@aztec/wallet-sdk 4.0.0-nightly.20260108 → 4.0.0-nightly.20260111

package/README.md

@@ -9,6 +9,7 @@ All types and utilities needed for wallet integration are exported from `@aztec/
 ```typescript
 import type {
   ChainInfo,
+  ConnectRequest,
   DiscoveryRequest,
   DiscoveryResponse,
   WalletInfo,
@@ -18,15 +19,30 @@ import type {
 import { ChainInfoSchema, WalletSchema, jsonStringify } from '@aztec/wallet-sdk/manager';
 ```
 
+Cryptographic utilities for secure channel establishment are exported from `@aztec/wallet-sdk/crypto`:
+
+```typescript
+import type { EncryptedPayload, ExportedPublicKey } from '@aztec/wallet-sdk/crypto';
+import {
+  decrypt,
+  deriveSharedKey,
+  encrypt,
+  exportPublicKey,
+  generateKeyPair,
+  importPublicKey,
+} from '@aztec/wallet-sdk/crypto';
+```
+
 ## Overview
 
-The Wallet SDK uses a **request-based discovery** model:
+The Wallet SDK uses a **request-based discovery** model with **end-to-end encryption**:
 
 1. **dApp requests wallets** for a specific chain/version via `WalletManager.getAvailableWallets({ chainInfo })`
 2. **SDK broadcasts** a discovery message with chain information
-3. **Your wallet responds** ONLY if it supports that specific network
+3. **Your wallet responds** with its ECDH public key ONLY if it supports that specific network
 4. **dApp receives** only compatible wallets
-5. **dApp calls wallet methods** which your wallet handles and responds to
+5. **dApp establishes secure channel** via ECDH key exchange (see [Secure Channel](#secure-channel))
+6. **All subsequent communication** is encrypted using AES-256-GCM
 
 ### Transport Mechanisms
 
@@ -116,7 +132,19 @@ If your wallet supports the network, respond with your wallet information:
 ```typescript
 import { jsonStringify } from '@aztec/wallet-sdk/manager';
 
-function respondToDiscovery(requestId: string) {
+// Your wallet should generate a key pair on initialization.
+// This keypair should be recreated each session
+let walletKeyPair: CryptoKeyPair;
+
+async function initializeWallet() {
+  // Generate ECDH key pair for secure channel establishment
+  walletKeyPair = await generateKeyPair();
+}
+
+async function respondToDiscovery(requestId: string) {
+  // Export the public key for sharing with dApps
+  const publicKey = await exportPublicKey(walletKeyPair.publicKey);
+
   const response = {
     type: 'aztec-wallet-discovery-response',
     requestId,
@@ -125,6 +153,7 @@ function respondToDiscovery(requestId: string) {
       name: 'My Aztec Wallet', // Display name
       icon: 'https://example.com/icon.png', // Optional icon URL
       version: '1.0.0', // Wallet version
+      publicKey, // ECDH public key for secure channel (required)
     },
   };
 
@@ -142,154 +171,184 @@ function respondToDiscovery(requestId: string) {
 - Both the SDK and wallets must parse incoming JSON strings
 - Always use `jsonStringify` from `@aztec/foundation/json-rpc` for sending messages
 - Always parse incoming messages with `JSON.parse` and the proper schemas
+- The `publicKey` field is required for secure channel establishment
 
-## Message Format
+## Secure Channel
 
-### Wallet Method Request
+After discovery, the dApp establishes a secure encrypted channel with your wallet using ECDH key exchange and AES-256-GCM encryption. This ensures all wallet method calls and responses are encrypted end-to-end.
 
-After discovery, dApps will call wallet methods. These arrive as:
+### Security Model
 
-```typescript
-{
-  type: string,                    // Wallet method name from the Wallet interface
-  messageId: string,               // UUID for tracking this request
-  args: unknown[],                 // Method arguments
-  chainInfo: {
-    chainId: Fr,                   // Same chain that was used in discovery
-    version: Fr
-  },
-  appId: string,                   // Application identifier
-  walletId: string                 // Your wallet's ID (from discovery response)
-}
-```
+- **ECDH Key Exchange**: Uses P-256 (secp256r1) elliptic curve for key agreement
+- **AES-256-GCM Encryption**: All messages after channel establishment are encrypted
+- **Per-Session Keys**: Each connection derives a unique shared secret
+- **MessageChannel (Extension wallets)**: Uses a private MessagePort for communication, not visible to other page scripts
 
-Example method calls:
+### 1. Handle Connection Requests
 
-- `type: 'getAccounts'` - Get list of accounts
-- `type: 'getChainInfo'` - Get chain information
-- `type: 'sendTx'` - Send a transaction
-- `type: 'registerContract'` - Register a contract instance
-
-### Wallet Method Response
-
-Your wallet must respond with:
+When a dApp connects, it sends a `ConnectRequest` containing its ECDH public key:
 
 ```typescript
-{
-  messageId: string,               // MUST match the request's messageId
-  result?: unknown,                // Method result (if successful)
-  error?: unknown,                 // Error (if failed)
-  walletId: string                 // Your wallet's ID
+interface ConnectRequest {
+  type: 'aztec-wallet-connect';
+  walletId: string; // Your wallet's ID
+  appId: string; // Application identifier
+  publicKey: ExportedPublicKey; // dApp's ECDH public key
 }
 ```
 
-## Handling Wallet Methods
-
-### 1. Set Up Message Listener
-
 **Extension wallet example:**
 
 ```typescript
-window.addEventListener('message', event => {
-  if (event.source !== window) {
-    return;
-  }
+import { decrypt, deriveSharedKey, encrypt, importPublicKey } from '@aztec/wallet-sdk/crypto';
 
-  let data;
-  try {
-    data = JSON.parse(event.data);
-  } catch {
-    return; // Not a valid JSON message
-  }
+// Store connections by appId
+const connections = new Map<string, { sharedKey: CryptoKey }>();
 
-  // Handle discovery
-  if (data.type === 'aztec-wallet-discovery') {
-    handleDiscovery(data);
-    return;
-  }
+window.addEventListener('message', async event => {
+  if (event.source !== window) return;
+
+  const data = JSON.parse(event.data);
 
-  // Handle wallet methods
-  if (data.messageId && data.type && data.walletId === 'my-aztec-wallet') {
-    handleWalletMethod(data);
+  if (data.type === 'aztec-wallet-connect') {
+    await handleConnect(data, event.ports[0]);
   }
 });
 
-// Using WebSocket:
-// websocket.on('message', (message) => {
-//   const data = JSON.parse(message);
-//   if (data.type === 'aztec-wallet-discovery') {
-//     handleDiscovery(data);
-//   } else if (data.messageId && data.type) {
-//     handleWalletMethod(data);
-//   }
-// });
+async function handleConnect(request: ConnectRequest, port: MessagePort) {
+  // Import dApp's public key
+  const dappPublicKey = await importPublicKey(request.publicKey);
+
+  // Derive shared secret using our private key and dApp's public key
+  const sharedKey = await deriveSharedKey(walletKeyPair.privateKey, dappPublicKey);
+
+  // Store the connection
+  connections.set(request.appId, { sharedKey });
+
+  // Set up encrypted message handler on the MessagePort
+  port.onmessage = async event => {
+    await handleEncryptedMessage(request.appId, event.data);
+  };
+
+  port.start();
+}
 ```
 
-### 2. Route to Wallet Implementation
+### 2. Handle Encrypted Messages
+
+All wallet method calls arrive as encrypted payloads:
 
 ```typescript
-import { ChainInfoSchema } from '@aztec/wallet-sdk/manager';
+interface EncryptedPayload {
+  iv: string; // Base64-encoded initialization vector
+  ciphertext: string; // Base64-encoded encrypted data
+}
+```
 
-async function handleWalletMethod(message: any) {
-  const { type, messageId, args, chainInfo, appId, walletId } = message;
+Decrypt incoming messages and encrypt responses:
 
-  try {
-    // Parse and validate chain info
-    const parsedChainInfo = ChainInfoSchema.parse(chainInfo);
+```typescript
+async function handleEncryptedMessage(appId: string, encrypted: EncryptedPayload) {
+  const connection = connections.get(appId);
+  if (!connection) {
+    console.error('Unknown connection');
+    return;
+  }
 
-    // Get the wallet instance for this chain
-    const wallet = await getWalletForChain(parsedChainInfo);
+  try {
+    // Decrypt the incoming message
+    const message = await decrypt<WalletMessage>(connection.sharedKey, encrypted);
 
-    // Verify the method exists on the Wallet interface
-    if (typeof wallet[type] !== 'function') {
-      throw new Error(`Unknown wallet method: ${type}`);
-    }
+    const { type, messageId, args, chainInfo, walletId } = message;
 
-    // Call the wallet method
+    // Process the wallet method call
+    const wallet = await getWalletForChain(chainInfo);
     const result = await wallet[type](...args);
 
-    // Send success response
-    sendResponse(messageId, walletId, result);
+    // Create response
+    const response: WalletResponse = {
+      messageId,
+      result,
+      walletId,
+    };
+
+    // Encrypt and send the response
+    const encryptedResponse = await encrypt(connection.sharedKey, response);
+    sendEncryptedResponse(appId, encryptedResponse);
   } catch (error) {
-    // Send error response
-    sendError(messageId, walletId, error);
+    // Send encrypted error response
+    const errorResponse: WalletResponse = {
+      messageId: message?.messageId ?? '',
+      error: { message: error.message },
+      walletId: message?.walletId ?? '',
+    };
+
+    const encryptedError = await encrypt(connection.sharedKey, errorResponse);
+    sendEncryptedResponse(appId, encryptedError);
   }
 }
 ```
 
-### 3. Send Response
+### 3. Extension Wallet Architecture
 
-**Extension wallet example:**
+For browser extension wallets, the recommended architecture separates concerns:
 
-```typescript
-import { jsonStringify } from '@aztec/wallet-sdk/manager';
+```
+┌─────────────┐    window.postMessage    ┌─────────────────┐    browser.runtime   ┌──────────────────┐
+│   dApp      │◄────────────────────────►│  Content Script │◄────────────────────►│ Background Script│
+│ (web page)  │    (discovery only)      │  (message relay)│    (encrypted msgs)  │ (decrypt+process)│
+└─────────────┘                          └─────────────────┘                      └──────────────────┘
+       │                                            │
+       │         MessagePort (private channel)      │
+       └────────────────────────────────────────────┘
+                (encrypted wallet method calls)
+```
 
-function sendResponse(messageId: string, walletId: string, result: unknown) {
-  const response = {
-    messageId,
-    result,
-    walletId,
-  };
+**Security benefits:**
 
-  // Send as JSON string
-  window.postMessage(jsonStringify(response), '*');
-}
+- Content script never has access to private keys or shared secrets
+- All cryptographic operations happen in the background script (service worker)
+- MessagePort provides a private channel not visible to other page scripts
+- Only the initial connection handshake uses `window.postMessage`
 
-function sendError(messageId: string, walletId: string, error: Error) {
-  const response = {
-    messageId,
-    error: {
-      message: error.message,
-      stack: error.stack,
-    },
-    walletId,
-  };
+## Message Format
 
-  window.postMessage(jsonStringify(response), '*');
+### Wallet Method Request
+
+After discovery, dApps will call wallet methods. These arrive as:
+
+```typescript
+{
+  type: string,                    // Wallet method name from the Wallet interface
+  messageId: string,               // UUID for tracking this request
+  args: unknown[],                 // Method arguments
+  chainInfo: {
+    chainId: Fr,                   // Same chain that was used in discovery
+    version: Fr
+  },
+  appId: string,                   // Application identifier
+  walletId: string                 // Your wallet's ID (from discovery response)
 }
+```
 
-// Using WebSocket:
-// websocket.send(jsonStringify({ messageId, result, walletId }));
+Example method calls:
+
+- `type: 'getAccounts'` - Get list of accounts
+- `type: 'getChainInfo'` - Get chain information
+- `type: 'sendTx'` - Send a transaction
+- `type: 'registerContract'` - Register a contract instance
+
+### Wallet Method Response
+
+Your wallet must respond with:
+
+```typescript
+{
+  messageId: string,               // MUST match the request's messageId
+  result?: unknown,                // Method result (if successful)
+  error?: unknown,                 // Error (if failed)
+  walletId: string                 // Your wallet's ID
+}
 ```
 
 ## Parsing Messages
@@ -331,37 +390,12 @@ Always send error responses with this structure:
 
 ### Common Error Scenarios
 
-```typescript
-import { ChainInfoSchema } from '@aztec/wallet-sdk/manager';
-
-async function handleWalletMethod(message: any) {
-  const { type, messageId, args, chainInfo, walletId } = message;
-
-  try {
-    // 1. Parse and validate chain info
-    const parsedChainInfo = ChainInfoSchema.parse(chainInfo);
+Common errors to handle within the encrypted message handler:
 
-    // 2. Check network support
-    if (!isNetworkSupported(parsedChainInfo)) {
-      throw new Error('Network not supported by wallet');
-    }
-
-    // 3. Get wallet instance
-    const wallet = await getWalletForChain(parsedChainInfo);
-
-    // 4. Validate method exists
-    if (typeof wallet[type] !== 'function') {
-      throw new Error(`Unknown wallet method: ${type}`);
-    }
-
-    // 5. Execute method
-    const result = await wallet[type](...args);
-    sendResponse(messageId, walletId, result);
-  } catch (error) {
-    sendError(messageId, walletId, error);
-  }
-}
-```
+- **Network not supported**: Chain info doesn't match wallet's supported networks
+- **Unknown method**: The requested wallet method doesn't exist
+- **Invalid arguments**: Method arguments fail validation
+- **User rejection**: User declined the transaction or action
 
 ### User Rejection Handling
 

package/dest/crypto.d.ts

@@ -0,0 +1,146 @@
+/**
+ * Exported public key in JWK format for transmission over untrusted channels.
+ *
+ * Contains only the public components of an ECDH P-256 key, safe to share.
+ */
+export interface ExportedPublicKey {
+    /** Key type - always "EC" for elliptic curve */
+    kty: string;
+    /** Curve name - always "P-256" */
+    crv: string;
+    /** X coordinate (base64url encoded) */
+    x: string;
+    /** Y coordinate (base64url encoded) */
+    y: string;
+}
+/**
+ * Encrypted message payload containing ciphertext and initialization vector.
+ *
+ * Both fields are base64-encoded for safe transmission as JSON.
+ */
+export interface EncryptedPayload {
+    /** Initialization vector (base64 encoded, 12 bytes) */
+    iv: string;
+    /** Ciphertext (base64 encoded) */
+    ciphertext: string;
+}
+/**
+ * ECDH key pair for secure communication.
+ *
+ * The private key should never be exported or transmitted.
+ * The public key can be exported via {@link exportPublicKey} for exchange.
+ */
+export interface SecureKeyPair {
+    /** Public key - safe to share */
+    publicKey: CryptoKey;
+    /** Private key - keep secret, used for key derivation */
+    privateKey: CryptoKey;
+}
+/**
+ * Generates an ECDH P-256 key pair for key exchange.
+ *
+ * The generated key pair can be used to derive a shared secret with another
+ * party's public key using {@link deriveSharedKey}.
+ *
+ * @returns A new ECDH key pair
+ *
+ * @example
+ * ```typescript
+ * const keyPair = await generateKeyPair();
+ * const publicKey = await exportPublicKey(keyPair.publicKey);
+ * // Send publicKey to the other party
+ * ```
+ */
+export declare function generateKeyPair(): Promise<SecureKeyPair>;
+/**
+ * Exports a public key to JWK format for transmission.
+ *
+ * The exported key contains only public components and is safe to transmit
+ * over untrusted channels.
+ *
+ * @param publicKey - The CryptoKey public key to export
+ * @returns The public key in JWK format
+ *
+ * @example
+ * ```typescript
+ * const keyPair = await generateKeyPair();
+ * const exported = await exportPublicKey(keyPair.publicKey);
+ * // exported can be JSON serialized and sent to another party
+ * ```
+ */
+export declare function exportPublicKey(publicKey: CryptoKey): Promise<ExportedPublicKey>;
+/**
+ * Imports a public key from JWK format.
+ *
+ * Used to import the other party's public key for deriving a shared secret.
+ *
+ * @param exported - The public key in JWK format
+ * @returns A CryptoKey that can be used with {@link deriveSharedKey}
+ *
+ * @example
+ * ```typescript
+ * // Receive exported public key from other party
+ * const theirPublicKey = await importPublicKey(receivedPublicKey);
+ * const sharedKey = await deriveSharedKey(myPrivateKey, theirPublicKey);
+ * ```
+ */
+export declare function importPublicKey(exported: ExportedPublicKey): Promise<CryptoKey>;
+/**
+ * Derives a shared AES-256-GCM key from ECDH key exchange.
+ *
+ * Both parties will derive the same shared key when using their own private key
+ * and the other party's public key. This is the core of ECDH key agreement.
+ *
+ * @param privateKey - Your ECDH private key
+ * @param publicKey - The other party's ECDH public key
+ * @returns An AES-256-GCM key for encryption/decryption
+ *
+ * @example
+ * ```typescript
+ * // Both parties derive the same key
+ * const sharedKeyA = await deriveSharedKey(privateKeyA, publicKeyB);
+ * const sharedKeyB = await deriveSharedKey(privateKeyB, publicKeyA);
+ * // sharedKeyA and sharedKeyB are equivalent
+ * ```
+ */
+export declare function deriveSharedKey(privateKey: CryptoKey, publicKey: CryptoKey): Promise<CryptoKey>;
+/**
+ * Encrypts data using AES-256-GCM.
+ *
+ * The data is JSON serialized before encryption. A random 12-byte IV is
+ * generated for each encryption operation.
+ *
+ * AES-GCM provides both confidentiality and authenticity - any tampering
+ * with the ciphertext will cause decryption to fail.
+ *
+ * @param key - The AES-GCM key (from {@link deriveSharedKey})
+ * @param data - The data to encrypt (will be JSON serialized)
+ * @returns The encrypted payload with IV and ciphertext
+ *
+ * @example
+ * ```typescript
+ * const encrypted = await encrypt(sharedKey, { action: 'transfer', amount: 100 });
+ * // encrypted.iv and encrypted.ciphertext are base64 strings
+ * ```
+ */
+export declare function encrypt(key: CryptoKey, data: unknown): Promise<EncryptedPayload>;
+/**
+ * Decrypts data using AES-256-GCM.
+ *
+ * The decrypted data is JSON parsed before returning.
+ *
+ * @typeParam T - The expected type of the decrypted data
+ * @param key - The AES-GCM key (from {@link deriveSharedKey})
+ * @param payload - The encrypted payload from {@link encrypt}
+ * @returns The decrypted and parsed data
+ *
+ * @throws Error if decryption fails (wrong key or tampered ciphertext)
+ *
+ * @example
+ * ```typescript
+ * const decrypted = await decrypt<{ action: string; amount: number }>(sharedKey, encrypted);
+ * console.log(decrypted.action); // 'transfer'
+ * ```
+ */
+export declare function decrypt<T = unknown>(key: CryptoKey, payload: EncryptedPayload): Promise<T>;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3J5cHRvLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvY3J5cHRvLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQW1DQTs7OztHQUlHO0FBQ0gsTUFBTSxXQUFXLGlCQUFpQjtJQUNoQyxnREFBZ0Q7SUFDaEQsR0FBRyxFQUFFLE1BQU0sQ0FBQztJQUNaLGtDQUFrQztJQUNsQyxHQUFHLEVBQUUsTUFBTSxDQUFDO0lBQ1osdUNBQXVDO0lBQ3ZDLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDVix1Q0FBdUM7SUFDdkMsQ0FBQyxFQUFFLE1BQU0sQ0FBQztDQUNYO0FBRUQ7Ozs7R0FJRztBQUNILE1BQU0sV0FBVyxnQkFBZ0I7SUFDL0IsdURBQXVEO0lBQ3ZELEVBQUUsRUFBRSxNQUFNLENBQUM7SUFDWCxrQ0FBa0M7SUFDbEMsVUFBVSxFQUFFLE1BQU0sQ0FBQztDQUNwQjtBQUVEOzs7OztHQUtHO0FBQ0gsTUFBTSxXQUFXLGFBQWE7SUFDNUIsaUNBQWlDO0lBQ2pDLFNBQVMsRUFBRSxTQUFTLENBQUM7SUFDckIseURBQXlEO0lBQ3pELFVBQVUsRUFBRSxTQUFTLENBQUM7Q0FDdkI7QUFFRDs7Ozs7Ozs7Ozs7Ozs7R0FjRztBQUNILHdCQUFzQixlQUFlLElBQUksT0FBTyxDQUFDLGFBQWEsQ0FBQyxDQWE5RDtBQUVEOzs7Ozs7Ozs7Ozs7Ozs7R0FlRztBQUNILHdCQUFzQixlQUFlLENBQUMsU0FBUyxFQUFFLFNBQVMsR0FBRyxPQUFPLENBQUMsaUJBQWlCLENBQUMsQ0FRdEY7QUFFRDs7Ozs7Ozs7Ozs7Ozs7R0FjRztBQUNILHdCQUFnQixlQUFlLENBQUMsUUFBUSxFQUFFLGlCQUFpQixHQUFHLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FnQi9FO0FBRUQ7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBaUJHO0FBQ0gsd0JBQWdCLGVBQWUsQ0FBQyxVQUFVLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxTQUFTLEdBQUcsT0FBTyxDQUFDLFNBQVMsQ0FBQyxDQWMvRjtBQUVEOzs7Ozs7Ozs7Ozs7Ozs7Ozs7R0FrQkc7QUFDSCx3QkFBc0IsT0FBTyxDQUFDLEdBQUcsRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLE9BQU8sR0FBRyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsQ0FVdEY7QUFFRDs7Ozs7Ozs7Ozs7Ozs7Ozs7R0FpQkc7QUFDSCx3QkFBc0IsT0FBTyxDQUFDLENBQUMsR0FBRyxPQUFPLEVBQUUsR0FBRyxFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsZ0JBQWdCLEdBQUcsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQVFoRyJ9

package/dest/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAmCA;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,CAAC,EAAE,MAAM,CAAC;IACV,uCAAuC;IACvC,CAAC,EAAE,MAAM,CAAC;CACX;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,uDAAuD;IACvD,EAAE,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,iCAAiC;IACjC,SAAS,EAAE,SAAS,CAAC;IACrB,yDAAyD;IACzD,UAAU,EAAE,SAAS,CAAC;CACvB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,aAAa,CAAC,CAa9D;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,eAAe,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAQtF;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,SAAS,CAAC,CAgB/E;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAc/F;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAUtF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,OAAO,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,CAAC,CAAC,CAQhG"}