@attested-intelligence/aga-mcp-server 2.2.2 → 3.0.0

Files changed (104)
  1. package/DEPLOYMENT.md +111 -0
  2. package/LICENSE +21 -21
  3. package/README.md +59 -47
  4. package/SECURITY.md +59 -0
  5. package/THREAT_BOUNDARY.md +77 -0
  6. package/dist/core/behavioral.d.ts.map +1 -1
  7. package/dist/core/behavioral.js +11 -3
  8. package/dist/core/behavioral.js.map +1 -1
  9. package/dist/core/index.d.ts +0 -2
  10. package/dist/core/index.d.ts.map +1 -1
  11. package/dist/core/index.js +2 -2
  12. package/dist/core/index.js.map +1 -1
  13. package/dist/core/types.d.ts +1 -22
  14. package/dist/core/types.d.ts.map +1 -1
  15. package/dist/crypto/index.d.ts +0 -1
  16. package/dist/crypto/index.d.ts.map +1 -1
  17. package/dist/crypto/index.js +1 -1
  18. package/dist/crypto/index.js.map +1 -1
  19. package/dist/crypto/sign.d.ts.map +1 -1
  20. package/dist/crypto/sign.js +24 -23
  21. package/dist/crypto/sign.js.map +1 -1
  22. package/dist/middleware/governance.d.ts +22 -3
  23. package/dist/middleware/governance.d.ts.map +1 -1
  24. package/dist/middleware/governance.js +36 -28
  25. package/dist/middleware/governance.js.map +1 -1
  26. package/dist/proxy/index.d.ts.map +1 -1
  27. package/dist/proxy/index.js +26 -15
  28. package/dist/proxy/index.js.map +1 -1
  29. package/dist/proxy/server.d.ts +18 -45
  30. package/dist/proxy/server.d.ts.map +1 -1
  31. package/dist/proxy/server.js +77 -131
  32. package/dist/proxy/server.js.map +1 -1
  33. package/dist/sep/bundle.d.ts +60 -0
  34. package/dist/sep/bundle.d.ts.map +1 -0
  35. package/dist/sep/bundle.js +74 -0
  36. package/dist/sep/bundle.js.map +1 -0
  37. package/dist/sep/canonical.d.ts +28 -0
  38. package/dist/sep/canonical.d.ts.map +1 -0
  39. package/dist/sep/canonical.js +62 -0
  40. package/dist/sep/canonical.js.map +1 -0
  41. package/dist/sep/checkpoint.d.ts +15 -0
  42. package/dist/sep/checkpoint.d.ts.map +1 -0
  43. package/dist/sep/checkpoint.js +28 -0
  44. package/dist/sep/checkpoint.js.map +1 -0
  45. package/dist/sep/crypto.d.ts +20 -0
  46. package/dist/sep/crypto.d.ts.map +1 -0
  47. package/dist/sep/crypto.js +104 -0
  48. package/dist/sep/crypto.js.map +1 -0
  49. package/dist/sep/index.d.ts +14 -0
  50. package/dist/sep/index.d.ts.map +1 -0
  51. package/dist/sep/index.js +14 -0
  52. package/dist/sep/index.js.map +1 -0
  53. package/dist/sep/merkle.d.ts +11 -0
  54. package/dist/sep/merkle.d.ts.map +1 -0
  55. package/dist/sep/merkle.js +51 -0
  56. package/dist/sep/merkle.js.map +1 -0
  57. package/dist/sep/receipt.d.ts +64 -0
  58. package/dist/sep/receipt.d.ts.map +1 -0
  59. package/dist/sep/receipt.js +0 -0
  60. package/dist/sep/receipt.js.map +1 -0
  61. package/dist/sep/verify.d.ts +14 -0
  62. package/dist/sep/verify.d.ts.map +1 -0
  63. package/dist/sep/verify.js +158 -0
  64. package/dist/sep/verify.js.map +1 -0
  65. package/dist/server.d.ts.map +1 -1
  66. package/dist/server.js +83 -39
  67. package/dist/server.js.map +1 -1
  68. package/dist/storage/interface.d.ts +1 -4
  69. package/dist/storage/interface.d.ts.map +1 -1
  70. package/dist/storage/memory.d.ts +1 -5
  71. package/dist/storage/memory.d.ts.map +1 -1
  72. package/dist/storage/memory.js +0 -4
  73. package/dist/storage/memory.js.map +1 -1
  74. package/dist/storage/sqlite.d.ts +1 -4
  75. package/dist/storage/sqlite.d.ts.map +1 -1
  76. package/dist/storage/sqlite.js +0 -4
  77. package/dist/storage/sqlite.js.map +1 -1
  78. package/dist/utils/canonical.d.ts.map +1 -1
  79. package/dist/utils/canonical.js +11 -1
  80. package/dist/utils/canonical.js.map +1 -1
  81. package/dist/utils/timestamp.d.ts.map +1 -1
  82. package/dist/utils/timestamp.js +4 -1
  83. package/dist/utils/timestamp.js.map +1 -1
  84. package/dist/utils/uuid.d.ts +1 -0
  85. package/dist/utils/uuid.d.ts.map +1 -1
  86. package/dist/utils/uuid.js +3 -2
  87. package/dist/utils/uuid.js.map +1 -1
  88. package/package.json +87 -93
  89. package/dist/core/bundle.d.ts +0 -20
  90. package/dist/core/bundle.d.ts.map +0 -1
  91. package/dist/core/bundle.js +0 -45
  92. package/dist/core/bundle.js.map +0 -1
  93. package/dist/core/checkpoint.d.ts +0 -8
  94. package/dist/core/checkpoint.d.ts.map +0 -1
  95. package/dist/core/checkpoint.js +0 -21
  96. package/dist/core/checkpoint.js.map +0 -1
  97. package/dist/crypto/merkle.d.ts +0 -8
  98. package/dist/crypto/merkle.d.ts.map +0 -1
  99. package/dist/crypto/merkle.js +0 -42
  100. package/dist/crypto/merkle.js.map +0 -1
  101. package/dist/proxy/verify.d.ts +0 -28
  102. package/dist/proxy/verify.d.ts.map +0 -1
  103. package/dist/proxy/verify.js +0 -182
  104. package/dist/proxy/verify.js.map +0 -1
@@ -15,21 +15,27 @@
15
15
  */
16
16
  import * as net from 'node:net';
17
17
  import { EventEmitter } from 'node:events';
18
- import { generateKeyPair, pkToHex, signStr } from '../crypto/sign.js';
19
- import { bytesToHex, hexToBytes as utilHexToBytes } from '@noble/hashes/utils';
20
- import { sha256 } from '@noble/hashes/sha256';
21
- import { sha256Str } from '../crypto/hash.js';
22
- import { canonicalize } from '../utils/canonical.js';
23
18
  import { evaluate, resetRateLimits } from './evaluator.js';
24
19
  import { StdioBridge } from './stdio-bridge.js';
25
20
  import { PERMISSIVE } from './profiles.js';
26
- import { utcNow } from '../utils/timestamp.js';
27
- import { uuid } from '../utils/uuid.js';
21
+ // ONE canonical evidence engine (src/sep, node:crypto). The proxy no longer carries a
22
+ // parallel receipt/Merkle/canonical/@noble implementation; it records governed decisions
23
+ // through a SepGateway and exports the canonical SEP bundle, verified by the one verifier.
24
+ import { SepGateway, generateSigner, sha256Hex, canonicalize, safeArgumentsHash, } from '../sep/index.js';
25
+ // ── Proxy options ───────────────────────────────────────────
26
+ /** Benign MCP protocol methods forwarded WITHOUT a passthrough receipt (no side effects). */
27
+ export const DEFAULT_PASSTHROUGH_EXCLUDE = [
28
+ 'initialize', 'initialized', 'ping',
29
+ 'tools/list', 'prompts/list', 'resources/list', 'resources/templates/list',
30
+ 'logging/setLevel', 'completion/complete',
31
+ ];
28
32
  export class GovernanceProxy extends EventEmitter {
29
33
  server = null;
30
34
  bridge = null;
31
- // Crypto key - never leaves this process
32
- signingKP;
35
+ // Gateway signing key (node:crypto) never leaves this process.
36
+ signer;
37
+ // Canonical SEP evidence ledger: records + chain + Merkle + mandatory signed checkpoint.
38
+ sep;
33
39
  // State
34
40
  policy;
35
41
  port;
@@ -37,9 +43,8 @@ export class GovernanceProxy extends EventEmitter {
37
43
  upstreamOptions;
38
44
  upstreamUrl;
39
45
  gatewayId;
40
- // Receipt chain
41
- receipts = [];
42
- lastReceiptHash = '';
46
+ passthroughExclude;
47
+ denyMethods;
43
48
  policyHash = '';
44
49
  // Stats
45
50
  stats = { permitted: 0, denied: 0, total: 0, started_at: '' };
@@ -50,13 +55,17 @@ export class GovernanceProxy extends EventEmitter {
50
55
  this.upstreamOptions = options.upstream ?? null;
51
56
  this.upstreamUrl = options.upstreamUrl ?? null;
52
57
  this.gatewayId = options.gatewayId ?? 'aga-proxy';
53
- this.signingKP = generateKeyPair();
58
+ this.passthroughExclude = new Set(options.passthroughExclude ?? DEFAULT_PASSTHROUGH_EXCLUDE);
59
+ this.denyMethods = new Set(options.denyMethods ?? []);
60
+ this.signer = generateSigner().signer;
61
+ this.sep = new SepGateway({ gatewayId: this.gatewayId, signer: this.signer });
54
62
  }
55
63
  // ── Start / Stop ───────────────────────────────────────────
56
64
  async start() {
57
65
  if (this.started)
58
66
  throw new Error('Proxy already running');
59
- this.policyHash = sha256Str(canonicalize(this.policy));
67
+ this.policyHash = sha256Hex(canonicalize(this.policy));
68
+ this.sep.setPolicyReference(this.policyHash);
60
69
  // Start downstream bridge if configured
61
70
  if (this.upstreamOptions) {
62
71
  this.bridge = new StdioBridge(this.upstreamOptions);
@@ -66,6 +75,9 @@ export class GovernanceProxy extends EventEmitter {
66
75
  process.stderr.write(`[aga-proxy] Downstream exited with code ${code}\n`);
67
76
  });
68
77
  }
78
+ if (this.upstreamUrl && !this.bridge) {
79
+ process.stderr.write('[aga-proxy] HTTP upstream mode: the upstream URL is directly reachable — governance is BYPASSABLE unless the agent is network-isolated from it. Prefer stdio upstream. See DEPLOYMENT.md §1.\n');
80
+ }
69
81
  // Start TCP server
70
82
  this.server = net.createServer((socket) => this.handleConnection(socket));
71
83
  await new Promise((resolve, reject) => {
@@ -126,8 +138,23 @@ export class GovernanceProxy extends EventEmitter {
126
138
  }
127
139
  const requestId = parsed.id ?? null;
128
140
  const method = parsed.method;
129
- // Non-tools/call methods: forward transparently
141
+ // Non-tools/call methods: NOT policy-evaluated, but recorded for AUDITABILITY as a signed
142
+ // passthrough receipt so they are visible in the evidence bundle — unless they are benign
143
+ // protocol methods (excluded) or notifications. An optional denylist rejects known side-effecting
144
+ // methods. This buys VISIBILITY, not governance: the method still executes (unless denylisted),
145
+ // and a direct-to-upstream call still bypasses entirely. See THREAT_BOUNDARY.md §3.2.
130
146
  if (method !== 'tools/call') {
147
+ const m = method ?? '';
148
+ const passParams = parsed.params;
149
+ if (m && this.denyMethods.has(m)) {
150
+ const receipt = this.generateReceipt('(passthrough)', 'DENIED', `non-tools/call method on denylist: ${m}`, requestId, passParams, m);
151
+ this.respond(socket, { jsonrpc: '2.0', error: { code: -32600, message: `Method denied by policy: ${m}`, data: { receipt_id: receipt.receipt_id, decision: 'DENIED' } }, id: requestId });
152
+ return;
153
+ }
154
+ const benign = !m || m.startsWith('notifications/') || this.passthroughExclude.has(m);
155
+ if (!benign) {
156
+ this.generateReceipt('(passthrough)', 'PERMITTED', `forwarded, not policy-evaluated: ${m}`, requestId, passParams, m);
157
+ }
131
158
  if (this.bridge) {
132
159
  try {
133
160
  const response = await this.bridge.send(parsed);
@@ -177,9 +204,23 @@ export class GovernanceProxy extends EventEmitter {
177
204
  });
178
205
  return;
179
206
  }
207
+ // Fail-closed: arguments that cannot be canonicalized (depth-bomb / hostile payload) are
208
+ // DENIED and recorded — never silently dropped or forwarded. Done BEFORE policy evaluation
209
+ // so the evaluator never sees an unbounded structure either.
210
+ const { hash: argsHash, ok: argsOk } = safeArgumentsHash(toolArgs);
211
+ if (!argsOk) {
212
+ const receipt = this.generateReceipt(toolName, 'DENIED', 'fail-closed: arguments could not be canonicalized (too deeply nested or invalid)', requestId, undefined, 'tools/call', argsHash);
213
+ this.stats.denied++;
214
+ this.respond(socket, {
215
+ jsonrpc: '2.0',
216
+ error: { code: -32600, message: 'Tool denied: uncanonicalizable arguments', data: { receipt_id: receipt.receipt_id, decision: 'DENIED' } },
217
+ id: requestId,
218
+ });
219
+ return;
220
+ }
180
221
  // Evaluate against policy
181
222
  const decision = evaluate(this.policy, toolName, toolArgs);
182
- const receipt = this.generateReceipt(toolName, decision.allowed ? 'PERMITTED' : 'DENIED', decision.reason, requestId, toolArgs);
223
+ const receipt = this.generateReceipt(toolName, decision.allowed ? 'PERMITTED' : 'DENIED', decision.reason, requestId, toolArgs, 'tools/call', argsHash);
183
224
  if (!decision.allowed) {
184
225
  this.stats.denied++;
185
226
  this.respond(socket, {
@@ -223,102 +264,22 @@ export class GovernanceProxy extends EventEmitter {
223
264
  }
224
265
  }
225
266
  // ── Receipt generation (Ed25519-SHA256-JCS canonical format) ─
226
- generateReceipt(toolName, decision, reason, requestId, toolArgs) {
227
- const pubKeyHex = pkToHex(this.signingKP.publicKey);
228
- // Arguments hash tri-state per spec Section 3.5
229
- let argumentsHash;
230
- if (toolArgs === undefined) {
231
- argumentsHash = '';
232
- }
233
- else {
234
- argumentsHash = sha256Str(canonicalize(toolArgs));
235
- }
236
- const unsigned = {
237
- receipt_id: uuid(),
238
- receipt_version: '1.0',
239
- algorithm: 'Ed25519-SHA256-JCS',
240
- timestamp: utcNow(),
241
- request_id: requestId,
242
- method: 'tools/call',
267
+ /** Record a governed decision as a canonical SEP receipt via the shared engine. */
268
+ generateReceipt(toolName, decision, reason, requestId, toolArgs, method = 'tools/call', argsHashOverride) {
269
+ // SepGateway owns canonicalization, the arguments_hash tri-state, request_id coercion
270
+ // (string|null), chain linkage, and signing — one source of truth for receipt construction.
271
+ // safeArgumentsHash never throws (depth-bomb -> sentinel), so recording can never crash and
272
+ // silently drop a governed decision; callers may pass a precomputed hash to avoid re-hashing.
273
+ const argumentsHash = argsHashOverride ?? safeArgumentsHash(toolArgs).hash;
274
+ return this.sep.record({
243
275
  tool_name: toolName,
244
276
  decision,
245
277
  reason,
278
+ request_id: requestId,
279
+ method,
280
+ argumentsHash,
246
281
  policy_reference: this.policyHash,
247
- arguments_hash: argumentsHash,
248
- previous_receipt_hash: this.lastReceiptHash,
249
- gateway_id: this.gatewayId,
250
- public_key: pubKeyHex,
251
- };
252
- const sig = signStr(canonicalize(unsigned), this.signingKP.secretKey);
253
- const receipt = { ...unsigned, signature: bytesToHex(sig) };
254
- this.receipts.push(receipt);
255
- this.lastReceiptHash = sha256Str(canonicalize(receipt));
256
- return receipt;
257
- }
258
- // ── Merkle tree (binary, odd-node promotion, binary concat) ─
259
- merkleNodeHash(leftHex, rightHex) {
260
- const left = utilHexToBytes(leftHex);
261
- const right = utilHexToBytes(rightHex);
262
- const combined = new Uint8Array(left.length + right.length);
263
- combined.set(left, 0);
264
- combined.set(right, left.length);
265
- return bytesToHex(sha256(combined));
266
- }
267
- computeMerkleRoot(leaves) {
268
- if (leaves.length === 0)
269
- return '';
270
- if (leaves.length === 1)
271
- return leaves[0];
272
- let level = [...leaves];
273
- while (level.length > 1) {
274
- const next = [];
275
- for (let i = 0; i < level.length; i += 2) {
276
- if (i + 1 < level.length) {
277
- next.push(this.merkleNodeHash(level[i], level[i + 1]));
278
- }
279
- else {
280
- next.push(level[i]);
281
- }
282
- }
283
- level = next;
284
- }
285
- return level[0];
286
- }
287
- computeMerkleProof(leaves, leafIndex) {
288
- const siblings = [];
289
- const directions = [];
290
- let level = [...leaves];
291
- let idx = leafIndex;
292
- while (level.length > 1) {
293
- const next = [];
294
- for (let i = 0; i < level.length; i += 2) {
295
- if (i + 1 < level.length) {
296
- next.push(this.merkleNodeHash(level[i], level[i + 1]));
297
- }
298
- else {
299
- next.push(level[i]);
300
- }
301
- }
302
- if (idx % 2 === 0) {
303
- if (idx + 1 < level.length) {
304
- siblings.push(level[idx + 1]);
305
- directions.push('right');
306
- }
307
- }
308
- else {
309
- siblings.push(level[idx - 1]);
310
- directions.push('left');
311
- }
312
- idx = Math.floor(idx / 2);
313
- level = next;
314
- }
315
- return {
316
- leaf_hash: leaves[leafIndex],
317
- leaf_index: leafIndex,
318
- siblings,
319
- directions,
320
- merkle_root: level[0],
321
- };
282
+ });
322
283
  }
323
284
  // ── HTTP forwarding ────────────────────────────────────────
324
285
  async forwardHttp(body, socket, requestId) {
@@ -348,41 +309,26 @@ export class GovernanceProxy extends EventEmitter {
348
309
  // ── Public API ─────────────────────────────────────────────
349
310
  async switchPolicy(newPolicy) {
350
311
  this.policy = newPolicy;
351
- this.policyHash = sha256Str(canonicalize(newPolicy));
312
+ this.policyHash = sha256Hex(canonicalize(newPolicy));
313
+ this.sep.setPolicyReference(this.policyHash);
352
314
  resetRateLimits();
353
315
  this.emit('policy_switched');
354
316
  }
317
+ /** Export the canonical SEP evidence bundle (receipts + Merkle proofs + signed checkpoint). */
355
318
  exportBundle() {
356
- if (this.receipts.length === 0)
357
- throw new Error('No receipts');
358
- const leafHashes = this.receipts.map(r => sha256Str(canonicalize(r)));
359
- const root = this.computeMerkleRoot(leafHashes);
360
- const proofs = leafHashes.map((_, i) => this.computeMerkleProof(leafHashes, i));
361
- return {
362
- schema_version: '1.0',
363
- bundle_id: uuid(),
364
- algorithm: 'Ed25519-SHA256-JCS',
365
- generated_at: utcNow(),
366
- gateway_id: this.gatewayId,
367
- public_key: pkToHex(this.signingKP.publicKey),
368
- policy_reference: this.policyHash,
369
- receipts: this.receipts,
370
- merkle_root: root,
371
- merkle_proofs: proofs,
372
- offline_capable: true,
373
- };
319
+ return this.sep.exportBundle();
374
320
  }
375
321
  getStatus() {
376
322
  return {
377
323
  running: this.started,
378
324
  port: this.port,
379
325
  policy_mode: this.policy.mode,
380
- receipt_count: this.receipts.length,
326
+ receipt_count: this.sep.count,
381
327
  ...this.stats,
382
- public_key: pkToHex(this.signingKP.publicKey),
328
+ public_key: this.signer.publicKeyHex,
383
329
  };
384
330
  }
385
- getPublicKey() { return pkToHex(this.signingKP.publicKey); }
386
- getReceipts() { return this.receipts; }
331
+ getPublicKey() { return this.signer.publicKeyHex; }
332
+ getReceipts() { return [...this.sep.getReceipts()]; }
387
333
  }
388
334
  //# sourceMappingURL=server.js.map
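Review bot: The passthrough branch (new lines 147–157) records a `PERMITTED` receipt and forwards the request even when `params` cannot be canonicalized, because `generateReceipt` (new line 273) keeps only `.hash` from `safeArgumentsHash(toolArgs)` and drops `ok`. The `tools/call` path at new lines 210–220 denies exactly that case, so the two paths disagree, and a passthrough receipt can carry the sentinel hash instead of a digest of the params that were actually forwarded, which is weak evidence for an auditor. I would check `ok` in the passthrough branch too and deny with a recorded receipt, as sketched below; whether the excluded benign methods should get the same check is a design call. Separately, `m.startsWith('notifications/')` at new line 154 assumes `method` is a string, so unless that is validated before the hunk, a `typeof method === 'string'` guard belongs ahead of it. The enclosing message handler starts and ends outside the hunks shown.

```javascript
const benign = !m || m.startsWith('notifications/') || this.passthroughExclude.has(m);
if (!benign) {
    // Fail closed like the tools/call path: never forward params the receipt cannot bind to.
    const { hash: passHash, ok: passOk } = safeArgumentsHash(passParams);
    if (!passOk) {
        const receipt = this.generateReceipt('(passthrough)', 'DENIED', `fail-closed: params could not be canonicalized: ${m}`, requestId, undefined, m, passHash);
        this.respond(socket, { jsonrpc: '2.0', error: { code: -32600, message: `Method denied: uncanonicalizable params: ${m}`, data: { receipt_id: receipt.receipt_id, decision: 'DENIED' } }, id: requestId });
        return;
    }
    this.generateReceipt('(passthrough)', 'PERMITTED', `forwarded, not policy-evaluated: ${m}`, requestId, passParams, m, passHash);
}
// … unchanged: forwarding to the stdio bridge or HTTP upstream …
```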
@@ -1 +1 @@
1
- {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,UAAU,IAAI,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAwDxC,MAAM,OAAO,eAAgB,SAAQ,YAAY;IACvC,MAAM,GAAsB,IAAI,CAAC;IACjC,MAAM,GAAuB,IAAI,CAAC;IAE1C,yCAAyC;IACjC,SAAS,CAAU;IAE3B,QAAQ;IACA,MAAM,CAAa;IACnB,IAAI,CAAS;IACb,OAAO,GAAG,KAAK,CAAC;IAChB,eAAe,CAA4B;IAC3C,WAAW,CAAgB;IAC3B,SAAS,CAAS;IAE1B,gBAAgB;IACR,QAAQ,GAAwB,EAAE,CAAC;IACnC,eAAe,GAAW,EAAE,CAAC;IAC7B,UAAU,GAAW,EAAE,CAAC;IAEhC,QAAQ;IACA,KAAK,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAEtE,YAAY,UAA8B,EAAE;QAC1C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;IACrC,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAE3D,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAEvD,wCAAwC;QACxC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,M
AAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACjD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,8DAA8D;IAEtD,gBAAgB,CAAC,MAAkB;QACzC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO;oBAAE,SAAS;gBACvB,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,IAAI,CAAC,CAAC;gBACvE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA6B,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,MAAkB;QACzD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;
QAAC,MAAM,CAAC;YACP,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACpG,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,sCAAsC,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7H,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAI,MAAM,CAAC,EAA6B,IAAI,IAAI,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,CAAC,MAA4B,CAAC;QAEnD,gDAAgD;QAChD,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;wBACnB,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;wBAC5D,EAAE,EAAE,SAAS;qBACd,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBAC1D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;YACD,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1D,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,iBAAiB,CAC7B,MAA+B,EAC/B,MAAkB,EAClB,SAAiC;QAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAA6C,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,EAAE,IAA0B,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAgD,CAAC;QAE1E,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAEnB,4BAA4B;QAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,0CAA0C,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YAC5H,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,mBAAmB;oBAC5B,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAC7D;gB
ACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAClC,QAAQ,EACR,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EACzC,QAAQ,CAAC,MAAM,EACf,SAAS,EACT,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,gBAAgB,QAAQ,CAAC,MAAM,EAAE;oBAC1C,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE;iBACtF;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAEvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;oBAC5D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;iBACvH;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gEAAgE;IAExD,eAAe,CACrB,QAAgB,EAChB,QAAgC,EAChC,MAAc,EACd,SAAiC,EACjC,QAA6C;QAE7C,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAEpD,gDAAgD;QAChD,IAAI,aAAqB,CAAC;QAC1B,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,aAAa,GAAG,EAAE,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG;YACf,UAAU,EAAE,IAAI,EAAE;YAClB,eAAe,EAAE
,KAAK;YACtB,SAAS,EAAE,oBAAoB;YAC/B,SAAS,EAAE,MAAM,EAAE;YACnB,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,YAAY;YACpB,SAAS,EAAE,QAAQ;YACnB,QAAQ;YACR,MAAM;YACN,gBAAgB,EAAE,IAAI,CAAC,UAAU;YACjC,cAAc,EAAE,aAAa;YAC7B,qBAAqB,EAAE,IAAI,CAAC,eAAe;YAC3C,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,SAAS;SACtB,CAAC;QAEF,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtE,MAAM,OAAO,GAAsB,EAAE,GAAG,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAE/E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;QAExD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,+DAA+D;IAEvD,cAAc,CAAC,OAAe,EAAE,QAAgB;QACtD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACtB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,OAAO,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtC,CAAC;IAEO,iBAAiB,CAAC,MAAgB;QACxC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAEO,kBAAkB,CAAC,MAAgB,EAAE,SAAiB;QAC5D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAyB,EAAE,CAAC;QAC5C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;QACxB,IAAI,GAAG,GAAG,SAAS,CAAC;QAEpB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,CAA
C,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBACzD,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClB,IAAI,GAAG,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;oBAC9B,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;gBAC9B,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;YACD,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YAC1B,KAAK,GAAG,IAAI,CAAC;QACf,CAAC;QAED,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;YAC5B,UAAU,EAAE,SAAS;YACrB,QAAQ;YACR,UAAU;YACV,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;SACtB,CAAC;IACJ,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,MAAkB,EAAE,SAAiC;QAC3F,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,WAAY,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI;aACL,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAA+B,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,GAAG,EAAE,EAAE;gBAC/D,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8DAA8D;IAEtD,OAAO,CAAC,MAAkB,EAAE,GAA4B;QAC9D,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,YAAY,CAAC,SAAqB;QACtC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;QACrD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC/B,CAAC;IAED,YAAY;QACV,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;QAE/
D,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;QAEhF,OAAO;YACL,cAAc,EAAE,KAAK;YACrB,SAAS,EAAE,IAAI,EAAE;YACjB,SAAS,EAAE,oBAAoB;YAC/B,YAAY,EAAE,MAAM,EAAE;YACtB,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;YAC7C,gBAAgB,EAAE,IAAI,CAAC,UAAU;YACjC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI;YACjB,aAAa,EAAE,MAAM;YACrB,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;IAED,SAAS;QACP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YACnC,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;SAC9C,CAAC;IACJ,CAAC;IAED,YAAY,KAAa,OAAO,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACpE,WAAW,KAA0B,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;CAC7D"}
1
+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAE3C,sFAAsF;AACtF,yFAAyF;AACzF,2FAA2F;AAC3F,OAAO,EACL,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,YAAY,EAAE,iBAAiB,GAEvE,MAAM,iBAAiB,CAAC;AAOzB,+DAA+D;AAE/D,6FAA6F;AAC7F,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,YAAY,EAAE,aAAa,EAAE,MAAM;IACnC,YAAY,EAAE,cAAc,EAAE,gBAAgB,EAAE,0BAA0B;IAC1E,kBAAkB,EAAE,qBAAqB;CAC1C,CAAC;AAcF,MAAM,OAAO,eAAgB,SAAQ,YAAY;IACvC,MAAM,GAAsB,IAAI,CAAC;IACjC,MAAM,GAAuB,IAAI,CAAC;IAE1C,iEAAiE;IACzD,MAAM,CAAY;IAC1B,yFAAyF;IACjF,GAAG,CAAa;IAExB,QAAQ;IACA,MAAM,CAAa;IACnB,IAAI,CAAS;IACb,OAAO,GAAG,KAAK,CAAC;IAChB,eAAe,CAA4B;IAC3C,WAAW,CAAgB;IAC3B,SAAS,CAAS;IAClB,kBAAkB,CAAc;IAChC,WAAW,CAAc;IAEzB,UAAU,GAAW,EAAE,CAAC;IAEhC,QAAQ;IACA,KAAK,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAEtE,YAAY,UAA8B,EAAE;QAC1C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC;QAClD,IAAI,CAAC,kBAAkB,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,IAAI,2BAA2B,CAAC,CAAC;QAC7F,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC,MAAM,CAAC;QACtC,IAAI,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAE3D,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE7C,wCAAwC;QACxC,IA
AI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,IAAI,IAAI,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gMAAgM,CAAC,CAAC;QACzN,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACjD,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAE1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,8DAA8D;IAEtD,gBAAgB,CAAC,MAAkB;QACzC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO;oBAA
E,SAAS;gBACvB,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,IAAI,CAAC,CAAC;gBACvE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,GAA6B,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,MAAkB;QACzD,IAAI,MAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACpG,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,sCAAsC,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7H,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAI,MAAM,CAAC,EAA6B,IAAI,IAAI,CAAC;QAChE,MAAM,MAAM,GAAG,MAAM,CAAC,MAA4B,CAAC;QAEnD,0FAA0F;QAC1F,0FAA0F;QAC1F,kGAAkG;QAClG,gGAAgG;QAChG,sFAAsF;QACtF,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,MAAM,IAAI,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,MAAM,CAAC,MAA6C,CAAC;YACxE,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,QAAQ,EAAE,sCAAsC,CAAC,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;gBACrI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,4BAA4B,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;gBACzL,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACtF,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,WAAW,EAAE,oCAAoC,CAAC,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;YACxH,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,C
AAC;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;wBACnB,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;wBAC5D,EAAE,EAAE,SAAS;qBACd,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBAC1D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;YACD,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1D,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,iBAAiB,CAC7B,MAA+B,EAC/B,MAAkB,EAClB,SAAiC;QAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAA6C,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,EAAE,IAA0B,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAgD,CAAC;QAE1E,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAEnB,4BAA4B;QAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,EAAE,0CAA0C,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YAC5H,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,mBAAmB;oBAC5B,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAC7D;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,yFAAyF;QACzF,2FAA2F;QAC3F,6DAA6D;QAC7D,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACnE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,kFAAkF,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAC3L,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,0CAA0C,EAAE,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE;gBAC1I,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,OAAO,GAA
G,IAAI,CAAC,eAAe,CAClC,QAAQ,EACR,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EACzC,QAAQ,CAAC,MAAM,EACf,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,QAAQ,CACT,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,gBAAgB,QAAQ,CAAC,MAAM,EAAE;oBAC1C,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE;iBACtF;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAEvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,qBAAqB,GAAG,EAAE,EAAE;oBAC5D,EAAE,EAAE,SAAS;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE;oBACN,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;iBACvH;gBACD,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gEAAgE;IAEhE,mFAAmF;IAC3E,eAAe,CACrB,QAAgB,EAChB,QAAgC,EAChC,MAAc,EACd,SAAiC,EACjC,QAA6C,EAC7C,SAAiB,YAAY,EAC7B,gBAAyB;QAEzB,sFAAsF;QACtF,4FAA4F;QAC5F,4FAA4F;QAC5F,8FAA8F;QAC9F,MAAM,aAAa,GAAG,gBAAgB,IAAI,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;QAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC;YACrB,SAAS,EAAE,QAAQ;YACnB,QAAQ;YACR,MAAM;YACN,UAAU,EAAE,SAAS;YACrB,MAAM;YACN,aAAa;YACb,gBAAgB,EAAE,IAAI,CAAC,UAAU;SAClC,CAAC,CAAC;IACL,CAAC;IAED,8DAA8D;IAEtD,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,MAAkB,EAAE,SAAiC;QAC3F,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAA
M,KAAK,CAAC,IAAI,CAAC,WAAY,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI;aACL,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAA+B,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE;gBACnB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,GAAG,EAAE,EAAE;gBAC/D,EAAE,EAAE,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8DAA8D;IAEtD,OAAO,CAAC,MAAkB,EAAE,GAA4B;QAC9D,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,8DAA8D;IAE9D,KAAK,CAAC,YAAY,CAAC,SAAqB;QACtC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,eAAe,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC/B,CAAC;IAED,+FAA+F;IAC/F,YAAY;QACV,OAAO,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;IACjC,CAAC;IAED,SAAS;QACP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC7B,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK;YAC7B,GAAG,IAAI,CAAC,KAAK;YACb,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;SACrC,CAAC;IACJ,CAAC;IAED,YAAY,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAC3D,WAAW,KAAmB,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;CACpE"}
@@ -0,0 +1,60 @@
1
+ /**
2
+ * SEP Evidence Bundle + the stateful SepGateway that the MCP server tools and the proxy
3
+ * both build on. Single source of truth for evidence construction (CANONICAL_CONSTRUCTION_v2.md).
4
+ */
5
+ import type { SepSigner } from './crypto.js';
6
+ import { type SepReceipt, type Decision } from './receipt.js';
7
+ import { type MerkleProof } from './merkle.js';
8
+ import { type SignedCheckpoint } from './checkpoint.js';
9
+ export interface SepBundle {
10
+ schema_version: string;
11
+ bundle_id: string;
12
+ algorithm: string;
13
+ generated_at: string;
14
+ gateway_id: string;
15
+ public_key: string;
16
+ policy_reference: string;
17
+ receipts: SepReceipt[];
18
+ merkle_root: string;
19
+ merkle_proofs: MerkleProof[];
20
+ checkpoint: SignedCheckpoint;
21
+ offline_capable: boolean;
22
+ }
23
+ export interface SepGatewayOptions {
24
+ gatewayId: string;
25
+ signer: SepSigner;
26
+ policyReference?: string;
27
+ /** Injectable for deterministic tests; defaults to wall clock / random UUID. */
28
+ clock?: () => string;
29
+ idGen?: () => string;
30
+ }
31
+ export interface RecordInput {
32
+ tool_name: string;
33
+ decision: Decision;
34
+ reason: string;
35
+ arguments?: unknown;
36
+ argumentsHash?: string;
37
+ request_id?: string | number | null;
38
+ method?: string;
39
+ policy_reference?: string;
40
+ }
41
+ export declare class SepGateway {
42
+ private readonly gatewayId;
43
+ private readonly signer;
44
+ private policyReference;
45
+ private readonly clock;
46
+ private readonly idGen;
47
+ private readonly receipts;
48
+ private lastLeaf;
49
+ private lastTimestamp;
50
+ constructor(opts: SepGatewayOptions);
51
+ get publicKeyHex(): string;
52
+ get count(): number;
53
+ setPolicyReference(ref: string): void;
54
+ getReceipts(): readonly SepReceipt[];
55
+ /** Record a governed tool-call decision as a signed, chained SEP receipt. */
56
+ record(input: RecordInput): SepReceipt;
57
+ /** Assemble the canonical SEP evidence bundle (receipts + merkle + mandatory signed checkpoint). */
58
+ exportBundle(): SepBundle;
59
+ }
60
+ //# sourceMappingURL=bundle.d.ts.map
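Review bot: `SepGatewayOptions.clock` is typed only as `() => string`, but `record()` in bundle.js orders timestamps with a plain string comparison (`now >= this.lastTimestamp`), so an injected clock that returns an offset form or a different fractional precision would silently defeat the monotonic clamp. The declaration should state that contract on `clock`, e.g. `/** Must return a fixed-width ISO-8601 UTC string (the format of Date.prototype.toISOString); record() compares timestamps as strings. */`, and `idGen` should get its own comment because the existing one is attached to `clock` alone. `RecordInput` also leaves undocumented what happens when both `arguments` and `argumentsHash` are supplied; which of the two the receipt binds is decided in `buildReceipt`, outside this page, so a one-line comment stating the precedence would help callers avoid recording a hash that does not match the arguments. These comments belong in the file the declaration was emitted from, src/sep/bundle.ts according to the source map.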
@@ -0,0 +1 @@
1
+ {"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../../src/sep/bundle.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EAEL,KAAK,UAAU,EAAE,KAAK,QAAQ,EAC/B,MAAM,cAAc,CAAC;AACtB,OAAO,EAA2B,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAmB,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEzE,MAAM,WAAW,SAAS;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,WAAW,EAAE,CAAC;IAC7B,UAAU,EAAE,gBAAgB,CAAC;IAC7B,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gFAAgF;IAChF,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoB;IAC7C,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,aAAa,CAAM;gBAEf,IAAI,EAAE,iBAAiB;IAQnC,IAAI,YAAY,IAAI,MAAM,CAAqC;IAC/D,IAAI,KAAK,IAAI,MAAM,CAAiC;IACpD,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IACrC,WAAW,IAAI,SAAS,UAAU,EAAE;IAEpC,6EAA6E;IAC7E,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,UAAU;IA2BtC,oGAAoG;IACpG,YAAY,IAAI,SAAS;CAmB1B"}
@@ -0,0 +1,74 @@
1
+ import { newId } from './crypto.js';
2
+ import { SEP_ALGORITHM, buildReceipt, leafHash, } from './receipt.js';
3
+ import { merkleRoot, merkleProof } from './merkle.js';
4
+ import { buildCheckpoint } from './checkpoint.js';
5
+ export class SepGateway {
6
+ gatewayId;
7
+ signer;
8
+ policyReference;
9
+ clock;
10
+ idGen;
11
+ receipts = [];
12
+ lastLeaf = '';
13
+ lastTimestamp = '';
14
+ constructor(opts) {
15
+ this.gatewayId = opts.gatewayId;
16
+ this.signer = opts.signer;
17
+ this.policyReference = opts.policyReference ?? '';
18
+ this.clock = opts.clock ?? (() => new Date().toISOString());
19
+ this.idGen = opts.idGen ?? (() => newId('rcpt'));
20
+ }
21
+ get publicKeyHex() { return this.signer.publicKeyHex; }
22
+ get count() { return this.receipts.length; }
23
+ setPolicyReference(ref) { this.policyReference = ref; }
24
+ getReceipts() { return [...this.receipts]; }
25
+ /** Record a governed tool-call decision as a signed, chained SEP receipt. */
26
+ record(input) {
27
+ // Monotonic timestamp: if the wall clock steps backward (NTP correction, VM migration),
28
+ // clamp to the previous receipt's timestamp so the exported bundle always satisfies the
29
+ // verifier's non-decreasing-timestamp check — a legitimately-recorded decision must never
30
+ // land in a permanently-unverifiable bundle. ISO-8601 UTC strings compare chronologically.
31
+ const now = this.clock();
32
+ const timestamp = now >= this.lastTimestamp ? now : this.lastTimestamp;
33
+ const receipt = buildReceipt({
34
+ receipt_id: this.idGen(),
35
+ timestamp,
36
+ request_id: input.request_id ?? null,
37
+ method: input.method,
38
+ tool_name: input.tool_name,
39
+ decision: input.decision,
40
+ reason: input.reason,
41
+ policy_reference: input.policy_reference ?? this.policyReference,
42
+ arguments: input.arguments,
43
+ argumentsHash: input.argumentsHash,
44
+ previous_receipt_hash: this.lastLeaf,
45
+ gateway_id: this.gatewayId,
46
+ }, this.signer);
47
+ this.receipts.push(receipt);
48
+ this.lastLeaf = leafHash(receipt);
49
+ this.lastTimestamp = timestamp;
50
+ return receipt;
51
+ }
52
+ /** Assemble the canonical SEP evidence bundle (receipts + merkle + mandatory signed checkpoint). */
53
+ exportBundle() {
54
+ if (this.receipts.length === 0)
55
+ throw new Error('No receipts to export');
56
+ const leaves = this.receipts.map(leafHash);
57
+ const generated_at = this.clock();
58
+ return {
59
+ schema_version: '2.0',
60
+ bundle_id: this.idGen(),
61
+ algorithm: SEP_ALGORITHM,
62
+ generated_at,
63
+ gateway_id: this.gatewayId,
64
+ public_key: this.signer.publicKeyHex,
65
+ policy_reference: this.policyReference,
66
+ receipts: [...this.receipts],
67
+ merkle_root: merkleRoot(leaves),
68
+ merkle_proofs: leaves.map((_, i) => merkleProof(leaves, i)),
69
+ checkpoint: buildCheckpoint(this.receipts, this.gatewayId, generated_at, this.signer),
70
+ offline_capable: true,
71
+ };
72
+ }
73
+ }
74
+ //# sourceMappingURL=bundle.js.map
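Review bot: `exportBundle()` takes `generated_at` straight from `this.clock()` without the backward-step clamp that `record()` applies, so after a clock correction the bundle and its signed checkpoint can carry a `generated_at` earlier than the last receipt's timestamp. Whether the verifier compares the checkpoint time with receipt timestamps is not visible here, but the goal stated in `record()` of never producing an unverifiable bundle suggests applying the same rule: `const now = this.clock();` followed by `const generated_at = now >= this.lastTimestamp ? now : this.lastTimestamp;`. Separately, every export builds a Merkle proof for each leaf and `receipts` grows without bound, so a long-running gateway would benefit from a documented cap or rotation point.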
@@ -0,0 +1 @@
1
+ {"version":3,"file":"bundle.js","sourceRoot":"","sources":["../../src/sep/bundle.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACpC,OAAO,EACL,aAAa,EAAE,YAAY,EAAE,QAAQ,GAEtC,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAoB,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,eAAe,EAAyB,MAAM,iBAAiB,CAAC;AAqCzE,MAAM,OAAO,UAAU;IACJ,SAAS,CAAS;IAClB,MAAM,CAAY;IAC3B,eAAe,CAAS;IACf,KAAK,CAAe;IACpB,KAAK,CAAe;IACpB,QAAQ,GAAiB,EAAE,CAAC;IACrC,QAAQ,GAAG,EAAE,CAAC;IACd,aAAa,GAAG,EAAE,CAAC;IAE3B,YAAY,IAAuB;QACjC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,EAAE,CAAC;QAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,YAAY,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAC/D,IAAI,KAAK,KAAa,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpD,kBAAkB,CAAC,GAAW,IAAU,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC;IACrE,WAAW,KAA4B,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAEnE,6EAA6E;IAC7E,MAAM,CAAC,KAAkB;QACvB,wFAAwF;QACxF,wFAAwF;QACxF,0FAA0F;QAC1F,2FAA2F;QAC3F,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC;QACvE,MAAM,OAAO,GAAG,YAAY,CAAC;YAC3B,UAAU,EAAE,IAAI,CAAC,KAAK,EAAE;YACxB,SAAS;YACT,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACpC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,IAAI,IAAI,CAAC,eAAe;YAChE,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,qBAAqB,EAAE,IAAI,CAAC,QAAQ;YACpC,UAAU,EAAE,IAAI,CAAC,SAAS;SAC3B,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAChB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;QAC/B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,o
GAAoG;IACpG,YAAY;QACV,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACzE,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,OAAO;YACL,cAAc,EAAE,KAAK;YACrB,SAAS,EAAE,IAAI,CAAC,KAAK,EAAE;YACvB,SAAS,EAAE,aAAa;YACxB,YAAY;YACZ,UAAU,EAAE,IAAI,CAAC,SAAS;YAC1B,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;YACpC,gBAAgB,EAAE,IAAI,CAAC,eAAe;YACtC,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC5B,WAAW,EAAE,UAAU,CAAC,MAAM,CAAC;YAC/B,aAAa,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YAC3D,UAAU,EAAE,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC;YACrF,eAAe,EAAE,IAAI;SACtB,CAAC;IACJ,CAAC;CACF"}
@@ -0,0 +1,28 @@
1
+ /**
2
+ * Canonical JSON for the AGA SEP profile (JCS-profile, sorted-key).
3
+ *
4
+ * Built by STRING CONCATENATION in lexicographic key order — BYTE-IDENTICAL to the normative
5
+ * reference verifier (aga-receipt-spec/verify/verify-sep.mjs §canon) and to the Python/Go
6
+ * stacks (all sort keys lexicographically). It deliberately does NOT route through
7
+ * `JSON.stringify` of a rebuilt object: V8 re-orders integer-like keys NUMERICALLY (own-property
8
+ * enumeration), so `{"22":..,"3":..}` would serialize as 3,22 here but 22,3 (lexicographic)
9
+ * everywhere else — a cross-stack divergence on legitimate data (e.g. a port map in tool args).
10
+ * Concatenation also keeps a "__proto__" key as an ordinary key (injective; no prototype-setter
11
+ * pitfall). `JSON.stringify` is used only for the atomic pieces (keys, string/number/bool/null
12
+ * leaves) so escaping matches JS exactly.
13
+ *
14
+ * Depth-bounded: input nested beyond MAX_CANON_DEPTH throws a CONTROLLED error well before a
15
+ * stack overflow, so emit/verify can fail closed instead of crashing (anti-DoS).
16
+ */
17
+ export declare const MAX_CANON_DEPTH = 100;
18
+ export declare function canonicalize(obj: unknown): string;
19
+ /**
20
+ * SEP escape hatch (emit-side only): every SIGNED RECEIPT field must be string | boolean | null,
21
+ * never a raw number — so the JCS-profile vs strict-RFC-8785 number-serialization gap can never
22
+ * diverge across language stacks. Verifiers do NOT apply this (they canonicalize whatever is present).
23
+ * Note: the signed checkpoint's `leaf_count` is a deliberate exception — it is a small non-negative
24
+ * integer the reference verifier compares numerically (`cp.leaf_count === receipts.length`), and small
25
+ * integers serialize identically under JSON.stringify and RFC-8785, so it carries no divergence risk.
26
+ */
27
+ export declare function assertSignedReceiptFieldsAreStrings(obj: Record<string, unknown>, where?: string): void;
28
+ //# sourceMappingURL=canonical.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../../src/sep/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,eAAe,MAAM,CAAC;AAWnC,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAUjD;AAED;;;;;;;GAOG;AACH,wBAAgB,mCAAmC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,SAAY,GAAG,IAAI,CAWzG"}
@@ -0,0 +1,62 @@
1
+ /**
2
+ * Canonical JSON for the AGA SEP profile (JCS-profile, sorted-key).
3
+ *
4
+ * Built by STRING CONCATENATION in lexicographic key order — BYTE-IDENTICAL to the normative
5
+ * reference verifier (aga-receipt-spec/verify/verify-sep.mjs §canon) and to the Python/Go
6
+ * stacks (all sort keys lexicographically). It deliberately does NOT route through
7
+ * `JSON.stringify` of a rebuilt object: V8 re-orders integer-like keys NUMERICALLY (own-property
8
+ * enumeration), so `{"22":..,"3":..}` would serialize as 3,22 here but 22,3 (lexicographic)
9
+ * everywhere else — a cross-stack divergence on legitimate data (e.g. a port map in tool args).
10
+ * Concatenation also keeps a "__proto__" key as an ordinary key (injective; no prototype-setter
11
+ * pitfall). `JSON.stringify` is used only for the atomic pieces (keys, string/number/bool/null
12
+ * leaves) so escaping matches JS exactly.
13
+ *
14
+ * Depth-bounded: input nested beyond MAX_CANON_DEPTH throws a CONTROLLED error well before a
15
+ * stack overflow, so emit/verify can fail closed instead of crashing (anti-DoS).
16
+ */
17
+ export const MAX_CANON_DEPTH = 100;
18
+ /**
19
+ * Lone (unpaired) UTF-16 surrogate detector. A signed string carrying an unpaired surrogate is
20
+ * INVALID Unicode that Go/Python cannot UTF-8-encode (they reject the bundle). JS would otherwise
21
+ * map it to U+FFFD self-consistently and VERIFY — a cross-stack split. Rejecting it here (throw,
22
+ * caught by the verifier's never-throw try/catch -> FAILED) makes all six stacks reject it. Valid
23
+ * surrogate PAIRS (astral chars / emoji) are unaffected.
24
+ */
25
+ const LONE_SURROGATE = /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/;
26
+ export function canonicalize(obj) {
27
+ const rec = (o, depth) => {
28
+ if (depth > MAX_CANON_DEPTH)
29
+ throw new Error(`canonicalize: input nesting exceeds ${MAX_CANON_DEPTH} levels`);
30
+ if (typeof o === 'string' && LONE_SURROGATE.test(o))
31
+ throw new Error('canonicalize: lone surrogate');
32
+ if (o === null || typeof o !== 'object')
33
+ return JSON.stringify(o);
34
+ if (Array.isArray(o))
35
+ return '[' + o.map((v) => rec(v, depth + 1)).join(',') + ']';
36
+ const m = o;
37
+ return '{' + Object.keys(m).sort().map((k) => JSON.stringify(k) + ':' + rec(m[k], depth + 1)).join(',') + '}';
38
+ };
39
+ return rec(obj, 0);
40
+ }
41
+ /**
42
+ * SEP escape hatch (emit-side only): every SIGNED RECEIPT field must be string | boolean | null,
43
+ * never a raw number — so the JCS-profile vs strict-RFC-8785 number-serialization gap can never
44
+ * diverge across language stacks. Verifiers do NOT apply this (they canonicalize whatever is present).
45
+ * Note: the signed checkpoint's `leaf_count` is a deliberate exception — it is a small non-negative
46
+ * integer the reference verifier compares numerically (`cp.leaf_count === receipts.length`), and small
47
+ * integers serialize identically under JSON.stringify and RFC-8785, so it carries no divergence risk.
48
+ */
49
+ export function assertSignedReceiptFieldsAreStrings(obj, where = 'receipt') {
50
+ for (const [k, v] of Object.entries(obj)) {
51
+ if (v === null)
52
+ continue;
53
+ const t = typeof v;
54
+ if (t === 'number' || t === 'bigint') {
55
+ throw new Error(`SEP signed-field guard: ${where}.${k} is ${t}; signed receipt fields must be string|boolean|null (emit numbers as strings).`);
56
+ }
57
+ if (t === 'object') {
58
+ throw new Error(`SEP signed-field guard: ${where}.${k} is an object; SEP ${where} fields must be flat scalars.`);
59
+ }
60
+ }
61
+ }
62
+ //# sourceMappingURL=canonical.js.map
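Review bot: In `canonicalize`, the lone-surrogate rejection covers string values only; object keys go through `JSON.stringify(k)` with no `LONE_SURROGATE` test, so a key carrying an unpaired surrogate is still serialized here, which is the cross-stack split the comment above the regex sets out to close. `undefined`, functions and symbols also fall into the scalar branch, where `JSON.stringify` returns `undefined` and the concatenation emits the literal text `undefined`. `assertSignedReceiptFieldsAreStrings` does not reject those types either, so an optional field left unset could be signed over text that disappears after a JSON round trip (whether `buildReceipt` strips such fields is outside this page). Both cases can fail closed with the controlled throw the function already uses, as sketched below, or unset fields can be skipped as `JSON.stringify` does, provided every stack agrees. It is also worth confirming that the other stacks sort keys by UTF-16 code unit as `Array.prototype.sort` does here, since code-point order differs for keys that mix astral characters with U+E000–U+FFFF.

```javascript
    const rec = (o, depth) => {
        // … unchanged: depth bound and lone-surrogate test on string values …
        if (o === undefined || typeof o === 'function' || typeof o === 'symbol')
            throw new Error('canonicalize: value has no JSON representation');
        // … unchanged: scalar and array branches …
        const m = o;
        return '{' + Object.keys(m).sort().map((k) => {
            if (LONE_SURROGATE.test(k))
                throw new Error('canonicalize: lone surrogate in key');
            return JSON.stringify(k) + ':' + rec(m[k], depth + 1);
        }).join(',') + '}';
    };
```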
@@ -0,0 +1 @@
1
+ {"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../src/sep/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,CAAC;AAEnC;;;;;;GAMG;AACH,MAAM,cAAc,GAAG,wEAAwE,CAAC;AAEhG,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,MAAM,GAAG,GAAG,CAAC,CAAU,EAAE,KAAa,EAAU,EAAE;QAChD,IAAI,KAAK,GAAG,eAAe;YAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,eAAe,SAAS,CAAC,CAAC;QAC9G,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACrG,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;YAAE,OAAO,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QACnF,MAAM,CAAC,GAAG,CAA4B,CAAC;QACvC,OAAO,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAChH,CAAC,CAAC;IACF,OAAO,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mCAAmC,CAAC,GAA4B,EAAE,KAAK,GAAG,SAAS;IACjG,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,CAAC,KAAK,IAAI;YAAE,SAAS;QACzB,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC;QACnB,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,IAAI,CAAC,OAAO,CAAC,gFAAgF,CAAC,CAAC;QACjJ,CAAC;QACD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,IAAI,CAAC,sBAAsB,KAAK,+BAA+B,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;AACH,CAAC"}
@@ -0,0 +1,15 @@
1
+ import type { SepSigner } from './crypto.js';
2
+ import { type SepReceipt } from './receipt.js';
3
+ export interface SignedCheckpoint {
4
+ algorithm: string;
5
+ gateway_id: string;
6
+ generated_at: string;
7
+ head_leaf_hash: string;
8
+ leaf_count: number;
9
+ merkle_root: string;
10
+ signature: string;
11
+ }
12
+ /** The EXACT canonical field set of a signed SEP checkpoint (strict-schema floor in the verifier). */
13
+ export declare const SEP_CHECKPOINT_FIELDS: readonly ["algorithm", "gateway_id", "generated_at", "head_leaf_hash", "leaf_count", "merkle_root", "signature"];
14
+ export declare function buildCheckpoint(receipts: SepReceipt[], gatewayId: string, generatedAt: string, signer: SepSigner): SignedCheckpoint;
15
+ //# sourceMappingURL=checkpoint.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"checkpoint.d.ts","sourceRoot":"","sources":["../../src/sep/checkpoint.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAA2B,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAGxE,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,sGAAsG;AACtG,eAAO,MAAM,qBAAqB,kHAExB,CAAC;AAEX,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,UAAU,EAAE,EACtB,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,SAAS,GAChB,gBAAgB,CAYlB"}