context.bearer });\n }\n if (input.mpp?.context.credential?.source) {\n claims.push({ protocol: 'mpp', field: 'source', value: input.mpp.context.credential.source });\n }\n if (input.rfc9421) {\n // For RFC 9421 the kid is recorded after verify (result.kid); not collected here.\n }\n return claims;\n}\n\nfunction resolvePaymentToken(input: CommercePipelineInput): CommerceContext['paymentToken'] {\n if (input.acp?.context.paymentToken?.type) {\n return { present: true, type: input.acp.context.paymentToken.type };\n }\n const mppMethod = input.mpp?.context.credential?.challenge?.method;\n if (mppMethod === 'tempo') return { present: true, type: 'tempo-tx' };\n if (mppMethod === 'stripe') return { present: true, type: 'stripe-spt' };\n return undefined;\n}\n\nfunction runConstraintEval(input: CommercePipelineInput): ConstraintEvalResult \| undefined {\n const transaction = input.transaction ?? {};\n const results: ConstraintEvalResult['results'] = {};\n const reasons: string[] = [];\n let hasAny = false;\n\n if (input.vi?.claims) {\n const viResult = evaluateVIConstraints({\n constraints: input.vi.claims.constraints,\n transaction,\n });\n for (const [k, v] of Object.entries(viResult.results)) {\n results[k] = v;\n if (!v.ok && v.reason) reasons.push(v.reason);\n }\n if (Object.keys(viResult.results).length > 0) hasAny = true;\n }\n\n const registered = input.registeredConstraints;\n if (registered?.allowedPaymentMethods) {\n const pm = evaluatePaymentMethodAllowlist({\n allowedMethods: registered.allowedPaymentMethods,\n requestedMethod: transaction.paymentMethod,\n });\n results.paymentMethod = pm;\n if (!pm.ok && pm.reason) reasons.push(pm.reason);\n hasAny = true;\n }\n if (registered?.spendingLimit) {\n const sp = evaluateSpendingLimit({\n limit: registered.spendingLimit,\n requested: { amount: transaction.amount, currency: transaction.currency },\n });\n results.spendingLimit = sp;\n if (!sp.ok && sp.reason) reasons.push(sp.reason);\n hasAny = true;\n }\n\n if (!hasAny) return undefined;\n return { ok: reasons.length === 0, results, reasons };\n}\n\nfunction shortSource(source: string): string {\n // Take first 16 chars sans scheme for trust-signal label readability.\n return source.replace(/^did:[a-z0-9]+:/, '').slice(0, 16);\n}\n","/\n Pluggable extractor registry for PR 3 Commerce Shield Lambda@Edge.\n \n Built-in extractors (VI, UCP, ACP, RFC 9421, MPP, x402, Stripe webhook)\n * are NOT auto-registered. PR 3 Lambda imports this module, picks the set\n * it wants, and calls registerTransportExtractor() for each.\n \n Re-registering by name replaces the prior extractor (idempotent).\n /\n\nexport interface ExtractorRequestLike {\n method?: string;\n url?: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport interface TransportExtractor<T = unknown> {\n readonly name: string;\n match(request: ExtractorRequestLike): boolean;\n extract(request: ExtractorRequestLike): T \| Promise<T> \| null;\n}\n\nconst registry = new Map<string, TransportExtractor>();\n\nexport function registerTransportExtractor<T>(extractor: TransportExtractor<T>): void {\n if (!extractor \|\| typeof extractor.name !== 'string' \|\| extractor.name.length === 0) {\n throw new Error('registerTransportExtractor: extractor must have a non-empty name');\n }\n registry.set(extractor.name, extractor as TransportExtractor);\n}\n\nexport function getTransportExtractors(): ReadonlyArray<TransportExtractor> {\n return Array.from(registry.values());\n}\n\nexport function getTransportExtractor(name: string): TransportExtractor \| undefined {\n return registry.get(name);\n}\n\nexport function clearTransportExtractors(): void {\n registry.clear();\n}\n\n/\n Helper: run all matching extractors against a request and return their\n * extracted contexts keyed by extractor name. Skips extractors whose\n * `match()` returns false.\n /\nexport async function runMatchingExtractors(\n request: ExtractorRequestLike\n): Promise<Record<string, unknown>> {\n const out: Record<string, unknown> = {};\n for (const extractor of registry.values()) {\n if (!extractor.match(request)) continue;\n const result = await extractor.extract(request);\n if (result !== null && result !== undefined) out[extractor.name] = result;\n }\n return out;\n}\n","/\n Visa JWKS registry resolver.\n \n Default endpoint: https://mcp.visa.com/.well-known/jwks (per Visa TAP spec).\n * Wraps jose.createRemoteJWKSet which handles caching + rotation natively.\n /\n\nimport { createRemoteJWKSet, type JWK } from 'jose';\nimport type { RegistryResolver, ResolveContext } from './types';\n\nconst DEFAULT_VISA_JWKS_URL = 'https://mcp.visa.com/.well-known/jwks';\n\nexport interface VisaRegistryOptions {\n jwksUrl?: string;\n cacheMaxAge?: number;\n cooldownDuration?: number;\n}\n\nexport function createVisaRegistry(options: VisaRegistryOptions = {}): RegistryResolver {\n const url = new URL(options.jwksUrl ?? DEFAULT_VISA_JWKS_URL);\n const jwks = createRemoteJWKSet(url, {\n cacheMaxAge: options.cacheMaxAge,\n cooldownDuration: options.cooldownDuration,\n });\n\n return {\n name: 'visa',\n async resolve(kid: string, context?: ResolveContext): Promise<JWK \| null> {\n if (!kid) return null;\n try {\n const key = await jwks({\n kid,\n alg: context?.algorithm ?? 'ES256',\n typ: 'JWT',\n });\n return exportJwkFromKeyLike(key);\n } catch {\n return null;\n }\n },\n };\n}\n\nasync function exportJwkFromKeyLike(keyLike: unknown): Promise<JWK \| null> {\n if (!keyLike) return null;\n // jose returns KeyObject or CryptoKey — both export via exportJWK at caller side.\n // Runtime shape check: if it already looks like a JWK, pass through.\n if (typeof keyLike === 'object' && 'kty' in (keyLike as object)) {\n return keyLike as JWK;\n }\n const { exportJWK } = await import('jose');\n try {\n return await exportJWK(keyLike as Parameters<typeof exportJWK>[0]);\n } catch {\n return null;\n }\n}\n","/\n Mastercard Agent Registry resolver — STUB.\n \n Mastercard Agent Pay is behind partnership (pilots Feb 2026, GA Q2 2026).\n * No public Agent Registry URL or open-source resolver exists as of April\n * 2026. This resolver accepts an optional `registryUrl` and, when absent,\n * returns null with a single one-time console.warn so callers can plumb\n * the flow end-to-end without a live registry.\n \n When Mastercard ships a public resolver or when a commercial relationship\n * provides a registry URL, pass it via `MastercardRegistryOptions.registryUrl`.\n * Response shape expected: { keys: JWK[] } (JWKS-style).\n /\n\nimport type { JWK } from 'jose';\nimport type { RegistryResolver } from './types';\n\nexport interface MastercardRegistryOptions {\n /* Partnership-provided registry URL. Without it, the resolver is inert. /\n registryUrl?: string;\n /* Cache TTL in seconds. Default 3600. /\n cacheTtlSec?: number;\n /* Fetch fn override for testing. /\n fetch?: typeof fetch;\n /* Silence the one-time warn (testing only). /\n silent?: boolean;\n}\n\ninterface CachedKey {\n jwk: JWK;\n expiresAt: number;\n}\n\nexport function createMastercardRegistry(\n options: MastercardRegistryOptions = {}\n): RegistryResolver {\n const cache = new Map<string, CachedKey>();\n const ttlSec = options.cacheTtlSec ?? 3600;\n const fetchFn = options.fetch ?? globalThis.fetch;\n let warned = false;\n\n return {\n name: 'mastercard',\n async resolve(kid: string): Promise<JWK \| null> {\n if (!kid) return null;\n\n if (!options.registryUrl) {\n if (!warned && !options.silent) {\n warned = true;\n // eslint-disable-next-line no-console\n console.warn(\n '[mastercard-registry] registryUrl not configured — key resolution disabled. ' +\n 'Kid lookups will return null until a partnership registry is supplied.'\n );\n }\n return null;\n }\n\n const cached = cache.get(kid);\n if (cached && cached.expiresAt > Date.now()) return cached.jwk;\n\n try {\n const res = await fetchFn(options.registryUrl);\n if (!res.ok) return null;\n const body = (await res.json()) as { keys?: JWK[] };\n const keys = body.keys ?? [];\n for (const k of keys) {\n if (k.kid === kid) {\n cache.set(kid, { jwk: k, expiresAt: Date.now() + ttlSec 1000 });\n return k;\n }\n }\n return null;\n } catch {\n return null;\n }\n },\n };\n}\n","/*\n Web Bot Auth registry resolver.\n \n IETF draft-meunier-web-bot-auth-architecture-05 + draft-meunier-http-\n * message-signatures-directory-01. Shared transport substrate under TAP,\n * Agent Pay, and Cloudflare Pay Per Crawl.\n \n Fetches a Web Bot Auth signature directory\n * (default: `<origin>/.well-known/http-message-signatures-directory`).\n * Shape per spec is a JWKS with Ed25519 keys.\n \n Wraps Cloudflare's `web-bot-auth` npm package where feasible; for raw\n * directory fetch + kid matching we use fetch + JSON since web-bot-auth's\n * higher-level API assumes a full request to verify.\n /\n\nimport type { JWK } from 'jose';\nimport type { RegistryResolver, ResolveContext } from './types';\n\nconst DIRECTORY_PATH = '/.well-known/http-message-signatures-directory';\n\nexport interface WebBotAuthRegistryOptions {\n /\n Optional explicit directory URL. When omitted, the resolver derives one\n * from `ResolveContext.origin` (e.g. the request URL's origin at verify time).\n /\n directoryUrl?: string;\n cacheTtlSec?: number;\n fetch?: typeof fetch;\n}\n\ninterface DirectoryCache {\n keys: JWK[];\n expiresAt: number;\n}\n\nexport function createWebBotAuthRegistry(\n options: WebBotAuthRegistryOptions = {}\n): RegistryResolver {\n const cache = new Map<string, DirectoryCache>();\n const ttlSec = options.cacheTtlSec ?? 3600;\n const fetchFn = options.fetch ?? globalThis.fetch;\n\n return {\n name: 'web-bot-auth',\n async resolve(kid: string, context?: ResolveContext): Promise<JWK \| null> {\n if (!kid) return null;\n\n const directoryUrl = resolveDirectoryUrl(options.directoryUrl, context?.origin);\n if (!directoryUrl) return null;\n\n const cached = cache.get(directoryUrl);\n const now = Date.now();\n if (cached && cached.expiresAt > now) {\n return findKeyByKid(cached.keys, kid);\n }\n\n try {\n const res = await fetchFn(directoryUrl);\n if (!res.ok) return null;\n const body = (await res.json()) as { keys?: JWK[] };\n const keys = body.keys ?? [];\n cache.set(directoryUrl, { keys, expiresAt: now + ttlSec 1000 });\n return findKeyByKid(keys, kid);\n } catch {\n return null;\n }\n },\n };\n}\n\nfunction resolveDirectoryUrl(\n explicit: string \| undefined,\n origin: string \| undefined\n): string \| null {\n if (explicit) return explicit;\n if (!origin) return null;\n try {\n const url = new URL(origin);\n return `${url.origin}${DIRECTORY_PATH}`;\n } catch {\n return null;\n }\n}\n\nfunction findKeyByKid(keys: JWK[], kid: string): JWK \| null {\n for (const k of keys) {\n if (k.kid === kid) return k;\n }\n return null;\n}\n","/*\n Cross-Protocol Transport Module\n \n Provides adapters for injecting/extracting AstraSync credentials\n * across HTTP, A2A, and MCP protocols.\n /\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders, extractHttpCredentials } from './http';\nimport { setA2AMetadata, extractA2ACredentials } from './a2a';\nimport { setMcpMeta, extractMcpCredentials } from './mcp';\n\nexport { setHttpHeaders, extractHttpCredentials } from './http';\nexport { setA2AMetadata, extractA2ACredentials } from './a2a';\nexport { setMcpMeta, extractMcpCredentials } from './mcp';\n\n// Commerce protocol extractors + verifiers (PR 4+5)\nexport from './purpose-mapping';\nexport * from './transaction-value';\nexport * from './rfc9421';\nexport * from './rfc9421-verify';\nexport * from './ucp';\nexport * from './acp';\nexport * from './vi';\nexport * from './stripe-webhook';\nexport * from './constraint-eval';\nexport * from './identity-binding';\nexport * from './ap2';\nexport * from './ap2-verify';\nexport * from './acp-verify';\nexport * from './mpp';\nexport * from './mpp-verify';\nexport * from './x402';\nexport * from './vi-verify';\nexport * from './commerce-pipeline';\nexport * from './extractor-registry';\nexport * from './registry/types';\nexport { createVisaRegistry } from './registry/visa';\nexport { createMastercardRegistry } from './registry/mastercard';\nexport { createWebBotAuthRegistry } from './registry/web-bot-auth';\n\n/*\n Auto-detect protocol from request/context shape.\n /\nexport function detectProtocol(context: Record<string, unknown>): ProtocolTransport {\n // A2A: has metadata block with task-like structure\n if (context.metadata && typeof context.metadata === 'object') {\n return 'a2a';\n }\n\n // MCP: has _meta block (MCP convention)\n if (context._meta && typeof context._meta === 'object') {\n return 'mcp';\n }\n\n // Default to HTTP\n return 'http';\n}\n\n/\n Apply credentials to any protocol target.\n /\nexport function applyCredentials(\n protocol: ProtocolTransport,\n target: Record<string, unknown>,\n credentials: AstraSyncCredentials\n): Record<string, unknown> {\n switch (protocol) {\n case 'http':\n return setHttpHeaders(target as Record<string, string>, credentials);\n case 'a2a':\n return setA2AMetadata(target, credentials);\n case 'mcp':\n return setMcpMeta(target, credentials);\n default:\n return target;\n }\n}\n\n/\n Extract credentials from any protocol context.\n */\nexport function extractCredentialsFromProtocol(\n protocol: ProtocolTransport,\n context: Record<string, unknown>\n): AstraSyncCredentials \| null {\n switch (protocol) {\n case 'http':\n return extractHttpCredentials(context as Record<string, string \| string[] \| undefined>);\n case 'a2a':\n return extractA2ACredentials(context);\n case 'mcp':\n return extractMcpCredentials(context);\n default:\n return null;\n }\n}\n"],"mappings":";AAQA,IAAM,gBAAgB;AAKf,SAAS,eACd,SACA,aACwB;AACxB,QAAM,SAAS,EAAE,GAAG,QAAQ;AAE5B,SAAO,GAAG,aAAa,IAAI,IAAI,YAAY;AAE3C,MAAI,YAAY,WAAW;AACzB,WAAO,GAAG,aAAa,QAAQ,IAAI,YAAY;AAAA,EACjD;AAEA,MAAI,YAAY,cAAc;AAC5B,WAAO,GAAG,aAAa,WAAW,IAAI,YAAY;AAAA,EACpD;AAEA,MAAI,YAAY,OAAO,SAAS;AAC9B,UAAM,eAAe,YAAY,MAAM,QAAQ,SAC3C,GAAG,YAAY,MAAM,QAAQ,QAAQ,IAAI,YAAY,MAAM,QAAQ,MAAM,KACzE,YAAY,MAAM,QAAQ;AAC9B,WAAO,GAAG,aAAa,SAAS,IAAI;AAAA,EACtC;AAEA,MAAI,YAAY,OAAO,UAAU,oBAAoB;AACnD,WAAO,GAAG,aAAa,UAAU,IAAI,OAAO,YAAY,MAAM,SAAS,kBAAkB;AAAA,EAC3F;AAEA,MAAI,YAAY,OAAO,OAAO,cAAc;AAC1C,WAAO,GAAG,aAAa,OAAO,IAAI,YAAY,MAAM,MAAM;AAAA,EAC5D;AAEA,SAAO;AACT;AAKO,SAAS,uBACd,SAC6B;AAC7B,QAAM,WAAW,CAAC,QAAoC;AACpD,UAAM,IAAI,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC;AACnD,WAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI;AAAA,EACnC;AAEA,QAAM,UAAU,SAAS,GAAG,aAAa,IAAI,KAAK,SAAS,YAAY;AACvE,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,cAAoC,EAAE,QAAQ;AAEpD,QAAM,YAAY,SAAS,GAAG,aAAa,QAAQ,KAAK,SAAS,gBAAgB;AACjF,MAAI,UAAW,aAAY,YAAY;AAEvC,QAAM,eAAe,SAAS,GAAG,aAAa,WAAW,KAAK,SAAS,mBAAmB;AAC1F,MAAI,aAAc,aAAY,eAAe;AAE7C,QAAM,UAAU,SAAS,GAAG,aAAa,SAAS,KAAK,SAAS,iBAAiB;AACjF,MAAI,SAAS;AACX,UAAM,CAAC,UAAU,MAAM,IAAI,QAAQ,MAAM,GAAG;AAC5C,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,SAAS,EAAE,UAAU,OAAO;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,WAAW,SAAS,GAAG,aAAa,UAAU,KAAK,SAAS,kBAAkB;AACpF,MAAI,UAAU;AACZ,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,UAAU,EAAE,oBAAoB,SAAS,UAAU,EAAE,EAAE;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS,GAAG,aAAa,OAAO,KAAK,SAAS,eAAe;AAC3E,MAAI,OAAO;AACT,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,OAAO,EAAE,cAAc,MAAM;AAAA,IAC/B;AAAA,EACF;AAEA,SAAO;AACT;;;ACtEO,SAAS,eACd,MACA,aACS;AACT,QAAM,YAA+B;AAAA,IACnC,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,UAAU;AAAA,MACR,GAAG,KAAK;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,MAA4C;AAChF,QAAM,OAAO,KAAK,UAAU;AAC5B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AC7CO,SAAS,WACd,QACA,aACW;AACX,QAAM,YAA2B;AAAA,IAC/B,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO;AAAA,MACL,GAAG,OAAO;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,QAAgD;AACpF,QAAM,OAAO,OAAO,OAAO;AAC3B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AClDA,IAAM,aAAmF;AAAA,EACvF,EAAE,QAAQ,QAAQ,SAAS,+BAA+B,SAAS,2BAA2B;AAAA,EAC9F;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AACF;AAEA,IAAM,aAAmF;AAAA,EACvF,EAAE,QAAQ,QAAQ,SAAS,4BAA4B,SAAS,2BAA2B;AAAA,EAC3F;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AACF;AAEO,SAAS,uBAAuB,QAAgB,MAAsC;AAC3F,QAAM,mBAAmB,OAAO,YAAY;AAC5C,QAAM,iBAAiB,WAAW,IAAI;AACtC,aAAW,SAAS,YAAY;AAC9B,QAAI,MAAM,WAAW,oBAAoB,MAAM,QAAQ,KAAK,cAAc,GAAG;AAC3E,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,uBAAuB,QAAgB,MAAsC;AAC3F,QAAM,mBAAmB,OAAO,YAAY;AAC5C,QAAM,iBAAiB,WAAW,IAAI;AACtC,aAAW,SAAS,YAAY;AAC9B,QAAI,MAAM,WAAW,oBAAoB,MAAM,QAAQ,KAAK,cAAc,GAAG;AAC3E,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,uBAAuB,aAA8C;AACnF,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAGO,SAAS,sBAAsB,aAA6C;AACjF,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAGO,SAAS,uBAAuB,KAAkC;AACvE,MAAI,QAAQ,WAAY,QAAO;AAC/B,SAAO;AACT;AAGO,SAAS,uBACd,QACA,QACiB;AACjB,MAAI,OAAO,WAAW,YAAY,WAAW,EAAG,QAAO;AACvD,MAAI,WAAW,UAAW,QAAO;AACjC,SAAO;AACT;AAEO,SAAS,wBAAwB,QAA6C;AACnF,MAAI,OAAO,WAAW,YAAY,WAAW,EAAG,QAAO;AACvD,SAAO;AACT;AAEA,SAAS,WAAW,MAAsB;AACxC,QAAM,IAAI,KAAK,QAAQ,GAAG;AAC1B,SAAO,MAAM,KAAK,OAAO,KAAK,MAAM,GAAG,CAAC;AAC1C;AAMO,IAAM,sCAAsC;AAAA,EACjD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAGO,SAAS,6BAA6B,WAA4B;AACvE,SAAQ,oCAA0D,SAAS,SAAS;AACtF;;;ACrIO,SAAS,2BAA2B,OAER;AACjC,QAAM,SAAS,MAAM,UAAU,CAAC;AAChC,QAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,SAAS,OAAO,KAAK,OAAO,CAAC;AAChE,MAAI,CAAC,SAAS,OAAO,MAAM,WAAW,YAAY,CAAC,MAAM,SAAU,QAAO;AAC1E,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,MAAM,SAAS;AAAA,IACvB,UAAU,MAAM;AAAA,IAChB,QAAQ,eAAe,MAAM,QAAQ,SAAS;AAAA,EAChD;AACF;AAEO,SAAS,2BAA2B,OAER;AACjC,QAAM,SAAS,MAAM,UAAU,CAAC;AAChC,QAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,SAAS,OAAO,KAAK,OAAO,CAAC;AAChE,MAAI,CAAC,SAAS,OAAO,MAAM,WAAW,YAAY,CAAC,MAAM,SAAU,QAAO;AAC1E,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,MAAM,SAAS;AAAA,IACvB,UAAU,MAAM;AAAA,IAChB,QAAQ,eAAe,MAAM,QAAQ,SAAS;AAAA,EAChD;AACF;AASO,SAAS,0BACd,QACgC;AAChC,QAAM,MAAM,OAAO;AACnB,MAAI,OAAO,OAAO,IAAI,WAAW,YAAY,IAAI,UAAU;AACzD,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ,IAAI;AAAA,MACZ,UAAU,IAAI;AAAA,MACd,QAAQ;AAAA,IACV;AAAA,EACF;AACA,QAAM,QAAQ,OAAO,aAAa;AAClC,MAAI,SAAS,OAAO,MAAM,QAAQ,YAAY,MAAM,UAAU;AAC5D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ,MAAM;AAAA,MACd,UAAU,MAAM;AAAA,MAChB,QAAQ;AAAA,IACV;AAAA,EACF;AACA,SAAO;AACT;AAMO,SAAS,2BACd,SACgC;AAChC,QAAM,MAAM,SAAS,uBAAuB;AAC5C,MAAI,CAAC,OAAO,CAAC,IAAI,SAAU,QAAO;AAClC,QAAM,IAAI,OAAO,IAAI,UAAU,WAAW,OAAO,IAAI,KAAK,IAAI,IAAI;AAClE,MAAI,OAAO,MAAM,YAAY,CAAC,OAAO,SAAS,CAAC,EAAG,QAAO;AACzD,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU,IAAI;AAAA,IACd,QAAQ;AAAA,EACV;AACF;AAOO,SAAS,2BACd,WACgC;AAChC,QAAM,MAAM,UAAU;AACtB,MAAI,CAAC,OAAO,OAAO,IAAI,WAAW,YAAY,CAAC,IAAI,SAAU,QAAO;AACpE,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,IAAI;AAAA,IACZ,UAAU,IAAI;AAAA,IACd,QAAQ,oCAAoC,UAAU,UAAU,SAAS;AAAA,EAC3E;AACF;AASO,SAAS,4BACd,KACgC;AAChC,QAAM,SAAS,IAAI,qBAAqB,IAAI;AAC5C,QAAM,WAAW,IAAI,YAAY,IAAI;AACrC,MAAI,OAAO,WAAW,YAAY,CAAC,SAAU,QAAO;AACpD,SAAO;AAAA,IACL,UAAU;AAAA,IACV;AAAA,IACA;AAAA,IACA,QAAQ,IAAI,sBAAsB,SAAY,sBAAsB;AAAA,EACtE;AACF;;;ACrHA,SAAS,uBAAuB;AAiCzB,SAAS,aACd,SACsB;AACtB,QAAM,WAAW,WAAW,SAAS,iBAAiB;AACtD,QAAM,MAAM,WAAW,SAAS,WAAW;AAC3C,MAAI,CAAC,YAAY,CAAC,IAAK,QAAO;AAE9B,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,gBAAY,gBAAgB,QAAQ;AACpC,cAAU,gBAAgB,GAAG;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,aAAuC,CAAC;AAE9C,aAAW,CAAC,OAAO,KAAK,KAAK,WAAW;AAEtC,UAAM,YAAY,MAAM,QAAQ,KAAK,IACjC,MAAM,CAAC,IACN,MAAgD;AACrD,UAAM,SAAS,MAAM,QAAQ,KAAK,IAC9B,MAAM,CAAC,IACN,MAAgD;AACrD,QAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,CAAC,OAAQ;AAE1C,UAAM,UAAoB,CAAC;AAC3B,eAAW,QAAQ,WAAqD;AACtE,YAAM,CAAC,IAAI,IAAI,MAAM,QAAQ,IAAI,IAAI,OAAO,CAAC,IAAI;AACjD,UAAI,OAAO,SAAS,SAAU,SAAQ,KAAK,IAAI;AAAA,eACtC,QAAQ,OAAO,SAAS,YAAY,cAAc,KAAM,SAAQ,KAAK,OAAO,IAAI,CAAC;AAAA,IAC5F;AAEA,UAAM,YAAY;AAClB,UAAM,MAAM,aAAa,UAAU,IAAI,OAAO,CAAC;AAC/C,QAAI,CAAC,IAAK;AAEV,UAAM,WAAW,QAAQ,IAAI,KAAK;AAClC,QAAI,CAAC,SAAU;AAEf,UAAM,UAAU,MAAM,QAAQ,QAAQ,IAAI,SAAS,CAAC,IAAK,SAAiC;AAC1F,UAAM,kBAAkB,cAAc,OAAO;AAC7C,QAAI,CAAC,gBAAiB;AAEtB,eAAW,KAAK;AAAA,MACd;AAAA,MACA;AAAA,MACA,KAAK,aAAa,UAAU,IAAI,KAAK,CAAC;AAAA,MACtC;AAAA,MACA;AAAA,MACA,SAAS,aAAa,UAAU,IAAI,SAAS,CAAC;AAAA,MAC9C,SAAS,aAAa,UAAU,IAAI,SAAS,CAAC;AAAA,MAC9C,OAAO,aAAa,UAAU,IAAI,OAAO,CAAC;AAAA,MAC1C,KAAK,aAAa,UAAU,IAAI,KAAK,CAAC;AAAA,IACxC,CAAC;AAAA,EACH;AAEA,MAAI,WAAW,WAAW,EAAG,QAAO;AACpC,SAAO,EAAE,WAAW;AACtB;AAEA,SAAS,WACP,SACA,MACe;AACf,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,KAAK,IAAI;AAC5C,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,aAAa,OAAoC;AACxD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,OAAO,UAAU,YAAY,cAAe,OAAkB;AAChE,UAAM,IAAI,OAAO,KAAK;AACtB,WAAO,EAAE,SAAS,IAAI,IAAI;AAAA,EAC5B;AACA,SAAO;AACT;AAEA,SAAS,aAAa,OAAoC;AACxD,MAAI,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,EAAG,QAAO;AAChE,MAAI,OAAO,UAAU,SAAU,QAAO,OAAO,KAAK;AAClD,SAAO;AACT;AAEA,SAAS,cAAc,OAA+B;AACpD,MAAI,iBAAiB,WAAY,QAAO,eAAe,KAAK;AAC5D,MAAI,iBAAiB,YAAa,QAAO,eAAe,IAAI,WAAW,KAAK,CAAC;AAC7E,MAAI,YAAY,OAAO,KAAK,GAAG;AAC7B,UAAM,IAAI;AACV,WAAO,eAAe,IAAI,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,CAAC;AAAA,EAC5E;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,EAAG,QAAO,MAAM,MAAM,GAAG,EAAE;AAC1E,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,eAAe,OAA2B;AACjD,SAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;AAC7C;;;AClJA,SAAS,eAAuD;AA2BhE,eAAsB,cACpB,SACA,SAC8B;AAC9B,QAAM,EAAE,SAAS,IAAI;AACrB,QAAM,YAAY,QAAQ,gBAAgB;AAC1C,QAAM,SAAS,QAAQ,MAAM,QAAQ,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAEzE,MAAI;AACJ,MAAI;AAEJ,QAAM,YAA4B,OAAO,eAAe;AACtD,UAAM,MAAM,OAAO,WAAW,UAAU,WAAW,WAAW,QAAQ;AACtE,QAAI,CAAC,IAAK,QAAO;AACjB,kBAAc;AACd,UAAM,MAAM,OAAO,WAAW,QAAQ,WAAW,WAAW,MAAM;AAClE,QAAI,IAAK,eAAc;AAEvB,UAAM,SAAS,WAAW,QAAQ,GAAG;AACrC,UAAM,MAAM,MAAM,SAAS,QAAQ,KAAK,EAAE,QAAQ,WAAW,IAAI,CAAC;AAClE,QAAI,CAAC,IAAK,QAAO;AAIjB,UAAM,UAAU,cAAc,WAAW,OAAO;AAChD,UAAM,UAAU,cAAc,WAAW,OAAO;AAChD,QAAI,YAAY,UAAa,KAAK,IAAI,SAAS,OAAO,IAAI,UAAW,QAAO;AAC5E,QAAI,YAAY,UAAa,SAAS,UAAU,UAAW,QAAO;AAElE,WAAO,kBAAkB,KAAK,KAAK,GAAG;AAAA,EACxC;AAEA,MAAI;AACF,UAAM,SAAS,MAAM,QAAQ;AAAA,MAC3B;AAAA,QACE;AAAA,MACF;AAAA,MACA,iBAAiB,OAAO;AAAA,IAC1B;AACA,QAAI,WAAW,MAAM;AACnB,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,KAAK;AAAA,QACL,UAAU,SAAS;AAAA,QACnB,WAAW;AAAA,MACb;AAAA,IACF;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,UAAU,SAAS;AAAA,MACnB,WAAW;AAAA,MACX,OAAO,WAAW,QAAQ,sBAAsB;AAAA,IAClD;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,UAAU,SAAS;AAAA,MACnB,WAAW;AAAA,MACX,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,IAC9C;AAAA,EACF;AACF;AAEA,SAAS,iBAAiB,SAIxB;AACA,SAAO;AAAA,IACL,QAAQ,QAAQ,OAAO,YAAY;AAAA,IACnC,KAAK,QAAQ;AAAA,IACb,SAAS,QAAQ;AAAA,EACnB;AACF;AAEA,SAAS,WAAW,KAAiC;AACnD,MAAI;AACF,WAAO,IAAI,IAAI,GAAG,EAAE;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,kBACb,IACA,KACA,KACuB;AACvB,QAAM,YAAY,OAAO,gBAAgB,GAAG;AAC5C,QAAM,EAAE,OAAO,IAAI,MAAM,UAAU;AACnC,QAAM,YAAY,sBAAsB,SAAS;AACjD,QAAM,YAAY,gBAAgB,SAAS;AAC3C,MAAI,CAAC,aAAa,CAAC,WAAW;AAC5B,WAAO;AAAA,MACL;AAAA,MACA,MAAM,MAAM,CAAC,GAAG,IAAI;AAAA,MACpB,QAAQ,YAAY;AAAA,IACtB;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,UAAU,OAAO,KAAmB,WAAW,OAAO,CAAC,QAAQ,CAAC;AAEzF,SAAO;AAAA,IACL;AAAA,IACA,MAAM,MAAM,CAAC,GAAG,IAAI;AAAA,IACpB,QAAQ,OAAO,MAAc,cAAwC;AACnE,UAAI;AACF,eAAO,MAAM,OAAO,OAAO,WAAW,KAAK,cAAc,SAAS,GAAG,cAAc,IAAI,CAAC;AAAA,MAC1F,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,gBAAgB,KAAkB;AACzC,MAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAW,QAAO;AACvD,MAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,MAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,MAAI,IAAI,QAAQ,MAAO,QAAO;AAC9B,SAAO;AACT;AAEA,SAAS,gBACP,YACyD;AACzD,UAAQ,YAAY;AAAA,IAClB,KAAK;AACH,aAAO,EAAE,MAAM,UAAU;AAAA,IAC3B,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,IAC1C,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,IAC1C,KAAK;AACH,aAAO,EAAE,MAAM,oBAAoB;AAAA,IACrC,KAAK;AACH,aAAO,EAAE,MAAM,WAAW,YAAY,GAAG;AAAA,IAC3C;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,sBACP,YACwE;AACxE,UAAQ,YAAY;AAAA,IAClB,KAAK;AACH,aAAO,EAAE,MAAM,UAAU;AAAA,IAC3B,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,IAC9C,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,IAC9C,KAAK;AACH,aAAO,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,IACtD,KAAK;AACH,aAAO,EAAE,MAAM,WAAW,MAAM,UAAU;AAAA,IAC5C;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,cAAc,KAA0B;AAC/C,QAAM,MAAM,IAAI,YAAY,IAAI,UAAU;AAC1C,MAAI,WAAW,GAAG,EAAE,IAAI,GAAG;AAC3B,SAAO;AACT;AAEA,SAAS,cAAc,GAAgC;AACrD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,aAAa,KAAM,QAAO,KAAK,MAAM,EAAE,QAAQ,IAAI,GAAI;AAC3D,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,SAAS,KAAK,MAAM,CAAC;AAC3B,QAAI,OAAO,SAAS,MAAM,EAAG,QAAO,KAAK,MAAM,SAAS,GAAI;AAAA,EAC9D;AACA,SAAO;AACT;AAEA,eAAe,YAA+C;AAC5D,MAAI,OAAO,WAAW,WAAW,eAAe,WAAW,OAAO,QAAQ;AACxE,WAAO,EAAE,QAAQ,WAAW,OAAO,OAAO;AAAA,EAC5C;AAEA,QAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,SAAO,EAAE,QAAQ,WAAW,UAAU,OAAuB;AAC/D;;;ACjMO,SAAS,kBAAkB,SAAoD;AACpF,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,MAAI,CAAC,UAAU,CAAC,IAAK,QAAO;AAE5B,QAAM,YAAY,aAAa,GAAG;AAClC,QAAM,OAAO,WAAW,YAAY,IAAI,MAAM,GAAG,EAAE,CAAC;AAEpD,QAAM,UAAU,uBAAuB,QAAQ,IAAI;AACnD,QAAM,WAAW,GAAG,OAAO,YAAY,CAAC,IAAI,IAAI;AAChD,QAAM,YAAY,iBAAiB,IAAI;AAEvC,QAAM,OAAQ,QAAQ,QAAQ,CAAC;AAC/B,QAAM,SAAS,MAAM,QAAQ,KAAK,MAAM,IAAK,KAAK,SAAwB;AAC1E,QAAM,gBAAgBA,cAAa,KAAK,kBAAkB,KAAK,aAAa;AAC5E,QAAM,cAAcA,cAAa,KAAK,gBAAgB,KAAK,WAAW;AAEtE,QAAM,iBAAiB,sBAAsB,MAAM,SAAS;AAE5D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAQA,eAAsB,iBACpB,aACA,UAAkC,CAAC,GACV;AACzB,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,QAAQ,WAAW,MAAM,WAAW,MAAM,GAAG,SAAS;AAC5D,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,aAAa,EAAE,QAAQ,WAAW,OAAO,CAAC;AAClE,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT,UAAE;AACA,iBAAa,KAAK;AAAA,EACpB;AACF;AAiBO,SAAS,oBACd,UACA,UAA6E,CAAC,GACjD;AAC7B,MAAI,QAAQ,UAAW,QAAO,QAAQ,UAAU,QAAQ;AAExD,QAAM,SAAmB,CAAC;AAC1B,MAAI,CAAC,YAAY,OAAO,aAAa,UAAU;AAC7C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,2BAA2B,EAAE;AAAA,EAC5D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,SAAU,QAAO,KAAK,0CAA0C;AACzF,MAAI,CAAC,MAAM,QAAQ,EAAE,YAAY,EAAG,QAAO,KAAK,+BAA+B;AAC/E,MAAI,CAAC,EAAE,aAAa,OAAO,EAAE,cAAc,SAAU,QAAO,KAAK,6BAA6B;AAC9F,SAAO,EAAE,IAAI,OAAO,WAAW,GAAG,OAAO;AAC3C;AAEA,SAAS,aAAa,KAAyB;AAC7C,MAAI;AACF,WAAO,IAAI,IAAI,KAAK,4BAA4B;AAAA,EAClD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,iBAAiB,MAAkC;AAC1D,QAAM,QAAQ,KAAK,MAAM,mCAAmC;AAC5D,SAAO,QAAQ,CAAC;AAClB;AAEA,SAAS,sBACP,MACA,WACoB;AACpB,QAAM,WAAWA,cAAa,KAAK,mBAAmB,KAAK,cAAc;AACzE,MAAI,SAAU,QAAO;AACrB,MAAI,aAAa,UAAU,aAAa,sBAAuB,QAAO,UAAU;AAChF,SAAO;AACT;AAEA,SAASA,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;AChFO,SAAS,kBAAkB,SAAmD;AACnF,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,MAAI,CAAC,UAAU,CAAC,IAAK,QAAO;AAE5B,QAAM,OAAOC,YAAW,IAAI,WAAW,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,WAAW,GAAG;AAE5E,QAAM,WAAW,iBAAiB,QAAQ,IAAI;AAC9C,QAAM,UAAU,uBAAuB,QAAQ,IAAI;AACnD,QAAM,YAAYC,kBAAiB,IAAI;AAEvC,QAAM,UAAU,QAAQ,WAAW,CAAC;AACpC,QAAM,kBAAkBC,YAAW,SAAS,WAAW;AACvD,QAAM,kBAAkBA,YAAW,SAAS,WAAW;AACvD,QAAM,iBAAiBA,YAAW,SAAS,iBAAiB;AAC5D,QAAM,aAAaA,YAAW,SAAS,aAAa;AACpD,QAAM,SAAS,cAAcA,YAAW,SAAS,eAAe,CAAC;AAEjE,QAAM,OAAQ,QAAQ,QAAQ,CAAC;AAC/B,QAAM,aAAaC,cAAa,KAAK,eAAe,KAAK,UAAU;AACnE,QAAM,SAAS,MAAM,QAAQ,KAAK,MAAM,IAAK,KAAK,SAAwB;AAC1E,QAAM,oBAAoB,yBAAyB,IAAI;AAEvD,QAAM,eAAe,oBAAoB,IAAI;AAE7C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS,QAAQ;AAAA,EACnB;AACF;AAEA,SAAS,iBAAiB,QAAgB,MAA2B;AACnE,QAAM,IAAI,OAAO,YAAY;AAC7B,MAAI,MAAM,OAAQ,QAAO;AACzB,MAAI,4CAA4C,KAAK,IAAI,EAAG,QAAO;AACnE,MAAI,2BAA2B,KAAK,IAAI,EAAG,QAAO;AAClD,MAAI,kCAAkC,KAAK,IAAI,EAAG,QAAO;AACzD,MAAI,4CAA4C,KAAK,IAAI,EAAG,QAAO;AACnE,MAAI,0CAA0C,KAAK,IAAI,EAAG,QAAO;AACjE,SAAO;AACT;AAEA,SAASF,kBAAiB,MAAkC;AAC1D,QAAM,QAAQ,KAAK,MAAM,gCAAgC;AACzD,SAAO,QAAQ,CAAC;AAClB;AAEA,SAAS,cAAc,YAAoD;AACzE,MAAI,CAAC,WAAY,QAAO;AACxB,QAAM,QAAQ,WAAW,MAAM,kBAAkB;AACjD,SAAO,QAAQ,MAAM,CAAC,EAAE,KAAK,IAAI;AACnC;AAEA,SAAS,oBAAoB,MAAkE;AAC7F,QAAM,cAAc,KAAK;AACzB,MAAI,CAAC,YAAa,QAAO;AACzB,QAAM,MAAME,cAAa,YAAY,KAAK;AAC1C,QAAM,WAAWA,cAAa,YAAY,QAAQ;AAClD,MAAI,CAAC,IAAK,QAAO,EAAE,KAAK,QAAW,MAAM,MAAM,SAAS;AACxD,QAAM,OAAO,qBAAqB,GAAG;AACrC,SAAO,EAAE,KAAK,MAAM,SAAS;AAC/B;AAEA,SAAS,qBAAqB,OAAoC;AAChE,MAAI,MAAM,WAAW,MAAM,EAAG,QAAO;AACrC,MAAI,MAAM,WAAW,KAAK,EAAG,QAAO;AACpC,SAAO;AACT;AAEA,SAAS,yBAAyB,MAAmD;AACnF,QAAM,SAASA,cAAa,KAAK,sBAAsB,KAAK,iBAAiB;AAC7E,MAAI,OAAQ,QAAO;AACnB,QAAM,UAAU,KAAK;AACrB,MAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,UAAM,QAAQ,QAAQ,CAAC;AACvB,QAAI,SAAS,OAAO,UAAU,UAAU;AACtC,YAAM,KAAKA,cAAc,MAAkC,EAAE;AAC7D,UAAI,GAAI,QAAO;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASD,YACP,SACA,MACoB;AACpB,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASF,YAAW,MAAsB;AACxC,QAAM,IAAI,KAAK,QAAQ,GAAG;AAC1B,SAAO,MAAM,KAAK,OAAO,KAAK,MAAM,GAAG,CAAC;AAC1C;AAEA,SAASG,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;AC/JA,SAAS,YAAY,uBAAuB;AAC5C,SAAS,kBAAkB;AAkEpB,SAAS,gBAAgB,cAAgD;AAC9E,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAAU,QAAO;AAE9D,MAAI;AACJ,MAAI;AACF,cAAU,gBAAgB,cAAc,UAAU;AAAA,EACpD,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,UAAU,YAAY;AAEpC,QAAM,UAAW,QAAQ,KAAK,WAAW,CAAC;AAC1C,QAAM,cAAc,QAAQ,eAAe,CAAC;AAK5C,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc;AAAA,IAClB,OAAO,gBAAgB,OAAO,eAAe,QAAQ,gBAAgB,QAAQ;AAAA,EAC/E;AACA,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,MAAMC;AAAA,IACT,QAAQ,KAAK,QAAgD,OAAO,OAAO,OAAO,QAAQ;AAAA,EAC7F;AAEA,QAAM,gBAAgB,oBAAoB,OAAO,kBAAkB,OAAO,aAAa;AACvF,QAAM,qBAAqBA,cAAa,OAAO,OAAO,QAAQ,GAAG;AAEjE,QAAM,cAAc;AAAA,IACjB,OAAO,eAAe,OAAO,uBAAuB,CAAC;AAAA,EACxD;AAEA,QAAM,gBAAgBA,cAAa,OAAO,kBAAkB,OAAO,aAAa;AAChF,QAAM,eAAeA;AAAA,IACnB,OAAO,iBACL,OAAO,8BACN,OAAO,mBAA2D;AAAA,EACvE;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACF;AAEA,SAAS,UAAU,SAA4D;AAC7E,MAAI;AACF,UAAM,EAAE,KAAK,MAAM,IAAI,WAAW,OAAO;AAGzC,WAAO,EAAE,IAAI,KAAK,IAAI,MAAM;AAAA,EAC9B,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,iBACP,SACA,aACyB;AACzB,QAAM,SAAkC,EAAE,GAAG,QAAQ;AACrD,aAAW,KAAK,aAAa;AAC3B,QAAI,EAAE,OAAO,EAAE,UAAU,UAAa,EAAE,EAAE,OAAO,SAAS;AACxD,aAAO,EAAE,GAAG,IAAI,EAAE;AAAA,IACpB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,mBAAmB,KAA6C;AACvE,SAAO;AAAA,IACL,kBAAkB,oBAAoB,IAAI,qBAAqB,IAAI,gBAAgB;AAAA,IACnF,eAAe,oBAAoB,IAAI,kBAAkB,IAAI,aAAa;AAAA,IAC1E,WAAW,gBAAgB,IAAI,cAAc,IAAI,SAAS;AAAA,IAC1D,eAAe,gBAAgB,IAAI,kBAAkB,IAAI,aAAa;AAAA,IACtE,aAAa,cAAc,IAAI,gBAAgB,IAAI,eAAe,IAAI,MAAM;AAAA,IAC5E,YAAY,aAAa,IAAI,UAAU;AAAA,IACvC,iBAAiB,aAAa,IAAI,oBAAoB,IAAI,eAAe;AAAA,EAC3E;AACF;AAEA,SAAS,oBAAoB,GAA0C;AACrE,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,MAAwB,CAAC;AAC/B,aAAW,QAAQ,GAAG;AACpB,QAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,YAAM,IAAI;AACV,UAAI,KAAK;AAAA,QACP,IAAIA,cAAa,EAAE,EAAE;AAAA,QACrB,MAAMA,cAAa,EAAE,IAAI;AAAA,QACzB,SAASA,cAAa,EAAE,OAAO;AAAA,MACjC,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO,IAAI,SAAS,IAAI,MAAM;AAChC;AAEA,SAAS,gBAAgB,GAAsC;AAC7D,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,MAAoB,CAAC;AAC3B,aAAW,QAAQ,GAAG;AACpB,QAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,YAAM,IAAI;AACV,YAAM,MAAM,EAAE,oBAAoB,EAAE;AACpC,UAAI,KAAK;AAAA,QACP,IAAIA,cAAa,EAAE,EAAE;AAAA,QACrB,iBAAiB,MAAM,QAAQ,GAAG,IAC7B,IAAI,OAAO,CAAC,MAAM,OAAO,MAAM,QAAQ,IACxC;AAAA,QACJ,UAAUC,cAAa,EAAE,QAAQ;AAAA,MACnC,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO,IAAI,SAAS,IAAI,MAAM;AAChC;AAEA,SAAS,gBAAgB,GAAyC;AAChE,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,SAAO;AAAA,IACL,UAAUD,cAAa,EAAE,QAAQ;AAAA,IACjC,KAAKC,cAAa,EAAE,GAAG;AAAA,IACvB,KAAKA,cAAa,EAAE,GAAG;AAAA,EACzB;AACF;AAEA,SAAS,cAAc,GAAuC;AAC5D,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,SAAO;AAAA,IACL,UAAUD,cAAa,EAAE,QAAQ;AAAA,IACjC,KAAKC,cAAa,EAAE,GAAG;AAAA,EACzB;AACF;AAEA,SAAS,aAAa,GAAsC;AAC1D,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,SAAO;AAAA,IACL,WAAWD,cAAa,EAAE,SAAS;AAAA,IACnC,WAAWA,cAAa,EAAE,cAAc,EAAE,SAAS;AAAA,IACnD,SAASA,cAAa,EAAE,YAAY,EAAE,OAAO;AAAA,IAC7C,gBAAgBC,cAAa,EAAE,mBAAmB,EAAE,cAAc;AAAA,EACpE;AACF;AAEA,SAAS,kBAAkB,GAAkC;AAC3D,MAAI,MAAM,cAAc,MAAM,aAAa,MAAM,mBAAmB,MAAM,gBAAgB;AACxF,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,GAAyC;AACpE,SAAO,MAAM,eAAe,MAAM,gBAAgB,MAAM,SAAS,IAAI;AACvE;AAEA,SAASD,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;AAEA,SAASC,cAAa,GAAgC;AACpD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,IAAI,OAAO,CAAC;AAClB,WAAO,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA,EAClC;AACA,SAAO;AACT;AAEA,SAAS,WAAW,MAAwC;AAC1D,QAAM,MACJ,OAAO,SAAS,WAAW,OAAO,KAAK,MAAM,OAAO,IAAI,OAAO,KAAK,IAAI,WAAW,IAAI,CAAC;AAC1F,QAAM,OAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO;AACrD,SAAO,IAAI,WAAW,KAAK,QAAQ,KAAK,YAAY,KAAK,UAAU;AACrE;;;ACnQA,SAAS,YAAY,uBAAuB;AAcrC,SAAS,oBACd,SACA,iBACA,QACA,UAAsC,CAAC,GACZ;AAC3B,MAAI,CAAC,gBAAiB,QAAO,EAAE,IAAI,OAAO,OAAO,kCAAkC;AACnF,MAAI,CAAC,OAAQ,QAAO,EAAE,IAAI,OAAO,OAAO,yBAAyB;AAEjE,QAAM,SAAS,qBAAqB,eAAe;AACnD,MAAI,CAAC,OAAO,UAAW,QAAO,EAAE,IAAI,OAAO,OAAO,0CAA0C;AAC5F,MAAI,OAAO,aAAa,WAAW,GAAG;AACpC,WAAO,EAAE,IAAI,OAAO,OAAO,sCAAsC;AAAA,EACnE;AAEA,QAAM,YAAY,QAAQ,gBAAgB;AAC1C,QAAM,MAAM,QAAQ,MAAM,QAAQ,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACtE,MAAI,KAAK,IAAI,MAAM,OAAO,SAAS,IAAI,WAAW;AAChD,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,WAAW,OAAO;AAAA,MAClB,OAAO,gCAAgC,SAAS;AAAA,IAClD;AAAA,EACF;AAEA,QAAM,gBAAgB,GAAG,OAAO,SAAS,IAAI,OAAO;AACpD,QAAM,WAAW,WAAW,UAAU,MAAM,EAAE,OAAO,aAAa,EAAE,OAAO;AAE3E,aAAW,gBAAgB,OAAO,cAAc;AAC9C,UAAM,YAAY,YAAY,YAAY;AAC1C,QAAI,CAAC,UAAW;AAChB,QAAI,UAAU,WAAW,SAAS,OAAQ;AAC1C,QAAI,gBAAgB,WAAW,QAAQ,GAAG;AACxC,aAAO,EAAE,IAAI,MAAM,WAAW,OAAO,UAAU;AAAA,IACjD;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,OAAO,WAAW,OAAO,WAAW,OAAO,qBAAqB;AAC/E;AAOA,SAAS,qBAAqB,QAAuC;AACnE,MAAI,YAA2B;AAC/B,QAAM,eAAyB,CAAC;AAChC,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,QAAQ,QAAQ,IAAI,KAAK,MAAM,GAAG;AACzC,QAAI,CAAC,UAAU,CAAC,SAAU;AAC1B,UAAM,MAAM,OAAO,KAAK;AACxB,UAAM,QAAQ,SAAS,KAAK;AAC5B,QAAI,QAAQ,KAAK;AACf,YAAM,IAAI,OAAO,KAAK;AACtB,UAAI,OAAO,SAAS,CAAC,EAAG,aAAY;AAAA,IACtC,WAAW,QAAQ,MAAM;AACvB,mBAAa,KAAK,KAAK;AAAA,IACzB;AAAA,EACF;AACA,SAAO,EAAE,WAAW,aAAa;AACnC;AAEA,SAAS,YAAY,KAA4B;AAC/C,MAAI,CAAC,iBAAiB,KAAK,GAAG,KAAK,IAAI,SAAS,MAAM,EAAG,QAAO;AAChE,SAAO,OAAO,KAAK,KAAK,KAAK;AAC/B;;;ACnDO,SAAS,sBAAsB,OAAoD;AACxF,QAAM,EAAE,aAAa,YAAY,IAAI;AACrC,QAAM,UAA4C,CAAC;AAEnD,MAAI,YAAY,oBAAoB,YAAY,iBAAiB,SAAS,GAAG;AAC3E,YAAQ,WAAW;AAAA,MACjB;AAAA,MACA,YAAY;AAAA,MACZ,YAAY;AAAA,IACd;AAAA,EACF;AAEA,MAAI,YAAY,iBAAiB,YAAY,cAAc,SAAS,GAAG;AACrE,YAAQ,QAAQ,kBAAkB,SAAS,YAAY,eAAe,YAAY,KAAK;AAAA,EACzF;AAEA,MAAI,YAAY,aAAa,YAAY,UAAU,SAAS,GAAG;AAC7D,YAAQ,YAAY,kBAAkB,YAAY,WAAW,YAAY,aAAa,CAAC,CAAC;AAAA,EAC1F;AAEA,MAAI,YAAY,eAAe;AAC7B,YAAQ,SAAS,sBAAsB,YAAY,eAAe,WAAW;AAAA,EAC/E;AAEA,QAAM,UAAoB,CAAC;AAC3B,MAAI,KAAK;AACT,aAAW,CAAC,KAAK,CAAC,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC9C,QAAI,CAAC,EAAE,IAAI;AACT,WAAK;AACL,cAAQ,KAAK,EAAE,UAAU,GAAG,GAAG,SAAS;AAAA,IAC1C;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,SAAS,QAAQ;AAChC;AAOO,SAAS,+BACd,OACkB;AAClB,QAAM,QAAQ,MAAM,kBAAkB,CAAC;AACvC,MAAI,MAAM,WAAW,EAAG,QAAO,EAAE,IAAI,KAAK;AAC1C,MAAI,CAAC,MAAM,iBAAiB;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,qDAAqD;AAAA,EACnF;AACA,QAAM,UAAU,MAAM,gBAAgB,YAAY;AAClD,QAAM,UAAU,MAAM,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,OAAO;AAC7D,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,mBAAmB,MAAM,eAAe,uBAAuB,MAAM,KAAK,IAAI,CAAC;AAAA,IACzF;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAOO,SAAS,sBAAsB,OAA6C;AACjF,QAAM,EAAE,OAAO,UAAU,IAAI;AAC7B,MAAI,CAAC,SAAS,OAAO,MAAM,WAAW,SAAU,QAAO,EAAE,IAAI,KAAK;AAClE,MAAI,CAAC,aAAa,OAAO,UAAU,WAAW,SAAU,QAAO,EAAE,IAAI,KAAK;AAC1E,MAAI,MAAM,YAAY,UAAU,YAAY,MAAM,aAAa,UAAU,UAAU;AACjF,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,4BAA4B,MAAM,QAAQ,iBAAiB,UAAU,QAAQ;AAAA,IACvF;AAAA,EACF;AACA,MAAI,UAAU,SAAS,MAAM,QAAQ;AACnC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QACE,aAAa,UAAU,MAAM,IAAI,UAAU,YAAY,EAAE,kBAAkB,MAAM,MAAM,IAAI,MAAM,YAAY,EAAE,GAAG,KAAK;AAAA,IAC3H;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,kBACP,MACA,WACA,QACkB;AAClB,MAAI,CAAC,UAAW,CAAC,OAAO,MAAM,CAAC,OAAO,SAAU;AAC9C,WAAO,EAAE,IAAI,OAAO,QAAQ,MAAM,IAAI,wCAAwC;AAAA,EAChF;AACA,aAAW,SAAS,WAAW;AAC7B,QAAI,MAAM,MAAM,OAAO,MAAM,MAAM,OAAO,OAAO,GAAI,QAAO,EAAE,IAAI,KAAK;AACvE,QAAI,MAAM,WAAW,OAAO,WAAW,aAAa,MAAM,SAAS,OAAO,OAAO,GAAG;AAClF,aAAO,EAAE,IAAI,KAAK;AAAA,IACpB;AAAA,EACF;AACA,QAAM,qBAAqB,UAAU,IAAI,aAAa,EAAE,KAAK,IAAI;AACjE,QAAM,mBAAmB,cAAc,MAAM;AAC7C,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,QAAQ,GAAG,IAAI,IAAI,gBAAgB,sBAAsB,kBAAkB;AAAA,EAC7E;AACF;AAEA,SAAS,kBACP,WACA,aACkB;AAClB,MAAI,YAAY,WAAW,GAAG;AAC5B,WAAO,EAAE,IAAI,OAAO,QAAQ,qDAAqD;AAAA,EACnF;AACA,QAAM,UAAoB,CAAC;AAC3B,aAAW,QAAQ,aAAa;AAC9B,UAAM,QAAQ,UAAU;AAAA,MACtB,CAAC,MAAO,EAAE,MAAM,EAAE,OAAO,KAAK,OAAQ,EAAE,mBAAmB,CAAC,GAAG,SAAS,KAAK,MAAM,EAAE;AAAA,IACvF;AACA,QAAI,CAAC,OAAO;AACV,cAAQ,KAAK,cAAc,KAAK,MAAM,WAAW,oBAAoB;AACrE;AAAA,IACF;AACA,QACE,OAAO,MAAM,aAAa,YAC1B,OAAO,KAAK,aAAa,YACzB,KAAK,WAAW,MAAM,UACtB;AACA,cAAQ;AAAA,QACN,cAAc,KAAK,EAAE,cAAc,KAAK,QAAQ,oBAAoB,MAAM,QAAQ;AAAA,MACpF;AAAA,IACF;AAAA,EACF;AACA,SAAO,QAAQ,WAAW,IAAI,EAAE,IAAI,KAAK,IAAI,EAAE,IAAI,OAAO,QAAQ,QAAQ,KAAK,IAAI,EAAE;AACvF;AAEA,SAAS,sBACP,OACA,aACkB;AAClB,MAAI,OAAO,YAAY,WAAW,UAAU;AAC1C,WAAO,EAAE,IAAI,OAAO,QAAQ,2DAA2D;AAAA,EACzF;AACA,MAAI,MAAM,YAAY,YAAY,YAAY,MAAM,aAAa,YAAY,UAAU;AACrF,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,4BAA4B,MAAM,QAAQ,mBAAmB,YAAY,QAAQ;AAAA,IAC3F;AAAA,EACF;AACA,MAAI,OAAO,MAAM,QAAQ,YAAY,YAAY,SAAS,MAAM,KAAK;AACnE,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,UAAU,YAAY,MAAM,cAAc,MAAM,GAAG;AAAA,IAC7D;AAAA,EACF;AACA,MAAI,OAAO,MAAM,QAAQ,YAAY,YAAY,SAAS,MAAM,KAAK;AACnE,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,UAAU,YAAY,MAAM,cAAc,MAAM,GAAG;AAAA,IAC7D;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,aAAa,OAAe,QAAyB;AAC5D,QAAM,IAAI,gBAAgB,KAAK;AAC/B,QAAM,IAAI,gBAAgB,MAAM;AAChC,SAAO,MAAM,KAAK,EAAE,SAAS,IAAI,CAAC,EAAE;AACtC;AAEA,SAAS,gBAAgB,OAAuB;AAC9C,MAAI;AACF,UAAM,aAAa,eAAe,KAAK,KAAK,IAAI,QAAQ,WAAW,KAAK;AACxE,WAAO,IAAI,IAAI,UAAU,EAAE,SAAS,YAAY;AAAA,EAClD,QAAQ;AACN,WAAO,MAAM,YAAY;AAAA,EAC3B;AACF;AAEA,SAAS,cAAc,OAAiE;AACtF,MAAI,MAAM,GAAI,QAAO,MAAM,MAAM,EAAE;AACnC,MAAI,MAAM,QAAS,QAAO,MAAM;AAChC,MAAI,MAAM,KAAM,QAAO,MAAM;AAC7B,SAAO;AACT;;;ACvLA,eAAsB,aACpB,QACA,UACgC;AAChC,QAAM,cAAuE,CAAC;AAC9E,aAAWC,UAAS,QAAQ;AAC1B,QAAI,CAACA,OAAM,OAAO;AAChB,kBAAY,KAAK,EAAE,OAAAA,QAAO,SAAS,KAAK,CAAC;AACzC;AAAA,IACF;AACA,UAAM,UAAU,MAAM,SAASA,MAAK;AACpC,gBAAY,KAAK,EAAE,OAAAA,QAAO,QAAQ,CAAC;AAAA,EACrC;AAEA,QAAM,cAAc,YACjB,IAAI,CAAC,MAAM,EAAE,OAAO,EACpB,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AAEvE,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,WAAW,CAAC;AAC9C,QAAM,uBAAuB,OAAO,SAAS;AAC7C,QAAM,yBAAyB,OAAO,WAAW,IAAI,OAAO,CAAC,IAAI;AAEjE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAMO,IAAM,QAAQ;AAAA,EACnB,OAAO,CAAC,WAAkC,EAAE,UAAU,MAAM,OAAO,OAAO,MAAM;AAAA,EAChF,YAAY,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,YAAY,MAAM;AAAA,EAC3F,WAAW,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,UAAU,MAAM;AAAA,EACxF,WAAW,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,UAAU,MAAM;AAAA,EACxF,YAAY,CAAC,WAAkC,EAAE,UAAU,QAAQ,OAAO,UAAU,MAAM;AAAA,EAC1F,aAAa,CAAC,WAAkC,EAAE,UAAU,YAAY,OAAO,OAAO,MAAM;AAAA,EAC5F,QAAQ,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,OAAO,MAAM;AAAA,EAClF,eAAe,CAAC,WAAkC;AAAA,IAChD,UAAU;AAAA,IACV,OAAO;AAAA,IACP;AAAA,EACF;AACF;;;AC5EA,SAAS,mBAAAC,wBAAuB;AAChC,SAAS,cAAAC,mBAAkB;AA+DpB,SAAS,kBAAkB,cAA+C;AAC/E,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAAU,QAAO;AAE9D,MAAI;AACJ,MAAI;AACF,cAAUD,iBAAgB,cAAcE,WAAU;AAAA,EACpD,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,UAAW,QAAQ,KAAK,WAAW,CAAC;AAC1C,QAAM,cAAc,QAAQ,eAAe,CAAC;AAC5C,QAAM,SAASC;AAAA,IACb;AAAA,IACA;AAAA,EACF;AAEA,QAAM,OAAOC,mBAAkB,OAAO,QAAQ,OAAO,gBAAgB,OAAO,WAAW;AACvF,MAAI,CAAC,KAAM,QAAO;AAElB,MAAI,SAAS,iBAAkB,QAAO,YAAY,MAAM;AACxD,MAAI,SAAS,eAAgB,QAAO,UAAU,MAAM;AACpD,SAAO,aAAa,MAAM;AAC5B;AAYO,SAAS,mBAAmB,OAAgD;AACjF,QAAM,SAAS,MAAM,SAChB,kBAAkB,MAAM,MAAM,IAC/B;AACJ,QAAM,OAAO,MAAM,OAAQ,kBAAkB,MAAM,IAAI,IAAoC;AAC3F,QAAM,UAAU,MAAM,UACjB,kBAAkB,MAAM,OAAO,IAChC;AACJ,SAAO;AAAA,IACL,QAAQ,UAAU;AAAA,IAClB,MAAM,QAAQ;AAAA,IACd,SAAS,WAAW;AAAA,IACpB,WAAW;AAAA,MACT,WAAW,MAAM;AAAA,MACjB,SAAS,MAAM;AAAA,MACf,YAAY,MAAM;AAAA,IACpB;AAAA,EACF;AACF;AAEA,SAAS,YAAY,QAAyD;AAC5E,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAUC,cAAa,OAAO,YAAY,OAAO,OAAO;AAAA,IACxD,SAASA,cAAa,OAAO,WAAW,OAAO,UAAU,OAAO,GAAG;AAAA,IACnE,mBAAmBA,cAAa,OAAO,qBAAqB,OAAO,gBAAgB;AAAA,IACnF,wBAAwB;AAAA,MACtB,OAAO,4BAA4B,OAAO;AAAA,IAC5C;AAAA,IACA,gBAAgB,cAAc,OAAO,mBAAmB,OAAO,cAAc;AAAA,IAC7E,SAASA,cAAa,OAAO,WAAW,OAAO,GAAG;AAAA,IAClD,uBAAuB,iBAAiB,OAAO,yBAAyB,OAAO,KAAK;AAAA,IACpF,KAAK;AAAA,EACP;AACF;AAEA,SAAS,UAAU,QAAuD;AACxE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAUA,cAAa,OAAO,YAAY,OAAO,OAAO;AAAA,IACxD,mBAAmBA,cAAa,OAAO,qBAAqB,OAAO,eAAe;AAAA,IAClF,aAAaA,cAAa,OAAO,eAAe,OAAO,UAAU;AAAA,IACjE,YAAY,YAAY,OAAO,cAAc,OAAO,SAAS;AAAA,IAC7D,uBAAuB,iBAAiB,OAAO,yBAAyB,OAAO,KAAK;AAAA,IACpF,SAASA,cAAa,OAAO,WAAW,OAAO,GAAG;AAAA,IAClD,KAAK;AAAA,EACP;AACF;AAEA,SAAS,aAAa,QAA0D;AAC9E,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAUA,cAAa,OAAO,YAAY,OAAO,OAAO;AAAA,IACxD,iBAAiBA,cAAa,OAAO,mBAAmB,OAAO,aAAa;AAAA,IAC5E,gBAAgBA,cAAa,OAAO,kBAAkB,OAAO,aAAa;AAAA,IAC1E,uBAAuB,iBAAiB,OAAO,yBAAyB,OAAO,KAAK;AAAA,IACpF,qBAAqBA,cAAa,OAAO,uBAAuB,OAAO,kBAAkB;AAAA,IACzF,KAAK;AAAA,EACP;AACF;AAEA,SAAS,iBAAiB,GAAgD;AACxE,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,QAAM,SAAS,EAAE;AACjB,SAAO;AAAA,IACL,QAAQ,SACJ;AAAA,MACE,OAAO,qBAAqB,OAAO,KAAK;AAAA,MACxC,UAAUA,cAAa,OAAO,QAAQ;AAAA,IACxC,IACA;AAAA,IACJ,OAAOA,cAAa,EAAE,KAAK;AAAA,EAC7B;AACF;AAEA,SAAS,YAAY,GAAgD;AACnE,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,QAAyD,CAAC;AAChE,aAAW,QAAQ,GAAG;AACpB,QAAI,CAAC,QAAQ,OAAO,SAAS,SAAU;AACvC,UAAM,IAAI;AACV,UAAM,QAAQ,EAAE;AAChB,UAAM,KAAK;AAAA,MACT,IAAIA,cAAa,EAAE,EAAE;AAAA,MACrB,UAAUC,cAAa,EAAE,QAAQ;AAAA,MACjC,OAAO,QACH;AAAA,QACE,OAAO,qBAAqB,MAAM,KAAK;AAAA,QACvC,UAAUD,cAAa,MAAM,QAAQ;AAAA,MACvC,IACA;AAAA,IACN,CAAC;AAAA,EACH;AACA,SAAO,MAAM,SAAS,IAAI,QAAQ;AACpC;AAEA,SAAS,cAAc,GAAkC;AACvD,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,MAAM,EAAE,OAAO,CAAC,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC;AAC9E,SAAO,IAAI,SAAS,IAAI,MAAM;AAChC;AAEA,SAASF,kBACP,SACA,aACyB;AACzB,QAAM,SAAkC,EAAE,GAAG,QAAQ;AACrD,aAAW,KAAK,aAAa;AAC3B,QAAI,EAAE,OAAO,EAAE,UAAU,UAAa,EAAE,EAAE,OAAO,SAAS;AACxD,aAAO,EAAE,GAAG,IAAI,EAAE;AAAA,IACpB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASC,mBAAkB,GAAmC;AAC5D,MAAI,MAAM,oBAAoB,MAAM,kBAAkB,MAAM,kBAAmB,QAAO;AACtF,SAAO;AACT;AAEA,SAASC,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;AAEA,SAASC,cAAa,GAAgC;AACpD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,IAAI,OAAO,CAAC;AAClB,WAAO,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA,EAClC;AACA,SAAO;AACT;AAEA,SAAS,qBAAqB,GAAyC;AACrE,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,QAAO;AAClD,SAAO;AACT;AAEA,SAASJ,YAAW,MAAwC;AAC1D,QAAM,MACJ,OAAO,SAAS,WAAW,OAAO,KAAK,MAAM,OAAO,IAAI,OAAO,KAAK,IAAI,WAAW,IAAI,CAAC;AAC1F,QAAM,OAAOD,YAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO;AACrD,SAAO,IAAI,WAAW,KAAK,QAAQ,KAAK,YAAY,KAAK,UAAU;AACrE;;;AC3NO,SAAS,eAAe,OAAuC;AACpE,QAAM,EAAE,OAAO,IAAI;AACnB,QAAM,SAAmB,CAAC;AAE1B,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,YAAY,aAAa,QAAQ,MAAM;AAC7C,QAAM,eAAe,gBAAgB,QAAQ,MAAM;AACnD,QAAM,EAAE,IAAI,mBAAmB,QAAQ,IAAI,qBAAqB,QAAQ,MAAM;AAC9E,QAAM,uBAAuB,mBAAmB,QAAQ,MAAM;AAC9D,QAAM,mBAAmB,YAAY,QAAQ,MAAM;AACnD,QAAM,WAAW,cAAc,QAAQ,MAAM,gBAAgB,KAAK,MAAM,KAAK,MAAM;AAEnF,QAAM,KACJ,aACA,gBACA,qBACA,wBACA,oBACA;AAEF,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,aAAa,QAA0B,QAA2B;AACzE,QAAM,OAAO,OAAO;AACpB,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,CAAC,KAAK,kBAAmB,QAAO;AACpC,QAAM,WAAW,OAAO,QAAQ,KAAK;AACrC,MAAI,YAAY,KAAK,sBAAsB,UAAU;AACnD,WAAO;AAAA,MACL,2BAA2B,KAAK,iBAAiB,+BAA+B,QAAQ;AAAA,IAC1F;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,QAA0B,QAA2B;AAC5E,QAAM,UAAU,OAAO;AACvB,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI,CAAC,QAAQ,gBAAiB,QAAO;AACrC,QAAM,SAAS,OAAO,MAAM,KAAK;AACjC,MAAI,UAAU,QAAQ,oBAAoB,QAAQ;AAChD,WAAO;AAAA,MACL,4BAA4B,QAAQ,eAAe,6BAA6B,MAAM;AAAA,IACxF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,qBACP,QACA,QACmC;AACnC,QAAM,MAAM,CAAC,OAAO,QAAQ,UAAU,OAAO,MAAM,UAAU,OAAO,SAAS,QAAQ,EAAE;AAAA,IACrF,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS;AAAA,EAC9D;AACA,MAAI,IAAI,WAAW,EAAG,QAAO,EAAE,IAAI,KAAK;AACxC,QAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,MAAI,OAAO,OAAO,GAAG;AACnB,WAAO,KAAK,sCAAsC,MAAM,KAAK,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE;AACjF,WAAO,EAAE,IAAI,OAAO,SAAS,OAAU;AAAA,EACzC;AACA,SAAO,EAAE,IAAI,MAAM,SAAS,IAAI,CAAC,EAAE;AACrC;AAEA,SAAS,mBAAmB,QAA0B,QAA2B;AAC/E,QAAM,gBAAgB,OAAO,SAAS;AACtC,QAAM,UAAU,OAAO,QAAQ;AAC/B,MAAI,CAAC,iBAAiB,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAC/D,MAAI,CAAC,QAAQ,SAAS,aAAa,GAAG;AACpC,WAAO;AAAA,MACL,mBAAmB,aAAa,mCAAmC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACvF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAA0B,QAA2B;AACxE,QAAM,cAAc,gBAAgB,OAAO,QAAQ,qBAAqB;AACxE,QAAM,YAAY,gBAAgB,OAAO,MAAM,qBAAqB;AACpE,QAAM,eAAe,gBAAgB,OAAO,SAAS,qBAAqB;AAE1E,MAAI,eAAe,aAAa,YAAY,aAAa,UAAU,UAAU;AAC3E,QAAI,UAAU,QAAQ,YAAY,OAAO;AACvC,aAAO;AAAA,QACL,cAAc,UAAU,KAAK,IAAI,UAAU,QAAQ,uBAAuB,YAAY,KAAK;AAAA,MAC7F;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,aAAa,gBAAgB,UAAU,aAAa,aAAa,UAAU;AAC7E,QAAI,aAAa,QAAQ,UAAU,OAAO;AACxC,aAAO;AAAA,QACL,iBAAiB,aAAa,KAAK,IAAI,aAAa,QAAQ,uBAAuB,UAAU,KAAK;AAAA,MACpG;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,cACP,QACA,cACA,OACA,QACS;AACT,QAAM,MAAM,QAAQ,MAAM,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC1D,MAAI,KAAK;AACT,aAAW,CAAC,MAAM,OAAO,KAAK;AAAA,IAC5B,CAAC,UAAU,OAAO,MAAM;AAAA,IACxB,CAAC,QAAQ,OAAO,IAAI;AAAA,EACtB,GAAY;AACV,QAAI,CAAC,SAAS,QAAS;AACvB,UAAM,SAAS,YAAY,QAAQ,OAAO;AAC1C,QAAI,WAAW,MAAM;AACnB,aAAO,KAAK,GAAG,IAAI,sBAAsB;AACzC,WAAK;AACL;AAAA,IACF;AACA,QAAI,MAAM,SAAS,cAAc;AAC/B,aAAO,KAAK,GAAG,IAAI,uBAAuB,QAAQ,OAAO,EAAE;AAC3D,WAAK;AAAA,IACP;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,gBACP,OAC4C;AAC5C,MAAI,CAAC,OAAO,QAAQ,SAAS,CAAC,MAAM,OAAO,SAAU,QAAO;AAC5D,QAAM,IACJ,OAAO,MAAM,OAAO,UAAU,WAAW,OAAO,MAAM,OAAO,KAAK,IAAI,MAAM,OAAO;AACrF,MAAI,CAAC,OAAO,SAAS,CAAC,EAAG,QAAO;AAChC,SAAO,EAAE,OAAO,GAAG,UAAU,MAAM,OAAO,SAAS;AACrD;AAEA,SAAS,YAAY,OAA8B;AACjD,QAAM,QAAQ,OAAO,KAAK;AAC1B,MAAI,OAAO,SAAS,KAAK,KAAK,QAAQ,GAAG;AACvC,WAAO,SAAS,OAAO,KAAK,MAAM,QAAQ,GAAI,IAAI,KAAK,MAAM,KAAK;AAAA,EACpE;AACA,QAAM,aAAa,KAAK,MAAM,KAAK;AACnC,MAAI,OAAO,SAAS,UAAU,EAAG,QAAO,KAAK,MAAM,aAAa,GAAI;AACpE,SAAO;AACT;;;AC/JA,eAAsB,mBAAmB,OAAiD;AACxF,MAAI,CAAC,MAAM,iBAAiB;AAC1B,WAAO,EAAE,IAAI,OAAO,OAAO,2BAA2B;AAAA,EACxD;AAEA,QAAM,YAAY,eAAe,MAAM,iBAAiB,MAAM,gBAAgB,KAAK,MAAM,GAAG;AAC5F,MAAI,CAAC,UAAU,IAAI;AACjB,WAAO,EAAE,IAAI,OAAO,OAAO,UAAU,OAAO,gBAAgB,KAAK;AAAA,EACnE;AAEA,QAAM,iBAAiB,aAAa,MAAM,eAAe;AACzD,MAAI,CAAC,gBAAgB;AACnB,WAAO,EAAE,IAAI,OAAO,OAAO,uCAAuC;AAAA,EACpE;AAEA,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,MAAM,OAAO;AACxD,QAAM,EAAE,OAAO,IAAI,MAAM,UAAU;AAEnC,aAAW,aAAa,MAAM,eAAe;AAC3C,UAAM,cAAc,mBAAmB,UAAU,GAAG;AACpD,UAAM,YACJ,eAAe,gBAAgB,gBAAgB,CAAC,WAAW,IAAI,CAAC,WAAW,OAAO;AAEpF,eAAW,OAAO,WAAW;AAC3B,UAAI;AACF,cAAM,WAAW,MAAM,UAAU,QAAQ,UAAU,KAAK,gBAAgB,WAAW,GAAG;AACtF,YAAI,SAAU,QAAO,EAAE,IAAI,MAAM,WAAW,IAAI;AAAA,MAClD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,WAAW;AAAA,IACX,OAAO;AAAA,EACT;AACF;AAEA,eAAe,UACb,QACA,KACA,WACA,MACA,KACkB;AAClB,MAAI,QAAQ,WAAW;AACrB,QAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAW,QAAO;AACvD,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,KAAmB,EAAE,MAAM,UAAU,GAAG,OAAO;AAAA,MACvF;AAAA,IACF,CAAC;AACD,WAAO,MAAM,OAAO,OAAO,EAAE,MAAM,UAAU,GAAG,KAAK,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC;AAAA,EACpF;AACA,MAAI,QAAQ,SAAS;AACnB,QAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,MACrC;AAAA,MACA,CAAC,QAAQ;AAAA,IACX;AACA,WAAO,MAAM,OAAO;AAAA,MAClB,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,MACjC;AAAA,MACA,MAAM,SAAS;AAAA,MACf,MAAM,IAAI;AAAA,IACZ;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,MAAM,OAAgC;AAC7C,QAAM,MAAM,IAAI,YAAY,MAAM,UAAU;AAC5C,MAAI,WAAW,GAAG,EAAE,IAAI,KAAK;AAC7B,SAAO;AACT;AAEA,SAAS,eACP,aACA,cACA,OAC6C;AAC7C,MAAI,CAAC,YAAa,QAAO,EAAE,IAAI,OAAO,OAAO,2BAA2B;AACxE,QAAM,KAAK,eAAe,WAAW;AACrC,MAAI,OAAO,KAAM,QAAO,EAAE,IAAI,OAAO,OAAO,+BAA+B;AAC3E,QAAM,MAAM,QAAQ,MAAM,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC1D,MAAI,KAAK,IAAI,MAAM,EAAE,IAAI,cAAc;AACrC,WAAO,EAAE,IAAI,OAAO,OAAO,qBAAqB,YAAY,cAAc;AAAA,EAC5E;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,eAAe,OAA8B;AACpD,QAAM,QAAQ,OAAO,KAAK;AAC1B,MAAI,OAAO,SAAS,KAAK,KAAK,QAAQ,GAAG;AAEvC,WAAO,SAAS,OAAO,KAAK,MAAM,QAAQ,GAAI,IAAI,KAAK,MAAM,KAAK;AAAA,EACpE;AACA,QAAM,aAAa,KAAK,MAAM,KAAK;AACnC,MAAI,OAAO,SAAS,UAAU,EAAG,QAAO,KAAK,MAAM,aAAa,GAAI;AACpE,SAAO;AACT;AAEA,SAAS,mBAAmB,KAA4D;AACtF,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,UAAU,IAAI,YAAY;AAChC,MAAI,YAAY,aAAa,YAAY,QAAS,QAAO;AACzD,MAAI,YAAY,WAAW,QAAQ,WAAW,YAAY,EAAG,QAAO;AACpE,SAAO;AACT;AAEA,SAAS,aAAa,OAAkC;AACtD,MAAI;AAEF,UAAM,aAAa,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC7D,UAAM,MAAM,WAAW,SAAS,MAAM,IAAI,KAAK,IAAI,OAAO,IAAK,WAAW,SAAS,CAAE;AACrF,WAAO,IAAI,WAAW,OAAO,KAAK,aAAa,KAAK,QAAQ,CAAC;AAAA,EAC/D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,YAA+C;AAC5D,MAAI,OAAO,WAAW,WAAW,eAAe,WAAW,OAAO,QAAQ;AACxE,WAAO,EAAE,QAAQ,WAAW,OAAO,OAAO;AAAA,EAC5C;AACA,QAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,SAAO,EAAE,QAAQ,WAAW,UAAU,OAAuB;AAC/D;;;AClJA,SAAS,WAAW,YAAY,eAAe;AAqExC,SAAS,sBAAsB,SAAmD;AACvF,QAAM,OAAOM,YAAW,QAAQ,SAAS,eAAe;AACxD,MAAI,CAAC,QAAQ,CAAC,kBAAkB,KAAK,IAAI,EAAG,QAAO;AAEnD,MAAI;AACF,UAAM,aAAa,WAAW,YAAY,IAAI;AAC9C,WAAO;AAAA,MACL,MAAM;AAAA,MACN,YAAY;AAAA,QACV,WAAW,mBAAmB,WAAW,SAAS;AAAA,QAClD,QAAQ,WAAW;AAAA,QACnB,SAAS,WAAW;AAAA,MACtB;AAAA,MACA,SAAS,QAAQ;AAAA,IACnB;AAAA,EACF,QAAQ;AACN,WAAO,EAAE,MAAM,SAAS,OAAO,EAAE,MAAM,8BAA8B,EAAE;AAAA,EACzE;AACF;AAMO,SAAS,uBAAuB,UAAqD;AAC1F,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,aAAa,kBAAkB,QAAQ;AAC7C,QAAI,WAAW,WAAW,EAAG,QAAO;AACpC,UAAM,UAAU,MAAM,KAAK,IAAI,IAAI,WAAW,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACnE,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,gBAAgB;AAAA,IAClB;AAAA,EACF;AAEA,QAAM,gBAAgBA,YAAW,SAAS,SAAS,iBAAiB;AACpE,MAAI,eAAe;AACjB,QAAI;AACF,YAAM,SAAS,QAAQ,YAAY,aAAa;AAChD,YAAM,IAAI;AACV,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,UACP,QAAQC,cAAa,EAAE,MAAM;AAAA,UAC7B,WAAWA,cAAa,EAAE,SAAS;AAAA,UACnC,YAAYA,cAAa,EAAE,cAAc,EAAE,WAAW;AAAA,UACtD,QAAQA,cAAa,EAAE,MAAM;AAAA,UAC7B,WAAWA,cAAa,EAAE,SAAS;AAAA,UACnC,KAAK;AAAA,QACP;AAAA,MACF;AAAA,IACF,QAAQ;AACN,aAAO,EAAE,MAAM,SAAS,OAAO,EAAE,MAAM,2BAA2B,EAAE;AAAA,IACtE;AAAA,EACF;AAEA,QAAM,cAAcD,YAAW,SAAS,SAAS,cAAc;AAC/D,MAAI,eAAe,8BAA8B,KAAK,WAAW,GAAG;AAClE,UAAM,OACJ,OAAO,SAAS,SAAS,YAAY,SAAS,SAAS,OAClD,SAAS,OACV,CAAC;AACP,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO;AAAA,QACL,MAAMC,cAAa,KAAK,IAAI;AAAA,QAC5B,OAAOA,cAAa,KAAK,KAAK;AAAA,QAC9B,QAAQA,cAAa,KAAK,MAAM;AAAA,MAClC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,kBACd,SAI0B;AAC1B,MAAI,aAAa,QAAS,QAAO,sBAAsB,QAAQ,OAAO;AACtE,MAAI,cAAc,QAAS,QAAO,uBAAuB,QAAQ,QAAQ;AACzE,MAAI,OAAQ,QAA4B,WAAW,UAAU;AAC3D,WAAO,uBAAuB,OAA0B;AAAA,EAC1D;AACA,SAAO,sBAAsB,OAAyB;AACxD;AAEA,SAAS,kBAAkB,UAAkD;AAC3E,QAAM,UAAUD,YAAW,SAAS,SAAS,kBAAkB;AAC/D,MAAI,CAAC,QAAS,QAAO,CAAC;AACtB,QAAM,UAAU,IAAI,QAAQ;AAC5B,UAAQ,IAAI,oBAAoB,OAAO;AAEvC,QAAM,MAA6B,CAAC;AACpC,MAAI;AACF,UAAM,OAAO,UAAU,gBAAgB,OAAO;AAC9C,eAAW,MAAM,MAAM;AACrB,UAAI,KAAK,mBAAmB,EAAoC,CAAC;AAAA,IACnE;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AAEA,SAAS,mBACP,IACqB;AACrB,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,IAAIC,cAAa,IAAI,EAAE,KAAK;AAAA,IAC5B,OAAOA,cAAa,IAAI,KAAK,KAAK;AAAA,IAClC,QAAQA,cAAa,IAAI,MAAM,KAAK;AAAA,IACpC,QAAQA,cAAa,IAAI,MAAM,KAAK;AAAA,IACpC,SAAU,IAAI,WAAuC,CAAC;AAAA,IACtD,SAASA,cAAa,IAAI,OAAO;AAAA,IACjC,QAAQA,cAAa,IAAI,MAAM;AAAA,IAC/B,aAAaA,cAAa,IAAI,WAAW;AAAA,IACzC,QAAQ,IAAI;AAAA,EACd;AACF;AAEA,SAASD,YACP,SACA,MACoB;AACpB,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,KAAK,IAAI;AAAA,IAC9C;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASC,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;ACtOA,SAAS,kBAAkB;AAsBpB,SAAS,UAAU,OAAwC;AAChE,QAAM,EAAE,QAAQ,IAAI;AACpB,QAAM,YAAY,MAAM,gBAAgB;AACxC,QAAM,SAAS,MAAM,MAAM,MAAM,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAIrE,QAAM,YAAY,QAAQ,YAAY,cAAc,QAAQ,cAAc,QAAQ,WAAW,CAAC;AAC9F,QAAM,SAAS,QAAQ,YAAY;AACnC,QAAM,SAAS,WAAW;AAE1B,MAAI,WAAW;AACf,MAAI,WAAW,SAAS;AACtB,UAAM,eAAe,KAAK,MAAM,UAAU,OAAO;AACjD,QAAI,CAAC,OAAO,SAAS,YAAY,GAAG;AAClC,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,cAAc;AAAA,QACd;AAAA,QACA;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AACA,UAAM,aAAa,KAAK,MAAM,eAAe,GAAI;AACjD,QAAI,SAAS,aAAa,WAAW;AACnC,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,MAAI,eAA+B;AACnC,MAAI,WAAW,UAAU,MAAM,YAAY,QAAW;AACpD,QAAI;AACF,UAAI,CAAC,YAAY,KAAK,UAAU,MAAM,GAAG;AACvC,uBAAe;AAAA,MACjB,OAAO;AACL,uBAAe,WAAW,OAAO,UAAU,QAA+B,MAAM,OAAO;AAAA,MACzF;AAAA,IACF,QAAQ;AACN,qBAAe;AAAA,IACjB;AAAA,EACF;AAEA,QAAM,KAAK,aAAa,iBAAiB,QAAQ,iBAAiB;AAClE,QAAM,SAAmB,CAAC;AAC1B,MAAI,CAAC,SAAU,QAAO,KAAK,mBAAmB;AAC9C,MAAI,iBAAiB,MAAO,QAAO,KAAK,sBAAsB;AAE9D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,OAAO,SAAS,IAAI,OAAO,KAAK,IAAI,IAAI;AAAA,EACjD;AACF;;;AC3EA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AACP,SAAS,wBAAwB;AAwD1B,SAAS,uBAAuB,SAAqD;AAC1F,QAAM,cAAcC,YAAW,QAAQ,SAAS,WAAW;AAG3D,MAAI,QAAQ,QAAQ,OAAO,QAAQ,SAAS,UAAU;AACpD,UAAM,SAAS,gBAAgB,QAAQ,IAAI;AAC3C,QAAI,OAAQ,QAAO,oBAAoB,QAAQ,MAAM;AAAA,EACvD;AAGA,MAAI,aAAa;AACf,QAAI;AACF,YAAM,UAAU,iBAAiB,WAAW;AAC5C,UAAI,SAAS;AACX,cAAM,OAAO,KAAK,MAAM,OAAO;AAC/B,cAAM,SAAS,gBAAgB,IAAI;AACnC,YAAI,OAAQ,QAAO,oBAAoB,QAAQ,QAAQ;AAAA,MACzD;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,OAAO,EAAE,MAAM,uBAAuB;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,wBAAwB,UAAuD;AAC7F,MAAI,SAAS,WAAW,IAAK,QAAO;AAGpC,MAAI,SAAS,QAAQ,OAAO,SAAS,SAAS,UAAU;AACtD,UAAM,SAAS,iBAAiB,SAAS,IAAI;AAC7C,QAAI,OAAQ,QAAO,qBAAqB,QAAQ,MAAM;AAAA,EACxD;AAGA,QAAM,cAAcA,YAAW,SAAS,SAAS,oBAAoB;AACrE,MAAI,aAAa;AACf,QAAI;AACF,YAAM,UAAU,iBAAiB,WAAW;AAC5C,UAAI,SAAS;AACX,cAAM,OAAO,KAAK,MAAM,OAAO;AAC/B,cAAM,SAAS,iBAAiB,IAAI;AACpC,YAAI,OAAQ,QAAO,qBAAqB,QAAQ,QAAQ;AAAA,MAC1D;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,OAAO,EAAE,MAAM,wBAAwB;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,mBACd,SAI2B;AAC3B,MAAI,aAAa,QAAS,QAAO,uBAAuB,QAAQ,OAAO;AACvE,MAAI,cAAc,QAAS,QAAO,wBAAwB,QAAQ,QAAQ;AAC1E,MAAI,OAAQ,QAA6B,WAAW,UAAU;AAC5D,WAAO,wBAAwB,OAA2B;AAAA,EAC5D;AACA,SAAO,uBAAuB,OAA0B;AAC1D;AAEA,SAAS,iBAAiB,MAAuC;AAC/D,MAAI;AACF,WAAO,wBAAwB,IAAI;AAAA,EACrC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,gBAAgB,MAAsC;AAC7D,MAAI;AACF,WAAO,uBAAuB,IAAI;AAAA,EACpC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,qBACP,QACA,QACoB;AACpB,QAAM,WAAW;AACjB,QAAM,UAAU,cAAc,SAAS,WAAW;AAClD,QAAM,UAAW,SAAS,WAAiD,CAAC;AAC5E,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,MACf,UAAU,gBAAgB,SAAS,QAAQ;AAAA,MAC3C,SAAS,QAAQ,IAAI,oBAAoB;AAAA,MACzC,YAAY,SAAS;AAAA,MACrB,OAAO,OAAO,SAAS,UAAU,WAAW,SAAS,QAAQ;AAAA,IAC/D;AAAA,EACF;AACF;AAEA,SAAS,oBACP,QACA,QACoB;AACpB,QAAM,WAAW;AACjB,QAAM,UAAU,cAAc,SAAS,WAAW;AAClD,QAAM,WAAW,SAAS;AAC1B,QAAM,UAAW,SAAS,WAAuC,CAAC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,gBAAgB;AAAA,MACd,QAAQ,UAAU,WAAW,OAAO,SAAS,WAAW,WAAW,SAAS,SAAS;AAAA,MACrF,SAAS,UAAU,YAAY,OAAO,SAAS,YAAY,WAAW,SAAS,UAAU;AAAA,MACzF;AAAA,MACA,YAAY,SAAS;AAAA,IACvB;AAAA,EACF;AACF;AAEA,SAAS,qBAAqB,KAAmD;AAC/E,QAAM,IAAI;AACV,QAAM,SAAU,EAAE,UAAU,EAAE,qBAAqB;AACnD,SAAO;AAAA,IACL,QAAS,EAAE,UAAqB;AAAA,IAChC,SAAU,EAAE,WAAsB;AAAA,IAClC,OAAQ,EAAE,SAAoB;AAAA,IAC9B,QAAQ,OAAO,MAAM;AAAA,IACrB,OAAQ,EAAE,SAAoB;AAAA,IAC9B,mBAAmB,OAAO,EAAE,sBAAsB,WAAW,EAAE,oBAAoB;AAAA,IACnF,UAAU,OAAO,EAAE,aAAa,WAAW,EAAE,WAAW;AAAA,IACxD,aAAa,OAAO,EAAE,gBAAgB,WAAW,EAAE,cAAc;AAAA,EACnE;AACF;AAEA,SAAS,gBAAgB,GAAoB;AAC3C,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,KAAK,OAAO,MAAM,YAAY,SAAS,KAAK,OAAQ,EAAuB,QAAQ,UAAU;AAC/F,WAAQ,EAAsB;AAAA,EAChC;AACA,SAAO;AACT;AAEA,SAAS,cAAc,GAA0B;AAC/C,MAAI,MAAM,KAAK,MAAM,EAAG,QAAO;AAC/B,SAAO;AACT;AAEA,SAASA,YACP,SACA,MACoB;AACpB,MAAI,CAAC,QAAS,QAAO;AACrB,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;;;ACrOA,SAAS,cAAAC,aAAY,iBAAiB;AAkDtC,eAAsB,cAAc,OAA+C;AACjF,QAAM,SAAmB,CAAC;AAC1B,QAAM,YAAY,MAAM,gBAAgB;AACxC,QAAM,MAAM,MAAM,MAAM,MAAM,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAClE,QAAM,EAAE,IAAI,IAAI,KAAK,IAAI,IAAI,MAAM;AAGnC,QAAM,UAAU,KAAK,MAAM,MAAM,gBAAgB,IAAI,IAAI,IAAI;AAC7D,MAAI,MAAM,CAAC,QAAS,QAAO,KAAK,sBAAsB;AAEtD,QAAM,QAAQ,cAAc,IAAI,OAAO;AACvC,QAAM,UAAU,MAAM,MAAM,gBAAgB,IAAI,SAAS,IAAI;AAC7D,MAAI,CAAC,QAAS,QAAO,KAAK,sBAAsB;AAEhD,QAAM,QAAQ,cAAc,GAAG,OAAO;AACtC,QAAM,WAAW,MAAM,MAAM,MAAM,gBAAgB,KAAK,SAAS,IAAI,IAAI;AACzE,MAAI,OAAO,CAAC,SAAU,QAAO,KAAK,uBAAuB;AACzD,QAAM,WAAW,MAAM,MAAM,MAAM,gBAAgB,KAAK,SAAS,IAAI,IAAI;AACzE,MAAI,OAAO,CAAC,SAAU,QAAO,KAAK,uBAAuB;AAGzD,MAAI,YAAY;AAChB,MAAI,OAAO;AACT,UAAM,kBAAkB,MAAM,YAAY,EAAE;AAC5C,gBAAY,kBAAkB,MAAM,iBAAiB,OAAO,eAAe,IAAI;AAC/E,QAAI,CAAC,UAAW,QAAO,KAAK,yCAAyC;AAAA,EACvE;AAEA,MAAI,YAAY;AAChB,MAAI,UAAU,OAAO,MAAM;AACzB,UAAM,UAAU,OAAO;AACvB,UAAM,kBAAkB,MAAM,YAAY,OAAO;AACjD,gBAAY,kBAAkB,MAAM,iBAAiB,OAAO,eAAe,IAAI;AAC/E,QAAI,CAAC,UAAW,QAAO,KAAK,yCAAyC;AAAA,EACvE;AAGA,MAAI,mBAAmC;AACvC,MAAI,OAAO,KAAK;AACd,UAAM,IAAIC,cAAa,IAAI,QAAQ,kBAAkB,IAAI,QAAQ,aAAa;AAC9E,UAAM,IAAIA,cAAa,IAAI,QAAQ,kBAAkB,IAAI,QAAQ,aAAa;AAC9E,QAAI,KAAK,GAAG;AACV,yBAAmB,MAAM;AACzB,UAAI,CAAC,kBAAkB;AACrB,eAAO,KAAK,uBAAuB,CAAC,wCAAwC,CAAC,GAAG;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAGA,MAAI,iBAAiC;AACrC,MAAI,KAAK;AACP,UAAM,eAAeA;AAAA,MACnB,IAAI,QAAQ,iBACV,IAAI,QAAQ,8BACX,IAAI,QAAQ,mBAA2D;AAAA,IAC5E;AACA,QAAI,cAAc;AAChB,YAAM,WAAW,0BAA0B,EAAE;AAC7C,uBAAiB,WAAW,iBAAiB,WAAW;AACxD,UAAI,CAAC,gBAAgB;AACnB,eAAO,KAAK,oEAAoE;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,kBAAkB,CAAC,IAAI,IAAI,KAAK,GAAG,GAAG,WAAW,KAAK,MAAM;AAE7E,QAAM,KACJ,YAAY,SACZ,WACA,aAAa,SACb,aAAa,SACb,aACA,aACA,qBAAqB,SACrB,mBAAmB,SACnB;AAEF,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,cAAc,SAA0D;AAC/E,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,MAAM,QAAQ;AACpB,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,MAAM,IAAI;AAChB,SAAO,OAAO;AAChB;AAEA,eAAe,YAAY,OAAqC;AAE9D,QAAM,aAAa,cAAc,MAAM,MAAM;AAC7C,MAAI,WAAY,QAAO;AACvB,QAAM,cAAc,cAAc,MAAM,OAAO;AAC/C,SAAO;AACT;AAEA,eAAe,iBAAiB,GAAQ,GAA0B;AAChE,MAAI;AACF,UAAM,KAAK,MAAM,cAAc,CAAC;AAChC,UAAM,KAAK,MAAM,cAAc,CAAC;AAChC,WAAO,OAAO;AAAA,EAChB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAe,cAAc,KAA2B;AACtD,QAAM,YAAY,aAAa,GAAG;AAClC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,SAAS,CAAC;AAChE,QAAM,SAAS,UAAU;AACzB,QAAM,SAAS,MAAM,IAAI,QAAqB,CAAC,SAAS,WAAW;AACjE,UAAM,SAAS,IAAI,YAAY,MAAM,UAAU;AAC/C,QAAI,WAAW,MAAM,EAAE,IAAI,KAAK;AAChC,WAAO,OAAO,WAAW,MAAM,EAAE,KAAK,OAAO,EAAE,MAAM,MAAM;AAAA,EAC7D,CAAC;AACD,SAAO,OAAO,KAAK,IAAI,WAAW,MAAM,CAAC,EAAE,SAAS,WAAW,EAAE,QAAQ,OAAO,EAAE;AACpF;AAEA,SAAS,aAAa,KAAkC;AAGtD,MAAI,IAAI,QAAQ,MAAM;AACpB,WAAO,EAAE,KAAK,IAAI,OAAO,IAAI,KAAK,MAAM,GAAG,IAAI,KAAK,IAAI,GAAG,IAAI,KAAK,GAAG;AAAA,EACzE;AACA,MAAI,IAAI,QAAQ,OAAO;AACrB,WAAO,EAAE,KAAK,IAAI,OAAO,IAAI,KAAK,OAAO,GAAG,IAAI,KAAK,GAAG;AAAA,EAC1D;AACA,MAAI,IAAI,QAAQ,OAAO;AACrB,WAAO,EAAE,GAAG,IAAI,KAAK,IAAI,KAAK,OAAO,GAAG,IAAI,KAAK,GAAG;AAAA,EACtD;AACA,SAAO,EAAE,KAAK,IAAI,OAAO,GAAG;AAC9B;AAEA,SAAS,0BAA0B,IAA4B;AAC7D,QAAM,qBAAsB,GAAG,QAAQ,YAAY,GAAG,QAAQ;AAC9D,MAAI,CAAC,mBAAoB,QAAO;AAChC,QAAM,YAAY,mBAAmB,kBAAkB;AACvD,QAAM,OAAOD,YAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO,WAAW,EAAE,QAAQ,OAAO,EAAE;AACzF,SAAO;AACT;AAEA,SAAS,mBAAmB,OAAwB;AAClD,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC5E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,MAAM,IAAI,kBAAkB,EAAE,KAAK,GAAG,IAAI;AACjF,QAAM,UAAU,OAAO,QAAQ,KAAgC,EAAE;AAAA,IAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAC5E,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI;AAAA,EAC3B;AACA,SACE,MAAM,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,UAAU,CAAC,IAAI,MAAM,mBAAmB,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAE/F;AAEA,SAAS,kBACP,QACA,cACA,QACA,QACS;AACT,MAAI,KAAK;AACT,QAAM,QAAQ,CAAC,MAAM,MAAM,OAAO,KAAK;AACvC,SAAO,QAAQ,CAAC,OAAO,QAAQ;AAC7B,QAAI,CAAC,MAAO;AACZ,UAAM,MAAME,eAAc,MAAM,QAAQ,OAAO,MAAM,QAAQ,OAAO;AACpE,QAAI,QAAQ,OAAW;AACvB,QAAI,SAAS,MAAM,cAAc;AAC/B,aAAO,KAAK,GAAG,MAAM,GAAG,CAAC,uBAAuB,GAAG,EAAE;AACrD,WAAK;AAAA,IACP;AAAA,EACF,CAAC;AACD,SAAO;AACT;AAEA,SAASA,eAAc,GAAgC;AACrD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,CAAC;AACtB,QAAI,OAAO,SAAS,KAAK,KAAK,QAAQ,GAAG;AACvC,aAAO,SAAS,OAAO,KAAK,MAAM,QAAQ,GAAI,IAAI,KAAK,MAAM,KAAK;AAAA,IACpE;AACA,UAAM,SAAS,KAAK,MAAM,CAAC;AAC3B,QAAI,OAAO,SAAS,MAAM,EAAG,QAAO,KAAK,MAAM,SAAS,GAAI;AAAA,EAC9D;AACA,SAAO;AACT;AAEA,SAASD,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;AC3JA,eAAsB,oBAAoB,OAAwD;AAChG,QAAM,eAAyB,CAAC;AAChC,QAAM,aAAqC,CAAC;AAC5C,QAAM,UAAU,EAAE,WAAW,GAAG,UAAU,GAAG,QAAQ,EAAE;AAEvD,QAAM,eAAe,YAAY,IAAI;AACrC,QAAM,UAAU,eAAe,KAAK;AACpC,QAAM,mBAAmB,wBAAwB,KAAK;AACtD,QAAM,iBAAiB,sBAAsB,KAAK;AAClD,QAAM,eAAe,oBAAoB,KAAK;AAC9C,UAAQ,YAAY,KAAK,MAAM,YAAY,IAAI,IAAI,YAAY;AAE/D,QAAM,cAAc,YAAY,IAAI;AACpC,MAAI,WAAW;AAEf,MAAI,MAAM,IAAI,aAAa;AACzB,eAAW,KAAK,MAAM,cAAc,MAAM,GAAG,WAAW;AACxD,QAAI,CAAC,WAAW,GAAG,GAAI,YAAW;AAAA,EACpC;AAEA,MAAI,MAAM,KAAK;AACb,eAAW,MAAM,eAAe;AAAA,MAC9B,QAAQ,MAAM,IAAI;AAAA,MAClB,cAAc,MAAM;AAAA,MACpB,KAAK,MAAM;AAAA,IACb,CAAC;AACD,QAAI,CAAC,WAAW,IAAI,GAAI,YAAW;AAAA,EACrC;AAEA,MAAI,MAAM,KAAK,aAAa;AAC1B,eAAW,MAAM,MAAM,mBAAmB,MAAM,IAAI,WAAW;AAC/D,QAAI,CAAC,WAAW,IAAI,MAAM,WAAW,IAAI,eAAgB,YAAW;AACpE,QAAI,WAAW,IAAI,cAAc,eAAe;AAC9C,mBAAa,KAAK,qCAAqC;AAAA,IACzD,WAAW,CAAC,WAAW,IAAI,IAAI;AAC7B,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,MAAI,MAAM,SAAS;AACjB,eAAW,UAAU,MAAM,cAAc,MAAM,QAAQ,SAAS,MAAM,QAAQ,aAAa;AAC3F,QAAI,CAAC,WAAW,QAAQ,GAAI,YAAW;AAAA,EACzC;AAEA,MAAI,MAAM,KAAK;AACb,eAAW,MAAM,UAAU;AAAA,MACzB,SAAS,MAAM,IAAI;AAAA,MACnB,SAAS,MAAM,IAAI;AAAA,MACnB,cAAc,MAAM;AAAA,MACpB,KAAK,MAAM;AAAA,IACb,CAAC;AACD,QAAI,CAAC,WAAW,IAAI,GAAI,YAAW;AACnC,QAAI,MAAM,IAAI,QAAQ,YAAY,QAAQ;AACxC,mBAAa,KAAK,cAAc,YAAY,MAAM,IAAI,QAAQ,WAAW,MAAM,CAAC,EAAE;AAAA,IACpF;AAAA,EACF;AAEA,MAAI,MAAM,eAAe;AACvB,eAAW,gBAAgB;AAAA,MACzB,MAAM,cAAc;AAAA,MACpB,MAAM,cAAc;AAAA,MACpB,MAAM,cAAc;AAAA,MACpB,EAAE,KAAK,MAAM,MAAM,MAAM,MAAM,IAAK,IAAI,OAAU;AAAA,IACpD;AACA,QAAI,CAAC,WAAW,cAAc,IAAI;AAChC,mBAAa,KAAK,4BAA4B;AAAA,IAChD;AAAA,EACF;AACA,UAAQ,WAAW,KAAK,MAAM,YAAY,IAAI,IAAI,WAAW;AAE7D,MAAI;AACJ,MAAI,MAAM,oBAAoB,eAAe,SAAS,GAAG;AACvD,UAAM,QAAQ,MAAM,aAAa,gBAAgB,MAAM,gBAAgB;AACvE,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,wBAAwB,MAAM;AAAA,MAC9B,sBAAsB,MAAM;AAAA,IAC9B;AACA,QAAI,MAAM,qBAAsB,cAAa,KAAK,iCAAiC;AAAA,EACrF,WAAW,eAAe,SAAS,GAAG;AACpC,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,wBAAwB;AAAA,MACxB,sBAAsB;AAAA,IACxB;AAAA,EACF;AAEA,QAAM,YAAY,YAAY,IAAI;AAClC,QAAM,cAAc,kBAAkB,KAAK;AAC3C,MAAI,eAAe,CAAC,YAAY,GAAI,YAAW;AAC/C,UAAQ,SAAS,KAAK,MAAM,YAAY,IAAI,IAAI,SAAS;AAEzD,MAAI,cAAc,SAAS,aAAc,cAAa,KAAK,oBAAoB;AAC/E,MAAI,cAAc,SAAS,SAAU,cAAa,KAAK,yBAAyB;AAChF,MAAI,cAAc,SAAS,WAAY,cAAa,KAAK,2BAA2B;AAEpF,QAAM,aAAa,MAAM,KAAK,QAAQ;AAEtC,SAAO;AAAA,IACL,UAAU,MAAM;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB,MAAM,KAAK,QAAQ;AAAA,IACtC;AAAA,IACA,SAAS,aACL;AAAA,MACE,QAAQ,WAAW;AAAA,MACnB,WAAW,WAAW;AAAA,MACtB,QAAQ,WAAW;AAAA,MACnB,WAAW,WAAW;AAAA,IACxB,IACA;AAAA,IACJ;AAAA,IACA;AAAA,IACA,IAAI,CAAC;AAAA,EACP;AACF;AAEA,SAAS,eAAe,OAAsD;AAC5E,MAAI,MAAM,IAAI,OAAO,aAAa;AAChC,WAAO,sBAAsB,MAAM,GAAG,OAAO,WAAW;AAAA,EAC1D;AACA,MAAI,MAAM,KAAK,OAAO,QAAS,QAAO;AACtC,MAAI,MAAM,KAAK,OAAO,KAAM,QAAO;AACnC,MAAI,MAAM,KAAK,OAAO,OAAQ,QAAO;AACrC,MAAI,MAAM,KAAK,UAAU;AACvB,UAAM,CAAC,QAAQ,IAAI,IAAI,MAAM,IAAI,SAAS,MAAM,GAAG;AACnD,WAAO,uBAAuB,UAAU,QAAQ,QAAQ,GAAG;AAAA,EAC7D;AACA,MAAI,MAAM,KAAK,QAAQ,UAAU;AAG/B,YAAQ,MAAM,IAAI,QAAQ,UAAU;AAAA,MAClC,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO,uBAAuB,QAAQ,oBAAoB;AAAA,IAC9D;AAAA,EACF;AACA,MAAI,MAAM,SAAS,KAAK;AACtB,WAAO;AAAA,MACL,MAAM,QAAQ,QAAQ,YAAY,MAAM,QAAQ,QAAQ,aACnD,MAAM,QAAQ,MACf;AAAA,IACN;AAAA,EACF;AACA,MAAI,MAAM,KAAK,QAAQ,YAAY,aAAa,MAAM,KAAK,QAAQ,aAAa,CAAC,GAAG;AAClF,UAAM,YAAY,MAAM,IAAI,QAAQ,YAAY,aAAa,MAAM,IAAI,QAAQ,aAAa,CAAC;AAC7F,UAAM,SAAS,WAAW,OAAO,WAAW,SAAS,UAAU,KAAK,CAAC;AACrE,WAAO;AAAA,MACL,WAAW,WAAW,YAAY,YAAY;AAAA,MAC9C,OAAO,SAAS,MAAM,IAAI,SAAS;AAAA,IACrC;AAAA,EACF;AACA,MAAI,MAAM,MAAM,iBAAiB;AAC/B,UAAM,MAAM,MAAM,KAAK,gBAAgB,QAAQ,CAAC,GAAG;AACnD,WAAO,wBAAwB,OAAO,GAAG,CAAC;AAAA,EAC5C;AACA,MAAI,MAAM,MAAM,eAAgB,QAAO;AACvC,SAAO;AACT;AAEA,SAAS,wBACP,OACqC;AACrC,MAAI,MAAM,IAAI,QAAQ;AACpB,UAAM,IAAI,0BAA0B;AAAA,MAClC,aAAa,MAAM,GAAG,OAAO;AAAA,MAC7B,kBAAmB,MAAM,GAAG,OAAO,YAAY,iBAC/C,OAAO,MAAM,GAAG,OAAO,YAAY,cAAc,QAAQ,WACrD;AAAA,QACE,QAAQ,MAAM,GAAG,OAAO,YAAY,cAAc;AAAA,QAClD,UAAU,MAAM,GAAG,OAAO,YAAY,cAAc;AAAA,MACtD,IACA;AAAA,IACN,CAAC;AACD,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,KAAK,QAAQ;AACrB,UAAM,IAAI,2BAA2B,EAAE,QAAQ,MAAM,IAAI,OAAO,CAAC;AACjE,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,KAAK,QAAQ,QAAQ;AAC7B,UAAM,IAAI,2BAA2B,EAAE,QAAQ,MAAM,IAAI,QAAQ,OAAO,CAAC;AACzE,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,KAAK,QAAQ,YAAY,WAAW;AAC5C,UAAM,KAAK,MAAM,IAAI,QAAQ,WAAW;AACxC,UAAM,IAAI,2BAA2B,EAAE,QAAQ,GAAG,QAAQ,SAAS,GAAG,QAAQ,CAAC;AAC/E,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,MAAM,iBAAiB;AAC/B,UAAM,QAAQ,MAAM,KAAK,gBAAgB,QAAQ,CAAC;AAClD,QAAI,OAAO;AACT,YAAM,IAAI,4BAA4B;AAAA,QACpC,mBAAmB,OAAO,MAAM,MAAM;AAAA,QACtC,OAAO,MAAM;AAAA,MACf,CAAC;AACD,UAAI,EAAG,QAAO;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,OAA+C;AAC5E,QAAM,SAA0B,CAAC;AACjC,MAAI,MAAM,IAAI,OAAO;AACnB,WAAO,KAAK,EAAE,UAAU,MAAM,OAAO,OAAO,OAAO,MAAM,GAAG,OAAO,IAAI,CAAC;AAC1E,MAAI,MAAM,KAAK,QAAQ;AACrB,UAAM,UACJ,MAAM,IAAI,OAAO,QAAQ,YACzB,MAAM,IAAI,OAAO,MAAM,YACvB,MAAM,IAAI,OAAO,SAAS;AAC5B,QAAI,QAAS,QAAO,KAAK,EAAE,UAAU,OAAO,OAAO,YAAY,OAAO,QAAQ,CAAC;AAAA,EACjF;AACA,MAAI,MAAM,KAAK,QAAQ,QAAQ;AAC7B,WAAO,KAAK,EAAE,UAAU,OAAO,OAAO,UAAU,OAAO,MAAM,IAAI,QAAQ,OAAO,CAAC;AAAA,EACnF;AACA,MAAI,MAAM,KAAK,QAAQ,YAAY,QAAQ;AACzC,WAAO,KAAK,EAAE,UAAU,OAAO,OAAO,UAAU,OAAO,MAAM,IAAI,QAAQ,WAAW,OAAO,CAAC;AAAA,EAC9F;AACA,MAAI,MAAM,SAAS;AAAA,EAEnB;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAA+D;AAC1F,MAAI,MAAM,KAAK,QAAQ,cAAc,MAAM;AACzC,WAAO,EAAE,SAAS,MAAM,MAAM,MAAM,IAAI,QAAQ,aAAa,KAAK;AAAA,EACpE;AACA,QAAM,YAAY,MAAM,KAAK,QAAQ,YAAY,WAAW;AAC5D,MAAI,cAAc,QAAS,QAAO,EAAE,SAAS,MAAM,MAAM,WAAW;AACpE,MAAI,cAAc,SAAU,QAAO,EAAE,SAAS,MAAM,MAAM,aAAa;AACvE,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAgE;AACzF,QAAM,cAAc,MAAM,eAAe,CAAC;AAC1C,QAAM,UAA2C,CAAC;AAClD,QAAM,UAAoB,CAAC;AAC3B,MAAI,SAAS;AAEb,MAAI,MAAM,IAAI,QAAQ;AACpB,UAAM,WAAW,sBAAsB;AAAA,MACrC,aAAa,MAAM,GAAG,OAAO;AAAA,MAC7B;AAAA,IACF,CAAC;AACD,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,SAAS,OAAO,GAAG;AACrD,cAAQ,CAAC,IAAI;AACb,UAAI,CAAC,EAAE,MAAM,EAAE,OAAQ,SAAQ,KAAK,EAAE,MAAM;AAAA,IAC9C;AACA,QAAI,OAAO,KAAK,SAAS,OAAO,EAAE,SAAS,EAAG,UAAS;AAAA,EACzD;AAEA,QAAM,aAAa,MAAM;AACzB,MAAI,YAAY,uBAAuB;AACrC,UAAM,KAAK,+BAA+B;AAAA,MACxC,gBAAgB,WAAW;AAAA,MAC3B,iBAAiB,YAAY;AAAA,IAC/B,CAAC;AACD,YAAQ,gBAAgB;AACxB,QAAI,CAAC,GAAG,MAAM,GAAG,OAAQ,SAAQ,KAAK,GAAG,MAAM;AAC/C,aAAS;AAAA,EACX;AACA,MAAI,YAAY,eAAe;AAC7B,UAAM,KAAK,sBAAsB;AAAA,MAC/B,OAAO,WAAW;AAAA,MAClB,WAAW,EAAE,QAAQ,YAAY,QAAQ,UAAU,YAAY,SAAS;AAAA,IAC1E,CAAC;AACD,YAAQ,gBAAgB;AACxB,QAAI,CAAC,GAAG,MAAM,GAAG,OAAQ,SAAQ,KAAK,GAAG,MAAM;AAC/C,aAAS;AAAA,EACX;AAEA,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,EAAE,IAAI,QAAQ,WAAW,GAAG,SAAS,QAAQ;AACtD;AAEA,SAAS,YAAY,QAAwB;AAE3C,SAAO,OAAO,QAAQ,mBAAmB,EAAE,EAAE,MAAM,GAAG,EAAE;AAC1D;;;AC5YA,IAAM,WAAW,oBAAI,IAAgC;AAE9C,SAAS,2BAA8B,WAAwC;AACpF,MAAI,CAAC,aAAa,OAAO,UAAU,SAAS,YAAY,UAAU,KAAK,WAAW,GAAG;AACnF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AACA,WAAS,IAAI,UAAU,MAAM,SAA+B;AAC9D;AAEO,SAAS,yBAA4D;AAC1E,SAAO,MAAM,KAAK,SAAS,OAAO,CAAC;AACrC;AAEO,SAAS,sBAAsB,MAA8C;AAClF,SAAO,SAAS,IAAI,IAAI;AAC1B;AAEO,SAAS,2BAAiC;AAC/C,WAAS,MAAM;AACjB;AAOA,eAAsB,sBACpB,SACkC;AAClC,QAAM,MAA+B,CAAC;AACtC,aAAW,aAAa,SAAS,OAAO,GAAG;AACzC,QAAI,CAAC,UAAU,MAAM,OAAO,EAAG;AAC/B,UAAM,SAAS,MAAM,UAAU,QAAQ,OAAO;AAC9C,QAAI,WAAW,QAAQ,WAAW,OAAW,KAAI,UAAU,IAAI,IAAI;AAAA,EACrE;AACA,SAAO;AACT;;;ACpDA,SAAS,0BAAoC;AAG7C,IAAM,wBAAwB;AAQvB,SAAS,mBAAmB,UAA+B,CAAC,GAAqB;AACtF,QAAM,MAAM,IAAI,IAAI,QAAQ,WAAW,qBAAqB;AAC5D,QAAM,OAAO,mBAAmB,KAAK;AAAA,IACnC,aAAa,QAAQ;AAAA,IACrB,kBAAkB,QAAQ;AAAA,EAC5B,CAAC;AAED,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,QAAQ,KAAa,SAA+C;AACxE,UAAI,CAAC,IAAK,QAAO;AACjB,UAAI;AACF,cAAM,MAAM,MAAM,KAAK;AAAA,UACrB;AAAA,UACA,KAAK,SAAS,aAAa;AAAA,UAC3B,KAAK;AAAA,QACP,CAAC;AACD,eAAO,qBAAqB,GAAG;AAAA,MACjC,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,SAAuC;AACzE,MAAI,CAAC,QAAS,QAAO;AAGrB,MAAI,OAAO,YAAY,YAAY,SAAU,SAAoB;AAC/D,WAAO;AAAA,EACT;AACA,QAAM,EAAE,UAAU,IAAI,MAAM,OAAO,MAAM;AACzC,MAAI;AACF,WAAO,MAAM,UAAU,OAA0C;AAAA,EACnE,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACvBO,SAAS,yBACd,UAAqC,CAAC,GACpB;AAClB,QAAM,QAAQ,oBAAI,IAAuB;AACzC,QAAM,SAAS,QAAQ,eAAe;AACtC,QAAM,UAAU,QAAQ,SAAS,WAAW;AAC5C,MAAI,SAAS;AAEb,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,QAAQ,KAAkC;AAC9C,UAAI,CAAC,IAAK,QAAO;AAEjB,UAAI,CAAC,QAAQ,aAAa;AACxB,YAAI,CAAC,UAAU,CAAC,QAAQ,QAAQ;AAC9B,mBAAS;AAET,kBAAQ;AAAA,YACN;AAAA,UAEF;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAEA,YAAM,SAAS,MAAM,IAAI,GAAG;AAC5B,UAAI,UAAU,OAAO,YAAY,KAAK,IAAI,EAAG,QAAO,OAAO;AAE3D,UAAI;AACF,cAAM,MAAM,MAAM,QAAQ,QAAQ,WAAW;AAC7C,YAAI,CAAC,IAAI,GAAI,QAAO;AACpB,cAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,cAAM,OAAO,KAAK,QAAQ,CAAC;AAC3B,mBAAW,KAAK,MAAM;AACpB,cAAI,EAAE,QAAQ,KAAK;AACjB,kBAAM,IAAI,KAAK,EAAE,KAAK,GAAG,WAAW,KAAK,IAAI,IAAI,SAAS,IAAK,CAAC;AAChE,mBAAO;AAAA,UACT;AAAA,QACF;AACA,eAAO;AAAA,MACT,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;;;AC3DA,IAAM,iBAAiB;AAiBhB,SAAS,yBACd,UAAqC,CAAC,GACpB;AAClB,QAAM,QAAQ,oBAAI,IAA4B;AAC9C,QAAM,SAAS,QAAQ,eAAe;AACtC,QAAM,UAAU,QAAQ,SAAS,WAAW;AAE5C,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,QAAQ,KAAa,SAA+C;AACxE,UAAI,CAAC,IAAK,QAAO;AAEjB,YAAM,eAAe,oBAAoB,QAAQ,cAAc,SAAS,MAAM;AAC9E,UAAI,CAAC,aAAc,QAAO;AAE1B,YAAM,SAAS,MAAM,IAAI,YAAY;AACrC,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,UAAU,OAAO,YAAY,KAAK;AACpC,eAAO,aAAa,OAAO,MAAM,GAAG;AAAA,MACtC;AAEA,UAAI;AACF,cAAM,MAAM,MAAM,QAAQ,YAAY;AACtC,YAAI,CAAC,IAAI,GAAI,QAAO;AACpB,cAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,cAAM,OAAO,KAAK,QAAQ,CAAC;AAC3B,cAAM,IAAI,cAAc,EAAE,MAAM,WAAW,MAAM,SAAS,IAAK,CAAC;AAChE,eAAO,aAAa,MAAM,GAAG;AAAA,MAC/B,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,oBACP,UACA,QACe;AACf,MAAI,SAAU,QAAO;AACrB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,MAAM;AAC1B,WAAO,GAAG,IAAI,MAAM,GAAG,cAAc;AAAA,EACvC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,aAAa,MAAa,KAAyB;AAC1D,aAAW,KAAK,MAAM;AACpB,QAAI,EAAE,QAAQ,IAAK,QAAO;AAAA,EAC5B;AACA,SAAO;AACT;;;AC9CO,SAAS,eAAe,SAAqD;AAElF,MAAI,QAAQ,YAAY,OAAO,QAAQ,aAAa,UAAU;AAC5D,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,SAAS,OAAO,QAAQ,UAAU,UAAU;AACtD,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAKO,SAAS,iBACd,UACA,QACA,aACyB;AACzB,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,eAAe,QAAkC,WAAW;AAAA,IACrE,KAAK;AACH,aAAO,eAAe,QAAQ,WAAW;AAAA,IAC3C,KAAK;AACH,aAAO,WAAW,QAAQ,WAAW;AAAA,IACvC;AACE,aAAO;AAAA,EACX;AACF;AAKO,SAAS,+BACd,UACA,SAC6B;AAC7B,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,uBAAuB,OAAwD;AAAA,IACxF,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC;AACE,aAAO;AAAA,EACX;AACF;","names":["coerceString","stripQuery","extractSessionId","readHeader","coerceString","coerceString","coerceNumber","claim","decodeSdJwtSync","createHash","sha256Sync","applyDisclosures","coerceMandateType","coerceString","coerceNumber","readHeader","coerceString","readHeader","createHash","coerceString","toUnixSeconds"]}
1	+ {"version":3,"sources":["../../src/transport/http.ts","../../src/transport/a2a.ts","../../src/transport/mcp.ts","../../src/transport/purpose-mapping.ts","../../src/transport/transaction-value.ts","../../src/transport/rfc9421.ts","../../src/transport/rfc9421-verify.ts","../../src/transport/nonce-store.ts","../../src/transport/ucp.ts","../../src/transport/acp.ts","../../src/transport/vi.ts","../../src/transport/stripe-webhook.ts","../../src/transport/constraint-eval.ts","../../src/transport/identity-binding.ts","../../src/transport/ap2.ts","../../src/transport/ap2-verify.ts","../../src/transport/acp-verify.ts","../../src/transport/mpp.ts","../../src/transport/mpp-verify.ts","../../src/transport/x402.ts","../../src/transport/vi-verify.ts","../../src/transport/commerce-pipeline.ts","../../src/transport/extractor-registry.ts","../../src/transport/registry/visa.ts","../../src/transport/registry/mastercard.ts","../../src/transport/registry/web-bot-auth.ts","../../src/transport/index.ts"],"sourcesContent":["/*\n HTTP Transport Adapter\n \n Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\nconst HEADER_PREFIX = 'X-Astra-';\n\n/\n Inject AstraSync credentials into HTTP headers.\n /\nexport function setHttpHeaders(\n headers: Record<string, string>,\n credentials: AstraSyncCredentials,\n): Record<string, string> {\n const result = { ...headers };\n\n result[`${HEADER_PREFIX}ID`] = credentials.agentId;\n\n if (credentials.verifyUrl) {\n result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;\n }\n\n if (credentials.challengeUrl) {\n result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;\n }\n\n if (credentials.pdlss?.purpose) {\n const purposeValue = credentials.pdlss.purpose.action\n ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}`\n : credentials.pdlss.purpose.category;\n result[`${HEADER_PREFIX}Purpose`] = purposeValue;\n }\n\n if (credentials.pdlss?.duration?.maxSessionDuration) {\n result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);\n }\n\n if (credentials.pdlss?.scope?.jurisdiction) {\n result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;\n }\n\n return result;\n}\n\n/\n Extract AstraSync credentials from HTTP headers.\n /\nexport function extractHttpCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n): AstraSyncCredentials \| null {\n const getValue = (key: string): string \| undefined => {\n const v = headers[key] ?? headers[key.toLowerCase()];\n return Array.isArray(v) ? v[0] : v;\n };\n\n const agentId = getValue(`${HEADER_PREFIX}ID`) ?? getValue('x-astra-id');\n if (!agentId) return null;\n\n const credentials: AstraSyncCredentials = { agentId };\n\n const verifyUrl = getValue(`${HEADER_PREFIX}Verify`) ?? getValue('x-astra-verify');\n if (verifyUrl) credentials.verifyUrl = verifyUrl;\n\n const challengeUrl = getValue(`${HEADER_PREFIX}Challenge`) ?? getValue('x-astra-challenge');\n if (challengeUrl) credentials.challengeUrl = challengeUrl;\n\n const purpose = getValue(`${HEADER_PREFIX}Purpose`) ?? getValue('x-astra-purpose');\n if (purpose) {\n const [category, action] = purpose.split(':');\n credentials.pdlss = {\n ...credentials.pdlss,\n purpose: { category, action },\n };\n }\n\n const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue('x-astra-duration');\n if (duration) {\n credentials.pdlss = {\n ...credentials.pdlss,\n duration: { maxSessionDuration: parseInt(duration, 10) },\n };\n }\n\n const scope = getValue(`${HEADER_PREFIX}Scope`) ?? getValue('x-astra-scope');\n if (scope) {\n credentials.pdlss = {\n ...credentials.pdlss,\n scope: { jurisdiction: scope },\n };\n }\n\n return credentials;\n}\n","/\n A2A (Agent-to-Agent) Transport Adapter\n \n Maps AstraSync credentials to/from A2A task metadata.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface A2ATask {\n metadata?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMetadata {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to an A2A task's metadata block.\n /\nexport function setA2AMetadata(\n task: A2ATask,\n credentials: AstraSyncCredentials,\n): A2ATask {\n const astrasync: AstraSyncMetadata = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...task,\n metadata: {\n ...task.metadata,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from an A2A task's metadata block.\n /\nexport function extractA2ACredentials(task: A2ATask): AstraSyncCredentials \| null {\n const meta = task.metadata?.astrasync as AstraSyncMetadata \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n MCP (Model Context Protocol) Transport Adapter\n \n Maps AstraSync credentials to/from MCP params._meta.astrasync block.\n /\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface McpParams {\n _meta?: Record<string, unknown>;\n [key: string]: unknown;\n}\n\ninterface AstraSyncMeta {\n agentId: string;\n verifyUrl?: string;\n challengeUrl?: string;\n purpose?: { category: string; action?: string };\n duration?: { maxSessionDuration?: number };\n scope?: { jurisdiction?: string };\n}\n\n/\n Add AstraSync credentials to MCP params' _meta block.\n /\nexport function setMcpMeta(\n params: McpParams,\n credentials: AstraSyncCredentials,\n): McpParams {\n const astrasync: AstraSyncMeta = {\n agentId: credentials.agentId,\n };\n\n if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n return {\n ...params,\n _meta: {\n ...params._meta,\n astrasync,\n },\n };\n}\n\n/\n Extract AstraSync credentials from MCP params' _meta block.\n /\nexport function extractMcpCredentials(params: McpParams): AstraSyncCredentials \| null {\n const meta = params._meta?.astrasync as AstraSyncMeta \| undefined;\n if (!meta?.agentId) return null;\n\n const credentials: AstraSyncCredentials = {\n agentId: meta.agentId,\n };\n\n if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n if (meta.purpose \|\| meta.duration \|\| meta.scope) {\n credentials.pdlss = {};\n if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n if (meta.duration) credentials.pdlss.duration = meta.duration;\n if (meta.scope) credentials.pdlss.scope = meta.scope;\n }\n\n return credentials;\n}\n","/\n Protocol request -> AstraSync PDLSS purpose category mapping.\n \n Per spec v2.6 §7.4.3 commerce purpose mapping table, extended with MPP + x402\n * entries (April 2026 protocol landscape).\n /\n\nexport type CommercePurpose =\n \| 'commerce.checkout.create'\n \| 'commerce.checkout.update'\n \| 'commerce.checkout.confirm'\n \| 'commerce.checkout.cancel'\n \| 'commerce.payment.execute'\n \| 'commerce.payment.stream'\n \| 'commerce.delegation.intent'\n \| 'commerce.delegation.checkout'\n \| 'commerce.delegation.payment'\n \| 'commerce.identity_probe'\n \| 'commerce.browsing';\n\nconst UCP_ROUTES: Array<{ method: string; pattern: RegExp; purpose: CommercePurpose }> = [\n { method: 'POST', pattern: /^\\/checkout[-_]sessions\\/?$/, purpose: 'commerce.checkout.create' },\n {\n method: 'PUT',\n pattern: /^\\/checkout[-_]sessions\\/[^/]+\\/?$/,\n purpose: 'commerce.checkout.update',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout[-_]sessions\\/[^/]+\\/complete\\/?$/,\n purpose: 'commerce.payment.execute',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout[-_]sessions\\/[^/]+\\/cancel\\/?$/,\n purpose: 'commerce.checkout.cancel',\n },\n];\n\nconst ACP_ROUTES: Array<{ method: string; pattern: RegExp; purpose: CommercePurpose }> = [\n { method: 'POST', pattern: /^\\/checkout_sessions\\/?$/, purpose: 'commerce.checkout.create' },\n {\n method: 'POST',\n pattern: /^\\/checkout_sessions\\/[^/]+\\/?$/,\n purpose: 'commerce.checkout.update',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout_sessions\\/[^/]+\\/complete\\/?$/,\n purpose: 'commerce.payment.execute',\n },\n {\n method: 'POST',\n pattern: /^\\/checkout_sessions\\/[^/]+\\/cancel\\/?$/,\n purpose: 'commerce.checkout.cancel',\n },\n {\n method: 'POST',\n pattern: /^\\/agentic_commerce\\/delegate_payment\\/?$/,\n purpose: 'commerce.delegation.payment',\n },\n];\n\nexport function mapUCPRequestToPurpose(method: string, path: string): CommercePurpose \| null {\n const normalizedMethod = method.toUpperCase();\n const normalizedPath = stripQuery(path);\n for (const route of UCP_ROUTES) {\n if (route.method === normalizedMethod && route.pattern.test(normalizedPath)) {\n return route.purpose;\n }\n }\n return null;\n}\n\nexport function mapACPRequestToPurpose(method: string, path: string): CommercePurpose \| null {\n const normalizedMethod = method.toUpperCase();\n const normalizedPath = stripQuery(path);\n for (const route of ACP_ROUTES) {\n if (route.method === normalizedMethod && route.pattern.test(normalizedPath)) {\n return route.purpose;\n }\n }\n return null;\n}\n\nexport type AP2MandateType = 'intent_mandate' \| 'cart_mandate' \| 'payment_mandate';\nexport function mapAP2MandateToPurpose(mandateType: AP2MandateType): CommercePurpose {\n switch (mandateType) {\n case 'intent_mandate':\n return 'commerce.delegation.intent';\n case 'cart_mandate':\n return 'commerce.checkout.confirm';\n case 'payment_mandate':\n return 'commerce.payment.execute';\n }\n}\n\nexport type VIMandateType = 'checkout' \| 'payment' \| 'checkout.open' \| 'payment.open';\nexport function mapVIMandateToPurpose(mandateType: VIMandateType): CommercePurpose {\n switch (mandateType) {\n case 'checkout':\n return 'commerce.checkout.confirm';\n case 'payment':\n return 'commerce.payment.execute';\n case 'checkout.open':\n return 'commerce.delegation.checkout';\n case 'payment.open':\n return 'commerce.delegation.payment';\n }\n}\n\nexport type RFC9421Tag = 'browse' \| 'purchase' \| undefined;\nexport function mapRFC9421TagToPurpose(tag: RFC9421Tag): CommercePurpose {\n if (tag === 'purchase') return 'commerce.payment.execute';\n return 'commerce.browsing';\n}\n\nexport type MPPIntent = 'charge' \| 'session';\nexport function mapMPPRequestToPurpose(\n intent: MPPIntent \| undefined,\n amount: number \| undefined\n): CommercePurpose {\n if (typeof amount === 'number' && amount === 0) return 'commerce.identity_probe';\n if (intent === 'session') return 'commerce.payment.stream';\n return 'commerce.payment.execute';\n}\n\nexport function mapX402RequestToPurpose(amount: number \| undefined): CommercePurpose {\n if (typeof amount === 'number' && amount === 0) return 'commerce.identity_probe';\n return 'commerce.payment.execute';\n}\n\nfunction stripQuery(path: string): string {\n const q = path.indexOf('?');\n return q === -1 ? path : path.slice(0, q);\n}\n\n/\n Informational Stripe webhook events surfaced as trust signals on\n * `CommerceContext.trustSignals` but NOT routed to a PDLSS purpose.\n /\nexport const STRIPE_WEBHOOK_INFORMATIONAL_EVENTS = [\n 'payment_intent.succeeded',\n 'payment_intent.payment_failed',\n 'charge.refunded',\n 'checkout.session.completed',\n 'customer.subscription.created',\n] as const;\nexport type StripeWebhookInformationalEvent = (typeof STRIPE_WEBHOOK_INFORMATIONAL_EVENTS)[number];\n\nexport function isStripeWebhookInformational(eventType: string): boolean {\n return (STRIPE_WEBHOOK_INFORMATIONAL_EVENTS as readonly string[]).includes(eventType);\n}\n","/\n Per-protocol transaction-value normalization.\n \n Each protocol encodes amount/currency differently. This module produces a\n * uniform `TransactionValueContext` with `source` recording the extraction\n * path so trace logs can show where the value came from.\n \n Amount unit: \"major units\" (dollars/euros/etc. for fiat; native unit for\n * tokens — we do NOT convert across currencies). UCP/ACP totals are in\n * cents, so we divide by 100. MPP/x402/VI pass through as declared.\n /\n\nexport interface TransactionValueContext {\n protocol: 'vi' \| 'ap2' \| 'ucp' \| 'acp' \| 'mpp' \| 'x402' \| 'agentpay' \| 'tap';\n amount: number;\n currency: string;\n source: string;\n}\n\nexport function extractUCPTransactionValue(input: {\n totals?: Array<{ type?: string; amount?: number; currency?: string }>;\n}): TransactionValueContext \| null {\n const totals = input.totals ?? [];\n const total = totals.find((t) => t.type === 'total') ?? totals[0];\n if (!total \|\| typeof total.amount !== 'number' \|\| !total.currency) return null;\n return {\n protocol: 'ucp',\n amount: total.amount / 100,\n currency: total.currency,\n source: `totals[type=${total.type ?? 'unknown'}].amount`,\n };\n}\n\nexport function extractACPTransactionValue(input: {\n totals?: Array<{ type?: string; amount?: number; currency?: string }>;\n}): TransactionValueContext \| null {\n const totals = input.totals ?? [];\n const total = totals.find((t) => t.type === 'total') ?? totals[0];\n if (!total \|\| typeof total.amount !== 'number' \|\| !total.currency) return null;\n return {\n protocol: 'acp',\n amount: total.amount / 100,\n currency: total.currency,\n source: `totals[type=${total.type ?? 'unknown'}].amount`,\n };\n}\n\nexport interface VIClaimsForValue {\n constraints?: {\n paymentAmount?: { currency?: string; min?: number; max?: number };\n };\n l3aPaymentAmount?: { currency?: string; amount?: number };\n}\n\nexport function extractVITransactionValue(\n claims: VIClaimsForValue\n): TransactionValueContext \| null {\n const l3a = claims.l3aPaymentAmount;\n if (l3a && typeof l3a.amount === 'number' && l3a.currency) {\n return {\n protocol: 'vi',\n amount: l3a.amount,\n currency: l3a.currency,\n source: 'L3a.payment.amount',\n };\n }\n const bound = claims.constraints?.paymentAmount;\n if (bound && typeof bound.max === 'number' && bound.currency) {\n return {\n protocol: 'vi',\n amount: bound.max,\n currency: bound.currency,\n source: 'L2.payment.constraints.amount.max',\n };\n }\n return null;\n}\n\nexport interface AP2PaymentMandateForValue {\n payment_details_total?: { amount?: { value?: string \| number; currency?: string } };\n}\n\nexport function extractAP2TransactionValue(\n mandate: AP2PaymentMandateForValue \| undefined\n): TransactionValueContext \| null {\n const amt = mandate?.payment_details_total?.amount;\n if (!amt \|\| !amt.currency) return null;\n const n = typeof amt.value === 'string' ? Number(amt.value) : amt.value;\n if (typeof n !== 'number' \|\| !Number.isFinite(n)) return null;\n return {\n protocol: 'ap2',\n amount: n,\n currency: amt.currency,\n source: 'payment_mandate.payment_details_total.amount',\n };\n}\n\nexport interface MPPChallengeForValue {\n method?: string;\n request?: { amount?: number; currency?: string } & Record<string, unknown>;\n}\n\nexport function extractMPPTransactionValue(\n challenge: MPPChallengeForValue\n): TransactionValueContext \| null {\n const req = challenge.request;\n if (!req \|\| typeof req.amount !== 'number' \|\| !req.currency) return null;\n return {\n protocol: 'mpp',\n amount: req.amount,\n currency: req.currency,\n source: `challenge.request.amount (method=${challenge.method ?? 'unknown'})`,\n };\n}\n\nexport interface X402RequestForValue {\n maxAmountRequired?: number;\n amount?: number;\n asset?: string;\n currency?: string;\n}\n\nexport function extractX402TransactionValue(\n req: X402RequestForValue\n): TransactionValueContext \| null {\n const amount = req.maxAmountRequired ?? req.amount;\n const currency = req.currency ?? req.asset;\n if (typeof amount !== 'number' \|\| !currency) return null;\n return {\n protocol: 'x402',\n amount,\n currency,\n source: req.maxAmountRequired !== undefined ? 'maxAmountRequired' : 'amount',\n };\n}\n","/\n RFC 9421 HTTP Message Signatures parser.\n \n Wraps `structured-headers` (transitive dep of http-message-signatures) to\n * parse the Signature-Input and Signature Dictionary headers per RFC 9421 §2.\n \n Produces structured metadata (kid, algorithm, covered components, tag,\n * created/expires/nonce, signature bytes) without verifying the signature —\n * verification lives in rfc9421-verify.ts.\n \n Shared by:\n * - Agent Pay (Mastercard) — kid resolves via Mastercard Agent Registry\n * - TAP (Visa) — kid resolves via Visa JWKS\n * - Web Bot Auth (generic transport substrate) — kid resolves via\n * /.well-known/http-message-signatures-directory\n /\n\nimport { parseDictionary } from 'structured-headers';\n\nexport interface RFC9421SignatureParams {\n /* The label identifying the signature in the Dictionary header (e.g. \"sig1\"). /\n label: string;\n /* Key ID used to look up the verifying key in the relevant registry. /\n kid: string;\n /* Algorithm declared in the Signature-Input params (e.g. \"ecdsa-p256-sha256\", \"ed25519\"). /\n alg?: string;\n /* Covered components, in order, per RFC 9421 §2.1. /\n covered: string[];\n /* Base64url-encoded signature bytes extracted from the paired Signature header. /\n signatureBase64: string;\n /* Unix seconds when the signature was created. /\n created?: number;\n /* Unix seconds when the signature expires. /\n expires?: number;\n /* Nonce (opaque string) for replay protection. /\n nonce?: string;\n /* Tag parameter. For Agent Pay/TAP this is \"browse\" or \"purchase\"; undefined otherwise. /\n tag?: 'browse' \| 'purchase' \| string;\n}\n\nexport interface ParsedRFC9421 {\n signatures: RFC9421SignatureParams[];\n}\n\n/\n Parse the RFC 9421 Signature-Input and Signature headers from a request or response.\n * Returns all signatures present (a single message may carry multiple labelled signatures).\n \n Returns null if either header is missing or malformed.\n /\nexport function parseRFC9421(\n headers: Record<string, string \| string[] \| undefined>\n): ParsedRFC9421 \| null {\n const sigInput = readHeader(headers, 'signature-input');\n const sig = readHeader(headers, 'signature');\n if (!sigInput \|\| !sig) return null;\n\n let inputDict;\n let sigDict;\n try {\n inputDict = parseDictionary(sigInput);\n sigDict = parseDictionary(sig);\n } catch {\n return null;\n }\n\n const signatures: RFC9421SignatureParams[] = [];\n\n for (const [label, entry] of inputDict) {\n // entry.value is the inner list of covered components; entry[1] is the params Map.\n const innerList = Array.isArray(entry)\n ? entry[0]\n : (entry as { value?: unknown; params?: unknown }).value;\n const params = Array.isArray(entry)\n ? entry[1]\n : (entry as { value?: unknown; params?: unknown }).params;\n if (!Array.isArray(innerList) \|\| !params) continue;\n\n const covered: string[] = [];\n for (const item of innerList as Array<[unknown, Map<string, unknown>]>) {\n const [bare] = Array.isArray(item) ? item : [item];\n if (typeof bare === 'string') covered.push(bare);\n else if (bare && typeof bare === 'object' && 'toString' in bare) covered.push(String(bare));\n }\n\n const paramsMap = params as Map<string, unknown>;\n const kid = coerceString(paramsMap.get('keyid'));\n if (!kid) continue;\n\n const sigEntry = sigDict.get(label);\n if (!sigEntry) continue;\n\n const sigBare = Array.isArray(sigEntry) ? sigEntry[0] : (sigEntry as { value?: unknown }).value;\n const signatureBase64 = extractBase64(sigBare);\n if (!signatureBase64) continue;\n\n signatures.push({\n label,\n kid,\n alg: coerceString(paramsMap.get('alg')),\n covered,\n signatureBase64,\n created: coerceNumber(paramsMap.get('created')),\n expires: coerceNumber(paramsMap.get('expires')),\n nonce: coerceString(paramsMap.get('nonce')),\n tag: coerceString(paramsMap.get('tag')),\n });\n }\n\n if (signatures.length === 0) return null;\n return { signatures };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| null {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n return null;\n }\n }\n return null;\n}\n\nfunction coerceString(value: unknown): string \| undefined {\n if (typeof value === 'string') return value;\n if (value == null) return undefined;\n if (typeof value === 'object' && 'toString' in (value as object)) {\n const s = String(value);\n return s.length > 0 ? s : undefined;\n }\n return undefined;\n}\n\nfunction coerceNumber(value: unknown): number \| undefined {\n if (typeof value === 'number' && Number.isFinite(value)) return value;\n if (typeof value === 'bigint') return Number(value);\n return undefined;\n}\n\nfunction extractBase64(value: unknown): string \| null {\n if (value instanceof Uint8Array) return bufferToBase64(value);\n if (value instanceof ArrayBuffer) return bufferToBase64(new Uint8Array(value));\n if (ArrayBuffer.isView(value)) {\n const v = value as ArrayBufferView;\n return bufferToBase64(new Uint8Array(v.buffer, v.byteOffset, v.byteLength));\n }\n if (typeof value === 'string') {\n if (value.startsWith(':') && value.endsWith(':')) return value.slice(1, -1);\n return value;\n }\n return null;\n}\n\nfunction bufferToBase64(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString('base64');\n}\n","/\n RFC 9421 HTTP Message Signatures verification.\n \n Wraps http-message-signatures (dhensby) verifyMessage() with a RegistryResolver\n * hook for kid → JWK lookup. Library handles canonicalization + ES256/EdDSA/\n * HMAC/RSA verification; we supply the key-finding callback and policy around\n * clock skew.\n \n Shared by:\n * - Agent Pay (Mastercard) — resolver = createMastercardRegistry\n * - TAP (Visa) — resolver = createVisaRegistry\n * - Web Bot Auth (generic) — resolver = createWebBotAuthRegistry\n /\n\nimport { httpbis, type VerifierFinder, type VerifyingKey } from 'http-message-signatures';\nimport type { JWK } from 'jose';\nimport type { RegistryResolver } from './registry/types';\nimport { defaultNonceStore, type NonceStore } from './nonce-store';\n\nexport interface RFC9421VerifyRequest {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n body?: string;\n}\n\nexport interface RFC9421VerifyOptions {\n resolver: RegistryResolver;\n /* Seconds of tolerance around created/expires. Default 60 (audit F-A1-05 tightening from 300). /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n /* Optional replay-protection store. Defaults to in-process LRU. Audit F-A1-05. /\n nonceStore?: NonceStore;\n}\n\nexport interface RFC9421VerifyResult {\n ok: boolean;\n kid?: string;\n registry?: RegistryResolver['name'];\n algorithm?: string;\n error?: string;\n}\n\nexport async function verifyRFC9421(\n request: RFC9421VerifyRequest,\n options: RFC9421VerifyOptions\n): Promise<RFC9421VerifyResult> {\n const { resolver } = options;\n const tolerance = options.clockSkewSec ?? 60;\n const nowSec = options.now ? options.now() : Math.floor(Date.now() / 1000);\n const nonceStore = options.nonceStore ?? defaultNonceStore;\n\n let resolvedKid: string \| undefined;\n let resolvedAlg: string \| undefined;\n let replayDetected = false;\n\n const keyLookup: VerifierFinder = async (parameters) => {\n const kid = typeof parameters.keyid === 'string' ? parameters.keyid : undefined;\n if (!kid) return null;\n resolvedKid = kid;\n const alg = typeof parameters.alg === 'string' ? parameters.alg : undefined;\n if (alg) resolvedAlg = alg;\n\n const origin = safeOrigin(request.url);\n const jwk = await resolver.resolve(kid, { origin, algorithm: alg });\n if (!jwk) return null;\n\n // Check clock-skew on this specific signature's created/expires.\n // SignatureParameters may carry Date, number, or ISO string per library.\n const created = toUnixSeconds(parameters.created);\n const expires = toUnixSeconds(parameters.expires);\n if (created !== undefined && Math.abs(nowSec - created) > tolerance) return null;\n if (expires !== undefined && nowSec > expires + tolerance) return null;\n\n // Audit F-A1-05: replay protection. RFC 9421 signatures include a\n // `nonce` parameter (optional but recommended for replay-sensitive\n // contexts). When present, register kid+nonce; reject duplicates\n // within the expiry window.\n const nonce = typeof parameters.nonce === 'string' ? parameters.nonce : undefined;\n if (nonce) {\n const expiresAtMs = (expires !== undefined ? expires + tolerance : nowSec + tolerance) 1000;\n if (nonceStore.seen(`rfc9421:${kid}:${nonce}`, expiresAtMs)) {\n replayDetected = true;\n return null;\n }\n }\n\n return jwkToVerifyingKey(kid, jwk, alg);\n };\n\n try {\n const result = await httpbis.verifyMessage(\n {\n keyLookup,\n },\n normalizeRequest(request)\n );\n if (result === true) {\n return {\n ok: true,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n };\n }\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: replayDetected\n ? 'RFC9421 signature replay — already seen within tolerance window'\n : result === false\n ? 'signature invalid'\n : 'no signature found',\n };\n } catch (err) {\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: err instanceof Error ? err.message : 'verification error',\n };\n }\n}\n\nfunction normalizeRequest(request: RFC9421VerifyRequest): {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n} {\n return {\n method: request.method.toUpperCase(),\n url: request.url,\n headers: request.headers,\n };\n}\n\nfunction safeOrigin(url: string): string \| undefined {\n try {\n return new URL(url).origin;\n } catch {\n return undefined;\n }\n}\n\nasync function jwkToVerifyingKey(\n id: string,\n jwk: JWK,\n alg: string \| undefined\n): Promise<VerifyingKey> {\n const algorithm = alg ?? inferAlgFromJwk(jwk);\n const { subtle } = await getCrypto();\n const importAlg = webCryptoImportAlgFor(algorithm);\n const verifyAlg = webCryptoAlgFor(algorithm);\n if (!importAlg \|\| !verifyAlg) {\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async () => false,\n };\n }\n const key = await subtle.importKey('jwk', jwk as JsonWebKey, importAlg, false, ['verify']);\n\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async (data: Buffer, signature: Buffer): Promise<boolean> => {\n try {\n return await subtle.verify(verifyAlg, key, toArrayBuffer(signature), toArrayBuffer(data));\n } catch {\n return false;\n }\n },\n };\n}\n\nfunction inferAlgFromJwk(jwk: JWK): string {\n if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519') return 'ed25519';\n if (jwk.kty === 'EC' && jwk.crv === 'P-256') return 'ecdsa-p256-sha256';\n if (jwk.kty === 'EC' && jwk.crv === 'P-384') return 'ecdsa-p384-sha384';\n if (jwk.kty === 'RSA') return 'rsa-v1_5-sha256';\n return 'ecdsa-p256-sha256';\n}\n\nfunction webCryptoAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcdsaParams \| RsaPssParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', hash: 'SHA-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', hash: 'SHA-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', saltLength: 64 };\n default:\n return null;\n }\n}\n\nfunction webCryptoImportAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcKeyImportParams \| RsaHashedImportParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', namedCurve: 'P-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', namedCurve: 'P-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', hash: 'SHA-512' };\n default:\n return null;\n }\n}\n\nfunction toArrayBuffer(buf: Buffer): ArrayBuffer {\n const out = new ArrayBuffer(buf.byteLength);\n new Uint8Array(out).set(buf);\n return out;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (v instanceof Date) return Math.floor(v.getTime() / 1000);\n if (typeof v === 'string') {\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nasync function getCrypto(): Promise<{ subtle: SubtleCrypto }> {\n if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.subtle) {\n return { subtle: globalThis.crypto.subtle };\n }\n // Node fallback\n const nodeCrypto = await import('node:crypto');\n return { subtle: nodeCrypto.webcrypto.subtle as SubtleCrypto };\n}\n","/*\n Shared nonce/signature replay-protection store for transport verifiers.\n \n Audit F-A1-05: every transport-signature verifier (RFC9421, VI, AP2, ACP,\n * MPP) validates a created/expires window but none consult a seen-nonce\n * cache. Any captured signed request can be replayed within the (default\n * 300s, now tightened to 60s) tolerance window.\n \n This module ships a bounded in-memory LRU as the default. Production\n * deployments with multi-pod horizontal scaling SHOULD pass a shared store\n * (Redis-backed) via the verifier options to make replay protection global\n * rather than per-pod.\n \n The store interface is intentionally minimal: a single `seen(key,\n * expiresAt)` method that returns true iff the key was already recorded\n * (i.e. caller should reject as a replay). Callers compose the key from\n * whichever identifiers are unique to the signature (kid + nonce + sig\n * digest, typically).\n /\n\nexport interface NonceStore {\n /\n Record `key` as seen. Returns true iff the key was ALREADY present —\n * i.e. caller should reject the request as a replay. Returns false on\n * first sighting (caller should proceed).\n \n `expiresAtMs` is a hint for the store to evict entries that can no\n * longer cause harm (their signature window has elapsed).\n /\n seen(key: string, expiresAtMs: number): boolean;\n}\n\n/\n Default in-memory LRU. Per-process, lost on restart. Suitable for\n * single-pod deploys and for development; production multi-pod deploys\n * should pass a shared store.\n \n Capacity-bounded: once the limit is reached, the oldest entry is dropped\n * even if it hasn't yet expired. The limit (default 10k entries) is large\n * enough that meaningful replay windows shouldn't approach it; if a\n * deployment is hitting it, that's a signal to migrate to Redis.\n \n Also runs a lazy sweep on each `seen` call to evict entries past their\n * `expiresAtMs` — keeps memory bounded under burst load.\n /\nexport class InMemoryNonceStore implements NonceStore {\n private readonly entries = new Map<string, number>();\n private readonly capacity: number;\n private lastSweepMs = 0;\n\n constructor(capacity = 10_000) {\n this.capacity = capacity;\n }\n\n seen(key: string, expiresAtMs: number): boolean {\n const nowMs = Date.now();\n\n // Lazy sweep: at most once per second, walk expired entries.\n if (nowMs - this.lastSweepMs > 1000) {\n for (const [k, exp] of this.entries) {\n if (exp <= nowMs) this.entries.delete(k);\n }\n this.lastSweepMs = nowMs;\n }\n\n const existing = this.entries.get(key);\n if (existing !== undefined && existing > nowMs) {\n return true; // replay\n }\n\n // First sighting (or stale entry) — record + evict oldest if over capacity.\n if (this.entries.size >= this.capacity) {\n const oldest = this.entries.keys().next().value;\n if (oldest !== undefined) this.entries.delete(oldest);\n }\n this.entries.set(key, expiresAtMs);\n return false;\n }\n}\n\n/\n Process-wide singleton instance for convenience. Verifiers that don't\n * receive an explicit nonceStore in their options fall back to this.\n \n Memory-bounded at 10k entries by default; sufficient for a single pod\n * handling thousands of requests/sec where signatures only carry value\n * within their (60s default) expiry window.\n /\nexport const defaultNonceStore = new InMemoryNonceStore();\n","/\n UCP (Universal Commerce Protocol) checkout session extractor.\n \n Google + Shopify spec (ucp.dev). Extracts checkout session context from\n * incoming HTTP requests and, at registration time, validates the\n * `/.well-known/ucp` manifest via AJV against the mirrored JSON schema.\n /\n\nimport { mapUCPRequestToPurpose, type CommercePurpose } from './purpose-mapping';\n\nexport interface UCPTotal {\n type?: string;\n amount?: number;\n currency?: string;\n}\n\nexport interface UCPCheckoutContext {\n sessionId?: string;\n endpoint: string;\n purpose: CommercePurpose \| null;\n merchantDomain?: string;\n totals?: UCPTotal[];\n paymentMethod?: string;\n manifestUrl?: string;\n}\n\nexport interface UCPRequestLike {\n method: string;\n url: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport function extractUCPContext(request: UCPRequestLike): UCPCheckoutContext \| null {\n const { method, url } = request;\n if (!method \|\| !url) return null;\n\n const parsedUrl = safeParseUrl(url);\n const path = parsedUrl?.pathname ?? url.split('?')[0];\n\n const purpose = mapUCPRequestToPurpose(method, path);\n const endpoint = `${method.toUpperCase()} ${path}`;\n const sessionId = extractSessionId(path);\n\n const body = (request.body ?? {}) as Record<string, unknown>;\n const totals = Array.isArray(body.totals) ? (body.totals as UCPTotal[]) : undefined;\n const paymentMethod = coerceString(body.payment_method ?? body.paymentMethod);\n const manifestUrl = coerceString(body.manifest_url ?? body.manifestUrl);\n\n const merchantDomain = extractMerchantDomain(body, parsedUrl);\n\n return {\n sessionId,\n endpoint,\n purpose,\n merchantDomain,\n totals,\n paymentMethod,\n manifestUrl,\n };\n}\n\n/\n Fetch and parse a UCP manifest at registration time. Returns parsed JSON\n * on success, null on any failure (network, parse, timeout). Does NOT throw.\n \n Schema validation is a separate step — see `validateUCPManifest`.\n /\nexport async function fetchUCPManifest(\n manifestUrl: string,\n options: { timeoutMs?: number } = {}\n): Promise<unknown \| null> {\n const timeoutMs = options.timeoutMs ?? 3000;\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), timeoutMs);\n try {\n const res = await fetch(manifestUrl, { signal: controller.signal });\n if (!res.ok) return null;\n return await res.json();\n } catch {\n return null;\n } finally {\n clearTimeout(timer);\n }\n}\n\n/\n Validate a UCP manifest against the minimal shape we care about.\n \n The full UCP manifest schema lives upstream (ucp.dev) and is out of scope\n * to mirror here exhaustively. This function checks the structural guarantees\n * we depend on: required top-level fields (version, capabilities, endpoints).\n \n For full schema validation, consumers can pass their own AJV compiled\n * validator via `options.validator`.\n /\nexport interface UCPManifestValidationResult {\n ok: boolean;\n errors: string[];\n}\n\nexport function validateUCPManifest(\n manifest: unknown,\n options: { validator?: (m: unknown) => { ok: boolean; errors: string[] } } = {}\n): UCPManifestValidationResult {\n if (options.validator) return options.validator(manifest);\n\n const errors: string[] = [];\n if (!manifest \|\| typeof manifest !== 'object') {\n return { ok: false, errors: ['manifest is not an object'] };\n }\n const m = manifest as Record<string, unknown>;\n if (typeof m.version !== 'string') errors.push('version is required and must be a string');\n if (!Array.isArray(m.capabilities)) errors.push('capabilities must be an array');\n if (!m.endpoints \|\| typeof m.endpoints !== 'object') errors.push('endpoints must be an object');\n return { ok: errors.length === 0, errors };\n}\n\nfunction safeParseUrl(url: string): URL \| null {\n try {\n return new URL(url, 'http://placeholder.invalid');\n } catch {\n return null;\n }\n}\n\nfunction extractSessionId(path: string): string \| undefined {\n const match = path.match(/\\/checkout[-_]sessions\\/([^/?#]+)/);\n return match?.[1];\n}\n\nfunction extractMerchantDomain(\n body: Record<string, unknown>,\n parsedUrl: URL \| null\n): string \| undefined {\n const explicit = coerceString(body.merchant_domain ?? body.merchantDomain);\n if (explicit) return explicit;\n if (parsedUrl && parsedUrl.hostname !== 'placeholder.invalid') return parsedUrl.hostname;\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n ACP (Agentic Commerce Protocol) request extractor.\n \n Co-maintained by OpenAI + Stripe. Spec at agenticcommerce.dev.\n \n Extracts ACP request context from HTTP requests:\n * - Multi-header parsing: Signature, Timestamp, Idempotency-Key,\n * Authorization: Bearer, API-Version\n * - Endpoint classification: Agentic Checkout (checkout_sessions.) vs\n Delegate Payment (agentic_commerce/delegate_payment)\n * - Payment token detection: spt_* (Stripe SharedPaymentToken),\n * vt_* (ACP vault token), unknown\n * - Totals + merchant extraction from body\n \n No signature verification here — see acp-verify.ts.\n /\n\nimport { mapACPRequestToPurpose, type CommercePurpose } from './purpose-mapping';\n\nexport type ACPEndpoint =\n \| 'checkout_sessions.create'\n \| 'checkout_sessions.update'\n \| 'checkout_sessions.complete'\n \| 'checkout_sessions.cancel'\n \| 'delegate_payment'\n \| 'unknown';\n\nexport type ACPPaymentTokenType = 'stripe-spt' \| 'acp-vt' \| 'other' \| null;\n\nexport interface ACPTotal {\n type?: string;\n amount?: number;\n currency?: string;\n}\n\nexport interface ACPRequestContext {\n endpoint: ACPEndpoint;\n purpose: CommercePurpose \| null;\n sessionId?: string;\n merchantId?: string;\n apiVersion?: string;\n bearer?: string;\n signatureHeader?: string;\n timestampHeader?: string;\n idempotencyKey?: string;\n paymentToken?: {\n raw?: string;\n type: ACPPaymentTokenType;\n provider?: string;\n };\n totals?: ACPTotal[];\n fulfillmentOption?: string;\n rawBody?: string;\n}\n\nexport interface ACPRequestLike {\n method: string;\n url: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\nexport function extractACPContext(request: ACPRequestLike): ACPRequestContext \| null {\n const { method, url } = request;\n if (!method \|\| !url) return null;\n\n const path = stripQuery(url.startsWith('http') ? new URL(url).pathname : url);\n\n const endpoint = classifyEndpoint(method, path);\n const purpose = mapACPRequestToPurpose(method, path);\n const sessionId = extractSessionId(path);\n\n const headers = request.headers ?? {};\n const signatureHeader = readHeader(headers, 'signature');\n const timestampHeader = readHeader(headers, 'timestamp');\n const idempotencyKey = readHeader(headers, 'idempotency-key');\n const apiVersion = readHeader(headers, 'api-version');\n const bearer = extractBearer(readHeader(headers, 'authorization'));\n\n const body = (request.body ?? {}) as Record<string, unknown>;\n const merchantId = coerceString(body.merchant_id ?? body.merchantId);\n const totals = Array.isArray(body.totals) ? (body.totals as ACPTotal[]) : undefined;\n const fulfillmentOption = extractFulfillmentOption(body);\n\n const paymentToken = extractPaymentToken(body);\n\n return {\n endpoint,\n purpose,\n sessionId,\n merchantId,\n apiVersion,\n bearer,\n signatureHeader,\n timestampHeader,\n idempotencyKey,\n paymentToken,\n totals,\n fulfillmentOption,\n rawBody: request.rawBody,\n };\n}\n\nfunction classifyEndpoint(method: string, path: string): ACPEndpoint {\n const m = method.toUpperCase();\n if (m !== 'POST') return 'unknown';\n if (/^\\/agentic_commerce\\/delegate_payment\\/?$/.test(path)) return 'delegate_payment';\n if (/^\\/checkout_sessions\\/?$/.test(path)) return 'checkout_sessions.create';\n if (/^\\/checkout_sessions\\/[^/]+\\/?$/.test(path)) return 'checkout_sessions.update';\n if (/^\\/checkout_sessions\\/[^/]+\\/complete\\/?$/.test(path)) return 'checkout_sessions.complete';\n if (/^\\/checkout_sessions\\/[^/]+\\/cancel\\/?$/.test(path)) return 'checkout_sessions.cancel';\n return 'unknown';\n}\n\nfunction extractSessionId(path: string): string \| undefined {\n const match = path.match(/\\/checkout_sessions\\/([^/?#]+)/);\n return match?.[1];\n}\n\nfunction extractBearer(authHeader: string \| undefined): string \| undefined {\n if (!authHeader) return undefined;\n const match = authHeader.match(/^Bearer\\s+(.+)$/i);\n return match ? match[1].trim() : undefined;\n}\n\nfunction extractPaymentToken(body: Record<string, unknown>): ACPRequestContext['paymentToken'] {\n const paymentData = body.payment_data as Record<string, unknown> \| undefined;\n if (!paymentData) return undefined;\n const raw = coerceString(paymentData.token);\n const provider = coerceString(paymentData.provider);\n if (!raw) return { raw: undefined, type: null, provider };\n const type = classifyPaymentToken(raw);\n return { raw, type, provider };\n}\n\nfunction classifyPaymentToken(token: string): ACPPaymentTokenType {\n if (token.startsWith('spt_')) return 'stripe-spt';\n if (token.startsWith('vt_')) return 'acp-vt';\n return 'other';\n}\n\nfunction extractFulfillmentOption(body: Record<string, unknown>): string \| undefined {\n const direct = coerceString(body.fulfillment_option ?? body.fulfillmentOption);\n if (direct) return direct;\n const options = body.fulfillment_options;\n if (Array.isArray(options) && options.length > 0) {\n const first = options[0];\n if (first && typeof first === 'object') {\n const id = coerceString((first as Record<string, unknown>).id);\n if (id) return id;\n }\n }\n return undefined;\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| undefined {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw[0];\n }\n }\n return undefined;\n}\n\nfunction stripQuery(path: string): string {\n const q = path.indexOf('?');\n return q === -1 ? path : path.slice(0, q);\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n VI (Verifiable Intent) SD-JWT extraction.\n \n Open-sourced 5 March 2026 by Mastercard + Google (v0.1-draft).\n * VI is a 3-layer SD-JWT chain:\n * L1 — issuer → wallet (credential provider)\n * L2 — user → agent (cnf.jwk binding to L3 agent key)\n * L3 — agent → merchant (payment or checkout mandate, split into L3a / L3b\n * cross-referenced via transaction_id)\n \n This module does EXTRACTION ONLY — it decodes SD-JWT structure and pulls\n * out the mandate type, kid, executionMode, 8 constraint types, checkoutHash\n * (constraint type 8), transactionId, and raw layers for later verification.\n \n Signature verification lives in vi-verify.ts; this module uses @sd-jwt's\n * sync decoder with a SHA-256 hasher for structural parsing only.\n /\n\nimport { splitSdJwt, decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { VIMandateType } from './purpose-mapping';\n\nexport type { VIMandateType };\nexport type VIExecutionMode = 'Immediate' \| 'Autonomous' \| 'Both';\n\nexport interface VIAllowedParty {\n id?: string;\n name?: string;\n website?: string;\n}\n\nexport interface VILineItem {\n id?: string;\n acceptableItems?: string[];\n quantity?: number;\n}\n\nexport interface VIPaymentAmount {\n currency?: string;\n min?: number;\n max?: number;\n}\n\nexport interface VIBudgetLimit {\n currency?: string;\n max?: number;\n}\n\nexport interface VIRecurrence {\n frequency?: string;\n startDate?: string;\n endDate?: string;\n maxOccurrences?: number;\n}\n\nexport interface VIConstraints {\n allowedMerchants?: VIAllowedParty[];\n allowedPayees?: VIAllowedParty[];\n lineItems?: VILineItem[];\n paymentAmount?: VIPaymentAmount;\n budgetLimit?: VIBudgetLimit;\n recurrence?: VIRecurrence;\n agentRecurrence?: VIRecurrence;\n}\n\nexport interface VIExtractedClaims {\n mandateType: VIMandateType;\n kid?: string;\n executionMode?: VIExecutionMode;\n credentialProvider?: string;\n constraints: VIConstraints;\n /* VI constraint type 8 — SHA-256 of the paired L2 checkout disclosure. /\n checkoutHash?: string;\n transactionId?: string;\n rawLayers: { l1?: string; l2?: string; l3?: string };\n}\n\n/\n Extract VI claims from a compact SD-JWT string.\n \n Input shape:\n * <jwt>~<disclosure1>~<disclosure2>~...~<kbJwt?>\n \n Returns null if parsing fails at any layer. Does not verify signatures.\n /\nexport function extractVIClaims(sdJwtCompact: string): VIExtractedClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const split = safeSplit(sdJwtCompact);\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n\n // Apply disclosures onto payload to resolve _sd references.\n // Disclosure from @sd-jwt/utils has { key, value, digest() } where digest is\n // a function — we only need key+value here, so narrow via a structural cast.\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const mandateType = coerceMandateType(\n claims.mandate_type ?? claims.mandateType ?? payload.mandate_type ?? payload.mandateType\n );\n if (!mandateType) return null;\n\n const kid = coerceString(\n (decoded.jwt?.header as Record<string, unknown> \| undefined)?.kid ?? claims.kid ?? payload.kid\n );\n\n const executionMode = coerceExecutionMode(claims.execution_mode ?? claims.executionMode);\n const credentialProvider = coerceString(claims.iss ?? payload.iss);\n\n const constraints = extractConstraints(\n (claims.constraints ?? claims.default_constraints ?? {}) as Record<string, unknown>\n );\n\n const transactionId = coerceString(claims.transaction_id ?? claims.transactionId);\n const checkoutHash = coerceString(\n claims.checkout_hash ??\n claims.conditional_transaction_id ??\n (claims.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n\n return {\n mandateType,\n kid,\n executionMode,\n credentialProvider,\n constraints,\n checkoutHash,\n transactionId,\n rawLayers: split,\n };\n}\n\nfunction safeSplit(compact: string): { l1?: string; l2?: string; l3?: string } {\n try {\n const { jwt, kbJwt } = splitSdJwt(compact);\n // VI layering maps loosely: the outer JWT is L3 (agent mandate), KB-JWT\n // (if present) is the key-binding proof, and disclosures carry L2/L1 fragments.\n return { l3: jwt, l2: kbJwt };\n } catch {\n return {};\n }\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction extractConstraints(raw: Record<string, unknown>): VIConstraints {\n return {\n allowedMerchants: toAllowedPartyArray(raw.allowed_merchants ?? raw.allowedMerchants),\n allowedPayees: toAllowedPartyArray(raw.allowed_payees ?? raw.allowedPayees),\n lineItems: toLineItemArray(raw.line_items ?? raw.lineItems),\n paymentAmount: toPaymentAmount(raw.payment_amount ?? raw.paymentAmount),\n budgetLimit: toBudgetLimit(raw.budget_limit ?? raw.budgetLimit ?? raw.budget),\n recurrence: toRecurrence(raw.recurrence),\n agentRecurrence: toRecurrence(raw.agent_recurrence ?? raw.agentRecurrence),\n };\n}\n\nfunction toAllowedPartyArray(v: unknown): VIAllowedParty[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VIAllowedParty[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n out.push({\n id: coerceString(r.id),\n name: coerceString(r.name),\n website: coerceString(r.website),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toLineItemArray(v: unknown): VILineItem[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VILineItem[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n const acc = r.acceptable_items ?? r.acceptableItems;\n out.push({\n id: coerceString(r.id),\n acceptableItems: Array.isArray(acc)\n ? (acc.filter((a) => typeof a === 'string') as string[])\n : undefined,\n quantity: coerceNumber(r.quantity),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toPaymentAmount(v: unknown): VIPaymentAmount \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n min: coerceNumber(r.min),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toBudgetLimit(v: unknown): VIBudgetLimit \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toRecurrence(v: unknown): VIRecurrence \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n frequency: coerceString(r.frequency),\n startDate: coerceString(r.start_date ?? r.startDate),\n endDate: coerceString(r.end_date ?? r.endDate),\n maxOccurrences: coerceNumber(r.max_occurrences ?? r.maxOccurrences),\n };\n}\n\nfunction coerceMandateType(v: unknown): VIMandateType \| null {\n if (v === 'checkout' \|\| v === 'payment' \|\| v === 'checkout.open' \|\| v === 'payment.open') {\n return v;\n }\n return null;\n}\n\nfunction coerceExecutionMode(v: unknown): VIExecutionMode \| undefined {\n return v === 'Immediate' \|\| v === 'Autonomous' \|\| v === 'Both' ? v : undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n Stripe webhook HMAC-SHA256 verifier (inline).\n \n Stripe-Signature header format: \"t=TIMESTAMP,v1=HEX_SIGNATURE\"\n * - t: unix seconds when Stripe signed the webhook\n * - v1: HMAC-SHA256(webhook_secret, `${t}.${payload}`) as hex\n \n Multiple v1 signatures can coexist during secret rotation; any match wins.\n * Default tolerance on timestamp age: 300s (matches Stripe's own default).\n \n Documented at docs.stripe.com — we intentionally inline ~25 LOC rather\n * than pull in the full stripe npm package (MIT but 600KB+ with deps).\n /\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface VerifyStripeWebhookResult {\n ok: boolean;\n timestamp?: number;\n error?: string;\n}\n\nexport interface VerifyStripeWebhookOptions {\n toleranceSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport function verifyStripeWebhook(\n payload: string,\n signatureHeader: string \| undefined,\n secret: string,\n options: VerifyStripeWebhookOptions = {}\n): VerifyStripeWebhookResult {\n if (!signatureHeader) return { ok: false, error: 'missing Stripe-Signature header' };\n if (!secret) return { ok: false, error: 'missing webhook secret' };\n\n const parsed = parseStripeSignature(signatureHeader);\n if (!parsed.timestamp) return { ok: false, error: 'malformed Stripe-Signature (missing t=)' };\n if (parsed.v1Signatures.length === 0) {\n return { ok: false, error: 'malformed Stripe-Signature (no v1=)' };\n }\n\n const tolerance = options.toleranceSec ?? 300;\n const now = options.now ? options.now() : Math.floor(Date.now() / 1000);\n if (Math.abs(now - parsed.timestamp) > tolerance) {\n return {\n ok: false,\n timestamp: parsed.timestamp,\n error: `timestamp outside tolerance (${tolerance}s)`,\n };\n }\n\n const signedPayload = `${parsed.timestamp}.${payload}`;\n const expected = createHmac('sha256', secret).update(signedPayload).digest();\n\n for (const candidateHex of parsed.v1Signatures) {\n const candidate = hexToBuffer(candidateHex);\n if (!candidate) continue;\n if (candidate.length !== expected.length) continue;\n if (timingSafeEqual(candidate, expected)) {\n return { ok: true, timestamp: parsed.timestamp };\n }\n }\n\n return { ok: false, timestamp: parsed.timestamp, error: 'signature mismatch' };\n}\n\ninterface ParsedStripeSignature {\n timestamp: number \| null;\n v1Signatures: string[];\n}\n\nfunction parseStripeSignature(header: string): ParsedStripeSignature {\n let timestamp: number \| null = null;\n const v1Signatures: string[] = [];\n for (const part of header.split(',')) {\n const [rawKey, rawValue] = part.split('=');\n if (!rawKey \|\| !rawValue) continue;\n const key = rawKey.trim();\n const value = rawValue.trim();\n if (key === 't') {\n const n = Number(value);\n if (Number.isFinite(n)) timestamp = n;\n } else if (key === 'v1') {\n v1Signatures.push(value);\n }\n }\n return { timestamp, v1Signatures };\n}\n\nfunction hexToBuffer(hex: string): Buffer \| null {\n if (!/^[0-9a-fA-F]+$/.test(hex) \|\| hex.length % 2 !== 0) return null;\n return Buffer.from(hex, 'hex');\n}\n","/\n PDLSS constraint evaluation.\n \n Evaluates VI constraint types 1-4 (merchant/payee allowlists, line items,\n * payment amount) + MPP/x402 payment-method allowlist + spending-limit\n * against a transaction context.\n \n Types 5/6/7 (budget, recurrence, agent_recurrence) extract through but\n * enforcement is deferred to the cross-merchant budget service (§3.3.15,\n * separate PR). This module returns per-constraint {ok, reason} results\n * so a policy layer can decide hard-deny vs trust-signal.\n /\n\nimport type { VIConstraints, VIAllowedParty, VILineItem, VIPaymentAmount } from './vi';\n\nexport interface TransactionContext {\n amount?: number;\n currency?: string;\n merchant?: { id?: string; website?: string };\n payee?: { id?: string; website?: string };\n lineItems?: Array<{ id?: string; quantity?: number }>;\n /* For MPP / x402 payment-method enforcement. /\n paymentMethod?: string;\n}\n\nexport type ConstraintKey = 'merchant' \| 'payee' \| 'lineItems' \| 'amount' \| 'paymentMethod';\n\nexport interface ConstraintResult {\n ok: boolean;\n reason?: string;\n}\n\nexport interface ConstraintEvalResult {\n ok: boolean;\n results: Record<string, ConstraintResult>;\n reasons: string[];\n}\n\nexport interface VIConstraintEvalInput {\n constraints: VIConstraints;\n transaction: TransactionContext;\n}\n\nexport function evaluateVIConstraints(input: VIConstraintEvalInput): ConstraintEvalResult {\n const { constraints, transaction } = input;\n const results: Record<string, ConstraintResult> = {};\n\n if (constraints.allowedMerchants && constraints.allowedMerchants.length > 0) {\n results.merchant = evaluateAllowlist(\n 'merchant',\n constraints.allowedMerchants,\n transaction.merchant\n );\n }\n\n if (constraints.allowedPayees && constraints.allowedPayees.length > 0) {\n results.payee = evaluateAllowlist('payee', constraints.allowedPayees, transaction.payee);\n }\n\n if (constraints.lineItems && constraints.lineItems.length > 0) {\n results.lineItems = evaluateLineItems(constraints.lineItems, transaction.lineItems ?? []);\n }\n\n if (constraints.paymentAmount) {\n results.amount = evaluatePaymentAmount(constraints.paymentAmount, transaction);\n }\n\n const reasons: string[] = [];\n let ok = true;\n for (const [key, r] of Object.entries(results)) {\n if (!r.ok) {\n ok = false;\n reasons.push(r.reason ?? `${key} failed`);\n }\n }\n\n return { ok, results, reasons };\n}\n\nexport interface PaymentMethodAllowlistInput {\n allowedMethods?: string[];\n requestedMethod?: string;\n}\n\nexport function evaluatePaymentMethodAllowlist(\n input: PaymentMethodAllowlistInput\n): ConstraintResult {\n const allow = input.allowedMethods ?? [];\n if (allow.length === 0) return { ok: true };\n if (!input.requestedMethod) {\n return { ok: false, reason: 'no payment method in request; allowlist configured' };\n }\n const lowered = input.requestedMethod.toLowerCase();\n const allowed = allow.some((m) => m.toLowerCase() === lowered);\n if (!allowed) {\n return {\n ok: false,\n reason: `payment method \"${input.requestedMethod}\" not in allowlist [${allow.join(', ')}]`,\n };\n }\n return { ok: true };\n}\n\nexport interface SpendingLimitInput {\n limit?: { amount?: number; currency?: string };\n requested?: { amount?: number; currency?: string };\n}\n\nexport function evaluateSpendingLimit(input: SpendingLimitInput): ConstraintResult {\n const { limit, requested } = input;\n if (!limit \|\| typeof limit.amount !== 'number') return { ok: true };\n if (!requested \|\| typeof requested.amount !== 'number') return { ok: true };\n if (limit.currency && requested.currency && limit.currency !== requested.currency) {\n return {\n ok: false,\n reason: `currency mismatch: limit ${limit.currency} vs requested ${requested.currency}`,\n };\n }\n if (requested.amount > limit.amount) {\n return {\n ok: false,\n reason:\n `requested ${requested.amount} ${requested.currency ?? ''} exceeds limit ${limit.amount} ${limit.currency ?? ''}`.trim(),\n };\n }\n return { ok: true };\n}\n\nfunction evaluateAllowlist(\n kind: 'merchant' \| 'payee',\n allowlist: VIAllowedParty[],\n actual: { id?: string; website?: string } \| undefined\n): ConstraintResult {\n if (!actual \|\| (!actual.id && !actual.website)) {\n return { ok: false, reason: `no ${kind} in transaction; allowlist configured` };\n }\n for (const entry of allowlist) {\n if (entry.id && actual.id && entry.id === actual.id) return { ok: true };\n if (entry.website && actual.website && domainsMatch(entry.website, actual.website)) {\n return { ok: true };\n }\n }\n const allowedDescriptors = allowlist.map(describeParty).join(', ');\n const actualDescriptor = describeParty(actual);\n return {\n ok: false,\n reason: `${kind} ${actualDescriptor} not in allowlist [${allowedDescriptors}]`,\n };\n}\n\nfunction evaluateLineItems(\n allowlist: VILineItem[],\n actualItems: Array<{ id?: string; quantity?: number }>\n): ConstraintResult {\n if (actualItems.length === 0) {\n return { ok: false, reason: 'no line items in transaction; allowlist configured' };\n }\n const reasons: string[] = [];\n for (const item of actualItems) {\n const match = allowlist.find(\n (a) => (a.id && a.id === item.id) \|\| (a.acceptableItems ?? []).includes(item.id ?? '')\n );\n if (!match) {\n reasons.push(`line item \"${item.id ?? '(unnamed)'}\" not in allowlist`);\n continue;\n }\n if (\n typeof match.quantity === 'number' &&\n typeof item.quantity === 'number' &&\n item.quantity > match.quantity\n ) {\n reasons.push(\n `line item \"${item.id}\" quantity ${item.quantity} exceeds allowed ${match.quantity}`\n );\n }\n }\n return reasons.length === 0 ? { ok: true } : { ok: false, reason: reasons.join('; ') };\n}\n\nfunction evaluatePaymentAmount(\n bound: VIPaymentAmount,\n transaction: TransactionContext\n): ConstraintResult {\n if (typeof transaction.amount !== 'number') {\n return { ok: false, reason: 'no amount in transaction; paymentAmount bound configured' };\n }\n if (bound.currency && transaction.currency && bound.currency !== transaction.currency) {\n return {\n ok: false,\n reason: `currency mismatch: bound ${bound.currency} vs transaction ${transaction.currency}`,\n };\n }\n if (typeof bound.min === 'number' && transaction.amount < bound.min) {\n return {\n ok: false,\n reason: `amount ${transaction.amount} below min ${bound.min}`,\n };\n }\n if (typeof bound.max === 'number' && transaction.amount > bound.max) {\n return {\n ok: false,\n reason: `amount ${transaction.amount} above max ${bound.max}`,\n };\n }\n return { ok: true };\n}\n\nfunction domainsMatch(allow: string, actual: string): boolean {\n const a = normalizeDomain(allow);\n const b = normalizeDomain(actual);\n return a === b \|\| b.endsWith(`.${a}`);\n}\n\nfunction normalizeDomain(value: string): string {\n try {\n const withScheme = /^https?:\\/\\//.test(value) ? value : `https://${value}`;\n return new URL(withScheme).hostname.toLowerCase();\n } catch {\n return value.toLowerCase();\n }\n}\n\nfunction describeParty(party: { id?: string; name?: string; website?: string }): string {\n if (party.id) return `id:${party.id}`;\n if (party.website) return party.website;\n if (party.name) return party.name;\n return '(unnamed)';\n}\n","/\n Cross-protocol agent identity binding.\n \n Every commerce layer claims an agent identity differently:\n * - VI L3 kid (SD-JWT header)\n * - AP2 agent_id (mandate payload)\n * - ACP Authorization: Bearer token (merchant-issued pre-shared)\n * - MPP Credential `source` field (DID or chain-native key)\n * - x402 client wallet address\n * - RFC 9421 kid (Agent Pay / TAP / Web Bot Auth)\n \n This module maps any such claim to a single AstraSync agent via a\n * caller-supplied resolver (typically delegates to the counterparty service),\n * then flags whether multiple claims on the same request resolve to different\n * agents (a trust signal for PDLSS).\n \n This is AstraSync whitespace — no vendor owns multi-protocol identity\n * unification.\n /\n\nexport interface IdentityClaim {\n /* Originating protocol label: 'vi' \| 'ap2' \| 'acp' \| 'mpp' \| 'x402' \| 'agentpay' \| 'tap' \| 'webbotauth' /\n protocol: string;\n /* Claim field name, e.g. 'kid', 'agent_id', 'source', 'bearer'. /\n field: string;\n /* Claim value as presented on the wire. /\n value: string;\n}\n\nexport interface IdentityBindingResult {\n claims: IdentityClaim[];\n mappedAstraSyncAgentId?: string;\n /\n True when two or more claims resolve to different AstraSync agents.\n * Surfaced as a trust signal rather than an auto-deny — legitimate flows\n * (e.g. delegate payments) can legitimately carry multiple identities.\n /\n mismatchAcrossLayers: boolean;\n /* Per-claim resolution result for audit / debugging. /\n resolutions: Array<{ claim: IdentityClaim; agentId: string \| null }>;\n}\n\nexport type IdentityResolver = (claim: IdentityClaim) => Promise<string \| null>;\n\nexport async function bindIdentity(\n claims: IdentityClaim[],\n resolver: IdentityResolver\n): Promise<IdentityBindingResult> {\n const resolutions: Array<{ claim: IdentityClaim; agentId: string \| null }> = [];\n for (const claim of claims) {\n if (!claim.value) {\n resolutions.push({ claim, agentId: null });\n continue;\n }\n const agentId = await resolver(claim);\n resolutions.push({ claim, agentId });\n }\n\n const resolvedIds = resolutions\n .map((r) => r.agentId)\n .filter((id): id is string => typeof id === 'string' && id.length > 0);\n\n const unique = Array.from(new Set(resolvedIds));\n const mismatchAcrossLayers = unique.length > 1;\n const mappedAstraSyncAgentId = unique.length === 1 ? unique[0] : undefined;\n\n return {\n claims,\n mappedAstraSyncAgentId,\n mismatchAcrossLayers,\n resolutions,\n };\n}\n\n/\n Helper constructors — keep protocol/field strings consistent across the\n * codebase and make tests readable.\n /\nexport const claim = {\n viKid: (value: string): IdentityClaim => ({ protocol: 'vi', field: 'kid', value }),\n ap2AgentId: (value: string): IdentityClaim => ({ protocol: 'ap2', field: 'agent_id', value }),\n acpBearer: (value: string): IdentityClaim => ({ protocol: 'acp', field: 'bearer', value }),\n mppSource: (value: string): IdentityClaim => ({ protocol: 'mpp', field: 'source', value }),\n x402Wallet: (value: string): IdentityClaim => ({ protocol: 'x402', field: 'wallet', value }),\n agentPayKid: (value: string): IdentityClaim => ({ protocol: 'agentpay', field: 'kid', value }),\n tapKid: (value: string): IdentityClaim => ({ protocol: 'tap', field: 'kid', value }),\n webBotAuthKid: (value: string): IdentityClaim => ({\n protocol: 'webbotauth',\n field: 'kid',\n value,\n }),\n};\n","/\n AP2 (Agent Payments Protocol) mandate extraction.\n \n Google-led, launched 3 April 2026 with 60+ partners (Mastercard, PayPal,\n * Coinbase, AmEx, Revolut, UnionPay, ...). AP2 ships three mandate types as\n * SD-JWTs in series:\n * - intent_mandate — user declares intent (amount, merchant category, etc.)\n * - cart_mandate — user approves a cart (specific items, totals)\n * - payment_mandate — authorizes the actual payment rail\n \n Mandates are cross-referenced via ids; each is an SD-JWT over ES256 (or\n * equivalent). We decode via @sd-jwt/decode and extract the AP2-specific\n * shape — verification lives in ap2-verify.ts.\n /\n\nimport { decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { AP2MandateType } from './purpose-mapping';\n\nexport type { AP2MandateType };\n\nexport interface AP2PaymentDetailsTotal {\n amount?: { value?: string \| number; currency?: string };\n label?: string;\n}\n\nexport interface AP2IntentMandateClaims {\n type: 'intent_mandate';\n agent_id?: string;\n user_id?: string;\n merchant_category?: string;\n allowedMerchantDomains?: string[];\n paymentMethods?: string[];\n expires?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2CartMandateClaims {\n type: 'cart_mandate';\n agent_id?: string;\n intent_mandate_id?: string;\n merchant_id?: string;\n line_items?: Array<{\n id?: string;\n quantity?: number;\n price?: { value?: string \| number; currency?: string };\n }>;\n payment_details_total?: AP2PaymentDetailsTotal;\n expires?: string;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2PaymentMandateClaims {\n type: 'payment_mandate';\n agent_id?: string;\n cart_mandate_id?: string;\n payment_method?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n credential_provider?: string;\n raw: Record<string, unknown>;\n}\n\nexport type AP2MandateClaims =\n \| AP2IntentMandateClaims\n \| AP2CartMandateClaims\n \| AP2PaymentMandateClaims;\n\nexport interface AP2MandateTriple {\n intent?: AP2IntentMandateClaims;\n cart?: AP2CartMandateClaims;\n payment?: AP2PaymentMandateClaims;\n rawLayers: { intentJwt?: string; cartJwt?: string; paymentJwt?: string };\n}\n\n/\n Extract a single AP2 mandate from a compact SD-JWT.\n * Returns null if the SD-JWT is malformed or lacks a recognized type field.\n /\nexport function extractAP2Mandate(sdJwtCompact: string): AP2MandateClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const type = coerceMandateType(claims.type ?? claims.mandate_type ?? claims.mandateType);\n if (!type) return null;\n\n if (type === 'intent_mandate') return buildIntent(claims);\n if (type === 'cart_mandate') return buildCart(claims);\n return buildPayment(claims);\n}\n\nexport interface AP2MandateTripleInput {\n intent?: string;\n cart?: string;\n payment?: string;\n}\n\n/\n Extract an intent / cart / payment triple, returning whichever are present.\n * Does NOT enforce cross-reference consistency — that's ap2-verify.ts's job.\n /\nexport function extractAP2Mandates(input: AP2MandateTripleInput): AP2MandateTriple {\n const intent = input.intent\n ? (extractAP2Mandate(input.intent) as AP2IntentMandateClaims \| null)\n : null;\n const cart = input.cart ? (extractAP2Mandate(input.cart) as AP2CartMandateClaims \| null) : null;\n const payment = input.payment\n ? (extractAP2Mandate(input.payment) as AP2PaymentMandateClaims \| null)\n : null;\n return {\n intent: intent ?? undefined,\n cart: cart ?? undefined,\n payment: payment ?? undefined,\n rawLayers: {\n intentJwt: input.intent,\n cartJwt: input.cart,\n paymentJwt: input.payment,\n },\n };\n}\n\nfunction buildIntent(claims: Record<string, unknown>): AP2IntentMandateClaims {\n return {\n type: 'intent_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n user_id: coerceString(claims.user_id ?? claims.userId ?? claims.sub),\n merchant_category: coerceString(claims.merchant_category ?? claims.merchantCategory),\n allowedMerchantDomains: toStringArray(\n claims.allowed_merchant_domains ?? claims.allowedMerchantDomains\n ),\n paymentMethods: toStringArray(claims.payment_methods ?? claims.paymentMethods),\n expires: coerceString(claims.expires ?? claims.exp),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n raw: claims,\n };\n}\n\nfunction buildCart(claims: Record<string, unknown>): AP2CartMandateClaims {\n return {\n type: 'cart_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n intent_mandate_id: coerceString(claims.intent_mandate_id ?? claims.intentMandateId),\n merchant_id: coerceString(claims.merchant_id ?? claims.merchantId),\n line_items: toLineItems(claims.line_items ?? claims.lineItems),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n expires: coerceString(claims.expires ?? claims.exp),\n raw: claims,\n };\n}\n\nfunction buildPayment(claims: Record<string, unknown>): AP2PaymentMandateClaims {\n return {\n type: 'payment_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n cart_mandate_id: coerceString(claims.cart_mandate_id ?? claims.cartMandateId),\n payment_method: coerceString(claims.payment_method ?? claims.paymentMethod),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n credential_provider: coerceString(claims.credential_provider ?? claims.credentialProvider),\n raw: claims,\n };\n}\n\nfunction toPaymentDetails(v: unknown): AP2PaymentDetailsTotal \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n const amount = r.amount as Record<string, unknown> \| undefined;\n return {\n amount: amount\n ? {\n value: coerceStringOrNumber(amount.value),\n currency: coerceString(amount.currency),\n }\n : undefined,\n label: coerceString(r.label),\n };\n}\n\nfunction toLineItems(v: unknown): AP2CartMandateClaims['line_items'] {\n if (!Array.isArray(v)) return undefined;\n const items: NonNullable<AP2CartMandateClaims['line_items']> = [];\n for (const item of v) {\n if (!item \|\| typeof item !== 'object') continue;\n const r = item as Record<string, unknown>;\n const price = r.price as Record<string, unknown> \| undefined;\n items.push({\n id: coerceString(r.id),\n quantity: coerceNumber(r.quantity),\n price: price\n ? {\n value: coerceStringOrNumber(price.value),\n currency: coerceString(price.currency),\n }\n : undefined,\n });\n }\n return items.length > 0 ? items : undefined;\n}\n\nfunction toStringArray(v: unknown): string[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out = v.filter((i): i is string => typeof i === 'string' && i.length > 0);\n return out.length > 0 ? out : undefined;\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction coerceMandateType(v: unknown): AP2MandateType \| null {\n if (v === 'intent_mandate' \|\| v === 'cart_mandate' \|\| v === 'payment_mandate') return v;\n return null;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction coerceStringOrNumber(v: unknown): string \| number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string' && v.length > 0) return v;\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n AP2 mandate chain verification.\n \n Checks the cross-reference consistency of an intent → cart → payment\n * triple. Does NOT verify cryptographic signatures here (that's a call to\n * @sd-jwt/core which needs the agent's / CP's public key; expose via a\n * verifier callback so pipeline can plug in the right resolver).\n \n Rules (per AP2 spec v0.1-draft):\n * - cart.intent_mandate_id must equal the intent mandate's canonical id (if present)\n * - payment.cart_mandate_id must equal the cart mandate's canonical id (if present)\n * - agent_id must match across all three layers\n * - payment_method in payment mandate must be in intent.paymentMethods (if declared)\n * - cart totals must not exceed intent totals (if both declared in same currency)\n * - no mandate may be expired (beyond clock skew)\n /\n\nimport type { AP2MandateTriple } from './ap2';\nimport { defaultNonceStore, type NonceStore } from './nonce-store';\n\nexport interface AP2VerifyInput {\n triple: AP2MandateTriple;\n /\n Clock skew tolerance in seconds for expiry checks. Default 60s (audit\n * F-A1-05 tightening from the previous 300s default).\n /\n clockSkewSec?: number;\n now?: () => number;\n /\n Optional replay-protection store. Defaults to in-process LRU. When the\n * payment mandate carries an id, this verifier registers it as seen so\n * the same payment mandate replayed within the expiry window is rejected.\n * Audit F-A1-05.\n /\n nonceStore?: NonceStore;\n}\n\nexport interface AP2ChainResult {\n ok: boolean;\n checks: {\n intentPresent: boolean;\n cartRefOk: boolean;\n paymentRefOk: boolean;\n agentIdContinuity: boolean;\n paymentMethodAllowed: boolean;\n totalsConsistent: boolean;\n expiryOk: boolean;\n };\n agentId?: string;\n errors: string[];\n}\n\nexport function verifyAP2Chain(input: AP2VerifyInput): AP2ChainResult {\n const { triple } = input;\n const errors: string[] = [];\n const toleranceSec = input.clockSkewSec ?? 60;\n const nonceStore = input.nonceStore ?? defaultNonceStore;\n\n const intentPresent = triple.intent !== undefined;\n const cartRefOk = checkCartRef(triple, errors);\n const paymentRefOk = checkPaymentRef(triple, errors);\n const { ok: agentIdContinuity, agentId } = checkAgentContinuity(triple, errors);\n const paymentMethodAllowed = checkPaymentMethod(triple, errors);\n const totalsConsistent = checkTotals(triple, errors);\n const expiryOk = checkExpiries(triple, toleranceSec, input.now, errors);\n\n // Audit F-A1-05: replay protection. Register the payment mandate id (or\n // cart mandate id as fallback) so the same triple replayed within the\n // expiry window is rejected. Window matches the tolerance.\n let replayOk = true;\n const replayId = triple.payment?.raw?.id ?? triple.cart?.raw?.id;\n if (typeof replayId === 'string' && replayId.length > 0) {\n const now = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const expiresAt = (now + toleranceSec) 1000;\n if (nonceStore.seen(`ap2:${replayId}`, expiresAt)) {\n errors.push(`AP2 chain replay — mandate ${replayId} already seen within tolerance window`);\n replayOk = false;\n }\n }\n\n const ok =\n cartRefOk &&\n paymentRefOk &&\n agentIdContinuity &&\n paymentMethodAllowed &&\n totalsConsistent &&\n expiryOk &&\n replayOk;\n\n return {\n ok,\n checks: {\n intentPresent,\n cartRefOk,\n paymentRefOk,\n agentIdContinuity,\n paymentMethodAllowed,\n totalsConsistent,\n expiryOk,\n },\n agentId,\n errors,\n };\n}\n\nfunction checkCartRef(triple: AP2MandateTriple, errors: string[]): boolean {\n const cart = triple.cart;\n if (!cart) return true;\n if (!cart.intent_mandate_id) return true;\n const intentId = triple.intent?.raw?.id as string \| undefined;\n if (intentId && cart.intent_mandate_id !== intentId) {\n errors.push(\n `cart.intent_mandate_id (${cart.intent_mandate_id}) does not match intent.id (${intentId})`\n );\n return false;\n }\n return true;\n}\n\nfunction checkPaymentRef(triple: AP2MandateTriple, errors: string[]): boolean {\n const payment = triple.payment;\n if (!payment) return true;\n if (!payment.cart_mandate_id) return true;\n const cartId = triple.cart?.raw?.id as string \| undefined;\n if (cartId && payment.cart_mandate_id !== cartId) {\n errors.push(\n `payment.cart_mandate_id (${payment.cart_mandate_id}) does not match cart.id (${cartId})`\n );\n return false;\n }\n return true;\n}\n\nfunction checkAgentContinuity(\n triple: AP2MandateTriple,\n errors: string[]\n): { ok: boolean; agentId?: string } {\n // Audit F-A1-03: previously returned ok: true when ids.length === 0,\n // letting agent_id-stripped triples pass. Now: at least one of the three\n // mandates must declare an agent_id. (If only some declare it, the unique\n // check still enforces consistency.)\n const ids = [triple.intent?.agent_id, triple.cart?.agent_id, triple.payment?.agent_id].filter(\n (id): id is string => typeof id === 'string' && id.length > 0\n );\n if (ids.length === 0) {\n errors.push('agent_id missing across all three mandates (intent/cart/payment)');\n return { ok: false };\n }\n const unique = new Set(ids);\n if (unique.size > 1) {\n errors.push(`agent_id mismatch across mandates: ${Array.from(unique).join(', ')}`);\n return { ok: false, agentId: undefined };\n }\n return { ok: true, agentId: ids[0] };\n}\n\nfunction checkPaymentMethod(triple: AP2MandateTriple, errors: string[]): boolean {\n const allowed = triple.intent?.paymentMethods;\n if (!allowed \|\| allowed.length === 0) return true;\n // Audit F-A1-03: previously returned ok: true when payment_method missing,\n // letting strip-the-field attacks bypass the intent's paymentMethods\n // allowlist. Now: when payment mandate IS PRESENT, it MUST carry a\n // payment_method that the intent's allowlist authorises. Cart-only\n // flows (no payment mandate yet) are legitimate per AP2 spec — those\n // are exercised when the payment mandate is later signed; the\n // allowlist check fires at THAT point.\n if (!triple.payment) return true;\n const paymentMethod = triple.payment.payment_method;\n if (!paymentMethod) {\n errors.push(\n `payment.payment_method missing but intent declares allowlist [${allowed.join(', ')}]`\n );\n return false;\n }\n if (!allowed.includes(paymentMethod)) {\n errors.push(\n `payment_method \"${paymentMethod}\" not in intent.paymentMethods [${allowed.join(', ')}]`\n );\n return false;\n }\n return true;\n}\n\nfunction checkTotals(triple: AP2MandateTriple, errors: string[]): boolean {\n const intentTotal = toNumericAmount(triple.intent?.payment_details_total);\n const cartTotal = toNumericAmount(triple.cart?.payment_details_total);\n const paymentTotal = toNumericAmount(triple.payment?.payment_details_total);\n\n if (intentTotal && cartTotal && intentTotal.currency === cartTotal.currency) {\n if (cartTotal.value > intentTotal.value) {\n errors.push(\n `cart total ${cartTotal.value} ${cartTotal.currency} exceeds intent cap ${intentTotal.value}`\n );\n return false;\n }\n }\n if (cartTotal && paymentTotal && cartTotal.currency === paymentTotal.currency) {\n if (paymentTotal.value > cartTotal.value) {\n errors.push(\n `payment total ${paymentTotal.value} ${paymentTotal.currency} exceeds cart total ${cartTotal.value}`\n );\n return false;\n }\n }\n return true;\n}\n\nfunction checkExpiries(\n triple: AP2MandateTriple,\n toleranceSec: number,\n nowFn: (() => number) \| undefined,\n errors: string[]\n): boolean {\n const now = nowFn ? nowFn() : Math.floor(Date.now() / 1000);\n let ok = true;\n\n // Audit F-A1-03: previously iterated only intent + cart; payment was\n // omitted, so expired payment mandates passed verification. Now includes\n // all three layers. AP2PaymentMandateClaims doesn't have a typed\n // `expires` field today (only intent/cart do); read from `raw.expires`\n // for payment as a defensive measure.\n const layers: Array<readonly [string, string \| undefined]> = [\n ['intent', triple.intent?.expires],\n ['cart', triple.cart?.expires],\n [\n 'payment',\n typeof triple.payment?.raw?.expires === 'string'\n ? (triple.payment.raw.expires as string)\n : typeof triple.payment?.raw?.exp === 'string'\n ? (triple.payment.raw.exp as string)\n : undefined,\n ],\n ];\n\n for (const [name, expires] of layers) {\n if (!expires) continue;\n const parsed = parseExpiry(expires);\n if (parsed === null) {\n errors.push(`${name}.expires unparseable`);\n ok = false;\n continue;\n }\n if (now > parsed + toleranceSec) {\n errors.push(`${name} mandate expired at ${expires}`);\n ok = false;\n }\n }\n return ok;\n}\n\nfunction toNumericAmount(\n total: import('./ap2').AP2PaymentDetailsTotal \| undefined\n): { value: number; currency: string } \| null {\n if (!total?.amount?.value \|\| !total.amount.currency) return null;\n const n =\n typeof total.amount.value === 'string' ? Number(total.amount.value) : total.amount.value;\n if (!Number.isFinite(n)) return null;\n return { value: n, currency: total.amount.currency };\n}\n\nfunction parseExpiry(value: string): number \| null {\n const asInt = Number(value);\n if (Number.isFinite(asInt) && asInt > 0) {\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsedDate = Date.parse(value);\n if (Number.isFinite(parsedDate)) return Math.floor(parsedDate / 1000);\n return null;\n}\n","/*\n ACP detached-JSON-signature verifier.\n \n ACP (Agentic Commerce Protocol, OpenAI + Stripe) uses detached JSON\n * signatures over request bodies. The public signature algorithm is NOT\n * specified in open docs as of April 2026 (docs.stripe.com/agentic-commerce/\n is Private Preview). We implement Ed25519 and ES256 candidates against\n * whichever public key the caller supplies, and report algorithm-unsupported\n * as a trust signal rather than a hard fail so policy can weight it.\n \n Timestamp freshness (>300s default) IS a hard fail — prevents replay.\n \n Bearer-token → AstraSync agent binding is delegated to caller-supplied\n * resolver (typically the counterparty service).\n /\n\nimport type { JWK } from 'jose';\nimport { defaultNonceStore, type NonceStore } from './nonce-store';\n\nexport type ACPSignatureAlgorithm = 'ed25519' \| 'es256' \| 'unsupported';\n\nexport interface ACPVerifyInput {\n /* Raw request body over which the signature was computed. /\n rawBody: string;\n /* Value of the Signature header. Expected to be base64 (either standard or url). /\n signatureHeader?: string;\n /* Value of the Timestamp header (unix seconds as string, or ISO 8601). /\n timestampHeader?: string;\n /* Candidate public keys to try. First matching algorithm wins. /\n candidateKeys: Array<{ jwk: JWK; alg?: ACPSignatureAlgorithm \| string }>;\n /* Clock skew tolerance in seconds (default 60, audit F-A1-05 tightening from 300). /\n clockSkewSec?: number;\n /* Injectable now for tests. /\n now?: () => number;\n /* Optional replay-protection store. Defaults to in-process LRU. Audit F-A1-05. /\n nonceStore?: NonceStore;\n}\n\nexport interface ACPVerifyResult {\n ok: boolean;\n algorithm?: ACPSignatureAlgorithm;\n error?: string;\n /* True when timestamp is outside tolerance. /\n timestampStale?: boolean;\n}\n\nexport async function verifyACPSignature(input: ACPVerifyInput): Promise<ACPVerifyResult> {\n if (!input.signatureHeader) {\n return { ok: false, error: 'missing Signature header' };\n }\n\n const tolerance = input.clockSkewSec ?? 60;\n const nonceStore = input.nonceStore ?? defaultNonceStore;\n\n const freshness = checkTimestamp(input.timestampHeader, tolerance, input.now);\n if (!freshness.ok) {\n return { ok: false, error: freshness.error, timestampStale: true };\n }\n\n // Audit F-A1-05: replay protection. Header comment claimed \"Timestamp\n // freshness IS a hard fail — prevents replay\" but implementation didn't\n // enforce it. Key on (signature header, timestamp) so the same signature\n // submitted twice within tolerance is rejected.\n const nowSec = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const expiresAtMs = (nowSec + tolerance) 1000;\n const replayKey = `acp:${input.signatureHeader}:${input.timestampHeader ?? ''}`;\n if (nonceStore.seen(replayKey, expiresAtMs)) {\n return {\n ok: false,\n error: 'ACP signature replay — already seen within tolerance window',\n };\n }\n\n const signatureBytes = decodeBase64(input.signatureHeader);\n if (!signatureBytes) {\n return { ok: false, error: 'signature header is not valid base64' };\n }\n\n const bodyBytes = new TextEncoder().encode(input.rawBody);\n const { subtle } = await getSubtle();\n\n for (const candidate of input.candidateKeys) {\n const declaredAlg = normalizeAlgorithm(candidate.alg);\n const algsToTry: ACPSignatureAlgorithm[] =\n declaredAlg && declaredAlg !== 'unsupported' ? [declaredAlg] : ['ed25519', 'es256'];\n\n for (const alg of algsToTry) {\n try {\n const verified = await tryVerify(subtle, candidate.jwk, signatureBytes, bodyBytes, alg);\n if (verified) return { ok: true, algorithm: alg };\n } catch {\n // swallow per-candidate errors; try next algorithm/candidate\n }\n }\n }\n\n return {\n ok: false,\n algorithm: 'unsupported',\n error: 'no candidate key verified the signature under Ed25519 or ES256',\n };\n}\n\nasync function tryVerify(\n subtle: SubtleCrypto,\n jwk: JWK,\n signature: Uint8Array,\n body: Uint8Array,\n alg: ACPSignatureAlgorithm\n): Promise<boolean> {\n if (alg === 'ed25519') {\n if (jwk.kty !== 'OKP' \|\| jwk.crv !== 'Ed25519') return false;\n const key = await subtle.importKey('jwk', jwk as JsonWebKey, { name: 'Ed25519' }, false, [\n 'verify',\n ]);\n return await subtle.verify({ name: 'Ed25519' }, key, toBuf(signature), toBuf(body));\n }\n if (alg === 'es256') {\n if (jwk.kty !== 'EC' \|\| jwk.crv !== 'P-256') return false;\n const key = await subtle.importKey(\n 'jwk',\n jwk as JsonWebKey,\n { name: 'ECDSA', namedCurve: 'P-256' },\n false,\n ['verify']\n );\n return await subtle.verify(\n { name: 'ECDSA', hash: 'SHA-256' },\n key,\n toBuf(signature),\n toBuf(body)\n );\n }\n return false;\n}\n\nfunction toBuf(bytes: Uint8Array): ArrayBuffer {\n const out = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(out).set(bytes);\n return out;\n}\n\nfunction checkTimestamp(\n headerValue: string \| undefined,\n toleranceSec: number,\n nowFn?: () => number\n): { ok: true } \| { ok: false; error: string } {\n if (!headerValue) return { ok: false, error: 'missing Timestamp header' };\n const ts = parseTimestamp(headerValue);\n if (ts === null) return { ok: false, error: 'unparseable Timestamp header' };\n const now = nowFn ? nowFn() : Math.floor(Date.now() / 1000);\n if (Math.abs(now - ts) > toleranceSec) {\n return { ok: false, error: `timestamp outside ${toleranceSec}s tolerance` };\n }\n return { ok: true };\n}\n\nfunction parseTimestamp(value: string): number \| null {\n const asInt = Number(value);\n if (Number.isFinite(asInt) && asInt > 0) {\n // Treat >= 1e12 as milliseconds; otherwise seconds.\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsedDate = Date.parse(value);\n if (Number.isFinite(parsedDate)) return Math.floor(parsedDate / 1000);\n return null;\n}\n\nfunction normalizeAlgorithm(alg: string \| undefined): ACPSignatureAlgorithm \| undefined {\n if (!alg) return undefined;\n const lowered = alg.toLowerCase();\n if (lowered === 'ed25519' \|\| lowered === 'eddsa') return 'ed25519';\n if (lowered === 'es256' \|\| lowered.startsWith('ecdsa-p256')) return 'es256';\n return 'unsupported';\n}\n\nfunction decodeBase64(value: string): Uint8Array \| null {\n try {\n // Accept either standard base64 or url-safe; jose and node both accept both via Buffer.\n const normalized = value.replace(/-/g, '+').replace(/_/g, '/');\n const pad = normalized.length % 4 === 0 ? '' : '='.repeat(4 - (normalized.length % 4));\n return new Uint8Array(Buffer.from(normalized + pad, 'base64'));\n } catch {\n return null;\n }\n}\n\nasync function getSubtle(): Promise<{ subtle: SubtleCrypto }> {\n if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.subtle) {\n return { subtle: globalThis.crypto.subtle };\n }\n const nodeCrypto = await import('node:crypto');\n return { subtle: nodeCrypto.webcrypto.subtle as SubtleCrypto };\n}\n","/*\n MPP (Machine Payments Protocol) extractor.\n \n Wraps mppx (wevm) — pinned to 0.5.13, wrapped behind this adapter so\n * upgrades localise here. MPP launched March 18 2026 (Stripe + Tempo +\n * Paradigm), IETF draft-ryan-httpauth-payment-01.\n \n Flow:\n * Client → GET /resource\n * Server → 402 + WWW-Authenticate: Payment id=..., realm=..., method=tempo\|stripe\|...\n * Client → GET /resource with Authorization: Payment <base64url-json credential>\n * Server → 200 + Payment-Receipt: <base64url-json receipt>\n \n What we extract:\n * - Challenge: id, realm, method, intent, request{amount,currency,...}, expires, digest\n * - Credential: challenge + source (DID/chain-key) + payload (method-specific)\n * - Receipt: challengeId, method, reference (tx hash / pi_... ID), settlement\n * - Multi-method 402 offers (may be multiple WWW-Authenticate headers)\n \n What we do NOT verify here (pass-through):\n * - HMAC challenge binding (requires merchant's MPP_SECRET_KEY)\n * - Payment proof cryptography (Tempo tx sig, Stripe SPT, Lightning preimage)\n * — each requires upstream connectivity\n \n Verification (expiry + BodyDigest + source extraction) in mpp-verify.ts.\n /\n\nimport { Challenge, Credential, Receipt } from 'mppx';\n\nexport interface MPPChallengeSummary {\n id: string;\n realm: string;\n method: string;\n intent: string;\n /* Method-specific request data (amount, currency, recipient, etc.) /\n request: Record<string, unknown>;\n expires?: string;\n digest?: string;\n description?: string;\n opaque?: Record<string, string>;\n}\n\nexport interface MPPCredentialSummary {\n challenge: MPPChallengeSummary;\n /* DID or chain-native key identifying the payer. /\n source?: string;\n /* Method-specific payment proof (Tempo tx, SPT, Lightning preimage, etc.). /\n payload: unknown;\n}\n\nexport interface MPPReceiptSummary {\n method?: string;\n reference?: string;\n externalId?: string;\n status?: string;\n timestamp?: string;\n raw: Record<string, unknown>;\n}\n\nexport type MPPKind = 'challenge' \| 'credential' \| 'receipt' \| 'error' \| 'unknown';\n\nexport interface MPPRequestContext {\n kind: MPPKind;\n /* For 402 responses: one or more challenge offers. /\n challenges?: MPPChallengeSummary[];\n /* For requests with Authorization: Payment header. /\n credential?: MPPCredentialSummary;\n /* For 200 responses with Payment-Receipt header. /\n receipt?: MPPReceiptSummary;\n /* For problem+json error responses. /\n error?: { type?: string; title?: string; detail?: string };\n /* Detected payment methods offered (for multi-method 402). /\n offeredMethods?: string[];\n /* Raw body captured for BodyDigest verification in mpp-verify.ts. /\n rawBody?: string;\n}\n\nexport interface MPPRequestLike {\n method: string;\n url: string;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\nexport interface MPPResponseLike {\n status: number;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\n/\n Extract MPP context from an agent → merchant request.\n * Looks for `Authorization: Payment <credential>` header.\n /\nexport function extractMPPFromRequest(request: MPPRequestLike): MPPRequestContext \| null {\n const auth = readHeader(request.headers, 'authorization');\n if (!auth \|\| !/^\\sPayment\\s+/i.test(auth)) return null;\n\n try {\n const credential = Credential.deserialize(auth);\n return {\n kind: 'credential',\n credential: {\n challenge: summarizeChallenge(credential.challenge),\n source: credential.source,\n payload: credential.payload,\n },\n rawBody: request.rawBody,\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-credential-encoding' } };\n }\n}\n\n/*\n Extract MPP context from a merchant → agent response.\n * Handles 402 (challenge offers), 200 (receipt), 4xx (problem+json errors).\n /\nexport function extractMPPFromResponse(response: MPPResponseLike): MPPRequestContext \| null {\n if (response.status === 402) {\n const challenges = collectChallenges(response);\n if (challenges.length === 0) return null;\n const methods = Array.from(new Set(challenges.map((c) => c.method)));\n return {\n kind: 'challenge',\n challenges,\n offeredMethods: methods,\n };\n }\n\n const receiptHeader = readHeader(response.headers, 'payment-receipt');\n if (receiptHeader) {\n try {\n const parsed = Receipt.deserialize(receiptHeader);\n const r = parsed as unknown as Record<string, unknown>;\n return {\n kind: 'receipt',\n receipt: {\n method: coerceString(r.method),\n reference: coerceString(r.reference),\n externalId: coerceString(r.externalId ?? r.external_id),\n status: coerceString(r.status),\n timestamp: coerceString(r.timestamp),\n raw: r,\n },\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-receipt-encoding' } };\n }\n }\n\n const contentType = readHeader(response.headers, 'content-type');\n if (contentType && /application\\/problem\\+json/i.test(contentType)) {\n const body =\n typeof response.body === 'object' && response.body !== null\n ? (response.body as Record<string, unknown>)\n : {};\n return {\n kind: 'error',\n error: {\n type: coerceString(body.type),\n title: coerceString(body.title),\n detail: coerceString(body.detail),\n },\n };\n }\n\n return null;\n}\n\n/\n Extract from either a request OR a response, auto-detecting which has MPP\n * artifacts. Convenience for pipeline callers.\n /\nexport function extractMPPContext(\n message:\n \| { request: MPPRequestLike }\n \| { response: MPPResponseLike }\n \| (MPPRequestLike & Partial<MPPResponseLike>)\n): MPPRequestContext \| null {\n if ('request' in message) return extractMPPFromRequest(message.request);\n if ('response' in message) return extractMPPFromResponse(message.response);\n if (typeof (message as MPPResponseLike).status === 'number') {\n return extractMPPFromResponse(message as MPPResponseLike);\n }\n return extractMPPFromRequest(message as MPPRequestLike);\n}\n\nfunction collectChallenges(response: MPPResponseLike): MPPChallengeSummary[] {\n const wwwAuth = readHeader(response.headers, 'www-authenticate');\n if (!wwwAuth) return [];\n const headers = new Headers();\n headers.set('www-authenticate', wwwAuth);\n\n const out: MPPChallengeSummary[] = [];\n try {\n const list = Challenge.fromHeadersList(headers);\n for (const ch of list) {\n out.push(summarizeChallenge(ch as unknown as Challenge.Challenge));\n }\n } catch {\n // fall through with empty list\n }\n return out;\n}\n\nfunction summarizeChallenge(\n ch: Challenge.Challenge \| Record<string, unknown>\n): MPPChallengeSummary {\n const raw = ch as Record<string, unknown>;\n return {\n id: coerceString(raw.id) ?? '',\n realm: coerceString(raw.realm) ?? '',\n method: coerceString(raw.method) ?? '',\n intent: coerceString(raw.intent) ?? '',\n request: (raw.request as Record<string, unknown>) ?? {},\n expires: coerceString(raw.expires),\n digest: coerceString(raw.digest),\n description: coerceString(raw.description),\n opaque: raw.opaque as Record<string, string> \| undefined,\n };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| undefined {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n }\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n MPP verification — expiry + optional BodyDigest + source extraction.\n \n We do NOT verify the challenge's HMAC binding (needs merchant's secret)\n * or the cryptographic payment proof (per-method, requires upstream\n * connectivity). Those are the merchant's / settlement layer's job.\n \n Our job: structural correctness, expiry policy, tamper detection via\n * optional BodyDigest, and identity extraction for PDLSS binding.\n /\n\nimport { BodyDigest } from 'mppx';\nimport type { MPPRequestContext } from './mpp';\nimport { defaultNonceStore, type NonceStore } from './nonce-store';\n\nexport interface MPPVerifyInput {\n context: MPPRequestContext;\n /* Raw request body to validate BodyDigest against, if the challenge declares one. /\n rawBody?: string;\n /* Seconds of clock-skew tolerance on challenge.expires. Default 60 (audit F-A1-05). /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n /* Optional replay-protection store. Defaults to in-process LRU. Audit F-A1-05. /\n nonceStore?: NonceStore;\n}\n\nexport interface MPPVerifyResult {\n ok: boolean;\n expiryOk: boolean;\n bodyDigestOk: boolean \| null;\n source?: string;\n method?: string;\n error?: string;\n}\n\nexport function verifyMPP(input: MPPVerifyInput): MPPVerifyResult {\n const { context } = input;\n const tolerance = input.clockSkewSec ?? 60;\n const nowSec = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const nonceStore = input.nonceStore ?? defaultNonceStore;\n\n // Extract the challenge under test — for credential flow, from inside the\n // wrapped challenge; for bare challenge flow, from context.challenges[0].\n const challenge = context.credential?.challenge ?? (context.challenges && context.challenges[0]);\n const source = context.credential?.source;\n const method = challenge?.method;\n\n let expiryOk = true;\n if (challenge?.expires) {\n const parsedExpiry = Date.parse(challenge.expires);\n if (!Number.isFinite(parsedExpiry)) {\n return {\n ok: false,\n expiryOk: false,\n bodyDigestOk: null,\n source,\n method,\n error: 'unparseable challenge.expires',\n };\n }\n const expiresSec = Math.floor(parsedExpiry / 1000);\n if (nowSec > expiresSec + tolerance) {\n expiryOk = false;\n }\n }\n\n // Audit F-A1-04: previously when rawBody was present but the challenge\n // omitted `digest`, bodyDigestOk stayed `null` and was treated as OK.\n // Attacker could strip the digest field from the challenge and tamper\n // with body. Now: when rawBody is present, digest is REQUIRED.\n let bodyDigestOk: boolean \| null = null;\n if (input.rawBody !== undefined) {\n if (!challenge?.digest) {\n bodyDigestOk = false;\n } else {\n try {\n if (!/^sha-256=/.test(challenge.digest)) {\n bodyDigestOk = false;\n } else {\n bodyDigestOk = BodyDigest.verify(challenge.digest as `sha-256=${string}`, input.rawBody);\n }\n } catch {\n bodyDigestOk = false;\n }\n }\n }\n\n // Audit F-A1-05: replay protection. Use challenge nonce + digest as\n // replay key when available; fall back to digest alone. Window matches\n // the expiry tolerance.\n let replayOk = true;\n if (challenge?.digest && expiryOk) {\n const replayKey = `mpp:${challenge.digest}:${(challenge as { nonce?: string }).nonce ?? ''}`;\n const expiresAt = (nowSec + tolerance) 1000;\n if (nonceStore.seen(replayKey, expiresAt)) {\n replayOk = false;\n }\n }\n\n const ok = expiryOk && (bodyDigestOk === null \|\| bodyDigestOk === true) && replayOk;\n const errors: string[] = [];\n if (!expiryOk) errors.push('challenge expired');\n if (bodyDigestOk === false) {\n errors.push(\n input.rawBody !== undefined && !challenge?.digest\n ? 'body digest required when rawBody present'\n : 'body digest mismatch'\n );\n }\n if (!replayOk) errors.push('MPP challenge replay — already seen within tolerance window');\n\n return {\n ok,\n expiryOk,\n bodyDigestOk,\n source,\n method,\n error: errors.length > 0 ? errors.join('; ') : undefined,\n };\n}\n","/*\n x402 (Coinbase / Linux Foundation x402 Foundation) extractor.\n \n Wraps @x402/core's schema parsers. x402 Foundation launched April 2 2026\n * with v2 adding network-agnostic identifiers + multiple facilitators +\n * Bazaar discovery. MPP (Machine Payments Protocol) is the IETF-formalised\n * superset of x402; this module normalizes x402 output to MPP-shape so\n * downstream pipeline code is uniform.\n \n Where x402 lives on the wire:\n * - 402 response body (v2) OR `X-PAYMENT-REQUIRED` header (v1) — PaymentRequired\n * - Request body (v2) OR `X-PAYMENT` header (v1, base64) — PaymentPayload\n /\n\nimport {\n validatePaymentRequired,\n validatePaymentPayload,\n type PaymentRequired,\n type PaymentPayload,\n type PaymentRequirements,\n} from '@x402/core/schemas';\nimport { safeBase64Decode } from '@x402/core/utils';\n\nexport type X402Kind = 'required' \| 'payload' \| 'error' \| 'unknown';\n\nexport interface X402RequirementsSummary {\n scheme: string;\n network: string;\n asset: string;\n /* Normalized to string for v1/v2 compat — v1 uses maxAmountRequired, v2 uses amount. /\n amount: string;\n payTo: string;\n maxTimeoutSeconds?: number;\n resource?: string;\n description?: string;\n}\n\nexport interface X402RequestContext {\n kind: X402Kind;\n version: 1 \| 2 \| null;\n /* For 402 responses: the PaymentRequired body. /\n paymentRequired?: {\n resource: string;\n accepts: X402RequirementsSummary[];\n extensions?: Record<string, unknown>;\n error?: string;\n };\n /* For request body (v2) or X-PAYMENT header (v1 base64): the PaymentPayload. /\n paymentPayload?: {\n scheme: string;\n network: string;\n /* Free-form per-scheme payload (e.g. EIP-3009 authorization, Solana tx). /\n payload: Record<string, unknown>;\n extensions?: Record<string, unknown>;\n };\n error?: { type: string; detail?: string };\n /* Whether this was parsed from a header (v1 back-compat) or body (v2). /\n source: 'header' \| 'body' \| null;\n}\n\nexport interface X402RequestLike {\n method?: string;\n url?: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport interface X402ResponseLike {\n status?: number;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\n/\n Extract x402 PaymentPayload from an agent → merchant request.\n * Checks v2 body (if it parses as PaymentPayload) and v1 X-PAYMENT header.\n /\nexport function extractX402FromRequest(request: X402RequestLike): X402RequestContext \| null {\n const headerValue = readHeader(request.headers, 'x-payment');\n\n // v2 body path first\n if (request.body && typeof request.body === 'object') {\n const parsed = tryParsePayload(request.body);\n if (parsed) return buildPayloadContext(parsed, 'body');\n }\n\n // v1 header path\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParsePayload(json);\n if (parsed) return buildPayloadContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-payload' },\n };\n }\n }\n\n return null;\n}\n\n/\n Extract x402 PaymentRequired from a merchant → agent 402 response.\n /\nexport function extractX402FromResponse(response: X402ResponseLike): X402RequestContext \| null {\n if (response.status !== 402) return null;\n\n // v2 body path\n if (response.body && typeof response.body === 'object') {\n const parsed = tryParseRequired(response.body);\n if (parsed) return buildRequiredContext(parsed, 'body');\n }\n\n // v1 header path\n const headerValue = readHeader(response.headers, 'x-payment-required');\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParseRequired(json);\n if (parsed) return buildRequiredContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-required' },\n };\n }\n }\n\n return null;\n}\n\nexport function extractX402Context(\n message:\n \| { request: X402RequestLike }\n \| { response: X402ResponseLike }\n \| (X402RequestLike & Partial<X402ResponseLike>)\n): X402RequestContext \| null {\n if ('request' in message) return extractX402FromRequest(message.request);\n if ('response' in message) return extractX402FromResponse(message.response);\n if (typeof (message as X402ResponseLike).status === 'number') {\n return extractX402FromResponse(message as X402ResponseLike);\n }\n return extractX402FromRequest(message as X402RequestLike);\n}\n\nfunction tryParseRequired(data: unknown): PaymentRequired \| null {\n try {\n return validatePaymentRequired(data);\n } catch {\n return null;\n }\n}\n\nfunction tryParsePayload(data: unknown): PaymentPayload \| null {\n try {\n return validatePaymentPayload(data);\n } catch {\n return null;\n }\n}\n\nfunction buildRequiredContext(\n parsed: PaymentRequired,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepts = (asRecord.accepts as PaymentRequirements[] \| undefined) ?? [];\n return {\n kind: 'required',\n version,\n source,\n paymentRequired: {\n resource: resolveResource(asRecord.resource),\n accepts: accepts.map(summarizeRequirement),\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n error: typeof asRecord.error === 'string' ? asRecord.error : undefined,\n },\n };\n}\n\nfunction buildPayloadContext(\n parsed: PaymentPayload,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepted = asRecord.accepted as PaymentRequirements \| undefined;\n const payload = (asRecord.payload as Record<string, unknown>) ?? {};\n return {\n kind: 'payload',\n version,\n source,\n paymentPayload: {\n scheme: accepted?.scheme ?? (typeof asRecord.scheme === 'string' ? asRecord.scheme : ''),\n network: accepted?.network ?? (typeof asRecord.network === 'string' ? asRecord.network : ''),\n payload,\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n },\n };\n}\n\nfunction summarizeRequirement(req: PaymentRequirements): X402RequirementsSummary {\n const r = req as unknown as Record<string, unknown>;\n const amount = (r.amount ?? r.maxAmountRequired ?? '0') as string;\n return {\n scheme: (r.scheme as string) ?? '',\n network: (r.network as string) ?? '',\n asset: (r.asset as string) ?? '',\n amount: String(amount),\n payTo: (r.payTo as string) ?? '',\n maxTimeoutSeconds: typeof r.maxTimeoutSeconds === 'number' ? r.maxTimeoutSeconds : undefined,\n resource: typeof r.resource === 'string' ? r.resource : undefined,\n description: typeof r.description === 'string' ? r.description : undefined,\n };\n}\n\nfunction resolveResource(v: unknown): string {\n if (typeof v === 'string') return v;\n if (v && typeof v === 'object' && 'url' in v && typeof (v as { url: unknown }).url === 'string') {\n return (v as { url: string }).url;\n }\n return '';\n}\n\nfunction coerceVersion(v: unknown): 1 \| 2 \| null {\n if (v === 1 \|\| v === 2) return v;\n return null;\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined> \| undefined,\n name: string\n): string \| undefined {\n if (!headers) return undefined;\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw[0];\n }\n }\n return undefined;\n}\n","/\n VI (Verifiable Intent) 3-layer SD-JWT chain verification.\n \n VI chains: L1 (credential provider → wallet) → L2 (user → agent) → L3\n * (agent → merchant). L3 itself can split into L3a (payment mandate) + L3b\n * (checkout mandate) cross-referenced via transaction_id, with L3b carrying\n * a checkout_hash (VI constraint type 8) that must match SHA-256 of the L2\n * checkout disclosure.\n \n Signature primitives are delegated to @sd-jwt/core (via our extractor);\n * cnf.jwk chain-walking + cross-references + checkout_hash binding is\n * AstraSync-specific composition logic — that's the whitespace here.\n \n This module does NOT re-verify selective-disclosure hashes (the extractor\n * already applied them via @sd-jwt/decode). It DOES verify:\n * - cnf.jwk in L1 payload points to L2's signing key (thumbprint match)\n * - cnf.jwk in L2 payload points to L3's signing key\n * - L3a.transaction_id === L3b.transaction_id (when both present)\n * - L3b.checkout_hash === SHA-256(L2 canonical checkout disclosure) — type 8\n * - mandate-level `exp` is not in the past (beyond clock skew)\n \n Cryptographic signature verification on each layer uses the verifier\n * callback the caller supplies (e.g. resolves via @sd-jwt/core with the\n * right JWK from the L1 issuer's JWKS).\n /\n\nimport { createHash, webcrypto } from 'node:crypto';\nimport type { JWK } from 'jose';\nimport { defaultNonceStore, type NonceStore } from './nonce-store';\n\nexport interface VILayer {\n /* Compact SD-JWT / JWS for this layer. /\n compact: string;\n /* Decoded JWT payload (already disclosure-merged). /\n payload: Record<string, unknown>;\n /* Decoded JWT header. /\n header: Record<string, unknown>;\n}\n\nexport interface VIVerifyInput {\n /\n Layers in chain order. L1 is REQUIRED by default (audit F-A1-02) —\n * without L1 there is no chain root and L2 can be verified against any\n * attacker-supplied key. Callers who have resolved L2's signing key by\n * a trusted out-of-band mechanism (wallet binding, prior protocol step)\n * MUST set `allowUnboundChain: true` AND supply `expectedL2Key`.\n /\n layers: {\n l1?: VILayer;\n l2: VILayer;\n l3a?: VILayer;\n l3b?: VILayer;\n };\n /\n Verifier callback invoked per layer. Should return true iff the layer's\n * JWS signature verifies against the resolved public key (for L2 this is\n * L1's cnf.jwk; for L3 this is L2's cnf.jwk; for L1 this is the issuer's\n * JWKS per `iss` claim).\n /\n verifySignature: (layer: VILayer, expectedKey: JWK \| null) => Promise<boolean>;\n /\n Clock skew tolerance in seconds for expiry checks. Default 60s (audit\n * F-A1-05 tightening from the previous 300s default).\n /\n clockSkewSec?: number;\n now?: () => number;\n /\n Explicit opt-in to verify a chain with L1 omitted. Audit F-A1-02 fix\n * — defaults to false. When true, `expectedL2Key` MUST also be supplied\n * (used as the expected signing key for L2 verification).\n /\n allowUnboundChain?: boolean;\n /* Required when allowUnboundChain === true. /\n expectedL2Key?: JWK;\n /* Optional replay-protection store. Defaults to in-process LRU. /\n nonceStore?: NonceStore;\n}\n\nexport interface VIVerifyResult {\n ok: boolean;\n checks: {\n l1SigOk: boolean \| null;\n l2SigOk: boolean;\n l3aSigOk: boolean \| null;\n l3bSigOk: boolean \| null;\n l1BindsL2: boolean;\n l2BindsL3: boolean;\n l3aL3bTxnIdMatch: boolean \| null;\n checkoutHashOk: boolean \| null;\n expiryOk: boolean;\n };\n errors: string[];\n}\n\nexport async function verifyVIChain(input: VIVerifyInput): Promise<VIVerifyResult> {\n const errors: string[] = [];\n const tolerance = input.clockSkewSec ?? 60;\n const now = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const { l1, l2, l3a, l3b } = input.layers;\n const nonceStore = input.nonceStore ?? defaultNonceStore;\n\n // Audit F-A1-02: L1 is required unless caller explicitly opts into an\n // unbound chain AND supplies the expected L2 signing key. Otherwise L2\n // would be verified against null, which most verifier callbacks\n // interpret as \"use the JWK in the JWS header\" — accepting any\n // attacker-supplied key.\n if (!l1) {\n if (!input.allowUnboundChain) {\n errors.push(\n 'L1 missing — chain root unbound (set allowUnboundChain + expectedL2Key to override)'\n );\n } else if (!input.expectedL2Key) {\n errors.push('allowUnboundChain set but expectedL2Key missing');\n }\n }\n\n // Signature verification ---------------------------------\n const l1SigOk = l1 ? await input.verifySignature(l1, null) : null;\n if (l1 && !l1SigOk) errors.push('L1 signature invalid');\n\n const l1Cnf = extractCnfJwk(l1?.payload);\n // Use L1's cnf.jwk when L1 present; otherwise (opt-in unbound chain) use\n // the caller-supplied expectedL2Key. Never null — F-A1-02.\n const l2ExpectedKey: JWK \| null = l1Cnf ?? input.expectedL2Key ?? null;\n const l2SigOk = await input.verifySignature(l2, l2ExpectedKey);\n if (!l2SigOk) errors.push('L2 signature invalid');\n\n // Audit F-A1-05: replay protection on L2 signature. Use the compact JWS\n // as the nonce key; the signature is unique per request. Window matches\n // tolerance (denied replays past the window are already rejected by\n // expiry check, so we don't need to retain entries longer).\n if (l2SigOk) {\n const replayKey = `vi:l2:${l2.compact}`;\n const expiresAt = now 1000 + tolerance * 1000;\n if (nonceStore.seen(replayKey, expiresAt)) {\n errors.push('L2 signature replay — already seen within tolerance window');\n }\n }\n\n const l2Cnf = extractCnfJwk(l2.payload);\n const l3aSigOk = l3a ? await input.verifySignature(l3a, l2Cnf ?? null) : null;\n if (l3a && !l3aSigOk) errors.push('L3a signature invalid');\n const l3bSigOk = l3b ? await input.verifySignature(l3b, l2Cnf ?? null) : null;\n if (l3b && !l3bSigOk) errors.push('L3b signature invalid');\n\n // cnf.jwk binding ----------------------------------------\n let l1BindsL2 = true;\n if (l1Cnf) {\n const l2KeyFromHeader = await jwkForLayer(l2);\n l1BindsL2 = l2KeyFromHeader ? await thumbprintsMatch(l1Cnf, l2KeyFromHeader) : false;\n if (!l1BindsL2) errors.push('L1.cnf.jwk does not bind L2 signing key');\n }\n\n let l2BindsL3 = true;\n if (l2Cnf && (l3a \|\| l3b)) {\n const l3Layer = l3a ?? l3b!;\n const l3KeyFromHeader = await jwkForLayer(l3Layer);\n l2BindsL3 = l3KeyFromHeader ? await thumbprintsMatch(l2Cnf, l3KeyFromHeader) : false;\n if (!l2BindsL3) errors.push('L2.cnf.jwk does not bind L3 signing key');\n }\n\n // L3a/L3b cross-reference --------------------------------\n let l3aL3bTxnIdMatch: boolean \| null = null;\n if (l3a && l3b) {\n const a = coerceString(l3a.payload.transaction_id ?? l3a.payload.transactionId);\n const b = coerceString(l3b.payload.transaction_id ?? l3b.payload.transactionId);\n if (a && b) {\n l3aL3bTxnIdMatch = a === b;\n if (!l3aL3bTxnIdMatch) {\n errors.push(`L3a.transaction_id (${a}) does not match L3b.transaction_id (${b})`);\n }\n }\n }\n\n // checkout_hash (VI constraint type 8) -------------------\n let checkoutHashOk: boolean \| null = null;\n if (l3b) {\n const declaredHash = coerceString(\n l3b.payload.checkout_hash ??\n l3b.payload.conditional_transaction_id ??\n (l3b.payload.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n if (declaredHash) {\n const computed = computeCheckoutHashFromL2(l2);\n checkoutHashOk = computed ? declaredHash === computed : false;\n if (!checkoutHashOk) {\n errors.push('L3b.checkout_hash does not match SHA-256 of L2 checkout disclosure');\n }\n }\n }\n\n // Expiry policy ------------------------------------------\n const expiryOk = checkExpiryAcross([l1, l2, l3a, l3b], tolerance, now, errors);\n\n // Audit F-A1-02 + F-A1-05: ok also requires the chain-root + replay\n // checks above to have passed (errors array captures both). Previously\n // `ok` was derived purely from individual check booleans, so the L1-\n // required errors and replay-detected errors didn't gate it.\n const noUnboundChainOrReplayErrors = !errors.some(\n (e) =>\n e.startsWith('L1 missing') \|\|\n e.startsWith('allowUnboundChain set') \|\|\n e.startsWith('L2 signature replay')\n );\n\n const ok =\n l1SigOk !== false &&\n l2SigOk &&\n l3aSigOk !== false &&\n l3bSigOk !== false &&\n l1BindsL2 &&\n l2BindsL3 &&\n l3aL3bTxnIdMatch !== false &&\n checkoutHashOk !== false &&\n expiryOk &&\n noUnboundChainOrReplayErrors;\n\n return {\n ok,\n checks: {\n l1SigOk,\n l2SigOk,\n l3aSigOk,\n l3bSigOk,\n l1BindsL2,\n l2BindsL3,\n l3aL3bTxnIdMatch,\n checkoutHashOk,\n expiryOk,\n },\n errors,\n };\n}\n\nfunction extractCnfJwk(payload: Record<string, unknown> \| undefined): JWK \| null {\n if (!payload) return null;\n const cnf = payload.cnf as Record<string, unknown> \| undefined;\n if (!cnf) return null;\n const jwk = cnf.jwk as JWK \| undefined;\n return jwk ?? null;\n}\n\nasync function jwkForLayer(layer: VILayer): Promise<JWK \| null> {\n // Prefer explicit cnf.jwk in the header, then payload; fallback to null.\n const fromHeader = extractCnfJwk(layer.header);\n if (fromHeader) return fromHeader;\n const fromPayload = extractCnfJwk(layer.payload);\n return fromPayload;\n}\n\nasync function thumbprintsMatch(a: JWK, b: JWK): Promise<boolean> {\n try {\n const ta = await jwkThumbprint(a);\n const tb = await jwkThumbprint(b);\n return ta === tb;\n } catch {\n return false;\n }\n}\n\n// RFC 7638 thumbprint: SHA-256 over the canonical JSON of required JWK members.\nasync function jwkThumbprint(jwk: JWK): Promise<string> {\n const canonical = canonicalJwk(jwk);\n const bytes = new TextEncoder().encode(JSON.stringify(canonical));\n const subtle = webcrypto.subtle as SubtleCrypto;\n const buffer = await new Promise<ArrayBuffer>((resolve, reject) => {\n const source = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(source).set(bytes);\n subtle.digest('SHA-256', source).then(resolve).catch(reject);\n });\n return Buffer.from(new Uint8Array(buffer)).toString('base64url').replace(/=+$/, '');\n}\n\nfunction canonicalJwk(jwk: JWK): Record<string, string> {\n // Per RFC 7638: members must appear in lexicographic order; only required\n // fields per kty are included.\n if (jwk.kty === 'EC') {\n return { crv: jwk.crv ?? '', kty: 'EC', x: jwk.x ?? '', y: jwk.y ?? '' };\n }\n if (jwk.kty === 'OKP') {\n return { crv: jwk.crv ?? '', kty: 'OKP', x: jwk.x ?? '' };\n }\n if (jwk.kty === 'RSA') {\n return { e: jwk.e ?? '', kty: 'RSA', n: jwk.n ?? '' };\n }\n return { kty: jwk.kty ?? '' };\n}\n\nfunction computeCheckoutHashFromL2(l2: VILayer): string \| null {\n const checkoutDisclosure = (l2.payload.checkout ?? l2.payload.checkout_mandate) as unknown;\n if (!checkoutDisclosure) return null;\n const canonical = canonicalStringify(checkoutDisclosure);\n const hash = createHash('sha256').update(canonical).digest('base64url').replace(/=+$/, '');\n return hash;\n}\n\nfunction canonicalStringify(value: unknown): string {\n if (value === null \|\| typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) return '[' + value.map(canonicalStringify).join(',') + ']';\n const entries = Object.entries(value as Record<string, unknown>).sort(([a], [b]) =>\n a < b ? -1 : a > b ? 1 : 0\n );\n return (\n '{' + entries.map(([k, v]) => JSON.stringify(k) + ':' + canonicalStringify(v)).join(',') + '}'\n );\n}\n\nfunction checkExpiryAcross(\n layers: Array<VILayer \| undefined>,\n toleranceSec: number,\n nowSec: number,\n errors: string[]\n): boolean {\n let ok = true;\n const names = ['L1', 'L2', 'L3a', 'L3b'];\n layers.forEach((layer, idx) => {\n if (!layer) return;\n const exp = toUnixSeconds(layer.payload.exp ?? layer.payload.expires);\n if (exp === undefined) return;\n if (nowSec > exp + toleranceSec) {\n errors.push(`${names[idx]} mandate expired at ${exp}`);\n ok = false;\n }\n });\n return ok;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const asInt = Number(v);\n if (Number.isFinite(asInt) && asInt > 0) {\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/*\n Commerce pipeline orchestrator.\n \n Ties together extractors + verifiers + identity binding + constraint\n * evaluation + trust signals into a single CommerceContext result.\n \n This is AstraSync whitespace: the orchestration over the library-backed\n * primitives. PR 3's Commerce Shield Lambda will call this per request;\n * the admin playground page will call it ad-hoc.\n \n Policy:\n * - Hard-deny (ok=false) on bad signatures, expired mandates, constraint\n * failures, identity cannot be bound.\n * - Trust signal (ok remains policy-driven) on ACP algorithm unsupported,\n * Stripe webhook HMAC fail, payment-token type unknown, cross-layer\n * identity mismatch.\n /\n\nimport type { ACPRequestContext } from './acp';\nimport { verifyACPSignature, type ACPVerifyResult } from './acp-verify';\nimport type { AP2MandateTriple } from './ap2';\nimport { verifyAP2Chain, type AP2ChainResult } from './ap2-verify';\nimport {\n evaluateVIConstraints,\n evaluatePaymentMethodAllowlist,\n evaluateSpendingLimit,\n type ConstraintEvalResult,\n type TransactionContext,\n} from './constraint-eval';\nimport { bindIdentity, type IdentityClaim, type IdentityResolver } from './identity-binding';\nimport { verifyMPP, type MPPVerifyResult } from './mpp-verify';\nimport type { MPPRequestContext } from './mpp';\nimport {\n mapACPRequestToPurpose,\n mapMPPRequestToPurpose,\n mapRFC9421TagToPurpose,\n mapUCPRequestToPurpose,\n mapVIMandateToPurpose,\n mapX402RequestToPurpose,\n type CommercePurpose,\n} from './purpose-mapping';\nimport {\n verifyRFC9421,\n type RFC9421VerifyResult,\n type RFC9421VerifyRequest,\n} from './rfc9421-verify';\nimport { verifyStripeWebhook, type VerifyStripeWebhookResult } from './stripe-webhook';\nimport {\n extractACPTransactionValue,\n extractMPPTransactionValue,\n extractUCPTransactionValue,\n extractVITransactionValue,\n extractX402TransactionValue,\n type TransactionValueContext,\n} from './transaction-value';\nimport type { UCPCheckoutContext } from './ucp';\nimport { verifyVIChain, type VIVerifyInput, type VIVerifyResult } from './vi-verify';\nimport type { VIExtractedClaims } from './vi';\nimport type { X402RequestContext } from './x402';\n\nexport type CommerceProtocol = 'vi' \| 'ap2' \| 'ucp' \| 'acp' \| 'agentpay' \| 'tap' \| 'mpp' \| 'x402';\n\nexport interface CommercePipelineInput {\n protocol: CommerceProtocol;\n vi?: { claims: VIExtractedClaims; verifyInput?: VIVerifyInput };\n ap2?: { triple: AP2MandateTriple };\n ucp?: UCPCheckoutContext;\n acp?: {\n context: ACPRequestContext;\n verifyInput?: Parameters<typeof verifyACPSignature>[0];\n };\n rfc9421?: {\n request: RFC9421VerifyRequest;\n tag?: 'browse' \| 'purchase' \| string;\n verifyOptions: Parameters<typeof verifyRFC9421>[1];\n };\n mpp?: { context: MPPRequestContext; rawBody?: string };\n x402?: X402RequestContext;\n stripeWebhook?: { payload: string; signatureHeader: string; secret: string };\n transaction?: TransactionContext;\n registeredConstraints?: {\n allowedPaymentMethods?: string[];\n spendingLimit?: { amount?: number; currency?: string };\n };\n identityResolver?: IdentityResolver;\n clockSkewSec?: number;\n now?: () => number;\n}\n\nexport interface CommerceSignatureStack {\n vi?: VIVerifyResult;\n ap2?: AP2ChainResult;\n acp?: ACPVerifyResult;\n rfc9421?: RFC9421VerifyResult;\n mpp?: MPPVerifyResult;\n stripeWebhook?: VerifyStripeWebhookResult;\n}\n\nexport interface CommerceContext {\n protocol: CommerceProtocol;\n purpose: CommercePurpose \| null;\n transactionValue?: TransactionValueContext;\n signatures: CommerceSignatureStack;\n identity?: {\n claims: IdentityClaim[];\n mappedAstraSyncAgentId?: string;\n mismatchAcrossLayers: boolean;\n };\n paymentToken?: {\n present: boolean;\n type: 'stripe-spt' \| 'acp-vt' \| 'tempo-tx' \| 'other' \| null;\n };\n mppMethodsOffered?: string[];\n constraints?: ConstraintEvalResult;\n receipt?: {\n method?: string;\n reference?: string;\n status?: string;\n timestamp?: string;\n };\n trustSignals: string[];\n timings: { extractMs: number; verifyMs: number; evalMs: number };\n /* False when any hard-deny rule fires. /\n ok: boolean;\n}\n\nexport async function runCommercePipeline(input: CommercePipelineInput): Promise<CommerceContext> {\n const trustSignals: string[] = [];\n const signatures: CommerceSignatureStack = {};\n const timings = { extractMs: 0, verifyMs: 0, evalMs: 0 };\n\n const extractStart = performance.now();\n const purpose = resolvePurpose(input);\n const transactionValue = resolveTransactionValue(input);\n const identityClaims = collectIdentityClaims(input);\n const paymentToken = resolvePaymentToken(input);\n timings.extractMs = Math.round(performance.now() - extractStart);\n\n const verifyStart = performance.now();\n let hardDeny = false;\n\n if (input.vi?.verifyInput) {\n signatures.vi = await verifyVIChain(input.vi.verifyInput);\n if (!signatures.vi.ok) hardDeny = true;\n }\n\n if (input.ap2) {\n signatures.ap2 = verifyAP2Chain({\n triple: input.ap2.triple,\n clockSkewSec: input.clockSkewSec,\n now: input.now,\n });\n if (!signatures.ap2.ok) hardDeny = true;\n }\n\n if (input.acp?.verifyInput) {\n signatures.acp = await verifyACPSignature(input.acp.verifyInput);\n if (!signatures.acp.ok && signatures.acp.timestampStale) hardDeny = true;\n if (signatures.acp.algorithm === 'unsupported') {\n trustSignals.push('acp-signature-algorithm-unsupported');\n } else if (!signatures.acp.ok) {\n hardDeny = true;\n }\n }\n\n if (input.rfc9421) {\n signatures.rfc9421 = await verifyRFC9421(input.rfc9421.request, input.rfc9421.verifyOptions);\n if (!signatures.rfc9421.ok) hardDeny = true;\n }\n\n if (input.mpp) {\n signatures.mpp = verifyMPP({\n context: input.mpp.context,\n rawBody: input.mpp.rawBody,\n clockSkewSec: input.clockSkewSec,\n now: input.now,\n });\n if (!signatures.mpp.ok) hardDeny = true;\n if (input.mpp.context.credential?.source) {\n trustSignals.push(`mpp-source-${shortSource(input.mpp.context.credential.source)}`);\n }\n }\n\n if (input.stripeWebhook) {\n signatures.stripeWebhook = verifyStripeWebhook(\n input.stripeWebhook.payload,\n input.stripeWebhook.signatureHeader,\n input.stripeWebhook.secret,\n { now: input.now ? () => input.now!() : undefined }\n );\n if (!signatures.stripeWebhook.ok) {\n trustSignals.push('stripe-webhook-hmac-failed');\n }\n }\n timings.verifyMs = Math.round(performance.now() - verifyStart);\n\n let identity: CommerceContext['identity'];\n if (input.identityResolver && identityClaims.length > 0) {\n const bound = await bindIdentity(identityClaims, input.identityResolver);\n identity = {\n claims: identityClaims,\n mappedAstraSyncAgentId: bound.mappedAstraSyncAgentId,\n mismatchAcrossLayers: bound.mismatchAcrossLayers,\n };\n if (bound.mismatchAcrossLayers) trustSignals.push('identity-mismatch-across-layers');\n } else if (identityClaims.length > 0) {\n identity = {\n claims: identityClaims,\n mappedAstraSyncAgentId: undefined,\n mismatchAcrossLayers: false,\n };\n }\n\n const evalStart = performance.now();\n const constraints = runConstraintEval(input);\n if (constraints && !constraints.ok) hardDeny = true;\n timings.evalMs = Math.round(performance.now() - evalStart);\n\n if (paymentToken?.type === 'stripe-spt') trustSignals.push('stripe-spt-present');\n if (paymentToken?.type === 'acp-vt') trustSignals.push('acp-vault-token-present');\n if (paymentToken?.type === 'tempo-tx') trustSignals.push('tempo-transaction-present');\n\n const mppReceipt = input.mpp?.context.receipt;\n\n return {\n protocol: input.protocol,\n purpose,\n transactionValue,\n signatures,\n identity,\n paymentToken,\n mppMethodsOffered: input.mpp?.context.offeredMethods,\n constraints,\n receipt: mppReceipt\n ? {\n method: mppReceipt.method,\n reference: mppReceipt.reference,\n status: mppReceipt.status,\n timestamp: mppReceipt.timestamp,\n }\n : undefined,\n trustSignals,\n timings,\n ok: !hardDeny,\n };\n}\n\nfunction resolvePurpose(input: CommercePipelineInput): CommercePurpose \| null {\n if (input.vi?.claims.mandateType) {\n return mapVIMandateToPurpose(input.vi.claims.mandateType);\n }\n if (input.ap2?.triple.payment) return 'commerce.payment.execute';\n if (input.ap2?.triple.cart) return 'commerce.checkout.confirm';\n if (input.ap2?.triple.intent) return 'commerce.delegation.intent';\n if (input.ucp?.endpoint) {\n const [method, path] = input.ucp.endpoint.split(' ');\n return mapUCPRequestToPurpose(method ?? 'POST', path ?? '/');\n }\n if (input.acp?.context.endpoint) {\n // Extractor classifies as 'checkout_sessions.create\|update\|complete\|cancel'\n // or 'delegate_payment'. Route each to the correct purpose.\n switch (input.acp.context.endpoint) {\n case 'checkout_sessions.create':\n return 'commerce.checkout.create';\n case 'checkout_sessions.update':\n return 'commerce.checkout.update';\n case 'checkout_sessions.complete':\n return 'commerce.payment.execute';\n case 'checkout_sessions.cancel':\n return 'commerce.checkout.cancel';\n case 'delegate_payment':\n return 'commerce.delegation.payment';\n default:\n return mapACPRequestToPurpose('POST', '/checkout_sessions');\n }\n }\n if (input.rfc9421?.tag) {\n return mapRFC9421TagToPurpose(\n input.rfc9421.tag === 'browse' \|\| input.rfc9421.tag === 'purchase'\n ? (input.rfc9421.tag as 'browse' \| 'purchase')\n : undefined\n );\n }\n if (input.mpp?.context.credential?.challenge \|\| input.mpp?.context.challenges?.[0]) {\n const challenge = input.mpp.context.credential?.challenge ?? input.mpp.context.challenges?.[0];\n const amount = parseFloat(String(challenge?.request?.amount ?? 'NaN'));\n return mapMPPRequestToPurpose(\n challenge?.intent === 'session' ? 'session' : 'charge',\n Number.isFinite(amount) ? amount : undefined\n );\n }\n if (input.x402?.paymentRequired) {\n const amt = input.x402.paymentRequired.accepts[0]?.amount;\n return mapX402RequestToPurpose(Number(amt));\n }\n if (input.x402?.paymentPayload) return 'commerce.payment.execute';\n return null;\n}\n\nfunction resolveTransactionValue(\n input: CommercePipelineInput\n): TransactionValueContext \| undefined {\n if (input.vi?.claims) {\n const v = extractVITransactionValue({\n constraints: input.vi.claims.constraints,\n l3aPaymentAmount: (input.vi.claims.constraints.paymentAmount &&\n typeof input.vi.claims.constraints.paymentAmount.max === 'number'\n ? {\n amount: input.vi.claims.constraints.paymentAmount.max,\n currency: input.vi.claims.constraints.paymentAmount.currency,\n }\n : undefined) as { amount?: number; currency?: string } \| undefined,\n });\n if (v) return v;\n }\n if (input.ucp?.totals) {\n const v = extractUCPTransactionValue({ totals: input.ucp.totals });\n if (v) return v;\n }\n if (input.acp?.context.totals) {\n const v = extractACPTransactionValue({ totals: input.acp.context.totals });\n if (v) return v;\n }\n if (input.mpp?.context.credential?.challenge) {\n const ch = input.mpp.context.credential.challenge;\n const v = extractMPPTransactionValue({ method: ch.method, request: ch.request });\n if (v) return v;\n }\n if (input.x402?.paymentRequired) {\n const first = input.x402.paymentRequired.accepts[0];\n if (first) {\n const v = extractX402TransactionValue({\n maxAmountRequired: Number(first.amount),\n asset: first.asset,\n });\n if (v) return v;\n }\n }\n return undefined;\n}\n\nfunction collectIdentityClaims(input: CommercePipelineInput): IdentityClaim[] {\n const claims: IdentityClaim[] = [];\n if (input.vi?.claims.kid)\n claims.push({ protocol: 'vi', field: 'kid', value: input.vi.claims.kid });\n if (input.ap2?.triple) {\n const agentId =\n input.ap2.triple.intent?.agent_id ??\n input.ap2.triple.cart?.agent_id ??\n input.ap2.triple.payment?.agent_id;\n if (agentId) claims.push({ protocol: 'ap2', field: 'agent_id', value: agentId });\n }\n if (input.acp?.context.bearer) {\n claims.push({ protocol: 'acp', field: 'bearer', value: input.acp.context.bearer });\n }\n if (input.mpp?.context.credential?.source) {\n claims.push({ protocol: 'mpp', field: 'source', value: input.mpp.context.credential.source });\n }\n if (input.rfc9421) {\n // For RFC 9421 the kid is recorded after verify (result.kid); not collected here.\n }\n return claims;\n}\n\nfunction resolvePaymentToken(input: CommercePipelineInput): CommerceContext['paymentToken'] {\n if (input.acp?.context.paymentToken?.type) {\n return { present: true, type: input.acp.context.paymentToken.type };\n }\n const mppMethod = input.mpp?.context.credential?.challenge?.method;\n if (mppMethod === 'tempo') return { present: true, type: 'tempo-tx' };\n if (mppMethod === 'stripe') return { present: true, type: 'stripe-spt' };\n return undefined;\n}\n\nfunction runConstraintEval(input: CommercePipelineInput): ConstraintEvalResult \| undefined {\n const transaction = input.transaction ?? {};\n const results: ConstraintEvalResult['results'] = {};\n const reasons: string[] = [];\n let hasAny = false;\n\n if (input.vi?.claims) {\n const viResult = evaluateVIConstraints({\n constraints: input.vi.claims.constraints,\n transaction,\n });\n for (const [k, v] of Object.entries(viResult.results)) {\n results[k] = v;\n if (!v.ok && v.reason) reasons.push(v.reason);\n }\n if (Object.keys(viResult.results).length > 0) hasAny = true;\n }\n\n const registered = input.registeredConstraints;\n if (registered?.allowedPaymentMethods) {\n const pm = evaluatePaymentMethodAllowlist({\n allowedMethods: registered.allowedPaymentMethods,\n requestedMethod: transaction.paymentMethod,\n });\n results.paymentMethod = pm;\n if (!pm.ok && pm.reason) reasons.push(pm.reason);\n hasAny = true;\n }\n if (registered?.spendingLimit) {\n const sp = evaluateSpendingLimit({\n limit: registered.spendingLimit,\n requested: { amount: transaction.amount, currency: transaction.currency },\n });\n results.spendingLimit = sp;\n if (!sp.ok && sp.reason) reasons.push(sp.reason);\n hasAny = true;\n }\n\n if (!hasAny) return undefined;\n return { ok: reasons.length === 0, results, reasons };\n}\n\nfunction shortSource(source: string): string {\n // Take first 16 chars sans scheme for trust-signal label readability.\n return source.replace(/^did:[a-z0-9]+:/, '').slice(0, 16);\n}\n","/\n Pluggable extractor registry for PR 3 Commerce Shield Lambda@Edge.\n \n Built-in extractors (VI, UCP, ACP, RFC 9421, MPP, x402, Stripe webhook)\n * are NOT auto-registered. PR 3 Lambda imports this module, picks the set\n * it wants, and calls registerTransportExtractor() for each.\n \n Re-registering by name replaces the prior extractor (idempotent).\n /\n\nexport interface ExtractorRequestLike {\n method?: string;\n url?: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport interface TransportExtractor<T = unknown> {\n readonly name: string;\n match(request: ExtractorRequestLike): boolean;\n extract(request: ExtractorRequestLike): T \| Promise<T> \| null;\n}\n\nconst registry = new Map<string, TransportExtractor>();\n\nexport function registerTransportExtractor<T>(extractor: TransportExtractor<T>): void {\n if (!extractor \|\| typeof extractor.name !== 'string' \|\| extractor.name.length === 0) {\n throw new Error('registerTransportExtractor: extractor must have a non-empty name');\n }\n registry.set(extractor.name, extractor as TransportExtractor);\n}\n\nexport function getTransportExtractors(): ReadonlyArray<TransportExtractor> {\n return Array.from(registry.values());\n}\n\nexport function getTransportExtractor(name: string): TransportExtractor \| undefined {\n return registry.get(name);\n}\n\nexport function clearTransportExtractors(): void {\n registry.clear();\n}\n\n/\n Helper: run all matching extractors against a request and return their\n * extracted contexts keyed by extractor name. Skips extractors whose\n * `match()` returns false.\n /\nexport async function runMatchingExtractors(\n request: ExtractorRequestLike\n): Promise<Record<string, unknown>> {\n const out: Record<string, unknown> = {};\n for (const extractor of registry.values()) {\n if (!extractor.match(request)) continue;\n const result = await extractor.extract(request);\n if (result !== null && result !== undefined) out[extractor.name] = result;\n }\n return out;\n}\n","/\n Visa JWKS registry resolver.\n \n Default endpoint: https://mcp.visa.com/.well-known/jwks (per Visa TAP spec).\n * Wraps jose.createRemoteJWKSet which handles caching + rotation natively.\n /\n\nimport { createRemoteJWKSet, type JWK } from 'jose';\nimport type { RegistryResolver, ResolveContext } from './types';\n\nconst DEFAULT_VISA_JWKS_URL = 'https://mcp.visa.com/.well-known/jwks';\n\nexport interface VisaRegistryOptions {\n jwksUrl?: string;\n cacheMaxAge?: number;\n cooldownDuration?: number;\n}\n\nexport function createVisaRegistry(options: VisaRegistryOptions = {}): RegistryResolver {\n const url = new URL(options.jwksUrl ?? DEFAULT_VISA_JWKS_URL);\n const jwks = createRemoteJWKSet(url, {\n cacheMaxAge: options.cacheMaxAge,\n cooldownDuration: options.cooldownDuration,\n });\n\n return {\n name: 'visa',\n async resolve(kid: string, context?: ResolveContext): Promise<JWK \| null> {\n if (!kid) return null;\n try {\n const key = await jwks({\n kid,\n alg: context?.algorithm ?? 'ES256',\n typ: 'JWT',\n });\n return exportJwkFromKeyLike(key);\n } catch {\n return null;\n }\n },\n };\n}\n\nasync function exportJwkFromKeyLike(keyLike: unknown): Promise<JWK \| null> {\n if (!keyLike) return null;\n // jose returns KeyObject or CryptoKey — both export via exportJWK at caller side.\n // Runtime shape check: if it already looks like a JWK, pass through.\n if (typeof keyLike === 'object' && 'kty' in (keyLike as object)) {\n return keyLike as JWK;\n }\n const { exportJWK } = await import('jose');\n try {\n return await exportJWK(keyLike as Parameters<typeof exportJWK>[0]);\n } catch {\n return null;\n }\n}\n","/\n Mastercard Agent Registry resolver — STUB.\n \n Mastercard Agent Pay is behind partnership (pilots Feb 2026, GA Q2 2026).\n * No public Agent Registry URL or open-source resolver exists as of April\n * 2026. This resolver accepts an optional `registryUrl` and, when absent,\n * returns null with a single one-time console.warn so callers can plumb\n * the flow end-to-end without a live registry.\n \n When Mastercard ships a public resolver or when a commercial relationship\n * provides a registry URL, pass it via `MastercardRegistryOptions.registryUrl`.\n * Response shape expected: { keys: JWK[] } (JWKS-style).\n /\n\nimport type { JWK } from 'jose';\nimport type { RegistryResolver } from './types';\n\nexport interface MastercardRegistryOptions {\n /* Partnership-provided registry URL. Without it, the resolver is inert. /\n registryUrl?: string;\n /* Cache TTL in seconds. Default 3600. /\n cacheTtlSec?: number;\n /* Fetch fn override for testing. /\n fetch?: typeof fetch;\n /* Silence the one-time warn (testing only). /\n silent?: boolean;\n}\n\ninterface CachedKey {\n jwk: JWK;\n expiresAt: number;\n}\n\nexport function createMastercardRegistry(\n options: MastercardRegistryOptions = {}\n): RegistryResolver {\n const cache = new Map<string, CachedKey>();\n const ttlSec = options.cacheTtlSec ?? 3600;\n const fetchFn = options.fetch ?? globalThis.fetch;\n let warned = false;\n\n return {\n name: 'mastercard',\n async resolve(kid: string): Promise<JWK \| null> {\n if (!kid) return null;\n\n if (!options.registryUrl) {\n if (!warned && !options.silent) {\n warned = true;\n // eslint-disable-next-line no-console\n console.warn(\n '[mastercard-registry] registryUrl not configured — key resolution disabled. ' +\n 'Kid lookups will return null until a partnership registry is supplied.'\n );\n }\n return null;\n }\n\n const cached = cache.get(kid);\n if (cached && cached.expiresAt > Date.now()) return cached.jwk;\n\n try {\n const res = await fetchFn(options.registryUrl);\n if (!res.ok) return null;\n const body = (await res.json()) as { keys?: JWK[] };\n const keys = body.keys ?? [];\n for (const k of keys) {\n if (k.kid === kid) {\n cache.set(kid, { jwk: k, expiresAt: Date.now() + ttlSec 1000 });\n return k;\n }\n }\n return null;\n } catch {\n return null;\n }\n },\n };\n}\n","/*\n Web Bot Auth registry resolver.\n \n IETF draft-meunier-web-bot-auth-architecture-05 + draft-meunier-http-\n * message-signatures-directory-01. Shared transport substrate under TAP,\n * Agent Pay, and Cloudflare Pay Per Crawl.\n \n Fetches a Web Bot Auth signature directory\n * (default: `<origin>/.well-known/http-message-signatures-directory`).\n * Shape per spec is a JWKS with Ed25519 keys.\n \n Wraps Cloudflare's `web-bot-auth` npm package where feasible; for raw\n * directory fetch + kid matching we use fetch + JSON since web-bot-auth's\n * higher-level API assumes a full request to verify.\n /\n\nimport type { JWK } from 'jose';\nimport type { RegistryResolver, ResolveContext } from './types';\n\nconst DIRECTORY_PATH = '/.well-known/http-message-signatures-directory';\n\nexport interface WebBotAuthRegistryOptions {\n /\n Optional explicit directory URL. When omitted, the resolver derives one\n * from `ResolveContext.origin` (e.g. the request URL's origin at verify time).\n /\n directoryUrl?: string;\n cacheTtlSec?: number;\n fetch?: typeof fetch;\n}\n\ninterface DirectoryCache {\n keys: JWK[];\n expiresAt: number;\n}\n\nexport function createWebBotAuthRegistry(\n options: WebBotAuthRegistryOptions = {}\n): RegistryResolver {\n const cache = new Map<string, DirectoryCache>();\n const ttlSec = options.cacheTtlSec ?? 3600;\n const fetchFn = options.fetch ?? globalThis.fetch;\n\n return {\n name: 'web-bot-auth',\n async resolve(kid: string, context?: ResolveContext): Promise<JWK \| null> {\n if (!kid) return null;\n\n const directoryUrl = resolveDirectoryUrl(options.directoryUrl, context?.origin);\n if (!directoryUrl) return null;\n\n const cached = cache.get(directoryUrl);\n const now = Date.now();\n if (cached && cached.expiresAt > now) {\n return findKeyByKid(cached.keys, kid);\n }\n\n try {\n const res = await fetchFn(directoryUrl);\n if (!res.ok) return null;\n const body = (await res.json()) as { keys?: JWK[] };\n const keys = body.keys ?? [];\n cache.set(directoryUrl, { keys, expiresAt: now + ttlSec 1000 });\n return findKeyByKid(keys, kid);\n } catch {\n return null;\n }\n },\n };\n}\n\nfunction resolveDirectoryUrl(\n explicit: string \| undefined,\n origin: string \| undefined\n): string \| null {\n if (explicit) return explicit;\n if (!origin) return null;\n try {\n const url = new URL(origin);\n return `${url.origin}${DIRECTORY_PATH}`;\n } catch {\n return null;\n }\n}\n\nfunction findKeyByKid(keys: JWK[], kid: string): JWK \| null {\n for (const k of keys) {\n if (k.kid === kid) return k;\n }\n return null;\n}\n","/*\n Cross-Protocol Transport Module\n \n Provides adapters for injecting/extracting AstraSync credentials\n * across HTTP, A2A, and MCP protocols.\n /\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders, extractHttpCredentials } from './http';\nimport { setA2AMetadata, extractA2ACredentials } from './a2a';\nimport { setMcpMeta, extractMcpCredentials } from './mcp';\n\nexport { setHttpHeaders, extractHttpCredentials } from './http';\nexport { setA2AMetadata, extractA2ACredentials } from './a2a';\nexport { setMcpMeta, extractMcpCredentials } from './mcp';\n\n// Commerce protocol extractors + verifiers (PR 4+5)\nexport from './purpose-mapping';\nexport * from './transaction-value';\nexport * from './rfc9421';\nexport * from './rfc9421-verify';\nexport * from './ucp';\nexport * from './acp';\nexport * from './vi';\nexport * from './stripe-webhook';\nexport * from './constraint-eval';\nexport * from './identity-binding';\nexport * from './ap2';\nexport * from './ap2-verify';\nexport * from './acp-verify';\nexport * from './mpp';\nexport * from './mpp-verify';\nexport * from './x402';\nexport * from './vi-verify';\nexport * from './commerce-pipeline';\nexport * from './extractor-registry';\nexport * from './registry/types';\nexport { createVisaRegistry } from './registry/visa';\nexport { createMastercardRegistry } from './registry/mastercard';\nexport { createWebBotAuthRegistry } from './registry/web-bot-auth';\n\n/*\n Auto-detect protocol from request/context shape.\n /\nexport function detectProtocol(context: Record<string, unknown>): ProtocolTransport {\n // A2A: has metadata block with task-like structure\n if (context.metadata && typeof context.metadata === 'object') {\n return 'a2a';\n }\n\n // MCP: has _meta block (MCP convention)\n if (context._meta && typeof context._meta === 'object') {\n return 'mcp';\n }\n\n // Default to HTTP\n return 'http';\n}\n\n/\n Apply credentials to any protocol target.\n /\nexport function applyCredentials(\n protocol: ProtocolTransport,\n target: Record<string, unknown>,\n credentials: AstraSyncCredentials\n): Record<string, unknown> {\n switch (protocol) {\n case 'http':\n return setHttpHeaders(target as Record<string, string>, credentials);\n case 'a2a':\n return setA2AMetadata(target, credentials);\n case 'mcp':\n return setMcpMeta(target, credentials);\n default:\n return target;\n }\n}\n\n/\n Extract credentials from any protocol context.\n */\nexport function extractCredentialsFromProtocol(\n protocol: ProtocolTransport,\n context: Record<string, unknown>\n): AstraSyncCredentials \| null {\n switch (protocol) {\n case 'http':\n return extractHttpCredentials(context as Record<string, string \| string[] \| undefined>);\n case 'a2a':\n return extractA2ACredentials(context);\n case 'mcp':\n return extractMcpCredentials(context);\n default:\n return null;\n }\n}\n"],"mappings":";AAQA,IAAM,gBAAgB;AAKf,SAAS,eACd,SACA,aACwB;AACxB,QAAM,SAAS,EAAE,GAAG,QAAQ;AAE5B,SAAO,GAAG,aAAa,IAAI,IAAI,YAAY;AAE3C,MAAI,YAAY,WAAW;AACzB,WAAO,GAAG,aAAa,QAAQ,IAAI,YAAY;AAAA,EACjD;AAEA,MAAI,YAAY,cAAc;AAC5B,WAAO,GAAG,aAAa,WAAW,IAAI,YAAY;AAAA,EACpD;AAEA,MAAI,YAAY,OAAO,SAAS;AAC9B,UAAM,eAAe,YAAY,MAAM,QAAQ,SAC3C,GAAG,YAAY,MAAM,QAAQ,QAAQ,IAAI,YAAY,MAAM,QAAQ,MAAM,KACzE,YAAY,MAAM,QAAQ;AAC9B,WAAO,GAAG,aAAa,SAAS,IAAI;AAAA,EACtC;AAEA,MAAI,YAAY,OAAO,UAAU,oBAAoB;AACnD,WAAO,GAAG,aAAa,UAAU,IAAI,OAAO,YAAY,MAAM,SAAS,kBAAkB;AAAA,EAC3F;AAEA,MAAI,YAAY,OAAO,OAAO,cAAc;AAC1C,WAAO,GAAG,aAAa,OAAO,IAAI,YAAY,MAAM,MAAM;AAAA,EAC5D;AAEA,SAAO;AACT;AAKO,SAAS,uBACd,SAC6B;AAC7B,QAAM,WAAW,CAAC,QAAoC;AACpD,UAAM,IAAI,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC;AACnD,WAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI;AAAA,EACnC;AAEA,QAAM,UAAU,SAAS,GAAG,aAAa,IAAI,KAAK,SAAS,YAAY;AACvE,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,cAAoC,EAAE,QAAQ;AAEpD,QAAM,YAAY,SAAS,GAAG,aAAa,QAAQ,KAAK,SAAS,gBAAgB;AACjF,MAAI,UAAW,aAAY,YAAY;AAEvC,QAAM,eAAe,SAAS,GAAG,aAAa,WAAW,KAAK,SAAS,mBAAmB;AAC1F,MAAI,aAAc,aAAY,eAAe;AAE7C,QAAM,UAAU,SAAS,GAAG,aAAa,SAAS,KAAK,SAAS,iBAAiB;AACjF,MAAI,SAAS;AACX,UAAM,CAAC,UAAU,MAAM,IAAI,QAAQ,MAAM,GAAG;AAC5C,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,SAAS,EAAE,UAAU,OAAO;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,WAAW,SAAS,GAAG,aAAa,UAAU,KAAK,SAAS,kBAAkB;AACpF,MAAI,UAAU;AACZ,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,UAAU,EAAE,oBAAoB,SAAS,UAAU,EAAE,EAAE;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,QAAQ,SAAS,GAAG,aAAa,OAAO,KAAK,SAAS,eAAe;AAC3E,MAAI,OAAO;AACT,gBAAY,QAAQ;AAAA,MAClB,GAAG,YAAY;AAAA,MACf,OAAO,EAAE,cAAc,MAAM;AAAA,IAC/B;AAAA,EACF;AAEA,SAAO;AACT;;;ACtEO,SAAS,eACd,MACA,aACS;AACT,QAAM,YAA+B;AAAA,IACnC,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,UAAU;AAAA,MACR,GAAG,KAAK;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,MAA4C;AAChF,QAAM,OAAO,KAAK,UAAU;AAC5B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AC7CO,SAAS,WACd,QACA,aACW;AACX,QAAM,YAA2B;AAAA,IAC/B,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO;AAAA,MACL,GAAG,OAAO;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,sBAAsB,QAAgD;AACpF,QAAM,OAAO,OAAO,OAAO;AAC3B,MAAI,CAAC,MAAM,QAAS,QAAO;AAE3B,QAAM,cAAoC;AAAA,IACxC,SAAS,KAAK;AAAA,EAChB;AAEA,MAAI,KAAK,UAAW,aAAY,YAAY,KAAK;AACjD,MAAI,KAAK,aAAc,aAAY,eAAe,KAAK;AAEvD,MAAI,KAAK,WAAW,KAAK,YAAY,KAAK,OAAO;AAC/C,gBAAY,QAAQ,CAAC;AACrB,QAAI,KAAK,QAAS,aAAY,MAAM,UAAU,KAAK;AACnD,QAAI,KAAK,SAAU,aAAY,MAAM,WAAW,KAAK;AACrD,QAAI,KAAK,MAAO,aAAY,MAAM,QAAQ,KAAK;AAAA,EACjD;AAEA,SAAO;AACT;;;AClDA,IAAM,aAAmF;AAAA,EACvF,EAAE,QAAQ,QAAQ,SAAS,+BAA+B,SAAS,2BAA2B;AAAA,EAC9F;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AACF;AAEA,IAAM,aAAmF;AAAA,EACvF,EAAE,QAAQ,QAAQ,SAAS,4BAA4B,SAAS,2BAA2B;AAAA,EAC3F;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA;AAAA,IACE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AACF;AAEO,SAAS,uBAAuB,QAAgB,MAAsC;AAC3F,QAAM,mBAAmB,OAAO,YAAY;AAC5C,QAAM,iBAAiB,WAAW,IAAI;AACtC,aAAW,SAAS,YAAY;AAC9B,QAAI,MAAM,WAAW,oBAAoB,MAAM,QAAQ,KAAK,cAAc,GAAG;AAC3E,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,uBAAuB,QAAgB,MAAsC;AAC3F,QAAM,mBAAmB,OAAO,YAAY;AAC5C,QAAM,iBAAiB,WAAW,IAAI;AACtC,aAAW,SAAS,YAAY;AAC9B,QAAI,MAAM,WAAW,oBAAoB,MAAM,QAAQ,KAAK,cAAc,GAAG;AAC3E,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,uBAAuB,aAA8C;AACnF,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAGO,SAAS,sBAAsB,aAA6C;AACjF,UAAQ,aAAa;AAAA,IACnB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAGO,SAAS,uBAAuB,KAAkC;AACvE,MAAI,QAAQ,WAAY,QAAO;AAC/B,SAAO;AACT;AAGO,SAAS,uBACd,QACA,QACiB;AACjB,MAAI,OAAO,WAAW,YAAY,WAAW,EAAG,QAAO;AACvD,MAAI,WAAW,UAAW,QAAO;AACjC,SAAO;AACT;AAEO,SAAS,wBAAwB,QAA6C;AACnF,MAAI,OAAO,WAAW,YAAY,WAAW,EAAG,QAAO;AACvD,SAAO;AACT;AAEA,SAAS,WAAW,MAAsB;AACxC,QAAM,IAAI,KAAK,QAAQ,GAAG;AAC1B,SAAO,MAAM,KAAK,OAAO,KAAK,MAAM,GAAG,CAAC;AAC1C;AAMO,IAAM,sCAAsC;AAAA,EACjD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAGO,SAAS,6BAA6B,WAA4B;AACvE,SAAQ,oCAA0D,SAAS,SAAS;AACtF;;;ACrIO,SAAS,2BAA2B,OAER;AACjC,QAAM,SAAS,MAAM,UAAU,CAAC;AAChC,QAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,SAAS,OAAO,KAAK,OAAO,CAAC;AAChE,MAAI,CAAC,SAAS,OAAO,MAAM,WAAW,YAAY,CAAC,MAAM,SAAU,QAAO;AAC1E,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,MAAM,SAAS;AAAA,IACvB,UAAU,MAAM;AAAA,IAChB,QAAQ,eAAe,MAAM,QAAQ,SAAS;AAAA,EAChD;AACF;AAEO,SAAS,2BAA2B,OAER;AACjC,QAAM,SAAS,MAAM,UAAU,CAAC;AAChC,QAAM,QAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,SAAS,OAAO,KAAK,OAAO,CAAC;AAChE,MAAI,CAAC,SAAS,OAAO,MAAM,WAAW,YAAY,CAAC,MAAM,SAAU,QAAO;AAC1E,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,MAAM,SAAS;AAAA,IACvB,UAAU,MAAM;AAAA,IAChB,QAAQ,eAAe,MAAM,QAAQ,SAAS;AAAA,EAChD;AACF;AASO,SAAS,0BACd,QACgC;AAChC,QAAM,MAAM,OAAO;AACnB,MAAI,OAAO,OAAO,IAAI,WAAW,YAAY,IAAI,UAAU;AACzD,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ,IAAI;AAAA,MACZ,UAAU,IAAI;AAAA,MACd,QAAQ;AAAA,IACV;AAAA,EACF;AACA,QAAM,QAAQ,OAAO,aAAa;AAClC,MAAI,SAAS,OAAO,MAAM,QAAQ,YAAY,MAAM,UAAU;AAC5D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ,MAAM;AAAA,MACd,UAAU,MAAM;AAAA,MAChB,QAAQ;AAAA,IACV;AAAA,EACF;AACA,SAAO;AACT;AAMO,SAAS,2BACd,SACgC;AAChC,QAAM,MAAM,SAAS,uBAAuB;AAC5C,MAAI,CAAC,OAAO,CAAC,IAAI,SAAU,QAAO;AAClC,QAAM,IAAI,OAAO,IAAI,UAAU,WAAW,OAAO,IAAI,KAAK,IAAI,IAAI;AAClE,MAAI,OAAO,MAAM,YAAY,CAAC,OAAO,SAAS,CAAC,EAAG,QAAO;AACzD,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU,IAAI;AAAA,IACd,QAAQ;AAAA,EACV;AACF;AAOO,SAAS,2BACd,WACgC;AAChC,QAAM,MAAM,UAAU;AACtB,MAAI,CAAC,OAAO,OAAO,IAAI,WAAW,YAAY,CAAC,IAAI,SAAU,QAAO;AACpE,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,IAAI;AAAA,IACZ,UAAU,IAAI;AAAA,IACd,QAAQ,oCAAoC,UAAU,UAAU,SAAS;AAAA,EAC3E;AACF;AASO,SAAS,4BACd,KACgC;AAChC,QAAM,SAAS,IAAI,qBAAqB,IAAI;AAC5C,QAAM,WAAW,IAAI,YAAY,IAAI;AACrC,MAAI,OAAO,WAAW,YAAY,CAAC,SAAU,QAAO;AACpD,SAAO;AAAA,IACL,UAAU;AAAA,IACV;AAAA,IACA;AAAA,IACA,QAAQ,IAAI,sBAAsB,SAAY,sBAAsB;AAAA,EACtE;AACF;;;ACrHA,SAAS,uBAAuB;AAiCzB,SAAS,aACd,SACsB;AACtB,QAAM,WAAW,WAAW,SAAS,iBAAiB;AACtD,QAAM,MAAM,WAAW,SAAS,WAAW;AAC3C,MAAI,CAAC,YAAY,CAAC,IAAK,QAAO;AAE9B,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,gBAAY,gBAAgB,QAAQ;AACpC,cAAU,gBAAgB,GAAG;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,aAAuC,CAAC;AAE9C,aAAW,CAAC,OAAO,KAAK,KAAK,WAAW;AAEtC,UAAM,YAAY,MAAM,QAAQ,KAAK,IACjC,MAAM,CAAC,IACN,MAAgD;AACrD,UAAM,SAAS,MAAM,QAAQ,KAAK,IAC9B,MAAM,CAAC,IACN,MAAgD;AACrD,QAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,CAAC,OAAQ;AAE1C,UAAM,UAAoB,CAAC;AAC3B,eAAW,QAAQ,WAAqD;AACtE,YAAM,CAAC,IAAI,IAAI,MAAM,QAAQ,IAAI,IAAI,OAAO,CAAC,IAAI;AACjD,UAAI,OAAO,SAAS,SAAU,SAAQ,KAAK,IAAI;AAAA,eACtC,QAAQ,OAAO,SAAS,YAAY,cAAc,KAAM,SAAQ,KAAK,OAAO,IAAI,CAAC;AAAA,IAC5F;AAEA,UAAM,YAAY;AAClB,UAAM,MAAM,aAAa,UAAU,IAAI,OAAO,CAAC;AAC/C,QAAI,CAAC,IAAK;AAEV,UAAM,WAAW,QAAQ,IAAI,KAAK;AAClC,QAAI,CAAC,SAAU;AAEf,UAAM,UAAU,MAAM,QAAQ,QAAQ,IAAI,SAAS,CAAC,IAAK,SAAiC;AAC1F,UAAM,kBAAkB,cAAc,OAAO;AAC7C,QAAI,CAAC,gBAAiB;AAEtB,eAAW,KAAK;AAAA,MACd;AAAA,MACA;AAAA,MACA,KAAK,aAAa,UAAU,IAAI,KAAK,CAAC;AAAA,MACtC;AAAA,MACA;AAAA,MACA,SAAS,aAAa,UAAU,IAAI,SAAS,CAAC;AAAA,MAC9C,SAAS,aAAa,UAAU,IAAI,SAAS,CAAC;AAAA,MAC9C,OAAO,aAAa,UAAU,IAAI,OAAO,CAAC;AAAA,MAC1C,KAAK,aAAa,UAAU,IAAI,KAAK,CAAC;AAAA,IACxC,CAAC;AAAA,EACH;AAEA,MAAI,WAAW,WAAW,EAAG,QAAO;AACpC,SAAO,EAAE,WAAW;AACtB;AAEA,SAAS,WACP,SACA,MACe;AACf,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,KAAK,IAAI;AAC5C,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,aAAa,OAAoC;AACxD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,OAAO,UAAU,YAAY,cAAe,OAAkB;AAChE,UAAM,IAAI,OAAO,KAAK;AACtB,WAAO,EAAE,SAAS,IAAI,IAAI;AAAA,EAC5B;AACA,SAAO;AACT;AAEA,SAAS,aAAa,OAAoC;AACxD,MAAI,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,EAAG,QAAO;AAChE,MAAI,OAAO,UAAU,SAAU,QAAO,OAAO,KAAK;AAClD,SAAO;AACT;AAEA,SAAS,cAAc,OAA+B;AACpD,MAAI,iBAAiB,WAAY,QAAO,eAAe,KAAK;AAC5D,MAAI,iBAAiB,YAAa,QAAO,eAAe,IAAI,WAAW,KAAK,CAAC;AAC7E,MAAI,YAAY,OAAO,KAAK,GAAG;AAC7B,UAAM,IAAI;AACV,WAAO,eAAe,IAAI,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,CAAC;AAAA,EAC5E;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,EAAG,QAAO,MAAM,MAAM,GAAG,EAAE;AAC1E,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,eAAe,OAA2B;AACjD,SAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;AAC7C;;;AClJA,SAAS,eAAuD;;;AC+BzD,IAAM,qBAAN,MAA+C;AAAA,EAKpD,YAAY,WAAW,KAAQ;AAJ/B,SAAiB,UAAU,oBAAI,IAAoB;AAEnD,SAAQ,cAAc;AAGpB,SAAK,WAAW;AAAA,EAClB;AAAA,EAEA,KAAK,KAAa,aAA8B;AAC9C,UAAM,QAAQ,KAAK,IAAI;AAGvB,QAAI,QAAQ,KAAK,cAAc,KAAM;AACnC,iBAAW,CAAC,GAAG,GAAG,KAAK,KAAK,SAAS;AACnC,YAAI,OAAO,MAAO,MAAK,QAAQ,OAAO,CAAC;AAAA,MACzC;AACA,WAAK,cAAc;AAAA,IACrB;AAEA,UAAM,WAAW,KAAK,QAAQ,IAAI,GAAG;AACrC,QAAI,aAAa,UAAa,WAAW,OAAO;AAC9C,aAAO;AAAA,IACT;AAGA,QAAI,KAAK,QAAQ,QAAQ,KAAK,UAAU;AACtC,YAAM,SAAS,KAAK,QAAQ,KAAK,EAAE,KAAK,EAAE;AAC1C,UAAI,WAAW,OAAW,MAAK,QAAQ,OAAO,MAAM;AAAA,IACtD;AACA,SAAK,QAAQ,IAAI,KAAK,WAAW;AACjC,WAAO;AAAA,EACT;AACF;AAUO,IAAM,oBAAoB,IAAI,mBAAmB;;;AD5CxD,eAAsB,cACpB,SACA,SAC8B;AAC9B,QAAM,EAAE,SAAS,IAAI;AACrB,QAAM,YAAY,QAAQ,gBAAgB;AAC1C,QAAM,SAAS,QAAQ,MAAM,QAAQ,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACzE,QAAM,aAAa,QAAQ,cAAc;AAEzC,MAAI;AACJ,MAAI;AACJ,MAAI,iBAAiB;AAErB,QAAM,YAA4B,OAAO,eAAe;AACtD,UAAM,MAAM,OAAO,WAAW,UAAU,WAAW,WAAW,QAAQ;AACtE,QAAI,CAAC,IAAK,QAAO;AACjB,kBAAc;AACd,UAAM,MAAM,OAAO,WAAW,QAAQ,WAAW,WAAW,MAAM;AAClE,QAAI,IAAK,eAAc;AAEvB,UAAM,SAAS,WAAW,QAAQ,GAAG;AACrC,UAAM,MAAM,MAAM,SAAS,QAAQ,KAAK,EAAE,QAAQ,WAAW,IAAI,CAAC;AAClE,QAAI,CAAC,IAAK,QAAO;AAIjB,UAAM,UAAU,cAAc,WAAW,OAAO;AAChD,UAAM,UAAU,cAAc,WAAW,OAAO;AAChD,QAAI,YAAY,UAAa,KAAK,IAAI,SAAS,OAAO,IAAI,UAAW,QAAO;AAC5E,QAAI,YAAY,UAAa,SAAS,UAAU,UAAW,QAAO;AAMlE,UAAM,QAAQ,OAAO,WAAW,UAAU,WAAW,WAAW,QAAQ;AACxE,QAAI,OAAO;AACT,YAAM,eAAe,YAAY,SAAY,UAAU,YAAY,SAAS,aAAa;AACzF,UAAI,WAAW,KAAK,WAAW,GAAG,IAAI,KAAK,IAAI,WAAW,GAAG;AAC3D,yBAAiB;AACjB,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO,kBAAkB,KAAK,KAAK,GAAG;AAAA,EACxC;AAEA,MAAI;AACF,UAAM,SAAS,MAAM,QAAQ;AAAA,MAC3B;AAAA,QACE;AAAA,MACF;AAAA,MACA,iBAAiB,OAAO;AAAA,IAC1B;AACA,QAAI,WAAW,MAAM;AACnB,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,KAAK;AAAA,QACL,UAAU,SAAS;AAAA,QACnB,WAAW;AAAA,MACb;AAAA,IACF;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,UAAU,SAAS;AAAA,MACnB,WAAW;AAAA,MACX,OAAO,iBACH,yEACA,WAAW,QACT,sBACA;AAAA,IACR;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,UAAU,SAAS;AAAA,MACnB,WAAW;AAAA,MACX,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,IAC9C;AAAA,EACF;AACF;AAEA,SAAS,iBAAiB,SAIxB;AACA,SAAO;AAAA,IACL,QAAQ,QAAQ,OAAO,YAAY;AAAA,IACnC,KAAK,QAAQ;AAAA,IACb,SAAS,QAAQ;AAAA,EACnB;AACF;AAEA,SAAS,WAAW,KAAiC;AACnD,MAAI;AACF,WAAO,IAAI,IAAI,GAAG,EAAE;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,kBACb,IACA,KACA,KACuB;AACvB,QAAM,YAAY,OAAO,gBAAgB,GAAG;AAC5C,QAAM,EAAE,OAAO,IAAI,MAAM,UAAU;AACnC,QAAM,YAAY,sBAAsB,SAAS;AACjD,QAAM,YAAY,gBAAgB,SAAS;AAC3C,MAAI,CAAC,aAAa,CAAC,WAAW;AAC5B,WAAO;AAAA,MACL;AAAA,MACA,MAAM,MAAM,CAAC,GAAG,IAAI;AAAA,MACpB,QAAQ,YAAY;AAAA,IACtB;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,UAAU,OAAO,KAAmB,WAAW,OAAO,CAAC,QAAQ,CAAC;AAEzF,SAAO;AAAA,IACL;AAAA,IACA,MAAM,MAAM,CAAC,GAAG,IAAI;AAAA,IACpB,QAAQ,OAAO,MAAc,cAAwC;AACnE,UAAI;AACF,eAAO,MAAM,OAAO,OAAO,WAAW,KAAK,cAAc,SAAS,GAAG,cAAc,IAAI,CAAC;AAAA,MAC1F,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,gBAAgB,KAAkB;AACzC,MAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAW,QAAO;AACvD,MAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,MAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,MAAI,IAAI,QAAQ,MAAO,QAAO;AAC9B,SAAO;AACT;AAEA,SAAS,gBACP,YACyD;AACzD,UAAQ,YAAY;AAAA,IAClB,KAAK;AACH,aAAO,EAAE,MAAM,UAAU;AAAA,IAC3B,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,IAC1C,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,IAC1C,KAAK;AACH,aAAO,EAAE,MAAM,oBAAoB;AAAA,IACrC,KAAK;AACH,aAAO,EAAE,MAAM,WAAW,YAAY,GAAG;AAAA,IAC3C;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,sBACP,YACwE;AACxE,UAAQ,YAAY;AAAA,IAClB,KAAK;AACH,aAAO,EAAE,MAAM,UAAU;AAAA,IAC3B,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,IAC9C,KAAK;AACH,aAAO,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,IAC9C,KAAK;AACH,aAAO,EAAE,MAAM,qBAAqB,MAAM,UAAU;AAAA,IACtD,KAAK;AACH,aAAO,EAAE,MAAM,WAAW,MAAM,UAAU;AAAA,IAC5C;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,cAAc,KAA0B;AAC/C,QAAM,MAAM,IAAI,YAAY,IAAI,UAAU;AAC1C,MAAI,WAAW,GAAG,EAAE,IAAI,GAAG;AAC3B,SAAO;AACT;AAEA,SAAS,cAAc,GAAgC;AACrD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,aAAa,KAAM,QAAO,KAAK,MAAM,EAAE,QAAQ,IAAI,GAAI;AAC3D,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,SAAS,KAAK,MAAM,CAAC;AAC3B,QAAI,OAAO,SAAS,MAAM,EAAG,QAAO,KAAK,MAAM,SAAS,GAAI;AAAA,EAC9D;AACA,SAAO;AACT;AAEA,eAAe,YAA+C;AAC5D,MAAI,OAAO,WAAW,WAAW,eAAe,WAAW,OAAO,QAAQ;AACxE,WAAO,EAAE,QAAQ,WAAW,OAAO,OAAO;AAAA,EAC5C;AAEA,QAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,SAAO,EAAE,QAAQ,WAAW,UAAU,OAAuB;AAC/D;;;AEvNO,SAAS,kBAAkB,SAAoD;AACpF,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,MAAI,CAAC,UAAU,CAAC,IAAK,QAAO;AAE5B,QAAM,YAAY,aAAa,GAAG;AAClC,QAAM,OAAO,WAAW,YAAY,IAAI,MAAM,GAAG,EAAE,CAAC;AAEpD,QAAM,UAAU,uBAAuB,QAAQ,IAAI;AACnD,QAAM,WAAW,GAAG,OAAO,YAAY,CAAC,IAAI,IAAI;AAChD,QAAM,YAAY,iBAAiB,IAAI;AAEvC,QAAM,OAAQ,QAAQ,QAAQ,CAAC;AAC/B,QAAM,SAAS,MAAM,QAAQ,KAAK,MAAM,IAAK,KAAK,SAAwB;AAC1E,QAAM,gBAAgBA,cAAa,KAAK,kBAAkB,KAAK,aAAa;AAC5E,QAAM,cAAcA,cAAa,KAAK,gBAAgB,KAAK,WAAW;AAEtE,QAAM,iBAAiB,sBAAsB,MAAM,SAAS;AAE5D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAQA,eAAsB,iBACpB,aACA,UAAkC,CAAC,GACV;AACzB,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,QAAQ,WAAW,MAAM,WAAW,MAAM,GAAG,SAAS;AAC5D,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,aAAa,EAAE,QAAQ,WAAW,OAAO,CAAC;AAClE,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT,UAAE;AACA,iBAAa,KAAK;AAAA,EACpB;AACF;AAiBO,SAAS,oBACd,UACA,UAA6E,CAAC,GACjD;AAC7B,MAAI,QAAQ,UAAW,QAAO,QAAQ,UAAU,QAAQ;AAExD,QAAM,SAAmB,CAAC;AAC1B,MAAI,CAAC,YAAY,OAAO,aAAa,UAAU;AAC7C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,2BAA2B,EAAE;AAAA,EAC5D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,SAAU,QAAO,KAAK,0CAA0C;AACzF,MAAI,CAAC,MAAM,QAAQ,EAAE,YAAY,EAAG,QAAO,KAAK,+BAA+B;AAC/E,MAAI,CAAC,EAAE,aAAa,OAAO,EAAE,cAAc,SAAU,QAAO,KAAK,6BAA6B;AAC9F,SAAO,EAAE,IAAI,OAAO,WAAW,GAAG,OAAO;AAC3C;AAEA,SAAS,aAAa,KAAyB;AAC7C,MAAI;AACF,WAAO,IAAI,IAAI,KAAK,4BAA4B;AAAA,EAClD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,iBAAiB,MAAkC;AAC1D,QAAM,QAAQ,KAAK,MAAM,mCAAmC;AAC5D,SAAO,QAAQ,CAAC;AAClB;AAEA,SAAS,sBACP,MACA,WACoB;AACpB,QAAM,WAAWA,cAAa,KAAK,mBAAmB,KAAK,cAAc;AACzE,MAAI,SAAU,QAAO;AACrB,MAAI,aAAa,UAAU,aAAa,sBAAuB,QAAO,UAAU;AAChF,SAAO;AACT;AAEA,SAASA,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;AChFO,SAAS,kBAAkB,SAAmD;AACnF,QAAM,EAAE,QAAQ,IAAI,IAAI;AACxB,MAAI,CAAC,UAAU,CAAC,IAAK,QAAO;AAE5B,QAAM,OAAOC,YAAW,IAAI,WAAW,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,WAAW,GAAG;AAE5E,QAAM,WAAW,iBAAiB,QAAQ,IAAI;AAC9C,QAAM,UAAU,uBAAuB,QAAQ,IAAI;AACnD,QAAM,YAAYC,kBAAiB,IAAI;AAEvC,QAAM,UAAU,QAAQ,WAAW,CAAC;AACpC,QAAM,kBAAkBC,YAAW,SAAS,WAAW;AACvD,QAAM,kBAAkBA,YAAW,SAAS,WAAW;AACvD,QAAM,iBAAiBA,YAAW,SAAS,iBAAiB;AAC5D,QAAM,aAAaA,YAAW,SAAS,aAAa;AACpD,QAAM,SAAS,cAAcA,YAAW,SAAS,eAAe,CAAC;AAEjE,QAAM,OAAQ,QAAQ,QAAQ,CAAC;AAC/B,QAAM,aAAaC,cAAa,KAAK,eAAe,KAAK,UAAU;AACnE,QAAM,SAAS,MAAM,QAAQ,KAAK,MAAM,IAAK,KAAK,SAAwB;AAC1E,QAAM,oBAAoB,yBAAyB,IAAI;AAEvD,QAAM,eAAe,oBAAoB,IAAI;AAE7C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS,QAAQ;AAAA,EACnB;AACF;AAEA,SAAS,iBAAiB,QAAgB,MAA2B;AACnE,QAAM,IAAI,OAAO,YAAY;AAC7B,MAAI,MAAM,OAAQ,QAAO;AACzB,MAAI,4CAA4C,KAAK,IAAI,EAAG,QAAO;AACnE,MAAI,2BAA2B,KAAK,IAAI,EAAG,QAAO;AAClD,MAAI,kCAAkC,KAAK,IAAI,EAAG,QAAO;AACzD,MAAI,4CAA4C,KAAK,IAAI,EAAG,QAAO;AACnE,MAAI,0CAA0C,KAAK,IAAI,EAAG,QAAO;AACjE,SAAO;AACT;AAEA,SAASF,kBAAiB,MAAkC;AAC1D,QAAM,QAAQ,KAAK,MAAM,gCAAgC;AACzD,SAAO,QAAQ,CAAC;AAClB;AAEA,SAAS,cAAc,YAAoD;AACzE,MAAI,CAAC,WAAY,QAAO;AACxB,QAAM,QAAQ,WAAW,MAAM,kBAAkB;AACjD,SAAO,QAAQ,MAAM,CAAC,EAAE,KAAK,IAAI;AACnC;AAEA,SAAS,oBAAoB,MAAkE;AAC7F,QAAM,cAAc,KAAK;AACzB,MAAI,CAAC,YAAa,QAAO;AACzB,QAAM,MAAME,cAAa,YAAY,KAAK;AAC1C,QAAM,WAAWA,cAAa,YAAY,QAAQ;AAClD,MAAI,CAAC,IAAK,QAAO,EAAE,KAAK,QAAW,MAAM,MAAM,SAAS;AACxD,QAAM,OAAO,qBAAqB,GAAG;AACrC,SAAO,EAAE,KAAK,MAAM,SAAS;AAC/B;AAEA,SAAS,qBAAqB,OAAoC;AAChE,MAAI,MAAM,WAAW,MAAM,EAAG,QAAO;AACrC,MAAI,MAAM,WAAW,KAAK,EAAG,QAAO;AACpC,SAAO;AACT;AAEA,SAAS,yBAAyB,MAAmD;AACnF,QAAM,SAASA,cAAa,KAAK,sBAAsB,KAAK,iBAAiB;AAC7E,MAAI,OAAQ,QAAO;AACnB,QAAM,UAAU,KAAK;AACrB,MAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,UAAM,QAAQ,QAAQ,CAAC;AACvB,QAAI,SAAS,OAAO,UAAU,UAAU;AACtC,YAAM,KAAKA,cAAc,MAAkC,EAAE;AAC7D,UAAI,GAAI,QAAO;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASD,YACP,SACA,MACoB;AACpB,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASF,YAAW,MAAsB;AACxC,QAAM,IAAI,KAAK,QAAQ,GAAG;AAC1B,SAAO,MAAM,KAAK,OAAO,KAAK,MAAM,GAAG,CAAC;AAC1C;AAEA,SAASG,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;AC/JA,SAAS,YAAY,uBAAuB;AAC5C,SAAS,kBAAkB;AAkEpB,SAAS,gBAAgB,cAAgD;AAC9E,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAAU,QAAO;AAE9D,MAAI;AACJ,MAAI;AACF,cAAU,gBAAgB,cAAc,UAAU;AAAA,EACpD,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,UAAU,YAAY;AAEpC,QAAM,UAAW,QAAQ,KAAK,WAAW,CAAC;AAC1C,QAAM,cAAc,QAAQ,eAAe,CAAC;AAK5C,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc;AAAA,IAClB,OAAO,gBAAgB,OAAO,eAAe,QAAQ,gBAAgB,QAAQ;AAAA,EAC/E;AACA,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,MAAMC;AAAA,IACT,QAAQ,KAAK,QAAgD,OAAO,OAAO,OAAO,QAAQ;AAAA,EAC7F;AAEA,QAAM,gBAAgB,oBAAoB,OAAO,kBAAkB,OAAO,aAAa;AACvF,QAAM,qBAAqBA,cAAa,OAAO,OAAO,QAAQ,GAAG;AAEjE,QAAM,cAAc;AAAA,IACjB,OAAO,eAAe,OAAO,uBAAuB,CAAC;AAAA,EACxD;AAEA,QAAM,gBAAgBA,cAAa,OAAO,kBAAkB,OAAO,aAAa;AAChF,QAAM,eAAeA;AAAA,IACnB,OAAO,iBACL,OAAO,8BACN,OAAO,mBAA2D;AAAA,EACvE;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACF;AAEA,SAAS,UAAU,SAA4D;AAC7E,MAAI;AACF,UAAM,EAAE,KAAK,MAAM,IAAI,WAAW,OAAO;AAGzC,WAAO,EAAE,IAAI,KAAK,IAAI,MAAM;AAAA,EAC9B,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,iBACP,SACA,aACyB;AACzB,QAAM,SAAkC,EAAE,GAAG,QAAQ;AACrD,aAAW,KAAK,aAAa;AAC3B,QAAI,EAAE,OAAO,EAAE,UAAU,UAAa,EAAE,EAAE,OAAO,SAAS;AACxD,aAAO,EAAE,GAAG,IAAI,EAAE;AAAA,IACpB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,mBAAmB,KAA6C;AACvE,SAAO;AAAA,IACL,kBAAkB,oBAAoB,IAAI,qBAAqB,IAAI,gBAAgB;AAAA,IACnF,eAAe,oBAAoB,IAAI,kBAAkB,IAAI,aAAa;AAAA,IAC1E,WAAW,gBAAgB,IAAI,cAAc,IAAI,SAAS;AAAA,IAC1D,eAAe,gBAAgB,IAAI,kBAAkB,IAAI,aAAa;AAAA,IACtE,aAAa,cAAc,IAAI,gBAAgB,IAAI,eAAe,IAAI,MAAM;AAAA,IAC5E,YAAY,aAAa,IAAI,UAAU;AAAA,IACvC,iBAAiB,aAAa,IAAI,oBAAoB,IAAI,eAAe;AAAA,EAC3E;AACF;AAEA,SAAS,oBAAoB,GAA0C;AACrE,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,MAAwB,CAAC;AAC/B,aAAW,QAAQ,GAAG;AACpB,QAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,YAAM,IAAI;AACV,UAAI,KAAK;AAAA,QACP,IAAIA,cAAa,EAAE,EAAE;AAAA,QACrB,MAAMA,cAAa,EAAE,IAAI;AAAA,QACzB,SAASA,cAAa,EAAE,OAAO;AAAA,MACjC,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO,IAAI,SAAS,IAAI,MAAM;AAChC;AAEA,SAAS,gBAAgB,GAAsC;AAC7D,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,MAAoB,CAAC;AAC3B,aAAW,QAAQ,GAAG;AACpB,QAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,YAAM,IAAI;AACV,YAAM,MAAM,EAAE,oBAAoB,EAAE;AACpC,UAAI,KAAK;AAAA,QACP,IAAIA,cAAa,EAAE,EAAE;AAAA,QACrB,iBAAiB,MAAM,QAAQ,GAAG,IAC7B,IAAI,OAAO,CAAC,MAAM,OAAO,MAAM,QAAQ,IACxC;AAAA,QACJ,UAAUC,cAAa,EAAE,QAAQ;AAAA,MACnC,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO,IAAI,SAAS,IAAI,MAAM;AAChC;AAEA,SAAS,gBAAgB,GAAyC;AAChE,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,SAAO;AAAA,IACL,UAAUD,cAAa,EAAE,QAAQ;AAAA,IACjC,KAAKC,cAAa,EAAE,GAAG;AAAA,IACvB,KAAKA,cAAa,EAAE,GAAG;AAAA,EACzB;AACF;AAEA,SAAS,cAAc,GAAuC;AAC5D,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,SAAO;AAAA,IACL,UAAUD,cAAa,EAAE,QAAQ;AAAA,IACjC,KAAKC,cAAa,EAAE,GAAG;AAAA,EACzB;AACF;AAEA,SAAS,aAAa,GAAsC;AAC1D,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,SAAO;AAAA,IACL,WAAWD,cAAa,EAAE,SAAS;AAAA,IACnC,WAAWA,cAAa,EAAE,cAAc,EAAE,SAAS;AAAA,IACnD,SAASA,cAAa,EAAE,YAAY,EAAE,OAAO;AAAA,IAC7C,gBAAgBC,cAAa,EAAE,mBAAmB,EAAE,cAAc;AAAA,EACpE;AACF;AAEA,SAAS,kBAAkB,GAAkC;AAC3D,MAAI,MAAM,cAAc,MAAM,aAAa,MAAM,mBAAmB,MAAM,gBAAgB;AACxF,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,GAAyC;AACpE,SAAO,MAAM,eAAe,MAAM,gBAAgB,MAAM,SAAS,IAAI;AACvE;AAEA,SAASD,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;AAEA,SAASC,cAAa,GAAgC;AACpD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,IAAI,OAAO,CAAC;AAClB,WAAO,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA,EAClC;AACA,SAAO;AACT;AAEA,SAAS,WAAW,MAAwC;AAC1D,QAAM,MACJ,OAAO,SAAS,WAAW,OAAO,KAAK,MAAM,OAAO,IAAI,OAAO,KAAK,IAAI,WAAW,IAAI,CAAC;AAC1F,QAAM,OAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO;AACrD,SAAO,IAAI,WAAW,KAAK,QAAQ,KAAK,YAAY,KAAK,UAAU;AACrE;;;ACnQA,SAAS,YAAY,uBAAuB;AAcrC,SAAS,oBACd,SACA,iBACA,QACA,UAAsC,CAAC,GACZ;AAC3B,MAAI,CAAC,gBAAiB,QAAO,EAAE,IAAI,OAAO,OAAO,kCAAkC;AACnF,MAAI,CAAC,OAAQ,QAAO,EAAE,IAAI,OAAO,OAAO,yBAAyB;AAEjE,QAAM,SAAS,qBAAqB,eAAe;AACnD,MAAI,CAAC,OAAO,UAAW,QAAO,EAAE,IAAI,OAAO,OAAO,0CAA0C;AAC5F,MAAI,OAAO,aAAa,WAAW,GAAG;AACpC,WAAO,EAAE,IAAI,OAAO,OAAO,sCAAsC;AAAA,EACnE;AAEA,QAAM,YAAY,QAAQ,gBAAgB;AAC1C,QAAM,MAAM,QAAQ,MAAM,QAAQ,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACtE,MAAI,KAAK,IAAI,MAAM,OAAO,SAAS,IAAI,WAAW;AAChD,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,WAAW,OAAO;AAAA,MAClB,OAAO,gCAAgC,SAAS;AAAA,IAClD;AAAA,EACF;AAEA,QAAM,gBAAgB,GAAG,OAAO,SAAS,IAAI,OAAO;AACpD,QAAM,WAAW,WAAW,UAAU,MAAM,EAAE,OAAO,aAAa,EAAE,OAAO;AAE3E,aAAW,gBAAgB,OAAO,cAAc;AAC9C,UAAM,YAAY,YAAY,YAAY;AAC1C,QAAI,CAAC,UAAW;AAChB,QAAI,UAAU,WAAW,SAAS,OAAQ;AAC1C,QAAI,gBAAgB,WAAW,QAAQ,GAAG;AACxC,aAAO,EAAE,IAAI,MAAM,WAAW,OAAO,UAAU;AAAA,IACjD;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,OAAO,WAAW,OAAO,WAAW,OAAO,qBAAqB;AAC/E;AAOA,SAAS,qBAAqB,QAAuC;AACnE,MAAI,YAA2B;AAC/B,QAAM,eAAyB,CAAC;AAChC,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,QAAQ,QAAQ,IAAI,KAAK,MAAM,GAAG;AACzC,QAAI,CAAC,UAAU,CAAC,SAAU;AAC1B,UAAM,MAAM,OAAO,KAAK;AACxB,UAAM,QAAQ,SAAS,KAAK;AAC5B,QAAI,QAAQ,KAAK;AACf,YAAM,IAAI,OAAO,KAAK;AACtB,UAAI,OAAO,SAAS,CAAC,EAAG,aAAY;AAAA,IACtC,WAAW,QAAQ,MAAM;AACvB,mBAAa,KAAK,KAAK;AAAA,IACzB;AAAA,EACF;AACA,SAAO,EAAE,WAAW,aAAa;AACnC;AAEA,SAAS,YAAY,KAA4B;AAC/C,MAAI,CAAC,iBAAiB,KAAK,GAAG,KAAK,IAAI,SAAS,MAAM,EAAG,QAAO;AAChE,SAAO,OAAO,KAAK,KAAK,KAAK;AAC/B;;;ACnDO,SAAS,sBAAsB,OAAoD;AACxF,QAAM,EAAE,aAAa,YAAY,IAAI;AACrC,QAAM,UAA4C,CAAC;AAEnD,MAAI,YAAY,oBAAoB,YAAY,iBAAiB,SAAS,GAAG;AAC3E,YAAQ,WAAW;AAAA,MACjB;AAAA,MACA,YAAY;AAAA,MACZ,YAAY;AAAA,IACd;AAAA,EACF;AAEA,MAAI,YAAY,iBAAiB,YAAY,cAAc,SAAS,GAAG;AACrE,YAAQ,QAAQ,kBAAkB,SAAS,YAAY,eAAe,YAAY,KAAK;AAAA,EACzF;AAEA,MAAI,YAAY,aAAa,YAAY,UAAU,SAAS,GAAG;AAC7D,YAAQ,YAAY,kBAAkB,YAAY,WAAW,YAAY,aAAa,CAAC,CAAC;AAAA,EAC1F;AAEA,MAAI,YAAY,eAAe;AAC7B,YAAQ,SAAS,sBAAsB,YAAY,eAAe,WAAW;AAAA,EAC/E;AAEA,QAAM,UAAoB,CAAC;AAC3B,MAAI,KAAK;AACT,aAAW,CAAC,KAAK,CAAC,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC9C,QAAI,CAAC,EAAE,IAAI;AACT,WAAK;AACL,cAAQ,KAAK,EAAE,UAAU,GAAG,GAAG,SAAS;AAAA,IAC1C;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,SAAS,QAAQ;AAChC;AAOO,SAAS,+BACd,OACkB;AAClB,QAAM,QAAQ,MAAM,kBAAkB,CAAC;AACvC,MAAI,MAAM,WAAW,EAAG,QAAO,EAAE,IAAI,KAAK;AAC1C,MAAI,CAAC,MAAM,iBAAiB;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,qDAAqD;AAAA,EACnF;AACA,QAAM,UAAU,MAAM,gBAAgB,YAAY;AAClD,QAAM,UAAU,MAAM,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,OAAO;AAC7D,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,mBAAmB,MAAM,eAAe,uBAAuB,MAAM,KAAK,IAAI,CAAC;AAAA,IACzF;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAOO,SAAS,sBAAsB,OAA6C;AACjF,QAAM,EAAE,OAAO,UAAU,IAAI;AAC7B,MAAI,CAAC,SAAS,OAAO,MAAM,WAAW,SAAU,QAAO,EAAE,IAAI,KAAK;AAClE,MAAI,CAAC,aAAa,OAAO,UAAU,WAAW,SAAU,QAAO,EAAE,IAAI,KAAK;AAC1E,MAAI,MAAM,YAAY,UAAU,YAAY,MAAM,aAAa,UAAU,UAAU;AACjF,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,4BAA4B,MAAM,QAAQ,iBAAiB,UAAU,QAAQ;AAAA,IACvF;AAAA,EACF;AACA,MAAI,UAAU,SAAS,MAAM,QAAQ;AACnC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QACE,aAAa,UAAU,MAAM,IAAI,UAAU,YAAY,EAAE,kBAAkB,MAAM,MAAM,IAAI,MAAM,YAAY,EAAE,GAAG,KAAK;AAAA,IAC3H;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,kBACP,MACA,WACA,QACkB;AAClB,MAAI,CAAC,UAAW,CAAC,OAAO,MAAM,CAAC,OAAO,SAAU;AAC9C,WAAO,EAAE,IAAI,OAAO,QAAQ,MAAM,IAAI,wCAAwC;AAAA,EAChF;AACA,aAAW,SAAS,WAAW;AAC7B,QAAI,MAAM,MAAM,OAAO,MAAM,MAAM,OAAO,OAAO,GAAI,QAAO,EAAE,IAAI,KAAK;AACvE,QAAI,MAAM,WAAW,OAAO,WAAW,aAAa,MAAM,SAAS,OAAO,OAAO,GAAG;AAClF,aAAO,EAAE,IAAI,KAAK;AAAA,IACpB;AAAA,EACF;AACA,QAAM,qBAAqB,UAAU,IAAI,aAAa,EAAE,KAAK,IAAI;AACjE,QAAM,mBAAmB,cAAc,MAAM;AAC7C,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,QAAQ,GAAG,IAAI,IAAI,gBAAgB,sBAAsB,kBAAkB;AAAA,EAC7E;AACF;AAEA,SAAS,kBACP,WACA,aACkB;AAClB,MAAI,YAAY,WAAW,GAAG;AAC5B,WAAO,EAAE,IAAI,OAAO,QAAQ,qDAAqD;AAAA,EACnF;AACA,QAAM,UAAoB,CAAC;AAC3B,aAAW,QAAQ,aAAa;AAC9B,UAAM,QAAQ,UAAU;AAAA,MACtB,CAAC,MAAO,EAAE,MAAM,EAAE,OAAO,KAAK,OAAQ,EAAE,mBAAmB,CAAC,GAAG,SAAS,KAAK,MAAM,EAAE;AAAA,IACvF;AACA,QAAI,CAAC,OAAO;AACV,cAAQ,KAAK,cAAc,KAAK,MAAM,WAAW,oBAAoB;AACrE;AAAA,IACF;AACA,QACE,OAAO,MAAM,aAAa,YAC1B,OAAO,KAAK,aAAa,YACzB,KAAK,WAAW,MAAM,UACtB;AACA,cAAQ;AAAA,QACN,cAAc,KAAK,EAAE,cAAc,KAAK,QAAQ,oBAAoB,MAAM,QAAQ;AAAA,MACpF;AAAA,IACF;AAAA,EACF;AACA,SAAO,QAAQ,WAAW,IAAI,EAAE,IAAI,KAAK,IAAI,EAAE,IAAI,OAAO,QAAQ,QAAQ,KAAK,IAAI,EAAE;AACvF;AAEA,SAAS,sBACP,OACA,aACkB;AAClB,MAAI,OAAO,YAAY,WAAW,UAAU;AAC1C,WAAO,EAAE,IAAI,OAAO,QAAQ,2DAA2D;AAAA,EACzF;AACA,MAAI,MAAM,YAAY,YAAY,YAAY,MAAM,aAAa,YAAY,UAAU;AACrF,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,4BAA4B,MAAM,QAAQ,mBAAmB,YAAY,QAAQ;AAAA,IAC3F;AAAA,EACF;AACA,MAAI,OAAO,MAAM,QAAQ,YAAY,YAAY,SAAS,MAAM,KAAK;AACnE,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,UAAU,YAAY,MAAM,cAAc,MAAM,GAAG;AAAA,IAC7D;AAAA,EACF;AACA,MAAI,OAAO,MAAM,QAAQ,YAAY,YAAY,SAAS,MAAM,KAAK;AACnE,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,UAAU,YAAY,MAAM,cAAc,MAAM,GAAG;AAAA,IAC7D;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,aAAa,OAAe,QAAyB;AAC5D,QAAM,IAAI,gBAAgB,KAAK;AAC/B,QAAM,IAAI,gBAAgB,MAAM;AAChC,SAAO,MAAM,KAAK,EAAE,SAAS,IAAI,CAAC,EAAE;AACtC;AAEA,SAAS,gBAAgB,OAAuB;AAC9C,MAAI;AACF,UAAM,aAAa,eAAe,KAAK,KAAK,IAAI,QAAQ,WAAW,KAAK;AACxE,WAAO,IAAI,IAAI,UAAU,EAAE,SAAS,YAAY;AAAA,EAClD,QAAQ;AACN,WAAO,MAAM,YAAY;AAAA,EAC3B;AACF;AAEA,SAAS,cAAc,OAAiE;AACtF,MAAI,MAAM,GAAI,QAAO,MAAM,MAAM,EAAE;AACnC,MAAI,MAAM,QAAS,QAAO,MAAM;AAChC,MAAI,MAAM,KAAM,QAAO,MAAM;AAC7B,SAAO;AACT;;;ACvLA,eAAsB,aACpB,QACA,UACgC;AAChC,QAAM,cAAuE,CAAC;AAC9E,aAAWC,UAAS,QAAQ;AAC1B,QAAI,CAACA,OAAM,OAAO;AAChB,kBAAY,KAAK,EAAE,OAAAA,QAAO,SAAS,KAAK,CAAC;AACzC;AAAA,IACF;AACA,UAAM,UAAU,MAAM,SAASA,MAAK;AACpC,gBAAY,KAAK,EAAE,OAAAA,QAAO,QAAQ,CAAC;AAAA,EACrC;AAEA,QAAM,cAAc,YACjB,IAAI,CAAC,MAAM,EAAE,OAAO,EACpB,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AAEvE,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,WAAW,CAAC;AAC9C,QAAM,uBAAuB,OAAO,SAAS;AAC7C,QAAM,yBAAyB,OAAO,WAAW,IAAI,OAAO,CAAC,IAAI;AAEjE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAMO,IAAM,QAAQ;AAAA,EACnB,OAAO,CAAC,WAAkC,EAAE,UAAU,MAAM,OAAO,OAAO,MAAM;AAAA,EAChF,YAAY,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,YAAY,MAAM;AAAA,EAC3F,WAAW,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,UAAU,MAAM;AAAA,EACxF,WAAW,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,UAAU,MAAM;AAAA,EACxF,YAAY,CAAC,WAAkC,EAAE,UAAU,QAAQ,OAAO,UAAU,MAAM;AAAA,EAC1F,aAAa,CAAC,WAAkC,EAAE,UAAU,YAAY,OAAO,OAAO,MAAM;AAAA,EAC5F,QAAQ,CAAC,WAAkC,EAAE,UAAU,OAAO,OAAO,OAAO,MAAM;AAAA,EAClF,eAAe,CAAC,WAAkC;AAAA,IAChD,UAAU;AAAA,IACV,OAAO;AAAA,IACP;AAAA,EACF;AACF;;;AC5EA,SAAS,mBAAAC,wBAAuB;AAChC,SAAS,cAAAC,mBAAkB;AA+DpB,SAAS,kBAAkB,cAA+C;AAC/E,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAAU,QAAO;AAE9D,MAAI;AACJ,MAAI;AACF,cAAUD,iBAAgB,cAAcE,WAAU;AAAA,EACpD,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,UAAW,QAAQ,KAAK,WAAW,CAAC;AAC1C,QAAM,cAAc,QAAQ,eAAe,CAAC;AAC5C,QAAM,SAASC;AAAA,IACb;AAAA,IACA;AAAA,EACF;AAEA,QAAM,OAAOC,mBAAkB,OAAO,QAAQ,OAAO,gBAAgB,OAAO,WAAW;AACvF,MAAI,CAAC,KAAM,QAAO;AAElB,MAAI,SAAS,iBAAkB,QAAO,YAAY,MAAM;AACxD,MAAI,SAAS,eAAgB,QAAO,UAAU,MAAM;AACpD,SAAO,aAAa,MAAM;AAC5B;AAYO,SAAS,mBAAmB,OAAgD;AACjF,QAAM,SAAS,MAAM,SAChB,kBAAkB,MAAM,MAAM,IAC/B;AACJ,QAAM,OAAO,MAAM,OAAQ,kBAAkB,MAAM,IAAI,IAAoC;AAC3F,QAAM,UAAU,MAAM,UACjB,kBAAkB,MAAM,OAAO,IAChC;AACJ,SAAO;AAAA,IACL,QAAQ,UAAU;AAAA,IAClB,MAAM,QAAQ;AAAA,IACd,SAAS,WAAW;AAAA,IACpB,WAAW;AAAA,MACT,WAAW,MAAM;AAAA,MACjB,SAAS,MAAM;AAAA,MACf,YAAY,MAAM;AAAA,IACpB;AAAA,EACF;AACF;AAEA,SAAS,YAAY,QAAyD;AAC5E,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAUC,cAAa,OAAO,YAAY,OAAO,OAAO;AAAA,IACxD,SAASA,cAAa,OAAO,WAAW,OAAO,UAAU,OAAO,GAAG;AAAA,IACnE,mBAAmBA,cAAa,OAAO,qBAAqB,OAAO,gBAAgB;AAAA,IACnF,wBAAwB;AAAA,MACtB,OAAO,4BAA4B,OAAO;AAAA,IAC5C;AAAA,IACA,gBAAgB,cAAc,OAAO,mBAAmB,OAAO,cAAc;AAAA,IAC7E,SAASA,cAAa,OAAO,WAAW,OAAO,GAAG;AAAA,IAClD,uBAAuB,iBAAiB,OAAO,yBAAyB,OAAO,KAAK;AAAA,IACpF,KAAK;AAAA,EACP;AACF;AAEA,SAAS,UAAU,QAAuD;AACxE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAUA,cAAa,OAAO,YAAY,OAAO,OAAO;AAAA,IACxD,mBAAmBA,cAAa,OAAO,qBAAqB,OAAO,eAAe;AAAA,IAClF,aAAaA,cAAa,OAAO,eAAe,OAAO,UAAU;AAAA,IACjE,YAAY,YAAY,OAAO,cAAc,OAAO,SAAS;AAAA,IAC7D,uBAAuB,iBAAiB,OAAO,yBAAyB,OAAO,KAAK;AAAA,IACpF,SAASA,cAAa,OAAO,WAAW,OAAO,GAAG;AAAA,IAClD,KAAK;AAAA,EACP;AACF;AAEA,SAAS,aAAa,QAA0D;AAC9E,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAUA,cAAa,OAAO,YAAY,OAAO,OAAO;AAAA,IACxD,iBAAiBA,cAAa,OAAO,mBAAmB,OAAO,aAAa;AAAA,IAC5E,gBAAgBA,cAAa,OAAO,kBAAkB,OAAO,aAAa;AAAA,IAC1E,uBAAuB,iBAAiB,OAAO,yBAAyB,OAAO,KAAK;AAAA,IACpF,qBAAqBA,cAAa,OAAO,uBAAuB,OAAO,kBAAkB;AAAA,IACzF,KAAK;AAAA,EACP;AACF;AAEA,SAAS,iBAAiB,GAAgD;AACxE,MAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,QAAM,IAAI;AACV,QAAM,SAAS,EAAE;AACjB,SAAO;AAAA,IACL,QAAQ,SACJ;AAAA,MACE,OAAO,qBAAqB,OAAO,KAAK;AAAA,MACxC,UAAUA,cAAa,OAAO,QAAQ;AAAA,IACxC,IACA;AAAA,IACJ,OAAOA,cAAa,EAAE,KAAK;AAAA,EAC7B;AACF;AAEA,SAAS,YAAY,GAAgD;AACnE,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,QAAyD,CAAC;AAChE,aAAW,QAAQ,GAAG;AACpB,QAAI,CAAC,QAAQ,OAAO,SAAS,SAAU;AACvC,UAAM,IAAI;AACV,UAAM,QAAQ,EAAE;AAChB,UAAM,KAAK;AAAA,MACT,IAAIA,cAAa,EAAE,EAAE;AAAA,MACrB,UAAUC,cAAa,EAAE,QAAQ;AAAA,MACjC,OAAO,QACH;AAAA,QACE,OAAO,qBAAqB,MAAM,KAAK;AAAA,QACvC,UAAUD,cAAa,MAAM,QAAQ;AAAA,MACvC,IACA;AAAA,IACN,CAAC;AAAA,EACH;AACA,SAAO,MAAM,SAAS,IAAI,QAAQ;AACpC;AAEA,SAAS,cAAc,GAAkC;AACvD,MAAI,CAAC,MAAM,QAAQ,CAAC,EAAG,QAAO;AAC9B,QAAM,MAAM,EAAE,OAAO,CAAC,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC;AAC9E,SAAO,IAAI,SAAS,IAAI,MAAM;AAChC;AAEA,SAASF,kBACP,SACA,aACyB;AACzB,QAAM,SAAkC,EAAE,GAAG,QAAQ;AACrD,aAAW,KAAK,aAAa;AAC3B,QAAI,EAAE,OAAO,EAAE,UAAU,UAAa,EAAE,EAAE,OAAO,SAAS;AACxD,aAAO,EAAE,GAAG,IAAI,EAAE;AAAA,IACpB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASC,mBAAkB,GAAmC;AAC5D,MAAI,MAAM,oBAAoB,MAAM,kBAAkB,MAAM,kBAAmB,QAAO;AACtF,SAAO;AACT;AAEA,SAASC,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;AAEA,SAASC,cAAa,GAAgC;AACpD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,IAAI,OAAO,CAAC;AAClB,WAAO,OAAO,SAAS,CAAC,IAAI,IAAI;AAAA,EAClC;AACA,SAAO;AACT;AAEA,SAAS,qBAAqB,GAAyC;AACrE,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,QAAO;AAClD,SAAO;AACT;AAEA,SAASJ,YAAW,MAAwC;AAC1D,QAAM,MACJ,OAAO,SAAS,WAAW,OAAO,KAAK,MAAM,OAAO,IAAI,OAAO,KAAK,IAAI,WAAW,IAAI,CAAC;AAC1F,QAAM,OAAOD,YAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO;AACrD,SAAO,IAAI,WAAW,KAAK,QAAQ,KAAK,YAAY,KAAK,UAAU;AACrE;;;AC/MO,SAAS,eAAe,OAAuC;AACpE,QAAM,EAAE,OAAO,IAAI;AACnB,QAAM,SAAmB,CAAC;AAC1B,QAAM,eAAe,MAAM,gBAAgB;AAC3C,QAAM,aAAa,MAAM,cAAc;AAEvC,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,YAAY,aAAa,QAAQ,MAAM;AAC7C,QAAM,eAAe,gBAAgB,QAAQ,MAAM;AACnD,QAAM,EAAE,IAAI,mBAAmB,QAAQ,IAAI,qBAAqB,QAAQ,MAAM;AAC9E,QAAM,uBAAuB,mBAAmB,QAAQ,MAAM;AAC9D,QAAM,mBAAmB,YAAY,QAAQ,MAAM;AACnD,QAAM,WAAW,cAAc,QAAQ,cAAc,MAAM,KAAK,MAAM;AAKtE,MAAI,WAAW;AACf,QAAM,WAAW,OAAO,SAAS,KAAK,MAAM,OAAO,MAAM,KAAK;AAC9D,MAAI,OAAO,aAAa,YAAY,SAAS,SAAS,GAAG;AACvD,UAAM,MAAM,MAAM,MAAM,MAAM,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAClE,UAAM,aAAa,MAAM,gBAAgB;AACzC,QAAI,WAAW,KAAK,OAAO,QAAQ,IAAI,SAAS,GAAG;AACjD,aAAO,KAAK,mCAA8B,QAAQ,uCAAuC;AACzF,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,KACJ,aACA,gBACA,qBACA,wBACA,oBACA,YACA;AAEF,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,aAAa,QAA0B,QAA2B;AACzE,QAAM,OAAO,OAAO;AACpB,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,CAAC,KAAK,kBAAmB,QAAO;AACpC,QAAM,WAAW,OAAO,QAAQ,KAAK;AACrC,MAAI,YAAY,KAAK,sBAAsB,UAAU;AACnD,WAAO;AAAA,MACL,2BAA2B,KAAK,iBAAiB,+BAA+B,QAAQ;AAAA,IAC1F;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,QAA0B,QAA2B;AAC5E,QAAM,UAAU,OAAO;AACvB,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI,CAAC,QAAQ,gBAAiB,QAAO;AACrC,QAAM,SAAS,OAAO,MAAM,KAAK;AACjC,MAAI,UAAU,QAAQ,oBAAoB,QAAQ;AAChD,WAAO;AAAA,MACL,4BAA4B,QAAQ,eAAe,6BAA6B,MAAM;AAAA,IACxF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,qBACP,QACA,QACmC;AAKnC,QAAM,MAAM,CAAC,OAAO,QAAQ,UAAU,OAAO,MAAM,UAAU,OAAO,SAAS,QAAQ,EAAE;AAAA,IACrF,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS;AAAA,EAC9D;AACA,MAAI,IAAI,WAAW,GAAG;AACpB,WAAO,KAAK,kEAAkE;AAC9E,WAAO,EAAE,IAAI,MAAM;AAAA,EACrB;AACA,QAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,MAAI,OAAO,OAAO,GAAG;AACnB,WAAO,KAAK,sCAAsC,MAAM,KAAK,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE;AACjF,WAAO,EAAE,IAAI,OAAO,SAAS,OAAU;AAAA,EACzC;AACA,SAAO,EAAE,IAAI,MAAM,SAAS,IAAI,CAAC,EAAE;AACrC;AAEA,SAAS,mBAAmB,QAA0B,QAA2B;AAC/E,QAAM,UAAU,OAAO,QAAQ;AAC/B,MAAI,CAAC,WAAW,QAAQ,WAAW,EAAG,QAAO;AAQ7C,MAAI,CAAC,OAAO,QAAS,QAAO;AAC5B,QAAM,gBAAgB,OAAO,QAAQ;AACrC,MAAI,CAAC,eAAe;AAClB,WAAO;AAAA,MACL,iEAAiE,QAAQ,KAAK,IAAI,CAAC;AAAA,IACrF;AACA,WAAO;AAAA,EACT;AACA,MAAI,CAAC,QAAQ,SAAS,aAAa,GAAG;AACpC,WAAO;AAAA,MACL,mBAAmB,aAAa,mCAAmC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACvF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAA0B,QAA2B;AACxE,QAAM,cAAc,gBAAgB,OAAO,QAAQ,qBAAqB;AACxE,QAAM,YAAY,gBAAgB,OAAO,MAAM,qBAAqB;AACpE,QAAM,eAAe,gBAAgB,OAAO,SAAS,qBAAqB;AAE1E,MAAI,eAAe,aAAa,YAAY,aAAa,UAAU,UAAU;AAC3E,QAAI,UAAU,QAAQ,YAAY,OAAO;AACvC,aAAO;AAAA,QACL,cAAc,UAAU,KAAK,IAAI,UAAU,QAAQ,uBAAuB,YAAY,KAAK;AAAA,MAC7F;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,aAAa,gBAAgB,UAAU,aAAa,aAAa,UAAU;AAC7E,QAAI,aAAa,QAAQ,UAAU,OAAO;AACxC,aAAO;AAAA,QACL,iBAAiB,aAAa,KAAK,IAAI,aAAa,QAAQ,uBAAuB,UAAU,KAAK;AAAA,MACpG;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,cACP,QACA,cACA,OACA,QACS;AACT,QAAM,MAAM,QAAQ,MAAM,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC1D,MAAI,KAAK;AAOT,QAAM,SAAuD;AAAA,IAC3D,CAAC,UAAU,OAAO,QAAQ,OAAO;AAAA,IACjC,CAAC,QAAQ,OAAO,MAAM,OAAO;AAAA,IAC7B;AAAA,MACE;AAAA,MACA,OAAO,OAAO,SAAS,KAAK,YAAY,WACnC,OAAO,QAAQ,IAAI,UACpB,OAAO,OAAO,SAAS,KAAK,QAAQ,WACjC,OAAO,QAAQ,IAAI,MACpB;AAAA,IACR;AAAA,EACF;AAEA,aAAW,CAAC,MAAM,OAAO,KAAK,QAAQ;AACpC,QAAI,CAAC,QAAS;AACd,UAAM,SAAS,YAAY,OAAO;AAClC,QAAI,WAAW,MAAM;AACnB,aAAO,KAAK,GAAG,IAAI,sBAAsB;AACzC,WAAK;AACL;AAAA,IACF;AACA,QAAI,MAAM,SAAS,cAAc;AAC/B,aAAO,KAAK,GAAG,IAAI,uBAAuB,OAAO,EAAE;AACnD,WAAK;AAAA,IACP;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,gBACP,OAC4C;AAC5C,MAAI,CAAC,OAAO,QAAQ,SAAS,CAAC,MAAM,OAAO,SAAU,QAAO;AAC5D,QAAM,IACJ,OAAO,MAAM,OAAO,UAAU,WAAW,OAAO,MAAM,OAAO,KAAK,IAAI,MAAM,OAAO;AACrF,MAAI,CAAC,OAAO,SAAS,CAAC,EAAG,QAAO;AAChC,SAAO,EAAE,OAAO,GAAG,UAAU,MAAM,OAAO,SAAS;AACrD;AAEA,SAAS,YAAY,OAA8B;AACjD,QAAM,QAAQ,OAAO,KAAK;AAC1B,MAAI,OAAO,SAAS,KAAK,KAAK,QAAQ,GAAG;AACvC,WAAO,SAAS,OAAO,KAAK,MAAM,QAAQ,GAAI,IAAI,KAAK,MAAM,KAAK;AAAA,EACpE;AACA,QAAM,aAAa,KAAK,MAAM,KAAK;AACnC,MAAI,OAAO,SAAS,UAAU,EAAG,QAAO,KAAK,MAAM,aAAa,GAAI;AACpE,SAAO;AACT;;;AC9NA,eAAsB,mBAAmB,OAAiD;AACxF,MAAI,CAAC,MAAM,iBAAiB;AAC1B,WAAO,EAAE,IAAI,OAAO,OAAO,2BAA2B;AAAA,EACxD;AAEA,QAAM,YAAY,MAAM,gBAAgB;AACxC,QAAM,aAAa,MAAM,cAAc;AAEvC,QAAM,YAAY,eAAe,MAAM,iBAAiB,WAAW,MAAM,GAAG;AAC5E,MAAI,CAAC,UAAU,IAAI;AACjB,WAAO,EAAE,IAAI,OAAO,OAAO,UAAU,OAAO,gBAAgB,KAAK;AAAA,EACnE;AAMA,QAAM,SAAS,MAAM,MAAM,MAAM,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACrE,QAAM,eAAe,SAAS,aAAa;AAC3C,QAAM,YAAY,OAAO,MAAM,eAAe,IAAI,MAAM,mBAAmB,EAAE;AAC7E,MAAI,WAAW,KAAK,WAAW,WAAW,GAAG;AAC3C,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,iBAAiB,aAAa,MAAM,eAAe;AACzD,MAAI,CAAC,gBAAgB;AACnB,WAAO,EAAE,IAAI,OAAO,OAAO,uCAAuC;AAAA,EACpE;AAEA,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,MAAM,OAAO;AACxD,QAAM,EAAE,OAAO,IAAI,MAAM,UAAU;AAEnC,aAAW,aAAa,MAAM,eAAe;AAC3C,UAAM,cAAc,mBAAmB,UAAU,GAAG;AACpD,UAAM,YACJ,eAAe,gBAAgB,gBAAgB,CAAC,WAAW,IAAI,CAAC,WAAW,OAAO;AAEpF,eAAW,OAAO,WAAW;AAC3B,UAAI;AACF,cAAM,WAAW,MAAM,UAAU,QAAQ,UAAU,KAAK,gBAAgB,WAAW,GAAG;AACtF,YAAI,SAAU,QAAO,EAAE,IAAI,MAAM,WAAW,IAAI;AAAA,MAClD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,WAAW;AAAA,IACX,OAAO;AAAA,EACT;AACF;AAEA,eAAe,UACb,QACA,KACA,WACA,MACA,KACkB;AAClB,MAAI,QAAQ,WAAW;AACrB,QAAI,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAW,QAAO;AACvD,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,KAAmB,EAAE,MAAM,UAAU,GAAG,OAAO;AAAA,MACvF;AAAA,IACF,CAAC;AACD,WAAO,MAAM,OAAO,OAAO,EAAE,MAAM,UAAU,GAAG,KAAK,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC;AAAA,EACpF;AACA,MAAI,QAAQ,SAAS;AACnB,QAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,QAAS,QAAO;AACpD,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,MACrC;AAAA,MACA,CAAC,QAAQ;AAAA,IACX;AACA,WAAO,MAAM,OAAO;AAAA,MAClB,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,MACjC;AAAA,MACA,MAAM,SAAS;AAAA,MACf,MAAM,IAAI;AAAA,IACZ;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,MAAM,OAAgC;AAC7C,QAAM,MAAM,IAAI,YAAY,MAAM,UAAU;AAC5C,MAAI,WAAW,GAAG,EAAE,IAAI,KAAK;AAC7B,SAAO;AACT;AAEA,SAAS,eACP,aACA,cACA,OAC6C;AAC7C,MAAI,CAAC,YAAa,QAAO,EAAE,IAAI,OAAO,OAAO,2BAA2B;AACxE,QAAM,KAAK,eAAe,WAAW;AACrC,MAAI,OAAO,KAAM,QAAO,EAAE,IAAI,OAAO,OAAO,+BAA+B;AAC3E,QAAM,MAAM,QAAQ,MAAM,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC1D,MAAI,KAAK,IAAI,MAAM,EAAE,IAAI,cAAc;AACrC,WAAO,EAAE,IAAI,OAAO,OAAO,qBAAqB,YAAY,cAAc;AAAA,EAC5E;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,SAAS,eAAe,OAA8B;AACpD,QAAM,QAAQ,OAAO,KAAK;AAC1B,MAAI,OAAO,SAAS,KAAK,KAAK,QAAQ,GAAG;AAEvC,WAAO,SAAS,OAAO,KAAK,MAAM,QAAQ,GAAI,IAAI,KAAK,MAAM,KAAK;AAAA,EACpE;AACA,QAAM,aAAa,KAAK,MAAM,KAAK;AACnC,MAAI,OAAO,SAAS,UAAU,EAAG,QAAO,KAAK,MAAM,aAAa,GAAI;AACpE,SAAO;AACT;AAEA,SAAS,mBAAmB,KAA4D;AACtF,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,UAAU,IAAI,YAAY;AAChC,MAAI,YAAY,aAAa,YAAY,QAAS,QAAO;AACzD,MAAI,YAAY,WAAW,QAAQ,WAAW,YAAY,EAAG,QAAO;AACpE,SAAO;AACT;AAEA,SAAS,aAAa,OAAkC;AACtD,MAAI;AAEF,UAAM,aAAa,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC7D,UAAM,MAAM,WAAW,SAAS,MAAM,IAAI,KAAK,IAAI,OAAO,IAAK,WAAW,SAAS,CAAE;AACrF,WAAO,IAAI,WAAW,OAAO,KAAK,aAAa,KAAK,QAAQ,CAAC;AAAA,EAC/D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,YAA+C;AAC5D,MAAI,OAAO,WAAW,WAAW,eAAe,WAAW,OAAO,QAAQ;AACxE,WAAO,EAAE,QAAQ,WAAW,OAAO,OAAO;AAAA,EAC5C;AACA,QAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,SAAO,EAAE,QAAQ,WAAW,UAAU,OAAuB;AAC/D;;;ACtKA,SAAS,WAAW,YAAY,eAAe;AAqExC,SAAS,sBAAsB,SAAmD;AACvF,QAAM,OAAOM,YAAW,QAAQ,SAAS,eAAe;AACxD,MAAI,CAAC,QAAQ,CAAC,kBAAkB,KAAK,IAAI,EAAG,QAAO;AAEnD,MAAI;AACF,UAAM,aAAa,WAAW,YAAY,IAAI;AAC9C,WAAO;AAAA,MACL,MAAM;AAAA,MACN,YAAY;AAAA,QACV,WAAW,mBAAmB,WAAW,SAAS;AAAA,QAClD,QAAQ,WAAW;AAAA,QACnB,SAAS,WAAW;AAAA,MACtB;AAAA,MACA,SAAS,QAAQ;AAAA,IACnB;AAAA,EACF,QAAQ;AACN,WAAO,EAAE,MAAM,SAAS,OAAO,EAAE,MAAM,8BAA8B,EAAE;AAAA,EACzE;AACF;AAMO,SAAS,uBAAuB,UAAqD;AAC1F,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,aAAa,kBAAkB,QAAQ;AAC7C,QAAI,WAAW,WAAW,EAAG,QAAO;AACpC,UAAM,UAAU,MAAM,KAAK,IAAI,IAAI,WAAW,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACnE,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,gBAAgB;AAAA,IAClB;AAAA,EACF;AAEA,QAAM,gBAAgBA,YAAW,SAAS,SAAS,iBAAiB;AACpE,MAAI,eAAe;AACjB,QAAI;AACF,YAAM,SAAS,QAAQ,YAAY,aAAa;AAChD,YAAM,IAAI;AACV,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,UACP,QAAQC,cAAa,EAAE,MAAM;AAAA,UAC7B,WAAWA,cAAa,EAAE,SAAS;AAAA,UACnC,YAAYA,cAAa,EAAE,cAAc,EAAE,WAAW;AAAA,UACtD,QAAQA,cAAa,EAAE,MAAM;AAAA,UAC7B,WAAWA,cAAa,EAAE,SAAS;AAAA,UACnC,KAAK;AAAA,QACP;AAAA,MACF;AAAA,IACF,QAAQ;AACN,aAAO,EAAE,MAAM,SAAS,OAAO,EAAE,MAAM,2BAA2B,EAAE;AAAA,IACtE;AAAA,EACF;AAEA,QAAM,cAAcD,YAAW,SAAS,SAAS,cAAc;AAC/D,MAAI,eAAe,8BAA8B,KAAK,WAAW,GAAG;AAClE,UAAM,OACJ,OAAO,SAAS,SAAS,YAAY,SAAS,SAAS,OAClD,SAAS,OACV,CAAC;AACP,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO;AAAA,QACL,MAAMC,cAAa,KAAK,IAAI;AAAA,QAC5B,OAAOA,cAAa,KAAK,KAAK;AAAA,QAC9B,QAAQA,cAAa,KAAK,MAAM;AAAA,MAClC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,kBACd,SAI0B;AAC1B,MAAI,aAAa,QAAS,QAAO,sBAAsB,QAAQ,OAAO;AACtE,MAAI,cAAc,QAAS,QAAO,uBAAuB,QAAQ,QAAQ;AACzE,MAAI,OAAQ,QAA4B,WAAW,UAAU;AAC3D,WAAO,uBAAuB,OAA0B;AAAA,EAC1D;AACA,SAAO,sBAAsB,OAAyB;AACxD;AAEA,SAAS,kBAAkB,UAAkD;AAC3E,QAAM,UAAUD,YAAW,SAAS,SAAS,kBAAkB;AAC/D,MAAI,CAAC,QAAS,QAAO,CAAC;AACtB,QAAM,UAAU,IAAI,QAAQ;AAC5B,UAAQ,IAAI,oBAAoB,OAAO;AAEvC,QAAM,MAA6B,CAAC;AACpC,MAAI;AACF,UAAM,OAAO,UAAU,gBAAgB,OAAO;AAC9C,eAAW,MAAM,MAAM;AACrB,UAAI,KAAK,mBAAmB,EAAoC,CAAC;AAAA,IACnE;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AAEA,SAAS,mBACP,IACqB;AACrB,QAAM,MAAM;AACZ,SAAO;AAAA,IACL,IAAIC,cAAa,IAAI,EAAE,KAAK;AAAA,IAC5B,OAAOA,cAAa,IAAI,KAAK,KAAK;AAAA,IAClC,QAAQA,cAAa,IAAI,MAAM,KAAK;AAAA,IACpC,QAAQA,cAAa,IAAI,MAAM,KAAK;AAAA,IACpC,SAAU,IAAI,WAAuC,CAAC;AAAA,IACtD,SAASA,cAAa,IAAI,OAAO;AAAA,IACjC,QAAQA,cAAa,IAAI,MAAM;AAAA,IAC/B,aAAaA,cAAa,IAAI,WAAW;AAAA,IACzC,QAAQ,IAAI;AAAA,EACd;AACF;AAEA,SAASD,YACP,SACA,MACoB;AACpB,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,KAAK,IAAI;AAAA,IAC9C;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAASC,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;ACtOA,SAAS,kBAAkB;AAyBpB,SAAS,UAAU,OAAwC;AAChE,QAAM,EAAE,QAAQ,IAAI;AACpB,QAAM,YAAY,MAAM,gBAAgB;AACxC,QAAM,SAAS,MAAM,MAAM,MAAM,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACrE,QAAM,aAAa,MAAM,cAAc;AAIvC,QAAM,YAAY,QAAQ,YAAY,cAAc,QAAQ,cAAc,QAAQ,WAAW,CAAC;AAC9F,QAAM,SAAS,QAAQ,YAAY;AACnC,QAAM,SAAS,WAAW;AAE1B,MAAI,WAAW;AACf,MAAI,WAAW,SAAS;AACtB,UAAM,eAAe,KAAK,MAAM,UAAU,OAAO;AACjD,QAAI,CAAC,OAAO,SAAS,YAAY,GAAG;AAClC,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,cAAc;AAAA,QACd;AAAA,QACA;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AACA,UAAM,aAAa,KAAK,MAAM,eAAe,GAAI;AACjD,QAAI,SAAS,aAAa,WAAW;AACnC,iBAAW;AAAA,IACb;AAAA,EACF;AAMA,MAAI,eAA+B;AACnC,MAAI,MAAM,YAAY,QAAW;AAC/B,QAAI,CAAC,WAAW,QAAQ;AACtB,qBAAe;AAAA,IACjB,OAAO;AACL,UAAI;AACF,YAAI,CAAC,YAAY,KAAK,UAAU,MAAM,GAAG;AACvC,yBAAe;AAAA,QACjB,OAAO;AACL,yBAAe,WAAW,OAAO,UAAU,QAA+B,MAAM,OAAO;AAAA,QACzF;AAAA,MACF,QAAQ;AACN,uBAAe;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AAKA,MAAI,WAAW;AACf,MAAI,WAAW,UAAU,UAAU;AACjC,UAAM,YAAY,OAAO,UAAU,MAAM,IAAK,UAAiC,SAAS,EAAE;AAC1F,UAAM,aAAa,SAAS,aAAa;AACzC,QAAI,WAAW,KAAK,WAAW,SAAS,GAAG;AACzC,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,KAAK,aAAa,iBAAiB,QAAQ,iBAAiB,SAAS;AAC3E,QAAM,SAAmB,CAAC;AAC1B,MAAI,CAAC,SAAU,QAAO,KAAK,mBAAmB;AAC9C,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,MACL,MAAM,YAAY,UAAa,CAAC,WAAW,SACvC,8CACA;AAAA,IACN;AAAA,EACF;AACA,MAAI,CAAC,SAAU,QAAO,KAAK,kEAA6D;AAExF,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,OAAO,SAAS,IAAI,OAAO,KAAK,IAAI,IAAI;AAAA,EACjD;AACF;;;AC1GA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AACP,SAAS,wBAAwB;AAwD1B,SAAS,uBAAuB,SAAqD;AAC1F,QAAM,cAAcC,YAAW,QAAQ,SAAS,WAAW;AAG3D,MAAI,QAAQ,QAAQ,OAAO,QAAQ,SAAS,UAAU;AACpD,UAAM,SAAS,gBAAgB,QAAQ,IAAI;AAC3C,QAAI,OAAQ,QAAO,oBAAoB,QAAQ,MAAM;AAAA,EACvD;AAGA,MAAI,aAAa;AACf,QAAI;AACF,YAAM,UAAU,iBAAiB,WAAW;AAC5C,UAAI,SAAS;AACX,cAAM,OAAO,KAAK,MAAM,OAAO;AAC/B,cAAM,SAAS,gBAAgB,IAAI;AACnC,YAAI,OAAQ,QAAO,oBAAoB,QAAQ,QAAQ;AAAA,MACzD;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,OAAO,EAAE,MAAM,uBAAuB;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,wBAAwB,UAAuD;AAC7F,MAAI,SAAS,WAAW,IAAK,QAAO;AAGpC,MAAI,SAAS,QAAQ,OAAO,SAAS,SAAS,UAAU;AACtD,UAAM,SAAS,iBAAiB,SAAS,IAAI;AAC7C,QAAI,OAAQ,QAAO,qBAAqB,QAAQ,MAAM;AAAA,EACxD;AAGA,QAAM,cAAcA,YAAW,SAAS,SAAS,oBAAoB;AACrE,MAAI,aAAa;AACf,QAAI;AACF,YAAM,UAAU,iBAAiB,WAAW;AAC5C,UAAI,SAAS;AACX,cAAM,OAAO,KAAK,MAAM,OAAO;AAC/B,cAAM,SAAS,iBAAiB,IAAI;AACpC,YAAI,OAAQ,QAAO,qBAAqB,QAAQ,QAAQ;AAAA,MAC1D;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,OAAO,EAAE,MAAM,wBAAwB;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,mBACd,SAI2B;AAC3B,MAAI,aAAa,QAAS,QAAO,uBAAuB,QAAQ,OAAO;AACvE,MAAI,cAAc,QAAS,QAAO,wBAAwB,QAAQ,QAAQ;AAC1E,MAAI,OAAQ,QAA6B,WAAW,UAAU;AAC5D,WAAO,wBAAwB,OAA2B;AAAA,EAC5D;AACA,SAAO,uBAAuB,OAA0B;AAC1D;AAEA,SAAS,iBAAiB,MAAuC;AAC/D,MAAI;AACF,WAAO,wBAAwB,IAAI;AAAA,EACrC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,gBAAgB,MAAsC;AAC7D,MAAI;AACF,WAAO,uBAAuB,IAAI;AAAA,EACpC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,qBACP,QACA,QACoB;AACpB,QAAM,WAAW;AACjB,QAAM,UAAU,cAAc,SAAS,WAAW;AAClD,QAAM,UAAW,SAAS,WAAiD,CAAC;AAC5E,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,MACf,UAAU,gBAAgB,SAAS,QAAQ;AAAA,MAC3C,SAAS,QAAQ,IAAI,oBAAoB;AAAA,MACzC,YAAY,SAAS;AAAA,MACrB,OAAO,OAAO,SAAS,UAAU,WAAW,SAAS,QAAQ;AAAA,IAC/D;AAAA,EACF;AACF;AAEA,SAAS,oBACP,QACA,QACoB;AACpB,QAAM,WAAW;AACjB,QAAM,UAAU,cAAc,SAAS,WAAW;AAClD,QAAM,WAAW,SAAS;AAC1B,QAAM,UAAW,SAAS,WAAuC,CAAC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,gBAAgB;AAAA,MACd,QAAQ,UAAU,WAAW,OAAO,SAAS,WAAW,WAAW,SAAS,SAAS;AAAA,MACrF,SAAS,UAAU,YAAY,OAAO,SAAS,YAAY,WAAW,SAAS,UAAU;AAAA,MACzF;AAAA,MACA,YAAY,SAAS;AAAA,IACvB;AAAA,EACF;AACF;AAEA,SAAS,qBAAqB,KAAmD;AAC/E,QAAM,IAAI;AACV,QAAM,SAAU,EAAE,UAAU,EAAE,qBAAqB;AACnD,SAAO;AAAA,IACL,QAAS,EAAE,UAAqB;AAAA,IAChC,SAAU,EAAE,WAAsB;AAAA,IAClC,OAAQ,EAAE,SAAoB;AAAA,IAC9B,QAAQ,OAAO,MAAM;AAAA,IACrB,OAAQ,EAAE,SAAoB;AAAA,IAC9B,mBAAmB,OAAO,EAAE,sBAAsB,WAAW,EAAE,oBAAoB;AAAA,IACnF,UAAU,OAAO,EAAE,aAAa,WAAW,EAAE,WAAW;AAAA,IACxD,aAAa,OAAO,EAAE,gBAAgB,WAAW,EAAE,cAAc;AAAA,EACnE;AACF;AAEA,SAAS,gBAAgB,GAAoB;AAC3C,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,KAAK,OAAO,MAAM,YAAY,SAAS,KAAK,OAAQ,EAAuB,QAAQ,UAAU;AAC/F,WAAQ,EAAsB;AAAA,EAChC;AACA,SAAO;AACT;AAEA,SAAS,cAAc,GAA0B;AAC/C,MAAI,MAAM,KAAK,MAAM,EAAG,QAAO;AAC/B,SAAO;AACT;AAEA,SAASA,YACP,SACA,MACoB;AACpB,MAAI,CAAC,QAAS,QAAO;AACrB,aAAW,OAAO,OAAO,KAAK,OAAO,GAAG;AACtC,QAAI,IAAI,YAAY,MAAM,MAAM;AAC9B,YAAM,MAAM,QAAQ,GAAG;AACvB,UAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,UAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;;;ACrOA,SAAS,cAAAC,aAAY,iBAAiB;AAoEtC,eAAsB,cAAc,OAA+C;AACjF,QAAM,SAAmB,CAAC;AAC1B,QAAM,YAAY,MAAM,gBAAgB;AACxC,QAAM,MAAM,MAAM,MAAM,MAAM,IAAI,IAAI,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAClE,QAAM,EAAE,IAAI,IAAI,KAAK,IAAI,IAAI,MAAM;AACnC,QAAM,aAAa,MAAM,cAAc;AAOvC,MAAI,CAAC,IAAI;AACP,QAAI,CAAC,MAAM,mBAAmB;AAC5B,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF,WAAW,CAAC,MAAM,eAAe;AAC/B,aAAO,KAAK,iDAAiD;AAAA,IAC/D;AAAA,EACF;AAGA,QAAM,UAAU,KAAK,MAAM,MAAM,gBAAgB,IAAI,IAAI,IAAI;AAC7D,MAAI,MAAM,CAAC,QAAS,QAAO,KAAK,sBAAsB;AAEtD,QAAM,QAAQ,cAAc,IAAI,OAAO;AAGvC,QAAM,gBAA4B,SAAS,MAAM,iBAAiB;AAClE,QAAM,UAAU,MAAM,MAAM,gBAAgB,IAAI,aAAa;AAC7D,MAAI,CAAC,QAAS,QAAO,KAAK,sBAAsB;AAMhD,MAAI,SAAS;AACX,UAAM,YAAY,SAAS,GAAG,OAAO;AACrC,UAAM,YAAY,MAAM,MAAO,YAAY;AAC3C,QAAI,WAAW,KAAK,WAAW,SAAS,GAAG;AACzC,aAAO,KAAK,iEAA4D;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,QAAQ,cAAc,GAAG,OAAO;AACtC,QAAM,WAAW,MAAM,MAAM,MAAM,gBAAgB,KAAK,SAAS,IAAI,IAAI;AACzE,MAAI,OAAO,CAAC,SAAU,QAAO,KAAK,uBAAuB;AACzD,QAAM,WAAW,MAAM,MAAM,MAAM,gBAAgB,KAAK,SAAS,IAAI,IAAI;AACzE,MAAI,OAAO,CAAC,SAAU,QAAO,KAAK,uBAAuB;AAGzD,MAAI,YAAY;AAChB,MAAI,OAAO;AACT,UAAM,kBAAkB,MAAM,YAAY,EAAE;AAC5C,gBAAY,kBAAkB,MAAM,iBAAiB,OAAO,eAAe,IAAI;AAC/E,QAAI,CAAC,UAAW,QAAO,KAAK,yCAAyC;AAAA,EACvE;AAEA,MAAI,YAAY;AAChB,MAAI,UAAU,OAAO,MAAM;AACzB,UAAM,UAAU,OAAO;AACvB,UAAM,kBAAkB,MAAM,YAAY,OAAO;AACjD,gBAAY,kBAAkB,MAAM,iBAAiB,OAAO,eAAe,IAAI;AAC/E,QAAI,CAAC,UAAW,QAAO,KAAK,yCAAyC;AAAA,EACvE;AAGA,MAAI,mBAAmC;AACvC,MAAI,OAAO,KAAK;AACd,UAAM,IAAIC,cAAa,IAAI,QAAQ,kBAAkB,IAAI,QAAQ,aAAa;AAC9E,UAAM,IAAIA,cAAa,IAAI,QAAQ,kBAAkB,IAAI,QAAQ,aAAa;AAC9E,QAAI,KAAK,GAAG;AACV,yBAAmB,MAAM;AACzB,UAAI,CAAC,kBAAkB;AACrB,eAAO,KAAK,uBAAuB,CAAC,wCAAwC,CAAC,GAAG;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAGA,MAAI,iBAAiC;AACrC,MAAI,KAAK;AACP,UAAM,eAAeA;AAAA,MACnB,IAAI,QAAQ,iBACV,IAAI,QAAQ,8BACX,IAAI,QAAQ,mBAA2D;AAAA,IAC5E;AACA,QAAI,cAAc;AAChB,YAAM,WAAW,0BAA0B,EAAE;AAC7C,uBAAiB,WAAW,iBAAiB,WAAW;AACxD,UAAI,CAAC,gBAAgB;AACnB,eAAO,KAAK,oEAAoE;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,kBAAkB,CAAC,IAAI,IAAI,KAAK,GAAG,GAAG,WAAW,KAAK,MAAM;AAM7E,QAAM,+BAA+B,CAAC,OAAO;AAAA,IAC3C,CAAC,MACC,EAAE,WAAW,YAAY,KACzB,EAAE,WAAW,uBAAuB,KACpC,EAAE,WAAW,qBAAqB;AAAA,EACtC;AAEA,QAAM,KACJ,YAAY,SACZ,WACA,aAAa,SACb,aAAa,SACb,aACA,aACA,qBAAqB,SACrB,mBAAmB,SACnB,YACA;AAEF,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,cAAc,SAA0D;AAC/E,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,MAAM,QAAQ;AACpB,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,MAAM,IAAI;AAChB,SAAO,OAAO;AAChB;AAEA,eAAe,YAAY,OAAqC;AAE9D,QAAM,aAAa,cAAc,MAAM,MAAM;AAC7C,MAAI,WAAY,QAAO;AACvB,QAAM,cAAc,cAAc,MAAM,OAAO;AAC/C,SAAO;AACT;AAEA,eAAe,iBAAiB,GAAQ,GAA0B;AAChE,MAAI;AACF,UAAM,KAAK,MAAM,cAAc,CAAC;AAChC,UAAM,KAAK,MAAM,cAAc,CAAC;AAChC,WAAO,OAAO;AAAA,EAChB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAe,cAAc,KAA2B;AACtD,QAAM,YAAY,aAAa,GAAG;AAClC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,SAAS,CAAC;AAChE,QAAM,SAAS,UAAU;AACzB,QAAM,SAAS,MAAM,IAAI,QAAqB,CAAC,SAAS,WAAW;AACjE,UAAM,SAAS,IAAI,YAAY,MAAM,UAAU;AAC/C,QAAI,WAAW,MAAM,EAAE,IAAI,KAAK;AAChC,WAAO,OAAO,WAAW,MAAM,EAAE,KAAK,OAAO,EAAE,MAAM,MAAM;AAAA,EAC7D,CAAC;AACD,SAAO,OAAO,KAAK,IAAI,WAAW,MAAM,CAAC,EAAE,SAAS,WAAW,EAAE,QAAQ,OAAO,EAAE;AACpF;AAEA,SAAS,aAAa,KAAkC;AAGtD,MAAI,IAAI,QAAQ,MAAM;AACpB,WAAO,EAAE,KAAK,IAAI,OAAO,IAAI,KAAK,MAAM,GAAG,IAAI,KAAK,IAAI,GAAG,IAAI,KAAK,GAAG;AAAA,EACzE;AACA,MAAI,IAAI,QAAQ,OAAO;AACrB,WAAO,EAAE,KAAK,IAAI,OAAO,IAAI,KAAK,OAAO,GAAG,IAAI,KAAK,GAAG;AAAA,EAC1D;AACA,MAAI,IAAI,QAAQ,OAAO;AACrB,WAAO,EAAE,GAAG,IAAI,KAAK,IAAI,KAAK,OAAO,GAAG,IAAI,KAAK,GAAG;AAAA,EACtD;AACA,SAAO,EAAE,KAAK,IAAI,OAAO,GAAG;AAC9B;AAEA,SAAS,0BAA0B,IAA4B;AAC7D,QAAM,qBAAsB,GAAG,QAAQ,YAAY,GAAG,QAAQ;AAC9D,MAAI,CAAC,mBAAoB,QAAO;AAChC,QAAM,YAAY,mBAAmB,kBAAkB;AACvD,QAAM,OAAOC,YAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO,WAAW,EAAE,QAAQ,OAAO,EAAE;AACzF,SAAO;AACT;AAEA,SAAS,mBAAmB,OAAwB;AAClD,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC5E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,MAAM,IAAI,kBAAkB,EAAE,KAAK,GAAG,IAAI;AACjF,QAAM,UAAU,OAAO,QAAQ,KAAgC,EAAE;AAAA,IAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAC5E,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI;AAAA,EAC3B;AACA,SACE,MAAM,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,UAAU,CAAC,IAAI,MAAM,mBAAmB,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAE/F;AAEA,SAAS,kBACP,QACA,cACA,QACA,QACS;AACT,MAAI,KAAK;AACT,QAAM,QAAQ,CAAC,MAAM,MAAM,OAAO,KAAK;AACvC,SAAO,QAAQ,CAAC,OAAO,QAAQ;AAC7B,QAAI,CAAC,MAAO;AACZ,UAAM,MAAMC,eAAc,MAAM,QAAQ,OAAO,MAAM,QAAQ,OAAO;AACpE,QAAI,QAAQ,OAAW;AACvB,QAAI,SAAS,MAAM,cAAc;AAC/B,aAAO,KAAK,GAAG,MAAM,GAAG,CAAC,uBAAuB,GAAG,EAAE;AACrD,WAAK;AAAA,IACP;AAAA,EACF,CAAC;AACD,SAAO;AACT;AAEA,SAASA,eAAc,GAAgC;AACrD,MAAI,OAAO,MAAM,YAAY,OAAO,SAAS,CAAC,EAAG,QAAO;AACxD,MAAI,OAAO,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,CAAC;AACtB,QAAI,OAAO,SAAS,KAAK,KAAK,QAAQ,GAAG;AACvC,aAAO,SAAS,OAAO,KAAK,MAAM,QAAQ,GAAI,IAAI,KAAK,MAAM,KAAK;AAAA,IACpE;AACA,UAAM,SAAS,KAAK,MAAM,CAAC;AAC3B,QAAI,OAAO,SAAS,MAAM,EAAG,QAAO,KAAK,MAAM,SAAS,GAAI;AAAA,EAC9D;AACA,SAAO;AACT;AAEA,SAASF,cAAa,GAAgC;AACpD,SAAO,OAAO,MAAM,YAAY,EAAE,SAAS,IAAI,IAAI;AACrD;;;ACxNA,eAAsB,oBAAoB,OAAwD;AAChG,QAAM,eAAyB,CAAC;AAChC,QAAM,aAAqC,CAAC;AAC5C,QAAM,UAAU,EAAE,WAAW,GAAG,UAAU,GAAG,QAAQ,EAAE;AAEvD,QAAM,eAAe,YAAY,IAAI;AACrC,QAAM,UAAU,eAAe,KAAK;AACpC,QAAM,mBAAmB,wBAAwB,KAAK;AACtD,QAAM,iBAAiB,sBAAsB,KAAK;AAClD,QAAM,eAAe,oBAAoB,KAAK;AAC9C,UAAQ,YAAY,KAAK,MAAM,YAAY,IAAI,IAAI,YAAY;AAE/D,QAAM,cAAc,YAAY,IAAI;AACpC,MAAI,WAAW;AAEf,MAAI,MAAM,IAAI,aAAa;AACzB,eAAW,KAAK,MAAM,cAAc,MAAM,GAAG,WAAW;AACxD,QAAI,CAAC,WAAW,GAAG,GAAI,YAAW;AAAA,EACpC;AAEA,MAAI,MAAM,KAAK;AACb,eAAW,MAAM,eAAe;AAAA,MAC9B,QAAQ,MAAM,IAAI;AAAA,MAClB,cAAc,MAAM;AAAA,MACpB,KAAK,MAAM;AAAA,IACb,CAAC;AACD,QAAI,CAAC,WAAW,IAAI,GAAI,YAAW;AAAA,EACrC;AAEA,MAAI,MAAM,KAAK,aAAa;AAC1B,eAAW,MAAM,MAAM,mBAAmB,MAAM,IAAI,WAAW;AAC/D,QAAI,CAAC,WAAW,IAAI,MAAM,WAAW,IAAI,eAAgB,YAAW;AACpE,QAAI,WAAW,IAAI,cAAc,eAAe;AAC9C,mBAAa,KAAK,qCAAqC;AAAA,IACzD,WAAW,CAAC,WAAW,IAAI,IAAI;AAC7B,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,MAAI,MAAM,SAAS;AACjB,eAAW,UAAU,MAAM,cAAc,MAAM,QAAQ,SAAS,MAAM,QAAQ,aAAa;AAC3F,QAAI,CAAC,WAAW,QAAQ,GAAI,YAAW;AAAA,EACzC;AAEA,MAAI,MAAM,KAAK;AACb,eAAW,MAAM,UAAU;AAAA,MACzB,SAAS,MAAM,IAAI;AAAA,MACnB,SAAS,MAAM,IAAI;AAAA,MACnB,cAAc,MAAM;AAAA,MACpB,KAAK,MAAM;AAAA,IACb,CAAC;AACD,QAAI,CAAC,WAAW,IAAI,GAAI,YAAW;AACnC,QAAI,MAAM,IAAI,QAAQ,YAAY,QAAQ;AACxC,mBAAa,KAAK,cAAc,YAAY,MAAM,IAAI,QAAQ,WAAW,MAAM,CAAC,EAAE;AAAA,IACpF;AAAA,EACF;AAEA,MAAI,MAAM,eAAe;AACvB,eAAW,gBAAgB;AAAA,MACzB,MAAM,cAAc;AAAA,MACpB,MAAM,cAAc;AAAA,MACpB,MAAM,cAAc;AAAA,MACpB,EAAE,KAAK,MAAM,MAAM,MAAM,MAAM,IAAK,IAAI,OAAU;AAAA,IACpD;AACA,QAAI,CAAC,WAAW,cAAc,IAAI;AAChC,mBAAa,KAAK,4BAA4B;AAAA,IAChD;AAAA,EACF;AACA,UAAQ,WAAW,KAAK,MAAM,YAAY,IAAI,IAAI,WAAW;AAE7D,MAAI;AACJ,MAAI,MAAM,oBAAoB,eAAe,SAAS,GAAG;AACvD,UAAM,QAAQ,MAAM,aAAa,gBAAgB,MAAM,gBAAgB;AACvE,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,wBAAwB,MAAM;AAAA,MAC9B,sBAAsB,MAAM;AAAA,IAC9B;AACA,QAAI,MAAM,qBAAsB,cAAa,KAAK,iCAAiC;AAAA,EACrF,WAAW,eAAe,SAAS,GAAG;AACpC,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,wBAAwB;AAAA,MACxB,sBAAsB;AAAA,IACxB;AAAA,EACF;AAEA,QAAM,YAAY,YAAY,IAAI;AAClC,QAAM,cAAc,kBAAkB,KAAK;AAC3C,MAAI,eAAe,CAAC,YAAY,GAAI,YAAW;AAC/C,UAAQ,SAAS,KAAK,MAAM,YAAY,IAAI,IAAI,SAAS;AAEzD,MAAI,cAAc,SAAS,aAAc,cAAa,KAAK,oBAAoB;AAC/E,MAAI,cAAc,SAAS,SAAU,cAAa,KAAK,yBAAyB;AAChF,MAAI,cAAc,SAAS,WAAY,cAAa,KAAK,2BAA2B;AAEpF,QAAM,aAAa,MAAM,KAAK,QAAQ;AAEtC,SAAO;AAAA,IACL,UAAU,MAAM;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB,MAAM,KAAK,QAAQ;AAAA,IACtC;AAAA,IACA,SAAS,aACL;AAAA,MACE,QAAQ,WAAW;AAAA,MACnB,WAAW,WAAW;AAAA,MACtB,QAAQ,WAAW;AAAA,MACnB,WAAW,WAAW;AAAA,IACxB,IACA;AAAA,IACJ;AAAA,IACA;AAAA,IACA,IAAI,CAAC;AAAA,EACP;AACF;AAEA,SAAS,eAAe,OAAsD;AAC5E,MAAI,MAAM,IAAI,OAAO,aAAa;AAChC,WAAO,sBAAsB,MAAM,GAAG,OAAO,WAAW;AAAA,EAC1D;AACA,MAAI,MAAM,KAAK,OAAO,QAAS,QAAO;AACtC,MAAI,MAAM,KAAK,OAAO,KAAM,QAAO;AACnC,MAAI,MAAM,KAAK,OAAO,OAAQ,QAAO;AACrC,MAAI,MAAM,KAAK,UAAU;AACvB,UAAM,CAAC,QAAQ,IAAI,IAAI,MAAM,IAAI,SAAS,MAAM,GAAG;AACnD,WAAO,uBAAuB,UAAU,QAAQ,QAAQ,GAAG;AAAA,EAC7D;AACA,MAAI,MAAM,KAAK,QAAQ,UAAU;AAG/B,YAAQ,MAAM,IAAI,QAAQ,UAAU;AAAA,MAClC,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO,uBAAuB,QAAQ,oBAAoB;AAAA,IAC9D;AAAA,EACF;AACA,MAAI,MAAM,SAAS,KAAK;AACtB,WAAO;AAAA,MACL,MAAM,QAAQ,QAAQ,YAAY,MAAM,QAAQ,QAAQ,aACnD,MAAM,QAAQ,MACf;AAAA,IACN;AAAA,EACF;AACA,MAAI,MAAM,KAAK,QAAQ,YAAY,aAAa,MAAM,KAAK,QAAQ,aAAa,CAAC,GAAG;AAClF,UAAM,YAAY,MAAM,IAAI,QAAQ,YAAY,aAAa,MAAM,IAAI,QAAQ,aAAa,CAAC;AAC7F,UAAM,SAAS,WAAW,OAAO,WAAW,SAAS,UAAU,KAAK,CAAC;AACrE,WAAO;AAAA,MACL,WAAW,WAAW,YAAY,YAAY;AAAA,MAC9C,OAAO,SAAS,MAAM,IAAI,SAAS;AAAA,IACrC;AAAA,EACF;AACA,MAAI,MAAM,MAAM,iBAAiB;AAC/B,UAAM,MAAM,MAAM,KAAK,gBAAgB,QAAQ,CAAC,GAAG;AACnD,WAAO,wBAAwB,OAAO,GAAG,CAAC;AAAA,EAC5C;AACA,MAAI,MAAM,MAAM,eAAgB,QAAO;AACvC,SAAO;AACT;AAEA,SAAS,wBACP,OACqC;AACrC,MAAI,MAAM,IAAI,QAAQ;AACpB,UAAM,IAAI,0BAA0B;AAAA,MAClC,aAAa,MAAM,GAAG,OAAO;AAAA,MAC7B,kBAAmB,MAAM,GAAG,OAAO,YAAY,iBAC/C,OAAO,MAAM,GAAG,OAAO,YAAY,cAAc,QAAQ,WACrD;AAAA,QACE,QAAQ,MAAM,GAAG,OAAO,YAAY,cAAc;AAAA,QAClD,UAAU,MAAM,GAAG,OAAO,YAAY,cAAc;AAAA,MACtD,IACA;AAAA,IACN,CAAC;AACD,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,KAAK,QAAQ;AACrB,UAAM,IAAI,2BAA2B,EAAE,QAAQ,MAAM,IAAI,OAAO,CAAC;AACjE,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,KAAK,QAAQ,QAAQ;AAC7B,UAAM,IAAI,2BAA2B,EAAE,QAAQ,MAAM,IAAI,QAAQ,OAAO,CAAC;AACzE,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,KAAK,QAAQ,YAAY,WAAW;AAC5C,UAAM,KAAK,MAAM,IAAI,QAAQ,WAAW;AACxC,UAAM,IAAI,2BAA2B,EAAE,QAAQ,GAAG,QAAQ,SAAS,GAAG,QAAQ,CAAC;AAC/E,QAAI,EAAG,QAAO;AAAA,EAChB;AACA,MAAI,MAAM,MAAM,iBAAiB;AAC/B,UAAM,QAAQ,MAAM,KAAK,gBAAgB,QAAQ,CAAC;AAClD,QAAI,OAAO;AACT,YAAM,IAAI,4BAA4B;AAAA,QACpC,mBAAmB,OAAO,MAAM,MAAM;AAAA,QACtC,OAAO,MAAM;AAAA,MACf,CAAC;AACD,UAAI,EAAG,QAAO;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,OAA+C;AAC5E,QAAM,SAA0B,CAAC;AACjC,MAAI,MAAM,IAAI,OAAO;AACnB,WAAO,KAAK,EAAE,UAAU,MAAM,OAAO,OAAO,OAAO,MAAM,GAAG,OAAO,IAAI,CAAC;AAC1E,MAAI,MAAM,KAAK,QAAQ;AACrB,UAAM,UACJ,MAAM,IAAI,OAAO,QAAQ,YACzB,MAAM,IAAI,OAAO,MAAM,YACvB,MAAM,IAAI,OAAO,SAAS;AAC5B,QAAI,QAAS,QAAO,KAAK,EAAE,UAAU,OAAO,OAAO,YAAY,OAAO,QAAQ,CAAC;AAAA,EACjF;AACA,MAAI,MAAM,KAAK,QAAQ,QAAQ;AAC7B,WAAO,KAAK,EAAE,UAAU,OAAO,OAAO,UAAU,OAAO,MAAM,IAAI,QAAQ,OAAO,CAAC;AAAA,EACnF;AACA,MAAI,MAAM,KAAK,QAAQ,YAAY,QAAQ;AACzC,WAAO,KAAK,EAAE,UAAU,OAAO,OAAO,UAAU,OAAO,MAAM,IAAI,QAAQ,WAAW,OAAO,CAAC;AAAA,EAC9F;AACA,MAAI,MAAM,SAAS;AAAA,EAEnB;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAA+D;AAC1F,MAAI,MAAM,KAAK,QAAQ,cAAc,MAAM;AACzC,WAAO,EAAE,SAAS,MAAM,MAAM,MAAM,IAAI,QAAQ,aAAa,KAAK;AAAA,EACpE;AACA,QAAM,YAAY,MAAM,KAAK,QAAQ,YAAY,WAAW;AAC5D,MAAI,cAAc,QAAS,QAAO,EAAE,SAAS,MAAM,MAAM,WAAW;AACpE,MAAI,cAAc,SAAU,QAAO,EAAE,SAAS,MAAM,MAAM,aAAa;AACvE,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAgE;AACzF,QAAM,cAAc,MAAM,eAAe,CAAC;AAC1C,QAAM,UAA2C,CAAC;AAClD,QAAM,UAAoB,CAAC;AAC3B,MAAI,SAAS;AAEb,MAAI,MAAM,IAAI,QAAQ;AACpB,UAAM,WAAW,sBAAsB;AAAA,MACrC,aAAa,MAAM,GAAG,OAAO;AAAA,MAC7B;AAAA,IACF,CAAC;AACD,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,SAAS,OAAO,GAAG;AACrD,cAAQ,CAAC,IAAI;AACb,UAAI,CAAC,EAAE,MAAM,EAAE,OAAQ,SAAQ,KAAK,EAAE,MAAM;AAAA,IAC9C;AACA,QAAI,OAAO,KAAK,SAAS,OAAO,EAAE,SAAS,EAAG,UAAS;AAAA,EACzD;AAEA,QAAM,aAAa,MAAM;AACzB,MAAI,YAAY,uBAAuB;AACrC,UAAM,KAAK,+BAA+B;AAAA,MACxC,gBAAgB,WAAW;AAAA,MAC3B,iBAAiB,YAAY;AAAA,IAC/B,CAAC;AACD,YAAQ,gBAAgB;AACxB,QAAI,CAAC,GAAG,MAAM,GAAG,OAAQ,SAAQ,KAAK,GAAG,MAAM;AAC/C,aAAS;AAAA,EACX;AACA,MAAI,YAAY,eAAe;AAC7B,UAAM,KAAK,sBAAsB;AAAA,MAC/B,OAAO,WAAW;AAAA,MAClB,WAAW,EAAE,QAAQ,YAAY,QAAQ,UAAU,YAAY,SAAS;AAAA,IAC1E,CAAC;AACD,YAAQ,gBAAgB;AACxB,QAAI,CAAC,GAAG,MAAM,GAAG,OAAQ,SAAQ,KAAK,GAAG,MAAM;AAC/C,aAAS;AAAA,EACX;AAEA,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,EAAE,IAAI,QAAQ,WAAW,GAAG,SAAS,QAAQ;AACtD;AAEA,SAAS,YAAY,QAAwB;AAE3C,SAAO,OAAO,QAAQ,mBAAmB,EAAE,EAAE,MAAM,GAAG,EAAE;AAC1D;;;AC5YA,IAAM,WAAW,oBAAI,IAAgC;AAE9C,SAAS,2BAA8B,WAAwC;AACpF,MAAI,CAAC,aAAa,OAAO,UAAU,SAAS,YAAY,UAAU,KAAK,WAAW,GAAG;AACnF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AACA,WAAS,IAAI,UAAU,MAAM,SAA+B;AAC9D;AAEO,SAAS,yBAA4D;AAC1E,SAAO,MAAM,KAAK,SAAS,OAAO,CAAC;AACrC;AAEO,SAAS,sBAAsB,MAA8C;AAClF,SAAO,SAAS,IAAI,IAAI;AAC1B;AAEO,SAAS,2BAAiC;AAC/C,WAAS,MAAM;AACjB;AAOA,eAAsB,sBACpB,SACkC;AAClC,QAAM,MAA+B,CAAC;AACtC,aAAW,aAAa,SAAS,OAAO,GAAG;AACzC,QAAI,CAAC,UAAU,MAAM,OAAO,EAAG;AAC/B,UAAM,SAAS,MAAM,UAAU,QAAQ,OAAO;AAC9C,QAAI,WAAW,QAAQ,WAAW,OAAW,KAAI,UAAU,IAAI,IAAI;AAAA,EACrE;AACA,SAAO;AACT;;;ACpDA,SAAS,0BAAoC;AAG7C,IAAM,wBAAwB;AAQvB,SAAS,mBAAmB,UAA+B,CAAC,GAAqB;AACtF,QAAM,MAAM,IAAI,IAAI,QAAQ,WAAW,qBAAqB;AAC5D,QAAM,OAAO,mBAAmB,KAAK;AAAA,IACnC,aAAa,QAAQ;AAAA,IACrB,kBAAkB,QAAQ;AAAA,EAC5B,CAAC;AAED,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,QAAQ,KAAa,SAA+C;AACxE,UAAI,CAAC,IAAK,QAAO;AACjB,UAAI;AACF,cAAM,MAAM,MAAM,KAAK;AAAA,UACrB;AAAA,UACA,KAAK,SAAS,aAAa;AAAA,UAC3B,KAAK;AAAA,QACP,CAAC;AACD,eAAO,qBAAqB,GAAG;AAAA,MACjC,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,SAAuC;AACzE,MAAI,CAAC,QAAS,QAAO;AAGrB,MAAI,OAAO,YAAY,YAAY,SAAU,SAAoB;AAC/D,WAAO;AAAA,EACT;AACA,QAAM,EAAE,UAAU,IAAI,MAAM,OAAO,MAAM;AACzC,MAAI;AACF,WAAO,MAAM,UAAU,OAA0C;AAAA,EACnE,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACvBO,SAAS,yBACd,UAAqC,CAAC,GACpB;AAClB,QAAM,QAAQ,oBAAI,IAAuB;AACzC,QAAM,SAAS,QAAQ,eAAe;AACtC,QAAM,UAAU,QAAQ,SAAS,WAAW;AAC5C,MAAI,SAAS;AAEb,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,QAAQ,KAAkC;AAC9C,UAAI,CAAC,IAAK,QAAO;AAEjB,UAAI,CAAC,QAAQ,aAAa;AACxB,YAAI,CAAC,UAAU,CAAC,QAAQ,QAAQ;AAC9B,mBAAS;AAET,kBAAQ;AAAA,YACN;AAAA,UAEF;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAEA,YAAM,SAAS,MAAM,IAAI,GAAG;AAC5B,UAAI,UAAU,OAAO,YAAY,KAAK,IAAI,EAAG,QAAO,OAAO;AAE3D,UAAI;AACF,cAAM,MAAM,MAAM,QAAQ,QAAQ,WAAW;AAC7C,YAAI,CAAC,IAAI,GAAI,QAAO;AACpB,cAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,cAAM,OAAO,KAAK,QAAQ,CAAC;AAC3B,mBAAW,KAAK,MAAM;AACpB,cAAI,EAAE,QAAQ,KAAK;AACjB,kBAAM,IAAI,KAAK,EAAE,KAAK,GAAG,WAAW,KAAK,IAAI,IAAI,SAAS,IAAK,CAAC;AAChE,mBAAO;AAAA,UACT;AAAA,QACF;AACA,eAAO;AAAA,MACT,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;;;AC3DA,IAAM,iBAAiB;AAiBhB,SAAS,yBACd,UAAqC,CAAC,GACpB;AAClB,QAAM,QAAQ,oBAAI,IAA4B;AAC9C,QAAM,SAAS,QAAQ,eAAe;AACtC,QAAM,UAAU,QAAQ,SAAS,WAAW;AAE5C,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,QAAQ,KAAa,SAA+C;AACxE,UAAI,CAAC,IAAK,QAAO;AAEjB,YAAM,eAAe,oBAAoB,QAAQ,cAAc,SAAS,MAAM;AAC9E,UAAI,CAAC,aAAc,QAAO;AAE1B,YAAM,SAAS,MAAM,IAAI,YAAY;AACrC,YAAM,MAAM,KAAK,IAAI;AACrB,UAAI,UAAU,OAAO,YAAY,KAAK;AACpC,eAAO,aAAa,OAAO,MAAM,GAAG;AAAA,MACtC;AAEA,UAAI;AACF,cAAM,MAAM,MAAM,QAAQ,YAAY;AACtC,YAAI,CAAC,IAAI,GAAI,QAAO;AACpB,cAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,cAAM,OAAO,KAAK,QAAQ,CAAC;AAC3B,cAAM,IAAI,cAAc,EAAE,MAAM,WAAW,MAAM,SAAS,IAAK,CAAC;AAChE,eAAO,aAAa,MAAM,GAAG;AAAA,MAC/B,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,oBACP,UACA,QACe;AACf,MAAI,SAAU,QAAO;AACrB,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,MAAM;AAC1B,WAAO,GAAG,IAAI,MAAM,GAAG,cAAc;AAAA,EACvC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,aAAa,MAAa,KAAyB;AAC1D,aAAW,KAAK,MAAM;AACpB,QAAI,EAAE,QAAQ,IAAK,QAAO;AAAA,EAC5B;AACA,SAAO;AACT;;;AC9CO,SAAS,eAAe,SAAqD;AAElF,MAAI,QAAQ,YAAY,OAAO,QAAQ,aAAa,UAAU;AAC5D,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,SAAS,OAAO,QAAQ,UAAU,UAAU;AACtD,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAKO,SAAS,iBACd,UACA,QACA,aACyB;AACzB,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,eAAe,QAAkC,WAAW;AAAA,IACrE,KAAK;AACH,aAAO,eAAe,QAAQ,WAAW;AAAA,IAC3C,KAAK;AACH,aAAO,WAAW,QAAQ,WAAW;AAAA,IACvC;AACE,aAAO;AAAA,EACX;AACF;AAKO,SAAS,+BACd,UACA,SAC6B;AAC7B,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,uBAAuB,OAAwD;AAAA,IACxF,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC,KAAK;AACH,aAAO,sBAAsB,OAAO;AAAA,IACtC;AACE,aAAO;AAAA,EACX;AACF;","names":["coerceString","stripQuery","extractSessionId","readHeader","coerceString","coerceString","coerceNumber","claim","decodeSdJwtSync","createHash","sha256Sync","applyDisclosures","coerceMandateType","coerceString","coerceNumber","readHeader","coerceString","readHeader","createHash","coerceString","createHash","toUnixSeconds"]}