@attest-dev/sdk 0.1.0-beta.1

package/README.md

@@ -0,0 +1,119 @@
+# @attest-dev/sdk
+
+TypeScript SDK for [Attest](https://github.com/attest-dev/attest) — cryptographic credentials for AI agent pipelines.
+
+Attest issues RS256-signed JWTs to agents carrying scope, delegation lineage, and task provenance. Every handoff narrows scope, every action is auditable, and the entire task tree can be revoked in one call.
+
+> **Beta** — self-host the [Attest server](https://github.com/attest-dev/attest) or point at your own instance. Hosted service coming soon.
+
+## Install
+
+```bash
+npm install @attest-dev/sdk@beta
+```
+
+## Quickstart
+
+```ts
+import { AttestClient } from "@attest-dev/sdk";
+
+const client = new AttestClient({
+  baseUrl: "http://localhost:8080",
+  apiKey:  "your-api-key",
+});
+
+// Issue a root credential for an orchestrator agent
+const { token, claims } = await client.issue({
+  agent_id:    "orchestrator-v1",
+  user_id:     "usr_alice",
+  scope:       ["research:read", "gmail:send"],
+  instruction: "Research competitors and email the board",
+});
+
+// Delegate a narrowed credential to a sub-agent
+const { token: childToken } = await client.delegate({
+  parent_token: token,
+  child_agent:  "email-agent-v1",
+  child_scope:  ["gmail:send"],   // must be a subset of parent — enforced server-side
+});
+
+// Verify offline (no network call after JWKS is fetched once)
+const jwks   = await client.fetchJWKS();
+const result = await client.verify(childToken, jwks);
+console.log(result.valid, result.warnings);
+
+// Revoke the entire task tree in one call
+await client.revoke(claims.jti);
+
+// Retrieve the tamper-evident audit chain
+const chain = await client.audit(claims.att_tid);
+chain.events.forEach(e => console.log(e.event_type, e.jti, e.created_at));
+```
+
+## MCP middleware
+
+Enforce Attest credentials on every tool call in an MCP server — two lines:
+
+```ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { withAttest } from "@attest-dev/sdk/mcp";
+
+const server = new McpServer({ name: "my-tools", version: "1.0.0" });
+const protectedServer = withAttest(server, {
+  issuerUri: "http://localhost:8080",
+});
+
+// Register tools exactly as before — every call is now credential-gated
+protectedServer.tool("send_email", schema, handler);
+```
+
+Tool names map to scope strings automatically (`send_email` → `email:send`, `read_file` → `file:read`). Override per tool:
+
+```ts
+protectedServer.tool("gh_create_issue", schema, handler, {
+  requiredScope: "github:write",
+});
+```
+
+Expose a discovery endpoint so orchestrators know what scopes to request:
+
+```ts
+import { getAttestScopes } from "@attest-dev/sdk/mcp";
+
+app.get("/.well-known/attest-scopes", (_req, res) => {
+  res.json({ tools: getAttestScopes(protectedServer) });
+});
+```
+
+See [`mcp/README.md`](./mcp/README.md) for the full MCP middleware reference.
+
+## Scope syntax
+
+Scopes follow `resource:action`. Either field may be `*` as a wildcard.
+
+| Expression | Meaning |
+|---|---|
+| `gmail:send` | Send via Gmail only |
+| `gmail:*` | All Gmail actions |
+| `*:read` | Read access to any resource |
+| `*:*` | Full access (root credentials only) |
+
+Delegation enforces that child scope is a strict subset of parent scope — server-side, cryptographically.
+
+## Self-hosting
+
+```bash
+# Clone and start (Docker required)
+git clone https://github.com/attest-dev/attest
+cd attest
+docker compose up
+
+# Or run without Docker (ephemeral key, in-memory storage)
+cd server && go run ./cmd/attest
+```
+
+Server starts on `http://localhost:8080`.
+
+## License
+
+Apache-2.0

package/dist/index.d.ts

@@ -0,0 +1,127 @@
+/**
+ * @attest-dev/sdk — TypeScript client for the Attest credential service.
+ *
+ * Offline JWT verification uses `jose` (no network call needed after
+ * fetchJWKS). All network calls go through the Attest server REST API.
+ */
+import { type JWTPayload } from 'jose';
+/** Standard JWT claims plus every att_* Attest extension. */
+export interface AttestClaims extends JWTPayload {
+    /** Task tree ID shared across the entire delegation chain. */
+    att_tid: string;
+    /** Parent credential jti (absent on root credentials). */
+    att_pid?: string;
+    /** Delegation depth (0 = root). */
+    att_depth: number;
+    /** Granted permission scopes in "resource:action" form. */
+    att_scope: string[];
+    /** SHA-256 hex of the original instruction that initiated the task. */
+    att_intent: string;
+    /** Ordered jti ancestry list from root to this credential. */
+    att_chain: string[];
+    /** Human principal who initiated the task. */
+    att_uid: string;
+}
+/** A root credential returned by issue(). */
+export interface AttestToken {
+    token: string;
+    claims: AttestClaims;
+}
+/** A delegated child credential returned by delegate(). */
+export interface DelegatedToken {
+    token: string;
+    claims: AttestClaims;
+}
+/** Returned by verify(). Valid is false if any check fails. */
+export interface VerifyResult {
+    valid: boolean;
+    claims?: AttestClaims;
+    warnings: string[];
+}
+/** A complete audit trail for a task tree. */
+export interface AuditChain {
+    taskId: string;
+    events: AuditEvent[];
+}
+/** A single entry in the audit log. */
+export interface AuditEvent {
+    id?: number;
+    prev_hash: string;
+    entry_hash: string;
+    event_type: 'issued' | 'delegated' | 'verified' | 'revoked' | 'expired';
+    jti: string;
+    att_tid: string;
+    att_uid: string;
+    agent_id: string;
+    scope: string[];
+    meta?: Record<string, string>;
+    created_at: string;
+}
+/** Subset of a JWKS response sufficient for RS256 verification. */
+export interface JWKSResponse {
+    keys: JWK[];
+}
+export interface JWK {
+    kty: string;
+    use?: string;
+    alg?: string;
+    n: string;
+    e: string;
+    kid?: string;
+}
+/** Parameters for issuing a root credential. */
+export interface IssueParams {
+    agent_id: string;
+    user_id: string;
+    scope: string[];
+    instruction: string;
+    ttl_seconds?: number;
+}
+/** Parameters for delegating to a child agent. */
+export interface DelegateParams {
+    parent_token: string;
+    child_agent: string;
+    child_scope: string[];
+    ttl_seconds?: number;
+}
+export declare class AttestClient {
+    private readonly baseUrl;
+    private readonly headers;
+    constructor({ baseUrl, apiKey }: {
+        baseUrl?: string;
+        apiKey: string;
+    });
+    /** Issue a root credential for the given agent and instruction. */
+    issue(params: IssueParams): Promise<AttestToken>;
+    /** Delegate a narrowed child credential from a parent token. */
+    delegate(params: DelegateParams): Promise<DelegatedToken>;
+    /**
+     * Offline verification — validates RS256 signature, expiry, chain length
+     * (must equal depth + 1), and chain tail (must equal jti).
+     *
+     * Pass a JWKSResponse previously fetched with fetchJWKS(). No network call
+     * is made during verification itself.
+     */
+    verify(token: string, jwks: JWKSResponse): Promise<VerifyResult>;
+    /** Revoke a credential and cascade to all descendants. */
+    revoke(jti: string, revokedBy?: string): Promise<void>;
+    /** Fetch the full audit chain for a task tree. */
+    audit(taskId: string): Promise<AuditChain>;
+    /** Fetch the server's public key set for offline verification. */
+    fetchJWKS(): Promise<JWKSResponse>;
+}
+/**
+ * Returns true if every entry in childScope is covered by at least one entry
+ * in parentScope. Wildcards ("*") match any resource or action.
+ *
+ * @example
+ * isScopeSubset(["gmail:*"], ["gmail:send"])         // true
+ * isScopeSubset(["gmail:send"], ["database:delete"]) // false
+ */
+export declare function isScopeSubset(parentScope: string[], childScope: string[]): boolean;
+/**
+ * Decodes a Attest JWT without verifying the signature.
+ * Use verify() for trusted access to claims.
+ */
+export declare function decodeToken(token: string): AttestClaims;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAIL,KAAK,UAAU,EAChB,MAAM,MAAM,CAAC;AAId,6DAA6D;AAC7D,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,6CAA6C;AAC7C,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,2DAA2D;AAC3D,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,YAAY,CAAC;CACtB;AAED,+DAA+D;AAC/D,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,8CAA8C;AAC9C,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,UAAU,EAAE,CAAC;CACtB;AAED,uCAAuC;AACvC,MAAM,WAAW,UAAU;IACzB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,QAAQ,GAAG,WAAW,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;IACxE,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,mEAAmE;AACnE,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAED,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,gDAAgD;AAChD,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,kDAAkD;AAClD,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;gBAErC,EAAE,OAAiC,EAAE,MAAM,EAAE,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAQ/F,mEAAmE;IAC7D,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IAUtD,gEAAgE;IAC1D,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IAU/D;;;;;;OAMG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;IAwCtE,0DAA0D;IACpD,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,SAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAS3D,kDAAkD;IAC5C,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAUhD,kEAAkE;IAC5D,SAAS,IAAI,OAAO,CAAC,YAAY,CAAC;CAOzC;AAID;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,OAAO,CAgBlF;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAEvD"}

package/dist/index.js

@@ -0,0 +1,167 @@
+"use strict";
+/**
+ * @attest-dev/sdk — TypeScript client for the Attest credential service.
+ *
+ * Offline JWT verification uses `jose` (no network call needed after
+ * fetchJWKS). All network calls go through the Attest server REST API.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AttestClient = void 0;
+exports.isScopeSubset = isScopeSubset;
+exports.decodeToken = decodeToken;
+const jose_1 = require("jose");
+// ── AttestClient ─────────────────────────────────────────────────────────────
+class AttestClient {
+    baseUrl;
+    headers;
+    constructor({ baseUrl = 'http://localhost:8080', apiKey }) {
+        this.baseUrl = baseUrl.replace(/\/$/, '');
+        this.headers = {
+            'Content-Type': 'application/json',
+            Authorization: `Bearer ${apiKey}`,
+        };
+    }
+    /** Issue a root credential for the given agent and instruction. */
+    async issue(params) {
+        const res = await fetch(`${this.baseUrl}/v1/credentials`, {
+            method: 'POST',
+            headers: this.headers,
+            body: JSON.stringify(params),
+        });
+        if (!res.ok)
+            await throwFromResponse(res);
+        return res.json();
+    }
+    /** Delegate a narrowed child credential from a parent token. */
+    async delegate(params) {
+        const res = await fetch(`${this.baseUrl}/v1/credentials/delegate`, {
+            method: 'POST',
+            headers: this.headers,
+            body: JSON.stringify(params),
+        });
+        if (!res.ok)
+            await throwFromResponse(res);
+        return res.json();
+    }
+    /**
+     * Offline verification — validates RS256 signature, expiry, chain length
+     * (must equal depth + 1), and chain tail (must equal jti).
+     *
+     * Pass a JWKSResponse previously fetched with fetchJWKS(). No network call
+     * is made during verification itself.
+     */
+    async verify(token, jwks) {
+        const warnings = [];
+        // Build a JWKS key source from the raw key objects by round-tripping
+        // through a data URL so jose can parse it without a network request.
+        const jwksData = JSON.stringify(jwks);
+        const dataUrl = `data:application/json,${encodeURIComponent(jwksData)}`;
+        let payload;
+        try {
+            const keySet = (0, jose_1.createRemoteJWKSet)(new URL(dataUrl));
+            const { payload: raw } = await (0, jose_1.jwtVerify)(token, keySet, {
+                algorithms: ['RS256'],
+            });
+            payload = raw;
+        }
+        catch (err) {
+            return { valid: false, warnings: [`signature/expiry check failed: ${String(err)}`] };
+        }
+        // Chain length must equal depth + 1 (root depth=0 → chain=[jti]).
+        const expectedLen = (payload.att_depth ?? 0) + 1;
+        if (!payload.att_chain || payload.att_chain.length !== expectedLen) {
+            warnings.push(`chain length ${payload.att_chain?.length} does not match depth ${payload.att_depth} (expected ${expectedLen})`);
+        }
+        // Chain tail must match jti.
+        const chain = payload.att_chain ?? [];
+        if (chain.length > 0 && chain[chain.length - 1] !== payload.jti) {
+            warnings.push(`chain tail "${chain[chain.length - 1]}" does not match jti "${payload.jti}"`);
+        }
+        return {
+            valid: warnings.length === 0,
+            claims: payload,
+            warnings,
+        };
+    }
+    /** Revoke a credential and cascade to all descendants. */
+    async revoke(jti, revokedBy = 'sdk') {
+        const res = await fetch(`${this.baseUrl}/v1/credentials/${encodeURIComponent(jti)}`, {
+            method: 'DELETE',
+            headers: this.headers,
+            body: JSON.stringify({ revoked_by: revokedBy }),
+        });
+        if (!res.ok && res.status !== 204)
+            await throwFromResponse(res);
+    }
+    /** Fetch the full audit chain for a task tree. */
+    async audit(taskId) {
+        const res = await fetch(`${this.baseUrl}/v1/tasks/${encodeURIComponent(taskId)}/audit`, { headers: this.headers });
+        if (!res.ok)
+            await throwFromResponse(res);
+        const events = (await res.json());
+        return { taskId, events };
+    }
+    /** Fetch the server's public key set for offline verification. */
+    async fetchJWKS() {
+        const res = await fetch(`${this.baseUrl}/.well-known/jwks.json`, {
+            headers: this.headers,
+        });
+        if (!res.ok)
+            await throwFromResponse(res);
+        return res.json();
+    }
+}
+exports.AttestClient = AttestClient;
+// ── Exported utilities ────────────────────────────────────────────────────────
+/**
+ * Returns true if every entry in childScope is covered by at least one entry
+ * in parentScope. Wildcards ("*") match any resource or action.
+ *
+ * @example
+ * isScopeSubset(["gmail:*"], ["gmail:send"])         // true
+ * isScopeSubset(["gmail:send"], ["database:delete"]) // false
+ */
+function isScopeSubset(parentScope, childScope) {
+    for (const childEntry of childScope) {
+        const child = parseScope(childEntry);
+        if (!child)
+            return false;
+        const covered = parentScope.some(parentEntry => {
+            const parent = parseScope(parentEntry);
+            if (!parent)
+                return false;
+            const resourceOK = parent.resource === '*' || parent.resource === child.resource;
+            const actionOK = parent.action === '*' || parent.action === child.action;
+            return resourceOK && actionOK;
+        });
+        if (!covered)
+            return false;
+    }
+    return true;
+}
+/**
+ * Decodes a Attest JWT without verifying the signature.
+ * Use verify() for trusted access to claims.
+ */
+function decodeToken(token) {
+    return (0, jose_1.decodeJwt)(token);
+}
+function parseScope(s) {
+    const parts = s.split(':');
+    if (parts.length !== 2 || !parts[0] || !parts[1])
+        return null;
+    return { resource: parts[0], action: parts[1] };
+}
+async function throwFromResponse(res) {
+    let message = `HTTP ${res.status}`;
+    try {
+        const body = (await res.json());
+        if (body.error)
+            message += `: ${body.error}`;
+    }
+    catch {
+        // ignore parse failure
+    }
+    throw new Error(message);
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAgOH,sCAgBC;AAMD,kCAEC;AAtPD,+BAKc;AA6Fd,gFAAgF;AAEhF,MAAa,YAAY;IACN,OAAO,CAAS;IAChB,OAAO,CAAyB;IAEjD,YAAY,EAAE,OAAO,GAAG,uBAAuB,EAAE,MAAM,EAAwC;QAC7F,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,GAAG;YACb,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,MAAM,EAAE;SAClC,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,KAAK,CAAC,MAAmB;QAC7B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,iBAAiB,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;SAC7B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,GAAG,CAAC,IAAI,EAA0B,CAAC;IAC5C,CAAC;IAED,gEAAgE;IAChE,KAAK,CAAC,QAAQ,CAAC,MAAsB;QACnC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,0BAA0B,EAAE;YACjE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;SAC7B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,GAAG,CAAC,IAAI,EAA6B,CAAC;IAC/C,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAAkB;QAC5C,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,qEAAqE;QACrE,qEAAqE;QACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,yBAAyB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAExE,IAAI,OAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACpD,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,MAAM,EAAE;gBACtD,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB,CAAC,CAAC;YACH,OAAO,GAAG,GAA8B,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,kCAAkC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QACvF,CAAC;QAED,kEAAkE;QAClE,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACnE,QAAQ,CAAC,IAAI,CACX,gBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,yBAAyB,OAAO,CAAC,SAAS,cAAc,WAAW,GAAG,CAChH,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QACtC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;YAChE,QAAQ,CAAC,IAAI,CAAC,eAAe,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,yBAAyB,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;YAC5B,MAAM,EAAE,OAAO;YACf,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,SAAS,GAAG,KAAK;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,mBAAmB,kBAAkB,CAAC,GAAG,CAAC,EAAE,EAAE;YACnF,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;SAChD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAClE,CAAC;IAED,kDAAkD;IAClD,KAAK,CAAC,KAAK,CAAC,MAAc;QACxB,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,IAAI,CAAC,OAAO,aAAa,kBAAkB,CAAC,MAAM,CAAC,QAAQ,EAC9D,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAC1B,CAAC;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiB,CAAC;QAClD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC5B,CAAC;IAED,kEAAkE;IAClE,KAAK,CAAC,SAAS;QACb,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,wBAAwB,EAAE;YAC/D,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,GAAG,CAAC,IAAI,EAA2B,CAAC;IAC7C,CAAC;CACF;AA9GD,oCA8GC;AAED,iFAAiF;AAEjF;;;;;;;GAOG;AACH,SAAgB,aAAa,CAAC,WAAqB,EAAE,UAAoB;IACvE,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE;YAC7C,MAAM,MAAM,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YAC1B,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,KAAK,GAAG,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,CAAC;YACjF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,CAAC;YACzE,OAAO,UAAU,IAAI,QAAQ,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;IAC7B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,WAAW,CAAC,KAAa;IACvC,OAAO,IAAA,gBAAS,EAAC,KAAK,CAA4B,CAAC;AACrD,CAAC;AASD,SAAS,UAAU,CAAC,CAAS;IAC3B,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAClD,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,GAAa;IAC5C,IAAI,OAAO,GAAG,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;QACtD,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;IACzB,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC"}