@attest-dev/sdk 0.1.0-beta.1

package/dist/mcp.js

@@ -0,0 +1,599 @@
+"use strict";
+/**
+ * @attest-dev/sdk/mcp — Attest credential enforcement middleware for MCP servers.
+ *
+ * Wraps any MCP server instance and enforces Attest credential checking on
+ * every tool call before the underlying handler executes.
+ *
+ * ## Two-line integration
+ *
+ * ```ts
+ * import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+ * import { withAttest } from "@attest-dev/sdk/mcp";
+ *
+ * const server = new McpServer({ name: "my-tools", version: "1.0.0" });
+ * const protectedServer = withAttest(server, {
+ *   issuerUri: "https://api.attest.dev",
+ * });
+ *
+ * // Register tools exactly as before — every call is now credential-gated.
+ * protectedServer.tool("send_email", "Send an email", schema, handler);
+ * ```
+ *
+ * ## How it works
+ *
+ * `withAttest` monkey-patches `server.tool()` so each registered handler is
+ * wrapped with a credential check closure.  On every tool call the closure:
+ *
+ * 1. Extracts the Attest JWT from `extra.authInfo.token` (set by the MCP
+ *    auth middleware) or `extra.meta?.attest_token`.
+ * 2. Verifies the JWT offline against the issuer's JWKS (cached per TTL).
+ * 3. Maps the tool name to a Attest scope string via `scopeForTool()`.
+ * 4. Confirms the credential's `att_scope` covers the required scope.
+ * 5. Calls the Attest revocation endpoint to confirm the JTI is still live.
+ * 6. If all checks pass, executes the original handler.
+ * 7. If any check fails, returns a structured `attest_violation` error.
+ * 8. Fire-and-forgets an audit event to the Attest server regardless of
+ *    outcome.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scopeForTool = scopeForTool;
+exports.withAttest = withAttest;
+exports.getAttestContext = getAttestContext;
+exports.getAttestScopes = getAttestScopes;
+const jose_1 = require("jose");
+// ── scopeForTool ──────────────────────────────────────────────────────────────
+/**
+ * Maps an MCP tool name to a Attest scope string using a convention-based
+ * approach.  The tool name is split on the first underscore: the part before
+ * becomes the action; the rest (joined with `:`) becomes the resource.
+ *
+ * Action aliases:
+ * - `create`, `update`, `write`, `put`, `patch` → `write`
+ * - `remove`, `destroy`                         → `delete`
+ * - `run`, `invoke`                             → `execute`
+ * - `get`, `fetch`, `list`, `search`, `query`   → `read`
+ *
+ * @example
+ * scopeForTool("send_email")          // "email:send"
+ * scopeForTool("read_file")           // "file:read"
+ * scopeForTool("delete_calendar_event") // "calendar_event:delete"
+ * scopeForTool("create_user")         // "user:write"
+ * scopeForTool("run_query")           // "query:execute"
+ */
+function scopeForTool(toolName, overrides) {
+    if (overrides?.[toolName])
+        return overrides[toolName];
+    const idx = toolName.indexOf('_');
+    if (idx === -1) {
+        // No underscore — treat the whole name as both resource and action.
+        return `${toolName}:execute`;
+    }
+    const rawAction = toolName.slice(0, idx).toLowerCase();
+    const resource = toolName.slice(idx + 1).toLowerCase();
+    const action = normaliseAction(rawAction);
+    return `${resource}:${action}`;
+}
+const ACTION_ALIASES = {
+    // write
+    create: 'write',
+    update: 'write',
+    put: 'write',
+    patch: 'write',
+    set: 'write',
+    upsert: 'write',
+    // delete
+    remove: 'delete',
+    destroy: 'delete',
+    // execute
+    run: 'execute',
+    invoke: 'execute',
+    call: 'execute',
+    // read
+    get: 'read',
+    fetch: 'read',
+    list: 'read',
+    search: 'read',
+    query: 'read',
+    find: 'read',
+    lookup: 'read',
+};
+function normaliseAction(raw) {
+    return ACTION_ALIASES[raw] ?? raw;
+}
+/**
+ * Thin wrapper around `jose`'s `createRemoteJWKSet` that respects the
+ * configured cache TTL.  A new key-set is created when the TTL expires,
+ * which forces a JWKS re-fetch on the next verification.
+ */
+class JwksCache {
+    issuerUri;
+    ttlMs;
+    keySet = null;
+    createdAt = 0;
+    constructor(issuerUri, ttlSeconds) {
+        this.issuerUri = issuerUri.replace(/\/$/, '');
+        this.ttlMs = ttlSeconds * 1000;
+    }
+    get() {
+        const now = Date.now();
+        if (this.keySet === null || now - this.createdAt > this.ttlMs) {
+            this.keySet = (0, jose_1.createRemoteJWKSet)(new URL(`${this.issuerUri}/.well-known/jwks.json`), 
+            // jose's internal cache is effectively bypassed by recreating the key
+            // set on TTL expiry — fine for our use-case.
+            { cacheMaxAge: this.ttlMs });
+            this.createdAt = now;
+        }
+        return this.keySet;
+    }
+}
+/**
+ * Short-lived in-process cache for revocation status.
+ * Reduces network calls to the Attest server on hot paths.
+ */
+class RevocationCache {
+    cache = new Map();
+    ttlMs;
+    issuerUri;
+    constructor(issuerUri, ttlSeconds) {
+        this.issuerUri = issuerUri.replace(/\/$/, '');
+        this.ttlMs = ttlSeconds * 1000;
+    }
+    async isRevoked(jti) {
+        const now = Date.now();
+        const cached = this.cache.get(jti);
+        if (cached !== undefined && now < cached.expiresAt) {
+            return cached.revoked;
+        }
+        const revoked = await this.fetchRevocationStatus(jti);
+        if (this.ttlMs > 0) {
+            this.cache.set(jti, { revoked, expiresAt: now + this.ttlMs });
+        }
+        return revoked;
+    }
+    /** Evict a JTI immediately (e.g. after a revocation call). */
+    evict(jti) {
+        this.cache.delete(jti);
+    }
+    async fetchRevocationStatus(jti) {
+        try {
+            const res = await fetch(`${this.issuerUri}/v1/revoked/${encodeURIComponent(jti)}`);
+            if (!res.ok)
+                return false; // fail-open on network error
+            const body = (await res.json());
+            return body.revoked === true;
+        }
+        catch {
+            // Fail-open: don't block tools because the revocation endpoint is down.
+            return false;
+        }
+    }
+}
+function isScopeGranted(grantedScope, requiredScope) {
+    const [reqResource, reqAction] = requiredScope.split(':');
+    if (!reqResource || !reqAction)
+        return false;
+    return grantedScope.some(entry => {
+        const [resource, action] = entry.split(':');
+        if (!resource || !action)
+            return false;
+        const resourceOk = resource === '*' || resource === reqResource;
+        const actionOk = action === '*' || action === reqAction;
+        return resourceOk && actionOk;
+    });
+}
+// ── Token extraction ──────────────────────────────────────────────────────────
+/**
+ * Pulls the raw JWT string from an MCP tool call's `extra` argument.
+ *
+ * Lookup order:
+ * 1. `extra.authInfo.token`       — set by the MCP auth middleware (preferred)
+ * 2. `extra.meta.attest_token`   — explicit pass-through from the agent
+ * 3. `extra.meta.authorization`   — raw "Bearer <token>" header value
+ *
+ * Returns `null` when no credential can be found.
+ */
+function extractToken(extra) {
+    // 1. Standard MCP auth middleware path.
+    if (extra.authInfo?.token)
+        return extra.authInfo.token;
+    const meta = extra.meta;
+    if (!meta)
+        return null;
+    // 2. Explicit attest_token field.
+    if (typeof meta['attest_token'] === 'string' && meta['attest_token']) {
+        return meta['attest_token'];
+    }
+    // 3. Raw Authorization header forwarded via meta.
+    if (typeof meta['authorization'] === 'string') {
+        const auth = meta['authorization'];
+        if (auth.startsWith('Bearer '))
+            return auth.slice(7).trim();
+        return auth.trim() || null;
+    }
+    return null;
+}
+/**
+ * Fire-and-forget audit event to the Attest server.
+ *
+ * Delivery is async and never blocks the tool call.  On failure, errors are
+ * surfaced in priority order:
+ *   1. `onAuditError(error, payload)`   — caller handles retry / fallback log
+ *   2. `onViolation({ reason: "audit_failure", ... })` — surfaces to monitoring
+ *   3. `console.warn`                   — last resort, never silently dropped
+ */
+function fireAudit(issuerUri, payload, onAuditError, onViolation) {
+    void fetch(`${issuerUri}/v1/audit`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+    })
+        .then(async (res) => {
+        if (!res.ok) {
+            // Non-2xx is also a delivery failure — treat it the same as a network error.
+            let body = '';
+            try {
+                body = await res.text();
+            }
+            catch { /* ignore */ }
+            throw new Error(`Attest audit endpoint returned ${res.status}: ${body}`);
+        }
+    })
+        .catch((err) => {
+        const error = err instanceof Error ? err : new Error(String(err));
+        if (onAuditError) {
+            onAuditError(error, payload);
+            return;
+        }
+        if (onViolation) {
+            onViolation({
+                toolName: payload.agent_id,
+                requiredScope: '',
+                grantedScope: payload.scope,
+                reason: 'audit_failure',
+                ...(payload.jti ? { jti: payload.jti } : {}),
+                ...(payload.att_tid ? { taskId: payload.att_tid } : {}),
+                timestamp: new Date().toISOString(),
+            });
+            return;
+        }
+        // Last resort: never silently drop an audit failure.
+        console.warn('[attest] Audit delivery failed — configure onAuditError for structured handling.', { jti: payload.jti, agent_id: payload.agent_id, error: error.message });
+    });
+}
+// ── Core enforcer ─────────────────────────────────────────────────────────────
+class AttestEnforcer {
+    issuerUri;
+    requireCredential;
+    onViolation;
+    onAuditError;
+    toolScopeMap;
+    jwks;
+    revocations;
+    constructor(opts) {
+        this.issuerUri = opts.issuerUri.replace(/\/$/, '');
+        this.requireCredential = opts.requireCredential ?? true;
+        this.onViolation = opts.onViolation;
+        this.onAuditError = opts.onAuditError;
+        this.toolScopeMap = opts.toolScopeMap;
+        this.jwks = new JwksCache(this.issuerUri, opts.jwksCacheTTL ?? 3600);
+        this.revocations = new RevocationCache(this.issuerUri, opts.revocationCacheTTL ?? 10);
+    }
+    /**
+     * Resolve the scope string for a tool, preferring an explicit override
+     * over the automatic `scopeForTool()` mapping.
+     */
+    resolveScope(toolName, explicit) {
+        return explicit ?? scopeForTool(toolName, this.toolScopeMap);
+    }
+    /**
+     * Checks the credential in `extra` for `toolName`.
+     *
+     * @param resolvedScope Pre-resolved scope string (from `resolveScope`).
+     * @returns `null` when the check passes; a `AttestViolationError` otherwise.
+     */
+    async check(toolName, extra, resolvedScope) {
+        const requiredScope = resolvedScope;
+        const rawToken = extractToken(extra);
+        // ── 1. No credential ────────────────────────────────────────────────────
+        if (!rawToken) {
+            return this.violate(toolName, {
+                reason: 'no_credential',
+                detail: `Tool "${toolName}" requires a Attest credential (scope: ${requiredScope}). Provide an Authorization: Bearer <token> header.`,
+                requiredScope,
+                grantedScope: [],
+            });
+        }
+        // ── 2. Decode (without verification) to read claims for error messages ──
+        let raw;
+        try {
+            raw = (0, jose_1.decodeJwt)(rawToken);
+        }
+        catch {
+            return this.violate(toolName, {
+                reason: 'invalid_credential',
+                detail: 'The provided credential could not be decoded as a JWT.',
+                requiredScope,
+                grantedScope: [],
+            });
+        }
+        const jti = raw.jti;
+        const taskId = raw.att_tid;
+        const grantedScope = raw.att_scope ?? [];
+        // ── 3. Verify signature + expiry via JWKS ───────────────────────────────
+        try {
+            await (0, jose_1.jwtVerify)(rawToken, this.jwks.get(), { algorithms: ['RS256'] });
+        }
+        catch (err) {
+            const isExpiry = err instanceof Error && err.message.toLowerCase().includes('exp');
+            return this.violate(toolName, {
+                reason: isExpiry ? 'credential_expired' : 'invalid_credential',
+                detail: isExpiry
+                    ? `Credential (jti: ${jti}) has expired.`
+                    : `Credential signature verification failed: ${String(err)}`,
+                requiredScope,
+                grantedScope,
+                ...(jti !== undefined ? { jti } : {}),
+                ...(taskId !== undefined ? { taskId } : {}),
+            });
+        }
+        // ── 4. Scope check ──────────────────────────────────────────────────────
+        if (!isScopeGranted(grantedScope, requiredScope)) {
+            const result = this.violate(toolName, {
+                reason: 'scope_violation',
+                detail: `Credential (jti: ${jti}) grants [${grantedScope.join(', ')}] ` +
+                    `but tool "${toolName}" requires "${requiredScope}".`,
+                requiredScope,
+                grantedScope,
+                ...(jti !== undefined ? { jti } : {}),
+                ...(taskId !== undefined ? { taskId } : {}),
+            });
+            fireAudit(this.issuerUri, {
+                event_type: 'verified',
+                jti: jti ?? 'unknown',
+                ...(taskId !== undefined ? { att_tid: taskId } : {}),
+                ...(raw.att_uid !== undefined ? { att_uid: raw.att_uid } : {}),
+                agent_id: `mcp:${toolName}`,
+                scope: grantedScope,
+                meta: { outcome: 'scope_violation', required_scope: requiredScope },
+            }, this.onAuditError, this.onViolation);
+            return result;
+        }
+        // ── 5. Revocation check ─────────────────────────────────────────────────
+        if (jti) {
+            const revoked = await this.revocations.isRevoked(jti);
+            if (revoked) {
+                const result = this.violate(toolName, {
+                    reason: 'credential_revoked',
+                    detail: `Credential (jti: ${jti}) has been revoked.`,
+                    requiredScope,
+                    grantedScope,
+                    jti,
+                    ...(taskId !== undefined ? { taskId } : {}),
+                });
+                fireAudit(this.issuerUri, {
+                    event_type: 'revoked',
+                    jti,
+                    ...(taskId !== undefined ? { att_tid: taskId } : {}),
+                    ...(raw.att_uid !== undefined ? { att_uid: raw.att_uid } : {}),
+                    agent_id: `mcp:${toolName}`,
+                    scope: grantedScope,
+                    meta: { outcome: 'blocked_revoked' },
+                }, this.onAuditError, this.onViolation);
+                return result;
+            }
+        }
+        // ── 6. All checks passed — log and allow ────────────────────────────────
+        fireAudit(this.issuerUri, {
+            event_type: 'verified',
+            jti: jti ?? 'unknown',
+            ...(taskId !== undefined ? { att_tid: taskId } : {}),
+            ...(raw.att_uid !== undefined ? { att_uid: raw.att_uid } : {}),
+            agent_id: `mcp:${toolName}`,
+            scope: grantedScope,
+            meta: { outcome: 'allowed', required_scope: requiredScope },
+        }, this.onAuditError, this.onViolation);
+        return null;
+    }
+    violate(toolName, opts) {
+        const event = {
+            toolName,
+            requiredScope: opts.requiredScope,
+            grantedScope: opts.grantedScope,
+            reason: opts.reason,
+            timestamp: new Date().toISOString(),
+            ...(opts.jti !== undefined ? { jti: opts.jti } : {}),
+            ...(opts.taskId !== undefined ? { taskId: opts.taskId } : {}),
+        };
+        this.onViolation?.(event);
+        if (!this.requireCredential) {
+            // Permissive mode: log the violation but let the call through.
+            return null;
+        }
+        return {
+            error: 'attest_violation',
+            reason: opts.reason,
+            detail: opts.detail,
+            ...(opts.jti !== undefined ? { jti: opts.jti } : {}),
+            ...(opts.taskId !== undefined ? { taskId: opts.taskId } : {}),
+        };
+    }
+}
+// ── Scope registry ────────────────────────────────────────────────────────────
+// Maps each patched server instance → its tool-name-to-scope registry.
+// WeakMap so patched servers can be GC'd without leaking.
+const scopeRegistries = new WeakMap();
+// ── withAttest ───────────────────────────────────────────────────────────────
+/**
+ * Wraps an MCP server instance and enforces Attest credential checking on
+ * every tool call.
+ *
+ * Returns the **same** server object with its `tool()` method patched in place,
+ * typed as the original server type so all other methods remain accessible.
+ *
+ * @param server  Any object with a `tool()` method (e.g. `new McpServer(...)`).
+ * @param options Attest enforcement options.
+ * @returns       The patched server (same reference, same type).
+ *
+ * @example
+ * ```ts
+ * import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+ * import { withAttest } from "@attest-dev/sdk/mcp";
+ *
+ * const server = new McpServer({ name: "my-tools", version: "1.0.0" });
+ * const protectedServer = withAttest(server, {
+ *   issuerUri: "https://api.attest.dev",
+ * });
+ *
+ * protectedServer.tool("send_email", schema, async (args, extra) => {
+ *   // Only reached when the caller holds a valid credential
+ *   // with "email:send" in its att_scope.
+ *   return { content: [{ type: "text", text: "sent!" }] };
+ * });
+ * ```
+ */
+function withAttest(server, options) {
+    const enforcer = new AttestEnforcer(options);
+    const registry = new Map();
+    scopeRegistries.set(server, registry);
+    const originalTool = server.tool.bind(server);
+    // Replace server.tool with our intercepting wrapper.
+    // The MCP SDK's McpServer.tool() has two overloads:
+    //   tool(name, schema, handler)
+    //   tool(name, description, schema, handler)
+    // We additionally support an optional trailing AttestToolOptions object:
+    //   tool(name, schema, handler, { requiredScope: "..." })
+    //   tool(name, description, schema, handler, { requiredScope: "..." })
+    // That object is consumed here and stripped before forwarding to the SDK.
+    server.tool = function attestTool(...args) {
+        const patched = patchToolArgs(enforcer, registry, args);
+        return originalTool(...patched);
+    };
+    return server;
+}
+/**
+ * Detects the handler function and optional trailing `AttestToolOptions` in
+ * the `tool()` argument list, wraps the handler with credential enforcement,
+ * strips the options object (the MCP SDK doesn't know about it), and returns
+ * the patched argument array ready to forward to the original `tool()`.
+ */
+function patchToolArgs(enforcer, registry, args) {
+    if (args.length === 0)
+        return args;
+    // Detect optional trailing AttestToolOptions.
+    // It's a plain object (not a function, not an array, not null) that may
+    // carry { requiredScope?: string }.  The handler is always a function and
+    // always comes before the options if options are present.
+    let coreArgs = args;
+    let explicitScope;
+    const last = args[args.length - 1];
+    if (last !== null &&
+        typeof last === 'object' &&
+        !Array.isArray(last) &&
+        typeof last['requiredScope'] !== 'function') {
+        // Candidate options object — check the one before it is a function.
+        const penultimate = args[args.length - 2];
+        if (typeof penultimate === 'function') {
+            const opts = last;
+            explicitScope = opts.requiredScope;
+            coreArgs = args.slice(0, -1); // strip options before forwarding
+        }
+    }
+    const handlerArg = coreArgs[coreArgs.length - 1];
+    if (typeof handlerArg !== 'function')
+        return coreArgs;
+    // Tool name is always the first argument.
+    const toolName = typeof coreArgs[0] === 'string' ? coreArgs[0] : '<unknown>';
+    // Resolve and record the scope for this tool.
+    const resolvedScope = enforcer.resolveScope(toolName, explicitScope);
+    registry.set(toolName, resolvedScope);
+    const original = handlerArg;
+    const wrapped = async (params, extra) => {
+        const violation = await enforcer.check(toolName, extra, resolvedScope);
+        if (violation !== null) {
+            return {
+                content: [{ type: 'text', text: JSON.stringify(violation, null, 2) }],
+                isError: true,
+            };
+        }
+        return original(params, extra);
+    };
+    Object.defineProperty(wrapped, 'name', { value: `attest:${toolName}` });
+    return [...coreArgs.slice(0, -1), wrapped];
+}
+// ── Convenience re-export of AttestContext builder ───────────────────────────
+/**
+ * Decodes the Attest JWT in `extra` and returns a typed `AttestContext`
+ * without performing any cryptographic verification.
+ *
+ * Useful inside tool handlers when you want to read the credential's claims
+ * (e.g. `att_uid`, `att_tid`) after `withAttest` has already enforced them.
+ *
+ * @returns `null` when no Attest credential is present.
+ *
+ * @example
+ * ```ts
+ * protectedServer.tool("send_email", schema, async (args, extra) => {
+ *   const ctx = getAttestContext(extra);
+ *   console.log("acting on behalf of", ctx?.att_uid);
+ *   ...
+ * });
+ * ```
+ */
+function getAttestContext(extra) {
+    const token = extractToken(extra);
+    if (!token)
+        return null;
+    try {
+        const claims = (0, jose_1.decodeJwt)(token);
+        return {
+            jti: claims.jti ?? '',
+            att_tid: claims.att_tid ?? '',
+            att_depth: claims.att_depth ?? 0,
+            att_scope: claims.att_scope ?? [],
+            att_uid: claims.att_uid ?? '',
+            token,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Returns the scope registry for a server that has been wrapped with
+ * `withAttest` — a map of every registered tool name to its resolved
+ * Attest scope string.
+ *
+ * Use this to build a scope discovery endpoint so credential issuers can
+ * query what scopes a server requires without out-of-band coordination.
+ *
+ * @example
+ * ```ts
+ * // Express / Hono / any HTTP framework:
+ * app.get("/.well-known/attest-scopes", (_req, res) => {
+ *   res.json({ tools: getAttestScopes(protectedServer) });
+ * });
+ *
+ * // Response:
+ * // {
+ * //   "tools": {
+ * //     "send_email":      "email:send",
+ * //     "read_file":       "file:read",
+ * //     "gh_create_issue": "github:write"
+ * //   }
+ * // }
+ * ```
+ *
+ * Tools that have not yet been registered (i.e. `server.tool()` hasn't been
+ * called for them yet) will not appear in the result.  Call this after all
+ * tools are registered, not during server startup.
+ *
+ * @returns A plain `Record<string, string>` safe to serialize directly as JSON.
+ */
+function getAttestScopes(server) {
+    const registry = scopeRegistries.get(server);
+    if (!registry)
+        return {};
+    return Object.fromEntries(registry);
+}
+//# sourceMappingURL=mcp.js.map

package/dist/mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../src/mcp.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;;AAgOH,oCAcC;AAkeD,gCAqBC;AA8FD,4CAiBC;AAiCD,0CAIC;AAv3BD,+BAAgE;AA0MhE,iFAAiF;AAEjF;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,YAAY,CAAC,QAAgB,EAAE,SAAkC;IAC/E,IAAI,SAAS,EAAE,CAAC,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC,QAAQ,CAAE,CAAC;IAEvD,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QACf,oEAAoE;QACpE,OAAO,GAAG,QAAQ,UAAU,CAAC;IAC/B,CAAC;IAED,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAEvD,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAC1C,OAAO,GAAG,QAAQ,IAAI,MAAM,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,cAAc,GAA2B;IAC7C,QAAQ;IACR,MAAM,EAAE,OAAO;IACf,MAAM,EAAE,OAAO;IACf,GAAG,EAAE,OAAO;IACZ,KAAK,EAAE,OAAO;IACd,GAAG,EAAE,OAAO;IACZ,MAAM,EAAE,OAAO;IACf,SAAS;IACT,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,QAAQ;IACjB,UAAU;IACV,GAAG,EAAE,SAAS;IACd,MAAM,EAAE,SAAS;IACjB,IAAI,EAAE,SAAS;IACf,OAAO;IACP,GAAG,EAAE,MAAM;IACX,KAAK,EAAE,MAAM;IACb,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,MAAM;IACd,KAAK,EAAE,MAAM;IACb,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,MAAM;CACf,CAAC;AAEF,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,cAAc,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC;AACpC,CAAC;AAMD;;;;GAIG;AACH,MAAM,SAAS;IACI,SAAS,CAAS;IAClB,KAAK,CAAS;IACvB,MAAM,GAAwB,IAAI,CAAC;IACnC,SAAS,GAAG,CAAC,CAAC;IAEtB,YAAY,SAAiB,EAAE,UAAkB;QAC/C,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,GAAG,UAAU,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,GAAG;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9D,IAAI,CAAC,MAAM,GAAG,IAAA,yBAAkB,EAC9B,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,SAAS,wBAAwB,CAAC;YAClD,sEAAsE;YACtE,6CAA6C;YAC7C,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,EAAE,CAC5B,CAAC;YACF,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;QACvB,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AASD;;;GAGG;AACH,MAAM,eAAe;IACF,KAAK,GAAG,IAAI,GAAG,EAA2B,CAAC;IAC3C,KAAK,CAAS;IACd,SAAS,CAAS;IAEnC,YAAY,SAAiB,EAAE,UAAkB;QAC/C,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,GAAG,UAAU,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,MAAM,KAAK,SAAS,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACnD,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YACnB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,8DAA8D;IAC9D,KAAK,CAAC,GAAW;QACf,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAEO,KAAK,CAAC,qBAAqB,CAAC,GAAW;QAC7C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,IAAI,CAAC,SAAS,eAAe,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAC1D,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,KAAK,CAAC,CAAC,6BAA6B;YACxD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0B,CAAC;YACzD,OAAO,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;YACxE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAiBD,SAAS,cAAc,CAAC,YAAsB,EAAE,aAAqB;IACnE,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC1D,IAAI,CAAC,WAAW,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7C,OAAO,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;QAC/B,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACvC,MAAM,UAAU,GAAG,QAAQ,KAAK,GAAG,IAAI,QAAQ,KAAK,WAAW,CAAC;QAChE,MAAM,QAAQ,GAAG,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,SAAS,CAAC;QACxD,OAAO,UAAU,IAAI,QAAQ,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;GASG;AACH,SAAS,YAAY,CAAC,KAAsB;IAC1C,wCAAwC;IACxC,IAAI,KAAK,CAAC,QAAQ,EAAE,KAAK;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;IAEvD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACxB,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,kCAAkC;IAClC,IAAI,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;QACrE,OAAO,IAAI,CAAC,cAAc,CAAC,CAAC;IAC9B,CAAC;IAED,kDAAkD;IAClD,IAAI,OAAO,IAAI,CAAC,eAAe,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;QACnC,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5D,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;IAC7B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAmBD;;;;;;;;GAQG;AACH,SAAS,SAAS,CAChB,SAAiB,EACjB,OAAqB,EACrB,YAAuE,EACvE,WAA+D;IAE/D,KAAK,KAAK,CAAC,GAAG,SAAS,WAAW,EAAE;QAClC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC;SACC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,6EAA6E;YAC7E,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,IAAI,CAAC;gBAAC,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACvD,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAElE,IAAI,YAAY,EAAE,CAAC;YACjB,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC;gBACV,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,aAAa,EAAE,EAAE;gBACjB,YAAY,EAAE,OAAO,CAAC,KAAK;gBAC3B,MAAM,EAAE,eAAe;gBACvB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5C,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,qDAAqD;QACrD,OAAO,CAAC,IAAI,CACV,kFAAkF,EAClF,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CACvE,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED,iFAAiF;AAEjF,MAAM,cAAc;IACD,SAAS,CAAS;IAClB,iBAAiB,CAAU;IAC3B,WAAW,CAAqD;IAChE,YAAY,CAA4D;IACxE,YAAY,CAAqC;IAEjD,IAAI,CAAY;IAChB,WAAW,CAAkB;IAE9C,YAAY,IAAsB;QAChC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC;QACxD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACtC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,CAAC;QACrE,IAAI,CAAC,WAAW,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC;IACxF,CAAC;IAED;;;OAGG;IACH,YAAY,CAAC,QAAgB,EAAE,QAAiB;QAC9C,OAAO,QAAQ,IAAI,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC/D,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,KAAK,CACT,QAAgB,EAChB,KAAsB,EACtB,aAAqB;QAErB,MAAM,aAAa,GAAG,aAAa,CAAC;QACpC,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAErC,2EAA2E;QAC3E,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE;gBAC5B,MAAM,EAAE,eAAe;gBACvB,MAAM,EAAE,SAAS,QAAQ,0CAA0C,aAAa,qDAAqD;gBACrI,aAAa;gBACb,YAAY,EAAE,EAAE;aACjB,CAAC,CAAC;QACL,CAAC;QAED,2EAA2E;QAC3E,IAAI,GAAc,CAAC;QACnB,IAAI,CAAC;YACH,GAAG,GAAG,IAAA,gBAAS,EAAC,QAAQ,CAAyB,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE;gBAC5B,MAAM,EAAE,oBAAoB;gBAC5B,MAAM,EAAE,wDAAwD;gBAChE,aAAa;gBACb,YAAY,EAAE,EAAE;aACjB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC;QAC3B,MAAM,YAAY,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;QAEzC,2EAA2E;QAC3E,IAAI,CAAC;YACH,MAAM,IAAA,gBAAS,EAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,QAAQ,GACZ,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE;gBAC5B,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,oBAAoB;gBAC9D,MAAM,EAAE,QAAQ;oBACd,CAAC,CAAC,oBAAoB,GAAG,gBAAgB;oBACzC,CAAC,CAAC,6CAA6C,MAAM,CAAC,GAAG,CAAC,EAAE;gBAC9D,aAAa;gBACb,YAAY;gBACZ,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC5C,CAAC,CAAC;QACL,CAAC;QAED,2EAA2E;QAC3E,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,aAAa,CAAC,EAAE,CAAC;YACjD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE;gBACpC,MAAM,EAAE,iBAAiB;gBACzB,MAAM,EACJ,oBAAoB,GAAG,aAAa,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;oBAC/D,aAAa,QAAQ,eAAe,aAAa,IAAI;gBACvD,aAAa;gBACb,YAAY;gBACZ,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC5C,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;gBACxB,UAAU,EAAE,UAAU;gBACtB,GAAG,EAAE,GAAG,IAAI,SAAS;gBACrB,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9D,QAAQ,EAAE,OAAO,QAAQ,EAAE;gBAC3B,KAAK,EAAE,YAAY;gBACnB,IAAI,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,aAAa,EAAE;aACpE,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACxC,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,2EAA2E;QAC3E,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACtD,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE;oBACpC,MAAM,EAAE,oBAAoB;oBAC5B,MAAM,EAAE,oBAAoB,GAAG,qBAAqB;oBACpD,aAAa;oBACb,YAAY;oBACZ,GAAG;oBACH,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC5C,CAAC,CAAC;gBACH,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;oBACxB,UAAU,EAAE,SAAS;oBACrB,GAAG;oBACH,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9D,QAAQ,EAAE,OAAO,QAAQ,EAAE;oBAC3B,KAAK,EAAE,YAAY;oBACnB,IAAI,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE;iBACrC,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;gBACxC,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAED,2EAA2E;QAC3E,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;YACxB,UAAU,EAAE,UAAU;YACtB,GAAG,EAAE,GAAG,IAAI,SAAS;YACrB,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,QAAQ,EAAE,OAAO,QAAQ,EAAE;YAC3B,KAAK,EAAE,YAAY;YACnB,IAAI,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,EAAE;SAC5D,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,OAAO,CACb,QAAgB,EAChB,IAOC;QAED,MAAM,KAAK,GAAwB;YACjC,QAAQ;YACR,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC;QAE1B,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC5B,+DAA+D;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO;YACL,KAAK,EAAE,kBAAkB;YACzB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC;IACJ,CAAC;CACF;AAED,iFAAiF;AAEjF,uEAAuE;AACvE,0DAA0D;AAC1D,MAAM,eAAe,GAAG,IAAI,OAAO,EAAsC,CAAC;AAE1E,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,UAAU,CAA0B,MAAS,EAAE,OAAyB;IACtF,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC3C,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAEtC,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAoC,CAAC;IAEjF,qDAAqD;IACrD,oDAAoD;IACpD,gCAAgC;IAChC,6CAA6C;IAC7C,yEAAyE;IACzE,0DAA0D;IAC1D,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,CAAC,IAAI,GAAG,SAAS,UAAU,CAAC,GAAG,IAAe;QAClD,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,GAAG,OAAO,CAAC,CAAC;IAClC,CAAC,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,SAAS,aAAa,CACpB,QAAwB,EACxB,QAA6B,EAC7B,IAAe;IAEf,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnC,8CAA8C;IAC9C,wEAAwE;IACxE,0EAA0E;IAC1E,0DAA0D;IAC1D,IAAI,QAAQ,GAAG,IAAI,CAAC;IACpB,IAAI,aAAiC,CAAC;IAEtC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACnC,IACE,IAAI,KAAK,IAAI;QACb,OAAO,IAAI,KAAK,QAAQ;QACxB,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QACpB,OAAQ,IAAgC,CAAC,eAAe,CAAC,KAAK,UAAU,EACxE,CAAC;QACD,oEAAoE;QACpE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC1C,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,IAAyB,CAAC;YACvC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;YACnC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,kCAAkC;QAClE,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjD,IAAI,OAAO,UAAU,KAAK,UAAU;QAAE,OAAO,QAAQ,CAAC;IAEtD,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAE7E,8CAA8C;IAC9C,MAAM,aAAa,GAAG,QAAQ,CAAC,YAAY,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACrE,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAEtC,MAAM,QAAQ,GAAG,UAGc,CAAC;IAEhC,MAAM,OAAO,GAAG,KAAK,EACnB,MAAe,EACf,KAAsB,EACM,EAAE;QAC9B,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC;QAEvE,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;gBACrE,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACjC,CAAC,CAAC;IAEF,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,UAAU,QAAQ,EAAE,EAAE,CAAC,CAAC;IAExE,OAAO,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,gBAAgB,CAAC,KAAsB;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,gBAAS,EAAC,KAAK,CAAyB,CAAC;QACxD,OAAO;YACL,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,EAAE;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;YAChC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;YAC7B,KAAK;SACN,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,SAAgB,eAAe,CAAC,MAAqB;IACnD,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IACzB,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC"}

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@attest-dev/sdk",
+  "version": "0.1.0-beta.1",
+  "description": "TypeScript SDK for the Attest cryptographic agent credential service",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./mcp": {
+      "require": "./dist/mcp.js",
+      "types": "./dist/mcp.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "tsc"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "keywords": ["attest", "jwt", "agent", "credentials", "delegation", "ai-safety"],
+  "license": "Apache-2.0",
+  "dependencies": {
+    "jose": "^5.9.6"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "typescript": "^5.4.5"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}