@attested-intelligence/aga-mcp-server 2.2.2 → 3.0.0
- package/DEPLOYMENT.md +111 -0
- package/LICENSE +21 -21
- package/README.md +59 -47
- package/SECURITY.md +59 -0
- package/THREAT_BOUNDARY.md +77 -0
- package/dist/core/behavioral.d.ts.map +1 -1
- package/dist/core/behavioral.js +11 -3
- package/dist/core/behavioral.js.map +1 -1
- package/dist/core/index.d.ts +0 -2
- package/dist/core/index.d.ts.map +1 -1
- package/dist/core/index.js +2 -2
- package/dist/core/index.js.map +1 -1
- package/dist/core/types.d.ts +1 -22
- package/dist/core/types.d.ts.map +1 -1
- package/dist/crypto/index.d.ts +0 -1
- package/dist/crypto/index.d.ts.map +1 -1
- package/dist/crypto/index.js +1 -1
- package/dist/crypto/index.js.map +1 -1
- package/dist/crypto/sign.d.ts.map +1 -1
- package/dist/crypto/sign.js +24 -23
- package/dist/crypto/sign.js.map +1 -1
- package/dist/middleware/governance.d.ts +22 -3
- package/dist/middleware/governance.d.ts.map +1 -1
- package/dist/middleware/governance.js +36 -28
- package/dist/middleware/governance.js.map +1 -1
- package/dist/proxy/index.d.ts.map +1 -1
- package/dist/proxy/index.js +26 -15
- package/dist/proxy/index.js.map +1 -1
- package/dist/proxy/server.d.ts +18 -45
- package/dist/proxy/server.d.ts.map +1 -1
- package/dist/proxy/server.js +77 -131
- package/dist/proxy/server.js.map +1 -1
- package/dist/sep/bundle.d.ts +60 -0
- package/dist/sep/bundle.d.ts.map +1 -0
- package/dist/sep/bundle.js +74 -0
- package/dist/sep/bundle.js.map +1 -0
- package/dist/sep/canonical.d.ts +28 -0
- package/dist/sep/canonical.d.ts.map +1 -0
- package/dist/sep/canonical.js +62 -0
- package/dist/sep/canonical.js.map +1 -0
- package/dist/sep/checkpoint.d.ts +15 -0
- package/dist/sep/checkpoint.d.ts.map +1 -0
- package/dist/sep/checkpoint.js +28 -0
- package/dist/sep/checkpoint.js.map +1 -0
- package/dist/sep/crypto.d.ts +20 -0
- package/dist/sep/crypto.d.ts.map +1 -0
- package/dist/sep/crypto.js +104 -0
- package/dist/sep/crypto.js.map +1 -0
- package/dist/sep/index.d.ts +14 -0
- package/dist/sep/index.d.ts.map +1 -0
- package/dist/sep/index.js +14 -0
- package/dist/sep/index.js.map +1 -0
- package/dist/sep/merkle.d.ts +11 -0
- package/dist/sep/merkle.d.ts.map +1 -0
- package/dist/sep/merkle.js +51 -0
- package/dist/sep/merkle.js.map +1 -0
- package/dist/sep/receipt.d.ts +64 -0
- package/dist/sep/receipt.d.ts.map +1 -0
- package/dist/sep/receipt.js +0 -0
- package/dist/sep/receipt.js.map +1 -0
- package/dist/sep/verify.d.ts +14 -0
- package/dist/sep/verify.d.ts.map +1 -0
- package/dist/sep/verify.js +158 -0
- package/dist/sep/verify.js.map +1 -0
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +83 -39
- package/dist/server.js.map +1 -1
- package/dist/storage/interface.d.ts +1 -4
- package/dist/storage/interface.d.ts.map +1 -1
- package/dist/storage/memory.d.ts +1 -5
- package/dist/storage/memory.d.ts.map +1 -1
- package/dist/storage/memory.js +0 -4
- package/dist/storage/memory.js.map +1 -1
- package/dist/storage/sqlite.d.ts +1 -4
- package/dist/storage/sqlite.d.ts.map +1 -1
- package/dist/storage/sqlite.js +0 -4
- package/dist/storage/sqlite.js.map +1 -1
- package/dist/utils/canonical.d.ts.map +1 -1
- package/dist/utils/canonical.js +11 -1
- package/dist/utils/canonical.js.map +1 -1
- package/dist/utils/timestamp.d.ts.map +1 -1
- package/dist/utils/timestamp.js +4 -1
- package/dist/utils/timestamp.js.map +1 -1
- package/dist/utils/uuid.d.ts +1 -0
- package/dist/utils/uuid.d.ts.map +1 -1
- package/dist/utils/uuid.js +3 -2
- package/dist/utils/uuid.js.map +1 -1
- package/package.json +87 -93
- package/dist/core/bundle.d.ts +0 -20
- package/dist/core/bundle.d.ts.map +0 -1
- package/dist/core/bundle.js +0 -45
- package/dist/core/bundle.js.map +0 -1
- package/dist/core/checkpoint.d.ts +0 -8
- package/dist/core/checkpoint.d.ts.map +0 -1
- package/dist/core/checkpoint.js +0 -21
- package/dist/core/checkpoint.js.map +0 -1
- package/dist/crypto/merkle.d.ts +0 -8
- package/dist/crypto/merkle.d.ts.map +0 -1
- package/dist/crypto/merkle.js +0 -42
- package/dist/crypto/merkle.js.map +0 -1
- package/dist/proxy/verify.d.ts +0 -28
- package/dist/proxy/verify.d.ts.map +0 -1
- package/dist/proxy/verify.js +0 -182
- package/dist/proxy/verify.js.map +0 -1
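--- a/package/dist/proxy/server.js
+++ b/package/dist/proxy/server.js
@@ -15,21 +15,27 @@
 */
 import * as net from 'node:net';
 import { EventEmitter } from 'node:events';
-import { generateKeyPair, pkToHex, signStr } from '../crypto/sign.js';
-import { bytesToHex, hexToBytes as utilHexToBytes } from '@noble/hashes/utils';
-import { sha256 } from '@noble/hashes/sha256';
-import { sha256Str } from '../crypto/hash.js';
-import { canonicalize } from '../utils/canonical.js';
 import { evaluate, resetRateLimits } from './evaluator.js';
 import { StdioBridge } from './stdio-bridge.js';
 import { PERMISSIVE } from './profiles.js';
-
-
+// ONE canonical evidence engine (src/sep, node:crypto). The proxy no longer carries a
+// parallel receipt/Merkle/canonical/@noble implementation; it records governed decisions
+// through a SepGateway and exports the canonical SEP bundle, verified by the one verifier.
+import { SepGateway, generateSigner, sha256Hex, canonicalize, safeArgumentsHash, } from '../sep/index.js';
+// ── Proxy options ───────────────────────────────────────────
+/** Benign MCP protocol methods forwarded WITHOUT a passthrough receipt (no side effects). */
+export const DEFAULT_PASSTHROUGH_EXCLUDE = [
+'initialize', 'initialized', 'ping',
+'tools/list', 'prompts/list', 'resources/list', 'resources/templates/list',
+'logging/setLevel', 'completion/complete',
+];
 export class GovernanceProxy extends EventEmitter {
 server = null;
 bridge = null;
-//
-
+// Gateway signing key (node:crypto) — never leaves this process.
+signer;
+// Canonical SEP evidence ledger: records + chain + Merkle + mandatory signed checkpoint.
+sep;
 // State
 policy;
 port;
@@ -37,9 +43,8 @@ export class GovernanceProxy extends EventEmitter {
 upstreamOptions;
 upstreamUrl;
 gatewayId;
-
-
-lastReceiptHash = '';
+passthroughExclude;
+denyMethods;
 policyHash = '';
 // Stats
 stats = { permitted: 0, denied: 0, total: 0, started_at: '' };
@@ -50,13 +55,17 @@ export class GovernanceProxy extends EventEmitter {
 this.upstreamOptions = options.upstream ?? null;
 this.upstreamUrl = options.upstreamUrl ?? null;
 this.gatewayId = options.gatewayId ?? 'aga-proxy';
-this.
+this.passthroughExclude = new Set(options.passthroughExclude ?? DEFAULT_PASSTHROUGH_EXCLUDE);
+this.denyMethods = new Set(options.denyMethods ?? []);
+this.signer = generateSigner().signer;
+this.sep = new SepGateway({ gatewayId: this.gatewayId, signer: this.signer });
 }
 // ── Start / Stop ───────────────────────────────────────────
 async start() {
 if (this.started)
 throw new Error('Proxy already running');
-this.policyHash =
+this.policyHash = sha256Hex(canonicalize(this.policy));
+this.sep.setPolicyReference(this.policyHash);
 // Start downstream bridge if configured
 if (this.upstreamOptions) {
 this.bridge = new StdioBridge(this.upstreamOptions);
@@ -66,6 +75,9 @@ export class GovernanceProxy extends EventEmitter {
 process.stderr.write(`[aga-proxy] Downstream exited with code ${code}\n`);
 });
 }
+if (this.upstreamUrl && !this.bridge) {
+process.stderr.write('[aga-proxy] HTTP upstream mode: the upstream URL is directly reachable — governance is BYPASSABLE unless the agent is network-isolated from it. Prefer stdio upstream. See DEPLOYMENT.md §1.\n');
+}
 // Start TCP server
 this.server = net.createServer((socket) => this.handleConnection(socket));
 await new Promise((resolve, reject) => {
@@ -126,8 +138,23 @@ export class GovernanceProxy extends EventEmitter {
 }
 const requestId = parsed.id ?? null;
 const method = parsed.method;
-// Non-tools/call methods:
+// Non-tools/call methods: NOT policy-evaluated, but recorded for AUDITABILITY as a signed
+// passthrough receipt so they are visible in the evidence bundle — unless they are benign
+// protocol methods (excluded) or notifications. An optional denylist rejects known side-effecting
+// methods. This buys VISIBILITY, not governance: the method still executes (unless denylisted),
+// and a direct-to-upstream call still bypasses entirely. See THREAT_BOUNDARY.md §3.2.
 if (method !== 'tools/call') {
+const m = method ?? '';
+const passParams = parsed.params;
+if (m && this.denyMethods.has(m)) {
+const receipt = this.generateReceipt('(passthrough)', 'DENIED', `non-tools/call method on denylist: ${m}`, requestId, passParams, m);
+this.respond(socket, { jsonrpc: '2.0', error: { code: -32600, message: `Method denied by policy: ${m}`, data: { receipt_id: receipt.receipt_id, decision: 'DENIED' } }, id: requestId });
+return;
+}
+const benign = !m || m.startsWith('notifications/') || this.passthroughExclude.has(m);
+if (!benign) {
+this.generateReceipt('(passthrough)', 'PERMITTED', `forwarded, not policy-evaluated: ${m}`, requestId, passParams, m);
+}
 if (this.bridge) {
 try {
 const response = await this.bridge.send(parsed);
@@ -177,9 +204,23 @@ export class GovernanceProxy extends EventEmitter {
 });
 return;
 }
+// Fail-closed: arguments that cannot be canonicalized (depth-bomb / hostile payload) are
+// DENIED and recorded — never silently dropped or forwarded. Done BEFORE policy evaluation
+// so the evaluator never sees an unbounded structure either.
+const { hash: argsHash, ok: argsOk } = safeArgumentsHash(toolArgs);
+if (!argsOk) {
+const receipt = this.generateReceipt(toolName, 'DENIED', 'fail-closed: arguments could not be canonicalized (too deeply nested or invalid)', requestId, undefined, 'tools/call', argsHash);
+this.stats.denied++;
+this.respond(socket, {
+jsonrpc: '2.0',
+error: { code: -32600, message: 'Tool denied: uncanonicalizable arguments', data: { receipt_id: receipt.receipt_id, decision: 'DENIED' } },
+id: requestId,
+});
+return;
+}
 // Evaluate against policy
 const decision = evaluate(this.policy, toolName, toolArgs);
-const receipt = this.generateReceipt(toolName, decision.allowed ? 'PERMITTED' : 'DENIED', decision.reason, requestId, toolArgs);
+const receipt = this.generateReceipt(toolName, decision.allowed ? 'PERMITTED' : 'DENIED', decision.reason, requestId, toolArgs, 'tools/call', argsHash);
 if (!decision.allowed) {
 this.stats.denied++;
 this.respond(socket, {
@@ -223,102 +264,22 @@ export class GovernanceProxy extends EventEmitter {
 }
 }
 // ── Receipt generation (Ed25519-SHA256-JCS canonical format) ─
-
-
-//
-
-
-
-
-
-argumentsHash = sha256Str(canonicalize(toolArgs));
-}
-const unsigned = {
-receipt_id: uuid(),
-receipt_version: '1.0',
-algorithm: 'Ed25519-SHA256-JCS',
-timestamp: utcNow(),
-request_id: requestId,
-method: 'tools/call',
+/** Record a governed decision as a canonical SEP receipt via the shared engine. */
+generateReceipt(toolName, decision, reason, requestId, toolArgs, method = 'tools/call', argsHashOverride) {
+// SepGateway owns canonicalization, the arguments_hash tri-state, request_id coercion
+// (string|null), chain linkage, and signing — one source of truth for receipt construction.
+// safeArgumentsHash never throws (depth-bomb -> sentinel), so recording can never crash and
+// silently drop a governed decision; callers may pass a precomputed hash to avoid re-hashing.
+const argumentsHash = argsHashOverride ?? safeArgumentsHash(toolArgs).hash;
+return this.sep.record({
 tool_name: toolName,
 decision,
 reason,
+request_id: requestId,
+method,
+argumentsHash,
 policy_reference: this.policyHash,
-
-previous_receipt_hash: this.lastReceiptHash,
-gateway_id: this.gatewayId,
-public_key: pubKeyHex,
-};
-const sig = signStr(canonicalize(unsigned), this.signingKP.secretKey);
-const receipt = { ...unsigned, signature: bytesToHex(sig) };
-this.receipts.push(receipt);
-this.lastReceiptHash = sha256Str(canonicalize(receipt));
-return receipt;
-}
-// ── Merkle tree (binary, odd-node promotion, binary concat) ─
-merkleNodeHash(leftHex, rightHex) {
-const left = utilHexToBytes(leftHex);
-const right = utilHexToBytes(rightHex);
-const combined = new Uint8Array(left.length + right.length);
-combined.set(left, 0);
-combined.set(right, left.length);
-return bytesToHex(sha256(combined));
-}
-computeMerkleRoot(leaves) {
-if (leaves.length === 0)
-return '';
-if (leaves.length === 1)
-return leaves[0];
-let level = [...leaves];
-while (level.length > 1) {
-const next = [];
-for (let i = 0; i < level.length; i += 2) {
-if (i + 1 < level.length) {
-next.push(this.merkleNodeHash(level[i], level[i + 1]));
-}
-else {
-next.push(level[i]);
-}
-}
-level = next;
-}
-return level[0];
-}
-computeMerkleProof(leaves, leafIndex) {
-const siblings = [];
-const directions = [];
-let level = [...leaves];
-let idx = leafIndex;
-while (level.length > 1) {
-const next = [];
-for (let i = 0; i < level.length; i += 2) {
-if (i + 1 < level.length) {
-next.push(this.merkleNodeHash(level[i], level[i + 1]));
-}
-else {
-next.push(level[i]);
-}
-}
-if (idx % 2 === 0) {
-if (idx + 1 < level.length) {
-siblings.push(level[idx + 1]);
-directions.push('right');
-}
-}
-else {
-siblings.push(level[idx - 1]);
-directions.push('left');
-}
-idx = Math.floor(idx / 2);
-level = next;
-}
-return {
-leaf_hash: leaves[leafIndex],
-leaf_index: leafIndex,
-siblings,
-directions,
-merkle_root: level[0],
-};
+});
 }
 // ── HTTP forwarding ────────────────────────────────────────
 async forwardHttp(body, socket, requestId) {
@@ -348,41 +309,26 @@ export class GovernanceProxy extends EventEmitter {
 // ── Public API ─────────────────────────────────────────────
 async switchPolicy(newPolicy) {
 this.policy = newPolicy;
-this.policyHash =
+this.policyHash = sha256Hex(canonicalize(newPolicy));
+this.sep.setPolicyReference(this.policyHash);
 resetRateLimits();
 this.emit('policy_switched');
 }
+/** Export the canonical SEP evidence bundle (receipts + Merkle proofs + signed checkpoint). */
 exportBundle() {
-
-throw new Error('No receipts');
-const leafHashes = this.receipts.map(r => sha256Str(canonicalize(r)));
-const root = this.computeMerkleRoot(leafHashes);
-const proofs = leafHashes.map((_, i) => this.computeMerkleProof(leafHashes, i));
-return {
-schema_version: '1.0',
-bundle_id: uuid(),
-algorithm: 'Ed25519-SHA256-JCS',
-generated_at: utcNow(),
-gateway_id: this.gatewayId,
-public_key: pkToHex(this.signingKP.publicKey),
-policy_reference: this.policyHash,
-receipts: this.receipts,
-merkle_root: root,
-merkle_proofs: proofs,
-offline_capable: true,
-};
+return this.sep.exportBundle();
 }
 getStatus() {
 return {
 running: this.started,
 port: this.port,
 policy_mode: this.policy.mode,
-receipt_count: this.
+receipt_count: this.sep.count,
 ...this.stats,
-public_key:
+public_key: this.signer.publicKeyHex,
 };
 }
-getPublicKey() { return
-getReceipts() { return this.
+getPublicKey() { return this.signer.publicKeyHex; }
+getReceipts() { return [...this.sep.getReceipts()]; }
 }
 //# sourceMappingURL=server.js.map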
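Review bot: The fail-closed canonicalization check is applied only on the `tools/call` path; in the passthrough branch (`if (method !== 'tools/call')`) `generateReceipt` is called with `passParams` and no precomputed hash, so the `ok` flag from `safeArgumentsHash` is discarded and a request whose `params` cannot be canonicalized appears to be receipted as PERMITTED and still forwarded. Consider hashing first in that branch, `const { hash: passHash, ok: passOk } = safeArgumentsHash(passParams);`, and denying with a receipt when `!passOk`, as the tools/call path does. In the same branch `parsed.method` is used without a type check, so a truthy non-string value would make `m.startsWith(...)` throw before any receipt is written; `const m = typeof method === 'string' ? method : '';` avoids the throw, though an empty `m` is then treated as benign and forwarded unreceipted, which may deserve an explicit denial instead. The denylist branch also records a DENIED receipt without `this.stats.denied++`, so the `getStatus()` counters can drift from `receipt_count`. The enclosing message handler starts and ends outside these hunks, so how a thrown error is surfaced to the client is not visible here.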
package/dist/proxy/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,UAAU,IAAI,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAwDxC,MAAM,OAAO,eAAgB,SAAQ,YAAY;IACvC,MAAM,GAAsB,IAAI,CAAC;IACjC,MAAM,GAAuB,IAAI,CAAC;IAE1C,yCAAyC;IACjC,SAAS,CAAU;IAE3B,QAAQ;IACA,MAAM,CAAa;IACnB,IAAI,CAAS;IACb,OAAO,GAAG,KAAK,CAAC;IAChB,eAAe,CAA4B;IAC3C,WAAW,CAAgB;IAC3B,SAAS,CAAS;IAE1B,gBAAgB;IACR,QAAQ,GAAwB,EAAE,CAAC;IACnC,eAAe,GAAW,EAAE,CAAC;IAC7B,UAAU,GAAW,EAAE,CAAC;IAEhC,QAAQ;IACA,KAAK,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAEtE,YAAY,UAA8B,EAAE;QAC1C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;IACrC,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAE3D,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAEvD,wCAAwC;QACxC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAA
M,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACjD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,8DAA8D;IAEtD,gBAAgB,CAAC,MAAkB;QACzC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO;oBAAE,SAAS;gBACvB,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,IAAI,CAAC,CAAC;gBACvE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA6B,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,MAAkB;QACzD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QA
AC,MAAM,CAAC;YACP,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACpG,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,sCAAsC,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7H,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAI,MAAM,CAAC,EAA6B,IAAI,IAAI,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,CAAC,MAA4B,CAAC;QAEnD,gDAAgD;QAChD,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;wBACnB,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;wBAC5D,EAAE,EAAE,SAAS;qBACd,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBAC1D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;YACD,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1D,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,iBAAiB,CAC7B,MAA+B,EAC/B,MAAkB,EAClB,SAAiC;QAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAA6C,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,EAAE,IAA0B,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAgD,CAAC;QAE1E,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAEnB,4BAA4B;QAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,0CAA0C,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YAC5H,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,mBAAmB;oBAC5B,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAC7D;gBAC
D,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAClC,QAAQ,EACR,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EACzC,QAAQ,CAAC,MAAM,EACf,SAAS,EACT,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,gBAAgB,QAAQ,CAAC,MAAM,EAAE;oBAC1C,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE;iBACtF;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAEvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;oBAC5D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;iBACvH;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gEAAgE;IAExD,eAAe,CACrB,QAAgB,EAChB,QAAgC,EAChC,MAAc,EACd,SAAiC,EACjC,QAA6C;QAE7C,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAEpD,gDAAgD;QAChD,IAAI,aAAqB,CAAC;QAC1B,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,aAAa,GAAG,EAAE,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,UAAU,EAAE,IAAI,EAAE;YAClB,eAAe,EAAE,K
AAK;YACtB,SAAS,EAAE,oBAAoB;YAC/B,SAAS,EAAE,MAAM,EAAE;YACnB,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,YAAY;YACpB,SAAS,EAAE,QAAQ;YACnB,QAAQ;YACR,MAAM;YACN,gBAAgB,EAAE,IAAI,CAAC,UAAU;YACjC,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,IAAI,CAAC,eAAe;YAC3C,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,SAAS;SACtB,CAAC;QAEF,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtE,MAAM,OAAO,GAAsB,EAAE,GAAG,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAE/E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;QAExD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,+DAA+D;IAEvD,cAAc,CAAC,OAAe,EAAE,QAAgB;QACtD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACtB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,OAAO,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtC,CAAC;IAEO,iBAAiB,CAAC,MAAgB;QACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAEO,kBAAkB,CAAC,MAAgB,EAAE,SAAiB;QAC5D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAyB,EAAE,CAAC;QAC5C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QACxB,IAAI,GAAG,GAAG,SAAS,CAAC;QAEpB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,
EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClB,IAAI,GAAG,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;gBAC9B,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;YACD,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YAC1B,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QAED,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;YAC5B,UAAU,EAAE,SAAS;YACrB,QAAQ;YACR,UAAU;YACV,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;SACtB,CAAC;IACJ,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,MAAkB,EAAE,SAAiC;QAC3F,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAY,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI;aACL,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAA+B,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,GAAG,EAAE,EAAE;gBAC/D,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8DAA8D;IAEtD,OAAO,CAAC,MAAkB,EAAE,GAA4B;QAC9D,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,YAAY,CAAC,SAAqB;QACtC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;QACrD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC/B,CAAC;IAED,YAAY;QACV,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;QAE/D,
MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;QAEhF,OAAO;YACL,cAAc,EAAE,KAAK;YACrB,SAAS,EAAE,IAAI,EAAE;YACjB,SAAS,EAAE,oBAAoB;YAC/B,YAAY,EAAE,MAAM,EAAE;YACtB,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;YAC7C,gBAAgB,EAAE,IAAI,CAAC,UAAU;YACjC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI;YACjB,aAAa,EAAE,MAAM;YACrB,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;IAED,SAAS;QACP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YACnC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;SAC9C,CAAC;IACJ,CAAC;IAED,YAAY,KAAa,OAAO,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACpE,WAAW,KAA0B,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;CAC7D"}
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAE3C,sFAAsF;AACtF,yFAAyF;AACzF,2FAA2F;AAC3F,OAAO,EACL,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,YAAY,EAAE,iBAAiB,GAEvE,MAAM,iBAAiB,CAAC;AAOzB,+DAA+D;AAE/D,6FAA6F;AAC7F,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,YAAY,EAAE,aAAa,EAAE,MAAM;IACnC,YAAY,EAAE,cAAc,EAAE,gBAAgB,EAAE,0BAA0B;IAC1E,kBAAkB,EAAE,qBAAqB;CAC1C,CAAC;AAcF,MAAM,OAAO,eAAgB,SAAQ,YAAY;IACvC,MAAM,GAAsB,IAAI,CAAC;IACjC,MAAM,GAAuB,IAAI,CAAC;IAE1C,iEAAiE;IACzD,MAAM,CAAY;IAC1B,yFAAyF;IACjF,GAAG,CAAa;IAExB,QAAQ;IACA,MAAM,CAAa;IACnB,IAAI,CAAS;IACb,OAAO,GAAG,KAAK,CAAC;IAChB,eAAe,CAA4B;IAC3C,WAAW,CAAgB;IAC3B,SAAS,CAAS;IAClB,kBAAkB,CAAc;IAChC,WAAW,CAAc;IAEzB,UAAU,GAAW,EAAE,CAAC;IAEhC,QAAQ;IACA,KAAK,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAEtE,YAAY,UAA8B,EAAE;QAC1C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC;QAClD,IAAI,CAAC,kBAAkB,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,IAAI,2BAA2B,CAAC,CAAC;QAC7F,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC,MAAM,CAAC;QACtC,IAAI,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAE3D,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE7C,wCAAwC;QACxC,IAAI
,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gMAAgM,CAAC,CAAC;QACzN,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACjD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,8DAA8D;IAEtD,gBAAgB,CAAC,MAAkB;QACzC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO;oBAAE,
SAAS;gBACvB,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,IAAI,CAAC,CAAC;gBACvE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA6B,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,MAAkB;QACzD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACpG,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,sCAAsC,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7H,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAI,MAAM,CAAC,EAA6B,IAAI,IAAI,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,CAAC,MAA4B,CAAC;QAEnD,0FAA0F;QAC1F,0FAA0F;QAC1F,kGAAkG;QAClG,gGAAgG;QAChG,sFAAsF;QACtF,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,MAAM,IAAI,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,MAAM,CAAC,MAA6C,CAAC;YACxE,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,QAAQ,EAAE,sCAAsC,CAAC,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;gBACrI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,4BAA4B,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;gBACzL,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACtF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW,EAAE,oCAAoC,CAAC,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;YACxH,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAA
C;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;wBACnB,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;wBAC5D,EAAE,EAAE,SAAS;qBACd,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBAC1D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;YACD,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1D,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,iBAAiB,CAC7B,MAA+B,EAC/B,MAAkB,EAClB,SAAiC;QAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAA6C,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,EAAE,IAA0B,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAgD,CAAC;QAE1E,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAEnB,4BAA4B;QAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,0CAA0C,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YAC5H,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,mBAAmB;oBAC5B,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAC7D;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,yFAAyF;QACzF,2FAA2F;QAC3F,6DAA6D;QAC7D,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACnE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,kFAAkF,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAC3L,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,0CAA0C,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE;gBAC1I,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,
IAAI,CAAC,eAAe,CAClC,QAAQ,EACR,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EACzC,QAAQ,CAAC,MAAM,EACf,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,gBAAgB,QAAQ,CAAC,MAAM,EAAE;oBAC1C,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE;iBACtF;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAEvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;oBAC5D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;iBACvH;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gEAAgE;IAEhE,mFAAmF;IAC3E,eAAe,CACrB,QAAgB,EAChB,QAAgC,EAChC,MAAc,EACd,SAAiC,EACjC,QAA6C,EAC7C,SAAiB,YAAY,EAC7B,gBAAyB;QAEzB,sFAAsF;QACtF,4FAA4F;QAC5F,4FAA4F;QAC5F,8FAA8F;QAC9F,MAAM,aAAa,GAAG,gBAAgB,IAAI,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;QAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC;YACrB,SAAS,EAAE,QAAQ;YACnB,QAAQ;YACR,MAAM;YACN,UAAU,EAAE,SAAS;YACrB,MAAM;YACN,aAAa;YACb,gBAAgB,EAAE,IAAI,CAAC,UAAU;SAClC,CAAC,CAAC;IACL,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,MAAkB,EAAE,SAAiC;QAC3F,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,
KAAK,CAAC,IAAI,CAAC,WAAY,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI;aACL,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAA+B,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,GAAG,EAAE,EAAE;gBAC/D,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8DAA8D;IAEtD,OAAO,CAAC,MAAkB,EAAE,GAA4B;QAC9D,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,YAAY,CAAC,SAAqB;QACtC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC/B,CAAC;IAED,+FAA+F;IAC/F,YAAY;QACV,OAAO,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;IACjC,CAAC;IAED,SAAS;QACP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK;YAC7B,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;SACrC,CAAC;IACJ,CAAC;IAED,YAAY,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAC3D,WAAW,KAAmB,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;CACpE"}
|
|
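--- a/package/dist/sep/bundle.d.ts
+++ b/package/dist/sep/bundle.d.ts
@@ -0,0 +1,60 @@
+/**
+* SEP Evidence Bundle + the stateful SepGateway that the MCP server tools and the proxy
+* both build on. Single source of truth for evidence construction (CANONICAL_CONSTRUCTION_v2.md).
+*/
+import type { SepSigner } from './crypto.js';
+import { type SepReceipt, type Decision } from './receipt.js';
+import { type MerkleProof } from './merkle.js';
+import { type SignedCheckpoint } from './checkpoint.js';
+export interface SepBundle {
+schema_version: string;
+bundle_id: string;
+algorithm: string;
+generated_at: string;
+gateway_id: string;
+public_key: string;
+policy_reference: string;
+receipts: SepReceipt[];
+merkle_root: string;
+merkle_proofs: MerkleProof[];
+checkpoint: SignedCheckpoint;
+offline_capable: boolean;
+}
+export interface SepGatewayOptions {
+gatewayId: string;
+signer: SepSigner;
+policyReference?: string;
+/** Injectable for deterministic tests; defaults to wall clock / random UUID. */
+clock?: () => string;
+idGen?: () => string;
+}
+export interface RecordInput {
+tool_name: string;
+decision: Decision;
+reason: string;
+arguments?: unknown;
+argumentsHash?: string;
+request_id?: string | number | null;
+method?: string;
+policy_reference?: string;
+}
+export declare class SepGateway {
+private readonly gatewayId;
+private readonly signer;
+private policyReference;
+private readonly clock;
+private readonly idGen;
+private readonly receipts;
+private lastLeaf;
+private lastTimestamp;
+constructor(opts: SepGatewayOptions);
+get publicKeyHex(): string;
+get count(): number;
+setPolicyReference(ref: string): void;
+getReceipts(): readonly SepReceipt[];
+/** Record a governed tool-call decision as a signed, chained SEP receipt. */
+record(input: RecordInput): SepReceipt;
+/** Assemble the canonical SEP evidence bundle (receipts + merkle + mandatory signed checkpoint). */
+exportBundle(): SepBundle;
+}
+//# sourceMappingURL=bundle.d.ts.map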
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/sep/bundle.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EAEL,KAAK,UAAU,EAAE,KAAK,QAAQ,EAC/B,MAAM,cAAc,CAAC;AACtB,OAAO,EAA2B,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAmB,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEzE,MAAM,WAAW,SAAS;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,WAAW,EAAE,CAAC;IAC7B,UAAU,EAAE,gBAAgB,CAAC;IAC7B,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gFAAgF;IAChF,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoB;IAC7C,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,aAAa,CAAM;gBAEf,IAAI,EAAE,iBAAiB;IAQnC,IAAI,YAAY,IAAI,MAAM,CAAqC;IAC/D,IAAI,KAAK,IAAI,MAAM,CAAiC;IACpD,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IACrC,WAAW,IAAI,SAAS,UAAU,EAAE;IAEpC,6EAA6E;IAC7E,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,UAAU;IA2BtC,oGAAoG;IACpG,YAAY,IAAI,SAAS;CAmB1B"}
|
|
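--- a/package/dist/sep/bundle.js
+++ b/package/dist/sep/bundle.js
@@ -0,0 +1,74 @@
+import { newId } from './crypto.js';
+import { SEP_ALGORITHM, buildReceipt, leafHash, } from './receipt.js';
+import { merkleRoot, merkleProof } from './merkle.js';
+import { buildCheckpoint } from './checkpoint.js';
+export class SepGateway {
+gatewayId;
+signer;
+policyReference;
+clock;
+idGen;
+receipts = [];
+lastLeaf = '';
+lastTimestamp = '';
+constructor(opts) {
+this.gatewayId = opts.gatewayId;
+this.signer = opts.signer;
+this.policyReference = opts.policyReference ?? '';
+this.clock = opts.clock ?? (() => new Date().toISOString());
+this.idGen = opts.idGen ?? (() => newId('rcpt'));
+}
+get publicKeyHex() { return this.signer.publicKeyHex; }
+get count() { return this.receipts.length; }
+setPolicyReference(ref) { this.policyReference = ref; }
+getReceipts() { return [...this.receipts]; }
+/** Record a governed tool-call decision as a signed, chained SEP receipt. */
+record(input) {
+// Monotonic timestamp: if the wall clock steps backward (NTP correction, VM migration),
+// clamp to the previous receipt's timestamp so the exported bundle always satisfies the
+// verifier's non-decreasing-timestamp check — a legitimately-recorded decision must never
+// land in a permanently-unverifiable bundle. ISO-8601 UTC strings compare chronologically.
+const now = this.clock();
+const timestamp = now >= this.lastTimestamp ? now : this.lastTimestamp;
+const receipt = buildReceipt({
+receipt_id: this.idGen(),
+timestamp,
+request_id: input.request_id ?? null,
+method: input.method,
+tool_name: input.tool_name,
+decision: input.decision,
+reason: input.reason,
+policy_reference: input.policy_reference ?? this.policyReference,
+arguments: input.arguments,
+argumentsHash: input.argumentsHash,
+previous_receipt_hash: this.lastLeaf,
+gateway_id: this.gatewayId,
+}, this.signer);
+this.receipts.push(receipt);
+this.lastLeaf = leafHash(receipt);
+this.lastTimestamp = timestamp;
+return receipt;
+}
+/** Assemble the canonical SEP evidence bundle (receipts + merkle + mandatory signed checkpoint). */
+exportBundle() {
+if (this.receipts.length === 0)
+throw new Error('No receipts to export');
+const leaves = this.receipts.map(leafHash);
+const generated_at = this.clock();
+return {
+schema_version: '2.0',
+bundle_id: this.idGen(),
+algorithm: SEP_ALGORITHM,
+generated_at,
+gateway_id: this.gatewayId,
+public_key: this.signer.publicKeyHex,
+policy_reference: this.policyReference,
+receipts: [...this.receipts],
+merkle_root: merkleRoot(leaves),
+merkle_proofs: leaves.map((_, i) => merkleProof(leaves, i)),
+checkpoint: buildCheckpoint(this.receipts, this.gatewayId, generated_at, this.signer),
+offline_capable: true,
+};
+}
+}
+//# sourceMappingURL=bundle.js.map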
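Review bot: `record()` returns the same object it stores and `getReceipts()` copies only the array, so a caller can still modify a receipt after it has been signed and chained. `exportBundle()` recomputes `leafHash` over the current contents of `this.receipts`, while the following receipt's `previous_receipt_hash` was taken from the earlier state, so such a mutation would presumably surface only later as a bundle that fails verification. Storing a frozen object, `this.receipts.push(Object.freeze(receipt));`, keeps signed evidence immutable in process; a shallow freeze is enough only if receipts are flat, which `buildReceipt` (not shown in this section) would have to confirm. Separately, `exportBundle()` takes `generated_at` straight from `this.clock()` without the backward-step clamp that `record()` applies, so clamping it the same way (`now >= this.lastTimestamp ? now : this.lastTimestamp`) would keep the checkpoint from predating the last receipt.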
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/sep/bundle.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACpC,OAAO,EACL,aAAa,EAAE,YAAY,EAAE,QAAQ,GAEtC,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAoB,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,eAAe,EAAyB,MAAM,iBAAiB,CAAC;AAqCzE,MAAM,OAAO,UAAU;IACJ,SAAS,CAAS;IAClB,MAAM,CAAY;IAC3B,eAAe,CAAS;IACf,KAAK,CAAe;IACpB,KAAK,CAAe;IACpB,QAAQ,GAAiB,EAAE,CAAC;IACrC,QAAQ,GAAG,EAAE,CAAC;IACd,aAAa,GAAG,EAAE,CAAC;IAE3B,YAAY,IAAuB;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,EAAE,CAAC;QAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,YAAY,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAC/D,IAAI,KAAK,KAAa,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpD,kBAAkB,CAAC,GAAW,IAAU,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC;IACrE,WAAW,KAA4B,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAEnE,6EAA6E;IAC7E,MAAM,CAAC,KAAkB;QACvB,wFAAwF;QACxF,wFAAwF;QACxF,0FAA0F;QAC1F,2FAA2F;QAC3F,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC;QACvE,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,UAAU,EAAE,IAAI,CAAC,KAAK,EAAE;YACxB,SAAS;YACT,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,IAAI,IAAI,CAAC,eAAe;YAChE,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,qBAAqB,EAAE,IAAI,CAAC,QAAQ;YACpC,UAAU,EAAE,IAAI,CAAC,SAAS;SAC3B,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAChB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;QAC/B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,oGA
AoG;IACpG,YAAY;QACV,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACzE,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,OAAO;YACL,cAAc,EAAE,KAAK;YACrB,SAAS,EAAE,IAAI,CAAC,KAAK,EAAE;YACvB,SAAS,EAAE,aAAa;YACxB,YAAY;YACZ,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;YACpC,gBAAgB,EAAE,IAAI,CAAC,eAAe;YACtC,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC5B,WAAW,EAAE,UAAU,CAAC,MAAM,CAAC;YAC/B,aAAa,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YAC3D,UAAU,EAAE,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC;YACrF,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;CACF"}
|
|
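--- a/package/dist/sep/canonical.d.ts
+++ b/package/dist/sep/canonical.d.ts
@@ -0,0 +1,28 @@
+/**
+* Canonical JSON for the AGA SEP profile (JCS-profile, sorted-key).
+*
+* Built by STRING CONCATENATION in lexicographic key order — BYTE-IDENTICAL to the normative
+* reference verifier (aga-receipt-spec/verify/verify-sep.mjs §canon) and to the Python/Go
+* stacks (all sort keys lexicographically). It deliberately does NOT route through
+* `JSON.stringify` of a rebuilt object: V8 re-orders integer-like keys NUMERICALLY (own-property
+* enumeration), so `{"22":..,"3":..}` would serialize as 3,22 here but 22,3 (lexicographic)
+* everywhere else — a cross-stack divergence on legitimate data (e.g. a port map in tool args).
+* Concatenation also keeps a "__proto__" key as an ordinary key (injective; no prototype-setter
+* pitfall). `JSON.stringify` is used only for the atomic pieces (keys, string/number/bool/null
+* leaves) so escaping matches JS exactly.
+*
+* Depth-bounded: input nested beyond MAX_CANON_DEPTH throws a CONTROLLED error well before a
+* stack overflow, so emit/verify can fail closed instead of crashing (anti-DoS).
+*/
+export declare const MAX_CANON_DEPTH = 100;
+export declare function canonicalize(obj: unknown): string;
+/**
+* SEP escape hatch (emit-side only): every SIGNED RECEIPT field must be string | boolean | null,
+* never a raw number — so the JCS-profile vs strict-RFC-8785 number-serialization gap can never
+* diverge across language stacks. Verifiers do NOT apply this (they canonicalize whatever is present).
+* Note: the signed checkpoint's `leaf_count` is a deliberate exception — it is a small non-negative
+* integer the reference verifier compares numerically (`cp.leaf_count === receipts.length`), and small
+* integers serialize identically under JSON.stringify and RFC-8785, so it carries no divergence risk.
+*/
+export declare function assertSignedReceiptFieldsAreStrings(obj: Record<string, unknown>, where?: string): void;
+//# sourceMappingURL=canonical.d.ts.map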
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../../src/sep/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,eAAe,MAAM,CAAC;AAWnC,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAUjD;AAED;;;;;;;GAOG;AACH,wBAAgB,mCAAmC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,SAAY,GAAG,IAAI,CAWzG"}
|
|
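--- a/package/dist/sep/canonical.js
+++ b/package/dist/sep/canonical.js
@@ -0,0 +1,62 @@
+/**
+* Canonical JSON for the AGA SEP profile (JCS-profile, sorted-key).
+*
+* Built by STRING CONCATENATION in lexicographic key order — BYTE-IDENTICAL to the normative
+* reference verifier (aga-receipt-spec/verify/verify-sep.mjs §canon) and to the Python/Go
+* stacks (all sort keys lexicographically). It deliberately does NOT route through
+* `JSON.stringify` of a rebuilt object: V8 re-orders integer-like keys NUMERICALLY (own-property
+* enumeration), so `{"22":..,"3":..}` would serialize as 3,22 here but 22,3 (lexicographic)
+* everywhere else — a cross-stack divergence on legitimate data (e.g. a port map in tool args).
+* Concatenation also keeps a "__proto__" key as an ordinary key (injective; no prototype-setter
+* pitfall). `JSON.stringify` is used only for the atomic pieces (keys, string/number/bool/null
+* leaves) so escaping matches JS exactly.
+*
+* Depth-bounded: input nested beyond MAX_CANON_DEPTH throws a CONTROLLED error well before a
+* stack overflow, so emit/verify can fail closed instead of crashing (anti-DoS).
+*/
+export const MAX_CANON_DEPTH = 100;
+/**
+* Lone (unpaired) UTF-16 surrogate detector. A signed string carrying an unpaired surrogate is
+* INVALID Unicode that Go/Python cannot UTF-8-encode (they reject the bundle). JS would otherwise
+* map it to U+FFFD self-consistently and VERIFY — a cross-stack split. Rejecting it here (throw,
+* caught by the verifier's never-throw try/catch -> FAILED) makes all six stacks reject it. Valid
+* surrogate PAIRS (astral chars / emoji) are unaffected.
+*/
+const LONE_SURROGATE = /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/;
+export function canonicalize(obj) {
+const rec = (o, depth) => {
+if (depth > MAX_CANON_DEPTH)
+throw new Error(`canonicalize: input nesting exceeds ${MAX_CANON_DEPTH} levels`);
+if (typeof o === 'string' && LONE_SURROGATE.test(o))
+throw new Error('canonicalize: lone surrogate');
+if (o === null || typeof o !== 'object')
+return JSON.stringify(o);
+if (Array.isArray(o))
+return '[' + o.map((v) => rec(v, depth + 1)).join(',') + ']';
+const m = o;
+return '{' + Object.keys(m).sort().map((k) => JSON.stringify(k) + ':' + rec(m[k], depth + 1)).join(',') + '}';
+};
+return rec(obj, 0);
+}
+/**
+* SEP escape hatch (emit-side only): every SIGNED RECEIPT field must be string | boolean | null,
+* never a raw number — so the JCS-profile vs strict-RFC-8785 number-serialization gap can never
+* diverge across language stacks. Verifiers do NOT apply this (they canonicalize whatever is present).
+* Note: the signed checkpoint's `leaf_count` is a deliberate exception — it is a small non-negative
+* integer the reference verifier compares numerically (`cp.leaf_count === receipts.length`), and small
+* integers serialize identically under JSON.stringify and RFC-8785, so it carries no divergence risk.
+*/
+export function assertSignedReceiptFieldsAreStrings(obj, where = 'receipt') {
+for (const [k, v] of Object.entries(obj)) {
+if (v === null)
+continue;
+const t = typeof v;
+if (t === 'number' || t === 'bigint') {
+throw new Error(`SEP signed-field guard: ${where}.${k} is ${t}; signed receipt fields must be string|boolean|null (emit numbers as strings).`);
+}
+if (t === 'object') {
+throw new Error(`SEP signed-field guard: ${where}.${k} is an object; SEP ${where} fields must be flat scalars.`);
+}
+}
+}
+//# sourceMappingURL=canonical.js.map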
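Review bot: The lone-surrogate rejection in `canonicalize` runs only on string values (`typeof o === 'string'`), while object keys go straight through `JSON.stringify(k)`, so a key carrying an unpaired surrogate is still serialized and the cross-stack split described in the `LONE_SURROGATE` comment remains possible for keys. Adding `if (LONE_SURROGATE.test(k)) throw new Error('canonicalize: lone surrogate');` inside the key mapper would make keys fail closed the same way values do. The leaf branch also returns `JSON.stringify(o)` for `undefined`, functions and symbols, which yields `undefined` rather than a string, so an object with an unset property concatenates to `{"k":undefined}` instead of being rejected or omitted. A guard before that return, `if (o === undefined || typeof o === 'function' || typeof o === 'symbol') throw new Error('canonicalize: unsupported value');`, makes this explicit, provided callers do not rely on passing optional fields through unset (not verifiable from this section). `assertSignedReceiptFieldsAreStrings` has a related gap: its message promises string|boolean|null, but it rejects only numbers, bigints and objects.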
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../src/sep/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,CAAC;AAEnC;;;;;;GAMG;AACH,MAAM,cAAc,GAAG,wEAAwE,CAAC;AAEhG,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,MAAM,GAAG,GAAG,CAAC,CAAU,EAAE,KAAa,EAAU,EAAE;QAChD,IAAI,KAAK,GAAG,eAAe;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,eAAe,SAAS,CAAC,CAAC;QAC9G,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACrG,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;YAAE,OAAO,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QACnF,MAAM,CAAC,GAAG,CAA4B,CAAC;QACvC,OAAO,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAChH,CAAC,CAAC;IACF,OAAO,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mCAAmC,CAAC,GAA4B,EAAE,KAAK,GAAG,SAAS;IACjG,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,CAAC,KAAK,IAAI;YAAE,SAAS;QACzB,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC;QACnB,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,IAAI,CAAC,OAAO,CAAC,gFAAgF,CAAC,CAAC;QACjJ,CAAC;QACD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,IAAI,CAAC,sBAAsB,KAAK,+BAA+B,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
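--- a/package/dist/sep/checkpoint.d.ts
+++ b/package/dist/sep/checkpoint.d.ts
@@ -0,0 +1,15 @@
+import type { SepSigner } from './crypto.js';
+import { type SepReceipt } from './receipt.js';
+export interface SignedCheckpoint {
+algorithm: string;
+gateway_id: string;
+generated_at: string;
+head_leaf_hash: string;
+leaf_count: number;
+merkle_root: string;
+signature: string;
+}
+/** The EXACT canonical field set of a signed SEP checkpoint (strict-schema floor in the verifier). */
+export declare const SEP_CHECKPOINT_FIELDS: readonly ["algorithm", "gateway_id", "generated_at", "head_leaf_hash", "leaf_count", "merkle_root", "signature"];
+export declare function buildCheckpoint(receipts: SepReceipt[], gatewayId: string, generatedAt: string, signer: SepSigner): SignedCheckpoint;
+//# sourceMappingURL=checkpoint.d.ts.map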
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"checkpoint.d.ts","sourceRoot":"","sources":["../../src/sep/checkpoint.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAA2B,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAGxE,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,sGAAsG;AACtG,eAAO,MAAM,qBAAqB,kHAExB,CAAC;AAEX,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,UAAU,EAAE,EACtB,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,SAAS,GAChB,gBAAgB,CAYlB"}
|