@attested-intelligence/aga-mcp-server 3.0.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. package/DEPLOYMENT.md +2 -2
  2. package/README.md +8 -10
  3. package/THREAT_BOUNDARY.md +9 -9
  4. package/dist/proxy/evaluator.d.ts.map +1 -1
  5. package/dist/proxy/evaluator.js +4 -1
  6. package/dist/proxy/evaluator.js.map +1 -1
  7. package/dist/proxy/index.d.ts.map +1 -1
  8. package/dist/proxy/index.js +4 -1
  9. package/dist/proxy/index.js.map +1 -1
  10. package/dist/proxy/server.d.ts +1 -0
  11. package/dist/proxy/server.d.ts.map +1 -1
  12. package/dist/proxy/server.js +23 -5
  13. package/dist/proxy/server.js.map +1 -1
  14. package/dist/proxy/stdio-bridge.d.ts.map +1 -1
  15. package/dist/proxy/stdio-bridge.js +10 -0
  16. package/dist/proxy/stdio-bridge.js.map +1 -1
  17. package/dist/sep/bundle.js +2 -2
  18. package/dist/sep/bundle.js.map +1 -1
  19. package/dist/sep/checkpoint.d.ts.map +1 -1
  20. package/dist/sep/checkpoint.js +2 -2
  21. package/dist/sep/checkpoint.js.map +1 -1
  22. package/dist/sep/crypto.d.ts +2 -0
  23. package/dist/sep/crypto.d.ts.map +1 -1
  24. package/dist/sep/crypto.js +1 -1
  25. package/dist/sep/crypto.js.map +1 -1
  26. package/dist/sep/hybrid.d.ts +60 -0
  27. package/dist/sep/hybrid.d.ts.map +1 -0
  28. package/dist/sep/hybrid.js +189 -0
  29. package/dist/sep/hybrid.js.map +1 -0
  30. package/dist/sep/index.d.ts +4 -1
  31. package/dist/sep/index.d.ts.map +1 -1
  32. package/dist/sep/index.js +3 -0
  33. package/dist/sep/index.js.map +1 -1
  34. package/dist/sep/policy-ref.d.ts +8 -0
  35. package/dist/sep/policy-ref.d.ts.map +1 -0
  36. package/dist/sep/policy-ref.js +14 -0
  37. package/dist/sep/policy-ref.js.map +1 -0
  38. package/dist/sep/profiles.d.ts +22 -0
  39. package/dist/sep/profiles.d.ts.map +1 -0
  40. package/dist/sep/profiles.js +56 -0
  41. package/dist/sep/profiles.js.map +1 -0
  42. package/dist/sep/receipt.js +0 -0
  43. package/dist/sep/receipt.js.map +1 -1
  44. package/dist/sep/verify.d.ts +8 -3
  45. package/dist/sep/verify.d.ts.map +1 -1
  46. package/dist/sep/verify.js +67 -49
  47. package/dist/sep/verify.js.map +1 -1
  48. package/package.json +28 -7
@@ -1,21 +1,27 @@
1
1
  /**
2
- * SEP §6 verifier — a faithful TypeScript port of the normative reference
3
- * aga-receipt-spec/verify/verify-sep.mjs. Same six steps, same semantics, same crypto
4
- * (node:crypto), so its verdicts match the reference byte-for-byte. See SPEC_PRECEDENCE.md.
2
+ * SEP §6 verifier — the ONE agile + hardened verifier (ALGORITHM_AGILITY_SPEC.md).
3
+ *
4
+ * The six-step construction and the H1–H11 hardening below are a faithful port of the normative
5
+ * reference aga-receipt-spec/verify/verify-sep.mjs and are PROFILE-INVARIANT. Only the signature
6
+ * primitive and the key well-formedness are dispatched per profile (./profiles): v1 Ed25519
7
+ * (node:crypto) and v2 ML-DSA-65+Ed25519 composite (AND-verify). The verdict is a trichotomy:
8
+ * VERIFIED (exit 0) | FAILED (exit 1) | UNSUPPORTED_PROFILE (exit 3).
9
+ * UNSUPPORTED_PROFILE is returned — with NO soundness claim — when the bundle declares a registered
10
+ * profile this verifier does not implement (e.g. a v1-only build handed a v2 bundle). An UNKNOWN /
11
+ * unregistered algorithm is FAILED, never a false VERIFIED, never a partial verify.
5
12
  */
6
13
  import { canonicalize } from './canonical.js';
7
- import { sha256Hex, wellFormedKey, verifyHex, isHex } from './crypto.js';
14
+ import { sha256Hex, isHex } from './crypto.js';
8
15
  import { nodeHash } from './merkle.js';
9
- import { SEP_ALGORITHM, SEP_RECEIPT_FIELDS } from './receipt.js';
16
+ import { SEP_RECEIPT_FIELDS } from './receipt.js';
10
17
  import { SEP_CHECKPOINT_FIELDS } from './checkpoint.js';
18
+ import { isRegisteredProfile, validPublicKeyForProfile, verifyForProfile, ALL_PROFILES, REGISTERED_PROFILES, } from './profiles.js';
11
19
  const leaf = (r) => sha256Hex(canonicalize(r));
12
20
  const strip = (o, f) => Object.fromEntries(Object.entries(o).filter(([k]) => k !== f));
13
21
  /**
14
- * Canonical SEP timestamp validation (cross-stack unified). A timestamp is VALID iff it
15
- * matches the EXACT fixed-width UTC form Date.prototype.toISOString() emits AND its calendar
16
- * fields are in range — computed with PURE INTEGER ARITHMETIC, no Date/parser, so every
17
- * verifier reaches a byte-identical verdict. Uses the literal [0-9] class (not \d, which
18
- * matches Unicode digits and would diverge from the other stacks).
22
+ * Canonical SEP timestamp validation (cross-stack unified). A timestamp is VALID iff it matches the
23
+ * EXACT fixed-width UTC form Date.prototype.toISOString() emits AND its calendar fields are in range —
24
+ * pure integer arithmetic, no Date/parser, so every verifier reaches a byte-identical verdict.
19
25
  */
20
26
  const TS_RE = /^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}Z$/;
21
27
  const isLeap = (y) => y % 4 === 0 && (y % 100 !== 0 || y % 400 === 0);
@@ -36,10 +42,9 @@ const isValidTimestamp = (ts) => {
36
42
  && second >= 0 && second <= 59;
37
43
  };
38
44
  /**
39
- * Strict-schema floor: the object must carry EXACTLY the canonical fields — no extra,
40
- * unknown, or "__proto__"-injected keys (Object.keys counts a JSON-parsed "__proto__" as
41
- * an own key, so a 16th key fails the count). This is the cross-stack-robust rule: every
42
- * conformant verifier rejects the identical bundles.
45
+ * Strict-schema floor: the object must carry EXACTLY the canonical fields — no extra, unknown, or
46
+ * "__proto__"-injected keys (Object.keys counts a JSON-parsed "__proto__" as an own key, so a 16th
47
+ * key fails the count). Cross-stack-robust: every conformant verifier rejects the identical bundles.
43
48
  */
44
49
  const hasExactKeys = (o, fields) => {
45
50
  if (!o || typeof o !== 'object' || Array.isArray(o))
@@ -47,24 +52,41 @@ const hasExactKeys = (o, fields) => {
47
52
  const keys = Object.keys(o);
48
53
  return keys.length === fields.length && fields.every((f) => Object.prototype.hasOwnProperty.call(o, f));
49
54
  };
50
- export function verifySepBundle(bundle, expectedPublicKey) {
51
- // Robust contract: a malformed/hostile bundle (e.g. a receipt with a deeply-nested value
52
- // that overflows the depth-bounded canonicalize) yields FAILED, never a thrown exception.
53
- const pinned = isHex(expectedPublicKey, 64);
55
+ export function verifySepBundle(bundle, expectedPublicKey, opts) {
56
+ const supported = opts?.supportedProfiles ?? ALL_PROFILES;
57
+ const algorithm = typeof bundle?.algorithm === 'string' ? bundle.algorithm : '';
58
+ // Trichotomy: a REGISTERED profile this verifier does not implement -> UNSUPPORTED_PROFILE. No
59
+ // soundness claim is made (the verifier neither passes nor fails the bundle's content). An unknown /
60
+ // unregistered algorithm falls through to the structural floor below and FAILS.
61
+ if (isRegisteredProfile(algorithm) && !supported.includes(algorithm)) {
62
+ return {
63
+ verdict: 'UNSUPPORTED_PROFILE',
64
+ summary: `UNSUPPORTED_PROFILE — this verifier does not implement profile '${algorithm}' (v${REGISTERED_PROFILES[algorithm]}); no soundness claim is made`,
65
+ issuerVerified: false,
66
+ pinned: false,
67
+ steps: [{ name: 'profile_support', ok: false }],
68
+ };
69
+ }
70
+ // Robust contract: a malformed/hostile bundle yields FAILED, never a thrown exception.
71
+ let pinned = false;
54
72
  try {
55
73
  const steps = [];
56
74
  const add = (name, ok) => { steps.push({ name, ok }); return ok; };
57
75
  const receipts = Array.isArray(bundle?.receipts) ? bundle.receipts : [];
58
76
  const proofs = Array.isArray(bundle?.merkle_proofs) ? bundle.merkle_proofs : [];
59
77
  const pub = bundle?.public_key;
60
- // §6.1 structural floor incl. STRICT receipt schema (exactly the canonical fields;
61
- // rejects extra/unknown keys and "__proto__" injection on every signed receipt).
62
- add('structural', bundle?.algorithm === SEP_ALGORITHM && wellFormedKey(pub)
78
+ // A pin is honored only if it is well-formed for the bundle's (supported, registered) profile;
79
+ // a malformed pin is an integrity-only check (pinned=false), never a silent provenance pass.
80
+ pinned = isRegisteredProfile(algorithm) && supported.includes(algorithm)
81
+ && typeof expectedPublicKey === 'string' && validPublicKeyForProfile(algorithm, expectedPublicKey);
82
+ // §6.1 structural floor — supported registered profile + profile-valid key + STRICT receipt schema
83
+ // (exactly the canonical fields; rejects extra/unknown keys and "__proto__" injection).
84
+ add('structural', isRegisteredProfile(algorithm) && supported.includes(algorithm) && validPublicKeyForProfile(algorithm, pub)
63
85
  && receipts.length > 0 && proofs.length === receipts.length
64
86
  && receipts.every((r) => hasExactKeys(r, SEP_RECEIPT_FIELDS)));
65
- // §6.2 receipt signatures (against the bundle key; provenance handled in §6.6)
66
- add('receipt_signatures', receipts.length > 0 && receipts.every((r) => verifyHex(pub, canonicalize(strip(r, 'signature')), r.signature)));
67
- // §6.3 chain + ordering
87
+ // §6.2 receipt signatures, verified under the bundle's profile primitive (provenance is §6.6)
88
+ add('receipt_signatures', receipts.length > 0 && receipts.every((r) => verifyForProfile(algorithm, pub, canonicalize(strip(r, 'signature')), r.signature)));
89
+ // §6.3 chain + ordering — canonical fixed-width timestamps, non-decreasing (lexicographic compare)
68
90
  const leaves = receipts.map(leaf);
69
91
  let chain = receipts.length > 0;
70
92
  let prevTs = null;
@@ -72,9 +94,6 @@ export function verifySepBundle(bundle, expectedPublicKey) {
72
94
  const expectPrev = i === 0 ? '' : leaves[i - 1];
73
95
  if ((receipts[i].previous_receipt_hash || '') !== expectPrev)
74
96
  chain = false;
75
- // Canonical timestamps: each must match the fixed-width UTC form and be calendar-valid
76
- // (pure integer arithmetic, no Date parser). Because the form is fixed-width zero-padded
77
- // UTC, non-decreasing ordering is a PLAIN STRING (lexicographic) compare; EQUAL allowed.
78
97
  const ts = receipts[i].timestamp;
79
98
  if (!isValidTimestamp(ts))
80
99
  chain = false;
@@ -85,7 +104,10 @@ export function verifySepBundle(bundle, expectedPublicKey) {
85
104
  }
86
105
  }
87
106
  add('chain_and_ordering', chain);
88
- // §6.4 merkle: recompute leaf from content, walk proof, single root, index bijection
107
+ // §6.4 merkle: recompute leaf from content, walk proof, single root, index bijection. directions is
108
+ // UNSIGNED — require a well-formed array of EXACTLY "left"/"right" tokens (same length as siblings),
109
+ // and each sibling a lowercase 64-hex (an uppercase sibling decodes to the same bytes and would VERIFY
110
+ // on a case-insensitive stack while Python FAILS — the cross-stack split this guard closes).
89
111
  let root = null;
90
112
  let merkle = proofs.length === receipts.length && proofs.length > 0;
91
113
  const seen = new Set();
@@ -96,18 +118,14 @@ export function verifySepBundle(bundle, expectedPublicKey) {
96
118
  if (recomputed === null || recomputed !== p.leaf_hash)
97
119
  merkle = false;
98
120
  let cur = p.leaf_hash;
99
- // directions is UNSIGNED, so it must be a well-formed array of EXACTLY "left"/"right" tokens
100
- // (same length as siblings). Otherwise the merkle step FAILS — without this, JS/Go would treat a
101
- // rewritten token (e.g. "right"->"RIGHT") as a "right" fallthrough and still walk to the correct
102
- // root and VERIFY, while Python FAILS: a cross-stack disagreement. (Matches Python's strictness.)
103
121
  const sib = Array.isArray(p.siblings) ? p.siblings : [];
104
122
  const dir = Array.isArray(p.directions) ? p.directions : [];
105
- if (dir.length !== sib.length || !dir.every((d) => d === 'left' || d === 'right'))
123
+ if (dir.length !== sib.length || !dir.every((d) => d === 'left' || d === 'right') || !sib.every((s) => isHex(s, 64)))
106
124
  merkle = false;
107
125
  for (let j = 0; j < sib.length; j++)
108
126
  cur = dir[j] === 'left' ? nodeHash(sib[j], cur) : nodeHash(cur, sib[j]);
109
127
  if (p.merkle_root !== cur)
110
- merkle = false; // the proof's own claimed root must match what it walks to (L-7)
128
+ merkle = false; // the proof's own claimed root must match what it walks to
111
129
  if (root === null)
112
130
  root = cur;
113
131
  else if (root !== cur)
@@ -115,40 +133,40 @@ export function verifySepBundle(bundle, expectedPublicKey) {
115
133
  }
116
134
  const bijection = seen.size === receipts.length && [...seen].every((n) => Number.isInteger(n) && n >= 0 && n < receipts.length);
117
135
  add('merkle_and_bijection', merkle && bijection);
118
- // §6.5 mandatory signed checkpoint — STRICT schema (exactly the canonical fields) + the
119
- // bound algorithm value, then signature + root/count/head binding.
136
+ // §6.5 mandatory signed checkpoint — STRICT schema (exactly the canonical fields) + the SAME profile
137
+ // as the bundle, then signature (profile primitive) + root/count/head binding.
120
138
  const cp = bundle?.checkpoint;
121
139
  let cpOk = false;
122
140
  if (hasExactKeys(cp, SEP_CHECKPOINT_FIELDS)) {
123
- cpOk = cp.algorithm === SEP_ALGORITHM
124
- && verifyHex(pub, canonicalize(strip(cp, 'signature')), cp.signature)
141
+ cpOk = cp.algorithm === algorithm
142
+ && verifyForProfile(algorithm, pub, canonicalize(strip(cp, 'signature')), cp.signature)
125
143
  && root !== null && cp.merkle_root === root
126
144
  && cp.leaf_count === receipts.length
127
145
  && cp.head_leaf_hash === (leaves.length ? leaves[leaves.length - 1] : '');
128
146
  }
129
147
  add('signed_checkpoint', cpOk);
130
- // §6.5b cross-field consistency: per-receipt identity + the UNSIGNED envelope must agree
131
- // with the signed/recomputed values, so nothing outside the signed objects can mislead a
132
- // consumer that reads the envelope (M-1/M-2/L-3).
148
+ // §6.5b cross-field consistency: per-receipt identity + the UNSIGNED envelope must agree with the
149
+ // signed/recomputed values, so nothing outside the signed objects can mislead an envelope reader.
133
150
  const cpGatewayId = (cp && typeof cp === 'object') ? cp.gateway_id : undefined;
134
151
  const cpGeneratedAt = (cp && typeof cp === 'object') ? cp.generated_at : undefined;
135
152
  add('envelope_consistency', receipts.length > 0
136
- && receipts.every((r) => r.public_key === pub) // every receipt is signed under the bundle key (L-3)
137
- && receipts.every((r) => r.gateway_id === bundle?.gateway_id) // receipts ↔ envelope gateway_id
138
- && cpGatewayId === bundle?.gateway_id // checkpoint ↔ envelope gateway_id (M-2)
139
- && bundle?.generated_at === cpGeneratedAt // envelope generated_at ↔ signed checkpoint (T6)
140
- && root !== null && bundle?.merkle_root === root); // envelope merkle_root ↔ recomputed (M-1)
141
- // §6.6 provenance (only when a key is pinned)
153
+ && receipts.every((r) => r.public_key === pub)
154
+ && receipts.every((r) => r.gateway_id === bundle?.gateway_id)
155
+ && cpGatewayId === bundle?.gateway_id
156
+ && bundle?.generated_at === cpGeneratedAt
157
+ && root !== null && bundle?.merkle_root === root);
158
+ // §6.6 provenance (only when a well-formed key is pinned)
142
159
  const issuerVerified = pinned && pub === expectedPublicKey;
143
160
  if (pinned)
144
161
  add('gateway_key_match', issuerVerified);
145
162
  const verdict = steps.every((s) => s.ok) ? 'VERIFIED' : 'FAILED';
146
163
  const failed = steps.filter((s) => !s.ok).map((s) => s.name);
164
+ const profileTag = `${algorithm} (v${REGISTERED_PROFILES[algorithm] ?? '?'})`;
147
165
  const summary = verdict === 'FAILED'
148
166
  ? `FAILED — bundle did not verify (failed: ${failed.join(', ') || 'unknown'})`
149
167
  : pinned
150
- ? 'VERIFIED (provenance verified — issued by the pinned gateway key)'
151
- : 'VERIFIED (integrity only — NOT provenance; pass the gateway key to prove who issued it)';
168
+ ? `VERIFIED (${profileTag}; provenance verified — issued by the pinned gateway key)`
169
+ : `VERIFIED (${profileTag}; integrity only — NOT provenance; pass the gateway key to prove who issued it)`;
152
170
  return { verdict, summary, issuerVerified, pinned, steps };
153
171
  }
154
172
  catch (e) {
@@ -1 +1 @@
1
- {"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/sep/verify.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAYxD,MAAM,IAAI,GAAG,CAAC,CAAU,EAAU,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;AAChE,MAAM,KAAK,GAAG,CAAC,CAA0B,EAAE,CAAS,EAA2B,EAAE,CAC/E,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEjE;;;;;;GAMG;AACH,MAAM,KAAK,GAAG,oEAAoE,CAAC;AACnF,MAAM,MAAM,GAAG,CAAC,CAAS,EAAW,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC;AACvF,MAAM,WAAW,GAAG,CAAC,CAAS,EAAE,CAAS,EAAU,EAAE,CACnD,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3E,MAAM,gBAAgB,GAAG,CAAC,EAAW,EAAW,EAAE;IAChD,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5D,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACxC,OAAO,KAAK,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE;WAC3B,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC;WAC3C,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,EAAE;WACvB,MAAM,IAAI,CAAC,IAAI,MAAM,IAAI,EAAE;WAC3B,MAAM,IAAI,CAAC,IAAI,MAAM,IAAI,EAAE,CAAC;AACnC,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,YAAY,GAAG,CAAC,CAAU,EAAE,MAAyB,EAAW,EAAE;IACtE,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAA4B,CAAC,CAAC;IACvD,OAAO,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAC1G,CAAC,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,MAAW,EAAE,iBAA0B;IACrE,yFAAyF;IACzF,0FAA0F;IAC1F,MAAM,MAAM,GAAG,KAAK,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;IAC5C,IAAI,CAAC;QACL,MAAM,KAAK,GAAiB,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAW,EAAW,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7F,MAAM,QAAQ,GAAU,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/E,MAAM,MAAM,GAAU,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;QACvF,MAAM,GAAG,GAAW,MAAM,EAAE,UAAU,CAAC;QAEvC,qFAAqF;QACrF,iFAAiF;QACjF,GAAG,CAAC,YAAY,EACd,MAAM,EAAE,SAAS,KAAK,aAAa,IAAI,aAAa,CAAC,GAAG,CAAC;eACtD,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;eACxD,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC;QAEjE,+EAA+E;QAC/E,GAAG,CAAC,oBAAoB,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAE1I,wBAAwB;QACxB,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,KAAK,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAChC,IAAI,MAAM,GAAkB,IAAI,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,qBAAqB,IAAI,EAAE,CAAC,KAAK,UAAU;gBAAE,KAAK,GAAG,KAAK,CAAC;YAC5E,uFAAuF;YACvF,yFAAyF;YACzF,yFAAyF;YACzF,MAAM,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACjC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAAE,KAAK,GAAG,KAAK,CAAC;iBACpC,CAAC;gBAAC,IAAI,MAAM,KAAK,IAAI,IAAI,EAAE,GAAG,MAAM;oBAAE,KAAK,GAAG,KAAK,CAAC;gBAAC,MAAM,GAAG,EAAE,CAAC;YAAC,CAAC;QAC1E,CAAC;QACD,GAAG,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAC;QAEjC,qFAAqF;QACrF,IAAI,IAAI,GAAkB,IAAI,CAAC;QAC/B,IAAI,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YACvB,MAAM,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACtF,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,CAAC,CAAC,SAAS;gBAAE,MAAM,GAAG,KAAK,CAAC;YACtE,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC;YACtB,6FAA6F;YAC7F,iGAAiG;YACjG,iGAAiG;YACjG,kGAAkG;YAClG,MAAM,GAAG,GAAa,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,GAAG,GAAa,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,OAAO,CAAC;gBAAE,MAAM,GAAG,KAAK,CAAC;YAClG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;gBAAE,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7G,IAAI,CAAC,CAAC,WAAW,KAAK,GAAG;gBAAE,MAAM,GAAG,KAAK,CAAC,CAAU,iEAAiE;YACrH,IAAI,IAAI,KAAK,IAAI;gBAAE,IAAI,GAAG,GAAG,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG;gBAAE,MAAM,GAAG,KAAK,CAAC;QACvE,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChI,GAAG,CAAC,sBAAsB,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;QAEjD,wFAAwF;QACxF,mEAAmE;QACnE,MAAM,EAAE,GAAG,MAAM,EAAE,UAAU,CAAC;QAC9B,IAAI,IAAI,GAAG,KAAK,CAAC;QACjB,IAAI,YAAY,CAAC,EAAE,EAAE,qBAAqB,CAAC,EAAE,CAAC;YAC5C,IAAI,GAAG,EAAE,CAAC,SAAS,KAAK,aAAa;mBAChC,SAAS,CAAC,GAAG,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC;mBAClE,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC,WAAW,KAAK,IAAI;mBACxC,EAAE,CAAC,UAAU,KAAK,QAAQ,CAAC,MAAM;mBACjC,EAAE,CAAC,cAAc,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC9E,CAAC;QACD,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;QAE/B,yFAAyF;QACzF,yFAAyF;QACzF,kDAAkD;QAClD,MAAM,WAAW,GAAG,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAE,EAA8B,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5G,MAAM,aAAa,GAAG,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAE,EAA8B,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC;QAChH,GAAG,CAAC,sBAAsB,EACxB,QAAQ,CAAC,MAAM,GAAG,CAAC;eAChB,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,GAAG,CAAC,CAAe,qDAAqD;eAC/G,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,EAAE,UAAU,CAAC,CAAC,iCAAiC;eAC5F,WAAW,KAAK,MAAM,EAAE,UAAU,CAAyB,yCAAyC;eACpG,MAAM,EAAE,YAAY,KAAK,aAAa,CAAqB,iDAAiD;eAC5G,IAAI,KAAK,IAAI,IAAI,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC,CAAC,CAAY,0CAA0C;QAE1G,8CAA8C;QAC9C,MAAM,cAAc,GAAG,MAAM,IAAI,GAAG,KAAK,iBAAiB,CAAC;QAC3D,IAAI,MAAM;YAAE,GAAG,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;QAErD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,OAAO,KAAK,QAAQ;YAClC,CAAC,CAAC,2CAA2C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,GAAG;YAC9E,CAAC,CAAC,MAAM;gBACN,CAAC,CAAC,mEAAmE;gBACrE,CAAC,CAAC,yFAAyF,CAAC;QAChG,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,kDAAkD,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC3L,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/sep/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,mBAAmB,EAAE,wBAAwB,EAAE,gBAAgB,EAAE,YAAY,EAAE,mBAAmB,GACnG,MAAM,eAAe,CAAC;AAiBvB,MAAM,IAAI,GAAG,CAAC,CAAU,EAAU,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;AAChE,MAAM,KAAK,GAAG,CAAC,CAA0B,EAAE,CAAS,EAA2B,EAAE,CAC/E,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEjE;;;;GAIG;AACH,MAAM,KAAK,GAAG,oEAAoE,CAAC;AACnF,MAAM,MAAM,GAAG,CAAC,CAAS,EAAW,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC;AACvF,MAAM,WAAW,GAAG,CAAC,CAAS,EAAE,CAAS,EAAU,EAAE,CACnD,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3E,MAAM,gBAAgB,GAAG,CAAC,EAAW,EAAW,EAAE;IAChD,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5D,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IACxC,OAAO,KAAK,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE;WAC3B,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC;WAC3C,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,EAAE;WACvB,MAAM,IAAI,CAAC,IAAI,MAAM,IAAI,EAAE;WAC3B,MAAM,IAAI,CAAC,IAAI,MAAM,IAAI,EAAE,CAAC;AACnC,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,YAAY,GAAG,CAAC,CAAU,EAAE,MAAyB,EAAW,EAAE;IACtE,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAA4B,CAAC,CAAC;IACvD,OAAO,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAC1G,CAAC,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,MAAW,EAAE,iBAA0B,EAAE,IAAoB;IAC3F,MAAM,SAAS,GAAG,IAAI,EAAE,iBAAiB,IAAI,YAAY,CAAC;IAC1D,MAAM,SAAS,GAAW,OAAO,MAAM,EAAE,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAE,MAAM,CAAC,SAAoB,CAAC,CAAC,CAAC,EAAE,CAAC;IAEpG,+FAA+F;IAC/F,qGAAqG;IACrG,gFAAgF;IAChF,IAAI,mBAAmB,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACrE,OAAO;YACL,OAAO,EAAE,qBAAqB;YAC9B,OAAO,EAAE,mEAAmE,SAAS,OAAO,mBAAmB,CAAC,SAAS,CAAC,+BAA+B;YACzJ,cAAc,EAAE,KAAK;YACrB,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;SAChD,CAAC;IACJ,CAAC;IAED,uFAAuF;IACvF,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,KAAK,GAAiB,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAW,EAAW,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7F,MAAM,QAAQ,GAAU,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/E,MAAM,MAAM,GAAU,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;QACvF,MAAM,GAAG,GAAW,MAAM,EAAE,UAAU,CAAC;QAEvC,+FAA+F;QAC/F,6FAA6F;QAC7F,MAAM,GAAG,mBAAmB,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;eACnE,OAAO,iBAAiB,KAAK,QAAQ,IAAI,wBAAwB,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QAErG,mGAAmG;QACnG,wFAAwF;QACxF,GAAG,CAAC,YAAY,EACd,mBAAmB,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,wBAAwB,CAAC,SAAS,EAAE,GAAG,CAAC;eACxG,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;eACxD,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC;QAEjE,8FAA8F;QAC9F,GAAG,CAAC,oBAAoB,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAE5J,mGAAmG;QACnG,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,KAAK,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAChC,IAAI,MAAM,GAAkB,IAAI,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,qBAAqB,IAAI,EAAE,CAAC,KAAK,UAAU;gBAAE,KAAK,GAAG,KAAK,CAAC;YAC5E,MAAM,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACjC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAAE,KAAK,GAAG,KAAK,CAAC;iBACpC,CAAC;gBAAC,IAAI,MAAM,KAAK,IAAI,IAAI,EAAE,GAAG,MAAM;oBAAE,KAAK,GAAG,KAAK,CAAC;gBAAC,MAAM,GAAG,EAAE,CAAC;YAAC,CAAC;QAC1E,CAAC;QACD,GAAG,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAC;QAEjC,oGAAoG;QACpG,qGAAqG;QACrG,uGAAuG;QACvG,6FAA6F;QAC7F,IAAI,IAAI,GAAkB,IAAI,CAAC;QAC/B,IAAI,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YACvB,MAAM,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACtF,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,CAAC,CAAC,SAAS;gBAAE,MAAM,GAAG,KAAK,CAAC;YACtE,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC;YACtB,MAAM,GAAG,GAAa,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,GAAG,GAAa,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAAE,MAAM,GAAG,KAAK,CAAC;YACrI,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;gBAAE,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7G,IAAI,CAAC,CAAC,WAAW,KAAK,GAAG;gBAAE,MAAM,GAAG,KAAK,CAAC,CAAU,2DAA2D;YAC/G,IAAI,IAAI,KAAK,IAAI;gBAAE,IAAI,GAAG,GAAG,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG;gBAAE,MAAM,GAAG,KAAK,CAAC;QACvE,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChI,GAAG,CAAC,sBAAsB,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;QAEjD,qGAAqG;QACrG,+EAA+E;QAC/E,MAAM,EAAE,GAAG,MAAM,EAAE,UAAU,CAAC;QAC9B,IAAI,IAAI,GAAG,KAAK,CAAC;QACjB,IAAI,YAAY,CAAC,EAAE,EAAE,qBAAqB,CAAC,EAAE,CAAC;YAC5C,IAAI,GAAG,EAAE,CAAC,SAAS,KAAK,SAAS;mBAC5B,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC;mBACpF,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC,WAAW,KAAK,IAAI;mBACxC,EAAE,CAAC,UAAU,KAAK,QAAQ,CAAC,MAAM;mBACjC,EAAE,CAAC,cAAc,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC9E,CAAC;QACD,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;QAE/B,kGAAkG;QAClG,kGAAkG;QAClG,MAAM,WAAW,GAAG,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAE,EAA8B,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5G,MAAM,aAAa,GAAG,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAE,EAA8B,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC;QAChH,GAAG,CAAC,sBAAsB,EACxB,QAAQ,CAAC,MAAM,GAAG,CAAC;eAChB,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,GAAG,CAAC;eAC3C,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,EAAE,UAAU,CAAC;eAC1D,WAAW,KAAK,MAAM,EAAE,UAAU;eAClC,MAAM,EAAE,YAAY,KAAK,aAAa;eACtC,IAAI,KAAK,IAAI,IAAI,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC,CAAC;QAEpD,0DAA0D;QAC1D,MAAM,cAAc,GAAG,MAAM,IAAI,GAAG,KAAK,iBAAiB,CAAC;QAC3D,IAAI,MAAM;YAAE,GAAG,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;QAErD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,UAAU,GAAG,GAAG,SAAS,MAAM,mBAAmB,CAAC,SAAS,CAAC,IAAI,GAAG,GAAG,CAAC;QAC9E,MAAM,OAAO,GAAG,OAAO,KAAK,QAAQ;YAClC,CAAC,CAAC,2CAA2C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,GAAG;YAC9E,CAAC,CAAC,MAAM;gBACN,CAAC,CAAC,aAAa,UAAU,2DAA2D;gBACpF,CAAC,CAAC,aAAa,UAAU,iFAAiF,CAAC;QAC/G,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC7D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,kDAAkD,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC3L,CAAC;AACH,CAAC"}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@attested-intelligence/aga-mcp-server",
3
- "version": "3.0.1",
4
- "description": "MCP server for cryptographic AI agent governance. Seal policy artifacts, enforce at runtime, prove with signed receipts and offline-verifiable evidence bundles.",
3
+ "version": "3.3.0",
4
+ "description": "MCP governance proxy and evidence engine for AI agent tool calls: evaluate each call against a sealed policy, permit or deny it at the proxy boundary, and prove every decision with signed, offline-verifiable evidence bundles.",
5
5
  "author": "Attested Intelligence Holdings LLC",
6
6
  "license": "MIT",
7
7
  "homepage": "https://attestedintelligence.com/technology",
@@ -15,6 +15,21 @@
15
15
  "type": "module",
16
16
  "main": "dist/index.js",
17
17
  "types": "dist/index.d.ts",
18
+ "exports": {
19
+ ".": {
20
+ "types": "./dist/index.d.ts",
21
+ "default": "./dist/index.js"
22
+ },
23
+ "./verify": {
24
+ "types": "./dist/sep/verify.d.ts",
25
+ "default": "./dist/sep/verify.js"
26
+ },
27
+ "./sep": {
28
+ "types": "./dist/sep/index.d.ts",
29
+ "default": "./dist/sep/index.js"
30
+ },
31
+ "./package.json": "./package.json"
32
+ },
18
33
  "files": [
19
34
  "dist/",
20
35
  "README.md",
@@ -39,28 +54,35 @@
39
54
  "test:proxy": "vitest run tests/proxy/",
40
55
  "test:conformance": "node fixtures/run-conformance.mjs",
41
56
  "conformance:cross-stack": "node fixtures/cross-stack/run-all-stacks.mjs",
57
+ "conformance:cross-stack-v2": "node fixtures/cross-stack/run-v2-stacks.mjs",
42
58
  "check:pack": "node scripts/check-pack.mjs",
43
59
  "check": "npm run build && npm run lint && npm run test && npm run test:conformance && npm run check:pack",
44
60
  "proxy": "tsx src/proxy/index.ts",
45
61
  "proxy:start": "tsx src/proxy/index.ts start",
46
62
  "demo": "tsx scripts/demo.ts",
47
63
  "benchmark": "tsx scripts/benchmark.ts",
48
- "verify": "cd independent-verifier && npm test",
64
+ "verify": "cd independent-verifier && npm ci --no-audit --no-fund && npm test",
49
65
  "lint": "tsc --noEmit",
50
66
  "prepublishOnly": "npm run build && npm run test && npm run test:conformance && npm run check:pack"
51
67
  },
52
68
  "dependencies": {
53
- "@modelcontextprotocol/sdk": "^1.12.0",
54
- "@noble/hashes": "^1.7.0",
69
+ "@modelcontextprotocol/sdk": "^1.29.0",
70
+ "@noble/ed25519": "2.1.0",
71
+ "@noble/hashes": "1.6.1",
72
+ "@noble/post-quantum": "0.6.1",
55
73
  "commander": "^14.0.3",
56
74
  "zod": "^3.24.0"
57
75
  },
58
76
  "optionalDependencies": {
59
77
  "better-sqlite3": "^11.7.0"
60
78
  },
79
+ "overrides": {
80
+ "hono": ">=4.12.25"
81
+ },
61
82
  "devDependencies": {
62
83
  "@types/better-sqlite3": "^7.6.12",
63
84
  "@types/node": "^22.10.0",
85
+ "canonicalize": "^2.1.0",
64
86
  "tsx": "^4.19.0",
65
87
  "typescript": "^5.7.0",
66
88
  "vitest": "^2.1.0"
@@ -77,8 +99,7 @@
77
99
  "agentic-ai",
78
100
  "attestation",
79
101
  "governance",
80
- "cryptographic-enforcement",
81
- "runtime-integrity",
102
+ "policy-proxy",
82
103
  "evidence-bundles",
83
104
  "ed25519",
84
105
  "policy-artifacts",