npm - @babylonlabs-io/ts-sdk - Versions diffs - 0.48.4 → 0.49.0 - Mend

@babylonlabs-io/ts-sdk 0.48.4 → 0.49.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist/primeVpAuth-Brl_bnBH.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"primeVpAuth-Brl_bnBH.cjs","sources":["../src/tbv/core/clients/eth/contract-address-resolver.ts","../src/tbv/core/clients/eth/protocol-params-reader.ts","../src/tbv/core/clients/eth/signer-set-reader.ts","../src/tbv/core/clients/eth/types.ts","../src/tbv/core/clients/vault-provider/validators.ts","../src/tbv/core/clients/vault-provider/api.ts","../src/tbv/core/clients/vault-provider/batchAttribution.ts","../src/tbv/core/clients/vault-provider/batchPoll.ts","../src/tbv/core/clients/vault-provider/auth/bip322Verify.ts","../src/tbv/core/clients/vault-provider/auth/cbor.ts","../src/tbv/core/clients/vault-provider/auth/serverIdentity.ts","../src/tbv/core/clients/vault-provider/auth/gatedMethods.ts","../src/tbv/core/clients/vault-provider/auth/innerTokenClient.ts","../src/tbv/core/clients/vault-provider/auth/cborDecode.ts","../src/tbv/core/clients/vault-provider/auth/verifyDepositorCwt.ts","../src/tbv/core/clients/vault-provider/auth/tokenProvider.ts","../src/tbv/core/clients/vault-provider/auth/tokenRegistry.ts","../src/tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient.ts","../src/tbv/core/clients/vault-provider/auth/primeVpAuth.ts"],"sourcesContent":["/**\n * Contract Address Resolver\n *\n * Resolves ProtocolParams and ApplicationRegistry contract addresses\n * from the BTCVaultRegistry contract. These addresses are needed to\n * construct the SDK's contract readers.\n *\n * @module clients/eth/contract-address-resolver\n */\n\nimport type { Address, PublicClient } from \"viem\";\n\nimport { BTCVaultRegistryABI } from \"../../contracts/abis/BTCVaultRegistry.abi\";\n\nexport interface ProtocolAddresses {\n /** Address of the ProtocolParams contract */\n protocolParams: Address;\n /** Address of the ApplicationRegistry contract */\n applicationRegistry: Address;\n}\n\n/**\n * Resolve ProtocolParams and ApplicationRegistry addresses from BTCVaultRegistry.\n *\n * Uses a single multicall for atomicity and efficiency.\n *\n * @param publicClient - viem PublicClient instance\n * @param btcVaultRegistryAddress - Address of the BTCVaultRegistry contract\n * @returns Resolved contract addresses\n */\nexport async function resolveProtocolAddresses(\n publicClient: PublicClient,\n btcVaultRegistryAddress: Address,\n): Promise<ProtocolAddresses> {\n const [protocolParams, applicationRegistry] = await publicClient.multicall({\n contracts: [\n {\n address: btcVaultRegistryAddress,\n abi: BTCVaultRegistryABI,\n functionName: \"protocolParams\",\n },\n {\n address: btcVaultRegistryAddress,\n abi: BTCVaultRegistryABI,\n functionName: \"applicationRegistry\",\n },\n ],\n allowFailure: false,\n });\n\n return {\n protocolParams: protocolParams as Address,\n applicationRegistry: applicationRegistry as Address,\n };\n}\n","/**\n * Concrete ProtocolParams reader using viem's readContract and multicall.\n *\n * This is an optional utility — callers can use their own implementation\n * of the ProtocolParamsReader interface.\n */\n\nimport type { Abi, Address, Hex, PublicClient } from \"viem\";\n\nimport { ProtocolParamsABI } from \"../../contracts/abis/ProtocolParams.abi\";\nimport {\n assertValidOffchainParamsVersion,\n validateOffchainParams,\n validatePegInConfiguration,\n validateTBVProtocolParams,\n} from \"./protocol-params-validation\";\nimport type {\n AllOffchainParamsData,\n OnSkippedOffchainParamsVersion,\n PegInConfiguration,\n ProtocolParamsReader,\n TBVProtocolParams,\n VersionedOffchainParams,\n} from \"./types\";\n\n/**\n * Maximum value for a Solidity uint16.\n * PeginLogic.sol casts timelockAssert to uint16, so values above this are invalid.\n */\nconst UINT16_MAX = 65535;\n\n\n/**\n * Raw shape viem returns for VersionedOffchainParams struct.\n * viem resolves ABI struct outputs to named objects (not tuples).\n */\ninterface RawOffchainParams {\n timelockAssert: bigint;\n timelockChallengeAssert: bigint;\n securityCouncilKeys: readonly Hex[];\n councilQuorum: number;\n feeRate: bigint;\n babeTotalInstances: number;\n babeInstancesToFinalize: number;\n minVpCommissionBps: number;\n tRefund: number;\n tStale: number;\n minPeginFeeRate: bigint;\n proverCircuitVersion: number;\n minPrepeginDepth: number;\n}\n\n/** Raw shape viem returns for TBVProtocolParams struct. */\ninterface RawTBVParams {\n minimumPegInAmount: bigint;\n maxPegInAmount: bigint;\n pegInAckTimeout: bigint;\n pegInActivationTimeout: bigint;\n maxHtlcOutputCount: number;\n expiredPegInGraceBlocks: bigint;\n}\n\n/** Map viem struct result to VersionedOffchainParams. */\nfunction mapOffchainParams(result: RawOffchainParams): VersionedOffchainParams {\n return {\n timelockAssert: result.timelockAssert,\n timelockChallengeAssert: result.timelockChallengeAssert,\n securityCouncilKeys: [...result.securityCouncilKeys],\n councilQuorum: result.councilQuorum,\n feeRate: result.feeRate,\n babeTotalInstances: result.babeTotalInstances,\n babeInstancesToFinalize: result.babeInstancesToFinalize,\n minVpCommissionBps: result.minVpCommissionBps,\n tRefund: result.tRefund,\n tStale: result.tStale,\n minPeginFeeRate: result.minPeginFeeRate,\n proverCircuitVersion: result.proverCircuitVersion,\n minPrepeginDepth: result.minPrepeginDepth,\n };\n}\n\n/** Map viem struct result to TBVProtocolParams. */\nfunction mapTBVParams(result: RawTBVParams): TBVProtocolParams {\n return {\n minimumPegInAmount: result.minimumPegInAmount,\n maxPegInAmount: result.maxPegInAmount,\n pegInAckTimeout: result.pegInAckTimeout,\n pegInActivationTimeout: result.pegInActivationTimeout,\n maxHtlcOutputCount: result.maxHtlcOutputCount,\n expiredPegInGraceBlocks: result.expiredPegInGraceBlocks,\n };\n}\n\n/**\n * Derive timelockPegin from timelockAssert.\n *\n * Matches PeginLogic.sol: `uint16(timelockAssert)`.\n * The contract validates `timelockAssert <= type(uint16).max` on write,\n * but we enforce the same bound here to reject invalid values early\n * rather than silently truncating.\n *\n * @throws if timelockAssert exceeds uint16 max (65535)\n */\nfunction deriveTimelockPegin(timelockAssert: bigint): number {\n if (timelockAssert > BigInt(UINT16_MAX)) {\n throw new Error(\n `timelockAssert value ${timelockAssert} exceeds uint16 max (${UINT16_MAX})`,\n );\n }\n return Number(timelockAssert);\n}\n\n/**\n * Concrete protocol params reader using viem.\n *\n * Every read method runs the matching validator from\n * `protocol-params-validation` before returning, so callers don't have to\n * remember to validate.\n *\n * Usage:\n * ```ts\n * const reader = new ViemProtocolParamsReader(publicClient, protocolParamsAddress);\n * const config = await reader.getPegInConfiguration();\n * ```\n */\nexport class ViemProtocolParamsReader implements ProtocolParamsReader {\n constructor(\n private publicClient: PublicClient,\n private contractAddress: Address,\n ) {}\n\n async getTBVProtocolParams(): Promise<TBVProtocolParams> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getTBVProtocolParams\",\n })) as RawTBVParams;\n\n const params = mapTBVParams(result);\n validateTBVProtocolParams(params);\n return params;\n }\n\n async getLatestOffchainParams(): Promise<VersionedOffchainParams> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getLatestOffchainParams\",\n })) as RawOffchainParams;\n\n const params = mapOffchainParams(result);\n validateOffchainParams(params);\n return params;\n }\n\n async getOffchainParamsByVersion(\n version: number,\n ): Promise<VersionedOffchainParams> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getOffchainParamsByVersion\",\n args: [version],\n })) as RawOffchainParams;\n\n const params = mapOffchainParams(result);\n validateOffchainParams(params);\n return params;\n }\n\n async getLatestOffchainParamsVersion(): Promise<number> {\n const raw = await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"latestOffchainParamsVersion\",\n });\n const version = Number(raw);\n assertValidOffchainParamsVersion(version);\n return version;\n }\n\n async getTimelockPeginByVersion(version: number): Promise<number> {\n const params = await this.getOffchainParamsByVersion(version);\n return deriveTimelockPegin(params.timelockAssert);\n }\n\n /**\n * Read TBV protocol params, latest offchain params, and the latest version\n * label atomically via multicall. The version is paired with the params so\n * that a governance update between separate reads cannot let JS build BTC\n * scripts with version N params while the contract registers the vault\n * under version N+1.\n */\n async getPegInConfiguration(): Promise<PegInConfiguration> {\n const results = await this.publicClient.multicall({\n contracts: [\n {\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getTBVProtocolParams\",\n },\n {\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getLatestOffchainParams\",\n },\n {\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"latestOffchainParamsVersion\",\n },\n ],\n allowFailure: false,\n });\n\n const tbvParams = mapTBVParams(results[0] as RawTBVParams);\n const offchainParams = mapOffchainParams(results[1] as RawOffchainParams);\n const offchainParamsVersion = Number(results[2]);\n\n const config: PegInConfiguration = {\n minimumPegInAmount: tbvParams.minimumPegInAmount,\n maxPegInAmount: tbvParams.maxPegInAmount,\n pegInAckTimeout: tbvParams.pegInAckTimeout,\n pegInActivationTimeout: tbvParams.pegInActivationTimeout,\n maxHtlcOutputCount: tbvParams.maxHtlcOutputCount,\n expiredPegInGraceBlocks: tbvParams.expiredPegInGraceBlocks,\n timelockPegin: deriveTimelockPegin(offchainParams.timelockAssert),\n timelockRefund: offchainParams.tRefund,\n minVpCommissionBps: offchainParams.minVpCommissionBps,\n offchainParams,\n offchainParamsVersion,\n };\n\n validatePegInConfiguration(config);\n return config;\n }\n\n /**\n * Fetch every historical offchain params version in a single multicall.\n * Iterates 1..latestVersion and calls `getOffchainParamsByVersion` for each.\n * Versions whose payload fails validation are skipped (not included in the\n * returned map) so a single bad historical version doesn't block the\n * lookup of the rest.\n *\n * @param onSkippedVersion - optional observer invoked once per skipped\n * version. Use to log/telemeter without coupling the SDK to a logger.\n */\n async fetchAllOffchainParams(\n onSkippedVersion?: OnSkippedOffchainParamsVersion,\n ): Promise<AllOffchainParamsData> {\n const latestVersion = await this.getLatestOffchainParamsVersion();\n if (latestVersion === 0) {\n return { byVersion: new Map(), latestVersion: 0 };\n }\n\n const versions = Array.from({ length: latestVersion }, (_, i) => i + 1);\n const contracts = versions.map((v) => ({\n address: this.contractAddress,\n abi: ProtocolParamsABI as Abi,\n functionName: \"getOffchainParamsByVersion\" as const,\n args: [v] as const,\n }));\n\n const results = await this.publicClient.multicall({\n contracts,\n allowFailure: false,\n });\n\n const byVersion = new Map<number, VersionedOffchainParams>();\n for (let i = 0; i < versions.length; i++) {\n const params = mapOffchainParams(results[i] as RawOffchainParams);\n try {\n validateOffchainParams(params);\n byVersion.set(versions[i], params);\n } catch (error) {\n // A malformed historical version mustn't block lookup of the rest.\n // Surface the skip to the caller's observer if one was supplied.\n onSkippedVersion?.(\n versions[i],\n error instanceof Error ? error : new Error(String(error)),\n );\n }\n }\n\n return { byVersion, latestVersion };\n }\n}\n","/**\n * Concrete signer-set readers for vault keepers and universal challengers.\n *\n * These are optional utilities — callers can use their own implementations\n * of the VaultKeeperReader and UniversalChallengerReader interfaces.\n */\n\nimport type { Address, Hex, PublicClient } from \"viem\";\n\nimport { ApplicationRegistryABI } from \"../../contracts/abis/ApplicationRegistry.abi\";\nimport { ProtocolParamsABI } from \"../../contracts/abis/ProtocolParams.abi\";\nimport type {\n AddressBTCKeyPair,\n UniversalChallengerReader,\n VaultKeeperReader,\n} from \"./types\";\n\n/** Map viem tuple array to AddressBTCKeyPair[]. */\nfunction mapKeyPairs(\n result: readonly { ethAddress: Address; btcPubKey: Hex }[],\n): AddressBTCKeyPair[] {\n return result.map((pair) => ({\n ethAddress: pair.ethAddress,\n btcPubKey: pair.btcPubKey,\n }));\n}\n\n/**\n * Reads vault keepers from the ApplicationRegistry contract.\n *\n * Usage:\n * ```ts\n * const reader = new ViemVaultKeeperReader(publicClient, applicationRegistryAddress);\n * const keepers = await reader.getCurrentVaultKeepers(appEntryPoint);\n * ```\n */\nexport class ViemVaultKeeperReader implements VaultKeeperReader {\n constructor(\n private publicClient: PublicClient,\n private contractAddress: Address,\n ) {}\n\n async getVaultKeepersByVersion(\n appEntryPoint: Address,\n version: number,\n ): Promise<AddressBTCKeyPair[]> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ApplicationRegistryABI,\n functionName: \"getVaultKeepersByVersion\",\n args: [appEntryPoint, version],\n })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n return mapKeyPairs(result);\n }\n\n async getCurrentVaultKeepers(\n appEntryPoint: Address,\n ): Promise<AddressBTCKeyPair[]> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ApplicationRegistryABI,\n functionName: \"getCurrentVaultKeepers\",\n args: [appEntryPoint],\n })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n return mapKeyPairs(result);\n }\n\n async getCurrentVaultKeepersVersion(\n appEntryPoint: Address,\n ): Promise<number> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ApplicationRegistryABI,\n functionName: \"getCurrentVaultKeepersVersion\",\n args: [appEntryPoint],\n })) as number;\n\n return result;\n }\n}\n\n/**\n * Reads universal challengers from the ProtocolParams contract.\n *\n * Usage:\n * ```ts\n * const reader = new ViemUniversalChallengerReader(publicClient, protocolParamsAddress);\n * const challengers = await reader.getCurrentUniversalChallengers();\n * ```\n */\nexport class ViemUniversalChallengerReader implements UniversalChallengerReader {\n constructor(\n private publicClient: PublicClient,\n private contractAddress: Address,\n ) {}\n\n async getUniversalChallengersByVersion(\n version: number,\n ): Promise<AddressBTCKeyPair[]> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getUniversalChallengersByVersion\",\n args: [version],\n })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n return mapKeyPairs(result);\n }\n\n async getCurrentUniversalChallengers(): Promise<AddressBTCKeyPair[]> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"getCurrentUniversalChallengers\",\n })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n return mapKeyPairs(result);\n }\n\n async getLatestUniversalChallengersVersion(): Promise<number> {\n const result = (await this.publicClient.readContract({\n address: this.contractAddress,\n abi: ProtocolParamsABI,\n functionName: \"latestUniversalChallengersVersion\",\n })) as number;\n\n return result;\n }\n}\n","/**\n * Types and interfaces for ETH contract readers.\n *\n * These are optional utilities — callers can use them or build their own.\n * Core service functions never import from this module.\n */\n\nimport type { Address, Hex } from \"viem\";\n\n// ============================================================================\n// Vault Registry Types\n// ============================================================================\n\ndeclare const onChainBtcPubkeyBrand: unique symbol;\n\n/**\n * 64-char lowercase hex (no `0x`) x-only BTC pubkey sourced from the\n * on-chain BTCVaultRegistry. The only legitimate producer is\n * {@link VaultRegistryReader.getVaultProviderBtcPubKey}.\n *\n * @stability frozen\n */\nexport type OnChainBtcPubkey = string & {\n readonly [onChainBtcPubkeyBrand]: true;\n};\n\n/**\n * Mirrors `IBTCVaultRegistry.BTCVaultStatus` in BTCVaultRegistry.sol exactly.\n * Use this when consuming `status` from `getVaultBasicInfo` /\n * `getBtcVaultBasicInfo`.\n *\n * Do NOT confuse with the app-side `ContractStatus` enum\n * (`services/deposit/peginState.ts`) — that one is for the indexer and\n * extends this with values 5-7, reassigning 4 to LIQUIDATED. Reading an\n * on-chain status through `ContractStatus[n]` for labels will mislabel\n * Expired(4) as LIQUIDATED.\n */\nexport enum OnChainBtcVaultStatus {\n PENDING = 0,\n VERIFIED = 1,\n ACTIVE = 2,\n REDEEMED = 3,\n EXPIRED = 4,\n}\n\n/** Basic vault info from BTCVaultRegistry.getBtcVaultBasicInfo */\nexport interface VaultBasicInfo {\n depositor: Address;\n depositorBtcPubKey: Hex;\n amount: bigint;\n vaultProvider: Address;\n status: number;\n applicationEntryPoint: Address;\n createdAt: bigint;\n}\n\n/** Protocol info from BTCVaultRegistry.getBtcVaultProtocolInfo */\nexport interface VaultProtocolInfo {\n depositorSignedPeginTx: Hex;\n universalChallengersVersion: number;\n appVaultKeepersVersion: number;\n offchainParamsVersion: number;\n verifiedAt: bigint;\n depositorWotsPkHash: Hex;\n hashlock: Hex;\n htlcVout: number;\n depositorPopSignature: Hex;\n prePeginTxHash: Hex;\n vaultProviderCommissionBps: number;\n /** Block deadline (uint256) for depositor reclaim. TODO(#1690): wire to refund flow. */\n claimExpiredUntil: bigint;\n /** Vault core version (uint16) stamped at registration. VP-side gating only — see #1690. */\n vaultCoreVersion: number;\n}\n\n/** Combined vault data (basic + protocol) */\nexport interface VaultData {\n basic: VaultBasicInfo;\n protocol: VaultProtocolInfo;\n}\n\n/** Interface for reading vault data from the BTCVaultRegistry contract. */\nexport interface VaultRegistryReader {\n getVaultBasicInfo(vaultId: Hex): Promise<VaultBasicInfo>;\n getVaultProtocolInfo(vaultId: Hex): Promise<VaultProtocolInfo>;\n getProtocolInfoBatch(vaultIds: readonly Hex[]): Promise<VaultProtocolInfo[]>;\n getVaultData(vaultId: Hex): Promise<VaultData>;\n getVaultProviderBtcPubKey(vpAddress: Address): Promise<OnChainBtcPubkey>;\n /** Read the protocol pegin fee (in wei) for a given vault provider. */\n getPegInFee(vaultProvider: Address): Promise<bigint>;\n /**\n * Read a vault provider's current commission in basis points.\n *\n * Validates the contract-enforced `[0, 9999]` range — an out-of-range\n * value signals a wrong contract address or ABI drift, not a real rate.\n */\n getVaultProviderCommission(vaultProvider: Address): Promise<number>;\n /**\n * Read `offchainParamsVersion` for many vaults in a single multicall.\n * Returns versions in the same order as the input. Throws if any vault\n * is missing on-chain.\n */\n getOffchainParamsVersionsByVaultIds(\n vaultIds: readonly Hex[],\n ): Promise<number[]>;\n}\n\n// ============================================================================\n// Protocol Params Types (from IProtocolParams.sol)\n// ============================================================================\n\n/**\n * TBV protocol parameters from the ProtocolParams contract.\n * Matches Solidity struct `IProtocolParams.TBVProtocolParams` exactly.\n *\n * All uint64 amounts use bigint (satoshi values can exceed 2^53).\n * uint8 uses number (bounded, max 255).\n */\nexport interface TBVProtocolParams {\n minimumPegInAmount: bigint;\n maxPegInAmount: bigint;\n pegInAckTimeout: bigint;\n pegInActivationTimeout: bigint;\n maxHtlcOutputCount: number;\n /**\n * Number of blocks added to the activation deadline as a grace window\n * during which a depositor may still reclaim an expired pegin via the\n * HTLC preimage. Source: `IProtocolParams.TBVProtocolParams.expiredPegInGraceBlocks`.\n */\n expiredPegInGraceBlocks: bigint;\n}\n\n/**\n * Versioned offchain parameters from the ProtocolParams contract.\n * Matches Solidity struct `IProtocolParams.VersionedOffchainParams` exactly.\n *\n * bigint for: uint256 timelocks, uint64 fee rates/amounts.\n * number for: uint8/uint16/uint32 fields (bounded, safe for JS arithmetic).\n */\nexport interface VersionedOffchainParams {\n timelockAssert: bigint;\n timelockChallengeAssert: bigint;\n securityCouncilKeys: Hex[];\n councilQuorum: number;\n feeRate: bigint;\n babeTotalInstances: number;\n babeInstancesToFinalize: number;\n minVpCommissionBps: number;\n tRefund: number;\n tStale: number;\n minPeginFeeRate: bigint;\n proverCircuitVersion: number;\n minPrepeginDepth: number;\n}\n\n/**\n * Combined peg-in configuration read atomically via multicall.\n * Prevents TOCTOU inconsistency if governance updates params between reads.\n */\nexport interface PegInConfiguration {\n minimumPegInAmount: bigint;\n maxPegInAmount: bigint;\n pegInAckTimeout: bigint;\n pegInActivationTimeout: bigint;\n maxHtlcOutputCount: number;\n expiredPegInGraceBlocks: bigint;\n timelockPegin: number;\n timelockRefund: number;\n minVpCommissionBps: number;\n offchainParams: VersionedOffchainParams;\n /**\n * Version label paired atomically with `offchainParams`.\n * Read in the same multicall as the params struct so that, if a parameter\n * update lands between separate reads, the script-construction code and\n * the version label stay consistent.\n */\n offchainParamsVersion: number;\n}\n\n/**\n * All offchain params snapshots indexed by version, plus the latest version\n * number known when the snapshot was taken. Used by consumers that need to\n * resolve any historical version (e.g. signing for an existing vault locked\n * to an older version).\n */\nexport interface AllOffchainParamsData {\n byVersion: Map<number, VersionedOffchainParams>;\n latestVersion: number;\n}\n\n/**\n * Optional observer invoked by `fetchAllOffchainParams` when a historical\n * version fails validation. Called once per skipped version so callers can\n * log/telemeter without coupling the SDK to a specific logger.\n */\nexport type OnSkippedOffchainParamsVersion = (\n version: number,\n error: Error,\n) => void;\n\n/** Interface for reading protocol parameters from the ProtocolParams contract. */\nexport interface ProtocolParamsReader {\n getTBVProtocolParams(): Promise<TBVProtocolParams>;\n getOffchainParamsByVersion(version: number): Promise<VersionedOffchainParams>;\n getLatestOffchainParams(): Promise<VersionedOffchainParams>;\n getLatestOffchainParamsVersion(): Promise<number>;\n getTimelockPeginByVersion(version: number): Promise<number>;\n getPegInConfiguration(): Promise<PegInConfiguration>;\n fetchAllOffchainParams(\n onSkippedVersion?: OnSkippedOffchainParamsVersion,\n ): Promise<AllOffchainParamsData>;\n}\n\n// ============================================================================\n// Signer-Set Types (from BTCVaultTypes.sol)\n// ============================================================================\n\n/**\n * Matches Solidity struct `BTCVaultTypes.AddressBTCKeyPair` exactly.\n * Used for vault keepers and universal challengers.\n */\nexport interface AddressBTCKeyPair {\n ethAddress: Address;\n btcPubKey: Hex;\n}\n\n/** Interface for reading vault keepers from the ApplicationRegistry contract. */\nexport interface VaultKeeperReader {\n getVaultKeepersByVersion(\n appEntryPoint: Address,\n version: number,\n ): Promise<AddressBTCKeyPair[]>;\n getCurrentVaultKeepers(\n appEntryPoint: Address,\n ): Promise<AddressBTCKeyPair[]>;\n getCurrentVaultKeepersVersion(appEntryPoint: Address): Promise<number>;\n}\n\n/** Interface for reading universal challengers from the ProtocolParams contract. */\nexport interface UniversalChallengerReader {\n getUniversalChallengersByVersion(\n version: number,\n ): Promise<AddressBTCKeyPair[]>;\n getCurrentUniversalChallengers(): Promise<AddressBTCKeyPair[]>;\n getLatestUniversalChallengersVersion(): Promise<number>;\n}\n","/**\n * Runtime validation for vault provider RPC responses.\n *\n * All VP RPC methods return untyped JSON that TypeScript generics cast without\n * inspection. These validators check the critical top-level fields and\n * security-relevant values (status, txids, pubkeys). Optional progress\n * sub-fields (gc_data, ack_collection, claimer_graphs) are NOT validated\n * since they are informational and not used for signing or transaction\n * construction. Only `progress.presigning` sub-fields are checked.\n */\n\nimport { CHALLENGE_ASSERT_CONNECTORS_PER_CHALLENGER } from \"../../primitives/psbt/constants\";\nimport {\n COMPRESSED_PUBKEY_HEX_LEN,\n X_ONLY_PUBKEY_HEX_LEN,\n} from \"../../primitives/utils/bitcoin\";\nimport { HEX_RE } from \"../../utils/validation\";\n\nimport { DaemonStatus } from \"./types\";\nimport type {\n BatchGetPeginStatusResponse,\n BatchGetPegoutStatusResponse,\n GetPeginStatusResponse,\n GetPegoutStatusResponse,\n RequestDepositorClaimerArtifactsResponse,\n RequestDepositorPresignTransactionsResponse,\n} from \"./types\";\n\nconst DAEMON_STATUS_VALUES = new Set<string>(Object.values(DaemonStatus));\n\nconst VP_ERROR_PREVIEW_MAX_LEN = 200;\n\nfunction preview(value: unknown): string {\n return (\n JSON.stringify(value)?.slice(0, VP_ERROR_PREVIEW_MAX_LEN) ?? \"undefined\"\n );\n}\n\nconst VP_VALIDATION_USER_MESSAGE =\n \"The vault provider returned an unexpected response. Please try again or contact support.\";\n\n/**\n * Thrown when a VP RPC response fails runtime validation.\n *\n * `.message` is a user-facing string safe to display in the UI.\n * `.detail` contains the technical reason, suitable for logging.\n */\nexport class VpResponseValidationError extends Error {\n readonly detail: string;\n\n constructor(detail: string) {\n super(VP_VALIDATION_USER_MESSAGE);\n this.name = \"VpResponseValidationError\";\n this.detail = detail;\n }\n}\n\n/** Expected length (in hex chars) of a Bitcoin transaction ID (32 bytes). */\nconst TXID_HEX_LEN = 64;\n\nfunction isNonEmptyHex(value: unknown): value is string {\n return typeof value === \"string\" && value.length > 0 && HEX_RE.test(value);\n}\n\nfunction isNonEmptyString(value: unknown): value is string {\n return typeof value === \"string\" && value.length > 0;\n}\n\nfunction assertNonEmptyHex(value: unknown, field: string): void {\n if (!isNonEmptyHex(value)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be a non-empty hex string, got ${preview(value)}`,\n );\n }\n}\n\nfunction assertNonEmptyString(value: unknown, field: string): void {\n if (!isNonEmptyString(value)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be a non-empty string, got ${preview(value)}`,\n );\n }\n}\n\n/**\n * Accept both x-only (64-char) and compressed (66-char) pubkeys from VP responses.\n * The signing code normalizes to x-only via processPublicKeyToXOnly().\n */\nfunction assertBtcPubkey(value: unknown, field: string): void {\n if (\n !isNonEmptyHex(value) ||\n (value.length !== X_ONLY_PUBKEY_HEX_LEN &&\n value.length !== COMPRESSED_PUBKEY_HEX_LEN)\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be a ${X_ONLY_PUBKEY_HEX_LEN} or ${COMPRESSED_PUBKEY_HEX_LEN}-char hex string (BTC pubkey), got ${preview(value)}`,\n );\n }\n}\n\n/**\n * Validate the optional presigning progress fields returned inside PeginProgressDetails.\n */\nfunction validatePresigningProgressFields(\n progress: Record<string, unknown>,\n): void {\n const presigning = progress.presigning;\n if (presigning === undefined || presigning === null) return;\n if (typeof presigning !== \"object\" || Array.isArray(presigning)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"progress.presigning\" must be an object if present`,\n );\n }\n\n const p = presigning as Record<string, unknown>;\n\n if (\n p.depositor_graph_created !== undefined &&\n typeof p.depositor_graph_created !== \"boolean\"\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"progress.presigning.depositor_graph_created\" must be a boolean if present, got ${preview(p.depositor_graph_created)}`,\n );\n }\n\n if (\n p.vk_challenger_presigning_completed !== undefined &&\n typeof p.vk_challenger_presigning_completed !== \"number\"\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"progress.presigning.vk_challenger_presigning_completed\" must be a number if present, got ${preview(p.vk_challenger_presigning_completed)}`,\n );\n }\n\n if (\n p.vk_challenger_presigning_total !== undefined &&\n typeof p.vk_challenger_presigning_total !== \"number\"\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"progress.presigning.vk_challenger_presigning_total\" must be a number if present, got ${preview(p.vk_challenger_presigning_total)}`,\n );\n }\n}\n\n/**\n * Validate a getPeginStatus response.\n *\n * Throws if the status field is not a recognized DaemonStatus value.\n */\nexport function validateGetPeginStatusResponse(\n response: unknown,\n): asserts response is GetPeginStatusResponse {\n if (response === null || typeof response !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: getPeginStatus response is not an object`,\n );\n }\n\n const r = response as Record<string, unknown>;\n\n if (!isNonEmptyHex(r.pegin_txid) || r.pegin_txid.length !== TXID_HEX_LEN) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"pegin_txid\" must be a ${TXID_HEX_LEN}-char hex string (txid), got ${preview(r.pegin_txid)}`,\n );\n }\n\n if (typeof r.status !== \"string\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"status\" must be a string`,\n );\n }\n\n if (!DAEMON_STATUS_VALUES.has(r.status)) {\n throw new VpResponseValidationError(\n `VP response validation failed: unrecognized status \"${r.status}\". Expected one of: ${[...DAEMON_STATUS_VALUES].join(\", \")}`,\n );\n }\n\n if (\n r.progress === null ||\n typeof r.progress !== \"object\" ||\n Array.isArray(r.progress)\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"progress\" must be an object`,\n );\n }\n\n validatePresigningProgressFields(r.progress as Record<string, unknown>);\n\n if (typeof r.health_info !== \"string\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"health_info\" must be a string`,\n );\n }\n\n if (r.last_error !== undefined && typeof r.last_error !== \"string\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"last_error\" must be a string if present, got ${preview(r.last_error)}`,\n );\n }\n}\n\n/**\n * Validate a requestDepositorPresignTransactions response.\n */\nexport function validateRequestDepositorPresignTransactionsResponse(\n response: unknown,\n): asserts response is RequestDepositorPresignTransactionsResponse {\n if (response === null || typeof response !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: requestDepositorPresignTransactions response is not an object`,\n );\n }\n\n const r = response as Record<string, unknown>;\n\n if (!Array.isArray(r.txs)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"txs\" must be an array`,\n );\n }\n\n for (let i = 0; i < r.txs.length; i++) {\n validateClaimerTransactions(r.txs[i], `txs[${i}]`);\n }\n\n if (r.depositor_graph === null || typeof r.depositor_graph !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"depositor_graph\" must be an object`,\n );\n }\n\n validateDepositorGraphTransactions(\n r.depositor_graph as Record<string, unknown>,\n );\n}\n\nfunction validateTransactionData(value: unknown, field: string): void {\n if (value === null || typeof value !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be an object`,\n );\n }\n const tx = value as Record<string, unknown>;\n assertNonEmptyHex(tx.tx_hex, `${field}.tx_hex`);\n}\n\nfunction validateClaimerTransactions(value: unknown, field: string): void {\n if (value === null || typeof value !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be an object`,\n );\n }\n\n const tx = value as Record<string, unknown>;\n\n assertBtcPubkey(tx.claimer_pubkey, `${field}.claimer_pubkey`);\n validateTransactionData(tx.claim_tx, `${field}.claim_tx`);\n validateTransactionData(tx.assert_tx, `${field}.assert_tx`);\n validateTransactionData(tx.payout_tx, `${field}.payout_tx`);\n assertNonEmptyString(tx.payout_psbt, `${field}.payout_psbt`);\n}\n\nfunction validateChallengeAssertConnectorData(\n value: unknown,\n field: string,\n): void {\n if (value === null || typeof value !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be an object`,\n );\n }\n\n const c = value as Record<string, unknown>;\n assertNonEmptyString(c.wots_pks_json, `${field}.wots_pks_json`);\n assertNonEmptyString(c.gc_wots_keys_json, `${field}.gc_wots_keys_json`);\n}\n\nfunction validatePresignDataPerChallenger(value: unknown, field: string): void {\n if (value === null || typeof value !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be an object`,\n );\n }\n\n const d = value as Record<string, unknown>;\n\n assertBtcPubkey(d.challenger_pubkey, `${field}.challenger_pubkey`);\n validateTransactionData(\n d.challenge_assert_x_tx,\n `${field}.challenge_assert_x_tx`,\n );\n validateTransactionData(\n d.challenge_assert_y_tx,\n `${field}.challenge_assert_y_tx`,\n );\n validateTransactionData(d.nopayout_tx, `${field}.nopayout_tx`);\n assertNonEmptyString(d.nopayout_psbt, `${field}.nopayout_psbt`);\n\n if (!Array.isArray(d.challenge_assert_connectors)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}.challenge_assert_connectors\" must be an array`,\n );\n }\n\n if (\n d.challenge_assert_connectors.length !==\n CHALLENGE_ASSERT_CONNECTORS_PER_CHALLENGER\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}.challenge_assert_connectors\" must have exactly ${CHALLENGE_ASSERT_CONNECTORS_PER_CHALLENGER} entries, got ${d.challenge_assert_connectors.length}`,\n );\n }\n\n for (let i = 0; i < d.challenge_assert_connectors.length; i++) {\n validateChallengeAssertConnectorData(\n d.challenge_assert_connectors[i],\n `${field}.challenge_assert_connectors[${i}]`,\n );\n }\n\n if (!Array.isArray(d.output_label_hashes)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}.output_label_hashes\" must be an array`,\n );\n }\n\n for (let i = 0; i < d.output_label_hashes.length; i++) {\n assertNonEmptyHex(\n d.output_label_hashes[i],\n `${field}.output_label_hashes[${i}]`,\n );\n }\n}\n\n/**\n * Validate a requestDepositorClaimerArtifacts response.\n */\nexport function validateRequestDepositorClaimerArtifactsResponse(\n response: unknown,\n): asserts response is RequestDepositorClaimerArtifactsResponse {\n if (response === null || typeof response !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: requestDepositorClaimerArtifacts response is not an object`,\n );\n }\n\n const r = response as Record<string, unknown>;\n\n if (!isNonEmptyString(r.tx_graph_json)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"tx_graph_json\" must be a non-empty string, got ${preview(r.tx_graph_json)}`,\n );\n }\n\n if (!isNonEmptyHex(r.verifying_key_hex)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"verifying_key_hex\" must be a non-empty hex string, got ${preview(r.verifying_key_hex)}`,\n );\n }\n\n if (\n r.babe_sessions === null ||\n typeof r.babe_sessions !== \"object\" ||\n Array.isArray(r.babe_sessions)\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"babe_sessions\" must be an object`,\n );\n }\n\n const sessionEntries = Object.entries(\n r.babe_sessions as Record<string, unknown>,\n );\n if (sessionEntries.length === 0) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"babe_sessions\" must contain at least one challenger entry`,\n );\n }\n\n for (const [key, session] of sessionEntries) {\n assertBtcPubkey(key, `babe_sessions[\"${key}\"]`);\n if (session === null || typeof session !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"babe_sessions.${key}\" must be an object`,\n );\n }\n const s = session as Record<string, unknown>;\n if (!isNonEmptyHex(s.decryptor_artifacts_hex)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"babe_sessions.${key}.decryptor_artifacts_hex\" must be a non-empty hex string, got ${preview(s.decryptor_artifacts_hex)}`,\n );\n }\n }\n}\n\n/**\n * Validate a single pegout status payload. Embedded by\n * `validateBatchGetPegoutStatusResponse`. Mirrors btc-vault\n * `crates/vaultd/src/rpc/server/pegout_status.rs::GetPegoutStatusResponse`.\n */\nexport function validateGetPegoutStatusResponse(\n response: unknown,\n): asserts response is GetPegoutStatusResponse {\n if (response === null || typeof response !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: pegout status payload is not an object`,\n );\n }\n\n const r = response as Record<string, unknown>;\n\n if (!isNonEmptyHex(r.pegin_txid) || r.pegin_txid.length !== TXID_HEX_LEN) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"pegin_txid\" must be a ${TXID_HEX_LEN}-char hex string (txid), got ${preview(r.pegin_txid)}`,\n );\n }\n\n if (typeof r.found !== \"boolean\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"found\" must be a boolean, got ${preview(r.found)}`,\n );\n }\n\n // `claimer` is `Option<ClaimerPegoutStatus>` server-side; null when absent.\n if (r.claimer !== null) {\n if (typeof r.claimer !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"claimer\" must be an object or null, got ${preview(r.claimer)}`,\n );\n }\n validateClaimerPegoutStatus(r.claimer as Record<string, unknown>);\n }\n\n // `challengers: Vec<ChallengerStatus>` server-side; always present (possibly empty).\n if (!Array.isArray(r.challengers)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"challengers\" must be an array, got ${preview(r.challengers)}`,\n );\n }\n for (let i = 0; i < r.challengers.length; i++) {\n validateChallengerStatus(r.challengers[i], i);\n }\n}\n\nfunction validateClaimerPegoutStatus(value: Record<string, unknown>): void {\n assertNonEmptyString(value.status, \"claimer.status\");\n if (typeof value.failed !== \"boolean\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"claimer.failed\" must be a boolean, got ${preview(value.failed)}`,\n );\n }\n assertNonEmptyString(value.claim_txid, \"claimer.claim_txid\");\n assertNonEmptyString(value.claimer_pubkey, \"claimer.claimer_pubkey\");\n assertNonEmptyString(value.assert_txid, \"claimer.assert_txid\");\n if (typeof value.created_at !== \"number\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"claimer.created_at\" must be a number, got ${preview(value.created_at)}`,\n );\n }\n if (typeof value.updated_at !== \"number\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"claimer.updated_at\" must be a number, got ${preview(value.updated_at)}`,\n );\n }\n}\n\nfunction validateChallengerStatus(value: unknown, index: number): void {\n if (value === null || typeof value !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"challengers[${index}]\" must be an object, got ${preview(value)}`,\n );\n }\n const c = value as Record<string, unknown>;\n assertNonEmptyString(c.status, `challengers[${index}].status`);\n assertNonEmptyString(c.claim_txid, `challengers[${index}].claim_txid`);\n assertNonEmptyString(c.claimer_pubkey, `challengers[${index}].claimer_pubkey`);\n assertNullableString(c.assert_txid, `challengers[${index}].assert_txid`);\n assertNullableString(\n c.challenge_assert_x_txid,\n `challengers[${index}].challenge_assert_x_txid`,\n );\n assertNullableString(\n c.challenge_assert_y_txid,\n `challengers[${index}].challenge_assert_y_txid`,\n );\n assertNullableString(c.nopayout_txid, `challengers[${index}].nopayout_txid`);\n if (typeof c.created_at !== \"number\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"challengers[${index}].created_at\" must be a number, got ${preview(c.created_at)}`,\n );\n }\n if (typeof c.updated_at !== \"number\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"challengers[${index}].updated_at\" must be a number, got ${preview(c.updated_at)}`,\n );\n }\n}\n\nfunction assertNullableString(value: unknown, field: string): void {\n if (value !== null && typeof value !== \"string\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${field}\" must be a string or null, got ${preview(value)}`,\n );\n }\n}\n\n/**\n * Validate a `batchGetPeginStatus` response. Per-result envelope shape:\n * `{ pegin_txid, result: GetPeginStatusResponse | null, error: string | null }`.\n * The inner result (when non-null) is validated via the single-item validator.\n */\nexport function validateBatchGetPeginStatusResponse(\n response: unknown,\n): asserts response is BatchGetPeginStatusResponse {\n validateBatchEnvelope(response, \"batchGetPeginStatus\", (entry) => {\n if (entry.result !== null) {\n validateGetPeginStatusResponse(entry.result);\n }\n });\n}\n\n/** Validate a `batchGetPegoutStatus` response. Same envelope as peginStatus. */\nexport function validateBatchGetPegoutStatusResponse(\n response: unknown,\n): asserts response is BatchGetPegoutStatusResponse {\n validateBatchEnvelope(response, \"batchGetPegoutStatus\", (entry) => {\n if (entry.result !== null) {\n validateGetPegoutStatusResponse(entry.result);\n }\n });\n}\n\ninterface BatchResultEnvelope {\n pegin_txid: string;\n result: unknown;\n error: string | null;\n}\n\nfunction validateBatchEnvelope(\n response: unknown,\n rpcName: string,\n validateInnerResult: (entry: BatchResultEnvelope, index: number) => void,\n): void {\n if (response === null || typeof response !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: ${rpcName} response is not an object`,\n );\n }\n const r = response as Record<string, unknown>;\n if (!Array.isArray(r.results)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${rpcName}.results\" must be an array, got ${preview(r.results)}`,\n );\n }\n for (let i = 0; i < r.results.length; i++) {\n const entry = r.results[i];\n if (entry === null || typeof entry !== \"object\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${rpcName}.results[${i}]\" must be an object, got ${preview(entry)}`,\n );\n }\n const e = entry as Record<string, unknown>;\n if (\n !isNonEmptyHex(e.pegin_txid) ||\n e.pegin_txid.length !== TXID_HEX_LEN\n ) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${rpcName}.results[${i}].pegin_txid\" must be a ${TXID_HEX_LEN}-char hex string, got ${preview(e.pegin_txid)}`,\n );\n }\n if (e.error !== null && typeof e.error !== \"string\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${rpcName}.results[${i}].error\" must be a string or null, got ${preview(e.error)}`,\n );\n }\n // Exactly one of `result` / `error` must be populated. The server only\n // ever sets one per item; treating both-null as a protocol violation\n // surfaces server bugs early instead of letting them silently degrade.\n if (e.result === null && e.error === null) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${rpcName}.results[${i}]\" has neither \"result\" nor \"error\" populated`,\n );\n }\n if (e.result !== null && e.error !== null) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"${rpcName}.results[${i}]\" has both \"result\" and \"error\" populated`,\n );\n }\n validateInnerResult(e as unknown as BatchResultEnvelope, i);\n }\n}\n\nfunction validateDepositorGraphTransactions(\n graph: Record<string, unknown>,\n): void {\n validateTransactionData(graph.claim_tx, \"depositor_graph.claim_tx\");\n validateTransactionData(graph.assert_tx, \"depositor_graph.assert_tx\");\n validateTransactionData(graph.payout_tx, \"depositor_graph.payout_tx\");\n assertNonEmptyString(graph.payout_psbt, \"depositor_graph.payout_psbt\");\n\n if (!Array.isArray(graph.challenger_presign_data)) {\n throw new VpResponseValidationError(\n `VP response validation failed: \"depositor_graph.challenger_presign_data\" must be an array`,\n );\n }\n\n for (let i = 0; i < graph.challenger_presign_data.length; i++) {\n validatePresignDataPerChallenger(\n graph.challenger_presign_data[i],\n `depositor_graph.challenger_presign_data[${i}]`,\n );\n }\n\n if (typeof graph.offchain_params_version !== \"number\") {\n throw new VpResponseValidationError(\n `VP response validation failed: \"depositor_graph.offchain_params_version\" must be a number`,\n );\n }\n}\n","/**\n * JSON-RPC client for the Vault Provider API.\n *\n * Wraps {@link JsonRpcClient} with typed methods matching the\n * `vaultProvider_*` RPC namespace defined in the btc-vault pegin spec.\n *\n * Implements the narrow service interfaces (PeginStatusReader, WotsKeySubmitter,\n * PresignClient, ClaimerArtifactsReader) so it can be passed directly to\n * any deposit protocol service function.\n *\n * @see https://github.com/babylonlabs-io/btc-vault/blob/main/docs/pegin.md\n */\n\nimport type { PeginStatusReader, WotsKeySubmitter, PresignClient, ClaimerArtifactsReader } from \"../../services/deposit/interfaces\";\n\nimport {\n type BearerTokenProvider,\n JsonRpcClient,\n type JsonRpcClientConfig,\n} from \"./json-rpc-client\";\nimport type {\n BatchGetPeginStatusParams,\n BatchGetPeginStatusResponse,\n BatchGetPegoutStatusParams,\n BatchGetPegoutStatusResponse,\n GetPeginStatusParams,\n GetPeginStatusResponse,\n RequestDepositorClaimerArtifactsParams,\n RequestDepositorClaimerArtifactsResponse,\n RequestDepositorPresignTransactionsParams,\n RequestDepositorPresignTransactionsResponse,\n SubmitDepositorPresignaturesParams,\n SubmitDepositorWotsKeyParams,\n} from \"./types\";\nimport {\n validateBatchGetPeginStatusResponse,\n validateBatchGetPegoutStatusResponse,\n validateGetPeginStatusResponse,\n validateRequestDepositorClaimerArtifactsResponse,\n validateRequestDepositorPresignTransactionsResponse,\n} from \"./validators\";\n\nexport interface VaultProviderRpcClientOptions {\n /** Timeout in milliseconds per request (default: 60000) */\n timeout?: number;\n /** Number of retry attempts for safe methods (default: 3) */\n retries?: number;\n /** Initial retry delay in milliseconds (default: 1000) */\n retryDelay?: number;\n /**\n * Custom retry predicate. Default retries only the idempotent read\n * methods: `getPeginStatus`, `batchGetPeginStatus`, `batchGetPegoutStatus`,\n * `requestDepositorPresignTransactions`.\n */\n retryableFor?: (method: string) => boolean;\n /** Custom headers. */\n headers?: Record<string, string>;\n /**\n * Per-request bearer-token source. A non-null return attaches\n * `Authorization: Bearer <token>`; `null` skips auth. Wire a\n * {@link VpTokenProvider} for depositor-gated methods.\n */\n tokenProvider?: BearerTokenProvider;\n /** Maximum response body size, in bytes, for typed JSON-RPC calls */\n maxResponseBytes?: number;\n}\n\nconst DEFAULT_TIMEOUT_MS = 60_000;\n\n/**\n * Concrete VP RPC client implementing all service interfaces.\n *\n * Usage:\n * ```ts\n * const client = new VaultProviderRpcClient(\"https://vp.example.com/rpc\");\n * const status = await client.getPeginStatus({ pegin_txid: \"abc...\" });\n * ```\n */\nexport class VaultProviderRpcClient\n implements PeginStatusReader, WotsKeySubmitter, PresignClient, ClaimerArtifactsReader\n{\n private client: JsonRpcClient;\n\n constructor(baseUrl: string, options?: VaultProviderRpcClientOptions) {\n const config: JsonRpcClientConfig = {\n baseUrl,\n timeout: options?.timeout ?? DEFAULT_TIMEOUT_MS,\n retries: options?.retries,\n retryDelay: options?.retryDelay,\n retryableFor: options?.retryableFor,\n headers: options?.headers,\n tokenProvider: options?.tokenProvider,\n maxResponseBytes: options?.maxResponseBytes,\n };\n this.client = new JsonRpcClient(config);\n }\n\n /**\n * Request the payout/claim/assert transactions that the depositor\n * needs to pre-sign before the vault can be activated on Bitcoin.\n */\n async requestDepositorPresignTransactions(\n params: RequestDepositorPresignTransactionsParams,\n signal?: AbortSignal,\n ): Promise<RequestDepositorPresignTransactionsResponse> {\n const response = await this.client.call<\n RequestDepositorPresignTransactionsParams,\n unknown\n >(\"vaultProvider_requestDepositorPresignTransactions\", params, signal);\n validateRequestDepositorPresignTransactionsResponse(response);\n return response;\n }\n\n /**\n * Submit the depositor's pre-signatures for the payout transactions\n * and the depositor-as-claimer graph.\n */\n async submitDepositorPresignatures(\n params: SubmitDepositorPresignaturesParams,\n signal?: AbortSignal,\n ): Promise<void> {\n return this.client.call<SubmitDepositorPresignaturesParams, void>(\n \"vaultProvider_submitDepositorPresignatures\",\n params,\n signal,\n );\n }\n\n /**\n * Submit the depositor's WOTS public key to the vault provider.\n * Called after the pegin is finalized on Ethereum, when the VP is in\n * `PendingDepositorWotsPK` status.\n */\n async submitDepositorWotsKey(\n params: SubmitDepositorWotsKeyParams,\n signal?: AbortSignal,\n ): Promise<void> {\n return this.client.call<SubmitDepositorWotsKeyParams, void>(\n \"vaultProvider_submitDepositorWotsKey\",\n params,\n signal,\n );\n }\n\n /**\n * Request the BaBe DecryptorArtifacts needed for the depositor to\n * independently evaluate garbled circuits during a challenge.\n */\n async requestDepositorClaimerArtifacts(\n params: RequestDepositorClaimerArtifactsParams,\n signal?: AbortSignal,\n ): Promise<RequestDepositorClaimerArtifactsResponse> {\n const response = await this.client.call<\n RequestDepositorClaimerArtifactsParams,\n unknown\n >(\"vaultProvider_requestDepositorClaimerArtifacts\", params, signal);\n validateRequestDepositorClaimerArtifactsResponse(response);\n return response;\n }\n\n /** Get the current pegin status from the vault provider daemon. */\n async getPeginStatus(\n params: GetPeginStatusParams,\n signal?: AbortSignal,\n ): Promise<GetPeginStatusResponse> {\n const response = await this.client.call<GetPeginStatusParams, unknown>(\n \"vaultProvider_getPeginStatus\",\n params,\n signal,\n );\n validateGetPeginStatusResponse(response);\n return response;\n }\n\n /**\n * Get pegin status for many txids in one round trip. Per-result envelope\n * isolates per-pegin failures from the overall RPC. Caller must chunk\n * inputs at `VP_BATCH_MAX_SIZE`.\n */\n async batchGetPeginStatus(\n params: BatchGetPeginStatusParams,\n signal?: AbortSignal,\n ): Promise<BatchGetPeginStatusResponse> {\n const response = await this.client.call<\n BatchGetPeginStatusParams,\n unknown\n >(\"vaultProvider_batchGetPeginStatus\", params, signal);\n validateBatchGetPeginStatusResponse(response);\n return response;\n }\n\n /**\n * Get pegout status for many txids in one round trip. Same per-result\n * envelope semantics as `batchGetPeginStatus`.\n */\n async batchGetPegoutStatus(\n params: BatchGetPegoutStatusParams,\n signal?: AbortSignal,\n ): Promise<BatchGetPegoutStatusResponse> {\n const response = await this.client.call<\n BatchGetPegoutStatusParams,\n unknown\n >(\"vaultProvider_batchGetPegoutStatus\", params, signal);\n validateBatchGetPegoutStatusResponse(response);\n return response;\n }\n}\n","/**\n * Defensive helper for attributing per-item results in a VP batch RPC\n * response back to the requested txids. The server promises 1:1 ordered\n * results, but we don't trust that promise — a server bug could duplicate,\n * skip, or scramble items, and silent attribution-by-array-index would\n * mask the bug.\n *\n * Lowercases all txids on both sides to absorb case mismatch (the FE\n * strips `0x` but doesn't otherwise normalize).\n *\n * @module tbv/core/clients/vault-provider/batchAttribution\n */\n\n/** Per-item entry in a VP batch response. */\nexport interface BatchResultEntry<T> {\n pegin_txid: string;\n result: T | null;\n error: string | null;\n}\n\n/** Output of {@link attributeBatchResults}. */\nexport interface BatchAttributionResult<T> {\n /** Lowercase requested txid -> per-item envelope. */\n byTxid: Map<string, { result: T | null; error: string | null }>;\n /** Requested txids that did not appear in the response. */\n missing: string[];\n /** Echoed txids that were not in the request — logged + dropped. */\n unexpected: string[];\n /** Echoed txids that appeared more than once — first kept, rest dropped. */\n duplicate: string[];\n}\n\n/**\n * Attribute batch results to requested txids defensively.\n *\n * Both `requestedTxids` and the echoed `pegin_txid` field on each result\n * are lowercased before lookup. Duplicates and unexpected echoes are\n * surfaced so callers can flag the affected items as errored rather than\n * silently overwriting state.\n *\n * `requestedTxids` may contain duplicates; they are de-duplicated for the\n * purposes of map keys (each unique txid becomes a single map entry).\n */\nexport function attributeBatchResults<T>(\n requestedTxids: string[],\n results: ReadonlyArray<BatchResultEntry<T>>,\n): BatchAttributionResult<T> {\n const requestedSet = new Set<string>();\n for (const txid of requestedTxids) {\n requestedSet.add(txid.toLowerCase());\n }\n\n const byTxid = new Map<\n string,\n { result: T | null; error: string | null }\n >();\n const seen = new Set<string>();\n const duplicate: string[] = [];\n const unexpected: string[] = [];\n\n for (const entry of results) {\n const lower = entry.pegin_txid.toLowerCase();\n if (!requestedSet.has(lower)) {\n unexpected.push(lower);\n continue;\n }\n if (seen.has(lower)) {\n duplicate.push(lower);\n continue;\n }\n seen.add(lower);\n byTxid.set(lower, { result: entry.result, error: entry.error });\n }\n\n const missing: string[] = [];\n for (const txid of requestedSet) {\n if (!seen.has(txid)) missing.push(txid);\n }\n\n return { byTxid, missing, unexpected, duplicate };\n}\n","/**\n * Generic chunk + attribute + dispatch loop for VP batch RPCs.\n *\n * Wraps {@link attributeBatchResults} with chunking and per-callback\n * dispatch so the FE polling hooks (and any future SDK consumer) only\n * have to declare per-item handlers — chunking by `VP_BATCH_MAX_SIZE`,\n * lowercase txid normalization, missing/duplicate/unexpected\n * surfacing, and the duplicate-skip invariant in the byTxid loop are\n * all owned here.\n *\n * @module tbv/core/clients/vault-provider/batchPoll\n */\n\nimport {\n attributeBatchResults,\n type BatchResultEntry,\n} from \"./batchAttribution\";\nimport { VP_BATCH_MAX_SIZE } from \"./types\";\n\nexport interface BatchPollByProviderOptions<TItem, TResult> {\n /** Items to poll for this provider, e.g. `DepositToPoll[]`. */\n items: TItem[];\n /** Extract the canonical txid for each item. Helper lowercases it. */\n getTxid: (item: TItem) => string;\n /**\n * Per-chunk RPC call. Receives lowercased txids; returns the batch\n * envelope. Caller wraps `rpcClient.batchGet*Status({ pegin_txids })`.\n */\n batchCall: (\n txids: string[],\n ) => Promise<{ results: ReadonlyArray<BatchResultEntry<TResult>> }>;\n /**\n * Handle a per-item envelope. Exactly one of `result` / `error` is\n * populated (validator invariant). Caller decides UI state, logging,\n * etc. Not invoked for txids surfaced via {@link onDuplicate}.\n *\n * Note: `envelope.pegin_txid` is the lowercased txid the helper\n * sent in the request, not whatever case/encoding the server echoed.\n */\n onItem: (item: TItem, envelope: BatchResultEntry<TResult>) => void;\n /** Server omitted this item from the response. */\n onMissing: (item: TItem) => void;\n /** Server returned this item more than once. Caller picks UI state. */\n onDuplicate: (item: TItem) => void;\n /**\n * Optional aggregate signal for an entire chunk where the server\n * returned duplicates. Fires once per chunk (only if `count > 0`)\n * AFTER all per-item `onDuplicate` dispatches. Caller typically logs\n * the count alongside the provider name.\n */\n onDuplicateBatch?: (count: number) => void;\n /**\n * The whole chunk's RPC call failed (transport or response\n * validation). Receives the chunk and the error. Caller decides how\n * to project that onto per-item state.\n */\n onWholeBatchError: (chunk: TItem[], error: unknown) => void;\n /**\n * Server returned txids that were not in the request. Caller\n * typically logs the count for observability — there's no recovery\n * action since the original request items are unaffected. Optional;\n * defaults to no-op.\n */\n onUnexpected?: (echoedTxids: string[]) => void;\n /**\n * Maximum items per RPC call. Defaults to {@link VP_BATCH_MAX_SIZE}.\n * Exposed for tests so chunking can be exercised without 50+\n * fixtures.\n */\n batchSize?: number;\n}\n\nexport async function batchPollByProvider<TItem, TResult>(\n options: BatchPollByProviderOptions<TItem, TResult>,\n): Promise<void> {\n const {\n items,\n getTxid,\n batchCall,\n onItem,\n onMissing,\n onDuplicate,\n onDuplicateBatch,\n onWholeBatchError,\n onUnexpected,\n batchSize = VP_BATCH_MAX_SIZE,\n } = options;\n\n if (!Number.isInteger(batchSize) || batchSize <= 0) {\n throw new Error(\n `batchPollByProvider: batchSize must be a positive integer, got ${batchSize}`,\n );\n }\n\n for (let i = 0; i < items.length; i += batchSize) {\n const chunk = items.slice(i, i + batchSize);\n const txidToItem = new Map<string, TItem>();\n const txids: string[] = [];\n for (const item of chunk) {\n const lowerTxid = getTxid(item).toLowerCase();\n txidToItem.set(lowerTxid, item);\n txids.push(lowerTxid);\n }\n\n // Both the RPC call and attribution sit inside the same try/catch\n // so a malformed-batch validator throw is routed through\n // `onWholeBatchError` rather than aborting the polling pass.\n let attribution;\n try {\n const response = await batchCall(txids);\n attribution = attributeBatchResults<TResult>(txids, response.results);\n } catch (error) {\n onWholeBatchError(chunk, error);\n continue;\n }\n\n if (onUnexpected && attribution.unexpected.length > 0) {\n onUnexpected(attribution.unexpected);\n }\n\n const duplicateTxids = new Set(attribution.duplicate);\n for (const txid of duplicateTxids) {\n const item = txidToItem.get(txid);\n if (item) onDuplicate(item);\n }\n if (onDuplicateBatch && duplicateTxids.size > 0) {\n onDuplicateBatch(duplicateTxids.size);\n }\n for (const txid of attribution.missing) {\n const item = txidToItem.get(txid);\n if (item) onMissing(item);\n }\n for (const [txid, envelope] of attribution.byTxid) {\n // Skip duplicates — already dispatched via onDuplicate above.\n if (duplicateTxids.has(txid)) continue;\n const item = txidToItem.get(txid);\n if (!item) continue;\n onItem(item, {\n pegin_txid: txid,\n result: envelope.result,\n error: envelope.error,\n });\n }\n }\n}\n","/**\n * BIP-322 \"simple\" signature verification for P2TR key-path.\n *\n * Mirrors the Rust reference in\n * `btc-vault/crates/btc-signer/src/message.rs::verify_bip322_message`\n * (which delegates to `rust-bitcoin::bip322::verify_simple` for a\n * P2TR key-path-only address with no merkle root).\n *\n * The algorithm:\n *\n * 1. Compute the BIP-322 tagged-hash of the message:\n * m_hash = SHA256( SHA256(tag) || SHA256(tag) || message )\n * where tag = \"BIP0322-signed-message\".\n *\n * 2. Build a virtual \"to_spend\" transaction with one input (prevout\n * all-zero txid + 0xFFFFFFFF vout, scriptSig = `OP_0 PUSH32 m_hash`,\n * sequence = 0) and one output (value 0, scriptPubKey = P2TR for\n * the signer's x-only pubkey).\n *\n * 3. Build a \"to_sign\" transaction that spends to_spend[0] and has a\n * single `OP_RETURN` output (value 0).\n *\n * 4. Compute the BIP-341 taproot sighash of to_sign input 0 with\n * SIGHASH_DEFAULT (0x00).\n *\n * 5. Verify the 64-byte Schnorr signature against the **tweaked**\n * output key `Q = P + tap_tweak(P) * G`, where `tap_tweak(P) =\n * hash_TapTweak(serialize_x_only(P))` (no merkle root — key-path\n * only).\n *\n * `bitcoinjs-lib` handles (2)–(4); `tiny-secp256k1-asmjs` provides\n * the tweak and Schnorr verify. Pulling in a full BIP-322 library\n * would add a peer dep for what amounts to ~40 lines of glue.\n *\n * @module tbv/core/clients/vault-provider/auth/bip322Verify\n */\n\nimport * as ecc from \"@bitcoin-js/tiny-secp256k1-asmjs\";\nimport { payments, Transaction } from \"bitcoinjs-lib\";\n\nimport { Buffer } from \"buffer\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n\n/** BIP-322 message tag (BIP-340 tagged-hash style). */\nconst BIP322_TAG = \"BIP0322-signed-message\";\n\n/** BIP-341 taproot-tweak tag. */\nconst TAPTWEAK_TAG = \"TapTweak\";\n\nconst X_ONLY_PUBKEY_SIZE = 32;\nconst SCHNORR_SIG_SIZE = 64;\n\n/**\n * BIP-340 tagged hash: `SHA256( SHA256(tag) || SHA256(tag) || data )`.\n * Used for both BIP-322 message hashing and BIP-341 tap-tweak.\n */\nfunction taggedHash(tag: string, data: Uint8Array): Uint8Array {\n const tagBytes = new TextEncoder().encode(tag);\n const tagHash = sha256(tagBytes);\n const preimage = new Uint8Array(tagHash.length * 2 + data.length);\n preimage.set(tagHash, 0);\n preimage.set(tagHash, tagHash.length);\n preimage.set(data, tagHash.length * 2);\n return sha256(preimage);\n}\n\n/**\n * Apply BIP-341 taproot tweak to an x-only pubkey with no merkle\n * root (key-path-only address).\n *\n * `tap_tweak = hash_TapTweak(P)`\n * `Q = P + tap_tweak * G` (x-only, even-Y parity)\n *\n * Returns the tweaked 32-byte x-only pubkey, or null if the tweak\n * produces a point-at-infinity or invalid result.\n */\nfunction tweakXOnlyKey(xOnly: Uint8Array): Uint8Array | null {\n if (xOnly.length !== X_ONLY_PUBKEY_SIZE) return null;\n const tweak = taggedHash(TAPTWEAK_TAG, xOnly);\n const tweaked = ecc.xOnlyPointAddTweak(xOnly, tweak);\n return tweaked ? tweaked.xOnlyPubkey : null;\n}\n\n/**\n * Verify a BIP-322 \"simple\" P2TR key-path signature over an arbitrary\n * byte message.\n *\n * @internal Exposed only so the golden-vector test suite can pin the\n * verifier independently of `verifyServerIdentity`. Production callers\n * should use `verifyServerIdentity` from `./serverIdentity` instead.\n *\n * @param messageBytes - The bytes that were signed (e.g. a CBOR-encoded\n * payload). Not pre-hashed; this function applies\n * the BIP-322 tagged hash internally.\n * @param xOnlyPubkey - 32-byte x-only pubkey of the signer (pre-tweak).\n * @param signature - 64-byte raw Schnorr signature (BIP-340), as\n * emitted by a key-path witness with\n * SIGHASH_DEFAULT.\n * @returns `true` if the signature verifies against the address\n * derived from `xOnlyPubkey`; `false` otherwise.\n */\nexport function verifyBip322Simple(\n messageBytes: Uint8Array,\n xOnlyPubkey: Uint8Array,\n signature: Uint8Array,\n): boolean {\n if (xOnlyPubkey.length !== X_ONLY_PUBKEY_SIZE) return false;\n if (signature.length !== SCHNORR_SIG_SIZE) return false;\n\n // Any exception from the underlying crypto libraries (e.g. the\n // `Expected Point` error `tiny-secp256k1` throws when the supplied\n // 32 bytes don't represent a valid x-coordinate on secp256k1) is\n // treated as a verification failure rather than propagated — a\n // verifier MUST return a boolean, not raise.\n try {\n // Step 1: BIP-322 tagged hash of the message.\n const messageHash = taggedHash(BIP322_TAG, messageBytes);\n\n // Step 2: scriptPubKey for the signer's P2TR key-path-only address.\n // bitcoinjs-lib's `payments.p2tr({ internalPubkey })` computes the\n // tweak and produces the `OP_1 <tweaked_xonly>` output script.\n const p2tr = payments.p2tr({\n internalPubkey: Buffer.from(xOnlyPubkey),\n });\n if (!p2tr.output) return false;\n const scriptPubKey = p2tr.output;\n\n // Step 3: build to_spend virtual tx.\n //\n // NOTE: bitcoinjs-lib v6.x's `Transaction.addOutput` and\n // `hashForWitnessV1` are typed for `Satoshi` (a UInt53 number),\n // not `bigint`. Passing `BigInt(0)` triggers a typeforce\n // assertion in `addOutput` (\"Expected property '1' of type\n // Satoshi, got BigInt 0\") which our outer try/catch silently\n // turns into `verify -> false`. Use plain `0` everywhere.\n const ZERO_SATS = 0;\n const toSpend = new Transaction();\n toSpend.version = 0;\n toSpend.locktime = 0;\n // scriptSig: OP_0 (0x00) + OP_PUSHBYTES_32 (0x20) + message_hash (32B)\n const scriptSig = Buffer.concat([\n Buffer.from([0x00, 0x20]),\n Buffer.from(messageHash),\n ]);\n toSpend.addInput(\n Buffer.alloc(32, 0), // prev_txid = 0x0000...0000\n 0xffffffff, // prev_vout = 0xFFFFFFFF\n 0, // sequence = 0\n scriptSig,\n );\n toSpend.addOutput(scriptPubKey, ZERO_SATS);\n\n // Step 4: build to_sign virtual tx spending to_spend[0].\n const toSign = new Transaction();\n toSign.version = 0;\n toSign.locktime = 0;\n // Bitcoin txid in natural-byte (little-endian) form.\n const toSpendTxid = toSpend.getHash();\n toSign.addInput(toSpendTxid, 0, 0);\n toSign.addOutput(Buffer.from([0x6a]), ZERO_SATS); // OP_RETURN\n\n // Step 5: taproot sighash for to_sign input 0 (SIGHASH_DEFAULT).\n const sighash = toSign.hashForWitnessV1(\n 0,\n [scriptPubKey],\n [ZERO_SATS],\n Transaction.SIGHASH_DEFAULT,\n );\n\n // Step 6: tweak the x-only pubkey (no merkle root) and verify Schnorr.\n const tweakedXOnly = tweakXOnlyKey(xOnlyPubkey);\n if (!tweakedXOnly) return false;\n\n return ecc.verifySchnorr(sighash, tweakedXOnly, signature);\n } catch {\n return false;\n }\n}\n","/**\n * Minimal CBOR encoder for the server-identity payload shape.\n *\n * We only need to encode one specific CBOR structure — the 3-tuple\n * `(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey_bytes, expires_at_u64)` —\n * byte-for-byte identical to what the Rust `ciborium` crate produces\n * for the corresponding tuple, because that's the exact message the\n * VP signs with BIP-322.\n *\n * IMPORTANT encoding quirk: the Rust side passes the domain and\n * pubkey as `&[u8]` / `Vec<u8>` without a `#[serde(with = \"serde_bytes\")]`\n * attribute, so serde/ciborium encodes them as **CBOR arrays of u8**\n * (major type 4, one item per byte) — NOT as CBOR byte strings (major\n * type 2). A naive byte-string encoding would produce the wrong bytes\n * and signature verification would fail.\n *\n * Rather than pull in a full CBOR dependency for this one shape, we\n * implement the exact subset inline (~40 LOC) and pin it with golden\n * vectors against the Rust reference output.\n *\n * @module tbv/core/clients/vault-provider/auth/cbor\n */\n\n/**\n * Encode a small CBOR unsigned-integer \"head\" byte for major type\n * `major` (0..7) with argument `arg` (0..2^64-1).\n *\n * Returns the header bytes; the caller concatenates any trailing data\n * (e.g. array elements). Encoding rules:\n * arg < 24 → single byte `(major << 5) | arg`\n * arg < 256 → `(major << 5) | 24` + 1-byte arg\n * arg < 65536 → `(major << 5) | 25` + 2-byte BE arg\n * arg < 2^32 → `(major << 5) | 26` + 4-byte BE arg\n * arg < 2^64 → `(major << 5) | 27` + 8-byte BE arg\n */\nfunction cborHead(major: number, arg: number | bigint): Uint8Array {\n const tag = (major & 0x07) << 5;\n const n = typeof arg === \"bigint\" ? arg : BigInt(arg);\n if (n < 0n) throw new Error(\"cborHead: negative argument\");\n\n if (n < 24n) return new Uint8Array([tag | Number(n)]);\n if (n < 0x100n) return new Uint8Array([tag | 24, Number(n)]);\n if (n < 0x10000n) {\n const v = Number(n);\n return new Uint8Array([tag | 25, (v >>> 8) & 0xff, v & 0xff]);\n }\n if (n < 0x1_0000_0000n) {\n const v = Number(n);\n return new Uint8Array([\n tag | 26,\n (v >>> 24) & 0xff,\n (v >>> 16) & 0xff,\n (v >>> 8) & 0xff,\n v & 0xff,\n ]);\n }\n // 8-byte BE for u64 range\n const out = new Uint8Array(9);\n out[0] = tag | 27;\n for (let i = 7; i >= 0; i--) {\n out[1 + i] = Number(n >> BigInt((7 - i) * 8)) & 0xff;\n }\n return out;\n}\n\nfunction concat(...parts: Uint8Array[]): Uint8Array {\n const total = parts.reduce((s, p) => s + p.length, 0);\n const out = new Uint8Array(total);\n let offset = 0;\n for (const p of parts) {\n out.set(p, offset);\n offset += p.length;\n }\n return out;\n}\n\n/**\n * Encode a `Vec<u8>` / `&[u8]` the way ciborium does by default — as a\n * CBOR array of u8 (major type 4), one element per byte.\n *\n * Each byte becomes a CBOR unsigned integer (major type 0): bytes\n * < 24 are encoded as single bytes, bytes 24..255 as `0x18 XX`.\n */\nfunction encodeBytesAsArrayOfU8(bytes: Uint8Array): Uint8Array {\n const header = cborHead(4, bytes.length);\n const items: Uint8Array[] = [header];\n for (const b of bytes) {\n items.push(cborHead(0, b));\n }\n return concat(...items);\n}\n\n/**\n * Encode the server-identity payload the Rust side signs:\n *\n * ciborium::into_writer(\n * &(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey.serialize().to_vec(), expires_at),\n * buf\n * )\n *\n * Output bytes are byte-for-byte identical to the Rust reference,\n * pinned by the golden vector in the corresponding test file.\n *\n * @internal Exposed only for the golden-vector test that pins this\n * encoding against ciborium's output. Production callers reach this\n * via `verifyServerIdentity` from `./serverIdentity`.\n *\n * @param domain - Must be `\"btc-auth.server-identity.v1\"` (27 bytes)\n * — the constant from btc-vault's `server_identity.rs`.\n * @param ephemeralPubkeyCompressed - 33-byte SEC1-compressed pubkey.\n * @param expiresAt - Unix timestamp (seconds). Must be a safe integer.\n */\nexport function encodeServerIdentityPayload(\n domain: Uint8Array,\n ephemeralPubkeyCompressed: Uint8Array,\n expiresAt: number,\n): Uint8Array {\n if (!Number.isSafeInteger(expiresAt) || expiresAt < 0) {\n throw new Error(\n `encodeServerIdentityPayload: expires_at must be a non-negative safe integer, got ${expiresAt}`,\n );\n }\n const arrayHeader = cborHead(4, 3); // 3-tuple encoded as array of 3\n const domainBytes = encodeBytesAsArrayOfU8(domain);\n const pubkeyBytes = encodeBytesAsArrayOfU8(ephemeralPubkeyCompressed);\n const expiresAtBytes = cborHead(0, expiresAt);\n return concat(arrayHeader, domainBytes, pubkeyBytes, expiresAtBytes);\n}\n","/**\n * Server-identity verification for the vault provider's\n * `auth_createDepositorToken` response.\n *\n * The VP returns a `ServerIdentityResponse` bundled with every issued\n * token:\n *\n * - `server_pubkey`: VP's persistent x-only pubkey (HEX, 32B)\n * - `ephemeral_pubkey`: VP's ephemeral token-signing key (HEX, 33B compressed)\n * - `expires_at`: Unix timestamp when the ephemeral key expires\n * - `signature`: BIP-322 signature by the persistent key over\n * `(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey, expires_at)`\n *\n * The FE pins `server_pubkey` against the on-chain `VaultProvider.btcPubKey`\n * it reads from the registry contract. A mismatch rejects the token.\n *\n * @module tbv/core/clients/vault-provider/auth/serverIdentity\n */\n\nimport * as ecc from \"@bitcoin-js/tiny-secp256k1-asmjs\";\n\nimport {\n COMPRESSED_PUBKEY_HEX_LEN,\n SCHNORR_SIG_HEX_LEN,\n stripHexPrefix,\n X_ONLY_PUBKEY_HEX_LEN,\n} from \"../../../primitives/utils/bitcoin\";\nimport { HEX_RE } from \"../../../utils/validation\";\n\nimport { verifyBip322Simple } from \"./bip322Verify\";\nimport { encodeServerIdentityPayload } from \"./cbor\";\n\n/**\n * Byte-string domain the btc-vault Rust reference passes as the first\n * element of the CBOR tuple signed over for server-identity proofs.\n * Must match `SERVER_IDENTITY_DOMAIN` in\n * `btc-vault/crates/btc-auth/src/server_identity.rs`.\n */\nconst SERVER_IDENTITY_DOMAIN = new TextEncoder().encode(\n \"btc-auth.server-identity.v1\",\n);\n\n/**\n * Cap on `proof.expires_at - now`. Bounds how long a leaked VP\n * ephemeral key stays usable; the bearer token's own TTL does not\n * (different trust boundary). 2h = Rust ref VP's 1h rotation × 2 for\n * clock skew. Override per call via `maxLifetimeSecs`.\n */\nconst DEFAULT_MAX_PROOF_LIFETIME_SECS = 2 * 3600;\n\n/**\n * Wire representation from btc-vault's `ServerIdentityResponse`.\n */\nexport interface ServerIdentityResponse {\n /** Hex-encoded x-only (32-byte) persistent server pubkey. */\n server_pubkey: string;\n /** Hex-encoded compressed (33-byte) ephemeral token-signing pubkey. */\n ephemeral_pubkey: string;\n /** Unix timestamp at which the ephemeral key expires. */\n expires_at: number;\n /** Hex-encoded 64-byte BIP-322 Schnorr signature. */\n signature: string;\n}\n\nexport interface VerifyServerIdentityInput {\n /** The proof returned by `auth_createDepositorToken`. */\n proof: ServerIdentityResponse;\n /**\n * The x-only persistent server pubkey the FE expects (sourced from\n * the on-chain `VaultProvider.btcPubKey` via the vault registry\n * reader). 64-char lowercase hex, no `0x` prefix.\n */\n pinnedServerPubkey: string;\n /** Current Unix timestamp in seconds. Injected for testability. */\n now: number;\n /** Cap on `proof.expires_at - now` (seconds). Defaults to {@link DEFAULT_MAX_PROOF_LIFETIME_SECS}. */\n maxLifetimeSecs?: number;\n}\n\nexport class ServerIdentityError extends Error {\n constructor(\n message: string,\n public readonly reason:\n | \"pinned_pubkey_mismatch\"\n | \"expired\"\n | \"expires_too_far\"\n | \"invalid_expires_at\"\n | \"invalid_max_lifetime\"\n | \"invalid_pubkey_encoding\"\n | \"invalid_ephemeral_pubkey\"\n | \"invalid_signature_encoding\"\n | \"signature_verification_failed\",\n ) {\n super(message);\n this.name = \"ServerIdentityError\";\n }\n}\n\n/** Parse a lowercase-hex string to bytes. Expects even length, already validated. */\nfunction hexToBytes(hex: string): Uint8Array {\n const out = new Uint8Array(hex.length / 2);\n for (let i = 0; i < out.length; i++) {\n out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);\n }\n return out;\n}\n\n\n/**\n * Verify a server identity proof against a pinned server pubkey.\n *\n * Checks:\n * 1. `server_pubkey` matches the pin.\n * 2. `now < expires_at <= now + maxLifetimeSecs` (with integer guards).\n * 3. `ephemeral_pubkey` is a well-formed 33-byte compressed pubkey.\n * 4. `signature` is a well-formed 64-byte Schnorr hex string.\n * 5. The BIP-322 Schnorr signature cryptographically verifies\n * against `server_pubkey` over the CBOR-encoded tuple\n * `(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey, expires_at)`.\n *\n * Step 5 is what actually binds the ephemeral key to the persistent\n * pubkey — without it, a TLS-MITM attacker who reads the pinned\n * pubkey from the on-chain registry could substitute an arbitrary\n * ephemeral pubkey paired with any lexically-valid signature.\n *\n * @throws ServerIdentityError on any validation failure.\n */\nexport function verifyServerIdentity(input: VerifyServerIdentityInput): void {\n const { proof, pinnedServerPubkey, now } = input;\n const maxLifetimeSecs =\n input.maxLifetimeSecs ?? DEFAULT_MAX_PROOF_LIFETIME_SECS;\n\n const pinned = stripHexPrefix(pinnedServerPubkey).toLowerCase();\n if (pinned.length !== X_ONLY_PUBKEY_HEX_LEN || !HEX_RE.test(pinned)) {\n throw new ServerIdentityError(\n `pinnedServerPubkey must be 32-byte hex; got ${pinned.length} chars`,\n \"invalid_pubkey_encoding\",\n );\n }\n\n const actual = stripHexPrefix(proof.server_pubkey).toLowerCase();\n if (actual.length !== X_ONLY_PUBKEY_HEX_LEN || !HEX_RE.test(actual)) {\n throw new ServerIdentityError(\n `server_pubkey must be 32-byte hex; got ${actual.length} chars`,\n \"invalid_pubkey_encoding\",\n );\n }\n\n if (actual !== pinned) {\n throw new ServerIdentityError(\n `server_pubkey does not match pinned value: expected ${pinned}, got ${actual}`,\n \"pinned_pubkey_mismatch\",\n );\n }\n\n // Validate both sides of the comparison are well-formed integers\n // BEFORE comparing — untrusted JSON-RPC input can supply\n // undefined/NaN/string values for `expires_at`, and relational\n // comparisons with those silently evaluate to `false` (accepting the\n // proof). Caller's `now` is injected but we still sanity-check it.\n // Garbage data and \"valid but past\" both render the proof unusable\n // but mean different things to a caller — keep the reasons distinct.\n if (!Number.isSafeInteger(proof.expires_at)) {\n throw new ServerIdentityError(\n `expires_at must be a finite integer; got ${JSON.stringify(proof.expires_at)}`,\n \"invalid_expires_at\",\n );\n }\n if (!Number.isSafeInteger(now)) {\n throw new ServerIdentityError(\n `now must be a finite integer; got ${JSON.stringify(now)}`,\n \"invalid_expires_at\",\n );\n }\n if (proof.expires_at <= now) {\n throw new ServerIdentityError(\n `server identity proof expired at ${proof.expires_at}, now ${now}`,\n \"expired\",\n );\n }\n if (!Number.isSafeInteger(maxLifetimeSecs) || maxLifetimeSecs <= 0) {\n throw new ServerIdentityError(\n `maxLifetimeSecs must be a positive safe integer; got ${JSON.stringify(maxLifetimeSecs)}`,\n \"invalid_max_lifetime\",\n );\n }\n if (proof.expires_at - now > maxLifetimeSecs) {\n throw new ServerIdentityError(\n `server identity proof expires too far in the future: ` +\n `expires_at=${proof.expires_at}, now=${now}, max lifetime=${maxLifetimeSecs}s`,\n \"expires_too_far\",\n );\n }\n\n const eph = stripHexPrefix(proof.ephemeral_pubkey).toLowerCase();\n if (eph.length !== COMPRESSED_PUBKEY_HEX_LEN || !HEX_RE.test(eph)) {\n throw new ServerIdentityError(\n `ephemeral_pubkey must be 33-byte compressed hex; got ${eph.length} chars`,\n \"invalid_ephemeral_pubkey\",\n );\n }\n const prefix = eph.slice(0, 2);\n if (prefix !== \"02\" && prefix !== \"03\") {\n throw new ServerIdentityError(\n `ephemeral_pubkey must be compressed (prefix 02/03); got ${prefix}`,\n \"invalid_ephemeral_pubkey\",\n );\n }\n // Curve validation. The BIP-322 signature attests to the byte string\n // of `ephemeral_pubkey` only, not to its curve validity. Without\n // this check, a server could sign a structurally-valid byte string\n // that doesn't decode to a secp256k1 point — passing verification\n // here and surfacing as an obscure crypto error later when the\n // depositor tries to use the key. Reject up front.\n const ephBytes = hexToBytes(eph);\n if (!ecc.isPoint(ephBytes)) {\n throw new ServerIdentityError(\n \"ephemeral_pubkey is not a valid secp256k1 point\",\n \"invalid_ephemeral_pubkey\",\n );\n }\n\n const sig = stripHexPrefix(proof.signature).toLowerCase();\n if (sig.length !== SCHNORR_SIG_HEX_LEN || !HEX_RE.test(sig)) {\n throw new ServerIdentityError(\n `signature must be 64-byte Schnorr hex; got ${sig.length} chars`,\n \"invalid_signature_encoding\",\n );\n }\n\n // Cryptographic verification of the BIP-322 signature over the\n // CBOR-encoded payload. Without this, the ephemeral-key binding is\n // unenforced and a TLS-MITM could substitute a fake ephemeral key\n // alongside the real (publicly-readable) pinned pubkey.\n const payload = encodeServerIdentityPayload(\n SERVER_IDENTITY_DOMAIN,\n hexToBytes(eph),\n proof.expires_at,\n );\n const verified = verifyBip322Simple(payload, hexToBytes(actual), hexToBytes(sig));\n if (!verified) {\n throw new ServerIdentityError(\n \"BIP-322 signature verification failed — ephemeral key is not attested by pinned server pubkey\",\n \"signature_verification_failed\",\n );\n }\n}\n","/**\n * VP RPC methods that require `Authorization: Bearer <token>`.\n * Protocol invariant — must be kept in sync with the VP server.\n *\n * Split into two sets by the CWT subject the VP demands:\n *\n * - {@link AUTH_GATED_METHODS} — bearer minted by\n * `auth_createDepositorToken` (Subject::VaultdJsonRpc). These run\n * through the proxy's plain JSON-RPC forward path.\n * - {@link GRPC_AUTH_GATED_METHODS} — bearer minted by\n * `auth_createDepositorTokenGrpc` (Subject::VaultdGrpc). The proxy\n * translates these into gRPC calls to vaultd's daemon gRPC server,\n * so a JSON-RPC-subject token would be rejected by\n * `GrpcAuthInterceptor`.\n *\n * @stability frozen\n *\n * @module tbv/core/clients/vault-provider/auth/gatedMethods\n */\n\nexport const AUTH_GATED_METHODS: ReadonlySet<string> = new Set([\n \"vaultProvider_submitDepositorWotsKey\",\n \"vaultProvider_submitDepositorPresignatures\",\n \"vaultProvider_requestDepositorPresignTransactions\",\n]);\n\nexport const GRPC_AUTH_GATED_METHODS: ReadonlySet<string> = new Set([\n \"vaultProvider_requestDepositorClaimerArtifacts\",\n]);\n","/**\n * Shared internals for the unauthenticated token-issuing JSON-RPC\n * client. The \"inner\" client is dedicated to `auth_createDepositorToken`\n * — it MUST NOT carry a `tokenProvider`, else the JSON-RPC header\n * builder would recurse into token acquisition.\n *\n * @module tbv/core/clients/vault-provider/auth/innerTokenClient\n */\n\nimport { JsonRpcClient } from \"../json-rpc-client\";\n\nconst TOKEN_RPC_TIMEOUT_MS = 60_000;\n\nexport const TOKEN_ISSUE_METHOD = \"auth_createDepositorToken\";\n/**\n * gRPC-subject sibling of {@link TOKEN_ISSUE_METHOD}. The proxy bridges\n * this call to vaultd's `VaultProviderDepositorAuthService.CreateDepositorToken`\n * so the resulting CWT is bound to `Subject::VaultdGrpc` — required to\n * pass vaultd's `GrpcAuthInterceptor` on methods the proxy translates to\n * gRPC (currently just the artifact stream).\n */\nexport const GRPC_TOKEN_ISSUE_METHOD = \"auth_createDepositorTokenGrpc\";\n\nexport function buildInnerTokenClient(\n baseUrl: string,\n headers?: Record<string, string>,\n): JsonRpcClient {\n return new JsonRpcClient({\n baseUrl,\n timeout: TOKEN_RPC_TIMEOUT_MS,\n headers,\n retryableFor: (method) =>\n method === TOKEN_ISSUE_METHOD || method === GRPC_TOKEN_ISSUE_METHOD,\n });\n}\n","/**\n * Minimal CBOR decoder — the read-side counterpart to {@link ./cbor}.\n *\n * Decodes only the subset needed to verify a vault-provider CWT bearer\n * token (RFC 8392) wrapped in a COSE Sign1 envelope (RFC 8152): tagged\n * values, definite-length arrays and maps, byte/text strings, and\n * unsigned/negative integers. Indefinite-length items, floats, and\n * big-number tags are intentionally rejected — the issuer\n * (btc-vault's `coset`/`ciborium` stack) never emits them for this\n * shape, so accepting them would only widen the parser's attack\n * surface.\n *\n * The decoder is a cursor over a single buffer. {@link CborReader.pos}\n * is public so callers can slice the exact encoded byte range of an\n * item (head + content) — required to reconstruct the COSE\n * `Sig_structure` byte-for-byte from the token's own protected-header\n * and payload byte strings.\n *\n * @module tbv/core/clients/vault-provider/auth/cborDecode\n */\n\n/** CBOR major types (the high 3 bits of the initial byte). */\nconst MAJOR_UNSIGNED_INT = 0;\nconst MAJOR_NEGATIVE_INT = 1;\nconst MAJOR_BYTE_STRING = 2;\nconst MAJOR_TEXT_STRING = 3;\nconst MAJOR_ARRAY = 4;\nconst MAJOR_MAP = 5;\nconst MAJOR_TAG = 6;\nconst MAJOR_SIMPLE = 7;\n\n/**\n * Smallest additional-info value that introduces a multi-byte argument\n * (24 ⇒ 1 byte, 25 ⇒ 2, 26 ⇒ 4, 27 ⇒ 8 — i.e. `1 << (info - 24)`).\n */\nconst ARG_IN_NEXT_1_BYTE = 24;\n/** Additional-info ≥ this (28..31) is reserved/indefinite — unsupported. */\nconst ARG_RESERVED_MIN = 28;\n\n/** Major-7 simple values we accept. */\nconst SIMPLE_FALSE = 20;\nconst SIMPLE_TRUE = 21;\nconst SIMPLE_NULL = 22;\n\n/**\n * Maximum CBOR nesting depth. Mirrors the issuer's recursion cap (256 in\n * btc-vault's `ciborium` stack). The COSE protected header is decoded\n * *before* the signature is verified, so without this bound a\n * malicious/MITM'd VP could send a deeply-nested blob and crash token\n * acquisition with an uncatchable stack overflow. Far below the JS call\n * stack limit, so it converts that DoS into a catchable decode error.\n */\nconst MAX_NESTING_DEPTH = 256;\n\n/** A decoded CBOR data item. Maps preserve key insertion order. */\nexport type CborValue =\n | number\n | bigint\n | string\n | Uint8Array\n | boolean\n | null\n | CborValue[]\n | Map<CborValue, CborValue>\n | CborTagged;\n\n/** A CBOR tagged value (major type 6). */\nexport interface CborTagged {\n tag: number;\n value: CborValue;\n}\n\n/** Parsed initial-byte header: major type plus its decoded argument. */\nexport interface CborHead {\n major: number;\n /** The header argument (length, value, tag number, …) as a number. */\n arg: number;\n}\n\nexport class CborDecodeError extends Error {\n constructor(message: string) {\n super(`CBOR decode: ${message}`);\n this.name = \"CborDecodeError\";\n }\n}\n\n/**\n * Cursor-based reader over a CBOR buffer. Not reusable across buffers —\n * construct one per decode.\n */\nexport class CborReader {\n readonly buf: Uint8Array;\n /** Current read offset. Public so callers can slice encoded sub-ranges. */\n pos = 0;\n\n constructor(buf: Uint8Array) {\n this.buf = buf;\n }\n\n private nextByte(): number {\n if (this.pos >= this.buf.length) {\n throw new CborDecodeError(\"unexpected end of input\");\n }\n return this.buf[this.pos++];\n }\n\n /**\n * Read an initial byte and its argument. Rejects indefinite-length\n * and reserved additional-info encodings. Arguments wider than\n * {@link Number.MAX_SAFE_INTEGER} are rejected — none of the token's\n * lengths, tags, or timestamps approach that bound.\n */\n readHead(): CborHead {\n const initial = this.nextByte();\n const major = initial >> 5;\n const info = initial & 0x1f;\n\n if (info < ARG_IN_NEXT_1_BYTE) {\n return { major, arg: info };\n }\n if (info >= ARG_RESERVED_MIN) {\n throw new CborDecodeError(\n `unsupported additional info ${info} (indefinite-length or reserved)`,\n );\n }\n\n const byteCount = 1 << (info - ARG_IN_NEXT_1_BYTE);\n\n let value = 0n;\n for (let i = 0; i < byteCount; i++) {\n value = (value << 8n) | BigInt(this.nextByte());\n }\n if (value > BigInt(Number.MAX_SAFE_INTEGER)) {\n throw new CborDecodeError(`argument ${value} exceeds safe integer range`);\n }\n return { major, arg: Number(value) };\n }\n\n /** Read `length` raw bytes as a sub-array view into the backing buffer. */\n private readBytes(length: number): Uint8Array {\n if (this.pos + length > this.buf.length) {\n throw new CborDecodeError(\"length overruns end of input\");\n }\n const slice = this.buf.subarray(this.pos, this.pos + length);\n this.pos += length;\n return slice;\n }\n\n /**\n * Read a byte string (major type 2), returning its content bytes.\n * Throws if the next item is not a byte string.\n */\n readByteString(): Uint8Array {\n const head = this.readHead();\n if (head.major !== MAJOR_BYTE_STRING) {\n throw new CborDecodeError(\n `expected byte string (major ${MAJOR_BYTE_STRING}), got major ${head.major}`,\n );\n }\n return this.readBytes(head.arg);\n }\n\n /**\n * Read the next complete data item as a decoded {@link CborValue}.\n *\n * `depth` tracks the current nesting level so a deeply-nested blob is\n * rejected with a {@link CborDecodeError} rather than overflowing the\n * native call stack (see {@link MAX_NESTING_DEPTH}).\n */\n readValue(depth = 0): CborValue {\n if (depth > MAX_NESTING_DEPTH) {\n throw new CborDecodeError(\n `nesting exceeds maximum depth ${MAX_NESTING_DEPTH}`,\n );\n }\n const head = this.readHead();\n switch (head.major) {\n case MAJOR_UNSIGNED_INT:\n return head.arg;\n case MAJOR_NEGATIVE_INT:\n // RFC 8949 §3.1: the encoded argument n represents -1 - n.\n return -1 - head.arg;\n case MAJOR_BYTE_STRING:\n return this.readBytes(head.arg);\n case MAJOR_TEXT_STRING:\n return new TextDecoder(\"utf-8\", { fatal: true }).decode(\n this.readBytes(head.arg),\n );\n case MAJOR_ARRAY: {\n const items: CborValue[] = [];\n for (let i = 0; i < head.arg; i++) {\n items.push(this.readValue(depth + 1));\n }\n return items;\n }\n case MAJOR_MAP: {\n const map = new Map<CborValue, CborValue>();\n for (let i = 0; i < head.arg; i++) {\n const key = this.readValue(depth + 1);\n const value = this.readValue(depth + 1);\n map.set(key, value);\n }\n return map;\n }\n case MAJOR_TAG:\n return { tag: head.arg, value: this.readValue(depth + 1) };\n case MAJOR_SIMPLE:\n if (head.arg === SIMPLE_FALSE) return false;\n if (head.arg === SIMPLE_TRUE) return true;\n if (head.arg === SIMPLE_NULL) return null;\n throw new CborDecodeError(\n `unsupported simple/float value ${head.arg}`,\n );\n default:\n throw new CborDecodeError(`unsupported major type ${head.major}`);\n }\n }\n}\n\n/**\n * Decode a single CBOR item from `bytes`, rejecting any trailing bytes.\n *\n * Used to parse the COSE protected header and CWT claims set — both are\n * exactly one top-level item, so a valid prefix followed by extra bytes\n * is a malformed structure, not a benign tail. Strict consumption keeps\n * the parser from silently accepting a token a stricter CWT/COSE\n * consumer would interpret differently.\n */\nexport function decodeCbor(bytes: Uint8Array): CborValue {\n const reader = new CborReader(bytes);\n const value = reader.readValue();\n if (reader.pos !== bytes.length) {\n throw new CborDecodeError(\"trailing bytes after top-level item\");\n }\n return value;\n}\n","/**\n * Verify a vault-provider CWT bearer token (RFC 8392) wrapped in a\n * COSE Sign1 envelope (RFC 8152), signed with ES256K by the VP's\n * ephemeral token-signing key.\n *\n * This is the TypeScript port of the btc-vault Rust client verifier\n * (`crates/btc-auth/src/client.rs::validate_token_with_public_key_at_time`\n * plus the response cross-checks from `verify_token_response_at_time`).\n * The FE previously verified only the server-identity proof\n * ({@link ./serverIdentity}) and treated the token itself as an opaque\n * blob; this closes that gap by cryptographically verifying the token\n * and binding its claims to the expected issuer, subject, and depositor.\n *\n * Trust chain: {@link ./serverIdentity} first proves the\n * `ephemeral_pubkey` is attested by the on-chain-pinned server key.\n * This function then verifies the token's COSE signature against that\n * same ephemeral key, so a token that decodes and verifies here is one\n * the pinned VP actually issued.\n *\n * The byte-level expectations (COSE tag, ES256K alg id, Sig_structure\n * layout, CWT registered-claim keys) mirror the issuer's `coset` stack\n * and are pinned by the golden-vector test against a real Rust-issued\n * token.\n *\n * @module tbv/core/clients/vault-provider/auth/verifyDepositorCwt\n */\n\nimport * as ecc from \"@bitcoin-js/tiny-secp256k1-asmjs\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n\nimport {\n COMPRESSED_PUBKEY_HEX_LEN,\n hexToUint8Array,\n stripHexPrefix,\n X_ONLY_PUBKEY_HEX_LEN,\n} from \"../../../primitives/utils/bitcoin\";\nimport { HEX_RE } from \"../../../utils/validation\";\n\nimport { CborReader, decodeCbor } from \"./cborDecode\";\n\n/** CWT `sub` value for JSON-RPC-subject tokens (`auth_createDepositorToken`). */\nexport const CWT_SUBJECT_JSONRPC = \"vaultd-jsonrpc\";\n/** CWT `sub` value for gRPC-subject tokens (`auth_createDepositorTokenGrpc`). */\nexport const CWT_SUBJECT_GRPC = \"vaultd-grpc\";\n\n/** CBOR tag wrapping a COSE_Sign1 structure (RFC 8152 §2). */\nconst COSE_SIGN1_TAG = 18;\n/** A COSE_Sign1 is a 4-element array: [protected, unprotected, payload, signature]. */\nconst COSE_SIGN1_ARRAY_LEN = 4;\n/** COSE algorithm id for ES256K (ECDSA w/ secp256k1 + SHA-256), RFC 8812. */\nconst COSE_ALG_ES256K = -47;\n/** COSE header label for the algorithm (RFC 8152 §3.1). */\nconst COSE_HEADER_LABEL_ALG = 1;\n/** ECDSA signature length in COSE compact (r‖s) form. */\nconst ECDSA_COMPACT_SIG_LEN = 64;\n\n/** CBOR major-type 4 (array) high bits, for the Sig_structure header. */\nconst CBOR_ARRAY_HEAD = 0x80;\n/** CBOR major-type 3 (text string) high bits, for the context string head. */\nconst CBOR_TEXT_STRING_HEAD = 0x60;\n/** CBOR encoding of an empty byte string (major type 2, length 0). */\nconst CBOR_EMPTY_BYTE_STRING = 0x40;\n\n/** CWT registered claim keys (RFC 8392 §4 / IANA CWT registry). */\nconst CWT_CLAIM_ISS = 1;\nconst CWT_CLAIM_SUB = 2;\nconst CWT_CLAIM_AUD = 3;\nconst CWT_CLAIM_EXP = 4;\nconst CWT_CLAIM_NBF = 5;\nconst CWT_CLAIM_IAT = 6;\nconst CWT_CLAIM_CTI = 7;\n\n/**\n * Context string for a COSE_Sign1 Sig_structure (RFC 8152 §4.4). 10\n * bytes, so it encodes with a single-byte CBOR text-string head.\n */\nconst SIG_STRUCTURE_CONTEXT = new TextEncoder().encode(\"Signature1\");\n\nexport type CwtVerificationReason =\n | \"invalid_input\"\n | \"invalid_token_structure\"\n | \"unexpected_algorithm\"\n | \"signature_verification_failed\"\n | \"invalid_claims\"\n | \"issuer_mismatch\"\n | \"subject_mismatch\"\n | \"audience_mismatch\"\n | \"token_not_yet_valid\"\n | \"token_expired\"\n | \"expiry_mismatch\"\n | \"server_identity_expires_before_token\";\n\nexport class CwtVerificationError extends Error {\n constructor(\n message: string,\n public readonly reason: CwtVerificationReason,\n ) {\n super(message);\n this.name = \"CwtVerificationError\";\n }\n}\n\nexport interface VerifyDepositorCwtInput {\n /** Base64url (no padding) COSE Sign1 token from `auth_createDepositorToken`. */\n token: string;\n /**\n * VP ephemeral token-signing pubkey (33-byte compressed hex) from the\n * bundled `server_identity` proof — MUST already be verified by\n * {@link verifyServerIdentity} before being passed here.\n */\n ephemeralPubkeyHex: string;\n /** Pinned VP persistent x-only pubkey (on-chain). Asserted against the token `iss`. */\n expectedIssuerXOnlyPubkey: string;\n /** Expected `sub` — {@link CWT_SUBJECT_JSONRPC} or {@link CWT_SUBJECT_GRPC}. */\n expectedSubject: string;\n /** Depositor x-only pubkey. Asserted against the token `aud`. */\n expectedAudienceXOnlyPubkey: string;\n /** Outer wire `expires_at`. Must equal the token's `exp` exactly. */\n responseExpiresAt: number;\n /** `server_identity.expires_at`. Must be ≥ the token's `exp`. */\n serverIdentityExpiresAt: number;\n /** Current Unix time (seconds). Injected for testability. */\n now: number;\n}\n\nexport interface VerifiedCwtClaims {\n issuer: string;\n subject: string;\n audience: string;\n expiresAt: number;\n notBefore: number;\n issuedAt: number;\n}\n\n/**\n * Verify a depositor CWT and return its claims, or throw\n * {@link CwtVerificationError}.\n *\n * Steps (matching the Rust reference):\n * 1. Decode the COSE Sign1 envelope and assert the protected header\n * pins ES256K.\n * 2. Verify the ECDSA signature over the reconstructed Sig_structure\n * against the (already server-identity-verified) ephemeral key.\n * 3. Decode the CWT claims and assert `iss`/`sub`/`aud` bindings,\n * `nbf`/`exp` validity, `cti` presence, and the outer-vs-inner\n * expiry cross-checks.\n */\nexport function verifyDepositorCwt(\n input: VerifyDepositorCwtInput,\n): VerifiedCwtClaims {\n const expectedIssuer = normalizeXOnly(\n input.expectedIssuerXOnlyPubkey,\n \"expectedIssuerXOnlyPubkey\",\n );\n const expectedAudience = normalizeXOnly(\n input.expectedAudienceXOnlyPubkey,\n \"expectedAudienceXOnlyPubkey\",\n );\n const ephemeral = decodeCompressedPubkey(input.ephemeralPubkeyHex);\n\n const tokenBytes = base64UrlToBytes(input.token);\n\n // --- 1. COSE Sign1 structural decode -------------------------------\n // Capture the exact encoded byte ranges of the protected header and\n // payload so the Sig_structure can be rebuilt byte-for-byte from the\n // token's own bytes (any re-encoding risks a non-canonical mismatch).\n const reader = new CborReader(tokenBytes);\n const tag = reader.readHead();\n if (tag.major !== 6 || tag.arg !== COSE_SIGN1_TAG) {\n throw new CwtVerificationError(\n `token is not a COSE Sign1 tagged value (tag ${COSE_SIGN1_TAG})`,\n \"invalid_token_structure\",\n );\n }\n const array = reader.readHead();\n if (array.major !== 4 || array.arg !== COSE_SIGN1_ARRAY_LEN) {\n throw new CwtVerificationError(\n `COSE Sign1 must be a ${COSE_SIGN1_ARRAY_LEN}-element array`,\n \"invalid_token_structure\",\n );\n }\n\n const protectedStart = reader.pos;\n const protectedContent = reader.readByteString();\n const protectedBstr = tokenBytes.subarray(protectedStart, reader.pos);\n\n // Unprotected header map: present in the envelope but unused here.\n reader.readValue();\n\n const payloadStart = reader.pos;\n const payloadContent = reader.readByteString();\n const payloadBstr = tokenBytes.subarray(payloadStart, reader.pos);\n\n const signature = reader.readByteString();\n if (signature.length !== ECDSA_COMPACT_SIG_LEN) {\n throw new CwtVerificationError(\n `COSE signature must be ${ECDSA_COMPACT_SIG_LEN} bytes, got ${signature.length}`,\n \"invalid_token_structure\",\n );\n }\n // Reject anything after the COSE_Sign1 structure. The bearer we verify\n // must be the exact bytes attached to authenticated calls; a stricter\n // CWT/COSE consumer could interpret trailing bytes differently.\n if (reader.pos !== tokenBytes.length) {\n throw new CwtVerificationError(\n \"COSE Sign1 token has trailing bytes after the signature\",\n \"invalid_token_structure\",\n );\n }\n\n // --- 2a. Algorithm pin --------------------------------------------\n const alg = readProtectedAlgorithm(protectedContent);\n if (alg !== COSE_ALG_ES256K) {\n throw new CwtVerificationError(\n `unexpected COSE algorithm ${alg} (expected ES256K ${COSE_ALG_ES256K})`,\n \"unexpected_algorithm\",\n );\n }\n\n // --- 2b. Signature verification -----------------------------------\n const sigStructure = buildSigStructure(protectedBstr, payloadBstr);\n const digest = sha256(sigStructure);\n // strict = true enforces low-S, matching libsecp256k1's `verify_ecdsa`.\n if (!ecc.verify(digest, ephemeral, signature, true)) {\n throw new CwtVerificationError(\n \"COSE signature does not verify against the server's ephemeral key\",\n \"signature_verification_failed\",\n );\n }\n\n // --- 3. Claims -----------------------------------------------------\n const claims = decodeClaims(payloadContent);\n\n const audience = claims.audience.toLowerCase();\n if (audience.length !== X_ONLY_PUBKEY_HEX_LEN || !HEX_RE.test(audience)) {\n throw new CwtVerificationError(\n \"token `aud` is not a 32-byte x-only pubkey hex\",\n \"invalid_claims\",\n );\n }\n if (claims.issuedAt > claims.expiresAt) {\n throw new CwtVerificationError(\n `token iat (${claims.issuedAt}) is after exp (${claims.expiresAt})`,\n \"invalid_claims\",\n );\n }\n\n if (claims.issuer.toLowerCase() !== expectedIssuer) {\n throw new CwtVerificationError(\n `token issuer does not match pinned server pubkey: expected ${expectedIssuer}, got ${claims.issuer.toLowerCase()}`,\n \"issuer_mismatch\",\n );\n }\n if (claims.subject !== input.expectedSubject) {\n throw new CwtVerificationError(\n `token subject mismatch: expected ${input.expectedSubject}, got ${claims.subject}`,\n \"subject_mismatch\",\n );\n }\n if (audience !== expectedAudience) {\n throw new CwtVerificationError(\n `token audience does not match depositor pubkey: expected ${expectedAudience}, got ${audience}`,\n \"audience_mismatch\",\n );\n }\n if (claims.notBefore > input.now) {\n throw new CwtVerificationError(\n `token not yet valid: nbf ${claims.notBefore} > now ${input.now}`,\n \"token_not_yet_valid\",\n );\n }\n // Reject tokens stamped in the future. The Rust reference enforces\n // `iat <= now`; the golden tokens have iat == nbf so the `nbf` check\n // above covers it there, but checking iat explicitly matches the\n // reference exactly (and catches a token with nbf in the past but iat\n // in the future).\n if (claims.issuedAt > input.now) {\n throw new CwtVerificationError(\n `token issued in the future: iat ${claims.issuedAt} > now ${input.now}`,\n \"invalid_claims\",\n );\n }\n if (claims.expiresAt <= input.now) {\n throw new CwtVerificationError(\n `token expired: exp ${claims.expiresAt} <= now ${input.now}`,\n \"token_expired\",\n );\n }\n if (input.responseExpiresAt !== claims.expiresAt) {\n throw new CwtVerificationError(\n `response expires_at (${input.responseExpiresAt}) does not equal token exp (${claims.expiresAt})`,\n \"expiry_mismatch\",\n );\n }\n if (input.serverIdentityExpiresAt < claims.expiresAt) {\n throw new CwtVerificationError(\n `server identity expires (${input.serverIdentityExpiresAt}) before token exp (${claims.expiresAt})`,\n \"server_identity_expires_before_token\",\n );\n }\n\n return {\n issuer: claims.issuer,\n subject: claims.subject,\n audience,\n expiresAt: claims.expiresAt,\n notBefore: claims.notBefore,\n issuedAt: claims.issuedAt,\n };\n}\n\n/** Read the algorithm label from the COSE protected-header byte string. */\nfunction readProtectedAlgorithm(protectedContent: Uint8Array): number {\n if (protectedContent.length === 0) {\n throw new CwtVerificationError(\n \"empty COSE protected header (no algorithm)\",\n \"unexpected_algorithm\",\n );\n }\n const header = decodeCbor(protectedContent);\n if (!(header instanceof Map)) {\n throw new CwtVerificationError(\n \"COSE protected header is not a map\",\n \"invalid_token_structure\",\n );\n }\n const alg = header.get(COSE_HEADER_LABEL_ALG);\n if (typeof alg !== \"number\") {\n throw new CwtVerificationError(\n \"COSE protected header missing integer algorithm label\",\n \"unexpected_algorithm\",\n );\n }\n return alg;\n}\n\n/**\n * Rebuild the COSE_Sign1 Sig_structure (RFC 8152 §4.4):\n *\n * [ \"Signature1\", body_protected (bstr), external_aad = h'' , payload (bstr) ]\n *\n * `body_protected` and `payload` are spliced verbatim from the token's\n * own encoded byte strings, so the result is byte-identical to what the\n * issuer signed regardless of CBOR canonicalization choices.\n */\nfunction buildSigStructure(\n protectedBstr: Uint8Array,\n payloadBstr: Uint8Array,\n): Uint8Array {\n return concatBytes(\n Uint8Array.of(CBOR_ARRAY_HEAD | COSE_SIGN1_ARRAY_LEN),\n Uint8Array.of(CBOR_TEXT_STRING_HEAD | SIG_STRUCTURE_CONTEXT.length),\n SIG_STRUCTURE_CONTEXT,\n protectedBstr,\n Uint8Array.of(CBOR_EMPTY_BYTE_STRING),\n payloadBstr,\n );\n}\n\ninterface DecodedClaims {\n issuer: string;\n subject: string;\n audience: string;\n expiresAt: number;\n notBefore: number;\n issuedAt: number;\n}\n\n/** Decode and type-check the CWT registered claims from the payload. */\nfunction decodeClaims(payloadContent: Uint8Array): DecodedClaims {\n const root = decodeCbor(payloadContent);\n if (!(root instanceof Map)) {\n throw new CwtVerificationError(\n \"CWT claims root is not a map\",\n \"invalid_claims\",\n );\n }\n const cti = requireBytes(root, CWT_CLAIM_CTI, \"cti\");\n if (cti.length === 0) {\n throw new CwtVerificationError(\"token cti is empty\", \"invalid_claims\");\n }\n return {\n issuer: requireString(root, CWT_CLAIM_ISS, \"iss\"),\n subject: requireString(root, CWT_CLAIM_SUB, \"sub\"),\n audience: requireString(root, CWT_CLAIM_AUD, \"aud\"),\n expiresAt: requireTimestamp(root, CWT_CLAIM_EXP, \"exp\"),\n notBefore: requireTimestamp(root, CWT_CLAIM_NBF, \"nbf\"),\n issuedAt: requireTimestamp(root, CWT_CLAIM_IAT, \"iat\"),\n };\n}\n\nfunction requireString(\n claims: Map<unknown, unknown>,\n key: number,\n name: string,\n): string {\n const value = claims.get(key);\n if (typeof value !== \"string\") {\n throw new CwtVerificationError(\n `token claim ${name} is missing or not a text string`,\n \"invalid_claims\",\n );\n }\n return value;\n}\n\nfunction requireBytes(\n claims: Map<unknown, unknown>,\n key: number,\n name: string,\n): Uint8Array {\n const value = claims.get(key);\n if (!(value instanceof Uint8Array)) {\n throw new CwtVerificationError(\n `token claim ${name} is missing or not a byte string`,\n \"invalid_claims\",\n );\n }\n return value;\n}\n\nfunction requireTimestamp(\n claims: Map<unknown, unknown>,\n key: number,\n name: string,\n): number {\n const value = claims.get(key);\n if (typeof value !== \"number\" || !Number.isSafeInteger(value) || value < 0) {\n throw new CwtVerificationError(\n `token claim ${name} is missing or not a non-negative integer timestamp`,\n \"invalid_claims\",\n );\n }\n return value;\n}\n\n/** Validate and normalize a 32-byte x-only pubkey to lowercase hex. */\nfunction normalizeXOnly(pubkey: string, label: string): string {\n const normalized = stripHexPrefix(pubkey).toLowerCase();\n if (normalized.length !== X_ONLY_PUBKEY_HEX_LEN || !HEX_RE.test(normalized)) {\n throw new CwtVerificationError(\n `${label} must be 32-byte x-only hex; got ${normalized.length} chars`,\n \"invalid_input\",\n );\n }\n return normalized;\n}\n\n/** Validate a 33-byte compressed pubkey hex and return its bytes. */\nfunction decodeCompressedPubkey(pubkeyHex: string): Uint8Array {\n const normalized = stripHexPrefix(pubkeyHex).toLowerCase();\n const prefix = normalized.slice(0, 2);\n if (\n normalized.length !== COMPRESSED_PUBKEY_HEX_LEN ||\n !HEX_RE.test(normalized) ||\n (prefix !== \"02\" && prefix !== \"03\")\n ) {\n throw new CwtVerificationError(\n \"ephemeralPubkeyHex must be 33-byte compressed pubkey hex (prefix 02/03)\",\n \"invalid_input\",\n );\n }\n return hexToUint8Array(normalized);\n}\n\nconst B64URL_LOOKUP = (() => {\n const table = new Int16Array(128).fill(-1);\n const alphabet =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\";\n for (let i = 0; i < alphabet.length; i++) {\n table[alphabet.charCodeAt(i)] = i;\n }\n return table;\n})();\n\n/** Decode a base64url (no-padding) string to bytes. */\nfunction base64UrlToBytes(input: string): Uint8Array {\n const len = input.length;\n const fullGroups = Math.floor(len / 4);\n const remainder = len % 4;\n if (remainder === 1) {\n throw new CwtVerificationError(\n \"invalid base64url length\",\n \"invalid_token_structure\",\n );\n }\n const outLen = fullGroups * 3 + (remainder === 0 ? 0 : remainder - 1);\n const out = new Uint8Array(outLen);\n\n const sextet = (charCode: number): number => {\n const value = charCode < 128 ? B64URL_LOOKUP[charCode] : -1;\n if (value < 0) {\n throw new CwtVerificationError(\n \"invalid base64url character\",\n \"invalid_token_structure\",\n );\n }\n return value;\n };\n\n let inPos = 0;\n let outPos = 0;\n for (let g = 0; g < fullGroups; g++) {\n const a = sextet(input.charCodeAt(inPos++));\n const b = sextet(input.charCodeAt(inPos++));\n const c = sextet(input.charCodeAt(inPos++));\n const d = sextet(input.charCodeAt(inPos++));\n out[outPos++] = (a << 2) | (b >> 4);\n out[outPos++] = ((b & 0x0f) << 4) | (c >> 2);\n out[outPos++] = ((c & 0x03) << 6) | d;\n }\n if (remainder === 2) {\n const a = sextet(input.charCodeAt(inPos++));\n const b = sextet(input.charCodeAt(inPos++));\n out[outPos++] = (a << 2) | (b >> 4);\n } else if (remainder === 3) {\n const a = sextet(input.charCodeAt(inPos++));\n const b = sextet(input.charCodeAt(inPos++));\n const c = sextet(input.charCodeAt(inPos++));\n out[outPos++] = (a << 2) | (b >> 4);\n out[outPos++] = ((b & 0x0f) << 4) | (c >> 2);\n }\n return out;\n}\n\nfunction concatBytes(...parts: Uint8Array[]): Uint8Array {\n const total = parts.reduce((sum, part) => sum + part.length, 0);\n const out = new Uint8Array(total);\n let offset = 0;\n for (const part of parts) {\n out.set(part, offset);\n offset += part.length;\n }\n return out;\n}\n","/**\n * `VpTokenProvider` — caches CWT bearer tokens issued by the vault\n * provider's `auth_createDepositorToken` RPC, with lazy expiry check\n * and single-flight concurrent acquire.\n *\n * Usage:\n *\n * ```ts\n * const provider = new VpTokenProvider({\n * client,\n * peginTxid,\n * authAnchorHex,\n * pinnedServerPubkey,\n * authGatedMethods,\n * });\n * const bearer = await provider.getToken(method); // null if not gated\n * ```\n *\n * The provider implements the `BearerTokenProvider` interface expected\n * by `JsonRpcClient`. Plug directly:\n *\n * ```ts\n * const client = new JsonRpcClient({ ..., tokenProvider: provider });\n * ```\n *\n * @module tbv/core/clients/vault-provider/auth/tokenProvider\n */\n\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\nimport type { BearerTokenProvider, JsonRpcClient } from \"../json-rpc-client\";\nimport {\n GRPC_TOKEN_ISSUE_METHOD,\n TOKEN_ISSUE_METHOD,\n} from \"./innerTokenClient\";\nimport {\n type ServerIdentityResponse,\n verifyServerIdentity,\n} from \"./serverIdentity\";\nimport {\n CWT_SUBJECT_GRPC,\n CWT_SUBJECT_JSONRPC,\n verifyDepositorCwt,\n} from \"./verifyDepositorCwt\";\n\n/**\n * Maximum reasonable `expires_at` value (seconds since epoch). Guards\n * against a bogus far-future timestamp that would lock the cache on a\n * bad token forever. Jan 1, 2100 in Unix seconds.\n */\nconst MAX_EXPIRES_AT_SECS = 4_102_444_800;\n\n/**\n * Default safety margin before `expires_at` — we treat a token as\n * expired this many seconds before its stated expiry so that in-flight\n * requests don't race the expiry boundary.\n */\nconst DEFAULT_REFRESH_SKEW_SECS = 30;\n\n/**\n * Wire response shape of `auth_createDepositorToken`.\n */\nexport interface CreateDepositorTokenResponse {\n /** Base64url-encoded COSE Sign1 CWT bearer token. */\n token: string;\n /** Unix timestamp at which the token expires. */\n expires_at: number;\n /** Server identity proof bundled with every token response. */\n server_identity: ServerIdentityResponse;\n}\n\nexport interface VpTokenProviderConfig {\n client: JsonRpcClient;\n /** Per-vault depositor-signed PegIn tx id. NOT shared across sibling vaults in a batch. */\n peginTxid: string;\n /** 64-char hex of the 32-byte OP_RETURN auth-anchor preimage. */\n authAnchorHex: string;\n /** Pinned VP pubkey from the on-chain registry; branded so indexer mirrors can't substitute. */\n pinnedServerPubkey: OnChainBtcPubkey;\n /**\n * Depositor x-only pubkey (32-byte hex). Asserted against every\n * issued token's CWT `aud` claim so a token minted for a different\n * depositor — or mis-issued by a buggy/compromised VP — is rejected\n * before it can authenticate a mutation.\n */\n expectedAudienceXOnlyPubkey: string;\n /**\n * Methods that need a JSON-RPC-subject bearer (minted via\n * `auth_createDepositorToken`). Forwarded over plain HTTP JSON-RPC by\n * the proxy. `getToken` returns `null` for any method outside this and\n * {@link grpcGatedMethods}.\n */\n authGatedMethods: ReadonlySet<string>;\n /**\n * Methods that need a gRPC-subject bearer (minted via\n * `auth_createDepositorTokenGrpc`). The proxy translates these into\n * gRPC calls to vaultd; the JSON-RPC bearer is rejected with a\n * `Subject` mismatch.\n */\n grpcGatedMethods: ReadonlySet<string>;\n /** Default {@link DEFAULT_REFRESH_SKEW_SECS}. */\n refreshSkewSecs?: number;\n /** Clock source for testability. */\n now?: () => number;\n}\n\ninterface CachedToken {\n token: string;\n expiresAt: number;\n}\n\n/**\n * Acquire, cache, and refresh VP bearer tokens.\n *\n * Implements {@link BearerTokenProvider}. Safe to pass directly into\n * `JsonRpcClient` as `tokenProvider`.\n */\nexport class VpTokenProvider implements BearerTokenProvider {\n // `client` is the only mutable field — see `setClient`. The\n // identity-bearing fields (peginTxid/authAnchorHex/pinnedServerPubkey)\n // remain readonly and are checked against re-registration in the\n // registry's `getOrCreate`.\n private client: JsonRpcClient;\n private readonly peginTxid: string;\n private readonly authAnchorHex: string;\n private readonly pinnedServerPubkey: OnChainBtcPubkey;\n private readonly expectedAudienceXOnlyPubkey: string;\n private readonly authGatedMethods: ReadonlySet<string>;\n private readonly grpcGatedMethods: ReadonlySet<string>;\n private readonly refreshSkewSecs: number;\n private readonly now: () => number;\n\n /** Cached JSON-RPC-subject bearer (auth_createDepositorToken). */\n private cachedJsonRpc: CachedToken | null = null;\n private inFlightJsonRpc: Promise<CachedToken> | null = null;\n /** Cached gRPC-subject bearer (auth_createDepositorTokenGrpc). */\n private cachedGrpc: CachedToken | null = null;\n private inFlightGrpc: Promise<CachedToken> | null = null;\n\n constructor(config: VpTokenProviderConfig) {\n this.client = config.client;\n this.peginTxid = config.peginTxid;\n this.authAnchorHex = config.authAnchorHex;\n this.pinnedServerPubkey = config.pinnedServerPubkey;\n this.expectedAudienceXOnlyPubkey = config.expectedAudienceXOnlyPubkey;\n this.authGatedMethods = config.authGatedMethods;\n this.grpcGatedMethods = config.grpcGatedMethods;\n this.refreshSkewSecs = config.refreshSkewSecs ?? DEFAULT_REFRESH_SKEW_SECS;\n this.now = config.now ?? (() => Math.floor(Date.now() / 1000));\n }\n\n /**\n * Return a bearer token for `method`, or `null` if `method` is not\n * auth-gated.\n *\n * Routes by subject: `authGatedMethods` → JSON-RPC bearer (issued via\n * `auth_createDepositorToken`); `grpcGatedMethods` → gRPC bearer\n * (`auth_createDepositorTokenGrpc`). Either path acquires lazily and\n * single-flights concurrent callers; the two cache slots are\n * independent.\n *\n * Both token-issuing methods are hard-exempted from the gate — if\n * either were ever included in the gated sets (caller misconfiguration)\n * the provider would recurse into `acquireSingleFlight` from inside the\n * JSON-RPC header builder before `inFlight` is assigned, defeating the\n * single-flight guard. Returning `null` here breaks that recursion\n * deterministically.\n */\n async getToken(method: string): Promise<string | null> {\n if (method === TOKEN_ISSUE_METHOD || method === GRPC_TOKEN_ISSUE_METHOD) {\n return null;\n }\n\n if (this.grpcGatedMethods.has(method)) {\n return this.getTokenForSubject(\"grpc\");\n }\n if (this.authGatedMethods.has(method)) {\n return this.getTokenForSubject(\"jsonrpc\");\n }\n return null;\n }\n\n /**\n * Drop both cached tokens. Next `getToken` call re-acquires the slot\n * that's actually needed. Called by `JsonRpcClient` on wire\n * `auth_expired` responses; the client doesn't tell us which subject\n * expired, so we evict both to stay correct under either.\n *\n * Worst case is one extra round-trip on the slot that was still fresh,\n * which is cheaper than carrying a `Subject` argument through\n * `BearerTokenProvider`.\n */\n invalidate(): void {\n this.cachedJsonRpc = null;\n this.cachedGrpc = null;\n // Do NOT clear `inFlight*` — a concurrent acquire is still valid;\n // the invalidator is saying \"the cached token is bad\", not \"any\n // in-flight acquire is bad\". The in-flight acquire will populate\n // a fresh `cached*` on completion.\n }\n\n private async getTokenForSubject(\n subject: \"jsonrpc\" | \"grpc\",\n ): Promise<string> {\n const cached =\n subject === \"grpc\" ? this.cachedGrpc : this.cachedJsonRpc;\n if (cached && this.now() + this.refreshSkewSecs < cached.expiresAt) {\n return cached.token;\n }\n const fresh = await this.acquireSingleFlight(subject);\n return fresh.token;\n }\n\n /**\n * Swap in a different transport for subsequent token-issuing calls.\n * Used by the registry when a later caller registers the same\n * `peginTxid` against a different `baseUrl` — the cached token\n * (bound to identity, not transport) stays valid, but future\n * refreshes hit the new URL. An in-flight acquire keeps using the\n * old client (it captured the reference); next call uses the new.\n */\n setClient(client: JsonRpcClient): void {\n this.client = client;\n }\n\n private acquireSingleFlight(\n subject: \"jsonrpc\" | \"grpc\",\n ): Promise<CachedToken> {\n const existing =\n subject === \"grpc\" ? this.inFlightGrpc : this.inFlightJsonRpc;\n if (existing) return existing;\n\n const issueMethod =\n subject === \"grpc\" ? GRPC_TOKEN_ISSUE_METHOD : TOKEN_ISSUE_METHOD;\n\n const p = (async () => {\n try {\n const response = await this.client.call<\n { pegin_txid: string; auth_anchor: string },\n CreateDepositorTokenResponse\n >(issueMethod, {\n pegin_txid: this.peginTxid,\n auth_anchor: this.authAnchorHex,\n });\n\n verifyServerIdentity({\n proof: response.server_identity,\n pinnedServerPubkey: this.pinnedServerPubkey,\n now: this.now(),\n });\n\n // Validate wire payload before caching so a malformed response\n // from a compromised VP or proxy can't poison the cache with\n // unusable values (non-string token, non-integer expiry, etc.).\n if (typeof response.token !== \"string\" || response.token.length === 0) {\n throw new Error(\n `VpTokenProvider: invalid token in acquire response (expected non-empty string, got ${typeof response.token})`,\n );\n }\n const now = this.now();\n if (\n !Number.isSafeInteger(response.expires_at) ||\n response.expires_at <= now ||\n response.expires_at > MAX_EXPIRES_AT_SECS\n ) {\n throw new Error(\n `VpTokenProvider: invalid expires_at in acquire response (got ${JSON.stringify(response.expires_at)}; must be a safe integer in (${now}, ${MAX_EXPIRES_AT_SECS}])`,\n );\n }\n\n // Cryptographically verify the token itself — not just the wire\n // envelope. The COSE Sign1 signature is checked against the\n // (server-identity-verified) ephemeral key, and the inner CWT\n // claims are bound to this depositor (`aud`), this VP (`iss`),\n // and this subject. Without this the bearer is an opaque blob the\n // FE would attach to mutations on the VP's word alone.\n verifyDepositorCwt({\n token: response.token,\n ephemeralPubkeyHex: response.server_identity.ephemeral_pubkey,\n expectedIssuerXOnlyPubkey: this.pinnedServerPubkey,\n expectedSubject:\n subject === \"grpc\" ? CWT_SUBJECT_GRPC : CWT_SUBJECT_JSONRPC,\n expectedAudienceXOnlyPubkey: this.expectedAudienceXOnlyPubkey,\n responseExpiresAt: response.expires_at,\n serverIdentityExpiresAt: response.server_identity.expires_at,\n now,\n });\n\n const fresh: CachedToken = {\n token: response.token,\n expiresAt: response.expires_at,\n };\n if (subject === \"grpc\") {\n this.cachedGrpc = fresh;\n } else {\n this.cachedJsonRpc = fresh;\n }\n return fresh;\n } finally {\n if (subject === \"grpc\") {\n this.inFlightGrpc = null;\n } else {\n this.inFlightJsonRpc = null;\n }\n }\n })();\n\n if (subject === \"grpc\") {\n this.inFlightGrpc = p;\n } else {\n this.inFlightJsonRpc = p;\n }\n return p;\n }\n}\n","/**\n * In-memory registry of {@link VpTokenProvider} instances keyed by\n * the per-vault depositor-signed PegIn tx hash. Module-level\n * singleton, per-tab, never persisted.\n *\n * @module tbv/core/clients/vault-provider/auth/tokenRegistry\n */\n\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\nimport type { JsonRpcClient } from \"../json-rpc-client\";\n\nimport { AUTH_GATED_METHODS, GRPC_AUTH_GATED_METHODS } from \"./gatedMethods\";\nimport { VpTokenProvider } from \"./tokenProvider\";\n\nexport interface VpTokenRegistryInput {\n client: JsonRpcClient;\n peginTxid: string;\n authAnchorHex: string;\n pinnedServerPubkey: OnChainBtcPubkey;\n /** Depositor x-only pubkey (32-byte hex), asserted against each token's CWT `aud`. */\n expectedAudienceXOnlyPubkey: string;\n /**\n * Opt into gRPC-subject auth for {@link GRPC_AUTH_GATED_METHODS}\n * (currently the artifact stream). Defaults to `false`: those methods\n * fall back into the JSON-RPC-subject set and authenticate via\n * `auth_createDepositorToken`, matching a proxy that runs with\n * `ENABLE_GRPC_ARTIFACTS` off. Set `true` only against a proxy that\n * serves `auth_createDepositorTokenGrpc`.\n */\n enableGrpcArtifactAuth?: boolean;\n}\n\ninterface RegistryEntry {\n provider: VpTokenProvider;\n authAnchorHex: string;\n pinnedServerPubkey: OnChainBtcPubkey;\n expectedAudienceXOnlyPubkey: string;\n /** Resolved (defaulted) gRPC-auth gating the provider was built with. */\n enableGrpcArtifactAuth: boolean;\n}\n\nexport class VpTokenRegistry {\n private readonly entries = new Map<string, RegistryEntry>();\n\n /**\n * Return the cached `VpTokenProvider` for `peginTxid` if one exists\n * with matching `authAnchorHex`, `pinnedServerPubkey`, and\n * `enableGrpcArtifactAuth`, otherwise construct and cache a fresh\n * provider. A mismatch on any of those throws — silent overwrite would\n * mask derivation drift, VP pubkey rotation, or a caller that disagrees\n * on the auth subject (which the cached provider can't switch).\n */\n getOrCreate(input: VpTokenRegistryInput): VpTokenProvider {\n // gRPC-subject auth is opt-in. When off (default), the gRPC-gated\n // methods are folded into the JSON-RPC-subject set so they keep\n // minting their bearer via `auth_createDepositorToken` — the\n // pre-PR-#1789 behaviour, and the only path a proxy without\n // `ENABLE_GRPC_ARTIFACTS` accepts. Resolved once here so the cache-hit\n // mismatch check and the miss-path construction agree on the default.\n const useGrpcAuth = input.enableGrpcArtifactAuth ?? false;\n\n const existing = this.entries.get(input.peginTxid);\n if (existing) {\n if (existing.authAnchorHex !== input.authAnchorHex) {\n throw new Error(\n `VpTokenRegistry: peginTxid ${input.peginTxid} already bound to authAnchorHex ${existing.authAnchorHex.slice(0, 8)}…; got ${input.authAnchorHex.slice(0, 8)}…`,\n );\n }\n if (existing.pinnedServerPubkey !== input.pinnedServerPubkey) {\n throw new Error(\n `VpTokenRegistry: peginTxid ${input.peginTxid} already bound to pinnedServerPubkey ${existing.pinnedServerPubkey.slice(0, 8)}…; got ${input.pinnedServerPubkey.slice(0, 8)}…`,\n );\n }\n if (\n existing.expectedAudienceXOnlyPubkey !==\n input.expectedAudienceXOnlyPubkey\n ) {\n throw new Error(\n `VpTokenRegistry: peginTxid ${input.peginTxid} already bound to expectedAudienceXOnlyPubkey ${existing.expectedAudienceXOnlyPubkey.slice(0, 8)}…; got ${input.expectedAudienceXOnlyPubkey.slice(0, 8)}…`,\n );\n }\n // The provider's gated-method sets are fixed at construction, so a\n // later caller asking for a different subject can't be honoured by\n // the cached instance. Fail loudly rather than silently serve the\n // wrong-subject token (a Subject-mismatch rejection at the VP).\n if (existing.enableGrpcArtifactAuth !== useGrpcAuth) {\n throw new Error(\n `VpTokenRegistry: peginTxid ${input.peginTxid} already bound to enableGrpcArtifactAuth=${existing.enableGrpcArtifactAuth}; got ${useGrpcAuth}`,\n );\n }\n // Refresh the inner transport on every reuse so a VP URL\n // change between calls doesn't leave the cached provider\n // pinned to a dead URL for token refresh.\n existing.provider.setClient(input.client);\n return existing.provider;\n }\n\n const provider = new VpTokenProvider({\n client: input.client,\n peginTxid: input.peginTxid,\n authAnchorHex: input.authAnchorHex,\n pinnedServerPubkey: input.pinnedServerPubkey,\n expectedAudienceXOnlyPubkey: input.expectedAudienceXOnlyPubkey,\n authGatedMethods: useGrpcAuth\n ? AUTH_GATED_METHODS\n : new Set([...AUTH_GATED_METHODS, ...GRPC_AUTH_GATED_METHODS]),\n grpcGatedMethods: useGrpcAuth ? GRPC_AUTH_GATED_METHODS : new Set(),\n });\n this.entries.set(input.peginTxid, {\n provider,\n authAnchorHex: input.authAnchorHex,\n pinnedServerPubkey: input.pinnedServerPubkey,\n expectedAudienceXOnlyPubkey: input.expectedAudienceXOnlyPubkey,\n enableGrpcArtifactAuth: useGrpcAuth,\n });\n return provider;\n }\n\n /** Return the cached provider, or `undefined` if none. */\n peek(peginTxid: string): VpTokenProvider | undefined {\n return this.entries.get(peginTxid)?.provider;\n }\n\n /**\n * Evict the entry for `peginTxid`. Idempotent. Called on terminal\n * paths — activation success, user-cancel, or component unmount —\n * so `authAnchorHex` doesn't outlive the deposit session.\n */\n release(peginTxid: string): void {\n this.entries.delete(peginTxid);\n }\n\n /**\n * Wipe every cached entry. Test-only escape hatch — not exposed on\n * the public {@link VpTokenRegistryPublic} singleton type.\n *\n * @internal\n */\n clear(): void {\n this.entries.clear();\n }\n\n get size(): number {\n return this.entries.size;\n }\n}\n\n/**\n * Public surface of the singleton — excludes the test-only `clear`\n * method.\n */\nexport interface VpTokenRegistryPublic {\n getOrCreate(input: VpTokenRegistryInput): VpTokenProvider;\n peek(peginTxid: string): VpTokenProvider | undefined;\n release(peginTxid: string): void;\n readonly size: number;\n}\n\nexport const vpTokenRegistry: VpTokenRegistryPublic = new VpTokenRegistry();\n","/**\n * Build a {@link VaultProviderRpcClient} that auto-attaches CWT\n * bearer tokens on auth-gated methods. Caller pre-derives both the\n * `authAnchorHex` (from the wallet) and the `pinnedServerPubkey`\n * (from the on-chain registry) and hands them in — the SDK has no\n * notion of wallets here.\n *\n * @module tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient\n */\n\nimport { processPublicKeyToXOnly } from \"../../../primitives/utils/bitcoin\";\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\nimport {\n VaultProviderRpcClient,\n type VaultProviderRpcClientOptions,\n} from \"../api\";\n\nimport { buildInnerTokenClient } from \"./innerTokenClient\";\nimport { vpTokenRegistry } from \"./tokenRegistry\";\n\nexport interface AuthenticatedVpClientConfig {\n /** Base URL of the VP RPC endpoint (already proxied if applicable). */\n baseUrl: string;\n /** Per-vault depositor-signed PegIn tx id (registry cache key). */\n peginTxid: string;\n /** Already-derived 32-byte auth-anchor preimage (64-char hex, no `0x`). */\n authAnchorHex: string;\n /** On-chain VP pubkey, branded so it can only come from the registry reader. */\n pinnedServerPubkey: OnChainBtcPubkey;\n /**\n * Depositor BTC pubkey (x-only or compressed hex). Normalized to\n * x-only and asserted against every issued token's CWT `aud` claim.\n */\n depositorBtcPubkey: string;\n /**\n * Opt into gRPC-subject auth for the artifact stream. Defaults to\n * `false` (JSON-RPC bearer). Only enable against a proxy running with\n * `ENABLE_GRPC_ARTIFACTS`. Forwarded to {@link vpTokenRegistry}.\n */\n enableGrpcArtifactAuth?: boolean;\n /** Optional outer-client tunables (timeout, retries, headers, etc.). */\n options?: VaultProviderRpcClientOptions;\n}\n\nexport function createAuthenticatedVpClient(\n config: AuthenticatedVpClientConfig,\n): VaultProviderRpcClient {\n const innerTokenClient = buildInnerTokenClient(\n config.baseUrl,\n config.options?.headers,\n );\n\n const tokenProvider = vpTokenRegistry.getOrCreate({\n client: innerTokenClient,\n peginTxid: config.peginTxid,\n authAnchorHex: config.authAnchorHex,\n pinnedServerPubkey: config.pinnedServerPubkey,\n expectedAudienceXOnlyPubkey: processPublicKeyToXOnly(\n config.depositorBtcPubkey,\n ),\n enableGrpcArtifactAuth: config.enableGrpcArtifactAuth,\n });\n\n return new VaultProviderRpcClient(config.baseUrl, {\n ...config.options,\n tokenProvider,\n });\n}\n","/**\n * Pre-populate {@link vpTokenRegistry} when the caller already has\n * both the auth-anchor preimage and the on-chain VP pubkey. Seeds\n * the cache for a `peginTxid` so a later `createAuthenticatedVpClient`\n * call reuses the cached `VpTokenProvider` instead of rebuilding it.\n *\n * @module tbv/core/clients/vault-provider/auth/primeVpAuth\n */\n\nimport { processPublicKeyToXOnly } from \"../../../primitives/utils/bitcoin\";\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\n\nimport { buildInnerTokenClient } from \"./innerTokenClient\";\nimport { vpTokenRegistry } from \"./tokenRegistry\";\n\nexport interface PrimeVpAuthInput {\n baseUrl: string;\n peginTxid: string;\n authAnchorHex: string;\n pinnedServerPubkey: OnChainBtcPubkey;\n /**\n * Depositor BTC pubkey (x-only or compressed hex). Normalized to\n * x-only and asserted against every issued token's CWT `aud` claim.\n */\n depositorBtcPubkey: string;\n /** Optional headers forwarded to the inner token client (e.g. gateway auth). */\n headers?: Record<string, string>;\n /**\n * Opt into gRPC-subject auth for the artifact stream. Defaults to\n * `false`. Must match the value passed to a later\n * `createAuthenticatedVpClient` for the same `peginTxid` —\n * `VpTokenRegistry.getOrCreate` throws on a mismatch rather than\n * serve the wrong-subject token from the primed provider.\n */\n enableGrpcArtifactAuth?: boolean;\n}\n\nexport function primeVpTokenRegistry(input: PrimeVpAuthInput): void {\n vpTokenRegistry.getOrCreate({\n client: buildInnerTokenClient(input.baseUrl, input.headers),\n peginTxid: input.peginTxid,\n authAnchorHex: input.authAnchorHex,\n pinnedServerPubkey: input.pinnedServerPubkey,\n expectedAudienceXOnlyPubkey: processPublicKeyToXOnly(\n input.depositorBtcPubkey,\n ),\n enableGrpcArtifactAuth: input.enableGrpcArtifactAuth,\n });\n}\n"],"names":["resolveProtocolAddresses","publicClient","btcVaultRegistryAddress","protocolParams","applicationRegistry","BTCVaultRegistryABI","UINT16_MAX","mapOffchainParams","result","mapTBVParams","deriveTimelockPegin","timelockAssert","ViemProtocolParamsReader","contractAddress","ProtocolParamsABI","params","validateTBVProtocolParams","validateOffchainParams","version","raw","assertValidOffchainParamsVersion","results","tbvParams","offchainParams","offchainParamsVersion","config","validatePegInConfiguration","onSkippedVersion","latestVersion","versions","_","i","contracts","v","byVersion","error","mapKeyPairs","pair","ViemVaultKeeperReader","appEntryPoint","ApplicationRegistryABI","ViemUniversalChallengerReader","OnChainBtcVaultStatus","DAEMON_STATUS_VALUES","DaemonStatus","VP_ERROR_PREVIEW_MAX_LEN","preview","value","_a","VP_VALIDATION_USER_MESSAGE","VpResponseValidationError","detail","__publicField","TXID_HEX_LEN","isNonEmptyHex","HEX_RE","isNonEmptyString","assertNonEmptyHex","field","assertNonEmptyString","assertBtcPubkey","X_ONLY_PUBKEY_HEX_LEN","COMPRESSED_PUBKEY_HEX_LEN","validatePresigningProgressFields","progress","presigning","p","validateGetPeginStatusResponse","response","r","validateRequestDepositorPresignTransactionsResponse","validateClaimerTransactions","validateDepositorGraphTransactions","validateTransactionData","tx","validateChallengeAssertConnectorData","c","validatePresignDataPerChallenger","d","CHALLENGE_ASSERT_CONNECTORS_PER_CHALLENGER","validateRequestDepositorClaimerArtifactsResponse","sessionEntries","key","session","validateGetPegoutStatusResponse","validateClaimerPegoutStatus","validateChallengerStatus","index","assertNullableString","validateBatchGetPeginStatusResponse","validateBatchEnvelope","entry","validateBatchGetPegoutStatusResponse","rpcName","validateInnerResult","e","graph","DEFAULT_TIMEOUT_MS","VaultProviderRpcClient","baseUrl","options","JsonRpcClient","signal","attributeBatchResults","requestedTxids","requestedSet","txid","byTxid","seen","duplicate","unexpected","lower","missing","batchPollByProvider","items","getTxid","batchCall","onItem","onMissing","onDuplicate","onDuplicateBatch","onWholeBatchError","onUnexpected","batchSize","VP_BATCH_MAX_SIZE","chunk","txidToItem","txids","item","lowerTxid","attribution","duplicateTxids","envelope","BIP322_TAG","TAPTWEAK_TAG","X_ONLY_PUBKEY_SIZE","SCHNORR_SIG_SIZE","taggedHash","tag","data","tagBytes","tagHash","sha256","preimage","tweakXOnlyKey","xOnly","tweak","tweaked","ecc","verifyBip322Simple","messageBytes","xOnlyPubkey","signature","messageHash","p2tr","payments","Buffer","scriptPubKey","ZERO_SATS","toSpend","Transaction","scriptSig","toSign","toSpendTxid","sighash","tweakedXOnly","cborHead","major","arg","out","concat","parts","total","s","offset","encodeBytesAsArrayOfU8","bytes","b","encodeServerIdentityPayload","domain","ephemeralPubkeyCompressed","expiresAt","arrayHeader","domainBytes","pubkeyBytes","expiresAtBytes","SERVER_IDENTITY_DOMAIN","DEFAULT_MAX_PROOF_LIFETIME_SECS","ServerIdentityError","message","reason","hexToBytes","hex","verifyServerIdentity","input","proof","pinnedServerPubkey","now","maxLifetimeSecs","pinned","stripHexPrefix","actual","eph","prefix","ephBytes","sig","SCHNORR_SIG_HEX_LEN","payload","AUTH_GATED_METHODS","GRPC_AUTH_GATED_METHODS","TOKEN_RPC_TIMEOUT_MS","TOKEN_ISSUE_METHOD","GRPC_TOKEN_ISSUE_METHOD","buildInnerTokenClient","headers","method","MAJOR_UNSIGNED_INT","MAJOR_NEGATIVE_INT","MAJOR_BYTE_STRING","MAJOR_TEXT_STRING","MAJOR_ARRAY","MAJOR_MAP","MAJOR_TAG","MAJOR_SIMPLE","ARG_IN_NEXT_1_BYTE","ARG_RESERVED_MIN","SIMPLE_FALSE","SIMPLE_TRUE","SIMPLE_NULL","MAX_NESTING_DEPTH","CborDecodeError","CborReader","buf","initial","info","byteCount","length","slice","head","depth","map","decodeCbor","reader","CWT_SUBJECT_JSONRPC","CWT_SUBJECT_GRPC","COSE_SIGN1_TAG","COSE_SIGN1_ARRAY_LEN","COSE_ALG_ES256K","COSE_HEADER_LABEL_ALG","ECDSA_COMPACT_SIG_LEN","CBOR_ARRAY_HEAD","CBOR_TEXT_STRING_HEAD","CBOR_EMPTY_BYTE_STRING","CWT_CLAIM_ISS","CWT_CLAIM_SUB","CWT_CLAIM_AUD","CWT_CLAIM_EXP","CWT_CLAIM_NBF","CWT_CLAIM_IAT","CWT_CLAIM_CTI","SIG_STRUCTURE_CONTEXT","CwtVerificationError","verifyDepositorCwt","expectedIssuer","normalizeXOnly","expectedAudience","ephemeral","decodeCompressedPubkey","tokenBytes","base64UrlToBytes","array","protectedStart","protectedContent","protectedBstr","payloadStart","payloadContent","payloadBstr","alg","readProtectedAlgorithm","sigStructure","buildSigStructure","digest","claims","decodeClaims","audience","header","concatBytes","root","requireBytes","requireString","requireTimestamp","name","pubkey","label","normalized","pubkeyHex","hexToUint8Array","B64URL_LOOKUP","table","alphabet","len","fullGroups","remainder","outLen","sextet","charCode","inPos","outPos","g","a","sum","part","MAX_EXPIRES_AT_SECS","DEFAULT_REFRESH_SKEW_SECS","VpTokenProvider","subject","cached","client","existing","issueMethod","fresh","VpTokenRegistry","useGrpcAuth","provider","peginTxid","vpTokenRegistry","createAuthenticatedVpClient","innerTokenClient","tokenProvider","processPublicKeyToXOnly","primeVpTokenRegistry"],"mappings":"s3BA8BA,eAAsBA,GACpBC,EACAC,EAC4B,CAC5B,KAAM,CAACC,EAAgBC,CAAmB,EAAI,MAAMH,EAAa,UAAU,CACzE,UAAW,CACT,CACE,QAASC,EACT,IAAKG,EAAAA,oBACL,aAAc,gBAAA,EAEhB,CACE,QAASH,EACT,IAAKG,EAAAA,oBACL,aAAc,qBAAA,CAChB,EAEF,aAAc,EAAA,CACf,EAED,MAAO,CACL,eAAAF,EACA,oBAAAC,CAAA,CAEJ,CCzBA,MAAME,GAAa,MAkCnB,SAASC,EAAkBC,EAAoD,CAC7E,MAAO,CACL,eAAgBA,EAAO,eACvB,wBAAyBA,EAAO,wBAChC,oBAAqB,CAAC,GAAGA,EAAO,mBAAmB,EACnD,cAAeA,EAAO,cACtB,QAASA,EAAO,QAChB,mBAAoBA,EAAO,mBAC3B,wBAAyBA,EAAO,wBAChC,mBAAoBA,EAAO,mBAC3B,QAASA,EAAO,QAChB,OAAQA,EAAO,OACf,gBAAiBA,EAAO,gBACxB,qBAAsBA,EAAO,qBAC7B,iBAAkBA,EAAO,gBAAA,CAE7B,CAGA,SAASC,GAAaD,EAAyC,CAC7D,MAAO,CACL,mBAAoBA,EAAO,mBAC3B,eAAgBA,EAAO,eACvB,gBAAiBA,EAAO,gBACxB,uBAAwBA,EAAO,uBAC/B,mBAAoBA,EAAO,mBAC3B,wBAAyBA,EAAO,uBAAA,CAEpC,CAYA,SAASE,GAAoBC,EAAgC,CAC3D,GAAIA,EAAiB,OAAOL,EAAU,EACpC,MAAM,IAAI,MACR,wBAAwBK,CAAc,wBAAwBL,EAAU,GAAA,EAG5E,OAAO,OAAOK,CAAc,CAC9B,CAeO,MAAMC,EAAyD,CACpE,YACUX,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAEH,MAAM,sBAAmD,CACvD,MAAML,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,sBAAA,CACf,EAEKC,EAASN,GAAaD,CAAM,EAClCQ,OAAAA,EAAAA,0BAA0BD,CAAM,EACzBA,CACT,CAEA,MAAM,yBAA4D,CAChE,MAAMP,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,yBAAA,CACf,EAEKC,EAASR,EAAkBC,CAAM,EACvCS,OAAAA,EAAAA,uBAAuBF,CAAM,EACtBA,CACT,CAEA,MAAM,2BACJG,EACkC,CAClC,MAAMV,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,6BACd,KAAM,CAACI,CAAO,CAAA,CACf,EAEKH,EAASR,EAAkBC,CAAM,EACvCS,OAAAA,EAAAA,uBAAuBF,CAAM,EACtBA,CACT,CAEA,MAAM,gCAAkD,CACtD,MAAMI,EAAM,MAAM,KAAK,aAAa,aAAa,CAC/C,QAAS,KAAK,gBACd,IAAKL,EAAAA,kBACL,aAAc,6BAAA,CACf,EACKI,EAAU,OAAOC,CAAG,EAC1BC,OAAAA,EAAAA,iCAAiCF,CAAO,EACjCA,CACT,CAEA,MAAM,0BAA0BA,EAAkC,CAChE,MAAMH,EAAS,MAAM,KAAK,2BAA2BG,CAAO,EAC5D,OAAOR,GAAoBK,EAAO,cAAc,CAClD,CASA,MAAM,uBAAqD,CACzD,MAAMM,EAAU,MAAM,KAAK,aAAa,UAAU,CAChD,UAAW,CACT,CACE,QAAS,KAAK,gBACd,IAAKP,EAAAA,kBACL,aAAc,sBAAA,EAEhB,CACE,QAAS,KAAK,gBACd,IAAKA,EAAAA,kBACL,aAAc,yBAAA,EAEhB,CACE,QAAS,KAAK,gBACd,IAAKA,EAAAA,kBACL,aAAc,6BAAA,CAChB,EAEF,aAAc,EAAA,CACf,EAEKQ,EAAYb,GAAaY,EAAQ,CAAC,CAAiB,EACnDE,EAAiBhB,EAAkBc,EAAQ,CAAC,CAAsB,EAClEG,EAAwB,OAAOH,EAAQ,CAAC,CAAC,EAEzCI,EAA6B,CACjC,mBAAoBH,EAAU,mBAC9B,eAAgBA,EAAU,eAC1B,gBAAiBA,EAAU,gBAC3B,uBAAwBA,EAAU,uBAClC,mBAAoBA,EAAU,mBAC9B,wBAAyBA,EAAU,wBACnC,cAAeZ,GAAoBa,EAAe,cAAc,EAChE,eAAgBA,EAAe,QAC/B,mBAAoBA,EAAe,mBACnC,eAAAA,EACA,sBAAAC,CAAA,EAGFE,OAAAA,EAAAA,2BAA2BD,CAAM,EAC1BA,CACT,CAYA,MAAM,uBACJE,EACgC,CAChC,MAAMC,EAAgB,MAAM,KAAK,+BAAA,EACjC,GAAIA,IAAkB,EACpB,MAAO,CAAE,UAAW,IAAI,IAAO,cAAe,CAAA,EAGhD,MAAMC,EAAW,MAAM,KAAK,CAAE,OAAQD,CAAA,EAAiB,CAACE,EAAGC,IAAMA,EAAI,CAAC,EAChEC,EAAYH,EAAS,IAAKI,IAAO,CACrC,QAAS,KAAK,gBACd,IAAKnB,EAAAA,kBACL,aAAc,6BACd,KAAM,CAACmB,CAAC,CAAA,EACR,EAEIZ,EAAU,MAAM,KAAK,aAAa,UAAU,CAChD,UAAAW,EACA,aAAc,EAAA,CACf,EAEKE,MAAgB,IACtB,QAASH,EAAI,EAAGA,EAAIF,EAAS,OAAQE,IAAK,CACxC,MAAMhB,EAASR,EAAkBc,EAAQU,CAAC,CAAsB,EAChE,GAAI,CACFd,EAAAA,uBAAuBF,CAAM,EAC7BmB,EAAU,IAAIL,EAASE,CAAC,EAAGhB,CAAM,CACnC,OAASoB,EAAO,CAGdR,GAAA,MAAAA,EACEE,EAASE,CAAC,EACVI,aAAiB,MAAQA,EAAQ,IAAI,MAAM,OAAOA,CAAK,CAAC,EAE5D,CACF,CAEA,MAAO,CAAE,UAAAD,EAAW,cAAAN,CAAA,CACtB,CACF,CC5QA,SAASQ,EACP5B,EACqB,CACrB,OAAOA,EAAO,IAAK6B,IAAU,CAC3B,WAAYA,EAAK,WACjB,UAAWA,EAAK,SAAA,EAChB,CACJ,CAWO,MAAMC,EAAmD,CAC9D,YACUrC,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAEH,MAAM,yBACJ0B,EACArB,EAC8B,CAC9B,MAAMV,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKgC,EAAAA,uBACL,aAAc,2BACd,KAAM,CAACD,EAAerB,CAAO,CAAA,CAC9B,EAED,OAAOkB,EAAY5B,CAAM,CAC3B,CAEA,MAAM,uBACJ+B,EAC8B,CAC9B,MAAM/B,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKgC,EAAAA,uBACL,aAAc,yBACd,KAAM,CAACD,CAAa,CAAA,CACrB,EAED,OAAOH,EAAY5B,CAAM,CAC3B,CAEA,MAAM,8BACJ+B,EACiB,CAQjB,OAPgB,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKC,EAAAA,uBACL,aAAc,gCACd,KAAM,CAACD,CAAa,CAAA,CACrB,CAGH,CACF,CAWO,MAAME,EAAmE,CAC9E,YACUxC,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAEH,MAAM,iCACJK,EAC8B,CAC9B,MAAMV,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,mCACd,KAAM,CAACI,CAAO,CAAA,CACf,EAED,OAAOkB,EAAY5B,CAAM,CAC3B,CAEA,MAAM,gCAA+D,CACnE,MAAMA,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,gCAAA,CACf,EAED,OAAOsB,EAAY5B,CAAM,CAC3B,CAEA,MAAM,sCAAwD,CAO5D,OANgB,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,mCAAA,CACf,CAGH,CACF,CC7FO,IAAK4B,IAAAA,IACVA,EAAAA,EAAA,QAAU,CAAA,EAAV,UACAA,EAAAA,EAAA,SAAW,CAAA,EAAX,WACAA,EAAAA,EAAA,OAAS,CAAA,EAAT,SACAA,EAAAA,EAAA,SAAW,CAAA,EAAX,WACAA,EAAAA,EAAA,QAAU,CAAA,EAAV,UALUA,IAAAA,IAAA,CAAA,CAAA,ECTZ,MAAMC,GAAuB,IAAI,IAAY,OAAO,OAAOC,EAAAA,YAAY,CAAC,EAElEC,GAA2B,IAEjC,SAASC,EAAQC,EAAwB,OACvC,QACEC,EAAA,KAAK,UAAUD,CAAK,IAApB,YAAAC,EAAuB,MAAM,EAAGH,MAA6B,WAEjE,CAEA,MAAMI,GACJ,2FAQK,MAAMC,UAAkC,KAAM,CAGnD,YAAYC,EAAgB,CAC1B,MAAMF,EAA0B,EAHzBG,EAAA,eAIP,KAAK,KAAO,4BACZ,KAAK,OAASD,CAChB,CACF,CAGA,MAAME,EAAe,GAErB,SAASC,EAAcP,EAAiC,CACtD,OAAO,OAAOA,GAAU,UAAYA,EAAM,OAAS,GAAKQ,EAAAA,OAAO,KAAKR,CAAK,CAC3E,CAEA,SAASS,GAAiBT,EAAiC,CACzD,OAAO,OAAOA,GAAU,UAAYA,EAAM,OAAS,CACrD,CAEA,SAASU,GAAkBV,EAAgBW,EAAqB,CAC9D,GAAI,CAACJ,EAAcP,CAAK,EACtB,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,yCAAyCZ,EAAQC,CAAK,CAAC,EAAA,CAGrG,CAEA,SAASY,EAAqBZ,EAAgBW,EAAqB,CACjE,GAAI,CAACF,GAAiBT,CAAK,EACzB,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qCAAqCZ,EAAQC,CAAK,CAAC,EAAA,CAGjG,CAMA,SAASa,EAAgBb,EAAgBW,EAAqB,CAC5D,GACE,CAACJ,EAAcP,CAAK,GACnBA,EAAM,SAAWc,yBAChBd,EAAM,SAAWe,4BAEnB,MAAM,IAAIZ,EACR,mCAAmCQ,CAAK,eAAeG,EAAAA,qBAAqB,OAAOC,EAAAA,yBAAyB,sCAAsChB,EAAQC,CAAK,CAAC,EAAA,CAGtK,CAKA,SAASgB,GACPC,EACM,CACN,MAAMC,EAAaD,EAAS,WAC5B,GAAgCC,GAAe,KAAM,OACrD,GAAI,OAAOA,GAAe,UAAY,MAAM,QAAQA,CAAU,EAC5D,MAAM,IAAIf,EACR,mFAAA,EAIJ,MAAMgB,EAAID,EAEV,GACEC,EAAE,0BAA4B,QAC9B,OAAOA,EAAE,yBAA4B,UAErC,MAAM,IAAIhB,EACR,kHAAkHJ,EAAQoB,EAAE,uBAAuB,CAAC,EAAA,EAIxJ,GACEA,EAAE,qCAAuC,QACzC,OAAOA,EAAE,oCAAuC,SAEhD,MAAM,IAAIhB,EACR,4HAA4HJ,EAAQoB,EAAE,kCAAkC,CAAC,EAAA,EAI7K,GACEA,EAAE,iCAAmC,QACrC,OAAOA,EAAE,gCAAmC,SAE5C,MAAM,IAAIhB,EACR,wHAAwHJ,EAAQoB,EAAE,8BAA8B,CAAC,EAAA,CAGvK,CAOO,SAASC,GACdC,EAC4C,CAC5C,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,yEAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAACd,EAAce,EAAE,UAAU,GAAKA,EAAE,WAAW,SAAWhB,EAC1D,MAAM,IAAIH,EACR,yDAAyDG,CAAY,gCAAgCP,EAAQuB,EAAE,UAAU,CAAC,EAAA,EAI9H,GAAI,OAAOA,EAAE,QAAW,SACtB,MAAM,IAAInB,EACR,0DAAA,EAIJ,GAAI,CAACP,GAAqB,IAAI0B,EAAE,MAAM,EACpC,MAAM,IAAInB,EACR,uDAAuDmB,EAAE,MAAM,uBAAuB,CAAC,GAAG1B,EAAoB,EAAE,KAAK,IAAI,CAAC,EAAA,EAI9H,GACE0B,EAAE,WAAa,MACf,OAAOA,EAAE,UAAa,UACtB,MAAM,QAAQA,EAAE,QAAQ,EAExB,MAAM,IAAInB,EACR,6DAAA,EAMJ,GAFAa,GAAiCM,EAAE,QAAmC,EAElE,OAAOA,EAAE,aAAgB,SAC3B,MAAM,IAAInB,EACR,+DAAA,EAIJ,GAAImB,EAAE,aAAe,QAAa,OAAOA,EAAE,YAAe,SACxD,MAAM,IAAInB,EACR,gFAAgFJ,EAAQuB,EAAE,UAAU,CAAC,EAAA,CAG3G,CAKO,SAASC,GACdF,EACiE,CACjE,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,8FAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAAC,MAAM,QAAQC,EAAE,GAAG,EACtB,MAAM,IAAInB,EACR,uDAAA,EAIJ,QAASnB,EAAI,EAAGA,EAAIsC,EAAE,IAAI,OAAQtC,IAChCwC,GAA4BF,EAAE,IAAItC,CAAC,EAAG,OAAOA,CAAC,GAAG,EAGnD,GAAIsC,EAAE,kBAAoB,MAAQ,OAAOA,EAAE,iBAAoB,SAC7D,MAAM,IAAInB,EACR,oEAAA,EAIJsB,GACEH,EAAE,eAAA,CAEN,CAEA,SAASI,EAAwB1B,EAAgBW,EAAqB,CACpE,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5CD,GADWV,EACU,OAAQ,GAAGW,CAAK,SAAS,CAChD,CAEA,SAASa,GAA4BxB,EAAgBW,EAAqB,CACxE,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5C,MAAMgB,EAAK3B,EAEXa,EAAgBc,EAAG,eAAgB,GAAGhB,CAAK,iBAAiB,EAC5De,EAAwBC,EAAG,SAAU,GAAGhB,CAAK,WAAW,EACxDe,EAAwBC,EAAG,UAAW,GAAGhB,CAAK,YAAY,EAC1De,EAAwBC,EAAG,UAAW,GAAGhB,CAAK,YAAY,EAC1DC,EAAqBe,EAAG,YAAa,GAAGhB,CAAK,cAAc,CAC7D,CAEA,SAASiB,GACP5B,EACAW,EACM,CACN,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5C,MAAMkB,EAAI7B,EACVY,EAAqBiB,EAAE,cAAe,GAAGlB,CAAK,gBAAgB,EAC9DC,EAAqBiB,EAAE,kBAAmB,GAAGlB,CAAK,oBAAoB,CACxE,CAEA,SAASmB,GAAiC9B,EAAgBW,EAAqB,CAC7E,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5C,MAAMoB,EAAI/B,EAcV,GAZAa,EAAgBkB,EAAE,kBAAmB,GAAGpB,CAAK,oBAAoB,EACjEe,EACEK,EAAE,sBACF,GAAGpB,CAAK,wBAAA,EAEVe,EACEK,EAAE,sBACF,GAAGpB,CAAK,wBAAA,EAEVe,EAAwBK,EAAE,YAAa,GAAGpB,CAAK,cAAc,EAC7DC,EAAqBmB,EAAE,cAAe,GAAGpB,CAAK,gBAAgB,EAE1D,CAAC,MAAM,QAAQoB,EAAE,2BAA2B,EAC9C,MAAM,IAAI5B,EACR,mCAAmCQ,CAAK,gDAAA,EAI5C,GACEoB,EAAE,4BAA4B,SAC9BC,6CAEA,MAAM,IAAI7B,EACR,mCAAmCQ,CAAK,mDAAmDqB,EAAAA,0CAA0C,iBAAiBD,EAAE,4BAA4B,MAAM,EAAA,EAI9L,QAAS/C,EAAI,EAAGA,EAAI+C,EAAE,4BAA4B,OAAQ/C,IACxD4C,GACEG,EAAE,4BAA4B/C,CAAC,EAC/B,GAAG2B,CAAK,gCAAgC3B,CAAC,GAAA,EAI7C,GAAI,CAAC,MAAM,QAAQ+C,EAAE,mBAAmB,EACtC,MAAM,IAAI5B,EACR,mCAAmCQ,CAAK,wCAAA,EAI5C,QAAS3B,EAAI,EAAGA,EAAI+C,EAAE,oBAAoB,OAAQ/C,IAChD0B,GACEqB,EAAE,oBAAoB/C,CAAC,EACvB,GAAG2B,CAAK,wBAAwB3B,CAAC,GAAA,CAGvC,CAKO,SAASiD,GACdZ,EAC8D,CAC9D,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,2FAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAACZ,GAAiBa,EAAE,aAAa,EACnC,MAAM,IAAInB,EACR,kFAAkFJ,EAAQuB,EAAE,aAAa,CAAC,EAAA,EAI9G,GAAI,CAACf,EAAce,EAAE,iBAAiB,EACpC,MAAM,IAAInB,EACR,0FAA0FJ,EAAQuB,EAAE,iBAAiB,CAAC,EAAA,EAI1H,GACEA,EAAE,gBAAkB,MACpB,OAAOA,EAAE,eAAkB,UAC3B,MAAM,QAAQA,EAAE,aAAa,EAE7B,MAAM,IAAInB,EACR,kEAAA,EAIJ,MAAM+B,EAAiB,OAAO,QAC5BZ,EAAE,aAAA,EAEJ,GAAIY,EAAe,SAAW,EAC5B,MAAM,IAAI/B,EACR,2FAAA,EAIJ,SAAW,CAACgC,EAAKC,CAAO,IAAKF,EAAgB,CAE3C,GADArB,EAAgBsB,EAAK,kBAAkBA,CAAG,IAAI,EAC1CC,IAAY,MAAQ,OAAOA,GAAY,SACzC,MAAM,IAAIjC,EACR,iDAAiDgC,CAAG,qBAAA,EAGxD,MAAM,EAAIC,EACV,GAAI,CAAC7B,EAAc,EAAE,uBAAuB,EAC1C,MAAM,IAAIJ,EACR,iDAAiDgC,CAAG,iEAAiEpC,EAAQ,EAAE,uBAAuB,CAAC,EAAA,CAG7J,CACF,CAOO,SAASsC,GACdhB,EAC6C,CAC7C,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,uEAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAACd,EAAce,EAAE,UAAU,GAAKA,EAAE,WAAW,SAAWhB,EAC1D,MAAM,IAAIH,EACR,yDAAyDG,CAAY,gCAAgCP,EAAQuB,EAAE,UAAU,CAAC,EAAA,EAI9H,GAAI,OAAOA,EAAE,OAAU,UACrB,MAAM,IAAInB,EACR,iEAAiEJ,EAAQuB,EAAE,KAAK,CAAC,EAAA,EAKrF,GAAIA,EAAE,UAAY,KAAM,CACtB,GAAI,OAAOA,EAAE,SAAY,SACvB,MAAM,IAAInB,EACR,2EAA2EJ,EAAQuB,EAAE,OAAO,CAAC,EAAA,EAGjGgB,GAA4BhB,EAAE,OAAkC,CAClE,CAGA,GAAI,CAAC,MAAM,QAAQA,EAAE,WAAW,EAC9B,MAAM,IAAInB,EACR,sEAAsEJ,EAAQuB,EAAE,WAAW,CAAC,EAAA,EAGhG,QAAStC,EAAI,EAAGA,EAAIsC,EAAE,YAAY,OAAQtC,IACxCuD,GAAyBjB,EAAE,YAAYtC,CAAC,EAAGA,CAAC,CAEhD,CAEA,SAASsD,GAA4BtC,EAAsC,CAEzE,GADAY,EAAqBZ,EAAM,OAAQ,gBAAgB,EAC/C,OAAOA,EAAM,QAAW,UAC1B,MAAM,IAAIG,EACR,0EAA0EJ,EAAQC,EAAM,MAAM,CAAC,EAAA,EAMnG,GAHAY,EAAqBZ,EAAM,WAAY,oBAAoB,EAC3DY,EAAqBZ,EAAM,eAAgB,wBAAwB,EACnEY,EAAqBZ,EAAM,YAAa,qBAAqB,EACzD,OAAOA,EAAM,YAAe,SAC9B,MAAM,IAAIG,EACR,6EAA6EJ,EAAQC,EAAM,UAAU,CAAC,EAAA,EAG1G,GAAI,OAAOA,EAAM,YAAe,SAC9B,MAAM,IAAIG,EACR,6EAA6EJ,EAAQC,EAAM,UAAU,CAAC,EAAA,CAG5G,CAEA,SAASuC,GAAyBvC,EAAgBwC,EAAqB,CACrE,GAAIxC,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,+CAA+CqC,CAAK,6BAA6BzC,EAAQC,CAAK,CAAC,EAAA,EAGnG,MAAM6B,EAAI7B,EAcV,GAbAY,EAAqBiB,EAAE,OAAQ,eAAeW,CAAK,UAAU,EAC7D5B,EAAqBiB,EAAE,WAAY,eAAeW,CAAK,cAAc,EACrE5B,EAAqBiB,EAAE,eAAgB,eAAeW,CAAK,kBAAkB,EAC7EC,EAAqBZ,EAAE,YAAa,eAAeW,CAAK,eAAe,EACvEC,EACEZ,EAAE,wBACF,eAAeW,CAAK,2BAAA,EAEtBC,EACEZ,EAAE,wBACF,eAAeW,CAAK,2BAAA,EAEtBC,EAAqBZ,EAAE,cAAe,eAAeW,CAAK,iBAAiB,EACvE,OAAOX,EAAE,YAAe,SAC1B,MAAM,IAAI1B,EACR,+CAA+CqC,CAAK,uCAAuCzC,EAAQ8B,EAAE,UAAU,CAAC,EAAA,EAGpH,GAAI,OAAOA,EAAE,YAAe,SAC1B,MAAM,IAAI1B,EACR,+CAA+CqC,CAAK,uCAAuCzC,EAAQ8B,EAAE,UAAU,CAAC,EAAA,CAGtH,CAEA,SAASY,EAAqBzC,EAAgBW,EAAqB,CACjE,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,mCAAmCZ,EAAQC,CAAK,CAAC,EAAA,CAG/F,CAOO,SAAS0C,GACdrB,EACiD,CACjDsB,GAAsBtB,EAAU,sBAAwBuB,GAAU,CAC5DA,EAAM,SAAW,MACnBxB,GAA+BwB,EAAM,MAAM,CAE/C,CAAC,CACH,CAGO,SAASC,GACdxB,EACkD,CAClDsB,GAAsBtB,EAAU,uBAAyBuB,GAAU,CAC7DA,EAAM,SAAW,MACnBP,GAAgCO,EAAM,MAAM,CAEhD,CAAC,CACH,CAQA,SAASD,GACPtB,EACAyB,EACAC,EACM,CACN,GAAI1B,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,kCAAkC2C,CAAO,4BAAA,EAG7C,MAAMxB,EAAID,EACV,GAAI,CAAC,MAAM,QAAQC,EAAE,OAAO,EAC1B,MAAM,IAAInB,EACR,mCAAmC2C,CAAO,mCAAmC/C,EAAQuB,EAAE,OAAO,CAAC,EAAA,EAGnG,QAAS,EAAI,EAAG,EAAIA,EAAE,QAAQ,OAAQ,IAAK,CACzC,MAAMsB,EAAQtB,EAAE,QAAQ,CAAC,EACzB,GAAIsB,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIzC,EACR,mCAAmC2C,CAAO,YAAY,CAAC,6BAA6B/C,EAAQ6C,CAAK,CAAC,EAAA,EAGtG,MAAMI,EAAIJ,EACV,GACE,CAACrC,EAAcyC,EAAE,UAAU,GAC3BA,EAAE,WAAW,SAAW1C,EAExB,MAAM,IAAIH,EACR,mCAAmC2C,CAAO,YAAY,CAAC,2BAA2BxC,CAAY,yBAAyBP,EAAQiD,EAAE,UAAU,CAAC,EAAA,EAGhJ,GAAIA,EAAE,QAAU,MAAQ,OAAOA,EAAE,OAAU,SACzC,MAAM,IAAI7C,EACR,mCAAmC2C,CAAO,YAAY,CAAC,0CAA0C/C,EAAQiD,EAAE,KAAK,CAAC,EAAA,EAMrH,GAAIA,EAAE,SAAW,MAAQA,EAAE,QAAU,KACnC,MAAM,IAAI7C,EACR,mCAAmC2C,CAAO,YAAY,CAAC,+CAAA,EAG3D,GAAIE,EAAE,SAAW,MAAQA,EAAE,QAAU,KACnC,MAAM,IAAI7C,EACR,mCAAmC2C,CAAO,YAAY,CAAC,4CAAA,EAG3DC,EAAoBC,EAAqC,CAAC,CAC5D,CACF,CAEA,SAASvB,GACPwB,EACM,CAMN,GALAvB,EAAwBuB,EAAM,SAAU,0BAA0B,EAClEvB,EAAwBuB,EAAM,UAAW,2BAA2B,EACpEvB,EAAwBuB,EAAM,UAAW,2BAA2B,EACpErC,EAAqBqC,EAAM,YAAa,6BAA6B,EAEjE,CAAC,MAAM,QAAQA,EAAM,uBAAuB,EAC9C,MAAM,IAAI9C,EACR,2FAAA,EAIJ,QAASnB,EAAI,EAAGA,EAAIiE,EAAM,wBAAwB,OAAQjE,IACxD8C,GACEmB,EAAM,wBAAwBjE,CAAC,EAC/B,2CAA2CA,CAAC,GAAA,EAIhD,GAAI,OAAOiE,EAAM,yBAA4B,SAC3C,MAAM,IAAI9C,EACR,2FAAA,CAGN,CCziBA,MAAM+C,GAAqB,IAWpB,MAAMC,EAEb,CAGE,YAAYC,EAAiBC,EAAyC,CAF9DhD,EAAA,eAGN,MAAM3B,EAA8B,CAClC,QAAA0E,EACA,SAASC,GAAA,YAAAA,EAAS,UAAWH,GAC7B,QAASG,GAAA,YAAAA,EAAS,QAClB,WAAYA,GAAA,YAAAA,EAAS,WACrB,aAAcA,GAAA,YAAAA,EAAS,aACvB,QAASA,GAAA,YAAAA,EAAS,QAClB,cAAeA,GAAA,YAAAA,EAAS,cACxB,iBAAkBA,GAAA,YAAAA,EAAS,gBAAA,EAE7B,KAAK,OAAS,IAAIC,EAAAA,cAAc5E,CAAM,CACxC,CAMA,MAAM,oCACJV,EACAuF,EACsD,CACtD,MAAMlC,EAAW,MAAM,KAAK,OAAO,KAGjC,oDAAqDrD,EAAQuF,CAAM,EACrE,OAAAhC,GAAoDF,CAAQ,EACrDA,CACT,CAMA,MAAM,6BACJrD,EACAuF,EACe,CACf,OAAO,KAAK,OAAO,KACjB,6CACAvF,EACAuF,CAAA,CAEJ,CAOA,MAAM,uBACJvF,EACAuF,EACe,CACf,OAAO,KAAK,OAAO,KACjB,uCACAvF,EACAuF,CAAA,CAEJ,CAMA,MAAM,iCACJvF,EACAuF,EACmD,CACnD,MAAMlC,EAAW,MAAM,KAAK,OAAO,KAGjC,iDAAkDrD,EAAQuF,CAAM,EAClE,OAAAtB,GAAiDZ,CAAQ,EAClDA,CACT,CAGA,MAAM,eACJrD,EACAuF,EACiC,CACjC,MAAMlC,EAAW,MAAM,KAAK,OAAO,KACjC,+BACArD,EACAuF,CAAA,EAEF,OAAAnC,GAA+BC,CAAQ,EAChCA,CACT,CAOA,MAAM,oBACJrD,EACAuF,EACsC,CACtC,MAAMlC,EAAW,MAAM,KAAK,OAAO,KAGjC,oCAAqCrD,EAAQuF,CAAM,EACrD,OAAAb,GAAoCrB,CAAQ,EACrCA,CACT,CAMA,MAAM,qBACJrD,EACAuF,EACuC,CACvC,MAAMlC,EAAW,MAAM,KAAK,OAAO,KAGjC,qCAAsCrD,EAAQuF,CAAM,EACtD,OAAAV,GAAqCxB,CAAQ,EACtCA,CACT,CACF,CCnKO,SAASmC,GACdC,EACAnF,EAC2B,CAC3B,MAAMoF,MAAmB,IACzB,UAAWC,KAAQF,EACjBC,EAAa,IAAIC,EAAK,aAAa,EAGrC,MAAMC,MAAa,IAIbC,MAAW,IACXC,EAAsB,CAAA,EACtBC,EAAuB,CAAA,EAE7B,UAAWnB,KAAStE,EAAS,CAC3B,MAAM0F,EAAQpB,EAAM,WAAW,YAAA,EAC/B,GAAI,CAACc,EAAa,IAAIM,CAAK,EAAG,CAC5BD,EAAW,KAAKC,CAAK,EACrB,QACF,CACA,GAAIH,EAAK,IAAIG,CAAK,EAAG,CACnBF,EAAU,KAAKE,CAAK,EACpB,QACF,CACAH,EAAK,IAAIG,CAAK,EACdJ,EAAO,IAAII,EAAO,CAAE,OAAQpB,EAAM,OAAQ,MAAOA,EAAM,MAAO,CAChE,CAEA,MAAMqB,EAAoB,CAAA,EAC1B,UAAWN,KAAQD,EACZG,EAAK,IAAIF,CAAI,GAAGM,EAAQ,KAAKN,CAAI,EAGxC,MAAO,CAAE,OAAAC,EAAQ,QAAAK,EAAS,WAAAF,EAAY,UAAAD,CAAA,CACxC,CCRA,eAAsBI,GACpBb,EACe,CACf,KAAM,CACJ,MAAAc,EACA,QAAAC,EACA,UAAAC,EACA,OAAAC,EACA,UAAAC,EACA,YAAAC,EACA,iBAAAC,EACA,kBAAAC,EACA,aAAAC,EACA,UAAAC,EAAYC,EAAAA,iBAAA,EACVxB,EAEJ,GAAI,CAAC,OAAO,UAAUuB,CAAS,GAAKA,GAAa,EAC/C,MAAM,IAAI,MACR,kEAAkEA,CAAS,EAAA,EAI/E,QAAS5F,EAAI,EAAGA,EAAImF,EAAM,OAAQnF,GAAK4F,EAAW,CAChD,MAAME,EAAQX,EAAM,MAAMnF,EAAGA,EAAI4F,CAAS,EACpCG,MAAiB,IACjBC,EAAkB,CAAA,EACxB,UAAWC,KAAQH,EAAO,CACxB,MAAMI,EAAYd,EAAQa,CAAI,EAAE,YAAA,EAChCF,EAAW,IAAIG,EAAWD,CAAI,EAC9BD,EAAM,KAAKE,CAAS,CACtB,CAKA,IAAIC,EACJ,GAAI,CACF,MAAM9D,EAAW,MAAMgD,EAAUW,CAAK,EACtCG,EAAc3B,GAA+BwB,EAAO3D,EAAS,OAAO,CACtE,OAASjC,EAAO,CACdsF,EAAkBI,EAAO1F,CAAK,EAC9B,QACF,CAEIuF,GAAgBQ,EAAY,WAAW,OAAS,GAClDR,EAAaQ,EAAY,UAAU,EAGrC,MAAMC,EAAiB,IAAI,IAAID,EAAY,SAAS,EACpD,UAAWxB,KAAQyB,EAAgB,CACjC,MAAMH,EAAOF,EAAW,IAAIpB,CAAI,EAC5BsB,KAAkBA,CAAI,CAC5B,CACIR,GAAoBW,EAAe,KAAO,GAC5CX,EAAiBW,EAAe,IAAI,EAEtC,UAAWzB,KAAQwB,EAAY,QAAS,CACtC,MAAMF,EAAOF,EAAW,IAAIpB,CAAI,EAC5BsB,KAAgBA,CAAI,CAC1B,CACA,SAAW,CAACtB,EAAM0B,CAAQ,IAAKF,EAAY,OAAQ,CAEjD,GAAIC,EAAe,IAAIzB,CAAI,EAAG,SAC9B,MAAMsB,EAAOF,EAAW,IAAIpB,CAAI,EAC3BsB,GACLX,EAAOW,EAAM,CACX,WAAYtB,EACZ,OAAQ0B,EAAS,OACjB,MAAOA,EAAS,KAAA,CACjB,CACH,CACF,CACF,CCpGA,MAAMC,GAAa,yBAGbC,GAAe,WAEfC,GAAqB,GACrBC,GAAmB,GAMzB,SAASC,GAAWC,EAAaC,EAA8B,CAC7D,MAAMC,EAAW,IAAI,cAAc,OAAOF,CAAG,EACvCG,EAAUC,EAAAA,OAAOF,CAAQ,EACzBG,EAAW,IAAI,WAAWF,EAAQ,OAAS,EAAIF,EAAK,MAAM,EAChE,OAAAI,EAAS,IAAIF,EAAS,CAAC,EACvBE,EAAS,IAAIF,EAASA,EAAQ,MAAM,EACpCE,EAAS,IAAIJ,EAAME,EAAQ,OAAS,CAAC,EAC9BC,EAAAA,OAAOC,CAAQ,CACxB,CAYA,SAASC,GAAcC,EAAsC,CAC3D,GAAIA,EAAM,SAAWV,GAAoB,OAAO,KAChD,MAAMW,EAAQT,GAAWH,GAAcW,CAAK,EACtCE,EAAUC,EAAI,mBAAmBH,EAAOC,CAAK,EACnD,OAAOC,EAAUA,EAAQ,YAAc,IACzC,CAoBO,SAASE,GACdC,EACAC,EACAC,EACS,CAET,GADID,EAAY,SAAWhB,IACvBiB,EAAU,SAAWhB,GAAkB,MAAO,GAOlD,GAAI,CAEF,MAAMiB,EAAchB,GAAWJ,GAAYiB,CAAY,EAKjDI,EAAOC,EAAAA,SAAS,KAAK,CACzB,eAAgBC,EAAAA,OAAO,KAAKL,CAAW,CAAA,CACxC,EACD,GAAI,CAACG,EAAK,OAAQ,MAAO,GACzB,MAAMG,EAAeH,EAAK,OAUpBI,EAAY,EACZC,EAAU,IAAIC,cACpBD,EAAQ,QAAU,EAClBA,EAAQ,SAAW,EAEnB,MAAME,EAAYL,EAAAA,OAAO,OAAO,CAC9BA,EAAAA,OAAO,KAAK,CAAC,EAAM,EAAI,CAAC,EACxBA,EAAAA,OAAO,KAAKH,CAAW,CAAA,CACxB,EACDM,EAAQ,SACNH,SAAO,MAAM,GAAI,CAAC,EAClB,WACA,EACAK,CAAA,EAEFF,EAAQ,UAAUF,EAAcC,CAAS,EAGzC,MAAMI,EAAS,IAAIF,cACnBE,EAAO,QAAU,EACjBA,EAAO,SAAW,EAElB,MAAMC,EAAcJ,EAAQ,QAAA,EAC5BG,EAAO,SAASC,EAAa,EAAG,CAAC,EACjCD,EAAO,UAAUN,SAAO,KAAK,CAAC,GAAI,CAAC,EAAGE,CAAS,EAG/C,MAAMM,EAAUF,EAAO,iBACrB,EACA,CAACL,CAAY,EACb,CAACC,CAAS,EACVE,cAAY,eAAA,EAIRK,EAAerB,GAAcO,CAAW,EAC9C,OAAKc,EAEEjB,EAAI,cAAcgB,EAASC,EAAcb,CAAS,EAF/B,EAG5B,MAAQ,CACN,MAAO,EACT,CACF,CC9IA,SAASc,EAASC,EAAeC,EAAkC,CACjE,MAAM9B,GAAO6B,EAAQ,IAAS,EACxB,EAAI,OAAOC,GAAQ,SAAWA,EAAM,OAAOA,CAAG,EACpD,GAAI,EAAI,GAAI,MAAM,IAAI,MAAM,6BAA6B,EAEzD,GAAI,EAAI,IAAK,OAAO,IAAI,WAAW,CAAC9B,EAAM,OAAO,CAAC,CAAC,CAAC,EACpD,GAAI,EAAI,OAAQ,OAAO,IAAI,WAAW,CAACA,EAAM,GAAI,OAAO,CAAC,CAAC,CAAC,EAC3D,GAAI,EAAI,SAAU,CAChB,MAAMzG,EAAI,OAAO,CAAC,EAClB,OAAO,IAAI,WAAW,CAACyG,EAAM,GAAKzG,IAAM,EAAK,IAAMA,EAAI,GAAI,CAAC,CAC9D,CACA,GAAI,EAAI,aAAgB,CACtB,MAAMA,EAAI,OAAO,CAAC,EAClB,OAAO,IAAI,WAAW,CACpByG,EAAM,GACLzG,IAAM,GAAM,IACZA,IAAM,GAAM,IACZA,IAAM,EAAK,IACZA,EAAI,GAAA,CACL,CACH,CAEA,MAAMwI,EAAM,IAAI,WAAW,CAAC,EAC5BA,EAAI,CAAC,EAAI/B,EAAM,GACf,QAAS3G,EAAI,EAAGA,GAAK,EAAGA,IACtB0I,EAAI,EAAI1I,CAAC,EAAI,OAAO,GAAK,QAAQ,EAAIA,GAAK,CAAC,CAAC,EAAI,IAElD,OAAO0I,CACT,CAEA,SAASC,MAAUC,EAAiC,CAClD,MAAMC,EAAQD,EAAM,OAAO,CAACE,EAAG3G,IAAM2G,EAAI3G,EAAE,OAAQ,CAAC,EAC9CuG,EAAM,IAAI,WAAWG,CAAK,EAChC,IAAIE,EAAS,EACb,UAAW5G,KAAKyG,EACdF,EAAI,IAAIvG,EAAG4G,CAAM,EACjBA,GAAU5G,EAAE,OAEd,OAAOuG,CACT,CASA,SAASM,GAAuBC,EAA+B,CAE7D,MAAM9D,EAAsB,CADboD,EAAS,EAAGU,EAAM,MAAM,CACJ,EACnC,UAAWC,KAAKD,EACd9D,EAAM,KAAKoD,EAAS,EAAGW,CAAC,CAAC,EAE3B,OAAOP,GAAO,GAAGxD,CAAK,CACxB,CAsBO,SAASgE,GACdC,EACAC,EACAC,EACY,CACZ,GAAI,CAAC,OAAO,cAAcA,CAAS,GAAKA,EAAY,EAClD,MAAM,IAAI,MACR,oFAAoFA,CAAS,EAAA,EAGjG,MAAMC,EAAchB,EAAS,EAAG,CAAC,EAC3BiB,EAAcR,GAAuBI,CAAM,EAC3CK,EAAcT,GAAuBK,CAAyB,EAC9DK,EAAiBnB,EAAS,EAAGe,CAAS,EAC5C,OAAOX,GAAOY,EAAaC,EAAaC,EAAaC,CAAc,CACrE,CCzFA,MAAMC,GAAyB,IAAI,YAAA,EAAc,OAC/C,6BACF,EAQMC,GAAkC,EAAI,KA+BrC,MAAMC,UAA4B,KAAM,CAC7C,YACEC,EACgBC,EAUhB,CACA,MAAMD,CAAO,EAXG,KAAA,OAAAC,EAYhB,KAAK,KAAO,qBACd,CACF,CAGA,SAASC,EAAWC,EAAyB,CAC3C,MAAMvB,EAAM,IAAI,WAAWuB,EAAI,OAAS,CAAC,EACzC,QAASjK,EAAI,EAAGA,EAAI0I,EAAI,OAAQ1I,IAC9B0I,EAAI1I,CAAC,EAAI,SAASiK,EAAI,MAAMjK,EAAI,EAAGA,EAAI,EAAI,CAAC,EAAG,EAAE,EAEnD,OAAO0I,CACT,CAsBO,SAASwB,GAAqBC,EAAwC,CAC3E,KAAM,CAAE,MAAAC,EAAO,mBAAAC,EAAoB,IAAAC,CAAA,EAAQH,EACrCI,EACJJ,EAAM,iBAAmBP,GAErBY,EAASC,EAAAA,eAAeJ,CAAkB,EAAE,YAAA,EAClD,GAAIG,EAAO,SAAW1I,EAAAA,uBAAyB,CAACN,EAAAA,OAAO,KAAKgJ,CAAM,EAChE,MAAM,IAAIX,EACR,+CAA+CW,EAAO,MAAM,SAC5D,yBAAA,EAIJ,MAAME,EAASD,EAAAA,eAAeL,EAAM,aAAa,EAAE,YAAA,EACnD,GAAIM,EAAO,SAAW5I,EAAAA,uBAAyB,CAACN,EAAAA,OAAO,KAAKkJ,CAAM,EAChE,MAAM,IAAIb,EACR,0CAA0Ca,EAAO,MAAM,SACvD,yBAAA,EAIJ,GAAIA,IAAWF,EACb,MAAM,IAAIX,EACR,uDAAuDW,CAAM,SAASE,CAAM,GAC5E,wBAAA,EAWJ,GAAI,CAAC,OAAO,cAAcN,EAAM,UAAU,EACxC,MAAM,IAAIP,EACR,4CAA4C,KAAK,UAAUO,EAAM,UAAU,CAAC,GAC5E,oBAAA,EAGJ,GAAI,CAAC,OAAO,cAAcE,CAAG,EAC3B,MAAM,IAAIT,EACR,qCAAqC,KAAK,UAAUS,CAAG,CAAC,GACxD,oBAAA,EAGJ,GAAIF,EAAM,YAAcE,EACtB,MAAM,IAAIT,EACR,oCAAoCO,EAAM,UAAU,SAASE,CAAG,GAChE,SAAA,EAGJ,GAAI,CAAC,OAAO,cAAcC,CAAe,GAAKA,GAAmB,EAC/D,MAAM,IAAIV,EACR,wDAAwD,KAAK,UAAUU,CAAe,CAAC,GACvF,sBAAA,EAGJ,GAAIH,EAAM,WAAaE,EAAMC,EAC3B,MAAM,IAAIV,EACR,mEACgBO,EAAM,UAAU,SAASE,CAAG,kBAAkBC,CAAe,IAC7E,iBAAA,EAIJ,MAAMI,EAAMF,EAAAA,eAAeL,EAAM,gBAAgB,EAAE,YAAA,EACnD,GAAIO,EAAI,SAAW5I,EAAAA,2BAA6B,CAACP,EAAAA,OAAO,KAAKmJ,CAAG,EAC9D,MAAM,IAAId,EACR,wDAAwDc,EAAI,MAAM,SAClE,0BAAA,EAGJ,MAAMC,EAASD,EAAI,MAAM,EAAG,CAAC,EAC7B,GAAIC,IAAW,MAAQA,IAAW,KAChC,MAAM,IAAIf,EACR,2DAA2De,CAAM,GACjE,0BAAA,EASJ,MAAMC,EAAWb,EAAWW,CAAG,EAC/B,GAAI,CAACtD,EAAI,QAAQwD,CAAQ,EACvB,MAAM,IAAIhB,EACR,kDACA,0BAAA,EAIJ,MAAMiB,EAAML,EAAAA,eAAeL,EAAM,SAAS,EAAE,YAAA,EAC5C,GAAIU,EAAI,SAAWC,EAAAA,qBAAuB,CAACvJ,EAAAA,OAAO,KAAKsJ,CAAG,EACxD,MAAM,IAAIjB,EACR,8CAA8CiB,EAAI,MAAM,SACxD,4BAAA,EAQJ,MAAME,EAAU7B,GACdQ,GACAK,EAAWW,CAAG,EACdP,EAAM,UAAA,EAGR,GAAI,CADa9C,GAAmB0D,EAAShB,EAAWU,CAAM,EAAGV,EAAWc,CAAG,CAAC,EAE9E,MAAM,IAAIjB,EACR,gGACA,+BAAA,CAGN,CClOO,MAAMoB,OAA8C,IAAI,CAC7D,uCACA,6CACA,mDACF,CAAC,EAEYC,OAAmD,IAAI,CAClE,gDACF,CAAC,ECjBKC,GAAuB,IAEhBC,EAAqB,4BAQrBC,EAA0B,gCAEhC,SAASC,GACdlH,EACAmH,EACe,CACf,OAAO,IAAIjH,EAAAA,cAAc,CACvB,QAAAF,EACA,QAAS+G,GACT,QAAAI,EACA,aAAeC,GACbA,IAAWJ,GAAsBI,IAAWH,CAAA,CAC/C,CACH,CCZA,MAAMI,GAAqB,EACrBC,GAAqB,EACrBC,EAAoB,EACpBC,GAAoB,EACpBC,GAAc,EACdC,GAAY,EACZC,GAAY,EACZC,GAAe,EAMfC,GAAqB,GAErBC,GAAmB,GAGnBC,GAAe,GACfC,GAAc,GACdC,GAAc,GAUdC,GAAoB,IA2BnB,MAAMC,UAAwB,KAAM,CACzC,YAAYzC,EAAiB,CAC3B,MAAM,gBAAgBA,CAAO,EAAE,EAC/B,KAAK,KAAO,iBACd,CACF,CAMO,MAAM0C,EAAW,CAKtB,YAAYC,EAAiB,CAJpBpL,EAAA,YAETA,EAAA,WAAM,GAGJ,KAAK,IAAMoL,CACb,CAEQ,UAAmB,CACzB,GAAI,KAAK,KAAO,KAAK,IAAI,OACvB,MAAM,IAAIF,EAAgB,yBAAyB,EAErD,OAAO,KAAK,IAAI,KAAK,KAAK,CAC5B,CAQA,UAAqB,CACnB,MAAMG,EAAU,KAAK,SAAA,EACflE,EAAQkE,GAAW,EACnBC,EAAOD,EAAU,GAEvB,GAAIC,EAAOV,GACT,MAAO,CAAE,MAAAzD,EAAO,IAAKmE,CAAA,EAEvB,GAAIA,GAAQT,GACV,MAAM,IAAIK,EACR,+BAA+BI,CAAI,kCAAA,EAIvC,MAAMC,EAAY,GAAMD,EAAOV,GAE/B,IAAIjL,EAAQ,GACZ,QAAShB,EAAI,EAAGA,EAAI4M,EAAW5M,IAC7BgB,EAASA,GAAS,GAAM,OAAO,KAAK,UAAU,EAEhD,GAAIA,EAAQ,OAAO,OAAO,gBAAgB,EACxC,MAAM,IAAIuL,EAAgB,YAAYvL,CAAK,6BAA6B,EAE1E,MAAO,CAAE,MAAAwH,EAAO,IAAK,OAAOxH,CAAK,CAAA,CACnC,CAGQ,UAAU6L,EAA4B,CAC5C,GAAI,KAAK,IAAMA,EAAS,KAAK,IAAI,OAC/B,MAAM,IAAIN,EAAgB,8BAA8B,EAE1D,MAAMO,EAAQ,KAAK,IAAI,SAAS,KAAK,IAAK,KAAK,IAAMD,CAAM,EAC3D,YAAK,KAAOA,EACLC,CACT,CAMA,gBAA6B,CAC3B,MAAMC,EAAO,KAAK,SAAA,EAClB,GAAIA,EAAK,QAAUpB,EACjB,MAAM,IAAIY,EACR,+BAA+BZ,CAAiB,gBAAgBoB,EAAK,KAAK,EAAA,EAG9E,OAAO,KAAK,UAAUA,EAAK,GAAG,CAChC,CASA,UAAUC,EAAQ,EAAc,CAC9B,GAAIA,EAAQV,GACV,MAAM,IAAIC,EACR,iCAAiCD,EAAiB,EAAA,EAGtD,MAAMS,EAAO,KAAK,SAAA,EAClB,OAAQA,EAAK,MAAA,CACX,KAAKtB,GACH,OAAOsB,EAAK,IACd,KAAKrB,GAEH,MAAO,GAAKqB,EAAK,IACnB,KAAKpB,EACH,OAAO,KAAK,UAAUoB,EAAK,GAAG,EAChC,KAAKnB,GACH,OAAO,IAAI,YAAY,QAAS,CAAE,MAAO,EAAA,CAAM,EAAE,OAC/C,KAAK,UAAUmB,EAAK,GAAG,CAAA,EAE3B,KAAKlB,GAAa,CAChB,MAAM1G,EAAqB,CAAA,EAC3B,QAAS,EAAI,EAAG,EAAI4H,EAAK,IAAK,IAC5B5H,EAAM,KAAK,KAAK,UAAU6H,EAAQ,CAAC,CAAC,EAEtC,OAAO7H,CACT,CACA,KAAK2G,GAAW,CACd,MAAMmB,MAAU,IAChB,QAAS,EAAI,EAAG,EAAIF,EAAK,IAAK,IAAK,CACjC,MAAM5J,EAAM,KAAK,UAAU6J,EAAQ,CAAC,EAC9BhM,EAAQ,KAAK,UAAUgM,EAAQ,CAAC,EACtCC,EAAI,IAAI9J,EAAKnC,CAAK,CACpB,CACA,OAAOiM,CACT,CACA,KAAKlB,GACH,MAAO,CAAE,IAAKgB,EAAK,IAAK,MAAO,KAAK,UAAUC,EAAQ,CAAC,CAAA,EACzD,KAAKhB,GACH,GAAIe,EAAK,MAAQZ,GAAc,MAAO,GACtC,GAAIY,EAAK,MAAQX,GAAa,MAAO,GACrC,GAAIW,EAAK,MAAQV,GAAa,OAAO,KACrC,MAAM,IAAIE,EACR,kCAAkCQ,EAAK,GAAG,EAAA,EAE9C,QACE,MAAM,IAAIR,EAAgB,0BAA0BQ,EAAK,KAAK,EAAE,CAAA,CAEtE,CACF,CAWO,SAASG,GAAWjE,EAA8B,CACvD,MAAMkE,EAAS,IAAIX,GAAWvD,CAAK,EAC7BjI,EAAQmM,EAAO,UAAA,EACrB,GAAIA,EAAO,MAAQlE,EAAM,OACvB,MAAM,IAAIsD,EAAgB,qCAAqC,EAEjE,OAAOvL,CACT,CClMO,MAAMoM,GAAsB,iBAEtBC,GAAmB,cAG1BC,GAAiB,GAEjBC,EAAuB,EAEvBC,GAAkB,IAElBC,GAAwB,EAExBC,GAAwB,GAGxBC,GAAkB,IAElBC,GAAwB,GAExBC,GAAyB,GAGzBC,GAAgB,EAChBC,GAAgB,EAChBC,GAAgB,EAChBC,GAAgB,EAChBC,GAAgB,EAChBC,GAAgB,EAChBC,GAAgB,EAMhBC,GAAwB,IAAI,cAAc,OAAO,YAAY,EAgB5D,MAAMC,UAA6B,KAAM,CAC9C,YACExE,EACgBC,EAChB,CACA,MAAMD,CAAO,EAFG,KAAA,OAAAC,EAGhB,KAAK,KAAO,sBACd,CACF,CA+CO,SAASwE,GACdpE,EACmB,CACnB,MAAMqE,EAAiBC,GACrBtE,EAAM,0BACN,2BAAA,EAEIuE,EAAmBD,GACvBtE,EAAM,4BACN,6BAAA,EAEIwE,EAAYC,GAAuBzE,EAAM,kBAAkB,EAE3D0E,EAAaC,GAAiB3E,EAAM,KAAK,EAMzCgD,EAAS,IAAIX,GAAWqC,CAAU,EAClClI,EAAMwG,EAAO,SAAA,EACnB,GAAIxG,EAAI,QAAU,GAAKA,EAAI,MAAQ2G,GACjC,MAAM,IAAIgB,EACR,+CAA+ChB,EAAc,IAC7D,yBAAA,EAGJ,MAAMyB,EAAQ5B,EAAO,SAAA,EACrB,GAAI4B,EAAM,QAAU,GAAKA,EAAM,MAAQxB,EACrC,MAAM,IAAIe,EACR,wBAAwBf,CAAoB,iBAC5C,yBAAA,EAIJ,MAAMyB,EAAiB7B,EAAO,IACxB8B,EAAmB9B,EAAO,eAAA,EAC1B+B,EAAgBL,EAAW,SAASG,EAAgB7B,EAAO,GAAG,EAGpEA,EAAO,UAAA,EAEP,MAAMgC,EAAehC,EAAO,IACtBiC,EAAiBjC,EAAO,eAAA,EACxBkC,EAAcR,EAAW,SAASM,EAAchC,EAAO,GAAG,EAE1D1F,EAAY0F,EAAO,eAAA,EACzB,GAAI1F,EAAU,SAAWiG,GACvB,MAAM,IAAIY,EACR,0BAA0BZ,EAAqB,eAAejG,EAAU,MAAM,GAC9E,yBAAA,EAMJ,GAAI0F,EAAO,MAAQ0B,EAAW,OAC5B,MAAM,IAAIP,EACR,0DACA,yBAAA,EAKJ,MAAMgB,EAAMC,GAAuBN,CAAgB,EACnD,GAAIK,IAAQ9B,GACV,MAAM,IAAIc,EACR,6BAA6BgB,CAAG,qBAAqB9B,EAAe,IACpE,sBAAA,EAKJ,MAAMgC,EAAeC,GAAkBP,EAAeG,CAAW,EAC3DK,EAAS3I,EAAAA,OAAOyI,CAAY,EAElC,GAAI,CAACnI,EAAI,OAAOqI,EAAQf,EAAWlH,EAAW,EAAI,EAChD,MAAM,IAAI6G,EACR,oEACA,+BAAA,EAKJ,MAAMqB,EAASC,GAAaR,CAAc,EAEpCS,EAAWF,EAAO,SAAS,YAAA,EACjC,GAAIE,EAAS,SAAW/N,EAAAA,uBAAyB,CAACN,EAAAA,OAAO,KAAKqO,CAAQ,EACpE,MAAM,IAAIvB,EACR,iDACA,gBAAA,EAGJ,GAAIqB,EAAO,SAAWA,EAAO,UAC3B,MAAM,IAAIrB,EACR,cAAcqB,EAAO,QAAQ,mBAAmBA,EAAO,SAAS,IAChE,gBAAA,EAIJ,GAAIA,EAAO,OAAO,YAAA,IAAkBnB,EAClC,MAAM,IAAIF,EACR,8DAA8DE,CAAc,SAASmB,EAAO,OAAO,aAAa,GAChH,iBAAA,EAGJ,GAAIA,EAAO,UAAYxF,EAAM,gBAC3B,MAAM,IAAImE,EACR,oCAAoCnE,EAAM,eAAe,SAASwF,EAAO,OAAO,GAChF,kBAAA,EAGJ,GAAIE,IAAanB,EACf,MAAM,IAAIJ,EACR,4DAA4DI,CAAgB,SAASmB,CAAQ,GAC7F,mBAAA,EAGJ,GAAIF,EAAO,UAAYxF,EAAM,IAC3B,MAAM,IAAImE,EACR,4BAA4BqB,EAAO,SAAS,UAAUxF,EAAM,GAAG,GAC/D,qBAAA,EAQJ,GAAIwF,EAAO,SAAWxF,EAAM,IAC1B,MAAM,IAAImE,EACR,mCAAmCqB,EAAO,QAAQ,UAAUxF,EAAM,GAAG,GACrE,gBAAA,EAGJ,GAAIwF,EAAO,WAAaxF,EAAM,IAC5B,MAAM,IAAImE,EACR,sBAAsBqB,EAAO,SAAS,WAAWxF,EAAM,GAAG,GAC1D,eAAA,EAGJ,GAAIA,EAAM,oBAAsBwF,EAAO,UACrC,MAAM,IAAIrB,EACR,wBAAwBnE,EAAM,iBAAiB,+BAA+BwF,EAAO,SAAS,IAC9F,iBAAA,EAGJ,GAAIxF,EAAM,wBAA0BwF,EAAO,UACzC,MAAM,IAAIrB,EACR,4BAA4BnE,EAAM,uBAAuB,uBAAuBwF,EAAO,SAAS,IAChG,sCAAA,EAIJ,MAAO,CACL,OAAQA,EAAO,OACf,QAASA,EAAO,QAChB,SAAAE,EACA,UAAWF,EAAO,UAClB,UAAWA,EAAO,UAClB,SAAUA,EAAO,QAAA,CAErB,CAGA,SAASJ,GAAuBN,EAAsC,CACpE,GAAIA,EAAiB,SAAW,EAC9B,MAAM,IAAIX,EACR,6CACA,sBAAA,EAGJ,MAAMwB,EAAS5C,GAAW+B,CAAgB,EAC1C,GAAI,EAAEa,aAAkB,KACtB,MAAM,IAAIxB,EACR,qCACA,yBAAA,EAGJ,MAAMgB,EAAMQ,EAAO,IAAIrC,EAAqB,EAC5C,GAAI,OAAO6B,GAAQ,SACjB,MAAM,IAAIhB,EACR,wDACA,sBAAA,EAGJ,OAAOgB,CACT,CAWA,SAASG,GACPP,EACAG,EACY,CACZ,OAAOU,GACL,WAAW,GAAGpC,GAAkBJ,CAAoB,EACpD,WAAW,GAAGK,GAAwBS,GAAsB,MAAM,EAClEA,GACAa,EACA,WAAW,GAAGrB,EAAsB,EACpCwB,CAAA,CAEJ,CAYA,SAASO,GAAaR,EAA2C,CAC/D,MAAMY,EAAO9C,GAAWkC,CAAc,EACtC,GAAI,EAAEY,aAAgB,KACpB,MAAM,IAAI1B,EACR,+BACA,gBAAA,EAIJ,GADY2B,GAAaD,EAAM5B,GAAe,KAAK,EAC3C,SAAW,EACjB,MAAM,IAAIE,EAAqB,qBAAsB,gBAAgB,EAEvE,MAAO,CACL,OAAQ4B,EAAcF,EAAMlC,GAAe,KAAK,EAChD,QAASoC,EAAcF,EAAMjC,GAAe,KAAK,EACjD,SAAUmC,EAAcF,EAAMhC,GAAe,KAAK,EAClD,UAAWmC,EAAiBH,EAAM/B,GAAe,KAAK,EACtD,UAAWkC,EAAiBH,EAAM9B,GAAe,KAAK,EACtD,SAAUiC,EAAiBH,EAAM7B,GAAe,KAAK,CAAA,CAEzD,CAEA,SAAS+B,EACPP,EACAxM,EACAiN,EACQ,CACR,MAAMpP,EAAQ2O,EAAO,IAAIxM,CAAG,EAC5B,GAAI,OAAOnC,GAAU,SACnB,MAAM,IAAIsN,EACR,eAAe8B,CAAI,mCACnB,gBAAA,EAGJ,OAAOpP,CACT,CAEA,SAASiP,GACPN,EACAxM,EACAiN,EACY,CACZ,MAAMpP,EAAQ2O,EAAO,IAAIxM,CAAG,EAC5B,GAAI,EAAEnC,aAAiB,YACrB,MAAM,IAAIsN,EACR,eAAe8B,CAAI,mCACnB,gBAAA,EAGJ,OAAOpP,CACT,CAEA,SAASmP,EACPR,EACAxM,EACAiN,EACQ,CACR,MAAMpP,EAAQ2O,EAAO,IAAIxM,CAAG,EAC5B,GAAI,OAAOnC,GAAU,UAAY,CAAC,OAAO,cAAcA,CAAK,GAAKA,EAAQ,EACvE,MAAM,IAAIsN,EACR,eAAe8B,CAAI,sDACnB,gBAAA,EAGJ,OAAOpP,CACT,CAGA,SAASyN,GAAe4B,EAAgBC,EAAuB,CAC7D,MAAMC,EAAa9F,EAAAA,eAAe4F,CAAM,EAAE,YAAA,EAC1C,GAAIE,EAAW,SAAWzO,EAAAA,uBAAyB,CAACN,EAAAA,OAAO,KAAK+O,CAAU,EACxE,MAAM,IAAIjC,EACR,GAAGgC,CAAK,oCAAoCC,EAAW,MAAM,SAC7D,eAAA,EAGJ,OAAOA,CACT,CAGA,SAAS3B,GAAuB4B,EAA+B,CAC7D,MAAMD,EAAa9F,EAAAA,eAAe+F,CAAS,EAAE,YAAA,EACvC5F,EAAS2F,EAAW,MAAM,EAAG,CAAC,EACpC,GACEA,EAAW,SAAWxO,EAAAA,2BACtB,CAACP,EAAAA,OAAO,KAAK+O,CAAU,GACtB3F,IAAW,MAAQA,IAAW,KAE/B,MAAM,IAAI0D,EACR,0EACA,eAAA,EAGJ,OAAOmC,EAAAA,gBAAgBF,CAAU,CACnC,CAEA,MAAMG,IAAiB,IAAM,CAC3B,MAAMC,EAAQ,IAAI,WAAW,GAAG,EAAE,KAAK,EAAE,EACnCC,EACJ,mEACF,QAAS5Q,EAAI,EAAGA,EAAI4Q,EAAS,OAAQ5Q,IACnC2Q,EAAMC,EAAS,WAAW5Q,CAAC,CAAC,EAAIA,EAElC,OAAO2Q,CACT,GAAA,EAGA,SAAS7B,GAAiB3E,EAA2B,CACnD,MAAM0G,EAAM1G,EAAM,OACZ2G,EAAa,KAAK,MAAMD,EAAM,CAAC,EAC/BE,EAAYF,EAAM,EACxB,GAAIE,IAAc,EAChB,MAAM,IAAIzC,EACR,2BACA,yBAAA,EAGJ,MAAM0C,EAASF,EAAa,GAAKC,IAAc,EAAI,EAAIA,EAAY,GAC7DrI,EAAM,IAAI,WAAWsI,CAAM,EAE3BC,EAAUC,GAA6B,CAC3C,MAAMlQ,EAAQkQ,EAAW,IAAMR,GAAcQ,CAAQ,EAAI,GACzD,GAAIlQ,EAAQ,EACV,MAAM,IAAIsN,EACR,8BACA,yBAAA,EAGJ,OAAOtN,CACT,EAEA,IAAImQ,EAAQ,EACRC,EAAS,EACb,QAASC,EAAI,EAAGA,EAAIP,EAAYO,IAAK,CACnC,MAAMC,EAAIL,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EACpCjI,EAAI+H,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EACpCtO,EAAIoO,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EACpCpO,EAAIkO,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EAC1CzI,EAAI0I,GAAQ,EAAKE,GAAK,EAAMpI,GAAK,EACjCR,EAAI0I,GAAQ,GAAMlI,EAAI,KAAS,EAAMrG,GAAK,EAC1C6F,EAAI0I,GAAQ,GAAMvO,EAAI,IAAS,EAAKE,CACtC,CACA,GAAIgO,IAAc,EAAG,CACnB,MAAMO,EAAIL,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EACpCjI,EAAI+H,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EAC1CzI,EAAI0I,GAAQ,EAAKE,GAAK,EAAMpI,GAAK,CACnC,SAAW6H,IAAc,EAAG,CAC1B,MAAMO,EAAIL,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EACpCjI,EAAI+H,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EACpCtO,EAAIoO,EAAO9G,EAAM,WAAWgH,GAAO,CAAC,EAC1CzI,EAAI0I,GAAQ,EAAKE,GAAK,EAAMpI,GAAK,EACjCR,EAAI0I,GAAQ,GAAMlI,EAAI,KAAS,EAAMrG,GAAK,CAC5C,CACA,OAAO6F,CACT,CAEA,SAASqH,MAAenH,EAAiC,CACvD,MAAMC,EAAQD,EAAM,OAAO,CAAC2I,EAAKC,IAASD,EAAMC,EAAK,OAAQ,CAAC,EACxD9I,EAAM,IAAI,WAAWG,CAAK,EAChC,IAAIE,EAAS,EACb,UAAWyI,KAAQ5I,EACjBF,EAAI,IAAI8I,EAAMzI,CAAM,EACpBA,GAAUyI,EAAK,OAEjB,OAAO9I,CACT,CCreA,MAAM+I,GAAsB,WAOtBC,GAA4B,GA4D3B,MAAMC,EAA+C,CAsB1D,YAAYjS,EAA+B,CAjBnC2B,EAAA,eACSA,EAAA,kBACAA,EAAA,sBACAA,EAAA,2BACAA,EAAA,oCACAA,EAAA,yBACAA,EAAA,yBACAA,EAAA,wBACAA,EAAA,YAGTA,EAAA,qBAAoC,MACpCA,EAAA,uBAA+C,MAE/CA,EAAA,kBAAiC,MACjCA,EAAA,oBAA4C,MAGlD,KAAK,OAAS3B,EAAO,OACrB,KAAK,UAAYA,EAAO,UACxB,KAAK,cAAgBA,EAAO,cAC5B,KAAK,mBAAqBA,EAAO,mBACjC,KAAK,4BAA8BA,EAAO,4BAC1C,KAAK,iBAAmBA,EAAO,iBAC/B,KAAK,iBAAmBA,EAAO,iBAC/B,KAAK,gBAAkBA,EAAO,iBAAmBgS,GACjD,KAAK,IAAMhS,EAAO,MAAQ,IAAM,KAAK,MAAM,KAAK,MAAQ,GAAI,EAC9D,CAmBA,MAAM,SAAS8L,EAAwC,CACrD,OAAIA,IAAWJ,GAAsBI,IAAWH,EACvC,KAGL,KAAK,iBAAiB,IAAIG,CAAM,EAC3B,KAAK,mBAAmB,MAAM,EAEnC,KAAK,iBAAiB,IAAIA,CAAM,EAC3B,KAAK,mBAAmB,SAAS,EAEnC,IACT,CAYA,YAAmB,CACjB,KAAK,cAAgB,KACrB,KAAK,WAAa,IAKpB,CAEA,MAAc,mBACZoG,EACiB,CACjB,MAAMC,EACJD,IAAY,OAAS,KAAK,WAAa,KAAK,cAC9C,OAAIC,GAAU,KAAK,IAAA,EAAQ,KAAK,gBAAkBA,EAAO,UAChDA,EAAO,OAEF,MAAM,KAAK,oBAAoBD,CAAO,GACvC,KACf,CAUA,UAAUE,EAA6B,CACrC,KAAK,OAASA,CAChB,CAEQ,oBACNF,EACsB,CACtB,MAAMG,EACJH,IAAY,OAAS,KAAK,aAAe,KAAK,gBAChD,GAAIG,EAAU,OAAOA,EAErB,MAAMC,EACJJ,IAAY,OAASvG,EAA0BD,EAE3CjJ,GAAK,SAAY,CACrB,GAAI,CACF,MAAME,EAAW,MAAM,KAAK,OAAO,KAGjC2P,EAAa,CACb,WAAY,KAAK,UACjB,YAAa,KAAK,aAAA,CACnB,EAWD,GATA9H,GAAqB,CACnB,MAAO7H,EAAS,gBAChB,mBAAoB,KAAK,mBACzB,IAAK,KAAK,IAAA,CAAI,CACf,EAKG,OAAOA,EAAS,OAAU,UAAYA,EAAS,MAAM,SAAW,EAClE,MAAM,IAAI,MACR,sFAAsF,OAAOA,EAAS,KAAK,GAAA,EAG/G,MAAMiI,EAAM,KAAK,IAAA,EACjB,GACE,CAAC,OAAO,cAAcjI,EAAS,UAAU,GACzCA,EAAS,YAAciI,GACvBjI,EAAS,WAAaoP,GAEtB,MAAM,IAAI,MACR,gEAAgE,KAAK,UAAUpP,EAAS,UAAU,CAAC,gCAAgCiI,CAAG,KAAKmH,EAAmB,IAAA,EAUlKlD,GAAmB,CACjB,MAAOlM,EAAS,MAChB,mBAAoBA,EAAS,gBAAgB,iBAC7C,0BAA2B,KAAK,mBAChC,gBACEuP,IAAY,OAASvE,GAAmBD,GAC1C,4BAA6B,KAAK,4BAClC,kBAAmB/K,EAAS,WAC5B,wBAAyBA,EAAS,gBAAgB,WAClD,IAAAiI,CAAA,CACD,EAED,MAAM2H,EAAqB,CACzB,MAAO5P,EAAS,MAChB,UAAWA,EAAS,UAAA,EAEtB,OAAIuP,IAAY,OACd,KAAK,WAAaK,EAElB,KAAK,cAAgBA,EAEhBA,CACT,QAAA,CACML,IAAY,OACd,KAAK,aAAe,KAEpB,KAAK,gBAAkB,IAE3B,CACF,GAAA,EAEA,OAAIA,IAAY,OACd,KAAK,aAAezP,EAEpB,KAAK,gBAAkBA,EAElBA,CACT,CACF,CChRO,MAAM+P,EAAgB,CAAtB,cACY7Q,EAAA,mBAAc,KAU/B,YAAY8I,EAA8C,CAOxD,MAAMgI,EAAchI,EAAM,wBAA0B,GAE9C4H,EAAW,KAAK,QAAQ,IAAI5H,EAAM,SAAS,EACjD,GAAI4H,EAAU,CACZ,GAAIA,EAAS,gBAAkB5H,EAAM,cACnC,MAAM,IAAI,MACR,8BAA8BA,EAAM,SAAS,mCAAmC4H,EAAS,cAAc,MAAM,EAAG,CAAC,CAAC,UAAU5H,EAAM,cAAc,MAAM,EAAG,CAAC,CAAC,GAAA,EAG/J,GAAI4H,EAAS,qBAAuB5H,EAAM,mBACxC,MAAM,IAAI,MACR,8BAA8BA,EAAM,SAAS,wCAAwC4H,EAAS,mBAAmB,MAAM,EAAG,CAAC,CAAC,UAAU5H,EAAM,mBAAmB,MAAM,EAAG,CAAC,CAAC,GAAA,EAG9K,GACE4H,EAAS,8BACT5H,EAAM,4BAEN,MAAM,IAAI,MACR,8BAA8BA,EAAM,SAAS,iDAAiD4H,EAAS,4BAA4B,MAAM,EAAG,CAAC,CAAC,UAAU5H,EAAM,4BAA4B,MAAM,EAAG,CAAC,CAAC,GAAA,EAOzM,GAAI4H,EAAS,yBAA2BI,EACtC,MAAM,IAAI,MACR,8BAA8BhI,EAAM,SAAS,4CAA4C4H,EAAS,sBAAsB,SAASI,CAAW,EAAA,EAMhJ,OAAAJ,EAAS,SAAS,UAAU5H,EAAM,MAAM,EACjC4H,EAAS,QAClB,CAEA,MAAMK,EAAW,IAAIT,GAAgB,CACnC,OAAQxH,EAAM,OACd,UAAWA,EAAM,UACjB,cAAeA,EAAM,cACrB,mBAAoBA,EAAM,mBAC1B,4BAA6BA,EAAM,4BACnC,iBAAkBgI,EACdlH,GACA,IAAI,IAAI,CAAC,GAAGA,GAAoB,GAAGC,EAAuB,CAAC,EAC/D,iBAAkBiH,EAAcjH,GAA0B,IAAI,GAAI,CACnE,EACD,YAAK,QAAQ,IAAIf,EAAM,UAAW,CAChC,SAAAiI,EACA,cAAejI,EAAM,cACrB,mBAAoBA,EAAM,mBAC1B,4BAA6BA,EAAM,4BACnC,uBAAwBgI,CAAA,CACzB,EACMC,CACT,CAGA,KAAKC,EAAgD,OACnD,OAAOpR,EAAA,KAAK,QAAQ,IAAIoR,CAAS,IAA1B,YAAApR,EAA6B,QACtC,CAOA,QAAQoR,EAAyB,CAC/B,KAAK,QAAQ,OAAOA,CAAS,CAC/B,CAQA,OAAc,CACZ,KAAK,QAAQ,MAAA,CACf,CAEA,IAAI,MAAe,CACjB,OAAO,KAAK,QAAQ,IACtB,CACF,CAaO,MAAMC,EAAyC,IAAIJ,GClHnD,SAASK,GACd7S,EACwB,OACxB,MAAM8S,EAAmBlH,GACvB5L,EAAO,SACPuB,EAAAvB,EAAO,UAAP,YAAAuB,EAAgB,OAAA,EAGZwR,EAAgBH,EAAgB,YAAY,CAChD,OAAQE,EACR,UAAW9S,EAAO,UAClB,cAAeA,EAAO,cACtB,mBAAoBA,EAAO,mBAC3B,4BAA6BgT,EAAAA,wBAC3BhT,EAAO,kBAAA,EAET,uBAAwBA,EAAO,sBAAA,CAChC,EAED,OAAO,IAAIyE,GAAuBzE,EAAO,QAAS,CAChD,GAAGA,EAAO,QACV,cAAA+S,CAAA,CACD,CACH,CC9BO,SAASE,GAAqBxI,EAA+B,CAClEmI,EAAgB,YAAY,CAC1B,OAAQhH,GAAsBnB,EAAM,QAASA,EAAM,OAAO,EAC1D,UAAWA,EAAM,UACjB,cAAeA,EAAM,cACrB,mBAAoBA,EAAM,mBAC1B,4BAA6BuI,EAAAA,wBAC3BvI,EAAM,kBAAA,EAER,uBAAwBA,EAAM,sBAAA,CAC/B,CACH"}

package/dist/tbv/core/clients/index.cjs CHANGED Viewed

@@ -1,2 +1,2 @@
-"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const r=require("../../../mempoolApi-C_9JhjCI.cjs"),e=require("../../../primeVpAuth-wKbRw0m4.cjs"),t=require("../../../types-WA0LrDk1.cjs");exports.MEMPOOL_API_URLS=r.MEMPOOL_API_URLS;exports.ViemVaultRegistryReader=r.ViemVaultRegistryReader;exports.getAddressTxs=r.getAddressTxs;exports.getAddressUtxos=r.getAddressUtxos;exports.getMempoolApiUrl=r.getMempoolApiUrl;exports.getNetworkFees=r.getNetworkFees;exports.getTipHeight=r.getTipHeight;exports.getTxHex=r.getTxHex;exports.getTxInfo=r.getTxInfo;exports.getUtxoInfo=r.getUtxoInfo;exports.pushTx=r.pushTx;exports.validateOffchainParams=r.validateOffchainParams;exports.validatePegInConfiguration=r.validatePegInConfiguration;exports.validateTBVProtocolParams=r.validateTBVProtocolParams;exports.OnChainBtcVaultStatus=e.OnChainBtcVaultStatus;exports.ServerIdentityError=e.ServerIdentityError;exports.VaultProviderRpcClient=e.VaultProviderRpcClient;exports.ViemProtocolParamsReader=e.ViemProtocolParamsReader;exports.ViemUniversalChallengerReader=e.ViemUniversalChallengerReader;exports.ViemVaultKeeperReader=e.ViemVaultKeeperReader;exports.VpResponseValidationError=e.VpResponseValidationError;exports.VpTokenRegistry=e.VpTokenRegistry;exports.batchPollByProvider=e.batchPollByProvider;exports.createAuthenticatedVpClient=e.createAuthenticatedVpClient;exports.primeVpTokenRegistry=e.primeVpTokenRegistry;exports.resolveProtocolAddresses=e.resolveProtocolAddresses;exports.validateRequestDepositorClaimerArtifactsResponse=e.validateRequestDepositorClaimerArtifactsResponse;exports.verifyServerIdentity=e.verifyServerIdentity;exports.vpTokenRegistry=e.vpTokenRegistry;exports.AUTH_EXPIRED_DATA_KIND=t.AUTH_EXPIRED_DATA_KIND;exports.DaemonStatus=t.DaemonStatus;exports.JSON_RPC_ERROR_CODES=t.JSON_RPC_ERROR_CODES;exports.JsonRpcClient=t.JsonRpcClient;exports.JsonRpcError=t.JsonRpcError;exports.POST_WOTS_STATUSES=t.POST_WOTS_STATUSES;exports.PRE_DEPOSITOR_SIGNATURES_STATES=t.PRE_DEPOSITOR_SIGNATURES_STATES;exports.RpcErrorCode=t.RpcErrorCode;exports.VP_BATCH_MAX_SIZE=t.VP_BATCH_MAX_SIZE;exports.VP_TERMINAL_FAILURE_STATUSES=t.VP_TERMINAL_FAILURE_STATUSES;exports.VP_TRANSIENT_STATUSES=t.VP_TRANSIENT_STATUSES;
+"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const e=require("../../../mempoolApi-NMiYQAXI.cjs"),t=require("../../../primeVpAuth-Brl_bnBH.cjs"),r=require("../../../types-WA0LrDk1.cjs");exports.MEMPOOL_API_URLS=e.MEMPOOL_API_URLS;exports.ViemVaultRegistryReader=e.ViemVaultRegistryReader;exports.getAddressTxs=e.getAddressTxs;exports.getAddressUtxos=e.getAddressUtxos;exports.getMempoolApiUrl=e.getMempoolApiUrl;exports.getNetworkFees=e.getNetworkFees;exports.getOutspend=e.getOutspend;exports.getTipHeight=e.getTipHeight;exports.getTxHex=e.getTxHex;exports.getTxInfo=e.getTxInfo;exports.getUtxoInfo=e.getUtxoInfo;exports.pushTx=e.pushTx;exports.validateOffchainParams=e.validateOffchainParams;exports.validatePegInConfiguration=e.validatePegInConfiguration;exports.validateTBVProtocolParams=e.validateTBVProtocolParams;exports.OnChainBtcVaultStatus=t.OnChainBtcVaultStatus;exports.ServerIdentityError=t.ServerIdentityError;exports.VaultProviderRpcClient=t.VaultProviderRpcClient;exports.ViemProtocolParamsReader=t.ViemProtocolParamsReader;exports.ViemUniversalChallengerReader=t.ViemUniversalChallengerReader;exports.ViemVaultKeeperReader=t.ViemVaultKeeperReader;exports.VpResponseValidationError=t.VpResponseValidationError;exports.VpTokenRegistry=t.VpTokenRegistry;exports.batchPollByProvider=t.batchPollByProvider;exports.createAuthenticatedVpClient=t.createAuthenticatedVpClient;exports.primeVpTokenRegistry=t.primeVpTokenRegistry;exports.resolveProtocolAddresses=t.resolveProtocolAddresses;exports.validateRequestDepositorClaimerArtifactsResponse=t.validateRequestDepositorClaimerArtifactsResponse;exports.verifyServerIdentity=t.verifyServerIdentity;exports.vpTokenRegistry=t.vpTokenRegistry;exports.AUTH_EXPIRED_DATA_KIND=r.AUTH_EXPIRED_DATA_KIND;exports.DaemonStatus=r.DaemonStatus;exports.JSON_RPC_ERROR_CODES=r.JSON_RPC_ERROR_CODES;exports.JsonRpcClient=r.JsonRpcClient;exports.JsonRpcError=r.JsonRpcError;exports.POST_WOTS_STATUSES=r.POST_WOTS_STATUSES;exports.PRE_DEPOSITOR_SIGNATURES_STATES=r.PRE_DEPOSITOR_SIGNATURES_STATES;exports.RpcErrorCode=r.RpcErrorCode;exports.VP_BATCH_MAX_SIZE=r.VP_BATCH_MAX_SIZE;exports.VP_TERMINAL_FAILURE_STATUSES=r.VP_TERMINAL_FAILURE_STATUSES;exports.VP_TRANSIENT_STATUSES=r.VP_TRANSIENT_STATUSES;
 //# sourceMappingURL=index.cjs.map

package/dist/tbv/core/clients/index.js CHANGED Viewed

@@ -1,46 +1,47 @@
-import { M as s, V as r, g as t, a as o, b as i, c as R, d as T, e as S, f as n, h as d, p as l, v as p, i as A, j as P } from "../../../mempoolApi-BxT89SAq.js";
-import { O as E, S as V, V as g, g as c, h as m, i as v, a as I, d as f, b as O, f as C, p as U, r as u, v as x, c as h, e as y } from "../../../primeVpAuth-Dzxxy0-F.js";
-import { A as N, D as M, b, J as k, a as B, d as H, P as J, R as L, e as F, c as K, V as X } from "../../../types-CQDRQvV-.js";
+import { M as s, V as r, g as t, a as o, b as i, c as R, d as T, e as n, f as S, h as d, i as l, p, v as A, j as P, k as _ } from "../../../mempoolApi-Dc1KSVNI.js";
+import { O as V, S as g, V as c, g as m, h as v, i as I, a as O, d as f, b as u, f as C, p as U, r as x, v as h, c as y, e as D } from "../../../primeVpAuth-BdrwraAe.js";
+import { A as M, D as k, b, J as B, a as H, d as J, P as L, R as F, e as K, c as X, V as j } from "../../../types-CQDRQvV-.js";
 export {
-  N as AUTH_EXPIRED_DATA_KIND,
-  M as DaemonStatus,
+  M as AUTH_EXPIRED_DATA_KIND,
+  k as DaemonStatus,
   b as JSON_RPC_ERROR_CODES,
-  k as JsonRpcClient,
-  B as JsonRpcError,
+  B as JsonRpcClient,
+  H as JsonRpcError,
   s as MEMPOOL_API_URLS,
-  E as OnChainBtcVaultStatus,
-  H as POST_WOTS_STATUSES,
-  J as PRE_DEPOSITOR_SIGNATURES_STATES,
-  L as RpcErrorCode,
-  V as ServerIdentityError,
-  F as VP_BATCH_MAX_SIZE,
-  K as VP_TERMINAL_FAILURE_STATUSES,
-  X as VP_TRANSIENT_STATUSES,
-  g as VaultProviderRpcClient,
-  c as ViemProtocolParamsReader,
-  m as ViemUniversalChallengerReader,
-  v as ViemVaultKeeperReader,
+  V as OnChainBtcVaultStatus,
+  J as POST_WOTS_STATUSES,
+  L as PRE_DEPOSITOR_SIGNATURES_STATES,
+  F as RpcErrorCode,
+  g as ServerIdentityError,
+  K as VP_BATCH_MAX_SIZE,
+  X as VP_TERMINAL_FAILURE_STATUSES,
+  j as VP_TRANSIENT_STATUSES,
+  c as VaultProviderRpcClient,
+  m as ViemProtocolParamsReader,
+  v as ViemUniversalChallengerReader,
+  I as ViemVaultKeeperReader,
   r as ViemVaultRegistryReader,
-  I as VpResponseValidationError,
+  O as VpResponseValidationError,
   f as VpTokenRegistry,
-  O as batchPollByProvider,
+  u as batchPollByProvider,
   C as createAuthenticatedVpClient,
   t as getAddressTxs,
   o as getAddressUtxos,
   i as getMempoolApiUrl,
   R as getNetworkFees,
-  T as getTipHeight,
+  T as getOutspend,
+  n as getTipHeight,
   S as getTxHex,
-  n as getTxInfo,
-  d as getUtxoInfo,
+  d as getTxInfo,
+  l as getUtxoInfo,
   U as primeVpTokenRegistry,
-  l as pushTx,
-  u as resolveProtocolAddresses,
-  p as validateOffchainParams,
-  A as validatePegInConfiguration,
-  x as validateRequestDepositorClaimerArtifactsResponse,
-  P as validateTBVProtocolParams,
-  h as verifyServerIdentity,
-  y as vpTokenRegistry
+  p as pushTx,
+  x as resolveProtocolAddresses,
+  A as validateOffchainParams,
+  P as validatePegInConfiguration,
+  h as validateRequestDepositorClaimerArtifactsResponse,
+  _ as validateTBVProtocolParams,
+  y as verifyServerIdentity,
+  D as vpTokenRegistry
 };
 //# sourceMappingURL=index.js.map

package/dist/tbv/core/clients/mempool/index.d.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  *
  * @module clients/mempool
  */
-export { getAddressTxs, getAddressUtxos, getMempoolApiUrl, getNetworkFees, getTipHeight, getTxHex, getTxInfo, getUtxoInfo, MEMPOOL_API_URLS, pushTx, } from './mempoolApi';
+export { getAddressTxs, getAddressUtxos, getMempoolApiUrl, getNetworkFees, getOutspend, getTipHeight, getTxHex, getTxInfo, getUtxoInfo, MEMPOOL_API_URLS, pushTx, } from './mempoolApi';
 export type { AddressTx } from './mempoolApi';
-export type { MempoolUTXO, NetworkFees, TxInfo, TxInput, TxOutput, TxStatus, UtxoInfo, } from './types';
+export type { MempoolUTXO, NetworkFees, OutspendStatus, TxInfo, TxInput, TxOutput, TxStatus, UtxoInfo, } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/tbv/core/clients/mempool/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/tbv/core/clients/mempool/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,aAAa,EACb,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,MAAM,GACP,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C,YAAY,EACV,WAAW,EACX,WAAW,EACX,MAAM,EACN,OAAO,EACP,QAAQ,EACR,QAAQ,EACR,QAAQ,GACT,MAAM,SAAS,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/tbv/core/clients/mempool/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,aAAa,EACb,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,YAAY,EACZ,QAAQ,EACR,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,MAAM,GACP,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C,YAAY,EACV,WAAW,EACX,WAAW,EACX,cAAc,EACd,MAAM,EACN,OAAO,EACP,QAAQ,EACR,QAAQ,EACR,QAAQ,GACT,MAAM,SAAS,CAAC"}

package/dist/tbv/core/clients/mempool/mempoolApi.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { MempoolUTXO, NetworkFees, TxInfo, UtxoInfo } from './types';
+import { MempoolUTXO, NetworkFees, OutspendStatus, TxInfo, UtxoInfo } from './types';
 /**
  * Default mempool API URLs by network.
  */
@@ -35,6 +35,20 @@ export declare function getTxInfo(txid: string, apiUrl: string): Promise<TxInfo>
  * @throws Error if the response is not a whole number
  */
 export declare function getTipHeight(apiUrl: string): Promise<number>;
+/**
+ * Get the spend status of a specific transaction output.
+ *
+ * Calls the esplora-compatible `GET /tx/{txid}/outspend/{vout}` endpoint
+ * (mempool.space backend, mempool/electrs `rest.rs`). Returns
+ * `{ spent: false }` for an unspent output, or
+ * `{ spent: true, txid, vin, status }` when the output has been spent.
+ *
+ * @param txid - The transaction id whose output is being checked (no 0x prefix)
+ * @param vout - The output index
+ * @param apiUrl - Mempool API base URL
+ * @returns The output's spend status
+ */
+export declare function getOutspend(txid: string, vout: number, apiUrl: string): Promise<OutspendStatus>;
 /**
  * Get the hex representation of a transaction.
  *

package/dist/tbv/core/clients/mempool/mempoolApi.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mempoolApi.d.ts","sourceRoot":"","sources":["../../../../../src/tbv/core/clients/mempool/mempoolApi.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH,OAAO,KAAK,~~EAAE~~,WAAW,~~EAAE~~,WAAW,~~EAAE~~,MAAM,~~EAAE~~,QAAQ,~~EAAE~~,MAAM,SAAS,CAAC;~~AAkG1E~~;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;CAInB,CAAC;AAiCX;;;;;;;GAOG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmC3E;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG7E;AAED;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CASlE;AAED;;;;;;;GAOG;AACH,wBAAsB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmB5E;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,QAAQ,CAAC,CAsBnB;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,WAAW,EAAE,CAAC,CAkExB;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,GACxC,MAAM,CAER;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE;QACN,SAAS,EAAE,OAAO,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,SAAS,EAAE,CAAC,CAGtB;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CA0CzE"}
1	+ {"version":3,"file":"mempoolApi.d.ts","sourceRoot":"","sources":["../../../../../src/tbv/core/clients/mempool/mempoolApi.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH,OAAO,KAAK,EACV,WAAW,EACX,WAAW,EACX,cAAc,EACd,MAAM,EACN,QAAQ,EACT,MAAM,SAAS,CAAC;AAkGjB;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;CAInB,CAAC;AAiCX;;;;;;;GAOG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmC3E;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG7E;AAED;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CASlE;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,cAAc,CAAC,CAMzB;AAED;;;;;;;GAOG;AACH,wBAAsB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmB5E;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,QAAQ,CAAC,CAsBnB;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,WAAW,EAAE,CAAC,CAkExB;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,GACxC,MAAM,CAER;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE;QACN,SAAS,EAAE,OAAO,CAAC;QACnB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;CACH;AAED;;;;;;;;;GASG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,SAAS,EAAE,CAAC,CAGtB;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CA0CzE"}